A dozen Canadian security companies are lobbying the government to prevent changes to the Copyright Act which could make routine business practices illegal.
The company principals, among them Canadian Bob Young, director of open source pioneer Red Hat, on Tuesday sent an open letter to Industry Canada and the Ministry of Canadian Heritage and Status of Women. They claim that future legislation that would amend the existing Copyright Act would make it very difficult to operate a security business in Canada.
The group takes issue with a proposed change to the act that would make it illegal to circumvent technological protection measures (TPMs). “Legal protection for TPMs,” the letter states, “is the equivalent of making screw-drivers illegal because they can be used to break and enter. Good legislation targets the illegal act, not the legal tools the crook might use.”
Security companies routinely try to circumvent or “crack” existing security measures as part of their research and development, said David Fewer, legal counsel for the Canadian Internet Policy and Public Interest Clinic in Ottawa.
“If you crack that technological protection measure . . . to get at the work underneath, that will expose you to civil liability and potentially criminal liability, depending on what the act looks like,” said Fewer, who helped draft the letter.
Fewer said he expects to see an amended version of the Copyright Act this summer. A spokesperson for Industry Canada said that the ministry had received a copy of the letter and was still considering a response.
“We do a lot of R&D around security,” said Carl Bond, the president of Innusec Inc. and co-owner of Elytra Enterprises Inc., two of the companies that signed the letter. “The problem with security is that you cannot avoid looking into things. You start taking things apart and investigating things to see where they might have vulnerabilities.”
Bond, based in Gloucester, Ont., said his companies benchmark security solutions for clients and by necessity attempt to crack protection measures around media. He said that the law is already fuzzy around security and liability with copyright protection and his company had to abandon some research into wireless network security for this reason.
He said he is not looking forward to the tightening of restrictions around the existing Copyright Act. “Every time they make a ruling like this, it erodes the ability to give a solid and wide offering to your clients.”
Fewer said, “Right now in Canada, you can crack technological protection measures so you can make a copy for your archives or for interoperability purposes.” But the expected changes to the Copyright Act could change all that.
It could end up looking more like American legislation covered by the Digital Millennium Copyright Act, he said. The DMCA, which passed in 1998, prevents people from owning devices or technology which could be used to circumvent copyright protection. The open letter notes that there are exceptions within the DMCA for legitimate research purposes, but these “have proven both inadequate and ineffective in protecting security researchers from threats of litigation.”
For example, a Princeton University professor was threatened with litigation for attempting to present research on security holes. The biggest flashpoint of controversy came in 2001 when Russian programmer Dmitri Sklyarov was jailed for trafficking in a program that could be used to read Adobe e-Book files.
“Why aren’t we looking to learn from their mistakes and craft laws that avoid the excesses of the American approach?” said Fewer.
The letter points to a “liability chill” that would hamper Canadian security research efforts should any changes to the Copyright Act go ahead.