March 5, 2015


Finnish Court: Okay to Circumvent DVD DRM

A court in Finland ruled last week that it is not a violation of that nation’s anticircumvention law to circumvent CSS, the copy protection system in DVDs. Mikko Välimäki, one of the defense lawyers, has the best explanation I’ve seen.

Finnish law bans the circumvention of “effective” DRM (copy protection) technologies. The court ruled that CSS is not effective, because CSS-defeating tools are so widely available to consumers.

The case is an interesting illustration of the importance of word choice and definitions in lawmaking. The WIPO copyright treaty required signatory nations to pass laws providing “effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of the rights …” Reading this, one can’t help but notice that the same word “effective” describes both the remedies and the measures. The implication, to me at least, is that the legal remedies only need to be as effective as the technological measures are.

The Finnish law implementing the treaty took the same approach. In language based on an EU Copyright Directive, the Finnish law defined an effective technology as one that “achieves the protection objective” (according to Mr. Välimäki’s translation). The court ruled that that doesn’t require absolute, 100% protection, but it does require some baseline level of effectiveness against casual circumvention by ordinary users. CSS did not meet this standard, the court said, so circumvention of CSS is lawful.

U.S. law took a different approach. The Digital Millennium Copyright Act (DMCA), the U.S. law supposedly implementing the WIPO treaty, bans circumvention of effective technological measures, but defines “effective” as follows:

a technological measure `effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work

Some courts have read this as protecting any DRM technology, no matter how lame. It has even been held to protect CSS despite its notoriously weak design. It’s even possible that the structure of the U.S. DMCA helped to ensure the weakness of CSS – but that’s a topic for another post.

One of the tricks I’ve learned in reading draft legislation is to look closely at the definitions, for that’s often where the action is. An odd or counterintuitive definition can morph a reasonable-sounding proposal into something else entirely. The definition of a little word like “effective” might be the difference between an overreaching law and a more moderate one.


  1. It seems surprising that neither standard has any mention of reasonableness. The US law does seem worded to protect any DRM scheme, but the Finnish law seems to invalidate almost any DRM scheme that has been demonstrably cracked. Consider AACS–does it achieve its protection objective? If HD movies are easily available unlocked on BitTorrent, AACS has failed to protect its content. Now, AACS is certainly far harder for the average user to crack than CSS, but would it be illegal for users to do so? Further, does AACS’s protection objective evolve? In other words, are movies crackable with the widely spread doom9 key out of luck in the Finnish system, while new ones with as-yet-undiscovered keys maintain their status? It would seem that a reasonableness standard would resolve the issue: for a reasonable person, CSS is dead and gone, but AACS is still (at least for the moment) kicking.

  2. The reasonableness standard seems problematic, to me. Do they mean that the manufacturers took reasonable efforts to protect their content? Or does it mean that fair use was protected, to a reasonable extent? Or does it address the encryption algorithm used to protect content? It seems like you could make an argument, based on the second scenario, that all forms of DRM are “unreasonable” because they limit constitutionally protected forms of derivative speech (parody, education, etc.).
    Also, using the third (my) interpretation, it seems like content protection would fall off as soon as someone published a pretty simple way to crack the encryption. I mean, at some point DES was considered secure (don’t laugh). What if AES or 1024-bit public key cryptography become “insecure” in the near future? Does that invalidate all content protection secured with these algorithms? Also, if I encrypted an mp3 of my own idiotic ravings using DES, could I sue someone under DMCA for breaking the encryption, even though it was trivially easy to do so?
    None of this affects the position of the media cartels, at any rate. The potential market loss in Scandinavia due to piracy is trivial compared to the actual losses in China and developing markets. There is probably no way to control this, in the short term. The problem now is that they are losing their core market, since everyone is unhappy with them. The companies need to “compete with free” by offering cheap, convenient downloads. Their current business model is already in the dinosaur age.

  3. Maybe the reason you’re having trouble defining “effective” or “reasonable” is that they can’t be defined. In this day and age, once a cryptographic lock is picked, the code to get at the content (assuming the content is broadly desired) will be broadly distributed. So, as comment #1 points out – this is a catch-22 for the cryptographers. OTOH, the way the US is construing it, the bar is so low that tying a piece of string around a CD case could be considered “effective control” of the contents of the CD.

    My feeling is that these DMCA provisions are entirely pointless and ineffective anyway, since, as has been demonstrated many times already, it isn’t possible to prevent people from picking the locks or from distributing the code to do so. It isn’t even possible to define what constitutes “code” – as we learned when Prof. Felten got sued!

  4. I am little confused by this whole thing. It would seem to me that prior to a DRM scheme being broken, the scheme is effective. After all, no one is getting unfettered access to the copyrighted material. After it is broken, and the code to do so is widely distributed, then it seems, at least in Finland, the scheme is deemed ineffective and people can freely use the content so long as they don’t violate copyright law.

    But what about the time in the middle? Does the first crack violate the law? At the time the crack is made, the DRM scheme is effective. After the crack is demonstrated, but before its widely distributed, it seems that the logic applied by the Helsinki court would still deem the mechanism effective. Therefore, distributing the crack is in violation of the law. But then it seems that the court has said that if the law is violated long enough, then suddenly the DRM scheme is no longer effective, and consequently, it is no longer a violation of the law to distribute a circumvention mechanism.

    Am I misunderstanding something? Are others equally troubled by this?

  5. avatar Dr. Scumm says:

    It sounds like DRM in Finland is now governed by a close cousin of trade secret law — you have remedies to try to keep the cat in the bag, up to a point, but once the cat’s out of the bag and roaming widely, that’s it — game over.

    Actually, treating DRM keys and the like as trade secrets makes more sense than giving them special treatment with special laws.

  6. avatar Mikko Välimäki says:

    Dr Scumm, I’ve come to the same conslusion as you: legal protection of DRM in Europe is pretty much the same thing as trade secrets. There are some subtly differences, however.

    Me and all of the colleagues I’ve talked to agree that the language “achieves the protection objective” in the directive makes “effectivity” subject to an empirical test. Like trade secret being really a secret and not in the public. However, according to the Helsinki court it is not enough that a DRM system is circumvented and the solution out there, it must be also easy to circumvent for any random end user.

    I offered two potential empirical tests to the court. More stronger version would be to say that when technology experts can circumvent a protection measure, it is ineffective. There were two experts who told exactly this, pointed out technical flaws in CSS etc. However, the Helsinki court did not buy that one. Instead, they opted for the weaker version of a random end-user being able to circumvent. The experts demonstrated how easy it is to download circumventing players and rippers and that was it. Anyway, I think the decision could have been even worse from the perspective of DRM companies and I could imagine that some other European court would have accepted the strictest test. After all, this was a criminal case and the interpretation of the law should favor defendants.

  7. Law throughout Europe is generally like that on a wide range of issues and extends to all sorts of matters of confidentiality etc. For example, once “Spycatcher” had been published in countries where it was not illegal so to do, the UK courts held that the secrecy having gone, they would no longer prohibit publication in the UK.

    It’s amazing where secrets do turn up.

    take a look at this post

    That is, indeed, the mk3 processing key.

  8. John:
    Hmm.. mk3, the Blueray player? I did download the updated firmware for the Samsung and Philips Blueray players (which has almost the same software).

    I thought it should be encrypted, but it was not. Not everything, maybe some stuff where encrypted but you can very easy download the zipfile, extract the firmware and browse the 48 meg file with a hexeditor and you have a lot of information.

    Like it’s running VmWorks for instance. You can also find a lot of javaclasses and and not even them are obfuscated, they are even compiled with debug information. So it would be very easy to extract the classes (for the security for instance) and decompile it and have a look.

    I’m not an expert att dissasembling stuff (did that 15 years ago on the Amiga :-) and not an expert at hardware. But I was amazed that it seemed to be totaly open.

    A link for those who want to tinker:

  9. avatar Anonymous says:

    The trouble is that once a secret is public, it has lost its secrecy and that cannot be restored. Secondly, it is difficult, if not impossible, to encrypt a message in such a way as the recipient that has to see the decrypted version, and has to possess the decryption mechanism, cannot start hacking into it.

    Yet the studios appear to be obsessed with pursuing the Holy Grail that does not exist – and appear to not be bothered about what they do to try and achieve it.

    For example, Sony are now on the receieving end of litigation which alleges that aacs itself infringes patents:


    And Movielabs, a studio consortium, are now inviting suggestions for making encryption keys secure in software players.

    If that is not an admission that the current implementations of aacs are no good, I don’t know what is.

  10. It seems to me that with the Finland ruling, DRM in Finland (in the whole EU?) is now something like a trade secret — once it’s widely enough known it’s no longer protected as a trade secret.

    Which suggests that all the DRM anticircumvention laws can just go anyway — companies can just use existing trade secret laws. Those have long been tuned to balance free speech and research interests against corporate ones. Unlike anticircumvention laws.