
The Politics of Hacking

From the document: Andrew “bunnie” Huang, Hacking the Xbox (pages 25-29)

The introduction of the Digital Millennium Copyright Act (DMCA) in 1998 took cryptography out of the hacker’s domain — the law now spells out that only researchers “engaged in a legitimate course of study, is employed or is appropriately trained or experienced”5 are allowed to investigate cryptographic methods for protecting access rights to works.

As a result, Xbox hacking has been a politically charged topic. It is a battle between hackers and lawmakers to keep cryptography within the legal rights of hackers.

Microsoft’s laudable reaction to Xbox hackers — that is, no persecution or attempt so far to shut down Xbox hacking projects — will hopefully serve as a role model to others thinking about using the DMCA to stop hacking activities. Despite all of the Xbox hacks out there, Microsoft still enjoys robust sales of games. All of the interest and buzz generated by Xbox hacking may have increased Microsoft’s sales more than piracy has hurt them. (Of course, I am sympathetic with the hackers, so my interpretation of the situation is biased. A more subjective and informed legal analysis of reverse engineering can be found in Chapter 12, “Caveat Hacker,” by Lee Tien of the Electronic Frontier Foundation.)

The most alarming aspect of the DMCA for hackers is that it embodies the fallacy that the only sources of innovation of benefit to society lie within the halls of research institutions and corporations. Suddenly, it is a crime to explore, in the comfort of your own home in pursuit of your hobby, the cryptographic methods used to secure access rights. Restricting the research of such technology to only established institutions disallows the possibility of technology development by unaffiliated individuals. Without the freedom to research and develop technology in their own garage, where would the likes of Bill Hewlett and Dave Packard, or Steve Jobs and Steve Wozniak be today? Would we have Linux and NetBSD if the right of hackers to express themselves freely in code was regulated?

For every copyright protection scheme that is defeated by a hacker, there is someone who learned an important lesson about how to make a better protection scheme. To pass laws that regulate the research of technological measures that protect copyrights and the dissemination of such results is to concede that copyright technology is broken and can never be improved — that the only possible outcome of allowing common people to understand copyright control technology is the demise of the technology. I offer a counter to that mindset: some of the best peer review that I received on my Xbox hacking work did not come from the academic community. It came from individual hackers around the world — especially in foreign countries — who have been free to explore and understand access control technologies. The stricter laws in the U.S. and the litigious nature of corporations have already negatively affected the U.S.’s standing in electronic security, and this is just the beginning.

5 17 U.S.C § 1201(g)(3), Factors in determining exemption. Of course, the meaning of “appropriately trained or experienced” is not defined. I think that the best training for applied cryptography research should involve some practical hands-on experience hacking real cryptosystems.

The societal impact of the DMCA is being felt by hacker communities around the world. During the course of my work on the Xbox, I had the good fortune of meeting brilliant hackers across the globe. Hackers in America were some of the most fearful of the group, and even though they were talented engineers, they were loath to apply their skills to such problems for fear of persecution. The result is that some of the most interesting results in Xbox hacking are garnered by European and Asian hacker communities. Significantly, these results are not well known in America, as these hackers have little motivation to make the effort to share their findings with Americans. In fact, many foreign hackers make a conscious effort to keep their findings from leaving their communities, for reasons including a fear of retribution by American corporations. This “brain drain” does little to strengthen America’s competency in a technology as important as fair and effective digital copyright control. And in today’s global economy, American corporations cannot survive by pretending to do business in a vacuum.

One may point to the successful publication of my paper on the Xbox security system as an example of how the DMCA works to protect both free speech rights as well as economic interests in copyright control technology.

My situation was not typical for most hackers in the US. Since I was a graduate student at the time, I had no family to worry about or significant assets to lose if I were to get involved in a lawsuit over my work. I also had the generous legal assistance of the Electronic Frontier Foundation (EFF) to help guide me through the legal minefield. The EFF helped position my paper in the most legal light possible, informing me of my rights and obligations under the DMCA.

For example, I am required to “make a good faith effort to obtain authorization [from Microsoft] before the circumvention.” 6 (Note that authorization is not required, but the good faith effort is.) The EFF helped me draft such a letter for research. I also had to fight MIT to allow my research to be published as an affiliated entity. All of the direct effort of reverse engineering the Xbox security was funded out of my own pocket, conducted in my apartment, and done after-hours on my own time. MIT initially took advantage of this fact to separate themselves from my work, forcing me to seek out the counsel of the EFF. MIT finally capitulated and allowed me to publish my paper as a student of MIT after much cajoling by sympathetic professors and after I had received a constructive, non-threatening letter from Microsoft about my research.

Freedom of speech should not require a lawyer, and free thought should not involve letters of authorization for research. I fought to publish my paper because I had nothing to lose, and because I believed in making a statement about my rights as a hacker. Unfortunately, there is a silent majority of hackers out there who have families to feed and jobs to lose, and not everyone can be so fortunate as to have the EFF helping them out.

6 17 U.S.C. § 1201(g)(2), Permissible acts of encryption research

This book you are reading is yet another example of how the DMCA has a chilling effect on free speech. Originally commissioned by the technical publisher, John Wiley & Sons, Ltd., this book was cancelled in the last hour over fears of lawsuits and backlash from Microsoft. Such censorship is frustrating and discouraging, and perhaps some authors would have stopped there and allowed their voice to be silenced by fear. I am taking the legal and financial risk of self-publishing this book to make a statement about my right to free and unimpeded speech as a hacker. Even this path is not free of impediments, however. The book pre-order process was suspended on its second day because the original e-commerce provider, Americart, “declined to offer [me] cart service for selling hacker materials . . . $15 per month doesn’t pay for us to take the risk of being named in a DMCA suit.”

I must emphasize that this book does not infringe on Microsoft’s copyrights, and the knowledge presented in this book cannot be directly applied to copyright circumvention. To perform an infringing act, one would have to hone their skills and apply a substantial amount of additional art and know-how aimed specifically at copyright control circumvention. To claim that this book is a circumvention tool would be tantamount to claiming that all books about circuit boards, embedded software or cryptography are also circumvention tools.

The scope of the DMCA with respect to the “fair use” of hardware is another important political topic with enormous economic repercussions. Is it illegal to modify or circumvent a cryptographically secured boot sequence for the purpose of running alternate, legitimately purchased or created, software? This question may be decided in part by the fate of Xbox hackers.

A strict interpretation of the reverse engineering exemption of the DMCA7 reveals strong arguments for making such acts of circumvention illegal.

In particular, reverse engineering is only allowed for interoperability, where interoperability means “the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.” But this definition contains two potential land mines: First, circumventing hardware-based security measures is arguably different from circumventing a program’s (software) security measures. It may not be a very strong argument technically, but the clause has yet to be legally tested, to the best of my knowledge.

Second, the purpose is not really to exchange information with the hardware security measures — it is to bypass them.

The final argument against allowing the reverse engineering of the hardware security mechanisms is incidental copyright circumvention. The information gained through the process of reverse engineering can be applied equally to create copyright circumvention devices. In other words, the basic research that enables interoperability, at least in the case of the Xbox, may also be applied indirectly to those wishing to construct circumvention devices. As it turns out, some very specific design flaws in the Xbox enable boot security circumvention without necessarily enabling copyright circumvention, though these flaws may be patched in the near future, bringing us face to face with our original question.

7 17 U.S.C § 1201(f), Reverse Engineering

There are significant economic implications if it turns out that “fair use” does not cover the reverse engineering of Xbox security for the purpose of running alternate applications. The most significant implication is that Microsoft can sell legally restricted hardware to end users, locking users into their software base. This can be used to create an unbreakable monopoly over computer hardware and software. For example, Microsoft could offer subsidies to vendors that elect to secure their hardware to run Microsoft’s operating system. This financial incentive will be transferred to customers, who will be motivated to buy the discounted hardware. Once a significant portion of the installed base of hardware is locked into Microsoft’s operating systems, Microsoft can set prices for their products in a competition-free market, since it would be illegal for anyone to run any other operating system on locked hardware.

In reality, this scenario might be difficult for Microsoft to execute even if the DMCA did restrict the fair use of hardware, since government and civic bodies are closely monitoring Microsoft’s activities for monopolistic behavior. However, in other emerging markets, such as smart cell phones, PDAs and set-top boxes, it may not be unrealistic for a vendor to try to gain an edge over the competition through such low-ball tactics.

The author at his workstation.

At least, such tactics can be used to stall competition for the duration of the court proceedings, which may be long enough to cause irreparable harm to the competition’s market position. It is because of these concerns that many Xbox hackers have been consciously acting to express their political beliefs through their engineering efforts.
