Copyright Extensions threaten Free Software in Europe

João Miguel Neves joao at
Mon Dec 3 01:06:16 UTC 2001

This is an article I wrote about the effects of DMCA and EUCD (European
Union Copyright Directive) on free software. I'm looking for comments
and suggestions. I hope that this raises a discussion that defines what
FSFE will do about this.

A web copy is available at
and I'm gathering information on this subject on

Copyright Extensions threaten Free Software in Europe

In May 2001 the European Union Copyright Directive (EUCD) was approved.
This directive enacts new extensions to copyright legislation including
the limitation of use and effective protection to any kind of rights
management information (this includes any of those so-called
copy-protection technologies). This legislation implements, in practice,
the same principles as the USA's Digital Millennium Copyright Act (DMCA)
that, so far, has been used to arrest a Russian programmer after his
presence at a conference, to prevent the scientific publication of an
article in a conference by a university professor, to instill fear in
the security community and is the answer to the question "Why can't I
read DVDs with any GNU/Linux distribution?".

The EUCD was adopted on May 22nd, 2001, so national governments
have until December 22nd, 2002 to include this directive in national
legislation, assuming that no country refuses it. The main issue with
this directive is article 7 - Obligations concerning rights-management
information. The problem in this article is that it prohibits the
distribution, broadcasting, communication or making available to the
public of anything "if the person knows, or has reasonable grounds to
know, that by so doing he is inducing, enabling, facilitating or
concealing an infringement of any copyright or any rights related to
copyright". But what does rights-management information (RMI) mean? The
information supplied is that it's any information from the copyright
owner that defines the work and the terms of its use.

This means that, for the first time in the history of recent copyright
legislation, the copyright owner is given the right to, through RMI,
limit the private use of a work. This means that protective measures
like DVD zoning that tries to limit playing a DVD to a defined
geographical area suddenly become legal in Europe. It also means that
freedom of speech may be at peril, if companies start following the
example of Microsoft that prohibits the use of MS FrontPage 2002 for
sites that criticise Microsoft, its subsidiaries or its products.

Besides that, if some tool can be used to circumvent any kind of RMI,
then it's illegal to communicate and distribute it. This protection is
at the same level as prohibiting the sale and use of knives because they
can be used to kill people, even if that's not the use made by most
people. For free software there are three effects of this legislation
that, in fact, will hinder its development: the creation of monopolies
in file formats, the inability to operate with other systems and the
inability to discuss security issues in an open way as needed by the
collaborative development used by free software.

Monopolies on file formats

If some file format includes some RMI, like the password feature of MS
Word files, or the ability to disable copy&paste in Adobe's PDF files,
then reverse-engineering the file format and publishing the information
gathered would be a crime under this legislation, because the people
doing that would be facilitating the circumvention of these RMI. In
practice, this means that companies are given the protection to
effectively create a format and make sure that no one else can take away
its control from them, because they can simply send to jail any
developer that creates a free software program that uses their file
format. Unfortunately this is happening today in the USA with DVDs.
There's no GNU/Linux distribution that includes the ability to play a
DVD because the distribution of DeCSS code that is needed to play DVDs
has been found to be illegal in, at least, one court case.


The interoperability of free software with proprietary software will be
hindered by this legislation. Besides the possible difficulty of free
software to deal with some proprietary file formats, there's the risk
that software licenses, which also are RMI, simply prohibit reverse
engineering of protocols. This would mean that efforts like the Samba
project, Jabber and others would never have seen the light of day. This
will also mean that companies will be able to trap their customers in
custom and non-standard protocols without the business risk of having a
free software implementation of their protocol. This means that projects
like dotGNU are at peril. 


Last, but not least, the security problems. Due to the broad definition
of RMI, something like a security policy or any protective technologies
like a firewall can fall under this definition. This means that
discussing, distributing or developing security auditing tools will be
illegal. The problem here is not so much the fear that all our houses
will be searched and all our computers checked for these tools, but the
fact that, in a situation where you have someone against you there is
only the possibility of an accusation that can lead to jail time. This
fear can be more effective in controlling a group of people than the
enforcement of the law as is.

The other security problem has been recently demonstrated by Alan Cox.
Cox recently published a changelog for a Linux kernel where the
descriptions of some security-related bug fixes were censored. The
reasoning for this is simple to follow. Those bugs could be used to
circumvent RMI (in this case file permissions) and simply stating that
they were there would be facilitating the circumvention of that RMI.
This is only one example that reminds us that security is
dealing with circumvention of rules: describing ways to circumvent
protections and fixing the software so that each one of those ways
becomes ineffective. Now, what this directive says is that we can't
discuss ways to circumvent protections, because we would be breaking the
law and could go to jail. Ignoring the fact that proprietary software
companies were given a way to avoid fixing the security bugs in their
software because nobody can talk about them, for free software this
means that the whole "find a bug, tell the program owner/maintainer, fix
the bug" cycle is broken because telling about the bug could be a crime,
especially if it's in a public forum like a mailing list or a bugzilla
webpage, and could mean jail, not automatically but, more dangerously, when
someone feels like accusing you.

What can be done?

Until now there is no notice of any country that has already passed
the EUCD into national law. This means that there's still the possibility
of getting, at least, one European state to challenge the directive.
There is another case where Germany fought a directive based on the same
articles of the European Community treaty as this one and won. Of course
this means that politicians, the public and the press must understand
these issues and the inherent risks. This also means that it's up to
you, the reader, to learn more about these issues and tell your friends
and family about them; to start a conversation about this at the bus
station and to write to your elected representative about the EUCD and
why it is bad for consumers, programmers, the internet and security.

						Joao Miguel Neves