The Anti-Circumvention Rules of the Digital Millennium Copyright Act
The Digital Millennium Copyright Act (“DMCA”) makes it illegal to circumvent technical measures (e.g., encryption, copy protection) that prevent access to copyrighted materials, such as computer software or media content. The DMCA also bans the distribution of products or services that are designed to carry out circumvention of technical measures that prevent either access to or copying of copyrighted materials. As a result of the passage of the DMCA, copyright owners who implement protective measures such as encryption can greatly enhance their ability to control the use of their products and to prevent piracy and unauthorized product dispositions. The DMCA also presents some potential pitfalls for developers of products that interoperate with other software products and for researchers into encryption and other technologies that limit access to digital products.
Why was the DMCA passed? Several factors converged to result in passage of the DMCA, but the major driver has been the growth of the use of computers and the Internet, and the increased distribution in digital form of copyrighted works such as music and movies, and to a lesser extent text-based works such as books, articles and sheet music. The broad availability of personal computers and the Internet allows users to easily make and distribute accurate digital copies of these works, and many publishers are interested in implementing technical measures to protect their copyrighted material. Another factor is that the technology of cryptography has matured and become more effective and more practical.
The DMCA is the most significant change to U.S. copyright law since its last major revision in 1976. Its anti-circumvention rules have generated much controversy, and have been viewed by some as going too far in strengthening the rights of intellectual property owners to control access and copying. The rules are complex, and they are generally acknowledged to present many questions as to their meaning and intent. According to one well-known commentator the DMCA “bursts with conundrums, brain-teasers, and paradoxes.” This article first describes the rules and their exemptions, and then discusses the implications for software developers and vendors, researchers, content providers, and users of the Internet.
I. WHAT THE NEW LAW SAYS
Passage
The DMCA was signed into law by President Clinton in 1998, with broad bipartisan support in Congress. The law reflects the merger of several unrelated bills and covers multiple topics, but one of the most far-reaching sections was the set of rules that (a) prohibit circumventing technology measures such as encryption that effectively prevent access to copyrighted material, (b) ban the distribution of tools or technology designed to help the user in circumventing technology protections for unauthorized access or copying purposes, and (c) prohibit providing false identifying information (e.g. the title of the work, the name of the author or copyright owner, etc.) and altering the identifying information. (In this article the term “tools” is used to mean any technology, product, service, device or component that is designed or marketed for use in circumventing access controls or copy controls.) The anti-circumvention rules were enacted to address the concern that the ease with which digital works can be copied and distributed would lead to widespread piracy.
The DMCA made several other changes to the Copyright Act in addition to the anti-circumvention rules:
- created a safe harbor for Internet service providers to avoid liability for vicarious or contributory liability for copyright infringement by their customers;
- provided an exemption to liability for infringement of copyrighted computer programs and files as a result of copying that is incidental to computer troubleshooting, diagnosis and repair;
- provided a new type of limited copyright protection for original designs of useful articles which make the article attractive or useful in appearance, where the design is not dictated solely by utilitarian functions of the article;
- included boat hull designs under the new protection for designs of useful articles; and
- barred the manufacture, import or sale of analog video cassette recorders that do not conform to two types of copy control technology.
Circumvention of Access Controls
The DMCA’s basic rule prohibits the act of circumventing technological measures that “effectively control access” to a copyrighted work without the consent of the copyright owner. (An “effective access control” is a measure that in the ordinary course of its operation requires the application of information, or a process or treatment, with the authority of the copyright owner, to gain access to the work.) Prohibited acts therefore include descrambling a scrambled work, decrypting an encrypted work, or otherwise avoiding, bypassing, removing, deactivating or impairing a technological measure without the authority of the copyright owner. For example, assume you have a copy of an encrypted e-book that cannot be read without purchasing the right to access it from the publisher. The DMCA says you may not, without authorization from the copyright owner, hack the encryption to read the book. The House Report on the DMCA likened violations of the basic anti-circumvention rule to breaking into a locked room to obtain a copy of a book - the invasion inside another’s property is itself the offense. This rule does not apply to access controls on materials in the public domain, e.g. Shakespeare, since they are not protected by the copyright law.
Trafficking in Circumvention Tools
Tools that Circumvent Access Controls. The DMCA’s ban on circumventing access control measures is supplemented by its prohibition on trafficking in certain products and services that in effect “aid and abet” those who would “break and enter,” i.e., circumvent access control measures. This rule prohibits trafficking in such tools by barring the manufacture, import, offering to the public, providing or otherwise trafficking in any technology, product, service, device, component or part that:
- is “primarily designed or produced for the purpose of circumventing a technological measure” that effectively controls access to a copyrighted work,
- has “only limited commercially significant purpose or use other than to circumvent a technological measure” that effectively controls access to a copyrighted work, or
- is marketed for use in circumventing a technological measure that effectively controls access to a copyrighted work.
The House Report on the DMCA confirms that legitimate multipurpose devices can continue to be made and sold, although a manufacturer cannot escape liability by labeling as a household device a product that is primarily designed to circumvent access controls.
- item 1
- item 2
- item 3
Tools that Circumvent Controls on Copying. The DMCA also implements a ban on trafficking in a second category of products and services: those that target the circumvention of copy controls and other technological measures that effectively protect the rights of a copyright owner under the Copyright Act. The rights of a copyright owner include the exclusive right to reproduce the work, to prepare derivative works, to distribute copies, to perform a work and to display a work. (In this Article the term “copying” is used as shorthand for the exercise of any of the exclusive rights of the copyright owner.) The DMCA’s formulation of this additional ban on trafficking in tools that circumvent copying controls is parallel to the prohibition described above on products that circumvent access controls. I.e., the prohibition on trafficking applies to tools that are primarily designed or marketed for the purpose of circumventing copy controls, or have only limited commercially significant purpose other than to circumvent copy controls.
The DMCA’s distinction between accessing a work and copying a work recognizes that one may have purchased the right to access a work, but yet remain subject to copy controls that limit or prevent copying of the work. The DMCA bars trafficking in tools that circumvent either access controls or copying controls. However, the DMCA does not ban the act itself of circumventing copying controls, although it does ban the act of circumventing access controls. Unauthorized copying (except as allowed by the fair use rules), making derivative works, distributing copies, etc. has long been prohibited by the Copyright Act, so apparently no new prohibition was felt necessary. In contrast, before the DMCA the act of circumventing access control technology was not itself unlawful.
The prohibition against trafficking in tools to circumvent access controls has been applied broadly by the courts. Since similar language is used in the statute, presumably the ban on trafficking in tools to circumvent copy controls would also be applied broadly . In Universal City Studios, Inc. v. Corley, the Court of Appeals for the Second Circuit in 2001 upheld a lower court injunction against the Internet Web site www.2600.com, which is affiliated with the magazine 2600: The Hacker Quarterly. The owners of the Web site had posted the computer program DeCSS, which can be used by purchasers of DVDs to access the encrypted movies by decrypting the encryption scheme used on all movie DVDs sold in the U.S. The unencrypted movies can then be played on any personal computer, copied and transmitted over the Internet. The injunction prohibited the owners of the Web site from posting the program DeCSS. The owners complied, but then posted links to other, foreign Web sites from which DeCSS could be downloaded. The final injunction was modified to prohibit the Web site owners from even posting the hypertext links to other sites from which DeCSS could be obtained. The Court of Appeals concluded that the defendants’ posting of links to other Web sites constituted, in the words of the statute, “trafficking” in DeCSS. The defendants’ challenges to the injunction on several grounds, including “fair use” and First Amendment bases, were completely rejected by the Court of Appeals.
Other Rights Not Affected
The acts prohibited by the DMCA are unlawful regardless of whether they constitute copyright infringement. Conversely, the DMCA clearly states that it does not affect other rights or remedies. It does not affect rights, remedies, limitations or defenses to copyright infringement, including fair use. (Keeping in mind, of course, that the theoretical right to reproduce a small portion of a work for purposes of criticism or comment, which would be allowed under the Copyright Act as a fair use, is of no avail if the work is protected by copy controls and you can’t buy or make a tool to get around the copy controls.) It does not enlarge or diminish vicarious or contributory liability for copyright infringement. It does not require that any consumer electronics, telecommunications or computing product provide for a response to any particular technological measure. It ostensibly does not enlarge or diminish any rights of free speech or the press.
Exemptions from the Anti-circumvention and Anti-Trafficking Rules
Particular Categories of Works. The DMCA sets forth a number of exemptions from its anti-circumvention and anti-trafficking rules. The first is an exemption from the basic rule barring the circumvention of access controls, for users of particular categories of works. The Librarian of Congress, for each successive three-year period beginning on October 28, 2000, is to determine in a rule-making proceeding which categories of works have users who would be adversely affected by the ban on circumventing access controls in their ability to make noninfringing uses of the work. The Librarian of Congress has made its determination for the initial three-year period, and has concluded that two classes of works will be subject to the exemption, at least until October 28, 2003: (a) compilations consisting of lists of websites blocked by filtering software applications, and (b) literary works, including computer programs and databases, protected by access control mechanisms that fail to permit access because of malfunction, damage or obsolescence. This exemption does not apply to the rules against trafficking in tools to circumvent access controls, so as a practical matter this exemption, even if theoretically available, will in most cases not be useful because of the lack of tools to carry out the circumvention.
Nonprofit Libraries, Archives and Educational Institutions. The DMCA allows nonprofit libraries, archives and educational institutions to circumvent access controls solely for the purpose of making a good faith determination as to whether they wish to obtain authorized access to the work, if the work is not reasonably available in another form. Again, as a practical matter this exemption will in most cases not be useful because of the lack of tools to carry out the circumvention.
Law Enforcement. Officers, agents and employees of governmental bodies are exempt from all the anti--circumvention rules in carrying out lawfully authorized law enforcement, intelligence and information security activities.
Reverse Engineering to Achieve Interoperability. One exemption that may have wide applicability is an exemption for reverse engineering to research and achieve interoperability between computer programs. Interoperability is defined here as the ability of computer programs to exchange and use information. A person who has lawfully obtained the right to use a copy of a computer program may circumvent access controls to a particular portion of the program, and may develop and use tools to circumvent access and copy controls, in order to achieve interoperability so long as doing so does not constitute copyright infringement. (The courts have generally upheld the process of reverse engineering against claims of copyright infringement.) The access to the other program may only be for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability. The information developed in this process, as well as the tools developed, may be shared with others solely for the purpose of enabling interoperability of an independently created computer program with other programs.
Encryption Research. The DMCA exempts encryption research from its circumvention and trafficking bans. Circumvention of access controls by one who has lawfully obtained the encrypted copy is permitted if the circumvention is done in the course of “an act of good faith encryption research.” The researcher must first have made a good faith effort to obtain authorization before the circumvention, and the circumvention itself must not constitute infringement. The researcher may also develop and employ tools to circumvent the access controls for the sole purpose of carrying out the research, and may share those tools with collaborative researchers. The DMCA lists several factors to be used in determining whether the exemption for good faith research should apply in a particular situation, including whether and how the research results were disseminated, whether the researcher is engaged in a course of study or is trained or experienced, and whether the researcher provides the copyright owner with the results of the research.
Protection of Minors. This provision gives a court, faced with an alleged access to a protected work in violation of the anti-circumvention rule or alleged trafficking in devices to facilitate circumvention of access controls, discretion in applying the rules. In applying the prohibitions to a component or party, the court is to consider the necessity for its incorporation in a technology, product, service or device which does not itself violate the DMCA and which has the sole purpose of preventing the access of minors to material on the Internet. This is obviously an narrow exemption, and lodging discretion in the court leaves a lot of unpredictability as to how it will be applied.
Personal Privacy. The DMCA exempts circumvention of access controls that is done solely to prevent the collection or dissemination of personally identifying information about a natural person who seeks to gain access to the work protected. For example, a user can circumvent access controls in the course of deactivating “cookies,” which are packets of information sent by an Internet server to a user’s browser and then sent back by the browser each time it accesses that server, and which are often used to collect personal information about the user. This exemption only applies if the technological measure, or the work it protects, collects or disseminates the personal information without providing conspicuous notice and the capability for the user to prevent or restrict the collection or dissemination.
Security Testing. Circumvention of access controls on copyrighted works is not a violation of the DMCA if it is done in the course of accessing a computer, computer system or computer network solely to carry out good faith testing, investigating or correcting of security flaws or vulnerabilities, with the authorization of the computer owner or operator. Factors to be considered in determining whether the exemption for good faith testing is available in a particular situation include whether the information derived from the testing is used solely to promote security, and whether the information from the testing was used or maintained in a manner that does not facilitate copyright infringement. The one doing the testing may also develop and use tools to carry out the circumvention of access controls.
Copyright Management Information
Copyright Management Information (“CMI”) is information embedded in or accompanying a copyrighted work, such as the name of the work, the name of the author, identifying serial numbers or codes, and terms and conditions of use of the work. The DMCA’s restraints are not limited to CMI in digital form; they apply to CMI “conveyed in connection with” any type of copy of a work, or performances or displays of a work. The DMCA protects this type of information from alteration, and prohibits providing false CMI. The legislative history states: “This section will operate to protect consumers from misinformation as well as authors and copyright owners from interference with the private licensing process.” The Senate report also characterizes protection of the integrity of CMI as an important element in establishing an efficient Internet marketplace in copyrighted works.
CMI is defined as any of the following:
- the title and other information identifying the work, including the information in a copyright notice;
- the name and other information identifying the author;
- the name and other information identifying the copyright owner;
- with the exception of television and radio broadcasts, certain information about performers, writers and directors in audiovisual works, and performers for works other than audiovisual works;
- terms and conditions for use of the work;
- identifying numbers or symbols referring or linking to such information;
- such other information as the Register of Copyrights may prescribe by regulation;
- except that it does not include personally identifying information about a user of a work.
Alteration or Providing False Information
The DMCA bars the providing of false CMI and the unauthorized alteration of CMI. Specifically, no one may knowingly, and with the intent to induce, enable, facilitate or conceal infringement, either provide false CMI or distribute or import for distribution false CMI. This rule applies to the copyright owner as well as others such as distributors and licensees.
Also, without the authority of the copyright owner, one may not (i) intentionally remove or alter CMI; (ii) distribute or import for distribution CMI, knowing that it has been removed or altered; or (iii) distribute or import for distribution any work, knowing that its CMI has been removed or altered. These acts only violate the DMCA if the violator knows (in the case of a criminal charge) or has reasonable grounds to know (in the case of a civil suit) that the removal or alteration will induce, enable, facilitate or conceal an infringement of copyright.
The DMCA does not require that copyright owners insert CMI in their works, so a copyright owner may distribute copyrighted materials without any CMI. But if the copyright owner does insert or provide any CMI with the work, distributors and purchasers must respect the integrity of the CMI.
Exemptions from CMI Rules
Law Enforcement. As with the anti-circumvention rules, officers, agents and employees of governmental bodies are exempt from the rules against providing false CMI or altering CMI in carrying out lawfully authorized law enforcement, intelligence and information security activities.
Broadcasting. A set of exceptions is established for broadcasters, cable system operators and persons providing programming to broadcasters and cable system operators (collectively referred to as “Broadcasters”). Analog Broadcasters are not liable for altering or removing CMI if (a) avoiding the alteration or removal is not technically feasible or would create an undue financial hardship, and (b) the Broadcaster did not intend to induce, enable, facilitate or conceal infringement of copyright.
The exemption for digital Broadcasters has two variations, depending on whether a digital transmission standard for the placement of CMI for the particular category of works has been set in a “voluntary, consensus standard-setting process involving a representative cross-section of broadcast stations or cable systems and copyright owners of a category of works intended for public performance by such stations or systems.” If such a standard has been set, a digital Broadcaster will not be liable for altering or deleting CMI covered by the standard if the CMI is not in accordance with the standard, and the alteration or deletion is not intended to aid an infringement. If no such standard has been set, the digital Broadcaster will not be liable for altering or deleting CMI covered by the standard if the Broadcaster does not intend to aid an infringement and either (i) transmission of the CMI would result in perceptible signal degradation, or (ii) the transmission would conflict with government regulation or some other applicable voluntary, consensus-based standard.
Remedies for DMCA Violations
The remedies in a civil lawsuit for one injured by another’s violation of the anti-circumvention, anti-trafficking or CMI rules of the DMCA are wide ranging. The injured party may obtain an award in federal court of its actual damages resulting from the violation plus the violator’s profits that are not otherwise measured in the damages. Alternatively, statutory damages may be elected, which obviates the need to prove one’s actual damages. For violations of the anti-circumvention and anti-trafficking rules the statutory damages are from $200 to $2,500 per violation, and for violations of the CMI rules the statutory damages are from $2,500 to $25,000 per violation. For repeated violations within three years of a final judgment for earlier violations, the damages can be trebled. The court may in its discretion award costs and fees to the prevailing party.
Injunctions and court orders are also available under the DMCA. Temporary and permanent injunctions may be granted to prevent or restrain violations of the anti-circumvention, anti-trafficking or CMI rules. As soon as an action is filed, the court may order the impounding of any device or product if the court has reasonable cause to believe it was involved in a violation. After final judgment has been entered, the court may order the remedial modification or the destruction of any device or product that has been impounded or is in the violator’s control.
Violators are also subject to criminal penalties. Willful violators of the anti-circumvention rules, the anti-trafficking rules or the CMI rules, for purposes of commercial advantage or private financial gain, may be fined up to $500,000 and imprisoned for up to five years for a first offense. Subsequent offenses may be punished by fines up to $1,000,000 and imprisonment for up to ten years.
One high profile criminal case has resulted from the DMCA. Dmitri Sklyarov, a Russian programmer who came to Las Vegas in July 2001 to speak at the DefCon 9 Conference, a security conference and hackers’ convention, was arrested by the FBI in Las Vegas after the conference. His employer in Russia made and distributed Advanced eBook Processor (“AEBPR”), a program written by Sklyarov that allowed purchasers of eBooks from Adobe Systems Incorporated to circumvent Adobe’s copy protection scheme. (The FBI had been tipped off by Adobe.) Users of AEBPR could create unprotected files that could then be copied or reproduced without limitation. Sklyarov was arrested for violating the DMCA by trafficking in circumvention tools, i.e., sales by his employer in the U.S. of AEBPR.
In July 2001 Adobe asked that the charges be dropped, but the Justice Department continued to pursue the case. Mr. Sklyarov was released on bail, and he and his employer were indicted by a federal grand jury in August 2001. In December, Sklyarov, his employer and the government entered into an agreement to take Mr. Sklyarov out of the case. Sklyarov agreed to cooperate with the United States in its ongoing prosecution of his employer and to appear at trial and testify truthfully. If he cooperates the charges against him will be dropped. In the meantime he has been permitted to return to Russia.
It should be noted that according to published reports, AEBPR is legal in Russia. Also, AEBPR only works with legally purchased eBooks. The AEBPR user must have the serial number of the book, which is only obtained at the time of purchase of the eBook, in order to use AEBPR. Nonetheless, AEBPR was being sold commercially in the U.S., and it does appear to violate the DMCA’s rules against trafficking in devices that circumvent copying controls. This case shows the Federal Government’s willingness to use criminal charges to enforce the DMCA.
The anti-circumvention, anti-trafficking and CMI rules of the DMCA were intended by Congress to strengthen copyright protection by regulating conduct which traditionally has fallen outside of copyright law, and a violation of the DMCA is not a copyright infringement. They are separate and distinct offenses, although both may be involved in the same case. For example, a consumer who buys a movie DVD which is protected by the Content Scramble System, and who then creates a device that unscrambles the movie for viewing on a computer, has violated the DMCA’s prohibition on circumventing the DVD’s access controls, but has not infringed the copyright. A violation of the Copyright Act will result if the consumer goes further and infringes the copyright by making and distributing copies of the movie.
II. IMPLICATIONS OF THE NEW LAW
Remedies for DMCA Violations
Prevention of Piracy. The DMCA gives vendors of computer software and of digital content such as books, music and graphics a set of strong legal tools to prevent piracy and copyright infringement. To take advantage of those tools, a vendor must implement technological measures that “effectively control access” to a copyrighted work, or “effectively protect a right” of the copyright owner. Examples include a password requirement to access a document over the Internet, the Content Scramble System (“CSS”) that is used to prevent copying of movie DVDs, streaming audio delivery systems that prevent the creation of copies, and restrictions on e-books that prevent copying or moving the e-book from one computer to another.
Once the Vendor’s products are protected by access and copy controls, purchasers will be unable to make and distribute unauthorized copies. Computer programmers are ingenious, of course, and programs may be created and sold to defeat the Vendor’s access and copy protection. That is where the anti-trafficking rules of the DMCA come in. The anti-trafficking rules make it unlawful to sell computer programs or services to defeat access controls or copy controls, unless the tool in question (i) is not “primarily designed” to circumvent, (ii) has a commercially significant purpose or use other than to circumvent, and (iii) is not marketed for use in circumventing. The vendor who discovers in the marketplace a seller of a tool for use in circumventing the vendor’s access or copy controls can use the DMCA to obtain an injunction against the seller and force the removal of the tool from the market, as well as damages and, if allowed by the judge, attorneys’ fees.
In addition to protecting against piracy and copyright infringement, the use of access and copy controls in a digital environment, when backstopped by the DMCA, can provide the vendor the ability to implement any of a wide variety of business and pricing models. For example, downloadable sheet music can be priced by the number of copies the user prints out. E-books, graphic art and music can be priced by the number of times read, viewed, or listened to or played. Software and content can be priced by the length of time the customer can access the material.
The DMCA protections can even be used to enforce access and copy controls on material in the public domain, if copyright-protected material is included with it. For example, access controls on an e-book consisting of Shakespeare’s As You Like It, if accompanied by a recent critical review, would be enforceable under the DMCA. (Of course, more and more material in the public domain is becoming freely available in digital format through the Internet, so this model may have little practical utility.)
Copyright Management Information. Vendors of software, digital content, and digital material distributed over the Internet should also consider using Copyright Management Information (“CMI”) in their material. CMI is protected by the DMCA from alteration by distributors or users. CMI includes not only the title, author and copyright owner, but also the terms and conditions for use of the work, and links to any of the foregoing. Although digital watermarks do not necessarily appear to be included in the CMI categories, the legislative history repeatedly refers to digital watermarks as CMI, and they can be used to preserve identification of the source of the work.
Data Protection. Some vendors sell software programs that produce data which is post-processed by any of several other programs. Sometimes such a vendor will desire to prevent competitors from producing alternative versions of the post-processing programs. For example, a compiler vendor might also produce a debugger, a simple loader, and a more sophisticated link-editor, each of which separately would take the output of the compiler (i.e. an object module) and process it further. If the compiler vendor’s compiler also includes proprietary library routines in the object modules, so that the vendor will have a claim of at least partial ownership of the object modules, the vendor could encrypt the object modules and thereby prevent competitors from producing alternative debuggers and loaders. The vendor’s own debugger and other post-processing programs would of course decrypt the object module. The customer should not care, because the object modules produced by the compiler will be fully usable for either debugging or for loading onto a computer to be run. This example demonstrates that in some cases the DMCA may buttress a vendor’s ability to prevent others from decrypting data, thereby preventing second source providers from entering the field.
Reverse Engineering
The reverse engineering exemption from the anti-circumvention and anti-trafficking bans of the DMCA will be useful in some cases, but not in as many as one might think at first glance. It will apply, for example, to the not uncommon situation of a software developer that is developing a program to do post-processing work on the output of another company’s software. If the developer needs to reverse engineer the other company’s program to analyze how the program creates the data, or what the data means, then the exemption may enable the developer (if he can get the right to use a copy of the program) to circumvent access and copy controls as part of the reverse engineering process. He can even create circumvention tools and, if necessary to enable interoperability, distribute them to others.
But observe what he cannot do. Under the fair use provisions of US copyright law, as interpreted by cases like Sega Enterprises Ltd. v. Accolade, Inc., one can make copies of another party’s computer program in the course of reverse engineering, not only for the limited purposes of achieving interoperability as described in the DMCA, but to analyze the algorithms, methods, designs and general functioning of the other’s computer program. If the program has access controls or copy controls on it, however, the DMCA bars one from circumventing those controls to reverse engineer for the broader purpose of analyzing the program’s internal functioning.
Observe also the difficulty if the output of a program is encrypted, perhaps because the output is intended only for use by either of two other programs, both developed by the same vendor as the original program. (This scenario is described above under “Data Protection.”) Unless the reverse engineering exemption is interpreted more broadly by the courts than its language seems to admit, the exemption will not excuse any circumvention of access or copying controls on the output.
Researchers
The DMCA allows researchers to circumvent access controls in the course of their research, and to develop and share with other collaborative researchers the technological tools to carry out the circumvention, provided (i) the circumvention is done as part of good faith encryption research, (ii) the encrypted copy was lawfully obtained, and (iii) the researcher has made a good faith effort to obtain authorization before the circumvention. This exception seems to be intended to encourage, or at least not prevent, legitimate research and testing in the field of encryption research as applied to systems for controlling access to copyrighted works.
Notwithstanding this research-oriented provision, some copyright owners have threatened researchers with legal action under the DMCA for publishing the results of their encryption research. These threats have resulted in a lot of public controversy and one lawsuit. The concern of the copyright owners was that the publication of research results that reveal flaws in cryptographic access control systems may in some cases enable users or developers of circumvention tools to easily defeat existing access and copying controls.
In a highly-publicized dispute, Professor Edward Felten and his co-authors were about to present a paper at a conference in April 2001 that revealed flaws in the recording industry’s control systems for digital music. Shortly before the conference they were contacted by the Recording Industry Association of America (“RIAA”) and threatened with legal action for violating the DMCA if they published the results of their research. The RIAA alleged that the paper provided unnecessarily detailed information, in particular relating to detailed numerical measurements such as frequencies and numeric parameters that would aid those seeking to circumvent the RIAA’s controls over its published music. The researchers withdrew their paper from the conference as a result. The RIAA later withdrew its threat, and the researchers subsequently published the paper. The researchers then commenced a lawsuit to strike down the DMCA and to declare that future publications of their research results would not violate the DMCA. In November 2001 the U.S. District Court in New Jersey dismissed the case as not amounting to a controversy, because of the withdrawal of the threats of prosecution. In February 2002 Professor Felten and the other plaintiffs announced they would not appeal the case.
What does all this mean to researchers who will want to publish their results? The DMCA is so new that there is very little case law on it, so unfortunately it’s difficult to predict how the law will be interpreted. The DMCA does prohibit an “offer to the public” of any “technology” that is either (a) “primarily designed or produced for the purpose of circumventing a technological measure”, (b) “has only limited commercially significant purpose or use other than to circumvent a technological measure”, or (c) is marketed “for use in circumventing a technological measure”. “Technology” would almost certainly be construed to include information about the results of research into encryption systems, and publishing the results is clearly an “offer to the public.” Whether the research publication would be viewed as meeting the “primarily designed,” “limited commercially significant purpose” or “marketed for use in circumventing” tests may depend on the how specific the published results are, as well as how applicable are the factors set out in the DMCA to determine if the researcher is in good faith and qualifies for the exemption for circumventing access controls during the research. Those factors include how the results were disseminated, whether the researcher is engaged in a legitimate course of study, or is employed or experienced in the field of encryption technology, and whether and when the researcher provides the copyright owner with notice of the findings and documentation of the research.