[Infowarrior] - EFF's analysis of AACS issue and DMCA claims

[Richard Forno]

May 02, 2007

http://www.eff.org/deeplinks/archives/005229.php

As was reported back in February, an enterprising hacker unearthed and
posted one of the decryption keys used by AACS to decode HD-DVD movies
(other keys and exploits have been made available in the weeks since). Now
the AACS-LA (the entity that licenses AACS to makers of HD-DVD players) has
set its lawyers on the futile mission of trying to get every instance of at
least one key (hint: it begins with 09 f9) removed from the Internet.

Predictably, this legal effort has backfired, resulting in eternal Internet
fame for the key in question. In addition to having been posted on hundreds
of thousands of web sites (and resulting in the temporary shutdown of
Digg.com), the key has already spawned a song, a quiz, a domain name, and
numerous T-shirts.

So now might be a good time to review a few of the basic legal issues raised
by the posting of the keys. (This is an overview of the legal landscape, not
legal advice, and I am not expressing any view about how a case might come
out if AACS-LA sued anyone.)

What is the AACS-LA's argument? In its takedown letters, the AACS-LA claims
that hosting the key violates the DMCA's ban on trafficking in circumvention
devices. The DMCA provides that:

    No person shall ... offer to the public, provide, or otherwise traffic
in any technology, product, service, device, component, or part thereof that
that -

    (A) is primarily designed or produced for the purpose of circumventing a
technological measure that effectively controls access to a work protected
under this title;

    (B) has only limited commercially significant purpose or use other than
to circumvent a technological measure that effectively controls access to a
work protected under this title; or

    (C) is marketed by that person or another acting in concert with that
person with that person's knowledge for use in circumventing a technological
measure that effectively controls access to a work protected under this
title.

The AACS-LA presumably would argue that the key is a "component" or "part"
of a "technology" that circumvents AACS. Moreover, AACS-LA would likely
argue that the key was "primarily ... produced" to circumvent AACS, that is
has no other commercially significant purpose, and that it is being
"marketed" for use in a circumvention technology. The takedown letters seem
to take the position that both the poster and the hosting provider are
engaged in "trafficking."

The AACS-LA will also doubtless point to the DMCA cases brought against 2600
magazine for posting the DeCSS code back in 2000 (EFF was counsel to the
defendant). In that case, both the district court and court of appeals
concluded that posting DeCSS to a website violated the DMCA.

Who can sue over the posting of the key? The DMCA entitles "anyone injured
by a violation" to bring a civil lawsuit seeking damages (including
statutory damages ranging between $200 and $2500 for each "offer"). In
addition, if a person violates the DMCA "willfully and for purposes of
commercial gain," a federal prosecutor could bring criminal charges (with
the famous exception of the Sklyarov case, however, criminal prosecutions
have generally been limited to situations where the DMCA violation was also
accompanied by evidence of commercial piracy).

What about just linking to a place where the key is posted? The courts in
the DeCSS case wrestled with the proper test to apply when someone links to
a location where a circumvention tool can be found. Ultimately, the district
court held that an injunction against linking could be issued after a final
judgment if a the plaintiff could show, by clear and convincing evidence,

    "that those responsible for the link (a) know at the relevant time that
the offending material is on the linked-to site, (b) know that it is
circumvention technology that may not lawfully be offered, and (c) create or
maintain the link for the purpose of disseminating that technology."


The court of appeals upheld that ruling, while admitting that the issue
presented a difficult First Amendment question.

What about the DMCA safe harbors? While no court has ruled on the issue,
AACS-LA will almost certainly argue that the DMCA safe harbors do not
protect online service providers who host or link to the key (the AACS-LA
takedown letters do not invoke the DMCA "notice-and-takedown" provisions,
nor do they include the required elements for such a takedown, thereby
signaling the AACS-LA position on this). The DMCA safe harbors apply to
liabilities arising from "infringement of copyright." Several courts have
suggested that trafficking in circumvention tools is not "copyright
infringement," but a separate violation of a "para-copyright" provision.

It's difficult to say how a court would rule on this question, but it does
create a specter of monetary liability for hosting providers, even if they
otherwise comply with the "notice-and-takedown" procedures required by the
DMCA safe harbors.

Is the key copyrightable? It doesn't matter. The AACS-LA takedown letter is
not claiming that the key is copyrightable, but rather that it is (or is a
component of) a circumvention technology. The DMCA does not require that a
circumvention technology be, itself, copyrightable to enjoy protection.

For more information about the continuing melt-down of AACS generally, as
well as details regarding the various keys and how they interact, be sure to
read the coverage on Doom9's forums, Freedom to Tinker, and Engadget, which
have been doing the best job reporting on developments.