TELECOM Digest OnLine - Sorted: Canadian Security Co's Speak Out Against Anti-circumvention

Canadian Security Co's Speak Out Against Anti-circumvention

Marcus Didius Falco
Wed, 09 Mar 2005 23:26:40 -0500

------ Forwarded Message
From: Michael Geist < >
Date: Tue, 08 Mar 2005 17:30:17 -0500
To: <dave farber. >
Subject: Canadian Security Co's Speak Out Against Anti-circumvention


A substantial group of Canada's security technology companies have sent a
public letter to the Industry and Heritage Ministers to express concern
about the potential for DMCA-like legislation in Canada. Years of
discussions and no one bothered to ask these guys what they think.

The public letter has been posted online at

A release and backgrounder are at

This might be a sign of Canada's technology community waking up to the
implications of copyright reforms that directly impact their businesses.



March 8, 2005


The Honourable David L. Emerson, P.C., M.P.
Minister of Industry
235, Queen Street, 11th Floor, East Tower
Ottawa, Ontario K1A 0H5

The Honourable Liza Frulla, P.C., M.P.
Minister of Canadian Heritage and Status of Women
15 Eddy Street
Gatineau, Quebec K1A 0M5

Dear Minister Emerson and Minister Frulla:

Re: Proposals to include Anti-Circumvention Rights in A Bill to Amend
the Copyright Act

We write to you as leaders of Canada's security research business
community. We understand that the Canadian government in the near
future will introduce legislation to amend the Copyright Act to
introduce rights to prohibit the circumvention of technological
protection measures, or "TPMs". Any such amendment will have profound
negative consequences for security researchers and businesses that
commercialize such research. The business community involved with
security research and related services has a great deal at stake in
this legislation, both economically and technologically. Despite
these considerations, the government has yet to consult with us. We
urge the government to take our concerns into account prior to
implementing any such amendment.

Legal protection for TPMs is the equivalent of making screw-drivers
illegal because they can be used to break and enter. Good legislation
targets the illegal act, not the legal tools the crook might use.
Canada is already well-served by laws protecting copyright. Outlawing
the technological tools - the screw-drivers of the technology
community - undermines Canada's commitment to fostering an economy
built on innovation and opportunity.

Understand that the science and business of digital security implicates the
practical application of circumvention technologies. To understand security
threats, researchers must understand security weaknesses. We are not in
the business of circumventing technological safeguards for the purposes of
exploiting the weaknesses we find; rather, we are in the business of
finding and addressing those weaknesses. In this way, our work offers
crucial support to the business interests of those who seek to protect
their copyrighted works through technology. Indeed, technological
protection measures and digital rights management systems themselves are
practical applications of the work of this research community.

We observe that in other jurisdictions, rights holders have often
sought to enforce anti-circumvention rights for reasons other than
copyright protection. Anti-circumvention rights have anti-competitive
applications. These have been well documented and should be familiar
to you. We won't dwell on them here. More troubling from a public
policy perspective, however, are those attempts to assert
anti-circumvention rights to silence critical research into security
holes. Such attempts are at base motivated by a desire to maintain
control over security research in respect of particular platforms or
applications. Centralized control over security research does not
make for good public policy. Security weaknesses are best found - and
addressed - when a variety of security researchers examine a platform
or application. The odds of one party devising the best response to a
security issue are slim; the likelihood of an optimal response
improves significantly when a community of security researchers has
the opportunity to examine and test a platform or application.
Anti-circumvention laws throw a shroud of legal risk over that
community, and dampen security research at the edges. Simply,
anti-circumvention laws that provide for excessive control make for
bad security policy.

The American experience under the Digital Millennium Copyright Act
(the "DMCA") should be instructive in this regard. Professor Ed Felten
of Princeton University was threatened with litigation (as were
conference organizers) for attempting to present his findings on
security holes in the work of the Secure Digital Music Initiative
industry working group. Dmitri Sklyarov, a Russian programmer, was
jailed for travelling to the United States and presenting the results
of his work on a software tool that could be used to read Adobe's
"e-book" files. American security researchers are choosing to avoid
research with DMCA implications. Global experts on security now avoid
traveling to the United States. Richard Clarke, former White House
cybersecurity and counterterrorism adviser, has observed that the
DMCA's anti-circumvention provisions have had a "chilling effect on
vulnerability research." The DMCA has had a demonstrably negative
impact on security research in the United States.

Canada has historically been a global leader in the science of
cryptography. Canada is now turning to apply that strength to the
business of digital security. The Canadian government should support
this emerging industry, not erect market barriers or create new risks
of legal liability. In the late nineties, the Canadian government
made online connectivity a priority with the goal of making Canada
"the most connected nation in the world". Consistent with that goal,
Canada released its Cryptography Policy in 1998, envisioning digital
security as key to "building Canada's information economy and
society", and making a commitment to fostering the development of the
digital security business sector. In 1998, the Canadian government
recognized the importance of this business sector to securing reliable
electronic commerce. In the context of anti-circumvention laws, these
considerations have barely merited a mention.

Proponents of anti-circumvention laws protest that these laws do not
target "legitimate" security research, and that laws may be crafted
with exceptions for such research. With respect, the DMCA carries
such exceptions. They have proven both inadequate and ineffective in
protecting security researchers from threats of litigation. Moreover,
such exceptions offer little security against the threat of
litigation. Rights-holders have not hesitated to assert
anti-circumvention rights against researchers to maintain control over
public dissemination of security research implicating their
applications and platforms, even where such claims have only the most
tenuous basis in fact. Nonetheless, such threats create a "liability
chill". Security researchers and businesses generally lack the time
and resources to defend such claims, with the result that the mere
threat achieves the claimant's objective. The mere threat of
liability for circumvention is a mischief itself that may only be
addressed by not creating the basis for the threat in the first place.

In our view, the best policy would be to introduce no change to the
law at all. Rights-holders are well protected by traditional rights
under the Copyright Act. An infringement remains an infringement
regardless of whether or not a TPM is circumvented. TPMs themselves
provide a second layer of protection sufficient to deter all but the
most sophisticated would-be infringers. Legally privileging TPMs would
add a third layer of protection; however, we seriously question
whether the marginal value of this legal protection outweighs the
severe impairment it causes to legitimate security research.

We welcome the opportunity to discuss the matters addressed in this
letter with you. We look forward to being consulted by the government
on future developments in this area.

Yours truly,

Brian O'Higgins
Chief Technology Officer
Third Brigade, Ltd.

Brian Flood
Chief Executive Officer
VE Networks, Inc.

Bob Young,
Co-founder and Director, Red Hat, Inc.
Founder and CEO of Lulu, Inc.
Owner, Hamilton Tiger-Cats Football Team

Hugh Ellis
Chief Executive Officer
Cinnabar Networks Inc.

John Detombe
AEPOS Technologies Corporation

Austin Hill
Synomos Inc.

John Alsop
Founder and Chairman
Borderware Technologies Inc.

Michael Kouritzin
Chief Executive Officer
Random Knowledge Inc.

Dr. Stefan Brands

Carl C. Bond
Innusec, Inc.

Djenana Campara
Chief Technology Officer
Klocwork Inc.

Randy Sutton,
Elytra Enterprises Inc.

Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section

------ End of Forwarded Message
