America’s Digital Millennium Copyright Act (DMCA) has been on the receiving end of ‘geek wrath’ for some time. Passed in 1998, it was drafted in order to extend US copyright laws to protect digital assets and to outlaw digital piracy.
But while legislators intended the Act mainly to cover software and media piracy, opponents argue that it is so badly worded that it covers many otherwise harmless acts. Among the many things the DMCA prohibits is the disclosure of information about security vulnerabilities – because that information could potentially be used to circumvent computer security measures.
Now Red Hat, a distributor of the Linux open source operating system (OS), has waded into the fray. In October 2002, the company released a security patch for its version of the Linux OS. But under the rules imposed by the DMCA, Red Hat executives claim, they can only explain the purpose of the patch to non-US citizens.
Red Hat says that fear of prosecution under the DMCA means neither it nor the Linux community of developers that created patch RHSA-2002-158 is willing to publish details of how it works. Doing so, the company argues, would put it in violation of the DMCA.
Taken to its logical conclusion, this argument implies that anyone running a bug tracking list – as many organisations and individuals do – is liable for prosecution under the Act.
Granted, Red Hat’s motivation is a desire to highlight flaws in the DMCA rather than any real fear of prosecution. But if US academics can be taken to court for exposing weaknesses in watermarking technology, as has already happened, nothing seems out of the question under the Act.
For further reading on software patch management, see this month’s feature, ‘Patch panic’.