November 22, 2024

Posts Comments

The Professional Device Hole

January 12, 2006 by

Any American parent with kids of a certain age knows Louis Sachar’s novel Holes, and the movie made from it. It’s set somewhere in the Texas desert, at a boot camp for troublemaking kids. The kids are forced to work all day in the scorching sun, digging holes in the rock-hard ground then re-filling them. It seems utterly pointless but the grown-ups say it builds character. Eventually we learn that the holes aren’t pointless but in fact serve the interests of a few nasty grown-ups.

Speaking of holes, and pointless exercises, last month Reps. Sensenbrenner and Conyers introduced a bill, the Digital Transition Content Security Act, also known as the Analog Hole Bill.

“Analog hole” is an artfully chosen term, referring to the fact that audio and video can be readily converted back and forth between digital and analog formats. This is just a fact about the universe, but calling it a “hole” makes it sound like a problem that might possibly be solved. The last large-scale attack on the analog hole was the Secure Digital Music Initiative (SDMI) which went down in flames in 2002 after its technology was shown to be ineffective (and after SDMI famously threatened to sue researchers for analyzing the technology).

The Analog Hole Bill would mandate that any devices that can translate certain types of video signals from analog to digital form must comply with a Byzantine set of design restrictions that talk about things like “certified digital content rights protection output technologies”. Let’s put aside for now the details of the technology design being mandated; I’ll critique them in a later post. I want to write today about the bill’s exemption for “professional devices”:

PROFESSIONAL DEVICE.—(A) The term‘‘professional device” means a device that is designed, manufactured, marketed, and intended for use by a person who regularly employs such a device for lawful business or industrial purposes, such as making, performing, displaying, distributing, or transmitting copies of audiovisual works on a commercial scale at the request of, or with the explicit permission of, the copyright owner.

(B) If a device is marketed to or is commonly purchased by persons other than those described in subparagraph (A), then such device shall not be considered to be a ‘‘professional device”.

Tim Lee at Tech Liberation Front points out one problem with this exemption:

“Professional” devices, you see, are exempt from the restrictions that apply to all other audiovisual products. This raises some obvious questions: is it the responsibility of a “professional device” maker to ensure that too many “non-professionals” don’t purchase their product? If a company lowers its price too much, thereby allowing too many of the riffraff to buy it, does the company become guilty of distributing a piracy device? Perhaps the government needs to start issuing “video professional” licenses so we know who’s allowed to be part of this elite class?

I think this legislative strategy is extremely revealing. Clearly, Sensenbrenner’s Hollywood allies realized that all this copy-protection nonsense could cause problems for their own employees, who obviously need the unfettered ability to create, manipulate, and convert analog and digital content. This is quite a reasonable fear: if you require all devices to recognize and respect encoded copy-protection information, you might discover that content which you have a legitimate right to access has been locked out of reach by over-zealous hardware. But rather than taking that as a hint that there’s something wrong with the whole concept of legislatively-mandated copy-protection technology, Hollywood’s lobbyists took the easy way out: they got themselves exempted from the reach of the legislation.

In fact, the professional device hole is even better for Hollywood than Tim Lee realizes. Not only will it protect Hollywood from the downside of the bill, it will also create new barriers to entry, making it harder for amateurs to create and distribute video content – and just at the moment when technology seems to be enabling high-quality amateur video distribution.

The really interesting thing about the professional device hole is that it makes one provision of the bill utterly impossible to put into practice. For those reading along at home, I’m referring to the robustness rulemaking of section 202(1), which requires the Patent and Trademark Office (PTO) to establish technical requirements that (among other things) “can only with difficulty be defeated or circumvented by use of professional tools or equipment”. But there’s a small problem: professional tools are exempt from the technical requirements.

The robustness requirements, in other words, have to stop professional tools from copying content – and they have to do that, somehow, without regulating what professional tools can do. That, as they say, is a tall order.

That’s all for today, class. Here’s the homework, due next time:
(1) Table W, the most technical part of the bill, contains an error. (It’s a substantive error, not just a typo.) Explain what the error is.
(2) How would you fix the error?
(3) What can we learn from the fact that the error is still in the bill at this late date?

Filed Under: Uncategorized Tagged With: ,

Open Thread: SonyBMG Lawsuit Settlement

December 29, 2005 by

SonyBMG has reportedly reached a settlement agreement in the class action lawsuits. Alex Eckelberry has posted the motion proposing the settlement, and a brief summary of its terms. The settlement must be approved by a court before taking effect.

We’re on holiday hiatus, so I won’t analyze the settlement now. Feel free to discuss it in the comments, though.

(Update: Discussion had already started in the comments on another post, starting here. It has moved over here now.)

(Update 2: Jim Tyre pointed out that what I had previously called the “settlement” was actually a motion asking the court to approve the settlement. I modified the text to reflect this, and I added a link to the actual settlement.)

Filed Under: Uncategorized Tagged With: , , ,

Sony CDs and the Computer Fraud and Abuse Act

December 21, 2005 by

We’ve written plenty here about the adventures of SonyBMG, First4Internet, and SunnComm/MediaMax in CD copy protection. Today, I want to consider whether the companies violated the Computer Fraud and Abuse Act (CFAA), which is the primary Federal law banning computer intrusions and malware. A CFAA violator is subject to criminal enforcement and to civil suits filed by victims.

A major caveat is in order: remember that although I have studied this statute, I am not a lawyer. I think I know enough to lay out the issues, but I won’t pretend to give a firm legal opinion on whether the companies have violated the CFAA. Also, bear in mind that the facts are different as to First4Internet (which designed and distributed the XCP software), SunnComm/MediaMax (which designed and distributed the MediaMax software), and SonyBMG (which distributed both software systems but may have known less about how they worked).

There are two relevant provisions in the CFAA. The first one, which I’ll call the “spying provision”, says this:

Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication … shall be punished …

The second one, which I’ll call the “damage provision”, says this:

Whoever … intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage … shall be punished …

(“Protected computer” is defined in the CFAA to include nearly every computer at issue here.)

Let’s look first at the spying provision. We know that the programs obtained information from the user’s computer (about how the user used the CD drive) and sent that information across the Net to either SonyBMG or SunnComm. In most cases that would be interstate communication. So the main issue would seem to be whether the companies, in installing their software on a user’s computer, intentionally accessed the computer without authorization or exceeded authorized access.

According to the CFAA,

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

In the case of XCP, the software that gathers and sends information only gets installed if the user agrees to an End User License Agreement (EULA), so the company is authorized to access the computer. They might still have exceeded authorized access, if the EULA’s terms did not entitle them to obtain some information that they obtained. Given the vagueness of the EULA language, this seems like a close call. Eric Goldman has argued that a court would give XCP the benefit of the doubt.

Things look worse for MediaMax. The company sometimes installs its software even if the user rejects the EULA. In this case the company is not authorized to put software on the user’s computer or to cause that software to run. But they do it anyway. It’s hard to see how that’s not either accessing without authorization or exceeding authorized access. It looks like MediaMax is in jeopardy on the spying provision.

Sony’s position here is interesting. They shipped the affected software, but they may not have known as much about how it worked. The spying provision applies only if the company accessed the computer (or exceeded authorized access) “intentionally”. If Sony didn’t know that MediaMax installed when the user denied the EULA, then Sony may be in the clear even if MediaMax itself is in violation.

Let’s turn now to the damage provision. This provision covers access without authorization, but doesn’t cover exceeding authorization. As I understand it, this means that you’re not in violation if you had any kind of authorization to access the computer.

The provision also requires that there be “damage”. According to the CFAA, damage includes “any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals”. As I understand it, the cost of detecting and mitigating a problem, including the value of time spent by people on detection and mitigation, can be included in the loss. Given that, there can be little doubt that each of these software systems caused damage of more than $5000 total. For example, if a system was installed on 100,000 computers and imposed at least five cents in detection and mitigation costs on each one of those computers, the aggregate damage is more than $5000.

It seems clear, too, that the installation of a rootkit, or the installation of software without permission – not to mention the security vulnerabilities caused by the software – constitutes an impairment to the integrity of users’ systems.

So the main sticking point in the damage provision would seem to be access without authorization. XCP gets a limited authorization to access the computer when the user agrees to the EULA, so they would seem to be okay. But when MediaMax installs despite the user rejecting the EULA, that looks to me like access without authorization. Again, it looks like MediaMax may be in trouble.

The word “intentionally” pops up in again in the damage provision, and again it might protect SonyBMG, if SonyBMG did not know that the software was designed to install without authorization.

There are two more issues regarding the damage provision. The first one is a possible objection from MediaMax, claiming that although the unauthorized installation may have been intentional, the damage was not intentional. As I understand it, courts have rejected this reading of the CFAA, holding that only the access must be intentional, but the statute applies even if the damage was an accident. It’s easy to understand why Congress would have wanted to write the law that way, to say that if you intentionally break in to somebody’s computer, you are responsible for any damage you cause to that computer, even if the damage happens accidentally.

The last issue is whether the companies had authorization to install or run software immediately upon insertion of the CD into the computer, even before the user is presented with a EULA. I think there’s a good argument that the companies ran more software than they were authorized to run in that situation, but it seems like a stretch to argue that they had no authorization to do anything at all. It seems reasonable to allow them to at least run enough software to pop up a EULA. In any case, it would be hard to find $5000 in damage from this behavior.

So here’s my very tentative bottom line: XCP is in the gray area but is probably okay; MediaMax may well be in violation; and Sony’s status depends on how much they knew about what the MediaMax software did. Perhaps a court hearing one of the SonyBMG lawsuits will give us its own analysis.

UPDATE (1:30 PM EST): In the comments, Sam points out an important issue that I missed in writing this post. Even if SonyBMG did not know from the beginning that MediaMax installs and runs without authorization, they did find out about it eventually, and they kept shipping MediaMax discs anyway. So the software’s behavior would seem to be intentional on Sony’s part, at least with respect to those discs sold after Sony learned about the MediaMax behavior. ]

Filed Under: Uncategorized Tagged With: , , ,

Is DRM Good for You?

December 19, 2005 by

Randy Picker, a principled DRM (copy protection) advocate, had an interesting comment on one of my prior posts about the Sony incident. Here’s the core of it:

Assume for now that you are right that DRM leads to spyware; all that means is that we need to figure out whether we should or shouldn’t favor active protection/supervision environments.

That gets us to the central point: namely the fact that consumers don’t want it doesn’t tell us anything about whether it is in the joint interests of consumers and producers. I spent the morning writing my exam and then will have to grade it after the students take it (no grad student graders for law profs). By far and away the worst part of the job, and I certainly don’t want it as part of the job, but that doesn’t mean that it isn’t jointly sensible.

Putting that point slightly differently, consumers may gain more from a DRM world than they would from whatever alternative world emerges without DRM; those subject to restrictions rarely want them but restrictions are frequently welfare maximizing; the fact that one party would like to get rid of the restrictions tells me little (nothing, probably) about whether the restriction is in the joint interest of the parties to the transaction.

It’s true in principle that an arrangement can be unwanted but ultimately good for those on whom it is imposed; but I don’t think that observation matters much in the specific case of CD DRM.

To understand why, let’s look at a case where a similar argument has traditionally worked: copyright. Copyright can be understood as an agreement among all of us that we will not infringe. Even though each of us individually would prefer to use works without paying, we understand that if we all refrain from infringing this increases incentives for authors, leading to the creation of more works we can enjoy. By making and keeping this copyright deal with each other, we come out ahead. (That’s the theory anyway. We all know what happens when the lobbyists show up, but work with me here, okay?)

One of the practical problems with this kind of deal is that each individual can gain by defecting from the deal – in the case of copyright, by infringing at will. If enough people defect, the deal could collapse. This danger is especially acute when it’s technologically easy to defect. Some people argue that this is happening to the copyright deal.

Anyway, what Randy is suggesting is that there might be a similar deal in which we all agree to accept some kind of DRM in order to boost incentives for authors and thereby cause the creation of more works than would otherwise exist. I think that if we weigh the costs and benefits, that would be a bad deal. And I’m especially sure it’s a bad deal for CD DRM. Let me explain why.

First, it turns out to be easy technologically to defect from the CD-DRM deal. Experience with the copyright deal teaches us that when it’s easy to defect, many people will, whether we like it or not.

Second, the costs of the CD-DRM deal seem much clearer than the benefits. Allowing spyware-DRM on our computers will open loopholes in our anti-spyware defenses that will foster more spyware infections. And as we have seen already, spyware-DRM will itself expose us to security risks. That’s the cost side. On the benefit side, we have only the dubious premise that CD-DRM might boost record sales. The costs are more certain, and larger.

The best argument against the CD-DRM deal, though, is that it is inferior to the copyright deal. If we’re going to make and keep a deal of this general type, the copyright deal is the one to pick. Compared to the copyright deal, the CD-DRM deal is a loser: costs are higher, benefits are the same at best, and the deal is just as easy to defect from. If we can’t keep the copyright deal, then we won’t be able to keep the CD-DRM deal either. But more to the point, we shouldn’t make the CD-DRM deal in the first place.

I’ve looked here at the specific case of DRM for CDs, but I think the same argument holds for other types of DRM as well. Leaving aside the mythical side-effect-free DRM systems and perfectly just legal regimes that some DRM advocates dream about, and looking instead at DRM systems and legal rules that could actually exist and how they would work in practice – as I am sure Randy and other principled DRM advocates would want us to do – the available DRM deals look lousy. Certainly they look worse than the original copyright deal.

Now I’m not arguing here that the current copyright deal is perfect or even close to perfect. The copyright deal is under stress and we need to keep thinking about how we might improve it or how we might renegotiate it to work better in the digital world. I’m not certain what the best deal would look like, but I’m pretty sure that it won’t try to lock in any kind of DRM.

Filed Under: Uncategorized Tagged With: , , , ,

Make Your Own Copy-Protected CD with Passive Protection

December 15, 2005 by

Here’s a great gift idea just in time for the holidays: Make your friends and relatives their very own copy-protected CDs using the same industrial-grade passive protection technology built into XCP and Macrovision discs.

Passive protection exploits subtle differences between the way computers read CDs and the way ordinary CD players do. By changing the layout of data on the CD, it’s sometimes possible to confuse computers without affecting ordinary players — or so the theory goes. In practice, the distinction between computers and CD players is less precise. Older generations of CD copy protection, which relied entirely on passive protection, proved easy to copy in some computers and impossible to play on some CD players. For these reasons, copy protection vendors now use active protection — special software designed to block copying.

Discs with XCP or Macrovision protection employ active protection in conjunction with a milder form of passive protection. You can create your own CD with exactly the same passive protection by following a straightforward five-step procedure. I’ll describe the procedure here, and then explain why it works.

What you’ll need:

  • A computer running a recent version of Windows (instructions are Windows-specific; perhaps someone will write instructions for MacOS or Linux)
  • Nero, a popular CD burning application
  • CloneCD, an advanced disc duplication utility
  • Two blank recordable CDs

Step 1: Burn a regular audio CD

Start Nero Burning ROM and create a new Audio CD project. [View] Add the audio tracks that you want to include on your copy-protected disc. [View] When you’re ready to record, click the Burn button on the toolbar. In the Burn tab, make sure “Finalize disc” is unchecked. [View] Insert a blank CD and click Burn. Be careful not to infringe any copyrights! For loads of great music that you can copy legally, visit Creative Commons.

Step 2: Add a data session to the CD

Start another Nero compilation, this time selecting the “CD-ROM ISO” project type. In the Multisession tab, make sure “Start Multisession disc” is selected; and in the ISO tab, make sure Data Mode is set to “Mode 2 / XA”. [View] Add any files that you want to be accessible when the CD is used in a computer. You might include “bonus” content, such as album art and lyrics. [View] For a more professional effect, consider adding the installer for your favorite spyware application and creating an Autorun.inf file so it starts automatically. When you’re finished, click the Burn toolbar button. Insert the audio CD you created in Step 1, and click Burn. [View] Nero should warn you that the disc you’ve inserted is not empty; click Yes to add your data files as a second session. [View]

At this point, you’ve created a CD that contains both audio tracks and data files. The data files you put on the CD should be visible in Windows Explorer (in My Computer, right click the CD icon and click Open) and the audio tracks should be rippable with your favorite audio player. To add passive copy protection, you’ll need to modify the layout of the data on the disc so that the audio tracks are more difficult to access.

Step 3: Rip the CD as a CloneCD image file

Make sure the CD you just created is still in the drive and start CloneCD. Click the “Read to Image File” button. Select your drive and click Next. Choose “Multimedia Audio CD” and click Next. [View] Select an easy to find location for the image file and click OK to begin ripping.

Step 4: Modify the image file to add passive protection

The CloneCD image you created in step 3 actually consists of three files with names ending in .CCD, .IMG, and .SUB. The .CCD file describes the layout of the tracks and sessions on the CD. You’ll edit this file to add the passive protection.

Start Windows Notepad and open the .CCD file. Modifying the file by hand would be tedious, so I’ve created an online application to help. Copy the entire contents of the file to the clipboard and paste it into this form, then click Upload. Copy the output from the web page and paste it back into Notepad, replacing the original file contents. [View] Save the file and exit Notepad.

Step 5: Burn the modified image to create a copy-protected CD

Insert a blank CD and start CloneCD again. Click the “Write From Image File” button. Select the image file you modified in step 4 and click next. Select your CD recorder and click Next. Select “Multimedia Audio CD” and click OK to begin burning. [View]

That’s it! You’ve created your very own copy-protected CD.

Now it’s time to test your disc. If everything worked, the files from the data session will be visible from My Computer, but the audio tracks will not appear in Windows Media Player, iTunes, and most other mainstream music players. The CD should play correctly in standalone CD players.

How it works. To see how this form of passive protection works, you can examine the layout of the CD you created. Start Nero and select Disc Info from the Recorder menu. You should see something like this:

(The exact number of tracks you see will depend on how many songs you included.)

Notice that the tracks are grouped into two sessions — essentially two independent CDs burned onto the same disc. Unprotected CDs that combine audio and data files contain audio tracks in the first session and a single data track in the second. The only difference in the passive protected CD you just created is that the second session contains two tracks instead of one.

You added the extra track (shown in yellow) when you edited the disc image in step 4. This simple change makes the audio tracks invisible to most music player applications. It’s not clear why this works, but the most likely explanation is that the behavior is a quirk in the way the Windows CD audio driver handles discs with multiple sessions.

For an added layer of protection, the extraneous track you added to the disc is only 31 frames long. (A frame is 1/75 of a second.) The CD standard requires that tracks be at least 150 frames long. This non-compliant track length will cause errors if you attempt to duplicate the disc with many CD drives and copying applications.

Caveat emptor. Yes, your copy-protected CD is “industrial strength” — XCP and Macrovision employ exactly the same passive protection — but even the pros have their limitations. There are many well-known method for defeating this kind of passive protection, such as:

  • Enhanced software – Advanced CD ripping programs avoid the Windows CD audio driver altogether and communicate directly with the CD drive. Thus, programs such as EAC are able to rip the tracks without any difficulty. – Better CD copying applications, including Nero, support a recording mode called Disc-at-Once/96; this lets them create an exact duplicate of the protected disc even though the last track has an illegal length.
  • Other operating systems – The discs can be ripped with standard software on Macs and on Linux systems. These platforms don’t suffer from the limitation that causes ripping problems on Windows.
  • Magic markers – The famous magic marker trick involves carefully drawing around the outer edge of the CD. This blocks out the second session, allowing the disc to be ripped and copied just like an unprotected CD.

And of course, at any time Microsoft could fix the Windows quirk that is the basis for this technique, rendering it completely ineffective.

Despite these limitations, who wouldn’t enjoy finding a homemade copy-protected CD in their stocking? They’re a great way to spread holiday cheer while preventing anyone else from spreading it further.

Filed Under: Uncategorized Tagged With: , , ,