30 July 1998
Source: House Report 105-551 Part II:
http://jya.com/hr105-551p2.txt
Selected provisions on encryption; see full report and HR 2281 for all citations.
Compare to WIPO-Crypto: http://jya.com/wipo-crypto.htm
(g) Encryption Research.--
(1) Definitions.--For purposes of this subsection--
(A) the term ``encryption research'' means activities
necessary to identify and analyze flaws and
vulnerabilities of encryption technologies applied to
copyrighted works, if these activities are conducted to
advance the state of knowledge in the field of
encryption technology or to assist in the development
of encryption products; and
(B) the term ``encryption technology'' means the
scrambling and descrambling of information using
mathematical formulas or algorithms.
(2) Permissible acts of encryption research.--Notwithstanding
the provisions of subsection (a)(1)(A), it is not a violation
of the regulations issued under that subsection for a person to
circumvent a technological protection measure as applied to a
copy, phonorecord, performance, or display of a published work
in the course of an act of good faith encryption research if--
(A) the person lawfully obtained the encrypted copy,
phonorecord, performance, or display of the published
work;
(B) such act is necessary to conduct such encryption
research;
(C) the person made a good faith effort to obtain
authorization before the circumvention; and
(D) such act does not constitute infringement under
title 17, United States Code, or a violation of
applicable law other than this section, including
section 1030 of title 18, United States Code, and those
provisions of title 18, United States Code, amended by
the Computer Fraud and Abuse Act of 1986.
(3) Factors in determining exemption.--In determining whether
a person qualifies for the exemption under paragraph (2), the
factors to be considered shall include--
(A) whether the information derived from the
encryption research was disseminated, and if so,
whether it was disseminated in a manner reasonably
calculated to advance the state of knowledge or
development of encryption technology, versus whether it
was disseminated in a manner that facilitates
infringement under title 17, United States Code, or a
violation of applicable law other than this section,
including a violation of privacy or breach of security;
(B) whether the person is engaged in a legitimate
course of study, is employed, or is appropriately
trained or experienced, in the field of encryption
technology; and
(C) whether the person provides the copyright owner
of the work to which the technological protection
measure is applied with notice of the findings and
documentation of the research, and the time when such
notice is provided.
(4) Use of technological means for research activities.--
Notwithstanding the provisions of subsection (a)(2), it is not
a violation of that subsection for a person to--
(A) develop and employ technological means to
circumvent a technological protection measure for the
sole purpose of performing the acts of good faith
encryption research described in paragraph (2); and
(B) provide the technological means to another person
with whom he or she is working collaboratively for the
purpose of conducting the acts of good faith encryption
research described in paragraph (2) or for the purpose
of having that other person verify his or her acts of
good faith encryption research described in paragraph
(2).
(5) Report to congress.--Not later than 1 year after the date
of the enactment of this Act, the Assistant Secretary of
Commerce for Communications and Information shall report to the
Congress on the effect this subsection has had on--
(A) encryption research and the development of
encryption technology;
(B) the adequacy and effectiveness of technological
protection for copyrighted works; and
(C) protection of copyright owners against the
unauthorized access to their encrypted copyrighted
works.
The Assistant Secretary shall include in such report
recommendations, if any, on proposed amendments to this Act.
Promoting Encryption Research
H.R. 2281, as reported by the Committee on the Judiciary,
provided no exception for the field of encryption research to
the bill's broad prohibition against the circumvention of
technological protection measures. Recognizing the importance
of the field of encryption research to electronic commerce, the
Committee on Commerce crafted a provision that provides for an
exception to the bill's anti-circumvention provisions.
The effectiveness of technological protection measures to
prevent theft of works depends, in large part, on the rapid and
dynamic development of better technologies, including
encryption-based technological protection measures. The
development of encryption sciences requires, in part, ongoing
research and testing activities by scientists of existing
encryption methods, in order to build on those advances, thus
promoting and advancing encryption technology generally. This
testing could involve attempts to circumvent or defeat
encryption systems for the purpose of detecting flaws and
learning how to develop more impregnable systems. The goals of
this legislation would be poorly served if these provisions had
the undesirable and unintended consequence of chilling
legitimate research activities in the area of encryption.
In many cases, flaws in cryptography occur when an
encryption system is actually applied. Research of such
programs as applied is important both for the advancement of
the field of encryption and for consumer protection. Electronic
commerce will flourish only if legitimate encryption
researchers discover, and correct, the flaws in encryption
systems before illegitimate hackers discover and exploit these
flaws. Accordingly, the Committee has fashioned an affirmative
defense to permit legitimate encryption research.
(g) Encryption research
As previously discussed in the background section to this
report, the Committee views encryption research as critical to
the growth and vibrancy of electronic commerce. Section 102(g)
therefore provides statutory clarification for the field of
encryption research, in light of the prohibitions otherwise
contained in Section 102. Section 102(g)(1) defines
``encryption research'' and ``encryption technology.'' Section
102(g)(2) identifies permissible encryption research
activities, notwithstanding the provisions of Section
102(a)(1)(A), including: whether the person lawfully obtained
the encrypted copy; the necessity of the research; whether the
person made a good faith effort to obtain authorization before
circumventing; and whether the research constitutes
infringement or a violation of other applicable law.
The Committee recognizes that courts may be unfamiliar with
encryption research and technology, and may have difficulty
distinguishing between a legitimate encryption research and a
so-called ``hacker'' who seeks to cloak his activities with
this defense. Section 102(g)(3) therefore contains a non-
exhaustive list of factors a court shall consider in
determining whether a person properly qualifies for the
encryption research defense.
Section 102(g)(4) is concerned with the development and
distribution of tools--typically software--which are needed to
conduct permissible encryption research. In particular,
subparagraph (A) provides that it is not a violation of Section
102(a)(2) to develop and employ technological means to
circumvent for the sole purpose of performing acts of good
faith encryption research permitted under Section 102(g)(2).
Subparagraph (B) permits a person to provide such technological
means to another person with whom the first person is
collaborating in good faith encryption research permitted under
Section 102(g)(2). Additionally, a person may provide the
technological means to another person for the purpose of having
the second person verify the results of the first person's good
faith encryption research.
The Committee is aware of additional concerns that Section
102 might inadvertently restrict a systems operator's ability
to perform certain functions critical to the management of
sophisticated computer networks. For example, many independent
programmers have created utilities designed to assist in the
recovery of passwords or password-protected works when system
users have forgotten their passwords. Because Section 102
prohibits circumvention without the authorization of the
copyright owner, circumvention to gain access to one's own
work, as a matter of logic, does not violate Section 102.
The law would also not prohibit certain kinds of commercial
``key-cracker'' products, e.g., a computer program optimized to
crack certain ``40-bit'' encryption keys. Such machines are
often rented to commercial customers for the purpose of quick
data recovery of encrypted data. Again, if these products do
not meet any of the three criteria under Section 102(a)(2)
because these products facilitate a person's access to his or
her own works, they would not be prohibited by Section 102.
In addition, network and web site management programs
increasingly contain components that test systems security and
identify common vulnerabilities. These programs are valuable
tools for systems administrators and web site operators to use
in the course of their regular testing of their systems'
security. The testing of such ``firewalls'' does not violate
Section 102 because in most cases the firewalls are protecting
computer and communications systems and not necessarily the
specific works stored therein. Accordingly, it is the view of
the Committee that no special exception is needed for these
types of legitimate products.
Finally, Section 102(g)(5) requires the Assistant Secretary
of Commerce for Communications and Information to report to
Congress, within one year of enactment, on the effect Section
102(g) has had on the field of encryption research, the
adequacy of technological protection for copyrighted works, and
protection of copyright owners against unauthorized access.