List: cryptography
Subject: DeCSS Court Hearing Report
From: Lucky Green <shamrock () cypherpunks ! to>
Date: 1999-12-30 4:06:32

Today, I attended a fascinating hearing in State of California Superior Court (county of Santa Clara). The issue at bar was a request by the "DVD Copy Control Association, Inc." (DVDCCA) to issue a temporary restraining order (TRO) against various named and unnamed operators of websites and other individuals distributing copies of [De]CSS source code. DeCSS was originally published to allow for playback of DVD's on computers running the Linux operating system.

The lines appear drawn rather clearly: a "Copy Control Association" vs. the Open Source community. But the hearing left the audience, and I suspect the judge, with many open questions.

First, let's introduce the players (I didn't take many notes. Others may have more detailed information).

o three attorneys from Weil, Gotshal, and Manges (New York City) for the DVDCCA.
o one lone defendant with two attorneys provided by the EFF.
o an audience of various Cypherpunks and Linux folks.

The DVDCCA's attorneys arrived at the courthouse after the Cypherpunks contingent and had to make their way through a rather impressive crowd (especially given that we had less than a day's notice) to file their complaint. One of the attorneys carried several boxes with copies of the complaint. The complaint was sizable. Each copy stacked up almost 3 inches.

The plaintiff's attorneys were clearly surprised by the publicity their action had generated. All three attorneys were visibly nervous and apprehensive while waiting in the hallway for the courtroom to open. This is significant, because these folks are professionals. Unlike some random person who suddenly finds himself in court and might reasonably be nervous, these guys crush people for a living. Yet our presence gave them the jitters.

This is perhaps not /that/ surprising, given that only a *single* defendant of the 500 alleged defendants bothered to show up in court. Chances are the plaintiff assumed that none of the defendants would appear in court. Had that happened, the plaintiff's attorneys would have presented their case, requested a TRO, and absent an opposing party the TRO would have been granted. A mere formality. In and out of the court room in 15 minutes.

However, what took place was far from a formality. Instead of the judge rubber-stamping the TRO, the plaintiffs found themselves faced with not only a defendant, but two attorneys for the defendant that in oral arguments framed the issue at bar in very different terms than the "evil hackers are conspiring to cause millions of dollars in damages to the movie industry by distributing software that allows for illegal copies to be created" put forward by the plaintiff. The defendant's attorneys turned a potential "open and shut" case into a First Amendment issue. Not at all what the plaintiffs had in mind. Big thanks go to the EFF for providing for a defense literally overnight.

Trying to sum up the arguments made during the hearing by both sides is somewhat challenging, which is probably at least in part due to the fact that the plaintiff's complaint has no merit. Nonetheless, I will try to provide an attempt at summary below.

The plaintiff concedes that reverse engineering CSS from an implementation is in principle lawful. However, they also claim that:

1. CSS was reverse engineered from Xing's DVD player.
2. Xing's player requires the user to click on a button accepting a license agreement prohibiting reverse engineering.
3. Reverse engineering could not have been performed without accepting this license agreement.

All taken together, the reverse engineering was supposedly performed in violation of the license agreement to which the person performing the reverse engineering allegedly agreed. It probably will not come as a surprise to many readers of this post that the plaintiff failed to provide even a shred of evidence for even a single one of these claims, much less all of them, as would be required by the legal theory advanced by the plaintiff.

Next, the plaintiff alleges that since the CSS trade secret was therefore obtained by illegal means (breach of contract) the trade secret is still afforded protection. Similarly to a trade secret that has been leaked by a person under NDA.

Furthermore, the plaintiff alleges that every single webmaster that presently mirrors CSS is aware of this supposed illegal origin of the CSS source. The plaintiff conceded that once a webmaster that is unaware of the supposed illegal origin of CSS mirrors the CSS source, the plaintiff's complaint based on trade secret (as found in the Universal Commercial Code) can no longer be made. The plaintiff then requested a TRO to prevent the spread of the CSS source before such a situation occurs.

The counsel for the defendant argued that source code is speech, that the theory that CSS was obtained illegally was questionable at best, and that issuing a TRO would chill the speech of not just the individuals presently mirroring CSS, but of webmasters in general.

The line of argument made by the plaintiff left the audience rather puzzled. First, basing the litigation on trade secret seems sub-optimal. Not that a different legal argument would be anywhere near compelling, but it appears that an argument based on copyright would have been a better approach. In addition, the plaintiff's choice of venue is simply abysmal. Of the many jurisdictions in which they could have filed a complaint, they chose the 9th Circuit, which has ruled that source code is speech.

However, the plaintiff's actions may make more sense when seen in the light of some comments made repeatedly by the plaintiff during the oral argument.

The first comment was that the DVDCCA attorneys allege that since the /sole/ purpose of the DVDCCA is to license CSS, a freely downloadable CSS implementation would put the DVDCCA out of business. I would be inclined to concede this point. It is not quite clear to me why this would be a matter of concern, since the DVDCCA is a non-profit organization. (Somebody needs to obtain their financial statements, which, due to their non-profit status must be public).

The second, and probably more significant, comment made repeatedly by both the plaintiff and the attorneys for the Motion Picture Association in the affidavits accompanying the complaint, is that the studios would not have agreed to releasing movies on DVD if it hadn't been for the DVD consortium's assurance that DVD technology implements an effective copy protection scheme. It appears the DVD consortium is experiencing a lot of heat from the copyright holders over DeCSS and is in dire need of a scapegoat. Since the DVD consortium's own technical incompetence in fielding a copy protection scheme that is both subject to trivial reverse engineering and cryptanalysis is not considered a desirable admission to make to the studios, the blame needs to be shifted elsewhere. Blaming Does 1-500 appears to have been the fastest excuse the DVD consortium could come up with.

[Sidebar: I have just been informed that the judge denied the TRO. This is good news. But the work has just begun].

Even though the judge denied the TRO, our side needs to submit briefs to the Court by January 7th for the preliminary hearing to be held on the 14th. For this to happen we will need two things: technical expertise and money. Today, we caught the plaintiff's attorneys off guard. That won't happen again. According to an affidavit by Harvey Shapiro of Sarogy, Stein, Rosen & Shapiro for the MPAA and MPA, this firm alone has 9 attorneys working on DeCSS. And those aren't just some guys with a law degree. This law firm has been representing the MPAA for 50 years. They are the very embodiment of high-powered American corporate lawyers serving multi-billion dollar clients. I doubt such attorneys run less than $250/hour. If so, the MPAA's legal team alone costs almost $550k per month. The DVDCCA's attorneys are unlikely to be much cheaper. Neither law firm is going to make the same mistake twice.

I don't envy the DVDCCA/MPAA for the situation they are facing. They must win this case. Otherwise, the almost mythical reputation of invincibility in the courtroom the MPAA has enjoyed for so long will be lost. And the sharks have been waiting for a long time, indeed. Yet, the plaintiffs have a serious problem: their complaint is without merit. This probably wouldn't be the first time they won a case without merit, but I sincerely doubt it will happen this time. At least it won't if we do what needs to be done.

I believe it is crucial for us to do the following:

o support the EFF and others helping to provide legal representation to the defendants with cash contributions. We need to raise several hundreds of thousands of dollars to win this fight. I am putting my money where my mouth is and hereby pledge a contribution of $2000.

o the named defendants and their counsel need to show up in court for the hearing on the 14th. You can't win a case if you refuse to stand up for yourself in court. Don't stick your head into the sand. If you live in the US and your name or website is mentioned in the complaint, you only have two realistic choices: show up in court or cave in to the censors.

o the unnamed John Does should stay out of this unless they are willing to fight in court. The plaintiff expressed great frustration at not being able to serve legal notice to defendants only known as "csssux@some_mail_forwarder.com". Let's not make their job any easier.

o coordinate our actions with those who have been down this road before. It probably would be best to contact Robin Gross <robin@eff.org>, the EFF's lead attorney for this case, if you are (or intend to) be involved in this case in any way.

o FWIW, there is one small benefit of coming forward as a John Doe: the plaintiffs will serve you all the legal documents directly. They'll even automatically email them to you in MSWord format, ready for publication on a website.

[Disclaimer: I am not an attorney licensed to practice law in the State of California. The preceding represents my personal opinion and should not be considered legal advice].

--Lucky Green <shamrock@cypherpunks.to>

"Among the many misdeeds of British rule in India, history will look upon the Act depriving a whole nation of arms as the blackest."
- Mohandas K. Gandhi, An Autobiography, pg 446
http://www.citizensofamerica.org/missing.ram
List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: Sameer Parekh <sameer () bpm ! ai>
Date: 1999-12-30 19:44:12

Let me just echo everything Lucky has said, and emphasize a few things.

The EFF truly saved the day in this case. Without quick action on the part of the EFF the TRO would have been granted and the DVD CCA would have dealt a significant blow to free speech. Attorneys for the defense Robin Gross and Allonn Levy deserve our gratitude. Many thanks also to the sole defendant Andrew Bunner who decided to stand up to the DVD CCA and appear in court.

I am not at all surprised that the DVD CCA attorneys did not act completely professionally. The lead attorney in fact was extremely flustered during his rebuttal, which I'm sure did not help his case. I suspect the DVD CCA didn't bring out their best and brightest for this hearing because, as has already been stated, they expected it to be an open and shut 15 minute no-defendant-present TRO hearing. Now that they have seen what opposition we can muster on two days' notice, we can expect that the DVD CCA will be making sure their best people are on the case, people who will not get flustered during rebuttal, people who will not show any visible signs of unease before a hearing.

This is an incredibly important case. Its outcome could set the tone for future interactions between the large copyright holders (MPAA, RIAA, etc.) and the Internet community at large. This case will determine if the large copyright holders will be able to just roll over whomever they like at their whim or if they are going to think twice before launching a baseless case such as this.

The DVD CCA does not have a strong case, but they will not back down. They have too much riding on this. As Lucky has stated, their entire existence is built upon licensing the CSS technology. Since it is no longer a trade secret, they have nothing left to license.
The DVD CCA has expected and continues to expect to win -- not on the merits of their case, but based upon the simple fact that they have more money than the defendants in the lawsuit. We need to prove them wrong.

Just yesterday I sent a check to the EFF for $5,000. I encourage everyone who has an interest in free speech to help show the DVD CCA and its member organizations that they can not and will not be able to use their financial might to censor free speech.

I will dispute Lucky's point, however, that cash contributions are the best way to support the EFF. By donating appreciated liquid securities rather than cash you get substantially increased tax benefits over donating cash. Consult your accountant.

Plan to show up at the hearing January 14th. Show the judge that this is an issue that matters.

Tell people about the case. Impress upon them how important this case is in the fight for free expression as more and more expression is done with source code, audio, and video technology. There was substantial support at the hearing from the Linux community, but the support from the Cypherpunk and MP3/music communities was thin to non-existent. This is not just a Linux issue. This is a free speech issue.

And of course, contribute what you can to the EFF. Imagine what the Internet would be like without the EFF. Source code would not be speech in the 9th circuit. "Indecency" (an ill-defined term at best) would be illegal on the Internet. The BXA would not be rewriting the encryption regulations to support open source. Without the EFF, the Internet as we know it and the associated wealth created with this Internet would not exist.

Thank you,
-s

-- sameer
List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: Andreas Bogk <andreas () andreas ! org>
Date: 2000-01-02 3:37:18

Lucky Green <shamrock@cypherpunks.to> writes:

> other individuals distributing copies of [De]CSS source code. DeCSS was
> originally published to allow for playback of DVD's on computers running the
> Linux operating system.

I think it's about time to clear up some issues. DeCSS is *not* Linux software. But DeCSS would not have been possible without the Linux DVD development, and CSS playback under Linux would have been much harder without the release of the DeCSS source code.

To make sense out of what I'm saying, it helps to take a look at how CSS works. The basic idea is that the DVD is encrypted, and the decryption key is stored on the disk, at a place where it isn't directly readable on an ordinary PC DVD drive.

Now to play back a DVD, the decoder software or hardware runs a two-way authentication and key exchange with the drive. Now the key material is transmitted from the drive to the decoder, obfuscated with the negotiated session key.

How to do this key exchange has been known to the Linux community for almost a year, after an anonymous member of the livid (LInux VIDeo) mailing list posted reverse engineered assembler code of the key exchange to the mailing list. This code does *not* come from the Xing player. The code had been analyzed and re-implemented in C by the livid members.

The interesting point here is that this information is already sufficient for copying a DVD: just copy all of the sectors and the key information.

The second step is the actual decryption of the DVD sectors. For that, there's a so-called player key required. The idea is that the title key (the actual key used for decryption) is encrypted with a disk key, which in turn is encrypted with 408 player keys, and all 409 encrypted disk keys are stored on the disk. The idea is that every player contains one of the 408 player keys, and if any of the keys gets published, you can just omit that slot on all future DVDs and thus limit the impact of the problem.

Now one of those player keys, as well as the actual bulk cipher, were reverse engineered by two independent parties: one released a tool called SpeedRipper, the other a tool named DeCSS. Both tools used the source code developed by the Linux community. Cipher and key in DeCSS were recovered from Xing's player. The fact that Xing didn't take steps to make reverse engineering harder only made that step faster, it had *not* been crucial for the success.

Now someone anonymously mailed the DeCSS source code to the livid list, where in turn the code was analyzed. After a very short time, cryptanalyzers blew a couple of deadly holes into the whole scheme, making the encryption breakable without even knowing any player key in under 20 seconds.

At that phase, the DVD consortium started to get really pissed. No, not because of copyright issues; as I have shown above, copying a DVD had been possible before, and tools to capture and re-encode DVDs to MPEG1 (which makes pirating a DVD manageable, in contrast to the 4.7GB files DeCSS will give you) also existed before.

The only reason that justifies the existence of the player keys in the CSS scheme is control of the DVD consortium over the licensees: they can always threaten to revoke the player key of a given licensee if that licensee doesn't play by the rules (Macrovision, Region Codes, etc.). Now that the scheme has been published and broken, it's possible for anybody (and that distinctly includes the Linux folks) to build a DVD player. *That's* what they were afraid of. Piracy has been possible before, and they didn't care.

> The lines appear drawn rather clearly: a "Copy Control Association" vs. the
> Open Source community. But the hearing left the audience, and I suspect the

Their use of the word "Copy Control" is heavy spin-doctoring. It's about closed vs. open standards, about monopolies vs. open markets, control vs. freedom.

> 1. CSS was reverse engineered from Xing's DVD player.

Only parts come from the Xing player.

> The line of argument made by the plaintiff left the audience rather puzzled.
> First, basing the litigation on trade secret seems sub-optimal. Not that a
> different legal argument would be anywhere near compelling, but it appears
> that an argument based on copyright would have been a better approach. In

But the party whose copyright would have been violated is Xing (plus some other unknown manufacturer), not the DVDCCA; and it wouldn't have been possible to use copyright issues to go after sites like http://crypto.gq.nu, which only contain a description of the process, not actual code.

> The first comment was that the DVDCCA attorneys allege that since the /sole/
> purpose of the DVDCCA is to license CSS, a freely downloadable CSS
> implementation would put the DVDCCA out of business. I would be inclined to

Is it just me, or did the DVDCCA not exist when DeCSS was released? I've never heard of them, and when I tried to obtain a CSS license, the information I had was that CSS is licensed by some Japanese company (which by the way didn't bother to respond to my request to license CSS for the purpose of building a Linux DVD player. Mistake.).

> The second, and probably more significant, comment made repeatedly by both
> the plaintiff and the attorneys for the Motion Picture Association in the
> affidavits accompanying the complaint, is that the studios would not have
> agreed to releasing movies on DVD if it hadn't been for the DVD consortium's
> assurance that DVD technology implements an effective copy protection
> scheme. It appears the DVD consortium is experiencing a lot of heat from the

So in other words, the DVD Consortium lied to the movie industry, and are now trying to keep a straight face by legal moves.

And they *knew* about the weaknesses. At the ISSE 1999 security conference in Berlin I've talked to the guy from Intel who designed the key management mechanism for DVD (and the Pentium III RNG btw.), and asked him if we didn't consider the 40 bit keylength a little weak. His answer was (and this was before the DeCSS release, and before public analysis) that there's a 2^16 attack on the bulk cipher, and that his part of the scheme was one of the strongest parts overall, and that the DVD Consortium knows about this. The 2^16 attack had been rediscovered later.

> o coordinate our actions with those who have been down this road before. It
> probably would be best to contact Robin Gross <robin@eff.org>, the EFF's
> lead attorney for this case, if you are (or intend to) be involved in this
> case in any way.

I can't come to the US at the moment for personal reasons, but I'm available for expertise, phone conferences etc. I think I know quite a bit about CSS, and I know most of the people involved.

Andreas

P.S.: Interestingly enough, the following pages were not on the list of URLs in the legal documents, even though they contain lots of information about CSS and the whole story:

http://www.fefe.de/dvd/
http://www.ccc.de/tvcrypt/dvd/
http://dvd.flatline.de/

All three contain a German text giving an analysis of the issues, some only relevant to Germany, but most of them for anybody, as well as copies of the relevant postings to the livid mailing list.

Andreas

--
"We should be willing to look at the source code we produce not as the end product of a more interesting process, but as an artifact in its own right. It should look good stuck up on the wall."
-- http://www.ftech.net/~honeyg/progstone/progstone.html
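
The key hierarchy and slot revocation described in the message above, as a toy model added here (not code from the thread or from any CSS implementation). `toy_wrap` is a SHA-256 XOR pad standing in for the real cipher, and the check entry used to recognise a correct disk key is an assumption of the model; the slot count and 40-bit key length are the figures given in the post.

```python
import hashlib
import secrets

KEY_LEN = 5      # 40-bit keys, the key length discussed in the message
NUM_SLOTS = 408  # number of player keys given in the message


def toy_wrap(key: bytes, data: bytes) -> bytes:
    """XOR data with a pad derived from key. Self-inverse stand-in for the
    real cipher (assumption: only the key hierarchy is modelled here)."""
    pad = hashlib.sha256(b"toy-wrap:" + key).digest()[: len(data)]
    return bytes(d ^ p for d, p in zip(data, pad))


def make_player_keys(n: int = NUM_SLOTS) -> list:
    """One key per licensed player slot (constructed sample data)."""
    return [secrets.token_bytes(KEY_LEN) for _ in range(n)]


def master_disc(player_keys, revoked=frozenset()):
    """Build the key block for one disc.

    The title key is wrapped under the disk key; the disk key is wrapped once
    per player key. A revoked slot gets random filler, which is how "omit that
    slot on all future DVDs" is modelled. Returns (disc, title_key).
    """
    disk_key = secrets.token_bytes(KEY_LEN)
    title_key = secrets.token_bytes(KEY_LEN)
    slots = [
        secrets.token_bytes(KEY_LEN) if i in revoked else toy_wrap(pk, disk_key)
        for i, pk in enumerate(player_keys)
    ]
    disc = {
        # Assumed check entry: lets a player tell a right disk key from a wrong one.
        "check": toy_wrap(disk_key, disk_key),
        "slots": slots,
        "wrapped_title_key": toy_wrap(disk_key, title_key),
    }
    return disc, title_key


def player_unlock(disc, slot_index: int, player_key: bytes):
    """What a licensed player does: unwrap its slot, verify, unwrap the title key.
    Returns the title key, or None if this player's slot no longer works."""
    candidate = toy_wrap(player_key, disc["slots"][slot_index])
    if toy_wrap(candidate, candidate) != disc["check"]:
        return None
    return toy_wrap(candidate, disc["wrapped_title_key"])


def demo() -> dict:
    """One player key becomes public; compare a disc pressed before the leak
    with one pressed after the slot was revoked."""
    player_keys = make_player_keys()
    leaked = 17  # arbitrary slot chosen for the example
    old_disc, old_title = master_disc(player_keys)
    new_disc, new_title = master_disc(player_keys, revoked={leaked})
    return {
        # Revocation cannot reach discs that are already pressed.
        "leaked_key_opens_old_disc":
            player_unlock(old_disc, leaked, player_keys[leaked]) == old_title,
        # On new discs the published key is useless ...
        "leaked_key_opens_new_disc":
            player_unlock(new_disc, leaked, player_keys[leaked]) is not None,
        # ... while every other licensee is unaffected.
        "other_player_opens_new_disc":
            player_unlock(new_disc, 200, player_keys[200]) == new_title,
        # 408 wrapped disk keys plus the check entry.
        "entries_on_disc": len(new_disc["slots"]) + 1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```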
List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: Ray Hirschfeld <R.Hirschfeld () cwi ! nl>
Date: 2000-01-03 20:54:49

> Date: Wed, 29 Dec 1999 20:06:32 -0800
> From: Lucky Green <shamrock@cypherpunks.to>
>
> First, basing the litigation on trade secret seems sub-optimal. Not that a
> different legal argument would be anywhere near compelling, but it appears
> that an argument based on copyright would have been a better approach.

I conjecture they did it this way because the prohibition against circumventing effective technological measures that was added to U.S. copyright law in October 1998 (as part of the Digital Millennium Copyright Act, which implemented the WIPO Copyright Treaty) does not take effect until October 28, 2000. Cf. Title 17, Chapter 12. The section against trafficking in devices seems like it might apply, though, and doesn't seem to be subject to the two-year delay. But reverse engineering for interoperability purposes is explicitly permitted, and making information so obtained available to others for interoperability purposes also does not constitute infringement under the new law (cf. Sec. 1201 (f) (3)).

(I've just been looking at these regs as part of a separate discussion about DVD region codes.)

List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: bram <bram () gawth ! com>
Date: 2000-01-04 2:43:52

On Mon, 3 Jan 2000, Ray Hirschfeld wrote:

> > Date: Wed, 29 Dec 1999 20:06:32 -0800
> > From: Lucky Green <shamrock@cypherpunks.to>
> >
> > but it appears that an argument based on copyright would have been
> > a better approach.
>
> I conjecture they did it this way because the prohibition against
> circumventing effective technological measures that was added to
> U.S. copyright law in October 1998 (as part of the Digital Millennium
> Copyright Act, which implemented the WIPO Copyright Treaty) does not
> take effect until October 28, 2000. Cf. Title 17, Chapter 12. The
> section against trafficking in devices seems like it might apply,
> though, and doesn't seem to be subject to the two-year delay. But
> reverse engineering for interoperability purposes is explicitly
> permitted, and making information so obtained available to others for
> interoperability purposes also does not constitute infringement under
> the new law (cf. Sec. 1201 (f) (3)).

I'm a little confused. Are you saying that as of October it will be legal to do any amount of reverse-engineering, publishing, and writing to APIs you want without violating the original author's copyright? Does that mean that, say, Bsafe will have the rug yanked out from under it by allowing alternate non-infringing implementations?

(Doesn't the RSA patent expire in October as well? That's a mighty funny coincidence ... for anyone other than RSA, anyhow.)

-Bram

List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: Ray Hirschfeld <R.Hirschfeld () cwi ! nl>
Date: 2000-01-04 8:21:04

> Date: Mon, 3 Jan 2000 18:43:52 -0800 (PST)
> From: bram <bram@gawth.com>
>
> I'm a little confused. Are you saying that as of October it will be legal
> to do any amount of reverse-engineering, publishing, and writing to APIs
> you want without violating the original author's copyright? Does that mean
> that, say, Bsafe will have the rug yanked out from under it by allowing
> alternate non-infringing implementations?

No, October 28, 2000 is when the act of circumventing an effective technological measure becomes a violation (with exceptions for fair use, crypto research, reverse engineering, law enforcement, etc.). Until then it is legal under the new copyright law.

Circumvention for interoperability purposes is already permitted, but not as broadly as you state. Trafficking in technology (including software), the primary purpose of which is to circumvent effective technological measures, is already prohibited.

I recommend that you read Section 1201 of Title 17 for details, which is available online at http://www4.law.cornell.edu/uscode/unframed/17/1201.html. I've excerpted the subsection about reverse engineering below (paragraph 3 is the one I mentioned in my previous message).

Ray

(f) Reverse Engineering. -

(1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

(2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.

(3) The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section.

(4) For purposes of this subsection, the term ''interoperability'' means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.

List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: Andreas Bogk <andreas () andreas ! org>
Date: 2000-01-04 12:45:55

Sameer Parekh <sameer@bpm.ai> writes:

> The DVD CCA does not have a strong case, but they will not
> back down. They have too much riding on this. As Lucky has stated,
> their entire existence is built upon licensing the CSS
> technology. Since it is no longer a trade secret, they have nothing
> left to license. The DVD CCA has expected and continues to expect to

Don't forget that the DVD CCA is only a month old. When the DVD CCA became the licensee for CSS, CSS had already been published. So in my opinion the entire reason for the existence of the DVD CCA is this very lawsuit.

Andreas

--
"We should be willing to look at the source code we produce not as the end product of a more interesting process, but as an artifact in its own right. It should look good stuck up on the wall."
-- http://www.ftech.net/~honeyg/progstone/progstone.html

List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: Phil Karn <karn () qualcomm ! com>
Date: 2000-01-04 18:57:01

>No, October 28, 2000 is when the act of circumventing an effective
>technological measure becomes a violation (with exceptions for fair

But if it was an "effective technological measure", it couldn't have been circumvented. And by circumventing CSS, wasn't it shown to not be an effective technological measure??

Phil

List: cryptography
Subject: Re: DeCSS Court Hearing Report
From: John Gilmore <gnu () toad ! com>
Date: 2000-01-04 20:19:58

> >No, October 28, 2000 is when the act of circumventing an effective
> >technological measure becomes a violation (with exceptions for fair
>
> But if it was an "effective technological measure", it couldn't have
> been circumvented. And by circumventing CSS, wasn't it shown to not be
> an effective technological measure??

No, read the law. Their definition of "effective" is that it purports to protect intellectual property. Welcome to Wonderland, where words mean what *Congress* says they mean. Off with our heads!

> ``(B) a technological measure `effectively controls access
> to a work' if the measure, in the ordinary course of its
> operation, requires the application of information, or a process
> or a treatment, with the authority of the copyright owner, to
> gain access to the work.

John