Yesterday was the deadline to submit requests for limited exemptions from the DMCA's ban on circumvention of access control technologies. This happens every three years. Alex Halderman and I submitted a request, asking for an exemption that would allow the circumvention of compact disk copy protection technologies that have certain spyware-ish features or create security holes. We'd like to thank Aaron Perzanowski and Deirdre Mulligan of the Samuelson Clinic at UC Berkeley, whose great work made this possible.
Many people decided not to submit exemption requests in this round, because of the way previous rounds have been handled. For example, the EFF argues that the process is so strongly tilted against exemptions, and the Copyright Office tries so hard to find excuses not to grant exemptions, that there is no point in asking for one. Even Seth Finkelstein, the only person who has had any real record of success in the process, decided to sit out this round. I submitted requests for research-related exemptions in 2000 and 2003; and having seen how those requests were handled, I sympathize with the skeptics' position.
Nevertheless, I think it's worth asking for this exemption, if only to see whether the Copyright Office will acknowledge that copy protection technologies that install spyware or otherwise endanger the security or privacy of citizens are harmful. Is that too much to ask?
To most readers here, the most interesting paragraph of our exemption request is this one:
Researchers like Professor Edward Felten and Alex Halderman waste valuable research time consulting attorneys due to concerns about liability under the DMCA. They must consult not only with their own attorneys but with the general counsel of their academic institutions as well. Unavoidably, the legal uncertainty surrounding their research leads to delays and lost opportunities. In the case of the CDs at issue, Halderman and Felten were aware of problems with the XCP software almost a month before the news became public, but they delayed publication in order to consult with counsel about legal concerns. This delay left millions of consumers at risk for weeks longer than necessary.
The DMCA exemption process continues, with reply comments due February 2.
Front page posts
DMCA vs. Security Research
Last month, I commented on how the DMCA was preventing research on spyware: ...the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium...
The DMCA is protecting spyware makers
It’s a sign of thinks gone nuts when a law suddenly becomes a shield for those who want to carry out evil, and this is exactly what is happening with the Digital Millennium Copyright Act (DMCA) which now seems to be hampering serious security re...
I had been wondering if that could be one of the reasons AV vendors were initially shying away from providing software to detect and remove the Sony malware. After all, that means they are actually trafficking in software to circumvent a protection device as part of their business. Better check and double-check with the lawyers on that one.
I'm not American, my country (Israel) does not yet have this kind of law, and still I'm shocked at the reality of the DMCA. How such a draconian piece of legally binding cr*p came into existence, giving underhanded corporations such a powerful weapon against all unprofitable innovation, is beyond my understanding.
This law affects me now as a technological person, and I'm scared because Israel will inevitably be forced to "upgrade" its copyright legistlation accordingly. Count me in with the EFF when this turns into a global war.
YEAH for the DMCA! Help protect content by any means possible I say!
Well Anonymous, I propose we just start putting viruses on CD's that cause the users harddrives to spin backwards and melt down if files are copied from the CD. That will protect your sacred content.
The whole situation is garbage. If I went into a store that was as hostile to me as a customer as the recording industry, especially SonyBMG, has been to its consumers, I'd openly admit that I was going straight to their competitors.
I already have told Sony by emailing executives and customer relations and investor relations that I'm going to their competitors for my business.
Suggestion : Check your DVDs for malware ....you will be unpleasantly shocked
According to a October 9th, 2003 SunnComm press release:
SunnComm believes that Mr. Halderman has violated the Digital Millennium Copyright Act (DMCA) by disclosing unpublished MediaMax management files placed on a user’s computer after user approval is granted.
Notice that two years ago, SunnComm used the phrase, "after user approval is granted." Now that it's been demonstrated that SunnComm now places MediaMax files on a user's computer without user approval, SunnComm's October 2003 statement must be read in a new light.
Just a brief clarification: EFF's view is that the DMCA exemption process is broken for the kinds of exemptions consumers are interested in (exemptions needed for lawful uses of CDs and DVDs). With respect to consumer-related uses, the various presumptions erected by the Register of Copyrights makes an exemption effectively impossible to get.
We continue to believe that the process could prove useful for exemptions aimed at non-consumer users (like Ed and Alex). We'll have to wait and see what the Register recommends. I will note, however, that Ed asked in 2003 for a very similar exemption for studying CD copy protection, only to have it rejected for formalistic reasons.
Fred
Further comment:
DMCA Exemption Non-Participation
S'up dudes. Hey an earlier article mentioned 'unless' you have disabled the Windows autorun feature. How do I do this?
'When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature).'
flybynite:
You ought to disable autorun not specifically in case Sony CDs install malware but as a matter of course anyway. It's a dangerous thing to allow. Why Microsoft continues to make it the default behavior is unfathomable to me. Here's how:
http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76351
Sony says, "Think of the artists." Here is what I say to Sony:
1. You have been found guilty or have settled with the state of New York for price fixing of CD's. You have participated in cheating consumers.
2. You have been found guilty or have settled with the state of New York for payola. Your actions in these instances have hurt artists badly. You pay to have select artists (usually pretty but untalented people) promoted at the expense of many with true talent.
3. Now you attempt to harm my computer. In my opinion you have *NO* redeeming social value. Your hands are dirty.
[...] Groups Home | My Groups | Language | Help Community FeedbackCommunityFeedback@groups.msn.com What's New Join Now Home Page Member of Month Hidden Gems HG Group Points Known Problems Update Status FAQ Hot Flashes Message Boards General Off Topic Tips and Tricks The Wish Board Promote Here Help Groups Multimedia Grps AwardPromo Grps Feedback Chat Problem Report Virus Alert Helpful Links Hijack File ID Search This Site Proud Member Tutorials Site Map Tools L_H_APP='MSN Groups';L_H_TEXT='For help on reading discussions, click a topic:';H_KEY='mb_ReadAll';H_CONFIG='wcv9c.ini';H_TOPIC='';H_URL_BASE='http://help.msn.com/en_us';H_BRAND='';H_FILTER='';H_BURL='/_PaneHelpFrame.msnw';bSearch= true ; function Help(){DoHelp();} function openPostPopup(url) { window.open(url, 'reply_popup', 'height=535,scrollbars=yes,resizable=yes,status=yes,width=600'); } Off Topic : SONY- from bad to worse Choose another message board function set_mb_view_mode(mode) { document.cookie = "WSMBView=" + mode + "; path=/; expires=Mon, 16 Aug 2010 10:20:00 UTC;"; window.location = "/CommunityFeedback/social.msnw"; } function rep(s){window.location.href = '/CommunityFeedback/social.msnw?action=get_message&mview=0&ID_Message=936287&LastModified=4675550199431362300&openpopup=1&posturl=' + escape('social.msnw?action=mb_post&mview=0&ID_TopParent=936287&ID_Parent=' + s)} Prev Discussion Next Discussion Send Replies to My Inbox ReplyRecommend Message 1 of 26 in Discussion From: MontyJacobs (Original Message)Sent: 11/16/2005 1:48 AM I couldnt find the thread about Sony's antipiracy software. Here is an update, it seems their program to remove the spyware opens your PC up to attacks Experts: Sony Plan Widens Security Hole But the uninstaller has created a new set of problems. To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet. According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet. First Previous 12-26 of 26 Next Last ReplyRecommend Message 12 of 26 in Discussion From: MontyJacobsSent: 11/22/2005 2:01 AM Texas sues Sony BMG over anti-piracy ReplyRecommend Message 13 of 26 in Discussion From: _rocketjsquirrel_Sent: 11/22/2005 8:55 PM SONY Update: Consumer goods giant Sony BMG continues to refuse comments to the press moving quickly towards one of the three largest consumer goods days in the USA of 11/25.Tech and media blogs recall readers' attention to July 2005 when Sony BMG was last fined by the US Attorney General and agreed to pay with no argument $10 million to settle their most recent disk jockey bribery suit. Tech news dailies are astonished that consumers continue to buy and play Sony BMG's cd's on home computers since the roolkit announcement was made 48 hours ago. ReplyRecommend Message 14 of 26 in Discussion From: JudyC©Sent: 11/22/2005 9:15 PM We just got our first HijackThis log posted today with the rootkit installed. Sony's removal tool was yanked after it was discovered it left computers vulnerable to malware attacks. After researching the best way to remove, it was stated that conventional removal methods will kill a computer's CD drive beyond repair. I can just picture the class action over that one. Sony may be big and may have a lot of money, but this is going to put a serious hurt on them before it's all over. ReplyRecommend Message 15 of 26 in Discussion From: _rocketjsquirrel_Sent: 11/22/2005 9:31 PM Judy, i just read that lady's OE issue with the Sony on her HJT. you are really and truly right for the reasons you mention and in the above few posts. this thing's getting uglier by the day and i'd have to change my opinion at this point about the level of legal penalties that'll be involved once this fiasco is concluded. at this point, it's getting clearer they'll be liable not only for the cd damages but all their (and other makers) cd/dvd drives out there as well. it's not another Eliot Spitzer $10 million slap on the wrist like they paid in July.the other cd makers and cd drive makers are notable in their lack of public comments about this affair - i gotta sneakin suspicion this ain't very promising news. no more pre-recorded cd's on the puter for me till we find out a bit more. ReplyRecommend Message 16 of 26 in Discussion From: _rocketjsquirrel_Sent: 11/24/2005 1:45 AM Sony news. Media business and tech security blogs made some reasonable legal forecasts and did some math today calculating that this penalty - as things stand now - may cost SNE more or less five billion dollars based on the per incident legal dollar penalty under Texas anti-spyware law. that'd be about eight percent of Sony's market capitalisation. it's speculation but there's a lot of it agreeing about the seriousness of the issue as well as that dollar figure and it sure seems this thing will make for lots of thanksgiving weekend conversation across the country. ReplyRecommend Message 17 of 26 in Discussion From: petite-57Sent: 11/24/2005 5:26 AM ReplyRecommend Message 18 of 26 in Discussion From: MontyJacobsSent: 11/25/2005 7:13 PM Levy: Sony Gets Caught With Slipped Discs After infuriating its customers, alienating its artists and running afoul of the Homeland Security Department, Sony last week announced a recall of 52 CD titles—everyone from Dion to Celine Dion—protected with a flawed scheme that left customers' computers vulnerable to viruses and vandals. ReplyRecommend Message 19 of 26 in Discussion From: T¤m_Sent: 11/25/2005 8:50 PM Microsoft to remove Sony malware from PCs CD copy-protection software deemed security risk MSNBC from Reuters Quote from Microsoft "we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta" ReplyRecommend Message 20 of 26 in Discussion From: JudyC©Sent: 11/25/2005 9:45 PM The MS detection/removal tool is due out on December 13th. I hope it's well tested ahead of time, because up to now, other removal methods have been ineffective, killed the CD drive and/or crashed Windows. ReplyRecommend Message 21 of 26 in Discussion From: £¬rotterdarned¬£Sent: 12/2/2005 8:46 PM Here's an interesting take by two anti-spyware researchers who were aware of the problem before it became known publically, and the action they've taken today because of their concern. Freedom To Tinker's their blog and the article's titled "The DMCA Should Not Protect Spyware". http://www.freedom-to-tinker.com/?p=938 ReplyRecommend Message 22 of 26 in Discussion From: JudyC©Sent: 12/2/2005 9:38 PM I hope they're successful, but I'm not going to hold my breath. The DCMA protects copyright holders at the expense of consumers, and exemptions are hard to come by. Too bad when the laws are written to protect...for lack of a better word....criminals. If an average citizen unleashed a program like that rootkit on the unsuspecting public, they'd be facing serious jail time. ReplyRecommend Message 23 of 26 in Discussion From: JudyC©Sent: 12/2/2005 9:39 PM ...DMCA ReplyRecommend Message 24 of 26 in Discussion From: _rocketjsquirrel_Sent: 12/3/2005 12:22 AM great link! i agree with you Judy about not holding our breath. but from reading the article written by the two professors, i don't think they're holding their breath either - it's just a way of giving DMCA the grief which they well deserve. and you never know - with this rootkit business now in the public's eye, DMCA may feel obliged to exempt these guys' research.Judy, on your comment about the Dec 13th MSFT patch, it's a shame we gotta wait - and i don't buy this pr mumbo jumbo they give about testing the patch requires the delay. this tuesday, a rare "extremely critical" vulnerability was reported by secunia in internet explorer. their recommendation until a manufacturer patch is offerred - use another browser. microsoft immediately confirmed the vulnerability and said: (1) wait til 12/13 (but maybe we'll do an immediate patch so stay tuned); (2) meanwhile, install WLSC (still in beta) to run a scan of your system - tacky bait, if ya ask me, to convince unwitting consumers to install the MSFT security suite. ReplyRecommend Message 25 of 26 in Discussion From: MontyJacobsSent: 12/3/2005 1:48 AM Just an update, there are apparently 2 spyware programs being used by SONY: Legal Woes Mount for Sony BMG Because Of Its CD Software at FindLaw, Dec 02 background According to the Electronic Frontier Foundation (EFF), co-counsel in the California case, Sony BMG has damaged consumers by including First4Internet XCP (XCP) and SunnComm MediaMax software in more than 24 millon music CDs. ReplyRecommend Message 26 of 26 in Discussion From: JudyC©Sent: 12/3/2005 9:46 AM More info at this link: http://www.groklaw.net/article.php?story=20051115001431715 I will never buy another Sony product again. First Previous 12-26 of 26 Next Last Return to Off Topic Prev Discussion Next Discussion Send Replies to My Inbox function navAway(url) { window.location.href = url; } Notice: Microsoft has no responsibility for the content featured in this group. Click here for more info. Try MSN Internet Software for FREE! MSN Home | My MSN | Hotmail | Shopping | Money | People & Chat | Search Feedback | Help ©2005 Microsoft Corporation. All rights reserved. Terms of Use Advertise TRUSTe Approved Privacy Statement GetNetWise document.cookie = "WStz=" + (new Date()).getTimezoneOffset() + "; path=/; expires=Mon, 16 Aug 2010 10:20:00 UTC;"; [...]
[...] Politics: Researchers Want Right to Bypass Protected Spyware Posted by Zonk on Fri Dec 02, '05 12:43 PM from the just-a-peek dept. Dotnaught writes "Computer security researchers Professor Edward Felten and Alex Halderman have asked the U.S. Copyright Office for an exemption (pdf) to the Digital Millennium Copyright Act (DMCA) so that they can circumvent copy protection technology used to protect spyware. The DMCA currently makes it illegal to bypass digital locks almost regardless of what they protect or the user's intent. As noted by the Electronic Frontier Foundation, the Copyright Office theoretically grants exemptions, but in reality discourages anyone from asking. What's significant about the application submitted by Felten and Halderman is that they knew about the dangers posed by Sony's XCP DRM software a month before the news became public. But they delayed publication for fear of prosecution. During that time, many more consumers fell victim to the spyware propagated by Sony." [...]
[...] Freedom to Tinker Blog Archive The DMCA Should Not Protect General and agreed to pay with no argument $10 million to settle their most recent disk jockey bribery citizen unleashed a program like that rootkit on the unsuspecting public, they d be facing [...]