EFF is suing the US government to invalidate the DMCA's DRM provisions

The Electronic Frontier Foundation has just filed a lawsuit that challenges the constitutionality of Section 1201 of the DMCA, the law's "Digital Rights Management" provision. The notoriously overbroad section bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices.

EFF is representing two clients in its lawsuit: Andrew "bunnie" Huang, a legendary hardware hacker whose NeTV product lets users put overlays on DRM-restricted digital video signals; and Matthew Green, a heavyweight security researcher at Johns Hopkins who has an NSF grant to investigate medical record systems and whose research plans encompass the security of industrial firewalls and finance-industry "black boxes" used to manage the cryptographic security of billions of financial transactions every day.

Both clients reflect the deep constitutional flaws in the DMCA, and both have standing to sue the US government to challenge DMCA 1201 because of its serious criminal provisions (5 years in prison and a $500K fine for a first offense).

The US Trade Rep has propagated the DMCA's anticircumvention rules to most of the world's industrial nations, and a repeal in the US will strengthen the argument for repealing their international cousins.

Huang has written an inspirational essay on his reasons for participating in this suit, explaining that he feels it is his duty to future generations:

Our recent generation of Makers, hackers, and entrepreneurs have developed under the shadow of Section 1201. Like the parable of the frog in the well, their creativity has been confined to a small patch, not realizing how big and blue the sky could be if they could step outside that well. Nascent 1201-free ecosystems outside the US are leading indicators of how far behind the next generation of Americans will be if we keep with the status quo.

Our children deserve better.

I can no longer stand by as a passive witness to this situation. I was born into a 1201-free world, and our future generations deserve that same freedom of thought and expression. I am but one instrument in a large orchestra performing the symphony for freedom, but I hope my small part can remind us that once upon a time, there was a world free of such artificial barriers, and that creativity and expression go hand in hand with the ability to share without fear.

Update: Matthew Green has also published a statement on his involvement in the case:

There’s a saying that no good deed goes unpunished. The person who said this should have been a security researcher. Instead of welcoming vulnerability reports, companies routinely threaten good-faith security researchers with civil action, or even criminal prosecution. Companies use the courts to silence researchers who have embarrassing things to say about their products, or who uncover too many of those products’ internal details. These attempts are all too often successful, in part because very few security researchers can afford a prolonged legal battle with a well-funded corporate legal team.

This might just be a sad story about security researchers, except for the fact that these vulnerabilities affect everyone. When security researchers are intimidated, it’s the public that pays the price. This is because real criminals don’t care about lawsuits and intimidation – and they certainly won’t bother to notify the manufacturer. If good-faith researchers aren’t allowed to find and close these holes, then someone else will find them, walk through them, and abuse them.

In the United States, one of the most significant laws that blocks security researchers is Section 1201 of the Digital Millennium Copyright Act (DMCA). This 1998 copyright law instituted a raft of restrictions aimed at preventing the “circumvention of copyright protection systems.” Section 1201 provides both criminal and civil penalties for people who bypass technological measures protecting a copyrighted work. While that description might bring to mind the copy protection systems that protect a DVD or an iTunes song, the law has also been applied to prevent users from reverse-engineering software to figure out how it works. Such reverse-engineering is a necessary part of effective security research.

The EFF's complaint, filed minutes ago with the US District Court, is as clear and comprehensible an example of legal writing as you could ask for. It builds on two recent Supreme Court precedents (Golan and Eldred), in which the Supremes stated that the only way to reconcile free speech with copyright's ability to restrict who may utter certain words and expressions is fair use and other exemptions to copyright, which means that laws that don't take fair use into account fail to pass constitutional muster.

In this decade, more and more companies have figured out that the DMCA gives them the right to control follow-on innovation and suppress embarrassing revelations about defects in their products; consequently, DMCA 1201-covered technologies have proliferated into cars and tractors, medical implants and home security systems, thermostats and baby-monitors.

With this lawsuit, the EFF has fired a starter pistol in the race to repeal section 1201 of the DMCA and its cousins all over the world: to legitimize the creation of commercial businesses that unlock the value in the gadgets you've bought that the original manufacturers want to hoard for themselves; to open up auditing and disclosure on devices that are disappearing into our bodies, and inside of which we place those bodies.

I've written up the lawsuit for the Guardian:

Suing on behalf of Huang and Green, EFF’s complaint argues that the wording of the statute requires the Library of Congress to grant exemptions for all conduct that is legal under copyright, including actions that rely on fair use, when that conduct is hindered by the ban on circumvention.

Critically, the supreme court has given guidance on this question in two rulings, Eldred and Golan, explaining how copyright law itself is constitutional even though it places limits on free speech; copyright is, after all, a law that specifies who may utter certain combinations of words and other expressive material.

The supreme court held that through copyright’s limits, such as fair use, it accommodates the first amendment. The fair-use safety valve is joined by the “idea/expression dichotomy”, a legal principle that says that copyright only applies to expressions of ideas, not the ideas themselves.

In the 2015 DMCA 1201 ruling, the Library of Congress withheld or limited permission for many uses that the DMCA blocks, but which copyright itself allows – activities that the supreme court has identified as the basis for copyright’s very constitutionality.

If these uses had been approved, people such as Huang and Green would not face criminal jeopardy. Because they weren’t approved, Huang and Green could face legal trouble for doing these legitimate things.


America's broken digital copyright law is about to be challenged in court [Cory Doctorow/The Guardian]

Why I’m Suing the US Government [Andrew "bunnie" Huang]

Section 1201 of the DMCA Cannot Pass Constitutional Scrutiny [Kit Walsh/EFF]

(Image: Bunnie Huang, Joi Ito, CC-BY)

Notable Replies

  1. "No person shall be...deprived of property, without due process of law."

    I purchased your product at a store or online. I didn't rent or license it, regardless of what the terms of use I didn't read say. If I decline to agree to your "license," you don't come back and take it from me or pay me rent for keeping your property at my house. If I own it, that means I own my copy of your DRM scheme and can do what I want with it for personal use, including hack it, override it, disable it, dissect it, desecrate it, piss on it, and describe to others what I did to it using my 1st Amendment right to free speech. If you disagree, I want back rent for all the crap you're storing at my house.

  2. I don't know enough about copper coils under power lines to say. Given that energy doesn't tend to come from nowhere, I would guess that doing this would actually affect the current moving through the line. That is, you are actually stealing something since theft is depriving someone else of something. Someone with more electrical knowledge could clarify.

    Satellite TV is not like that at all. Those beams coming down from space blanket the planet. If I set up a satellite I am only intercepting those beams that would have hit that particular spot anyway, so unless it's casting a shadow over someone else's satellite it isn't stopping anyone else from using anything.

  3. In two places:

    First: if you own a thing, you own it. You should be able to enjoy that thing however you want without being sued (as long as your use doesn't cause actual harm to someone). So, if I own a DVD, I should be able to watch that DVD on an iPad, regardless of not having purchased a separate digital copy. I can understand not having been given a right to distribute the movie, but I should be able to watch it in whatever manner I see fit. This goes double if I have some sort of special needs which require an alternative manner of accessing the content (like a person with visual impairment having an eBook reader that reads the book aloud).

    Second, the law should not criminalize normal behaviour. If, say, it's common behaviour to bring a car to a non-dealer mechanic for service, the dealer should not be able to lock that mechanic out from performing the same kind of diagnostics on the car that the dealer can.

    I would argue that your first three examples fail both tests --- most people watching satellite TV are not pirating, and the descrambler-users haven't paid for the service they're stealing; most people borrowing DVDs from libraries are only watching once, and the people who do pirate media are also the people who usually buy the most media, so no harm done; a copper coil imposes costs on the rest of the system (which has to generate more power to compensate for that being impeded by the coil), and said coils are not exactly commonplace.

    For your last example: if I was attending a game, and then come home, and excitedly describe as much of the game that I can remember to a family member, should that be illegal? I don't think so, but if "accounts and descriptions of this game may not be disseminated without the express written consent of Major League Baseball," then MLB might try to argue that you are harming them by doing so.

  4. I would say yes in this case. If they use flawed encryption, it's their fault. You don't control that their signal gets to your property.

    Do you think you own a DVD that you borrow from the library? No? There's your answer.

    Are power lines your property? Are power lines covered by DRM? Do you know what the lawsuit is actually about?

    Personally, I think that's a 1st Amendment right, yes. The actions you're factually describing are not copyrighted or copyrightable.

    Read what the lawsuit is about. That's a good place to start where the line is already drawn. The DRM provision doesn't consider fair use, which it should. It takes an already acceptable practice like making a personal copy and makes that illegal solely because it's wrapped in DRM, however weak and decryptable that DRM is.

    Considering the lobbying power/campaign fund saturation of IP companies and the decrease of the focus on manufacturing products in the US economy, I don't rate anyone too high on their chances of unraveling the corruption of law that is the current copyright system. But that doesn't mean we shouldn't continue fighting it.

  5. It's generally a pretty annoying discussion practice to take someone's responses and try to act as though they are supporting entirely different situations.

    Permitting DRM to be broken for purposes of fair use (or use of one's personal property, even) doesn't get rid of the rest of copyright law, which would apply in most of the situations you've advanced.
