February 5, 2023

Edelman, ACLU File Anti-DMCA Suit

Ben Edelman, a soon-to-be law student at Harvard, has filed, with help from the ACLU, a lawsuit challenging restrictions on his right to disassemble and study a Web censorware product from a company called N2H2. The suit challenges the validity of an anti-tinkering clause in N2H2’s license agreement, and of the DMCA provisions that apply to Edelman’s proposed research. The complaint filed by Edelman and the ACLU is light on technical details about N2H2’s product.

Edelman says he wants to tinker with N2H2’s product, in order to determine the list of Web sites that it blocks, and to create and distribute a software tool that lets others extract the list (in case the list changes).

It looks like the main event will be the challenge to the license agreement, with the DMCA issues more remote and hence less likely to be ruled upon by the court. It seems to me that if the court upholds the validity of the license provisions, then the DMCA issue is moot. And the DMCA’s prohibition on acts of circumvention doesn’t apply, because there is an exception that protects efforts to extract the blocking lists of censorware products. That exception doesn’t apply to the dissemination of technologies for extracting blocked-site lists, so Edelman’s distribution of his proposed list-extraction tool would appear to be prohibited by the DMCA.

Princeton Accused of "Hacking" Yale

[This is slightly off-topic, but as a Princeton person I have gotten lots of questions about this incident.]

Somebody in Princeton’s admissions office, probably an associate dean of admissions, apparently accessed without authorization a Web site that Yale set up for people who had applied for admission to Yale. Yale says that 11 students’ records were accessed, on 18 occasions. Princeton admits that the accesses occurred, and has suspended the associate dean in question pending an investigation. The FBI is sniffing around.

I don’t have any direct knowledge of the relevant facts, so I’ll just assume for now that the press reports are accurate.

Three comments are in order. First, Yale was pretty irresponsible to put applicants’ private information on the Web with only the applicant’s social security number and birthdate as “passwords.” It’s no secret that it is easy to learn anybody’s SSN and birthdate, so Yale’s scheme left the applicants’ information open to almost any unscrupulous person. According to today’s Washington Post, the Yale site was designed and built by a Yale junior. I wonder how much adult supervision he had. (Of course, none of this can excuse the improper accesses that Princeton people, or anybody else, might have made to the site.)

Second, the Princeton admissions person who apparently made the accesses told the press that he was just trying to verify the insecurity of the Yale system. Whether the facts (e.g. the pattern of accesses) are consistent with this excuse remains to be seen. In any case, it’s an utterly lame excuse, as one could have verified the insecurity of the site without breaching it. This excuse was Slate’s Whopper of the Week.

Finally, this case illustrates one of the differences between computer intrusions and tinkering. An intrusion like this is wrong not because somebody disapproves of it, and not because somebody gains an advantage by doing it, but because it involves an unauthorized access to a system that belongs to somebody else. People often apply the same kind of rhetoric (i.e. “hacking”) to cases of tinkering, where the purported crime is to “break in” to one’s own property.