DMCA anti-circumvention provisions concern tools that circumvent effective access controls.
I realize that broken encryption is considered an effective access control in this context despite it being broken, but apps like Newpipe aren't even breaking encryption, right?
What aspect of the YouTube servers' behavior can be construed as an effective access control? Is there even a rudimentary secret, that never gets served to clients typically but that apps like Newpipe figured out?
Unofficial cable TV descramblers are illegal despite simply reconstructing the missing sync signal, but that's because they facilitate theft of services that are normally paid. YouTube is free.
Access to YouTube videos is only "authorized" through YouTube's site and official apps (or yada yada), and YouTube videos are copyrighted material. YouTube has technological measures to ensure that you only watch YouTube videos that way. If you circumvent those technological measures, that's prima facie a DMCA violation, no?
The definition of circumvention of a technology measure is extremely broad including "to avoid, bypass, remove, deactivate, or impair a technological measure".
I'm pretty much of the opinion that the DMCA is a piece of crap as a law, but it doesn't lack for breadth and generality in those definitions.
DMCA 1201 isn't just a crap law. It's completely unworkable, as has been known since before it was passed.
Suppose Bob is in the business of duplicating public domain US government works. He downloads videos from the NASA website, presses them onto DVDs and sells them on eBay. He can do this without anybody's permission because DVDs are from the mid-90s and the patents are expired. He uses the same DVD format as Hollywood so people can watch them on their existing DVD players, but he also makes a free DVD player app for Linux so people can watch his DVDs or rip them or do whatever they want because they're in the public domain. It can also do the same with any other DVDs, because it's the exact same format. Is Bob breaking the law?
Now suppose Bob is a jerk who is doing this with public domain works without providing anyone a way to exercise their right to copy them, or doing it to enforce contractually unlawful license terms or something like that. Is someone who makes a tool to thwart Bob breaking the law? If so, the law could have (more) First Amendment problems, to say nothing of the obvious unreasonableness. But if not, then it's a worthless law, because anyone could use that as a justification to break anything. Which it is regardless, because it has never been effective at suppressing the availability of circumvention tools, only at should-be-impermissible abuses like prohibiting interoperability to prop up existing monopolies.
It's also notable that NASA publishes many videos on YouTube. As in, only on YouTube.
DVD supports both encrypted and unencrypted video, so Bob is only breaking the law if he's releasing a decryption tool. The entire DeCSS case hinged on video decryption specifically, everything else was already implemented by other parties.
Now, if Bob decides to encrypt those DVDs, then you have an interesting legal area where half the law applies and the other half doesn't. DMCA 1201 only applies to things that protect copyrighted works[0], not just any kind of access control measure. And it comes in two parts: one that makes it illegal to break encryption, and another that makes it illegal to provide tools to break encryption. So if you put uncopyrightables behind DVD CSS's encryption algorithm, you can't sue someone for decrypting that particular DVD. But if you distribute a DVD decryption tool, then you're harming the protection of copyrighted DVDs, so you can't distribute a decryption tool even though some jackass might try to functionally recopyright public domain material with DVD CSS.
More interesting than the NASA case would be Kevin MacLeod. He releases Creative Commons music under a CC-BY license, and that license has a clause specifically prohibiting the distribution of Creative Commons material with DRM on it. A lot of YouTubers use his music, probably didn't know about this clause, and definitely didn't know that the music industry would rugpull everyone by claiming that dynamic download URLs are a DMCA 1201 technical protection. So if these music industry cases succeed, it also means that a lot of YouTubers are open to some copyleft trolling on Kevin's part. I doubt he'd actually do that, but it's still shitty that this is possible.
> But if you distribute a DVD decryption tool, then you're harming the protection of copyrighted DVDs, so you can't distribute a decryption tool even though some jackass might try to functionally recopyright public domain material with DVD CSS.
I don't think you're appreciating how crazy that is.
Suppose someone implements a DRM system that works like this. They have a server that speaks ordinary HTTPS and has a standard HTML page that serves content to anyone, but their proprietary client will filter the page on the client side and only show content after a user signs in and buys a license. The content is encrypted with ordinary TLS. If you visit the page using a standard browser instead of the vendor's proprietary client, it doesn't know anything about the filtering system but does implement the "encryption" (i.e. TLS/HTTPS), so it will "bypass" the DRM. Are web browsers now illegal?
Suppose someone implements a DRM system that works like this. The content comes unencrypted on a hard drive inside a computer that asks for a login. The computer is screwed shut with pentalobe screws. Are pentalobe screwdrivers now illegal? What if they sealed the computer with phillips screws?
Suppose I got saddled with a contract with someone saying I would encrypt their content, but I'm lazy, so instead of designing a DRM system I just copy the on-disk format of BitLocker and use a key of all zeros for everything. Anyone with a copy of Windows can decrypt all the content. Do I get to sue Microsoft?
Suppose a ransomware organization uses the same DRM system as a copyright holder. Illegal to provide anyone with tools to break the encryption?
DMCA 1201 has a knowledge requirement, so in the first example, someone just viewing the website normally has no knowledge of the DRM and thus isn't circumventing anything. However, if they had known of the proprietary client beforehand and used a regular web browser to circumvent the DRM, then that would violate DMCA 1201's anti-circumvention provisions. However, keep in mind that anti-circumvention is the sane half of the law where all the actual exceptions for fair use and all that live. And also the half of the law that's significantly harder to enforce.
The second half of the law is the anti-trafficking provision. This is a lot stricter because it has no fair use exception. However, the actual requirement for violating this law is that the tool has to either...
- Be only capable of violating the DRM scheme
- Have limited commercial purpose other than violating the DRM scheme
- Be advertised as being capable of violating the DRM scheme
Just selling a pentalobe screwdriver is not enough to trip the anti-trafficking part of DMCA 1201. Either your DRM system has to have special screws that only that particular device uses[0], or you have to specifically sell it as a way to steal music. Pentalobe screwdrivers have all sorts of significant commercial uses other than just breaking this hypothetical DRM scheme.
For the same reason, you misusing BitLocker does not make Microsoft liable for violating DMCA 1201, because BitLocker has a very wide commercial purpose outside of circumvention. However, if someone says "hey, the key is all zeroes", they are liable for trafficking in circumvention tools. Generally speaking, DRM needs to be narrowly tailored to avoid overlap with commonly-available and thus legal circumvention tools. If you abuse existing functionality to make DRM in a way that is trivially circumvented, then you gain very little from anti-circumvention. For the same reason, those little right-click blockers people used to put on their websites don't mean that Chrome DevTools is illegal[1].
Your ransomware-by-FairPlay example is actually legally interesting. I could see it going all the way to SCOTUS. If I were a cybercriminal, I would absolutely do this just to see people hold off on releasing unlock tools. That being said, I don't think a judge would actually find a security vendor liable here. There's a very basic principle in law that illegal activity is afforded no protection by the law[2]. So I can't sue a drug dealer because he spiked my heroin with fentanyl, or sue a game developer for using my unauthorized fanart of their characters without permission[3]. The criminals who released the ransomware cannot sue the security vendor, the DRM system vendor would have to be baited into doing so. Furthermore, "decrypting shit that was encrypted without my knowledge or permission" would be a perfectly valid commercial purpose. So as long as the security vendor does not say "this tool decrypts DRM" it's probably fine for them to release this.
[0] For various economic reasons in screw manufacturing, this is highly unlikely to ever exist.
[1] I'm pretty sure just mentioning this is committing one of my three felonies for the day.
[2] This does not mean that criminals have no protection under the law at all, of course. Someone who burgles your house and gets injured can still sue for damages, because it's illegal to set up traps to kill people.
[3] Under US law, if an artistic work is a derivative of another artistic work, the derivative is afforded copyright protection if and only if it is licensed. If it is unlicensed you own nothing.
> For various economic reasons in screw manufacturing, this is highly unlikely to ever exist.
Did pentalobe screws even exist before Apple started using them? They certainly didn't have a large installed base of manufacturing capacity.
> Either your DRM system has to have special screws that only that particular device uses
But isn't that the core of the issue? You have your special screws for your DRM system. Bob comes along and starts using them on his bicycles to try to force people to have them repaired at the dealer. Can Alice sell special screw drivers? If not, what happened to "that only that particular device uses"? If so, anyone can distribute circumvention tools as soon as a third party uses the same DRM system for something else.
And do you see what I mean by First Amendment issues? We're having a policy discussion, the core of protected speech, and yet:
> I'm pretty sure just mentioning this is committing one of my three felonies for the day.
How do you have a discussion about the effectiveness of a censorship law if describing the facts of its application is illegal?
Suppose the security vendor of the ransomware decryptor wants to make customers aware of its potentially precarious legal status, and then has to explain why.
Sure, but I'm trying to grok the essence of the technological measure being used by YouTube.
I have to imagine that merely offering terms of service doesn't constitute a technological measure, and nor would merely slicing up the response in a DASH-like manner [0].
Well... here's the dumb thing. The DASH-like manner (or, "rolling cipher" as they like to call it) has currently held up as being an effective protection measure. It comes up all the time when RIAA in particular sues YouTube stream-rippers.
Very interesting. I feel like any type of digital storage or transmission format (PCM audio formats like CD Audio, packet switched networks like Internet Protocol, etc.) could also be described thusly, given that a typical human can't readily consume it. We use a tool that parses it using some algorithm, not a tool that avoids/breaks the algorithm. The error correction of a CD or the sequence number of a packet surely rolls way more rapidly than those DASH slices, too. Are those more common formats also considered effective access controls, since humans have severe difficulty interacting with them without the help of a tool?
Granted, I suppose the difference there is that the creators of those formats/protocols did publish the spec, whereas YouTube didn't. Or did they, though? The JavaScript that YouTube serves is the instruction for parsing the DASH response, available publicly, hardly different from publications like IEC 60908 ("Red Book" CD-DA spec) or RFC 791 (IP spec); a different language, is all.
YouTube implemented the rolling cypher to satisfy music industry demands that the files were not permanently downloadable (and it appears they were able to provide abundant evidence that Google has communicated that to them in court, I don't think this is a controversial point).
If the rolling cypher they implemented truly exceeds DASH in such a way as to exert control, then I think that would convey intent. If it's substantially DASH alone and DASH requires the equivalent of a rolling cypher just to work, that's rather meaningless; the intent of implementing DASH certainly would've had most to do with adaptive bitrate UX.
Based on some other comments, it sounds like they added something like this for music videos and the like, so it may hold up.
But I'm armchair judging at this point, and IANAJ.
Isn't a rolling code how RF locks (car fob, garage opener, etc.) operate? Those are actually good at keeping out third parties, though.
> I realize that broken encryption is considered an effective access control in this context despite it being broken, but apps like Newpipe aren't even breaking encryption, right?
Encryption isn't the only access control. "Access control" is a pretty loose term. I think of it as being similar to what (in the US) counts as "breaking" in a breaking-and-entering charge: you've "broken into" a place if you had to move anything in order to enter. Even a door that is partially ajar and you had to slightly move it to slip by.
I don't know in this particular piece of software. I'm just saying that an "effective access control" can be something very trivial. It doesn't have to be anything as sophisticated as encryption.
Just to speculate, it could be something like using the user's login credentials.
>What aspect of the YouTube servers' behavior can be construed as an effective access control? Is there even a rudimentary secret
My understanding is that YouTube does implement a trivial sort of DRM/encoding with a rolling cypher on the actual location of the video file. This is what tools like youtube-dl implement, and what gets them DMCA notices from the RIAA. It's supposedly very lightweight in terms of DRM, and notably I don't think Google has ever attempted to change it to break downloaders.
> YouTube does implement a trivial sort of DRM/encoding
Nope. YouTube breaks its streams up into a number of tiny pieces so it can adjust bandwidth dynamically extremely easily.
It's just the RIAA and friends looking for an excuse, so they've attempted (and likely will continue attempting) to make people believe that's "some form of DRM".
Since an effective access control would by definition not be subject to circumvention, there is no conceivable situation where someone might be guilty of circumventing an effective access control.
Well, the thing YouTube does (whether you call it an access control or not) does actually have a measurable "effect" on people. It makes those people seek out third-party tools when they don't perceive any other reasonable way of downloading the work. So by that logic, it's pretty effective.
Nothing is ever 100% effective -- even the best encryption is technically a compromise -- other than OTP. YouTube just happens to be on the low end of effectiveness; the third-party tools likely wouldn't exist if it were on the high end. But I guess even slight effectiveness is enough for DMCA purposes.
As I understand the 'cipher' is in how you find the next tiny piece of stream. I haven't grasped fully how that works for Youtube but it is certainly more than 'increment a counter'. I believe it is something like 'read a variable in the previous packet and decode it'.
If they wanted any semblance of an argument, decoding that variable should require a session key that is set on log-in or after a captcha. But I doubt they do that; it would be a horrible hassle to handle the session-dependent encoding.
Interesting. So instead of authorizing the fetching of pieces by way of authentication, they're just saying "you can have another piece if we've been talking since the very first piece". I guess that's a bit of a control, just not secret whatsoever.
I feel conditioned to equate the two, but they're distinct concepts I suppose. A CAPTCHA is an access control, and one that doesn't rely on secrets.
Doesn't it more boil down to "if the available bit rate is above ABC then grab the next piece $foo, else if the available bit rate is above DEF then grab the next piece $bar, else if the available bit rate ..." (etc)?
Not really sure where you're getting "authentication" from for this?
I'm saying they're controlling access via a control that is not authentication, and not secret, it's simply knowledge of the previous chunk.
I can see arguments on both sides as to whether such a thing is (or isn't) a form of access control. IMHO, it's so weak that it shouldn't even be considered a control. But if the DMCA (and legal precedent) says that there merely needs to be intent and some effect, then perhaps it is a form of control, if some aspect of the scheme was added specifically to thwart casual downloading and it had the effect of people seeking out third-party tools -- a form of access control that falls outside the usual mechanisms such as authentication and/or secrets.
A bit like a building with a lock that is totally pickable by the most amateur picker: it's no secret how to open it, so unauthorized people routinely let themselves in, but legally it's established that the intent of any lock is keeping unauthorized people out, and the presence of the lock does have the effect of keeping most people out, so therefore it's an effective control (to some reasonable extent) and therefore it's illegal to enter without authorization.
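The distinction drawn in the two comments above (a "next piece" locator you can derive from what the server already sent you, versus one that needs a session key handed out only after a login or captcha) is easy to make concrete. The following is a toy model written for this thread, not YouTube's real mechanism and not code from youtube-dl or NewPipe; the piece contents, the `rolling_locator` derivation rule, and the HMAC-per-session scheme are all constructed assumptions chosen only to contrast the two designs:

```python
"""Toy model, constructed for this discussion (not YouTube's real scheme):
two ways a server can gate fetching the next piece of a segmented stream.

Scheme A ("rolling"): the locator for piece i+1 is a function of piece i's
bytes. Every client necessarily holds piece i, so every client can derive it.
Scheme B ("session-keyed"): the locator is HMAC(session_key, i). The key is
issued at login and never appears in any served piece.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for a segmented media file (four pieces).
PIECES = [b"piece-%d" % i for i in range(4)]
START = "start"  # public locator of piece 0


def rolling_locator(prev_piece: bytes) -> str:
    """Scheme A derivation rule. Assumed public (think: shipped in the player JS)."""
    return hashlib.sha256(b"rolling:" + prev_piece).hexdigest()[:16]


class RollingServer:
    """Serves piece 0 at START and piece i only at rolling_locator(piece i-1)."""

    def __init__(self) -> None:
        self._table = {rolling_locator(PIECES[i - 1]): i for i in range(1, len(PIECES))}

    def fetch(self, locator: str):
        if locator == START:
            return PIECES[0]
        idx = self._table.get(locator)
        return None if idx is None else PIECES[idx]


class SessionServer:
    """Locators are HMAC-SHA256(session_key, index); the key is minted at login."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def login(self) -> tuple[str, bytes]:
        # Models the step after a log-in/captcha: a fresh secret per session.
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[sid] = key
        return sid, key

    @staticmethod
    def locator(key: bytes, idx: int) -> str:
        return hmac.new(key, b"%d" % idx, hashlib.sha256).hexdigest()[:16]

    def fetch(self, sid: str, idx: int, locator: str):
        key = self._keys.get(sid)
        if key is None or not 0 <= idx < len(PIECES):
            return None
        if not hmac.compare_digest(locator, self.locator(key, idx)):
            return None
        return PIECES[idx]


def outsider_walk_rolling(server: RollingServer) -> list:
    """Third-party client for scheme A: knows only START and the public rule.
    It recovers the whole stream because the 'control' is reproducible from
    served data alone; no secret was ever withheld from it."""
    pieces = [server.fetch(START)]
    while (nxt := server.fetch(rolling_locator(pieces[-1]))) is not None:
        pieces.append(nxt)
    return pieces


def official_walk_session(server: SessionServer, sid: str, key: bytes) -> list:
    """Scheme B as the official client does it: derive each locator from the key."""
    return [server.fetch(sid, i, server.locator(key, i)) for i in range(len(PIECES))]


def outsider_walk_session(server: SessionServer, sid: str) -> list:
    """Scheme B for a client that holds piece bytes and the scheme-A rule but no
    session key: every locator it can compute is rejected."""
    results, prev = [], PIECES[0]
    for i in range(len(PIECES)):
        results.append(server.fetch(sid, i, rolling_locator(prev)))
        prev = PIECES[i]
    return results
```

Run `outsider_walk_rolling(RollingServer())` and it returns all four pieces; against `SessionServer` the same outsider gets a list of `None` until it performs the login step itself, at which point it is simply another authenticated client. That is the whole of the commenters' point: scheme A "rolls", but whether it counts as withholding anything is exactly what is in dispute, while scheme B withholds a real secret and so looks like what security people usually mean by an access control.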
You keep using words like "controlling", "authorization" and "authentication" for something that doesn't even have those concepts included in its design. At all.
And from that incorrect addition of your words, you're trying to spring board to saying the DMCA applies.
I'd argue that even YouTube users who aren't paying for premium are paying too, just with their personal data instead of state currency. But it's still an exchange of value. Which IIRC, is the whole reason Newpipe exists, to circumvent that exchange of value.
It's not just data. Watching ads is paying, because it increases the viewers' cumulative likeliness to spend money with the brands whose ads they see.
The way money leaves your wallet is through probability, spread out in time and with the viral ability to spread to others. Compared to a fixed subscription or one-time payment, this is a lot harder to notice or control, but it's money leaving your wallet nonetheless.