January 4, 2006 | By Fred von Lohmann

What About EMI's Copy-Protected CDs?

It was thanks to the work of independent security researchers that the security risks in Sony-BMG's copy-protected CDs were discovered. But what about the copy-protected CDs being sold by EMI labels (including Virgin, Capitol, and Liberty Records), which use similar copy protection technologies from Macrovision Corporation?

In the wake of the Sony-BMG debacle, it is more important than ever that independent security researchers kick the tires of the EMI CDs (because we can be sure that the bad guys are now wise to the fact that copy-protection software can yield tasty new vulnerabilities). Unfortunately, the good guys - security researchers - interested in doing the work have a minefield of legal risks to negotiate.

First, there is the Digital Millennium Copyright Act (DMCA), which makes it illegal to tamper with DRM technologies. Although the DMCA includes a "security research" exception, that exception is too narrow to be of use to most researchers. Princeton's Professor Ed Felten has made this point in his repeated efforts to get a broader DMCA exception from the Copyright Office in its triennial DMCA rulemaking process.

Second, there are the omnipresent click-thru end-user license agreements (EULAs) forbidding reverse engineering, including for security testing purposes. Many courts treat these contractual restrictions as enforceable, as the open source developers behind the bnetd project found out when Blizzard successfully sued them for violating the anti-reverse-engineering clause in the EULA.

If EMI has no interest in unleashing the lawyers on security researchers, now is the time for them to say so, eliminating the legal uncertainty so that the good guys can do the work that the bad guys are already at.

Accordingly, EFF has today sent EMI Music an open letter, urging it to:

  • Agree not to assert any claims under Title 17 of the U.S. Code (or similar statutes in other countries) against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs;
  • Agree not to assert any claims under the end user license agreement (EULA) that accompanies copy protected EMI compact discs against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs; and
  • Agree to take reasonable steps to ensure that vendors who supply copy protection technology to EMI also agree to waive any legal claims as described above against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs.
