The HD-DVD key fiasco

James S. Tyre jstyre at jstyre.com
Wed May 2 15:45:49 EDT 2007 

At 02:15 PM 5/2/2007 -0400, Perry E. Metzger wrote:

>I would be interested in further legal
>discussion of the DMCA's ability to control the publication of mere
>cryptographic keys, and in further technical discussion of AACS
>and similar DRM technologies.

(Links at the site, posted by EFF Senior IP Attorney Fred von Lohmann)
http://www.eff.org/deeplinks/archives/005229.php
09 f9: A Legal Primer
May 02, 2007

As was reported back in February, an enterprising hacker unearthed 
and posted one of the decryption keys used by AACS to decode HD-DVD 
movies (other keys and exploits have been made available in the weeks 
since). Now the AACS-LA (the entity that licenses AACS to makers of 
HD-DVD players) has set its lawyers on the futile mission of trying 
to get every instance of at least one key (hint: it begins with 09 
f9) removed from the Internet.

Predictably, this legal effort has backfired, resulting in eternal 
Internet fame for the key in question. In addition to having been 
posted on hundreds of thousands of web sites (and resulting in the 
temporary shutdown of Digg.com), the key has already spawned a song, 
a quiz, a domain name, and numerous T-shirts.

So now might be a good time to review a few of the basic legal issues 
raised by the posting of the keys. (This is an overview of the legal 
landscape, not legal advice, and I am not expressing any view about 
how a case might come out if AACS-LA sued anyone.)

What is the AACS-LA's argument? In its takedown letters, the AACS-LA 
claims that hosting the key violates the DMCA's ban on trafficking in 
circumvention devices. The DMCA provides that:

     No person shall ... offer to the public, provide, or otherwise 
traffic in any technology, product, service, device, component, or 
part thereof that that -

     (A) is primarily designed or produced for the purpose of 
circumventing a technological measure that effectively controls 
access to a work protected under this title;

     (B) has only limited commercially significant purpose or use 
other than to circumvent a technological measure that effectively 
controls access to a work protected under this title; or

     (C) is marketed by that person or another acting in concert with 
that person with that person's knowledge for use in circumventing a 
technological measure that effectively controls access to a work 
protected under this title.

The AACS-LA presumably would argue that the key is a "component" or 
"part" of a "technology" that circumvents AACS. Moreover, AACS-LA 
would likely argue that the key was "primarily ... produced" to 
circumvent AACS, that is has no other commercially significant 
purpose, and that it is being "marketed" for use in a circumvention 
technology. The takedown letters seem to take the position that both 
the poster and the hosting provider are engaged in "trafficking."

The AACS-LA will also doubtless point to the DMCA cases brought 
against 2600 magazine for posting the DeCSS code back in 2000 (EFF 
was counsel to the defendant). In that case, both the district court 
and court of appeals concluded that posting DeCSS to a website 
violated the DMCA.

Who can sue over the posting of the key? The DMCA entitles "anyone 
injured by a violation" to bring a civil lawsuit seeking damages 
(including statutory damages ranging between $200 and $2500 for each 
"offer"). In addition, if a person violates the DMCA "willfully and 
for purposes of commercial gain," a federal prosecutor could bring 
criminal charges (with the famous exception of the Sklyarov case, 
however, criminal prosecutions have generally been limited to 
situations where the DMCA violation was also accompanied by evidence 
of commercial piracy).

What about just linking to a place where the key is posted? The 
courts in the DeCSS case wrestled with the proper test to apply when 
someone links to a location where a circumvention tool can be found. 
Ultimately, the district court held that an injunction against 
linking could be issued after a final judgment if a the plaintiff 
could show, by clear and convincing evidence,

     "that those responsible for the link (a) know at the relevant 
time that the offending material is on the linked-to site, (b) know 
that it is circumvention technology that may not lawfully be offered, 
and (c) create or maintain the link for the purpose of disseminating 
that technology."


The court of appeals upheld that ruling, while admitting that the 
issue presented a difficult First Amendment question.

What about the DMCA safe harbors? While no court has ruled on the 
issue, AACS-LA will almost certainly argue that the DMCA safe harbors 
do not protect online service providers who host or link to the key 
(the AACS-LA takedown letters do not invoke the DMCA 
"notice-and-takedown" provisions, nor do they include the required 
elements for such a takedown, thereby signaling the AACS-LA position 
on this). The DMCA safe harbors apply to liabilities arising from 
"infringement of copyright." Several courts have suggested that 
trafficking in circumvention tools is not "copyright infringement," 
but a separate violation of a "para-copyright" provision.

It's difficult to say how a court would rule on this question, but it 
does create a specter of monetary liability for hosting providers, 
even if they otherwise comply with the "notice-and-takedown" 
procedures required by the DMCA safe harbors.

Is the key copyrightable? It doesn't matter. The AACS-LA takedown 
letter is not claiming that the key is copyrightable, but rather that 
it is (or is a component of) a circumvention technology. The DMCA 
does not require that a circumvention technology be, itself, 
copyrightable to enjoy protection.

For more information about the continuing melt-down of AACS 
generally, as well as details regarding the various keys and how they 
interact, be sure to read the coverage on Doom9's forums, Freedom to 
Tinker, and Engadget, which have been doing the best job reporting on 
developments.

Posted by Fred von Lohmann at 09:36 AM | Permalink | Technorati



--------------------------------------------------------------------
James S. Tyre                                      jstyre at jstyre.com
Law Offices of James S. Tyre          310-839-4114/310-839-4602(fax)
10736 Jefferson Blvd., #512               Culver City, CA 90230-4969
Co-founder, The Censorware Project             http://censorware.net
Policy Fellow, Electronic Frontier Foundation     http://www.eff.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list