Hi, good morning everybody. I'm Mitch Stoltz. I'm a lawyer at the Electronic Frontier Foundation in San Francisco. We're a donor-supported nonprofit. Changing gears a little bit here, because I'm going to be talking, actually trying to teach you some law, and it's law that impacts probably a lot of your work and the security and crypto research and practice in general. And I'll tell you a little bit about what we at EFF are doing to try to remove this particular threat to security research and security work.

I am a lawyer. I'm not your lawyer, unless you know differently. And I'm a US lawyer, so this talk is going to be a bit US-focused. But this particular law that I'm talking about, it's called Section 1201 of the Digital Millennium Copyright Act, has equivalents in most developed countries, except Israel, interestingly. So I know there's some folks from Israel here, so tell me you do not have this particular threat when you're home. But anyone with sort of significant connections to the US needs to know about this and may have an issue here. I'm doing here.

So, what is this law? This was passed in 1998, and this is the basic piece of it right here, and it's sort of this adjunct to copyright law. So all of this that I'm talking about has a connection to protection of creative work, including software. It's not really specifically like hacking law or computer intrusion law, but it does have this very specific tie to crypto, which I'll show you. But the basis was in protecting creative work, including software, but also movies, music, any sort of creative work, and this is the heart of it here: no person shall circumvent a technological measure that effectively controls access to a copyrighted work.

What does that mean, right? There are a couple of things here, right? So what's a copyrighted work? Again, that's generally any form of creative work, including
software: source code, object code, any kind of code. And then what "circumvent a technological measure" means, the law gives us that definition there. You notice this is a very specific call-out to decrypting an encrypted work. So if there is software or video, audio, prose, any other sort of creative work with some sort of access control on it, and bypassing that access control involves decryption, or also these wishy-washy things, avoid, bypass, remove, deactivate, very kind of loosely defined there, you know, you can face liability under this law. And it can be civil or criminal. There are pretty significant civil or criminal penalties on this, and they have been used. It's not just words.

Again, this was originally written with 1998 technology in mind, and specifically technology around traditional creative work. So the canonical example at the time was the encryption on DVDs and various kinds of digital audio encryption, none of which are really relevant anymore. But the law is written really broadly, and this is really kind of the most troubling part.
It's not just a ban on bypassing encryption or circumventing a technical measure, in the terms. Also, sometimes you'll hear the term DRM, digital rights management, digital restrictions management. That's another term for these sorts of controls, often cryptographic, not always. But the even worse part really is this part here, because this bans manufacturing, importing or, again, this wishy-washy word, provide or otherwise traffic in any technology, product, service, device, component, or part thereof. This has been used against researchers, against the discussion or delivery of information about one of these systems, about crypto systems that are used in this way. That's really troublesome because it affects really kind of the very thing we are all doing here and the very thing that a lot of you do in your day-to-day.

And this is exactly what we saw. So this law that was written to add an extra level of safeguard to things like DVDs and the emerging digital entertainment media of the 1990s was very quickly, in 2000 and 2001, it began to be used against security and encryption research. Many of you have probably heard of some of these. So the research, this was in 2000, I believe it was 2000, the research team assembled by Professor Edward Felten at Princeton, and with some other institutions involved, that was looking into an audio watermarking scheme called SDMI. And they found flaws in that scheme, as with many forms of audio watermarking. And they wanted to present that at a conference, and they got a threat of a civil lawsuit from the company that had developed this protocol. And they did eventually give that talk, but not in the forum they wanted. It was delayed. They were censored in that sense. They originally withdrew their paper from that conference.

The 2600 magazine lawsuits: again, this is probably familiar to some of you,
I know, but maybe not everyone. So the 2600 magazine published the algorithm for decrypting DVDs, or one that had been independently developed. They were sued, and at the conclusion of that lawsuit they were banned from ever publishing this algorithm or linking to any website that published this algorithm. This really gets at the heart of a sort of a restriction on speech of the sort that US law is really very allergic to. A notion that this is a magazine, this is a journal, this is journalism, and that magazine is forever banned from giving true information about a subject that was, at least at the time, very important to the public. This was a restriction on the free press. That's really a serious matter, at least under US law and in many other places, too.

And then also around that time was Dmitry Sklyarov, who had worked at a company called ElcomSoft. He was a Russian citizen who had worked on a software that manipulated Adobe e-book files and, in the process, bypassed the encryption on those files. He had come to give a talk in the US at DEF CON. He was arrested. He spent several weeks in prison because he had worked on this software. Pretty disturbing stuff. And the courts at the time, EFF was involved at the time, the courts at the time in the 2600 case really kind of dismissed and shot out our arguments about the importance of freedom of speech. And they said that really doesn't concern us here.

The result of these and many other cases was, I think, a lot of self-censorship. Now,
I'm not going to ask, but I suspect that many of you have experienced this or know people who have: things you haven't discussed, or papers you haven't delivered or have thought twice about delivering, because of the possibility that they might run afoul of laws like these, if not in a criminal sense, then in drawing threats of lawsuits and the possibility of federal litigation, which no one likes. Ugly.

We've collected all of these in this paper. It's called the Unintended Consequences report. Going, but this is the most current version we have, but this is from 2014. We really should be updating it at this point, but this is where it's at. These and many more examples: Google "EFF unintended consequences" and you'll get right to this.

Okay, bright side, at least sort of a bright side, is that the law does pretend to express a concern for encryption research and security research more generally. And if you just read this part of it, it looks pretty good, right? It says it's not a violation for a person to circumvent a technological measure in the course of an act of good faith encryption research. That sounds pretty good, right? But then you get to the rest of this. So the factors to be considered shall include, and this litany of things, and it's always looking at, well, was this, you know, are you advancing the state of knowledge or development of encryption technology, or are you facilitating a violation of law? Well, first of all, what if you're doing both? Or what if someone else violates the law based on something you've said? And then there's this second one here: are you engaged in a legitimate course of study? Or are you appropriately trained or experienced?
Lawyers love this stuff, right? A lawyer looks at language like this and visions of billable hours are dancing in their heads. But for people in the real world, what you don't see in here is a set of steps that you can follow that will protect you, a set of steps that will give you an assurance that you're not gonna be sued, or you're not reasonably gonna be sued. There's no real sort of safe harbor in here. It's wishy-washy, and that means expensive litigation. That means, again, a lot of potential for self-censorship. There's a similar one, by the way, for security testing rather than encryption research, but it's got kind of this same wishy-washy "well, we'll balance all of these things." Remember, this balancing gets done by either a judge or a jury of lay people, so, right, not by experts.

There's another way to, in theory, protect against these sorts of legal threats, and that's administrative process. Every three years the US Copyright Office, which is part of the US Library of Congress, holds a proceeding which, it's complex. It takes about a year and a half, and it's sort of like a court case, and it's quite expensive. We put a lot of resources into this, and we have, you know, every three years for many years now. Many other organizations do too. But what results from these is temporary exemptions to the ban on circumventing access controls.

In the most recent cycle, this is what we got. And it really suffers from the same problems as the permanent one that I just showed you. It's a permission from the US government to circumvent solely for the purpose of good faith security research, only for these three categories of things, and again, you know, a government process here, right? So a device or machine primarily designed for use by individual consumers, including voting machines. Okay, voting machines, good.
I'm not sure if those are consumer devices, but we'll take it, right? Land vehicles, and implantable medical devices not actually intended for use by patients. These are good things, but they're all drawn pretty narrowly, and they don't cover a lot of really security-critical applications of encryption. And then the same kind of really narrow and subjective and not very reassuring caveats on this thing: it has to be done in a controlled environment designed to avoid any harm to individuals or the public. No one really knows what that means. You know, it really would take a court, and probably a couple of years of litigation, to even figure out what that means. So beforehand it's pretty hard to know whether, you know, whose work qualifies as a controlled environment.

The other thing is, this one is only gonna last two years. They actually delayed this by a year. We don't even get the full three. They wanted to give other government agencies an entire year to weigh in on this in case anyone else had any problems with this. So this only took effect in October of 2016, and it will only last until the end of 2018. We're going to ask for a renewal, but, you know, that's no guarantee.

So Congress could fix this, right? I mean, we've been telling them the problems for many years. There actually have been some good proposals for this, and a couple of them have even been introduced as bills. The best one simply says if you are circumventing encryption, or even discussing or teaching how to circumvent encryption, for a legal purpose, you know, where you're not intending that anyone break the law, you're not trying to break the law, you're not doing anything illegal or nefarious with these things, then it should be legal to do it and to discuss it. Leadership in Congress, though.
We're hearing crickets, and not really expecting any motion on that in the near future. Hoping, but not realistically expecting. So from our point of view, something else needs to be done. And the phrase: when all you have is a hammer, everything looks like a nail. Well, lawyers, the tool that we look to often is lawsuits. That's not actually the only tool that we think that we have, but it's one of our favorites. And in the US, you know, there is a mechanism for this, because courts have the power to strike down laws that don't comport with the US Constitution.

Which leads to the challenge that we're working on right now: a constitutional challenge under the First Amendment to the US Constitution against Section 1201. The name of the case is Green versus Department of Justice. Broadly, what we're saying is this law is one that doesn't comport with the First Amendment's guarantee of free speech and a free press.

Give you a little bit of background about how this works. As I mentioned before, in the early days of Section 1201, some of the federal courts out in California were pretty dismissive of the free speech arguments. They said, we really don't see this here, even though 2600 magazine was banned from ever discussing this particular encryption algorithm or even linking to others who did. They said, you know, that's okay with us. But something else happened in the meantime. The US Supreme Court decided in a couple of copyright cases, and they said something interesting. They said copyright law has some built-in First Amendment safeguards.
They're built into the law. You know, these are things some of you may have heard of here. They're called the fair use doctrine and the idea-expression doctrine. Fair use is the idea that you can use other people's work without permission in certain circumstances, often if it's a small portion of that work, and/or if it's for educational purposes, for purposes of building new things, creating new knowledge and new creativity. And interestingly enough, one of those purposes that the courts have identified is building interoperable software, or furthering the notion of building new software that interoperates with existing software. That's one of the things that makes copyright consistent with the Constitution's guarantee of free speech.

The other one, the idea-expression: basically that means copyright law doesn't control ideas and doesn't protect ideas. Patents do, to some degree; copyright doesn't. You can always look at someone else's work and use the ideas from it to build something new, to build your own. And those are important parts of the guarantee of free speech, because they are limitations on the private copyright owner's, an author or a software developer or something, their ability to control what happens with their work.

But Section 1201 of the DMCA interferes with this. The Supreme Court said, or at least suggested, that if something goes beyond these, if it interferes with these traditional contours of copyright protection, that's again fair use and the idea that you cannot protect ideas, but only the expression of ideas, a law that interferes with those probably also violates the First Amendment, because those are First Amendment protections. Well, guess what? Section 1201 does exactly that.

Which leads to our case. We filed this this past summer, and it is currently in court. Plaintiffs in this case: Dr.
Matthew Green from Johns Hopkins, who was here yesterday. I understand he couldn't be here today, but I know many of you probably know him. And he works on security research on a variety of different fields and products. Not all of them are consumer products, automobiles, or medical devices, so he is to some degree outside of these things that we got a temporary two-year protection for.

And Andrew "bunnie" Huang, who is a software developer and engineer. He actually lives in Singapore. He's working on, among many other projects, some devices that allow people to manipulate home video and kind of almost bring back the concept of a VCR and the ability to manipulate and share digital video in the way that we used to be able to do with analog video. There's a product that he wants to build, he calls that the NeTVCR, and it involves decrypting the encryption in the HDCP protocol. I forget what that stands for, but it's the protocol that protects video traveling between home devices, digital video over an HDMI cable. And Alphamax LLC is his company. Both of them are concerned about the possibility of, you know, criminal prosecution under Section 1201 in the US.

This is the, you talk broadly about what?
You know, how this lawsuit goes and how we've laid it out. It's a constitutional challenge to the law. So what we're asking for: we're asking the court to declare this law to be unconstitutional and order the government not to enforce it. This is the broad overview, and I'll go into a little bit of detail on this. But it's that Section 1201 doesn't accommodate fair use, again, which is part of the guarantee of free speech. Section 1201 is overbroad: it interferes with more speech than it needs to. And that this three-year exemption process, which we've used, which Professor Green attempted to use, but that doesn't really give the protections that he needs or that any of these folks need. We're saying this process is actually a speech licensing regime, and the courts have dealt with these before, right? In the US, we're building on what's come before, and there are pretty strong restrictions imposed by the First Amendment on government processes that give licenses to people for speech. I'll get a little bit more into that.

On the first part, just on the law itself, the ban on circumvention: why does this violate the First Amendment? Well, code is speech. Courts have said this. This is pretty well established at this point. This actually came out of the challenges to the crypto export licensing regime of the 1990s. A 1999 appeals court said code is speech, and export rules that restricted the posting of crypto code on web pages was an unconstitutional restriction on speech. So that's pretty well established at this point. DMCA 1201 also restricts speech, because it interferes with the sort of research that our plaintiffs are doing, and even potentially on discussion of their research, again going back to what happened to 2600 magazine. And circumvention is a necessary predicate to speech.
So in the past, courts have said the government can't indirectly limit speech by limiting the availability of printer's ink, or by limiting the funding for non-profit organizations or the press, or by limiting, in some cases, reporters' access to things, or citizens' access to recording public meetings or law enforcement. So where these things are necessary predicates to speech, the government can't restrict those either. And so where the ability to decrypt, with the ability to talk about decryption, is a necessary predicate to the research, and having these sorts of discussions, and doing this work, then there's a restriction on speech.

And then this is really the core of a First Amendment argument, and in many cases, is: any law that restricts speech has to be written as narrowly as possible. And again, this one isn't, and we give examples, but it restricts a lot more speech than necessary, particularly because it's not tied to illegal behavior. Section 1201 makes illegal activities that, you know, don't necessarily lead to any other illegal activity.
So we're not promoting or encouraging copyright infringement or, you know, illegal intrusion into other systems, or insert whatever other sorts of legal violations we can think of. We're not going there. So that makes the law too broad.

And then finally, I mentioned about the speech licensing regime. The way you think of it, in comparison here, is permits for demonstrations, permits for street marches, various sorts of licensing. These happen. What the First Amendment says, and what the courts have said about these things, is that they have to be fast and they have to be based on very specific criteria, so that government officials can't use them arbitrarily or to make sort of arbitrary distinctions. This three-year process is neither of those. Research that someone wants to do now, papers that people want to give: it's really no comfort to say, you know, well, you can apply for an exemption in 2018 to be able to do this. And the criteria for actually getting those is a bit arbitrary, right? In fact, the Copyright Office tends to move the goalposts on these things.

That's the shape of our lawsuit. Happy to take questions about this. I think we're just about out of time, but I'll be here, and we are hopeful that the court is gonna take this where it needs to go.

If you could get back to one of the first couple slides where you have the text of the basic anti-circumvention provision.

Yeah. Yeah, yeah.

Okay, anyway, I was wondering if you could shed light on what the phrase "effectively controls" means. One of the favorite arguments of people who like to play lawyer on internet message boards is: this particular piece of DRM is so incompetently written that it can't be considered an effective control.
And I have my doubts that such an argument would ever hold up in court, but I'm wondering if there's any sort of precedent there.

You are closer to right than they are. The courts have said very little about this, but what they've said, remember they're not technologists, and what they've said is really even the most minimal of encryption is enough to invoke the protections of this law. What probably is not enough is, you know, a physical or digital label that says "please don't copy this" or "please don't inspect this code." That's not enough, but, you know, ROT13 is probably enough.

Okay, thank you.

So I want to apologize to everyone here and everyone else who does it, because I'm partly responsible, by my contacts with AT&T's lobbyists way back when, for a crucial error in the DMCA. It talks about encryption research, not cryptographic research, and encryption is defined as scrambling or unscrambling. It includes hash functions, digital signatures, and all the other lovely things we like to play with. So I want to apologize to everybody.

There's plenty of blame to go around.