What are the implications of the new Super DMCA laws?

The broad scope of the new Super DMCA (Digital Millennium Copyright Act) law could be problematic for IT managers trying to protect their networks.

By Alex Breeding

Editor's note: This article contains the writer's observations and opinions.

Just when you got used to the 1998 Federal Digital Millennium Copyright Act (DMCA), there comes a new legislative kid on the block. And don't be tricked into thinking the new Super DMCA laws, which have been passed in 10 states and are under review in six others, are just extended versions of the federal DMCA. The scope of these laws is far broader than the DMCA and could threaten the very heart of technology innovation, including your ability to protect your network.

A little background
You may be familiar with the most famous alleged violation of the DMCA, when Russian programmer Dmitry Sklyarov was jailed and prosecuted for creating ElcomSoft's Advanced eBook Processor tool, which broke encryption on Abode's e-book technology. ElcomSoft was found not guilty at trial. Other security experts have removed their research from published Web sites due to threats of prosecution under the DMCA.

The federal DMCA law was written in 1998 as an attempt to bring copyright laws into the digital age. The act makes it a crime to circumvent copy protection or to distribute devices that can circumvent copyrights. While the goal of this legislation was admirable, the law has created precedents for action against those who are not participating in classic "hacker" activities. For example, Edward Felten, a computer science professor at Princeton, was threatened with a lawsuit after his research broke the protection scheme created by the Secure Digital Music Initiative (SDMI)—in response to a challenge SDMI itself had issued.

States affected by Super DMCA
The new Super DMCA has been passed in Arkansas, Colorado, Delaware, Florida, Illinois, Maryland, Michigan, Pennsylvania, Virginia, and Wyoming, and it's currently under consideration in Georgia, Massachusetts, Oregon, South Carolina, Tennessee, and Texas. For the latest information, see http://www.eff.org/IP/DMCA/states/ or http://freedom-to-tinker.com/superdmca.html.

When these laws were going through the legislative process, they were strongly supported by the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the Business Software Alliance (BSA). This go-round, the push for SDMCA laws is being spearheaded by the MPAA with little support from the software industry and no support from any law enforcement agency.

The SDMCA makes its presence known
SDMCA laws have already claimed some victims. Tom Liston developed LaBrea, an open source application designed to stop the spread of worms across a network. He recently removed the application from his Web site under fear of prosecution under the Illinois version of the law. And Niels Provos, a University of Michigan graduate student well known for his research into steganography and honeypots, has removed his research papers and software from Web servers located in the United States.

The goal of these laws is, again, admirable. This time, the law is attempting to make it a crime to steal communications services, cable signals, premium cable programming, and/or bandwidth via wireless broadcasting or receiving devices—most of which are already covered under existing laws. These laws also attempt to legislate whatever the Internet might evolve into in the coming years. In order to accomplish this, the laws have been written in extremely broad terms. And since all of these state laws stem from the same model legislation, they all have the same flaws.

The most objectionable aspect of SDMCA makes it a crime if a person "knowingly: (1) possesses, uses, manufactures, develops, assembles, distributes, transfers, imports into this state, licenses, leases, sells or offers, promotes or advertises for sale, use or distribution any communication device: (ii) to conceal or to assist another to conceal from any communication service provider, or from any lawful authority, the existence or place or origin or destination of any communication." In other words, breaking these laws will bring severe penalties painted with a broad brush. Later, the law defines merely possessing plans or instructions or materials for creating such a device as a crime.

All of this is in addition to an overly broad initial definition that makes it a crime to merely receive and/or retransmit a signal transmitted by someone without express authorization. I'm not sure how I am supposed to prevent reception of a radio signal, other than to not use any device that receives such a signal—like my wireless LAN access card, my pager, my Toshiba e740 PDA with built-in WiFi, my cell phone, my radio, my television, or my satellite dish.

Making it a crime to retransmit a signal would mean that you can't share an Internet connection among multiple computers without express authorization from your Internet Service Provider. It also means that you can't use a proxy server. Making it illegal to conceal the origin or destination of any communications services means you can't use a firewall, virtual private network (VPN), filtering software, or network address translation (NAT).

CompUSA, Fry's, RadioShack and other outlets will have to stop selling devices capable of receiving/retransmitting communications services and "materials for creating" such devices. Anonymizer.com and Hushmail.com will have to stop operating. And I'm pretty sure that SDMCA also outlaws call forwarding and caller ID block. These laws could even conceivably be stretched to allow any communications services provider to legislate which hardware devices (Dell or HP, but not Gateway) and/or software, including operating systems (Windows XP Home Edition ONLY), are authorized to operate on their systems.

Keep in mind, these laws do not merely make a violator subject to civil penalties, such as fines. Violating these laws is a criminal offense. That means you could go to jail for operating a firewall. And while the crime is defined as a misdemeanor, depending on the number of separate offenses (each communication, unlawful device and 24-hour period), fines of between $1,500 and $10,000 per offense may be assessed by statute. If a person is found guilty of willfully violating these laws for financial gain (meaning you saved money by not paying for it), a court may increase the total damages by up to $50,000 for each offense.

The MPAA has stated that this legislation is exclusively about stealing communications services. It contends that criminal and civil remedies are evoked only if someone steals services offered for a fee. The MPAA also contends that these laws merely expand the criminalization of electronic devices and software—like illegal cable television descramblers—if they are made expressly for the purpose of stealing communications services. The MPAA does not address SDMCA's inadequate definition the newly added "intent to defraud," which is the heart of the criminal statute. And it do not address "fair use" except to say that fair use is not a law and is unnecessary in a digital world.

Fair use
Fair use is what allows you to copy certain copyrighted material in an educational setting and lets you make backups of your copyrighted software. Fair use, of course, has been at the heart of countless previous copyright cases, such as those involving Napster, the Sony Betamax, photocopiers, cassette records, and even the basic text press.

Clearly, the MPAA is concerned about protecting copyrighted works, particularly movies distributed illicitly over the Internet and other forms of digital piracy. And digital piracy is certainly a serious problem.

However, these laws propose a radical paradigm shift in technological innovation that forbids any technology that's not expressly permitted. SDMCA laws make most, if not all, independent computer security research illegal. They impose rules that will stifle technological innovation and creativity. They could create unreasonable liabilities for any communications provider, making it responsible for the content of any user (already an issue on some college campuses), which would certainly increase the network administration burden. They also practically outlaw peer-to-peer networking because of their zeal in attacking file sharing and file distribution services.

These laws impose huge economic burdens on those found guilty of violations and those accused of violations. (See this story about college students being sued for $97.8 billion.)These laws do not even allow a defendant to recover court costs and attorney's fees if they prevail. And they would outlaw some actions of the US Government (see "Software Rams Great Firewall of China," by Paul Festa). Most disturbing is the fact that MPAA and RIAA have also lobbied for the right to hack into your network and remove copyrighted material, either by explicitly doing so or by distributing worms. That is an optional remedy under these laws.

Ultimately, in the United States anyway, it will be up to the Supreme Court to decide what is fair use and what is not. And I'm certain those nine justices will have an opportunity to consider these SDMCA laws, if they're not struck down by some lower court. But keep track of this in your state, and nationwide. If it's not in your state yet, it's coming. Stay informed.