As the continued leaking of AACS keys demonstrates, protection measures that may appear, in a vacuum, to prevent unauthorized access to and copying of copyrighted works often don’t hold up terribly well in the wild. The fact that no one has yet succeeded in developing an unbreakable protection measure raises important questions for courts interpreting the DMCA and its various international counterparts.
Under the DMCA and its analogs, enacted pursuant to Article 11 of the WIPO Copyright Treaty, the prohibitions on circumvention and trafficking apply only to technological protection measures deemed “effective.” Before getting into the particulars of the statutory definitions of “effective,” it’s worth considering broadly the ways in which effectiveness can be gauged. A couple of general approaches to effectiveness seem worth considering.
First, we might ask whether a protection measure, in the absence of acts of circumvention, is designed in a way that limits access and copying. This metric of inherent effectiveness assumes an idealized environment in which pesky 15 year olds and academic researchers don’t throw a wrench into your lovingly-designed DRM scheme. Since effectiveness is measured only within this unchanging hypothetical environment, it is static. Once a protection measure is deemed effective under this test, that status isn’t up for reexamination, regardless of intervening changes in the real world.
This is a forgiving standard, but not an empty one. It isn’t – or at least shouldn’t – be enough that the designer of the protection measure intend or hope that it limit access or copying. Indeed, a rigorous application of this standard would likely render some widely deployed protection measures ineffective. The once-popular CD-based copy protection schemes, which limited use only on Windows machines with autorun enabled while allowing Mac users, home stereo users, and shift key pushers unrestricted access, are good candidates for failed efforts at effectiveness even measured statically.
But assuming a particular protection measure is effective in the static sense, there is a second question we could ask: given real world conditions, does that measure remain effective? 1 This dynamic assessment of effectiveness takes into account developments in circumvention technology that could undermine the real world utility of protection measures that at the time of initial deployment were otherwise effective. If circumvention tools become widely available, from this dynamic perspective, it no longer makes much sense to insist that a measure is effective.
A Finnish court recently decided that CSS, the long-cracked technological measure protecting DVDs, is not effective. There the court relied on a dynamic analysis rather than a static one. According to the court, since DeCSS has led to a proliferation of circumvention tools that enable the average computer user to avoid the constraints imposed by CSS, that measure is no longer reasonably termed effective.
This approach is very different from that adopted by U.S. courts with respect to the DMCA. Here courts, at best, analyze the effectiveness of DRM from the static perspective, often without taking a particularly hard look at the question. They certainly have not weighed previous acts of circumvention and the availability of circumvention tools, which are themselves prohibited under the DMCA, in determining the effectiveness of protection measures.
Of course, U.S. courts are not unilaterally opposed to the notion that prior infringements of intellectual property rights can lessen or even vitiate future claims. Repeated infringements of trademarks can lead to loss of protection. And as Bunner demonstrates, once a trade secret has been misappropriated on a sufficiently public scale, the owner no longer has effective rights. But with respect to the DMCA, widespread circumvention does not lessen one’s legal rights.
As Ed Felten points out in this thoughtful post, the difference between the U.S. approach and that adopted by the Finns is in large part the result of statutory definitions. Under the DMCA, a protection measure:
‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work
The EU copyright directive builds upon this definition but imposes what appears to be an important additional requirement:
Technological measures shall be deemed ‘effective’ where the use of a protected work or other subject-matter is controlled by the rightholders through application of an access control or protection process, such as encryption, scrambling or other transformation of the work or other subject-matter or a copy control mechanism, which achieves the protection objective.
I don’t read this definition as mandating the Finnish court’s determination that CSS is ineffective. But there is no doubt that this subtle but important definitional distinction provided that court with the discretion necessary to deny the effectiveness of CSS. Undoubtedly, in most instances, CSS still does achieve its protection objective, so had the court chosen to rule the other way, it would have been justified as a matter of the statutory text.
The more interesting question is one of motivation. What would drive a court to opt for the dynamic approach over the static one? Given the likely inability of any copyright holder to deploy a DRM system that stands up to the efforts of determined circumventers, the implications of a dynamic definition of effectiveness seem to be that any protection from circumvention will be temporary. And if the history of AACS is any example, very temporary.
So if you are opposed to the very notion of lending the coercive power of the law to DRM, adopting a dynamic definition of effectiveness might be a clever way of complying with the letter of the WIPO Copyright Treaty without interfering much with domestic circumvention. After all, if prior distribution of circumvention tools is sufficient to render a protection measure ineffective, those who circumvent or traffic outside of the U.S. could easily avoid liability in most instances. Whether, from a policy perspective, lax enforcement is preferable isn’t the topic of this post, but it seems likely that the Helsinki District Court has fairly strong opinions on that question.
- We could also account for the impact of likely future circumvention through a modified static analysis of a protection measure. Even absent any real world circumvention, we could posit a reasonably skilled and reasonably motivated would-be circumventer and decide whether the protection measure would withstand attack. This objective “weak cipher” test could add the benefit of consistent application over time, but would pose some serious line drawing problems for courts, who are not particularly well situated to determine the technical merits of a DRM scheme. [↩]
Post a Comment