What AACS Teaches Us
(and what content providers have failed to learn)
Introduction
The Advanced Access Content System (AACS) is a digital rights management (DRM) system used in the newest generation of optical discs (Blu-Ray and the now-defunct HD DVD). Events since its release show that its developer, the AACS Licensing Administrator, LLC (AACS LA), has failed to learn the lessons of both CSS and other forms of DRM.
Not only is AACS similar in technical implementation (and thus limitations) to CSS, but the AACS LA has also failed to weigh certain abstract but major considerations in its handling of security breaches. In trying to prevent the spread of vulnerabilities (including encryption keys), it provoked a backlash that gave the hack more notoriety and spread the data it was trying to contain even faster.
The Digital Millennium Copyright Act (DMCA) contains a provision that prohibits circumventing copy protection schemes without the permission of the copyright holder. This has done nothing to curtail copyright infringement and could easily cause harm to legitimate users while leaving pirates unaffected.
CSS
The Content Scramble System (CSS) is a DRM system used on commercially-produced DVD movies. Released in 1996, it uses a 40-bit key length (which was required to comply with U.S. export regulations) to encrypt the DVD content. A player must go through several steps with several keys in order to access the video content on the disc.
CSS implements its encryption poorly, however, so cracking the encryption requires less work than 40-bit encryption normally would. One proposed attack found in 1999 only required 2^25 calculations to break the key, which a 450 MHz processor can do in less than 18 seconds.
AACS
AACS is an updated version of CSS, created for Blu-Ray and the now-defunct HD DVD. It uses a more robust encryption algorithm (including a much longer key length) and allows the AACS Licensing Authority (AACS LA) to revoke certain players’ access to protected content if compromised.
In 2005, readers of IEEE Spectrum magazine voted AACS one of the technologies most likely to fail. This proved prophetic.
It began in 2006, when an anonymous member of Doom9, a bulletin board devoted to audio/visual software, posted source code to a program that could extract content from AACS-protected discs provided it had the correct keys.
By the beginning of 2007, members of that same forum had discovered the actual keys. The process was simple: they just had to look at the RAM being used by a software movie player, and there they were. Once hackers had the keys, they could then use their own homebrew programs to decrypt the protected content.
The keys (which are simply numbers, usually in hexadecimal format) quickly proliferated around the Internet.
Responses from Licensing Authorities
DeCSS was released in October of 1999, and the Motion Picture Association of America (MPAA) quickly found out about the program and took action, leading to the case of Universal v. Reimerdes, which we read earlier. There it was found that since the primary purpose of DeCSS was to allow copying of DVDs, the creators were liable under the DMCA’s anti-circumvention provision, which states that: “[it is a violation] to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”
The backlash against the legal challenges to DeCSS was strong. People posted the algorithm used by DeCSS in many forms across the Internet, including hidden in images, t-shirts, and even a haiku. One page (that still exists) is entitled, simply, “42 ways to distribute DeCSS.”
When AACS was cracked several years later, the AACS LA’s response was similar: it sent takedown notices under the DMCA to all sites that provided the key or software capable of decrypting protected discs. One of the largest sites targeted was news aggregator Digg, which contains links submitted and voted upon by members. It began deleting references to the encryption keys at the beginning of May. However, users rapidly revolted, spreading the key faster than administrators could delete the links. Some retailers began selling t-shirts with the key. Eventually, the entire front page of Digg contained nothing but references to the offending key (as seen here). Digg eventually relented, according to founder Kevin Rose:
But now, after seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be.
Thus instead of containing the spread of information that could be used illegally, the AACS LA’s actions provoked a backlash that made this a much more widely-known phenomenon than it would otherwise have been. Instead of just hackers and tinkerers on isolated forums, it became an international story (with stories about the incident appearing in Forbes, the LA Times, and the BBC among others). Ironically enough, one of the takedown notices sent by the AACS LA (in this case to Google) itself contained the offending key.
One reason for the anger in response to the takedown notices in both cases is that there are generally no players available on open-source operating systems such as Linux. A closed-source, licensed DVD player application for Linux did not come out until 2006, years after DVDs became popular. As far as I can determine there are still no legal Blu-Ray players for Linux.
Futility of Takedown Notices
The backlash from users in both cases is a significant part of the equation that businesses, trade groups, and licensing authorities completely fail to consider. If the AACS LA, for example, had accepted that the cat was out of the bag, there would have been a few stories on tech-oriented web sites and that’s it. The revolt they provoked in trying to contain the spread of keys and programs only brought them more attention.
Moreover, Section 230(c)(1) of the Communications Decency Act (codified at 47 U.S.C. § 230) protects content providers (e.g. websites) from any liability for content posted by their users. Thus many of the takedown notices given to websites were meaningless.
Anti-Circumvention Serves No Legitimate Purpose
The speed with which these systems were cracked and the resulting programs’ spread shows that the anti-circumvention provision of the DMCA serves no practical purpose. It’s unclear that there even would be liability under the DMCA for the AACS keys acquired from software players. The keys were merely copied out of the computer’s memory, so there was no circumvention. Moreover, as we’ve seen, there’s no copyright on a random number. Thus the anti-circumvention provision in this case adds nothing to existing copyright law.
This provision also seeks to create liability where none should exist. First, it could easily create legal liability for security researchers. What if someone publishes information about security vulnerabilities in software (or hardware) players? Could they then be liable for circumventing protections? We’ve already seen backlash against researchers in other fields (e.g. vulnerabilities in Boston’s subway system).
Second, what about those users who use an operating system on which there is no licensed player? There’s no reason to think that just because someone uses Linux or BSD they’re automatically a pirate. So in this case the anti-circumvention could actually be harming sales, since users can’t even buy discs and then play them without breaking the law.
Finally, the ability of AACS LA to revoke the keys of devices that have been compromised leads to another problem. So far, it has only been software players that have been compromised, because they are the easiest. But what would happen if a hardware (i.e. connected to a TV) player’s key was compromised and then revoked? With the software players it’s only a matter of downloading a patch containing a new key, but a vast majority of TV-connected players do not have this capability (the notable exception being the PlayStation 3). Hackers figured out in 2007 how to get the device-specific keys off the firmware chip in the Xbox 360’s HD DVD drive. What then is the option of someone who bought this player, which is now unusable on any disc produced after the revocation, other than buying a new one?
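The sketch below is an added example, not part of the original post and not AACS code. It shows why a revoked player still plays old discs but fails on every disc pressed after the revocation, using a simplified tree-based key block (the complete-subtree method) rather than the actual AACS key-block format; the master secret, tree size and XOR wrap standing in for a real cipher are all constructed.

```python
import hashlib, hmac

DEPTH = 3                                   # 2**3 = 8 player slots (constructed toy size)
MASTER = b"licensor-master-secret (constructed)"

def node_key(node):
    """Licensor-side key for a tree node (heap numbering, root = 1)."""
    return hmac.new(MASTER, b"node%d" % node, hashlib.sha256).digest()

def path(device):
    """Tree nodes from a player's leaf up to the root."""
    node, nodes = (1 << DEPTH) + device, []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes

def device_keys(device):
    """What is provisioned into one player: the keys on its own path only."""
    return {n: node_key(n) for n in path(device)}

def cover(revoked):
    """Subtrees that contain every non-revoked player and no revoked one."""
    if not revoked:
        return [1]
    tainted = {n for d in revoked for n in path(d)}
    return sorted(c for n in tainted if n < (1 << DEPTH)
                  for c in (2 * n, 2 * n + 1) if c not in tainted)

def wrap(key, media_key):
    """Toy XOR key wrap (its own inverse); a real system would use a block cipher."""
    pad = hashlib.sha256(key + b"wrap").digest()[:len(media_key)]
    return bytes(a ^ b for a, b in zip(media_key, pad))

def press_disc(media_key, revoked):
    """Key block shipped on a disc: the media key wrapped once per cover node."""
    return {n: wrap(node_key(n), media_key) for n in cover(revoked)}

def play(keys, key_block):
    """Player side: unwrap with any key it holds that the disc uses, else fail."""
    for n, k in keys.items():
        if n in key_block:
            return wrap(k, key_block[n])
    return None

if __name__ == "__main__":
    mk = bytes(range(16))                   # constructed media key
    old, new = press_disc(mk, set()), press_disc(mk, {5})
    print(play(device_keys(5), old) == mk, play(device_keys(5), new))
```

Revoking player 5 changes only what is written to future discs; nothing is sent to the player itself, which is why a player that cannot receive a fresh key has no recovery path.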
It’s clear that the anti-circumvention provision of the DMCA is a failed idea and does nothing to help content providers while at the same time creating bad situations for legitimate users. It does nothing to support the underlying basis for copyright law, and in fact stifles innovation, which is the reason we’re willing to give creators a limited monopoly in the first place. In the scenarios above, only people who are unwilling to pirate discs are going to be affected. As with many schemes to prevent copying, it is only the legitimate users who are hurt.
November 14th, 2008 at 10:37 am
http://www.managingrights.com/2008/11/what-does-aacs-teach-us-prof-cotropia-on-the-dmca.html
November 27th, 2008 at 6:15 am
“It’s clear that the anti-circumvention provision of the DMCA is a failed idea and does nothing to help content providers while at the same time creating bad situations for legitimate users.” - I totally agree with you, the amount of time I have had programs and such falsely allege they are pirate and had to call customer services.