Chilling Effects
Samuelson Law, Technology and Public Policy Clinic

HP Cries Foul Over Tru64 UNIX Buffer Overflow Exploit

July 29, 2002

 

Sender Information:
HP
Sent by: [Private]
[Private]

Recipient Information:
[Private]
Secure Network Operations, Inc., D/B/A SnoSoft
Maynard, MA, 01754, USA


Sent via: By Electronic and
Re: Re: Tru64 UNIX Buffer Overflow Exploit

Dear [private]:

It has been brought to my attention that, on July 18, 2002, a buffer overflow exploit of Tru64 UNIX was posted on securityfocus.com under the alias [private]@webtribe.net (a/k/a [private], [private]@mail.ru" and "[private]"). Based on information provided by [private] to HP concerning aliases utilized by SnoSoft, we understand that this action was taken by an agent of SnoSoft despite SnoSoft's representations that it intended to comply with the industry standard practice of reporting its findings to CERT and despite the ongoing discussions between [private] and [private] on this issue.

Please be advised that the posting of the buffer overflow exploit has exposed SnoSoft and its members to potential federal criminal liability under both the Digital Millennium Copyright Act ("DMCA") and the Computer Fraud and Abuse Act. Under the DMCA, SnoSoft and its members could be fined up to $500,000 and imprisoned for up to five years for "offering to the public . . . any technology . . . that is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner." See 17 U.S.C. § 1201(b). In addition, under the Computer Fraud and Abuse Act, if anyone uses the buffer overflow exploit posted by SnoSoft on securityfocus.com to cause damage to a Tru64 UNIX system, SnoSoft and its members could be subject to significant criminal sanctions, including up to ten years in prison. See 18 U.S.C. § 1030(c)(3) & (4). Finally, SnoSoft and its members may face additional penalties under various criminal statutes of the Commonwealth of Massachusetts including, but not limited to, criminal extortion (M.G.L. c. 265 § 25).

HP hereby requests that you cooperate with us to remove the buffer overflow exploit from securityfocus.com and to take all steps necessary to prevent the further dissemination by SnoSoft and its agents of this and similar exploits of Tru64 UNIX. If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith. Finally, HP also reserves its right to seek whatever legal recourse it has against SnoSoft and its members for monies and damages caused by the posting and any use of the buffer overflow exploit.

Regards,

[private]

cc: [private]
bcc: [private]
[private]

 
FAQ: Questions and Answers



Question: What is reverse engineering?

Answer: Reverse engineering is the general process of analyzing a technology specifically to ascertain how it was designed or how it operates. This kind of inquiry engages individuals in a constructive learning process about the operation of systems and products. Reverse engineering as a method is not confined to any particular purpose, but is often an important part of the scientific method and technological development. The process of taking something apart and revealing the way in which it works is often an effective way to learn how to build a technology or make improvements to it.

Through reverse engineering, a researcher gathers the technical data necessary for the documentation of the operation of a technology or component of a system. In "black box" reverse engineering, systems are observed without examining internal structure, while in "white box" reverse engineering the inner workings of the system are inspected.

When reverse engineering software, researchers are able to examine the strength of systems and identify their weaknesses in terms of performance, security, and interoperability. The reverse engineering process allows researchers to understand both how a program works and also what aspects of the program contribute to its not working. Independent manufacturers can participate in a competitive market that rewards the improvements made on dominant products. For example, security audits, which allow users of software to better protect their systems and networks by revealing security flaws, require reverse engineering. The creation of better designs and the interoperability of existing products often begin with reverse engineering.




Question: Can a system be legally circumvented?

Answer: It depends. In general, the anti-circumvention provisions of the DMCA reserve broad authority to copyright holders to determine who can circumvent their systems.

For example, while the DMCA contains an encryption research exemption, to come under the exemption a researcher must lawfully obtain the work and request permission from the copyright holder to engage in circumvention [1201(g)(2)(C)]. In addition, under the DMCA only individuals who are studying, trained, or employed in encryption research are likely to be considered legitimate researchers under the law [1201(g)(3)(B)]. Finally, an encryption researcher is required to immediately notify the creator of the protection system when she breaks it. [1201(g)(3)(C)] The security testing exemption is even more restrictive in its rules about obtaining authorization from the copyright owner. It requires individuals engaged in security testing not only to request the authorization but actually to obtain it. [1201(j)(1)] On the other hand, the exemption relating to law enforcement, intelligence, and other government purposes has no such requirement to notify copyright owners of these activities. [1201(e)]

One important limitation to the control given to copyright owners is that manufacturers and developers of consumer electronics, telecommunications, or computing products are not required to design their products to respond to the digital protection systems implemented by copyright owners in their works. [1201(c)(3)] In this limitation, the DMCA anticipated the excessive control that copyright owners might exercise over the products used to play their works in addition to the works themselves.




Question: What kind of authorization is required of the copyright owner in order to legally circumvent a system?

Answer: It depends. In general, the anti-circumvention provisions of the DMCA reserve broad authority to copyright holders to determine who can circumvent their systems.

For example, while the DMCA contains an encryption research exemption, to come under the exemption a researcher must request permission from the copyright holder to engage in circumvention [1201(g)(2)(C)]. In addition, under the DMCA only individuals who are studying, trained, or employed in encryption research are likely to be considered legitimate researchers under the law [1201(g)(3)(B)]. Finally, an encryption researcher is required to immediately notify the creator of the protection system when she breaks it. [1201(g)(3)(C)] The security testing exemption is even more restrictive in its rules about obtaining authorization from the copyright owner, requiring individuals engaged in security testing not only to request the authorization but actually to obtain it. [1201(j)(1)] On the other hand, the exemption relating to law enforcement, intelligence, and other government purposes has no such requirement to notify copyright owners of these activities. [1201(e)]

One important limitation to the control given to copyright owners is that manufacturers and developers of consumer electronics, telecommunications, or computing products are not required to design their products to respond to the digital protection systems implemented by copyright owners in their works. [1201(c)(3)] In this limitation, the DMCA anticipated the excessive control that copyright owners might exercise over the products used to play their works in addition to the works themselves.




Question: What does it mean to distribute circumvention tools?

Answer: Section 1201(a)(2) defines distribution as the "manufacture, import, offer to the public, provide, or otherwise traffic" of circumvention tools. This definition can be interpreted extremely broadly, as is evident in the court's analysis in the DVD encryption case Universal v. Corley. In its decision, the court not only considered making the source code of a program available for free to be a type of distribution, but also found that merely linking to a web site containing illegal tools can constitute "trafficking."




Question: What is the Digital Millennium Copyright Act?

Answer: The DMCA, as it is known, has a number of different parts. One part is the anticircumvention provisions, which make it illegal to "circumvent" a technological measure protecting access to or copying of a copyrighted work (see Anticircumvention (DMCA)). Another part gives web hosts and Internet service providers a "safe harbor" from copyright infringement claims if they implement certain notice and takedown procedures (see DMCA Safe Harbor).




Question: Are there exceptions in the DMCA to allow circumvention of technological protection systems?

Answer: There are seven exemptions built into section 1201 of the DMCA, some of which permit the circumvention of access and copy controls for limited purposes, some of which allow for the limited distribution of circumvention tools in particular circumstances. These seven exemptions are for:

  • Libraries, archives, and educational institutions for acquisition purposes; [1201(d)]
  • Law enforcement and intelligence gathering activities; [1201(e)]
  • Reverse engineering in order to develop interoperable programs; [1201(f)]
  • Encryption Research; [1201(g)]
  • Protecting minors from material on the Internet; [1201(h)]
  • Protecting the privacy of personally identifying information; [1201(i)]
  • Security Testing [1201(j)]

In addition to these seven exemptions, the Library of Congress is required every three years to exempt the circumvention of measures that prevent the "fair use" of copyrighted works. [1201(a)(1)(B-E)] The DMCA also contains provisions that ensure that the traditional rights of copyright law still apply to the DMCA. Section 1201(c)(1) provides that the rights, remedies, limitations, or defenses to claims of copyright infringement still apply. Section 1201(c)(4) states that these provisions should not affect the rights to free speech or freedom of the press for activities using electronics, telecommunications, or computing products.




Question: What does circumvention mean?

Answer: Circumvention, according to Section 1201(a)(3)(A), means "to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." While the full scope of activities and practices that would fall under this definition has not yet been examined by the courts, any act of undoing a "lock" or "block" in a digital system may well be considered circumvention.




Question: Can a technological protection measure be reverse engineered?

Answer: Section 1201(f) allows software developers to circumvent technological protection measures of a computer program that was lawfully obtained in order to identify the elements necessary to achieve the interoperability of an independently created computer program with other programs. A software developer may reverse engineer the program only if:

  • the elements necessary to achieve interoperability are not readily available and
  • reverse engineering is otherwise permitted under the copyright law.


Software engineers are permitted to develop and employ circumvention devices for the purpose of achieving interoperability. [1201(f)(2)] Reverse engineers are exempt from the circumvention device ban only for the purpose of achieving interoperability, and not for gaining access to protected works for infringing purposes. [1201(f)(2)]




Question: What rights are protected by copyright law?

Answer: The purpose of copyright law is to encourage creative work by granting a temporary monopoly in an author's original creations. This monopoly takes the form of six rights in areas where the author retains exclusive control. These rights are:

(1) the right of reproduction (i.e., copying),
(2) the right to create derivative works,
(3) the right to distribution,
(4) the right to performance,
(5) the right to display, and
(6) the digital transmission performance right.

The law of copyright protects the first two rights in both private and public contexts, whereas an author can only restrict the last four rights in the public sphere. Claims of infringement must show that the defendant exercised one of these rights. For example, if I create unauthorized videotape copies of Star Trek II: The Wrath of Khan and distribute them to strangers on the street, then I have infringed both the copyright holder's rights of reproduction and distribution. If I merely re-enact The Wrath of Khan for my family in my home, then I have not infringed on the copyright. Names, ideas and facts are not protected by copyright.

Trademark law, in contrast, is designed to protect consumers from confusion as to the source of goods (as well as to protect the trademark owner's market). To this end, the law gives the owner of a registered trademark the right to use the mark in commerce without confusion. If someone introduces a trademark into the market that is likely to cause confusion, then the newer mark infringes on the older one. The laws of trademark infringement and dilution protect against this likelihood of confusion. Trademark protects names, images and short phrases.

Infringement protects against confusion about the origin of goods. The plaintiff in an infringement suit must show that defendant's use of the mark is likely to cause such a confusion. For instance, if I were an unscrupulous manufacturer, I might attempt to capitalize on the fame of Star Trek by creating a line of 'Spock Activewear.' If consumers could reasonably believe that my activewear was produced or endorsed by the owners of the Spock trademark, then I would be liable for infringement.

The law of trademark dilution protects against confusion concerning the character of a registered trademark. Suppose I created a semi-automatic assault rifle and marketed it as 'The Lt. Uhura 5000.' Even if consumers could not reasonably believe that the Star Trek trademark holders produced this firearm, the trademark holders could claim that my use of their mark harmed the family-oriented character of their mark. I would be liable for dilution.




Question: What are the civil penalties for a DMCA 1201 violation?

Answer: Civil cases are brought in federal district court where the court has broad authority to grant injunctive and monetary relief. Injunctions can be granted forbidding the distribution of the tools or products involved in the violation. The court may also order the destruction of the tools or products involved in the violation. The court can also award actual damages, profits gained through infringement, and attorney's fees. If an individual held in violation of the DMCA commits another such violation within the three-year period following the judgment, the court may increase the damages up to triple the amount that would otherwise be awarded.

In circumstances involving innocent violators, it is up to the courts to decide whether to reduce damages. But in the case of nonprofit libraries, archives, or educational institutions, the court must remit damages if it finds that the institution did not know of the violation.


Topic maintained by Samuelson Law, Technology and Public Policy Clinic

Chilling Effects Clearinghouse - www.chillingeffects.org