Advertisement
Interested in hardware, diags, validation, Linux, C, ARM, Microcode and low level programming and blazing networks?
Weekly Edition
Return to the Announcements page
| |||||||||||||
|
| |||||||||||||
EFF: 09 f9: A Legal Primer
The EFF has published 09 f9: A legal primer on the counterproductive attempts to suppress the spread of an HD-DVD decryption key. "Is the key copyrightable? It doesn't matter. The AACS-LA takedown letter is not claiming that the key is copyrightable, but rather that it is (or is a component of) a circumvention technology. The DMCA does not require that a circumvention technology be, itself, copyrightable to enjoy protection."
(Log in to post comments)
Security model Posted May 2, 2007 22:31 UTC (Wed) by bojan (subscriber, #14302) [Link] Maybe I missed something important, but it seems that AACS-LA have a security model in which they ship secrets to everyone, including people in countries where DMCA doesn't apply, and expect those secrets to remain hidden? Isn't that just a little bit naive?
Security model Posted May 2, 2007 22:47 UTC (Wed) by drag (subscriber, #31333) [Link] It's not naive. It's just stupid.
So....
They are giving you encrypted content.
.... and they expect this to work?
This is clearly a result of people making technical decisions who have no technical understanding of anything. They figure that with enough money and enough engineers they can change how the world works. These are people too stupid and too rich to take 'this is f-ing stupid and a very bad idea' for a answer.
Score one for civil disobedience:
spelling Posted May 2, 2007 23:32 UTC (Wed) by ldarby (subscriber, #41318) [Link] dude...
sorry for pointing this out in public but...
It's spelt "necessary".
spelling Posted May 2, 2007 23:40 UTC (Wed) by bronson (subscriber, #4806) [Link] Next time you want to try to ridicule somebody in public, ldarby, how about showing a little more restraint? You added nothing to the conversation.drag, you're right. And that doesn't even take the analog hole into account.
spelling Posted May 3, 2007 0:06 UTC (Thu) by drag (subscriber, #31333) [Link] It's ok. I know I am a crappy speller.
I actually failed many many spelling tests in grade school, it was pathetic.
spelling Posted May 3, 2007 7:59 UTC (Thu) by dark (✭ supporter ✭, #8483) [Link] bronson, your post dragged down the tone of this discussion and made itunpleasant to read. ldarby's did not. Please think about that aspect the next time you post.
Also, I noted with amusement that the key has been registered as a domain
spelling Posted May 3, 2007 11:27 UTC (Thu) by ekj (subscriber, #1524) [Link] I dunno if you're aware of it, (and don't know anything about the country of the GP) but a large portion of the subscribers to Lwn do not, infact, have english as a mother-tongue.For me, english is my third language. Quibbling over spelling is strictly off-topic on Lwn and only adds noise, plus discourages participation from people from non-english-speaking countries. Please stop it.
spelling Posted May 3, 2007 13:02 UTC (Thu) by ldarby (subscriber, #41318) [Link] > I dunno if you're aware of it, (and don't know anything about the> country of the GP) but a large portion of the subscribers to Lwn do > not, infact, have english as a mother-tongue.
That would be an even stonger reason to make sure words are spelled
I can't believe how hypocritical both you and bronson are. You're both
I come to lwn expecting reasonably high standards, hence my attempt to
Security model Posted May 3, 2007 2:25 UTC (Thu) by njs (subscriber, #40338) [Link] They know law better than they know technology, so they're turning a problem they don't understand (selling copies of bits that act the way they want) into one they do (getting every government in the world to adopt DMCA-like laws). Much easier.
Security model Posted May 3, 2007 2:29 UTC (Thu) by louie (subscriber, #3285) [Link] they're turning a problem they don't understand (selling copies of bits that act the way they want) Let me fix that for you: a problem that is impossible to solve Much more accurate. :) (I think the soldering/unsoldering aspect of the xbox hack is really interesting here; the long-term assumption of the industry has been that pushing more stuff out of software and into firmware/hardware would help increase security, but this hack suggests that this raises the bar but not by as much as the industry hoped.)
Security model Posted May 11, 2007 23:01 UTC (Fri) by giraffedata (subscriber, #1954) [Link] I think the soldering/unsoldering aspect of the xbox hack is really interesting here; the long-term assumption of the industry has been that pushing more stuff out of software and into firmware/hardware would help increase security, but this hack suggests that this raises the bar but not by as much as the industry hoped. Are a lot of people doing that? I believe the industry set the bar at "the number of hacks will be negligible," and my guess is that's where the bar is if the hack involves soldering. Again guessing, I would expect the number of hacked boxes to be at least 500 times higher if the hack consists of downloading something from the Internet.
Security model Posted May 3, 2007 8:45 UTC (Thu) by job (subscriber, #670) [Link] Not at all. It's just us (the geekier types) who sees this as a technical problem. It is not. It is a economical and juridical problem.
As you can see, it's a solved problem in the US. They don't care about a skilled attacker, they care about the mass market, and they have taken their part in creating laws that enables them to sue the crap out of anybody who even dares to mention that key (or any other "circumvention device" for that matter).
It's almost a solved problem for them in the EU as well. We've got Infosoc and soon IPRED2. It's no secret that huge financial US interests pushed these laws on us, and it's hard to resist them. I don't know much about Asian politics but I suspect they may be even easier to convince using the existing free trade agreements etc.
Then the problem of making bits selectively uncopyable is completely solved, for all practical purposes.
Security model Posted May 3, 2007 22:17 UTC (Thu) by man_ls (subscriber, #15091) [Link] You have nailed it. There is only the small matter of keeping the mass market in the dark when all it takes is a few web searches. Even worse, when they have to raise the level of censorship this much for their goals to come true.You know, banning some "malicious" DeCSS code might seem to be OK, but censoring a magical number from appearing on a bulletin board (and potentially crippling some devices in the process) starts to look positively creepy.
Security model Posted May 4, 2007 14:09 UTC (Fri) by Nelson (subscriber, #21712) [Link] Is the "censoring" part creepy? Or is the suggestion that it's just some random number creepy?It's kind of like thinking of some proprietary source code as "just some random bytes" and they have no reason to sue anybody for posting it on the web. I understand that it's a number but what fuels the drive to post it? Technologically, we know, AACS can be broken, it's just a matter of time and effort and most of us knew that long before they shipped anything, what's the goal of posting actual keys? What if instead of just foreclosing on you when you don't pay your mortgage, they posted your social security number ("just some random number..") and various credit card numbers and particulars on the web? So that other lenders and the whole world really know who you are and don't make the same mistake or for some other lame reason. Or when a major corporation as a security breach, maybe they should post all of the SSNs and credit card numbers that they believe were stolen so we can all check to see if our information was compromised, that's just good journalism, isn't it?
Security model Posted May 4, 2007 18:12 UTC (Fri) by man_ls (subscriber, #15091) [Link] The censoring is the creepy part, of course. That it is not only the owners who must keep their secrets, but we must keep them too. That people have to shut up so that a few can make a profit, what else?This stuff is not like posting private data or proprietary code. With code the CSS consortium could give the impression that it was some evil code, even if they didn't fool anyone with a clue. This incident shows that any random sequence of letters can literally be made into a dangerous "circumvention device" and kept secret. Then they will close the dangerous "hacker" sites and then anyone with a clue will have to shut up if they accidentally step on a dirty little secret. Personally I find that creepy.
Security model Posted May 3, 2007 11:39 UTC (Thu) by grouch (guest, #27289) [Link]
It appears to me that all of the take-down notices should fail because their "technological measure" does NOT "effectively control[] access". As you and drag point out, they provide everything necessary to unlock the work on machines which provide everything necessary to see how that unlocking occurs. Sure doesn't look very effective to me. Looks to me like a pretty ineffective, technologically simple-minded measure.
There's that "effectively controls" part, again. It's a mischaracterization, at best, and a downright lie, at worst. Or does U.S. law define "effectively" and "controls" in some way that defies common sense? Could "click here" be considered a "technological measure that effectively controls access to a work"?
Ok, so all it takes is to place the number on some web site which has no marketing whatsoever. No advertisements, no sales, no commercial activity at all means that the wondrous, magical, awesomely effective number is not being marketed when displayed on that web site. Is there no lower limit to stupidity? If this keeps up, somebody is going to pass a law proclaiming a new value of pi.
defining "effectively controls" Posted May 3, 2007 11:52 UTC (Thu) by louie (subscriber, #3285) [Link] their "technological measure" does NOT "effectively control[] access" As I pointed out in another comment, the DMCA says that the technological measure 'effectively controls' if it 'requires the application of information... with the authority of the copyright owner, to gain access to the work.' You or I may think that is a pretty terrible definition of 'effective', but that is the definition of effective the judge is going to use. And clearly, the device requires 'application of information' (aka, the key) to access the work, so for the purposes of the law, it is effective, whether we think it is effective or not.
Is a key a 'circumvention device'? Posted May 2, 2007 22:41 UTC (Wed) by AJWM (guest, #15888) [Link] Since the takedown notices are based on the key being a component of a circumvention device, it raises the question of whether that is so or not. To use an analogy with a door lock, certainly a prybar or a set of lock picks are both circumvention devices -- but what about the actual key to the lock? That's not "circumventing" the lock, that is operating it as designed. What about a duplicate of said key?
The analogy with the AACS system is not farfetched - that key has a legitimate use, and forms a critical component of all legitimate high-def disc players. The 90 0f etc sequence therefor has _significant_ commercial use, and is no more a device (or component thereof) for circumventing the encryption scheme than is a key for circumventing the lock it was intended.
(Of course, IANAL, this is not legal advice, and judges have been known to rule contrary to simple logic.)
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 0:25 UTC (Thu) by louie (subscriber, #3285) [Link] Given that the number is not typically conveyed to end-users, it is less like a lock's key (which every owner of a lock has their own copy of) and more like a lock's tumbler- something internal to the circumvention device, without which the device won't function. In other words, a 'component or part'. ("No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof....") Additionally, if there is any doubt as to what the thing is, a judge is going to look at the use of the thing. If it is only arguably used for circumventing, then maybe, maybe the component/part argument will get looked at. But here the key violates not just one but all three of the tests for intent: it is clearly "designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title." It has no "commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title." And despite the language being used ('I hear this number is magical') clearly everyone who is posting it is 'marketing' the key knowing that it is "for use in circumventing a technological measure that effectively controls access to a work protected under this title." You only have to do one of those to violate the DMCA- and clearly the number hits all three. FWIW, to 'circumvent a technological measure' here means specifically to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure." The key clearly 'deactivates' the technological measure, so again, it pretty clearly 'circumvents' under the language of the statute. So yeah, I can't see any plausible way in which a court can find that this isn't a circumvention device. You're very right to point out that the language could be clearer and explicitly define 'component or part' to include keys/data, but no court is going to rule in your favor on that unless you are otherwise very, very sympathetic. And lets be honest here- there ain't no sympathetic players here, at least not from a court's perspective. If you want to see an example of how a court would walk through such an analysis, poke at the 2600 case- search for "B. Posting of DeCSS", and see how the court walks through the determination that DeCSS is a circumvention measure. It isn't exactly analogous (since DeCSS was primarily code, and this is not) but it'll give you some feel for what a court does in a situation like this one where there is very little precedent and the court wants to be very, very clear about what it is doing.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 0:26 UTC (Thu) by louie (subscriber, #3285) [Link] Oh, and, uh, IANAL, but I will be one in two years. And I have an exam which covers the DMCA and the 2600 case in 36 hours. So I'm going to chalk this up as studying ;)
'component, or part' of a circumvention device, almost certainly Posted May 14, 2007 2:14 UTC (Mon) by mikov (subscriber, #33179) [Link] How did you do on your exam ? In the end I do hope you are going to work for EFF or RedHat's legal team ... :-)
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 1:33 UTC (Thu) by jimmybgood (guest, #26142) [Link] It's not as clear to me as it is to you. The key was designed and produced not by the doom9.org poster, but by the AALS-LA. Is the AALS-LA going to claim that they produced it for circumvention purposes and prosecute themselves? The doom9.org poster made it very clear that he didn't crack it or reverse-engineer it, he merely made note of it as it flitted through his computer's memory. Now he did copy it, but it's neither copyrighted nor copyrighteable.
The key's original purpose is to provide authorized decryption. If that's a "limited commercial purpose", then the AALS-LA is claiming that their entire business is a limited commercial purpose. Perhaps this is going to be a self-fulfilling prophecy.
Ar least in my dictionary, marketing implies selling or purchasing. Most posts involve neither, although some are intended to sell t-shirts and coffee mugs which no one is likely to ever use for circumventing anything other than a "no shoes - no shirts - no service" edict.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 2:25 UTC (Thu) by louie (subscriber, #3285) [Link] [Note that I think this is an interesting mental exercise; but no court is going to grant even the slightest benefit of the doubt in this case, so it is only an interesting mental exercise.] I'm going to address all three subsections, but remember that the court need prove only one of them, not all three, so the fact that the last one is a stretch doesn't save anybody. The key was designed and produced not by the doom9.org poster, but by the AALS-LA. Is the AALS-LA going to claim that they produced it for circumvention purposes and prosecute themselves? They don't offer the key as a stand-alone product, nor did they 'primarily design or produce' it to allow indiscriminate access- it was designed explicitly to control access. So what they created, and what the hackers created, are going to be substantively very different in the eyes of the court. Yes, their random number generator created it, and they give it to you, but deeply embedded in many layers of protection. When I can go down to Best Buy and buy the stand-alone key off the shelf, this argument might fly :) Note here that the 'purpose' of the key, as produced by AALS-LA, is distinguishable from "circumventing a technological measure that effectively controls access" in large part because "effectively controls access" is defined specifically in terms of the "authority of the copyright owner." So while the language is awkward, the statute clearly anticipates that the "copyright owner" will "require[] the application of information"- i.e., the key- as something distinct from the forbidden circumvention. The key's original purpose is to provide authorized decryption. If that's a "limited commercial purpose", then the AALS-LA is claiming that their entire business is a limited commercial purpose. The commercial purpose is not to provide decryption- it is to protect the sales of HD-DVDs without rampant redistribution, and to be sold as part of an expensive/functional HD-DVD player, both of which are going to be a very strong commercial purpose in the eyes of the court. Distributing the key independent of the rest of the tool doesn't have either of those purposes. (I think you probably could make this argument if the key were distributed as part of some system which provided valuable features to users, like a backup system, rather than standalone. For example, if GNOME or KDE distributed the key buried inside totem or kplayer, there might be an argument here to have the key in gnome/kde CVS/SVN. Maybe. Would be very risky. IANALY, etc., etc. :) At least in my dictionary, marketing implies selling or purchasing. While you're right that this part is more of a stretch than the other two components, you have to look at 'marketing' here in light of 'No person shall... offer to the public...' Given that 'mere' offering to the public constitutes the offense, and that there is no product to sell yet, a court is probably going to define marketing here as 'publicity inducing people to use it' rather than 'salesmanship inducing people to buy it', and clearly publicity inducing use/distribution has occurred here. Hope that clarifies things. Please continue to point out where I'm unclear or wrong or just talking too much; this verbal sparring is good practice for my exam :)
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 16:39 UTC (Thu) by jimmybgood (guest, #26142) [Link] Even lawyers can disagree over the law. But I'll point out succinctly where I disagree with you. You say "what the hackers created." But I claim the person who posted the number did not create it, they merely copied it. DeCSS was very definitely a creation of DVD Jon and his two unidentified cohorts, so all the analogies with the DeCSS case are invalid.
You also use the phrase "deeply embedded in many layers of protection." I claim you're wrong. The number was in clear text in system RAM. If it had been so deeply embedded, it would still be unknown. If it had been extracted from the firmware of the DVD player, perhaps it could be said to have been created in the process of reverse-engineering, but that's not what happened.
Perhaps, it could be a trade secrets case, based on the argument, that the number was intended to have been a secret part of technology and they didn't expect that people would be browsing through their system RAM. But that case could only be made against the person who revealed the secret. I think the claim of DMCA violation is a stretch and will not be resolved without lengthy legal process.
Good luck on your exam!
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 5:54 UTC (Thu) by ncm (subscriber, #165) [Link] "technology, product, service, device, component, or part thereof"A number is a number. A number is not a product. (Well, maybe this one is, because it's not prime, but never mind that.) A number is not a service. A number is not a device. A number is not a component. A number is not part of a component. The argument fails before you get to any of your three horns, because it isn't any of the things in that presumably exhaustive list of proscribed items. If Congress had meant to restrict distribution of numbers, they could have added that to the list, but they chose not to. If an unpleasant odor turned out to be useful in breaking somebody's DRM scheme, that wouldn't be covered either. Odors just ain't in the list, and neither are numbers. They might reasonably use the DMCA to attack people distributing software that can use the number, but that's not what's under discussion here. It's an odious law composed by odious people, but we don't have to make it seem more odious than it is.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 7:10 UTC (Thu) by tetromino (subscriber, #33846) [Link] > A number is a number.
Credit card numbers, expiration dates, and PINs are numbers - but distributing those isn't exactly legal. In fact, any file is a finite sequence of bytes, and hence a number. By your logic, I could freely distribute files containing Vista source code, the private medical records of the residents of Minneapolis, and the current list of undercover FBI agents - because, after all, they are just very big numbers.
Somehow I suspect that a real-world judge might take objection to your line of argument.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 8:06 UTC (Thu) by cate (subscriber, #1359) [Link] For the part private medical records of the residents of Minneapolis, I think it is because of privacy laws. And I don't think distribution of HD-DVD or they keys has something to do with privacy: the purpose of DVDs is to be distributed and to be shown.The credit card number is more interesting. I think tat the owner, the shop and the bank cannot distribute the number, per contract. But IMHO, IANAL, if you distribute the credit card number (you break the contract), the other people (that obtained the number legally, they are not binded to your contract) can distribute it. But maybe also this is in some commerce, money, payment laws. The laws are not so general as you think, so every new application give interesting results (both in interpretation of old laws and in the rules of new laws), until it stabilize in something intelligent.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 10:52 UTC (Thu) by kripkenstein (subscriber, #43281) [Link] >> Credit card numbers, expiration dates, and PINs are numbers - but distributing those isn't exactly legal. In fact, any file is a finite sequence of bytes, and hence a number.
Of course you are technically right, any file is a number. But from a more practical point of view, let's say that the AACS number was "76" (which is certainly possible in theory). Surely to prevent websites from posting "76" makes no sense. On the other hand, posting the number representing an .mp3 file of a copyrighted song is different somehow.
The actual AACS number is somewhere in the middle, I would say. It is so short that it qualifies for what a (non-mathematician) judge would call a 'number'. A number representing an .mp3 file doesn't, it is only a 'number' to people like you and me.
The problem is that preventing people from saying "76" is just ridiculous. People _need_ to say that number in their normal lives. Perhaps the AACS number is not exactly that, but it is so short that certainly large portions of it are uttered in normal life. To restrict stating the AACS number is therefore dangerously close to restricting free speech. This risk is not present with .mp3 'numbers'.
In addition, you mention credit card numbers as things that are illegal to distribute. Well actually it is perfectly legal to distribute them, such distribution happens all the time when a waiter swipes a card at the table and carries the imprinted number to the cash register. What is not legal is to use them to steal the owner's money, and I presume the law has some clause wherein copying credit cards in bulk is 'with intent to steal' or something along those lines. Yet if a child copies their parent's credit card number, without permission, is this a crime BEFORE it is used to steal money? I'm not sure. And, importantly, regardless of the result here, this is completely different than the AACS number, which cannot be used to steal money - it *might* be used to infringe on copyright or circumvent anti-circumvention measures, but those are handled by completely different laws than credit card numbers. So these matters are not necessarily related, even though in both cases we have numbers (even of about the same length).
So, in summary, I am not sure how a judge would act, when ruling on this case. Perhaps the AACS-LA won't want to risk a negative judgment, which would have far worse consequences than the benefits of winning such a case (the number is already out there).
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 11:47 UTC (Thu) by louie (subscriber, #3285) [Link] A number is a number, sure, but a letter is a letter, a word is a word, and a piece of paper is a piece of paper, and all of them can become 'parts' of 'books.' This particular number is a number, but it is also a "part" of a "technology" (unless you think that the copy control system is magic and not a technology); it is "part" of a "device" (whatever xbox they ripped it out of); and it is "part" of a "product" (again, the xbox, which they sold for a nice sum of money.)
Later comments compare the number to a credit card number (where distributing it is presumably not illegal until it is used), but lets be clear- the DMCA makes it very illegal to distribute this number, period. It doesn't have a 'wait until it is used' clause, like a credit card law might. The law says very clearly, in very plain language, that it is illegal to 'offer to the public'. Doesn't have to be used by anyone- just offered.
Now, you could argue that you have a free speech defense about shouting the number from the rooftops; it seems unlikely to fly, because the number, by itself, is so useless, and so completely unlikely to be uttered in casual conversation. (It is 'short', as numbers go, but still long enough that I'm sure it would take a lot of monkeys a lot of time to type it out randomly.) So speaking it is much more akin to screaming fire in a crowded theater than most other speech acts. But if someone turns this into a Linux player ASAP, given the larger number of Linux users than there were in 2001, the industry's failure to create a licensed DVD player in that timespan, and the failure of the decss key to be involved substantially in piracy, you might get a more sympathetic ear on the free speech claim this time, and the ruling on the speech issue in 2600 suggests that if you can show that the government could reach their end (prevention of piracy) by 'less restrictive means', the court might rule otherwise. Seems unlikely, but it might not hurt to try again. If I have time later today, I'll try to re-read the first amendment section of 2600 and see how well it holds up over time- my guess is that it will not have aged gracefully but it'll be 'good enough' to bar a first amendment defense in this case.
More pragmatically, even though they'll almost certainly win a DMCA case, the AACS-LA folks now have to sue a bazillion people to put this cat back in the bag. That seems unlikely. I'm guessing they'll try to get the doom9 forums taken down, and to get Google to block searches on the number. But we'll see- should be interesting, strategically.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 22:40 UTC (Thu) by ncm (subscriber, #165) [Link] A book is also not a technology, service, device, component, or part thereof. (It could be a product.)
Again, the DMCA is odious, but it is not omnipotent. It doesn't outlaw electrons, metals, RAM, or computers, despite that all of those may be involved in a circumvention, because that would have been recognized (even by congress members, or at least their staffs) as over-reaching. The MPAA might wish that numbers were included in the list, but they just aren't.
Was it an oversight, or a deliberate choice? It shouldn't matter, but if we can show a draft that included numbers (or language that would include them), that ought to be very persuasive even to somebody as stupidly hostile as your typical judge.
component or part of a circumvention device? Posted May 3, 2007 21:24 UTC (Thu) by dark (✭ supporter ✭, #8483) [Link] Hmm. One problem is that it doesn't look like a number to the nontechnical. It looks more like a password. Perhaps we should have written it as 13256278887989457651018865901401704640 in the first place. This may be something to keep in mind in the future.
Is a key a 'circumvention device'? Posted May 11, 2007 22:51 UTC (Fri) by giraffedata (subscriber, #1954) [Link] The key doesn't circumvent the lock, but in the hands of an uninvited person it is nonetheless a circumvention device. What it circumvents is the security measure which consists of having a lock on the door and giving keys only to invited persons. DMCA's circumvention piece is exactly about solving the problem of, metaphorically, door keys getting into the wrong hands. Technology alone proved incapable of locking out the bad guys, so the government gave it a boost by outlawing the activities that made the technology fail. So now the metaphorical homeowner has 3 lines of defense: 1) it's illegal to trespass; 2) it's hard to get in without a key; 3) it's illegal to get a key.
|
|
||||||||||||