IMPLICATIONS OF DMCA ANTI-CIRCUMVENTION RULES FOR RESEARCH

Pamela Samuelson, SIMS & Law, EECS Lecture Colloquium Series, May 8, 2002

OVERVIEW

• Overview of the DMCA rules
• Why research might violate the DMCA
• Statutory and constitutional defenses
• Other DMCA claims to watch out for
• Why the logic of the DMCA may lead to outlawing the general purpose computer (CBDTPA aka SSSCA)
• Concluding thoughts

17 U.S.C. 1201

• (a)(1)(A): Illegal to circumvent a technical measure copyright owners use to control access to their works
• (a)(2): Illegal to make/distribute tool to circumvent access controls
• (b)(1): Illegal to make/distribute tool to bypass other technical measures used by copyright owners to protect rights in works
• No counterpart to (a)(1)(A) for bypassing copy controls (compromise to enable fair uses?)

1201(a)(1)(A) EXCEPTIONS

• (Relatively) meaningful exceptions:
  – achieving program-to-program interoperability
  – encryption research & computer security testing
  – law enforcement/national security
• Unmeaningful exceptions:
  – library/nonprofit “shopping” privilege
  – privacy protection
  – protecting kids vs. porn
• Ambiguous about fair use preservation 1201(c)(1)
• LOC rulemaking to make new exceptions

ENCRYPTION RESEARCH

• 1201(g) & (j): “legitimate” encryption research & computer security testing OK
  – Acquisition of content must have been lawful
  – Acts must be necessary & in good faith
  – Must request permission from copyright owner 1st (testing--must actually get permission)
  – Must give results to copyright owner (free consulting)
  – Limited dissemination of results (advance knowledge v. facilitate infringement; what if paper on Internet?)
  – OK to make (a)(2) tool but silent as to (b)(1) tool

OTHER DMCA RULES

• 1202 protects the integrity of “copyright management information” (e.g., watermarks) from alteration/removal
• 1203 gives broad remedies to successful plaintiffs (injunctions, statutory damages, etc., even if no actual infringements!)
• 1204 makes willful violation of 1201 or 1202 for profit/financial gain a crime:
  – up to $500K fine for 1st offense, up to 5 yrs in jail
  – up to $1M for 2nd offense & up to 10 yrs in jail

RIAA v. FELTEN

• RIAA/SDMI/Verance claimed Felten et al. paper violated DMCA anti-circumvention rules
  – No violation of 1201(a)(1)(A) because SDMI challenge authorized attack during 3 week period
  – Would delivering or publishing a paper on weaknesses “provide” a circumvention tool to the public?
  – Did Felten make or adapt a tool to bypass SDMI TMs?
  – Did Felten alter/remove CMI in course of research?
• Huge damages award possible if “pirates” use detailed information about weakness to infringe

STATUTORY DEFENSES

• SDMI watermarks are not “effective” technical measures within 1201 (weak)
• Paper on weaknesses of a technical measure may not “provide” a circumvention technology within the statute (quite strong)
• Ambiguity in statute about whether an intent to enable infringement is required for 1202 (strong)
• No injury because no infringement attributable to paper (weak; UCS v Reimerdes says lack of infringement is irrelevant)

OTHER DEFENSES

• Encryption research/computer security exception
  – SDMI watermarks don’t use encryption
  – Hacking them is not computer security testing (as such)
  – (a)(2) v. (b)(1) problem
  – No application to 1202
  – Intended publication on the Internet might facilitate infringement
• Court might construe exception broadly as to Felten et al., but DMCA caselaw so far takes very narrow view of exceptions

1st AMENDMENT DEFENSE

• Even if Felten et al. violated the DMCA, the Constitution may protect them
• 1st A generally protects a scientist’s right to publish results of lawful research
• Bernstein v. US: cryptographers have 1st A right to post source code on the ‘Net to communicate scientific ideas in code
• Fact that someone MIGHT do something illegal with the information is generally not enough to enjoin the speech (e.g., how to make bomb)

FELTEN v. RIAA

• Felten et al. sought a declaratory judgment that:
  – Presenting or publishing the paper would not violate 1201 or 1202
  – 1st A right to publish results of research
• Thereafter, RIAA/SDMI/Verance announced no objection to presentation of paper at USENIX
• Court dismissed: no live controversy
• Good news:
  – RIAA backed down
  – Ashcroft brief: Felten’s intent was to improve security

1st A ONLY GOES SO FAR

• Courts routinely reject 1st A defenses in IP cases (Universal v. Reimerdes)
• What if Felten had reverse-engineered the SDMI watermarks outside of the SDMI challenge?
  – Might violate 1201(a)(1)(A) if watermarks were intended for use as access controls in players
• Is there a constitutional right to do research or to reverse engineer technical measures?
  – If can’t do research, can’t engage in 1st A speech
  – If RE is conduct, not speech, does 1st A protect it?

OTHER DMCA CLAIMS

• Sony vs. Connectix & Bleem: emulation programs said to bypass PlayStation game TPMs
• Sony vs. Gamemaster: game enhancer software violated DMCA because bypassed country code (gave Sony control over complementary products & stopped competition w/ Sony’s game enhancer)
• Sony vs. Aibohack: threatened lawsuit vs. host of website where owners of Aibo robot dogs could post programs to make dogs do different tricks

OTHER DMCA CLAIMS (2)

• RealNetworks v. Streambox: enjoined “VCR” that bypassed RN authentication procedure & allowed personal use copies of streamed content
• Microsoft claimed Slashdot violated DMCA because users posted instructions on how to bypass click-through license forbidding copying or disclosure of interface specification
• Blizzard v. bnetd: open source emulation program enabled users to form private game network; RE as circumvention; program as circumvention tool

WHY CLAIMS PLAUSIBLE

• Country codes/watermarks/streaming being treated as access controls
• Reverse engineering them violates 1201(a)(1)(A) unless exception applies
• Making or adapting a tool to reverse engineer them violates (a)(2), as does making/distributing software capable of bypassing the TPM
• No underlying act of infringement needs to occur
• Fact that no infringement is even possible may be irrelevant!

UNIVERSAL v. REIMERDES

• Preliminary injunction vs. Reimerdes & Corley/2600 in Jan. 2000 to stop posting of DeCSS on web as violation of 1201(a)(2)
• CSS held to be an access control for DVD movies (why not a copy-control?)
• DeCSS bypassed CSS
• All statutory & constitutional defenses rejected
• Reimerdes settled; Corley (sadly) did not

BAD DICTA JAN. 2000

• ISP safe harbor rules re copyright infringement don’t apply to 1201 claims; ISP can be strictly liable for user posting of circumvention software
• Corley (a mere journalist) lacked standing to raise interoperability, encryption research, computer security testing, or fair use defenses (even if they might be valid as to Jon Johansen) because Corley wasn’t trying to make an interoperable program, do encryption research, or make a fair use. Think of implications for scientific publishers!!!
• No right to interoperate with data (e.g., DVD movie)

RULING IN AUG. 2000

• Same analysis of 1201(a)(2)
• Shamos testimony on potential harm of DeCSS: he used DeCSS to copy movie & distribute via Internet with DivX compression
• Judge didn’t believe Johansen on DeCSS as a necessary step to developing Linux player, so rejected interoperability defense
• Likened DeCSS to deadly plague, assassination
• Functionality of DeCSS limits 1st A scope

UCS v. CORLEY (2d Cir. 2001)

• Praised & followed Kaplan’s analysis
• Some good news?
  – Software is 1st A protected speech (programmers express themselves in code)
  – No distinction between source & object (object code is like Sanskrit)
  – More general affirmation of 1st A protection for scientific & technical info (e.g., instructions)
  – “Intermediate scrutiny” applies

MORE ON UCS v. CORLEY

• Little discussion of statutory issues (but rejects as “perversion” of 1st sale defense idea that users have rights to use access-control content in unlicensed technology)
• 1201(c)(1) does not preserve fair use; also Corley lacks standing to raise (even if JJ was a fair user)
• Threats/dangers of Internet for copyright owners lessen scope of 1st A protection for software (in conflict with ACLU v. Reno?)

OTHER DeCSS ISSUES

• DVD-CCA v. Bunner: Calif. Ct. App. held that Bunner had a 1st A right to post DeCSS on the Web even if CSS is a trade secret and even if JJ misappropriated it (on appeal to Calif. Sup. Ct.)
• Jane Ginsburg’s copyright course website links to sites where DeCSS can be found
• David Touretzky maintains a “Gallery of DeCSS Expressions” on CMU server
• DeCSS source code printed on some T-shirts
• OK to use DeCSS to fast-forward DVD movie?

DMCA TO CBDTPA

• DMCA hasn’t stopped “piracy”
• Digital content won’t really be secure until DRMs are embedded in all interactive digital technology
• Computer/software industry has resisted “voluntary” standards on DRM
• Mandating DRMs is the only way to ensure they won’t be competed away
• Broadband deployment has been hindered by “piracy,” stronger IPR necessary

PRECEDENTS

• Public legislation:
  – Audio Home Recording Act: serial copy management system (SCMS) chips required in consumer grade DAT machines
  – 17 U.S.C. sec. 1201(k): future VCRs must build in Macrovision anti-copying technology
• Private legislation:
  – Content industry consortium (DVD-CCA) licenses for DVD players require installation of CSS
  – SDMI aimed to achieve similar result

S. 2048: CBDTPA

• Consumer Broadband & Digital Television Promotion Act
• Digital media device makers, copyright owners, & consumer groups have 12 mo. to reach agreement on standard security measures for such devices
• FCC to require installation in all devices (open source player likely to be illegal; general purpose computer too)
• If no agreement, FCC will choose security standard anyway & mandate it in digital media devices
• Illegal to make or provide digital media device w/o SSM
• Also illegal to remove/alter SSM; criminal penalties

QUESTIONING CBDTPA

• Would impede many beneficial uses of IT
• Would add expense to IT systems
• Would retard innovation & investment in IT
• May make systems more vulnerable to hacking (can one virus take down all systems?)
• The government & content industry shouldn’t tell the IT industry how to build its products
• Ill effects for computer science research
• Will rearchitecture of the Internet be next?

REASON FOR HOPE?

• House leadership is not keen on CBDTPA; nor is Leahy in Senate
• Rep. Rick Boucher believes in fair use and balanced copyright law
• Courts less subject to “capture” than legislature
  – may interpret DMCA to allow research
  – “bad” decisions/dicta may be rejected or narrowed
• People (like you?) believe in sound & balanced IP rules, but what does it take to mobilize you?

CONCLUDING THOUGHTS

• Congress passed the DMCA thinking it was necessary to stop “piracy”
• Content industry got a broader law than necessary to achieve this goal, and yet they still want more
• Courts may decline to enjoin research & innovative uses under the DMCA
• Technology community can help to make Congress aware of broader interests at stake (e.g., innovation, competition, user rights)
• Death by 1000 cuts unless technologists organize

WHAT YOU CAN DO

• Write Dianne Feinstein (co-sponsor of CBDTPA), other people in Congress about balanced IPRs
• Support EFF & digitalconsumer.org’s bill of rights
• Participate in USACM public policy activities
• Work with high tech clinic at Boalt
• Join Cornell CS in work vs. CBDTPA
• Help articulate the positive case for open systems and general purpose computers/software
• Don’t let your own research be “chilled”