Arrest of Computer Researcher Is Arrest of First Amendment Rights

By Bruce Schneier
InternetWeek
August 6, 2001

The arrest of a Russian computer security researcher was a major setback for computer security research. The FBI nabbed Dmitry Sklyarov after he presented a paper at DefCon, the hacker community convention in Las Vegas, on the strengths and the weaknesses of software to encrypt an electronic book.

Although I'm certain the FBI's case will never hold up in court, it shows that free speech is secondary to the entertainment industry's paranoia about copyright protection.

Sklyarov is accused of violating the Digital Millennium Copyright Act (DMCA), which makes publishing critical research on this technology more serious than publishing design information on nuclear weapons.

I've been a longstanding DMCA critic because of the futility of using technical solutions to prevent digital copying. Basically, DMCA forbids invention and distribution of "circumvention devices" and "reverse engineering of document protection." It's illegal to break, or to show how to break, the technology used to protect digital copyright.

Technically, the law protects only "effective" copy protection technology. This is a wonderful piece of circular logic because surely if it's been broken, it's been ineffective. The complaint against Sklyarov sidestepped this problem: Because the e-book is sold in encrypted form, is accessible only through the eBook Reader and can't be duplicated, it's in the copyright holder's interest for the e-book to be protected, the FBI's complaint said. But if that were true, there would be no grounds for the case.

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included. But these provisions are being ignored.

What the DMCA has done is create a new controlled technology. In the United States, there are several technologies that citizens are prohibited from buying and selling without proper credentials: lock picks, fighter aircraft, pharmaceuticals, explosives. The DMCA goes one step further. Not only are circumvention tools controlled, but so is the information about them.

I attended Sklyarov's talk. He did legitimate security research, determining the security of several popular e-book reader products and notifying the respective firms of his findings. His company in Russia, Elcomsoft, published software that circumvented the ineffectual security systems.

The Def Con talk was a clear, evenhanded presentation of the facts. Sklyarov said, in effect: "This security is weak, and here's why." One company he mentioned stored the password in plain text inside the executable. So anyone with Notepad and a few minutes of scrolling could have the e-book modified for easy distribution.

The FBI held Sklyarov without bail after Adobe Systems wanted him for breaking the security on Acrobat's E-Reader API.

How could Sklyarov be convicted, especially given that the U.S. government more than 20 years ago let The Progressive magazine publish an article providing details on how to build a hydrogen bomb? Despite government concerns about "grave, direct, immediate and irreparable harm" to national security, the magazine published the article after six months of legal maneuvering.

Yet now here we are in 21st-century America, where the profits of the major record labels, movie houses and publishing companies are more important than First Amendment rights.

In many ways, we're seeing the legacy of the National Security Agency's long war against cryptographic information. Until the late 1990s, the NSA used the threat of national security to prevent the dissemination of encryption technologies. Many people believed the NSA's primary rubric, export controls, wouldn't stand up to a constitutional challenge, but it was never tested. The NSA eventually gave up, but every day it could delay the failure was a day of victory.

The entertainment industry is behaving the same way. The DMCA is unconstitutional, but until it's ruled as such, the industry wins. The charges against Sklyarov won't stick, but their chilling effect on other researchers will.
