Russian developer Dmitry Sklyarov is now a guest of the U.S. Federal Bureau of Investigation, having been charged with violation of the DMCA (Digital Millennium Copyright Act). The feds and Adobe Systems Inc. are unhappy because Sklyarov reverse-engineered the encryption scheme used in Adobe's eBooks technology. This may be perfectly legal in Russia, but here it's a felony.
If Sklyarov had just written a paper and put together some PowerPoint slides for a presentation, things would be a lot simpler. Can you say "First Amendment"? But press reports claim that Sklyarov came to a convention in Las Vegas with 500 demo copies of his decryption program. That's a problem -- 500 of anything is enough evidence to prove a distribution charge. Although the demo version will process only about a quarter of an eBook -- and his employer ElcomSoft Co. Ltd. is keeping the full version under wraps -- Sklyarov will get deported if he's lucky, and jail if he's not.
If I were running Adobe, I'd have hired Sklyarov because he grasps encryption better than anyone at Adobe. The company chose instead to get heavy, hoping that nobody would notice the eBook scheme's shortcomings. This backfired when, faced with an ill-concealed rebellion among its own employees, Adobe management caved and is now calling for Sklyarov's release.
This circus underscores a fundamental flaw in the DMCA: that any "reverse engineering" of an encryption scheme is illegal. It doesn't matter what your motive is; if you're not authorized by the owner to tinker, you're a criminal. This flies in the face of centuries of engineering progress that came about because someone made improvements to somebody else's work. It's time to put a provision into the DMCA that should have been in the original bill: one that allows for legitimate discussion and research. Send this column to your representatives and senators, because as the law stands right now, Thomas Edison would get life.
A secure infrastructure for e-commerce cannot be created if the mere act of finding and publicizing holes in security schemes is a crime. A "reasonable behavior" test would have exonerated recent victims of the DMCA such as Princeton's Edward Felten, who with others entered the recording industry's contest to crack its latest "uncrackable" watermarking scheme. Yet he was threatened with a lawsuit this spring for succeeding and for publishing his results.
It's not hard to identify malicious behavior; judges and juries do that every day. If e-commerce is going to succeed, it has to be secure; and if it's going to be secure, it has to be tested. I'd rather that testing take place at the hands of some mild-mannered academics scrambling for tenure than by some digital pirate less interested in getting rich than in listening to free music, or discrediting my business.