311APPENDIX GThe Digital Millennium Copyright Actof 1998 and Circumvention ofTechnological Protection MeasuresINTRODUCTIONThe World Intellectual Property Organization (WIPO) treaty seeks toharmonize different countries’ treatment of the ownership and protectionof intellectual property, in order to enable the growth of global commercein information goods and services. The Digital Millennium CopyrightAct of 1998 (DMCA)1 is the implementation of the WIPO treaty by theU.S. Congress.As articulated in Chapter 6, many members of the committee believethat the DMCA, although well intentioned and well written in manyrespects, has some significant flaws with respect to its handling of techni-cal protection mechanisms and circumvention. This appendix, endorsedby those committee members, describes those flaws and suggests ways inwhich the law’s approach to circumvention could be improved.Simply put, the DMCA makes it illegal, except in certain narrowlydefined circumstances, to circumvent an “effective technical protectionmeasure” used to protect a work. The DMCA seemingly makes it illegal(again, except in certain narrowly defined circumstances) to distributesoftware or other tools used in an act of circumvention, even if this par-ticular act of circumvention is covered by one of the exceptions and, hence,is legal.1Public Law 105-304. Relevant excerpts are found in the addendum to this appendix; thefull text is available online at <http://frwebgate.access.gpo.gov/cgi-in/getdoc.cgi?dbname=105_cong_public_laws&docid=f:publ304.105>.Copyright © National Academy of Sciences. All rights reserved.The Digital Dilemma: Intellectual Property in the Information Age http://www.nap.edu/catalog/9601.html312 APPENDIX GGiven that it is already illegal to infringe copyright, why did the U.S.Congress, in writing the DMCA, feel it necessary to criminalize “circum-vention”?It is a fundamental premise of the DMCA that, for the foreseeablefuture, the digital-content distribution business will be an important andgrowing part of the U.S. economy and that technological protection mea-sures will be needed for the success of that business. The DMCA’santicircumvention provisions respond to the (presumed) economic im-portance of these developments by giving content owners a propertyright over the technological protection mechanisms they deploy, in addi-tion to their existing rights over the content that these mechanisms protect.In the physical world, the theft of a tangible object is roughly analogous tocopyright infringement; “breaking and entering” the room in which thatobject is stored is roughly analogous to circumvention. In the words ofCallas et al. (1999), it is reasonable to assume that Congress’s goal was“[t]o make it a more serious crime to infringe a work that the owner hasactively tried to protect than to infringe one that the owner merely statedownership of.” Interpreted as an incentive for copyright owners to pro-tect their own property, rather than to rely solely on the police and thecourts, this is a perfectly understandable goal.Unfortunately, it is far from clear that the DMCA’s anticircumventionprovisions will have primarily positive effects on content distributors andother interested parties. One problem is that circumvention is a bread-and-butter work practice in the cryptology and security research anddevelopment (R&D) community, yet this is precisely the technical commu-nity that content distributors are relying on to make effective technologicalprotection measures. If this community is hindered in its ability to developgood products, is it wise to encourage owners to use these products?It is of course possible that anticircumvention laws will be interpretedby distributors not as incentives to use effective protection measures but,rather, as incentives to do just the opposite—use insufficiently tested,possibly weak protection technology, and increase reliance on the policeand the courts to punish people who hack around it. This would result insome cost shifting: Instead of owners and distributors paying for goodtechnology to protect their property, the public at large would likely payfor a greater portion of this protection through the law-enforcement sys-tem, although some of the increased costs in enforcement may be borneby the antipiracy efforts of the various information industry associations.This appendix begins by explaining how the cryptology and securityR&D community works and what role circumvention plays in that work.The relevant sections of the DMCA are excerpted and some commentarygiven on their shortcomings, suggesting ways in which they could beCopyright © National Academy of Sciences. All rights reserved.The Digital Dilemma: Intellectual Property in the Information Age http://www.nap.edu/catalog/9601.htmlAPPENDIX G 313improved. Formal recommendations on this subject can be found inChapter 6.HOW THE CRYPTOLOGY AND SECURITY R&DCOMMUNITIES WORKUnderstanding the interaction of intellectual property and technicalprotection services requires an understanding of the research and devel-opment process in cryptology and security.2 A distinguishing feature ofthese disciplines is that they proceed in an adversarial manner: Onemember of the R&D community proposes a protection mechanism; othersattack the proposal and try to find its vulnerabilities. Using this approach,serious vulnerabilities can be discovered and corrected before the mecha-nism is fielded and relied on to protect valuable material.Like most scientific and engineering communities, the security R&Dcommunity does both theoretical and experimental work. The theory ofcryptology and security is substantial and still evolving, touching on someof the deepest and most challenging open questions in the foundations ofcomputation.3 A goal of this theory is to study concepts such as privacy,security, tamper resistance, integrity, and proof in a manner that is bothmathematically rigorous and relevant to the construction of secure prod-ucts and services.4One purpose that this study serves is rigorous analysis of securitymechanisms. When a technique for protecting digital assets is put forth,there are often follow-up papers demonstrating technical flaws that pre-vent it from living up to its claims. Sometimes, a purely theoretical analy-sis is sufficient