12 October 2003

Technology and legal standards 

posted by oskeladden @ 6:21:00 pm Perm Link
Technology and legal standards

It's interesting, as Rob points out, that the little word 'effectively' has been more or less missed out in the debate over DMCA's anti-circumvention protection. It's a theme which I'll probably harp on time and again in this blog: the law simply has not figured out how to apply commonly used standards to the online world, as is beautifully illustrated by this case.

Let's start off by positing that the qualification of "effectively" in DMCA s. 1201 means protection which works. The crux, then, is deciding what standard should be applied in determining if a particular technology protects "effectively". We have a sliding scale of users to consider. First, we have the hacker sort, who've tinkered with and customised the way their computer works. If we use them as the standard, almost no technological measures would be "effective".

Second, we have the inquisitive technofriendly sort, who can actively investigate the way his OS works, and tinker with various options so that they suit him best. This category of users are likely to have known of autoplay and perhaps disabled it even before using a protected CD. If not, they're likely to be able to link the effects they see (such as the popup EULA) with autoplay, and disable it. Clearly, the measure isn't effective against them, and no technological measure which relies on standard user-configurable OS features (as opposed to proprietary code) will be effective against them.

Third, we have the mildly technofriendly sort, who tinkers a little with the most obvious OS settings, but lacks the technological skill to do anything more. These users are unlikely to be able to make the connection between autoplay and a popup window unless it's pointed out to them. Arguably, any technolgical measure will be effective against them.

Fourthly, we have old Joe Potatoes, who doesn't know enough to alter his basic desktop configuration. His ilk are unlikely to have heard of autoplay, and the technolgical measure will therefore be effective against them.

So, against which of these categories of users must a technolgical measure be "effective" to be protected under the DMCA?

I'm in general agreement with Rob's conclusions, because I think it makes most sense to determine whether a measure is effective with reference to the second category of users. But is that the intent of the DMCA? Would a judge apply the standard of a technology-aware user, or of the extremely large chunk of users who don't know what autoplay is or how to disable it, or who would never have figured out that the CD relied on autoplay if it hadn't been for the paper? What sort of technological awareness and prowess is the law going to credit a reasonable user as having?

In some ways, I really wish this case had been litigated.

11 October 2003

Weighing in on SunnComm and Shift Keys 

posted by Rob @ 9:50:00 pm Perm Link
Weighing in on SunnComm and Shift Keys

Most of you are probably already aware of the outrage that followed SunnComm's threat to bring an anti-circumvention lawsuit against a PhD student who discovered that SunnComm's alleged audio CD protection system could be defeated simply by pressing the "shift" key while inserting a "protected" CD into the system. (See stories here, here, here, here, google it, or better yet, google news it). There has been a lot (and I mean a lot) of blog activity over this, including the fact that SunnComm subsequently backed down (via LawMeme).

What's interesting to me is the number of posters and others who assumed that SunnComm had a good case under the U.S.'s version of the anti-circumvention provisions contained in the Digital Millennium Copyright Act (here's just one example, but I honestly haven't seen this point raised anywhere). There were a number of really smart analyses questioning how the law would be applied, and whether SunnComm could win (some concluding it would not, others concluding it should not be allowed to). The case, had it been brought, was seen as one that could test various provisions of the Act against U.S. copyright law's "fair use" provisions.

This assumption, however, is based on the foundational notion that SunnComm's technology was would be covered by the DMCA. The basic requirement for protection is found in section 1201 of the Act:

DMCA Sec. 1201: '(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title.'

A technology is included within the definition, according to 1201(3)(b), if: 'if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.'

My question, then, is this: Many computers users (such as myself) switch Windows from the default "autorun" that Windows ships with (so that CDs start automatically when inserted), and "shut off" autorun. Thus, if I had purchased one of the SunnComm protected CDs and put it into my computer, I would have had unfettered access to the content. It would have been unprotected. Not because I chose to make it so, but because the protection was so badly designed that a changeable setting in the operating system could render it so.

If this is the case, does anyone really think that SunnComm could have argued it was effective? I know the DeCSS decision, Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 346 (S.D.N.Y. 2000) (PDF version, via Electronic Frontier Foundation's MPAA_DVD cases archive) (upheld on other grounds by the Second Circuit), held that CSS was effective even though it was easily bypassed with the application of DeCSS. That's not the point here. Here, I did not need to run a program, or even do anything to "defeat" the "protection" on the CD. I simply needed to put the CD into my computer and I would have had complete access to the content. No information, process or treatment was required. I could simply play the disk, copy the audio files, and share them.

Let's say, for example, that I develop a new method of protecting hard copy books from unauthorized reproduction. The protection is cello tape (Scotch tape to those of you in the U.S.). I apply the tape so that it attaches the front cover to the back cover. I then paint it silver. Authorized readers are informed that they should simply remove the tape. Unauthorized readers are told nothing. But what does an unauthorized reader do when she finds a copy of the book, or buys it through an authorized dealer? She opens it, breaking the seal. Does my method "effectively control access"? I doubt it; I'll bet you do, too.

While SunnComm likely would have failed in establishing a violation by Halderman of the DMCA on other grounds, we needn't go that far. It's enough to say, "this law they're seeking protection under doesn't apply to them." And do you know what? I'll bet it doesn't; they may have wanted it to be effective, to be protected under the Act. But their wanting it to be is not enough, not even under the DMCA.