Stanford CIS

Effective TPMs the Finnish way

By Zohar Efroni on

A district court in Finland ruled yesterday that the Content Scrambling System (CSS) - the standard technological protection measure for movies distributed on DVDs -  is “ineffective.” That means that the CSS is not covered by the Finnish anticircumvention laws. According to the story posted here by Mikko Välimäki, defendants’ attorney, it all started as a joke by some guys posting on their website instructions how to crack the CSS, then going to the police telling that they probably have just violated copyright law. To their surprise, they were taken seriously and the case reached court litigation.

The 2005 amendment of the Finnish copyright law adopted the European Information Society Directive of 2001, which bans circumvention and trafficking related to “effective technological measures.” Article 6(3) of the Directive provides:

Technological measures shall be deemed ‘effective’ where the use of a
protected work or other subject-matter is controlled by the rightholders
through application of an access control or protection process, such as
encryption, scrambling or other transformation of the work or other
subject-matter or a copy control mechanism, which achieves the
protection objective.

(emphasis added)

It follows that the technological restrictions that do not  achieve the “protection objective” are not covered. This language is susceptible to multiple interpretations and the interesting part of the story here is the court’s reasoning. Accordingly, the CSS is not “effective” since circumventions tools are widely available on the Internet and are integrated in certain open operating systems that do not recognize the CSS standard. Therefore,  the measure no longer achieves the protection objective.

This decision is important because the same effectiveness standard was inserted verbatim into the laws of many E.U. members who have already transposed the Directive. According to the defendant’s counsel, the decision is technology-neutral, so it might apply also to next-generation technologies such as Blu-Ray and HD-DVD (see description of the ruling here). This is apparently the first European court to interpret the Directive’s definition of “effective technological measure” and this beginning is quite startling. The reason that CSS circumvention tools are now widely available is that someone has cracked it and distributed the tools at a time point where the TPM was still “effective” since cracking tools were not yet widely available…

It is true that Jon Johansen (aka DVD-John) has already done it to the CSS years ago, long before anticircumvention law were introduced in Europe. But this does not make the court’s reasoning less circular. If Johansen did the same thing today to another TPM and had the code spread all over cyberspace, thereby arguably violating anticircumvention provisions, does this mean that those who follow shall not be found liable for violating anti-trafficking bans merely because the original violation was too successful?

This is a somewhat confusing. The effectiveness standard, to my understanding, indeed involves a factual inquiry asking who difficult it is to compromise the technological protection and still do what the TPM is there to prevent. But if you have the proper circumvention tools it shouldn’t be all that difficult, should it? The message to rightholders using TPMs is that they must enjoin these activities immediately, perhaps before people even have the chance to digg circumvention tools. The question whether such rule is good as a matter of policy may be open to debate, but it is hard to see how this interpretation serves the purpose of the legal norm, and for that matter, discourages conducts that the law prohibits.

In the near future, European courts will surely produce more decisions analyzing the effectiveness threshold requirement. My guess is that at least some of them will take a different stance on the issue.