February 11, 2001

Of the legal and ideological issues spawned by the Internet, the one that is
raising a lot of dust is the de-scrambling of DVD (Digital Video Disk) content.
This can be done with a utility called DeCSS (De Content Scrambling System),
which allows DVDs that have support for Windows and Mac systems to be played on
Linux systems. This utility breaks the encryption of DVDs, and allows you to
store the unencrypted content on your hard disk. You can then do anything you
want with it–play it, make copies and distribute them, etc.

This decryption of DVDs has resulted in the movie industry filing cases of
copyright infringement and stealing of trade secrets in the courts of New York
and California, even as DeCSS is available for download at various Internet
sites. While the industry alleges that the utility would lead to large-scale
piracy and claims theft of intellectual property, counter-allegations range from
the claim that the industry is trying to control the Internet to the charge that
it is depriving consumers of their right to use products they have legitimately
paid for. So, what does the utility do, and what’s the brouhaha about?

DVD is a medium of optical storage technology that can hold lots of data and
give superior audio and video. It’s most popularly used for distributing
movies for home viewing. Within three years of the introduction of this
technology, DVDs have become a rage in many countries, though they’re still to
find their feet in India. You can play DVDs using a DVD drive on your PC, a
specialized DVD player, or software-based DVD playback utilities, like WinDVD,
ATI DVD, and XingDVD.

Scramble with CSS…

A Content Protection System Architecture (CPSA) protects DVDs against content
copying and piracy. The CPSA comprises six forms of content protection, one of
which, called Content Scrambling System (CSS), is the eye of this storm. The CSS
is a data encryption and authentication system that was intended to prevent the
copying of files directly from the DVD. It’s a licensed system, and those who
want to develop DVD players or DVD-ROM drives have to apply for CSS licenses to
the DVD Copy Control Association (DVD CCA), the licensing authority.

The data on the DVD is encrypted and the decryption keys are stored on the
disk in an ‘obfuscated’ form, that is, they’re hidden in locations that
can’t be directly read by an ordinary DVD drive. To play back a DVD, the CSS
decryption algorithm exchanges keys with the drive unit. This generates an
encryption key that is used to obfuscate the next exchange of keys–called disk
keys and title keys. These are used to actually decrypt and play back the
contents of the DVD.

The DVD’s contents are decrypted using the title key, which is encrypted
with a disk key. The disk key in turn is encrypted with around 400 player keys.
All these encrypted disk keys are stored on the DVD itself, in obfuscated form.
At the same time, each CSS licensee is also given one of these player keys. So,
each player uses its key to decrypt and play back the DVD’s contents. The
advantage of using so many player keys is that if any licensee’s license is
revoked, or one of the keys is discovered by an unauthorized person, the
particular key can be removed from future disks.
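
The key hierarchy and revocation scheme described above can be modelled in a few lines. This is an added example, not code from the article or from any CSS implementation: it uses a SHA-256 keystream as a stand-in for the CSS cipher, three hypothetical licensees in place of the roughly 400 player keys, and a disk-key check value that is an assumption of this example.

```python
import hashlib
import os

KEY_LEN = 5  # 40-bit keys, the size the article gives for CSS


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stand-in cipher (SHA-256 keystream XOR); NOT the real CSS cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def master_disc(content: bytes, player_keys: dict, revoked=()) -> dict:
    """Build a disc: content <- title key <- disk key <- each non-revoked player key."""
    disk_key, title_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    return {
        # One encrypted copy of the disk key per licensed player key.
        "disk_key_block": {pid: xor_cipher(pk, disk_key)
                           for pid, pk in player_keys.items() if pid not in revoked},
        # Assumption of this example: lets a player confirm the recovered disk key.
        "disk_key_check": hashlib.sha256(disk_key).digest()[:KEY_LEN],
        "enc_title_key": xor_cipher(disk_key, title_key),
        "enc_content": xor_cipher(title_key, content),
    }


def play(disc: dict, player_id: str, player_key: bytes):
    """Return the decrypted content, or None if this player key has no valid slot."""
    slot = disc["disk_key_block"].get(player_id)
    if slot is None:
        return None  # key was left off this disc (revoked)
    disk_key = xor_cipher(player_key, slot)
    if hashlib.sha256(disk_key).digest()[:KEY_LEN] != disc["disk_key_check"]:
        return None  # wrong player key for this slot
    title_key = xor_cipher(disk_key, disc["enc_title_key"])
    return xor_cipher(title_key, disc["enc_content"])


# Constructed sample data: hypothetical licensees and key values.
PLAYER_KEYS = {"vendor_a": bytes.fromhex("0102030405"),
               "vendor_b": bytes.fromhex("1112131415"),
               "vendor_c": bytes.fromhex("2122232425")}
OLD_DISC = master_disc(b"feature film", PLAYER_KEYS)
NEW_DISC = master_disc(b"sequel", PLAYER_KEYS, revoked={"vendor_b"})
```

Revoking vendor_b only affects NEW_DISC: OLD_DISC still opens with the revoked key, so removing a key from future disks does nothing for discs already pressed.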

…And de-scramble with DeCSS

The CSS has some inherent weaknesses as an encryption system. First, it uses
40-bit encryption keys that provide a low level of security, and have been known
to be broken within hours by cryptography students. Second, all the keys
required to decrypt the data are stored on the disk itself and can be discovered
by anyone who knows how to do it. This is what some programmers did in 1999.

This group of programmers, which called itself Masters of Reverse Engineering
(MoRE), discovered that the player key in Xing DVD, a software DVD player, had
not been encrypted. Using this key, the programmers reverse engineered the
process and broke the CSS algorithm. They were able to guess a host of other
player keys too, so that even if the Xing key were removed from future disks,
the program had other keys to choose from. This program was called DeCSS, and
its source code was anonymously mailed to the Livid (LInux VIdeo) mailing list.
The code was analyzed further on the list, and cryptanalysts were able to find
more holes, so that the CSS encryption became breakable in under 30 seconds,
without even knowing any player key.

The two sides

The techs…

  • DeCSS was created to allow DVDs to be played on Linux systems. It was not meant for piracy

  • Commercial piracy, which was rampant even when the utility wasn’t around, doesn’t need to break the encryption of DVDs

  • Unencrypted DVD content is too large to fit on any portable medium without compromising on quality, and too cumbersome to distribute over the Net. If one were to use blank DVDs to copy the content and distribute it, the price would be much higher than that of a legitimate DVD

  • Reverse engineering is legal in Norway, and the Uniform Trade Secrets Act in the US also considered it a proper means to get at a trade secret

  • CSS is a weak encryption system, and it was a matter of time before someone broke it. The movie industry knew about this much before the encryption was actually broken

  • The right to fair use guaranteed by the US Constitution lets consumers make copies of products for private use. That’s what DeCSS does

  • The security architecture of DVDs, including region codes, doesn’t let consumers make full use of the DVD. DeCSS allows them to do this

  • The industry is trying to control the way the Internet is used, which is supposed to be a no-control system

…vs the law

  • CSS is a trade secret and proprietary information. The ‘click license’ agreement specifies this, and the people who broke the encryption knew or should have known this

  • DeCSS, being based on CSS, amounts to theft of intellectual property

  • DeCSS would lead to large-scale piracy and distribution of DVD-quality movies over the Net. It would allow movies to be sent to and from any part of the world, leading to heavy losses for the industry

  • It allows consumers to circumvent copy protection on a copyrighted digital work, and gain unauthorized access to it. This is against Section 1201 of the Digital Millennium Copyright Act (DMCA), 1998

  • Websites that traffic DeCSS or link to sites that carry DeCSS-related information are trafficking a technology that allows users to circumvent copy protection. This is also against Section 1201 of the DMCA

In October 1999, a Norwegian called Jon Johansen posted the DeCSS source code
on his Website. Websites over the world followed, and the code has since been
spreading like wildfire. This 60 kB Windows utility allows users to copy an
encrypted DVD file (with a VOB extension) and save it on the hard disk without
the encryption. The file can then play on any operating system; all you need is
a DVD-ROM drive and lots of disk space, because each DVD contains about four to
six VOB files, which amounts to 6–9 GB of data.

In the courtroom

As can be expected, the software posed a grave threat to the film industry,
even if only by breaking their security architecture and undermining their
control of the market. In December 1999, notices were sent to 66 Websites to
remove DeCSS and related information from their contents, and 25 of these
complied. In the same month, DVD CCA filed a lawsuit in California seeking a
temporary injunction to prevent Websites from posting and linking to DeCSS
information. The request was denied by a court two days later. In January 2000,
seven top US movie studios backed by the Motion Picture Association of America (MPAA)
filed lawsuits in Connecticut and New York to stop the distribution of DeCSS in
these states. The New York lawsuit won a preliminary injunction, and three days
after this, the California court also reversed its decision and granted a
preliminary injunction. Both injunctions applied to sites with DeCSS
information, and not to linking sites. The grounds for the injunction were that
the code and related information caused irreparable harm to the movie industry.
While the DVD CCA lawsuit was based on misappropriation of trade secrets, the
MPAA lawsuit was based on copyright circumvention.

The ensuing courtroom wrangles raised issues that went much beyond the
breaking of a technology’s encryption. While the movie industry argued that
the tool would lead to large-scale piracy and distribution of DVD-quality movies
over the Net, the defendants argued that this wasn’t feasible at all. A
decrypted movie was too large to fit on any removable media, like CD-ROMs or Jaz
drives. Even if it did fit on media like DAT, it would lead to loss of quality
and other problems. Also, blank DVDs were far more expensive than original movie
DVDs; so, even if they were used, nobody would buy them. Transferring so much
data over the Net, too, would be extremely tedious. Defendants also argued that
CSS was irrelevant to commercial piracy, and that piracy was a reality even when
DeCSS wasn’t around. Professional pirates, who had the necessary financial
resources and equipment, were already making bit-by-bit copies of DVDs–which
copied all the data along with the encryption–and releasing them in the

The DVD CCA claimed that the CSS was proprietary information and a trade
secret, and derived its economic value from being a secret. So, disclosing it to
the public would harm them. Also, the ‘click license’ agreement that the
user had to click on before installing any player software or hardware
prohibited reverse engineering, and that was something the defendants knew or
should have known. Defendants countered this by saying that reverse engineering
was legal in countries like Norway, and even in the US, the Uniform Trade
Secrets Act considered reverse engineering as proper means to discover a trade
secret. Defendants also claimed that the security provided by CSS was weak at
best and the movie industry knew about it much before it became evident to the
general public.

One of the hotly debated topics in the MPAA lawsuit was Section 1201 of the
Digital Millennium Copyright Act (DMCA) vs the right of fair use ensured to
citizens by the US Constitution. This also spawned raging debates on the
Internet on how the industry was trying to control the Internet, and how it
was trying to prevent consumers from using products that had been legitimately
paid for. Section 1201 itself also came under severe criticism.

Section 1201 of the DMCA contains provisions that prevent users gaining
unauthorized access to copyrighted works in digital format. They also prohibit
trafficking in technologies that are designed to circumvent access control or
copyright protection measures. The MPAA claimed that DeCSS circumvented the
movie industry’s copyright protection measures. Defendants claimed that since
DeCSS was meant for private viewing of DVDs on Linux systems, it was within the
purview of consumers’ right to fair use, and this right was supported by
Section 1201. The right to fair use lets consumers make copies for
non-infringing uses, such as backing up a CD-ROM on another, or recording your
favorite songs from various CDs to create another CD, or for open academic
discourse and research.

The defendants asserted that DeCSS didn’t circumvent a technological
measure, because once consumers had bought a DVD, they had the authority to
decrypt or de-scramble the contents. The industry had already benefited from the
purchase, and it shouldn’t matter to them whether the user played the contents
on a licensed or unlicensed player. According to them, if the consumer had
bought a DVD, he should have the right to view it as he wants, even if it
involved decrypting its contents to view them on an unlicensed player.

They also claimed that content protection of DVDs, as incorporated by the
movie industry, prevented consumers from making full, legal use of their DVDs,
even though they’d paid for it. One instance of this is the region code on
DVDs. For the purpose of DVD distribution, the world has been divided into eight
regions, and each DVD has a region code that allows it to be played only on
players in that region. So, for example, if you’ve bought a DVD in Japan, it
won’t play on a DVD player in the US. This is because the releases of movies
in theaters are planned for different times in different parts of the world. So,
a movie that’s on DVD in the US could still be in the theaters in Japan.
Having a region code helps the industry to maximize revenues from both sources.

Defendants argued that once a consumer has bought a DVD, he should be able to
play it in any part of the world. This is what DeCSS allowed him to do.
Similarly, it allowed consumers to skip commercials at the beginning of a DVD,
which wasn’t otherwise possible if the DVD maker so desired.

As things stand now, sites in the US can’t carry DeCSS-related information,
though they can link to sites that carry it. Many other countries too have laws
that make it illegal to traffic software that’s intended to circumvent copy
protection. However, DeCSS is far from dead. You’ll find the code in lots of
places on the Net; you can even buy T-shirts that have the DeCSS source code
written on them. And Linux users in all parts of the world can still view their
DVDs in peace.

Pragya Madan
