Sunday, November 07, 2004

Universal City Studios, Inc. v. Corley

Sometimes life gives you these little detours... I thought I was going to write about Lexmark Int'l v. Static Control Components, but I was wrong. I'm actually going to write about Universal City Studios, Inc. v. Corley, which was a DeCSS case.


Eric Corley publishes a magazine called 2600 (also see, and in November 1999 he wrote an article about DeCSS. The article included DeCSS source code and links to other web sites where you could download the software. The US District Court in New York found that Corley was guilty of violating the anti-trafficking provision of the DMCA § 1201(a)(2). And in May 2001, the US Court of Appeals for the Second Circuit upheld the District Court decision.

What I think has happened...

I think the recent Skylink and Lexmark decisions have resulted in a legal framework that invalidates the earlier DMCA cases Universal City Studios, Inc. v. Corley, and Universal City Studios, Inc. v. Reimerdes. Both cases are DeCSS cases and involve "unauthorized access", "circumvention", and "trafficking". I just don't see how those rulings can be preserved in light of these newer cases.

DMCA cases in the last few years seem to be getting much more sophisticated in their analysis of the language of the Act itself. This has happened primarily because the courts have not wished to rule the DMCA unconstitutional, so they have been continually narrowed the scope of the statute in order to have a rational legal framework to work with... Remember, the only restraint on Congress' exercise of their constitutional authority with regards to copyright is that their actions must be "rational" (see Eldred v. Ashcroft).

With the recent Skylink and Lexmark rulings, I think we are at the point where there is no possibility of having a rational legal framework for interpreting the DMCA that also happens to match the original intent of Congress.

This kind of thing happens all the time in physics. You come up with a nice elegant theory, and as you begin poking around in the corners you find little inconsistencies. So you extend the theory, and now everyone is happy again...

Except that every new inconsistency results in a new extension of the original theory until you reach a point where the extensions outweigh the theory. Now the tail is wagging the dog, and your nice little elegant theory is big, complicated, and unwieldy. It isn't pretty anymore... and it's time to toss it all in the trash bin and re-write it from first principles.

On the Horns of a Dilemma:

Unfortunately, according to the folks at EFF, there is currently no legal procedure for challenging the Corley ruling. And it would also be necessary to overcome the fact that the MPAA did successfully argue that CSS qualified as an access control under the DMCA.

But that doesn't mean they were right. It just means that the MPAA pitched CSS as a copy control mechanism and the Judge bought it...

My position is that CSS doesn't prevent copying and, conversely, DeCSS doesn't enable it. Neither of these facts has ever been explained to my satisfaction in court, and this is why I think CSS' status as an "access control" needs to be reviewed.

As best as I can tell, there is a two-horned dilemma here and the Corley decision gets skewered on either one...

Horn #1: CSS is an "access control"

If the courts want to continue treating CSS as an "access control" under the DMCA, then the Skylink decision says that there is no DMCA circumvention liability for owners of the original DVD media. Decryption is authorized for the owner of the media because it's necessary to watch the movie (Skylink rulez!).

The part of the Skylink decision that I am relying on is in The Chamberlain Group, Inc. v. Skylink Technologies, Inc., pg. 43, paragraph 2 (paraphrased):
The Copyright Act authorized [consumers] to use the copy of [the protected work] that they purchased. [Consumers, who have obtained the work legitimately,] are therefore immune from § 1201(a)(1) circumvention liability. In the absence of allegations of either copyright infringement or § 1201(a)(1) circumvention, [distributors of DeCSS] cannot be liable for § 1201(a)(2) trafficking.
If this legal standard had been applied in the Corley case, I believe the ruling would have gone the other way.

This doesn't completely eviscerate the DMCA, however. The only remaining scenario where there is circumvention liability for DeCSS is when someone uses DeCSS to view a movie that they have obtained illegitimately. Also, the idiot who "shared" the movie has infringed the copyright by re-distributing it.

Horn #2: CSS is NOT an "access control"

On the other hand, the recent Lexmark ruling, Lexmark Int'l v. Static Control Components, makes a very strong argument that CSS should not be classified as an "access control" because there is no security measure in place to prevent literal (or raw) copying.

It turns out that "access" isn't defined in the DMCA itself, or anywhere else for that matter, and prior cases have been depending on the Webster definition of "access", which is "to make use of". The Lexmark ruling recognizes that "access" might mean "to make use of", or it could also mean "to obtain a copy of"... Since CSS only controls the ability to "make use of" the work, and does not actually prevent anyone from "obtain[ing] a copy of" it, then § 1201(a)(2) does not naturally apply to DeCSS

The relevant portion of the ruling, Lexmark Int'l v. Static Control Components, is on pg. 16 in paragraph 3.
Because the statute refers to "control[ling] access to a work protected under this title," it does not naturally apply when the "work protected under this title" is otherwise accessible. Just as one would not say that a lock on the back door of a house "controls access" to a house whose front door does not contain a lock and just as one would not say that a lock on any door of a house "controls access" to the house after its purchaser receives the key to the lock, it does not make sense to say that this provision of the DMCA applies to otherwise-readily-accessible copyrighted works. Add to this the fact that the DMCA not only requires the technological measure to "control[] access" but also requires the measure to control that access "effectively," 17 U.S.C. § 1201(a)(2), and it seems clear that this provision does not naturally extend to a technological measure that restricts one form of access but leaves another route wide open.
Paragraph 2, on the same page is also a doozie. This is the exact quote from the ruling:
We disagree. It is not Lexmark's authentication sequence that "controls access" to the Printer Engine Program. See 17 U.S.C. § 1201(a)(2). It is the purchase of a Lexmark printer that allows "access" to the program. Anyone who buys a Lexmark printer may read the literal code of the Printer Engine Program directly from the printer memory, with or without the benefit of the authentication sequence, and the data from the program may be translated into readable source code after which copies may be freely distributed. Maggs Hr g Test., JA 928. No security device, in other words, protects access to the Printer Engine Program Code and no security device accordingly must be circumvented to obtain access to that program code.
This is how I would paraphrase the above paragraph for the Corley DeCSS case:
We disagree. It is not DVD CCA's "css data", or even the purchase of a licensed DVD player that authorizes access to the protected work. It is the legitimate purchase of the DVD product itself that authorizes "access" to the protected work. Anyone who buys a DVD reader/player may read the literal content of the DVD directly from the media itself, with or without the benefit of the "css data", and copies of that literal content (encrypted binary data) may be freely distributed. No security device, in other words, protects access to the literal content of the DVD and no security device accordingly must be circumvented to obtain access to it.

In it's simplest terms, if CSS qualifies as a protection measure under § 1201(a)(1), then Skylink protects consumers (and Linux users) from circumvention liability under § 1201(a)(1) because consumers who obtained the work legitimately are authorized to "access" the work.

Lexmark, I think, makes a strong case that CSS does not qualify as a "technical measure that effectively controls access" to the work, and in that instance both the Corley and Reimerdes cases fall to the floor in little tiny pieces.

No matter which horn of the dilemma you take, the end result is that the movie studios cannot depend on the DMCA to prevent consumers from making use of DVD movies in ways that they don't like.

This is where things get interesting, because as I alluded to earlier, the only rational legal interpretation of the DMCA that is left to us in this post-Skylink/Lexmark era no longer resembles Congress' original intent (or what the movie studios paid them to do).

We've got to start over.