DMCA Hacking

23:53 Fri 04 May 2007. Updated: 04:54 05 May 2007
[, , , , , ]

The DMCA is, as discussed two days ago, a piece of legislation with a rather broadly-reaching grasp. Particularly in giving copyright holders a lot of leeway in preventing the dissemination of “circumvention devices”. I suspect that certain approachs could exploit this latitude and make the absurdity of the law even more evident than it already is.

The program DeCSS was a “circumvention device”: it allowed you to extract the unencrypted MPEG files from DVDs. The recent AACS encryption key controversy shows that the groups behind the copy prevention technology will treat their own keys as “circumvention devices”, claiming that they coutn as such because they allow users to get past their prevention measures.

The relevant portion of the DMCA:

No person shall … offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof that that -

(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

(C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
09 f9: A Legal Primer

B) is quite interesting, particularly in that it refers explicitly to commercial use. Significant purposes that are not commercial are not protected. It seems clear, however, that the hexadecimal number in question must have plenty of other significant uses (such as in the creation of colored blocks). There must be many software programs that have that hex code in them.

So what would happen under the following circumstances:

I create a new method of controlling access to a work of mine currently under copyright. I make grandiose claims about how unbreakable this access control is. I offer some works I’ve created wrapped in this access control methodology.

Then someone cracks it, because of a flaw in my work. The easiest way to break it turns out to be something silly like the program leaving the key in memory at a specific point. Also, this key is all that is needed to get free access.

Clearly, just as with the AACS, I can start sending out cease and desist orders to anyone who publishes the key. However, in this instance the key is the US Constitution. Can I win any of the cease and desist cases? I don’t see why not, especially since the AACS aren’t required to make any affirmative claim regarding their “ownership” of the hexadecimal key.

Yes, it would most likely get thrown out. However, the critique here is serious: the statute obviously gives the content provider the right to decide what a circumvention device is. I suppose a judge could claim that the Constitution has a “significant commercial use”, but that would be a stretch in my opinion.

There may be better options for keys than the Constitution here, but I can’t think of any right now. I wonder if the EFF would have any interest in trying out something like that.

Leave a Reply