The Electronic Frontier Foundation (EFF) filed a lawsuit on Thursday that American copyright wonks, technologists and security researchers have been hotly awaiting for nearly 20 years.
If they succeed, one of America’s most controversial technology laws will be struck down, and countries all over the world who have been pressured by the US trade representative to adopt this American rule will have to figure out whether they’ll still enforce it, even after the US has given up on it.
The rule is section 1201 of the Digital Millennium Copyright Act (DMCA) of 1998, the “anti-circumvention” rule that makes it illegal to break an “access control” for copyrighted works. These “access controls” often manifest as “digital rights management” (DRM), and the DMCA gives them unique standing in law.
EFF is suing the US government, arguing that section 1201 of the DMCA is unconstitutional, and also that the Library of Congress and the copyright office have failed to perform their duties in the three-year DMCA 1201 exemption hearings.
What is digital rights management?
If you buy something, it’s yours, and you can modify, configure, or use it any way you’d like, even if the manufacturer would prefer that you didn’t. But the law forbids you from doing otherwise legal things if you have to tamper with the DRM to do them.
Originally, this was used exclusively by the entertainment industries: by adding DRM to DVDs, they could prevent companies from making DVD players that accepted DVDs bought abroad. It’s not illegal to bring a DVD home from an overseas holiday and watch it, but if your DVD player recognises the disc as out-of-region, it is supposed to refuse to play it back, and the act of altering the DVD player to run out-of-region discs is unlawful under the DMCA’s section 1201. It could even be a crime carrying a five-year prison sentence and a $500,000 fine for a first offense (the act of offering a region-free DVD player for sale, or even the neighbour’s kid helping you to deregionalise your DVD player, can be criminal acts).
Companies can only use the DMCA if they can argue that their DRM protected a copyrighted work. Nike can’t invoke section 1201 of the DMCA to prevent a rival company from offering replacement shoelaces for its trainers, because shoelaces and trainers aren’t copyrighted (or copyrightable). But once there’s software involved, copyright enters the picture because software itself can be copyrighted.
The proliferation of “smart” devices has put software – and potentially, the DMCA – into every part of our lives. Your car is a computer that surrounds your body. Auto manufacturers use DRM to prevent independent mechanics from reading out information from broken cars and to prevent diagnostic tool-makers from making smarter diagnostic equipment. Mechanics and tool-makers who want to know what’s wrong with your car have to either break the DRM (risking fines or even prison) or get the official manufacturer’s permission to compete, which drives up repair costs. In other words, now that there’s software in your car, the DMCA can be invoked to give manufacturers a monopoly over parts, service and features for them.
And it’s not just cars. Every three years, the US copyright office entertains proposals for limited exemptions to section 1201 of the DMCA.
In 2015, they heard from people who have been frustrated by anti-circumvention rules as applied to voting machines (a computer we put a democracy inside of); hospital equipment (a computer we put sick people inside of); medical implants (computers we put inside our bodies); as well as critical infrastructure, financial technology and more.
Tellingly, many of these petitioners were security experts. DRM advocates say that when a security expert discloses a defect in their products – a flaw, say, that would allow strangers to watch your family through your baby monitor, or kill you by dumping all your insulin pump’s medicine into your blood at once, or take control of your car over the internet and drive it, operating the brakes, steering and acceleration (all examples of things people have done or shown could be done by exploiting vulnerabilities in devices with DRM) – they are violating laws that protect DRM.
These manufacturers say that the law gives them the power to determine when, if ever, the people who entrust their lives, privacy, security, votes and finances to computer-based products get to know about the defects in those products.
How is it still around?
It’s been 18 years since the DMCA passed into law under then President Bill Clinton, co-sponsored by congressman Barney Frank, voted in unanimously by the Senate. The law has obvious, gross constitutional defects, so how is it still in force?
Here’s the civics-class version of the relationship between the US constitution and Congress: America’s constitution limits the laws Congress can make. Congress isn’t supposed to make unconstitutional laws, and when a judge finds such a law, he or she can rule that the law is invalid.
But nothing as high-stakes as law is ever as simple as that. People can disagree about whether a law is constitutional – the constitution has a lot of high-flown language whose specifics have been hammered out over centuries by judges and lawyers and scholars who have fiercely debated them (and even gone to war over them). So a lawmaker might create a statute he believes to be constitutional, while a judge might rule that it’s not and strike it down.
Then there’s the question of how these sorts of questions wind up in front of a court.
In the years since the DMCA’s passage, there have been relatively few court challenges. In one case, Universal v Corley, a movie studio successfully sued the hacker magazine 2600 for publishing computer code that could descramble a DVD.
In 2002, a technologically unsophisticated judge in the case ruled that a hacker magazine could be censored under the DMCA and was not shielded by the first amendment’s guarantee of free speech because the code was a form of “stealing”.
In the years since, the entertainment industry has been canny about its threats.
When Ed Felten – a prominent computer scientist, then at Princeton University, now deputy CTO of the White House – and a group of peers published a paper on defects in DRM for music called Secure Digital Music Initiative, the record companies threatened to sue him and the technical conference where the paper was to be delivered. The Electronic Frontier Foundation stepped forward to defend Felten, and the labels beat all speed records withdrawing their threats because they understood that judges would be reluctant to give record executives a veto over the kinds of technical presentations that computer scientists could give.
At this point, you may be asking why, if the law hasn’t come up in court decisions very often, does it even matter. But it does, because the few successful prosecutions under the law have been sufficient to chill all kinds of technological development and security disclosures.
The reason your computer automatically rips your old CDs and offers to move them to your mobile device and the cloud, but prompts you to buy your DVDs anew to watch them on a mobile screen, is that the DMCA has successfully intimidated every operating system company in the world into not including DVD-ripping software out of the box (those DVD-ripping programs you may have tried? Also radioactively illegal to distribute).
Don’t forget all those security researchers who told the copyright office that their lawyers wouldn’t let them warn us about the potentially lethal defects in all those internet of things devices we’re coming to rely on – there’s no question that section 1201 of the DMCA scares the heck out of businesses and security professionals.
The case in question
Which brings us to today’s lawsuit. EFF is representing two clients: Andrew “bunnie” Huang, a legendary engineer with a PhD from the Massachusetts Institute of Technology who made his reputation when he figured out how to install the free operating system GNU/Linux on Microsoft’s Xbox and published a book about it; and Matthew Green, an assistant professor at Johns Hopkins and considered a heavyweight in security circles, whose research includes audits of OpenSSL and Truecrypt.
One of Huang’s projects is a gadget called NeTV, which allows users to overlay images over HD videos. Huang figured out a clever way to work with High-bandwidth Digital Content Protection (HDCP) – a widely used DRM for HD videos – without violating the DMCA. But he wants to expand NeTV’s features in a new device called NetVCR, which will allow you to record and manipulate digital video the same way you can with analogue videos and a video recorder: record them for later, turn them into clips that you reuse in legal ways, and so on.
Green, meanwhile, wants to do security research of the sort that could raise section 1201 threats. Though the copyright office has granted some limited exemptions to the DMCA that allow security research on consumer equipment and some medical devices, Green’s research includes investigating the security of industrial-grade encryption devices used to secure cryptographic keys for purposes such as processing credit card or ATM transactions.
He has a grant from the National Science Foundation to investigate the security of medical record systems. He wants to investigate the security of medical devices; toll collection systems; industrial firewalls and virtual private network devices; and wireless communications systems that connect vehicles to one another and to the surrounding infrastructure. Lurking flaws in these devices pose a serious threat to the economy and hundreds of millions of people who rely on them every day, so we really want people like Green to be able to independently validate their quality (the bad guys who want to abuse those devices don’t ask for permission to investigate their flaws, after all).
Why EFF is suing
Suing on behalf of Huang and Green, EFF’s complaint argues that the wording of the statute requires the Library of Congress to grant exemptions for all conduct that is legal under copyright, including actions that rely on fair use, when that conduct is hindered by the ban on circumvention.
Critically, the supreme court has given guidance on this question in two rulings, Eldred and Golan, explaining how copyright law itself is constitutional even though it places limits on free speech; copyright is, after all, a law that specifies who may utter certain combinations of words and other expressive material.
The supreme court held that through copyright’s limits, such as fair use, it accommodates the first amendment. The fair-use safety valve is joined by the “idea/expression dichotomy”, a legal principle that says that copyright only applies to expressions of ideas, not the ideas themselves.
In the 2015 DMCA 1201 ruling, the Library of Congress withheld or limited permission for many uses that the DMCA blocks, but which copyright itself allows – activities that the supreme court has identified as the basis for copyright’s very constitutionality.
If these uses had been approved, people such as Huang and Green would not face criminal jeopardy. Because they weren’t approved, Huang and Green could face legal trouble for doing these legitimate things.
It’s a complicated story, existing at the intersection of law, technology and information security, realms that are hard enough to get your arms around on their own, let alone in combination. But that very complexity – honestly, that very boringness – has allowed this anti-circumvention rule from the DMCA to fester and metastasize into devices that are taking over the physical world.
EFF’s lawsuit could take years to be finally decided.