>> `(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person
>> qualifies for the exemption under paragraph (2), the factors to be
>> considered shall include--
>> `(A) whether the information derived from the encryption research was
>> disseminated, and if so, whether it was disseminated in a manner
>> reasonably calculated to advance the state of knowledge or development
>> of encryption technology, versus whether it was
>> disseminated in a manner that facilitates infringement under this
>> title or a violation of applicable law other than this section,
>> including a violation of privacy or breach of security;

My reading of these paragraphs is that basically, you don't start
out by releasing a program that script kiddies can download and
use to break stuff.

You can present your paper at defcon, as long as there's not an
executable.

You can create an executable, with source code, package it up and
send it to the copyright owner with a note that says "your protection
is broken: here's the proof."

You can shout at the top of your lungs that their crypto is broken,
on all kinds of forums.

You can engage in your right to fair use using your own executable,
i.e., taking a five-second clip and using it in an original work
where it's seen in the background as your protagonists stroll by
arguing about the new sushi restaurant.

But what it looks like is, you cannot publish that executable, nor
make it possible for anybody else to engage in their right to fair
use.

Something may appear in an anonymous channel, and if it's not
traceable to you -- or downloadable from your website, etc. --
then they may sue you for having done the research that made it
possible, but they will lose.

Of course, there is life outside the USA, and I'm sure some kid in
Italy or Finland or Russia will cheerfully read your paper and
implement the thing you describe and release it. But that kid
better not visit the USA anytime real soon unless that kid publishes
anonymously.

I think a lot of the flaws with the DMCA could be fixed by allowing
an exemption for a "notice period" -- one year after you notify them
that their crypto is broken, they've had enough time to fix it --
and if they haven't fixed it, they deserve what they get.

Bear