i. Background

ii. Covenant

iii. Examples of security research confounded by anti-circumvention

iv. FAQ



The incorporation of EME in the W3C's work brings its work-products, for the first time, under an obscure and difficult-to-navigate realm of copyright called "paracopyright," which is created by statutes such as section 1201-1203 of the the US DMCA, as well as laws in other territories (EUCD implementations in the EU; Bill C-11 in Canada; and other laws throughout Asia, Latinamerica, Australia, NZ, etc).

Copyright concerns the exclusive rights to authors to control a limited suite of statutorily defined activities, generally: reproduction, performance, display, and adaptation. The limits to these rights are also defined by statute; for example, "format shifting" exemptions that permit transcoding media for use on a variety of devices; "time-shifting" exemptions that allow users to record streams for later viewing, etc. These limitations and exceptions to copyright include the familiar categories of "fair use" and "fair dealing" as well as ideas like "exhaustion" and "first sale."

DMCA 1201/3 and its analogues create a new cause of action for rightsholders that goes far beyond the traditional "anti-piracy" contours of copyright and establishes a form of private law, often called "paracopyright" by IP law scholars. Under 1201/3 (etc), rightsholders who deploy access control systems have a right of action against manufacturers, users and third parties who defeat this access control, even when that defeat is undertaken for a lawful purpose. For example, some mobile OS vendors use access-control systems to prevent users from installing software from sources other than the official OS app store. Buying a program from a vendor and installing it on a phone
you own isn't piracy by any stretch -- but the paracopyright created by DMCA 1201/3 allows rightsholders to prosecute vendors, software authors, and users who reconfigure their devices to allow them to install any software they choose to run.

(See EFF's white paper on this for more.)

A significant consequence of paracopyright is its impact on security researchers. Rightsholders' counsel have argued (sometimes successfully), that the prohibition on circumventing access-controls includes a prohibition on publishing information that would assist in circumvention. This includes the disclosure and demonstration of vulnerabilities in technologies that include an access control. Security researchers widely cite the chilling effect of this as a factor in preventing disclosure of their results, and there have been real-life instances of serious security vulnerabilities that were able to fester for months after discovery because the initial discoverer was advised by counsel not to make any disclosure -- these vulnerabilities were not disclosed until less risk-averse researchers independently rediscovered them and came forward. In the interim, the vulnerabilities spread to new systems and were sometimes exploited by attackers.

These two features of paracopyright -- a prohibition on releasing compatible, legal implementations of existing products; and a prohibition on disclosing security vulnerabilities -- are at odds with the purpose of open standards:

* First, to enable implementers to ensure compatibility between technologies; and second

* To ensure that implementations are subject to independent scrutiny and review, with a robust culture of disclosure so that users can make informed choices about whose technologies they trust.

Accordingly, the Electronic Frontier Foundation has formulated a covenant that it asks be inserted into the charter of appropriate working groups, and/or in other policy documents as would be most effective in the W3C context, through which members who participate in standards-setting are asked to bind themselves to a "non-aggression" posture in relation to those future implementers and vulnerability reporters who come to rely on the work product of that group.

At the request of the AB, we've asked the security researchers mentioned in the matter below whether they would endorse this proposal. All the researchers we approached agreed that this should be the minimum precautionary measure for standards bodies contemplating EME-style standardisation:

* Bruce Schneier
* Matt Blaze
* Matt Green



1. Scope of Obligations

The following covenant applies to all participants (W3C Members, W3C Team members, invited experts, and members of the public) in a Working Group for the development of a specification that provides a content protection or Digital Rights Management system or a substantial component of such a system, or that requires or recommends such a system.

2. W3C DRM Circumvention Nonaggression Covenant

Each participant irrevocably covenants that it will not bring or join suit against any person under 17 U.S.C. § 1203, or under under any other law of any jurisdiction that regulates the circumvention of technological measures that effectively control access to a work protected by copyright, where the act complained of relates to:

(a) the circumvention of any implementation of the specification;

(b) the publication of any non-compliant implementation of the specification; or

(c) the publication or disclosure of any vulnerability in the specification or in any implementation of the specification.

For avoidance of doubt, the foregoing only applies to Section 1203 of the DMCA and its international analogues and is not intended to interfere with the ability of rightsholders to police their copyrights under other parts of the relevant statutes.



Recent issues with anti-circumvention liability, from the US Copyright
Office's triennial exemption hearings:

(All documents in the Copyright Office's initial volley are here.)



"The legal cloud hanging over vehicle security research has also chilled research and publication of research results"

* Matthew Green/Johns Hopkins

"Today, the ambiguity and onerousness of the current security-related DMCA exemptions impose a high degree of risk, overhead, and uncertainty on researchers, chilling security research and necessitating a clearer exemption"



* Coalition of computer scientists (Drexel, Indiana U, NYU, CMU, CUNY, UC Berkeley, Georgetown, Rheinische Friedrich-Wilhelms-Universitaet Bonn, Penn, Northeastern, as well as industry scientists from Symantec, Bitcoin Foundation, etc)

* UK computer scientists (Oxford, Cambridge, UCL)

"DMCA Section 1201 is actively research-hostile and destructive to security without the proposed exemption of the Security Researchers: it leaves us all more vulnerable to the criminality of both nation-state sponsored and independent malicious attackers."

* Matthew Green (CMU)

"[DMCA] ambiguity and other shortcomings [...] chill security research"

* Internet Association

"Our business planning is meaningfully damaged by legal ambiguities such as those in the DMCA. The DMCA exposes us and our employees to additional legal risk as we strive to protect our customers' safety and our own intellectual property assets and goodwill."

* Felten/Halderman/Blaze/Bellovin/Heninger

Voting machines: "One of the Security Researchers was asked by the Ohio Secretary of State to lead a team to examine the integrity of various vendors' voting machines certified for use in Ohio.  Because voting machine vendors generally maintain tight controls over the software and technical details of their systems, this investigation happened solely because of the Secretary of State's intervention and request. In the course of this investigation, the researcher team discovered numerous serious exploitable vulnerabilities in almost every component of every vendor's system that was examined, including vulnerabilities that could be used to undetectably alter the outcome of an election. As a result of this study, technical and procedural changes were made in Ohio and other states to make it more difficult to exploit the flaws that we discovered. In the course of the analysis, the researcher team needed to defeat hardware and software mechanisms that were intended to prevent copying or alteration of data.   The research team developed techniques for misusing various hardware and software interfaces to extract and alter software, firmware and other data stored on the machines that were not intended to be copied or altered.  These machines used multiple different types of TPMs, and they all needed to be defeated in order to fully conduct the research as desired by the Secretary of State of Ohio."

Also in this paper: rootkits

* Eminent law profs (e.g. Pam Samuelson) and Bruce Schneier:

"The DMCA’s anti-circumvention provisions create a significant barrier to research on software flaws and vulnerabilities. The computer security researchers listed above are all aware of instances in which they or their colleagues have refrained from conducting or disseminating security research due to legal fears stemming from the DMCA. The prominent security researchers who submitted the exemption petitions have stated that they have chosen not to perform or disseminate security research that could have benefitted public safety because of the legal risks. 4 A group of corporate computer security leaders rep resenting nearly 50 companies have stated that the DMCA “hamper[s] both our ability to protect our businesses and the public from information security threats and to conduct critical security research.”"

* Association for Computing Machinery:

"A perceived association with the DMCA can chill legitimate research – potentially leaving computing systems vulnerable to attack .1 As one respondent put i t: “Yes!.. . Due to the [DMCA] I can't even talk about some of [the security flaws I find],” adding “[i]f a client sees my name publicly listed on such a document and they know I work with an organization to provide such research capability, I could lose my future contract work.” In our professional judgment, as computer and computer security professionals, we believe that the security of government and corporate systems, safety of consumer products, security of financial transactions, and even our national security are placed at significant risk if security research and testing is prevented by the threat of prosecution under the DMCA. We strongly urge the Copyright Office to grant this exemption request. "



* Verified Voting

"Security researchers believe that the DMCA currently prevents them from conducting in depth investigations of voting system software"



* Jay Radcliffe, Senior Security Consultant, Rapid 7

"This research that I have not performed based on the advice of my attorney includes research on the following code-dependent devices that have the capacity to kill or injure patients through malfunction: (1) Insulin pumps, including the Animas Ping, T-Slim, Dexcom and G4, (2) Artificial organs, including the Medtronic Artificial Pancreas, (3) Birth control implants; (4) Kidney dialysis machines; (5) Morphine infusion pumps; and (6) Smart contact lenses for diabetes monitoring.

"Because of the DMCA, as much as 40% of the computer code in these medical devices remains untested for safety by independent security experts. I am confident that I would find serious flaws in some or all of these devices if the DMCA did not prevent my research. Because of this lack of safety research, as a type 1 diabetic, I feel that using an insulin pump is too unsafe, and I instead self-inject with needles many times daily."

* Matthew Green (Johns Hopkins)

"Today, the ambiguity and onerousness of the current security-related DMCA exemptions impose a high degree of risk, overhead, and uncertainty on researchers, chilling security research"


iv. FAQ

1. This isn't needed, because EME doesn't trigger liability under Section 1201 of the DMCA and its analogues in other legal systems

EFF's copyright lawyers have extensive experience litigating and addressing 1201 threats as EFF is the first place many researchers turn when they receive threats. It's their professional judgement, based on that comprehensive, in-the-round view of the threat landscape, that there will be 1201 claims regarding EME.

You may disagree. Those claims might not succeed. We would even put that case to a judge in the event that we represented a researcher or implementer on the receiving end of such a threat.

Until the question is adjudicated, though, there's only one way to be certain that W3C members can't bring actions under DMCA 1201 and its analogues against entities who implement EME or demonstrate vulnerabilities in EME implementations: a non-aggression pact that binds them not to do so.

This is infinitely preferable to having nonprofits use their donors' money on up to a decade in court to get legal certainty.

Furthermore, each legal analogue to 1201 -- EUCD implementations, Canada's C11, etc -- has its own contours. Even if a US judge were to rule that EME was not covered by the statute, researchers in all those territories would gain little assurance from such a ruling -- but they would gain more from a covenant.

Here's a useful analogy to the patent policy: a W3C member may have a patent whose claims have an ambiguous overlap with a standard the W3C promulgates. Without the W3C patent policy you have to spend millions and years in court to find out whether the patent prevents you from implementing a standard


2. But I'm really, really certain that EME isn't covered by the DMCA or any of its analogues.

OK, we can agree to disagree. But if that's the case, then there's nothing to lose by adopting the covenant, since it only has effect if you're wrong. And if you are wrong, adopting the covenant is a zero-cost way of extending protection from liability to entities who implement W3C standards and who report vulnerabilities in them.


3. Not everyone with standing to take action under DMCA 1201 is a W3C member, so the protection offered by the covenant here will be useless

There's a big difference between "useless" and "incomplete." A huge plurality of the entities with the standing to bring an action under DMCA 1201 (and its global analogues) *are* W3C members.

Another analogy to the Patent Policy: not everyone who has a Web patent is a member of the W3C, but there are so many Web patents held by W3C members that the royalty-free license to implement all of the W3C's standards without permission from its members has given untold numbers of developers enough legal certainty to do so.


4. But the entertainment companies, especially, are likely to bring a 1201 action, and most of them are not members

It's a strange feature of 1201 and its analogues that companies that make DRM may have an easier time getting standing than the rightsholders whose copyrights are restricted by DRM.

To have standing under 1201 to sue someone for publishing a vulnerability or implementing a compatible tool, you have to show that your own copyrights are implicated in the activity.

In the case of the company that made the DRM, this is self-evident: when someone publishes a reader that can interoperate with Adobe's ebook DRM, Adobe knows that its rights have been violated -- it made the lock, it has standing automatically.

But for a publishing company to bring a suit, it would generally have to show that one or more of the copyrights it controls have been breached as a consequence of the jailbreak. That is a higher evidentiary burden.

That said. there's already a few members of the W3C who are primarily producers of copyrights that are restricted by DRMs, not companies that make DRM.

There's also another useful parallel to the Patent Policy. The most litigious patent holders are "Non-Practicing Entities" (NPEs, also known as "patent trolls").

NPEs, by definition, are *never* members of the W3C, and they are avid purchasers of patents whose art is widely practiced. They are absolutely the biggest patent-threat that W3C members face, and the Patent Policy offers no protection from them.

Despite this, the Patent Policy remains an important bulwark in the protection of the openness of W3C standards, but insulating implementers from much of the liability, if not all of it.


5. What about existing EME members? Will they be able to go on participating? What about their contributions prior to the covenant?

As the covenant will be added through a rechartering process, this will be no different to any other change of scope through rechartering -- members who don't like the new charter don't have to stay in the group. Former contributions are still in the spec, but may be modified or excised in future evolutions of the specification.