[DMCA-Activists] Notes from yesterdays' 2743 hearing

[David Turner]

I probably mangled some names and missed some points here, but I think I
got most of the major points.  

Yesterday, I went to a hearing for House bill 2743, held by the Joint
Commitee on Criminal Justice.  Initially present were Representatives
Paulsen, Linsky, Hillman, and Vallee and Senator McGee.  Showing up
later were Festa (10:25), Brian Knuuttila (10:50), Daniel Webster
(11:15), and Walter Timilty (12:45).  It got very loud outside towards
the middle of the morning.  Some identity theft issues were discussed
before the 2743 speakers started.

The plan of the day was to hear supporters of bills first, then those
who oppose it.  So, at some time after Festa entered, the MPAA rep Amy
Isabelle (sp?), a VP of State Legislative Affairs was called.  She
claimed that the goal of the at was to "Prevent Theft".  The MPAA is
in Washington today working with electronics manufacturers and
consumer groups to fix the drafting of these acts.  Other states have
already passed them.  Then she went on the defensive.  She set up the
straw man that people claimed that these laws were copyright laws.
She claimed that there was an intent requirement, and referred back to
earlier (unrelated) comments by the Attorney General's office, which
mentioned prosecutorial discression, and stated that the laws
wouldn't be enforced against normal uses.

James DeRosa spoke against the law's current form because it's
overbroad.  Rep. Hillman said that he used a router to hook his four
computers up to his cable connection, and that his TOS allowed this.
He wondered if the act would allow this.  He also called back up the
MPAA rep, who said that this could and would be fixed.  She also
mentioned again prosecutorial discression.  Linsky wanted to make sure
that the acts the law criminalized were things ordinary people would
recognize as crimes.  Isabelle replied that the act was intended as a
deterrent, but couldn't give any specifics.  She said that cable
experienced 6.5 billion dollars per year in "losses."  She said the
law was intended to go after people who make cable descramblers.
Linsky asked if any new crimes were being added here, crimes that
couldn't be covered by existing bills.  He mentioned the general
larceny statute.  Isabelle replied that lawyers tell them that yes,
they needed these laws.  Linsky said, skeptically, "*your* lawyers
tell you."

The American Electronics Association was up next.  I couldn't catch
the speaker's name.  He opposed the law because it was too vague, but
didn't give many specifics.  

Roger Dingledine was called.  He mentioned that he had written an
anonymizing web proxy, and said that it was intended to keep people
like Doubleclick from tracking you and selling your information to
telemarketers.  Hillman said that hacking was a danger, and wondered
if these anonymity services would make it harder to track down
criminals.  Roger replied that he bill actually hurts internet
security, and that hackers are already breaking the law and wouldn't
be deterred by this law.  Then he mentioned his Navy contract and
talked in vague terms about Mixminion.  

I spoke here.  My planned speech is reproduced below, but I didn't read
from the page, because the senators said that they didn't want to hear
that, they wanted to hear personal statements.  Written statements
could be submitted.  I've added to the text below some comments which 
I added to my actual speech, responding to the MPAA's points.

My name is David Turner, and I am a copyright specialist for the Free
Software Foundation.  The Foundation is 501 (c)(3), Massachusetts
non-profit Corporation based in Boston, dedicated to the free
dissemination of information.

The Foundation opposes House Bill 2743 because of both major
provisions of the bill, 166:42B, sections (a) and (b).

Section (a) prohibits receiving communication services without
the express consent of the communication service provider.  This means
that you can't use a radio or television without permission from the
broadcasters.  Nobody is going to tell you that you can't watch TV,
but they might tell you that you can't record it, a right the US
Supreme Court affirmed in 1984.  They might tell you that you can't
use your TiVo to pause it while you answer the phone.  The Motion
Picture Associate of America, primarily through its Copyright
Protection Working Group, has already said that it wants to limit
these sorts of freedoms.

We publish, under our copyright, from our web site here in
Massachusetts, a computer program called GNU Radio.  It receives radio
and television signals, and puts them into a form suitable for
processing by computer.  You can use GNU Radio to listen to the radio
or watch High Definition Television on your computer.  And it would be
easy to reprogram it to "pause" live radio just like TiVo now does
with TV.  Under current federal law, this is called time-shifting,
and is perfectly legal.  But broadcasters are hostile to this new
technology, and House Bill 2743 gives them the means to attack it.

The MPAA representative has raised a few points which I want to
address.  First, she points out that the act isn't a copyright law.
This is true, which is problematic, because it has no provisions for
fair use like copyright law does.  Also, she mentioned prosecutorial
discression, which doesn't actually help in this case, because there's
a private right of action.  Finally, the definition of a
Telecommunication Service Provider requires that there's compensation.
I have a quote, not handy, from AOL Time Warner CEO Jamie Kellner, who
said that there was an implicit contract, that you pay for TV by
watching the ads.  So television definiately counts.

We believe that people ought to be allowed to build innovative
technology like GNU Radio without interference from the government or
media companies.  Although I'm too young to remember it, I'm told that
people used to be required to rent phones from the phone company.
People would get in trouble for using third party phones, and had to
pay for each extension.  If TV and radio broadcasters have their way,
you may have to rent your radio, TV, and VCR from them, or only use
"authorized" equipment.  And this equipment won't have a record
button.  

We also oppose section (b), but all of the cryptographers here have
told you and will tell you about the problems with that.

Senator McGee asked me which provisions the Foundation opposed, and I
responded that we opposed both (a) and (b).  I then asked if he wanted
to hear something new about (b), which hadn't been mentioned, and he
grudgingly agreed.

I replied that (b) says that you can't hide where your communications
are coming from, or where they're going.  There are lots of reasons
you might want to do that.

If you're a real estate developer, and you need to buy five plots of
land for a development, you wouldn't want your intentions to get out,
because the prices would rise.  If you're sending email to one of the
landowners, you might encrypt it, so that nobody but the landowner can
read it.  But if the other landowners noticed that someone from a real
estate firm was mailing all of their neighbors, they might figure out
your plans anyway.  This is called traffic analysis.  Since many
communication systems, such as broadband internet via cable, have
little in the way of security, this would be easy and undetectable for
a savvy landowner.  If you can hide the origin of your mail, you're
protected from that threat.  Section (b) prohibits this,
leaving you at the mercy of hackers.

---

Brian Hannum (sp?) opposed the act, because it potentially outlawed
VPNs, which are needed for security.  Paragraph (b) has no intent
requirement.  "We just make the software, we don't control how it's
used."  Also, because each device is a separate offense, the penalties
could be huge.  He also spoke against (a), because NAT and PVRs aren't
authorized by cable providers.  Knuuttila asked what the need was for
privacy, and didn't mind advertiser profiling.  On the other hand, he
was affraid of criminals.  Hannum mentioned the history of poor
technology regulation.  Then he said that tools ought not to be
criminalized.  He feared the law's chilling effect, and mentioned that
the DMCA had already had chilling effects (he mentioned playing DVDs
on Free Software operating systems).

John Palfrey, the Executive Director of the Berkman Center came to
talk, but in his personal capacity.  He was extremely professional,
articulate, and passionate.  The law has many unintended consequences,
and is effectively a special interest law.  He mentioned that the MPAA
were the only ones there to support it, and their representative
didn't even know local laws.  He said that the legitimate aims of this
law were already covered by the DMCA and Patriot acts.  Internet law
is a mess, and this law only adds to the confusion.  "I don't know
everything it criminalizes, but it's very, very broad."  And people
don't know which acts are legal, and which aren't already.  This law
would only make that wose.  Also, the law would hurt fair use, and
legitimate research, and free speech.  At the end of his speech, the
programmers in the room spontaneously applauded.  It was the only
applause for the entire day.

McGee mentioned that the federal government got Napster shut down.
Palfrey replied that yes, current laws work fine.  This new law is
overbroad.  Vallee said that internet security was very important, and
mentioned cyberterrorism.  He asked how this law would affect
security.  Palfrey said that yes, internet security was very
important, and that this law criminalized common security measures.
Callee asked about the recent DDOS attacks on military computers using
zombies.  He asked if anonymity tools would stop the government from
tracking hackers.  Palfrey said that it might, but that this was the
wrong bill to stop that.  The Patriot act is the right bill, and it's
already passed.

David Carroll spoke next.  He was probably the oldest programmer
speaking.  He submitted the New York Times article mentioned on
Freedom To Tinker
(http://www.nytimes.com/2003/03/27/technology/circuits/27basi.html),
and said that the technologies mentioned therein were "pretty good
anonymity" (laughs from the programmers).  He pointed out that,
despite anonymizing proxies, the government can still trace
communications, because they can cross ISP boundaries.  He also said
that it was odd to think of content providers as communication service
providers.  He mentioned that content providers could control the
tools used to view content, and that this hurt interoperability.
Finally, he pointed out that you might not be able to figure out what
spyware was sending, since it was providing a communication service.
He said that the DMCA has an exception for this, but 2743 doesn't.

There was a long break from 2743, while the rest of the people present
were called to speak.  After the non-2743 speakers, David Martin was
called.  He's an assistant professor of computer science at UMass
Lowell.  He pointed out the unintended effects of the law, saying that
some of his assignments in his security classes could violate this
act.  He was also concerned about the intended privacy implications of
the act.  About 88% of Internet users were concerned about internet
privacy.  He mentioned identity theft, going back to a topic which had
been discussed earlier in the day (about unrelated bills).  He
mentioned Safeweb, an anonymizing proxy which got 3 million hits per
day while it was alive.  It was funded by the Voice of America.  He
was also concerned about concealing the locations of his
communications because it might not be technically feasible.  "Most
people think of communication as person to person.  But computers talk
to computers, and users may not know where their messages go."  Also,
Carnivore could be used to catch criminals who use these services.

Nick Mathewson mentioned that human rights workers, abuse victims, and
whistleblowers have a need for anonymity.  He was also concerned about
ESMTP, NAT, and VPNs.  He mentioned location-hidden servers, which
would resist attack.  He said that sure, some privacy services can
help criminals, but so do cars.  "We can't build a privacy service
which doesn't shelter some criminals any more than we can build a car
which can't be used as a getaway car."  The existing law enforcement
system does work, hackers are in jail.  Hackers will only be helped if
we can't use these systems -- it won't stop them from using them.  He
also went back to the lack of intent requirements in (b) and (d).

Representative Vallee stepped in here, and said that he wanted to hear
original, personal stories.  He was tired of hearing the same thing
over and over again.

Thomas Bolioli (sp?) said the law was overbroad, and that network
protocols were layered, and it wasn't clear at what layer this stepped
in.  He also mentioned that, despite what the MPAA rep said, there
were no intent provisions in the Michigan bill.

Ravi (long south indian name which I didn't catch) wasn't a security
expert, but used security tools.  He has to use crypto for his job.
This bill is a symptom of the technology legislation mindset that to
regulate new technology, old definitions simply need to be expanded.
He said that instead, new technology must be considered on its own
merits.  

Derek Atkins addressed Knuuttila's point that he didn't need privacy,
by asking if his kids needed privacy from stalkers.  He was worried
about technology regulations because technology doesn't know about
intent, and can be used for good or evil.  He also mentioned general
freeedom of anonymous speech.  Finally, he said that security
discussion is important because the bad guys already know the bad
stuff, and the good guys need to be able to talk about how to stop
attacks.  

Dan Barret described the technical people as "canaries," the first
sign that something was wrong with the law.  But if passed, it would
hurt everyone.  He mentioned that printing the NYT article earlier
might violate the act by retransmitting communications services
without permission.  He said that technology people were very angry
about this.  McGee noted that the MPAA representative had already left,
and that the technical people had stayed, showing their devotion.

Scott Ananian, a MIT grad student and DMCA protester noted that the
"plans" forbidden by the act are simply speech.  Security papers are
full of plans for exploits, and security researchers and system
administrators need to have access to these to stop them.  Then he
made the almost certainly nonsensical claim that the law would stop
law enforcement from posessing these tools, even when they were
evidence in crimes.  

Michael Bower said that anonymous speech was a free speech right, so
(b) was bad with or without an intent requirement.  He described the
old history of anonymous speech, including the Federalist Papers but
not McIntyre.  He also said that spam was part of this, and was
protected.  He said that protestors and other controversial speakers
needed anonymity, and pointed out that it was a way for speakers to
focus listeners' attentions on the message, not the speaker.

Matthew Morse said this was special interest legislation, that cable
was one-to-many communication, while the internet was two-way.  He was
worried about all the laws the media companies are trying to pass,
trying to turn the 'net into a one-way medium.  

Rachel (didn't catch last name), a biologist, said that everyone
needed privacy, and that technology regulation in general is harmful,
because it hurt interoperability and market competition.  

-- 
-Dave Turner
GPL Compliance Engineer
Support my work: http://svcs.affero.net/rm.php?r=novalis&p=FSF