The DVD Encryption Software and US Export Regulations

Abstract

The DVD encryption algorithm, DeCSS, is representative of a paradigm shift from a world where encryption technology is rare and mostly used by the military to a world in which encryption is a standard tool for business. Much like Web browsing software, encryption is now embedded into many products and is essential to their usage. The various issues created by this shift focus intense interest on government policy and subsequent intervention in encryption regulation. These position papers will discuss the role of the government in controlling encryption software and its related source code.

1. Argument in favor of regulating encryption
2. Argument against regulating encryption
3. References

Encryption Should Be Regulated

Introduction

The DVD encryption case has presented some interesting issues concerning property rights and the definition of freedom of expression. Since 1996, President Clinton has established that the US should regulate the flow of encryption technology across international borders. The DVD encryption case is particularly interesting because the encryption algorithm, DeCSS, has spread in the form of source code. This source code enables the decryption of DVDs used globally. However, this is still merely a case of encryption software, and it is in the best interests of the government to regulate it as such. This paper explores the arguments in favor of the United States government regulating the distribution of encryption software.

Regulate a Chaotic Medium and Provide for Accountability

The Internet is widely regarded as unregulated territory. There is no central government authority and no accountability for the information and quality of service. There are two main reasons for this. First, the technology is so new that previous laws do not pertain to the Internet or are impossible to enforce in this new medium. The second reason for the Internet's lack of regulation is its seamless stretch across international boundries. With a click of a button, information can be accessed from any country in the world. While these reasons have rendered past regulations ineffective, the time has come for the Internet to adopt some central authority to ensure fair usage and accountability.

By regulating encryption software, the United States is taking the first step toward establishing safe practices on the Internet. This regulation will enable the United States to more efficiently monitor the hacks and attacks by foreigners on American computers. This will increase the safety of our own computers and allow for reliability in the information we receive.

With the DVD encryption, we can see that this regulation would allow for more reliability. Since DVDs have a special encryption algorithm that ensures the contents of the DVD, people can typically trust the information presented on the DVD. However, malicious people can now modify that information and distribute that information to the unwary consumer. The reliability embedded in the original technology was taken away when DeCSS was released to the public, highlighting the need for a more cautious approach to new technology.

The government can now crack down on those sites presenting illegal information. The courts have ruled that DeCSS, and other programs that allow for the decryption of DVDs, are not protected by freedom of speech. As such, they can now regulate and enforce laws against those sites that posted the code. This is a step toward the regulation so badly needed on the Internet.

Threat to National Security

The United States also needs to consider the implications encryption software has for national security. As the Internet is becoming more of a backbone for commerce and sensitive information, that information needs to be secured from malicious parties. The best way for the government to do so is by limiting the strength of the encryption as it leaves the country. This allows the best encryption to be freely used within the United States, but limits the strengths in other countries.

As seen with the DVD encryption, information stored on disks meant for American use only can now been seen in other countries as well. While the information can be further encrypted, the basis still stands that Americans can not freely distribute information on these disks with the sole intent of other Americans viewing this information. By not regulating this software, the American public has to worry about foreign use of these disks.

Need to Protect National Infrastructure

By regulating encryption software, the government will allow only weak or back-door encryption to be exported. This will allow the government to easily decrypt the information so that they can monitor communications. In doing so, the government will be able to thwart international crimes before they occur. This has wide-spread advantages in protecting the national infrastructure. It allowa the government to more efficiently police international crimes and the Internet as a whole. In this age of technology and our growing dependence on it, it is imperative that we protect our resources against foreign attack.

Open Source Causes Vulnerabilities

One of the largest issues with the DVD encryption case is its involvement with the open- source code community. By spreading the source code for such encryption, anyone is able to see the actual technology behind DVD encryption. This puts the power in the hands of the informed to exploit weaknesses. Ordinary people are able to decrypt the DVDs for any purpose they wish. The code can also be modified to serve any purpose they wish. This becomes a particularly scary prospect if the code were ever used by the masses. If that code were replaced by modified code, hardly anyone would notice the difference. The export of this source code enables a malicious hacker to make infinitely many changes, which can seriously affect the way computing works. This causes uncertainty and fear in the public, which the government could have prevented through regulation.

Need to Protect Intellectual Property in Foreign Markets (i.e.- piracy issues)

The most compelling reason for regulation comes from the DVD case. The encryption standard was established in the United States to be distributed around the world. It was monumental in that this encryption would allow for protection of intellectual property rights. Since the United States is the only country where software can be made without being demolished by piracy, it is important that such protection extend beyond the boundary of the U.S.

The Motion Picture Association of America (MPAA) used the CSS encryption algorithm so that their content could not be easily reproduced and modified. This protection is especially important as the world becomes more of a global market economy and products are being more freely exchanged. The use of the CSS encryption algorithm was hailed as the beginning of a new era in which technology could offer a reliable defense against piracy.

By having the government regulate encryption software, it would allow companies to more freely explore foreign markets without fear of serious losses due to piracy. This has been a largely limiting factor for previous software products. The regulation would allow for only the right parties to have the decryption software, regaining reliability and security long lost due to piracy. In our growing economy, it is imperative that the US protect our own intellectual property interests.

Conclusion

The DVD encryption software brings up important technology questions as our economy extends to global proportions. It is imperative for the US to regulate the distribution of encryption software as it affects our national security, infrastructure, and intellectual property rights. The courts have ruled that the DVD encryption source code is not a form of expression protected under freedom of speech, so it is important that the government enforce a set of export standards that will establish the cornerstone of future technology and policy. Encryption export standards must be established and regulated.

Encryption Should Not Be Regulated

Since 1996, the US government has attempted to regulate the distribution of encryption software. This was done under the guise of national protection and policing efforts, but it has become blatantly obvious that this kind of regulation limits our ability to freely express ourselves. The DVD encryption case presents some interesting issues, as its primary purpose is not to secure communication but intellectual property. Since this case involves both encryption software and has global implications, though, there is a question of how the US should intervene. It is the position of this paper that the United States government should not regulate the distribution of encryption software.

One of the first issues concerning encryption and its export involved Web browser software. Web browsing is the most popular form of distributing information over the Internet. However, there are serious security issues with the technology in that people can easily watch the information sent over the Internet. This causes great concern as the Web has gravitated toward e-commerce and the electronic sale of information. Credit card numbers, passwords, and personal information now become vulnerable to malicious hackers.

The solution to such attacks is the use of encryption to scramble the information. This allows for only the sender and receiver to communicate without fear of the information being intercepted by a third party. The popular browsers, Internet Explorer and Netscape Communicator, adopted this encryption and included it in their software. However, this caused a problem in that the encryption exceeded the standards for export set by the US government. In response, the companies released two different distributions: one for US-only use and another for foreign use.

The government recently eased the standards for encryption export, allowing more sophisticated algorithms to appear in products sold by abroad. Since the browser software fits within these new limitations, this change in standards has effectively lifted the ban on the export of state-of-the-art browser technology. However, this scenario illustrates that businesses are quickly adding encryption technology to their products. The global economy is starting to revolve around reliability and accountability, and encryption is becoming a necessity. If the government regulates encryption software, it will only stifle international commerce. The government's only reason for banning the export of encryption technology is their desire to intercept and decrypt communication from foreign sources. This is an intrusion of privacy and is also costly for U.S. businesses that participate in the international marketplace.

The DVD case is particularly interesting because the encryption was developed within the U.S. to be adopted as a standard for worldwide distribution. However, a major issue is that the encryption was extremely weak and easily decoded. While some might say that encryption regulation could help the MPAA, many believe it is the regulation that caused the problem in the first place by forcing the MPAA to use a weaker encryption algorithm. Encryption is vital to a businessâs success, and the government simply cannot put a limitation on a companies ability to take advantage of encryption technology.

As was previously mentioned, Microsoft and Netscape were forced to release their browser software in two different formats - one for U.S. use and one for foreign use. Companies are spending more time adapting to encryption regulations than they are innovating. Foreign companies are forced to buy encryption software from foreign companies because it is far superior to the technology that U.S. companies are allowed to export. Thus, American companies are at a disadvantage. This disadvantage is one of the main reasons why encryption companies like RSA are established in foreign countries.

In addition, communication between companies is becoming a standard business practice. The Internet has provided communication channels that revolutionize the ease with which companies can communicate, but it does not offer the protection most proprietary data requires. People are afraid to share information over the Internet for fear of theft. The DVD technology also establishes a secret that is meant to stifle interoperability within other video formats. The point to stress here is that technology is developing rapidly, but the U.S. is behind in its efforts. It needs to understand that encryption is an important tool that will be paramount to many businessâs futures.

Despite a court ruling that sided with the MPAA against the DeCSS, many people are still trying to post this information to defend their right to freedom of speech. Recently, a seven-line code was posted that decrypted the CSS (encryption of DVD). This program, written in perl, was used by presenters at a conference to demonstrate the weakness of the CSS encryption algorithm. Whereas the MPAA has sued people for posting code before, the poster say this is different because it is used for purely academic purposes.

The point here is that encryption source code is important for academic learning and protection of freedom of speech. People have found numerous ways of circumventing the exportation of source code by publishing it on a t-shirt, embedding it in pictures, and putting it to lyrics. By regulating these forms of expression, the government will surely affect the freedom of speech.

By regulating the exportation of encryption source code, the government will effectively limit the individualâs rights to freedom of speech. As previously mentioned, DVD encryption supporters are finding various ways to creatively present the source code. Many of the examples are truly ingenious, definitely warranting a work of art. They also represent a form of rebellion to protect their own rights, which is important in its own right. It is just as effective as a mural or sculpture, so it should not be limited in its audience. If the government regulates the exportation of the source code, it will set the precedent for years to come in expression issues.

The DVD encryption case is important for its freedom of speech issues as well as its implications for exportation of encryption. Encryption software enables secure, reliable communication and interoperability with other companies. It facilitates innovation and allows for growth in the global economy. It has been established that this sharing of code across borders is important for academic growth and expression issues. Simply put, the government cannot regulate the exportation of encryption source code because it will irreparably damage multiple aspects of our society. DVD encryption will set the precedent for this matter, and it must be allowed to be freely exchanged.

References

What is DeCSS?

http://www.cs.cmu.edu/~dst/DeCSS/index.html (Great site with overview of DeCSS and DVD issues)

US Policy and Restriction of Encryption Source Code

http://www.cdt.org/crypto/admin/991206comments.shtml (Center for Democracy and Technology- Letter Concerning a Draft on Encryption Regulation)

http://www.cdt.org/crypto/admin/ (CDT summary of encryption regulation)

http://207.96.11.93/Encryption/July2KProposedRegSum.html (Bureau of Export Administration: Encryption Fact Sheet)

http://207.96.11.93/Encryption/Default.htm (U.S. Department of Commerce- The Bureau of Export Administration: Information Technology Controls Division)

http://www.zdnet.com/zdnn/content/inwo/0904/inwo0003.html (ZDNet article from 1997 concerning the FBI's call for more Encryption Regulation)

http://www.steptoe.com/WebDoc.NSF/Law+&+The+Net+All/BXA+Advisory+on+Source+Code+Export?OpenDocument (Letter from Bureau of Export Administration concerning January 2000 Export Regulation )

Trials

http://bondiboard.macpublishing.net/daily/daily.889.html (Article Concerning 1996 Case where Encryption Regulation was struck down based upon Freedom of Speech )

http://www.farces.com/farces/publications/box-of-rain/technology/source-code.html (Commentary on 1996 Source Code case)

http://people.qualcomm.com/karn/export/doj_appeal_supplemental_brief.html (Summation concerning trial from 1997 over Encryption Source Code)

http://www.cdt.org/crypto/litigation/000404junger.shtml (Summation from 1999 Trial concerning Source Code not protected by Freedom of Speech)

http://www.wired.com/news/politics/0,1283,35425,00.html (Wired magazine article and links from 2000 discussing panel's decision that Source Code is protected by Freedom of Speech)

http://www.cov.com/publications/bernstein.asp (Paper: The First Amendment Rescues Electronic Commerce and Internet Privacy ) Sharing Source Code for Academic Purposes

http://www.zdnet.com/zdnn/stories/news/0,4586,2254799,00.html ( ZDNet article discussing EFF victory over Regulation of Encryption)

http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoJ/ (EFF documents about 1999 case of Professor sharing Encryption Source Code with overseas collegues)

http://www.zdnet.com/zdnn/stories/news/0,4586,2610482,00.html (ZDNet article about Copyleft T-Shirt with DeCSS code)

http://www.copyleft.net/item.phtml?&page=product_273_front.phtml (Link to Copyleft's shirt and the summons issued by the MPAA)

http://www.gigalaw.com/articles/ghosh-2000-05-p1.html (Argument in a Law Website about Source Code as Freedom of Speech in Encryption Case)

http://www.theregister.co.uk/content/4/17568.html (UK site- Article and links concerning DeCSS and 7-line Perl code)

http://www.ucomics.com/boondocks/viewbo.cfm?uc_full_date=20010302&uc_comic=bo&uc_daction=X (Comic censured because of DeCSS code)

http://www.lemuria.org/DeArt/ (Amazing source of Art and other forms of Expression with DeCSS code embedded)

http://www.visi.com/~leppik/css-auth-artistic/ (Another site with DeCSS as Art)