ElcomSoft supporters miss the point

Article originally appeared at Seybold Report's E-Book Zone, July, 2001. Reprinted with permission.

July 25, 2001

At this moment, electronic security expert and ElcomSoft employee Dmitry Sklyarov is sitting in a Las Vegas jail waiting to be extradited to California to faces charges of violating the U.S. Digital Millennium Copyright Act (DMCA). In a somewhat strange and certainly controversial case, the Russian national is staring down the barrel of a possible five-year prison sentence and a $500,000 fine.

Specifically, ElcomSoft, which is based in Russia, has developed password removal software for a number of very popular software applications. The software in question here cracks Adobe's digital rights management solutions Content Server and PDF Merchant, allowing PDF-based e-book buyers to remove all rights information from the file. After releasing the software in June, and advertising its availability in a Planet E-Book discussion forum on June 22, Adobe threatened legal action if sales of the software didn’t stop within five days. In mid-July Sklyarov called Adobe’s bluff and traveled to the U.S. to give a presentation at the annual hacker conference DefCon. On July 16, as he was preparing to return to Russia, Sklyarov was apprehended by law enforcement agents. Now, he sits in Las Vegas as the debate over his company’s software swirls around him. (It should be noted that on July 24, Adobe altered its stance on the apprehension of Sklyarov and requested that he be released. Adobe cited the fact that ElcomSoft’s software was no longer available in the U.S. as a reason. Final decision on Sklyarov’s possible release will be made by U.S. Attorney Joseph Sullivan in San Jose.)

Without question, the DMCA does not adequately address the issue of "fair use" in a digital environment. While current digital rights management solutions (prior to hacking) are able to protect against copying for illicit use, no solution today can adequately and accurately differentiate between copies made in good faith and in accordance with the fair use doctrine and file replication conducted to make money. Put simply, the DMCA outlaws the creation of burglary tools—which ElcomSoft makes—but it does not redefine fair use for the digital domain.

While certainly garnering far more attention due to its sensational aura, this isn’t the first time the soundness of the DMCA has been questioned. Princeton professor Edward Felten led a team that cracked an audio watermarking technology created by SDMI, and was threatened with a lawsuit if he presented his findings at a conference in April. Before that Eric Corley and 2600 Enterprises were enjoined in August of last year from distributing an application that disabled the copy protection mechanism on DVDs.

But Sklyarov’s case is different for one important reason: He, and the company he works for, profited from the sale of the cracking software. Few would argue that under its current provisions, Sklyarov and ElcomSoft are in violation of the DCMA. But in selling the software, Sklyarov stopped being a personal rights advocate and respected security expert and became a pirate.

Which is why the argument put forward by many of his supporters—most notably Executive Director of the Electronic Frontier Foundation, Sheri Steele—that Sklyarov was providing a valuable service to the technology industry by pointing out flaws in Adobe’s encryption technologies is, quite simply, laughable. In reality, the exact opposite is true: improvements to Adobe’s software would threaten ElcomSoft’s bottom line. At this moment, there are more than 20 "password recovery" applications for sale on the ElcomSoft Web site, with prices ranging from $30 to $400. On the day the PDF cracking technology was released, ElcomSoft’s posting on Planet E-book’s Web site was a sales pitch, not a warning to publishers and authors using encrypted PDFs. "ElcomSoft Co. Ltd. has released Advanced eBook Processor, a Windows ME/98/95/NT4/2000/XP program that makes it easy to remove both password encryption and usage restrictions from Adobe Acrobat PDF files and eBooks," ElcomSoft’s posting states. "With Advanced eBook Processor, these PDF files can be decrypted, opened, and used without any of these restrictions. Once protection has been removed, PDF files created with Adobe's Acrobat program can be opened in any PDF viewer, including Adobe's Acrobat Reader… Advanced eBook Processor costs $99(US) and may be purchased securely online at [the ElcomSoft Web site]." Not exactly a well-researched academic submission meant to spark debate on the security holes of PDF and PDF-based solutions.

Suppose we extend this argument to the non-Internet world. A security company, noting that the locks on a Main Street bookstore are relatively weak, decides to create a mechanism that will pick the lock rather than alert the bookstore owner or his distributors that the shop is susceptible to a break-in. It noticed similar problems with security mechanisms on several other businesses down the street, and created lock-picking mechanisms for those shops as well. The company then began selling these tools, for a hefty sum, to anyone that might walk by. The company argued that it was in no way liable when some of its customers broke into the businesses each night for two reasons. First, despite the fact that every customer that used the tools to enter a shop did so illegally, the company argued it had no way of knowing which of its customers stole materials and which simply browsed around for their own personal enrichment. As for the shop owners, the responsibility is on them to find out these tools are being sold and change their locks. Second, it’s possible that all of the company’s customers are the actual shops owners and they have lost their keys.

It’s fairly ridiculous to argue that in the non-Internet world, this type of behavior would not only be tolerated on the basis of free speech, but supported as constructive scientific work. Yet, organizations such as the EEF, and others that are actively supporting ElcomSoft, are doing just that. The only difference is that the criminal activity in question occurs in a digital environment, where the hacker ethos has penetrated so deeply that the theft of intellectual property is not only accepted, but promoted as sound research. So let the hacker hack. If it can be stolen, steal it. If it can be broken, break it. But in the end, it’s the quality and reliability of content on the Web that suffers.

The EEF is a respected organization dedicated to protecting online privacy, freedom of speech, and basic user rights. Unfortunately, like all of ElcomSoft’s supporters, on this issue they simply took the wrong position. In its hasty support of Sklyarov, the EEF has forgotten that encryption technology from the likes of Adobe is designed and implemented to protect the intellectual property rights of content creators, artists, authors, designers, business owners and others. In order for an electronic content industry to grow and flourish, intellectual property must be respected and protected. ElcomSoft, which advocates and encourages the deliberate circumvention of protection schemes specifically implemented by a content creator for its own capital gain, is a direct threat to this growth.

Now that Dmitry Sklyarov is sitting in a jail cell in Las Vegas, perhaps others will start to take notice.