Scientists Show Flaws in Anti-Piracy Music Technology

By Andy Sullivan

A team of scientists presented a paper on Wednesday revealing security flaws in an anti-piracy technology backed by the music industry, after getting formal assurances from the music industry that they would not be sued.

The scientists, headed by Princeton University professor Edward Felten, had originally planned to present the paper at a conference in April, but bowed out after the Recording Industry Association of America threatened to sue, a position it quickly retracted.

The legal tussle has highlighted tensions between academics who say they should be free to talk about their research and music labels, movie studios and other intellectual-property owners worried about digital piracy.

After filing suit in June, the researchers secured permission to publish the paper at the Usenix Security Symposium in Washington.

Felten said at a press conference that he was happy to finally have a chance to present his findings, but that his legal struggles have discouraged other academic efforts in the area.

"There is a big cloud hanging over our continued research and we don't feel safe doing what we normally do,'' Felten said.

A RIAA spokesman said the trade group never intended to sue Felten, but declined to say whether it would take action against other academic research in the future.

"These are hypotheticals. We have no idea what he may or may not write,'' said RIAA spokesman Jano Cabrera.

SECURITY FLAWS EXPOSED

The paper in question, entitled "Reading Between the Lines: Lessons from the SDMI Challenge,'' explores the inner workings of a technology developed to prevent unauthorized copying of digital-music files, and explains how the researchers broke the code.

Backers of the technology, a consortium called the Secure Digital Music Initiative, launched a $10,000 contest last September challenging computer experts to hack the code.

Consortium members include Vivendi Universal's (EAUG.PA) Universal Music, Sony Music (7930.T), AOL Time Warner Inc.'s Warner Music, EMI Group Plc (EMI.L) and Bertelsmann AG (BTGGga.D)'s BMG.

SDMI awarded the prize money to two hackers in November after weeks of speculation and embarrassment. Felten's group pulled out before the contest's final round but claimed it had defeated four of the protection technologies and would make its findings public.

Shortly before the group was due to present its paper at an April conference in Pittsburgh, a lawyer for SDMI and the RIAA sent Felten a letter telling him he could face legal action under the Digital Millennium Copyright Act, a 1998 law that bars efforts to defeat copyright-protection technologies.

The lawyer, Matthew Oppenheim, has since backed away from the letter, saying the SDMI had an obligation to protect the trade secrets of the companies that developed the anti-piracy technology but never intended to sue.

The research team, which includes students and professors from Princeton and Rice Universities and an employee of Xerox Corp.'s Palo Alto Research Center, filed a suit of its own in early June to seek protection against lawsuits and challenge the 1998 digital-copyright law.

The researchers were assisted by the Electronic Frontier Foundation, an outspoken critic of the law. The case is still pending.

The digital-copyright law has come under further scrutiny since federal authorities arrested Russian programmer Dmitri Sklyarov last month for creating a program that defeats anti-piracy measures on electronic books.

Felten said the law discourages legitimate research and encourages the adoption of faulty technology.

"You essentially prevent the good guys from discussing how to do better,'' he said. "In practice it won't do to pretend the technology is secure.''