Declaration of Alan Cox
in Felten v. RIAA (Aug. 13, 2001)
Grayson Barber (GB 0034)
Frank L. Corrado (FLC 9895)
(Additional Counsel listed on signature page)
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY
1. I am a kernel engineer for Red Hat UK Ltd., a wholly-owned subsidiary of Red Hat, Inc., headquartered in Durham, North Carolina. The kernel is the core software of any computer; among other things, it enforces security policies and access controls where appropriate. I live in and am a citizen of the United Kingdom. This declaration is made on my own behalf and does not represent the position of my employer or any other party. The facts stated in this declaration are known to me of my own personal knowledge or, if stated on information or belief, I believe them to be true.
2. I am also heavily involved in the main development of the Linuxtm operating system. The Linux Operating System is a global project building the core software for running computers. Most people regard me as second in command to Linus Torvalds, the creator of the project. See, e.g., <http://www.softpanorama.org/People/Cox/index.shtml>.
3. The project operates under an "Open Source" license. The license used grants all parties equal rights to use, distribute and modify the Linux system. In particular, all users receive the source code (often described in non-computing terms as "the blueprints") of the system.
4. I was the original Linux project contact with CERT (the Computer Emergency Response Team, http://www.cert.org/) and am still heavily involved in vendor-sec, the e-mail list that handles security issues with the Linux operating system.
5. I am a frequent invited speaker at conferences about the Linux system and its workings. I have provided keynote speeches to conferences such as the Ottawa Linux Showcase (probably the biggest technically oriented Linux event).
6. Until July 20, 2001, I was on the program committee
of the Usenix ALS Linux conference
7. On July 20, I resigned from the Usenix ALS committee. I issued the following statement, of my own free will, after the Russian programmer Dmitry Sklyarov was arrested by the FBI on charges of violating the DMCA, and it became clear how much the DMCA was a threat to speakers on many important subjects:
With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United States. While he was undoubtedly chosen for political reasons as a Russian is a good example for the US public the risk extends arbitarily further.
Usenix by its choice of a US location is encouraging other programmers, many from eastern european states hated by the US government to take the same risks. That is something I cannot morally be part of. Who will be the next conference speaker slammed into a US jail for years for committing no crime? Are usenix prepared to take the chance it will be their speakers ?
Until the DMCA mess is resolved I would urge all non US citizens to boycott conferences in the USA and all US conference bodies to hold their conferences elsehere.
I appreciate that this problem is not of Usenix making, but it must be addressed
I still stand by this statement.
8. I made this public announcement because I felt that many software engineers, particularly those working in security-related projects, or on disabled-access activities legal in their own countries, risked arrest merely for speaking about things they had discovered.
9. When the first cases of DMCA censorship occurred, I was less worried. Attempts by large corporations to silence the truth by legal abuse are common and normally get resolved to the benefit of the people. However, the Sklyarov case really made me concerned, because it was now the case that people telling unpopular truths could be seized by the FBI and slammed into jail under the DMCA.
10. Free speech -- including the ability to discuss circumvention methods -- is a vital part of computer security. When a weakness in a security system is discovered, it needs to be discussed, it needs to be evaluated and it needs to be tested by many minds.
11. Without this kind of continual testing the vendors will be able to ship flawed and broken technology without those depending on the technology ever knowing about the flaws. In fact, this aspect of the DMCA only serves to further the business of the incompetent. It exposes copyright owners to serious risk by preventing the truth from being told about products that they rely on.
12. Experience in computer security has shown me that the bad guys share their knowledge and act without regards to laws. One of the few weapons the good guys used to have is an organised network of information sharing and conferences.
13. In my work on Linux security, I have to warn people about security problems I am aware of - indeed, for paid commercial work in the UK, failing to do so would almost certainly be negligent. Yet under the DMCA, I have to choose betweem keeping quiet when a flaw is known or discovered in an encryption system or other rights management tool, which could put my clients at risk -- or being unable to visit the United States without fear of arrest. Without that ability to tell the truth the fight against crime is weakened and the possibility that the national security infrastructure of nations is flawed and weak increases.
14. Some parties often seek to mislead on the situation with 'Open Source' and copyright. Let me therefore set some points straight:
I declare under penalty of perjury under the laws of the United States of America that the
foregoing is true and correct and was executed at Swansea, Wales on this the ___ day of
_______________________ Alan Cox
Attorneys for Plaintiffs
Please send any questions or comments to firstname.lastname@example.org.