Friday, 15 September 2006
This is one of a series of posts on how the TPM Exposure Draft affects particular groups. First, I want to talk about consumers.
Summary: consumers are worse off under the Exposure Draft than they are under current law. This is because they now risk liability where they did not before (liability for the individual act of circumvention has been introduced). This is the intended effect of the laws, and was inevitable under the FTA. The hot-button issues for consumers, however, are:
- region-coding: here, the result is a little murky;
- spare parts (printer cartridges, garage door openers): problem avoided;
- the making of back-ups: there will be no such right. Unfortunate, but probably inevitable. But note that so far, the making of more than one copy or provision of replacement copies is tending to be accommodated (iTunes).
One important point to note for consumers is that there is little in this package to protect us from malfunctioning TPMs, or even evil wicked mean and nasty Sony Root-kit type TPMs.
What consumers might say to the government: thanks for trying to restrict the ambit of these laws and relate it directly to copyright. I can see you’ve really tried here, and you appear to have listened to the concerns expressed by the LACA, and taken a restrictive view of the laws you have to introduce. As a consumer, I think that’s pretty good, really. But there are still a couple of areas where I think the score card reads ‘must try harder’:
- Please explain why you are protecting malfunctioning or evil nasty destructive TPMs at all? Apparently, no one is allowed to help me get past a malfunctioning or obsolete TPM.
- I’d like some assurance that if a Sony Rootkit Fiasco ever happens here, Australian law will provide me with a remedy. Please publish the analysis that indicates that the Sony Rootkit scenario would be illegal under Australian law, or tell us how you are going to address the issue.
The first thing to note about a consumer under these laws is that, of course, consumers are now at risk of liability. They weren’t before: Australia’s pre-FTA anti-circumvention laws made it illegal to circulate circumvention devices, but not actually to circumvent TPMs. Suddenly, an individual consumer’s private activities in the privacy of their home – even their non-copyright-infringing activity – is potentially a breach of the Act. But let’s face it. Few consumers are likely to be sued for this. The more important issues for consumers, in many respects, relate to what people can sell them. Really, as a consumer, what you want to know is just how far the protection offered by the law extends.
First, let’s talk about the number one hot button consumer issue with TPMs: region-coding. We all know by now what this is: it’s the coding on some copyright content that prevents people from playing even legitimate content purchased overseas on local players. It’s used, at the moment, on commercial (Hollywood) DVDs and computer games.
From a consumer perspective, region-coding is just plain offensive. It prevents a perfectly legitimate activity: buying, at full price, copyright material such as movies overseas and bringing them home to watch. It’s insulting, because it shows complete disregard for the interests of paying customers (notable in industry submissions on region-coding has been the argument that any inconvenience to consumers is slight and unimportant compared to industry interests). It’s particularly offensive in a small market like Australia: not all material is available for Region 4. So far it’s been rendered slightly less offensive by the wide availability here of multi-region players, although there is no guarantee that this will continue. The industry response that Australians could just buy multiple DVD players is pretty offensive too (as the LACA noted, ‘it is ludicrous to envisage a situation where an individual’s only option to use legally acquired genuine non-zone 4 DVDs will be to purchase a DVD player tuned to each of the other regions.’) Region-coding also facilitates price discrimination, which in general is not helpful to Australian consumers.
What’s the TPM issue with region-coding? In short, the technology which makes it impossible to play a Region 1 disk on a Region 4 player is perhaps an ‘access control’ – a technology used to control access to copyright works. It might, therefore, be a TPM. It might be illegal to circumvent region-coding, or sell a device to circumvent region-coding. This, too, is a FTA-generated shift. In Australia, after the Stevens v Sony case, it was at least arguable that the technology used to implement region-coding wouldn’t be protected, because the result of the case was that to be a protected TPM the technology had to prevent a subsequent act of infringement. Since merely rendering an electronic copy to view it is not infringement (although there can be debate), Stevens v Sony appeared to exclude this kind of technology from protection. Meaning selling devices to avoid this kind of technology would be legit.
So is the region-coding issue fixed by this draft? Well, there’s no doubt that the government has really, really tried, taking two steps in particular:
- They’ve adopted the Stevens v Sony approach to defining the scope of what counts as a TPM, by (arguably) protecting only those technologies which actually directly, technically prevent subsequent copyright-infringing acts. This will potentially exclude some of the measures from the scheme entirely – as it did with the measures used in Stevens v Sony.
- They’ve also included a ‘legislative note’ to the definitions of TPM and ACTPM which says that ‘to avoid doubt, a device, product or component (including a computer program) that is solely designed to control market segmentation is not an access control technological protection measure’. Although you wouldn’t necessarily know it from those words, this is certainly aimed at least at ‘geographic’ segmentation (the same words were used in Singapore). If there is another kind of segmentation intended, I’d love to know what it is.
Now, if the Stevens v Sony interpretation does stand – if the technology must technically prevent an actual act of infringement to be an ACTPM – then the first possibility is that CSS, the technology currently protecting DVDs, isn’t going to be an ACTPM at all. In that case, region-coding wouldn’t be in the picture at all.
If not (and I’m not sure about the infringement question), the million dollar question is whether in fact the kinds of technology that are used to impose region-coding are ‘solely’ designed to control market segmentation.
My understanding has always been that the same access codes are used both to prevent the playing of ‘extra-region’ material and to prevent the playing of ‘pirate’ disks: the player looks for the right code. That’s what I always thought. That wouldn’t mean that region coding is compulsory for the copyright owners (it isn’t – they can activate it or not, whatever they prefer). But that’s not the point. From a liability point of view, the question is whether the same bit of technology does region-coding. And here’s the problem. I don’t know. Do you? Even AG’s could only say that it depended on the technology.
A second, important consumer issue is the ‘spare parts/aftermarkets’ issue. This is the problem that anti-circumvention law in the US – because it is drafted to protect any access control on a copyright-protected thing (and copyright protects a lot of things, including software embedded in consumer products), it has been abused. Companies have instituted software-generated ‘handshakes’ and then argued that any device that bypasses the ‘handshake’ is an infringement of the DMCA. Even if it is a printer cartridge trying to work with a printer (Lexmark), or a garage door trying to work with a garage door (Skylink) (see the EFF’s report on these cases, here). These are not copyright infringement cases. But they have been prosecuted – sometimes through multiple appeals – under the US DMCA. For the most part, in the US, these cases have failed. But as Australian consumers, we don’t want these lawsuits succeeding here, because they reduce competition in ordinary consumer products.
This, the government have dealt with under the Exposure Draft. The explicit requirement of a link to copyright infringement in the various definitions is designed to achieve this, and probably, I think, succeeds. No one sensible wants the law to cover that kind of scenario, and no matter what changes are made to the Exposure Draft, I think we can probably rest assured that the government will, at the very least, ensure that these kinds of cases do not happen under our Act.
A third consumer issue is the making of backup copies – the copies you use when your original one is damaged. The consumer’s ‘right’ to make backups is strongly contested. Industry constantly points out that you don’t get back up analogue books. True. Consumer advocates argue right back that digital copies are far more fragile than the industry admits, and given the extremely low marginal cost of making new copies, the absence of backups does seem a little bit like greediness/gouging. Honestly, why should I pay $30 twice for a DVD, when I know that making each copy costs a matter of a couple of dollars at most? It was probably inevitable that circumvention for back-ups would not be allowed. Any device that circumvents to make a copy pretty directly implicates copyright owners’ rights. Note too that we have little right to make back-ups outside the very particular context of computer programs at the moment. This may be less of a concern than you think, however. The fact is that quite a few of the DRM systems being discussed and implemented these days allow a small number of copies. Think about Apple’s FairPlay system. The need for multiple copies is one of those ‘visible’ issues that consumers see and that can be a selling point for consumers. Believe it or not, this may be an issue the market can solve.
Another issue for consumers is what happens when TPMs malfunction, or become obsolete, or the company managing them goes out of business. No consumer wants to be stuck without access to something they’ve paid for because the technology fails. Huh? You might ask? Surely that kind of TPM isn’t protected from circumvention? Well, strange as it might seem, yes they are protected. This is just plain silly. Even relatively conservative academic commentators (Ginsburg, Reinbothe & von Lewinski) have noted that there probably shouldn’t be protection for such things. And you might assume that the treaty language, which refers to measures which are ‘effective’ and which provide protection ‘in the normal course of their operation’. Surely, once they’re ‘abnormal’ and ineffective to fulfil their design purposes, they should just be excluded?
Apparently not. The government did know about the issue. You might even think they’ve taken care of it, because in the recently released regulations, we have this exception created to the bans in s 116AK and 132APA, where circumvention is for the purpose of:
(j) the gaining of access to copyright material to which a TPM has been applied if:
(i) the TPM is not operating normally; and
(ii) a replacement TPM is not reasonably available
Problem solved? Not really. You see, despite this friendly-sounding exception, no one can legally provide you, the consumer, with the means to do this. It’s not an exception to the device or service bans in the legislation.
Far better would have been to simply exclude such TPMs from protection.
Another issue for consumers is malicious or dangerous DRMs: the issue highlighted by the ‘Sony Rootkit Fiasco’, in which Sony released CDs which, when inserted into a computer, installed computer programs which displayed all the properties of the most evil computer viruses: installing themselves surreptitiously, being impossible to remove, making the computer vulnerable to other security attacks (discussed by Felten and Halderman in their paper)
Are there any guarantees against abuse? It is interesting that there is nothing in the legislation – and the government has said very little – about how destructive or dangerous DRM such as that used by Sony might be dealt with. At the time of the Sony fiasco, which occurred while these laws were in the pipeline, the government’s response to questions was as follows:
First of all, as we understand that particular issue, it occurred in the United States. From a briefing from Sony BMG in Australia, we understand that the same TPM does not occur on CDs made available in Australia and we have not heard if there is any problem. We know people travel and they may have brought back a CD that does contain that particular problem TPM, but the government has not heard anything at this stage about whether that is a problem in Australia. The approach I think the department would take in advising the government on implementing the new TPM provisions under the act is to accord with our treaty obligations and no more. I do not think the problem that occurred in the United States in relation to Sony BMG related to how the law operates in the United States. I think it was just about the characteristics of that particular TPM (Helen Daniels, AGs Dept)
Think about it. It’s really not that satisfying a response, is it? Note that there’s nothing in there that says what would happen under Australian law if in fact someone did release such DRM in Australia. Particularly strange is the assertion that the department is only concerned with implementing the treaty obligations. Huh? If you decide to strengthen protection for TPMs, why not at the same time consider what limits need to be placed on their use? What’s to stop a government from specifically considering, as part of the ‘payoff’ for protection, what limits copyright owners must observe here? Do we have so much faith in the force of the PR machine? Remember that Sony’s first reaction to the revelations was ‘well, people don’t know what rootkits are so why should they be worried?’. And Sony in Canada appear to be resisting, more recently, settling on terms as strong as the ones in the US. Arguably, this is our obvious chance to deal with the issue.
It is, actually, an issue. You have to wonder why it is that the government is unwilling to deal with it. When I previously analysed the issue on this blog, at the height of the Sony fiasco, I wasn’t at all confident that our laws would create liability here. While we do have criminal laws against unauthorised modification of computers, proving the relevant offences beyond reasonable doubt would be a real issue. After that, we fall back on general consumer protection law and perhaps negligence, but such general laws aren’t obviously fitted to the situation.
Again, the government was aware of the issue of malicious DRM, and did provide an exception in the recent set of regulations to allow the circumvention of such DRM: circumvention of an access control is allowed for the purpose of:
(k) the gaining of access to copyright material that is protected by a TPM that interferes with or damages a product in which it is installed (the host product) or another product used in conjunction with the host product:
(i) to prevent damage, or further damage, to the host product or another product by the TPM; or
(ii) to repair the host product or another product (if circumvention of a TPM is necessary to enable the repair to be carried out).’
Again, we have a pretty fundamental problem. That is, no one can legally help you do this. If they help you do this for their own commercial purposes, they are committing a crime. Stupid. Again, such things should simply be excluded from all legal protection. Will people get sued in this scenario? Of course not. But isn’t there a problem where it is a crime to help people undo the damage done to their computer by destructive, security-threatening DRM?
A final thing that consumers are, or should be, concerned with is the rather more general issue of competition. As consumers, we want there to be competition, because, as a rule, it means lower prices for us. We want multiple makers of consumer electronics devices, computer operating systems, software, etc etc. The overall effect of these laws on competition is rather hard to predict. In general, anti-circumvention laws have a potentially deleterious effect on competition, most importantly because the big thing that copyright owners get, under these laws, is the power to dictate which devices can decrypt their material. That creates the potential for them to impose additional conditions, or even just refuse some people the right to manufacture devices to read their stuff (compare, say, video, or CDs, where that wasn’t the case). DRM’d content is often linked to specific hardware (think iTunes and iPods), leaving consumers unable to transfer content between devices. This can create big potential barriers to entry to device markets (would you buy another music player when you’ve invested in a portfolio of iTunes songs? Not every music player will be able to do what Microsoft is proposing, and replace your music collection). There are a couple of ways in which the government have sought to protect competition, through:
- Two exceptions for interoperability: one which allows circumvention for the purposes of ensuring interoperability between computer programs (in the Act) and another which allows circumvention for the purpose of reproducing a computer program, to achieve interoperability of an independently created article with the program (I’ve not quite worked out the implications of this latter one yet);
- Limiting the concept of TPM so that not all access controls are protected.
- trying to exclude things like region-coding (and maybe other ‘market segmentations’) from protection.
- Creating an action for ‘groundless threats of legal proceedings’ so that people who wrongly threaten to sue under these provisions can be subject to damages claims. This is something I don’t think they have in the US, but it’s not a bad idea!
I think, however, in the long term, the effects on competition will be something to be seen. For one thing, it’s not clear that companies will continue to put up with the exclusive locking between devices and content (see Michael Geist’s comments on this). There are other things that the government might want to think about in the longer term. For example, the government might want to consider whether a specific cause of action for misuse of DRM might be needed. In addition, since competition requires full information, the government might want to consider the need for clear labelling of DRMd content: full disclosure of everything the content will and won’t do may seem a minor thing, in many ways, but let’s encourage truth in labelling here. This was also suggested by a recent UK Report.
A couple of last pats that the consumer should apply to the government’s back. For one thing, it’s interesting to see criminal liability under these provisions only applied in the case of acts done for a commercial purpose/financial advantage. Criminal liability won’t apply to consumers, in other words, and where you circumvent an access control only, you don’t risk jail. that’s quite nice, really, from the consumer’s perspective.
And I also want to reiterate that, as consumers, we do like the fact that the government has restricted protection, and really made an effort not to just write a law like the DMCA. They really have tried to relate the issue to copyright. That is not an insignificant step to take, and I’m sure it won’t be uncontroversial.
That’s it for the consumer perspective on this Exposure Draft. More perspectives to come.
2 Responses to “The TPM Exposure Draft: What does it mean for … consumers?”
Leave a Reply
Do not post material that is defamatory or obscene, that infringes any third party's copyrights, trademarks or other proprietary rights, or that violates any other right of any other person.
We reserve the right to remove or edit any comment for any reason.
Note: Posting more than two links in a comment may cause it not to appear because it will be submitted for moderation. Also, links in comments will not be counted by Google, so spamming is pointless.
September 18th, 2006 at 5:39 pm
Hi Kim,
Excellent article; we engineers always love reading legal opinions of some of these vague sentence structures and concepts!
Here is my answer to your technical query:
‘My understanding has always been that the same access codes are used both to prevent the playing of ‘extra-region’ material and to prevent the playing of ‘pirate’ disks: the player looks for the right code. That’s what I always thought. That wouldn’t mean that region coding is compulsory for the copyright owners (it isn’t – they can activate it or not, whatever they prefer). But that’s not the point. From a liability point of view, the question is whether the same bit of technology does region-coding. And here’s the problem. I don’t know. Do you?’
Region codes are enforced differently between systems. For DVD players the older (RPC1) models simply matched the player’s region code with one byte stored in a text file on the DVD – and was very easy to get around. Newer (RPC2) models actually read the code from another area of the disc (a CPR_MAI byte) – read only by the DVD-ROM component’s firmware itself and that is passed to the player for verification against its region – harder to circumvent.
However things like games consoles take this one level further by putting the region coding behind other access control ‘walls’. I.e. in order circumvent region-coding for games console software you must first breach surrounding access controls – often ones put there to prevent copyright infringement.
The legislation needs to explicitly emphasize that if region-coding is included _at all and in any form_ that must exclude the whole device from legal protection.
Also, what do you think of our chances in having software back-ups permitted for personal non-commercial purposes?
Best regards,
Richard
September 18th, 2006 at 11:31 pm
Addendum
In answering your question as to whether the same codes are used to distinguish regional information from whether a disc is a pirate copy – no they are not. A pirate copy of a DVD video cannot be distinguished by the player at all. It can usually be ‘determined’ by the fact that pirate copies tend to be unencrypted – however there is no mechanism for a playback device to determine a pirate DVD because non-pirate copies can also be unencrypted. The DVD region information is separate and is NEVER encrypted.
The DVD copy protection _relies_ on not being able to decrypt the original video in the first place – so when a Scandinavian programmer achieved this in about 1997 it was game over for DVD copy protection.
Regards,
Richard