Representative W.J. "Billy" Tauzin
Chairman
Subcommittee on Telecommunications, Trade and Consumer Protection
House Commerce Committee
2125 Rayburn House Office Building
Washington D.C. 20515

Dear Chairman Tauzin,

We are writing to express our concern about the effects of the "anti-circumvention provision" in H.R. 2281, the "WIPO Copyright Treaties Implementation Act," on encryption research and computer security. The Association for Computing (ACM) is the oldest and largest international association of computer professionals with 70,000 members in the U.S. As scientists, we are concerned that section 1201 will have the serious effect of criminalizing research intended to improve product and system security and the manufacture, import, or use of tools necessary to perform such research. It will also impede the ability of system operators to find and correct weaknesses in their own systems. Devices that circumvent technological protection measures are necessary for researching, developing, and testing copyright protection systems. The anti-circumvention provision in H.R. 2281 fails to recognize these legitimate uses of decrypting or descrambling tools.

ENCRYPTION RESEARCH

Research in encryption science entails the study of algorithms and their implementation in hardware and software that encrypt or scramble data. These products are tested using devices that attempt to circumvent the encryption algorithms or their implementation mechanism. Such adversarial testing is necessary to identify weaknesses in the system. Under H.R. 2281, both the testing itself and the manufacture of software tools that test the viability of a proposed encryption algorithm would be prohibited.

In addition to prohibiting encryption research, H.R. 2281 could also limit the ability of cryptographers to publish scientific articles revealing weaknesses in an algorithm or its implementation. Such publication is an integral part of the scientific method. The cryptographer's intent is to promote the science of cryptology, and to prevent users from trusting the flawed algorithm, not to encourage others to use the article to break into a system protected by the flawed algorithm. H.R. 2281 will affect the ability of a cryptographer to publish any article that reveals a security flaw in a commonly used encryption scheme. Under Section 1201(a), all copyright owners who use that particular encryption scheme may file action against the author on the basis that the article is "trafficking in [a] technology" or is a "service" that enables circumvention of the access control technology. The result may be that weak algorithms continue to be used even after researchers determine they are flawed.

COMPUTER SECURITY

H.R. 2281 makes circumventing access control technology per se illegal. This may affect the ability of system operators to test their computer systems for security weaknesses. Often, the exact same technology (encryption) is used to control access both to a copyrighted digital work and to certain components of a computer security system. For example, the same encryption algorithm might be used to restrict access both to a password file and to a literary work stored on the system. System operators have important, legitimate reasons to circumvent such access control technologies to confirm the security of the password file or other vulnerable elements of the system. They must be able to use or create software which circumvents access control technologies in order to determine the robustness of the security system.

The sweeping language of section 1201(a) will subject the system operator testing the security of their system to criminal penalties simply because they circumvented a technological control mechanism. This will likely discourage system operators from vigorously testing the security of their system.

In conclusion, the leadership that the United States currently enjoys in research and development of encryption algorithms, cryptographic products, and computer security technology may be seriously eroded by section 1201 as currently drafted. We urge you to adopt instead an "anti-circumvention provision" that restricts only circumvention related to infringement and will not reduce US competitiveness in encryption and inhibit the development of electronic commerce.

If you have any questions, please contact Lauren Gelman at 202/544-4859. We look forward to working with you on this important issue.

Sincerely,

Dr. Barbara Simons
Chair, U.S. Public Policy Committee
Association for Computing

cc: House Commerce Committee