The Emerging Digital Economy report continues along the path set by the Administration's early policy document, The Framework for Global Electronic Commerce, in seeking to foster the growth potential of the digital economy.³⁷ Both documents recognize that "[g]overnments can have a profound effect on the growth of commerce on the Internet. By their actions, they can facilitate electronic trade or inhibit it. Knowing when to act and-at least as important-when not to act, will be crucial to the development of electronic commerce."³⁸ One of the signal achievements of the Framework was the promulgation of five principles that were supposed to guide U.S. as well as other governmental action on policy initiatives on electronic commerce:

As laudable as the Framework's principles are, it should be said that the Clinton Administration has been somewhat erratic in following them. The Administration has a good record in promoting minimalist tax and customs policies.⁴¹ However, it has been widely criticized by the IT/digital economy sector for not following these principles in the security/encryption policy area and in the content policy area, owing to the Administration's support for the Clipper Chip and the Communications Decency Act.⁴² In the legislative struggle leading up to adoption of the DMCA, the Administration deviated from these principles once again in heeding the desires of established copyright industries to reconstruct the legal infrastructure of the digital environment so that it would accommodate their preferences. These industries insisted that this restructuring was necessary to protect them from the grave threat of piracy posed in the digital environment.⁴³ Many significant players in the existing digital economy counseled against this restructuring.⁴⁴ The Administration should, of course, have considered the interests and concerns of Hollywood and other copyright industry groups in its consideration of an appropriate digital copyright policy initiative. However, the Administration might have done more to consider the interests of those already participating in the digital economy in its policy formation on these issues, particularly since its preferred policy so clearly violated the principles that the Administration had asserted it would follow.

III. The Wipo Copyright Treaty Is Good For The New Economy

The WIPO Copyright Treaty established several norms about applying copyright law in the digital environment.⁴⁵ They include:

copyright owners should have an exclusive right to control the making of copies of their works in digital form,⁴⁶

copyright owners should have an exclusive right to control the communication of their works to the public,⁴⁷

countries can continue to apply existing exceptions and limitations, such as fair use, as appropriate in the digital environment, and can even create new exceptions and limitations appropriate to the digital environment,⁴⁸

merely providing facilities for the communication of works should not be a basis for infringement liability,⁴⁹

it should be illegal to tamper with copyright management information insofar as this would facilitate or conceal infringement in the digital environment,⁵⁰ and

countries should have "adequate legal protection and effective legal remedies against the circumvention of effective technological measures" used by copyright owners to protect their works from infringing uses.⁵¹

To the extent that uncertainties about how copyright law should apply in the digital environment were impeding the growth of a global market in electronic intellectual property products,⁵² there was reason to be optimistic that conclusion of this treaty would remove these blockages and allow e-commerce to flourish.⁵³ These norms are as "predictable, minimalist, consistent, and simple" components of a legal environment for commerce as one could expect copyright professionals to devise.⁵⁴ Thus, the WIPO treaty itself established norms compatible with Framework principles and with the needs of the digital economy. That nearly one hundred sixty nations signed this treaty indicated a strong consensus that digital works should be given appropriate protection on an international scale.⁵⁵ This was very good news for U.S. digital economy industries.

The WIPO treaty digital copyright norms were, however, mostly old news for U.S. law.⁵⁶ Its cases had already recognized the rights of authors to control digital reproductions of their works,⁵⁷ as well as to control digital transmissions of their works to the public.⁵⁸ Courts had invoked fair use in a number of digital copyright cases,⁵⁹ and had refused to hold online service providers liable for infringing activities of users about which the providers had no knowledge.⁶⁰ Because of the substantial accord between the WIPO treaty norms and existing U.S. law, the Clinton Administration initially considered whether the WIPO Copyright Treaty might even be sent to the Senate for ratification "clean" of implementing legislation.⁶¹ This would have avoided the kind of protracted legislative battle that occurred when Congress considered the Administration's White Paper legislation in 1996.⁶² Eventually, the Administration decided that implementing legislation was necessary for the U.S. to comply with the WIPO treaty provision requiring protection for the integrity of copyright management information.⁶³ The DMCA implementation of this norm, which closely tracks the treaty language, was uncontroversial during the legislative process.⁶⁴

The U.S. could have asserted that its law already complied with the WIPO treaty's anti-circumvention norm.⁶⁵ This norm was, after all, very general in character and provided treaty signatories with considerable latitude in implementation. Moreover, anti-circumvention legislation was new enough to many national intellectual property systems, and certainly to international law, to mean that there was no standard by which to judge how to instantiate the norm. The U.S. could have pointed to a number of statutes and judicial decisions that establish anti-circumvention norms.⁶⁶ With U.S. copyright industries thriving in the current legal environment, it would have been fair to conclude that copyright owners already were adequately protected by the law.⁶⁷ Even many of those who favor use of technical systems to protect digital copyrighted works have expressed skepticism about the need for or appropriateness of anti-circumvention regulations, at least at this stage.⁶⁸ Let content producers build their technical fences, advised one prominent information economist, but do not legislatively reinforce those fences until experience proves the existence of one or more abuses in need of a specific cure.⁶⁹ However, the political reality and legislative dynamics of the WIPO Copyright Treaty implementation process were such that some sort of anti-circumvention provision appeared to be a necessary part of the bill.

Even if a reasoned assessment of U.S. law might have led policymakers to conclude that some additional anti-circumvention legislation was necessary or desirable, one would have thought that the Administration would have supported a "predictable, minimalist, consistent, and simple" legal rule, as its Framework principles call for. The Administration might have, for example, proposed to make it illegal to circumvent a technical protection system for purposes of engaging in or enabling copyright infringement. This, after all, was the danger that was said to give rise to the call for anti-circumvention regulations in the first place. Silicon Valley Representative Tom Campbell proposed such an approach in his alternative bill.⁷⁰ If this same assessment caused policymakers to decide there was also a need for some regulation of circumvention technologies to promote electronic commerce, then a "predictable, minimalist, consistent, and simple" legal rule would have been to outlaw making or distributing a technology intentionally designed or produced to enable copyright infringement.⁷¹ Many "digital economy" firms and organizations supported the first of these proposals,⁷² and they would likely have supported the second if it had ever had a chance of being taken seriously.

Clinton Administration officials, bowing to the wishes of Hollywood and its allies, opted instead to support an unpredictable, overbroad, and maximalist set of anti-circumvention regulations. During Congressional consideration of these provisions, these regulations became complex and inconsistent for reasons that will become evident in later sections of this article.⁷³ It was, in short, not the needs of the digital economy that drove adoption of the anti-circumvention provisions in the DMCA. Rather, what drove the debate was high rhetoric, exaggerated claims, and power politics from representatives of certain established but frightened copyright industries. These groups seem to believe they are so important to America that they should be allowed to control every facet of what Americans do with digital information.⁷⁴ They also seem to think they are entitled to control the design and manufacture of all information technologies that can process digital information.⁷⁵ The DMCA caters to their interests far more than to the interests of the innovative information technology sector or of the public.

IV. DMCA's Overbroad Anti-Circumvention Provisions Are Neither Consistent With Framework Principles Nor Good For The New Economy

There are three principal rules in the final DMCA's anti-circumvention provision. The first focuses on the act of circumvention. Section 1201(a)(1)(A) generally outlaws the act of circumventing "a technological measure that effectively controls access to a work protected under this title."⁷⁶ This rule will, however, not take effect for two years from enactment, in part to allow time for a study to be conducted of the potential impact of this norm on noninfringing uses of copyrighted works.⁷⁷ When it does come into force, it will be subject to seven complex exceptions that will be discussed below in Part V.A.⁷⁸

Section 1201 also contains two "anti-device" provisions. Sections 1201(a)(2) and 1201(b)(1) both regulate technologies with circumvention-enabling capabilities. The former focuses on devices that circumvent "a technological measure that effectively controls access to a [copyrighted] work" (access controls).⁷⁹ The latter relates to devices that circumvent the "protection afforded by a technological measure that effectively protects a right of a copyright owner ... in a work or a portion thereof" (e.g., copy controls).⁸⁰ In each case, section 1201 states that "[n]o person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof"⁸¹ if it (1) "is primarily designed or produced for the purpose of circumventing,"⁸² (2) "has only limited commercially significant purpose or use other than to circumvent,"⁸³ or (3) "is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing"⁸⁴ the technological measure or the protection it affords. The anti-device rules have a narrower range of exceptions than does the act-of-circumvention ban.⁸⁵

One would have to admit that the act-of-circumvention rule initially sought by the Administration was simpler, and at least in this respect, more consistent with the Framework's principles than the DMCA as enacted. The original proposal would have outlawed circumventions of technical protection systems except when done for legitimate law enforcement or intelligence purposes.⁸⁶ However, representatives of major information technology firms and organizations brought to Congress's attention that this norm would interfere with many legitimate activities.⁸⁷ It would, for example, have outlawed encryption research and computer security testing, even though these activities are critical to achieving many of the objectives of the digital economy.⁸⁸ As Congress came to recognize that there were a number of legitimate reasons to circumvent technical protection systems, the bill slowly accreted exceptions that made the bill more complicated but less harmful to growth of the digital economy.⁸⁹

These same firms and organizations, in alliance with major consumer electronics firms, were also critical of the Administration's preferred anti-device provisions.⁹⁰ However, these digital economy groups exhausted their political capital on getting critical exceptions to the act-of-circumvention ban⁹¹ and on establishing that they had no affirmative duty to build their technologies to respond to technical protection systems, but only a duty to refrain from actively undermining them.⁹² They took some comfort in statements by Congressional supporters of a limited interpretation of the anti-device norms indicating that Congress meant for the anti-device provisions to apply to "'black boxes' that are expressly intended to facilitate circumvention."⁹³ Still, the digital economy sector remains understandably concerned about the potential for overbroad application of the anti-circumvention and anti-device norms, and recent developments suggest that there is reason for this concern.⁹⁴

Although Administration officials admitted in Congressional testimony that its preferred legislation went beyond what the WIPO Copyright Treaty required, it argued for this broader rule in part to set a standard that would help the U.S. persuade other countries to pass similarly strong rules.⁹⁵ Proponents of the Administration's preferred anti-circumvention regulations scoffed at arguments made by an alliance of consumer electronics firms and by representatives of the computer and software industries about the harm that broad anti-circumvention regulations would do in this industry.⁹⁶ They also dismissed as specious arguments made by library and educational groups about threats to fair use and the public domain arising from broad anti-circumvention regulations.⁹⁷

II. The Enumerated Exceptions In The Act-Of-Circumvention Ban Are Unduly Narrow And Inconsistent With Framework Principles

A. The Statutory Exceptions to the Circumvention Ban

The DMCA ban on the act of circumventing technical protection systems is subject to seven very specific exceptions,⁹⁸ as well as being qualified by several other subsections.⁹⁹ In addition, it is subject to a two-year moratorium during which the Librarian of Congress is supposed to study the potential impact of the anti-circumvention ban on noninfringing uses of copyrighted works which may lead to further limitations on the act-of-circumvention rule.¹⁰⁰ While several of these exceptions and limitations respond to the gravest of concerns expressed by digital economy firms,¹⁰¹ they are still too narrowly crafted, as examples given below will reveal.¹⁰² Congress should have adopted a provision enabling courts to exempt acts of circumvention engaged in for other legitimate purposes. Courts interpreting section 1201 may either be forced to find liability in some situations in which it would be inappropriate to impose it or to stretch existing limitations. Congress may eventually need to revise this provision to recognize a broader range of exceptions.

The structure of the final DMCA anti-circumvention provision and its complexity resulted from the maximalist position with which the Administration and its major copyright industry allies began the legislative struggle. Only when IT industry groups were able to identify particularized situations in which circumvention was appropriate was there any legislative "give" on the issue, and then only to the extent of that identified situation.¹⁰³ As noted above, Clinton Administration officials initially sought an almost unlimited ban of circumvention activities.¹⁰⁴ The only exception to the circumvention ban in the Administration's favored legislation was an authorization of circumvention of technical protection systems for legitimate law enforcement, intelligence, and other governmental purposes.¹⁰⁵ Without this exception, suspected Mafia bosses and terrorists, oddly enough, might have been able to challenge attempted law enforcement or intelligence agency decryptions of their records or communications under section 1201(a)(1).¹⁰⁶

The Administration's preferred bill also provided that nothing in section 1201 would "affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title."¹⁰⁷ This seemed to recognize that circumventing a technical protection system for purposes of engaging in fair use or other noninfringing acts would be lawful, although it did not directly say so.¹⁰⁸ Some representatives of major copyright industries who testified at a Congressional hearing on this legislation expressed the view that fair use should not be an acceptable reason to "break" a technical protection system used by copyright owners to protect their works.¹⁰⁹ Allan Adler, testifying on behalf of the Association of American Publishers, for example, stated that "the fair use doctrine has never given anyone a right to break other laws for the stated purpose of exercising the fair use privilege. Fair use doesn't allow you to break into a locked library in order to make 'fair use' copies of the books in it, or steal newspapers from a vending machine in order to copy articles and share them with a friend."¹¹⁰ The "breaking and entering" metaphor for circumvention activities swayed some influential Congressmen in the debate over anti-circumvention regulations.¹¹¹

Courts should distinguish between circumvention aimed at getting unauthorized access to a work and circumvention aimed at making noninfringing uses of a lawfully obtained copy.¹¹² Section 1201(a)(1) is aimed at the former, not the latter. Fair use, for example, would provide a poor excuse for breaking into a computer system in order to get access to a work one wished to parody. However, if one had already lawfully acquired a copy of the work, and it was necessary to bypass a technical protection system to make fair use of that copy, this would appear to be lawful under section 1201(a)(1) and (c)(1).¹¹³ Take, for example, an act of circumvention performed by Geoffery Nunberg, a friend of mine who works for Xerox's Palo Alto Research Center. He was an expert witness in a lawsuit which successfully challenged the Washington Redskins' trademark on the ground that the word "redskins" is scandalous or disparaging.¹¹⁴ Nunberg decided it was necessary to take a clip from an old Western movie to demonstrate derogatory uses of the term in context. It was necessary for him to defeat a technical protection system adopted by the owner of the copyright in this movie in order to make the clip for this purpose. If section 1201(c)(1)'s preservation of fair use and other defenses to infringement are to be given their plain meaning, it would seem that this sort of circumvention should be permissible.¹¹⁵ Thus, if the clip from the movie qualifies as a fair use, the act of circumvention may be privileged under section 1201(c)(1).¹¹⁶

Although this section's apparent preservation of fair use was important, it did not satisfy library and nonprofit groups who expressed substantial concern about the impact that the anti-circumvention provisions would have on public access to information.¹¹⁷ The only additional concession that the House Subcommittee on Intellectual Property thought should be made to concerns expressed by these groups was to create a special "shopping privilege" for them. This exception, which was included in the final DMCA, enables nonprofit library and educational institutions to circumvent technical protection systems to "make a good faith determination of whether to acquire a copy" of the work.¹¹⁸ Librarians and educators do not see much value in this provision because vendors of technically protected copyrighted works will generally have incentives to allow librarians and educators to have sufficient access to make acquisition decisions.¹¹⁹ Their broader concerns about the impact of anti-circumvention regulations on noninfringing uses fell on deaf ears in both the House and Senate Subcommittees on Intellectual Property.¹²⁰

Computer and software industry groups were initially unsuccessful in persuading Congress to create additional exceptions to the anti-circumvention rules and other changes to the anti-circumvention regulations to make them less harmful to legitimate activities in these industries.¹²¹ Not until the full Senate Judiciary Committee and the House Commerce Committee undertook their reviews of the legislation were concerns of these industry groups heeded. Out of the Senate Committee emerged three significant changes to the DMCA. The first was creation of a new exception to enable circumvention of technical protection systems for purposes of enabling a software developer to achieve interoperability among computer programs.¹²² The second was a provision clarifying that equipment manufacturers were under no obligation to specially design their products to respond to any particular technical measure used by those providing content for this equipment.¹²³ The third was a provision indicating that section 1201 was not intended to broaden contributory or vicarious copyright liability.¹²⁴

An interesting twist in the saga leading up to adoption of the DMCA was the House Commerce Committee's decision to exercise jurisdiction over part of the digital copyright legislation.¹²⁵ Its review led to several other significant changes to the bill. Some of these responded to concerns expressed by digital economy firms; others responded to concerns expressed by library, educational, and other nonprofit groups.¹²⁶ The Commerce version of the bill added a new exception to enable encryption research and the development of encryption-research tools.¹²⁷ It also created two consumer-oriented exceptions, one to enable parents to circumvent access controls when necessary to protect their children from accessing harmful material on the Internet, and the other to enable circumvention to protect personal privacy.¹²⁸ It also proposed a moratorium on the anti-circumvention rules so that a study could be conducted about the potential impact of anti-circumvention rules on fair use, the public domain, and other noninfringing uses of copyrighted works.¹²⁹

More clearly than the Judiciary Committees in either branch of Congress, the Commerce Committee recognized the unprecedented nature of the access right that was implicit in the act-of-circumvention provision of section 1201. "If left unqualified," said Congressman Bliley, "this new right ... could well prove to be the legal foundation for a society in which information becomes available only on a 'pay-per-use' basis."¹³⁰ To ensure this would not occur, the legislation was amended to enable librarians and educators to make a showing that the anti-circumvention provision was interfering with noninfringing uses of copyrighted materials and to seek an exemption from the ban.¹³¹ Insofar as such a showing could be made, the Commerce Committee thought that affected classes of works or of users should be exempt from section 1201(a)(1)(A). Congressman Bliley pointed out that "[c]opyright law is not just about protecting information. It's just as much about affording reasonable access to it as a means of keeping our democracy healthy...."¹³² The Commerce Committee review of the legislation also led to inclusion of a provision indicating that nothing in section 1201 "shall enlarge or diminish any rights of free speech or of the press for activities using consumer electronics, telecommunications, or computing products."¹³³ This provision recognizes the potential impact of the anti-circumvention rule on free speech and free press interests.

During the final negotiations leading up to passage of the DMCA, several of the exceptions were refined.¹³⁴ In addition, the computer security research community finally persuaded legislators to add another exception to enable circumvention of technical protection systems necessary for legitimate testing of the security of computer systems.¹³⁵

B. Circumvention for Other Legitimate Reasons Should Be Privileged

While the final version of the DMCA anti-circumvention provision responded to several significant concerns of the digital economy sector, it did so mainly by adopting specific exceptions. There are, however, many other legitimate reasons for circumventing technical protection systems that are not, strictly speaking, covered by the exceptions in the final bill. Five examples demonstrate that section 1201 should have an "or other legitimate purposes" exception to section 1201(a)(1).

Suppose, for example, that a copyright owner had reason to believe that an encrypted work contained an infringing version of one of its works. The only way to find out whether the copyright owner's suspicion is valid may be to circumvent the technical protection system to get access to the encrypted material. Even if its suspicions proved correct, the copyright owner would have violated section 1201(a)(1)(A) in the course of discovering this. There is no exception in section 1201 to protect this kind of decryption activity.

Or suppose that a content producer had licensed certain software that was essential to the development of its product (e.g., editing software used in the process of making motion pictures). In the course of a dispute about the performance quality of this software, the content producer might withhold payment of a royalty as a way of communicating its displeasure with the licensor's maintenance of the software. The software's licensor might then respond by activating a technical "self-help" system embedded in the software to stop the software from operating.¹³⁶ To deal with this development, the licensee might well attempt to circumvent the self-help feature now blocking access to the software because the licensee needed to use the software to finish its movie and because it regarded itself as having a legitimate claim of licensor breach to justify holding back the royalty.¹³⁷ However legitimate the claim or this activity, there is no exception to the anti-circumvention rule to protect the licensee in this situation.

Two further examples will illustrate the narrowness of certain existing privileges in the DMCA. Suppose, for example, that a firm circumvented a technical protection system to stop software it had licensed from monitoring certain uses of the software in ways not contemplated in the license agreement and which the licensee regarded as unwarranted and detrimental to its interests. Although there is a "personal privacy" exception in the DMCA,¹³⁸ there is no general exception for circumventing to protect other confidentiality interests. Or suppose that a firm was considering making a multi-million dollar acquisition of a computer system whose producer asserted was highly secure. If this firm wished to test the veracity of the producer's assertions, without getting the producer's permission or over the producer's objection, it would seem to violate section 1201. Although there is a computer security testing exception in the Act, it only applies if one is already the owner or operator of the computer system being tested.¹³⁹ It should be noted here that many security flaws discovered in widely deployed systems have been found by researchers who tested the system without permission of either the owner or manufacturer of such systems.¹⁴⁰ These activities too are not covered by the computer security exception provided for in the DMCA.

Finally, because the DMCA recognizes that the anti-circumvention rules may have an impact on free speech and free press concerns,¹⁴¹ it may be worth considering an example of this sort. Suppose that an employee of a major chemical company gave a reporter a disk containing a digital copy of a report and several photographs pertaining to a major chemical spill that the company was trying to cover up. If information on the disk was technically protected and the employee was not authorized by the company to provide the information to the reporter, it would appear that the reporter would violate section 1201(a)(1) if he circumvented the technical protection system to get access to this information, even if consideration of free press and free speech interests might suggest that such a circumvention was justifiable.

One response to these examples might be to assert that copyright owners will generally not sue when these or other legitimate circumvention activities occur. However, in some of the examples given above, the technical protector might well have incentives to sue the circumventor.¹⁴² Given that there are serious criminal penalties for willfully violating section 1201,¹⁴³ the overbreadth of this provision and the narrowness of existing exceptions will put many legitimate circumventors at unnecessary risk. If such suits are brought, courts may, of course, and probably will, find other ways to reach just results. They might, for example, decide that the "other defenses" provision of the anti-circumvention rule legitimized the circumvention,¹⁴⁴ that some instances were within the spirit, even if not the letter, of an existing privilege, or that there was insufficient harm to the legitimate interests of the person challenging the circumvention activity to justify imposing liability.¹⁴⁵ However, there should be a general purpose "or other legitimate purposes" provision in section 1201 so that courts will not have to thrash to reach appropriate results. This would add flexibility, adaptability, and fairness to the law. In many other parts of copyright law-with the fair use doctrine, for example, or the distinction between ideas and expressions-Congress has trusted the common law process to distinguish between legitimate and illegitimate activities. It could (and should) have done so with respect to circumvention legislation as well.

It would have been especially appropriate to adopt a general purpose "other legitimate purpose" provision because the anti-circumvention ban is an unprecedented provision for copyright law as to a significant new technology issue with which neither Congress nor the courts have much experience.¹⁴⁶ The lack of a general purpose exception is particularly troubling in view of the harsh criminal and civil provisions in the statute, which may have a chilling effect on legitimate activities, including those affecting free speech. It could also put at risk some legitimate activities in the digital economy that will impede the growth of e-commerce, as will become more apparent in the next section.

III. The Anti-Device Provisions Should Be Narrowed By Legislative Amendment Or Judicial Interpretation

The text of the DMCA and its legislative history clearly demonstrate that Congress intended to ensure that users would continue to enjoy a wide range of noninfringing uses of copyrighted works, even if copyright owners used technical protection systems to impede them. This is evident in the DMCA's recognition that circumventions for fair use, free speech, and free press purposes should be lawful.¹⁴⁷ It is also apparent in the provision enabling the Librarian of Congress to exempt certain classes of users or works from the general anti-circumvention rule when necessary to preserve socially valued noninfringing uses.¹⁴⁸ In addition, it explains why Congress adopted some exceptions to the act-of-circumvention ban, notably, the interoperability privilege.¹⁴⁹ As the last part has shown, if Congress had not been blinded by the politics of the day, it would likely have recognized other legitimate reasons to engage in acts of circumvention.

If Congress intended for circumvention of technical protection systems to be legal when done for legitimate purposes, it might seem obvious that Congress should be understood to have intended to enable users to effectuate the circumvention privileges it recognized.¹⁵⁰ Although it will not always be necessary for a legitimate circumventor to make or use a circumvention technology to accomplish a privileged circumvention (e.g., enciphered text might be decoded by purely mental activity), most often this will be necessary.¹⁵¹ The deepest puzzle of section 1201 is whether Congress implicitly intended to allow the development and/or distribution of technologies necessary to accomplish legitimate circumvention activities, or whether, in essence, it created a number of meaningless privileges.

Seemingly relevant to addressing this question are some curious features of section 1201 that close study of this complex provision reveals. First, several exceptions to the anti-circumvention rule specifically authorize the creation of tools necessary to achieving a legitimate circumvention activity (e.g., the encryption research and interoperability privileges),¹⁵² while several others (e.g., the law enforcement privilege and the privacy privilege) do not.¹⁵³ Secondly, while the interoperability privilege exempts necessary tools from both device provisions of section 1201,¹⁵⁴ the encryption and security research privileges exempt tools only from the access-device provision, not from the control-device provision. Yet, it would seem that encryption and security research would often require testing both of access and of control components of technical protection systems.¹⁵⁵ Thirdly, section 1201 contains no provision enabling the development or distribution of circumvention tools to enable fair use or other privileged uses in terrain which section 1201(a)(1)(A) doesn't reach (i.e., making fair uses of lawfully acquired copies). If Congress intended to recognize a right to "hack" a technical protection system to make fair uses, this right could be undermined if it could not be exercised without developing a tool to bypass the technical protection system or otherwise getting access to such a tool.¹⁵⁶ Under some interpretations of section 1201(b)(1), development or distribution of such a tool would be unlawful.

Consider, for example, the Xerox PARC researcher who circumvented a movie's technical protection system in order to make a fair use clip for the Washington Redskins' litigation.¹⁵⁷ It was necessary for him to develop a tool to enable him to bypass the technical protection system to make the clip. Suppose that the motion picture copyright owner found out about the circumvention and decided to make an example of this researcher, suing him for statutory damages for violating section 1201(b)(1).¹⁵⁸ On a strict interpretation of this subsection, the researcher might seem to be in trouble. The tool was, after all, "primarily designed ... for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of the copyright owner under this title in a work or a portion thereof."¹⁵⁹ However, one can easily imagine a court deciding that the researcher's code did not run afoul of section 1201(b)(1). The code might be viewed as a special purpose tool made for the limited purpose of effectuating fair use rights. In view of its lack of commercial significance and the absence of deleterious effects of the sort that the anti-device provisions were intended to reach,¹⁶⁰ a court might decide that this code should not be held to violate this law.¹⁶¹

Would the result be different if the researcher asked a co-worker or a friend to develop the tool instead of doing it himself? Or would the result be different if the researcher shared this tool with a co-worker who needed to make a fair use circumvention of a different movie? Even though he might be "provid[ing]" this technology to another person, perhaps he would escape liability because he was not "traffic[king]" in this technology or "offer[ing it] for sale" which are the principal activities Congress meant to curb by enacting this part of DMCA.¹⁶² However, it is fair to observe that courts would have to read some limiting language into section 1201(b)(1) to decide that the researcher would not be liable in all three situations.

An undoubtedly closer question is what courts would do about a technology distributed in the mass-market for purposes of enabling privileged circumventions. Consider, for example, how the 1985 Vault v. Quaid¹⁶³ case would fare under the DMCA anti-device provisions. Vault sued Quaid for contributory copyright infringement based on Quaid's development and sale of a program called Ramkey. Quaid's customers could use Ramkey to defeat Vault's Prolok copy-protection software (which Vault sold to other software developers to protect their own software from unauthorized copying). By spoofing Vault's copy-protect system,¹⁶⁴ Quaid's customers could make unauthorized copies of the third-party software protected by Vault's program.¹⁶⁵ Quaid successfully defended against the contributory infringement claim by showing that Ramkey had a substantial noninfringing use, namely, to enable users to effectuate their rights under copyright law to make backup copies.¹⁶⁶

Quaid would probably not run afoul of the access-device provision of section 1201(a)(2).¹⁶⁷ However, less clear is whether it could successfully defend against a section 1201(b)(1) claim. Suppose that Quaid's president testified that his primary purpose in designing and producing Ramkey was to enable his customers to do legitimate backup copying. Suppose further that the marketing literature for Ramkey emphasized this purpose of the program and even warned potential customers not to use Ramkey to make infringing copies. If a court considered this evidence credible, it would probably save Quaid from criminal prosecution for violating the second anti-device norm, because it would show a lack of wrongful intent. But would it save Quaid from civil liability?¹⁶⁸

To answer that question, courts would have to grapple with a seeming inconsistency in the statute. On the one hand, the DMCA seems to outlaw technologies if their primary purpose is to circumvent a technical protection measure that effectively protects a right of a copyright owner to control its work (in this case, a right to control illegal copying).¹⁶⁹ On the other hand, the DMCA recognizes that fair use-like circumventions should be lawful.¹⁷⁰ Backup copying is a specially privileged activity in the copyright statute.¹⁷¹ Because the copyright owner doesn't have a statutory right to control backup copying, perhaps a spoofing technology intended to enable backup copying should be outside the statute. It is important to understand that circumvention for backup copying purposes generally cannot occur without access to such a technology.

So if most lawful users of Prolok-protected software lack the skills to write a Ramkey-equivalent, perhaps it should be lawful to make and distribute a technology to effectuate the backup copy privilege. It is unclear whether Congress intended for the technologically savvy who could "do it themselves" to be the only ones who could engage in privileged acts of circumvention. Yet, as the example of the Xerox researcher illustrates, even the technically sophisticated will often need to develop a tool to accomplish a privileged circumvention; this would seem to put them at risk under a strict reading of section 1201(b)(1).¹⁷²

Potentially relevant to whether the distribution of a tool like Ramkey is lawful is section 1201 (c)(2), which states that nothing in section 1201 "shall enlarge or diminish vicarious or contributory liability for copyright infringement in connection with any technology, product, service, device, component, or part thereof."¹⁷³ If what this subsection purports is true, perhaps the result in Vault v. Quaid would be the same after DMCA as before. One can imagine some courts deciding to construe section 1201(b)(1) narrowly so that the honest maker of a Ramkey-equivalent for purposes of enabling backup copying would be able to do so. But they are certainly not constrained to do so.

Moreover, the major copyright industries that supported a broad ban on circumvention technologies would assert that courts should not construe the DMCA so narrowly. They would likely consider Quaid's argument that Ramkey was primarily designed and produced to enable lawful backup copying as a ruse. Moreover, they would likely point out that Ramkey doesn't just enable lawful backup copying; it enables illegal copying as well. They would regard the danger that Ramkey would be used for illegal purposes-regardless of Quaid's intent-as so substantial as to justify banning this technology. The DMCA's anti-device provisions were broadly drafted, they would argue, to address this very danger.¹⁷⁴ They would also consider it an unnecessary burden for copyright owners to have to prove that the primary use of a technology like Ramkey was to engage in infringement.¹⁷⁵ This would be difficult to do, especially for a technology that was about to be introduced into the market. When the dangers of infringement are high, they would argue, the technology ought to be deemed illegal if its purpose is to circumvent a technical protection system copyright owners are using to protect rights granted to them by copyright law.¹⁷⁶ According to this view, Ramkey is illegal under the DMCA. The major copyright industry supporters of the broad anti-device provisions of the DMCA would probably like nothing better than to make Congress' apparent preservation of noninfringing uses into a meaningless promise.

Different judges might reach different conclusions on a Ramkey-like case, but consider how they might deal with another plausible "spoofing" technology. Intel has recently developed a line of semiconductor chips with a built-in identification system for each processor.¹⁷⁷ Privacy advocates have raised concerns about the threat that processor identification systems pose for personal privacy on the Internet.¹⁷⁸ In response to these concerns, Intel announced its intent to ship these chips with the processor identity function "off."¹⁷⁹ Suppose, however, that Microsoft develops Windows 2000 as a "trusted system" technology¹⁸⁰ to run on this line of Intel chips and that it requires that licensees of Windows 2000 agree to keep the Intel identification system on at all times.¹⁸¹ Having the identifier on, Microsoft might well contend, is a critical component to the effectiveness of its trusted system technology. Suppose further that Windows 2000 will not install until the Intel identifier is on, and that the installation software, after a user clicks "I agree" to the conditions of the license, will actually turn the identifier on if necessary.¹⁸² If a privacy advocacy group developed and distributed software to spoof Windows into thinking the Intel identifier was on when it was not in order to protect user privacy, or if the group posted information about how users could turn the identifier off even when using Windows 2000, would it be violating section 1201(b)(1)?¹⁸³

Under a very strict interpretation of section 1201(b)(1), either act might be viewed as illegal.¹⁸⁴ It is, however, difficult to believe that most judges would find providing either software or information to enable circumvention of this component of a technical protection system to fall within the DMCA anti-device rules. The DMCA, judges might point out, authorizes circumvention in order to protect personal privacy.¹⁸⁵ While this provision doesn't specifically authorize the development or use of circumvention technologies to accomplish this legitimate act, judges might conclude that Congress must have intended for people to be able to develop or use technology to accomplish the privileged privacy act, or that the Intel identifier was not a component of an effective technical measure. To avert an injustice, judges would likely find an ambiguity in the statute or read in appropriate limiting language. This is clearly not the kind of "black box" circumvention device that Congress had in mind when adopting DMCA.¹⁸⁶ To hold otherwise would, in effect, allow Microsoft to employ the anti-circumvention provisions of DMCA to impose trusted system technology on the public.

It is, of course, an irony that so much of Congressional debate on section 1201 focused on refining the act-of-circumvention provision given that the anti-device provisions are, as a practical matter, by far the more important rules in this section.¹⁸⁷ Those who have followed the Clinton Administration's digital copyright policy over the last five years should realize that the anti-device provisions were what Administration officials and major copyright industry allies really cared about. The legislation proposed in the Administration's 1995 White Paper did not include any provision about circumvention of technical protection measures as such.¹⁸⁸ It sought only to outlaw technologies whose "primary purpose or effect" was to enable the circumvention of technical protection measures.¹⁸⁹ Was this lack of attention to circumvention an oversight? Or did the Administration believe that it would be difficult to detect individual acts of circumvention, and as long as such acts were done on an isolated, individual basis (due to the unavailability of circumvention devices), the danger to copyright owners would be small? It is difficult to discern why circumvention as such escaped attention until mid-1997 when the WIPO treaty implementation legislation was first introduced in Congress.¹⁹⁰ Far easier to discern has been the Administration's goal of stopping the manufacture and distribution of technologies with circumvention-enabling uses, either by commercial firms or by technically savvy Robin Hoods.¹⁹¹

Eventually someone in the Administration must have realized that it was a bit strange to be proposing to make illegal the manufacture and distribution of technologies whose ordinary uses were not themselves illegal. To justify a broad ban on circumvention technologies, a broad ban on the act of circumvention seemed to be needed. This explains why the Administration and its allies were so insistent that section 1201(a)(1) be structured to broadly ban acts of circumvention. It also explains why the Administration sought to limit the proliferation of exceptions to the anti-circumvention ban, and why such exceptions as were added to the statute were very narrow. The broader the acknowledged range of legitimate circumventions, the narrower should be an appropriately crafted regulation of circumvention technologies. The Administration may have hoped that in all the hoopla about crafting exceptions to section 1201(a), Congress would not notice that its seeming recognition of the legitimacy of circumventions for noninfringing purposes in section 1201(c)(1) might effectively be nullified by section 1201(b)(1), which arguably broadly bans technologies necessary to accomplish such circumventions.

When testifying before Congress, proponents of the Administration's anti-device rules repeatedly emphasized that the legislation was needed to stop deliberate and systematic piracy by "black box" providers.¹⁹² Yet, the anti-device provisions adopted by Congress are far broader than this, providing a basis to challenge an unacceptably wide range of technologies that have circumvention-enabling uses. This creates a potential for "strike suits" by nervous or opportunistic copyright owners who might challenge (or threaten to challenge) the deployment of a new information technology tool whose capabilities may include circumvention of some technical protection system. No doubt some expert can be found to say that deployment of a particular technology in the market would meet one of the three conditions in the anti-device provisions, giving plausibility to the suit. Weak as such testimony might be, it may be enough to extract a settlement sum from the information technology firm.¹⁹³

The potential for strike suits becomes stronger if one realizes that it is not necessary (or arguably even relevant) to litigation under the anti-device provisions of DMCA whether any act of underlying infringement (e.g., illegal copying of a protected work) has ever taken place. The mere potentiality for infringement will suffice to confer rich rewards on a successful plaintiff. Consider, for example, a recent lawsuit brought by the maker of a proprietary game console against the maker of emulation software that permits games initially developed for the proprietary console to be played on iMac computers.¹⁹⁴ Relying on the DMCA anti-device provision, the plaintiff is seeking up to $25,000 per unit sold in damages because the emulation software allegedly bypasses an anti-copying feature in the games.¹⁹⁵ The plaintiff did not allege and need not prove any actual illicit copying by users of the defendant's emulation software.

The anti-device provisions of section 1201 are not predictable, minimalist, consistent, or simple, as the Framework principles suggest that they should be. Due to inconsistencies in the statute, it is unclear whether section 1201's anti-device provisions would be interpreted to allow the development and distribution of technologies to enable legitimate uses. Boiled down to its essence, this presents the question of whether Congress should be understood to have made an empty promise of fair use and other privileged circumvention. Unless the anti-device provisions of the DMCA are modified, either by narrow judicial interpretation or by legislative amendments,¹⁹⁶ they are likely to have harmful effects on competition and innovation in the high technology sector. This is not good news for the digital economy.

IV. Policymakers Should Periodically Review Both The Act And Device Provisions

The Clinton Administration did not recommend or support inclusion of any provision in the WIPO treaty implementation legislation to assess the impact of the DMCA's anti-circumvention norms.¹⁹⁷ This might seem surprising in view of the breadth of these norms, their unprecedented character, and their potential impact on both information technology markets and on public access to information. Even if the Administration had initially been unaware of these potential negative impacts, it could not have failed to become aware of them during the legislative process.¹⁹⁸ The Administration was surely aware that the case for the act-of-circumvention and anti-device norms was long on rhetoric and short on actual evidence of harm to copyright owners.¹⁹⁹ Yet, the Administration did nothing to support post-legislative review of these norms.

This is in striking contrast to the periodic review process endorsed by the Administration as to another legislative initiative affecting digital economy markets, namely, the proposal to create a new form of legal protection for the contents of databases.²⁰⁰ Writing on behalf of the Administration concerning its reservations about a bill under consideration in the second session of the 105th Congress, Andrew Pincus, General Counsel to the Commerce Department, stated:

The Administration believes that, given our limited understanding of the future digital environment and the evolving markets for information, it would be desirable for the [database] bill to include a provision for an interagency review of the law's impact at periodic intervals following implementation of the law. This would be consistent with the laws and proposed laws in other emerging technologies where Congress has mandated examination of a new law's economic impact.²⁰¹

At least one of the database bills seemingly under consideration in the 106th Congress contains a study provision to assess the impact of the new law.²⁰² This conforms to the Administration's proposal and to Framework principles. Much the same comment might have been made about the anti-circumvention norms of the DMCA.

Even though the Administration did not support inclusion of study provisions in the DMCA, section 1201 actually does contain a study provision that will provide an opportunity to review some impacts of the anti-circumvention regulations.²⁰³ In response to the strong concerns expressed by librarians and educators about the potential negative impacts that broad anti-circumvention provisions might have on fair uses of copyrighted works and on access to information and to public domain works,²⁰⁴ the House Commerce Committee decided that there should be a two-year moratorium on enforcement of the act-of-circumvention provision.²⁰⁵ It also proposed a study to determine whether noninfringing uses were being adversely affected by technical protection systems. If so, the Commerce Committee's version of the bill would have waived application of the anti-circumvention norm as to the affected works or users.²⁰⁶

The Commerce Committee's insistence on the moratorium and an impact study proved surprisingly persuasive. Section 1201(a)(1)(A) provides that the general anti-circumvention ban will not take effect until two years after enactment of the legislation.²⁰⁷ Subsections (C) and (D) call upon the Librarian of Congress to conduct periodic studies to determine whether certain classes of users or works should be exempt from the ban because technical protection systems are impeding the ability to make noninfringing uses of copyrighted works.²⁰⁸ Subsection (B) goes on to provide the statutory basis for granting such an exemption to the classes of works or users determined by the Librarian to be adversely affected by the anti-circumvention norm.²⁰⁹ The DMCA calls for the Librarian's first study to be completed before the anti-circumvention moratorium ends.²¹⁰

The DMCA directs the Librarian of Congress to consider four factors in carrying out this study:

(i) the availability for use of copyrighted works, (ii) the availability for use of works for nonprofit archival, preservation, and educational purposes, (iii) the impact [of] the prohibition ... on criticism, comment, news reporting, teaching, scholarship, or research, [and] (iv) the effect of circumvention of technical measures on the market for or value of copyrighted works."²¹¹

The Librarian has authority to consider "such other factors as the Librarian considers appropriate."²¹² The DMCA is quite clear, however, that the Librarian's determinations cannot be asserted as a defense to an anti-device claim.²¹³ Although users would be entitled, after the Librarian's determination, to "hack" technical protection systems for any classes of works whose noninfringing uses had been inhibited, the no-defense-to-an-anti-device-claim subsection would appear to make such user self-help available only if one could accomplish the act without a device, once again raising the specter of Congress having created a meaningless privilege. As Professor Benkler has pointed out, the Librarian has no power to tell copyright owners to stop using technical protection systems that are impeding noninfringing uses.²¹⁴ Thus, it is quite possible that noninfringing uses will continue to be substantially impeded, notwithstanding the Librarian's determination and rulemaking concomitant to it. Surely, this should be the subject of further study.

While the study provisions in DMCA are surely better than nothing,²¹⁵ they fall far short of the periodic review and reporting process appropriate to the unprecedented nature of the anti-circumvention regulations.²¹⁶ To limit an assessment of the circumvention ban to a narrow range of possible effects would ignore the wider swath of harm the provision may do.²¹⁷ Besides, the device ban is the true heart of the anti-circumvention provisions of the DMCA. It is integrally interrelated with the circumvention activity ban.²¹⁸ To assess the act-of-circumvention ban without considering the device ban is to ignore the most significant technology-regulating provision in the DMCA. Unless construed narrowly, the anti-device provisions may do as much harm to competition and innovation in the information technology industry as the circumvention ban may do to noninfringing academic uses. One would have thought that Congress and the Administration would be concerned about these impacts given that these are the very industries whose tremendous growth the Commerce Department has been trumpeting to the world.²¹⁹ The Librarian of Congress should, therefore, decide that his studies can consider the impact of anti-device rules on the ability of certain classes of users or works to make noninfringing uses of protected works.²²⁰ The Librarian should also be entitled to make other observations about possible unintended side-effects of the anti-circumvention regulations that may be detrimental to the public interest.²²¹

It is especially important to have periodic reviews of the whole of the anti-circumvention provisions because they sweep so broadly that they may come to be used widely to deal with circumventions far beyond the copyright industry concerns that Congress contemplated. The low level of proof needed to maintain an action for anti-circumvention violations,²²² along with the generous remedies the Act provides,²²³ may prove to be a magnet for firms seeking to challenge acts of circumvention or devices that might, for example, concern trade secrecy or computer hacking matters.²²⁴ As long as there is a plausible claim that some material being protected by the technical protection system has a modicum of creative content that would entitle it to copyright protection,²²⁵ any act of circumvention or tool to aid the circumvention might be challenged under section 1201. Such uses of the statute could make copyright law into a general purpose misappropriation law regulating computer security matters. Moreover, as Part VI has shown, section 1201 is so ambiguous and broad that it may wreak considerable havoc in the information technology field, harming competition and innovation in this important sector. For these reasons, a broad regular review of the anti-circumvention rules should be undertaken.

V. Conclusion

The WIPO Copyright Treaty provides a "predictable, minimalist, consistent and simple legal environment" that should promote global commerce in electronic information products and services, in line with objectives and principles announced in the Clinton Administration's Framework for Global Electronic Commerce.²²⁶ As the principal leader in the treaty-making effort that led to conclusion of this treaty, the Clinton Administration deserves credit for promoting this policy initiative that promises to substantially benefit the U.S. digital economy industries.

In most respects, the legislation implementing the WIPO Copyright Treaty in U.S. law also conforms to Framework principles.²²⁷ The anti-circumvention provisions of the DMCA, however, do not. They are unpredictable, overbroad, inconsistent, and complex. The many flaws in this legislation are likely to be harmful to innovation and competition in the digital economy sector, and harmful to the public's broader interests in being able to make fair and other noninfringing uses of copyrighted works. If these regulations are not as maximalist as those initially proposed to Congress, this is mainly due to Congress' heeding of concerns expressed by some of the leading firms of digital economy interests, rather than to the Administration's leadership.

In the U.S. Congress, as well as in Geneva during the diplomatic conference leading up to adoption of the WIPO Copyright Treaty, proposed anti-circumvention regulations have been contentious. Among the concerns expressed in both venues were these: the potential effect of such rules on public access to information and on the ability to make noninfringing uses of copyrighted works, and their potential effect on competition and innovation in the market for hardware and software products whose uses might include the bypassing of some technical protection systems.²²⁸ The diplomatic conference had the good sense to adopt only a general norm on circumvention, leaving nations free to implement this norm in their own way.²²⁹ Thus, the flaws in the DMCA's anti-circumvention provisions do not derive from the treaty, but rather from the bad judgment of the Administration and the major copyright industry groups that urged adoption of overbroad rules in the DMCA.

This article has demonstrated that the DMCA's ban on the act of circumventing access controls should have included a general purpose "or other legitimate reasons" provision because the seven exceptions built into the statute, while they respond to the main concerns identified in the legislative debate, do not exhaust the legitimate reasons to bypass access controls.²³⁰ The article has provided examples of other legitimate circumvention activities and has suggested that if Congress does not narrow the reach of this provision, courts likely will do so, even if it involves some stretching to do so.

The article has also demonstrated that the anti-device provisions of the DMCA are substantially overbroad and need to be revised. The principal intent of Congress was to ban the development and deployment of "black boxes" that promote and enable piracy of copyrighted works.²³¹ However, the ban is far broader than this and threatens to bring about a flood of litigation challenging a broad range of technologies, even where there is no proof that the technologies have or realistically would be widely used to enable piracy.²³² The legislation is also unclear about a crucial question: whether it is lawful for people to develop or distribute technologies that will enable implementation of the exceptions and limitations on the circumvention ban built into the statute.²³³ Did Congress intend to allow people to exercise these privileges, or did it intend to render these privileges meaningless because the technologies to enable the excepted activities have been made illegal? No clear answer to this question emerges from a careful study of the anti-circumvention provisions. While legislative clarification of this issue would be desirable, most likely the courts will have no choice but to address this question. Because of ambiguities in the statute, it is unclear how courts will resolve disputes in which such questions will be posed.

Finally, this article urges that the anti-circumvention provisions be subject to periodic interagency review that would consider their impact as a whole.²³⁴ The DMCA includes a provision authorizing the Librarian of Congress to study the impact of the act-of-circumvention provision and make a determination about whether this provision interferes with the ability of certain classes of users to make noninfringing uses of certain classes of copyrighted works.²³⁵ This provision is too narrow in at least two respects. One is that it does not perceive the potential impact of the device bans on the ability of users to make noninfringing uses of copyrighted works. The Librarian of Congress can and should consider this as well.²³⁶ A second is that the DMCA's study provision does not recognize other kinds of potential harm that the anti-circumvention provisions may do to competition and innovation in the information technology sector.²³⁷ Because of the unprecedented character of the anti-circumvention provisions and their overbreadth, it would be highly desirable for a broader study to be undertaken of the impact of these regulations with an eye to recommending changes to remedy unintended harmful consequences they may be having.

Before concluding this article, it is perhaps worth noting that as yet relatively few copyrighted works are being distributed with technical protection systems built in.²³⁸ Much research and development work is, however, underway to develop such systems.²³⁹ Many copyright owners seem to hope or expect that such systems will be widely used for a broad range of work in the not-too-distant future and that these systems will stop piracy and other unauthorized and arguably unlawful uses of copyrighted works.²⁴⁰

One factor that will significantly affect how widely technical protection systems will be deployed and how tightly they will restrict uses of copyrighted works is how consumers will react to them.²⁴¹ Copyright owners may feel far more secure if their works are technically protected so well that no unauthorized uses can ever be made of them. However, economists Carl Shapiro and Hal Varian argue that copyright owners must consider this:

Competition among information providers may also affect the successful deployment of technical protection systems. If one information provider tightly locks up his content, a competing provider may see a business opportunity in supplying a less tightly restricted copy to customers who might otherwise buy from the first provider.²⁴⁵ A competitive alternative to tight technical controls may well be to adopt one of the several strategies that Shapiro and Varian discuss to show how content providers can take advantage of the opportunities presented by digital technologies, rather than being overwhelmed by the risks.²⁴⁶ There are, they say, many other good business models out there waiting to be invented by creative content providers.²⁴⁷

If content providers come to believe that a good business model is the best way to protect intellectual property from market-destructive appropriations, perhaps the current debate over the DMCA's anti-circumvention regulations will seem in time like a tempest in a teapot. However, in the meantime, the impact of this legislation should be closely watched because of its potential for substantial unintended detrimental consequences.