DMCA Forces Cox To Censor Changelog?

Ross Vandegrift writes: "Alan Cox released 2.2.20pre10 today, which includes security fixes. He is refusing to indicate what security holes have been fixed, as Unix-style permissions could be used as an anti-circumvention device. The thread starts here. " It'd be great if people could read the threads here and try to figure out what is going on. I'm a little lost, but it looks like he's being overzealous.

Overzealous, eh?

Hey, remember that time Felten wrote a paper and couldn't release it cuz it was a circumvention device?

Or that time I wanted to play DVDs in Linux and couldn't because I needed a circumvention device?

Or when some Russian dude got locked up away from his family because he wanted to let blind people use eBooks?

Overzealous my ass. This is a problem and we need to take a stand, whether it's "reasonable" or not. People need to understand what is at stake - and what better way to help that process than by showing them?

Re:Overzealous, eh?

Of course, when he filed suit against the RIAA, the RIAA realized they were trapped and fell on their sword.

They didn't fall on their sword, they threw it out of the picture and said "What sword?"

Which is the most chilling of all chilling effects -- they get to delay publication of information they're not happy with, then when someone calls their bluff they change their story and say they have no objections, and (according to the DOJ's interpretation), therefore, no prior restraint actually happened and you can't sue to prevent it from happening again.

You know, mid-term elections are happening in almost exactly a year. We all know that voter turnout sucks, especially for off years. What're the chance of a Slashdot party (hell, we're even Green) forming and fielding some geek candidates in key areas? I know my district has had the Republican incumbent running essentially unopposed for years. And we're home to Worldcom, AOL, and many other geek-heavy companies. Hell, these geek companies together probably employ as many people as voted in the entire district in '98, anyway.

Hm. Maybe I should repost this elsewhere...

Re:Offtopic

Republicans tend to not like business that deal in porn, etc, things they find morally offensive (however you feel like defining that).

More generally, "Republicans" do not favor government interference in commerce, and do favor government interference in "moral" conduct. The Republican definition of "moral" seems to coincide with the Religious Right (which is also apparently a vocal subset of Republicans), and does not address most business/commercial practices unless they are also "immoral" for non-business-related religious reasons (e.g., porn).

Conversely, the "Democrat" viewpoint seems to be in favor of government interference in commerce, but against government interference in non-business-related moral issues.

As far as I can tell, "Libertarians" seem to be against government interference in any area. Of course, all of these groups tend to favor any government decision that furthers their more immediate goals, or hinders the immediate goals of the other parties. For the Libertarians, this results in an oddly self-referencing approach where one acceptable role of government is to prevent government interference.

This applies to the United States of (North) America, naturally. YMMV.

libertarianism defined

As far as I can tell, "Libertarians" seem to be against government interference in any area. Of course, all of these groups tend to favor any government decision that furthers their more immediate goals, or hinders the immediate goals of the other parties. For the Libertarians, this results in an oddly self-referencing approach where one acceptable role of government is to prevent government interference.

I am a minarchist libertarian, and here is my attempt to briefly describe libertarianism.

First of all, the difference between "libertarian" and "Libertarian" is that the second one specifically means a member of the Libertarian Party, while the first one just means anyone who believes in libertarian ideas. Thus Thomas Jefferson could be called a libertarian, but he was not a Libertarian.

The defining principle that all libertarians must believe in (or else they are not really libertarians) is that people own themselves, and the product of their own labor. All else follows from that.

Because people own themselves, it is wrong for government to outlaw behavior that doesn't hurt anyone but the person doing it. Thus it is wrong for government to outlaw smoking, or outlaw eating fatty foods, or outlaw prostitution. (Government may have a legitimate role regulating prostitution, for example to require medical screening of prostitutes for public health reasons, but there is no moral basis for government to outlaw it.)

Because people own themselves, government should not prevent them from freely entering into contracts. Government can legitimately have a role in enforcing contracts. (The major areas where government is useful: national defense, enforcing the laws against violence and theft, and enforcing contracts.) Because of this, if Microsoft wants to require product activation, government shouldn't tell them they can't do that. It's up to people to vote with their dollars. (Note that it was not government that finally dethroned IBM from its monopoly position, it was the free market.)

So, no libertarian can be in favor of a law like the DMCA. The record companies could have annoying license agreements, and libertarians would not be in favor of using government to force the companies to not have them, but the kind of free speech infringement that the DMCA is all about would be right out. And of course no libertarian would be in favor of outlawing encryption.

P.S. In case you are wondering, a "minarchist" libertarian is in favor of a minimal government; an anarchist is in favor of no government. There are many libertarians who believe that we don't need a government at all; the free market can solve all problems. Minarchists like me think we do need a small government to handle things like national defense.

steveha

Thefreeworld.net Re:Overzealous, eh?

Indeed, the US outlawing something is one thing. That's their business, if it turns out to hurt them too much they can always revert the law. It's a democratic country, isn't it ?

OTOH, the US outlawing something shouldn't mean that all these good things are suddenly no longer available to the rest of the world. We need a place to publish the things which are outlawed in the US, without getting prosecuted for publishing these things to the US.

Such a site has been started (well, not quite, but we're busy getting it up and running) and we hope there will soon be a place to publish crypto research, security information and other useful tools which are not allowed in the US. The only small gotcha is that in order to publish it legally, some kind of access controll will have to be put in place so US citizens cannot get at the archive. Unfortunate, but so be it.

The site? http://thefreeworld.net/ [thefreeworld.net]

Re:Thefreeworld.net Re:Overzealous, eh?

You gotta love the irony of a site being called "The free world" excluding US, the so-called "land of the free".

As Bill Hicks said, "You are free... to do as we tell you". Right now, it seems that US "freedom" means the freedom to bribe (sorry, to fund...) senators et al to get your pet bills passed.

Re:Overzealous, eh?

Well I can play dvd's under linux, just not legally. What people don't realize is that people still find a way, it just forces them to take the effort unground and do it illegally. We'll see more and more of this kind of "illegal" activity with the DMCA around, I guarantee it. Only when the minority opinion becomes the majority will the DMCA be repealed. That's how politics works.


I can legally view DVD's on my Linux computer.
I can legally download DECCS.
I can legally buy a DVD player which is regioncode free.
The reason is very simple.
I live in the Netherlands and we don't have the DMCA.
Second, large corporations don't have as much influence on Dutch law as they do have in the US.
Second, contrary to the US we don't have a duocracy.
And third, we don't give a fuck about the US.

just making a point

It seems to me that Alan is just trying to make a point about how ridiculous the DMCA is in this case by taking this relatively extreme position how the DMCA throws a wet blanket onto legitimate security discussions.

he's just trying to "make a point"

Here's his key points in the thread (and the points that he was responding to)

> > 2.2.20pre11

> > o Security fixes
> > | Details censored in accordance with the US DMCA
>
> Care to elaborate?

On a list that reaches US citizens - no. File permissions and userids may
constitute and be used for rights management.

> Are you saying that we can't divulge security problems in our own software
> anymore for fear of being sued by affected parties?

Not even affected parties - the government can do it too without anyone else
and indeed even if their are contractual agreements between parties
permitting the data to be released..

I hope to have the security stuff up on a non US citizen accessible site in
time for 2.2.20 final

> Putting pressure on US people to have them influence their
> legislation? Aka. every people have the rulers they deserve? Won't work
> out.

"Until they become conscious they will never rebel, and until after
they have rebelled they cannot become conscious."

> Seriously, are you kidding?

The current interpretation of the DMCA is as lunatic as it sounds. With luck
the Sklyarov case will see that overturned on constitutional grounds. Until
then US citizens will have to guess about security issues.

> This would then presumably lead to password protected access for US kernel
> developers that need to know? And some kind of NDA?

US kernel developers cannot be told. Period.

> 'IANAL', and neither are you, are you sure this sillyness is necessary?

Its based directly on legal opinion.

I stopped reading at this point.

too late

It'd be great if people could read the threads here and try to figure out what is going on.

Unfortunately, it looks like the site might already be hosed. How about if we just speculate wildly, make irrational calls-to-action that will never commence, throw in a few anti-government rants, and top it all off with a good old fashion linux/bsd flamewar?

You know, the usual.

Oh sure

Oh sure, just the sort of thing we'd expect from a stinkin' EMACS USER!

People! He's Joking!

People. He's just using this humorous approach to show us how ridiculous the DMCA can be.

Re:People! He's Joking!

I don't think he's joking at all. I think he's dead serious, and I think he's absolutely right to be. European programmers can no longer travel to the United States without risking being arrested for doing things which are perfectly legal where they did them (and in 95% of the rest of the world). Until you guys get this sorted, you have to face up to the fact that the rest of us can't safely share stuff with you.

Re:Using the Linux community as pawns

Then I guess the moral of the story is, "don't live in America." Think about it:

• You can be stopped, searched, and arrested [expertlaw.com] anytime you're in public if a police officer doesn't like the way you look. If you're lucky, your case will get thrown out or the cop will be nice. Cops have the right to tear your car apart looking for drugs, and not pay for damage if they don't find any.
• Civil forfeiture [fear.org] means that if you break any of the millions of anal, petty laws in the U.S., you can lose your house, your car, or any other property you own. Watch the first 20 minutes of Traffic to see how it works.
• Software and media piracy can land you in prison for five years and subject you to up to $250,000 in fines, per violation. (Naturally this bill was signed by our Democratic friend, Bill Clinton). It's a steep penalty for something so trivial.
• "Disorderly conduct" is a catch-all crime which can be used to arrest people for a reason of the officer's choosing. Ask any minority about it and you're certain to hear a few stories.
• Many forms of sexual activity (such as oral or anal sex) are banned in several states. Most people in the country (besides the Slashdot crowd) are guilty of one or more of these offenses.
• It is widely known that most powerful politicians can trigger an IRS audit on their political enemies.
• The ATA has made it legal for authorities to detain foreign nationals indefinitely, without presenting evidence of a crime or making a formal arrest.

The DMCA is only one of the many laws which make the USA into a police state. AC's intentions are good but he's got a lot more battles in front of him before the U.S. can be considered safe from authority abuse.

-CT

Re:Using the Linux community as pawns

Is Dmitri not a legitimate programmer? I think he is. Dmtitri writes programs which are legal in his country. He has never written a program in the US which violates US law. What other test of legitimate is there?

Re:Using the Linux community as pawns

But it is obvious that he is using his public role (in the kernel and in usenix) to achieve a political end: namely, the repeal of the DMCA.

Funny, I thought he was obeying the law.

Political ends are may be a side effect of that, and indeed this has all the writings of a political snub, but it's nevertheless undeniable that he would be commiting criminal acts by not making this pointed omission.

Re:Using the Linux community as pawns

Alan needs to realize that, although the DMCA does have important and evil implications for the freedom to code and speak in the U.S., it would not be used against a legitimate programmer such as himself. The people who have been targeted by the DMCA have been crackers: people who defeat lame encryption schemes and distribute point-and-click software that allows the masses to pirate. Although I fully support 2600 and Dmitri in their efforts (I have been a security engineer and I appreciate the truly talented invididuals in the field), DeCSS and the PDF utility are simply not in the same class as the Linux kernel and the other software Cox has worked on. He is simply a non-target and he needs to stop pretending that the DMCA affects him.

First they came for the Communists,
and I didn't speak up,
because I wasn't a Communist.
Then they came for the Jews,
and I didn't speak up,
because I wasn't a Jew.
Then they came for the Catholics,
and I didn't speak up,
because I was a Protestant.
Then they came for me,
and by that time there was no one
left to speak up for me.

by Rev. Martin Niemoller, 1945

Re:Using the Linux community as pawns

it would not be used against a legitimate programmer such as himself

While it is unlikely that Alan would be arrested for fixing security bugs in the Linux kernel, he is quite right in saying that under the letter of the law, he might be. Even if you merely can be arrested for such an activity, then the DMCA is a bad law and must be repealed, or at least modified very substantially. So Alan should be applauded for taking a stand, even if (or exactly because!) that inconveniences some people temporarily.

Actions Speak Louder

We can't bomb the RIAA et al so we'll have to resort to other methods of getting attention to have the DMCA reviewed. We could write letters until we are blue in the face but that isn't working.

I'm not sure if Alan's actions will get the attention it needs but it is certainly a step in the right direction.

Cox successful: Senator Fritz Hollings recants!

In related news today Senator Fritz Hollings [slashdot.org], author of the SSSCA proposal, recanted stating:
"I just downloaded the latest 2.2.20pre10 and found censored changelogs! This will seriously impact my l33t hax0r activities. I finally see how my SSSSCA proposal will impact freedom. I am official withdrawing my proposal effective immeditely."

Apparently Alan Cox's plan to publicly demonstrate the absurdity of the DCMA and SSSCA in a place that would hit congress where it hurts has paid off.

Does DMCA apply here?

Correct me if i'm wrong, but doesn't the DMCA only apply in cases of devices meant to enforce copyright protection?

Re:Does DMCA apply here?

And if you read the thread, you'll see that Alan Cox's assertion is that UNIX-style permissions can be used for digital rights managment purposes. That is, they can be used as an access control to protect copyrighted works that are covered under the DMCA. Therefore, disclosing a security vulnerability which can subvert UNIX-style permissions is equivalent to describing how to circumvent an access-control device as described under the DMCA.

I would guess that the specific DMCA clause that Alan's affected by is this one:

• (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

  • (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

    (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

    (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

It would seem Alan's conjecture is that describing a specific vulnerability in the Linux kernel that allows subverting some aspect of Linux's permission structure (which can be used as an access control device to a protected work) constitutes "traffic[king] in any technology [...] or part thereof" that would allow someone to circumvent the access control. Under the current interpretation of the law (re: Skylarov), detailing a security weakness in a product seems to (a) constitute such trafficking, and (b) seems to fit one of the three clauses 2(A), 2(B), or 2(C) above. (Notice they're connected by an 'or', so it's is necessary to fit only one of the three to be in violation of DMCA. I'm guessing the kernel information would fit 2(A).)

I'm so proud to be an American, where at least I know I'm free[*]. :-P

--Joe

[*] For a suitably narrow definition of free.

Civil Obedience

Imagine a law so stupid that civil obedience becomes an efficient way to fighting it...

Things to realise about Alan Cox

Firstly, he's a Brit. They have a sense of humour which is sometimes very subtle and is usually based on 'irony' (as in the saying something different to what you mean, rather than the more American 'Alanis Morissette' use of the word). Some Americans take ironic statements at face value, as is often seen on Slashdot.

Secondly, he's a clever guy. He's being stubborn about this to make a point. If he wasn't stubborn about it, the point wouldn't be made. He is acting correctly according to an unjust law to highlight the danger of it.

He is not being 'dumb' or deliberately annoying, he's highlighting the potential effects of a worrying development in the American legal which could have significant negative impact on all Open Source software developers.

Disgusted to be an American

I used to be proud to be a Citizen of US. But it seems everyday that the "land of the Free" becomes a little less free. This is beginning to reach insane proportions. Everyday we seem to pass more and more laws that are seemingly(to me anyway) directly in conflict with Our Constitution. Our politicans don't listen to us anymore. I am disgusted...and angry...so much so i can't even think of words to express my rage at what is being done to this great nation. Our laws were ment to protect our citizens, and ensure the right to "life, liberty and the persuit of happiness" I feel as if I have none of these lately.

--"The refuses to bend, he refuses to fall, he's always at home with his back to the wall" --Bill Joel- Angry Young Man.

Re:Disgusted to be an American

You can go live in the UK and get your nice unhappy face photographed a thousand times a day. You could go live in the UK where certain books are banned because ??(Add inane reason here). You can go live in the UK where the ability to protect yourself with a firearm has been taken away by the good Government.

Every country (and I've been to quite a few) has limitations on peoples freedom somehow. As a modern society we are fast approaching big brother if we aren't careful (UK has had big brother for a while hasn't it?).

Instead of being "Disgusted" perhaps you should pay an attorney to help "wage the war". You know we still have the ability to change the law and it has yet to be constitutionally tested. With all the "open source" companies out there I'm suprised there hasn't been a class action lawsuit for damages to the "open source product" caused by the RIAA.

Oh yeah, and next time there is an election, vote.

Re:Reason behind this.

And the REST of the world must suffer because some american law (which has no jurisdiction OUTSIDE america) exists?

They harrassed an Norwegian, kidnapped a Russian over this law. A good reason for the rest of the world to take notice...

Just got back from the Post Office.

The SSSCA, which could become DMCA's darker sibling, has even more for Alan Cox to ponder. In fact, I just finished a weekend writing a fairly long letter to my representatives, and sent it only a few moments ago, so that it may get there in time for a Senate Commerce Committee hearing on the 25th.

The full letter is at http://www.halley.cc/ed/politics/2001-10-22.conten t.control.html [halley.cc]. I welcome comments, and the letter may be reprinted with attribution.

Denying US-Access to Security lists

Security lists should be even more aware of DMCA legislation. When dealing with US-based businesses security experts should demand an outside US contact-address to send the report to, as well as a document stating that the information will not be divulged to US citizens or residents.

Posting the report to a Site accessible from USA gives anyone who wants the means to sue to their liking, and the only reason Microsoft didn't already sue bug-reporters into submissive silence is the cry of outrage to be expected after such a move. But we'll probably soon see that nevertheless with their hacked Mediaformat.