|
||||||
An eBook Publisher on why the U.S. Attorney should free Dmitry Sklyarovby Brad Templeton (July 25, 2001)There's been a lot of debate about the recent jailing of a young Russian named Dmitry Sklyarov, who helped write a controversial program that used to be sold by his employer, a Moscow company named Elcomsoft. This missive will be a bit different from some of the others you've read because I'm an ebook publisher -- one of the first. In addition, I've made pretty much all the money I've got from publishing copyrighted material online, have written professionally myself, am the son of full-time author and a heavy defender of the rights of authors. Back in 1992 and 1993 I made two pioneering (and foolishly far too early) moves in ebooks. First, I built a subscription library of top science fiction, offering readers "all you can read" for a flat monthly fee. In 93 I published an online and CD-rom anthology that even today is one of the largest anthologies of current fiction ever published in one volume. So I have some history in this market. Yet I'm also chairman of the Electronic Frontier Foundation (EFF), the organization that's been leading the fight against the problems with the new copyright laws and the prosecution of Sklyarov. The program that got him arrested, the Advanced eBook Processor, "unlocks" books published in the Adobe eBook format, so that you can extract the ordinary text of the book and do what you want with it. That includes a variety of harmless things like moving it to your new computer when you upgrade, or reading it 20 years from now when the publisher has gone out of business. It also includes nefarious actions, like republishing the book out to people who didn't pay for it. The Adobe eBook system, like many other "digital rights management" tools, provides a tool to encrypt books and "lock" them so that they can only be read using the eBook reader. In turn, the reader software only lets you do certain things with the books it decodes. Only things the publisher of the book has decided to let you do. Making an "unlocker" for such systems was made illegal under a new revision of copyright law in 1998 called the Digital Millennium Copyright Act. In fact, though normally copyright is the subject of lawsuits, the DMCA made certain actions federal crimes. And that's how Sklyarov ended up in jail. He helped his employer write a program that bypasses the locks, and his employer briefly sold it in the USA. (They sold a grand total of 7 copies, 15% of them to Adobe.) His employer, it seems, violated the U.S. law when it sold the program in the USA. Writing and selling such software is not just legal, but encouraged in Russia, where there are limits on the locks that publishers can put on books. The Department of Justice alleges that because Sklyarov helped write the program and his employer sold it that he is personally a criminal. They arrested him at his hotel in Las Vegas as he was on his way to the airport to go back home. He had come to a convention in Las Vegas called DefCon, where computers security people and hackers of both the good and bad stripes gather to discuss computer security issues. CryptanalysisHe went there because he got started in all this doing the well respected practice called cryptanalysis. Cryptanalysis is code-breaking. It involves looking at code-based security systems for flaws. Cryptanalists like Alan Turing are now widely regarded as among the greatest contributors to the defeat of Nazi Germany -- they are some of the greatest heros of the 2nd world war. Sklyarov is a PhD student in Moscow, and as an academic exercise in such research, he examined the security of the Adobe eBook locking system. Truth is, he found it to be of a very poor design, with several flaws. He described these, and then got employed by Elcomsoft to make a program to demonstrate the flaws. Adobe makes the claim, quite possibly valid, that Elcomsoft's goal was to make money selling a tool to let people illicitly copy books locked by Adobe's tools. Sklyarov, however, is mainly an academic and employee -- he owns no part of Elcomsoft and got his salary regardless of how well the program did. Unfortunately, because he's a Russian, he's in a lot more trouble. He's thousands of miles from home and family and the world he knows. And the courts will feel that if they let him out in the street, he would be a fool not to be on the next plane to Moscow. So they have to keep him in jail, where a U.S. resident would be out on bail, planning his defense. DRMDigital Rights Management (DRM) is controversial in part because it changes the rules of how publishing works. Publishers ask for DRM because digital books are trivially easy to copy, and in particular, to copy without paying for them. Paper books can also be copied, but putting all the pages through a photocopier is a fair bit of work, so most people don't do it. This difference of degree is important to the publishers. The ease of digital copying is so great that the whole world can get a book with only one person buying it, if the world is so inclined. They have reason to be scared of that. At the same time, DRM allows a degree of control over publishing that's far beyond what existed in the paper world. As noted, paper books can also be copied if you have the time or a fancy machine. More commonly people copy a single page out of a book for reference later, and most publishers don't mind a great deal. An eBook can be set to not allow even the slightest copying, not even the copy and paste of a single sentence. Paper books can be lent to friends, but of course you can't read them while they are on loan, and you can only loan to one person at a time. eBooks that are unlocked can be lent to the whole world at once (which scares the publishers) but can also be set so they can not be lent at all, and commonly are. Paper books can be sold, in fact copyright law explicitly assures this with a special doctrine describing the rights after "first sale" on a copyrighted work. Locked ebooks can be set so they can't be sold, and again they commonly are. Ordinary text files on a computer, like web pages, can be read in all sorts of programs -- web browsers, ebook readers, word processors etc. -- and easily moved to different machines (Windows, Apple, Linux, Palm) on demand. Locked ebooks can only be read in their special reader program, and normally only on the computer or device they were sold for. Regular books and computer files are subject to a number of special exemptions to copyright law called "fair use" in the USA. These exemptions, defined by the courts and the congress, are in place to make sure that copyright law doesn't get out of hand, and especially to make sure it doesn't violate the first amendment. For example, you can copy and paste a page out of this article (or any other copyrighted work) if you want to write something critical about it, or teach about it, or make fun of it. You don't have to ask me. You can do it even if I tell you not to. This is essential. Movie critics would never be able to show clips of movies they are panning otherwise, and that would limit their 1st amendment right to be critics. You can also make a backup copy of it, or move it from one machine of yours to another to read it there, again without me being able to deny you. In theory you have the rights to do all this with an ebook, but a locked eBook can be sealed up so you don't have the physical ability to do it. Now locked eBooks, when done well, can solve some of these problems. They can be programmed to be able to move from machine to machine (this is a must for people who, like me, upgrade their computer every few years.) They can be programmed so you can loan them out, or give them away, or sell them, losing your own access in the process. Adobe has done some of these things. Unfortunately in these cases, the usual means provided for acts like these is to contact the publisher or provider of locked ebook software, and ask them to give you the magic keys to perform such a special operation. If they let anybody copy from machine to machine, then they face that great fear of one copy going to the whole world. As such, the ability to do things that are inherently possible with paper books becomes a privilege which is bestowed, and which can be revoked. Or, even more likely, it can become impossible because the publisher is no longer in business. Walk through the halls of a fine library or antiquarian book store, and consider what it would be like if the books on the shelves that come from publishers who are now out of business could no longer be read. Imagine if this were true simply because the supplier of the printing press or the inks were out of business. Or perhaps they can still be read -- but only on that old 286 computer running DOS 6.0 that you threw out 15 years ago. Such is the risk of tying reading of a book to a single device until granted otherwise by the publisher or maker of the publishing tools. You can imagine why people are concerned about this. We have publishers scared to death of being unable to sell their books, and readers scared of books turning into pages in guarded steel boxes without many of the useful abilities they took for granted. It can be argued that people retain all the rights of trade, first sale and backup on the encrypted bits. But this dodges the issue. The encrypted bits are literally just noise unless there is a tool to read them, so when it comes down to defining the nature of reading, we have to look at what people can actually do with their books. Stop the tools!The publishers, scared as they were, saw the need for locked books (and more-so music and movies) and lobbied congress for a convoluted law -- the DMCA -- to protect the locks. In the past, copyright law protected the books, making the actual unauthorized copying unlawful. They changed the law to make the copying tools themselves illegal, and in some cases criminal. It's like, in many ways, making the photocopier itself illegal rather than dealing with the person doing the photocopying. It's like making locksmith's tools illegal because they can unlock doors, rather than just making breaking and entering illegal. Uncharitably, Sklyarov's company sold a lock-picking tool. More charitably they made an electronic analog of a photocopier that handles deliberately hard to photocopy books. He found the flaws in Adobe's locks and helped design the tool. That's part of how he ended up in jail. (There are laws in several states against carrying lock-picks, but almost all these laws make it illegal only if they are carried for criminal purpose, and it's rare for their manufacture to be illegal.) One thing people don't like about the law is that it protects even really badly designed computer locks. If they put on the simplest security that a high school student can break, a person who publishes how to break it in software code can still go to jail. Even if -- and this is literally true in this case -- the books are locked just by replacing every letter with the one 13 letters later in the alphabet, a code you may remember from when you were ten years old. This isn't to say that the victim is at fault in a burglary because they have a simple lock anybody can break. It does say that when you make it illegal to even publish how to get past a trivial lock that even the people who want strong locks will never get them. (Cryptographers know that the only way to make strong codes is to make sure they are constantly strained and tested.) Now the picture I've painted so far makes it seem crazy that he's in jail or could go to jail for what he did, especially since he did it in Moscow, where it's all perfectly legal. Yet reasonable people are pushing to keep him in jail. Until we made compelling arguments to them on the matter, Adobe was so angered by the program he wrote that they -- a company full of programmers -- landed this programmer in jail and were encouraging keeping him there. Some people don't buy the philosophy that making tools should be legal, and the nefarious uses of the tools should be what's illegal. This is nothing new, and this split occurs in all sorts of other debates, most around things like guns, marijuana pipes and even lock-picks. Most of the time the camp that blames the tools loses, though not always. Generally most support a justice system based on the presumption of innocence. If a tool has a legitimate use, it should be legal, even if the majority of its use is illicit. I think those siding with punishing the toolmaker rather than the copyright infringer should step back and look at the scale of this. One can understand, when the subject is guns, and killing people, how some people side with banning guns and thus interfering with the legal uses of the weapons by innocent people. Indeed they advocate such bans even in spite of the arguments that the 2nd amendment disallows them. But we're talking copyright infringement here, not murder. Yes, it can be costly, but on the grand scheme, most people don't see jail time as an appropriate response to the actual pilfering of ebooks, let alone the making of tools that might facilitate such infringement. There are valid uses for Elcomsoft's tool, and as such the good or evil lies in the hands of the user, not the programmer. Adobe was particularly concerned, I think, because Elcomsoft was selling the tool. Others have made unlockers before and given them away, but this company was making a (meagre) business of it. Adobe felt hurt, I think, at a company making a business out of reversing their hard work. They were annoyed that the company was in Russia and could ignore them, because Russia didn't have such a law. They complained to the FBI, and told them one of the programmers was coming to Nevada. The FBI promptly arrested him. In the end Adobe realized that was the wrong way to deal with this problem. JurisdictionThis is particularly true because, while he did play a role in writing the program, Sklyarov is just an employee. All the countries of the world routinely pass their own local (and to other perspectives, bizarre) laws but don't enforce them on people in other lands. Imagine a world where, if the U.S. company you worked for country did things that violated obscure laws in Saudi Arabia this could result in you or any other employee being hauled into jail if you visited Saudi Arabia or any other place that extradited to it. I suspect a lot of people could never travel the world if this were how things operated. The internet is raising these jurisdiction questions all the time. Americans were rightly incensed when France ordered Yahoo to stop allowing their users to auction off Nazi memorabilia, whose sale is illegal in France. Even more angry when Germany moved to jail a Compuserve executive because Compuserve carried newsgroups with content potentially illegal in Germany. These issues won't go away, but it's sad to see the first person jailed by the USA would be the foreign programmer of a software tool who had been invited to the USA as a guest. The DMCA criminal issues are contentious enough as they are. Throwing in the jurisdictional question muddies the issue, and benefits nobody. Obviously not the man denied bail, but also not the legal eagles on both sides who want to set DMCA precedents. Hard to useAs an early ebook publisher, I know that right now the public is mostly resistant to ebooks. This resistance derives mostly from a feeling that people don't want to read a book on a computer. Turns out that once you design your ebooks and the devices well, this prejudice is abandoned by many readers, but other problems persist, including weight, limited battery life, flickering displays and inability to browse. The publishers of ebooks need to put fewer barriers in front of the reader, not more, so it's bemusing that some have put such a strong focus on DRM. Those who release books in open formats that can be read anywhere do face more illicit copying than they would find in the paper world, but in many cases they also get more sales. Publishers are looking for new models for how to get financial return in the electronic world. They are out there, and a number of promising suggestions are already being tried. The problem many have with DRM is that, in spite of the goals, it doesn't simulate the dynamic of the old paper book, but locks it up even more. Perhaps if paper had allowed publishers to make books that could not go in libraries or used book stores they would have. Perhaps they would have made books that professors couldn't photocopy a few pages from to hand to their literature class. Is this the legal regime we would have wanted? The problem with the DMCA gets worse, however. If publishers want to put their books in a super lockbox, they should still have the right to do so. But the DMCA goes far further. It lets them put the books in a weak lockbox, and then arrest anybody that shows how the lock is weak, and writes software that opens it. This actually encourages the design of poor locking systems, as was the case for DVD movies. People have the right to keep secrets, for example, and to pile on security to protect them. But the DMCA question is not really one of whether the publishers can have locks. Whether they should use them is a moral question. The DMCA question is akin to asking, if the secrets get out because of poor security, are the people who found out how to get past the security liable or criminal? If Coca-cola holds up their secret formula to a window you can see with a telescope once a day, you might feel that people who see it still shouldn't publish it. But is the person who reveals where the window is a criminal? The DMCA contains exemptions for researchers, reverse engineers, cryptanalysts and even fair use. But in practice, in real court cases, those exemptions have shown to be close to useless. When one magazine published the results of reverse engineers who figure out how to play a locked DVD movie, the judge ruled that the magazine itself was not a reverse engineer or cryptographer, it just published their work. As such it could be shut down. Not much of an exemption. Where is the answer?Well, first of all, release Sklyarov. He's not the right test case for anybody and his kids miss their father. Next realize that before you can work out the best dynamic for protecting ebooks to keep them commercial, you need to have an industry in the first place. Ebook sales are still tiny, and nobody has really worked out the right way to sell them. I personally favour the subscription model (which I tried to build in 1992, offering all you can eat and dividing up the money to the authors based on who got most widely downloaded) or possibly a system I call "microrefunds" or the "Don't Pay" button, where people can freely trade content, and silently pay a small fee to the rights-holder when they do, but have the ability to ask not to pay (get a microrefund) at any time. Criminalizing the tools just creates a pointless war. Computer experts just consider an attempt at a lock to be a challenge, and the weak systems can and will be broken even with the threat of jail. The jail will just make them do it underground, releasing the programs for free rather than selling them. No book reader for a PC can every truly protect its content, since it's always possible for a program to read the screen (whose contents are in the computer's memory) and convert it back to text. Open formats encourage everybody, commercial and non-commercial, to make great tools to read and distribute the formats, and even great tools to help make money from them. If the proprietary formats provided some benefit to the actual reader, then one could imagine a market for them. But they don't, they only limit the reader, giving the reader very little reason to want them. The publishers want them, or think they do. (While the American Publisher's Association -- or some of it -- lauded the jailing, the Electronic Publishers Coalition condemned it.) The debate over how to publish digital books will continue for some time. However, the issue of whether a young programmer from another country should sit without bail in a jail cell is much simpler. Whether you love DRM or hate it, sending people to jail for writing programs accomplishes little that's positive. It will make those who work in the area of computer security and cryptanalysis very frightened -- it has already done so. Sadly, it frightens both the "white hats" and "black hats" at the same time, as evidenced by the fact that a very white hat Princeton professor had to cancel giving a paper at a conference due to a letter threatening DMCA penalties. While the white hats sit in fear, the black hats (and some of the white) will move underground, producing programs but releasing them anonymously, for free. Adobe was particularly concerned about a commercial product unlocking their books, but they and other DRM vendors would suffer much more commercial damage from free programs, and have less dialogue with those who find the flaws in their systems. Nobody benefits. And most of all, the consumer doesn't benefit, and in the end the customer is always right. When I published e-books, I did them in open formats, and frankly never got any significant reports of lost sales due to piracy. Due to an inability to get rights outside the USA on two stories, I did have to do a simple DRM on those, and it caused far more problems and customer hassle than having the stories was worth. Digital books are bigger today, but I don't think that equation has changed. The customer is still always right, and the fight to get any sort of adoption at all for ebooks is far more important than the fight to lock them up. The fight should never have led to putting a programmer in jail. Executive SummarySkylarov made an eBook unlocking tool while he was in Russia. That's legal to do in Russia. His employer -- not him -- then allegedly sold 7 copies of the tool into the USA. Assuming the tool is ruled a "circumvention device" under the DMCA, that's illegal. A just society punishes those who actually do harm, not those who make tools which can be used to do harm. While the law does waver from that ideal, it seems that copyright infringement, and this case in particular, is a poor arena to make one of the exceptions. Especially one of the criminal exceptions. In fact, the tool has a number of legitimate purposes, because without it, the dynamic of reading books changes, and removes a variety of fundamental rights and abilities that society has traditionally found to be of great benefit. Those include the "fair uses" which allow copying without the permission of the copyright holder. On top of all the other contentious issues, this case brings up sticky international jurisdiction questions. Can the USA punish programmers in Russia who do things that are legal in Russia the moment they walk on U.S. soil? Should it? The foreign aspect deepens the injustice more. While a U.S. programmer charged with this crime would be out on bail working on his defense, Sklyarov is forced to sit in jail, possibly for a long time, because he can't get bail as a flight risk. (You would be a flight risk in his shoes, too.) As we've seen, punishing those who find the flaws in the security of the locks on digital content does more than stop pirates. It scares academics and silences protected speech. Even if you feel that publishers have the right to use DRM if they want to, without us telling them it's bad for them, the real question behind the DMCA is whether we should throw those who fairly break the protection into jail. There are other answers to selling online content that don't involve draconian DRM. The DMCA needs a test case, but this one isn't it. It's not a good case for the pro-DMCA folks because of jurisdictional issues and the fact that it's his employer who sold the program not him. It's not a good case for anti-DMCA folks because a man stays in jail, thousands of miles from his family while the case is worked out. 4 stages of looking at what Dmitry did and is accused ofDid Dmitry make infringing copies of some eBook? Shouldn't that be illegal?It is illegal, but he didn't do anything like that. Did he sell a program in the USA that makes infringing copies of eBooks?He didn't sell anything in the USA. He did help write a program that his employers allegedly sold a few copies of in the USA. So this program his employers sold, it makes infringing copies of eBooks?No, the copies it makes are generally legal. The program would normally be run by people who have legally bought a locked eBook. It would give them an unlocked regular file. It is legal for them to make and have this file, since they paid for the book in the first place. So where is the copyright infringement going on here?Once a person runs the program and has their own legal, unlocked copy, they have the ability to make further copies that they give away or sell. That would be a copyright infringement. Of course, what Dmitry's employer allegedly did -- selling the unlocking program in the USA -- is not an infringement of any book publisher's copyright, but is illegal under the new DMCA law. So now Dmitry, the employee who designed the software, is in jail without bail. - end - |
||||||
Please send any questions or comments to webmaster@eff.org. |