Archive for the 'DRM' Category


Sony still paying for rootkit fiasco

The company has already settled and begun paying in Texas and California, but Sony still has other legal problems ahead.

The company has agreed to $1.5 million in fines and cash settlements with customers in the two biggest states. A consortium of 13 other states is looking for a similar deal. The Federal Trade Commission is also still investigating.

The lesson? Don’t preemptively decide that all your customers are also thieves and hack their computers accordingly.

New Site: DMCA Exemption for Educational Use of AV Materials

Here’s a new website for the new DMCA exemption for film & communication professors. Hosted by the Annenberg School and Penn Film Studies professor Peter Decherney, the site links to all the official documents concerning the exemption.

If you’re reading this blog, the exemption is probably not news to you. Here’s why this new site should have your attention:

Coming Soon: The exemption must be renewed and possibly modified in 2009. In order to keep the exemption, it is important to have feedback and information about its use. Please check back for a comments section that will be added to this page in the coming weeks, where you can leave feedback on how the exemption works for you.

I hope many of you a) use this exemption, and b) help its advocates earn another exemption in 2009.

Patry: DMCA trumps common law (C) exemptions

The US, along with the UK, is a common law country, meaning the judicial branch has fairly wide powers to interpret the law. This is actually the basis of exemptions for fair use; long before the 1976 Copyright Act, courts had spent decades insisting that copyright didn’t prevent all unauthorized uses.

In civil law countries, by contrast, courts are left with far less leeway to overturn or modify statutes through, e.g., constitutional interpretation. As William Patry elaborates:

In civil law countries, exceptions to rights don’t take the form of fair use, but rather statutory provisions that spell out the permitted conduct. This approach has some problems, though, principally rigidity: if something is not specifically enumerated, it is usually deemed excluded at least with respect to the provision in question. The U.S. has such provisions too, like Section 108, but then we also have the safety valve of Section 107. Fair use is designed to (but doesn’t always in practice) provide the type of flexibility that specific exemptions don’t. Even other common law countries, like the UK, Canada, and Australia, have migrated away from fair use and toward fair dealing and specific provisions.

Enter the DMCA, which has been used to squash consumer-friendly interpretations of Section 107, including the Sony decision, which would permit time- and space-shifting of copyrighted content.

A court may well still hold that these are noninfringing behaviors, but 17 USC § 1201 makes that point moot. Circumventing a technological measure that controls access, for any reason not specifically permitted, is illegal. The Copyright Office has a mechanism for granting such exemptions, but through three cycles it has never recognized the rights of end users.

For an example of how this plays out in the marketplace, Patry cites this EFF post, “Stealing Fair Use, Selling It Back to You,” discussing the movie industry’s attempts to sell you downloads of movies you have already purchased on DVD. This doesn’t work with CDs because we have the legal right to rip CDs onto our computers. Yet the Copyright Office denied the proposal to exempt media such as DVDs for personal use on the grounds that space shifting is “mere convenience” (pdf; see p. 72).

In other words, copyright exemptions are supposed to be open to broad interpretation by the courts. Thanks to the DMCA, however, only specifically enumerated, brutally narrow exemptions are permitted. These exemptions can still be very useful and important (see next post), but they are not nearly as flexible or valuable as fair use pre-DMCA.

Linked quotefest: DMCA exemptions coverage in the blogosphere

While I’m stoked about the offline media coverage (AP and NPR, most notably), here’s a choice selection of links to other bloggers’ comments.

Fred von Lohmann, from within the EFF Deeplinks, writes in the most-linked blog entry:

Unfortunately, just as we predicted, all the proposed exemptions that would benefit consumers were denied (space-shifting, region coding, backing up DVDs). So, while we’re pleased that film professors, archivists, cellphone recyclers, and security researchers were able to successfully navigate the exemption process, it appears that digital consumers still have no choice but to get Congress to amend the DMCA. We look forward to Rep. Rick Boucher reintroducing his DMCA reform bill, H.R. 1201, in the new Congress next year.

Laura Quilter, at Derivative Work, recounts:

I was eagerly anticipating the rulemaking (even more eagerly than usual) after David Carson, General Counsel at the Copyright Office, kept dropping hints about what we could all look forward to at a panel at Fordham last Friday. (The ever witty Hugh Hansen said it was the closest he’s seen to a legal strip tease.)

Seth Finkelstein mourning the death of the censorware exemption (and part 2), complete with a link to his 2003 post explaining why he, the exemption’s veritable Atlas, stopped carrying the load.

Today’s TechLiberation response, by Jerry Brito: “I can’t believe Tim Lee hasn’t posted about this already.”

Copyfighter’s Musings, summing the early reactions, and including this DMCA barb:

The exemptions also don’t make it lawful to provide circumvention tools — so media professors have the right to circumvent CSS, but technically no one is allowed to provide them with the tools to do so. Aaron [Perzanowski is] right that this ruling is better than nothing, but (as he also agrees) the exemption process remains woefully inadequate to deal with the DMCA’s myriad harms.

Finally, Ed Felten on the less-than-inexplicable strategy to drop the news right before Thanksgiving:

Last Wednesday afternoon the U.S. Copyright Office released its list of DMCA exemptions for the next three years. The timing is interesting: releasing news in the afternoon of the day before Thanksgiving is a near-optimal strategy if you want that news to escape notice and coverage in the U.S.

I thought the exact same thing, but today I would say they failed in that goal. It’s unshocking that we in the IP blawgosphere would cover the issue, but it got more press than I expected in the dailies.

What nobody has said so far, however, is that the delay robs those who will use these exemptions of a full month (about 3% of the 3-year window) of legal safe haven. Hopefully, this rulemaking will be eliminated in favor of a generic application of the fair use doctrine to Section 1201, à la Boucher’s proposal (see Section 5).

UPDATE: I can’t believe I forgot to include Alex Curtis’s post from the PK blog. He breaks down all the exemptions, noting specific drawbacks. For instance:

Exemption 1 is severely limited to the educational settings of university film or media studies departments, and to media studies or film professors, for the purposes of making compilations of portions of works. Not only can professors and students in different departments not take advantage of these provisions, but the consumer’s ability to make excerpts of digitally protected audiovisual works for criticism or comment is still prohibited.

Okay, now I think I’m done.

NPR covers DMCA exemptions story

Quoth NPR.org (where you can listen to the audio):

All Things Considered, November 27, 2006 · The Digital Millennium Copyright Act made it illegal to reproduce copyrighted material from DVDs — even short excerpts. That proved to be an enormous obstacle to the professors of college film-studies programs, who wanted to be able to burn discs of selected scenes for their classes. Three professors from the University of Pennsylvania asked for an academic exemption to the law. And surprisingly, they say, it has been granted. From member station WHYY, Joel Rose reports.

This is awesome; not only did we win, NPR covered the story. They even quoted an EFF attorney, bringing attention to the problems of the DMCA (which still stand, despite this small victory).

Copyright Office grants 6 exemptions for circumventing TPMs

The Copyright Office today granted 6 exemptions to 17 USC § 1201(a)(1), effective for the next three years, that allow end-users to circumvent technological protection measures in order to make noninfringing uses of certain works.

Two of the exemptions are particularly noteworthy. They are:

1. Audiovisual works included in the educational library of a college or university’s film or media studies department, when circumvention is accomplished for the purpose of making compilations of portions of those works for educational use in the classroom by media studies or film professors.

6. Sound recordings, and audiovisual works associated with those sound recordings, distributed in compact disc format and protected by technological protection measures that control access to lawfully purchased works and create or exploit security flaws or vulnerabilities that compromise the security of personal computers, when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities.

This represents a substantial shift in the Copyright Office’s interpretation of Section 1201.

MPAA sues DVD-to-iPod service

In yet another sad, sad use of 17 USC § 1201, the Motion Picture Association of America is suing to stop you from ripping your DVDs to your iPod.

Breaking News: Copyright Office delays DMCA ruling

The US Copyright Office has delayed its ruling in the triennial rulemaking to determine exemptions to the DMCA’s ban on circumventing technological protection measures, instead extending the current set of exemptions for the near future.

The Copyright Office website provides no reason for the delay. All we know now is that the Register of Copyrights has not produced a set of recommended exemptions and that the delay is expected to last “no more than a few weeks” (pdf).

17 USC 1201(a)(1) prohibits the circumvention of a “technological measure that effectively controls access to a [copyrighted] work.” Except for a list of narrow exemptions, it is illegal to hack through such copyright-protecting technologies, popularly referred to as “digital rights management” or “DRM.”

Some of the exemptions are permanently encoded elsewhere in Section 1201. The Copyright Office determines another set of temporary exemptions that last for three years. For more on this process, follow the first link or read this paper.

In hearings this spring, two highly contested proposals for exemptions were the proposal to permit hacking through technologies that compromise the security of one’s computer (transcript; pdf) and another to permit the hacking of DVDs for educational purposes (transcript; pdf). I testified at the second, but if we win an exemption, Penn professor Peter Decherney gets the lion’s share of the credit, with assists going to Jonathan Band and Peter Jaszi.

The exemptions from the 2003 rulemaking were due to expire on Friday, October 27 and be replaced by a new set expiring in 2009. There has been no explanation of whether the new set will stand for a full three years.

I will provide more on this developing story as it unfurls.

Foreign antitrust concerns nudge Vista toward openness

In response to European and South Korean antitrust concerns, Microsoft has made several changes to its forthcoming operating system.

The new OS, Vista, will now feature less lock-in for its search, file formatting, and security features, the company has announced. So far, security firms are skeptical; the company has promised but not yet produced the technical means to facilitate interoperability.

Unfortunately, there are as yet no antitrust concerns that can leverage MS away from their excessively anti-consumer End-User License Agreement.

Let’s hear it for OS X, produced by a company that treats its customers like customers–and not thieves.

The politics of digital lockpicking

Having studied the DRM fight for a few years now, I’m starting to become fascinated by the politics of security vulnerabilities in general.

For those of us who came to this question via the study of DRM politics, Ed Felten is perhaps the poster boy for the politics of security vulnerabilities. The professor of computer science and public affairs at Princeton was once threatened with legal action by the RIAA because his research team hacked the Secure Digital Music Initiative watermarking system and was about to discuss the hack at an academic conference.

Last year, Felten helped users cope with the security vulnerabilities that some Sony music CDs created on the computers into which they were inserted. Lately, he’s been telling anyone who will listen, from readers of his blog to members of the House Administration Committee, that Diebold e-voting machines are remarkably insecure.

At each step, he has told people who didn’t want to hear it that the digital lock they’ve devised is not half as secure as their PR department would have you believe. The fact that Diebold felt compelled to respond (pdf) illustrates that he has a substantial audience for such discoveries.

Of course, Felten is not alone, but he may be the whitest hat in the crowd. (The RIAA backed off, in part, because they knew they would endanger the political viability of their DMCA suit-fest.) Other people who research digital security have several means to spread the word about vulnerabilities. You can contact the CERT Coordination Center (CERT/CC), which will notify companies of vulnerabilities, help coordinate the response, and update the network user and service provider community on the status of the problem.

Until the alert and/or patch comes out, this is all pretty behind-the-scenes stuff and, by now, it’s become pretty routine. But every once in a while, somebody violates protocol, either publicly discussing the flaw pre-patch or credibly dangling an exploit in front of security researchers without revealing the details the vendor would need to patch it. Both have been in the news lately.

The now-famous Apple wifi vulnerability, performed by SecureWorks researcher David Maynor in this video, was an instance of the latter. It quickly devolved into name calling. Initially, Apple claimed that the two researchers, Maynor and Jon “Johnny Cache” Ellch, had failed to share any code demonstrating an exploit. Later, SecureWorks said:

SecureWorks and Apple are working together in conjunction with the CERT Coordination Center on any reported security issues. We will not make any additional public statements regarding work underway until both companies agree, along with CERT/CC, that it is appropriate.

Apple also stated that they are working with SecureWorks.

Some accused Maynor and Ellch of being irresponsible (not going directly to CERT), but the accusation by Apple and others that really angered them was that it was a cold fusion discovery–that is, they fabricated the whole thing. (With a little bit of effort, a great many people could perform what would look like the same hack without actually finding new vulnerabilities.)

Ellch gave a presentation on Saturday at ToorCon defending their hacker honor, insisting they had honestly discovered a real vulnerability. SecureWorks pulled Maynor from the talk, during which the two were to share the code that enabled the exploit. Prevented from sharing the exploit (it sounds like his co-researcher had his arm twisted), Ellch’s speech was a self-described rant that left many to wonder what exactly was going on behind closed doors. All we know for sure is that this is definitely not the routine method for fixing vulnerabilities.

In contrast, nobody at ToorCon was doubting this Firefox exploit, also delivered on Saturday, by Mischa Spiegelmock and Andrew Wbeelsoi. (In case you care, it exploits Firefox’s implementation of JavaScript, which Spiegelmock calls “a complete mess” that is “impossible to fix.”) He put it on the screen for all to see–without having given Mozilla any lead time to begin to develop a patch.

Mozilla security chief Window Snyder (now THAT’S a name for an IT pro!) was not amused. Here is CNet’s reporting:

“It looks like they had enough information in their slide for an attacker to reproduce it,” [Snyder] said. “I think it is unfortunate because it puts users at risk, but that seems to be their goal.”

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. “If it is in the JavaScript virtual machine, it is not going to be a quick fix,” Snyder said.

Again, this deliberate release of a zero-day exploit is a clear violation of the heads-up-to-CERT protocol. The authors also claim to know of around 30 more unpatched Firefox flaws; they’re keeping those to themselves.

If this blog had a big audience, undoubtedly some of you would be insisting that zero-day exploits must be made illegal–that security flaws must be disclosed only to certain kinds of entities. (I’m still waiting for the high-publicity “war on hacking.” All we need is a “digital 9/11,” and the same mentality that brought you the very successful wars on drugs and terrorism will kick in.)

If the brief history of the DMCA is any indicator, that’s the wrong attitude. Felten was reluctant to release details about the Sony rootkit because he was scared of DMCA-fueled legal trouble. Additionally, part of CERT’s success has been in pressuring private firms to develop more secure products. Without third-party pressure, they just won’t do it. Sure, CERT works now, but that model may fail in the future.

Additionally, open source models (an important part of the “freedom to tinker”) generally provide greater security than proprietary closed source models (the Windows model, complete with public begging that the software’s producers release patches more quickly). If anyone can see the code, anyone can find and fix vulnerabilities, and more will be found and squashed. But if tinkering with the code is forbidden–by closed-source publishing models, EULAs, and/or the law–then only two kinds of people will look for bugs: people who have an incentive to avoid embarrassment (the authors of said closed-source code) and people who have the intention to exploit them.

Despite the pain of hacker conferees occasionally publicizing zero-day vulnerabilities and/or taunting us with their still-secret exploits, I’d still prefer a policy of freedom of information, knowing that the Feltens of the world got our collective back, over a system that prevents computer science professors and other whitehats from investigating and fixing flaws.
