August 1, 2002 5:58 PM PDT
HP backs down on copyright warning
WASHINGTON--Hewlett-Packard has backed away from legal threats it made against security analysts who publicized flaws in the company's software.
In a statement released late Thursday, HP emphasized that it would not use a controversial copyright law, the Digital Millennium Copyright Act (DMCA), to pursue a loosely organized team of researchers who demonstrated a bug in the company's Tru64 Unix operating system.
"We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security," the statement said.
As previously reported, HP invoked the DMCA and computer crime laws when threatening to sue a collective of researchers who released a utility allowing a Tru64 user to gain full administrator privileges. An HP vice president sent a letter on Monday warning the SnoSoft researchers that they "could be fined up to $500,000 and imprisoned for up to five years."
HP's dramatic warning appears to have been the first time the DMCA was invoked to stifle research related to computer security. Previously it had been used by copyright holders to pursue people who distribute computer programs that unlock copyrighted content such as DVDs or encrypted e-books.
This time, public outcry among programmers, researchers and technologists was quick and fierce, prompting HP to back down from its stark warning earlier in the week.
"Let's just say it's been significant," Martin Fink, general manager for HP's Linux Systems Operation, said in an interview on Thursday. "The fact that customers care is a good thing. And that's why we need to make sure what the true HP position is."
Fink said security researchers should have no fear of legal warnings from HP "if you reveal security threats using industry standard security practice." He said the DMCA was "not a part" of HP's corporate culture.
"I am glad that HP backed down," Adriel Desautels, co-founder of SnoSoft, said Thursday evening, "but I would still like to know how exactly they planned on using the DMCA against SnoSoft. I am happy that we appear to be coming to a peaceful resolve."
HP said that it had been alerted to the security vulnerability in Tru64 Unix on July 18 and would have a fix available to customers no later than Saturday.
On July 19, a researcher at SnoSoft posted a note to SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a computer program letting a Tru64 user take over the system. SnoSoft says the post by a group member called "Phased" was unauthorized.The letter and the law
That public disclosure drew the ire of Kent Ferson, a vice president in HP's Unix systems unit, who alleged in his letter on Monday that the post violated the DMCA and the Computer Fraud and Abuse Act.
"HP hereby requests that you cooperate with us to remove the buffer overflow exploit from securityfocus.com and to take all steps necessary to prevent the further dissemination by SnoSoft and its agents of this and similar exploits of Tru64 Unix," Ferson wrote. "If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith."
The letter's invocation of the DMCA was a last-minute addition by an outside lawyer, HP said.
Fink, HP's Linux manager, said on Thursday that he could not discuss whether his employer would pursue other legal action against SnoSoft that did not rely on DMCA. The HP statement said, "We won't comment on the specifics of our discussions with SnoSoft. However, we take our customers' security requirements very seriously and have a strong track record following industry-standard security practices."
HP's initial letter accused SnoSoft of attempts at extortion in violation of Massachusetts state law. Until Wednesday, SnoSoft's home page stressed that it had a policy of "full disclosure" of security threats--unless that company retains SnoSoft as consultants.
"If someone hires us to do research, we cannot disclose that information since the information becomes theirs--they purchase it," said Snosoft's Desautels.
SnoSoft said in a statement that it intends to "continue serving the community by finding and reporting security vulnerabilities in a broad spectrum of operating systems, software applications, and other hardware and software systems."
Bruce Perens, the open-source evangelist whom HP hired two years ago, said HP's final statement is acceptable.
"The important thing is that HP was not attempting to establish a precedent, that use of DMCA to intimidate people who report security problems was not corporate policy," Perens said in an interview. "Obviously I did not want HP to be the poster child for abuse of the DMCA."
Perens said that some executives did not realize what a "hot button" the DMCA was. "Certainly the engineering staff all spoke up about that," he said. "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."
One explanation for the company's lack of appreciation for the DMCA's controversial nature could be the culture clash that developed when Compaq Computer and HP were joined. The vice president who sent the DMCA threat, Ferson, came from Compaq.
But Fink, HP's Linux manager, says that's not likely. "Not everybody in a 150,000 person company deals with the complexity of the DMCA and what real impact it has in the industry at large. This wasn't anything to do with culture clash or anything like that."