Surveillance State

For copyright activists, Christmas comes but once every three years: a chance to ask Santa for a new exemption to the much-hated Digital Millennium Copyright Act's prohibitions against hacking, reverse engineering, and evasion of digital rights management (DRM) schemes protecting all kinds of digital works and electronic items.

Judging from the list of 19 exemptions requested this year, some in the cyberlaw community are thinking big. (Disclosure: One of the DMCA exemption requests was submitted on behalf of this blogger by Harvard University's Cyberlaw Clinic.)The requests include the right to legally jailbreak iPhones to use third-party software, university professors wishing to rip clips from DVDs for classroom use, YouTube users wishing to rip DVDs to make video mashups, a request to allow users to hack DRM protecting content from stores that have gone bankrupt or shut down, and a request to allow security researchers to reverse-engineer video games with security flaws that put end users at risk.

Electronic Frontier Foundation uber-lawyer Fred von Lohmann told Wired News earlier this week that the government "has repeatedly dismissed any consumer-oriented fair uses, such as making backup copies of DVDs or video games, as well as requests for exemptions to enable copying DVDs to laptops and portable devices." He also told them that the DMCA exemption process is "hopelessly broken."

That depressing outlook doesn't seem to have stopped Lohmann from co-authoring two significant requests (PDF) to the copyright office for exemptions squarely targeted at members of the public.

The highlights
The 19 requests are too lengthy to blog, and so only the most noteworthy (to this blogger) have been presented here. Those wishing to read through the others can find all of the submitted exemption requests at the Copyright Office's Web site.

First, the EFF has asked that consumers be allowed to jailbreak or hack smartphones to run lawfully obtained third-party software on the devices. Such an exemption, if granted, would be great news for the estimated 1 million users who have hacked their iPhone, and risked the wrath of Steve Jobs as his engineers played cat-and-mouse to stop the jailbreaking. Such an exemption would also be fantastic news for Mozilla, which is currently prohibited by Apple's terms of service from bringing the popular Firefox browser to iPhone.

In the EFF's second request, the group has asked the Copyright Office to permit end users to circumvent the DRM protecting DVDs, for the purpose of creating noncommercial videos that fall squarely within the protections of fair use. While such circumvention is already trivially easy to do with tools such as Handbreak, it is technically illegal to do so. For the millions of YouTube users who remix and mash up snippets of copyrighted works (including Sen. John McCain), such an exemption would mean digital freedom.

In complementary filings, representatives from Duke University (PDF), the University at California at Berkeley (PDF), Middle Tennessee State University (PDF) and the Library Copyright Alliance (PDF) asked for a similar exemption for DVD ripping, but solely for professors who wish to create compilations of digital film clips for classroom use. A more limited professor exemption was granted back in 2006, but only for those teaching film studies. Both groups would like to see that exemption expanded to professors and K-12 teachers from all fields.

The Cyberlaw Clinic at Harvard University, representing this blogger, has asked (PDF) the Copyright Office to allow end users to circumvent the DRM protecting music, video, software, and games in the event that a central authenticating server is shut down. This has happened several times in the past few years, including Microsoft's MSN Music Store, Google's Video store, Yahoo Music, and Wal-Mart. The team also asked that researchers be permitted to reverse engineer functioning DRM stores (such as Apple's iTunes) before any shuttering is announced, for good-faith documentation purposes.

Finally, Professor J. Alex Halderman has expanded his successful "Sony Rootkit" 2006 request, and has asked (PDF) that security researchers be allowed to circumvent the DRM in digital works, software or games that create or exploit security vulnerabilities on the computers of end users. While his request is broad, the main focus is on DRM schemes such as SafeDisc and SecuROM, which are widely used in the video game industry (such as in Electronic Arts' Spore).

Next steps
During the next few months, the Copyright Office will allow members of the public to submit comments on the exemptions requested during this cycle. Later, in March, two public hearings will be held, in Washington, D.C., and California. There will likely be appearances by several public-interest groups and law school clinics speaking in support for their exemptions requests, while representatives from the recording, motion picture, and software industries are likely to show up to fight against such efforts to weaken the DMCA. At the very least, the hearings promise to be quite a spectacle.

Update 2: MobiTV has backed down, and appears to have kissed and made up with HowardForums. See below.

Updated to include a statement from MobiTV (see below)

In a fantastic demonstration of the Streisand Effect, Silicon Valley startup MobiTV is currently engaged in an almost comedic yet futile effort to scrub a 31 character "secret" URL from the Internet.

MobiTV sells a streaming TV subscription service to mobile phone users. For $9.99 a month, Sprint, AT&T and Alltel customers can view low bandwidth streams of a number of TV channels right on their handsets. The licensed content is transmitted to the customer via a "secret" Internet address -- that is, anyone who knows the URL can view the company's mobile channels with or without a subscription.

In late February, a user on the popular HowardForums discussion site posted the ultra secret link on MobiTV's website, and included instructions for obtaining the individual URLs for each TV channel that the company provides its customers.

By following the extremely easy instructions, a user on a non-authorized mobile network (such as T-Mobile or Verizon), or even a home PC user, can watch Animal Planet or CSPAN without paying MobiTV's monthly subscription fee.

On March 4, lawyers from MobiTV sent a Digital Millennium Copyright Act (DMCA) takedown letter to Howard Chui, the owner of the popular mobile-phone web forum. MobiTV's lawyers claim that by posting the URL, the HowardForum users have violated the company's copyright, trademark and trade secret rights.

In an email posted on the forum, one of MobiTV lawyers writes that "these are not publicly available links. Nowhere on Mobitv.com are any of these available. It takes a hacker and debugging by your users to get this information."

In addition to threatening Mr. Chui with legal action, the lawyers also contacted Howard's hosting provider, and stated that they would contact ICANN - the organization in charge of Internet domain names in order to have howardforums.com suspended.

A Moot Point

So, before jumping into the analysis of the issues. Let us clarify the situation.

Customers who pay MobiTV a monthly fee get to install a piece of sotware on their phone, which merely visits a "secret" URL on mobitv.com to stream the TV content.

The only security mechanism the company has put in place is its weak attempt to keep the URL secret - this is the dictionary definition of security through obscurity.

At the very least, the company could have created individual urls for each of the major licensed wireless carriers, and then only permitted customers to access those urls from the IP addresses owned by Sprint and AT&T. It didn't do this.

Instead, the company has decided to sic its lawyers on an extremely active and vocal Internet community. Furthermore, HowardForums is the largest collection of early adopters and phone geeks in the US. These should be MobiTV's target market, not their enemy.

While the issue of deep linking is certainly a legal grey area, the moment the company sends a DMCA takedown, it becomes a moot point, due to the Streisand effect.

Just as the efforts to wipe DVD and HD-DVD decryption codes from the Internet flopped, and the absurd effort to take the entire Wikileaks website offline resulted in far more publicity for the confidentiality seeking Swiss Bank that filed the lawsuit -- this effort by MoviTV is similarly doomed to failure.

Lawyers do a horrible job at PR, and they do an even worse job when it comes to dealing with Internet mobs. DMCA takedowns only invite the attention of Digg and Slashdot.

When will these companies learn?

As of press time, a message left with MobiTV's legal counsel had not been returned.

Update: MobiTV has issued the following comment to describe its actions:

"MobiTV takes the issue of security very seriously and we're actively implementing additional security measures to address this unauthorized access as well as the isolated issue of certain content feeds posted on Howardforums.com and on other websites. It is our responsibility to ensure that our service and the programming entrusted to us by our content providers is protected at all times."

"MobiTV took standard legal steps to request that the information which facilitates the unauthorized access to our paid, subscription service be removed, but our intent was only to remove the specific information and NOT to interrupt or shutdown the valuable service the entire site provides to mobile users around the world."

Update 2: Howard posted a message to his site, and said that the President of MobiTV had spoken to him on the phone and sorted everything out. It looks like they've realized the PR damage of releasing their legal hounds on the HowardForums community.

Slate, a popular news site, seems to be openly violating the Digital Millennium Copyright Act.

That law, much hated in cyberrights and computer security circles, is a thorn in the side to many researchers. The interesting question that we must ask is: Will Hollywood let Slate's probable violation slide, or will they lawyer up and go after the site owned by The Washington Post Co.?

A few days ago, Slate released a video mashup of footage of Hillary Clinton and a few scenes from the movie Election, starring Reese Witherspoon. The video is mildly amusing, and did at least remind me that Election is a funny film that I should probably watch again soon.

Cynthia Brumfield over at IP Democracy discusses the video mashup and briefly explores the issue of fair use:

"It quite literally fits [NBC Universal lawyer Rick Cotton's] idea of what wouldn't be considered fair use under a redefinition. [Columbia Law Professor Tim Wu's ] definition, however, would permit this video under fair use because nothing about it is a substitute for the original 'Election' film. It also, I would argue, enhances the film's value for those who have not seen it."

While I think she brings up an interesting point, I'm fairly certain the issue of fair use, at least in this case, is going to be cut and dry: Slate is in the wrong, and is being pretty blatant in its open infringement of copyright.

The few clips of Election in the Slate video are very high quality. The video is crisp, the sound is clear. As a result, I'd be willing to bet a few bottles of La Fin Du Monde that Slate got the video clips from a DVD. It's almost certainly not from a video cassette tape, and I highly doubt that the Slate team made a digital copy from cable TV.

DVD ripping software is widely available. Personally, I'm a big fan of Handbrake, but there are many other free software solutions out there. These software packages allow people to make a local video copy of a DVD movie. This is not as simple as it sounds, given that all Hollywood DVD discs are encrypted with a once-secret algorithm. The MPAA and others have vigorously gone after anyone who reverse engineered (or even published information on) the inner workings of the CSS algorithm used to encrypt DVDs.

Which brings me to my "favorite" law: the Digital Millennium Copyright Act (DMCA). This law, among its many horrible features, makes DVD copying a crime. DVD-ripping software is classed as a circumvention device, the use of which is a big no-no. Section 1201(a)(1)(A) of the U.S. code makes this pretty clear:

No person shall circumvent a technological measure that effectively controls access to a work protected under this title.

Ok, so we've now established that if Slate used DVD footage in its video mashup, then it is almost certainly violating the DMCA. What does that have to do with any possible fair-use defense to a copyright infringement claim? It turns out that to make a successful fair-use claim, you need to have a legitimate, licensed copy of the original work. As the courts wrote:

To invoke the fair use exception, an individual must possess an authorized copy of a literary work (Atari v. Nintendo 975 F.2d 832).

If Slate used DVD-ripping software, its unencrypted, DRM-free copy of the work (which they would have needed to cut and paste bits into their mashup) is in no way authorized. This means, unfortunately for Slate, that it would have no fair-use defense, and could thus face a copyright infringement lawsuit.

While I've spent the majority of this blog post describing potential illegal acts by Slate, the real criminal here is the U.S. Congress for passing the DMCA, and in one single act, putting hundreds of computer security and cyberrights activists at risk. As a Ph.D. student, the DMCA is a complete pain in my ass and makes my research extremely difficult. As a result, I routinely have to submit my projects to Indiana University's general counsel for a sign-off.

So why am I making this blog post? Most people have no idea that DVD ripping is illegal. Most artists, mashup creators, and video-bloggers are in the dark about the potential crimes they may be committing. Furthermore, the RIAA and MPAA have a long history in going after the little guy.

Slate (owned by The Washington Post Co.) has deep pockets. If the MPAA tries to make an issue out of this, it would create huge amounts of publicity, and perhaps lead to calls for an overhaul of the DMCA. (I can dream, right?) At the least, it would force the MPAA to burn through a few bucks.

Disclaimer: I am not a lawyer. This is neither legal advice nor real legal analysis. Don't make decisions based on my blog ramblings. However, this issue is essentially straight from the final exam in my copyright-law class from last year, so I'm fairly confident that I'm right.

Also, a tip o' the hat goes to Public Knowledge's Alex Curtis, whose offer of a T-shirt inspired this blog post.

Slate could not immediately be reached for comment.

With Steve Jobs' recent announcement of his intention to fight off the independent iPhone developers, the question that must be asked is how will Apple try to defeat the hackers: Frequent and disruptive software updates, or lawsuits? Will Apple risk losing its most frequently (ab)used legal tool, the Digital Millennium Copyright Act, to try to punish the developers of the iPhone unlocking tools?

The wait is over. After being teased over the past few weeks with rumors that Apple would turn a blind eye to iPhone hacking or *gasp* even encourage it, the news is in and it ain't good for the hackers.

At the official U.K. launch of the iPhone Tuesday, CEO Steve Jobs made it clear that Apple will fight attempts to use the popular device on unauthorized networks. "It's a cat-and-mouse game," said Jobs. "We try to stay ahead. People will try to break in, and it's our job to stop them breaking in."

anySIM iPhone unlocker

(Credit: iPhone Dev Team/Hackintosh)

For the loose-knit community of iPhone developers, the last few months have been an around-the-clock hacking session. As a result, programmers have released a plethora of applications. Some, including an instant-messaging tool, a general purpose application installer and even a Nintendo game emulator, can be seen simply as developers releasing applications that Apple just didn't get around to writing itself. Other hacks, such as the much hyped iPhone Dev Team's anySIM unlocking tool, or the numerous free-ringtone tutorials that have been floating around the Net, can be more accurately described as a developer-lead attack upon Apple's revenue streams.

Apple has sunk a significant amount of developer time and marketing dollars into creating a product so drool-worthy that fans spent days queuing outside stores around the nation. Because of the significant hype surrounding the device, and the millions of customers who would flock to whichever wireless carrier with whom Apple signed an exclusive distribution deal, Jobs and his negotiation team were able to extract highly favorable, if not downright obscene amounts of money from the wireless carriers. While AT&T agreed to give Apple up to $11 per month for new customers who came to the carrier due to an iPhone purchase, some media reports are suggesting that Jobs was able to extract 40 percent of the monthly subscription fees that U.K. network O2 is charging its customers.

O2 is charging customers between $70 and $110 for its different monthly iPhone plans. With an 18-month contract, Apple is looking at between $500 to $800 in revenue share per customer. While the approximately $250 that AT&T will give Apple for a new customer over the lifetime of a 2-year contract is rather paltry in comparison, it still provides enough of a financial incentive for Apple to do all that it possibly can to lock the devices down, and keep hackers from unlocking the platform. Furthermore, if keeping open-source tinkerers away from the guts of the iPhone can also protect Apple's new, but potentially hugely profitable venture into the mobile phone ringtone market (99 cents per ringtone for each song already purchased), even better for Mr. Jobs and his stockholders.

Now that Jobs has declared war on the iPhone hackers, the only question that remains is the approach that Apple will take: software updates that'll break the iPhone hacks, or lawsuits against the trouble-making developers. To answer this question, we to look to the law and, most importantly, the Digital Millennium Copyright Act.

The most powerful weapon in Apple's legal arsenal is the Digital Millennium Copyright Act (DMCA). This law, much hated by open-source developers and much loved by copyright holders and mega corporations, was passed by a unanimous vote in the U.S. Senate before being signed into law by President Bill Clinton in 1998.

DRM protest outside Apple store

(Credit: Quinn Norton)

The DMCA is fairly complicated, but there are two main parts that seriously threaten researchers, hackers and hobbyists. First, the law makes it a crime to circumvent the technological locks that control access to copyrighted works. Second, the law makes it a crime for anyone to "traffic" or share such circumvention tools. That is, it's a crime to break the encryption protecting a copyrighted work, and it's an additional crime to share the software that breaks the encryption with anyone else.

While the law was originally intended to protect music and movie owners who were scared of infringement in the Digital Age, it has been used to try to block the sale of third-party printer cartridges, universal garage door openers, and even Web sites that publish leaked copies of scanned fliers for post-Thanksgiving "black Friday" sales. A few years ago, a number of prepaid mobile phone companies started using the DMCA to go after people who were buying their subsidized phones, stripping off the software and re-selling them to others.

When it passed the DMCA, Congress empowered the Librarian of Congress to issue exemptions to the anti-circumvention provision of the law. This power is intended to protect the public from access-control technologies that substantially interfere with their right to make non-infringing uses of copyrighted works. Current exemptions include the right for users to hack restrictive e-book digital rights management technology to allow for inter-operation with screen-readers and other helpful technologies used by blind and disabled people.

In 2006, Stanford professor (and now EFF cyber-lawyer) Jennifer Granick petitioned the Librarian of Congress to permit mobile phone customers to hack their own phones. Citing a need to reduce environmental waste due to prematurely disposed locked phones, and the needs of business travelers to be able to communicate around the world without carrying a phone for each country, the Copyright Office agreed with Granick, and granted mobile phone customers an exemption to the anti-circumvention rule.

That should be the end of it, right? An exception to the anti-circumvention rule exists for mobile-phone inter-network interoperability, and thus Apple should have no DMCA-related leg to stand on. The problem lies in the fact that the DMCA has two nasty provisions: the anti-circumvention rule and the anti-trafficking rule. As crazy as it may sound, while it's perfectly legal for a blind programmer to reverse engineer Adobe's e-book technology, it's illegal for her to share it with another, perhaps less technically savvy blind friend. As far as the law is currently concerned, if you don't have the technical skills to reverse engineer, you're not permitted to free your e-books or your mobile phone.

Unless this legal snafu is some kind of incentive-via-necessity based plan to turn every blind American into a reverse-engineering uber-hacker, the law is clearly broken. It is most likely an unfortunate oversight on the part of the 100 senators who unanimously voted for the DMCA, perhaps without fully understanding how it would be used in the future. Thus, we now find ourselves in a situation where it is perfectly legal to hack your own iPhone, but most probably illegal to share software with others that will automate the process.

With the DMCA most likely on Apple's side, Steve Jobs and his band of merry lawyers should have already filed a number of lawsuits against the iPhone Dev Team for its anySIM unlocking tool. Given the noticeable absence of lawsuits, one has to ask: Why hasn't Apple sued?

Apple likes the DMCA, a lot. Were there some sort of DMCA frequent-flier mile scheme, Steve Jobs would have earned himself at least a few free flights to Tahiti. While Apple is on solid legal ground when it goes after programmers for reverse engineering the Mac OS to run on cheap Dell PCs, any sort of DMCA action against the iPhone Dev Team would be far more problematic. Despite the fact that the Librarian of Congress does not have the power to create exemptions to the anti-trafficking provision of the DMCA, Congress clearly did not intend to create this artificial barrier between those with programming skills and those without. Quite simply, the law is broken. If Apple begins filing DMCA iPhone lawsuits, it could soon find itself in the unpleasant position where the courts--or worse, Congress--end up re-evaluating the merit and legality of the DMCA.

My suspicion is that Apple will not want to risk losing the golden egg-laying DMCA goose, and thus, will stick to frequent software updates for the iPhone that break community written applications. Why sue when you can patch?