Cryptome DVDs. Donate $25 for two DVDs of the Cryptome collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, cryptome.info, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.


30 December 1999


Date: Wed, 29 Dec 1999 20:06:32 -0800
From: Lucky Green <shamrock@cypherpunks.to>
Subject: DeCSS Court Hearing Report
To: "cypherpunks@Algebra. COM" <cypherpunks@Algebra.COM>
Cc: "Cryptography@C2. Net" <cryptography@c2.net>, John Gilmore <gnu@toad.com>

Today, I attended a fascinating hearing in State of California Superior Court (county of Santa Clara). The issue at bar was a request by the "DVD Copy Control Association, Inc." (DVDCCA) to issue a temporary restraining order (TRO) against various named and unnamed operators of websites and other individuals distributing copies of [De]CSS source code. DeCSS was originally published to allow for playback of DVD's on computers running the Linux operating system.

The lines appear drawn rather clearly: a "Copy Control Association" vs. the Open Source community. But the hearing left the audience, and I suspect the judge, with many open questions.

First, let's introduce the players (I didn't take many notes. Other may have more detailed information).

The DVDCCA's attorneys arrived at the courthouse after the Cypherpunks contingent and had to make their way through a rather impressive crowd (especially given that we had less than a day notice) to file their complaint. One of the attorneys carried several boxes with copies of the complaint. The complaint was sizable. Each copy stacked up almost 3 inches.

The plaintiff's attorneys were clearly surprised by the publicity their action had generated. All three attorneys were visibly nervous and apprehensive while waiting in the hallway for the courtroom to open. This is significant, because these folks are professionals. Unlike some random person who suddenly finds himself in court and might reasonably be nervous, these guys crush people for a living. Yet our presence gave them the jitters.

This is perhaps not /that/ surprising, given that only a single defendant of the 500 alleged defendants bothered to show up in court. Chances are the plaintiff assumed that none of the defendants would appear in court. Had that happened, the plaintiff's attorneys would have present their case, requested a TRO, and absent an opposing party the TRO would have been granted. A mere formality. In and out of the court room in 15 minutes.

However, what took place was far from a formality. Instead of the judge rubber-stamping the TRO, the plaintiffs found themselves faced with not only a defendant, but two attorneys for the defendant that in oral arguments framed the issue at bar in very different terms than the "evil hackers are conspiring to cause millions of dollars in damages to the movie industry by distributing software that allows for illegal copies to be created" put forward by the plaintiff. The defendant's attorneys turned a potential "open and shut" case into a First Amendment issue. Not at all what the plaintiffs had in mind. Big thanks go to the EFF for providing for a defense literally overnight.

Trying to sum up the arguments made during the hearing by both sides is somewhat challenging, which is probably at least in part due to the fact that the plaintiff's complaint has no merit. Nonetheless, I will try to provide an attempt at summary below.

The plaintiff concedes that reverse engineering CSS from an implementation is in principle lawful. However, they also claim that:

1. CSS was reverse engineered from Xing's DVD player.

2. Xing's player requires the user to click on a button accepting a license agreement prohibiting reverse engineering.

3. Reverse engineering could not have been performed without accepting this license agreement.

All taken together, the reverse engineering was supposedly performed in violation of the license agreement to which the person performing the reverse engineering allegedly agreed. It probably will not come as a surprise to many readers of this post that the plaintiff failed to provide even a shred of evidence for even a single one of these claims, much less all of them, as would be required by the legal theory advanced by the plaintiff.

Next, the plaintiff alleges that since the CSS trade secret was therefore obtained by illegal means (breach of contract) the trade secret is still afforded protection. Similarly to a trade secret that has been leaked by a person under NDA.

Furthermore, the plaintiff alleges that every single webmaster that presently mirrors CSS is aware of this supposed illegal origin of the CSS source. The plaintiff conceded that once a webmaster that is unaware of the supposed illegal origin of CSS mirrors the CSS source, the plaintiff's complaint based on trade secret (as found in the Universal Commercial Code) can no longer be made. The plaintiff then requested a TRO to prevent the spread of the CSS source before such a situation occurs.

The counsel for the defendant argued that source code is speech, that the theory that CSS was obtained illegally was questionable at best, and that issuing a TRO would chill the speech of not just the individuals presently mirroring CSS, but of webmasters in general.

The line of argument made by the plaintiff left the audience rather puzzled. First, basing the litigation on trade secret seems sub-optimal. Not that a different legal argument would be anywhere near compelling, but it appears that an argument based on copyright would have been a better approach. In addition, the plaintiff's choice of venue is simply abysmal. Of the many jurisdictions in which they could have filed a complaint, they chose the 9th Circuit, which as ruled that source code is speech.

However, the plaintiff's actions may make more sense when seen in the light of some comments made repeatedly by the plaintiff during the oral argument. The first comment was that the DVDCCA attorneys allege that since the sole purpose of the DVDCCA is to license CSS, a freely downloadable CSS implementation would put the DVDCCA out of business. I would be inclined to concede this point. It is not quite clear to me why this would be a matter of concern, since the DVDCCA is a non-profit organization. (Somebody needs to obtain their financial statements, which, due to their non-profit status must be public).

The second, and probably more significant, comment made repeatedly by both the plaintiff  and the attorneys for the Motion Picture Association in the affidavits accompanying the complaint, is that the studios would not have agreed to releasing movies on DVD if it hadn't been for the DVD consortium's assurance that DVD technology implements an effective copy protection scheme. It appears the DVD consortium is experiencing a lot of heat from the copyright holders over DeCSS and is in dire need of a scapegoat. Since the DVD consortium's own technical incompetence in fielding a copy protection scheme that is both subject to trivial reverse engineering and cryptanalysis is not considered a desirably admission to make to the studios, the blame needs to be shifted elsewhere. Blaming Does 1-500 appears to have been the fastest excuse the DVD consortium could come up with.

[Sidebar: I have just been informed that the judge denied the TRO. This is good news. But the work has just begun].

Even though the judge denied the TRO, our side needs to submit briefs to the Court by January 7th for the preliminary hearing to be held on the 14th. For this to happen we will need two things: technical expertise and money. Today, we caught the plaintiff's attorneys of guard. That won't happen again. According to an affidavit by Harvey Shapiro of Sarogy, Stein, Rosen & Shapiro for the MPAA and MPA, this firm alone has 9 attorneys working on DeCSS. And those aren't just some guys with a law degree. This law firm has been representing the MPAA for 50 years. They are the very embodiment of high-powered American corporate lawyers serving multi-billion dollar clients. I doubt such attorneys run less than $250/hour. If so, the MPAA's legal team alone costs almost $550k per month. The DVDCCA's attorneys are unlikely to be much cheaper. Neither law firm going to make the same mistake twice.

I don't envy the DVDCCA/MPAA for the situation they are facing. They must win this case. Otherwise, the almost mythical reputation of invincibility in the courtroom the MPAA has enjoyed for so long will be lost. And the sharks have been waiting for a long time, indeed. Yet, the plaintiffs have a serious problem: their complaint is without merit. This probably wouldn't be the first time they won a case without merit, but I sincerely doubt it will happen this time. At least it won't if we do what needs to be done.

I believe the it is crucial for us to do the following:

[Disclaimer: I am not an attorney licensed to practice law in the State of California. The preceding represents my personal opinion and should not be considered legal advice].

--Lucky Green <shamrock@cypherpunks.to>

"Among the many misdeeds of British rule in India, history will look upon the Act depriving a whole nation of arms as the blackest."

- Mohandas K. Gandhi, An Autobiography, pg 446

http://www.citizensofamerica.org/missing.ram


[Cyberia-L is a legal list.]

Date: Wed, 29 Dec 1999 11:59:58 -0800
From: "Bret A. Fausett" <baf@FAUSETT.COM>
Subject: Re: EFF's take on DVD situation
To: CYBERIA-L@LISTSERV.AOL.COM

The interesting thing about this lawsuit is that it is purely a trade secrets case. As EFF points out:

> The case itself is organized as a "theft of trade secrets" case; it doesn't
> use the Digital Millennium Copyright Act and doesn't appear to rely otherwise
> on copyright law. The root of the case is their allegation that the original
> reverse-engineering of the DVD CSS system was "improper" (paragraph 18),
> "unauthorized" (para. 20), "wrongfully appropriating proprietary trade
> secrets" (para. 21), "unauthorized use of proprietary CSS information, which
> was illegally "hacked" (para. 22). However, they provide no proof of these
> allegations, and they are unlikely to be true. If the original
> reverse-engineering was legal, which we believe is true, then the subsequent
> republication of the information is also legal, and the case is merely a tool
> to harass people exercising their legal rights.

Does anyone know the standard here? From the news reports I read when the DeCSS matter was first disclosed, the authors had no inside information about the CSS encoding scheme. Does that, in itself, insulate them from trade secrets liability?

        -- Bret


Date: Wed, 29 Dec 1999 12:08:17 -0800
From: Sean Donelan <sean@DONELAN.COM>
Subject: Re: EFF's take on DVD situation
To: CYBERIA-L@LISTSERV.AOL.COM

On Wed, 29 December 1999, "Bret A. Fausett" wrote:

> Does anyone know the standard here? From the news reports I read when the
> DeCSS matter was first disclosed, the authors had no inside information
> about the CSS encoding scheme. Does that, in itself, insulate them from
> trade secrets liability?

I believe the claim is the XING software had a click-wrap license which forbad reverse-engineering.  By reverse-engineering in violation of the license they were able to obtain the "trade secret" information stored in the software.


Date: Wed, 29 Dec 1999 15:20:40 -0500
From: Seth Finkelstein <sethf@MIT.EDU>
Subject: Re: EFF's take on DVD situation
To: CYBERIA-L@LISTSERV.AOL.COM

> Sean Donelan <sean@DONELAN.COM>
> I believe the claim is the XING software had a click-wrap license which
> forbad reverse-engineering.

Yes. From http://douglas.min.net/~drw/css-auth/legal-info/

47. On information and belief, this proprietary information was obtained by willfully "hacking" and/or improperly reverse engineering software created by CSS licensee Xing Technology Corporation ("Xing").  Xing's software is and was licensed to users under a license agreement which specifically prohibits reverse engineering.

Note the intent claims (as well as being great quotes:)

50. Information posted on Defendants' web sites establishes that they are fully aware that, in posting or "linking" to the DeCSS program, they are wrongfully appropriating proprietary trade secrets.  For example:
(a) Defendant McLaughlin explains to visitors of his site:  "Mark of the scofflaw!  Here's my local copy of the CSS decryption software, enjoy[;]"

(b)  Defendant Baugh acknowledges that "I may very well be sued."

(c)  Doe defendant 14 challenges:  "I have the money to go to court. Your call[;]"

(d) in response to the MPA and DVD CCA's anti-piracy efforts, including cease and desist letters, defendants Vogt, Blank, and Doe defendants 4, 9, 23 and 37 provide a "Note to the lawyers and other scum It was the DVD consortium that f***up, [;]"

(e) similarly, defendant Jones explains "Listen, lawyers, and those you represent:  This is none of your concern.  The horse has been let out[;]" mocking the "trained weasels you call lawyers[;]"

(f) Doe defendant 35 states:  "F[_ _ _] da feds! "[h]uh?  Aren't these files legal?  Oh, well, I didn't know that!"

----------------==-------------------------------------------------------

Seth Finkelstein  Consulting Web Programmer, afraid of the potential here

----------------==-------------------------------------------------------


Date: Thu, 30 Dec 1999 06:47:15 -0500
From: "Andrew C. Greenberg" <werdna@GATE.NET>
Subject: Re: EFF's take on DVD situation
To: CYBERIA-L@LISTSERV.AOL.COM

>Does anyone know the standard here? From the news reports I read when the
>DeCSS matter was first disclosed, the authors had no inside information
>about the CSS encoding scheme. Does that, in itself, insulate them from
>trade secrets liability?

That would depend.  The use or disclosure of information obtained from a third party can constitute misappropriation under some circumstances.  The Uniform Trade Secrets Act (adopted in about 40 states) provides:

(1) "Improper means" includes theft, bribery, misrepresentation, breach or inducement [of a breach of a confidential relationship or other duty to maintain secrecy] of a breach of duty to maintain secrecy, or espionage through electronic or other means.

(2) "Misappropriation " means: (i) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or (ii) disclosure or use of a trade secret of another without express or implied consent by a person who (A) used improper means to acquire knowledge of the trade secret; or (B) at the time of disclosure or use knew or had reason to know that his knowledge of the trade secret was (I) derived from or through a person who has utilized improper means to acquire it; (II) acquired under circumstances giving rise to a duty to maintain its secrecy or limit its use; or (III) derived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use; or (C) before a material change of his position, knew or had reason to know that it was a trade secret ad that knowledge of it had been acquired by accident or mistake.

I don't know if there is much judicial gloss on the phrase "from or through," or "accident or mistake."


To: cypherpunks@toad.com, gnu@toad.com
Subject: Re: DVD legal maneuvers (decss and the lawyers)
Date: Thu, 30 Dec 1999 02:02:24 -0800
From: John Gilmore <gnu@toad.com>

An anonymized person posted:

> The EFF avoids mentioning plaintiff's strongest argument ...
> The reverse engineering of the Xing software was illegal under the
> software license which its users agreed to.

There is no evidence that the unknown person(s) who are alleged to have reverse-engineered the Xing software agreed to such a license. (We don't know exactly who was on the teams who did the rev-eng, nor know for certain that they used Xing software; all such "evidence" that I've examined, including what the DVD CCA lawyers submitted, was hearsay, stated without personal knowledge of the facts.)

It is certainly possible to buy software in a box, read the CDROM yourself, and extract the software for disassembly and reverse-engineering, without ever running the "easy-installer" that refuses to proceed unless you click "AGREE" to ten pages of legalese you've never read.  Such software is not subject to the license agreement (you never agreed to it); it is only subject to copyright law.

If the box included a shrink-wrap license, these are not valid in most jurisdictions, because the user gets no credible chance to agree or disagree with it before being committed to its provisions.  A deemed "agreement" that was not made with free will is not an enforceable agreement.  (The UCITA, UCC-2B, and other proposed state law changes are attempts by the industry to alter this part of the law, so they can subject you to a license you've never seen, and you'll be deemed to have accepted it.)

All software industry lawyers know these licenses are hollow at the core.  The main reason for those long licenses and the check-boxes is to scare the uneducated and snare the unwary.  Many DVD-CSS web sites voluntarily took down their pages upon receipt of a lawyer-letter that had no legal force at all.  Intimidation often works, no matter what the actual legal rights of the parties involved are.

Even properly-agreed-to licenses that purport to use copyright laws to deny people rights that copyright laws do not control, have been ruled unenforceable by US courts -- see Sega v. Accolade in the 9th Circuit. In that case the court ruled that a license prohibition on reverse-engineering was unenforceable, because the copyright law underlying the license gives the seller no control over whether the buyer is permitted to reverse-engineer.  Copyright law controls only verbatim copying, not the extraction or reproduction of the ideas contained in the copyrighted work.  If a license for a copyrighted work could contain any provision, there would be no limit to the reach of copyright law, which is in actuality limited by the Constitution and by Congress.  This is why companies attempt to get you to "AGREE" to a license -- on the theory that rather than being terms and conditions for a license under copyright, it has magically become a voluntarily entered contract that's independent of copyright law and that might be able to include any sort of provisions.  I think the courts generally see through this subterfuge.

> However, now that they have been apprised of the facts, their proper
> course of action is clear.  The should remove the software and cease
> its distribution.
>
> This is undoubtedly what the judge will order.

He ordered the opposite.  Have any other undoubtable predictions, Ms. Anonymous?

John

PS:  I am not a lawyer, but I employ lawyers.  Why, some of my best friends are lawyers!


Date: Thu, 30 Dec 1999 12:43:56 -0500
From: "Stephen T. Middlebrook" <Stephen.Middlebrook@FMS.TREAS.GOV>
Subject: Re: DVD encryption
To: CYBERIA-L@LISTSERV.AOL.COM

I finally read the complaint.  In my opinion, it's really poorly written.  Some questions for those of you who are more learned on the law in this area.

(1)  Where's the assertion that the California court has jurisdiction over these defendants?  I seem to remember California's long arm statute being coextensive with the due process clause.  Even then, there's nothing in the complaint that asserts the defendants have sufficient contacts with California to support personal jurisidiction.

(2) Where's the assertion that the California court has jurisdiction over these causes of action?  There's some mumbo-jumbo about how the effect of the defendants' bad acts will be felt in California where the motion picture industry is centered.  But there's no assertion that any of the actions of piracy or reverse engineering or publication took place in California. I wonder if the Xing license has a forum provision??

(3) I'm confused about the various licenses that are alleged to have been abridged.  Paragraph 47 says that the DeCSS program was reverse engineered from the Xing software, in violation of the license between Xing and its users.  What does that have to do with the CSS licences discussed in Paragraphs 34-39?  Isn't all they need to assert is that the defendants don't have a valid license? Is the other stuff just to show that the DVD CCA has taken steps to protect their trade secret?

(4) The complaint seems to skirt the issue of the difference between source code and working object code.  I'm assuming that the source code on its face could misappropriate a trade secret.  But all the harms to the motion picture industry seem to flow from people pirating DVDs.  There's no assertion that the source has ever been compiled, that it works, that DVDs have been pirated using it, etc. etc.  There is something about the CSS providing for liquidated damages of $1M for a violation.  What's the source of their damages?

(5) By mentioning Defendant Johansen first (in paragraph 45) before any of the other defendants, the complaint suggests that he is the source of the program, not somebody in the United States.  The program "first appeared" in the United States on the same date on Pavolich's web site.  What does "first appeared" mean.  Did Pavolich post the source code or a link?  Who do they think wrote the damn program?  Come on guys, you have to tell a coherent story.

(6) The complaint alleges that the DeCSS program appropriates trade secrets. There is no assertion that a web page providing a copy of the program misappropriates trade secrets.  There is no asertion that a web page linking to another web page providing a copy of the program misappropriates trade secrets. No one is said to have been the author of the program.  At least one person is said to have published the source code.  The other people either published the code or provided a link -- who did what is never really clear.  Taken as a whole, is there actually an assertion that the defendants misppropriated trade secrets?

stm