Late last month, the United States Copyright Office published the results of a study on Section 1201 (17 U.S.C. § 1201), the section of U.S. copyright law that makes it a violation to hack DRM systems and other content access and copy controls. Section 1201 was enacted in 1998 as part of the Digital Millennium Copyright Act (DMCA), another part of which is the better-known “notice and takedown” law. The study resulted from a request from Congress in 2014 and was launched in January of last year.
In its 195-page report, the Office makes a modest set of recommendations to reform the law and the way it’s carried out. The recommendations generally pertain not to the core of the law but to exemptions — ways in which users and technology vendors can circumvent access/copy controls and not be held liable — and the ways in which those exemptions are determined.
There are two types of exemptions to 1201: permanent exemptions and temporary ones that the Copyright Office sets in processes called rulemakings every three years. There have been six 1201 rulemakings so far; the seventh is about to start. In the rulemaking process, the Office invites proposals for exemptions. The proposals have to address a list of specific points and conform to a set of fixed criteria. The process has three rounds, allowing for others to object to proposed exemptions — similarly to the series of motion, opposition, and reply briefs in litigations.
If the Office decides to adopt a proposed exemption, the Librarian of Congress approves it, it goes into force for three years, then it expires. Anyone who wants to renew an expiring exemption has to start from scratch and propose it anew each time. This entails providing evidence that the lack of the exemption is causing some sort of harm to legitimate activity. Congress established this triennial mechanism to ensure that new exemptions can be introduced as technology advances while obsolete or no-longer-relevant exemptions can disappear easily.
One of the reasons for the reexamination of 1201 is that the rulemaking process has become a much bigger deal than it was at the start, and it has proven to be burdensome for everyone involved. As the Office notes in its report, the number of public comments in each rulemaking has ballooned from 392 in the first rulemaking in 2000 to about 100 times that many in the sixth in 2015; and the number of exemptions granted grew from two to 22.
At the same time, the requirements for submitting exemption proposals make the process inaccessible to laypeople and instead make it primarily the province of established lobbying groups on both sides of the issue: the Electronic Frontier Foundation (EFF), Public Knowledge, academics, library groups, and advocates for the print-disabled in favor of exemptions; the movie (MPAA), recorded music (RIAA), book publishing (AAP), software (BSA), and game (ESA) industry trade associations against them. The process is adversarial in nature, and the Copyright Office has no “official” way of seeking independent, unaffiliated input on relevant technological, business, or legal issues (although I provided “unofficial” input to the Office during the second rulemaking back in 2002).
The process is defined according to a combination of 1201 itself and the law that governs rulemakings in general (5 U.S.C. § 553); this limits the Office’s scope for making changes to it. Nevertheless, just about everyone involved in the study agreed that the process needs to be streamlined, and the Office was able to promise process changes that will take effect in the upcoming rulemaking.
The process changes will include a much easier way to get exemptions renewed, such as providing a simple statement that the circumstances requiring an exemption due to expire are still relevant, rather than submitting a complete de novo proposal; and better communication to the public in lay terms rather than legalese. They also include the ability for the Office to “take administrative notice” of information it knows or learns on its own — i.e., to cite such information in its reasoning for granting or denying exemptions instead of only citing information submitted by exemption proposers or opponents. (For example, this change would have enabled the Office to cite things I told them back in 2002, if it found them relevant.)
The changes proposed in the Office’s report also include recommendations to shift a few exemptions from temporary to permanent, such as the exemptions for text materials to make them accessible to the print-disabled and for unlocking used mobile devices. Permanent exemptions require changes to the law, which only Congress can make. The same is true for a few other changes that the report recommends, such as strengthening the existing permanent exemptions for security testing and encryption research — which were the subjects of litigation that the EFF brought against the government last year. Significantly, the Office recommends doing away with the provision that circumventing an access control mechanism for these purposes requires the manufacturer’s permission or at least a good faith attempt to secure it.
The Office’s recommendations to allow broader input and expertise into the rulemaking process are necessary and welcome. Congress supposedly enacted 1201 to give the media industry a comfort level about making content available digitally without having to engage in arms races with hackers. The problem is that the information that the Office has gotten through rulemakings is too limited to give it the best possible picture of how well the law is serving that goal. The fact that virtually all the information the Office gets comes from advocacy groups with one-sided agendas in adversarial proceedings is compounded by the fact that no one likes to say much about how well security technology is (or isn’t) working.
As a result, the information the Office gleans about the real-world technology and market issues is often meager, shallow, obsolete, and misleading. It gets precious little up-to-date information about the availability and nature of DRM hacks or how media industry segments use this information in their strategies for distributing content to consumers.
The reality is that a couple of media industry segments (such as movies and games) base their digital distribution strategies for high-value content (e.g., newly released movies in high definition) at least in part on the availability and nature of DRM hacks, while others (e-books and music) generally don’t; and some segments (again, mainly movies and games) engage in arms races with hackers regardless of 1201. The music industry has effectively re-introduced DRM into its mainstream distribution channels, but it doesn’t seem to be especially concerned with DRM hacks. In book publishing, the new Readium LCP DRM for e-books, which I helped design, is based on an assumption that anticircumvention law would “backstop” the technological access controls.
No DRM is completely hack-proof, but some DRMs are more hack-proof than others. The DRM field has well-established criteria for the levels of hacks that a DRM must be designed to withstand in order to get it approved by, say, a Hollywood studio. The field also has developed ways of blunting the impact of hacks, but these are limited by factors such as cost (in consumer devices) and mandatory network connectivity (which has proven to be a nonstarter in, say, optical disc players). Some hacks are what I call one-click hacks, meaning that non-tech-savvy users can use them quickly and easily, while others require highly technical skills, expensive tools, and time. Some hacks will unlock any content in the given format for any device, and work permanently, while others are limited to single devices and can be countered by the DRM vendor after the fact.
The effect of 1201 on digital media that is probably most noticeable to consumers is in e-books. Purchased downloads constitute the vast majority of commercial activity for e-books — unlike in music and video content, where streaming dominates. For e-books, 1201 means that there’s no “import from Nook” option on Kindles (or vice versa), nor any built-in DRM removal function in independent e-reading apps like calibre and Bluefire Reader.
Instead, users who want to remove DRM from their e-books have to search online and download DRM strippers from offshore sites. There are one-click hacks for some but not all major e-book DRMs (that I know of), and the strippers often contain malware. E-book DRMs are generally considered to be weaker than their Hollywood-approved video counterparts, although Apple’s DRM for iBooks is a version of its strong DRM for iTunes video, and Adobe is known to have strengthened its e-book DRM (used in Nook, Google Play Books, and other e-book ecosystems) recently.
These points are all relevant in judging the current effectiveness and future trajectory of 1201 in achieving its goals. Yet they’ve been essentially nowhere in evidence in 1201 rulemakings, or in this study.
Making matters worse, courts in 1201-related litigations have blinded themselves to these factors by declining to take security strength into account when determining whether the law applies to a given DRM; see for example Universal v. Reimerdes and Lexmark v. Static Control Components.
As a result, the Office’s report gives the impression that all DRMs are more or less equally secure; that all hacks have more or less equal impact; that DRM technology hasn’t really changed over the past twenty years; and that the market will evolve by making better (easier-to-use) hacks available as time goes on “in legitimate outlets such as Best Buy or Amazon.”
Absolutely none of this is true. The report takes a few obsolete examples — such as DVD encryption, for which a one-click hack was created back in 1999 — and accepts at face value suggestions that such examples are broadly relevant today, which they aren’t. The resulting under-informed analysis has impaired the Office’s ability to judge the impact of 1201 on the market.
The 1201 process will matter more and more as time goes on, because technological access controls apply to a much greater variety of products and services than they did back in the late 1990s. Which brings us to the other most noteworthy aspect of the Office’s 1201 study and report: 1201 is no longer just about DRM hacks. It could be said to cover things like Netflix or Spotify subscriptions (as opposed to the DRM on the content itself). But much more importantly, it applies to a rapidly growing list of everyday devices. And here’s where things get a lot trickier.
Leaving conventional DRM issues aside, a common complaint about 1201 pertains to its use by companies that make devices that have nothing whatsoever to do with copyright or digital media, such as laser printer toner cartridges, garage door openers, and pod-style coffee makers. Cases like Lexmark have elicited indignation from people (including me) who see these uses of 1201 as attempts to hijack copyright law to subvert competition in non-copyright markets.
Courts have toyed around with the idea of requiring a “nexus to copyright infringement” for a 1201 claim to have merit. But as the Copyright Office found in its study, that “nexus” is very hard to pin down in any way that is accurate and will stand the test of time. Therefore the Office declined to recommend changes to 1201 that somehow limit its applicability to digital versions of traditional copyrighted works, preferring instead to leave that to the courts.
This is a controversial issue. On one side of the argument are people who believe that the right to tinker with one’s own possessions as one chooses is inviolate and therefore that 1201 should not exist or at least not apply. But the other side of the argument will no longer be limited to the usual media industry suspects: it’s going to include more and more makers of products and services that use software — and use access controls for that software to secure them. And in leaving the door open for 1201 to apply to such things, the Office is pointing the way to the likely real future of this law.
I’m not talking about pod coffee makers or laser printers, and I’m not talking (only) about using access controls as garden walls to keep competitors out. I’m talking about the wider world of Internet of Things (IoT) devices and apps. It’s one thing to suggest that people should have full ownership rights to their gadgets. But it’s another matter to suggest that the security of connected cars and medical devices should be left in the hands of consumers who are free to hack them (and purveyors of hacks to those consumers).
Developers of IoT devices use a variety of techniques to keep them from being hacked; some of these involve encryption of code and/or data that could well be found to be access controls within the meaning of 1201. Circumventing such techniques may be hard, and hackers may well find that there are easier ways to, say, take remote control of thousands of connected cars simultaneously or disable pacemakers. But IoT devices and apps need all the help they can get to prevent incidents that have much graver consequences than using third-party coffee pods in your Keurig machine.
This may seem like an arcane, peripheral point to make, and admittedly IoT developers have other causes of action besides 1201 — like the older Computer Fraud and Abuse Act — available to them if they want to sue hackers. But I suspect IoT is going to become a serious consideration in the 1201 context in the coming years — certainly after the inevitable calamitous large-scale attack through IoT devices happens.
The question, of course, is whether 1201 should apply to these situations. From the Copyright Office’s point of view, the answer ought to be no. As the report repeats several times, the Office’s mission is to maintain 1201 over time so that it continues to reflect Congress’s intent in drafting it in the first place. Congress surely did not have IoT security schemes in mind in the 1990s when it heard from the MPAA and RIAA about DRM. Yet the Office did extend its inquiries beyond traditional copyright uses in previous 1201 rulemakings, while the EFF suggested in its input to the study that the Office has no business doing so.
The other policy question is whether it’s possible or worthwhile to adapt 1201 and its rulemaking process so that it covers serious security-related cases while leaving more frivolous and consumer-hostile use cases out of scope. The Office should expect to hear from IoT interests about both of these points in future rulemakings and studies on 1201. The questions will be asked repeatedly in the coming years, even if answers don’t follow very quickly.
IoT devices are problematic: the most common ones thus far are routers, and the US FCC has had real rulemaking problems balancing vendor security schemes against the rights of the purchasers. They drew a comment from Vint Cerf, Dave Taht and a host of others, including myself, that argued the purchaser had the right to fix bugs that rendered the devices illegal, as well as to specify the country (and therefore rules) the device was running in. The latter is a risk, as of course the owner might get it wrong, or leave a US router unchanged in Germany.
Prohibiting customers from installing more-secure open source operating systems on routers was not the intention of the FCC, but they came embarrassingly close to doing so.