Thursday, October 17, 2002

DMCA Compromising Computer Security in the US?

M. Claire Stewart is linking to some great articles over on Current copyright readings, quickly making her blog an indispensible source of information on subjects such as the Digital Millennium Copyright Act (DMCA).

One of the latest is a story in the Register called If I tell you that I'll have to kill you: Red Hat fights the DMCA:
Red Hat has struck a small blow against the DMCA, by publishing a security patch which can only be explained fully to people who are not within US jurisdiction. The company's position here seems to be not altogether voluntary - according to a spokesman "it is bizarre, and unfortunately something Red Hat cannot easily do much about," but like it or not Red Hat has been recruited to the campaign to make the DMCA look ridiculous.
The explanation behind the security patch details, in part, how security can be breached in the Red Hat system and how the patch addresses that problem. Because of this, it could possibly be viewed as a violation of the DMCA.

To keep the company safe from breaking the law, the explanation for the patch is only available through another link which leads to Thefreeworld's 'NO DMCA' licence, in which you have to warrant that you are not an American citizen, or within America's jurisdiction. I didn't press the button to accept the license that clearly states: "I accept the license. I am not a US citizen, nor resident in an US Territory." (Not because I'm an American citizen, within America's jurisdiction. I just don't need the patch, so I didn't have to go there.)

If you need this security patch, and its explanation, and you are an American citizen, you might want to send a comment to the Copyright Office of the Library of Congress and explain how the DMCA might be possibly compromising the security of your computer system. Unfortunately, the length of the comment period might leave your computer vulnerable to people outside of the US who have access to the Red Hat information. The patch is still available to you without the license, which applies to the explanation of what the patch does. From the license:
Note that if you are a US citizen or under US jurisdiction, circumventing this access control is a violation of the DMCA, punishable a prison term of up to 5 years and a fine of up to $500,000 per violation. On request access_log information will be provided to the law enforcement agencies from the jurisdiction where this webserver resides.
This may be something that we will have to get used to unless Congress revisits this law.