Super-DMCA not so bad

'Crux of what should be prohibited'

Opinion: The latest version of the controversial law could be a valuable weapon against thieves and pirates, writes SecurityFocus columnist Mark Rasch.

As the litigation over the DMCA continues -- with a 20-something Virginian sentenced to five months in jail for operating a website that sold mod chips, and a Harvard student's efforts to get federal court approval to reverse engineer web blocking software rebuffed -- the battleground over the "new" DMCA turns to the states.

Several states are considering their own versions of the Digital Millennium Copyright Act that would, in various ways, prohibit not only copyright infringement, but also the manufacturing, distributing, or advertising of products or devices that could be used to facilitate the "theft" of both broadband access and infringing downloading of copyrighted works.

In its final iteration, it's not such a bad idea.

Early versions of the legislation, pushed by the Motion Picture Association of America, were, well... terrible. These versions are, in fact, the ones that are currently being debated by state legislatures from Colorado to Massachusetts. They include provisions that would have criminalized any technology that could be used to get pay-content for free, and made it a crime to conceal the source of any communications. These bills were state copyright laws in sheep's clothing, as the federal government has the exclusive right to legislate copyright law. The state bills were phrased in terms of "theft of services" in order to avoid federal preemption.

These bills are already the law in Delaware, Maryland, Illinois, Michigan and Virginia, and a similar one was passed in Pennsylvania. The older version of the law is being considered in Arkansas, Colorado, Florida, Georgia, Massachusetts, South Carolina, Texas, Oregon and Tennessee.

In response to severe criticism, a shadowy group called the Broadband and Internet Security Task Force offered a revised version of the legislation on April 1st, 2003. The new law actually has some merit, and should be both considered and actively debated by the various legislatures that are currently looking at the MPAA version.

Indeed, the April 1st revision could be considered a model for the federal government in redrafting the DMCA itself.

Theft of Bandwidth

The Broadband and Internet Security Task Force is a consortium of cable TV companies and cable content providers that includes AT&T Broadband, Buena Vista Television, Comcast Cable Communications, Cox Communications, Macrovision, Showtime Networks, Time Warner Cable and Home Box Office. They began as the Pay-Per-View Anti-Theft Task Force and morphed into the Anti-Theft Cable Task Force before becoming the Broadband and Internet Security Task Force. As the names demonstrate, their concerns initially were about the "theft" of pay cable services (e.g., HBO, Showtime, pay-per-view) and the sale and distribution of cable descramblers to facilitate such theft.

As cable providers moved into the Internet arena, these concerns evolved into concerns about theft of bandwidth (tapping into your neighbor's cable modem without his permission) and also the related question of "theft" of pay content. In the content arena, this new task force's policy goals are similar to those of the MPAA -- to allow content providers to prevent people from obtaining "free" content where the "owner" charges for it (admittedly, we still have to solve the "fair use" problem).

The April 1st draft represents a significant improvement over both the previous drafts and the DMCA itself. It punishes (civilly and criminally) anyone who, "knowingly and with intent to defraud a communication service provider" sells, advertises or uses hardware or software that is designed to permit theft of communication services.

The mere addition of the words "with intent to defraud" makes an otherwise onerous law palatable. To succeed in a prosecution or lawsuit under this statute, the plaintiff or government would have to demonstrate not only that the product was designed for the "theft" of services, but also that the actor intended to defraud the provider. It would not be sufficient to demonstrate that the defendant knew the device could be used in that manner.

In essence, the defendant would have to intend to "steal" or assist in the "stealing" of pay-content or access. This is more limited than even the laws that prohibit the sale of cable descramblers, and is much more narrowly crafted than the current DMCA. Because the proposed law requires proof of intent to defraud, those who merely wish to engage in fair use of content would likely be protected, as would those who make products that could be used to steal content, but intend to use them for other purposes (e.g., reverse engineering, improving signal quality, etc.).

In this way, the so-called Super DMCA is actually a vast improvement over the real one, which has only very narrow exceptions.

Sure, the bill could be better. "Intent to defraud" is still fairly broad; it should be tied more directly to "theft of services." The provisions for civil damages allow courts to give cable companies a larger award than the losses actually suffered. The definitions of "communication device" and "communication service" are also broader than I would like.

But by focusing on defendants who actually intend to steal pay-content or broadband access, the law goes to the crux of what should be prohibited. It's worth a second look.

© SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
