ARCHIVED — Information Mechanics Ottawa, Inc.

COPYRIGHT REFORM PROCESS

SUBMISSIONS RECEIVED REGARDING THE CONSULTATION PAPERS

---

Documents received have been posted in the official language in which they were submitted. All are posted as received by the departments, however all address information has been removed.

---

Submission from Information Mechanics Ottawa, Inc. received on September 16, 2001 via e-mail

Subject: Comments on Copyright Consultation Paper

Esteemed Colleagues:

Attached you will find my response to the "Consultation Paper on Digital Copyright Issues."

For the most part, the value of this specific contribution is that I am intimately familar with the art of the possible in technology relating to digital copyright, and have tried to reflect this knowledge constructively in the comments.

I hope that you find this to be a useful contribution to the policy discussion, and would be glad to contribute further if appropriate.

Regards,
Gord Larose,
President, Information Mechanics Ottawa Inc.

PDF Version

Response to "Consultation Paper on Digital Copyright Issues"

Contents


Introduction 2
The Sea Change: To Have is not to Use 3
A Vision: Canadian Content Utopia 4
General Position Statements 6
Position Statements Relating to Technology 7
Lessons from the DMCA 9
Conclusions & Recommendations 11
References 13


Introduction
This document is a response to the "Consultation Paper on Digital Copyright Issues", dated June 22, 2001, as issued by the Intellectual Property Policy Directorate, Industry Canada, and the Copyright Policy Branch, Heritage Canada. It has been prepared and submitted in electronic form according to the procedures specified in the Consultation Paper, specifically Chapter 5 thereof.
The author, Gord Larose, is a recognized expert on Digital Rights Management technology, which is very pertinent to the discussion at hand. Mr. Larose has several patents issued or pending in the field and was the primary technology architect at NetActive, a Canadian Digital Rights Management company spun out of Nortel Networks. As a result, the author brings a special insight to the discussion based on knowledge of telecommunications and Internet technology in general, and on the art of the possible in Digital Rights Management in particular. Opinions are also offered, where felt important, as an ordinary Canadian citizen.
I welcome the opportunity to contribute to the discussion, and applaud both the timing and the consultative approach demonstrated by this process. Many countries have already established legal frameworks that attempt to address these issues. The issues are very complex, and it is wise to learn from the experience in other jurisdictions in order to craft the best Canadian law possible.
Not all of the comments are necessarily addressable by copyright legislation. I have included them regardless, since they are all relevant to the larger policy framework at hand.
In summary, I believe that the approaches set forth in the consultation paper, built upon in consideration of the contributions of relevant experts, and in conjunction with appropriate technology, will contribute to a copyright framework which promotes appropriate Canadian public policy objectives



The Sea Change: To Have is not to Use

Throughout most of human history, to HAVE something - from a spear to music CD - was to able to USE it. This is reflected as recently as the WIPO treaty, where article 8 refers to "..making available... in such a way that member of the public may access these works from a place and at a time individually chosen by them." (Emphasis mine.) Thus, to the extent that technology has been applied to copyright, it has been in the realm of access protection and "copy protection". The premise is that, since possession is equivalent to use, you must control the simple possession of goods - and in the case of digital goods, this is accomplished by preventing uncontrolled copying.
This does not work any more. As Nicholas Negroponte observed, when you are dealing in bits rather than atoms, everything changes (See Reference 1). For things made of atoms, copying is hard. For things made of bits, copying is easy.
This ease of copying, together with the rise of the public Internet and Personal Computers, have created a world in which the depth and breadth of content accessible to most Canadians is beyond the wildest dreams of Canadians of a generation ago. Virtually any item of media that you can think of -at least in the realm of popular entertainment - is already "out there" on the Net, just waiting to be downloaded and enjoyed.
Unfortunately, making digital copies is more than easy- it is, to all intents and purposes, unstoppable. Given this, and the current state of technology, most Internet-based distribution goes on without the knowledge or consent of the copyright holders, if any, on the works in question - and with no economic benefit to them either.
The explosive popularity of Napster brought this squarely to the attention of the entertainment industry in 1999. As this is written two years later, although Napster has been legally brought to heel, the issues it raises are still largely unresolved. In particular, similar services which are much harder to stop legally have sprung up in vast numbers.
But not all is lost - for the same technology that makes content copying so easy, is also inherently involved in the USE of that content, and it can be enhanced to both foster and control that use. To take a simple example, if I possess a computer file of a movie that is strongly encrypted, then copying that file is straightforward - but does not provide use of the movie, and should not itself give rise to copyright concerns. I may have the movie, but in order to use it, I need a decryption key supplied as part of a usage transaction.
The art and science of applying technology for such purposes constitutes the field of Digital Rights Management.
This sea change, and the inevitable role of technology in it, must be reflected in evolving copyright law. Policy and law alone are insufficient to protect copyright in the Internet era. Suitable technology, consistent with that law and policy, is a key part of the strategy and should be fostered as a matter of policy.

A Vision: Canadian Content Utopia
When considering a problem, it is often useful to put aside, for a moment, the practical limits of policy, technology, business, and so on, and ask what the solution to that problem would be like in a perfect world.
Here is a vision of such a world.
· Every Canadian has the opportunity for substantially unlimited access to the Internet, with sufficient bandwidth that any type of content, including video, can easily be obtained.
· Finding, obtaining, and getting usage rights for content - especially Canadian content - is extremely easy for all.
· Being a provider of copyrighted content for digital distribution - and being fairly compensated for it - is also very easy.
· Updated copyright laws in tune with digital distribution are simple, fair, widely understood, and widely respected.
· Technological protections for content are completely in alignment with notions of fair use as per that copyright law.
· People are encouraged to freely copy digital content, because it increases the potential consumer base, and copyright is automatically enforced as appropriate when consumers use the content.
· Digital distribution channels that respect copyright are successful on-line businesses, because they are more attractive to consumers than channels that do not. For this to be true, such channels must combine good value in service offerings with appropriate technological protections for their content.
· The technology is constantly improving both in terms of content protection and user value, because there is a healthy content security industry engaged in ongoing research.
· All digitally distributed content is "copyright-aware" and behaves appropriately in the circumstances of its use. An illustrative sequence of such logic is as follows:
o Public domain content makes itself usable unconditionally.
o Copyrighted digital content invokes a series of tamper-proof steps to determine how - and whether- to render itself usable. Notably, while content is copyright-aware, it does not generally have explicit rule data built-in, but rather "meta-data" by which any system capable of rendering that content may obtain rules and rights over a network such as the Internet. Typical steps in such a process include:
§ Is this content unconditionally usable by virtue of the user possessing it in the particular form at hand (e.g. a CD-ROM)? If so, render usable. Otherwise...
§ Is there a locally verifiable right of usage for this content, such as a license on a hard-drive? If so, render usable. Otherwise... .
§ Determine the "rights root" for this content - that is, where the user (or a software agent) could initiate the process of acquiring rights. Typically this will be an Internet site. Determine whether the user, or a designated agent, wishes to visit the rights root. If not, stop, if so, proceed with rights acquisition according to Rights Root Logic:
§ Gather information according to the policy of the Rights Root e.g. user information, content information, user device information, geographical information, current business information relating to the specific content, etc.
§ Determine which offers for use of the content, if any, are to be made available in light of the above information. Note that this determination uses all available information and may, for example,
decide that a librarian could use content that a member of the public, other things being equal, could not. If no offers are available, stop. Otherwise...
§ Present these offers and let the user or his agent choose one if desired and complete any associated (e.g. monetary) transactions. If no option is accepted, stop. Otherwise... .
§ Update records appropriately according to the usage rights acquired, and render the content usable.

In such a world, pirates will still exist, but they will be marginalized. Most people, most of the time, just won't deal much with the unsavory, unreliable, shifting, "underground" Internet. Honesty aside, the inconvenience of doing so will not be worth the small amount of money saved for most consumers.
As for content providers, in such a world, the barrier to entry for online distribution - and profit, if that is the motive - is low. This means that an independent Canadian artist in James Bay can have an Internet presence that truly brings her talent to the world, with subsequent success rightly depending on the merits of the artist's work.
Not all of this is attainable by means currently known to the author. But much of it is, and such a world is desirable for consumers, producers, and policy makers alike!


General Position Statements


These comments are offered from the perspective of an ordinary Canadian citizen and are unrelated to expertise in copyright-related technology.
1. Copyright law is an appropriate vehicle in this context because the challenge at hand is primarily with regard to mass-market content distributed over the Internet. This challenge could conceivably also be addressed by contract law, which might better accommodate, say, variations in copyright-related behavior implicit in various technologies. However from the point of view of an on-line consumer, the reality is that contracts are "click-through" nuisances to which no attention is paid. The consumer rightfully expects some uniformity of behavior such as he or she has come to expect from experience with copyrighted material in the past, and uniform copyright laws are appropriate in order to ensure that.
2. Since copying of digital media is now separable from use of that media, we feel that copyright legislation needs to be fundamentally realigned to USAGE right legislation.
3. Existing business models should neither be disadvantaged, nor entrenched, by either this law, or by any associated de facto technology.
4. The government should not be in the position of prescribing (or proscribing) specific technological measures to protect copyright. At the same time, the government should encourage the development and application of appropriate technology - and define limits which may apply to that technology as appropriate, in aspects such as personal privacy. (These may be outside the scope of copyright legislation per se, but must be considered as part of the same overall exercise at the policy level.)
5. Technological measures to protect copyright ARE necessary and possible. Legal means alone are totally insufficient in the age of the Internet.
6. Service providers with no substantive role in the selection, aggregation, or distribution of content, should not be liable (for royalties or otherwise) with respect to copyrighted material maintained on their networks. To the best of the author's understanding, the SODRAC proposals as per (http://www.cb-cda.gc.ca/propsed-e.html ) do exactly that and are, to that extent, misguided.
7. A simple allegation of wrong doing by a content owner - unsubstantiated by, say, technological verification or a court of law - should not result in a service provider unilaterally shutting down a subscriber's services.
8. The borderless, multinational, and potentially anonymous nature of the Internet is highly problematical from a legal perspective, but it cannot be ignored. It is necessary to craft laws and policies which protect Canadian interests as and when Canadian (and relevant international) laws can be brought to bear, but which are realistic about the amount of control available over the Internet at large.

Position Statements Relating to Technology

1. No particular technology applicable to the challenges of digital copyright should be either proscribed or prescribed by copyright law or policy.
2. Security research is an essential and beneficial activity for corporations as well as governments and academia. If security research is adversely affected by copyright legislation (see the section relating to the DMCA below,) then security technology in general, and copyright-related technology in particular, will be poorer quality as a result. History makes this clear.

For example, the Content Scrambling System (CSS) technology used to protect DVD movie content, was designed in secret for fear that knowledge of how it worked might lead to cracks of the technology. Indeed, the current author tried to find out, while it was being established, how the CSS system worked, and discovered that there was a closed committee with a large membership fee defining it. This backfired - the design was flawed, but the closed community involved did not adequately recognize or address the flaws. Open discussion with the security community would have resulted in a much better design. In any event, the rest is history - a Scandinavian teenager figured out how to get around the system and the resulting "circumvention device" - the DeCSS software program - is on millions of PCs around the world, and cannot be taken back.

Worse still, the program will be able to crack DVDs for the foreseeable future, because the DVD format is constrained by fixed-function, Consumer Electronic players, and cannot be changed in a way which defeats DeCSS while still working with those players.

In a related case, the Secure Digital Music Initiative organization in the United States also had flawed technology proposals for content protection - in their case, for protection of digital music. But they took the step of subjecting their technology to public scrutiny before releasing it. Though the SDMI created considerable controversy with their subsequent handling of the resulting research, the net result is good: the ineffective technology has not been deployed.
3. The specific provisions for "fair use" of copyrighted content, as entrenched in both American and Canadian law in various forms, are extremely difficult to fairly enforce with technological measures. And yet there is enormous pressure for technological protections, which will cripple fair use if left unchallenged.

For example, making a duplicate of a legitimately purchased music CD on my personal computer so that I can listen to that same CD in my car as well as on my home stereo system, is arguably "fair use". But making a copy for a friend probably isn't, and making a copy to sell certainly isn't. Unfortunately, these are issues of human intent - and until my PC can read my mind, the software on it can only either make a copy, or refuse to make a copy.

There is a real danger that owners of copyrighted content will pressure technology providers to simply prevent copying, period - not so much because they don't want fair use to be possible, but because they don't know how to make technology which allows fair use while preventing piracy. Indeed, the same can be said of nations, as the United States uses free trade negotiations as a vehicle for exporting their own aggressive stance on copyright-related technology.

We must not settle simply for what technology can do today, but neither can we inflexibly maintain legacy copyright provisions that cannot practically be implemented. Both the law and the technology will need to evolve for some time before they are substantially aligned in a way that both consumers and copyright owners can live with.
4. Transient intermediate forms of content such as those found in caches should NOT be considered "copies" in the sense that term is used in copyright law. They are artifacts of engineering implementations. Encumbering them with such legal baggage is conceptually wrong, and would substantially impede the flow of engineering innovation, such as Content Delivery networking, which is bringing better experiences to Internet users everywhere.
5. As consumer electronic devices such as digital television set-top boxes have become more sophisticated, many of them have acquired the ability to change their behavior over time, after they are purchased and in use by consumers. This has dangerous implications for copyright-related functionality and, if not constrained carefully either by industry restraint or legislation, could lead to confusion and consumer backlash.

In one famous incident, a manufacturer of Personal Video Recorders changed the behavior of a particular button, by remote control, from "skip the current recorded commercial" to "play a prerecorded commercial." Buyers of the device were outraged and the change was reversed after protests.

But suppose instead that the content-protection behavior was changed to appease a particular content provider. There are already, on the drawing boards, high-definition TV (HDTV) set-top boxes, which can have their high-definition outputs disabled by remote control. The intent is to appease content owners... but if such capability were ever used, consumers would justifiably revolt.
In light of these pressures, an enlightened copyright policy framework would set some bounds on the after-sale modification of behavior of consumer electronic equipment.


Lessons from the DMCA

The Digital Millennium Copyright Act in the United States has caused enormous controversy. Much of this controversy relates to free speech and the American constitution, which does not necessarily apply to Canada. The DMCA can be learned from, but it is not a good model for corresponding Canadian legislation.
The DMCA as it stands arguably results in the deployment of systems which are LESS secure, not more so. It does so by stifling legitimate security research of the sort that leads to better Digital Rights Management technology, without materially slowing down the work of "hackers" who seek to defeat content protection technology.
To paraphrase the gun activist community: "If you outlaw reverse engineering, only outlaws will be reverse engineers."
Copyright laws do not stop outlaw hackers, and history shows that legal measures applied against hackers of content protection schemes are "closing the barn door after the cows are out". That is, the knowledge of how to compromise a protection system cannot be stopped from spreading, even if you successfully prosecute the originator. And to make matters worse, many "circumvention devices" are pure software - which makes Internet-based distribution of the device virtually unstoppable.

Thus, laws against reverse engineering and the circumvention of copyright protection technology do not have the desired chilling effect on the hacking community.
On the other hand, there is clear evidence that such laws do have a chilling effect on the security research community and, sometimes, on ordinary citizens. Relevant incidents triggered by the DMCA in the United States include:
· The entrapment and threatened arrest of a Web designer who simply pointed out in good faith to a client that he had accidentally found a security weakness in the configuration of their Web publishing system.
· The arrest of a Russian citizen immediately after he presented a paper at an American conference on security weaknesses of commercial electronic publishing packages.
· The intimidation of an academic who had performed security research on music protection technology, causing him to cancel a scheduled presentation at a research conference.
There is a legitimate field of security research, and it includes commercial participants as well as government and academic ones. The DMCA is simply not realistic about how that research is - and must be - carried out. Specifically, while it contains exemption clauses for research, those clauses are too narrow, and put legitimate researchers and others at risk of prosecution as per the above examples.

Even the title ("Encryption Research") of the relevant Section G is excessively narrow. Encryption is but one aspect of security, and security is related to, but not the same as, copyright enforcement. Further, the restrictions on "permissible acts of encryption research" such as in section 2 g, requiring ' A good faith effort to obtain authorization before the circumvention" defy common sense and commercial realities. What would anyone have to gain by granting someone else permission to attack their protection technology?

Suppose, for example, two companies make similar Digital Rights Management products. It is perfectly reasonable - and indeed, standard practice, whether acknowledged or not - for one company to examine the security of the other company's products as a matter of competitive research. In this case neither company could reasonably expect to make, or have granted, " A good faith effort to obtain authorization before the circumvention", as would be required to comply with the exemption provisions of the DMCA. Indeed, even if the researcher seeking permission were a civil servant or an academic, it is hard to see why anyone asked would grant such permission. There is more to be lost than to be gained. If an attacker doesn't break a product's security, the producing company is no further ahead. If he does break it, the company faces a potential major embarrassment or worse.

In practice, therefore, the DMCA leaves security researchers with two unacceptable alternatives: either don't perform diligent security research, or do it in the knowledge that you risk criminal prosecution by doing so. In the long run, this give the "bad guys" a systemic advantage which will make circumvention devices, and the associated theft of copyrighted material, more common, not less so.
Prohibiting security knowledge this way is inappropriate for Canada. As a matter of policy, it is appropriate to:
· Foster the responsible creation, sharing, improvement, and application of security expertise.
· Foster the development of an overall Internet-enabled content ecosystem which thrives even when (as is inevitable) some people possess the knowledge to defeat the content protection measures in that system.
· Resist the imposition of international policy regimes on Canada which substantially commit it to the DMCA model or worse. For example, the proposed "Free Trade Area of the Americas" treaty contains language which, at the end of the day, amounts to extra-territorial imposition of the DMCA. Canada must be free to foster its own policy in this arena.



Conclusions & Recommendations

There is a war on between controlled content and uncontrolled content on the Internet, and currently, uncontrolled content is the clear winner. Therefore, at the policy level, it is necessary to both implement legislation and foster technology, that assists in the enforcement of copyrights.
This is necessary, but not sufficient. Such technology must also come into widespread use. The author has seen many Internet media systems which purportedly meet a content owner's expectations, but which utterly fail to meet consumer expectations. Such systems inevitably fail in the marketplace. The mere existence of a "legitimate" content channel does not drive people away from illegitimate channels. The legitimate channel must be perceived as better, in the face of a material disadvantage - namely, that the legitimate channels usually costs money and the illegitimate channels usually don't.

For legitimate, copyright-respecting channels to thrive, they must be based on policy, technology, and business models, which give all citizens both the opportunity and the incentive to use them.

I recommend:

1. Recognition of the rights of the copyright holder across all media without requiring (but without eliminating the possibility of) separate agreements for specific digital media types and without mandatory licensing.
2. Policy that does not confuse simple possession of digital content with the intent or ability to use it.
3. Policy that fosters technology which not only protects the rights of copyright holders, but does so in such as way that the technology comes into widespread use. Ion this arena, you can't force people to be honest. You have to entice them into it with better experiences.
4. A distinction, for the purposes of copyright law, between service providers who are specifically in the content distribution business and those who are not.
5. Law which recognizes the role of security research for commercial as well as academic and government purposes. The fact is that the public interest is indeed served if there are a small number of experts trying to break security technologies. This can weed out weak technologies and improve those that remain.

However, there are boundaries on what kind of information sharing is appropriate among such researchers, and between such researchers and the public. It is proposed, therefore, that there be some specific recognition of security research and researchers; colloquially, a "cracker's guild". Members of this research community would have an associated code of ethics to help ensure that their research was applied in ways that, on balance, contributed to the improvement of technology much more than they contributed to the theft of digital content.


The exact rules by which such a community would operate are not obvious. The author would be pleased to contribute further to this idea, or indeed to discuss any of these issues further, in order to contribute to the best Canadian copyright framework possible.




References

1. "Being Digital" by Nicholas Negroponte, Vintage Books, 1995
2. "Life After Television" by George Gilder. Norton& Co., 1994.
3. "Applied Cryptography, 2nd Edition", Bruce Schneier, Wiley & Sons 1996
4. "Secrets & Lies: Digital Security in a Networked World", Bruce Schneier, Wiley & Sons, 2000.
5. The Digital Millennium Copyright Act: http://www.eff.org/IP/DMCA/hr2281_dmca_law_19981020_pl105-304.html
6. The proposed "Free Trade Area of the Americas" legislation: http://www.ftaa-alca.org/ftaadraft/eng/draft_e.doc [MS-Word]