| |||||||||||||
|
| |||||||||||||
'component, or part' of a circumvention device, almost certainly'component, or part' of a circumvention device, almost certainlyPosted May 3, 2007 0:25 UTC (Thu) by louie (subscriber, #3285)In reply to: Is a key a 'circumvention device'? by AJWM Parent article: EFF: 09 f9: A Legal Primer
Given that the number is not typically conveyed to end-users, it is less like a lock's key (which every owner of a lock has their own copy of) and more like a lock's tumbler- something internal to the circumvention device, without which the device won't function. In other words, a 'component or part'. ("No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof....") Additionally, if there is any doubt as to what the thing is, a judge is going to look at the use of the thing. If it is only arguably used for circumventing, then maybe, maybe the component/part argument will get looked at. But here the key violates not just one but all three of the tests for intent: it is clearly "designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title." It has no "commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title." And despite the language being used ('I hear this number is magical') clearly everyone who is posting it is 'marketing' the key knowing that it is "for use in circumventing a technological measure that effectively controls access to a work protected under this title." You only have to do one of those to violate the DMCA- and clearly the number hits all three. FWIW, to 'circumvent a technological measure' here means specifically to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure." The key clearly 'deactivates' the technological measure, so again, it pretty clearly 'circumvents' under the language of the statute. So yeah, I can't see any plausible way in which a court can find that this isn't a circumvention device. You're very right to point out that the language could be clearer and explicitly define 'component or part' to include keys/data, but no court is going to rule in your favor on that unless you are otherwise very, very sympathetic. And lets be honest here- there ain't no sympathetic players here, at least not from a court's perspective. If you want to see an example of how a court would walk through such an analysis, poke at the 2600 case- search for "B. Posting of DeCSS", and see how the court walks through the determination that DeCSS is a circumvention measure. It isn't exactly analogous (since DeCSS was primarily code, and this is not) but it'll give you some feel for what a court does in a situation like this one where there is very little precedent and the court wants to be very, very clear about what it is doing.
(Log in to post comments)
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 0:26 UTC (Thu) by louie (subscriber, #3285) [Link] Oh, and, uh, IANAL, but I will be one in two years. And I have an exam which covers the DMCA and the 2600 case in 36 hours. So I'm going to chalk this up as studying ;)
'component, or part' of a circumvention device, almost certainly Posted May 14, 2007 2:14 UTC (Mon) by mikov (subscriber, #33179) [Link] How did you do on your exam ? In the end I do hope you are going to work for EFF or RedHat's legal team ... :-)
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 1:33 UTC (Thu) by jimmybgood (guest, #26142) [Link] It's not as clear to me as it is to you. The key was designed and produced not by the doom9.org poster, but by the AALS-LA. Is the AALS-LA going to claim that they produced it for circumvention purposes and prosecute themselves? The doom9.org poster made it very clear that he didn't crack it or reverse-engineer it, he merely made note of it as it flitted through his computer's memory. Now he did copy it, but it's neither copyrighted nor copyrighteable.
The key's original purpose is to provide authorized decryption. If that's a "limited commercial purpose", then the AALS-LA is claiming that their entire business is a limited commercial purpose. Perhaps this is going to be a self-fulfilling prophecy.
Ar least in my dictionary, marketing implies selling or purchasing. Most posts involve neither, although some are intended to sell t-shirts and coffee mugs which no one is likely to ever use for circumventing anything other than a "no shoes - no shirts - no service" edict.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 2:25 UTC (Thu) by louie (subscriber, #3285) [Link] [Note that I think this is an interesting mental exercise; but no court is going to grant even the slightest benefit of the doubt in this case, so it is only an interesting mental exercise.] I'm going to address all three subsections, but remember that the court need prove only one of them, not all three, so the fact that the last one is a stretch doesn't save anybody. The key was designed and produced not by the doom9.org poster, but by the AALS-LA. Is the AALS-LA going to claim that they produced it for circumvention purposes and prosecute themselves? They don't offer the key as a stand-alone product, nor did they 'primarily design or produce' it to allow indiscriminate access- it was designed explicitly to control access. So what they created, and what the hackers created, are going to be substantively very different in the eyes of the court. Yes, their random number generator created it, and they give it to you, but deeply embedded in many layers of protection. When I can go down to Best Buy and buy the stand-alone key off the shelf, this argument might fly :) Note here that the 'purpose' of the key, as produced by AALS-LA, is distinguishable from "circumventing a technological measure that effectively controls access" in large part because "effectively controls access" is defined specifically in terms of the "authority of the copyright owner." So while the language is awkward, the statute clearly anticipates that the "copyright owner" will "require[] the application of information"- i.e., the key- as something distinct from the forbidden circumvention. The key's original purpose is to provide authorized decryption. If that's a "limited commercial purpose", then the AALS-LA is claiming that their entire business is a limited commercial purpose. The commercial purpose is not to provide decryption- it is to protect the sales of HD-DVDs without rampant redistribution, and to be sold as part of an expensive/functional HD-DVD player, both of which are going to be a very strong commercial purpose in the eyes of the court. Distributing the key independent of the rest of the tool doesn't have either of those purposes. (I think you probably could make this argument if the key were distributed as part of some system which provided valuable features to users, like a backup system, rather than standalone. For example, if GNOME or KDE distributed the key buried inside totem or kplayer, there might be an argument here to have the key in gnome/kde CVS/SVN. Maybe. Would be very risky. IANALY, etc., etc. :) At least in my dictionary, marketing implies selling or purchasing. While you're right that this part is more of a stretch than the other two components, you have to look at 'marketing' here in light of 'No person shall... offer to the public...' Given that 'mere' offering to the public constitutes the offense, and that there is no product to sell yet, a court is probably going to define marketing here as 'publicity inducing people to use it' rather than 'salesmanship inducing people to buy it', and clearly publicity inducing use/distribution has occurred here. Hope that clarifies things. Please continue to point out where I'm unclear or wrong or just talking too much; this verbal sparring is good practice for my exam :)
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 16:39 UTC (Thu) by jimmybgood (guest, #26142) [Link] Even lawyers can disagree over the law. But I'll point out succinctly where I disagree with you. You say "what the hackers created." But I claim the person who posted the number did not create it, they merely copied it. DeCSS was very definitely a creation of DVD Jon and his two unidentified cohorts, so all the analogies with the DeCSS case are invalid.
You also use the phrase "deeply embedded in many layers of protection." I claim you're wrong. The number was in clear text in system RAM. If it had been so deeply embedded, it would still be unknown. If it had been extracted from the firmware of the DVD player, perhaps it could be said to have been created in the process of reverse-engineering, but that's not what happened.
Perhaps, it could be a trade secrets case, based on the argument, that the number was intended to have been a secret part of technology and they didn't expect that people would be browsing through their system RAM. But that case could only be made against the person who revealed the secret. I think the claim of DMCA violation is a stretch and will not be resolved without lengthy legal process.
Good luck on your exam!
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 5:54 UTC (Thu) by ncm (subscriber, #165) [Link] "technology, product, service, device, component, or part thereof"A number is a number. A number is not a product. (Well, maybe this one is, because it's not prime, but never mind that.) A number is not a service. A number is not a device. A number is not a component. A number is not part of a component. The argument fails before you get to any of your three horns, because it isn't any of the things in that presumably exhaustive list of proscribed items. If Congress had meant to restrict distribution of numbers, they could have added that to the list, but they chose not to. If an unpleasant odor turned out to be useful in breaking somebody's DRM scheme, that wouldn't be covered either. Odors just ain't in the list, and neither are numbers. They might reasonably use the DMCA to attack people distributing software that can use the number, but that's not what's under discussion here. It's an odious law composed by odious people, but we don't have to make it seem more odious than it is.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 7:10 UTC (Thu) by tetromino (subscriber, #33846) [Link] > A number is a number.
Credit card numbers, expiration dates, and PINs are numbers - but distributing those isn't exactly legal. In fact, any file is a finite sequence of bytes, and hence a number. By your logic, I could freely distribute files containing Vista source code, the private medical records of the residents of Minneapolis, and the current list of undercover FBI agents - because, after all, they are just very big numbers.
Somehow I suspect that a real-world judge might take objection to your line of argument.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 8:06 UTC (Thu) by cate (subscriber, #1359) [Link] For the part private medical records of the residents of Minneapolis, I think it is because of privacy laws. And I don't think distribution of HD-DVD or they keys has something to do with privacy: the purpose of DVDs is to be distributed and to be shown.The credit card number is more interesting. I think tat the owner, the shop and the bank cannot distribute the number, per contract. But IMHO, IANAL, if you distribute the credit card number (you break the contract), the other people (that obtained the number legally, they are not binded to your contract) can distribute it. But maybe also this is in some commerce, money, payment laws. The laws are not so general as you think, so every new application give interesting results (both in interpretation of old laws and in the rules of new laws), until it stabilize in something intelligent.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 10:52 UTC (Thu) by kripkenstein (subscriber, #43281) [Link] >> Credit card numbers, expiration dates, and PINs are numbers - but distributing those isn't exactly legal. In fact, any file is a finite sequence of bytes, and hence a number.
Of course you are technically right, any file is a number. But from a more practical point of view, let's say that the AACS number was "76" (which is certainly possible in theory). Surely to prevent websites from posting "76" makes no sense. On the other hand, posting the number representing an .mp3 file of a copyrighted song is different somehow.
The actual AACS number is somewhere in the middle, I would say. It is so short that it qualifies for what a (non-mathematician) judge would call a 'number'. A number representing an .mp3 file doesn't, it is only a 'number' to people like you and me.
The problem is that preventing people from saying "76" is just ridiculous. People _need_ to say that number in their normal lives. Perhaps the AACS number is not exactly that, but it is so short that certainly large portions of it are uttered in normal life. To restrict stating the AACS number is therefore dangerously close to restricting free speech. This risk is not present with .mp3 'numbers'.
In addition, you mention credit card numbers as things that are illegal to distribute. Well actually it is perfectly legal to distribute them, such distribution happens all the time when a waiter swipes a card at the table and carries the imprinted number to the cash register. What is not legal is to use them to steal the owner's money, and I presume the law has some clause wherein copying credit cards in bulk is 'with intent to steal' or something along those lines. Yet if a child copies their parent's credit card number, without permission, is this a crime BEFORE it is used to steal money? I'm not sure. And, importantly, regardless of the result here, this is completely different than the AACS number, which cannot be used to steal money - it *might* be used to infringe on copyright or circumvent anti-circumvention measures, but those are handled by completely different laws than credit card numbers. So these matters are not necessarily related, even though in both cases we have numbers (even of about the same length).
So, in summary, I am not sure how a judge would act, when ruling on this case. Perhaps the AACS-LA won't want to risk a negative judgment, which would have far worse consequences than the benefits of winning such a case (the number is already out there).
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 11:47 UTC (Thu) by louie (subscriber, #3285) [Link] A number is a number, sure, but a letter is a letter, a word is a word, and a piece of paper is a piece of paper, and all of them can become 'parts' of 'books.' This particular number is a number, but it is also a "part" of a "technology" (unless you think that the copy control system is magic and not a technology); it is "part" of a "device" (whatever xbox they ripped it out of); and it is "part" of a "product" (again, the xbox, which they sold for a nice sum of money.)
Later comments compare the number to a credit card number (where distributing it is presumably not illegal until it is used), but lets be clear- the DMCA makes it very illegal to distribute this number, period. It doesn't have a 'wait until it is used' clause, like a credit card law might. The law says very clearly, in very plain language, that it is illegal to 'offer to the public'. Doesn't have to be used by anyone- just offered.
Now, you could argue that you have a free speech defense about shouting the number from the rooftops; it seems unlikely to fly, because the number, by itself, is so useless, and so completely unlikely to be uttered in casual conversation. (It is 'short', as numbers go, but still long enough that I'm sure it would take a lot of monkeys a lot of time to type it out randomly.) So speaking it is much more akin to screaming fire in a crowded theater than most other speech acts. But if someone turns this into a Linux player ASAP, given the larger number of Linux users than there were in 2001, the industry's failure to create a licensed DVD player in that timespan, and the failure of the decss key to be involved substantially in piracy, you might get a more sympathetic ear on the free speech claim this time, and the ruling on the speech issue in 2600 suggests that if you can show that the government could reach their end (prevention of piracy) by 'less restrictive means', the court might rule otherwise. Seems unlikely, but it might not hurt to try again. If I have time later today, I'll try to re-read the first amendment section of 2600 and see how well it holds up over time- my guess is that it will not have aged gracefully but it'll be 'good enough' to bar a first amendment defense in this case.
More pragmatically, even though they'll almost certainly win a DMCA case, the AACS-LA folks now have to sue a bazillion people to put this cat back in the bag. That seems unlikely. I'm guessing they'll try to get the doom9 forums taken down, and to get Google to block searches on the number. But we'll see- should be interesting, strategically.
'component, or part' of a circumvention device, almost certainly Posted May 3, 2007 22:40 UTC (Thu) by ncm (subscriber, #165) [Link] A book is also not a technology, service, device, component, or part thereof. (It could be a product.)
Again, the DMCA is odious, but it is not omnipotent. It doesn't outlaw electrons, metals, RAM, or computers, despite that all of those may be involved in a circumvention, because that would have been recognized (even by congress members, or at least their staffs) as over-reaching. The MPAA might wish that numbers were included in the list, but they just aren't.
Was it an oversight, or a deliberate choice? It shouldn't matter, but if we can show a draft that included numbers (or language that would include them), that ought to be very persuasive even to somebody as stupidly hostile as your typical judge.
component or part of a circumvention device? Posted May 3, 2007 21:24 UTC (Thu) by dark (✭ supporter ✭, #8483) [Link] Hmm. One problem is that it doesn't look like a number to the nontechnical. It looks more like a password. Perhaps we should have written it as 13256278887989457651018865901401704640 in the first place. This may be something to keep in mind in the future.
|
|
||||||||||||