Slashdot Mirror
DVD CCA Part II - Waiting For The Judge
I got a chance to speak to Tom McGuire, Vice-President of Marketing and Communications for the EFF, who provided part of the pro bono team of attorneys at court today.
"As I understand it, both sides presented arguments, and it sounds like both sides did a good job, although I'm hoping we did a much better job than they did. As far as I understand it, the Judge is going to review the arguments and written briefs that were submitted and hand over a decision in the next few days."
I also got to speak to Matthew Pavlovich, Defendant #13 in the case.
"I think we put together a solid defense. I don't think we're in the wrong. Most of these people are not under the jurisdiction of the California court. There's 15 year olds in Europe. There are real inconsistencies in the way that the prosecuring attorneys have handled this. We really appreciate the support from the computing community. Most of these people really understand what's going on, and their support has been really helpful. This is step one. There are two more cases, and these are federal cases. The fight's not over."
Today's hearing was a much-anticipated event in the Open Source community, but it was just another drop in the DVD encryption bucket. The MPAA filed two federal lawsuits on January 14th, promising that the legal debate over DVD encryption will go on for a very long time.
UPDATE by Andrew Bunner, defendant and courtroom observer:
On the implications of this case:
It would be a tragic blow to consumers and the constitution if the DVD CCA is allowed to win this case.
Consumers want to be able to watch DVDs on their Linux computers. The DVD CCA wants you to only watch DVDs through one of their pre-approved players.
The first amendment will be seriously eroded if Judge Elfving sets a precedent restricting our freedom to distribute the CSS algorithm. I'm wearing a T-shirt that has printed on it a copy of the decryption source code. If this injunction is granted, it will be illegal for me to wear this T-shirt. It will be illegal for you to photograph me wearing this T-shirt. In fact, it will be illegal for you to link to a photograph of me wearing this T-shirt.
On the trade secret argument:
Last night, I found 245 sites that make the supposed "trade secrets" available for download. At the Temporary Restraining Order hearing, one individual handed out printed copies of the "trade secrets". Another had the same material available on floppy diskettes that he was giving away. The algorithm and how to obtain the master keys has been widely discussed on mailing lists, in class rooms and in court.
It's not much of a secret anymore.
A list of mirror sites can be found at http://www.humpin.org/decss/. Be careful, though. By including that link in your story, are you making yourself a defendant?
(*) As we understand it, the phrase "trade secrets" in the plaintiff's filings refers to the master keys and the CSS algorithm.
On the misappropriation of trade secrets:
Yesterday, the counsel for the defense claimed that I should know that the Linux DVD player was based on stolen trade secrets. I don't believe anything was stolen. The DVD CCA underestimates the skill of the software development community. I know that these programmers are capable of reverse engineering and decrypting DVDs without resorting to theft.
On how I think the case will go:
There's only one way Judge Elfving can rule without re-interpreting the First Amemendment.
On copyrights:
Movies are already protected under copyright law. No one disputes that it's illegal to duplicate and redistribute movies... in any format. That's not what we're trying to do. By making the decrypting algorithm available we want to let consumers play their legitimately purchased movies on their Linux computers.
On the hopelessness of the MPAA's situation:
It's impossible to restrict consumers from making private copies of their legitimately purchased movies through any technical means. If you can play a movie, you can capture it and copy it. And as long as that copy is for personal use only, this is perfectly legal. We think the MPAA will eventually come around and recognize this truth.
On piracy:
It would take about 16 days to download a full-length DVD over a modem. I'd rather just buy the disk.
(*) The math... 4.7 GB * 1024 MB/GB * 1024 KB/MB / 3.5 KB/sec = 1,408,087 seconds to download a 4.7 GB movie over a 28.8 phone line that gets 3.5KB/sec. That works out to over 16 days of continuos downloading.
How I felt after the hearing:
We had a fantastic showing of support from the Linux community, cryptography experts and free speech advocates.
Our defense team did an excellent job outlining the absurdity of the plaintiff's position.
We all know that the DVD CCA can't really think that they can make people stop distributing DeCSS. This is all just a big smoke screen for what they are really trying to do.
Could the DVD CCA be attacking a bunch of young people because they thought that those people were too poor to defend themselves from a crack team of lawyers?
The DVD CCA thought that they could walk right over those naive programmers and get the judge to hand them a court order with which they would use to bludgeon the rest of us back into line.
It makes me proud to see so many people pulling together to support these fellow programmers.
The only thing that has me worried is the fact that the same people that own the DVD CCA also own the press in the US. I have yet to see even a single news article or report in favor of the defendants in this case.
To listen to the main stream media the defendants are all pirates who want to rob everyone blind and sell inferior products.
I hope that the judge isn't as gullable as the DVD CCA thinks that he is.
Here are the facts that I believe to be true. I am wrong about most of them to hear the DVD CCA talk.
Fact: You don't need to decode the DVD's in order to copy them.
Fact: You do need to decode them in order to watch them or to make an archival copy of them.
Fact: It is perfectly legal for a person in the US to make an archival copy of any digital media that they own as long as they don't distribute them and as long as they only make a _reasonable_ number of archival copies. Reasonable being whether or not the judge thinks you were trying to pirate the software!
Fact: You may defeat any copy protection that is in place in order to make your archival copies. This is a court case that we won in the early 1980's. Why do you think all the software vendors stopped copy protecting their software?
Fact: Big business (and big government) will always harass the little guy in order to get him to fall into line. As long as we can show solidarity toward each other we are safe.
-- Never make a general statement.
Today, the DVD Copy Control Association and the EFF once again met in court, this time to argue for and against the ordering of a Preliminary Injunction against, basically, the entire Internet, forbidding further dissemination of DeCSS, the source code module that decrypts DVD MPEG streams. After today's hearing, there should be no doubt in anyone's mind that shrinkwrap license "agreements" are monsterously unethical and should on no account be allowed to stand.
It is worth noting up front that I am an adamant, vociferous opponent of these so-called "agreements", so I hope the reader will excuse some editorial bias. (Individuals interested in my editorial on the subject can find it here.) Also, events in court did not occur strictly in the order I will present; I will be grouping together related concepts to make them easier to compare.
Court began promptly at 13:30, and counsel for plaintiff and defendant introduced themselves (the names went by too quickly for me to get most of them). Judge Elfving indicated that he would not render his decision today, but would rather consider the arguments and filings before him and render a decision at a future time. He was unwilling to commit to a specific date, but indicated that it would not be overlong. Judge Elfving then invited plaintiff's counsel to present their argument.
Jeffrey Kessler began his argument with the following question: Can a user extract trade secrets in violation of a shrinkwrap agreement? A lot of other arguments were presented, but it seemed to me that the DVD CCA's entire case proceeds from this single precept.
In order to prevail in a trade secret violation, the plaintiff must show:
CCA's contention is that the reverse engineering employed to discover the CSS algorithm was prohibited by Xing's shrinkwrap license "agreement". (Kessler reiterated this point with some force throughout the proceeding.) Since the reverse engineering violated this contract provision, the algorithm discovered within was improperly obtained due to breach of contract, and is therefore a trade secret violation. DVD CCA therefore argues that they are entitled to a Preliminary Injuction forbidding further dissemination.
Kessler went to a lot of trouble establishing that the original source of DeCSS was Xing's player. An expert's affadivit asserts that the original DeCSS release contained only Xing's key, suggesting that it was the Xing player that had been reverse engineered. Presumably, by establishing Xing to be the original source, they can invoke Xing's "license" that prohibits inspection.
Kessler made the assertion that, even if the "clickwrap" license had somehow been avoided, it still applies and is in force, since the license stipulates that assent to the contract is made, not by clicking on "OK", but by installing and using the software.
Kessler also seemed to go to some lengths to attempt to establish when DeCSS made its first appearance, which appears to have been the binary-only release on 6 October, 1999 from the group M.O.R.E. (Masters Of Reverse Engineering). Subsequent to that, Stevenson's work (where he attacks the hash rather than the keys) appeared around 25 October, 1999. I presume he did this in an attempt to establish that any release subsequent to these dates "must" have come from the "improperly obtained" algorithms.
DVD CCA cited several court cases supporting their petition for a Preliminary Injuction, which were granted forbidding further dissemination of materials under dispute (notably, the Religious Technology Center (Scientology) vs. Netcom). Kessler further asserted that no court case has ever held reverse engineering to be proper.
Kessler also cited the recently effected Digital Millennium Copyright Act which, as a matter of "public policy", forbids reverse engineering. However, he went on to state that DVD CCA is not bringing suit under the DMCA; they are bringing suit under the Uniform Trade Secrets Act.
The plaintiffs also asserted that the "hacker community" clearly knew that DeCSS was obtained improperly, and proceeded to quote from postings in Slashdot discussion fora made back in July where random people opined that a DVD player for Linux might not be legal to develop. (There were no in-court mentions of Natalie Portman or hot grits.) Kessler asserts that this public discussion validates their claim that the defendants "should have known" DeCSS is illegal.
The plaintiff also stated that the fact people may have been trying to develop a DVD player for Linux is entirely beside the point. Moreover, he stated that DVD CCA was not discriminating against Linux, that they were more than willing to license CSS to any "credible party" who wanted to develop a DVD player.
Finally -- and I think this is fairly significant -- DVD CCA made the observation that, if this were a copyright case, there might be a provision for reverse engineering under the Fair Use doctrine. However, there is no such provision in Trade Secret law, and the reverse engineering is therefore improper.
Kessler then turned the floor over to Robert Sugarman, who proceeded to disparage the EFF's First Amendment arguments. He repudiated the assertion that the defendants were news sources, and that they should not be accorded the protections available to newspapers. He asserted that the defendants are doing much more than engaging in First Amendment-protected discussion on this issue.
He repudiated EFF's citation of the Bernstein case. Copyright was at issue in Bernstein; this is a Trade Secret issue.
He also likened the obtaining of the DeCSS algorithm to breaking into Coca Cola's inner sanctum and stealing a copy of their secret formula. (In fact, the analogy of Coke's secret formula figured prominently in the plaintiff's arguments.)
Then he dropped a small bomb and stated outright, in open court, that they seek to enjoin not only hosting of the DeCSS code, but links to the DeCSS code. He asserted that, because links provide "instant access" to the disputed material, they should be forbidden as well.
He attempted to discredit the Open Source (nee "Hacker") community's motives by bringing to the court's attention the DeCSS Distribution Contest, and Copyleft's new DeCSS t-shirts, painting it as juvenile and irresponsible.
For some reason, he also called attention to the recent cracking of PacBell's ISP accounts, and CDUniverse's credit card database. Presumably, he was trying to associate the criminal activities of these individuals with the activities of the defendants in the case, both of which "clearly" demand decisive action from the court.
Finally, Mr. Sugarman asserted that, if a Preliminary Injunction is not granted, the message it will send is:
These remarks by the plaintiff's counsel consumed about an hour and a half. Judge Elfving called a 15 minute recess, after which counsel for the defense began.
The first guy (whose name I did not catch) seemed to rely more on bombast and specious details than on concrete questions of ethics and law. Nevertheless, he did raise some interesting points.
The Scientology case was raised again, this time to point out that the Preliminary Injunction granted and affirmed in that case applied only to one person, not to the entire Internet. He went on to cite the cases of Sega vs. Accolade and Vault vs. Quaid, cases in which reverse engineering was upheld as permissible.
He asserted there was only one real defendant in this case, the one who allegedly did the "dirty deed": Mr. Johansen of Norway who originally developed and published DeCSS. If there is indeed a legitimate action that can be taken, it is solely against this individual.
He turned the plaintiff's Coca Cola analogy on its head by stating that one could buy a can of Coke, take it to a chemical analysis lab, figure out what it was made of, and publish the results. Such an act would be entirely proper under the Trade Secret Act under which DVD CCA is suing.
The defense also argued that trade secret law is a "relational tort," enabling an action of one party against another. It does not protect the secret itself.
He asked, "Where is Xing in this case?" If, as submitted, DVD CCA's license requires licensees to take reasonable measures to protect their trade secrets, then Xing has clearly failed in this obligation. Further, he asserted the DVD CCA does not provide code itself, but expects the individual licensees to develop compliant code. Therefore, any misappropriated technology belongs to Xing, not to DVD CCA.
Finally, he made a highly dubious assertion that there was no evidence submitted to establish that DVD CCA were the legitimately assigned licensors of CSS (which has been developed by Matsushita and Toshiba), and therefore were not empowered to bring this action. (This was readily debunked by the plaintiff during rebuttal.)
After he finished, Eben Moglen, Professor of Law from Columbia Law School took over. I don't think I overstate the issue when I say this guy absolutely kicked ass. Besides being a good orator, the man clearly understands technology as well as law. He's written a treatise on the issues of intellectual property in the digital age entitled Anarchism Triumphant: Free Software and the Death of Copyright.
Mr. Moglen basically proceeded to shred the plaintiff's arguments. He pointed out that DeCSS has nothing to do with wholesale copying; DVDs may be bit-for-bit duplicated and will play in any player without the use of DeCSS. He debunked the assertion of "irreparable harm" to the movie industry by doing some basic bandwidth math showing that downloading a 5.1 gigabyte movie will take you 30 hours (DSL speeds), and if you have a direct backbone connection, it'll take ten hours. Wholesale copying of movies in this manner is therefore not a realistic concern.
He raised the plaintiff's assertion that, while it may not be economically viable to copy movies today, these technologies will become cheaper and more available in the future. However, such theoretical future damages are not at issue; the court need only concern itself with what is happening now.
Mr. Moglen went on to describe CSS as extremely weak, and outlined Stevenson's novel attack against the cipher, which involves attacking the hash value to reconstruct the "title key" by which the MPEG stream may be decoded. In such a case, none of DVD CCA's keys are employed. The title key for any disc can be cracked on a Pentium-III in about 18 seconds. He drove home CSS's weakness by mentioning that Mr. Johansen of Norway is 15 years of age. Thus, the trade secret at issue must not have have been very secret, as it was literally child's play to discover it.
With all this, Moglen asserted that no cause of action remains because no trade secret remains. The "secret" in question was obtained by legitimate means, and Stevenson's subsequent work illustrates that none of DVD CCA's alleged secrets need be involved in decrypting a DVD. Had the DVD CCA acted more swiftly in restraining Mr. Johansen, they might have a cause for action. As it is, they've waited too long.
When he concluded, Moglen received light applause from the gallery as Judge Elfving asked for rebuttal from the plaintiffs.
Mr. Kessler assailed the work of Stevenson, saying that it proceeded from the improper DeCSS code by Johansen. Therefore, Stevenson's work, though novel, is "contaminated" by Johansen's alleged breach of the Xing "license", and the trade secret is still protected.
He argued against defense assertions that no license was in force, saying basically, "Yes, there was!" He attacked EFF's citation of the Sega case, stating that it was a copyright case, and that reverse engineering was held to be proper under Fair Use. This is a trade secret issue.
However, he went on to call attention to the DMCA again, stating that, as a matter of "public policy", reverse engineering is held to be improper. Then he flips again, and says they're not citing DMCA, only the Uniform Trade Secrets Act (which has no provisions for fair use).
Finally, the floor was turned over to Mr. Sugarman who (under pressure of time) characterized Professor Moglen's arguments as entertaining but irrelevant. All DVD CCA seeks, says Sugarman, is to take down the DeCSS code and all links to the DeCSS code. They are not seeking damages, nor are they seeking to quash discussion of the merits of the algorithm; only the trade secret itself.
Judge Elfving then thanked counsels, said there was a lot to think about, and would render his decision as soon as possible. Court was then adjourned at around 16:50.
My Analysis and Opinion:
We may readily concede that CSS was a trade secret, developed in secret, and made available under a comprehensive contract that obligated licensees to maintain the secrecy of the techniques used. It also seems fairly certain that the initial cracking of the CSS involved taking apart the Xing player and seeing how it worked. In order for this action to be a trade secret violation, Johansen's disassembly would have to be an improper use.
In order for it to have been improper, Johansen would have to be laboring under an obligation to maintain the secrecy of the Xing code and the CSS algorithm. The DVD CCA asserts that this obligation existed in the form of the shrinkwrap "agreement" which restricted, among other things, reverse engineering. So the DVD CCA's entire case hinges on whether shrinkwrap "licenses" are enforceable.
Let us put aside the fact that Johansen is Norwegian, where different laws and standards apply; and let us also put aside the fact that he is a minor, who likely can't be bound to contracts without parental consent (again, Norwegian law may differ on this point). Let us concentrate instead on this contract that, by the most tenuous forms of assent, may be considered in force and remove from the licensee a litany of valuable rights, including reverse engineering.
As I stated earlier, it is my adamant position that such documents are pure fiction; that they are not and should not be taken seriously. These instruments have little basis in law, and no basis whatsoever in simple ethics. They run counter to the real and reasonable expectations of consumers when they purchase software; that a sale has taken place, and they hold title to that particular copy of the software, subject to copyright restrictions. The "agreements" seek to alter the terms of the sale after the fact.
Further, these contracts attempt to escape vendors from the provisions of consumer protection laws, "lemon" laws, and remove from consumers their rights under Fair Use provisions of copyright law and, in some cases, the First Amendment (by forbidding discussion of benchmarks). And all one needs to do to assent to such onerous conditions is to, "install and use the software."
If A.H.Robins had attached such a license to its Dalkon Sheild, would it have been upheld? Would thousands of women around the country have found themselves unable to seek damages because they had "agreed" to hold A.H.Robins harmless? If Black&Decker attached such a license to its power saws saying you could only use Black&Decker saw blades, could it be enforced? We might concede they could cancel the warranty, but could they sue you for breach of contract, as DVD CCA has done over CSS?
Even if we were to presume such licenses are enforceable, how could they be said to apply to minors, who cannot be bound to contracts without parental consent? Must we then require that computer stores not sell software of any kind to anyone under age 18?
The idea is worse than ludicrous, it is offensive. No credible argument can be brought to bear that shrinkwrap licenses have any constructive use or benefit -- for consumers or publishers -- much less any foundation in ethics and basic human decency.
Some suggest that the "parade of horribles" that shrinkwraps enable has not happened, and is not likely to happen. I submit that a California corporation seeking a broad injunction, reaching beyond the borders of the state and even the country, to constrain domestic and foreign nationals from engaging in legitimate, ethical behavior to be a "horrible" that even the most paranoid among us could not have anticipated. There can be no further doubt that shrinkwrap licenses are a big, fat, ugly problem, and must not under any circumstances be allowed to stand.
Those who might suggest the GPL is weakened by such a position need not worry. While most commercial software "licenses" purport to constrain use, the GPL constrains copying. Absent a license of any kind, you still have the right to use your lawfully obtained software. You would not, however, have the right to make and distribute copies; the default conditions of copyright law apply. (This is true even if you're a minor.) Right to Use is concomitant with purchase; right to copy is not.
It is difficult to predict how the Judge will rule. Unlike the TRO hearing, the plaintiff was very well prepared. Both sides presented their arguments well. Judge Elfving stated that he wishes to be thorough, and will doubtless spend a good deal of effort considering the arguments. Still, both sides were articulate, and it will depend on who Judge Elfving chooses to believe, so the decision could go either way. Cross your fingers...
Schwab
Editor, A1-AAA AmeriCaptions
No, actually these facts are true. You _can_ copy a DVD without the key, just not with unmodified commodity PC DVD-ROM drives. The people who will be able to copy off working DVDs bit for bit are the ones the companies really have to worry about, the larger pirates with the resources to buy or hack a DVD mastering drive. The average consumer, who might rather play a backup disc and leave the clean original in the case (anyone remember this from the days of floppies?) is the only one truly shafted, because their drive will not allow them to create a copy. Given, the smaller pirates might suffer temporarily as well, but the software/hardware hacks that they need to make it happen would just end up on warez and serialz pages anyway. DeCSS will end up on far more sites than that, _because_ of the CSS lawsuit.
The industry knows their encryption is weak, and thus will be quickly defeated. The only reason they might be serious about it is because the movie industry doesn't want to release digital copies verbatim to consumers without protection. The CSS encryption was a small and ultimately ineffective bandage the DVD industry applied to their format to coax the studios to use their technology. If the studios should be upset with anyone, it's the CSS people. This lawsuit is likely just them covering their own asses.
Regardless of its purpose, the lawsuit is very dangerous from a consumer rights perspective. I've stated before (perhaps too strongly, this fiasco does make me rather angry) that I'll never buy a DVD under these conditions. I would recommend that others avoid them as well. Their involvement in defining our fair use rights is a conflict of interest at best. We cannot give our rights up just so some corporations can make a few extra million in pocket change. That's shady ethics if I've ever heard of it.
GPL: Free as in will