Legal protection for TPMs has no place in copyright law News View:- Canada's legislators are being bombarded by lobbying from legacy content industries to enact laws that give legal protection to technological protection measures they claim can safeguard copyright.

The problem with these policy proposals is: while technological protection measures can be extremely valuable, they can’t accomplish the goals of those who want to use them as a form of copy protection.

Technological Protection Measures (TPM) protect privacy and authenticity, and can be used to make sure only authorized persons gain access to content, whereas copyright is legislation that specifies the legal limits of what a person who already has access to the content can do with it.

Since TPMs and copyright accomplish quite different goals, it should be obvious that one can’t be used as a substitute for the other and legal protection for TPMs has no place in copyright law.

I’m strongly opposed to legal protection for TPM being added to copyright but I do, however, support legal protection for TPMs when used for purposes TPMs can legitimately and directly accomplish such as identity and privacy protection. It turns out that if appropriate legislation is passed to protect TPMs used to protect identity and privacy, positive uses of TPMs for copyright holders can be protected, at the same time avoiding the harmful unintended consequences.

What TPMs do

Cryptography is the most commonly used form of TPM. There are two broad categories relating to the type of keys used: symmetric key and asymmetric key cryptography.

Think of cryptography as math that allows you to encode information using a digital key that requires "the right key" to unlock it.

With symmetric key cryptography, the key that locks the information is the same as the one that unlocks it, and the information can be seen and exchanged only by people with that key.

With asymmetric key cryptography, you have one key that locks and a matching but different key that unlocks. This is often called public key cryptography because you can publish one of the keys and keep the other private. If someone encrypts information in the public key, it’s then private to the person with the private key and only they can unlock it. If someone encrypts information in their private key, anyone can decrypt it with the public key and discover the identity of the person who encrypted it.

Watermarks are another form of TPM which can be used to indicate the identity of the rightsholder.

What TPMs don't do

There are many technical explanations about why TPMs cann’t stop people from making unauthorized copies of works under copyright.

Non-technical people should recognize intuitively that TPMs can't protect copyright. They’re often told TPMs are like a lock.

Locks prevent people without the key from gaining access through a locked door, but they can’t protect you against people who have a key. With digital content, the copyright holder wants to give authorized people access to content and will therefore give audiences a key either directly or indirectly, for instance within a device such as a DVD player. They don’t want to restrict your access to what’s behind the locked door. But they do want to somehow restrict what you do once you’re inside. Locked doors obviously won’t allow this and any attempt to use locks to accomplish this goal is fundamentally flawed.

Given that TPMs can’t directly accomplish copy protection, indirect techniques used to try to "fit the round peg in the square hole" can have harmful and unintended consequences which offends the technical community as it strives to innovate and provide better interoperable communications tools, including better TPMs. The unintended consequences of legislation protecting misuse of TPMs cause considerable harm to innovation, competition, and compatibility in the marketplace. Why creators should oppose DRM

p2pnet: Control through DRM

Cory Doctorow's Microsoft Research DRM talk

What would legal protection for TPM legislation look like?

To avoid the unintended consequences of the proposed "copyright-related" TPM laws, a few key features are needed.

Most important, legislation must clearly allow circumvention for research and learning purposes. TPMs are advanced by people trying to break them, finding flaws, and improving on the TPMs. This isn’t research that can be left vendors who have a vested interest to keep flaws secret (meaning only the "bad guys" know how to break them). It must, rather, be research anyone can take part in and whose results are made public.

The legislation should only protect the intended purposes of a TPMs such as privacy and authenticity, and not indirect uses such as copy protection; and, it should be consistent with competition policy, and include provisions to ensure that TPMs are not being used to impose specific TPM vendors onto the marketplace, or allow a tie between a consumers choice of content and technology used to access that content.

Vendor-neutral aspects of a TPM such a key should be protected, but algorithms (software processes) or other attempts to promote single vendors shouldn’t be offered protection. Protection should also not be offered to techniques used to harm competition in other ways, such as the regional coding of DVDs which are better understood as a barrier to trade and not a legitimate use of TPMs.

The legislation should be as technologically neutral as possible so that it would cover new techniques that are not yet in use today.

What can legal protection for TPMs used to protect private and identity offer copyright holders?

Many legitimate goals of copyright holders can be achieved by the proper use of TPMs without harmful or unintended consequences. It’s also true that users of TPMs such as e-Commerce and others will receive considerable benefit from digital privacy and identity protection.

Satellite/Cable/over-air broadcast undertakings

The primary use of TPMs by this sector is to ensure that people who aren’t customers are not able to access the signal. One obvious use of TPMs is to provide each customer with a unique digital key, preferably stored on something like a standard USB key device so the content access key is independent of the vendor of the receiver. Individual channels can be encoded such that they can be received only by people with keys that are authorized to receive that specific channel.

With legal protection for TPMs used for privacy/authenticity, it could be a crime to give out copies of these keys to others. If I buy a key from a cable company and I knowingly give a copy to a friend, I’d be committing an offense. If I copied someone else's key without their permission, I would be guilty of "identity theft".

There’s no technological reason I can think of why satellite, cable, or digital over-air broadcasters can’t take this approach. But they seem to prefer being technologically lazy and instead of having hardware vendor neutral standards and per-customer keys, they want to gain control over consumer electronics with schemes such as copy protection and the extremely controversial "broadcast flag".

These schemes aren’t legitimate uses of TPMs and in fact, broadcast flag doesn't involve a TPM at all. They’re no more than attempts to have the government grant one specific sector (legacy broadcasters) control over innovation in other sectors (ICT, consumer electronics, etc). This is a policy that should not only be rejected, but competition and anti-trust agencies should be modernized to ensure these types of cross-sector control are adequately investigated and prosecuted.

Subscriber or other membership-required services

There are a wide variety of services to which only subscribers should have access, such as online newspapers or forums.

Just as with broadcasters, the proper use of the technology is to sell or otherwise offer encryption keys to subscribers, with service configured so those without the proper encryption keys can’t access to it.

Moral rights protected by watermarks

Existing Canadian law includes moral rights which protect the right to be associated with a work. If watermarks are adequately recognized in law as a form of identification, the removal of watermarks would be a violation of moral rights.

Remuneration systems protected by watermarks/DRE

Digital Rights Encoding (DRE) includes a variety of techniques where copyright and license information can be embedded within content. Creative Commons uses metadata formats which are being extended to indicate many different types of licenses, with this metadata being used in search engines to allow people to search for content that are licensed in specific ways.

Watermarks can also be used to indicate authorship information for file formats that may not have adequate metadata capabilities.

One of the problems with moving to a flat-fee system such as the EFF's (Electronic Frontier Foundation) Voluntary Collective Licensing of Music File Sharing plan is trying to determine how to fairly distribute the resulting fees to copyright holders.

While it should be obvious that record sales and radio air-play won’t provide relevant data for music file-sharing because the markets are very different, this is currently what the Canadian Private Copying Collective uses for their levy.

A better option would be to automatically sample and check the watermarks and/or metadata to determine what files are being shared, offering a far more accurate indication of popularity than legacy measurements.

These examples demonstrate that there are legitimate uses of TPMs which are appropriate for governments to provide legal protection, but also that copyright is not one of those legitimate uses. Parliament must not enact harmful legislation that seeks to protect uses of TPMs that will fail, with legislation possibly tabled later this week being such an example of bad legislation.

If you're Canadian, write to your member of parliament, and otherwise get involved in the opposition to this legislation.

Russell McOrmond - p2pnet contributing editor