Linux and DeCSS: What the MPAA is Really After

by Bryan Pfaffenberger

"If we have to file a thousand lawsuits a day,we'll do it. It's less expensive thanlosing control of your creative works."--Jack Valenti, President and CEO,Motion Picture Association of America (emphasis mine)

Next time you think about going to see a feature film, remember this: attorneys from the MPAA and its ally, the DVD Copy Control Authority, are beating up on hackers and ISPs the world over. Their complaint? Those targeted have posted or linked to DeCSS, a Linux utility that enables Linux users to play back legally purchased DVD video discs on their systems.

If you think these lawsuits are bogus, you'd better think twice. The same organization's lobbyists played a pivotal role in several key U.S. legislative acts that transformed copyright infringement into a crime with penalties akin to second-degree murder. What's more, they could very well win the lawsuits they've filed; after all, the MPAA's lobbyists were given virtually free rein to write the very laws they're citing in these lawsuits, including the DMCA. And the MPAA has already won the opening skirmishes. Hackers can only hope that, somewhere along the way, judges will come to their senses and perceive the truth: namely, that the MPAA-backed legislation pushes the rights of copyright holders to an unconstitutional extreme. In what follows, I'll trace this outrage back to its roots--the U.S. Digital Millennium Copyright Act (DMCA)--and show you just what's at stake.

First, a bit of background. The product of a reverse-engineering effort, DeCSS was posted last fall by Jon Johansen, a Norwegian teenager. (The fact that the Norwegian police hassled and charged Johansen and his father shows that this whole mess goes far beyond the U.S. borders.) In brief, CSS--short for Content Scrambling System--is a weak encryption scheme that locks up the data in DVD video discs--unless, that is, you're using MPAA-approved commercial software, which isn't available for Linux systems. Note that CSS doesn't prevent anyone from copying DVD videos; you can copy DVD video discs all you want. Whether the disc has been copied or not doesn't matter; you can't play the disc without a CSS-enabled player. In short, CSS is not a means of copy protection. It's a means of access control. CSS is designed to extract licensing fees from companies that create DVD players and DVD software. What's more, it's designed to protect the motion picture industry's profitable markets in Europe and Australia. Among other things, CSS won't let you play a lawfully obtained DVD video if the film hasn't yet opened in theaters in your region. Try to defeat this, and you go to jail--never mind that you're in possession of a legally obtained copy of the material.

So what does the DMCA have to do with all this? Just ask Lewis A. Kaplan, a judge in the U.S. District Court's Southern District. Citing the "law of record" (including the DMCA), Kaplan issued a preliminary injunction on January 21 ordering the 2600.com Web site and its ISP to refrain from posting or in any other way "trafficking" in DeCSS, even in cases where DeCSS or similar software has "only [a] limited commercially significant purpose" other than to circumvent CSS.

And what does all this mean? It's simple, as I'll explain in the following. It shows precisely why certain provisions of the Digital Millennium Copyright Act are grossly unconstitutional. The DMCA amounts to one of the most outrageous examples I've ever seen of what happens when you let wealthy corporate campaign contributors and lobbyists dictate laws to the people of the United States. If you've been wondering whether the U.S. political system is fundamentally corrupt, you won't have any illusions by the time you've finished reading this article.

A DMCA Primer

Enacted in 1998, the DMCA prohibits the circumvention of technological protection measures that copyright holders use to control access to their works. It was ostensibly enacted to bring U.S. law into conformity with the World Intellectual Property Organization (WIPO) treaty, which calls for "adequate protections" against the circumvention of measures used by copyright holders to protect their work from infringement. However, the DMCA goes far beyond the protections WIPO requires. WIPO calls for legislation that criminalizes attempts to circumvent copy-protection measures. But the DMCA criminalizes much more than that. It criminalizes any attempt to defeat any measure that controls access to a copyrighted work, even if such measures have nothing to do with copy protection.

Note that no infringement or piracy need take place in order for a civil or criminal procedure to take place under the DMCA's provisions; it is sufficient that the accused merely have manufactured, imported, offered to the public, provided, or otherwise trafficked in anything whatsoever ("a technology, product, service, device, component, or part thereof") that defeats or attempts to defeat a copyright holder's access-protection measures, even if such a thing has "only [a] limited commercially significant purpose or use other than to circumvent."

Why would the MPAA have pushed for such broad language in the anti-circumvention portions of the DMCA? In terms that seem especially chilling in the aftermath of the DeCSS lawsuits, Samuelson sums up the objectives of the MPAA and its allies:

"These groups seem to believe they are so important to America that they should be allowed to control every facet of what Americans do with digital information. They also seem to think they are entitled to control the design and manufacture of all information technologies that can process digital information" (Pamela Samuelson, "Intellectual Property and the Digital Economy: Why the Anti-Circumvention Regulations Need to be Revised", Berkeley Technology Law Review, Spring 1999).

U.S. Congressman Thomas P. Bliley of Virginia, an informed observer of the evolving digital economy, clearly recognized the peril of overly broad anti-circumvention measures. Testifying before the DMCA's enactment, Bliley noted that overly broad anti-circumvention measures "could well prove to be the legal foundation of a society in which information becomes available only on a 'pay-per-use' basis."

And that, my friends, is exactly what the MPAA and its buddies are shooting for.

The DMCA's Opponents: Fighting a Rearguard Battle

The MPAA's push for total access control alarmed several constituencies, including Silicon Valley, which feared that the DMCA would criminalize reverse engineering. Having won over the legislators with their expansive rhetoric, exaggerated claims, and lavish campaign contributions, the MPAA was in the driver's seat while the bill was being written. Those adversely affected by the DMCA's ludicrous provisions were forced into fighting a rear-guard action. They had to fight hard to win a limited number of exceptions to the DMCA's unconstitutional provisions, including the following:

  • Silicon Valley won the right to circumvent access-control measures for the purposes of reverse engineering, as long as such circumvention is done "for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs." Consumer electronics manufacturers won a provision that frees them from being required to build access protection technology into their products. The software industry also won an exemption for security testing, which enables them to defeat access-control measures to determine whether a protected program poses a security risk to the owner of a computer system or network.

  • Nonprofit libraries, archives, and educational institutions won the "right" to circumvent access protection measures in order to determine whether they should acquire a copy of the work. As widely, noted, this provision is meaningless, since content providers have ample incentive to make preview copies available to potential adopters.

  • Encryption researchers won the right to circumvent access-control measures for the purpose of identifying and analyzing flaws and vulnerabilities in encryption schemes. However, this provision is hedged with so many restrictions that it is, in practice, effectively meaningless.

  • Privacy advocates won the right to circumvent those portions of an access-control mechanism that divulge information about the consumer's use of the product. Like the concessions made to encryption researchers, this exception is hedged with sufficient restrictions to render it meaningless in practice.

In the end, the only two winners in this rear-guard action were the consumer electronics and commercial software industries. Guess why? They have money.

The MPAA's Attack on Free Speech

Ready? Any of the following heinous crimes is, if undertaken for purposes of "commercial advantage or private financial gain", by fines of up to $500,000 or imprisonment for up to 5 years for the first offense, and fines of up to $1,000,000 or imprisonment for up to 10 years for the second offense:

  • A software publisher embeds in its copy-protected code a measure designed to interfere with the operation, on the same computer, of a competitor's products. If the adversely affected competitor includes code in its product that defeats the access-control mechanism to defeat this destructive activity, the competitor will have violated the DMCA--and since the underlying purpose is commercial gain, the federal fines or imprisonment penalties apply.

  • A professor wishes to excerpt a portion of a protected work for the purposes of critical commentary in her classroom. She defeats the work's access-control mechanism so that she can excerpt this section. Even though this action is defensible under the fair use provisions of long-standing copyright law, it is an offense under the DMCA. If all available information were to be eventually digitized and protected by access-control mechanisms, teachers will be unable to share information in the classroom unless they pay fees to copyright holders.

  • A popular music utility is found to collect extensive information regarding the user's listening habits, and uploads this information surreptitiously to a marketing database. Because the utility does not associate this information directly with the user's name, it is protected against circumvention by the DMCA--and that's true even if, subsequently, this information can be linked to the user's actual name through the use of a serial-number matching program. Any attempt to circumvent this type of monitoring is a crime under the provisions of the DMCA.

  • A popular, but access-protected, operating system is found to have gaping security holes, which can be repaired only by defeating the access-control mechanism. A group of security experts creates and disseminates via the Internet a utility that defeats the access control mechanism so that users everywhere can protect themselves. Although the DMCA gives individual owners the right to circumvent the mechanism, any attempt by such owners to develop and distribute a circumvention utility would appear to be illegal under the provisions of the DMCA [see Section 1201 (b), 1]. If such a utility were commercially distributed, the "infringers" would be subject to federal fines or imprisonment.

  • To safeguard confidential information, a company develops an access-control mechanism that prevents unauthorized employees, or people outside the company, from gaining access to this information. However, an employee becomes convinced that the company is engaged in illegal activities. To blow the whistle on these activities, the employee shows an encrypted CD-ROM to a press reporter. They use an anti-circumvention utility to gain access to the potentially incriminating evidence. Learning of this incident, the company sues the employee and the reporter under the provisions of the DMCA, and wins.

  • A database provider makes a copy-protected CD-ROM containing scanned images of early 20th-century Progressive newspapers, but the original newspapers are destroyed in a fire. The CD is packaged with a reader utility that requires payment to the copyright owner each time the CD is viewed. Hoping to promote scholarship on the Progressives, a professor posts a note on the Internet concerning a method that can be used to circumvent the access-control mechanism. This is an offense under the DMCA.

One could multiply examples here ad nauseum , but the point seems clear. The DMCA's overly broad access circumvention language is plainly unconstitutional. The DMCA specifically states Congress' intention that the act should not interfere with existing fair use and free speech rights, but it is equally clear that the DMCA accomplishes precisely this goal--and what is more, this is clearly the MPAA's intent. It wasn't enough for the likes of Jack Valenti to gain protection from copyright infringement; the MPAA wants to control every form of access to digitally distributed information--and that leads me to this essay's most important point.

What's the real purpose of the overly broad access circumvention language in the DMCA? It's simply this: The MPAA wants to control those who have lawfully paid for and obtained the material. The MPAA wants to track your every move, control where and when you can view materials, and prevent you from sharing your knowledge with others. They want to control their markets and gouge you for the maximum possible amount of money they can extract from your pocket, and they don't give a rat's posterior if the laws they've pushed make a mockery of free speech rights and set off thousands of strike suits, in which unscrupulous copyright holders take advantage of the DMCA's unconstitutional provisions to attack their competitors.

I opened this column with a quote from Jack Valenti: "If we have to file a thousand lawsuits a day, we'll do it. It's less expensive than losing control of your creative works." As you can see, this was a bit of a slip. He's not talking about copyright infringement. He's talking about control--specifically, control over the uses made of lawfully obtained, copyrighted material.

We'd better make damned sure he doesn't get it. For me, I've made a decision: I'll never watch a movie again--ever--that's distributed by any studio affiliated with the MPAA.

Get Involved

OpenDVD is one of the best sources of information on the DeCSS debacle.

Print out this flyer from 2600.com and give it to everyone you know.

Join the organizations fighting to protect your rights Here's just a sampler: Electronic Frontier Foundation, the American Civil Liberties Union, Computer Professionals for Social Responsibility, and Internet Freedom.

The full text of the Digital Millennium Copyright Act is available here.

Load Disqus comments