Foundation for Information Policy Research
Response to the Patent Office consultation on implementing the European Union Copyright Directive
To maintain some semblance of balance in the UK copyright regime between rights holders and society, the following issues in the Patent Office's draft Statutory Instrument need to be resolved before it is laid before Parliament:
Competition policy: Anti-circumvention rights should be strictly limited to the enforcement of copyright, and not be usable against the manufacturers of compatible accessories for a system using access control mechanisms. Without this restriction, monopolies granted in copyright would be extended to trade, clashing with competition policy in a manner contrary to recital 57 and article 9. We suggest the word "primarily" should be inserted before "intended" in s.296ZD(1).
Interaction with other directives: As noted in recital 60 and article 9, implementation must be compatible with previous EU directives, and specifically the software and privacy directives. Recital 57 demands that rights-management systems must conform to directive 95/46/EC on the processing of personal data. The UK implementation should confirm that users have the right given by directive 95/46/EC to prevent the use of personally identifiable information by rights management systems.
Enforcement of fair dealing rights: Much of the reason for fair dealing rights is that the cost of negotiating a license for the non-commercial activities covered would be far higher than the value of the use. Forcing users whose fair dealing rights are infringed to write to the Secretary of State requesting that they be made enforceable is directly contrary to this intent; and would incidentally also generate much unnecessary work for the Secretary of State and her officials. This would not provide the effective remedy demanded by article 6.4.
Copyrights should be made unenforceable for materials protected by access control measures that do not permit fair dealing rights to be exercised (as is the case with patents illegally tied to other contracts). We have attached a note detailing how this could be achieved. At a minimum, wronged parties should be able to take action in court to enforce their rights without first obtaining a ruling from the Secretary of State. Without effective enforcement mechanisms, global software and hardware manufacturers and rightsholders are likely to ignore these rights. The first review of the Directive should add a more general anti-abuse provision.
Open source software: s.296ZC(1)(b) would prohibit `any device, product or component which has only a limited commercially significant purpose or use other than to circumvent'. This may cause problems for free software. The language of recital 48 specifically mentions `commercially significant purpose' but does not prevent member states making clear that open source software is also covered. Such software may not be sold commercially but is commercially significant in its benefits to its users and its effects on markets that might otherwise be monopolies. The regulations should make clear that software need not be sold commercially for its purpose to qualify as commercially significant. Indeed, by its conjunction with an exemption for security research (much of which is non-commercial), it clearly does not restrict a defence of significant non-infringing use to commercially significant activities.
It should also be made clear that circumvention of technical measures protecting file formats in order to ensure software compatibility is protected in the same manner as other reverse engineering activities protected by the software directive.
Security research exemption: A clear exemption for circumvention activities must be made for cryptography research, in accordance with recital 48 to the directive and as contained in the United States' Digital Millennium Copyright Act 1998. Sections 296ZB(1)(d), 296ZC(1)(b)(iv) and 296ZC(1)(c)(ii) and the "or otherwise than in the course of a business to such an extent as to affect prejudicially the copyright owner" clause in s.296ZB(2) are not mentioned in the directive and must be removed. The introduction of this further restriction would pose grave hazards for academic research and cannot be justified given the DTI's choice of implementation route. Article 6.2 of the directive mandates remedies against possession for a commercial purpose but provides no authority for HMG to provide remedies against possession for non-commercial purposes.
Prosecutions under s.296ZB should also require the consent of the Attorney General. The US experience of the abuse of the DMCA to harass security researchers such as Dmitri Sklyarov is not something we wish to repeat here. Yet the combination of aggressive content-industry lawyers and technically unsophisticated local police forces makes it an accident waiting to happen.
Without these protections, research within the UK vital to the protection of the country's critical infrastructure will be severely curtailed by the actual and perceived threat to computer scientists examining the strength of protective measures used in those systems. We have attached a further note on the nature of cryptographic research.
Accessibility for all: Disabled users must have the right to circumvent, and gain access to tools capable of circumventing, access control mechanisms that prevent the functioning of accessibility tools. This would constitute "all necessary measures" as required by recital 43.
Effective deposit requirement: Copyright materials must be presented to copyright deposit libraries without any access control mechanisms so that they may be effectively archived in any format chosen by the library, as required by recital 51 and article 9. Otherwise format changes, media deterioration and equipment obsolescence will render many of the materials deposited today unreadable within decades. Deposit libraries should not be forced to rely on general exemptions for fair dealing, especially if they are required to seek assistance from the Secretary of State to do so. Nor should they have to wait until materials are out of copyright to gain access to unprotected versions; by that time the copyright holder may have long been out of business, and the means to unprotect the content lost.
No online exemption: Part XXX s.8(a) exempts "copyright works made available by an on-demand service" and protected by effective technical measures from fair dealing rights. The proposed new definition of "on-demand service" in s.20(3) is very broad, and would seem to cover any item retrieved using the World Wide Web - the seeming opposite of the intent of the Patent Office. The introduction of systems like Palladium will make it likely that most copyright works will within ten years be supplied in a form that has an online delivery component. This exemption will effectively abandon the whole concept of fair dealing. It should be limited to the private reproduction right that Article 6.4 provides for. It is currently unacceptable.
Research in cryptography
Recital 48 of EUCD makes clear that the legal protection given to copyright enforcement mechanisms should respect proportionality and should not prohibit those devices or activities that have a commercially significant purpose or use other than to circumvent the technical protection. In particular, this protection should not hinder research into cryptography.
Cryptographic research nowadays encompasses much more than the theory of cryptologic mathematics. Most cryptographic mechanisms do not fail as a result of mathematical cryptanalysis but for engineering reasons connected with protocol design or the implementation in hardware and/or software. Although there are some aspects of cryptographic engineering that are by now relatively well understood, much more work is needed on many other aspects.
Recent research at Cambridge University has included attacks on a large number of cryptographic processors that exploit poor design of their application programming interfaces (APIs), and attacks on hardware security devices such as smartcards that involve inducing faulty operation using lasers or X-rays. This attack research leads naturally to the invention of defences or countermeasures, such as better API design and the use of fault-tolerant or failure-evident design techniques for security hardware and software.
Engineering research of this kind cannot be very productive unless it is targeted at real systems. `Toy' systems developed in the laboratory are inadequate as many of the novel and interesting failures arise from the interaction of components designed by people from different disciplines, or from the scale and complexity of real systems.
This leads naturally to the question of whether vulnerabilities should be publicly disclosed. The debate is an old one; in Victorian times, there were people who argued that publishing books on locksmithing would help burglars. This argument eventually failed; people realized that the rogues were generally better-informed on lockpicking techniques than the public, and that the benefits of public education greatly outweighed the harm. In 1883, the first treatise on cryptographic engineering (Kerckhoffs' "La Cryptographie Militaire") warned designers to assume that the design of their system would become quickly known to the enemy, so security must reside in the choice of the key. In recent years, there has been a similar debate about the security advantages of `open-source' software: if the source code for an operating system is publicly available, then it is easier for people to find and fix vulnerabilities. It is also easier for attackers to find vulnerabilities. However, Ross Anderson managed to prove a theorem earlier this year that the defenders are helped as much as the attackers, under standard reliability model assumptions. At the practical level, many organisations (including the US Department of Defence) are starting to favour open-source software for security reasons, despite fierce lobbying from firms like Microsoft.
There remains a practical issue of how vulnerabilities should be disclosed. At one extreme, there are vendors who would prefer that vulnerabilities in their products be disclosed only to them. However, experience shows that such arrangements are likely to be abused; the vendor will often keep knowledge of the vulnerability secret and do nothing to fix it. At the other extreme, some researchers simply publish newly-discovered vulnerabilities at once on mailing lists such as bugtraq, in the belief that only rapid public disclosure will keep vendors honest and force them to issue fixes quickly. Many researchers prefer a slightly less confrontational approach, and will generally give a vendor 30 or 60 days' notice of impending publication so that fixes can be produced, tested properly, and shipped before publication.
There is a concern that if vendors can use the new regulations to bully security researchers, then such sensible arrangements will collapse: they will not wish to give a vendor advance warning of a vulnerability if his response may be to send threatening legal letters to their employers. They will be more likely to take a hard line and send a vulnerability report straight to bugtraq.
Protecting Fair Use
A further note on the implementation in the UK of the European Union Copyright Directive
Directive 2001/29/EC of the European Parliament and of the Council of 22nd May 2001 on the Harmonisation of Certain Aspects of Copyright and Related Rights in the Information Society ("the Directive") makes a number of significant references to exceptions to and limitations on the rights of copyright owners. These exceptions and limitations, referred to in this note as conferring rights of fair use, are an important part of the statutory bargain reflected in the grant of copyright. That grant is designed to stimulate the production of the literary, artistic and other works it covers by protecting their creators from unfair exploitation of their work; but it is a limited grant, designed to ensure a fair share of the benefit of that work for the public.
The use by copyright owners or their licensees of technical devices to prevent infringement of their rights, where it has the effect of impeding the exercise of rights of fair use, and especially where circumvention of those devices is itself rendered unlawful by statute, operates to alter the statutory bargain to the detriment of the public. The law should not allow technical devices to be used to alter the statutory bargain in this way, especially where the devices are themselves statutorily protected. It amounts to an abuse of the statutory scheme of copyright, and the appropriate response is to withdraw from abusers the benefit of the scheme itself. There is legislative precedent for this approach, which is indeed consistent with such equitable maxims of the common law as that he who seeks equity must do equity, and that he who comes to equity must come with clean hands.
Fair use under the Directive
The following paragraphs of the preamble to the Directive are relevant:
The rights of fair use themselves are set out in Article 5 of the Directive, and are not repeated here. It should be noted that some of the rights are subject to the proviso that the rightholders should receive fair compensation, but many are not.
Many works are nowadays created or distributed in digital form, both for the convenience of their creators or distributors, and for the benefit of those by whom they are intended to be enjoyed. Some works, such as computer software, cannot usually be distributed usefully in any other form. One incidental consequence is that such works can be copied perfectly, without degradation in quality, and that the potential damage caused by infringement is greater than in the case of works not in digital form.
Technical methods of impeding copying have been introduced in order to supplement the rightholders' legal protection with technical protection. Such methods are unlikely to make copying impossible: a work which can be displayed on a screen can be photographed, and a work which can be played through a loudspeaker can be recorded by an audio device. But the need to adopt cumbersome techniques of this kind makes the effective exercise of fair use rights difficult (and for the disabled perhaps impossible), and as a result arrogates to rightholders an unfair proportion of the benefit of the works in question.
The Directive deals with the possible conflict between fair use and copy protection in Article 6, of which the following is an extract:
The critical question is how the UK intends to comply with its obligation, and to exercise its right, to ensure that the benefit of fair use is available. The DTI consultation says, "it is proposed to give an administrative power to the Secretary of State to act in this area, as and when required."
That proposal would be implemented by empowering the Secretary of State to act on a complaint against a copyright owner or licensee by giving directions which oblige the addressee of the directions to give effect to fair use rights; and by empowering the complainant to sue the copyright owner or licensee to enforce the direction by way of an action for breach of statutory duty.
This approach is not in itself objectionable, but it is calculated to allow rightholders to sit back and wait for complaints; and it seems more than likely that the burden of making a complaint and enforcing it will deter all but perhaps substantial institutions from enforcing their rights. There is a serious risk that where fair use consists of a very large number of comparatively minor uses, it will simply be extinguished.
What is needed is a sanction which is, to quote Article 8 of the Directive, effective, proportionate and dissuasive. It should provide a real incentive to rights holders to take the initiative to ensure that fair use is protected.
A legislative precedent
The problem of abuse of statutory monopolies is not new. A typical example is found in relation to patents, where the inventor of a manufacturing process might grant a licence to a manufacturer, but might try to take the opportunity of imposing a condition compelling the manufacturer to buy all his raw materials from the owner of the patent. That was seen as an illegitimate attempt to extend the statutory patent monopoly from the process to cover unpatented raw materials.
It is dealt with by section 44 of the Patents Act 1977. Subsection 44(1) makes a licence term of this kind void. But that was well understood by Parliament as being inadequate by itself to deter attempts to extend the monopoly.
Subsection 44(3) goes further by providing as follows:
The effect is to render a patent generally unenforceable at any time when an illegal clause is in operation relating to it between the patent owner and anyone else (whether that is the alleged infringer or someone quite unconnected).
The policy is to discourage tying clauses by making them blight the patent.
This would be a powerful approach to copy prevention mechanisms which failed to preserve users' ability to take advantage of the right to make non-infringing copies: if the release of copies incorporating such mechanisms by or with the consent of the copyright owner had the effect that no action could be taken against any infringers anywhere, much more carefully targeted mechanisms would be deployed, or rightholders would ensure that schemes were in place for enabling fair use rights to be exercised conveniently.
It is the purpose of this note to suggest that a more vigorous approach of this kind is both within the scope of what is contemplated by the Directive for the protection of rights of fair use and is necessary to maintain the proper balance of the statutory bargain reflected by the law of copyright.