German Court: Open Source Project Liable For 3rd Party DRM-Busting Coding

← Back to Stories (view on slashdot.org)

German Court: Open Source Project Liable For 3rd Party DRM-Busting Coding

Posted by samzenpus on Thursday December 5, 2013 @08:05PM from the damned-by-association dept.

Diamonddavej writes "TorrentFreak reports a potentially troubling court decision in Germany. The company Appwork has been threatened with a 250,000 Euro fine for functionality committed to its open-source downloader (JDownloader2) repository by a volunteer coder without Appwork's knowledge. The infringing code enables downloading of RTMPE video streams (an encrypted streaming video format developed by Adobe). Since the code decrypted the video streams, the Hamburg Regional Court decided it represented circumvention of an 'effective technological measure' under Section 95a of Germany's Copyright Act and it threatened Appwork with a fine for 'production, distribution and possession' of an 'illegal' piece of software."

39 of 178 comments (clear)

Min score:

Reason:

Sort:

"effective technological measure" by mwvdlee · 2013-12-05 20:14 · Score: 4, Insightful

You keep using that word. I do not think it means what you think it means.
Doesn't the concept of "effective" mean that code breaking the DRM cannot exist?

--
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
1. Re:"effective technological measure" by fuzzyfuzzyfungus · 2013-12-05 20:25 · Score: 4, Interesting
  
  One would like to think so; but the courts haven't (CSS is how broken now, and for how long?) I assume that the argument is that it's 'effective' because you still need a specially designed tool to break it, not unlike a lockpick. What isn't clear, under that reasoning, is why essentially all file formats of remotely nontrivial complexity don't count as 'effective technological measures', since virtually nothing in digitized form is remotely human readable without specialized software transformation. Your odds of turning an RTMP stream into video with your brain are basically as good as your odds of doing the same with an RTMPE stream, and neither are high.
2. Re:"effective technological measure" by Anonymous Coward · 2013-12-05 20:26 · Score: 4, Interesting
  
  German speaking guy here. You're absolutely right, I have the exact same opinion, but they really use this "wording" (sorry if I didn't get that expression right). It's stupid. I believe that it is written like this deliberately. So they can use any $drm scheme, doesn't matter how cheap, it could be as cheap as, any 12 year scriptkidde can circumvent it, if it says $drm, you can be sued for the circumvention of it. Or the other possibility is, they really just have no idea. Maybe they compared drm to the physical world. Burglers can smash in your window just like that, enter your house and steal everything of value/easily movable. Doesn't mean they couldn't be sued for it, because security doors + windows are an effective counter measure against burglars.
3. Re:"effective technological measure" by advocate_one · 2013-12-05 21:02 · Score: 2
  
  by their definition, ROT13 is an "effective" DRM scheme...
  
  --
  Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
4. Re:"effective technological measure" by Sockatume · 2013-12-05 21:22 · Score: 2
  
  It presumably has a technical legal definition which the article, according to its footnotes, doesn't have available.
  
  --
  No kidding!!! What do you say at this point?
5. Re:"effective technological measure" by Kjella · 2013-12-05 21:36 · Score: 5, Insightful
  
  A book written in Greek and a book written in English using a cipher are both gibberish to me, but understanding one depends on a parser and the other on a decryption key. In short the understanding of "effective technological measure" seem to be that the protocol is trying to use a secret (CSS key, AACS key, HDMI key etc.) to protect the content. So if you took any file format and wrapped it in AES with a static key with no memory protection whatsoever then decrypting it in any other program would be a DMCA violation, geeks all get caught up in "effective" but in context it just means a measure intended to have that effect specifically to exclude all other attempts at interpreting a protocol as "cracking" it.
  
  --
  Live today, because you never know what tomorrow brings
6. Re:"effective technological measure" by Anonymous Coward · 2013-12-05 22:02 · Score: 2, Insightful
  
  Meanwhile in the crypto world, if someone breaks a cipher, the creator will admit defeat like an honorable man, he won't go cry to a judge like a baby.
7. Re:"effective technological measure" by sumdumass · 2013-12-05 22:54 · Score: 4, Informative
  
  The law is a direct result of the WCT or WIPO Copyright Treaty. The judge is likely interpreting "effective" within respect to that. It is under article 11 I think but i'm on my phone right now and it is a bit hard to check.
  Anyways, i believe effective would mean anything non trivial or ancillary at the time of creation. So if a cipher is so easy to break that they teach doing so as part of security lessons, using that couldn't be effective. But requiring something that isn't known or readily done could be if it isn't blatently obvious.
8. Re:"effective technological measure" by squiggleslash · 2013-12-06 00:27 · Score: 4, Informative
  
  Well perhaps, but to play Devil's advocate: this isn't a game.
  There are two parts to DRM when combined with an anti-circumvention law. The first is the one that exists anyway: to attempt to make it as difficult as practically possible for someone to gain unrestricted access to the raw content. The other - which the DMCA (and its apparent German equivalent) adds - is to add legal liabilities for creating, possessing and/or using the tools, however easy, that break that encryption, should they ever come into being.
  Us nerds have a tendency to misread laws and assume that rather than it being a reflection of the intent of the authors, that the language used is arbitrary and written by dolts to be interpreted in the widest possible context. Specifically we look at words like "effective" and rather than interpreting it in the context of the rest of the law, we go off on tangents and ask whether something is effective using other definitions within different contexts.
  Is, for example, CSS effective? Well, I'd argue it is in context. It requires you use a specialized tool, designed specifically to break CSS, in order to access the content. It meets the definition in context. It doesn't meet the definition if you change the subject and say "Well, in 1998 it protected content, but does it now? Is it easy to find the tools needed to circumvent it?", but that's not the definition of effective that's implied by the context of the legislation - which is why better lawyers than us are not making that claim when protecting, say, Real Networks.
  As for ROT-13.... well, maybe it is, maybe it isn't. My guess is it wouldn't, because ROT-13 doesn't require knowledge of any secrets beyond the fact it's being used to begin with, and the "tool" used to decrypt it is already built-in to a billion email, USENET, and so on clients. At the very least, if SuperdooperRayVD 4K discs in 2020 are encrypted using ROT-13, they'd have great difficulty persuading judges that millions of pre-existing USENET clients from the 1990s are illegal.
  
  --
  You are not alone. This is not normal. None of this is normal.
9. Re:"effective technological measure" by KozmoStevnNaut · 2013-12-06 01:26 · Score: 3, Interesting
  
  I'm pretty certain that by "effective" they mean "something that is in effect", not "something that is very good at its function".
  
  --
  Eat the rich.
10. Re:"effective technological measure" by Kat+M. · 2013-12-06 01:46 · Score: 4, Insightful
  
  Section 95a (2) of the German copyright law defines specifically what an effective technological measure is. It specifically includes "encryption, scrambling or other transformation". It does not require that the encryption etc. need to be unbreakable, just as a physical lock does not have to pose an unsurmountable barrier in order to make breaking it illegal.
11. Re:"effective technological measure" by Gr8Apes · 2013-12-06 03:43 · Score: 3, Insightful
  
  And yet, I can easily hook up a camera and video the TV and hook directly into the sound pickups, and voila - a copy is made without circumventing anything. Depending upon hardware, it may actually be a reasonably good copy. And if I wish to go one step further, I can hook into the screen's display and record the raw video directly too, resulting in a perfect copy. Again - no circumvention required of anything the DCMA protects digitally. IOW, it's ineffective and only causes harm to those that wish to use things legally anyways. Those that wish to do illegal things will never be stopped by something like the DMCA, and as just stated, the DMCA doesn't even need to be circumvented to create a perfect digital copy. That implies that the DMCA itself is ineffective.
  
  --
  The cesspool just got a check and balance.
Does the copyright need an owner? by Anonymous Coward · 2013-12-05 20:16 · Score: 3, Interesting

Is it legally possible to author and licence an opensource project without disclosing your identity? All the licences I've see have a place for the copyright holder (the person or other entity that is granting the rights detailed in the license). I presume its possible and legal to do this without including your actual name right? If you don't care about getting credit for it (or suing for damages), you can avoid this potential liability by having the project copyright controlled by some nameless entity. As long as you don't need to re-licence it in the future, I think that is safe.
I suppose you could have the copyright in some arbitrary name (your friend's dead pet, whatever), but still require the license to credit you. A lot of opensource projects really don't care who holds the copyright, so if its a liability, the developers shouldn't hold it. GPL type projects have to be careful, since the copyright holder could use it themselves however they want, or reissue it under some other license. This approach makes much more sense for permissive licenses like public domain, or MIT/BSD.
1. Re:Does the copyright need an owner? by mwvdlee · 2013-12-05 20:21 · Score: 4, Interesting
  
  Open source licenses use copyright.
  Only the owner of a copyright can enforce it.
  If somehow copyright would be assigned to a non-existant entity, nobody could enforce it and it would effectively become public domain.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
2. Re:Does the copyright need an owner? by fuzzyfuzzyfungus · 2013-12-05 20:34 · Score: 3, Informative
  
  Section three of Article 7 of the Berne Convention states:
  
  "(3) In the case of anonymous or pseudonymous works, the term of protection granted by this Convention shall expire fifty years after the work has been lawfully made available to the public. However, when the pseudonym adopted by the author leaves no doubt as to his identity, the term of protection shall be that provided in paragraph (1). If the author of an anonymous or pseudonymous work discloses his identity during the above-mentioned period, the term of protection applicable shall be that provided in paragraph (1). The countries of the Union shall not be required to protect anonymous or pseudonymous works in respect of which it is reasonable to presume that their author has been dead for fifty years."
  
  Virtually everyone is a Berne Convention signatory; but actual implementation in domestic law has been both spottier and more...complex... than the convention text itself. It seems unlikely that something of clearly recent authorship would find itself presumed to be uncopyrighted merely because an author could not be found; but I'd imagine that, in practice, the more risk-averse would be very, very, jumpy about taking 'anonymous coward' at his word that they are authorized to use a given piece of code under the terms of whatever license, that he is even the author, and so forth. That might hinder adoption.
3. Re:Does the copyright need an owner? by WWJohnBrowningDo · 2013-12-05 21:06 · Score: 3, Insightful
  
  Easy, public key cryptography. Instead of using "anonymous coward" as the pseudonym, use "anonymous coward who posses the private key to the following public key.
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0
  FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/
  3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
  -----END PUBLIC KEY-----"
  Oh who am I kidding, we're talking about law makers who criminalized a piece of software. "public key cryptography" probably sounds like "thermonuclear weapons" to them.
4. Re:Does the copyright need an owner? by mwvdlee · 2013-12-05 22:42 · Score: 2
  
  Only the owner of a copyright can enforce it.
  Please don't post legal advice without appropriate qualifications. The above isn't the whole story in many jurisdictions, as there are other factors such as exclusive licensing to consider.
  You understand the exact same applies to what you just said yourself?
  It doesn't change the simple fact that, even when exclusively licensed (which is pretty much never going to happen with open source licenses, but let's entertain your line of thought here), the entity it is exclusively licensed has to actually exist in order to be able to enforce copyrights.
  Using open source licenses with absolute anonimity is still impossible.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
5. Re:Does the copyright need an owner? by hawkinspeter · 2013-12-05 23:42 · Score: 2
  
  I am a lawyer, and I am your lawyer and this is legal advice.
  
  I advise you to not post your "legal advice recommendations" in an online forum meant for people to hold discussions about relevant topics. Please don't post to Slashdot without appropriate qualifications (an MSC should suffice).
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
6. Re:Does the copyright need an owner? by lgw · 2013-12-06 03:28 · Score: 2
  
  As I understand it, public domain does not imply that derive works are public domain.
  You create a game, and make it public domain. Someone modifies your code and sells it as commercial software, then sues anyone distributing the original for violating their copyright. This is more or less what happened with some crappy Unix game back in the day to push RMS over the edge.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
7. Re:Does the copyright need an owner? by hawkinspeter · 2013-12-06 11:00 · Score: 2
  
  Nope, I don't have appropriate qualifications in most of those areas. I was being ironic in my reply to someone stating that posters should have relevant qualifications to post legal opinions.
  
  I totally agree with your statements about legal advice and I was hoping that my post would highlight the stupidity of following legal advice from strangers.
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
contributions to open source products should be by Chrisq · 2013-12-05 20:24 · Score: 4, Insightful

contributions to open source products should be just like posts to websites. If someone posts something illegal then the authorities should issue a "take down" notice to the project. If they remove it then only the original poster should be liable.
1. Re:contributions to open source products should be by X0563511 · 2013-12-06 03:12 · Score: 2
  
  What do you mean "was all about?" I think you mean "is all about."
  They have not given up, they have just been using different acronyms.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Hamburg regional court by dunkelfalke · 2013-12-05 20:36 · Score: 4, Informative

is known for its cowtowing to the intellectual property holders. That is why they try to go to that particular court if they sue for copyright infridgement.

--
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
1. Re:Hamburg regional court by Hypotensive · 2013-12-05 23:01 · Score: 2
  
  Copyright infridgement is where the copyright has a cooling off period, amirite?
2. Re:Hamburg regional court by Anonymous Coward · 2013-12-05 23:11 · Score: 2
  
  You must feel very smart for criticizing the linguistic skill of someone who doesn't speak English as their native language.
3. Re:Hamburg regional court by couchslug · 2013-12-05 23:53 · Score: 2
  
  "is known for its cowtowing to the intellectual property holders. That is why they try to go to that particular court if they sue for copyright infridgement."
  How wonderfully American of them. (barfs)
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
4. Re:Hamburg regional court by Anonymous Coward · 2013-12-06 00:51 · Score: 2, Informative
  
  Or to put it differently: Hamburg is the East Texas of Germany.
good decission by SuperDre · 2013-12-05 20:42 · Score: 3, Interesting

Maybe it's not great because this time it's about busting DRM, but ofcourse it shouldn't be like an opensource project wouldn't be liable for any illegal activity while a closed source project would be fined.. Open source doesn't mean it doesn't have to obey laws..
1. Re:good decission by xvan · 2013-12-05 23:33 · Score: 2
  
  The concept of "legitimate use of a tool" isn't inherent to the tool... A tool has a purpose: a weapon kills , a lock pick opens doors, and stream decryption software decrypts streams.
  
  Legitimate use is subjective: Being able to access the decryption key, means the user had legal access to play the content.
  
  Stream decryption might not only be only used to infringe copyright... It may be used to play the content with whatever combination of hardware/software that the user wants to use.
  
  If the content is deleted after being viewed, it wouldn't be morally different from the several temporary copies made in different memory levels of the computer, and thus, should not infringe copyright...
  
  TOS might limit how and where the content is displayed, but without signing any legal contract, a TOS infraction isn't a legal infraction. The content provider has the right to deny their stream, but not to determine what is or isn't the legitimate use of their stream.
2. Re:good decission by jklovanc · 2013-12-06 06:12 · Score: 2
  
  The content provider has the right to deny their stream, but not to determine what is or isn't the legitimate use of their stream.
  Do you have any legal precedents to back up this opinion?
Not 3rd party code by Anonymous Coward · 2013-12-05 20:43 · Score: 2, Insightful

It stopped being 3rd party code the moment Appwork accepted the contribution and started spreading the code itself. That is the moment they became liable. If they do not like that, they should not spread "just anybody's code" without verification.
We may not like it, it makes the life of open source projects more difficult, but that is the way it works. For good reasons.
The owner/admin is (broadly) responsble... by Stolpskott · 2013-12-05 20:55 · Score: 4, Insightful

In the world of athletics, the athlete is responsible for verifying beforehand that any substances entering their body are free from performance-enhancing drugs and a range of other substances. In this case, that same rule seems to have been applied to software - the admins are responsible for code entering the body of the application.
Aside form anything else, my opinion is that someone on the project should have oversight of new code submissions before they are committed to the main codebase. If that is not happening here, then this is a lesson in stupidity for the admins. If it is happening, then the admins really are facilitating, because they have explicitly allowed that functionality into the application. Flipping the coin again, if the admins explicitly allowed the content without realizing what it does, then they have commited code without understanding the purpose or impact of the code, and we are back to the lesson in stupidity again...
1. Re:The owner/admin is (broadly) responsble... by Sesostris+III · 2013-12-05 22:27 · Score: 2
  
  I did wonder about this. How does any code get into the release branch of any project (Open Source or not) without some form of code review or understanding of the functionality behind it? How is it tested? (I assume it is tested!). This is not a problem of Open Source, this is a problem of poor Configuration Management!
  
  To compare - I expect nothing gets into the Linux kernel main branch (as maintained by Linus Torvalds) without being discussed, agreed, reviewed by someone, tested, and signed off.
  
  --
  You never know what is enough unless you know what is more than enough. - Blake
unreviewed code by feds · 2013-12-05 21:20 · Score: 5, Insightful

Actually this is worrisome for the open source community not because they ended up in court but because Appwork accepted code without reviewing it and actually without even knowing what it does. How can they assure users that installing the application they don't become part of a 15 million users botnet?
1. Re:unreviewed code by Anonymous Coward · 2013-12-05 23:09 · Score: 2, Insightful
  
  Did they actually accept the code? Is it a fork? We don't seem to know and I suspect that this was more along the lines of code being submitted, not yet reviewed by core contributors, etc. But because it was public... the court decided to convict. The code probably would not have ever gotten into a binary or official / stable release of the code.
Re:ho humm by clickclickdrone · 2013-12-05 21:53 · Score: 3

Silly, the land of fascism is Italy
You forgot the US & UK.

" any movement, ideology, or attitude that favors dictatorial government, centralized control of private enterprise, repression of all opposition, and extreme nationalism"

Yep, sounds about right although some definitions mention merging of state and corporate power which is possibly more pertinant.

--
I want a list of atrocities done in your name - Recoil
Hamburg Court by Tom · 2013-12-05 21:59 · Score: 5, Interesting

he Hamburg Regional Court decided
You can stop reading there.
This particular court is the laughing stock of the german legal system, and its decisions are routinely overturned at the higher courts. They are famous for "creative" interpretations of the copyright laws.
Source: I live in Hamburg, Germany and I've been following copyright-related civil rights matters for more than a decade.

--
Assorted stuff I do sometimes: Lemuria.org
Ok You Clowns Here is the scoop. by deviated_prevert · 2013-12-05 22:15 · Score: 4, Interesting

The warez in question is a java app with binaries available to be loaded at time of install from a script. So the setup starts with a set of jars that get extracted. YOU CAN INSTALL IT TO /HOME and view the entire process which downloads more binaries as the install takes place, at least on Linux if you install unpriviledged it will just install in a created directory and do everything from $ directory without requiring logging elsewhere or so you can easily track everything the software does.
I ran Wireshark on it and it does not do the ET phone home crap that most spyware does so it is what the writers say it is.
If you boot it up and do not leave it in the sys tray it does not leave active processes hanging around. HOWEVER you can run it as a background process to snoop your RTMPE and have them automatically download the vids. On youtube it downloads the whole smash including the webM html5 streams and all available vid size pieces of a vid including any mp3 or other audio files.
Best stream ripper out there IMO. EAT MY SHORTS MPAA, RIAA and all your ill begotten drm bullshit nonsense. This video is a great one and as a result I will order her works online she is one hot guitarist! Fantasia la Traviata a little beyond the reach of most musicians, eat your heart out if you like guitar!

--
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
Player keys, not cipher by tepples · 2013-12-06 03:05 · Score: 2

In digital restrictions management cases like this, it's usually not the cipher that ends up broken* but the handling of player keys.
* CSS is the big exception, as it was cryptanalyzed fairly easily, but that's from when the United States didn't allow exporting crypto stronger than 40-bit.