Table of Contents:

Introduction to the online version


Preface to the printed version

Copyright Overview

Software Copyright

Digital Copyright

- Why Digital Works are Different

- A Bad Fit

- Protecting Digital Information

- What Not to Protect

- DMCA Safe Harbors

   - Notice and Takedown and Putback

   - Mere Conduits

   - Caching

   - Stored Information

   - Directories

   - Other Safe Harbor Requirements

   - Special Rules for Schools

- Protection Through Technology

- DMCA Technological Protections

   - Trafficking

   - Accessing

   - Distinction From Copyright

   - Rights Management

   - Permitted Circumventions

   - Reverse Engineering

   - Encryption Research

   - Code as Speech

   - Security Testing

Patent Overview

Software Patents

Full treatise table of contents

Home             Copyright/Other Information             Send Comments

Chapter 3: Copyright of Digital Information

IV.E.7.d. Encryption Research

The Senate Judiciary Committee felt strongly that the provisions of the DMCA should not be used to stifle the very encryption research that led to the technological measures the DMCA would now protect.

   The purpose of the Committee in proposing enactment of section 1201 is to improve the ability of copyright owners to prevent the theft of their works, including by applying technological protection measures. The effectiveness of such measures depends in large part on the rapid and dynamic development of better technologies, including encryption-based technological protection measures. The development of encryption sciences requires, in part, ongoing research and testing activities by scientists of existing encryption methods, in order to build on those advances, thus promoting and advancing encryption technology generally.

   The goals of section 1201 would be poorly served if these provisions had the undesirable and unintended consequence of chilling legitimate research activities in the area of encryption. It is the view of the Committee, after having conducted extensive consultations, and having examined a number of hypothetical situations, that Section 1201 should not have such an unintended negative effect.

   It is the view of the Committee that generally available encryption testing tools would not be made illegal by this Act. Each of those tools has a legitimate and substantial commercial purpose – testing security and effectiveness – and are not prohibited by Section 1201. In addition, the testing of specific encryption algorithms would not fall within the scope of 1201, since mathematical formulas as such are not protected by copyright. Thus, testing of an encryption algorithm or program that has multiple uses, including a use as a technical protection measure for copyrighted works, would not fall within the prohibition of section 1201(a) when that testing is performed on the encryption when it is in a form not implemented as a technical protection measure. Similarly, the testing of encryption technologies developed by or on behalf of the government of the United States, would not violate section 1201 since copyright does not subsist in such subject matter. Finally, there are many situations in which encryption research will be undertaken with the consent or at the direction of the copyright owner and therefore will not give rise to any action under section 1201. {FN185: Sen. Rep. No. 105-190 at 15}

While the Senate Judiciary Committee goes on to provide illustrations of encryption research that it believes would not be violations, and the reasons why, as discussions progressed on the DMCA it was felt that a specific exception for encryption research should be included.

(1) Definitions.-For purposes of this subsection—

   (A) the term “encryption research” means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and

   (B) the term “encryption technology” means the scrambling and descrambling of information using mathematical formulas or algorithms.

(2) Permissible Acts of Encryption Research.— Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if—

   (A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

   (B) such act is necessary to conduct such encryption research;

   (C) the person made a good faith effort to obtain authorization before the circumvention; and

   (D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

(3) Factors in Determining Exemption.— In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include—

   (A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

   (B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and

   (C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.

(4) Use of Technological Means for Research Activities.- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to—

   (A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and

   (B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2). {FN186: 17 U.S.C. §1201(g)}

The test attempts to differentiate between people performing legitimate encryption research and those claiming that they are promoting encryption research when they are simply distributing a circumvention program. It is impossible to draw a bright line here, and any attempt may simply provide a road map for those wanting to distribute circumvention technology to find a loophole they can exploit. However, in most cases it will not be difficult for a court, viewing all the evidence, to determine whether the activity is legitimate.

At one end of the spectrum is the scientific paper that indicates that a particular mechanism has been cracked and indicates the general approach used such that another encryption researcher can understand the technique. At the other end is a circumvention program distributed with little or no commentary on how it works. The easier it is for non-technical person to take the distributed result and use it for circumvention, the less it falls within the encryption research exception.

Note that the encryption research exception applies only to circumventing an access control mechanism in violation of Section 1201(a)(1)(A), as is the case for the reverse engineering exception. However, unlike the reverse engineering exception, the encryption research exception does not provide an exception to the trafficking provisions of Sections 1201(a)(2) or 1201(b), which can be a problem when a computer program resulting from the research is distributed, or Section 1202, which could be violated by encryption research aimed at removing a digital watermark used for rights management. One hopes that the courts will look at Congress’ stated desire to protect legitimate encryption research and not find a violation of any of the DMCA provisions when such research clearly meets the encryption research test.

Just to be on the safe side, Congress also asked the Copyright Office and the Commerce Department to determine whether these provisions were adequate to protect encryption research.

Not later than 1 year after the date of the enactment of this chapter, the Register of Copyrights and the Assistant Secretary for Communications and Information of the Department of Commerce shall jointly report to the Congress on the effect this subsection has had on—

   (A) encryption research and the development of encryption technology;

   (B) the adequacy and effectiveness of technological measures designed to protect copyrighted works; and

   (C) protection of copyright owners against the unauthorized access to their encrypted copyrighted works.

The report shall include legislative recommendations, if any. {FN187: 17 U.S.C. §1201(g)(5)}

The results of this joint study can be found at:

The study’s conclusions were as follows:

Of the 13 comments received in response to the Copyright Office’s and NTIA’s solicitation, not one identified a current, discernable impact on encryption research and the development of encryption technology; the adequacy and effectiveness of technological protection for copyrighted works; or protection of copyright owners against the unauthorized access to their encrypted copyrighted works, engendered by Section 1201(g). Every concern expressed, or measure of support articulated, was prospective in nature, primarily because the prohibition and its attendant exceptions will not become operative until October 28, 2000. Given the forward-looking nature of the comments and the anticipated effective date of the section at issue, any conclusion would be entirely speculative. As such, we conclude that it is premature to suggest alternative language or legislative recommendations with regard to Section 1201(g) of the DMCA at this time. {FN188: United States Copyright Office, Report to Congress: Joint Study of Section 1201(g) of The Digital Millennium Copyright Act, (May 2000)}

It is likely that there were no actual problems that could be identified in the one-year time frame for the report that Congress established, because there were few access control mechanisms in use and too little time for problems to surface. Already, the Recording Industry Association of America (RIAA) has sent a threatening letter {FN189: Letter from Matthew Oppenheim, dated April 9, 2001,} to a university professor who was about to publish a paper discussing his cryptographic research in removing digital watermarks from musical recordings, causing him to withdraw his paper from the conference. The RIAA later said that it didn’t mean to threaten him, and the paper was presented at another conference, but such acts can certainly chill legitimate encryption research. {FN190: An archive of information about the case can be found at}

There was no acknowledgment in the RIAA’s letter of the special exception provided by Congress for encryption researchers. In fact, it was more concerned about the perceived violation of the agreement for the contest to remove the digital watermarks than for a specific violation of the DMCA, although the possibility of a DMCA violation is also mentioned.

A paper to be presented at a scientific conference that doesn’t give step-by-step instructions on how to circumvent an access control mechanism is just what Congress intended to protect by the encryption research exception. Of course, the fact that somebody claims to be an encryption researcher doesn’t necessarily mean that the exception applies. A paper that basically says, “Here’s a program that you can run to circumvent this access control mechanism” should fall outside the encryption research exception. It will be up to the courts to determine where particular activities fall, but in many cases, it will be clear from the context of the activity.

Congress needs to monitor whether legitimate encryption research is being chilled, and make it clear that there will be remedial legislation, both to clarify and extend the encryption research exception and to provide sanctions against those who misuse the DMCA to scare legitimate researchers who will withdraw a paper or stop their research rather than face legal expenses in defending their activities. Though Congress provided in Section 1203(b) for the award of attorney’s fees and costs to a prevailing party, that is limited to suits brought claiming a violation of the anticircumvention or rights management provisions, and might not be available in a declaratory judgment action where a researcher who has received a threatening letter seeks to clarify that his work is not a violation.

With traditional intellectual property, like patents and copyrights, an owner places his intellectual property at risk when he litigates an alleged infringement, or even when he writes a threatening letter that leads to a declaratory judgment action, because the patent might be found invalid or the copyright unenforceable in the litigation. There is no similar risk to somebody who misrepresents that a legal act is a violation of the DMCA. Perhaps there should be, to discourage misuse of the DMCA in threatening letters.

Next section: Code as Speech

Copyright © 2002, Lee A. Hollaar. See information regarding permitted usage.