(more colloquially, “DVDs”) which had been scrambled using a rudimentary form of digital encryption known as the “Content Scramble System,” or “CSS.” DeCSS made it possible for users to decrypt (and thereafter to view or copy in unencrypted form) the content of a CSS-encrypted DVD even if the user had not paid a licensing fee to the DVD Copy Control Association (“DVDCCA”), an industry group, for an authorized decryption key.
Set-top DVD players produced by consumer electronics manufacturers included lawful, DVDCCA-licensed decryption keys. Jon Johansen, a Norwegian teenager, acting in concert with unidentified others, obtained such a licensed DVD player and “reverse engineered” it to discover the algorithm employed by the CSS encryption system. The practical necessity of designing DVD players to be able to play back encrypted DVD discs effectively ensured that such reverse engineering would be successful—that is, that it would be possible from studying the input (an encrypted DVD) and the output (the decrypted video content) to draw correct inferences about the decryption algorithm that was being employed. The result of Johansen’s work was the DeCSS program,
- See Reimerdes, 111 F. Supp. 2d at 308 (describing CSS). The weak form of encryption employed by CSS led some cryptographic experts to express skepticism as to “[w]hether CSS is a serious cryptographic cipher. . . .” Frank A. Stevenson, Cryptanalysis of Contents Scrambling System (Nov. 8, 1999), http://www.cs.cmu.edu/~dst/DeCSS/FrankStevenson/analysis.html.
- See Reimerdes, 111 F. Supp. 2d at 310-11 & n.60; see also DVD Copy Control Ass’n Inc. v. Bunner, 10 Cal. Rptr. 3d 185, 188 (Cal. Ct. App. 2004) (explaining content industry’s reliance on exclusive licensing scheme to limit dissemination of decryption keys).
- See Reimerdes, 111 F. Supp. 2d at 310.
- Id. at 311. The court’s reference to “a licensed DVD player,” id., presumably signifies either a hardware or software DVD player that Johansen and his collaborators had purchased. Although the district court remarked that “[n]either Mr. Johansen nor his collaborators obtained a license from the DVD CCA[,]” id., the significance of this finding is unclear; having lawfully purchased a licensed DVD player, the parties surely had no reason to think themselves obliged to purchase a second license to make use of their purchased player. Cf. infra notes 132-135 and accompanying text.
- Reimerdes, 111 F. Supp. 2d at 311. “Reverse engineering”—ascertaining the likely content of a computer program based on inferences from studying its inputs and outputs—has been commonly recognized not to present a copyright problem, even where some intermediate copying of copyrighted works occurs, particularly where the effect of the “reverse engineering” is to aid in the development of new platforms for the use of copyrighted content and thereby to foster competition. See, e.g., Sony Computer Entm’t, Inc. v. Connectix Corp., 203 F.3d 596, 602-08 (9th Cir. 2000) (finding reverse engineering of plaintiff’s copyrighted software code lawful under fair use doctrine notwithstanding possible losses to plaintiff due to competition with defendant’s unlicensed platform for its software); Sega Enters. Ltd. v. Accolade, Inc., 977 F.2d 1510, 1523-24 (9th Cir. 1992) (rejecting plaintiff’s claim that defendant’s reverse engineering infringed its copyright, and observing that “an attempt to monopolize the market by making it impossible for others to compete runs counter to the statutory purpose of promoting creative expression and cannot constitute a strong equitable basis for resisting the invocation of the fair use doctrine”); cf. Vault Corp. v. Quaid Software, Ltd., 847 F.2d 255, 270 (5th Cir. 1988) (finding state statute authorizing contractual prohibitions on reverse engineering preempted as incompatible with purposes of the Copyright Act). But cf. Atari Games Corp. v. Nintendo of Am. Inc., 975 F.2d 832, 844 (Fed. Cir. 1992) (noting limits on lawful reverse engineering); see also infra notes 129-131 (noting courts’ concern with interpreting the DMCA to avoid harm to competition).
- See, e.g., Cory Doctorow, Microsoft Research DRM Talk, June 17, 2004,
http://craphound.com/msftdrm.txt (“At the end of the day, all DRM systems share a common vulnerability: they provide their attackers with ciphertext, the cipher and the key. At this point, the secret isn’t a secret anymore.”). Princeton University computer scientist Edward Felten made the same point during the Bunner litigation over the trade secret status of CSS:
Decl. of Prof. Edward W. Felten in Supp. of Def.’s Mot. for Summ. J., part V ¶¶ 5-6 (Nov. 28, 2001), available at http://w2.eff.org/IP/Video/DVDCCA_case/20011128_felten_decl.html.
Because so many people have the skills and tools to reverse-engineer programs, [DVDCCA’s] decision to authorize the release of CSS in software form made it virtually inevitable that somebody, somewhere, would reverse engineer it. . . . Once CSS became public knowledge, its keys inevitably also would have become public knowledge. . . . It is common knowledge that use of a forty-bit key allows an easy brute-force search to determine the key, given a sample of encrypted material (e.g., a DVD movie disk).