Edward Felten, a professor of computer science at Princeton University, and a team of colleagues decided to take up the challenge. Within a very short time, they had cracked all four selections. [See "Breaking the Code Crackers," May 7.] But before Felten could publish the paper describing the strategy, and hence the weaknesses in the SDMI system, lawyers for the Recording Industry Association of America (a member of SDMI) sent him a letter demanding he destroy his research, and threatening that publication "would subject your research team to enforcement actions under the DMCA."

The reference was to Congress' 1998 Digital Millennium Copyright Act. That law essentially makes it a crime to build or distribute tools for circumventing copyright protection measures - regardless of the purpose of the circumvention and regardless of the means. The law purports to provide more airtight protection for copyrighted material than copyright law itself protects copyrighted material. Under copyright law, a user has the right of fair use. Under the DMCA, the user has a right to fair use only if the code of the copyright protection scheme permits it. If the code does not permit fair use, then the user commits a crime if he makes and distributes tools that would enable others to crack the copyright protection system, even for purposes of fair use. The law thus gives industry coders more control over copyrighted material than the Constitution gives Congress.

The RIAA insists this battle is about promises - Felten promised, the RIAA says, not to release his results except under the terms the industry group set. But this misses the point. In its letter to Felten, the RIAA made clear it believed he would not have had the right to study the SDMI's system for encrypting digital music without the permission of the RIAA. The group thinks that Congress, through the DMCA, has given it the right to control who does what research and when. If a scientist does research that the RIAA doesn't like, its lawyers believe they can then threaten that scientist with criminal prosecution.

So here's the picture: The RIAA and others get to build code that in effect displaces copyright law. But unlike copyright law, the only people who get to study this code are the people the codewriters permit. If someone else studies and criticizes the code, then a member of that consortium - the RIAA - can threaten the misbehaving scientists with prosecution. (In classic form, once the story broke, the RIAA insisted it "does not - nor did it ever - intend to bring any legal action against professor Felten." Apparently its letter warning Felten about his being "subject ... to enforcement actions" was just a bit of free legal advice.)

Someone's on the wrong planet here. In America, we don't hand over the exclusive right to conduct research to industry consortiums; we don't give lawyers hired by industry consortiums the right to threaten criminal prosecution when the results of that research don't prove the party line. If the RIAA believes this is what legislators did when Congress approved the DMCA, then it is time for the courts to remind the RIAA of a few lessons from high-school civics: We don't use the law to punish critics, and it can't be a crime to point out flaws.

The copyright thugs don't get this. They insist they're just trying to stop "piracy." But pirates don't publish in academic journals. And everything that might help a pirate is not a crime. The Felten affair is one more example of why it is a mistake to hand over copyright policy to industry lawyers. Yet the sad fact is that this is just what Congress's DMCA has done.