The Challenge of Digital Rights Management Technologies
I am going to discuss the challenge of digital rights management (DRM) technologies for the public domain. First I will address the technologies themselves, some of the functions that they can be used to implement, and some of the implications of those functions. Then, I will address the Digital Millennium Copyright Act (DMCA), a law designed to provide DRM technologies with an extra layer of legal protection, and discuss the implications of that extra layer of legal protection.
I should preface my remarks by noting that I disagree with Justin Hughes about how bad the DMCA is.1 I come from a family of scientists and I like data, but sometimes if you wait for a lot of evidence, you have waited too long. One thing that we have seen quite clearly in this symposium is that the scientific enterprise is a very complex system that exhibits enormous path dependencies. That is in large part the message of the other speakers who have argued that making major changes in a complex system that one does not fully understand can be fraught with peril. This can be true even for what could be characterized as “tinkering” with the system if one does not understand all of the path dependencies. When I discuss DRM technologies, the DMCA, and their long-term implications for scientific research and the public domain, I will lay out some of what I think are the worst-case consequences. Not everything that I am about to describe is happening yet. Many of the technologies that I will mention are in experimental use somewhere, usually in markets for video games or digital music files rather than in markets for scientific databases. In my view, the best way to prevent the worst case consequences of DRM technologies and the DMCA is to make sure that everybody sees them coming.
DIGITAL RIGHTS MANAGEMENT TECHNOLOGIES
DRM technologies include, first, technologies that can be used to impose direct functionality restrictions on digital content. A simple example is encryption technology that restricts access to a database to those individuals or devices having the appropriate password or key, but DRM technologies also can impose more complex restrictions. For example, they can be designed to prevent users from taking particular actions with the data, or to regulate the manner in which they make take those actions. Thus, DRM technologies can prevent or limit the acts
See Chapter 12 of these Proceedings, “Legal Pressures in Intellectual Property Law,” by Justin Hughes.
of copying, extracting some of the data, or transferring some of the data to a different document or to a different device, such as another computer or a personal digital assistant.
Second, DRM technologies can be used to effectuate “click-wrap” contractual restrictions. It is possible to use a combination of direct functionality restrictions and click-wrap contract restrictions to produce a fairly broad range of regulation of the behavior of database users. Click-wrap restrictions might be used to implement a pay-per-use scheme that allows metered access, and possibly some copying, for a fractional fee. Alternatively, they might be used to impose narrower restrictions, such as a prohibition against disclosure of the data to the public, or against use of the data for a commercial purpose, or against use of the data to reverse engineer a computer program. One recent case brought by the New York State attorney general involved a click-wrap contract restriction prohibiting the publication of a critical review of a software package.2
Finally, DRM technologies can be designed to effectuate what I will call self-help, such as disabling access to the database or to some portion of the database if the system detects an attempt to engage in some sort of impermissible action, or detects unauthorized files residing on the user’s computer. For example, if a copyright holder can detect unauthorized MP3 files somewhere on an individual’s system, it might use that fact to disable access to a lawful subscription service. A lot of myth and legend surround the potential capabilities of self-help technologies, and I have not heard anything (yet) to suggest that these capabilities are being implemented in the scientific database realm, but certainly they are the subject of experimentation elsewhere in the market for DRM.
IMPLICATIONS OF DRM TECHNOLOGIES FOR SCIENTIFIC RESEARCH
What are some implications of these technologies for access to and use of public-domain information? First of all, direct functionality restrictions will have some obvious implications for access to and use of unprotected, uncopyrightable information. Authentication restrictions can inhibit initial access to the information, allowing access based on the user’s device or domain or on possession of a valid subscriber identification. In cases involving collaborative research, this can generate added transaction costs because researchers will have to make sure that everyone with whom they want to collaborate is coming from an authorized device, domain, or subscriber identification. If the DRM restrictions prevent excerpting or extraction of the data, this will hinder research efforts that require extraction and manipulation. If the DRM software or hardware is designed to require proprietary file formats for any data that are extracted, these restrictions may cause other kinds of problems. Papers intended for publication may be subject to limits imposed by the demands of the DRM system. Direct functionality restrictions also raise the risk of loss of access to data, either because a subscription has expired or because the system has invoked self-help functionality to disable itself. Loss of access in turn raises the possibility of damage to other files or programs that may reside on the researcher’s system.
Pay-per-use provisions and other click-wrap restrictions also have some important long-term implications for research. First, the pricing of some of these subscriptions can represent a significant cost. In addition, the use of click-wraps to restrict subsequent use and disclosure raises concerns about secrecy and freedom to publish.
It is worth separately highlighting some of the potential effects of DRM technologies on libraries. Libraries will have the headache of managing all of the authentication restrictions. They also will need to worry about loss of access to back issues of journals and databases when subscriptions expire. That is not how their print and microfiche collections have worked, and it is a fairly significant concern for obvious reasons. Libraries also need to be concerned about loss of control over the formats for archival storage, search, and retrieval of data. Search tools have to be able to interact with the file structure of the databases they are designed to search. If the file structures are proprietary for reasons related to the imposition of DRM, then a search engine capable of interacting with that proprietary wrapper may also be considered a proprietary tool. This in turn raises questions about who will be permitted to develop those tools, and what restrictions will be placed on their use. All of these issues are critical to libraries’ mission of facilitating access to information by their user communities.
THE DIGITAL MILLENNIUM COPYRIGHT ACT
One might respond to this “parade of horribles” by noting that nothing can be built that cannot be hacked. So far, that has been true, but Congress and the content industries have fought back. In 1998, Congress enacted the DMCA, which has four main types of provisions.
First, the DMCA has an anti-circumvention provision, which is relatively simple. It prohibits circumvention of a technological measure that effectively controls access to a protected work. Note what this provision does not say. It does not say: “Thou shalt not circumvent a technological measure that effectively protects the right of the copyright owner in a protected work, such as the right to copy the protected work.” Circumvention of such copy-control measures is not prohibited. The statute prohibits only circumvention of access-control measures. But consider the different ways that a DRM system can be designed to work. Access to a database may be provided via a click-wrap system that treats every act of opening up the database and using it as a separate act of access to the database. If so, then arguably the anti-circumvention provision applies to each instance of use, even by an authorized user. So too if the DRM measure requires the application of some sort of password or key every time one wants to use the database. One cannot circumvent that password for any reason, because it is a technological measure that effectively controls access to a protected work.
Second, the DMCA contains what I will call anti-device provisions. These provisions are somewhat more complex. They prohibit manufacturing, distributing, or trafficking in a technology that meets any one of three criteria: (1) it is primarily designed or produced for circumvention of a technological protection measure; (2) it has only limited commercially-significant purpose or use other than to circumvent; or (3) it has been knowingly marketed for use in circumvention. The anti-device provisions apply both to devices for circumventing access-control measures and to devices for circumventing DRM measures that effectively protect rights of the copyright owner, such as the right to copy. Think back to the wording of anti-circumvention provision. One is not allowed to circumvent to unlawfully gain access to a work. In theory at least, nothing prohibits circumvention to get around a technology that protects a right of the copyright owner. But where are users going to get the tools that would allow them to undertake lawful acts of circumvention? The anti-device provisions exist to ensure that such tools cannot be offered on the market.
Technically, the anti-device provisions protect only DRM measures that are applied to copyrighted works. Some types of databases may not be covered by copyright. But database providers still may apply DRM measures to these databases, and if they use DRM standards that are also widely used for copyrighted works, then the anti-device provisions probably will prevent the sale of circumvention technologies anyway.
Third, the DMCA includes some exceptions to the anti-circumvention and anti-device provisions. An exception for nonprofit libraries allows some circumvention of access control technologies, but only to decide whether or not to make an acquisition of a work, not subsequent to the acquisition decision. Libraries are not exempted from the anti-device prohibitions so they cannot develop circumvention tools in any case.
As one might predict, there is a reasonably broad exemption for law enforcement, intelligence agencies, and the like to circumvent DRM measures, and to develop circumvention tools.
Another exception allows circumvention and the development of circumvention tools for the purpose of reverse engineering computer software to create interoperable software, subject to some conditions: (1) the copy of the software must have been lawfully obtained; (2) the interoperability information must not previously have been readily available; (3) the circumvention and tools are for the sole purpose of reverse engineering; and (4) the information and tools can be shared with other people only for that purpose.
The DMCA also includes an exception for “good faith encryption research,” with some fairly stringent conditions on who can qualify. The research has to satisfy a criterion of necessity, and the researcher must have made a good-faith effort to obtain authorization from the copyright owner to undertake the circumvention. There are “manner” limits on the dissemination of information and circumvention tools that are similar to the ones that apply to the reverse engineering exception. The researcher can disseminate the information gained from the circumvention only in a manner that is calculated to further the research, and not in a manner likely to facilitate infringement. The “good faith encryption research” exception also includes some credentialing requirements for the researchers themselves. One thing that helps the court determine whether someone qualifies to claim the
exemption is whether that person is engaged in a legitimate course of training, study, or research in computer science and therefore (by necessary implication) not just some hacker somewhere. Finally, the information that is gained from the research must be shared with the copyright owner.
There is also an exception for computer security testing, which is subject to conditions similar to those that apply to the reverse engineering and good faith encryption research exceptions. The circumvention must satisfy a sole purpose criterion and there are manner limitations on subsequent dissemination of the information gained.
Finally, the DMCA contains some provisions identifying other rights that it supposedly does not affect. These include limitations or defenses to copyright infringement, such as fair use, rights of free speech or the press, and principles governing vicarious or contributory liability for the design of electronics, computing, or telecommunications equipment.
RECENT DMCA LITIGATION
What do all of these provisions actually mean, and what are their implications for the use of public-domain and scientific and technical (S&T) data and for collaborative research? Three recent high-profile cases shed some light on these questions.
The first case, Universal City Studios v. Reimerdes,3 is often referred to as the “DeCSS case.” A 15-year-old Norwegian, Jon Johansen, developed a technology called DeCSS, which circumvents the Content Scrambling System (CSS) that protects the movies encoded on DVDs. According to his later court testimony, he did this to create a Linux-based DVD player; i.e., an open-source DVD player. The initial decryption program, however, was a Windows-based program, because Johansen was working from a Windows-based DVD player. Johansen shared this program, DeCSS, fairly widely. One of the organizations that ended up with DeCSS was a hacker magazine based in New York City called 2600.com, which put the program on its Web site. 2600.com and its principals were promptly sued by members of the Motion Picture Association of America, and were permanently enjoined from posting the program. The court also enjoined the defendants from knowingly providing links to any other Web site that provided DeCSS. Both parts of that injunction were upheld on appeal.
The second case involved Professor Ed Felten, who took the “SDMI challenge.” The Strategic Digital Music Initiative (SDMI) was a project to develop a secure technology for protecting digital music files. The Recording Industry Association of America (RIAA) challenged researchers to try and crack the prototype SDMI technology. Professor Felten and his team at Princeton succeeded. Rather than submit their results confidentially to the technology provider and claim a cash prize, Felten decided to publish them and arranged to present the paper initially at a computer security conference. The RIAA notified the conference organizers and Princeton University’s legal counsel of the possibility of a lawsuit if the paper was presented. Felten withdrew the paper from that conference and publicized the circumstances, generating considerable uproar within the scientific community. The RIAA immediately issued a press release stating that it did not intend to sue. Felten filed a declaratory judgment suit against the RIAA and the technology provider, challenging the lawfulness of what he claimed was a threatened suit or possible prosecution for violation of the DMCA. He also arranged to present the paper at a different conference, and did so. Subsequently, the court granted the RIAA’s motion to dismiss the suit. It ruled that there was no credible threat of suit or prosecution after the other parties disclaimed intent to sue.4
The final case, United States v. Elcom,5 was the first criminal prosecution under the DMCA. It involved a Moscow-based software firm, Elcom, which developed a technology that disabled certain DRM features of Adobe’s eBook Reader software so that one could, for example, make a copy of an eBook to back it up or to transfer it to a different device. Elcom distributed its software via a Web site that was accessible in the United States. Shortly thereafter, one of its leading programmers, Dmitry Sklyarov, came to the United States to attend a software conference. Sklyarov was arrested at the airport, extradited to the Northern District of California, and
arraigned under the criminal provisions of the DMCA. He subsequently cut a deal securing his release in exchange for agreement to testify in the government’s prosecution of Elcom, his employer. The court denied defense motions to dismiss the case on constitutional grounds and also on the ground that the court lacked personal jurisdiction over Elcom for actions taken in Russia. Ultimately, however, the jury acquitted Elcom of all charges, finding that even if Elcom had violated U.S. law, it had not done so willfully.
What do these cases tell us? First, they tell us some things about the general scope of the DMCA’s prohibitions. In the DeCSS case, defendants argued that the CSS for DVDs could not possibly be the kind of technological measure protected by the statute because it was so easy to hack. Specifically, they noted that the statute refers only to “effective” technological measures, and argued that CSS was relatively ineffective. It probably will not surprise you that the court ruled this cannot possibly be what the DMCA means, because otherwise the statute would not protect very much. To be protected under the DMCA, an “effective” technological measure does not have to be hack-proof. This, though, means that given the broad language of the statute, virtually anything could qualify as the kind of technological measure that is protected by the DMCA. The statute protects any measure that requires the application of authorized information or an authorized process to gain access to the work, or that prevents or restricts the exercise of a right of the copyright owner. A simple password requirement that one could get around quite easily might qualify. The DMCA, therefore, potentially covers many kinds of DRM gateways.
Also under the heading of general scope, the cases establish that one can be liable for knowingly linking to another site that offers a circumvention tool. According to the Reimerdes court, the requirement of knowledge is intended to avoid First Amendment problems, and parallels the requirements for defamation liability. Here it is important to remember that knowledge can be established based on notice, and that the copyright industries are fairly diligent about sending out such notices. Even if the server hosting a circumvention tool is located outside the United States, then, a copyright owner can use notices to ensure the disruption of links that might lead U.S.-based users to the circumvention tool.
A final thing that we know about the general scope of the DMCA is prosecutors can rely on it to arrest people from other countries when they get off the plane in the United States, and that courts will uphold personal jurisdiction over those arrested. Elcom suggests, however, that the harshness of this rule may be mitigated in practice by the difficulty of establishing willfulness directed specifically toward U.S. law.
Second, the cases tell us some things about the relationship of the DMCA to the doctrines of fair use and contributory copyright infringement, both of which are designed to avoid overly broad infringement liability that might threaten other important public policies. The courts have concluded that there is no general fair use defense available under the DMCA. As already noted, the DMCA does have a provision stating that defenses to copyright infringement, including fair use, are not affected. The courts have reasoned, however, that a cause of action under the DMCA is not a cause of action for copyright infringement. Instead, it is a separate and distinct cause of action for circumventing DRM measures or for manufacturing or distributing a circumvention technology. Nowhere in the DMCA did Congress provide a fair-use defense to either of those causes of action. Therefore, the DMCA contains no open-ended safety valve, comparable to the fair-use doctrine, designed to avoid overly broad anti-circumvention liability.
Contributory copyright infringement is a doctrine that protects technology providers in certain circumstances. One can sue a technology provider for providing a technology that facilitates copyright infringement, but there will be no liability if the technology is capable of substantial non-infringing use. In the Sony Betamax case,6 the Supreme Court held that the VCR was capable of many substantial non-infringing uses; therefore, Sony could not be held liable simply because people could also use VCRs to engage in unlawful copying. In contrast, the courts have read the DMCA’s anti-device provisions to say that there is no “substantial non-infringing use” defense to a charge of manufacturing or distributing circumvention tools. Recall that the anti-device provisions cover technologies that are primarily designed for circumvention, that have only limited commercially significant use other than to circumvent, or that are knowingly marketed for circumvention. Those are very different standards than whether the technology has “substantial non-infringing” uses. Therefore, the court in the DeCSS case concluded that the
contributory infringement doctrine has been overruled by Congress in the circumvention context to the extent of any inconsistency with the new statute.
Third, the first wave of DMCA litigation highlights the narrowness of the reverse engineering and encryption research exceptions. The defendants in the DeCSS case argued that they could claim both of those exceptions. They noted that DeCSS was developed in the course of reverse engineering and for encryption research intended to produce a Linux-compatible DVD player. The court rejected this argument on the ground that the defendants, as third parties not involved in the reverse engineering process, lacked standing to invoke either exception. The clear import of the court’s ruling is that disseminating information to the general public to solicit participation in a process of reverse engineering or encryption research will not shield the recipients of that information.
Fourth, the courts have uniformly rejected constitutional challenges to the DMCA. In all three cases, the challengers argued that the statute was facially overbroad and therefore violated the First Amendment because it regulated far more speech (in the form of computer code) than was necessary to achieve the legitimate purpose of preventing infringement. In Reimerdes and Elcom, the courts reasoned that defendants lacked standing to argue overbreadth on the basis that others might use the disputed technologies to make fair uses of copyrighted works. Since defendants themselves had not done so, whether the statutory prohibitions might be unconstitutional as applied to somebody else was irrelevant. This issue remains unresolved, and it is difficult to predict how the courts might rule on it. The Felten case, however, suggests a way for courts to avoid doing so.
The only party who clearly was making a fair use, Felten, had to surmount the initial threshold of demonstrating that there was some reasonable likelihood of suit or prosecution based on his activities. As already noted, the court did not think that any chilling effect on Felten’s speech existed once the RIAA issued its press release stating that it would not sue. That seems inconsistent with some other First Amendment case law about chilling effects. For the present, however, it seems that in DMCA cases, courts will require more than a threat hastily retracted following bad publicity to demonstrate a chilling effect. To a very real extent, this ruling insulates the copyright industries from suit, and the DMCA from constitutional threat, by bona fide fair users.
The Reimerdes and Elcom courts also rejected arguments that under Article I of the Constitution, Congress lacked the power to enact the DMCA in the first place. Again, they reasoned that since defendants themselves did not seem to be making any fair uses of protected works, there was no need to consider whether there would be constitutional problems if the statute prevented others from making fair uses. The courts also opined that “horse and buggy” fair use would save the statute in any event. By this, I mean the kinds of fair uses that one can make without direct copying. For example, one can point a video camera at a DVD playing on one’s computer screen, or directly transcribe by hand the contents of a protected eBook. The courts opined that the fair-use privilege does not give users the right to make the best technological kind of fair use that they could possibly want to make.
Finally, the early DMCA cases shed some light on the ways that the DMCA is likely to be deployed in the future. Whatever the differences between these three cases, the bottom line is that all of these cases have involved the anti-device provisions. They have all involved people who were charged with or, in Felten’s case, threatened with charges for creating technologies that could be used by other people to circumvent access-control or copy-control measures. As I noted earlier, the main purpose of the statute seems to be making sure that actual or potential circumvention tools do not get created or disseminated. In holding that technology providers have no standing to invoke possible fair uses by others to support constitutional defenses, courts reinforce this message, and ensure that would-be fair users who are not technologically savvy are out of luck. Even though users technically retain circumvention privileges in cases involving copy controls (as opposed to access controls), they have to be able to develop the tools themselves.
IMPLICATIONS OF THE DRM/DMCA REGIME
If these first few DMCA cases hold up, what are the long-term implications of DRM plus the DMCA for research and innovation? I am going to talk briefly about four issues.
First, the new regime of DRM controls backed by law intensifies the impediments to information sharing and collaboration previously discussed. It is helpful to keep in mind that we are talking about two different kinds of information: (1) ordinary information, i.e., the content that is actually protected by the DRM technology, such as
weather or fisheries data; and (2) technical information with circumvention potential, such as cryptographic systems or computer security information. For the former, if DRM restrictions apply, circumvention is either prohibited (for access controls) or impossible as a practical matter for most people. For the latter, there is very limited standing to invoke the reverse engineering, encryption research, and security testing exceptions. It seems that they can be invoked only by the person who actually does the initial act of circumvention, and the scope of dissemination of that information is quite limited. Further, some technical investigations will require permission of or sole use by the rights holder.
Second, does Felten mean that there is nonetheless a zone of safety for academic computer science researchers? Some have argued that Felten was never really in any danger of being sued, and therefore that other academic researchers are in no danger. I certainly agree with Justin Hughes’ comment that the RIAA’s initial threat to sue Felten was monumentally stupid. It is not completely clear to me, though, that no future threats remain. Academic researchers still must determine when an academic research paper containing technical information with circumvention potential is also a prohibited technology. If a research paper contains computer code, as many such papers do, I do not think that the language of the statute would clearly exempt it. For that reason, I think there is certainly a residual chill that applies to those researchers who want to put code in their papers. Some notable foreign computer scientists filed declarations in the Elcom case saying that they would no longer attend conferences in the United States because they were afraid of being arrested. Some of that was theater. Evaluation of threats, however, is partly subjective. If people say they are afraid, the fact that a well-trained copyright lawyer might conclude that their fears are boundless may in some cases be beside the point.
Third, it is worth noting separately that the DMCA is profoundly hostile to the open-source software community. Focusing on the language of the reverse engineering, encryption research, and computer security testing exceptions makes that crystal clear. The way that collaboration works within open-source communities is that researchers put information they have learned on the Web or on discussion lists and invite anybody who is interested to help with the project at hand. Such widespread sharing of information does not seem to fall within the kind of behavior contemplated by the exceptions. The exceptions direct courts to consider whether the information is disseminated to others in a manner calculated to further research or, alternatively, in a manner calculated to further infringement. I think that it is going to be very hard to argue that sharing information about cryptography research or reverse engineering with the open-source community as a whole, which includes anybody who wants to join it, satisfies that condition. In addition, the encryption research exception includes a credentialing provision, which directs the court to consider whether the person claiming the exception is employed or engaged in a legitimate source of study in computer science. The computer science research community is far broader than that, and this wording seems clearly to privilege a certain kind of scientific elite over others who might want to tinker with and improve software and enhance understanding of programming techniques. I think we all understand that is not the way that scientific progress historically has worked in this country. Our scientific tradition includes many people who invented pretty cool stuff in their garages. The encryption research exception seems to contemplate a very different sort of regime.
Finally, it is important to consider the potential network effects of DRM systems and standards. Recall, once again, that the universe of scientific and technical innovation is a very complex system that exhibits a lot of path dependencies. One cannot just drop DRM technology into the world of computer software and networking and expect nothing else to happen. We need to consider the effects these standards are going to have, both as initially implemented in discrete areas of the system and as they start to migrate deeper into the network.
An initial class of network effects relates to the modification of other standards and technologies to increase their interoperability with DRM systems and increase the efficacy of the larger DRM/DMCA system. All consumer electronics equipment and blank media will have to be made interoperable with these technologies. Manufacturers who decline to comply with DRM standards may be shut out of content markets; manufacturers who design their equipment and media to override or ignore DRM standards may be vulnerable to charges that they have created circumvention tools. This has implications for researchers even if you think that the most egregious instantiations of DRM will apply only to such things as music files and video games. Quite possibly, the same blank media that researchers want to use to write their research papers will be encoded with DRM protection at the behest of copyright owners who simply want to make it more difficult to copy music. In other words, the standards
do not have to penetrate all the way into markets for S&T data in order to have an effect on the conduct of research and innovation.
What happens if DRM standards do gradually extend into S&T markets, or if they migrate even deeper into the various technical layers of computers and computing networks? Some people who are developing DRM systems have realized that they are relatively easy to circumvent if they are implemented in particular applications or peripheral devices, and that they would be harder to circumvent if embedded in computer operating systems and even harder to circumvent if one could wire them into hardware or embed them in the basic Internet protocol.
More widespread extension of DRM regimes will reshape the ways in which information storage, retrieval, and exchange are handled. Earlier, I raised the question of who will develop search tools that can interact with individual DRM systems. We now can extend this point to network searches more generally. If one needs a license to develop a search engine, what kinds of consequences will that have for the development of innovative search technologies? If archiving and storage become proprietary activities, will the risks of format obsolescence increase? Maybe we do not have enough data to answer these questions. It is certainly a change from the way the development of search tools has worked so far.
If DRM functionality continues to migrate deeper into the computing layer, we also may see decreased penetration of open-source systems simply because it is going to be difficult legally to create the kinds of interoperability that are necessary for open-source systems to attain greater market share. In the pre-DMCA world, if consumers wanted their DVD players or their word processing program to behave in a certain way, the open-source community could do that relatively easily. If members of that community wanted to make it happen, they would. But if the information about how to make these systems interoperate with other components of the computing platform is protected under the DMCA, achieving interoperability will be much more difficult.
It is usually easy to convince academics and researchers that the worst-case potential consequences of a phenomenon are worth studying more closely. Yet the worst-case consequences of DRM regimes and the protection given them under the DMCA are worth more than further study. The culture of scientific research is in some ways extraordinarily robust, but in other ways it is extraordinarily fragile. In particular, it is premised on a series of assumptions about the public domain, and about access to and use and sharing of information, that may soon warrant serious revision. In my view, waiting for these worst-case consequences to materialize would be a terrible mistake.