March 15, 2000

COPYRIGHT LOOPHOLE MAY LET CORPORATIONS DUCK SCRUTINY

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Imagine that a company loses a lawsuit for a faulty product that caused deaths or severe damage, but manages to have the court records sealed as part of the settlement. (This routinely happens.) Imagine further that they have to report some details about the case in an annual report. When the report is distributed through standard channels, an enraged shareholder can legally pass it to a reporter and the reporter can quote it. But in the future, a company may choose to email the report, lightly encrypted, and claim a violation of its “technical self-help protection measures” when the truth hits the newsstands.

This danger is why we should pay attention to a story of apparently minimal significance that turned up around March 8 in some of the computer trade news sites and online discussion groups. On its surface, the story looked like just another lark by young hackers. But to the discerning eye it opened up a chasm onto corporate irresponsibility.

The blustering company in this case was Symantec, a long-time vendor of filtering software called I-Gear that promises to keep kids from viewing sleazy Web pages or engaging in saucy online chats. As always happens when someone seriously evaluates one of these software packages, the results showed that the choices of what to block were arbitrary, unfair, spotty, and sometimes even bizarre.

“The blocked pages included a 75 K page written entirely in Latin, a description of a milking machine system written in Spanish, and volumes 4 and 6 of ‘The Decline and Fall of the Roman Empire’,” wrote Bennett Haselton, who delved into I-Gear’s code and posted the results on his PeaceFire anti-filter site.

Most filter companies are secretive about what sites they block; they claim that the information represents a competitive advantage over other filtering software. Its more likely that revealing the list would cause customers to question the reliability, if not the sanity, of those doing the rating. The question is whether customers have a right to know what the products they use are doing under the hood—and whether free speech protects those who try to warn them.

There are several ways to figure out what Internet sites are being blocked; the simplest is just to try various common Web sites or keywords and see what fails to get through. But for maximum visibility, some programmers like to crack the files of blacklisted Web sites distributed with filtering programs. For this purpose, experts use reverse engineering, a technique for figuring out what code is doing that has been exploited by professional computer users ever since programming languages were invented.

But reverse engineering and code-cracking have been under attack over the past few years. The campaign began in scattered law clauses and initially appeared to affect only a few small constituencies, such as companies developing products that competed with popular software packages. But experts in computer science predicted from the beginning that such bans would lead to abuses by a wide range of companies trying to avoid having their practices brought to light—and they were right.

The first shots fired were in an audio recording act of the early 1990s, and then the massive Digital Millennium Copyright Act of 1998. The companies pushing these laws planned to use encryption (or scrambling) to keep people from copying their products, and anticipated that someone would be able to break the encryption.

Thus, the laws made it a crime to manufacture or distribute any device whose “primary purpose” was to overcome such technical protection measures. As narrowly as the legislators tried to word such prohibitions, they represented an astonishing restriction on the freedom to do research and engineering.

It took a couple years for the dire predictions of computer scientists and free-speech advocates to hit. Then the DMCA was employed in a widely publicized lawsuit by the manufacturers of DVDs and the motion picture industry. When someone decrypted their weak controls so that people could play DVDs on Linux systems, these companies undertook the daunting job of prosecuting everyone they could find who posted the offending software on a Web site.

Even this show of corporate muscle, however, stayed within the realm of copyright debates. The movie studios and DVD makers simply wanted to control the use of their wares (a goal opposed to the customers’ traditional right to make use of a product any way they want). Symantec is threatening to use copyright law for an entirely different end: to keep the public from examining and discussing its actions.

Haselton had a sense this was coming; back on February 22 he published an appeal to defend the DVD decryption sites and to fight UCITA, a proposed law that would enshrine the restrictions software companies like to put on reverse engineering. (Almost any commercial software you buy or download, if you check the license, will prove to include a ban on reverse engineering. But unless UCITA is passed, the ban is unsupported by court precedent.) The current threat by Symantec is by no means the first that Haselton has suffered for his efforts to educate filter users.

Isn’t it bizarre that Symantec claims to hold a copyright on information coded deep in hidden files? Copyright is for things that the creator wants people to see, like this article. In software, copyright has traditionally been used to prevent an employee from jump-starting a new company by reusing code from a previous firm. Copyright is a powerful weapon, so any attempt to broaden its definition is dangerous.

Symantec is on shaky ground in claiming that Haselton has misused their intellectual property, whether they invoke copyrights or trade secrets. But we still don’t know how the courts will rule on the use of the DMCA, or UCITA (which was passed into law yesterday by the state of Virginia and is under consideration by most other states).

Thus, the trend among companies with something to hide is to use intellectual property as their shield. While Symantec wants to keep its filters secret, an automobile manufacturer can’t keep a consumer advocate from opening the hood of a car and checking how its engine filters air. But in the future, an automobile manufacturer might embed the complexities of its filtering in a computer chip and use the Symantec defense to keep consumer advocates from investigating its practices.

So the story of the I-Gear fight should be bigger news. It’s bigger than technical questions of computer security, even bigger than the debate over Internet censorship. We’re talking about the right to share information about corporate practices, and that touches everyone.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles