[AnthonyMouse]

> But if you distribute a DVD decryption tool, then you're harming the protection of copyrighted DVDs, so you can't distribute a decryption tool even though some jackass might try to functionally recopyright public domain material with DVD CSS.

I don't think you're appreciating how crazy that is.

Suppose some implements a DRM system that works like this. They have a server that speaks ordinary HTTPS and has a standard HTML page that serves content to anyone, but their proprietary client will filter the page on the client side and only show content after a user signs in and buys a license. The content is encrypted with ordinary TLS. If you visit the page using a standard browser instead of the vendor's proprietary client, it doesn't know anything about the filtering system but does implement the "encryption" (i.e. TLS/HTTPS) so it will "bypass" the DRM. Are web browsers now illegal?

Suppose someone implements a DRM system that works like this. The content comes unencrypted on a hard drive inside a computer that asks for a login. The computer is screwed shut with pentalobe screws. Are pentalobe screwdrivers now illegal? What if they sealed the computer with phillips screws?

Suppose I got saddled with a contract with someone saying I would encrypt their content, but I'm lazy so instead of designing a DRM system I just copy the on-disk format of Bitlocker and use a key of all zeros for everything. Anyone with a copy of Windows can decrypt all the content. Do I get to sue Microsoft?

Suppose a ransomware organization uses the same DRM system as a copyright holder. Illegal to provide anyone with tools to break the encryption?

It's absurd.

[kmeisthax]

DMCA 1201 has a knowledge requirement, so in the first example, someone just viewing the website normally has no knowledge of the DRM and thus isn't circumventing anything. However, if they had known of the proprietary client beforehand and used a regular web browser to circumvent the DRM, then that would violate DMCA 1201's anti-circumvention provisions. However, keep in mind that anti-circumvention is the sane half of the law where all the actual exceptions for fair use and all that live. And also the half of the law that's significantly harder to enforce.

The second half of the law is the anti-trafficking provision. This is a lot stricter because it has no fair use exception. However, the actual requirement for violating this law is that the tool has to either...

- Be only capable of violating the DRM scheme

- Have limited commercial purpose other than violating the DRM scheme

- Be advertised as being capable of violating the DRM scheme

Just selling a pentalobe screwdriver is not enough to trip the anti-trafficking part of DMCA 1201. Either your DRM system has to have special screws that only that particular device uses[0], or you have to specifically sell it as a way to steal music. Pentalobe screwdrivers have all sorts of significant commercial uses other than just breaking this hypothetical DRM scheme.

For the same reason, you misusing Bitlocker does not make Microsoft liable for violating DMCA 1201, because Bitlocker has a very wide commercial purpose outside of circumvention. However, if someone says "hey the key is all zeroes", they are liable for trafficking in circumvention tools. Generally speaking, DRM needs to be narrowly tailored to avoid overlap with commonly-available and thus legal circumvention tools. If you abuse existing functionality to make DRM in a way that is trivially circumvented then you gain very little from anti-circumvention. For the same reason, those little right-click blockers people used to put on their website don't mean that Chrome DevTools is illegal[1].

Your ransomware-by-FairPlay example is actually legally interesting. I could see it going all the way to SCOTUS. If I were a cybercriminal, I would absolutely do this just to see people hold off on releasing unlock tools. That being said, I don't think a judge would actually find a security vendor liable here. There's a very basic principle in law that illegal activity is afforded no protection by the law[2]. So I can't sue a drug dealer because he spiked my heroin with fentanyl, or sue a game developer for using my unauthorized fanart of their characters without permission[3]. The criminals who released the ransomware cannot sue the security vendor, the DRM system vendor would have to be baited into doing so. Furthermore, "decrypting shit that was encrypted without my knowledge or permission" would be a perfectly valid commercial purpose. So as long as the security vendor does not say "this tool decrypts DRM" it's probably fine for them to release this.

[0] For various economic reasons in screw manufacturing, this is highly unlikely to ever exist.

[1] I'm pretty sure just mentioning this is committing one of my three felonies for the day.

[2] This does not mean that criminals have no protection under the law at all, of course. Someone who burgles your house and gets injured can still sue for damages, because it's illegal to set up traps to kill people.

[3] Under US law, if an artistic work is a derivative of another artistic work, the derivative is afforded copyright protection if and only if it is licensed. If it is unlicensed you own nothing.

[AnthonyMouse]

> For various economic reasons in screw manufacturing, this is highly unlikely to ever exist.

Did pentalobe screws even exist before Apple started using them? They certainly didn't have a large installed base of manufacturing capacity.

> Either your DRM system has to have special screws that only that particular device uses

But isn't that the core of the issue? You have your special screws for your DRM system. Bob comes along and starts using them on his bicycles to try to force people to have them repaired at the dealer. Can Alice sell special screw drivers? If not, what happened to "that only that particular device uses"? If so, anyone can distribute circumvention tools as soon as a third party uses the same DRM system for something else.

And do you see what I mean by First Amendment issues? We're having a policy discussion, the core of protected speech, and yet:

> I'm pretty sure just mentioning this is committing one of my three felonies for the day.

How do you have a discussion about the effectiveness of a censorship law if describing the facts of its application is illegal?

Suppose the security vendor of the ransomware decryptor wants to make customers aware of its potentially precarious legal status, and then has to explain why.