August 25, 2016

Ruling in Garage-Door-Opener Case

An important ruling was issued yesterday in the Chamberlain v. Skylink lawsuit. (See this previous post for a summary of the case.)

The court denied Chamberlain’s motion for summary judgment. Although this is only a ruling on a preliminary motion, the judge used it to offer her analysis of how the DMCA applies to the apparent facts in the case. In short, she ruled that it is not a violation of the DMCA for Skylink to make a replacement remote control that can open Chamberlain-brand garage door openers.

Chamberlain uses a simple cryptographic protocol to authenticate the remote (the small push-button device you keep in your car) to the opener (the big unit attached to the garage ceiling). The purported purpose of this is to prevent bad guys from recording the signals sent by the remote, and replaying them later to open the door when the homeowner is gone. The protocol includes a resynchronization mode that is used when the remote and the opener somehow get out of sync. Skylink’s replacement remote uses the resynchronization mode every time. Chamberlain argued that by doing this Skylink was circumventing Chamberlain’s authentication protocol, and that the protocol controls access to the copyrighted software running in the opener. Chamberlain concluded that Skylink’s actions ran afoul of the DMCA’s ban on devices that circumvent (without permission) measures that control access to copyrighted works.

The judge ruled that Skylink was not violating the DMCA, essentially because consumers have permission to open their own garages. You might think this sensible conclusion was easy to reach, but it was not. The judge’s problem was that in a previous DMCA case (Universal v. Reimerdes) a court had ruled that consumers do not have permission to view their own DVDs, except on devices “authorized” by the copyright owner. (To be more precise, the Reimerdes court ruled that whatever permission consumers had did not create an exception to the DMCA.)

The toughest part of the Chamberlain judge’s opinion is the part that tries to reconcile her ruling with the previous Reimerdes ruling. (This is on pages 25 and 26 of the ruling, if you’re reading along at home.) I have to admit I don’t fully understand this part of the judge’s ruling. Ernest Miller at LawMeme is scornful, saying that the judge used tortured reasoning, based on artificial distinctions between the cases. Derek Slater says that the judge should have simply admitted that her ruling is inconsistent with Reimerdes. (She is allowed to be inconsistent, because Reimerdes was decided in a different circuit and so is not binding precedent for her.)

I’m not sure what to think about this. I hope the issue will become clearer after more discussion.

Comments

  1. The technical details of this “protection mechanism” are laughably simple, as will likely be more and more the case. One day we may look back at CSS wistfully.

    The explanation in the introduction of the order denying summary judgement confuses “factor of three” for “increased by three” and doesn’t untangle Chamberlain’s “4096” and “1024” numbers, which are really one-third of that. See the transcript for the best technical description of both Chamberlain’s system and Skylink’s alternate approach.

    The interesting thing here is that Skylink’s opener works on a fundamentally different principle than Chamberlain’s system: Chamberlain transmits different values each time (the “rolling code”), while Skylink seems to have cut costs (perhaps?) by transmitting a *fixed* signal each time. They cleverly managed to find a sequence of three fixed values that always triggers Chamberlain’s openers.

    This difference in principle and operation seems to indicate that Skylink likely did not ever look inside Chamberlain’s system, much less access/extract the copyrighted source of either the transmitter or receiver. It seems clear that you need only observe the transmitted signal to pretty easily reconstruct the step-by-three operation of the transmitter, and similar observation of the receiver’s response to different inputs will directly lead to the rest.

    Another interesting tidbit is that it is unclear whether “code grabbers” even exist as a threat. Chamberlain claims they do, but their engineers seem to indicate that the “rolling code” approach was really meant to eliminate interference from airplanes. It seems more likely (to me, at least) that “rolling codes” were really introduced to defeat clone garage-door-openers (like Skylink’s) which relied on fixed codes. But Chamberlain’s engineers goofed, and came up with a system that was still vulnerable to (compatible with) fixed code openers.

  2. Carl Witty says:

    My favorite quote from the transcript: “…when a family is unfortunate enough to make the decision to buy a Chamberlain garage door, they no longer have access to their own house except at the sufferings of Chamberlain.”

    (The quote appears on page 29 of the transcript, as part of a hypothetical question; on page 49, referring to the above statement, Chamberlain’s lawyer says “…probably that’s true.”)

    Two things strike me about the “protection mechanism”. First, given the description in the transcript, it seems likely that you can only use one garage door remote per garage door; if you wanted to have multiple family members with their own garage door remote, you would have to throw away your Chamberlain remote and buy several Skylink remotes. Second, it is a classic case of “security by obscurity” (that is, no security at all); a technically competent implementor of “code grabbers” could easily bypass this security mechanism.

  3. Joshua Tauberer says:

    I would have thought the issue in this case is what is meant by access to a copyrighted work. The DMCA was created to control copying of works, which involves having access to read a work. Is any other type of access relevant to copyright law? Except when the work is computer code (in which case there is access to run the code), read access seems to be the only type of access that exists.

    Skylink didn’t ever obtain read access to the copyrighted computer code through its remotes, so, IMO, its remotes didn’t circumvent anything.

  4. That’s one of the more unpleasant aspects of the DMCA, in my opinion: the word “copyright” in its title leads people to assume that it necessarily has something to do with copyright, but many of its provisions actually don’t. (IANAL, etc.) The DMCA criminalizes the circumvention of certain access devices. Whether that circumvention might allow an actual copyright infringement to take place is irrelevant.

  5. cypherpunk says:

    No, Wim, the DMCA definitely has to do with copyright, located as it is within Title 17 of the U.S. Code, which is the copyright section.

    The real issue here is whether to read broadly the DMCA’s language about controlling access to a “work protected under this title” (i.e. Title 17, therefore this means a work protected by copyright). Does this include every access to a computer system or device whose source code happens to be copyrighted?

    That is obviously not the intent of the legislation. All of the examples which motivated the DMCA had to do with violations of copyright. These are issues like redistribution, making personal copies, unauthorized file sharing, and so on. None of this has to do with functional access to a device which has some copyrighted software in it.

    By this broad reading, using a rock to break into someone’s car would be a DMCA violation if the engine happened to use a microchip with a copyrighted program on it. This is clearly not a case which is intended to be covered by the DMCA, based on its placement within the copyright code and by the legislative history. You’re not violating copyright when you steal the car, and nobody violated anyone’s copyrights by gaining unauthorized access to the garage door opener.

    The real problem with this case is not Reimerdes, which was a very reasonable application of the DMCA where the protections involved were exactly of the type the DMCA was intended to address. The problem is Lexmark, where a replacement printer cartridge was claimed to violate the DMCA by managing to interoperate with the printer, which contained copyrighted software. This case is closely parallel to the garage door opener situation, and the fact that the court granted a TRO in Lexmark presents a problem in the present case.

    The one salvation is that Lexmark is not fully adjudicated and it is possible that with the aid of some amicus advice and more careful analysis that the judge could change his mind. It is important going forward that we keep in mind that the DMCA is about COPYRIGHT VIOLATIONS, and specifically devices which circumvent technology that protects against COPYRIGHT VIOLATIONS. You can’t extend this to every case where some copyrighted data happens to be within the security perimeter.

  6. cypherpunk says:

    Let me add a pointer to a LawMeme post which also emphasizes the distinction between protecting access to a copyrighted work like a movie, and protecting access to a garage. This writer expresses the difference in terms of “misuse of copyright”, that under the pretense of protecting access to the copyrighted computer code in the garage door opener, the company is actually protecting access to the garage, a much larger scope.

    It’s an interesting theory although IMO a careful reading of the DMCA within its legislative context does not require us to go to these lengths. Still we end up at the same point, that Reimerdes is right, Lexmark is wrong and the judge is on the right track in this case.

    http://research.yale.edu/lawmeme/modules.php?name=News&file=comments&sid=1187&tid=2661

  7. The difference between Reimerdes and unauthorized DVD viewing is that there is no way to view a DVD without “copying” it.

    That is, one cannot watch a DVD movie (or otherwise examine the data on the DVD) until data on the disc has been copied into a memory device (e.g., RAM in the DVD player or computer).

    Courts have held that transferring data from one physical medium (DVD) into another (RAM) does constitute “making a copy,” and thus may be regulated by copyright law. (OK, I disagree. Unfortunately, no one’s appointed me to a federal bench.)

    Since Reimerdes does not involve copying (in the sense described above), it belongs in a different legal category.

  8. re Caligula’s last post; while courts may have ruled that copying data to RAM consists of making a copy, at least one court has significantly ruled that making a copy to RAM does not consist of an infringing copy. While I don’t remember the case, I do recall that this very point was debated in a court, and I believe the court came down as I describe.

  9. Copywronged again

    You might think you had the right to open your own damn garage door. Not necessarily. (Muchas gracias: Hanah at…

  10. ok wat ever. this case sucked. make u sure u email me back. ok?