
Access to YouTube videos is only "authorized" through YouTube's site and official apps (or yada yada), and YouTube videos are copyrighted material. YouTube has technological measures to ensure that you only watch YouTube videos that way. If you circumvent those technology measures, that's prima facie a DMCA violation, no?

The definition of circumvention of a technology measure is extremely broad including "to avoid, bypass, remove, deactivate, or impair a technological measure".

I'm pretty much of the opinion that the DMCA is a piece of crap as a law, but it doesn't lack for breadth and generality in those definitions.




DMCA 1201 isn't just a crap law. It's completely unworkable, as has been known since before it was passed.

Suppose Bob is in the business of duplicating public domain US government works. He downloads videos from the NASA website, presses them onto DVDs and sells them on eBay. He can do this without anybody's permission because DVDs are from the mid-90s and the patents are expired. He uses the same DVD format as Hollywood so people can watch them on their existing DVD players, but he also makes a free DVD player app for Linux so people can watch his DVDs or rip them or do whatever they want because they're in the public domain. It can also do the same with any other DVDs, because it's the exact same format. Is Bob breaking the law?

Now suppose Bob is a jerk who is doing this with public domain works without providing anyone a way to exercise their right to copy them, or doing it to enforce contractually unlawful license terms or something like that. Is someone who makes a tool to thwart Bob breaking the law? If so the law could have (more) First Amendment problems, to say nothing of the obvious unreasonableness. But if not then it's a worthless law because anyone could use that as a justification to break anything. Which it is regardless because it has never been effective at suppressing the availability of circumvention tools, only at should-be-impermissible abuses like prohibiting interoperability to prop up existing monopolies.

It's also notable that NASA publishes many videos on YouTube. As in, only on YouTube.


DVD supports both encrypted and unencrypted video, so Bob is only breaking the law if he's releasing a decryption tool. The entire DeCSS case hinged on video decryption specifically, everything else was already implemented by other parties.

Now, if Bob decides to encrypt those DVDs, then you have an interesting legal area where half the law applies and the other half doesn't. DMCA 1201 only applies to things that protect copyrighted works[0], not just any kind of access control measure. And it comes in two parts: one that makes it illegal to break encryption, and another that makes it illegal to provide tools to break encryption. So if you put uncopyrightables behind DVD CSS's encryption algorithm, you can't sue someone for decrypting that particular DVD. But if you distribute a DVD decryption tool, then you're harming the protection of copyrighted DVDs, so you can't distribute a decryption tool even though some jackass might try to functionally recopyright public domain material with DVD CSS.

More interesting than the NASA case would be Kevin MacLeod. He releases Creative Commons music under a CC-BY license, and that license has a clause specifically prohibiting the distribution of Creative Commons material with DRM on it. A lot of YouTubers use his music, probably didn't know about this clause, and definitely didn't know that the music industry would rugpull everyone by claiming that dynamic download URLs are a DMCA 1201 technical protection. So if these music industry cases succeed, it also means that a lot of YouTubers are open to some copyleft trolling on Kevin's part. I doubt he'd actually do that, but it's still shitty that this is possible.

[0] See Chamberlain Group v. Skylink Technologies; https://en.wikipedia.org/wiki/Chamberlain_Group,_Inc._v._Sky...


> But if you distribute a DVD decryption tool, then you're harming the protection of copyrighted DVDs, so you can't distribute a decryption tool even though some jackass might try to functionally recopyright public domain material with DVD CSS.

I don't think you're appreciating how crazy that is.

Suppose someone implements a DRM system that works like this. They have a server that speaks ordinary HTTPS and has a standard HTML page that serves content to anyone, but their proprietary client will filter the page on the client side and only show content after a user signs in and buys a license. The content is encrypted with ordinary TLS. If you visit the page using a standard browser instead of the vendor's proprietary client, it doesn't know anything about the filtering system but does implement the "encryption" (i.e. TLS/HTTPS) so it will "bypass" the DRM. Are web browsers now illegal?

Suppose someone implements a DRM system that works like this. The content comes unencrypted on a hard drive inside a computer that asks for a login. The computer is screwed shut with pentalobe screws. Are pentalobe screwdrivers now illegal? What if they sealed the computer with Phillips screws?

Suppose I got saddled with a contract with someone saying I would encrypt their content, but I'm lazy so instead of designing a DRM system I just copy the on-disk format of Bitlocker and use a key of all zeros for everything. Anyone with a copy of Windows can decrypt all the content. Do I get to sue Microsoft?

Suppose a ransomware organization uses the same DRM system as a copyright holder. Illegal to provide anyone with tools to break the encryption?

It's absurd.


DMCA 1201 has a knowledge requirement, so in the first example, someone just viewing the website normally has no knowledge of the DRM and thus isn't circumventing anything. However, if they had known of the proprietary client beforehand and used a regular web browser to circumvent the DRM, then that would violate DMCA 1201's anti-circumvention provisions. However, keep in mind that anti-circumvention is the sane half of the law where all the actual exceptions for fair use and all that live. And also the half of the law that's significantly harder to enforce.

The second half of the law is the anti-trafficking provision. This is a lot stricter because it has no fair use exception. However, the actual requirement for violating this law is that the tool has to either...

- Be only capable of violating the DRM scheme

- Have limited commercial purpose other than violating the DRM scheme

- Be advertised as being capable of violating the DRM scheme

Just selling a pentalobe screwdriver is not enough to trip the anti-trafficking part of DMCA 1201. Either your DRM system has to have special screws that only that particular device uses[0], or you have to specifically sell it as a way to steal music. Pentalobe screwdrivers have all sorts of significant commercial uses other than just breaking this hypothetical DRM scheme.

For the same reason, you misusing Bitlocker does not make Microsoft liable for violating DMCA 1201, because Bitlocker has a very wide commercial purpose outside of circumvention. However, if someone says "hey the key is all zeroes", they are liable for trafficking in circumvention tools. Generally speaking, DRM needs to be narrowly tailored to avoid overlap with commonly-available and thus legal circumvention tools. If you abuse existing functionality to make DRM in a way that is trivially circumvented then you gain very little from anti-circumvention. For the same reason, those little right-click blockers people used to put on their website don't mean that Chrome DevTools is illegal[1].

Your ransomware-by-FairPlay example is actually legally interesting. I could see it going all the way to SCOTUS. If I were a cybercriminal, I would absolutely do this just to see people hold off on releasing unlock tools. That being said, I don't think a judge would actually find a security vendor liable here. There's a very basic principle in law that illegal activity is afforded no protection by the law[2]. So I can't sue a drug dealer because he spiked my heroin with fentanyl, or sue a game developer for using my unauthorized fanart of their characters without permission[3]. The criminals who released the ransomware cannot sue the security vendor, the DRM system vendor would have to be baited into doing so. Furthermore, "decrypting shit that was encrypted without my knowledge or permission" would be a perfectly valid commercial purpose. So as long as the security vendor does not say "this tool decrypts DRM" it's probably fine for them to release this.

[0] For various economic reasons in screw manufacturing, this is highly unlikely to ever exist.

[1] I'm pretty sure just mentioning this is committing one of my three felonies for the day.

[2] This does not mean that criminals have no protection under the law at all, of course. Someone who burgles your house and gets injured can still sue for damages, because it's illegal to set up traps to kill people.

[3] Under US law, if an artistic work is a derivative of another artistic work, the derivative is afforded copyright protection if and only if it is licensed. If it is unlicensed you own nothing.


> For various economic reasons in screw manufacturing, this is highly unlikely to ever exist.

Did pentalobe screws even exist before Apple started using them? They certainly didn't have a large installed base of manufacturing capacity.

> Either your DRM system has to have special screws that only that particular device uses

But isn't that the core of the issue? You have your special screws for your DRM system. Bob comes along and starts using them on his bicycles to try to force people to have them repaired at the dealer. Can Alice sell special screwdrivers? If not, what happened to "that only that particular device uses"? If so, anyone can distribute circumvention tools as soon as a third party uses the same DRM system for something else.

And do you see what I mean by First Amendment issues? We're having a policy discussion, the core of protected speech, and yet:

> I'm pretty sure just mentioning this is committing one of my three felonies for the day.

How do you have a discussion about the effectiveness of a censorship law if describing the facts of its application is illegal?

Suppose the security vendor of the ransomware decryptor wants to make customers aware of its potentially precarious legal status, and then has to explain why.


Sure, but I'm trying to grok the essence of the technological measure being used by YouTube.

I have to imagine that merely offering terms of service doesn't constitute a technological measure, and nor would merely slicing up the response in a DASH-like manner [0].

[0] https://en.wikipedia.org/wiki/Dynamic_Adaptive_Streaming_ove...


Well... here's the dumb thing. The DASH-like manner (or, "rolling cipher" as they like to call it) has currently held up as being an effective protection measure. It comes up all the time when RIAA in particular sues YouTube stream-rippers.

https://torrentfreak.com/deciphering-youtubes-rolling-cypher...


Very interesting. I feel like any type of digital storage or transmission format (PCM audio formats like CD Audio, packet switched networks like Internet Protocol, etc.) could also be described thusly, given that a typical human can't readily consume it. We use a tool that parses it using some algorithm, not a tool that avoids/breaks the algorithm. The error correction of a CD or the sequence number of a packet surely rolls way more rapidly than those DASH slices, too. Are those more common formats also considered effective access controls, since humans have severe difficulty interacting with them without the help of a tool?

Granted, I suppose the difference there is that the creators of those formats/protocols did publish the spec, whereas YouTube didn't. Or did they, though? The JavaScript that YouTube serves is the instruction for parsing the DASH response, available publicly, hardly different from publications like IEC 60908 ("Red Book" CD-DA spec) or an RFC 791 (IP spec) -- a different language, is all.

What a mess.


The difference is also intent.

YouTube implemented the rolling cypher to satisfy music industry demands that the files were not permanently downloadable (and it appears they were able to provide abundant evidence that Google has communicated that to them in court, I don't think this is a controversial point).

That wasn't the point of the red book spec.

Intent matters significantly, legally.


If the rolling cypher they implemented truly exceeds DASH in such a way as to exert control, then I think that would convey intent. If it's substantially DASH alone and DASH requires the equivalent of a rolling cypher just to work, that's rather meaningless; the intent of implementing DASH certainly would've had most to do with adaptive bitrate UX.

Based on some other comments, it sounds like they added something like this for music videos and the like, so it may hold up.

But I'm armchair judging at this point, and IANAJ.

Isn't a rolling code how RF locks (car fob, garage opener, etc.) operate? Those are actually good at keeping out third parties, though.


Off-topic: happy 10k, 1k!



