Canadian Security Co's Speak Out Against Anti-circumvention

------ Forwarded Message
From: Michael Geist < >
Date: Tue, 08 Mar 2005 17:30:17 -0500
To:
Subject: Canadian Security Co's Speak Out Against Anti-circumvention Legislation

Dave,

A substantial group of Canada's security technology companies have sent a public letter to the Industry and Heritage Ministers to express concern about the potential for DMCA-like legislation in Canada. Years of discussions and no one bothered to ask these guys what they think.

The public letter has been posted online at

A release and backgrounder are at

This might be a sign of Canada's technology community waking up to the implications of copyright reforms that directly impact their businesses.



March 8, 2005


The Honourable David L. Emerson, P.C., M.P.
Minister of Industry
235, Queen Street, 11th Floor, East Tower
Ottawa, Ontario K1A 0H5

The Honourable Liza Frulla, P.C., M.P.
Minister of Canadian Heritage and Status of Women
15 Eddy Street
Gatineau, Quebec K1A 0M5

Dear Minister Emerson and Minister Frulla:

Re: Proposals to include Anti-Circumvention Rights in A Bill to Amend the Copyright Act

We write to you as leaders of Canada's security research business community. We understand that the Canadian government in the near future will introduce legislation to amend the Copyright Act to introduce rights to prohibit the circumvention of technological protection measures, or "TPMs". Any such amendment will have profound negative consequences for security researchers and businesses that commercialize such research. The business community involved with security research and related services has a great deal at stake in this legislation, both economically and technologically. Despite these considerations, the government has yet to consult with us. We urge the government to take our concerns into account prior to implementing any such amendment.

Legal protection for TPMs is the equivalent of making screw-drivers illegal because they can be used to break and enter. Good legislation targets the illegal act, not the legal tools the crook might use. Canada is already well-served by laws protecting copyright. Outlawing the technological tools - the screw-drivers of the technology community - undermines Canada's commitment to fostering an economy built on innovation and opportunity.

Understand that the science and business of digital security implicates the practical application of circumvention technologies. To understand security threats, researchers must understand security weaknesses. We are not in the business of circumventing technological safeguards for the purposes of exploiting the weaknesses we find; rather, we are in the business of finding and addressing those weaknesses. In this way, our work offers crucial support to the business interests of those who seek to protect their copyrighted works through technology. Indeed, technological protection measures and digital rights management systems themselves are practical applications of the work of this research community.

We observe that in other jurisdictions, rights holders have often sought to enforce anti-circumvention rights for reasons other than copyright protection. Anti-circumvention rights have anti-competitive applications. These have been well documented and should be familiar to you. We won't dwell on them here. More troubling from a public policy perspective, however, are those attempts to assert anti-circumvention rights to silence critical research into security holes. Such attempts are at base motivated by a desire to maintain control over security research in respect of particular platforms or applications. Centralized control over security research does not make for good public policy. Security weaknesses are best found - and addressed - when a variety of security researchers examine a platform or application. The odds of one party devising the best response to a security issue are slim; the likelihood of an optimal response improves significantly when a community of security researchers has the opportunity to examine and test a platform or application. Anti-circumvention laws throw a shroud of legal risk over that community, and dampen security research at the edges. Simply, anti-circumvention laws that provide for excessive control make for bad security policy.

The American experience under the Digital Millennium Copyright Act (the "DMCA") should be instructive in this regard. Professor Ed Felten of Princeton University was threatened with litigation (as were conference organizers) for attempting to present his findings on security holes in the work of the Secure Digital Music Initiative industry working group. Dmitri Sklyarov, a Russian programmer, was jailed for travelling to the United States and presenting the results of his work on a software tool that could be used to read Adobe's "e-book" files. American security researchers are choosing to avoid research with DMCA implications. Global experts on security now avoid traveling to the United States. Richard Clarke, former White House cybersecurity and counterterrorism adviser, has observed that the DMCA's anti-circumvention provisions have had a "chilling effect on vulnerability research." The DMCA has had a demonstrably negative impact on security research in the United States.

Canada has historically been a global leader in the science of cryptography. Canada is now turning to apply that strength to the business of digital security. The Canadian government should support this emerging industry, not erect market barriers or create new risks of legal liability. In the late nineties, the Canadian government made online connectivity a priority with the goal of making Canada "the most connected nation in the world". Consistent with that goal, Canada released its Cryptography Policy in 1998, envisioning digital security as key to "building Canada's information economy and society", and making a commitment to fostering the development of the digital security business sector. In 1998, the Canadian government recognized the importance of this business sector to securing reliable electronic commerce. In the context of anti-circumvention laws, these considerations have barely merited a mention.

Proponents of anti-circumvention laws protest that these laws do not target "legitimate" security research, and that laws may be crafted with exceptions for such research. With respect, the DMCA carries such exceptions. They have proven both inadequate and ineffective in protecting security researchers from threats of litigation. Moreover, such exceptions offer little security against the threat of litigation. Rights-holders have not hesitated to assert anti-circumvention rights against researchers to maintain control over public dissemination of security research implicating their applications and platforms, even where such claims have only the most tenuous basis in fact. Nonetheless, such threats create a "liability chill". Security researchers and businesses generally lack the time and resources to defend such claims, with the result that the mere threat achieves the claimant's objective. The mere threat of liability for circumvention is a mischief itself that may only be addressed by not creating the basis for the threat in the first place.

In our view, the best policy would be to introduce no change to the law at all. Rights-holders are well protected by traditional rights under the Copyright Act. An infringement remains an infringement regardless of whether or not a TPM is circumvented. TPMs themselves provide a second layer of protection sufficient to deter all but the most sophisticated would-be infringers. Legally privileging TPMs would add a third layer of protection; however, we seriously question whether the marginal value of this legal protection outweighs the severe impairment it causes to legitimate security research.

We welcome the opportunity to discuss the matters addressed in this letter with you. We look forward to being consulted by the government on future developments in this area.

Yours truly,

Brian O'Higgins Chief Technology Officer Third Brigade, Ltd.

Brian Flood Chief Executive Officer VE Networks, Inc.

Bob Young, Co-founder and Director, Red Hat, Inc. Founder and CEO of Lulu, Inc. Owner, Hamilton Tiger-Cats Football Team

Hugh Ellis Chief Executive Officer Cinnabar Networks Inc.

John Detombe Director AEPOS Technologies Corporation

Austin Hill President Synomos Inc.

John Alsop Founder and Chairman Borderware Technologies Inc.

Michael Kouritzin Chief Executive Officer Random Knowledge Inc.

Dr. Stefan Brands President Credentica

Carl C. Bond President Innusec, Inc.

Djenana Campara Chief Technology Officer Klocwork Inc.

Randy Sutton, President Elytra Enterprises Inc.

Professor Michael A. Geist Canada Research Chair in Internet and E-commerce Law University of Ottawa Law School, Common Law Section

------ End of Forwarded Message

Marcus Didius Falco