October 30, 2024

Bernard Lang Reports on the Proposed French DRM Law

[Bernard Lang, a prominent French computer scientist and infotech policy commentator, sent me an interesting message about the much-discussed legislative developments in France. It includes the first English translation I have seen of the proposed French law mandating open access to DRM technologies. He has graciously given me permission to post his message here, with some minor edits (mostly formatting) by me. Here is his report and commentary:]

The new French law on copyright (our own local version of DMCA), is called DADVSI for “Droit d’Auteur et Droits Voisins dans la Société de l’Information.”. “Droit voisins” stands for derived activities and works, mainly the work of performing artists – I translate it below as “adjacent rights”, not knowing a better or standard translation.

This copyright law is supposed to transpose into French Legislation the European Copyright directive of 22 May 2001.

The law was sent on a fast track procedure (meaning only one reading, rather than three, in each chamber), because it should have been passed a long time ago, and France may be fined by Brussels for being late. It has now passed the MP reading. This unique reading was supposed to take fifteen hours. It took sixty and got more publicity than the government wanted. It will be submitted to the senate in May. The current text and related documents are available online (just in case you read French and are interested).

I will not go into all details of that law, and keep to one aspect that is actually positive. The law also has many regressions that go beyond DMCA or anything accepted in other countries, such as the so-called “Vivendi-Universal” amendments, that have become articles 12-bis and 14-quater (this is temporary numbering) in the current text. These somewhat unprecise articles allow penal (12 bis) or civil (14 quater) suits against software authors whose software is “manifestly” used for illegal access to works.

The point I want to discuss is mostly in article 7, which essentially tries to turn any technical protection measure (TPM) into an open standard. We are lucky in that we have here a legal definition of what is an open standard, which specifies that the standard must be freely usable (including that it is not encumbered by IP).

One interesting fact is that this article 7 did not have most of these clauses when first voted during the debate. Then, on the last day (night ?) of the debate, after the last article, they reopened the debate on article 7 and voted the current version at 3h00 am. This was not a complete surprise, since it was known that several majority MPs were negotiating with the government.

Article 7 of the law (I am losing some technical legal subtleties in the translation, for lack of knowledge of legal vocabulary) actually creates a new article in the French Intellectual Property Code that states :

Article L. 331-5. –

Effective technical measures intended to prevent or limit uses unauthorised by the rightholder of a copyright or an adjacent right of any work, other than software, interpretation, phonogram, videogram or audiovisual program, are legally protected under the condition stipulated here.

Technical measures, in the sense of the previous paragraph, are understood as any technology, device, component, which, within the normal course of its operation, realizes the function intended in the previous paragraph. These technical measures are deemed effective when a use considered in the previous paragraph is controlled by means of an access code, a protection process, such as encryption, scrambling or any other transformation of the protected object, or a copy control mechanism, which achieves the protection objective.

A protocol, a format, a method for encryption, scrambling or transforming does not constitute as such a technical measure as understood in this article.

The technical measures should not result in preventing actual use of interoperability, not infringing copyright. Technical measures providers must give access to the information essential to interoperability.

By information essential to interoperability, we mean the technical documentation and the programming interfaces necessary to obtain, according to an open standard in the sense of article 4 of law n° 2004-575 of june 21st 2004 for trust in numerical economy, a copy of a reproduction protected by a technical measure, and a copy of the numerised information attached to this reproduction.

Anyone concerned may ask the president of the district court, in a fast track procedure, to compel a technical measures provider to provide information essential for interoperability. Only the logistic costs can be requested in return by the provider.

Any person desiring to use interoperability is allowed to proceed to decompiling steps that might be necessary to make essential information available. This disposition is applicable without prejudice to those of article L. 122-6-1. [note: this is the article regarding software interoperability that transposes into French law the part of the 1991 European directive regarding interoperability and some other provisions.]

Technical measures cannot be an obstacle to the free use of the work or the protected object within the limits of the rights set by this code [i.e. the French code of Intellectual Property] as well as those granted by the rights owners.

These stipulations are without prejudice to those of article 79-1 to 79-6 of law n° 86-1067 of September 30, 1986 regarding freedom of communication.

One cannot forbid the publication of the source code and technical documentation of independent software interoperating for legal purposes with a technical protection measure of a work.

No guaranties are offered for this translation, and I am not a lawyer 🙂

Some of the stipulations of this article are a little bit unclear, because of other articles (13 and 14) that may limit certains rights, especially in the 3rd paragraph from bottom. … It is not clear which prevails.

This text does not say that TPM must be open standards, but they they should be essentially like open standards, as long as they are not covered by patents … and we are not supposed to have software patents at this time, in Europe.

Now there have been strong international reactions to this text, some of which are reviewed on my web site, in English and/or French.

I was particularly interested in the comment by U.S. Commerce Secretary Carlos Gutierrez, in an article, “Commerce chief supports Apple’s protest over French law,” from America’s Network on March 24:

“But any time something like this happens, any time that we believe that intellectual property rights are being violated, we need to speak up and, in this case, the company is taking the initiative,” AFP quoted [Gutierrez] as saying [on MSNBC]. “I would compliment that company because we need companies to also stand up for their intellectual property rights.”

This is interesting, because I have been supporting for some time the view that DMCA-like legislation was actually attempting to create a new intellectual property right, a “DRM right”, that gives exclusive rights to the initial users of a DRM format to develop software interacting with it. Of course, no one, to my knowledge, would actually acknowledge the fact. [This is similar to what Peter Jaszi and others have called “paracopyright” in the U.S. – Ed]

Interestingly, one purpose of this new IP right is to prey on cultural creation and creators by controlling the distribution channels, while pretending to offer what seems to be mostly an illusion of protection.

The limitations of the French law just restrict technical measures to be what they are supposed to be: a protective device (for whatever it is worth), without giving any control to people other than the (rightful ?) rightowners of the work.

Without interoperability as required in the French law, DRMs (or TPMs if you prefer) behave pretty much like patents on formats and distribution models, without even requiring innovation, nor official application and examination, and without a time limit or compulsory licensing.

Now, I seem to recall that an obscure American legal document stating that:

The Congress shall have Power […] To promote Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries

is the basis for the existence of IP in the United-States.

If indeed, as asserted by Mr Carlos Gutierrez, the French law will infringe on Apple’s IP rights, these rights can only be in Europe (no software patents, recall) the new “DRM rights” I have been discussing above, and that are the consequence of the DMCA.

But if that is the case, this “DRM rights” require no novelty, nor are they limited in time, even in a formal way. Hence they can only be unconstitutional.

There are other interesting comments in the press. My preferred ones are :

French on to something with iTunes law, say analysts
Reuters, ZDNet, March 20, 2006.

Analysts say the French are on to something that the rest of the world has yet to figure out: It needs to set rules for this new market now or risk one or two U.S. companies taking control of online access to music, video and TV.

France debates new tunes for iPod
Thomas Crampton, International Herald Tribune, March 17, 2006 .

The French government’s approach is bold and the only one that makes sense,” said Michael Bartholomew, the director of the European Telecommunications Network Operators’ Association, a trade group based in Brussels.

And apparently, some professional organizations are finally coming to understand on which side their bread is buttered :

France May Force Apple to Open Up iTunes as Bill Moves Ahead
Rudy Ruitenberg, Bloomberg, March 20, 2006.

“The music industry is in favor of interoperability, it would make music accessible on more platforms. It’s quite a technical and complex provision, so it’s not quite clear how it’s going to work in practice,” [Olivia] Regnier [European regional counsel for the London-based International Federation of the Phonographic Industry] said.

The irony of this is that it is the free software organizations, presented by the “cultural community” (read “those who make pots of money in the name of culture”) as the utmost evil, who have been fighting for this interoperability clause.

I remember that, while some partners and I were being auditioned by government officials, their faces expressed surprise that we worried that artists should be able to publish their work, possibly protect their work, freely and without having to submit to the technology leveraged market control of a few large companies. My feeling was that no one else had expressed that concern before.

And, as usual, France Is Saving Civilization. But for the first time, Americans recognize the fact 🙂

How France Is Saving Civilization
Leander Kahney, Wired, March 22, 2006.

Well, that is all. I still have to read the week-end developments and prepare for the senate hearing of the law.

Is DRM Good for You?

Randy Picker, a principled DRM (copy protection) advocate, had an interesting comment on one of my prior posts about the Sony incident. Here’s the core of it:

Assume for now that you are right that DRM leads to spyware; all that means is that we need to figure out whether we should or shouldn’t favor active protection/supervision environments.

That gets us to the central point: namely the fact that consumers don’t want it doesn’t tell us anything about whether it is in the joint interests of consumers and producers. I spent the morning writing my exam and then will have to grade it after the students take it (no grad student graders for law profs). By far and away the worst part of the job, and I certainly don’t want it as part of the job, but that doesn’t mean that it isn’t jointly sensible.

Putting that point slightly differently, consumers may gain more from a DRM world than they would from whatever alternative world emerges without DRM; those subject to restrictions rarely want them but restrictions are frequently welfare maximizing; the fact that one party would like to get rid of the restrictions tells me little (nothing, probably) about whether the restriction is in the joint interest of the parties to the transaction.

It’s true in principle that an arrangement can be unwanted but ultimately good for those on whom it is imposed; but I don’t think that observation matters much in the specific case of CD DRM.

To understand why, let’s look at a case where a similar argument has traditionally worked: copyright. Copyright can be understood as an agreement among all of us that we will not infringe. Even though each of us individually would prefer to use works without paying, we understand that if we all refrain from infringing this increases incentives for authors, leading to the creation of more works we can enjoy. By making and keeping this copyright deal with each other, we come out ahead. (That’s the theory anyway. We all know what happens when the lobbyists show up, but work with me here, okay?)

One of the practical problems with this kind of deal is that each individual can gain by defecting from the deal – in the case of copyright, by infringing at will. If enough people defect, the deal could collapse. This danger is especially acute when it’s technologically easy to defect. Some people argue that this is happening to the copyright deal.

Anyway, what Randy is suggesting is that there might be a similar deal in which we all agree to accept some kind of DRM in order to boost incentives for authors and thereby cause the creation of more works than would otherwise exist. I think that if we weigh the costs and benefits, that would be a bad deal. And I’m especially sure it’s a bad deal for CD DRM. Let me explain why.

First, it turns out to be easy technologically to defect from the CD-DRM deal. Experience with the copyright deal teaches us that when it’s easy to defect, many people will, whether we like it or not.

Second, the costs of the CD-DRM deal seem much clearer than the benefits. Allowing spyware-DRM on our computers will open loopholes in our anti-spyware defenses that will foster more spyware infections. And as we have seen already, spyware-DRM will itself expose us to security risks. That’s the cost side. On the benefit side, we have only the dubious premise that CD-DRM might boost record sales. The costs are more certain, and larger.

The best argument against the CD-DRM deal, though, is that it is inferior to the copyright deal. If we’re going to make and keep a deal of this general type, the copyright deal is the one to pick. Compared to the copyright deal, the CD-DRM deal is a loser: costs are higher, benefits are the same at best, and the deal is just as easy to defect from. If we can’t keep the copyright deal, then we won’t be able to keep the CD-DRM deal either. But more to the point, we shouldn’t make the CD-DRM deal in the first place.

I’ve looked here at the specific case of DRM for CDs, but I think the same argument holds for other types of DRM as well. Leaving aside the mythical side-effect-free DRM systems and perfectly just legal regimes that some DRM advocates dream about, and looking instead at DRM systems and legal rules that could actually exist and how they would work in practice – as I am sure Randy and other principled DRM advocates would want us to do – the available DRM deals look lousy. Certainly they look worse than the original copyright deal.

Now I’m not arguing here that the current copyright deal is perfect or even close to perfect. The copyright deal is under stress and we need to keep thinking about how we might improve it or how we might renegotiate it to work better in the digital world. I’m not certain what the best deal would look like, but I’m pretty sure that it won’t try to lock in any kind of DRM.

Make Your Own Copy-Protected CD with Passive Protection

Here’s a great gift idea just in time for the holidays: Make your friends and relatives their very own copy-protected CDs using the same industrial-grade passive protection technology built into XCP and Macrovision discs.

Passive protection exploits subtle differences between the way computers read CDs and the way ordinary CD players do. By changing the layout of data on the CD, it’s sometimes possible to confuse computers without affecting ordinary players — or so the theory goes. In practice, the distinction between computers and CD players is less precise. Older generations of CD copy protection, which relied entirely on passive protection, proved easy to copy in some computers and impossible to play on some CD players. For these reasons, copy protection vendors now use active protection — special software designed to block copying.

Discs with XCP or Macrovision protection employ active protection in conjunction with a milder form of passive protection. You can create your own CD with exactly the same passive protection by following a straightforward five-step procedure. I’ll describe the procedure here, and then explain why it works.

What you’ll need:

  • A computer running a recent version of Windows (instructions are Windows-specific; perhaps someone will write instructions for MacOS or Linux)
  • Nero, a popular CD burning application
  • CloneCD, an advanced disc duplication utility
  • Two blank recordable CDs

Step 1: Burn a regular audio CD

Start Nero Burning ROM and create a new Audio CD project. [View] Add the audio tracks that you want to include on your copy-protected disc. [View] When you’re ready to record, click the Burn button on the toolbar. In the Burn tab, make sure “Finalize disc” is unchecked. [View] Insert a blank CD and click Burn. Be careful not to infringe any copyrights! For loads of great music that you can copy legally, visit Creative Commons.

Step 2: Add a data session to the CD

Start another Nero compilation, this time selecting the “CD-ROM ISO” project type. In the Multisession tab, make sure “Start Multisession disc” is selected; and in the ISO tab, make sure Data Mode is set to “Mode 2 / XA”. [View] Add any files that you want to be accessible when the CD is used in a computer. You might include “bonus” content, such as album art and lyrics. [View] For a more professional effect, consider adding the installer for your favorite spyware application and creating an Autorun.inf file so it starts automatically. When you’re finished, click the Burn toolbar button. Insert the audio CD you created in Step 1, and click Burn. [View] Nero should warn you that the disc you’ve inserted is not empty; click Yes to add your data files as a second session. [View]

At this point, you’ve created a CD that contains both audio tracks and data files. The data files you put on the CD should be visible in Windows Explorer (in My Computer, right click the CD icon and click Open) and the audio tracks should be rippable with your favorite audio player. To add passive copy protection, you’ll need to modify the layout of the data on the disc so that the audio tracks are more difficult to access.

Step 3: Rip the CD as a CloneCD image file

Make sure the CD you just created is still in the drive and start CloneCD. Click the “Read to Image File” button. Select your drive and click Next. Choose “Multimedia Audio CD” and click Next. [View] Select an easy to find location for the image file and click OK to begin ripping.

Step 4: Modify the image file to add passive protection

The CloneCD image you created in step 3 actually consists of three files with names ending in .CCD, .IMG, and .SUB. The .CCD file describes the layout of the tracks and sessions on the CD. You’ll edit this file to add the passive protection.

Start Windows Notepad and open the .CCD file. Modifying the file by hand would be tedious, so I’ve created an online application to help. Copy the entire contents of the file to the clipboard and paste it into this form, then click Upload. Copy the output from the web page and paste it back into Notepad, replacing the original file contents. [View] Save the file and exit Notepad.

Step 5: Burn the modified image to create a copy-protected CD

Insert a blank CD and start CloneCD again. Click the “Write From Image File” button. Select the image file you modified in step 4 and click next. Select your CD recorder and click Next. Select “Multimedia Audio CD” and click OK to begin burning. [View]

That’s it! You’ve created your very own copy-protected CD.

Now it’s time to test your disc. If everything worked, the files from the data session will be visible from My Computer, but the audio tracks will not appear in Windows Media Player, iTunes, and most other mainstream music players. The CD should play correctly in standalone CD players.

How it works. To see how this form of passive protection works, you can examine the layout of the CD you created. Start Nero and select Disc Info from the Recorder menu. You should see something like this:

(The exact number of tracks you see will depend on how many songs you included.)

Notice that the tracks are grouped into two sessions — essentially two independent CDs burned onto the same disc. Unprotected CDs that combine audio and data files contain audio tracks in the first session and a single data track in the second. The only difference in the passive protected CD you just created is that the second session contains two tracks instead of one.

You added the extra track (shown in yellow) when you edited the disc image in step 4. This simple change makes the audio tracks invisible to most music player applications. It’s not clear why this works, but the most likely explanation is that the behavior is a quirk in the way the Windows CD audio driver handles discs with multiple sessions.

For an added layer of protection, the extraneous track you added to the disc is only 31 frames long. (A frame is 1/75 of a second.) The CD standard requires that tracks be at least 150 frames long. This non-compliant track length will cause errors if you attempt to duplicate the disc with many CD drives and copying applications.

Caveat emptor. Yes, your copy-protected CD is “industrial strength” — XCP and Macrovision employ exactly the same passive protection — but even the pros have their limitations. There are many well-known method for defeating this kind of passive protection, such as:

  • Enhanced software – Advanced CD ripping programs avoid the Windows CD audio driver altogether and communicate directly with the CD drive. Thus, programs such as EAC are able to rip the tracks without any difficulty. – Better CD copying applications, including Nero, support a recording mode called Disc-at-Once/96; this lets them create an exact duplicate of the protected disc even though the last track has an illegal length.
  • Other operating systems – The discs can be ripped with standard software on Macs and on Linux systems. These platforms don’t suffer from the limitation that causes ripping problems on Windows.
  • Magic markers – The famous magic marker trick involves carefully drawing around the outer edge of the CD. This blocks out the second session, allowing the disc to be ripped and copied just like an unprotected CD.

And of course, at any time Microsoft could fix the Windows quirk that is the basis for this technique, rendering it completely ineffective.

Despite these limitations, who wouldn’t enjoy finding a homemade copy-protected CD in their stocking? They’re a great way to spread holiday cheer while preventing anyone else from spreading it further.

Does Sony's Copy Protection Infringe Copyrights?

The Sony copy protection debacle has so many angles that the mainstream press is having trouble keeping track of them all. The rootkit. The spyware. The other spyware. The big security hole. The other big security hole. It’s not surprising, then, that at least one important angle has gone nearly undiscussed in the mainstream press: the likelihood that the Sony/First4Internet XCP copy protection software itself infringes several copyrights. (Note to geeks: Slashdot doesn’t qualify as the mainstream press.)

Matti Nikki (a.k.a. Muzzy) and Sebastian Porst have done great work unearthing evidence pointing to infringement. They claim that the code file ECDPlayerControl.ocx, which ships as part of XCP, contains code from several copyrighted programs, including LAME, id3lib, mpglib, mpg123, FAAC, and most amusingly, DVD-Jon’s DRMS.

These are all open source programs. And of course open source is not the same as public domain. Open source programs are distributed with license agreements. If you copy and redistribute such a program, you’re a copyright infringer, unless you’re complying with the terms of the program’s license. The licenses in question are the Free Software Foundation’s GPL for mpg123 and DRMS, and the LGPL for the other programs. The terms of the GPL would require the companies to distribute the source code of XCP, which they’re certainly not doing. The LGPL requires less, but it still requires the companies to distribute things such as the object code of the relevant module without the LGPL-protected code, which the companies are not doing. So if they’re shipping code from these libraries, they’re infringing copyrights.

How strong is the evidence of infringement? For some of the allegedly copied programs, the evidence is very strong indeed. Consider this string of characters that appears in the XCP code:

FAAC – Freeware Advanced Audio Coder (http://www.audiocoding.com/). Copyright (C) 1999,2000,2001 Menno Bakker.

Porst also reports finding many blocks of code that appear to have come from FAAC. Porst claims equally strong evidence of copying from mpglib, LAME, and id3lib. This evidence looks very convincing.

He also points to evidence of copying from DRMS, which doesn’t look quite as strong, though it is very suggestive. (There are extensive similarities between DRMS and the XCP code, but because DRMS implements a decryption algorithm that offers fewer implementation choices than ordinary code does, it’s easier to imagine that similarities might have arisen by chance. I would have to study the two programs in more detail to say more. But let me reiterate that the DRMS evidence is at least very suggestive.)

The upshot of all this is that it appears the authors of at least some of these programs can sue First4Internet and Sony for copyright infringement. First4Internet wrote the allegedly infringing software and gave it to Sony, and Sony distributed the software to the public. Sony might not have known that the code they were shipping infringed, but according to copyright lawyers, there is strict liability for copyright infringement, meaning that lack of knowledge is not a defense against liability. (Lack of knowledge might reduce the damages.) So both companies could face suits.

The big question now, I suppose, is whether any of the copyright holders will sue. The developers of LAME wrote an open letter to Sony, saying that they’re not the suing type but they expect Sony to resolve the situation responsibly. They don’t say exactly what this means, but I expect they would be happy if Sony recalls the affected CDs (which it is already doing) and doesn’t ship XCP anymore. To my knowledge, we haven’t heard from the other copyright owners.

Being accused of infringement must be horribly embarrassing for Sony, given the number of ordinary people it has sued for infringing on a much smaller scale that Sony is accused of doing, and given that the whole purpose of this software was supposedly to reduce infringement. This is just another part of the lesson that Sony must have learned by now – and that other entertainment companies would be wise to learn – that it’s a bad idea to ship software if you haven’t thought very, very carefully about how it was designed and what your customers will think of it.

RIAA Critics, and their Critics, Debate Lawsuits

Last week the EFF released a report criticizing the RIAA’s lawsuits against individuals accused of P2P infringement. Some commentators have criticized the EFF. Tim Lee at Tech Liberation Front summarizes their argument:

I’m ordinarily sympathetic to the EFF’s arguments, but in this case, I agree with Adam [Thierer]:

“OK Fred, then what exactly IS the answer to the P2P dilemma? Because you don’t favor individual lawsuits, you don’t favor P2P liability, or much of anything else. This is what infuriates me most about the Lessig-ites; they give lip service to the P2P problem but then lambaste each and every legal solution proposed. In my opinion, if you can’t even support the lawsuits against individual users, then you essentially don’t believe in ANY sort of copyright enforcement.”

People who don’t like the RIAA’s litigous agenda need to come up with a workable alternative. Too many people on the anti-RIAA side like to criticize every attempt to enforce current copyright laws without suggesting alternative enforcement mechanisms, and without proposing an alternative legal regime. I’m not comfortable with simply shrugging at wide-spread piracy and telling the RIAA to lower their prices and stop whining.

Arguments about the lawsuits often get bogged down in confusion over exactly which argument the lawsuit opponents are making. There are three types of anti-lawsuit arguments.

A moral argument against lawsuits says that bringing the lawsuits is morally wrong.

A pragmatic argument against lawsuits says that bringing the lawsuits isn’t the most clever strategy for a self-interested RIAA to follow.

An empirical argument against lawsuits says that the lawsuits are not reducing infringement.

You can believe any subset of these arguments (including the empty set) without logical inconsistency. For example, you can believe that filing lawsuits is wrong but that doing so will help the RIAA by reducing infringement. Or you can believe that the lawsuits are morally justified and will reduce infringement but still aren’t the cleverest thing for the RIAA to do.

It goes without saying that each of the three arguments is either justified or not, so that some subset is correct to believe. My point is merely that no subset is logically inconsistent.

The EFF report combines threads of all three arguments. They argue at times that the lawsuits are unfair, beating up on defenseless grandmothers. They argue at times that the RIAA would be better off forgoing lawsuits. And they argue at times that the lawsuits are not reducing infringment. Although they don’t make it crystal clear, my reading is that the EFF is making all three arguments.

The Thierer/Lee criticism – that lawsuit critics have an obligation to suggest an alternative course for the RIAA – applies only to pragmatic arguments. If you believe a pragmatic argument, then you must believe there is something more clever the RIAA can do; and you should tell us what that is. But if you’re making a moral argument or an empirical argument, then you have no obligation to describe a better plan, because you’re not asserting that there is a better plan.

This is a common fallacy in policy analysis: assuming that whenever there is a problem, the solution must be some kind of bold new action. Sometimes bold action is just what’s needed. But sometimes bold action doesn’t solve the problem. Sometimes it only causes new problems. Sometimes your problem has no solution and your best course is to suck it up and figure out how to live with the problem.

Breaking down the anti-lawsuit arguments this way tells us one more imporant thing about this debate: there aren’t just two sides. There are at least eight logically consistent positions one could take – one for each subset of the three arguments – and I’m quite sure that more than two of those eight positions can be backed by plausible arguments.

If people are clearer about which arguments they are making, and which they aren’t making, maybe we can make some progress in this debate.