BEFORE THE FEDERAL TRADE COMMISSION IN THE MATTER OF FTC TOWN HALL TO ADDRESS DIGITAL RIGHTS MANAGEMENT TECHNOLOGIES Comment of: J. Alex Halderman Assistant Professor of Electrical Engineering and Computer Science ‐‐ University of Michigan CSE Building, Room 4717 2260 Hayward Avenue Ann Arbor, MI 48109‐2121 Represented by: Blake E. Reid, Clinician and Juris Doctor Candidate Harry A. Surden, Associate Professor of Law Paul K. Ohm, Associate Professor of Law J. Brad Bernthal, Associate Clinical Professor of Law ‐‐ Samuelson­Glushko Technology Law & Policy Clinic University of Colorado School of Law 105R Wolf Law Building, 401 UCB Boulder, CO 80309‐0401 January 29, 2009 Pursuant to the Proposed Topics for Discussion1 and the Notice and Request for Public Comment2 in regard to an FTC Town Hall Meeting to Address Digital Rights Management Technologies, we request that the Commission consider an approach to mitigating the security risks posed to consumers by digital rights management (“DRM”) systems. In particular, our request focuses on DRM‐protected consumer products that are accessible on personal computers (“PCs”), including video games, audio compact discs, and other works. The Commission has called for discussion on improving disclosures to consumers regarding limitations of DRM systems. Consumers would benefit greatly from transparent disclosures about the specific security risks posed by many PC‐based DRM systems. These risks can include the surreptitious installation of undesired software, the loss of control over critical PC software and hardware, and exposure to cyber‐attacks and malware such as viruses, worms, Trojan horses, and spyware, which may lead to the compromise of private personal data. 1 Available at http://www.ftc.gov/bcp/workshops/drm/topics.shtml. 2 Available at https://secure.commentworks.com/ftc‐DRMtechnologies/. Unfortunately, the content industry has been largely unable or unwilling to disclose the security risks posed to consumers by these DRM systems prior to the release of products. Content producers have remained largely dismissive of consumer concern over potential security risks, and have responded lethargically, if at all, with fixes to serious security problems. Furthermore, certain industry members have stifled the efforts of independent security researchers, who were acting in good faith to discover and fix these problems, by threatening litigation under the anti‐circumvention measures of the Digital Millennium Copyright Act (“DMCA”). This state of affairs leaves many consumers vulnerable to security threats and uninformed of the risks that they face. We believe that this is an untenable situation. In the ongoing triennial DMCA exemption rulemaking at the Library of Congress, we have requested appropriate exemptions from the DMCA anti‐circumvention measures to allow independent security researchers acting in good faith to investigate and correct security problems in DRM on many PC‐accessible works ex post. However, consumers would surely benefit from more proactive behavior on the part of the content industry to address security problems ex ante, before they end up affecting consumers’ PCs. While class action lawsuits over security problems3 may lead to ad hoc change by individual companies, it does not appear that a comprehensive, proactive approach to addressing DRM security problems will manifest across the content industry without some form of regulatory intervention. Accordingly, we ask the Commission to consider pursuing and implementing a two‐ pronged solution that will require or strongly encourage companies using DRM systems on PC‐accessible products to: 1) submit to independent security audits of the DRM systems and 2) provide conspicuous notice to consumers of the products regarding the nature, operation, and limitations of any DRM systems included in the products, as well as the general security risks inherent to most PC‐based DRM systems and any known flaws specific to the included DRM systems. In support of our request, we have attached the following documents for the consideration of the Commission: • J. Alex Halderman, Blake E. Reid, Paul K. Ohm, Harry A. Surden, and J. Brad Bernthal, In the Matter of Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies (Dec. 2, 2008) (rulemaking filing discussing the current state of PC‐based DRM systems and security issues). • J. Alex Halderman and Edward W. Felten, Lessons from the Sony CD DRM Episode (Feb. 14, 2006) (an in‐depth, peer‐reviewed analysis of the Sony‐BMG rootkit saga). 3 Five class action suits have now been filed against Electronic Arts over potential security problems in the SecuROM DRM software. See The People vs. SecuROM, RECLAIM YOUR GAME!, available at http://www.reclaimyourgame.com/index.php?option=com_content&view=section&layout =blog&id=17&Itemid=57. 2 • Edward W. Felten, J. Alex Halderman, Deirdre K. Mulligan, and Aaron Perzanowski, Comment Re: RM 2005­11 – Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies (Dec. 1, 2005) (rulemaking filing discussing the Sony rootkit saga)). We have separately requested that Professor Halderman be considered as a panelist for the Mar. 25, 2009 Town Hall meeting on DRM. We thank the Commission for its consideration. Sincerely, /s/ J. Alex Halderman • Blake E. Reid • Harry Surden • Paul Ohm • J. Brad Bernthal Enclosures 3 BEFORE THE COPYRIGHT OFFICE OF THE LIBRARY OF CONGRESS IN THE MATTER OF EXEMPTION TO PROHIBITION ON CIRCUMVENTION OF COPYRIGHT PROTECTION SYSTEMS FOR ACCESS CONTROL TECHNOLOGIES Docket No. RM 2008­8 Comment of: J. Alex Halderman Assistant Professor of Electrical Engineering and Computer Science ‐‐ University of Michigan CSE Building 2260 Hayward Avenue Ann Arbor, MI 48109‐2121 Represented by: Blake E. Reid, Clinician and Juris Doctor Candidate Paul K. Ohm, Associate Professor of Law Harry A. Surden, Associate Professor of Law J. Brad Bernthal, Associate Clinical Professor of Law ‐‐ Samuelson­Glushko Technology Law & Policy Clinic University of Colorado School of Law 105R Wolf Law Building, 401 UCB Boulder, CO 80309‐0401 December 2, 2008 Pursuant to the Notice of Inquiry of Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies1 (“NOI”) and 17 U.S.C. § 1201(a)(1)(C), we respectfully request that the Librarian of Congress grant an exemption to 17 U.S.C. § 1201(a)(1)(A) for (1) literary works, sound recordings, and audiovisual works accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works and create or exploit security flaws or vulnerabilities that compromise the security of personal computers, when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities, or, in the alternative, for (2) video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works and create or exploit security flaws or vulnerabilities that compromise the security of personal computers, when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities. 1 70 Fed. Reg. 73, 58073 (Oct. 6, 2008) [hereinafter NOI]. I. Submitting Party J. Alex Halderman is a noted computer security and privacy researcher and an assistant professor of electric engineering and computer science at the University of Michigan.2 His research focuses particularly on the threats introduced by access and copy‐ protection measures. In particular, he published in 2003 an academic paper on SunnComm’s MediaMax copy‐protection system3. In response, SunnComm first threatened a lawsuit under the Digital Millennium Copyright Act (“DMCA”)4, then subsequently retracted the lawsuit, citing the “chilling effect on [computer security] research.”5 Partially in response, Professor Halderman proposed, as part of the third iteration of this rulemaking process (along with Princeton Professor Edward W. Felten), an exemption to the DMCA anti‐circumvention measures to address the chilling effect of the statute on computer security researchers in the context of insecure technological protection measures (“TPMs”) on compact discs containing audio recordings and the unfair access limits that the statute placed on consumers.6 As a result, the Librarian of Congress exempted the following class of works from the anti‐circumvention measures (hereinafter “Sound Recordings Exemption”): Sound recordings, and audiovisual works associated with those sound recordings, distributed in compact disc format and protected by technological protection measures that control access to lawfully obtained works and create or exploit security flaws or vulnerabilities that compromise the security of personal computers, when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities.7 2 http://www.cse.umich.edu/~jhalderm/. 3 J. Alex. Halderman, Analysis of the MediaMax CD3 Copy­Prevention System, PRINCETON UNIVERSITY COMPUTER SCIENCE TECHNICAL REPORTS TR‐679‐03, available at http://www.cs.princeton.edu/research/techreps/TR‐679‐03. 4 Fred Locklear, Press “Shift” to Initiate Lawsuit, ARS TECHNICA (Oct. 9, 2003), available at http://arstechnica.com/archive/news/1065755223.html. 5 Fred Locklear, SunnComm Shifts Stance,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages53 Page
-
File Size-