[Free-sklyarov-uk] [Fwd: RE: ebooks] WHSmith on their ebooks

[Edward Welbourne]

> Under current UK law, the eBook encryption is (imo, but ianal)
> breaking the bit of law linked to above

of even this I remain unconvinced.  The relevant bit of law says stuff
about what the purchaser can do with the purchased work.  Adobe still
permit you to sell your copy of an e-book to someone else - the law
voids any attempt on their part to forbid this - however, the second
purchaser gets something actually useless.  The law never thought to
address such a possibility because it was not feasible with books.
The law doesn't say `the vendor shall not ensure that secondary
purchasers are unable to read the book' because the law's authors
could see no way that the vendor could do so.

What might be interesting, though: the law may very well say things
about how the first purchaser can only sell the work on `in its
original condition' or at least without substantive change to the
content of the work.  In such a case, the vendor has conspired with
Adobe to ensure that the first purchaser only has a version which has
already been tampered with.  That might lead to some interesting
repurcussions: the purchaser sells the work on to someone else who,
naturally, can't read it, sues the purchaser, wins; the first
purchaser then sues the original vendor for conspiring to put them in
this fix.  IANAL either, though, and I don't see where this could go.

However, from a technical point of view, I simply don't see how the
claimed protection can work.  I only have to do a man-in-the-middle
attack on the e-book reader's download of the file purchased: I record
the bytes sent across the wire from vendor to e-book reader and,
bingo, I've got the bytes I need to send to a second e-book reader,
etc.

Unless, of course, the e-book reader sends a key to the vendor, which
the vendor then uses to encode the data before sending in reply; in
which case my robot-in-the-middle just has to intercept the reader's
key, generate a suitable key-pair, forward half of this, receive the
bytes from the vendor, decrypt them with the other half of the
generated key (save these bytes), encrypt them with the reader's key
and send them on.  Subsequently, those saved bytes can be used by a
robot which will serve up the e-book to any reader which asks, without
involving the vendor.  Again, no problem: utterly mundane attack; in
the literature, but any idiot could have thought of it.

It would appear that my fair use rights cannot possibly be exercised
without doing such an interception, so it should be arguable that such
an interception is legal (provided, of course, my robot doesn't
subsequently pass on those saved bytes to anything that I can't
reasonably insist be construed as `me' - my other computer, my
hand-held, etc.) regardless of its resemblance to a crack.  Just
maybe, silly laws - to enable big brother to demand that my ISP
provide all the bytes I've downloaded - might even *oblige* my ISP to
do this.

Extending legal protection to a vendor's ability to lie about their
products is pernicious.  It does not serve the public interest.
Death to the EUCD, DMCA and all who sail in them !

	Eddy.