Dmitry Sklyarov and the DMCA

As you may have read in the news over the last few weeks, a Russian programmer named Dmitry Sklyarov was arrested in Las Vegas by the FBI following the DefCon computer security conference. He was charged with trafficking in a copyright protection circumvention device, which is a criminal infraction under the Digital Millennium Copyright Act of 1998.

The DMCA, as it is known, is a nasty little bit of legislation. Most notably, it outlaws the publication of information on how to circumvent copy-protection schemes; Jon Johanssen, a teenager in Norway, was charged for figuring out how simple the protection on DVD movies is. Users of the free Linux operating system could not play DVDs on their own computers because no authorized company had written a "driver" for them - with Johanssen's scheme, they could. The Motion Picture Association of America not only dealt harshly with Johanssen, but sued the hacker magazine 2600 for even linking to Johanssen's code from their Web site. Princeton University professor Edward Felten was also threatened with a lawsuit if he presented his investigation into a file protection scheme, proposed by the music industry, at a conference.

The DMCA does have "fair use" provisions, but they are much narrower than the copyright law that preceded DMCA's passage. The fair use doctrine was developed to balance free speech rights against copyrights - e.g., satirical uses or parodies of copyrighted work, or short excerpts in a critical review are permitted under fair use. Under the DMCA, a publisher can take those rights away from a user via technology, and it becomes illegal to develop a tool to restore those rights to the information's consumer.

As a Ph.D. candidate at a Moscow state university, Sklyarov (pronounced skul-yahr-off) investigated the security of Adobe Systems' "Acrobat eBook Reader" software. This software enables publishers to deliver "ebooks" that are locked to one specific computer - the end-user can not copy the book to another computer, nor print it or have the text read aloud by the computer if the publisher has not specifically enabled those features. (In other words, blind customers may not be able to legally use a product they purchase.) Adobe's product has not been doing very well; the on-line customer discussion fora are filled with comments about the inadequacy of the product (many using a four-letter verb that starts with "s").

In the course of his investigations, Sklyarov found that Adobe's security was very poor, and that it was a simple matter to intercept the unprotected book when the purchaser entered the enabling password. He developed a program that exploited this shortcoming. This enables a user who has legitimately purchased a book to create an unlocked copy, which they can then print, copy to another computer, or even publish across the Internet to thousands of other readers.

Sklyarov's employer, a Russian company called ElcomSoft, specializes in password-recovery tools. For instance, if you lock an Excel spreadsheet, but then forget the password (or worse, your accountant who had the password quits), you can buy a tool from ElcomSoft to recover the data. The FBI is a significant customer of these tools, which have obvious law enforcement applications. ElcomSoft dubbed Sklyarov's tool the "Advanced eBook Processor", or "AEBPR", and put it up for sale, using a US-based credit card processing Web site.

On the June 25, Adobe filed a cease-and-desist notice with ElcomSoft, giving them five days to pull the program from sale. On June 26, Adobe filed a criminal complaint with the US Attorney against Dmitry Sklyarov, as the author of the program. Adobe knew that Sklyarov would be coming to the United States to speak at DefCon, and advised the FBI of this fact. He was arrested in due course on July 16.

This outraged the electronic community, for a variety of reasons. The Electronic Frontier Foundation, located here in San Francisco, got involved, and activists organized a boycott of Adobe products and demonstrations against Sklyarov's arrest around the world. On Monday, July 23, demonstrators rallied in Boston, St. Paul, Seattle, Salt Lake City, Moscow, New York, and most significantly, outside Adobe's headquarters in San José while the EFF met with Adobe's leadership inside. The end result of the pressure from the demonstrators, the boycott, and press coverage, together with the EFF's negotiations, was that Adobe dropped the criminal complaint and called for Sklyarov's release in a joint press release with the EFF.

Unfortunately, this is a criminal case, and it remains up to the Department of Justice to actually free Sklyarov. Another protest was held on Monday, July 30, at the San Francisco at the Federal Building as well as in several other cities around the nation. A protest at the US Embassy in London got significant media attention on Friday, August 3. As I write this, we are preparing for a rally at Sklyarov's bail hearing in San José for Monday, August 6.

There are several important reasons to set him free:

  1. He is charged with trafficking in forbidden technology. He did not sell the program; his employer did. Although three ElcomSoft employees were at the conference, including the president, it was Sklyarov who was arrested. It seems obvious that an example is being made of him.
  2. The DMCA specifically allows for narrow fair use exemptions from the civil and criminal violations it defines. AEBPR will only unlock a book legitimately purchased by the user; it can not be used to steal others' books. It is thus probable that the program does not even violate the law.
  3. The DMCA is a very bad law. It has a demonstrably chilling effect on speech; one colleague, while a co-worker of mine at an ebook company, did the same research as Sklyarov. He did not publish his work, though, and is now much more careful about what he publishes. Foreign scientists are beginning a boycott of US conferences for fear of prosecution and also in solidarity with Sklyarov and Johanssen. It also punishes research, rather than copyright violation; since AEBPR only unlocks a user's legitimately purchased copy, it is the user who must make the decision to pirate the unlocked copy. AEBPR is a tool with legitimate and illegal uses, like a lockpick, a crowbar, a car, and a gun. Outlawing the tool does not help.

However, there are other DMCA test cases, civil ones, working through the court system, and it is not important to keep Sklyarov as a hostage for a test case. Let him go.

This is an important Libertarian issue as well, for a few reasons.

  1. The rights violations mentioned above - Sklyarov's right to do research, publish his findings, and create tools with legitimate uses, and the public's right to fair use of information they purchase.
  2. It is an excellent example of the dangers of big government. Adobe, faced with an inferior product and public criticism of their security, used the government to bully its critics by proxy, having one of them arrested. The use of criminal charges as a substitute for competition in the marketplace is unacceptable. A small government is not a useful tool for a corporation, and would thus avoid similar abuses.
  3. The community response, the boycott, and Adobe's subsequent relenting and call for Sklyarov's release are a case study in how the free market can be used as a tool to effect social change without regulation.

Interested Libertarians are encouraged to join the protests and voice our support for free speech and our opposition to abusive laws and their enforcement. Please see freesklyarov.org for up-to-date information, or contact the author of this article directly at crism@maden.org or 504-8677.

The EFF's Web site is eff.org, and it includes information about Sklyarov, Johanssen, Felten, and the DMCA.