DRM Anticircumvention for Dummies July 15, 2012Posted by Bill Rosenblatt in DRM, Law.
I have seen a lot of writings and gotten a lot of feedback regarding the EPUB Lightweight Content Protection (EPUB LCP) scheme I am helping to design for the International Digital Publishing Forum (IDPF), which oversees the EPUB standard. The criticisms fall into two buckets: DRM sucks, why is the IDPF wasting time on this; the security is too weak, publishers need stronger protection.
Yet these diametrically opposed criticisms have one thing in common: a lack of understanding of how anticircumvention law, such as Section 1201 of the DMCA in the United States, works in practice and how it figures into the design of EPUB LCP. This lack of understanding is common to both DRM opponents and people from DRM technology vendors. Anticircumvention law makes it a crime to hack DRMs.
So I thought I would offer some information about the practicalities of anticircumvention law, presented as rebuttals to some of the false assertions that I have heard. Three caveats are in order: first, the following is going to be U.S.-centric. That’s because am I most familiar with the U.S. anticircumvention law, but also because the U.S. law is by far the most highly developed through litigation. Second, I am not a lawyer — nor are any of the people who have talked to me about this. So if you’re a legal expert and I’m wrong, please correct me. Third, I’m not an official spokesman for IDPF, and they may have different views.
Assertion: Anticircumvention law doesn’t stop hacks; hacks are going to be available anyway.
Reality: Of course the law doesn’t eliminate hacks, but it does make hacks less easily accessible to people who are not determined hackers. The law comes down hardest on those who gain commercially from their hacks. Because of the anticircumvention law, there is not (for example) a “convert from Amazon” option in Nook readers and apps, or the converse in Kindles; instead you have to go find the hack, install it, and use it – something that requires more time, determination, and skill. (Note that this is a different issue from “DRM doesn’t stop piracy.” Here I agree: absolutely, there are various other ways to infringe copyright, some of which are easier than hacking DRMs.)
Assertion: DRM systems that aren’t robust don’t qualify for the anticircumvention law.
Reality: This one comes from DRM vendors, which have vested interests in robustness. To answer this, you need to look at the history of litigation (again, this is a US-centric view). The most important legal precedent here is Universal v. Reimerdes, which was decided in U.S. district court in 2000 and upheld on appeal. This case was one of several involving the weak CSS encryption scheme for DVDs. The defense asked the court to find it not liable because CSS was too weak to meet the definition of “effective” in “technological measure [that] effectively controls access to a work” under the law. In his opinion, the judge explicitly refused to establish an “effectiveness test” by deciding this issue. I know of a couple of cases that attempted to revisit this issue but were dropped. The effect, at least for now, is that any DRM that’s as strong (i.e. weak) as CSS, or stronger, should qualify for protection under the law.
Assertion: The IDPF intends to sue hackers as part of the EPUB LCP initiative.
Reality: Not true at all. The IDPF is not even in a position to facilitate litigation the way the MPAA and RIAA do. (For one thing, it’s an international body, not a national one.) If any organization is going to facilitate litigation, it would be the Association of American Publishers (AAP) in the U.S., which has not been involved in the EPUB LCP initiative. More generally, it may help to explain how the litigation process works in practice. Copyright owners do the suing; they are the actual plaintiffs. They will only bother to sue under the anticircumvention law if they see hacks that are being used widely enough to cause significant infringement and/or the supplier of the hack is making money from the hack. So as a practical matter, a hack that “sits in the shadows” as described above is unlikely to be used widely enough to draw a lawsuit.
Assertion: Users get sued for using hacks.
Reality: Although the law does provide penalties for using as well as distributing hacks, individual users have never gotten sued for using hacks (or for creating hacks for personal use only). Users have been sued for copyright infringement; if you hack a DRM, you may be infringing copyright. Only those who make hacks publicly available have ever been sued for DMCA 1201 violations.
Assertion: This is a US matter and irrelevant elsewhere in the world, especially now that ACTA is dead in Europe.
Reality: As mentioned above, the interpretation of “effectiveness” is a US-centric one that may or may not apply elsewhere. But otherwise, this statement is also incorrect. Anticircumvention law is on the books today in most industrialized countries, including EU member states (resulting from the European Union Copyright Directive of 2001), Australia, New Zealand, Japan, Singapore, India, China, Brazil, and a few others; South Korea and Canada should get anticircumvention laws soon.