December 21, 2024

Finnish Court: Okay to Circumvent DVD DRM

A court in Finland ruled last week that it is not a violation of that nation’s anticircumvention law to circumvent CSS, the copy protection system in DVDs. Mikko Välimäki, one of the defense lawyers, has the best explanation I’ve seen.

Finnish law bans the circumvention of “effective” DRM (copy protection) technologies. The court ruled that CSS is not effective, because CSS-defeating tools are so widely available to consumers.

The case is an interesting illustration of the importance of word choice and definitions in lawmaking. The WIPO copyright treaty required signatory nations to pass laws providing “effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of the rights …” Reading this, one can’t help but notice that the same word “effective” describes both the remedies and the measures. The implication, to me at least, is that the legal remedies only need to be as effective as the technological measures are.

The Finnish law implementing the treaty took the same approach. In language based on an EU Copyright Directive, the Finnish law defined an effective technology as one that “achieves the protection objective” (according to Mr. Välimäki’s translation). The court ruled that that doesn’t require absolute, 100% protection, but it does require some baseline level of effectiveness against casual circumvention by ordinary users. CSS did not meet this standard, the court said, so circumvention of CSS is lawful.

U.S. law took a different approach. The Digital Millennium Copyright Act (DMCA), the U.S. law supposedly implementing the WIPO treaty, bans circumvention of effective technological measures, but defines “effective” as follows:

a technological measure `effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work

Some courts have read this as protecting any DRM technology, no matter how lame. It has even been held to protect CSS despite its notoriously weak design. It’s even possible that the structure of the U.S. DMCA helped to ensure the weakness of CSS – but that’s a topic for another post.

One of the tricks I’ve learned in reading draft legislation is to look closely at the definitions, for that’s often where the action is. An odd or counterintuitive definition can morph a reasonable-sounding proposal into something else entirely. The definition of a little word like “effective” might be the difference between an overreaching law and a more moderate one.

What's the Biggest Impact of IT on Copyright?

On Saturday I gave a talk (“Rip, Mix, Burn, Sue: Technology, Politics, and the Fight to Control Digital Media”) for a Princeton alumni group in Seattle. The theme of the talk is that the rise of information technology is causing a “great earthquake” in media businesses.

Many people believe that the biggest impact of IT is that it allows easy copying and redistribution of all types of content. To some people, this is the only impact of IT.

But I argue in the talk that the copying issue is only one part of IT’s impact, and not necessarily the biggest part. The main impact of IT, I argue, is that computers are universal devices that can perform any operation on digital data (except those operations that are inherently undoable and therefore can’t be done by any device).

I stress universality over copying in the talk for two reasons. First, it’s a point that most people miss, especially non-techies. Second, it lets me hint at the most important tradeoff in copyright/tech policy, which is how copyright sometimes stands in the way of developing powerful technologies for creating and communicating. Most people are quick to see the advantages of strong copyright in the digital world, but slow to see the price we’re paying for it.

This debate – whether IT is primarily a copying machine, or a creative tool – seems to run deeply throughout the online copyright debate. Those who see copying as the main impact of IT don’t much mind restricting digital technologies to further their copyright aims. But those who see creativity as the main impact of IT aim to protect the vitality of the IT ecosystem.

I come down on the creative side. I think the biggest long-run effect of IT will be in changing how we communicate and express ourselves. This is not to say that copying doesn’t matter – it clearly does – but only that we need to take the creative effects of IT at least as seriously as we take copying.

As I say in the talk, if IT’s impact is like an earthquake, file sharing is not the Big One, it’s only the first tremor.

(Thanks to Ed Lazowska, whose email exchange with me after the talk triggered this post.)

AACS Updated, Broken Again

[Other posts in this series]

We predicted in past posts that AACS, the encryption system intended to protect HD-DVD and Blu-ray movies, would suffer a gradual meltdown from its inability to respond quickly enough to attacks. Like most DRM, AACS depends on the secrecy of encryption keys built into hardware and software players. An attacker who discovers a player’s keys can defeat the protection on any disc that works with that player. AACS was designed with a defense against such attacks: after a player has been compromised, producers can alter new discs so that they no longer work with the compromised player’s keys. Whether this defense (which we call “key blacklisting”) will do much to stop copying depends how much time elapses before each leaked key is blacklisted.

Next week marks three months after the first compromised player key appeared on the Internet (and more than five months after cracks for individual discs began to appear). Discs slated for release on Tuesday will be the first to contain an update to AACS that blacklists the leaked keys.

What took so long? One limitation comes from the licensing agreement signed with player manufacturers, which requires that they receive ninety days’ notice before their keys are blacklisted, so that they have enough time to update their products.

Customers who obtained the new discs a few days early confirmed that the previously leaked keys no longer worked. It seemed as if AACS had recovered from the attacks just as its designers intended.

However, a new twist came yesterday, when SlySoft, an Antigua-based company that sells software to defeat various forms of copy protection, updated its AnyDVD product to allow it to copy the new AACS discs. Apparently, SlySoft had extracted a key from a different player and had kept the attack a secret. They waited until all the other compromised keys were blacklisted before switching to the new one.

The AACS Licensing Authority will be able to figure out which player SlySoft cracked by examining the program, and they will eventually blacklist this new key as well. However, all discs on store shelves will remain copyable for months, since disc producers must wait another ninety days before making the change.

To be successful in the long run, AACS needs to outpace such attacks. Its backers might be able to accelerate the blacklisting cycle somewhat by revising their agreements with player manufacturers, but the logistics of mastering discs and shipping them to market mean the shortest practical turnaround time will be at least several weeks. Attackers don’t even have to wait this long before they start to crack another player. Like Slysoft, they can extract keys from several players and keep some of them secret until all publicly known keys are blacklisted. Then they can release the other keys one at a time to buy additional time.

All of this is yet more bad news for AACS.

If It's Not Snake Oil, It's Pretty Awesome (Part 2)

Four years ago I wrote about a company called Music Public Broadcasting:

In today’s Los Angeles Times, Jon Healey writes about a new DRM proposal from a company called Music Public Broadcasting. The company’s claims, which are not substantiated in the story, give off a distinct aroma of snake oil.

I went on to document the snake oil indicators: (1) the flamboyant, self-promoting entrepreneur, newly arrived from another field; (2) the vaguely articulated theoretical breakthrough, described in mystical terms unintelligible to experts in the field; (3) the evidence that the product hadn’t been demonstrated or explained to its customers; (4) the claims to invalidate an accepted, fundamental principle in the field — but without really explaining how it is done. As one potential customer said, “If it’s not snake oil, it’s pretty awesome.”

Now the same company, having adopted a new name, is floating an equally improbable legal theory: that Microsoft, Apple, Adobe, Real, and anybody else making music download tools is legally required to license the company’s technology. Their theory is that these target companies are “avoiding” the use of their anti-copying technology – avoiding it in the sense of not buying it – and the Digital Millennium Copyright Act prohibits avoidance of copy protection. In other words, the target companies have a legal obligation to buy the company’s technology and, on the same theory, any other technology that claims to stop infringement. Snake oil purchases are now mandatory.

If you believe this company’s legal claim is any more solid than its technical claim, I have a bridge to sell you – and let me assure you that you’re legally compelled to buy it.

HBO Exec Wants to Rename DRM

People have had lots of objections to Digital Rights Management (DRM) technology – centering mainly on its clumsiness and the futility of its anti-infringement rationale – but until recently nobody had complained that the term “Digital Rights Management” was insufficiently Orwellian.

That changed on Tuesday, when HBO’s Chief Technology Officer, Bob Zitter, suggested at an industry conference that DRM needs a name change. Zitter’s suggested name: Digital Consumer Enablement, or DCE.

The irony here is that “rights management” is itself an industry-sponsored euphemism for what would more straightforwardly be
called “restrictions”. But somehow the public got the idea that DRM is restrictive, hence the need for a name change.

Zitter went on to discuss HBO’s strategy. HBO wants to sell shows in HighDef, but the problem is that many consumers are watching HD content using the analog outputs on their set-top boxes – often because their fancy new HD televisions don’t implement HBO’s favorite form of DRM. So what HBO wants is to disable the analog outputs on the set-top box, so consumers have no choice but to adopt HBO’s favored DRM.

Which makes the nature of the “enablement” clear. By enabling your set-top box to be incompatible with your TV, HBO will enable you to buy an expensive new TV. I understand why HBO might want this. But they ought to be honest and admit what they are doing.

I can think of several names for their strategy. “Consumer Enablement” is not one of them.