DeCSS, crypto, law, and economics

John Gilmore gnu at toad.com
Wed Jan 8 05:17:40 EST 2003


> The truly amazing thing about this case is that the
> "crime" would not have occurred if the studios had used
> decently-strong crypto.  It's ironic that in an age when
> cryptographers enjoy a historically-unprecedented
> lopsided advantage over cryptanalysts, the industry
> adopted a system that could be cracked by amateurs.
> This probably wasn't simply due to stupidity in the
> industry; it is more plausibly attributed to stupidity
> in the US export regulations which induced the industry
> to use 40-bit keys.

Actually, the scheme was invented in Japan, and the
"predecessor-in-interest to the DVD-CCA", Matsushita, designed it to
be weak because Japanese export laws prevented the export of more than
40-bit encryption.

The US had pressured Japan to impose 40-bit crypto export controls.
The Japanese laws didn't change, even after EFF's Bernstein lawsuit
and commercial firms' political pressure forced US policy to become
sensible.  Last I heard, crypto export is still a morass in Japan.

> US law is not the same as Norwegian law.  You should
> not imagine that this case sets a precedent for US
> courts.

Correct, but.  One of the basic prongs of the entire DVDCCA "trade
secret" series of cases was that the reverse-engineering had been
illegal in Norway.  If it wasn't illegal to do it, it wasn't illegal
to reproduce the results of it.  Since Norwegian courts have
determined that it wasn't illegal to reverse-engineer it, there is no
case against any of the defendants.  Like Matt Pavlovich, Andrew
Bunner, and many dozens of other people who DVDCCA have been trying to
drag into California courts.  You may not have noticed, but EFF and its
pro-bono partners have been spending major time on winning these cases.
The Norwegian decision will make it much easier.

> For "normal" products, market segmentation is neither
> forbidden by law nor protected by law.  ...  The law is silent on
> the issue.

This is false.  Market segmentation by country is deliberately
outlawed by "free trade" laws and treaties, which exist to benefit
consumers by letting them import whatever products they want from
other countries.

For example, in New Zealand, the DVD region-code system was
found to violate their free-trade laws, and therefore New Zealand
never permitted one-region players to be sold there.

The Coors brewery tried to limit distribution of their beer to certain
Western states.  They failed.  My local liquor store in Washington, DC
made a ton of money bringing in semi-loads of Coors, in violation of
Coors company policy, and selling them to thirsty expatriate Rocky
Mountainers.

Similarly, the US Supreme Court recently struck down laws in many US
states that prohibited the interstate purchase of wine and other
products.  These laws were all designed to benefit local producers, at
the expense of local consumers.  Most of these laws were wrapped up in
a cloak of "consumer protection against shoddy products" or
"protection of minors" but it was easy to pierce that veil to see the
monopoly interest.

(This is not to say that market segmentation is dead in the US!  Many
continue.  The federally supported "Milk Compact" deliberately
segments the New England market and costs consumers of milk many
billions of dollars per year.  The federal DMCA has nothing to do with
protecting copyrights and everything to do with protecting monopolies,
as the judge agreed in the 2600 case.  Many state and local laws
continue to restrict entry into fields such as lawyering, surveying,
haircutting, and even carpentry ("union shop" laws).  Producers are
always looking for political opportunities to outlaw their
competition, and there are always corrupt people inside governments,
who are happy to oblige.)

> We should try to avoid overwrought arguments about the
> "morality" of market segmentation and/or arbitrage.

Unfortunately you set the wrong tone by starting as apologist for it.

> In fact it is easy to demonstrate that _some_ market
> segmentation is good for society as a whole.

The kind of segmentation your graphs rely on can easily be created
by *time* segmentation.  Producers start off charging high prices for
their goods, and then gradually reduce the prices as they ramp up
volumes, pay off their startup costs, learn the desires of their market
better, etc.  This gets the social benefit you desire, without propping
up any artificial forms of segmentation.

Of course, there are always people who will claim that people aren't
free to change their prices up or down over time.  (After the
earthquake, according to those folks, bottled water should sell for
the same price as before, even if at that price the entire supply has
sold in two hours, to the people who value the water least.)

> The closest they could come was to make it slightly hard
> to get a _multi-region_ player.  The manufacturers of
> player hardware had to do the studios' bidding because of
> the controversial (to say the least) "anti-circumvention"
> provisions of the 1998 "DMCA" law.

That's not actually true.  Several years before the DMCA passed, the
legal control structure was in place.

The studios got a couple of manufacturers (including Matsushita) to
design an encryption system (CSS).  The companies & studios set up a
licensing entity that would issue CSS licenses to manufacturers of DVD
players, makers and operators of DVD pressing equipment, and copyright
holders.  These licenses were relatively cheap to buy, but imposed
most of a hundred pages of restrictions on what the licensees could
do.  One thing that they could NOT do is to build multi-region
players.

Manufacturers were free to build DVD players that would play
UNencrypted disks, without signing any license with Matsushita or the
DVDCCA.  But since Hollywood was only releasing encrypted disks, any
manufacturer who didn't play along would have useless products (at
least until DVD Recorders came along a few years later, allowing
consumers to record things of their own making on unencrypted disks).

Thus, the control was via a contract that manufacturers, studios,
and pressing plants had to sign in order to get access to the trade
secrets required to interoperate.  That contract contained many specific
provisions that prohibited unencrypted digital outputs, required
the no-fast-forwarding crap and region codes, and had many other
anti-consumer features.

The licensing entity was a subsidiary of Matsushita.  The licensing
authority was only transferred to the DVDCCA a few weeks before the
lawsuits started.  Apparently Matsushita didn't want to be known as
the heavy who was suing everybody (they succeeded in keeping their
name out of EVERY ONE of the cases and out of the press).  And it
probably looked better for the licensing organization to be a
"California nonprofit" rather than a "Japanese megacorp", particularly
when trying to sue competitors under California law, claiming damage
in California.

Such a license would only survive until the trade secret was reverse
engineered, which is legal to do in almost all jurisdictions.  But
most of the parties likely to benefit from that reverse engineering
had already agreed to the license.  And anyone with no money, but who
had not yet published the secret, could be tied in knots for years by
overpaid studio lawyers.  It took the free spirit of honest
technologists who refused to sign restrictive licenses, and who
believe in open publication of scientific and technological ideas, to
do the hard work of reverse engineering that benefited all DVD
consumers.  And on them has fallen the punishment of years of 
harassment and uncertainty by the studio mafia.

(You'll note that even after CSS was broken, the industry didn't stop
pressing DVDs, and continues to make increasing billions of dollars
from making and selling them.  While the breaking of CSS benefited
consumers, it did not harm producers.  As usual, the producers' fears
were overblown ghosts, just as in the Betamax VCR situation.)

Just in case somebody came along to cater to the market of consumers
who wanted restrictionless players, the studios and their buddies
in other monopolies paid off politicians to pass the DMCA.  But they
were releasing DVDs and players long before it passed.  It was a
belt-and-suspenders strategy.

> I repeat, the practical issue in this case was never about
> cheating the studios out of their per-disk royalties on
> DVDs.

This is probably also false.  The reason is that today you can't get
consumer DVD recorders that will let you record encrypted DVDs.  Their
firmware refuses to write in the key area of the disk, and the blank
disks are shipped with the key area obliterated.  (And, DVD readers
will only let you read out the keys from a disk after you've reverse
engineered some simple bits that the industry wouldn't reveal.)  So
you can't do any bit-for-bit copying of DVDs unless you have a very
expensive (and restrictively licensed) DVD mastering press.

How this lack of bit-copying ability came to be, we haven't unearthed
yet.  No other major computer storage technology has lacked it (though
every medium invented since then has tried to shoehorn it in -- even
hard disk drives!).  The patents on DVD recording technologies are
owned by another consortium, and they were probably pressured by
Hollywood into putting this condition into their licenses.  Apple, the
first major computer company to release a DVD recorder, was
notoriously silent on the whole subject, while their monster
"Rip. Mix. Burn" billboards tried to create the opposite impression
among consumers.

Since the keys would get lost in the transfer, consumers wouldn't be
able to make copies of DVDs for backup or for their friends, the way
they can back up CDs, mix songs from different CDs, transfer them into
their preferred formats like MP3 on hard drives, etc.  

The cracking of CSS has made all of those applications possible.  For
this we must thank the always innocent Mr. Jon Johansen, and also
particularly Frank Andrew Stevenson, who cryptanalyzed CSS and made
player keys unnecessary, and the LiViD project, which turned their
early prototypes into point-and-click free software for Linux.

	John
