I Am not a Thug

After releasing my press release, I got this e-mail message, apparently copied from a Washington state Libertarian Party chat list, accusing me of intellectual thuggery. I forwarded my Golden Gate Libertarian article, which is better-pitched to libertarians, and also sent this response:

I am not now, nor have I ever been, a thug.

[Mike apologized for the implication - he noted that he tried to be clear that he was attacking my ideas, not me, and I appreciate that.]

At 13:05 8-08-2001, Mike Hihn wrote:

Geez, I hate to blast this to the entire original list, but Libertarians seem a bit confused on this issue, if they believe this is a mainstream Libertarian position. It's not.

It's important to note that this was a press release; space for arguing the points of a proposition is limited. Mike will, I hope, have already forwarded my article for Golden Gate Libertarian, which was more targeted towards convincing libertarians to support Dmitry's case. The August GGL should be showing up on lpsf.org Real Soon Now.

Rather than reply to Mike's points one-by-one, and produce an incoherent and very long message, I'll attempt to outline my views and conclusions and hope I've addressed his concerns.

What Happened

Adobe is not in the business of selling ebooks. Adobe produces the free Acrobat eBook Reader (which they actually acquired as part of a company called Glassbook), and they produce publishing software which they sell to publishers. They warrant to publishers that the software will protect their ebooks from piracy.

Mike points out that the Reader is free and that one needs nothing else to open a legitimately-purchased book... on a particular computer. When you buy a book with the Reader, you can only use the book on the computer you selected when purchasing the book. The Reader has a "lend this book" feature, which disables it on one computer and enables it on another - but that feature is optional. A publisher can disable it, as he can the ability to copy text from the book to the clipboard, the ability to print the book, and the ability to have the book read aloud with text-to-speech software. (There was a PR fiasco when Adobe released Alice in Wonderland with the poorly worded admonishment, "This book cannot be read aloud.") Note that if you upgrade certain parts of your computer (such as the hard drive, after a crash), or replace your computer, the book will no longer work. Backups are therefore of limited use.

Adobe uses a form of encryption to protect the security of these books. It is long-established fact in the encryption industry that "security through obscurity" is no security at all: if you rely on your protection working because no one knows how it works, then when someone does figure it out - and they will - your system will be wide open. Better, then, to permit wide review of security schemes to get maximum testing coverage for better quality and consumer confidence in the product. By analogy, manufacturers of locks and safes invite public review, including dissection of the lock; this makes better locks, and no reputable locksmith would ever recommend a lock that he was legally barred from inspecting first.

Dmitry is a cryptographic researcher in graduate school. He investigated Adobe's encryption practices, and found them extremely weak. When purchasing an ebook with the Acrobat eBook Reader, one enters a password to unlock it; Dmitry found that the unlocked file could be intercepted at that stage.

Dmitry also works for a software company called Elcom. Elcom specializes in password-recovery tools. For instance, they make a tool to recover data from password-locked Excel spreadsheets and Access databases, where the password has been forgotten, has left with a former employee, or is needed by criminal investigators. The FBI is among their customers for these tools. Elcom presented information on these tools at the Microsoft Black Hat security conference; Microsoft responded by noting in their on-line technical bulletins that their Office passwords are not secure, and referenced Elcom's presentation in the bulletin. This is the proper attitude of a security system vendor (such as Microsoft is) to exposure: note and correct the flaw. It establishes Elcom's reasonable expectation of a US company's reaction to other similar exposure, as well.

Elcom used Dmitry's research to develop a tool to unlock Adobe ebooks, the Advanced eBook Processor, or AEBPR. It's not clear whether Dmitry wrote all or part of the tool, or only developed the key algorithms. Elcom placed AEBPR for sale on a Web site for $99. The download is crippled - it can only decrypt part of a book - but after paying the fee, Elcom would send an enabling key. The price discourages purchase by casual pirates - it was primarily aimed at alerting the security community of the flaw. (Free copies were also available for review by journalists and researchers.) It is important to note again that AEBPR can only be used to unlock a book that the unlocker has purchased; it can't be used to H4X0R arbitrary books intercepted over the wire or found posted on the Internet.

Adobe sent a cease-and-desist letter to Elcom, giving five days to remove the product from sale. Elcom did not have a chance to comply before Adobe convinced their service provider to shut down the site peremptorily. Adobe also filed a criminal complaint against Dmitry, whose name may have been listed as AEBPR's copyright holder in one version of the tool, the day after sending the cease-and-desist letter.

There are more important facts to note here:

Adobe knew Dmitry would be coming to the US to speak at DefCon, and that information was included in the sealed criminal complaint. On Monday 16 July, Dmitry was arrested as he was getting ready to leave his hotel to return to Russia. Two of Elcom's senior management were also present at the conference, including the president; however, only Dmitry was arrested.

Why AEBPR Is Legal and Moral

As libertarians, we know that "legal" and "right" are often different things. However, I'll argue that AEBPR is both.

Also as libertarians, we can say that any contract entered into without coercion is acceptable. If a manufacturer places conditions on the use of the product, if I choose not to accept those conditions, I shouldn't purchase the product. If an ebook is sold with certain restrictions, I should accept those restrictions or not purchase the book. (It is possibly worth noting that I avoid the Acrobat eBook Reader for technical reasons, but those aside, I would probably still eschew it because of these restrictions.)

However, there are a couple of problems with that approach in this case. First, one must know the terms of a contract going in; the exact licensing terms of an Adobe ebook are not revealed until the book has actually been downloaded. Under any reasonable ethical or legal regime, that is unacceptable and not binding. Second, there are consumer rights issues - how far are the manufacturers' restrictions binding? For instance, Adobe says that if I have a crash or upgrade my computer, I can contact them for a new key so that I can continue reading my books. But what if Adobe goes out of business, or changes their policy? Do I have the right to continue to implement the policy I agreed to in their absence, using whatever technology is at my disposal? If so, then it seems reasonable to be able to make an unlocked backup of my books now, while I can. See Roger Sperberg's review of AEBPR, written before Dmitry's arrest.

Next, AEBPR is not of itself an act of piracy. It can be used for the legitimate purposes mentioned above, and it can be used for illegal purposes. The analogy with guns here seems obvious in a libertarian context (though I stayed away from it, mostly, in the press release as unnecessarily inflammatory). In fact, the California Supreme Court just held that gun manufacturers are not liable for the guns' misuse. Should Elcom be liable for the potential misuse of its tool? (No actual misuse has been demonstrated; only nine or so copies were sold before the product was pulled from sale.)

Then there's the issue of Russian law. Copyrights are created by law (as distinct from the moral right to benefit from one's own work; see below) as temporary monopolies to reproduce works of art. Copyright law includes fair use exemptions; one may make a copy of software for backup purposes in the United States, one may photocopy a certain proportion of a book, excerpt a book for a review, make a parody of a work, etc. Freedom of speech justifies many of the fair use exemptions in the US, while common law expectations of a purchased product justify others. In Russia, the copyright law includes very strong fair use conditions - so strong that Adobe's licensing restrictions violate the law. Adobe's ebook licensing terms are illegal in Russia!

Now, we can certainly argue about whether Russian copyright law is good or not, so let's stick to the legal sphere for this. One cannot be bound by an illegal contract; if I contract to kill someone for money, and then you refuse to pay me, I can hardly hold you to the contract in court. Similarly, Adobe's ebook licenses are not binding in Russia. But the technological restrictions are stronger than the law, here; AEBPR permits the users to exercise the fair use privileges that Russian law provides. (Some critics have noted that Elcom's Web page is in English and that they are obviously targeting American markets. That's true. However, the actions concerned here all occurred within Russia, so we have to at least consider those implications.)

On the moral front, the Russian fair use clauses are not very different from what used to be the case in the US before the Digital Millennium Copyright Act (again, see below).

A lot of Mike's comments seem to confuse AEBPR with stealing books directly, and he may think that Dmitry was arrested for doing so. Dmitry was arrested for developing a tool that could enable, among other things, stealing of books. When Rob notes that security through obscurity doesn't work, Mike replies, "He decides that public exposure is the best way to build secure computer systems, a valid opinion - but the then asserts that he can make that decision for copyright holders who may disagree, and simply seize their work." Not quite - if the system is not secure, then the copyright holders' work is not safe. To hide the fact that the system is not secure does not help the copyright holders; it only gives them a false sense of security that may lead to increased exposure in the long run. Publicizing the holes alerts the copyright holders to their situation.

He misinterprets another of Rob's comments ("In order to protect these anemic security mechanisms, businesses and governments will rely on the brute power of the courts to keep those who understand from sharing their knowledge."), saying, "sharing = seizing. Orwell would be proud." Rob was not referring to sharing the copyrighted work of others, but to sharing one's own findings about the state of the world. If I discover that the sky is blue, I should be permitted to tell others. And if Dmitry discover that Adobe's encryption is weak, he should not be sent to jail for revealing that fact to others. Yet this is exactly what the DMCA outlaws. (I can hear the ever-rising pitch of Ayn Rand's corpse's revolutions, as the government outlaws saying, "A is A.")

When I said that Adobe was "bullying by government proxy," I was referring to Adobe's attempt to silence Dmitry, and to frighten other potential critics into silence, not, as Mike says, "Like the police recovering my stolen car?" More like the police arresting someone for pointing out that you left your doors unlocked.

Why the DMCA Is So Bad

And that brings us to the DMCA, which made the arrest possible.

The DMCA is not necessary to protect copyright, and has a demonstrable chilling effect on speech. Pirating books and other copyrighted material is illegal under previous copyright law. The DMCA does not change that.

The DMCA also does not outlaw the legitimate circumvention of copyright protection technology, such as allowed by fair use provisions. Using AEBPR is perfectly legal under the DMCA, as long as you're not using it for piracy.

What is illegal is trafficking in a tool to circumvent copyright protection technology. The flaws here should be obvious: using a tool for legitimate purposes is legal, and the illegal uses are already illegal, but to further discourage them we'll make it illegal to distribute the tool. This is like allowing possession of firearms, and their use in self-defense, but outlawing their sale.

This means that if I discover a flaw in an encryption product, and I tell anyone, I can be punished through civil or criminal action. I may be able to defend myself under the cryptographic research exemption in the DMCA, but the chilling effect of having to defend speech in the courts should be obvious. Already, cryptographic researchers are changing how they think about publishing their findings. This will increase the likelihood that someone is using technology in the belief that it is secure, while it is known not to be; only those that know are scared to tell anyone. Foreign scientists are now reconsidering traveling to the United States for fear that they may have pissed off one corporation or another; American scientists traveling abroad should wonder whether they've violated any restrictive laws in the other countries while publishing work here. Retaliation is not out of the question.

Other fine DMCA cases include the DeCSS case. DVDs are encrypted, and licensed manufacturers are given separate decryption keys. Since no manufacturer produces a DVD player for Linux, Linux users have no way of reading DVDs which they have purchased on their own computers. A Norwegian teenager, Jon Johanssen, discovered that one manufacturer was not careful with their keys, and was able to devise an algorithm for decrypting DVDs. Linux users can now play their own DVDs! But the Motion Picture Association of America is suing Jon - and worse, they are suing 2600 magazine for linking to the cracking code on their Web site. Again, a fundamental freedom, this time of the press, is chilled by the law.

The Recording Industry Association of America devised an anti-piracy watermarking scheme for music called SDMI. They issued the SDMI Hack Challenge, offering a prize to any researcher who could crack the watermark, in exchange for keeping silent about the nature of the crack. A Princeton team, headed by Edward Felten, cracked the code very quickly, but declined the prize (and its conditions). They prepared to publish their findings at a conference, but were threatened with a lawsuit by the RIAA under the terms of the DMCA. When stating a fact in public is actionable, something is very wrong with the situation.

Read about these and other problems with the DMCA at the Electronic Frontier Foundation. Those of you who are black helicopter types may be interested to know that the DMCA was justified as bringing us into line with the World Intellectual Property Organization, yet another entangling alliance.

I hope that this, together with the Golden Gate Libertarian article, gives a good picture of why I think that libertarians should not only support Dmitry's case, but should also oppose the laws under which he is charged and Adobe's actions that led to his arrest.

On Intellectual Property

Now on to the theory. Mike accuses me of intellectual thuggery: "Maden argues like a slavemaster - that certain people have no right to sell the fruits of their labor, on their own terms (assuming a willing buyer)."

I really don't appreciate having words put in my mouth. I make my living from intellectual property - as a programmer, an author, and a consultant (yes, an ebook consultant - not sure why that was so funny). I am fully aware of its value.

I am also aware of how fragile a concept it is. Intellectual property is different from real property in the key sense that intellectual property is trivially reproducible. If you have IP, and I take a copy, we both have it now. If you have a car, and I take it, you don't have a car any more. This changes the game completely.

When I have an idea in my head which I have conceived, it is all mine. There is one copy in the world (assuming the idea is original). I created it, and I have the moral right to profit from it.

However, as soon as I impart that idea to someone else, there is now another copy in their head. That copy is entirely out of my control. I can't stop them from imparting it to someone else, or writing it down, or posting it to the 'net.

But that clearly poses a challenge to my right to profit from my own work. If he is better-financed, let's say, and produces more copies of a better-marketed edition of my novel than I can afford to do, I've been screwed. It's my novel, but he's getting all the money.

Without copyright law, I have three options: one, never tell anyone my ideas; two, hold my ideas hostage until I feel I've been paid satisfactorily for them, then let them go and make what additional money I can from them; three, take my chances (selling signed copies of the book, say, which only I can produce, or going on paid speaking tours, or selling services associated with the book based on my authority established thereby).

Option one is obviously a loss for everyone. I don't profit from my ideas, and the world never gets the benefit of being exposed to my ideas.

Option two is a kind of idea escrowing. It's been called the "Street Performer Protocol" by some - the idea is that a street musician keeps playing as long as he gets paid, but he doesn't really care who is doing the paying and who is doing the listening. The OpenCulture Foundation is a non-profit attempting to implement this protocol. I can offer a sample of my work, and market it, and if people think it's worthwhile, I can profit without legal protection. If they like that work, they're more likely to pay to see my next one.

Option three is proven to work. Any number of Open Source related companies make money this way; they pay people to work full time on Open Source software, with no direct benefit to the company. However, the company gains credibility and name recognition, and presumably expertise in the software, and profits from consulting services.

However, both of these approaches involve some substantial risk to the author. Option three is very risky, and option two runs the risk of theft. With no controls on copying, the chances of getting paid for the work drop dramatically if it's already been propagated.

Copyright was instituted as an artificial, temporary legal monopoly to protect authors' natural right to profit from their work. It is a form of prior restraint on copying. It is constitutionally authorized, but Jefferson had severe misgivings. He reveled in the fact that information reproduces itself as it springs from mind to mind; in 1788, he wrote to Madison, "The saying there shall be no monopolies lessens the incitements to ingenuity, which is spurred on by the hope of a monopoly for a limited time, as of 14 years; but the benefit even of limited monopolies is too doubtful to be opposed to that of their general suppression." Madison apparently convinced him of the necessity of these monopolies to encourage publication, but Jefferson said in '89, "I like the declaration of rights as far as it goes, but I should have been for going further. For instance, the following alterations and additons would have pleased me... Article 9. Monopolies may be allowed to persons for their own productions in literature, and their own inventions in the arts, for a term not exceeding ___ years, but for no longer term, and for no other purpose." He wanted constitutional controls on the maximum length of copyright monopoly; as in so many other aspects, it turns out he was right, as corporate copyright now extends indefinitely. (It currently is set to expire in the future, but corporations like Disney can be trusted to take up arms again to push for another extension when the date draws closer.) His thoughts on copying were summed up thus: "he who lights his taper at mine, receives light without darkening me."

Jefferson is big on the idea that the world belongs to the living. However, modern copyright extends seventy-five years past the death of the author; so even in cases where the author holds his own copyright, it's mostly not the author who is profiting. But in most cases, the copyrights are assigned to corporations, and the author receives a licensing fee or royalties. Note that most musicians are pleased with Napster; see in particular Courtney Love's comments on the record industry.

Given that reproducing intellectual property is so trivial to do in the digital age, and that most people don't have an ethical dilemma doing so ("they're all rich anyway"; "the money just goes to big evil corporations"), there is only the legal barrier to copying. And as libertarians, we know what the likely consequence is when a law is the only thing in someone's way; sit by any highway with a radar gun for an illustration.

Because of that and my inherent libertarian mistrust for laws, and that I think the anarchist situation outlined earlier can actually work for artists, I'm inclined to prefer that situation. But in the meantime, I do try to follow the law, and I avoid entering into any licensing agreement whose terms I do not accept. (I use a lot of Free and Open Source software as a result, though I am typing this in the adware version of Qualcomm Eudora on Windows NT.)

But the main points here are:

An exhaustive summary of the news coverage of Dmitry's case, both pro and con, can be found at Planet eBook.