30 July 1998
Source: House Report 105-551 Part II: http://jya.com/hr105-551p2.txt
Selected provisions on encryption; see full report and HR 2281 for all citations.
Compare to WIPO-Crypto: http://jya.com/wipo-crypto.htm
(g) Encryption Research.-- (1) Definitions.--For purposes of this subsection-- (A) the term ``encryption research'' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and (B) the term ``encryption technology'' means the scrambling and descrambling of information using mathematical formulas or algorithms. (2) Permissible acts of encryption research.--Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of the regulations issued under that subsection for a person to circumvent a technological protection measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if-- (A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work; (B) such act is necessary to conduct such encryption research; (C) the person made a good faith effort to obtain authorization before the circumvention; and (D) such act does not constitute infringement under title 17, United States Code, or a violation of applicable law other than this section, including section 1030 of title 18, United States Code, and those provisions of title 18, United States Code, amended by the Computer Fraud and Abuse Act of 1986. (3) Factors in determining exemption.--In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include-- (A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under title 17, United States Code, or a violation of applicable law other than this section, including a violation of privacy or breach of security; (B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and (C) whether the person provides the copyright owner of the work to which the technological protection measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided. (4) Use of technological means for research activities.-- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to-- (A) develop and employ technological means to circumvent a technological protection measure for the sole purpose of performing the acts of good faith encryption research described in paragraph (2); and (B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2). (5) Report to congress.--Not later than 1 year after the date of the enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall report to the Congress on the effect this subsection has had on-- (A) encryption research and the development of encryption technology; (B) the adequacy and effectiveness of technological protection for copyrighted works; and (C) protection of copyright owners against the unauthorized access to their encrypted copyrighted works. The Assistant Secretary shall include in such report recommendations, if any, on proposed amendments to this Act.
Promoting Encryption Research H.R. 2281, as reported by the Committee on the Judiciary, provided no exception for the field of encryption research to the bill's broad prohibition against the circumvention of technological protection measures. Recognizing the importance of the field of encryption research to electronic commerce, the Committee on Commerce crafted a provision that provides for an exception to the bill's anti-circumvention provisions. The effectiveness of technological protection measures to prevent theft of works depends, in large part, on the rapid and dynamic development of better technologies, including encryption-based technological protection measures. The development of encryption sciences requires, in part, ongoing research and testing activities by scientists of existing encryption methods, in order to build on those advances, thus promoting and advancing encryption technology generally. This testing could involve attempts to circumvent or defeat encryption systems for the purpose of detecting flaws and learning how to develop more impregnable systems. The goals of this legislation would be poorly served if these provisions had the undesirable and unintended consequence of chilling legitimate research activities in the area of encryption. In many cases, flaws in cryptography occur when an encryption system is actually applied. Research of such programs as applied is important both for the advancement of the field of encryption and for consumer protection. Electronic commerce will flourish only if legitimate encryption researchers discover, and correct, the flaws in encryption systems before illegitimate hackers discover and exploit these flaws. Accordingly, the Committee has fashioned an affirmative defense to permit legitimate encryption research.
(g) Encryption research As previously discussed in the background section to this report, the Committee views encryption research as critical to the growth and vibrancy of electronic commerce. Section 102(g) therefore provides statutory clarification for the field of encryption research, in light of the prohibitions otherwise contained in Section 102. Section 102(g)(1) defines ``encryption research'' and ``encryption technology.'' Section 102(g)(2) identifies permissible encryption research activities, notwithstanding the provisions of Section 102(a)(1)(A), including: whether the person lawfully obtained the encrypted copy; the necessity of the research; whether the person made a good faith effort to obtain authorization before circumventing; and whether the research constitutes infringement or a violation of other applicable law. The Committee recognizes that courts may be unfamiliar with encryption research and technology, and may have difficulty distinguishing between a legitimate encryption research and a so-called ``hacker'' who seeks to cloak his activities with this defense. Section 102(g)(3) therefore contains a non- exhaustive list of factors a court shall consider in determining whether a person properly qualifies for the encryption research defense. Section 102(g)(4) is concerned with the development and distribution of tools--typically software--which are needed to conduct permissible encryption research. In particular, subparagraph (A) provides that it is not a violation of Section 102(a)(2) to develop and employ technological means to circumvent for the sole purpose of performing acts of good faith encryption research permitted under Section 102(g)(2). Subparagraph (B) permits a person to provide such technological means to another person with whom the first person is collaborating in good faith encryption research permitted under Section 102(g)(2). Additionally, a person may provide the technological means to another person for the purpose of having the second person verify the results of the first person's good faith encryption research. The Committee is aware of additional concerns that Section 102 might inadvertently restrict a systems operator's ability to perform certain functions critical to the management of sophisticated computer networks. For example, many independent programmers have created utilities designed to assist in the recovery of passwords or password-protected works when system users have forgotten their passwords. Because Section 102 prohibits circumvention without the authorization of the copyright owner, circumvention to gain access to one's own work, as a matter of logic, does not violate Section 102. The law would also not prohibit certain kinds of commercial ``key-cracker'' products, e.g., a computer program optimized to crack certain ``40-bit'' encryption keys. Such machines are often rented to commercial customers for the purpose of quick data recovery of encrypted data. Again, if these products do not meet any of the three criteria under Section 102(a)(2) because these products facilitate a person's access to his or her own works, they would not be prohibited by Section 102. In addition, network and web site management programs increasingly contain components that test systems security and identify common vulnerabilities. These programs are valuable tools for systems administrators and web site operators to use in the course of their regular testing of their systems' security. The testing of such ``firewalls'' does not violate Section 102 because in most cases the firewalls are protecting computer and communications systems and not necessarily the specific works stored therein. Accordingly, it is the view of the Committee that no special exception is needed for these types of legitimate products. Finally, Section 102(g)(5) requires the Assistant Secretary of Commerce for Communications and Information to report to Congress, within one year of enactment, on the effect Section 102(g) has had on the field of encryption research, the adequacy of technological protection for copyrighted works, and protection of copyright owners against unauthorized access.