ACADEMIC FREEDOM v. ANTI-CIRCUMVENTION

November 2001

 

            News regarding a Princeton University computer scientist who responded to an invitation from the Recording Industry Association of America (RIAA) to test its Secure Digital Musical Initiative (SDMI) has raised serious concerns on the part of the research and scientific communities. SDMI is a consortium of parties interested in preventing piracy of digital music, and it is working to develop and standardize technologies that give music publishers more control over what consumers can do with purchased recorded music. It developed audio watermarking and other security technologies to this end. 

 

Dr. Edward W. Felten is an Associate Professor of Computer Science at Princeton University.  He and his research group have sued the Record Industry Association of America (RIAA) for chilling his right to scientific speech.

 

            The RIAA issued a public challenge to the entire Internet world to try to crack the technologies it proposed to use to protect digital music from copyright infringement.   Dr. Felten notified the Association (via its website) that he accepted the challenge to remove the digital watermarks and crack the security technologies. His group engaged in this research and successfully reverse-engineered the four audio watermarking technologies  and cracked the security technologies within a short time.  Dr. Felten stated that based on the techniques his group used, “no public watermark-based scheme designed to thwart copying will succeed.”

 

            Dr. Felten and his research group (now referred to as the Princeton 12) then did what academic researchers normally do.  They wrote up their findings in a scientific paper and submitted it to a peer-reviewed scientific conference, the Usenix Security Conference.  The paper was accepted for publication and presentation at the August conference. 

 

            The RIAA then sent Felten a letter and threatened to sue if he presented the paper or published it charging a violation of the anti-circumvention provision of the Digital Millennium Copyright Act, despite the fact that it had invited and even specifically authorized Felten to attack their technologies.  So, Dr. Felten withdrew from the conference citing fear of suit as the reason.  News of RIAA’s heavy-handed tactics caused considerable concern and debate among academics and researchers, especially since his work could be defined as “legitimate encryption research” under the DMCA and because RIAA had invited such research.

 

            Assisted by the Electronic Frontier Foundation (EFF), Dr. Felten and the others filed suit against the RIAA.  The basis of the suit is a declaratory judgment that presentation of the scientific paper will not violate the DMCA since they have a First Amendment right to publish their research.  The suit asks the court to overturn the anti-circumvention provisions of the DMCA as unconstitutional restrictions on freedom of expression.  In July, the RIAA filed a motion to dismiss the suit, saying that its letter to Dr. Felten was not meant to be threatening and that it would not sue if the information were published.

 

            On August 15, 2001, the paper was published at the Usenix Security Conference with permission of RIAA and other relevant groups. The lawsuit has not been dropped, however, because these groups continue to insist on veto power over the ongoing work and future publications of the Princeton 12.

 

            The issues raised by this suit are quite serious for researchers, especially in the area of Internet security.  Matthew Blaze, a research scientist at AT&T Laboratories who filed a declaration in the Felten suit, said that scientific and engineering researchers rely on the open publication of knowledge to communicate with others and to gauge progress in the field.  Conferences, such as the one in which Felten was to participate, are critical if scientists are to have the results of others on which to build the development of new knowledge.  Prohibitions on discussions and publication of security vulnerabilities greatly harm researchers and scientific advancement. According to Blaze, criminal organizations are not stymied by such restrictions, and there is considerable reason for concern if legitimate researchers are not permitted to study, learn and fix vulnerabilities that are visible to criminals.  The Computing Research Association stated that “the action by RIAA represents a clear and immediate threat to the healthy conduct of computer systems research.”

 

            The anti-circumvention provisions of the DMCA[1] have been controversial among the academic community while content providers and the courts have cited them with approval.  The prohibition against distribution of circumvention devices are particularly troubling in the area of cryptology and security research since such distribution could include publication of research results.  In fact, some security researchers are reluctant to engage in the study of vulnerabilities of security systems because of a fear that they will be unable to publish their research results – a truly chilling effect of the DMCA which was bolstered by RIAA’s action with Felten.                    

                    

                     

 

 

 

 

 

 

 


[1]               See Copyright Corner in Information Outlook June, 1999 & January, 2001.