The DRMperor’s New Clothes?
posted by James Grimmelmann
Like a good many law professors, I teach and write about digial rights management: the technological “locks” copyright owners use to keep people from getting at digital media without authorization. Exhibit A in any discussion of DRM is the DeCSS saga. CSS, the “Content Scramble System,” is the encryption system that keeps you, the home user, from watching DVDs without permission. The way it works is that some DVDs (the ones Hollywood cares about) come encrypted. The decryption key is stored in each and every DVD player, but manufacturers can’t get a license to make DVD players (and thereby get authorized access to the key) unless they sign an extensive license agreement with the DVD Copy Control Association. By obvious linguistic principles, DeCSS is the thing that makes CSS not do its thing. In particular, a Norwegian teen (fun fact: seven of the first ten Google hits for “Norwegian teen” are about him), frustrated at the lack of software DVD players that run on the open-source operating system Linux, wrote a program that decrypts CSS-protected DVDs. The idea is that one could then take the unencrypted version from your computer, burn it to a blank DVD, and then view the DVD on a Linux computer.
As normally told, this story illustrates all sorts of useful points. It shows how a classic DRM-based business model works: sell individual copies with DRM that keeps them from turning into lots of copies. It shows how painfully insecure such business models can be: DVD Jon was easily able to find the super-seekrit CSS decryption key in the code of a Windows DVD player (every DVD player in existence, after all, must contain a copy of the key). And it shows the might of the law descending with fury and malice in response: lawsuits under the Digital Millenium Copyright Act soon followed.
But there’s a gaping technological hole in this story. You see, CSS as I’ve described it above, tries to block one specific attack vector: copying an encrypted DVD onto a computer and decrypting it, then using the computer’s DVD burner to make a new, unencrypted DVD version. DeCSS opens up this attack again. But why would anyone bother with this slow, clumsy way of making copies? Why not just read the encrypted contents of the DVD onto the computer, keep the bits encrypted, and burn them back onto a new DVD in exactly the same form? You wind up with a new DVD, exactly identical to the old. And, of course, thanks to the convenient fact that every DVD player in existence has a copy of the decryption key, that new DVD is playable on any DVD player in existence.
In other words, CSS sounds like a gigantic dust-up over nothing. Would-be pirates already have a perfectly good way of making any number of perfect copies. Worrying about DeCSS, it would seem, is like worrying about the barn’s windows when the wide-open door is just gaping at you. Hasn’t the legal system—and by extension, the legal academy—just spent who knows how many hours on a massive intellectual boondoggle?
Thus, a question for the readership. What crucial fact is missing from the story above? I’ll post the answer tomorrow, along with some pointed observations about the implications.
May 12, 2008 at 2:25 pm
Posted in: DRM
Print This Post
Responses (14)
Scote - May 12, 2008 at 3:07 pm
“Thus, a question for the readership. What crucial fact is missing from the story above? I’ll post the answer tomorrow, along with some pointed observations about the implications.”
Why wait? People don’t necessarily want to duplicate DVDs, they want the content they purchase to be device agnostic. DeCSS isn’t about piracy, it is about giving content purchasers the ability to use the content they purchased how they wish. If they buy a movie, they want to play it on the the device of their choice, whether it is off their laptop computer hard drive or on their iPhone–where as copyright maximalists want to sell a different version of the content for each and every device.
Sarah L. - May 12, 2008 at 3:15 pm
I thought there were a bunch of keys involved in CSS, including some on the disk itself. The reason the method you described (copying an encrypted disk and playing it on a compliant player) wouldn’t work is that the CSS disk’s descrambling keys are in sectors that aren’t copied when you make a copy of the disk using a noncompliant player.
But I don’t know much about this area, so it may well be that (a) I don’t understand your hypo, (b) I don’t understand CSS, (c) this isn’t an issue anymore because people have already figured out how to get around it, or (d) any combination of (a) through (c).
mmm - May 12, 2008 at 4:44 pm
The missing fact is that DeCSS is necessary so that legally purchased DVDs would play on DVD players that did not license a CSS key. For pesky free software packages built for Linux, the creators are unlikely to be able to recoup the cost of any license fee that they would have to purchase to get the key.
As a result, DeCSS case has nothing to do with protecting the content with which CSS was entrusted to protect.
Jason W. - May 12, 2008 at 4:47 pm
As a side note, I’m scared to ask what the other three hits for “Norwegian teen” are.
Michael Risch - May 12, 2008 at 5:19 pm
I’m thinking it’s all about regionalization of DVD players (and thus differential market entry, licensing, and control of release of DVD’s) – and pricing control that goes with it. In other words, you can’t play an encrypted copy of a US DVD in Europe, and that’s the way the studios want it.
John Armstrong - May 12, 2008 at 5:25 pm
Scote and mmm have it, I think. The intended use of DeCSS is not to make illegal copies, but to enable legal use of the legally purchased DVDs.
Compare: the “intended use” of the BitTorrent protocol is to more rapidly disseminate large files by using the built-in parallelism of networked computer systems. That pirated files are distributed over the protocol doesn’t make the protocol itself illegal.
Another important note: what DVD makers claim to own is the decryption key, which is (like everything else on a computer) a number. It’s like I decided I owned “23″, and nobody else was allowed to use “23″ because it happened to be the linchpin on which I’d hung the entirety of my personal security.
Karl Lembke - May 12, 2008 at 5:34 pm
To echo Michael Risch, I recall reading about regionalization as well. A DVD intended for sale to the USA, for example, might not be playable on DVD players manufactured for sale in Europe. If I’ve bought a DVD, I want to be able to play it on my DVD player, and not have to buy one with a Japanese CSS key.
A second point, and an argument I’ve seen used against copy protection schemes in general, is that these schemes turn a durable good into a perishable one. If you can’t make an archival back-up copy of the content you’ve purchased, your purchase lasts only as long as the media on which it’s recorded.
Scote - May 12, 2008 at 5:48 pm
“A second point, and an argument I’ve seen used against copy protection schemes in general, is that these schemes turn a durable good into a perishable one. If you can’t make an archival back-up copy of the content you’ve purchased, your purchase lasts only as long as the media on which it’s recorded.”
And sometimes not even that long. DRM can not only tie the life span of content to the life span of the original media but also the life span of the original media player. And in some cases, to the life span of the DRM key server. Recently, Microsoft announced it is shutting down the DRM key server for people who bought “Plays for Sure” DRMed songs from the MSN music store.
DRMed media is like a cruise ship without lifeboats, the music goes down with the ship.
Bruce Boyden - May 12, 2008 at 6:01 pm
The missing bit is that the whole scheme depends on licensed drives, which must play by the licensing rules. A lot of people tend to miss this. I did a post on interoperability that raised the license issue here:
http://www.concurringopinions.com/archives/2006/08/what_does_it_me_1.html
Just to preempt what’s probably coming next, I don’t think there’s anything inherently wrong with license terms on decryption.
And I think it strains credibility to suggest that DeCSS is *only* used to watch legally purchased DVDs on Linux boxes. Sure, and those watches really did fall off the back of a truck.
Scote - May 12, 2008 at 6:18 pm
“And I think it strains credibility to suggest that DeCSS is *only* used to watch legally purchased DVDs on Linux boxes. Sure, and those watches really did fall off the back of a truck.”
In the case of “DVD Jon” that is exactly what happened. He had a Linux box and there were no licensed players for Linix–nor were there any plans to ever make any. And he did only use DeCSS to play DVDs on his Linux box. All attempts to prosecute him, even with discovery, failed because of that fact.
Maryland Conservatarian - May 12, 2008 at 7:05 pm
“Hasn’t the legal system—and by extension, the legal academy—just spent who knows how many hours on a massive intellectual boondoggle?”
Doesn’t that kind of call into question the whole Law Review thing if we start worrying about this…
John Armstrong - May 13, 2008 at 12:06 am
Bruce, that’s not what I said. I said the “intended” use. Not the “only” use. Please don’t set up straw men, I’ve just vacuumed.
Bruce Boyden - May 13, 2008 at 11:53 am
John, your original statement referred to “the” intended use. Other comments above seem to say roughly the same thing, that DeCSS is for playing legal DVDs on unlicensed devices. But if everyone here admits DeCSS can be used for something other than building a Linux-compatible DVD drive, then I guess we’re all on the same page. Although I’m not clear on even the connection to Linux, given that DeCSS is a Windows program.
John Armstrong - May 13, 2008 at 3:17 pm
Bruce: my comparison should have made it clear that I’m recognizing illicit uses. The point is that “what the post leaves out” is the legal use, and how having a single legal use changes the game.
Leave a Reply