French deputies vs. security experts (DADVSI)
DADVSI… for better or for worse?
Just before Christmas, the debate about the French draft law DADVSI was really captivating. Apart from the peer-to-peer and intellectual property aspects, it could also lead to a major change in the way French security experts and researchers work.
The first articles of the DADVSI law focus on the peer-to-peer problem, mostly based on the fact that more and more citizens don't care about copyright laws and spend their time downloading and sharing music and files they do not own. Some deputies (the ones against this law) even stated that this behaviour has become a cultural change that could not be prevented. On the eve of Christmas, after passionate debates between the government and opponents, an amendment was voted that legalized the sharing of music files on the French Internet, provided that every Internet user would pay a fixed fee (around 7 euros) authorizing her to download as many mp3 files as she wanted! Obviously, this position, unique worldwide, seemed to alarm the majors and the most famous singers, who understood that their revenues would not be as high as they are today. CD music stores such as FNAC are also worried, since this measure could lead to major losses of sales for them: everybody could then download songs instead of buying CDs. I fully understand the opposition to the legalization of music sharing, since the "Global tax" will certainly bring more problems and annoyances for every actor in the market.
But my main concern with this law relates to my position as an IT security expert. As I follow IT laws that could impact security research, I noticed articles 13 and 14 of the draft, which worry me quite a bit. Those articles rest on the idea that if the French government (and all the majors) want to check the way people buy and share music, the technical measures that prevent copying must be generalized to all players and songs. As all security experts know, it is technically very difficult to release into the wild (the public market) protection schemes that can last a long time without being broken or circumvented. The only efficient way to prevent this is simply to forbid users from doing so, by means of laws prohibiting the possession, use or sale of tools and information that circumvent protections. This is the essence of those articles, and I fully understand the objectives, which seem normal from my point of view (yes, I buy my music, DVDs, and software!).
Apart from the numerous problems caused by DRM technologies (incompatibilities, the impossibility of donating or reselling music we no longer want to listen to, etc.), I'm really worried that this law doesn't make a distinction between pirates who share music they don't own and legal users of the tools and information that could be used to circumvent protections, which means basically most developer tools, including debuggers and languages! Is that possible in the near future?
As an example, I am the legal owner of a well-known development suite (Microsoft eMbedded Visual Studio), but also of free tools that are commonly shipped with any Linux distribution and that could be used for such nasty purposes: a hexadecimal editor, a text editor (vi) and a couple of languages (perl, gcc). Even every version of Windows ships with tools that could be used for illegal purposes: regedit (a registry editor), debug (a debugger that has survived since the old MS-DOS days) and even notepad, the simplistic text editor… All of those could be used in bad ways. Will the law forbid the use and possession of such tools for every French citizen, as it clearly states? How will the police cope with seizing all those tools that *every* computer user has on their computer?
It is also obvious that this law could cause French researchers in IT security (and probably other critical domains) to fall behind in international innovation and competition. Are France and Europe ready to tolerate a decline in research in those domains, probably leading top experts to move away and continue their work abroad? I have at least one formal testimony from a French specialist who will not publish his second book on IT security in France, for fear of prosecution under the already active LEN (Loi sur l'Economie Numérique) law and the future DADVSI law.
Bruno Kerouanton
Bruno Kerouanton on January 9th 2006 in IT Security