It was thanks to the work of independent security researchers that the security risks in Sony-BMG's copy-protected CDs were discovered. But what about the copy-protected CDs being sold by EMI labels (including Virgin, Capitol, and Liberty Records), which use similar copy protection technologies from Macrovision Corporation?

In the wake of the Sony-BMG debacle, it is more important than ever that independent security researchers kick the tires of the EMI CDs (because we can be sure that the bad guys are now wise to the fact that copy-protection software can yield tasty new vulnerabilities). Unfortunately, the good guys - security researchers - interested in doing the work have a minefield of legal risks to negotiate.

First, there is the Digital Millennium Copyright Act (DMCA), which makes it illegal to tamper with DRM technologies. Although the DMCA includes a "security research" exception, that exception is too narrow to be of use to most researchers. Princeton's Professor Ed Felten has made this point in his repeated efforts to get a broader DMCA exception from the Copyright Office in its triennial DMCA rulemaking process.

Second, there are the omnipresent click-thru end-user license agreements (EULAs) forbidding reverse engineering, including for security testing purposes. Many courts treat these contractual restrictions as enforceable, as the open source developers behind the bnetd project found out when Blizzard successfully sued them for violating the anti-reverse-engineering clause in the EULA.

If EMI has no interest in unleashing the lawyers on security researchers, now is the time for them to say so, eliminating the legal uncertainty so that the good guys can do the work that the bad guys are already at.

Accordingly, EFF has today sent EMI Music an open letter, urging it to:

  • Agree not to assert any claims under Title 17 of the U.S. Code (or similar statutes in other countries) against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs;
  • Agree not to assert any claims under the end user license agreement (EULA) that accompanies copy protected EMI compact discs against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs; and
  • Agree to take reasonable steps to ensure that vendors who supply copy protection technology to EMI also agree to waive any legal claims as described above against security researchers who have been, are, or will be working to identify security problems with copy protection technologies used on EMI compact discs.
