Security in the First World

The social consequences of the proposed US Security Systems Standards and Certification Act, which would make hardware copyright protection compulsory in America's 'interactive digital devices.'

The following article was published before 2021. Our editorial team has since adopted a new mission statement and editorial standards. Further information can be found here.

Back in 1999 I conducted, for Telepolis, the most demanding and, frankly, harrowing interview of my life, with the Free Software GNUru Richard Stallman. After he educated me on the subject of the Free Software Movement, we discussed the increased facility of copying and distributing media presented by digital formats and the internet. To me, these factors seemed to be pushing all digital media, software included, towards becoming 'free', as in gratis, as in no corporation being able to charge for files because it would simply be too easy for people to copy them and swap them. 'No,' Stallman argued, 'don't underestimate the power of these people. They have a massive amount of money and incredible influence with governments. You're in great danger if you talk about the future of trading gratis software, or sound files, or whatever, being assured. There is a strong likelihood that they will find a successful strategy to combat this.'

It's still too early to tell which of us will be proved right, but the proposed Security Systems Standards and Certification Act (SSSCA) clearly represents the next stage - some would say the last stand - in the battle of the United States' corporate media owners to retain control over the digital properties that seem to be steadily slipping through their fingers. If passed, it will require all personal computers within the US to incorporate a hardware digital rights management system that will make the use of 'illegally' copied files very difficult, at least for the average user. It will provide for potential $1,000,000 fines and 10 year prison sentences for anyone caught attempting to make a commercial product out of, or simply make money with, a device not containing such security measures. Further, anyone who distributes copyrighted material with the proposed security measures disabled or has a network-attached computer that disables copy protection will also be liable for prosecution.

This is a new escalation in the attempt to levy control over digital property, one which comes on the heels of two years in which the Digital Millennium Copyright Act, enacted in October 1998, has managed the trick of exciting universal contempt whilst seeming peculiarly impotent. The DMCA shifted the civil matter of copyright infringement into the criminal realm - by making it illegal to circumvent security provisions contained within software and media files. But the first and only criminal indictment it has produced has been this year's highly controversial Dmitry Sklyarov case. Sklyarov, a Russian national, was booked whilst working in the US for producing a piece of software for his employer, Elcomsoft, which permits users to translate from Adobe's 'secure' eBook format into the more common PDF format. The software, which reputedly only works on legitimately purchased eBooks, has been used by blind people to read otherwise-inaccessible PDF user's manuals, and by others who want to move an eBook from one computer to another - just as anyone may (currently, at least) move a CD from the living room player to a car or a friend's house. Sklyarov is currently facing a hefty prison sentence for this egregious crime.

Others have tangled with the DMCA but managed to avoid arrest. In September last year, a team led by Princeton Professor Edward Felten accepted a public challenge from the Secure Digital Music Initiative (SDMI) to break their new security systems, little imagining that they were expected to give up their First Amendment rights in order to do so. The 'SDMI Public Challenge' asked cryptographers to try to break the watermark schemes used to control consumer access to digital music. But when the scientists' paper about their successful defeat of these watermarks was accepted for publication, Felten received a threatening letter from SDMI and the Recording Industry Association of America (RIAA) which advised him to keep quiet or face litigation under the DMCA. Never mind the censorship this implied, or Felten's respected academic career in teaching others about security. In the US, it seems, the needs of copyright owners take precedence over Constitutional law.

Niels Ferguson is a Dutch cryptographer who claims to have cracked yet another 'secure' digital media encryption standard, the High Bandwidth Digital Content Protection System (HDCP) which is used to encrypt the signal between (for example) digital video cameras, DVD players and digital TVs to prevent the copying of video content. Ferguson is not alone in arguing that experiences such as those of Felten and Sklyarov show up the DMCA for what it is: a 'Snake Oil Protection Act.' 'When a manufacturer makes a defective product,' Ferguson says, 'you expect them to fix it. But the DMCA protects the manufacturer of the product by making it illegal to show that it's defective.' Ferguson argues that in the long run, the DMCA will make it much easier to create illegal copies. Why? 'If we cannot do research in this area, we will never develop good copyright protection schemes. We will be stuck with flawed systems.'

Another consequence of this protectionist attitude to security is its criminalisation of cryptography and cryptographers. Ferguson, fearing prosecution under the DMCA, has refused to release his HDCP findings into the public domain. The same goes for an anonymous US hacker who claims to have cracked Microsoft's Reader format. It is never desirable to create a new criminal class (especially a highly educated one) but there is a further, more specific danger here. Findings such as those of Ferguson and Felten are usually published through forums like Bugtraq or Usenix. Threats of litigation under the DMCA prevent this public logging of vulnerabilities, which consequently means they don't get fixed. They also remove the detente between industry and hackers, driving cryptographic activities further underground. As Ferguson is quick to point out, preventing the publication of security flaws will not mean that they don't get exploited. Snake Oil Protectionism cannot prevent clever hackers from exploiting security gaps, just make it difficult for them to tell more than a few close friends that they have done so.

In fact, there are many things that Snake Oil Protectionism cannot actually protect. When, early in the DMCA's tenure, Napster was crippled after a US court ruled that it must get permission for the use of songs from record labels, many pronounced the imminent demise of the fileshare revolution. Obviously they had not yet heard of the then hugely popular Hotline, or the now ubiquitous Gnutella network with its user-friendly LimeWire, BearShare and Gnotella clients. Nor did they predict the rise of other peer-to-peer sharing systems, like Audiogalaxy, Napigator, FreeNet, and the (fantastically named) eDonkey. Together, such systems are making it possible for Net users to share files far more effectively than they ever could through Napster alone. And the rising last-mile bandwidth available to Net users, accompanied by innovative compression formats like DivX ;-), is making things worse, not better, for media owners. Many full length feature films, including pre-release copies sneaked out of studios and those 'ripped' from DVDs, are available over these new P2P systems. There may be one or two high profile arrests yet under the DMCA, but these will not change the fact that the digital worm is out of the can - and replicating swiftly.

This, of course, is what the Security Systems Standards and Certification Act is all about. The corporations that lobbied for the DMCA - chief amongst them Disney - must be well aware that they are losing the battle. The leakage of their intellectual property into the digital commons has not only continued unabated after the Draconian measures imposed by the DMCA, but has in fact accelerated. The notion now seems to be that if encryption algorithms and legislational measures are not enough, then control must be leveraged over the hardware too. Those behind the SSSCA hope to solve the problem of the innate copyability of digital files by making it 'physically impossible' to play illegally copied media.

But what many already know is that the SSSCA provisions will never make it 'physically impossible' for people to copy and exchange 'secure' copyrighted files. Precisely because such files are inherently copyable, the most that can be done is to put some artificial limitations in place that, sooner rather than later, will be circumvented by cryptographers or hackers. I say sooner, because it seems likely that the 'security measures' referred to in the Act will take the shape of the so-called Trusted PC design that Microsoft, Intel, IBM and Compaq/HP have been working on for the last few years. In other words, the company that currently produces the most insecure OS in the world is to be tasked with securing digital media. No wonder that they're going to need some legislational muscle - in the form of even more Snake Oil Protectionism - to give the scheme a chance of working.

Ultimately, this is edging us towards a very dangerous situation indeed. Since it is not possible to find a purely technical solution to the problem of inherent copyability, schemes such as those represented by the SSSCA are going to need the power of the state and the police behind them. That means really arresting people for pointing out security flaws in systems like SDMI and Trusted PC. That means actually imprisoning software engineers who make it possible for members of the public to regain the fair use of their media (such as being able to lend and make selective copies for personal use) that they have enjoyed until now. And worse, it means criminalising not only cryptographers and hackers, but also those millions who see sharing files online as a natural pastime - just as in the last decade they shared cassette tapes with mixes of their favourite music.

Dmitry Sklyarov's case is totemic, but it is just the beginning. I do not believe that the provisions outlined in the SSSCA will work - certainly not if they are confined to the US, and perhaps not even if they are adopted (as with the DMCA) by the rest of the world. But that does not mean that they will not cause untold social damage along the way. The scenario that haunts me most, one that I discussed with a fairly senior AOL TimeWarner executive just a week ago, is the continuation of the process that is criminalising and forcing underground those who know that they cannot be physically stopped from having free access to media, who realise that it is ethically wrong for the state, lobbied aggressively by large corporations, to attempt to make such access illegal. This AOL TimeWarner executive, a friend of mine, opined that a two-tier society was imminent, in which the media experience of the average consumer (tier one) would be delivered through a tightly controlled content and distribution network (it's not just hot air: AOL TimeWarner put in a bid for AT&T's cable assets this week). This average consumer would never know that the systems used to deliver this experience were fundamentally insecure, or ever consider that they might have a fundamental right to greater control over the media that they consumed.

In tier two, the malcontents, cryptographers, hackers, renegades, would lurk in the shadows, building illegal, non-Trusted machines, contraband Linux boxes, hacking security provisions, swapping software and media, hunted by the police and facing extended jail sentences if they were caught. It's not so far fetched. Such a totalitarianism may be necessary to allow Big Media to continue making money, if it continues to refuse to think up a new business model. I have told my friend, the AOL TimeWarner executive, that under such conditions, I will have to consider him the enemy. He has acknowledged my position. The battle lines are drawn.