Yesterday's post on the 32 Questions and Answers on Bill C-32's digital lock provisions focused on general issues in the bill, including compliance with WIPO, the penalty provisions, and their constitutional validity. Today's post discusses the shortcomings in the anti-circumvention exceptions that are included in C-32. With the exception of a new exception for cellphone unlocking, the exceptions are the same as those found in C-61 and a virtual mirror of the U.S. DMCA. For those that want it all in a single package, I've posted the full series as PDF download.

C-32's Circumvention Exceptions



This section features answers to the following questions:

Bill C-32 contains circumvention exceptions for encryption research and security testing. Doesn't that address the research concerns?

Bill C-32 contains a circumvention exception for privacy. Doesn't that address the privacy concerns?

Bill C-32 contains a circumvention exception for the visually impaired. Doesn't that address those access concerns?

Bill C-32 contains a circumvention exception for interoperability. Doesn't that address those concerns?

Bill C-32 contains circumvention exceptions for encryption research and security testing. Doesn't that address the research concerns?

No. The impact of the anti-circumvention provisions on the research community extends far beyond just encryption research and security testing. Bill C-32's exception is the same as that used in Bill C-61. When C-61 was introduced, I met with several University of Ottawa researchers engaged in fields as diverse as biblical scholarship and engineering. Their common thread was that their research plans would be stymied by Bill C-61. Researchers that need to circumvent in order to access content for media criticism, search technologies, network content distribution, etc. will all find themselves unable to conduct their research. Those that argue that Bill C-32 is unenforceable have never had their work subjected to an ethics review that invariably includes an examination of the legality of the methodology. If the work fails the review, there will be no grant funding and the research simply stops. The exceptions for encryption research and security testing are needed, however, the Canadian approach to exceptions has been to simply mirror the U.S. DMCA list. A general research exception is essential if Canadian researchers are to be able to continue their work.

Moreover, the encryption research exception requires the researcher to inform the target about plans for circumvention for research purposes. The exception already includes a condition that "it would not be practical to carry out the research without circumventing the technological measure" and that the person has "lawfully obtained the work," so the researcher has a legal copy and must pass a necessity barrier. The inclusion of an additional notice requirement should be dropped since it has little to do with copyright protection, yet creates a possible barrier for researchers who need to do encryption research without telegraphing their plans to the target organization. The exception also raises issues for peer review since the exception does not cover third party peer reviewers, who may be unable to adequately review the research.

Bill C-32 contains a circumvention exception for privacy. Doesn't that address the privacy concerns?



No. The exception fails to provide Canadians with full privacy protection and Bill C-32 unquestionably makes it more difficult for Canadians to effectively protect their privacy. The reason for this is that though there is an exception that permits circumvention to protect (and prevent the collection or communication of) personal information, the ability to exercise this exception is rendered difficult by virtue of the inability to legally obtain devices (ie. software programs) for this very purpose. The bill states that a person can offer circumvention devices or services for the protection of personal information only "to the extent that the services, technology, device or component do not unduly impair the technological measure."

Bill C-32 does not include a definition of "unduly impair." However, according to an Industry Minister official who was responding to a journalist inquiry under Bill C-61 about the same language:

"The intent of the provision is to ensure that while individuals may obtain devices and services that circumvent technological measures with a view to protecting privacy, any ensuing circumvention of the technological measure cannot be done in a manner that would enable unauthorised uses of the underlying copyright material by that person or by a third party."

In other words, you can use a circumvention device to protect your privacy but it cannot allow you to simultaneously access the underlying content. Of course, once most circumvention devices circumvent a technological measure, the protected content will be in the clear. Distribution of this form of device is therefore illegal. Moreover, service providers will be likely be unwilling to use this provision for fear of facing liability. Not only should the "unduly impair" wording be removed, but the bill should place a positive obligation on those companies that use DRM that may raise privacy concerns to provide the keys to circumvent their technological measure where requested to do so for privacy purposes.

Bill C-32 contains a circumvention exception for the visually impaired. Doesn't that address those access concerns?

No. The provision suffers from the same shortcoming as the privacy exception. While there is an exception for the act of circumvention, access to devices that can be used to circumvent again comes with the restriction that a person can offer circumvention devices or services only "to the extent that the services, technology, device or component do not unduly impair the technological measure."

The notion of not unduly impairing the TPM is even more non-sensical in this context given that the whole point of circumventing is to provide access to the content for those with perceptual disabilities. The content will obviously be in the clear since that is what is needed to provide the necessary access. The limitation on devices and services here makes absolutely no sense unless the real aim to stop those with perceptual disabilities from obtaining access. Not only should the "unduly impair" wording be removed, but the bill should place a positive obligation on those companies that use DRM to circumvent their technological measure where requested to do so for access for those with perceptual disabilities.

Bill C-32 contains a circumvention exception for interoperability. Doesn't that address those concerns?

No. The emergence of open source software as a powerful alternative to proprietary software models has been an important business and societal development. Open source software is today widely used by consumers (e.g., Firefox browser) and businesses (e.g., Linux operating system, Apache web server). From a policy perspective, the Canadian government's professed goal is to create a level playing field so that the marketplace rather than laws will determine marketplace winners. It has opposed attempts to create policy preferences for open source (over the objection of some advocates and countries) instead favouring a more neutral approach.

Notwithstanding the claims of neutrality and trusting in the market, Bill C-32 creates significant marketplace impediments for open source software. Achieving a level playing field requires interoperability so that differing computer systems can freely exchange data. The bill includes an interoperability provision at Section 41.12 which states that the anti-circumvention provisions do not apply to:

a person who owns a computer program or a copy of it, or has a license to use the program or copy, and who circumvents a technological measure that protects that program or copy for the sole purpose of obtaining information that would allow the person to make the program and any other computer program interoperable.

The problem with this provision is that it does not extend far enough to maintain a level playing field. The classic example involves the use of Linux as a consumer operating system. Unfortunately, this operating system cannot officially play DVDs since most commercial DVDs contain a digital lock and the entity that controls the lock does not license the necessary locks to play DVDs on Linux. Programmers have developed alternatives, but all involve circumventing the digital lock, an act that becomes illegal under Bill C-32.

The interoperability provisions do not help address this issue, since DVDs may not be considered computer programs and many of the circumventing programs have functionality beyond playback of commercial DVDs. The net effect is that Bill C-32 erects an enormous barrier to open source software adoption, thereby harming innovation and a competitive marketplace. The solution – as proposed by the Computer and Communications Industry Association in 2000 – is to create an exception the substantially broadens the interoperability exception.