[DMCA-Activists] Canadian Security Co's Oppose Anti-circumvention Law

[Seth Johnson]

-------- Original Message --------
 Subject: [IP] Canadian Security Co's Speak Out
          AgainstAnti-circumvention Legislation
    Date: Wed, 09 Mar 2005 10:27:30 -0500
    From: David Farber <address@hidden>
Reply-To: address@hidden

------ Forwarded Message
From: Michael Geist <address@hidden>
Date: Tue, 08 Mar 2005 17:30:17 -0500
To: <address@hidden>
Subject: Canadian Security Co's Speak Out Against
Anti-circumvention Legislation

Dave,

A substantial group of Canada's security technology companies
have sent a public letter to the Industry and Heritage Ministers
to express concern about the potential for DMCA-like legislation
in Canada.  Years of discussions and no one bothered to ask these
guys what they think.

The public letter has been posted online at
<http://www.cippic.ca/en/news/documents/Letter_to_Ministers_Emerson_and_Frulla_from_Security_Business_Community.pdf>

A release and backgrounder are at
http://www.cippic.ca/en/news/documents/Press_Release_-_Security_Businesses.pdf

http://www.cippic.ca/en/news/documents/Backgrounders_of_Participants.pdf

This might be a sign of Canada's technology community waking up
to the implications of copyright reforms that directly impact
their businesses.

Best,
MG

---

March 8, 2005

BY COURIER

The Honourable David L. Emerson, P.C., M.P.
Minister of Industry
235, Queen Street, 11th Floor, East Tower
Ottawa, Ontario   K1A 0H5

The Honourable Liza Frulla, P.C., M.P.
Minister of Canadian Heritage and Status of Women
15 Eddy Street
Gatineau, Quebec  K1A 0M5

Dear Minister Emerson and Minister Frulla:

Re:     Proposals to include Anti-Circumvention Rights in A Bill
to Amend the Copyright Act

We write to you as leaders of Canada's security research business
community.  We understand that the Canadian government in the
near future will introduce legislation to amend the Copyright Act
to introduce rights to prohibit the circumvention of
technological protection measures, or "TPMs".  Any such amendment
will have profound negative consequences for security researchers
and businesses that commercialize such research.  The business
community involved with security research and related services
has a great deal at stake in this legislation, both economically
and technologically.  Despite these considerations, the
government has yet to consult with us.  We urge the government to
take our concerns into account prior to implementing any such
amendment.

Legal protection for TPMs is the equivalent of making
screw-drivers illegal because they can be used to break and
enter.  Good legislation targets the illegal act, not the legal
tools the crook might use.  Canada is already well-served by laws
protecting copyright.  Outlawing the technological tools - the
screw-drivers of the technology community - undermines Canada's
commitment to fostering an economy built on innovation and
opportunity.

Understand that the science and business of digital security
implicates the practical application of circumvention
technologies. To understand security threats, researchers must
understand security weaknesses.  We are not in the business of
circumventing technological safeguards for the purposes of
exploiting the weaknesses we find; rather, we are in the
businesses of finding and addressing those weaknesses.  In this
way, our work offers crucial support to the business interests of
those who seek to protect their copyrighted works through
technology.  Indeed, technological protection measures and
digital rights management systems themselves are practical
applications of the work of this research community.

We observe that in other jurisdictions, rights holders have often
sought to enforce anti-circumvention rights for reasons other
than copyright protection.  Anti-circumvention rights have
anti-competitive applications. These have been well documented
and should be familiar to you.  We won't dwell on them here. More
troubling from a public policy perspective, however, are those
attempts to assert anti-circumvention rights to silence critical
research into security holes.  Such attempts are at base
motivated by a desire to maintain control over security research
in respect of particular platforms or applications.  Centralized
control over security research does not make for good public
policy. Security weaknesses are best found - and addressed - when
a variety of security researchers examine a platform or
application. The odds of one party devising the best response to
a security issue are slim; the likelihood of an optimal response
improves significantly when a community of security researchers
has the opportunity to examine and test a platform or
application.  Anti-circumvention laws throw a shroud of legal
risk over that community, and dampen security research at the
edges.  Simply, anti-circumvention laws that provide for
excessive control make for bad security policy.

The American experience under the Digital Millennium Copyright
Act (the "DMCA") should be instructive in this regard. Professor
Ed Felton of Princeton University was threatened with litigation
(as were conference organizers) for attempting to present his
findings on security holes in the work of the Secure Digital
Music Initiative industry working group.  Dmitri Sklyarov, a
Russian programmer, was jailed for travelling to the United
States and presenting the results of his work on a software tool
that could be used to read Adobe's "e-book" files.  American
security researchers are choosing to avoid research with DMCA
implications. Global experts on security now avoid traveling to
the United States. Richard Clarke, former White House
cybersecurity and counterterrorism adviser, has observed that the
DMCA's anti-circumvention provisions have had a "chilling effect
on vulnerability research."  The DMCA has had a demonstrably
negative impact on security research in the United States.

Canada has historically been a global leader in the science of
cryptography.  Canada is now turning to apply that strength to
the business of digital security.  The Canadian government should
support this emerging industry, not erect market barriers or
create new risks of legal liability.  In the late nineties, the
Canadian government made online connectivity a priority with the
goal of making Canada "the most connected nation in the world".
Consistent with that goal, Canada released its Cryptography
Policy in 1998, envisioning digital security as key to "building
Canada's information economy and society", and making a
commitment to fostering the development of the digital security
business sector. In 1998, the Canadian government recognized the
importance of this business sector to securing reliable
electronic commerce.  In the context of anti-circumvention laws,
these considerations have barely merited a mention.

Proponents of anti-circumvention laws protest that these laws do
not target "legitimate" security research, and that laws may be
crafted with exceptions for such research.  With respect, the
DMCA carries such exceptions.  They have proven both inadequate
and ineffective in protecting security researchers from threats
of litigation.  Moreover, such exceptions offer little security
against the threat of litigation.  Rights-holders have not
hesitated to assert anti-circumvention rights against researchers
to maintain control over public dissemination of security
research implicating their applications and platforms, even where
such claims have only the most tenuous basis in fact.
Nonetheless, such threats create a "liability chill".  Security
researchers and businesses generally lack the time and resources
to defend such claims, with the result that the mere threat
achieves the claimant's objective.  The mere threat of liability
for circumvention is a mischief itself that may only be addressed
by not creating the basis for the threat in the first place.

In our view, the best policy would be to introduce no change to
the law at all.  Rights-holders are well protected by traditional
rights under the Copyright Act.  An infringement remains an
infringement regardless of whether or not a TPM is circumvented.
TPMs themselves provide a second layer of protection sufficient
to deter all but the most sophisticated would-be infringers.
Legally privileging TPMs would add a third layer of protection;
however, we seriously question whether the marginal value of this
legal protection outweighs the severe impairment it causes to
legitimate security research.

We welcome the opportunity to discuss the matters addressed in
this letter with you.  We look forward to being consulted by the
government on future developments in this area.

Yours truly,

Brian O'Higgins
Chief Technology Officer
Third Brigade, Ltd.

Brian Flood
Chief Executive Officer
VE Networks, Inc.

Bob Young,
Co-founder and Director, Red Hat, Inc.
Founder and CEO of Lulu, Inc.
Owner, Hamilton Tiger-Cats Football Team
Hugh Ellis
Chief Executive Officer
Cinnabar Networks Inc.

John Detombe
Director
AEPOS Technologies Corporation

Austin Hill
President
Synomos Inc.

John Alsop
Founder and Chairman
Borderware Technologies Inc.

Michael Kouritzin
Chief Executive Officer
Random Knowledge Inc.

Dr. Stefan Brands
President
Credentica

Carl C. Bond
President
Innusec, Inc.

Djenana Campara
Chief Technology Officer
Klocwork Inc.

Randy Sutton,
President
Elytra Enterprises Inc.

--
**********************************************************************

Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
address@hidden              http://www.michaelgeist.ca


------ End of Forwarded Message
  -----------------------------------------------------------------

Archives at:
http://www.interesting-people.org/archives/interesting-people/

No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.6.3 - Release Date: 3/7/05