Copyright Extensions threaten Free Software in Europe

In May 2001 the European Union Copyright Directive (EUCD) was approved. This directive enacts new extensions to copyright legislation including the ability for the copyright owner to limit the use and provides effective protection to any kind of rights management information (this included any of those so called copy-protection technologies). This legislation implements, in practice, the same principles as the USA's Digital Millenium Copyright Act (DMCA) that, so far, has been used to arrest a Russian programmer after his presence at a conference, to prevent the scientific publication of an article in a conference by a university's professor, to intimidate the security community and is the answer to the question "Why can't I read DVDs with any GNU/Linux distribution?".

The EUCD has been adopted on May 22nd, 2001, so national governments have until December 22nd, 2002 to include this directive in national legislation, assuming that no country refuses it. The main issue with this directive is article 7 (Obligations concerning rights-management information). The problem in this article is that it prohibits the distribution, broadcasting, communication or making available to the public of anything "if the person knows, or has reasonable grounds to know, that by so doing he is inducing, enabling, facilitating or concealing an infringement of any copyright or any rights related to copyright". But what does rights-management information (RMI) mean? The information supplied is that it's any information that the copyright owner supplies that defines the work and the terms of its use.

This means that, for the first time in the history of recent copyright legislation, the copyright owner is given the right to, through RMI, limit the private use of a work. This means that protective measures like DVD zoning that tries to limit playing a DVD to a defined geographical area suddenly become legal in Europe. It also means that freedom of speech may be at peril, if companies start following the example of Microsoft that prohibits the use of MS FrontPage 2002 for sites that criticise Microsoft, its subsidiaries or its products.

Besides that, if some tool can be used to circumvent any kind of RMI, then it's illegal to communicate and distribute it. This protection is as absurd as prohibiting the sale and use of knives because they can be used to kill people, even if that's not the use made by most people. For free software there are three effects of this legislation that, in fact, will hinder its development: the creation of monopolies in file formats, the inability to operate with other systems and the inability to discuss security issues in a open way as needed by the collaborative development used by free software.

Monopolies on file formats

If some file format includes some RMI, like the password feature of MS Word files, or the ability to disable copy&paste in Adobe's PDF files, then reverse-engineering the file format and publishing the information gathered would be a crime under this legislation, because the people doing that would be facilitating the circumvention of these RMI. In practice, this means that companies are given the protection to effectively create a format and monopolise software which can access files in this format, because then can simply send to jail any developer that creates a free software program that uses their file format. Unfortunately this is happening today in the USA with DVDs. There's no GNU/Linux distribution that includes the ability to play a DVD because the distribution of DeCSS code that is needed to play DVDs has been found to be illegal in, at least, one court case.

Interoperability

The interoperability of free software with proprietary software will be hindered by this legislation. Besides the possible difficulty of free software to deal with some proprietary file formats, there's the risk that software licenses, which also are RMI, simply prohibit reverse engineering of protocols. This would mean that efforts like the samba project, jabber and others would never have seen the light of day. This will also mean that companies will be able to trap their customers in custom and non-standard protocols without the business risk of having a free software implementation of their protocol compete with them. This means that projects like dotGNU are in peril.

Insecurity

Last, but not least, the security problems. Due to the broad definition of RMI, something like a security policy or any protective technologies like a firewall can fall under this definition. This means that discussing, distributing or developing security auditing tools will be illegal. The problem here is not so much the fear that all our houses will be searched and all our computers checked for this tools, but the fact that, in a situation where anyone who wants to silence you can do so merely by accusing you, exposing you to the risk of imprisonment. This fear can be more effective in controlling a group of people than the enforcement of the law as is.

The other security problem has recently been illustrated by Alan Cox. Mr. Cox recently published a changelog for a linux kernel where the description of some security-related bug fixes was censored. The reasoning for this is simple to follow. Those bugs could be used to circumvent RMI (in this case file permissions) and simply stating that they were there would be facilitating the circumvention of that RMI. This is only one example that reminds us that security is dealing with circumvention of rules: describing ways to circumvent protections and fixing the software so that each one of those ways becomes ineffective. Now, what this directive says is that we can't discuss ways to circumvent protections, because we would be breaking the law and could go to jail. Ignoring the fact that his makes it easier for proprietary software companies get away with not fixing the security bugs in their software because nobody can talk about them, for free software this means that all the "find a bug, tell the program owner/maintainer, fix the bug" cycle is broken because telling about the bug could be a crime, specially if it's in a public forum like a mailing-list or a bugzilla web page, could mean jail, not automatically but, more dangerously, when someone feels like accusing you.

What can be done ?

Until now there is no notice of any one country that has already incorporated the EUCD into national law. This means that there's still the possibility of getting, at least, one European state to challenge the directive. There is another case where Germany fought a directive based on the same articles of the European Community treaty as this one and won. Of course this means that politicians, the public and the press must understand these issues and the inherent risks. This also means that it's up to you, the reader, to learn more about these issues and tell about them to your friends and family; to start a conversation about this at the bus station and to write to your elected representative about the EUCD and why it is bad for consumers, programmers, the internet and security.

Below you will find links to groups and organizations that will be interested in hearing from you and will gladly accept your help on these issues:

Campaign for Digital Rights
Free Software Foundation Europe

Written by: João Miguel Neves <joao@silvaneves.org>
Several corrections done by: MJ Ray, Luminas Internet Applications <markj@luminas.co.uk> and Edward Welbourne