Why the Security Systems Standards and Certification Act Cannot Prevent Piracy
University of Wisconsin - Parkside
Introduction
The Security Systems Standards and Certification Act (SSSCA) is a new piece of
legislation, which in essence requires manufacturers of all electronic devices
and software to embed government approved copy protection technology in their
products[1].
This paper is designed to show why broad-based copy protection controls such as
the SSSCA are impossible to implement, and to provide a thorough introduction
to this bill for those unfamiliar with it. I present this paper in a question
and answer format, to give a clear depiction of the bill and my arguments.
What is the SSSCA?
Senator Fritz Hollings
(D-SC), the chairman of the Senate Commerce Committee, with the help of Ted
Stevens (R-AK), drafted this legislation in August 2001. It consists of two
parts. Title I, the portion of the bill which is the focus of this document,
provides for the establishment of one or more government-approved copy
protection standards and then requires all consumer electronics and software
manufacturers to embed those standards into all of their products. Title II
creates a 25-member federal "Computer Security Partnership Council" and
provides funding for an NIST (National Institute of Standards and Technology)
computer security program and a federal computer security training program.
This legislation applies to all types of digital content, including everything
from text files to movies. It is perceived by many as being a follow-up to the Digital
Millennium Copyright Act (DMCA) [2],
which was passed in 1998. As of November 2001, Senators Hollings and Stevens
have not yet introduced the SSSCA. This bill is being associated with the DMCA
because the DMCA made it effectively illegal to attempt to remove a copy
protection scheme from a digital device or program, while the SSSCA would make
a copy protection scheme mandatory in all digital devices and programs. On the
surface, the combination of these laws seems to provide universal protection
for digital media.
Why is this seen as necessary?
Obviously, this bill was
designed with interests of content owners at the forefront. After all,
according to Federal Elections Commission data[3],
five of the top twenty contributors to Senator Hollings' election fund from
1997 to 2002 are major media organizations: AOL Time Warner, News Corporation,
CBS, the National Association of Broadcasters, and the Walt Disney Company.
The SSSCA seems to be guided
by the principle that it is easier to enforce legal obligations on technology
development companies than it is to enforce them on individual consumers. On
the surface, this makes sense because these companies are fewer in number and
appear to have little reason not to comply with the law. Hollywood executives,
with fresh memories of the Napster spectacle (and still stung by the newer
clones), have been eagerly searching for ways to prevent large-scale piracy of
movies, albums, and other copyrighted works. To date, all initiatives to
prevent this piracy have more or less failed. A lawsuit from the Recording
Industry Artists Association has successfully blocked Napster from being used
to transmit copyrighted music files, but Napster was quickly replaced with
various decentralized clones that could not be shut down by a court order.
Music protection schemes such as SDMI were invented, but just as quickly proven
ineffective. And all the while, people were happily copying and transmitting
protected media without thinking twice about the legal consequences.
A film industry consortium,
led by Disney, is actively supporting this bill. The film industry is gravely
concerned that with the proliferation of high-speed home Internet connections,
and the development of extremely efficient compression algorithms (particularly
MPEG-4), movies can be traded online as easily as music.
What types of electronic media and devices would the SSSCA apply to? How might it work?
The SSSCA provides for the
copy protection of simply anything that can be digitized. This includes music,
movies, e-books, 3D models, and images, and presumably also any other
computer file which a copyright holder might wish to protect. This is a very
broad piece of legislation. However, although it provides for the creation of
copy protection technologies, it does not define any such technologies. In
Section 104(a), it specifies the following criteria:
- Reliability
- Renewability
- Resistance to attack
- Ease of implementation
- Modularity
- Applicability to multiple technology platforms
There is no additional detail
provided. Because it is so vague, almost anything could be a potential
candidate as a certified copy protection scheme, and there is no guarantee as
to the efficiency or cost of a scheme. It will be left up to the Secretary of
Commerce whether to certify a scheme and sign it into law.
There is no mention of
research prototypes or academic uses in the bill. Therefore, under its current
wording, it would be illegal to create any electronic devices or software, even
a simple prototype built for classroom research, if that prototype does not
include approved copy protection technology. It is not hard to imagine what
effect this omission could have on the academic world.
What is wrong with digital copy protection?
From a technical standpoint,
it would be difficult to impossible to protect these very different forms of
media with one single protection scheme, unless some generic flags were simply
appended to the data, or an encryption standard were implemented. However,
simply flagging a file as "protected" would not provide resistance to attack
(required by Sec. 104(a)), as it would be a simple exercise to remove the flags
from the file. And any encryption protection scheme has two vulnerabilities:
that a public key must be retrieved and stored to play or view the media, which
could be just as easily used to remove the protection, and that the information
must be decrypted at some point anyhow for it to be played or viewed, and at
that point the decrypted content may be copied freely. Windows Media Player is
an example of a popular software package that offers an encryption based
protection scheme. Recently, a hacker known as "Beale Screamer" created a
program to decrypt protected Windows Media files. In a CNN.com story about the
exploit, David Caulton, product manager for Microsoft's digital media division,
said, "We don't believe any possible DRM system is actually invulnerable."[4]
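The flag argument above, as an added Python example (not part of the original paper): a constructed toy container carries a one-byte copy flag that a compliant copy routine honors. Rewriting that byte defeats the bare flag, and binding the flag to the media with an HMAC lets the compliant device detect the change only while the key embedded in every player stays secret. The container layout, function names and key are assumptions made for illustration.

```python
import hashlib
import hmac

FLAG_FREE, FLAG_PROTECTED = 0x00, 0x01
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def pack_flag_only(flag, media):
    """Constructed toy container: one copy-control byte, then the media."""
    return bytes([flag]) + media

def pack_authenticated(flag, media, key):
    """Same container plus an HMAC-SHA256 tag covering flag and media."""
    # Assumption: the same key must ship inside every compliant player.
    body = bytes([flag]) + media
    return body + hmac.new(key, body, hashlib.sha256).digest()

def compliant_copy(container, key=None):
    """Copy routine of a compliant device: check the tag when a key is
    configured, then honor the flag. Returns the media or raises."""
    body = container
    if key is not None:
        if len(container) <= TAG_LEN:
            raise PermissionError("container truncated")
        body, tag = container[:-TAG_LEN], container[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("flag or media was modified")
    if not body:
        raise PermissionError("container truncated")
    if body[0] == FLAG_PROTECTED:
        raise PermissionError("copy flag set")
    return body[1:]

def with_flag_cleared(container):
    """Tamper test input: the same bytes with the flag byte rewritten."""
    return bytes([FLAG_FREE]) + container[1:]

def copy_outcome(container, key=None):
    try:
        compliant_copy(container, key)
        return "copied"
    except PermissionError as exc:
        return "refused: " + str(exc)

if __name__ == "__main__":
    media, key = b"constructed sample media", b"constructed demo key"
    for c, k in ((pack_flag_only(FLAG_PROTECTED, media), None),
                 (pack_authenticated(FLAG_PROTECTED, media, key), key)):
        print(copy_outcome(c, k), "->", copy_outcome(with_flag_cleared(c), k))
```

A device that simply skips the check is unaffected by either variant, which is why the enforcement rests on every player being compliant.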
To address these
vulnerabilities, content owners have put enormous resources and effort behind
the development of "robust digital
watermarking". This technology allows information to be imprinted within the
content in a way that does not noticeably affect it, while being able to
survive fairly heavy abuse, such as copying a digital video file to an analog
video tape and then digitizing it again on a personal computer[5].
In this way, a content owner may store copyright information, copy constraints,
or other information within the content, and a player compliant with the robust
digital watermarking standard would be required to enforce any constraints
found in the media. However, digital watermarking has two major issues: that it
cannot be used on e-books and other textual or numeric information, and that no
such scheme has ever been proven impossible to remove from the content. The
Secure Digital Music Initiative, or SDMI, is a consortium of 180 companies with
an interest in digital watermarking; it has not yet developed a standard,
possibly because all of its watermarking techniques have been broken by a group
of researchers from Princeton and Rice Universities[6].
This begs the question: is an
implementation of the SSSCA which provides significant "resistance to attack"
even possible? The answer appears to be "no". Although the "renewability"
requirement above theoretically makes it possible to update the copy protection
standard each time it is broken, in practice it would be unlikely that the
government would win such a war against computer hackers.
Could I still tape television shows to watch later on my VCR?
In Section 103(b), the SSSCA
specifically prevents copy protection schemes from being used to prevent
individuals from making personal copies of media at the time it is performed.
This would most likely prevent live television broadcasts from being protected.
It would still be unlawful to record a live television show and play it back
later for an audience, or to give away copies of the recording. Also, movies
shown on "premium" cable channels are exempt from this requirement. This is
consistent with existing laws with respect to broadcast recordings, and
protects the rights given to individuals under those laws.
What would the penalty be for removing or circumventing copy protection?
This would be a felony
punishable by five years in prison and fines of up to $500,000.
Who would be responsible for designing the protection scheme?
According to Section 104(b),
digital device manufacturers and copyright owners have twelve months to reach
an agreement on the security standards, and once an agreement is reached, the
Secretary of Commerce would sign those standards into law. There is no
indication in the bill of exactly which companies would be involved in
negotiations, or how any committees would be formed. If twelve months pass from
the signing of the bill and it is determined that a standard has not been
agreed upon but is in progress, an additional six months will be granted. If
after twelve months it does not appear that progress is underway on a security
standard, the National Institute of Standards and Technology will become
responsible for developing a standard. Again, it may not even be technically
possible to implement an attack resistant protection scheme. If not, it is
likely that an insecure standard will be implemented to meet the deadline, and
it will then be "renewed" at a future date to provide additional security.
However, it has not been proven that a secure protection standard can ever
exist, a fact that is entirely ignored by the bill. There is also no guarantee
that a protection scheme will not negatively impact the functionality and price
of consumer electronics, which could be a problem if it becomes the
responsibility of the federal government to design a standard.
Will the SSSCA impact or change any existing laws?
Section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) is amended to establish a
program to conduct research and development of computer security. It allocates
$50 million in the year 2001 for this, and the amount increases by $10 million
each year until 2006.
The Secretary of Commerce is also appropriated $15 million in 2001, to increase by
$5 million each year until 2006, for a computer security-training program to be
implemented at higher education institutions in the United States.
In Title II, "Internet Security Initiatives", this bill allocates a large amount
of money to computer security causes, without specifying what results are
expected. The allocation of funds appears to be the main purpose of Title II.
Notably, parties meeting to discuss the development of computer security standards are
made exempt from the antitrust provisions of the Clayton Act.
Conclusion
When I first heard about the
SSSCA, my initial impression was that it was the knee-jerk reaction of a
congressman to the Napster controversy and hackers who have been
sensationalized in the media. While further researching this bill, it became
apparent that the majority of this bill was not just a knee-jerk reaction, but
rather a logical complement to the Digital Millennium Copyright Act (DMCA),
which was signed into law well before Napster was developed. Both the DMCA and
the SSSCA seem to be the result of the extensive lobbying of large content
owners such as Disney and Time Warner. Unfortunately, in both cases a legal
route was chosen to control a phenomenon that is virtually the nature of
electronic devices: the copying of data. Both the congressman who is sponsoring
this bill and the content owners who are lobbying for it not only choose to
ignore this fact, but are attempting to write rules for something they may not
understand. Granted, nearly half of this bill (Title II) is dedicated to
"Internet Security Initiatives", but Title II is vague, almost like an
afterthought.
This bill's primary goal is
to thoroughly control the copying of data. Regardless of the good or bad
aspects of this goal, or the controversy surrounding it, there is simply no
effective way to implement it in the airtight way in which it was designed to
work. As Jessica Litman, a law professor at Wayne State University, said:
"Forgetting all the reasons why this is bad copyright policy and bad
information policy, it's terrible science policy."[7]
Hopefully, as new laws are written to cope with issues raised by technology,
our legislators will give as much thought to the limitations and capabilities
of the technology as they do to the interests of their sponsors.
[1] Security Systems Standards and Certification Act, Draft Version, http://cryptome.org/sssca.htm
[2] The Register: "'Killer DMCA' to mandate digital-rights compliant hardware."
http://www.theregister.co.uk/content/archive/21577.html
[3] Open Secrets - Ernest F. Hollings: 2002 Politician Profile, http://www.opensecrets.org/politicians/contrib.asp?CID=N00002423&cycle=2002
[4] CNN.com - http://www.cnn.com/2001/TECH/internet/10/25/ms.hacked.idg/index.html
[5] Ingemar J. Cox, Joe Kilian, Tom Leighton and Talal Shamoon. "Secure Spread Spectrum Watermarking for Multimedia". IEEE Trans. on Image Processing, 6, 12, 1673-1687, (1997).
[6] Reading Between the Lines: Lessons from the SDMI Challenge - http://www.usenix.org/events/sec2001/craver.html
[7] Wired News, September 7, 2001. http://www.wired.com/news/politics/0,1283,46655,00.html
Created before October 2004