Seven lines of code can crack DVD encryption
- 09 March, 2001 17:09
The fight over DVD (digital versatile disc) descrambling and the legal issues involved will seemingly not go away, as the fight gained a new participant this week when a tool to help decrypt DVDs was released onto the Internet.
The program, called 'qrpff,' can simultaneously decode and play DVDs. Qrpff is seven lines of Perl code which, when paired with an encryption key, removes CSS, the Contents Scramble System used to provide digital protection to DVDs and ensure that they are only viewed on approved devices. The code was released as the appeals phase of the DeCSS trial is beginning to gather steam. DeCSS is another program which removes CSS and allows for copying or viewing of DVDs.
The Motion Picture Association of America (MPAA), the industry trade group made up of the major movie studios and the instigating force behind both DVDs and CSS, filed suit against 2600:The Hacker Quarterly, a magazine dedicated to phone and computer hacking, over DeCSS and won a wide-ranging decision in August. 2600, along with its legal backer, the Electronic Frontier Foundation, are appealing the verdict. The U.S. Department of Justice has since joined the fray, siding with the MPAA in a brief filed in late February.
The MPAA is "aware of (qrpff) and is taking a look at it," according to Rich Taylor, an MPAA spokesman. Taylor declined to go into further detail.
Legal scholars and open-source software advocates have decried the rulings against DeCSS, and the law that such rulings affirm -- 1998's Digital Millennium Copyright Act, or DMCA -- as a threat to traditional consumer fair use rights. Fair use is a section of law that allows for quoting and non-commercial sharing of copyrighted materials. DVDs and CSS abridge these rights, they charge, because they require that legally-purchased DVDs can only be viewed on certain approved players. DeCSS was created as DVD playback software for Linux, an open-source operating system which lacked such a player at the time (at least one has since been created).
Qrpff was created by Massachusetts Institute of Technology (MIT) computer science student Keith Winstein and MIT alumnus Marc Horowitz as a demonstration for a seminar Winstein taught at the college called "Decrypting DVD," which discussed the technical and legal issues surrounding the DeCSS decision and the DMCA, Winstein said in an e-mail interview.
Winstein said the program "helps demonstrate the preposterous incongruity" of barring the spread of such computer programs, as has been done with DeCSS. Computer programs, and their source code, ought to be protected as free speech, he argues. Qrpff is a good illustration of this issue because anyone "can write those seven lines of code on a piece of paper and hand them to you," which would, presumably, make them protected speech.
Furthering the free-speech argument, Winstein cited a recent comic strip which posed the question, "'Why is it perfectly legal to post bomb-making instructions on the Internet but it's not okay to post code that descrambles DVDs?'"Qrpff was created to make a legal point, rather than a technical one, Winstein said.
"There's not a lot of technical need for a seven-line slow Perl CSS descrambler. The real 'need', then, is probably in helping to make the argument that no constitutional law could restrict the production and distribution of this kind of expressive speech.'
Of course, others, notably 2600's Eric Corley, have made the same argument and lost. Winstein isn't taking any chances.
"I think there's a reasonable case to be made that even if whatever is enjoined by that injunction in New York (the DeCSS injunction) is in fact illegal, I'm still in the clear. However, I'm not stupid. If they take action against me, I'll get a lawyer," he wrote.
The MPAA, in Encino, California, can be reached at +1-818-995-6600 or http://www.mpaa.org. 'Qrpff' can be found online at Carnegie Mellon University Prof. David S. Touretzky's Gallery of DeCSS descramblers, located athttp://www.cs.cmu.edu/~dst/DeCSS/Gallery/qrpff.pl.