January 4, 2006 | By Fred von Lohmann

What About EMI's Copy-Protected CDs?

It was thanks to the work of independent security researchers that the security risks in Sony-BMG's copy protected CDs were discovered. But what about the copy-protected CDs being sold by EMI labels (including Virgin, Capitol, and Liberty Records), which use similar copy protection technologies from Macrovision Corporation?

In the wake of the Sony-BMG debacle, it is more important than ever that independent security researchers kick the tires of the EMI CDs (because we can be sure that the bad guys are now wise to the fact that copy-protection software can yield tasty new vulnerabilities). Unfortunately, the good guys - security researchers - interested in doing the work have a minefield of legal risks to negotiate.

First, there is the Digital Millennium Copyright Act (DMCA), which makes it illegal to tamper with DRM technologies. Although the DMCA includes a "security research" exception, that exception is too narrow to be of use to most researchers. Princeton's Professor Ed Felten has made this point in his repeated efforts to get a broader DMCA exception from the Copyright Office in its triennial DMCA rulemaking process.

Second, there are the omnipresent click-thru end-user license agreements (EULAs) forbidding reverse engineering, including for security testing purposes. Many courts treat these contractual restrictions as enforceable, as the open source developers behind the bnetd project found out when Blizzard successfully sued them for violating the anti-reverse-engineering clause in the EULA.

If EMI has no interest in unleashing the lawyers on security researchers, now is the time for them to say so, eliminating the legal uncertainty so that the good guys can do the work that the bad guys are already at.

Accordingly, EFF has today sent EMI Music an open letter, urging it to:

  • Agree not to assert any claims under Title 17 of the U.S. Code (or similar statutes in other countries) against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs;
  • Agree not to assert any claims under the end user license agreement (EULA) that accompanies copy protected EMI compact discs against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs; and
  • Agree to take reasonable steps to ensure that vendors who supply copy protection technology to EMI also agree to waive any legal claims as described above against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

A deep dive into XKEYSCORE, one of the NSA's creepiest spying tools: https://eff.org/r.c6hp

Jul 3 @ 3:12pm

Come to EFF HQ on July 8 for a book talk with author of "Geek Heresy: Rescuing Social Change from the Cult of Tech" https://eff.org/r.i3fv

Jul 2 @ 4:57pm

EFF is turning 25! Here's the who, what, when, where, how, and—maybe most importantly—why of our celebration: https://eff.org/r.6dov

Jul 2 @ 4:51pm
JavaScript license information