SECURITY WIRE DIGEST, VOL. 4, NO. 78, OCTOBER 17, 2002
Security Wire Digest (BPA E-Mail Audit Report, June 2002*) is an e-mail newsletter brought to you on Mondays and Thursdays by Information Security magazine.
...
*DMCA OPEN FOR COMMENT, AGAIN
By Garry Ray
Beginning Nov. 19, the public will get another crack at commenting on--and perhaps even modifying--the controversial Digital Millennium Copyright Act (DMCA). The U.S. Copyright Office is soliciting specific examples of how the 1998 law restricts security and other research, but it won't consider hypothetical problems or issues of inconvenience.

DMCA makes it illegal to copy or improperly access copyrighted electronic works such as music, DVDs, e-books and even software applications. Yet critics contend the DMCA, as currently drafted, is so vague and imprecise that it lumps security researchers and practitioners in with criminals.

"If you gain access to material that is VPN'd or firewalled, there's no reason you couldn't be subject to a DMCA action," says Fred von Lohmann, senior intellectual property attorney for the Electronic Frontier Foundation.

In the first criminal DMCA case, Russian programmer Dmitry Sklyarov was charged last for developing a program that circumvented Adobe e-Book copyright protections. DMCA opponents relished the opportunity to test the law in court, but the case never went to trial. Sklyarov entered a plea bargain agreement in exchange for probation. (See "Sklyarov Denied U.S. Visa to Testify at Trial," below.)

DMCA section 1201j makes certain allowances for legitimate network security testing, which it calls "good faith testing, investigating or correcting a security flaw or vulnerability, with the authorization of the owner." But there remains enough ambiguity to cause security practitioners some concern.

"DMCA doesn't merely say that the copyright holder can sue you, but anyone claiming harm" from a security test, says Edward Felten, a professor at Princeton University.

Felten, who battled in federal court over a DMCA lawsuit last year until the Department of Justice withdrew the charge, adds, "If you discover [an access control] system doesn't work as well as the vendor said, then the vendor can potentially threaten to sue you."

But the security community shouldn't be wildly optimistic. The last comment period was more than two-and-a-half years ago and produced two adjustments, based on 129 comments from industry, academia and the public.

The comment period ends December 18, 2002.
http://www.copyright.gov/1201/comment_forms
http://www.copyright.gov/legislation/hr2281.pdf