US Copyright law faces constitutional challenge

Originally published by Spicy IP on August 5, 2016. You may read EFF’s lawsuit here.

Decoding DRM

If you own a Netflix account and travel a lot, you may have been denied access to some TV shows depending on the country you logged in from. While that restriction can perhaps be gotten around by using VPNs, there exist other technological measures that prevent you from fixing your own automobile to sharing/making copies of an e-book that you supposedly bought. Such technological protection measures are commonly known as Digital Rights Management (DRM). These go back twenty years, and it was in 1996 when the first DRM appeared in the form of geo-access restrictions on DVD play.

Soon thereafter, it became de rigeur for businesses dealing in IP to apply all kinds of DRMs to their products. It was largely an embarrassing and a pointless saga of implementing software embedded restrictions to stem piracy (remember the Sony BMG rootkit fiasco?), given how blatantly they were discovered and circumvented. And now since technology is beginning to dwell even in our shoes, DRMs have been slapped onto these as well. So if you discover a bug causing a miscalculation in your step count, you are not only prohibited under law from probing the code and fixing it yourself, but you also may get jailed for doing so. Imagine such how such prohibition impacts and limits our daily lives and the work of professional researchers.

Clearly, DRM is not just a mere trifle to be brushed aside via smarter code– its ramifications go much farther. DRMs come with the problem of masking vulnerabilities, compromised security of the device and user-privacy, and trampled consumer rights, fair use and free speech. Further, the poor design of DRMs makes them unable to distinguish between illegal use and fair-use. Progressive cutting down of users’ rights to store, reproduce, distribute media has become especially problematic for developing countries because of our greater dependence on free-er terms for sale, lending and donation. On the other hand, DRMs continue to become more ubiquitous(could be incorporated in the HTML 5 standard soon).

However, in an exciting development, the first major legal battle to kill DRM has begun!

Because finally in an unprecedented move, a constitutional challenge has been lodged in the US against DRM provisions, on the grounds that they restrict free speech and fair-use of copyright materials (the fair-use doctrine allows copyright law to co-exist with the first amendment). The complaint has been filed by EFF on behalf of Matthew Green (a security researcher) and Andrew “bunnie” Huang (a technologist)

The rejection that prompted a legal challenge..

Sections 1201-1205 of the Digital Millennium Copyright Act (DMCA) lay down provisions relating to circumvention of DRM. Uniquely, the DMCA vests power in the Librarian of Congress to periodically enact rules granting exemption from the anti-circumvention provisions to legitimate non-infringing use of works (known as DMCA Rulemaking). It was under this particular instance of rulemaking in 2015, wherein the Librarian failed to grant an exemption for “…speech using clips of motion pictures, for the shifting of lawfully-acquired media to different formats and devices, and for certain forms of security research.” The rejection triggered the challenge against ‘Rulemaking’, ‘anti-circumvention’ and ‘anti-trafficking’ provisions of the DMCA, namely sections 1201(a), 1203, and 1204 . (This exemption was applied for by EFF, which has been seeking (and been granted) exemptions since 2003.)

In fact, universally, DRM provisions pose questions of free speech, consumer rights, privacy and copyright law. In the following section I will examine and compare the US and Indian copyright regime on DRM protection.

WCT and DMCA were used to push DRM protection into Indian Copyright Act

The Indian Copyright Act, 1957 provisions on DRM are based in sections 2(xa), 65A and 65B, which were introduced through the Copyright Amendment Act, 2012. The sections define ‘Rights Management Information’, provide for ‘Protection of technological measures’ and ‘Protection of Rights Management Information’, respectively. It must be noted that the WIPO Copyright Treaty (WCT) was the first instrument to conceive rules on DRM protection (Articles 11, 12). US was the first country to import WCT provisions into its copyright law via DMCA, which even went above the WCT standards. Soon, Hollywood-backed USTR wanted India to follow suit, and the provisions were queued up for an amendment to India’s copyright law. Please note that India is NOT a party to the WCT, and was under no obligation to enact laws on DRMs. Nevertheless, the Indian provisions with some changes and added limitations were loosely lifted from the equivalent WCT articles.

It is worth noting that the Indian DRM provisions have better safeguards than the DMCA provisions:

1) The Indian provisions (s. 65A+ 65B) do not make building and distribution of circumvention tools illegal. Only the act of circumvention attracts criminal liability. However, there is a duty on the person facilitating circumvention for another person to maintain a record of the same, including the purpose for which the facilitation occurred. The purpose should not be expressly prohibited under the Copyright Act, 1957.

Regardless, being criminally liable for circumventing DRM is a major threat to small businesses and developers. In one instance, when some Indian developers had built an open source software “PlayFair” to bypass Apple’s FairPlay DRM, they were threatened with legal action under the US’ DMCA. Despite the DMCA having no jurisdiction in India, the developers shut shop.

2) Clauses 65A(1) and 65A(2)(a) confine violation of technological protection measures to rights enumerated in the act, only. This means that the section does not restrict circumventions which attempt to get access to the underlying work.

While India has not seen major challenges to this provision, in 2013 the Delhi High Court injuncted persons from jailbreaking into Sony Playstations. Amlan analysed the order and questioned it in terms of the Court finding the act of ‘modifying the playstation without Sony’s consent’ illegal. Because, if you read section 65A (emphasis supplied is mine):

65A. Protection of Technological Measures

(1) Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine.

(2) Nothing in sub-section (1) shall prevent any person from:

(a) doing anything referred to therein for a purpose not expressly prohibited by this Act:

Provided that any person facilitating circumvention by another person of a technological measure for such a purpose shall maintain a complete record of such other person including his name, address and all relevant particulars necessary to identify him and the purpose for which he has been facilitated; or

(b) doing anything necessary to conduct encryption research using a lawfully obtained encrypted copy; or

(c) conducting any lawful investigation; or

(d) doing anything necessary for the purpose of testing the security of a computer system or a computer network with the authorisation of its owner; or

(e) operator; or [sic]

(f) doing anything necessary to circumvent technological measures intended for identification or surveillance of a user; or

(g) taking measures necessary in the interest of national security.

Clause (1) clearly states that the law is only applicable to such technological protection measures applied to protect any of the rights conferred by the copyright act. Which raises the questions of which rights are affected when OS of the playstation is modified, and how does the modification amount to copyright infringement? One may perhaps draw that the Court in this order placed the ‘consent’ of Sony above the law.

3) S. 65A(2) safeguards certain acts which also exist as exceptions granted in the Copyright Act. These enumerated acts may be performed without attracting liability: for instance, circumventions for purposes of encryption research, security testing, lawful investigation, evading surveillance by DRM are kosher. Note that s. 65A(2)(g) permits circumvention in the interest of national security.

(For a detailed exegesis of these provisions, please read this piece.)

A look at the draconian DMCA provisions

As I mentioned earlier, the DMCA provisions on DRMs are much stricter compared to the Indian copyright act. Both circumvention(s. 1201(a)(1)), and building and distribution of circumvention tools(s. 1201(a)(2)) are illegal and punishable. The DMCA also meticulously defines circumvention, in terms of “circumventing a technological measure” and “circumventing protection afforded by a technological measure.”

More alarmingly, these provisions envisage access controls as well as use controls. So a person decrypting a DVD to gain access to the work would be held liable for infringement (unlike in India where only the act of copying or modifying the work would trigger infringement). It is also worth noting that there is no clause stating that circumvention (and tools) of only those DRMs is illegal when the DRMs protect rights conferred under the DMCA.

While s. 1201(c) states that the section shall not affect “…rights, remedies, limitations or defenses to copyright infringement, including fair-use…” Further, there do exist exemptions to clauses(a)(1) and (2):

1. Exemption for nonprofit libraries, archives and educational institutions; and

2. Exemption for the purposes of law enforcement, intelligence and other government activities, reverse engineering (solely for the purposes of achieving interoperability), restricting internet access to minors, protecting personally identifiable information, security testing, encryption research, etc.

While the list seems to permit circumvention for a wide range of purposes and fair-use, the vague and narrow language has failed the implementation of these exemptions. EFF lists a bunch of these instances where the DRM provisions have been not necessarily used against pirates, but also scientists, consumers and legit competitors.

Further, the DMCA left it entirely to the US copyright agencies to carve exemptions for non-infringing uses of works on a triennial basis. This rulemaking procedure has received heavy criticism, and as a result of the 2015 rejection the Library of the Congress finds itself in a legal soup.

Finally, the EFF lawsuit also illustrates the violations of the plaintiffs rights to free speech and fair-use, as a direct result of the provisions and the Rulemaking process. Armed with a strong case, and as Cory Doctorow puts it, we may witness the eradication of DRM in our lifetime. And I will be following the developments closely and keep our readers updated.