Exploring Canada's computer crime laws: Part 1

As someone with an interest in technology, security, and the legal issues surrounding them, I often watch relevant legal cases with interest. Typically, those cases come from the United States. The CFAA has been in the news frequently of late, and not always in a good light. I was pleased to see Zoe Lofgren’s proposed changes, which try to make the law less draconian.

This is typical for Canada – we often see more about American news on topics like this than Canadian. I realized that I really didn’t know what the law in Canada said about so-called computer crimes, although I’ve often wondered. A while back, I took an afternoon to do some reading. I was not happy when that afternoon ended. This is part one of a three-part series on what I found.

Nothing in this series of posts should be regarded as definitive. I’m not a lawyer, nor even a law student. I’m a computer science student with an amateur interest in the law.

I started with the recent amendments to Canada’s copyright law [PDF] because I knew from Kevin McArthur that it had implications for security research in Canada. He was right. There are two provisions which make computer security research difficult in Canada.

Encryption research

First, there are exceptions for encryption research.

Encryption research

30.62 (1) Subject to subsections (2) and (3), it is not an infringement of copyright for a person to reproduce a work or other subject-matter for the purposes of encryption research if

(a) it would not be practical to carry out the research without making the copy;

(b) the person has lawfully obtained the work or other subject-matter; and

(c) the person has informed the owner of the copyright in the work or other subject-matter.

Limitation

(2) Subsection (1) does not apply if the person uses or discloses information obtained through the research to commit an act that is an offence under the Criminal Code.

Limitation — computer program

(3) Subsection (1) applies with respect to a computer program only if, in the event that the research reveals a vulnerability or a security flaw in the program and the person intends to make the vulnerability or security flaw public, the person gives adequate notice of the vulnerability or security flaw and of their intention to the owner of copyright in the program. However, the person need not give that adequate notice if, in the circumstances, the public interest in having the vulnerability or security flaw made public without adequate notice outweighs the owner’s interest in receiving that notice.

The idea here is a good one – nobody should be prevented from doing research on encryption because of copyright law. However, you might have noticed a few troubling requirements.

First, s 30.62(1)(c) requires that you’ve informed the copyright owner. This assumes that the copyright owner is known, and that you can contact them. Just how would you contact the copyright owner of GnuPG, for example? Do you have to contact all of them? Why should contacting them be mandatory? Requiring researchers to inform the copyright holder, thus probably identifying themselves, opens them to retribution. This is a well-known anti-pattern in security research, so it’s not clear why the copyright law should privilege business at the expense of security researchers (and thus, indirectly, the public).

Second, s 30.62(2) means that the exception doesn’t apply if you “use or disclose” information obtained by doing your research in order to commit any crime. But if you’ve committed a crime, shouldn’t that be sufficient? Why do we need an additional layer of illegality (the copyright infringement)? With this provision, whether or not your behaviour constitutes copyright infringement depends on the contents of another law – and given the vagueness in the Criminal Code, that’s a problem.

Third, s 30.62(3) requires a particular form of “responsible disclosure” – something which I doubt belongs in law. Here again, there is a requirement to contact the copyright holder, but in this case it makes even less sense than in s 30.62(1)(c), because the copyright holder is not who you want to notify when doing “responsible disclosure.” You actually want to notify the software maintainer (if any). That might be the same as the copyright holder, but it might not, and the law doesn’t know the difference. This suggests that the drafters don’t really understand the subject matter. At least there’s a public interest exception – but without any guidance as to how to weigh the different considerations, what factors might be relevant, or anything of the sort. It would be very interesting to see how courts interpret the relative weighting of interests, but until that’s done, business will have very wide latitude to use this vagueness to come down harshly on researchers who embarrass them by exposing security weaknesses.

Security research

There are similar exceptions for security research in s 30.63.

30.63 (1) Subject to subsections (2) and (3), it is not an infringement of copyright for a person to reproduce a work or other subject-matter for the sole purpose, with the consent of the owner or administrator of a computer, computer system or computer network, of assessing the vulnerability of the computer, system or network or of correcting any security flaws.

Limitation

(2) Subsection (1) does not apply if the person uses or discloses information obtained through the assessment or correction to commit an act that is an offence under the Criminal Code.

Limitation — computer program

(3) Subsection (1) applies with respect to a computer program only if, in the event that the assessment or correction reveals a vulnerability or a security flaw in the program and the person intends to make the vulnerability or security flaw public, the person gives adequate notice of the vulnerability or security flaw and of their intention to the owner of copyright in the program. However, the person need not give that adequate notice if, in the circumstances, the public interest in having the vulnerability or security flaw made public without adequate notice outweighs the owner’s interest in receiving that notice.

The problems here are similar. Although there’s no requirement like s 30.62(1)(c) to notify the copyright holder, there is still a confused “responsible disclosure” requirement. There’s no clear reason why “responsible disclosure” should be a requirement in law, much less in copyright law.

There’s an even more stringent requirement here, though: the owner or administrator of the computer system must consent to the research. This is effectively a prior restraint, and protects business from unwanted criticism. This endangers the public by creating a hostile legal environment for computer security researchers. Again, business is privileged over the safety of the Canadian public.