April 23, 2024

The DMCA Should Not Protect Spyware

Yesterday was the deadline to submit requests for limited exemptions from the DMCA’s ban on circumvention of access control technologies. This happens every three years. Alex Halderman and I submitted a request, asking for an exemption that would allow the circumvention of compact disk copy protection technologies that have certain spyware-ish features or create security holes. We’d like to thank Aaron Perzanowski and Deirdre Mulligan of the Samuelson Clinic at UC Berkeley, whose great work made this possible.

Many people decided not to submit exemption requests in this round, because of the way previous rounds have been handled. For example, the EFF argues that the process is so strongly tilted against exemptions, and the Copyright Office tries so hard to find excuses not to grant exemptions, that there is no point in asking for one. Even Seth Finkelstein, the only person who has had any real record of success in the process, decided to sit out this round. I submitted requests for research-related exemptions in 2000 and 2003; and having seen how those requests were handled, I sympathize with the skeptics’ position.

Nevertheless, I think it’s worth asking for this exemption, if only to see whether the Copyright Office will acknowledge that copy protection technologies that install spyware or otherwise endanger the security or privacy of citizens are harmful. Is that too much to ask?

To most readers here, the most interesting paragraph of our exemption request is this one:

Researchers like Professor Edward Felten and Alex Halderman waste valuable research time consulting attorneys due to concerns about liability under the DMCA. They must consult not only with their own attorneys but with the general counsel of their academic institutions as well. Unavoidably, the legal uncertainty surrounding their research leads to delays and lost opportunities. In the case of the CDs at issue, Halderman and Felten were aware of problems with the XCP software almost a month before the news became public, but they delayed publication in order to consult with counsel about legal concerns. This delay left millions of consumers at risk for weeks longer than necessary.

The DMCA exemption process continues, with reply comments due February 2.


  1. […] Politics: Researchers Want Right to Bypass Protected Spyware Posted by Zonk on Fri Dec 02, ’05 12:43 PM from the just-a-peek dept. Dotnaught writes “Computer security researchers Professor Edward Felten and Alex Halderman have asked the U.S. Copyright Office for an exemption (pdf) to the Digital Millennium Copyright Act (DMCA) so that they can circumvent copy protection technology used to protect spyware. The DMCA currently makes it illegal to bypass digital locks almost regardless of what they protect or the user’s intent. As noted by the Electronic Frontier Foundation, the Copyright Office theoretically grants exemptions, but in reality discourages anyone from asking. What’s significant about the application submitted by Felten and Halderman is that they knew about the dangers posed by Sony’s XCP DRM software a month before the news became public. But they delayed publication for fear of prosecution. During that time, many more consumers fell victim to the spyware propagated by Sony.” […]

  2. Sony says, “Think of the artists.” Here is what I say to Sony:
    1. You have been found guilty or have settled with the state of New York for price fixing of CD’s. You have participated in cheating consumers.
    2. You have been found guilty or have settled with the state of New York for payola. Your actions in these instances have hurt artists badly. You pay to have select artists (usually pretty but untalented people) promoted at the expense of many with true talent.
    3. Now you attempt to harm my computer. In my opinion you have *NO* redeeming social value. Your hands are dirty.

  3. flybynite:

    You ought to disable autorun not specifically in case Sony CDs install malware but as a matter of course anyway. It’s a dangerous thing to allow. Why Microsoft continues to make it the default behavior is unfathomable to me. Here’s how:


  4. S’up dudes. Hey an earlier article mentioned ‘unless’ you have disabled the Windows autorun feature. How do I do this?

    ‘When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature).’

  5. Just a brief clarification: EFF’s view is that the DMCA exemption process is broken for the kinds of exemptions consumers are interested in (exemptions needed for lawful uses of CDs and DVDs). With respect to consumer-related uses, the various presumptions erected by the Register of Copyrights makes an exemption effectively impossible to get.

    We continue to believe that the process could prove useful for exemptions aimed at non-consumer users (like Ed and Alex). We’ll have to wait and see what the Register recommends. I will note, however, that Ed asked in 2003 for a very similar exemption for studying CD copy protection, only to have it rejected for formalistic reasons.


  6. Ned Ulbricht says

    According to a October 9th, 2003 SunnComm press release:

    SunnComm believes that Mr. Halderman has violated the Digital Millennium Copyright Act (DMCA) by disclosing unpublished MediaMax management files placed on a user’s computer after user approval is granted.

    Notice that two years ago, SunnComm used the phrase, “after user approval is granted.” Now that it’s been demonstrated that SunnComm now places MediaMax files on a user’s computer without user approval, SunnComm’s October 2003 statement must be read in a new light.

  7. Jonathan C. says

    Suggestion : Check your DVDs for malware ….you will be unpleasantly shocked

  8. I already have told Sony by emailing executives and customer relations and investor relations that I’m going to their competitors for my business.

  9. Well Anonymous, I propose we just start putting viruses on CD’s that cause the users harddrives to spin backwards and melt down if files are copied from the CD. That will protect your sacred content.

    The whole situation is garbage. If I went into a store that was as hostile to me as a customer as the recording industry, especially SonyBMG, has been to its consumers, I’d openly admit that I was going straight to their competitors.

  10. YEAH for the DMCA! Help protect content by any means possible I say!

  11. I’m not American, my country (Israel) does not yet have this kind of law, and still I’m shocked at the reality of the DMCA. How such a draconian piece of legally binding cr*p came into existence, giving underhanded corporations such a powerful weapon against all unprofitable innovation, is beyond my understanding.

    This law affects me now as a technological person, and I’m scared because Israel will inevitably be forced to “upgrade” its copyright legistlation accordingly. Count me in with the EFF when this turns into a global war.

  12. I had been wondering if that could be one of the reasons AV vendors were initially shying away from providing software to detect and remove the Sony malware. After all, that means they are actually trafficking in software to circumvent a protection device as part of their business. Better check and double-check with the lawyers on that one.

  13. The DMCA is protecting spyware makers

    It’s a sign of thinks gone nuts when a law suddenly becomes a shield for those who want to carry out evil, and this is exactly what is happening with the Digital Millennium Copyright Act (DMCA) which now seems to be hampering serious security re…

  14. DMCA vs. Security Research

    Last month, I commented on how the DMCA was preventing research on spyware: …the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium…