Somewhere inside a vast colonnaded marble courthouse in Manhattan, just down the street from City Hall and the Brooklyn Bridge, three federal appeals court judges are pondering the details of a case that promises to shape the future of life on the Internet.
The parties involved represent a broad swath of the American media establishment, from Time Warner and Disney to a revered underground hacking 'zine. Noted computer scientists, security experts, and open-source advocates have all become passionately involved and are waging a fierce campaign to see that their side prevails.
The plaintiffs, who constitute the majority of the movie industry in the United States say their very ability to do business hangs in the balance. Supporters of the defendants say no less is at stake than our First Amendment rights.
The two-year-old dispute (see our timeline) is, at its most basic level, about whether a Web site can link to a hacking tool. But the judges' decision will extend far beyond that, influencing the future of publishing on the Internet, online movie distribution, copyrights for digital works, the legality of linking (see sidebar, "Are Hyperlinks Dangerous?"), and whether computer code is covered by the First Amendment. Critics say it could cripple the open-source movement, ending the ability to build programs that compete with proprietary software.
"The very future of technology is at stake here," says Eric Corley, editor of hacker magazine 2600 and a main defendant in the case. "The outcome determines the direction we move in the years ahead, toward open-source innovation or proprietary restrictions everywhere we look."
"This is a case of theft," says Jack Valenti, president and CEO of the Motion Picture Association of America. "We are determined to defend the technology that protects artists' and intellectual property holders' rights. If you can't protect that which you own, then you don't own anything."
Cracking The DVD Code
The story begins in September 1999, when Jon Johansen, a 16-year-old Norwegian hacker, decided he wanted to be able to watch DVD movies on his computer. But that posed a problem because of an unusual scheme that regulates how DVDs are played.
A DVD movie is encrypted by a program called the Content Scramble System (CSS), which assures that only authorized players--those approved and licensed by a trade group called the Digital Video Disc Copy Control Association (DVD CCA), which represents the movie industry--can decode and play the contents.
While DVD players were available for Windows and Macintosh-based computers, there were none available for users of the Linux operating system.
So Johansen, working with two fellow Linux hackers he met on the Internet, decided to make an end run around the DVD manufacturers through the auspices of a group he and the other hackers called "MoRE," or "Masters of Reverse Engineering."
A German member of the group began reverse-engineering existing DVD-playing software, and in a stroke of luck, found that the XingDVD player for Windows (manufactured by Xing Technologies, a subsidiary of RealNetworks Inc.) had been sloppily constructed in such a way that the keys to the CSS lock were left exposed. From there, it was a simple matter to crack the encryption. Johansen then created a program called DeCSS that cracked an encrypted disk, allowing it to be viewed on unauthorized players. Then he distributed the hack on the Internet so that other Linux users could benefit from it as well.
The response from the Linux community was enthusiastic. The crack was posted on a number of Web sites and widely recognized as a neat hack. But the movie industry--led by the Motion Picture Association of America--dissented.
Cease, Desist, and Publish
In November, arguing that the program made it possible to make illegal copies of movies, the MPAA began sending cease-and-desist letters to the owners and operators of Web sites who had distributed the DeCSS code, ordering the sites to remove the program or face criminal prosecution.
The letters were seen as bullying by many members of the Linux community, and an uproar rose on the Web, criticizing the MPAA's tactics. But most recipients of the letter removed the program from their sites anyway, fearful of an expensive and painful lawsuit.
At this point, the fracas had become large enough to attract the attention of 2600, a quarterly magazine for hackers, founded in 1984 by independent journalist Emmanuel Goldstein, whose real name is Eric Corley.
"We came in when we saw lots of people being intimidated, when we saw it wasn't just the significance of the hack, but the reaction that some people were having and the way that people were being made to take down the source code and the executables from their Web sites," explains 2600 Webmaster Macki at the magazine's "Hackers On Planet Earth" conference in July of 2000.
On Nov. 12, 2600 posted an article on its Web site, discussing the cease-and-desist letters and the DeCSS hack.
"In the last few days there have been numerous reports of movie-industry lawyers shutting down sites offering information about DeCSS," read the article. "2600 feels that any such suppression of information is a very dangerous precedent. That is why we feel it's necessary to preserve this information."
As such, the editors included on the site a direct link to the DeCSS code and links to other sites that also had the software.
"It's called backing up the story with facts," explains Corley. "Imagine a story where the whole focus is on a picture, and then deciding not to run the picture. It would unnecessarily weaken the story. Every photo printed in a magazine or newspaper serves the same purpose as our link."
The cease-and-desist letters continued, and 2600 continued to post links to those sites that still housed the code.
On Dec. 27, the DVD CCA filed a complaint in the state of California, county of Santa Clara, seeking an injunction against distributing the DeCSS code, alleging that they had "misappropriated the CSS technology trade secrets." The complaint named 21 individuals, including Eric Corley, 72 Web sites, and 500 John Does, all of whom had posted the software online.
In the complaint, the DVD CCA alleged "that defendants have disclosed, and continue knowingly and willingly to disclose, proprietary information on their Internet Web sites as part of a scheme to defeat DVD encryption software which thus enables users to illegally pirate copies of DVD videos."
Examining The Issues
Essentially, the DVD CCA alleged that the Linux hackers were pirates. It contended that if they continued to distribute DeCSS, it would lead to widespread illegal copying of DVD movies, thus injuring the profitability of the movie industry.
The problem with that argument, though, is that the encryption only hinders playback. Anyone with the proper equipment can copy and reproduce DVDs without the benefit of DeCSS. Additionally, the process of copying DVDs, while simple from a technological standpoint, is unworkable for economic reasons; a video-capable DVD writer is expensive, and blank DVD media cost around $50 per disc, more than it would cost to buy the movie in a store.
"The fact is pirates just copy a DVD with the protections intact," says Harold Abelson, a computer-science professor at MIT who signed a friend of the court brief on behalf of 2600. "They don't need DeCSS."
"Decrypting doesn't make it any easier to copy," said Corley at the Hackers On Planet Earth conference. "It allows you to bypass things like the country restriction that forbids you from watching a DVD in a different country, it allows you to watch a DVD on a Linux machine... it allows you to skip over commercials... it's not about copying."
Abelson agrees that those access issues are what the DVD CCA is really trying to protect. "Copyright was never about controlling access," he says. "The movie industry's real motivation is control."
In a way, DeCSS does aid in piracy, helping make it possible to distribute DVDs online in digital form such as MPEG files. That's a point the movie industry has been quick to argue. MPAA lawyer Charles Sims, a partner at the law firm of Proskauer Rose LLP, says the instances of this sort of infringement is "quite substantial," and describes hackers as "the biggest threat to copyright today."
But again, critics say the technology and massive bandwidth needed to trade full-length movies online makes it prohibitive.
Furthermore, the Linux community has argued that even if they were using DeCSS for copying disks, that activity should be covered by the consumer right of Fair Use, as set down in the Berne Convention on Copyright.
"Anyone is allowed to make backup copies or copies onto another media of movies or music they bought, as long as those copies are only for private use," argues a statement at opendvd.org, a Web site set up by supporters of the Linux hackers. "This is useful if, for example, the kids scratch a DVD disk, or if you want to watch the DVD movie in the bedroom, where you only have VHS. You already bought the movie and should not have to buy it again. This is what fair use is about. The DVD industry is trying to take that consumer right away."
A Spin In Court
On Dec. 29, Superior Court Judge William J. Elfving denied the MPAA's motion for a preliminary injunction against the hackers.
Meanwhile, the hacker community was taking action of its own, distributing the DeCSS code worldwide and posting it on hundreds of Web sites. The Internet community responded to the pending legal threat with means previously unavailable to non-digital defendants, instantly copying and sending the contested files across the world, reaching so many jurisdictions that it would be impossible to censor it.
And the hackers were endlessly creative in how they distributed the file. Realizing that some media are harder to censor than others, people printed DeCSS on T-shirts, wrote songs with the code as the lyrics, turned the code into haiku, and even, rumor has it, had it tattooed on their bodies. Dr. David Touretzky, a computer-science professor at Carnegie Mellon University who testified on behalf of 2600, has collected many of these efforts into a "DeCSS gallery," which he presents on his Web site as a discourse on the expression content of code.
The next salvo was fired on Jan. 14, 2000, when the Motion Picture Association of America filed two lawsuits on its own, seeking preliminary injunctions to stop the distribution of the DeCSS code and seeking $2,500 in damages for "each act of circumvention."
The request, filed in Connecticut and the Southern District of New York, named four individuals as defendants, including Eric Corley. All four were operators of Web sites that had posted the DeCSS code.
The MPAA's suit (filed on behalf of Universal, Paramount, MGM, Tristar, Columbia, Time Warner, 20th Century Fox, Disney, and others) differed from the DVD CCA requests in that they were seeking action under the Digital Millennium Copyright Act (DMCA), a 1998 U.S. law that makes it illegal to distribute tools which can be used to circumvent copy protection.
"The DMCA affords protection to digital works," says Charles Sims. "The first line of protection is the technology, and the law backs that up."
But the defendants, now represented by the nonprofit Electronic Frontier Foundation, argued that DeCSS is in fact protected by the DMCA, under a clause that provides exceptions for software produced via reverse engineering. Furthermore, they argued, DeCSS is expression protected under the first amendment.
Round One: The MPAA Wins
In the first round, the MPAA won. On Jan. 20, Federal Judge Lewis Kaplan of the Southern District of New York granted a preliminary injunction to the MPAA and restrained 2600 from posting the DeCSS code.
In a 30-page opinion, Judge Kaplan criticized the defendants for offering what he called a "frivolous" argument, siding entirely with the prosecution.
"There arguably is no First Amendment objection to prohibiting the dissemination of means for circumventing technological methods for controlling access to copyrighted works," he wrote.
He also complained bitterly about the continued distribution of DeCSS: "Members of the hacker community... stepped up efforts to distribute DeCSS to the widest possible audience in an apparent attempt to preclude effective judicial relief."
The defense was alarmed by this decision, the repercussions of which could affect hundreds of thousands of computer programmers and users around the world, particularly those who use open-source operating systems such as Linux.
"If Judge Kaplan's reading of the DMCA holds, then it will become illegal to build open-source products that can interoperate and/or compete with proprietary ones for displaying copyrighted content," said John Gilmore, co-founder of Electronic Frontier Foundation, a nonprofit public-interest group that is representing 2600.
Meanwhile, the movie industry continued to act aggressively against those who created and distributed DeCSS. On Jan. 25, Jon Johansen was arrested at his home in Norway due to a complaint from the international arm of the MPAA. His father was arrested as well, because the Web site Jon used to post the program was registered in his name. The two had already removed the code from the site when they received a cease-and-desist letter from the MPAA.
On Jan. 26, the MPAA filed another request for injunction, this time seeking to outlaw even linking to pages that posted the DeCSS software. This time, Kaplan refused.
Then, on July 17, 2000, the trial began. The MPAA opened by setting forth its main argument: that DeCSS was a circumvention tool, and thus distributing it constitutes illegal "trafficking" under the DMCA. It posited that if the program was allowed to be distributed, it would mean rampant piracy, irrevocably harming its industry.
"This case relates to the protection of artistic works and to the health of the American motion picture industry," argued Leon Gold, an attorney for the plaintiffs. "While the computer and the Internet are extraordinary developments that have an impact on every person in the world every day, still the computer and the Internet are machines and systems with no moral sense and no ability to choose the ends to which they are put.
"Like the old machines and the old systems, these new technologies can be used to promote artistic expression, economic growth, and educational opportunities, or they can be used to steal and invade the rights guaranteed by our Constitution and our laws," he continued. "Congress has made some critically important policy decisions with respect to some of these matters. The Digital Millennium Copyright Act is one of those decisions."
The defense, in turn, made a number of arguments. They said DeCSS allowed individuals to decrypt DVDs for fair-use purposes, such as backup. They said the DeCSS should be exempt from the DMCA under provisions regarding encryption research. And they also argued that DeCSS should be protected as speech under the First Amendment.
"The issue that we are facing I think is a little more complicated than I think Mr. Gold makes it out to be," argued defense attorney Martin Garbus. "I think the issue is how do you balance the need for copyright protection?"
On Aug. 17, 2000, Judge Kaplan issued his decision. In a 93-page opinion, he sided with the studios, stating that DeCSS was a piracy tool, and ordering 2600 not to link to the code, or to other sites that had the code.
"There is little room for doubting that broad dissemination of DeCSS threatens ultimately to injure or destroy plaintiffs' ability to distribute their copyrighted products on DVDs, and, for that matter, undermine their ability to sell their products to the home video market in other forms," he wrote.
He also dismissed the argument that DeCSS should be protected under the First Amendment. "Computer code is not purely expressive any more than the assassination of a political figure is purely a political statement," he wrote.
In a statement, MPAA president Jack Valenti cheered the ruling. "Today's landmark decision nailed down an indispensable Constitutional and Congressional truth: It's wrong to help others steal creative works. The court's ruling is a victory for consumers and for legitimate technology."
"I think it was the correct decision," says Jim Burger, a lawyer specializing in computing issues with the firm of Dow, Lohnes & Albertson, who consulted on the creation of the DMCA, but is not involved in the case. "If you look at the purpose of the act, and you look at CSS, it seems to fit well under the act."
But computer scientists are worried about the ruling. "For people writing code, it puts tremendous restrictions on not only what kind of code you can write, but what you can talk about," says Dr. Abelson. "What you have now is a new category of prohibited speech, and that prohibited speech potentially encompasses academic research."
Round Two: Reading Judicial Tea Leaves
However, in a landmark case such as this, the conflict is rarely resolved in just one trial. On May 1, 2001, Stanford University law school dean Kathleen Sullivan appeared before the U.S. Court of Appeals for the Second Circuit to argue on behalf of 2600, seeking to overturn Kaplan's decision. Sullivan described the injunction placed on 2600 as analogous to banning blueprints of copy machines because they might lead to copyright infringements, and defended DeCSS as a tool with legitimate uses, covered under fair-use clauses of copyright law.
"The record is quite clear that there is no finding that anyone in the world has used DeCSS to infringe on copyrights," she told the court. "The key thing to remember here is that there are many lawful uses for it." Sullivan argued that by forbidding 2600 from publishing or linking to the code, the government is abridging the magazine's First Amendment rights. That point hinges on whether or not computer code is protected speech, an issue the judges will have to consider.
In turn, lawyers for the movie industry argued that DeCSS is primarily a tool for pirating movies and that 2600 should be forbidden from helping to distribute it.
"DeCSS is a digital crowbar created for the sole purpose of ripping open DVDs... for fair-use perhaps, but more likely for creating copies," said assistant U.S. attorney Daniel Alter, representing the justice department.
Following the hearing, civil-liberties groups expressed their disagreement with Hollywood's case. "The fundamental issue here is: Who is responsible for a criminal act?" says Electronic Frontier Foundation's Gilmore. "Is it the person who committed the act or the person who provided the tool?"
On May 8, the appeals panel issued a set of 11 questions to both sides of the case, asking for clarification on a number of the First Amendment questions. Some observers think the nature of these questions can help provide clues to what the panel is thinking.
"They're asking the right questions," says Andrew Appel, a professor of computer science at Princeton University who testified on behalf of 2600. "That they're asking those questions shows they're seriously considering the First Amendment issues."
MPAA attorney Charles Sims disagrees. "I don't think the questions are useful at all," he says. "They were more skeptical of the First Amendment issues."
Both sides of the case filed their answers to the panel's questions on May 30. The appeals panel is now considering them, along with the previous content of the case, and is expected to release its decision soon.
When, exactly, could it come? "It's up in the air," says Sims. "The earliest would be about a month from now. It could be several months."
Sims expects the verdict to be to his liking. He says if the court struck down the DMCA it would be "extraordinary," and the Supreme Court would probably reverse the decision.
Burger is hesitant to make predictions. "It's the famous judicial tea-leaf reading," he says. But he doesn't expect upheaval. "I think they'll generally affirm Kaplan," he says. "The question is how you deal with the linking... that could go either way." Burger agrees the case will probably head to the Supreme Court.
Meanwhile, the movie industry is continuing to fight against the distribution of DeCSS in other venues, with the DVD CCA's case in California and the MPAA's suit in Connecticut still pending.
In any case, Corley says he's ready to press on. "We put ourselves in the position where we challenge certain injustices," he explained at the HOPE conference. "We publish information, and we have to fight for that right."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.