BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

United Kingdom Journals


You are here: BAILII >> Databases >> United Kingdom Journals >> Legal limits of technological protection measures in Europe – open questions based on the ongoing Finnish CSS cases (2009) 6:3 SCRIPTed 702
URL: http://www.bailii.org/uk/other/journals/Script-ed/2009/6_3_SCRIPTed_702.html
Cite as: Legal limits of technological protection measures in Europe – open questions based on the ongoing Finnish CSS cases

[New search] [Printable PDF version] [Help]


Legal limits of technological protection measures in Europe – open questions based on the ongoing Finnish CSS cases

Mikko Välimäki*

 
Cite as: Mikko Välimäki, "Legal limits of technological protection measures in Europe – open questions based on the ongoing Finnish CSS cases", (2009) 6:3 SCRIPTed 702, http://www.law.ed.ac.uk/ahrc/script-ed/vol6-3/valimaki.asp 
 

Download  options

DOI: 10.2966/scrip.060309.702
© Mikko Välimäki 2009.
Creative Commons License
This work is licensed under a Creative Commons Licence. Please click on the link to read the terms and conditions.
 

1. Introduction

In May 2007 Helsinki District Court gave an interesting judgment in a case about the circumvention of technological protection measures. The District Court found that the Content Scrambling System (CSS), which is used to restrict the viewing of DVDs among other things, was not “effective” as defined in national law and based on the EU Copyright Directive.1

At the district court the litigation was a rather simple set-up: a lone prosecutor against two defendants before one judge, and two lay judges. Charge: distribution of the CSS algorithm on the Internet. There were two expert witnesses, one for each side. The first came from the criminal police computer technology unit, and the second from a technical university. The resulting judgment was only a few passages based on common sense argumentation. The crucial part read:

...since a Norwegian hacker succeeded in circumventing CSS protection used in DVDs in 1999, end-users have been able to get with ease tens of similar circumventing software from the Internet even free of charge. Some operating systems come with this kind of software pre-installed…. CSS protection can no longer be held “effective” as defined in law.

It was evident that this would not be the end of the issue in the Finnish courts. It was only the start of the story as a legally interesting and potentially precedent-setting pioneer case. The Helsinki Court of Appeal overturned the decision in June 2008. Then another case based pretty much on the same facts followed and Helsinki District Court found that the third defendant – following the recent appeals court judgment – guilty as well.1

At this stage many hoped the Finnish Supreme Court would intervene and give a precedent or make a referral to the European Court of Justice. Somewhat surprisingly, it denied leave of appeal in December 2008 and closed the first case in the Finnish courts. It was generally thought that the cases were over. However, in another surprise move, the Helsinki Court of Appeal ordered a full oral hearing in the second CSS case in May 2009. This is the same court that overturned the first case without any oral hearing. The new hearing is set for December 2009 and a judgment is expected in January 2010. The first case continues its life before the European Court of Human Rights where it was appealed in June 2009.2 Thus, the question on the legal limits of technological protection measures hangs open before the courts.

This article explains the process after the district court decision and sums up what one can learn from the cases. The cases show from a procedural viewpoint how difficult it is to argue cases against major multinational media companies and how difficult it is to get clear technical facts correct in even simple circumvention cases. From a more academic viewpoint the cases give those interested in the subject a set of open questions on the legal limits of technological protection measures in Europe. Finally, the article discusses how the scope of anti-circumvention can be limited in practice. In addition to interpretative arguments within the anti-circumvention regulation, one can think of the limitations which come from constitutional law, consumer law and competition law. Also the growing popularity of creative commons and open source licensed works may limit the possibilities to use technological protection measures in the future.

2. Process in the Finnish Courts after the First Decision

Things started to build up rather quickly after the first District Court decision. The prosecutor appealed and asked for help from two sources: the Finnish Copyright Council3 and the local antipiracy centre.4

2.1. The Finnish Copyright Council

The Finnish Copyright Council held three meetings to discuss the case and finally gave a unanimous opinion.5 Not surprisingly, in a lengthy opinion the council presented arguments for the prosecutor but carefully avoided to reach any actual conclusion. The most interesting thing in the council opinion was, however, the fact that it developed novel arguments that could be considered in the legal interpretation about whether a given technological protection measure is effective. Obviously, the district court decision was so straightforward and common sense in both the law and the facts that merely stating it erred with references to travaux préparatoires (this is how the council usually works) was no longer possible.

Defendants in the case had no role in this process. The council did not hear what was said during the oral proceedings in the district court. Instead, it relied solely upon the written material submitted by the prosecutor, including two new expert opinions advancing her case.6

The council started with an attack against an undisputed statement in the preparatory materials that accidental circumvention is legal. With the following logic, the council thought CSS cannot be circumvented by accident:7

One feature of an effective protection measure is that by fitting a protection measure, the author or other right holder communicates that he himself considers the use of the work restricted… In the case under review there is no uncertainty that the persons involved in the circumvention were fully aware of the fact that they were dismantling a protection expressly fitted by the right holders (or their representatives or assignees) to protect the work against the will of the right holders… For example, dismantling by accident, which was mentioned in the preparation of both the Directive and the amendment to the Finnish Copyright Act with regard to the appraisal of effectiveness, cannot be the case here. (emphasis added)

Anyone familiar with CSS encryption knows that most people circumvent it with an open source player without knowing a system called CSS exists in the first place. One downloads, for example, VLC player or Mplayer, inserts a DVD, and views the movie. CSS is easily circumvented. However, the council adopted a subjective approach, saying, that if one is aware of a protection measure, then he cannot circumvent it by accident, even if thousands of fellow citizens do. One can ask if this means that a protection measure may be ineffective to “ignorants”, and they can thus circumvent it legally.

It sounds also somewhat strange to first speak about communicating a protection objective and then state that a right holder’s subjective action when just to design a technical protection measure inside a product is enough. A more common sense approach would have blown the prosecutor’s case. Anyone who owns a DVD can confirm that neither the case nor the disc inside communicates any information on CSS or the fact that the disc has technical viewing restrictions and can be played only with a licensed player. Has anyone seen this kind of information in stores, for that matter?

The council followed its subjective logic with the following statement of facts:8

In the light of the material presented at the District Court, it is obvious that as such the information needed to circumvent TPMs is readily accessible in general information networks. However, this alone does not give a clear enough picture of how easy or prevalent the circumvention of protection measures actually is. The documents submitted to the court of first instance include two A4 pages of commands written in a computer programming language which, when performed, remove the protection. In the opinion of the Copyright Council, it is justified to ask how many private persons in actual fact could perform these operations without familiarising themselves extensively with programming and the operation of the computer, despite the fact that the sequence of commands as such is easily accessible.

Following the council’s logic even a non-workable and accidentally circumvented protection measure becomes effective against those who present a technically obscure circumvention method. In this case those two A4 pages included (actually quite pedagogically written) Haskell-code.9 It must be also stressed that the council made this strong statement of facts without hearing the proceedings in the district court and without hearing the defendants, thus essentially without anyone explaining how most people circumvent CSS.

Finally, and quite interestingly, the council thought that official CSS licensing must be taken into account. Apparently the council thought that since DVD CCA only gives out very restrictive licences for playing DVDs, and has so far refused to licence anyone any right to copy the content, then this reveals something about the effectiveness of CSS. It said:

Licensing and the extent to which licensing has taken place are a factor in the matter. Similarly, if licensing with regard to the other operating systems has for example been more restricted in terms of operation (e.g. only for enabling an appropriately acquired DVD to be played privately on the computer) than the extent in which the defendants have used the dismantling program and distributed it to the public, a comparison with other operating systems will lead to an erroneous conclusion as to the inefficacy of the CSS protection system.

Indeed, one can agree that in this sense CSS is effective. But one can also claim that CSS is used here not as a technological protection measure with an objective to curb illegal copying, but merely as an effective tool to enforce a player manufacturing monopoly. And a player manufacturing monopoly is hardly the objective – as stated in preparatory materials – of technological protection measures or copyright law.

2.2. Prosecutor’s Appeal with New Expert Opinions

The prosecutor appealed the district court judgment. She attached the Council’s opinion as well as two new expert opinions in the appeal. The first opinion was a technical statement signed by Lindsay Holman, managing director of Futurmatix Ltd.10 The prosecutor quoted the following part from the conclusions of Holman’s statement:11

CSS was conceived as part of a regime whose aim was to ensure that the average consumer would not be able to make unauthorised copies of purchased DVDs and then redistribute them over the Internet. This regime comprises the CSS content scramble technology, together with the CSS license agreements and is further supported in operation by potential recourse to legal remedies.

Given that the vast majority of the DVD-buying public continue to purchase and enjoy DVD content without being able to make unauthorized copies, it can be concluded that this regime has indeed been and will continue to be wholly successful in achieving its original aim, and in this respect, it can seen [sic] that CSS is clearly and undeniably “effective”. (emphasis added)

This is a strong empirical – not technical – statement. If true, it would indeed make CSS “effective” from a common sense perspective. Interestingly enough, this statement contradicted what the district court had concluded and what the prosecutor’s witness had said in the oral hearing in the district court. Anyone familiar with CSS must obviously question this statement. Indeed, the statement did not include any empirical study, references to any studies, nor did it mention the fact that CSS was circumvented in 1999 in the first place. The opinion merely discussed how CSS was designed technically, and then jumped to the surprising empirical conclusion.

The prosecutor also referred to Holman’s statement to stress that CSS was a copy protection system, and the question was not about a restriction on viewing DVDs. The defendants had claimed that their code only circumvented that part of CSS that restricts viewing, and such restrictions can be circumvented legally in any case. However, the prosecutor also contradicted herself when she went on to claim that legally licensed DVD players only allowed viewing and not copying. In other words, she admitted CSS can be circumvented partially.

The second opinion was even more interesting. A prominent pro-copyright advocate Mihály Ficsor submitted a 33-page long and strongly worded legal policy statement about the whole case.12 He did not want to get into the technical details of CSS circumvention. Instead, Ficsor had the big picture in mind:13

The issue is much broader and fundamental. The anti-copyright-oriented hacker communities and various “copyleft” movements oppose the protection of technological protection measures… They oppose it in spite of the fact it is (i) prescribed by the WIPO Treaties adopted by the international community; (ii) foreseen by the Informational [sic] Society Directive adopted by European Parliament and the Council (iii) provided for by national laws …. They are of the view that the international community, the European Parliament and the Council, as well as the national legislators – all of them – have been wrong. (emphasis original)

Although his rant went off course at times, Ficsor’s openly advocated disgust with open licensing initiatives and user-generated content services is worth quoting:14

Free access and distribution which many “copyleft” groups would like to achieve would, of course, lead to free access to already existing works, to the creations of those who use social networking forums, blogs, You-Tube-type systems to make available their contributions created usually as a marginal activity to their money-earning work, to open source and creative commons productions freely offered because the creators and distributors thereof cannot afford doing so due to other sources available to them, etc.

Somehow this brings to mind Bill Gates’ infamous “open letter to hobbyists” from 1976.15 Just remember that Ficsor’s letter was written in the summer of 2007. Also note that Ficsor was one those orchestrating the WIPO 1996 treaties and has served as the deputy chairman at WIPO.

In another way, Ficsor’s opinion expressly clarified the legal policy tensions that have surrounded technological protection measures ever since they were introduced in the legislation. It was the existing multinational media company power in international forums against the dissenting voices of individual activists at the national level who felt their voices were not heard. Defendant Mikko Rauhala, who opened the Internet discussion forum and invited others to submit circumvention instruction, did everything for the purpose of clarifying the legal policy. His goal was, as Ficsor suggests, encouraging an interpretation in favour of the general public, including “hacker communities” and “copyleft groups”.16

2.3. Court of Appeal Decision

The defendants gave a written answer to the prosecutor’s appeal. They denied the prosecutor’s claims but agreed that the main legal issues were subject to interpretation. Thus, the defendants that demanded the court make a reference to the European Court of Justice for a preliminary ruling. The defendants also asked for an oral hearing should the court consider reinterpreting the facts based on the prosecutor’s new written testimonies.

The Helsinki Court of Appeal court gave its judgment 22 May 2008. It did not arrange an oral hearing nor did it make a reference to the European Court of Justice.17 With this background, it was definitely surprising to the defendants to read the earlier decision of the district court was overturned.

Interestingly, the appeals court did not refer to any testimonies of the parties and not even to the oral hearing in the district court. In its legally narrow decision, which avoided taking any opinion on the defendants’ other arguments such as the freedom of speech, the appeals court first stated that the main question was whether CSS was an effective technological measure. Then it started to go through the government’s law proposal, the main document in travaux préparatoires of the Finnish law amendment that introduced technological protection measures.

The court noted that the right holders had effectively communicated their intention to protect DVDs when they had continued to use CSS after it was circumvented in 1999. It also noted that circumvention by accident was allowed. The court then followed the copyright council adopting a subjective approach regarding accidental circumvention and said that in the present case the circumvention had required computer programming. From this, the court concluded:18

In this case a normal user can not be considered to be able to circumvent the technological protection measure by accident. Thus, and because CSS protection was intended in its normal use to prevent or restrict acts on works or other material protected by copyright, the protection must be considered, taking in account the time when the circumvention took place, as such which has achieved its protection objective.

This interpretation brings the law in accordance to the United States law: the intention of the right holders is enough for a protection measure to become “effective”.19 In other words, the language “achieves its protection objective” has no meaning, and the interpretation of the word “effective” has no relation to its ordinary common sense meaning. Also, accidental circumvention defence applies only if the circumventing act in question was accidental; one cannot refer to even widespread accidental circumvention to prove a technological measure ineffective.

The court further explained its interpretation with the following legal policy statement, something that is rarely found in Finnish judgments:20

The court notes that studying the concept of an effective technological protection measure only from the perspective of end users, as was done by the district court, would imply that after a protection measure has been illegally circumvented it would be held almost by a rule ineffective. This perspective does not match the exemplary statement in the preparatory materials…[that a circumventing act as such would render a protection measure ineffective].

It must be emphasised that this rather progressive interpretive approach was used here in the context of criminal procedures against individual defendants. The court had to argue strongly that illegal circumvention was the only possible interpretation; if it had been a close call between two legally possible interpretations, the principles of criminal procedure would have required an acquittal.

The court also took note of the claim the defendants had only circumvented a viewing protection:

Even though CSS protection with the lack of licenses obviously restricts the viewing and listening of DVDs on Linux systems, it has been clarified that one of the main original goals of the protection has been to make sure that consumers who buy DVDs do not copy or distribute them without authorization. Thus the object of CSS protection is also to restrict acts relevant from copyright perspective.

Thus, the court found both defendants guilty of illegally circumventing an effective technological protection measure and offering a service (the Internet discussion forum) for circumvention. Regarding remedy, the court said that because the service did not cause any substantial change to CSS, it was only run only for limited time, and the defendants turned themselves in to the police voluntarily, no fines were appropriate in this particular case. The defendants had only to pay their legal fees.

2.4. Second CSS Case in the District Court

Meanwhile, the prosecutor brought another case in the Helsinki District Court against a third individual defendant who had been a member of the same Internet forum where the CSS circumvention instructions had been posted. He had posted in the forum another circumventing implementation, this time in C programming language, including a public plea for others to continue publishing. He also posted the circumventing code on his own website. The only major difference to the first case was merely procedural: the charges included not only illegal circumvention but also a public plea to commit crime.

The Helsinki District Court gave its judgment on 21 October 2008. The arguments and material presented were pretty much the same as in the appeals court in the first case. Also the main grounds of the ruling were identical, almost copied word by word from the appeals court. The only relevant difference was the oral hearing. The prosecutor had changed her witness. Nothing new came up, except that the court missed the difference between an access control and a copy control technology. Again, freedom of speech arguments did not get any review from the court.

Regarding remedy, the court noted that because of the public plea the defendant must face serious punishment. It ordered thirty day fines as the justified remedy.21

2.5. Supreme Court Denial and Future Proceedings

The defendants in the first case appealed to the Supreme Court. It was widely believed that the Finnish Supreme Court would take the case in and either set a precedent on its own or alternatively would submit a referral to the European Court of Justice.22 Neither of these options was realised, however. In December 2008, the Supreme Court denied leave to appeal. Then the defendants tried the other option and asked the Supreme Court to annul the first decision because of errors in the procedure and the reading of the facts. Again, the effort was unsuccessful.23 The final option was an appeal to the European Court of Human Rights. Building on freedom speech arguments, both defendants filed independent appeals in June 2009.

The second case continues its life before the Helsinki Court of Appeal. In another surprise move, in May 2009, the court ordered a full oral hearing, which is to take place in early 2010. A new judgment would follow within a month after the hearing. The Appeals Court filing was basically the same as the defendants used at the Supreme Court in the first case. The Appeals Court will have three judges, and it looks like they are seriously considering the facts and the interpretation of the law once again. After the court’s decision the door is again open for a Supreme Court appeal.

3. Open Questions on the Legal Limits of Technological Protection Measures

The process in the Finnish courts has brought up many open questions on the legal limits of technological protection measures in Europe. If one day the European Court of Justice would be to interpret the Copyright Directive’s article 6, at least some of the following questions could be asked.24

3.1. Questions on “Effectiveness”

The main open question here is the following: what test could be used to determine whether a given technological protection measure is “effective” and “achieves its protection objective” as set out in article 6(3) of the Copyright Directive? Based on arguments used in the Finnish CSS cases, this question can be further divided in the following sub-questions.

(a) Is it relevant if a right holder has intended to use a technological protection measure, and communicates this intention by continuing to use the measure?

This is how the appeals court interpreted the law. The defendants questioned the approach, as the intention and actual use of a protection measure are always present. They should have no relevance in the legal analysis of “effective” if that word is to have some meaning. In other words, if the actual empirical effectiveness or the awareness of average users of the existence of a protection measure has no relevance, then the wording of article 6 should be changed. A measure cannot become “effective” when a right holder just used something he calls a technological protection measure and thus “privately” communicated he considers it effective. Otherwise, any technological measure is always effective by definition.

(b) Is it relevant if an average computer security expert is able to circumvent a given protection measure?

This is how the defendants approached the interpretation in the first place. If an average computer security expert is able to circumvent a software-based protection measure, then the measure should lose its “effectiveness”. This interpretation would follow the standards of secure software development. When an average computer security expert can independently and publicly confirm that a security hole exists, then it is not meaningful to claim that an average computer user remains safe from an attack because he has yet to experience the security hole himself.

Granted, this interpretation would bring the regulation of technological protection measures much in par with trade secret law. In the case of CSS, that interpretation could be actually appropriate. DVD CCA originally initiated litigation against the individuals who independently circumvented CSS and distributed the circumvention algorithm as if the question was about illegal publication of trade secrets.

(c) Is it relevant if an average user, against whose acts the technological protection measure was designed for, is able to circumvent a given protection measure?

This was the district court’s interpretation and it can be said to be consistent with the ordinary common sense meaning or “effectiveness”. This approach would require an empirical finding of facts about how commonplace the circumvention actually is among average users. In some sense, this approach would bring the analysis of “effective” in line with empirical assessments in trademark law.25 Thus, it would appropriately fit in with the existing principles of intellectual property laws.

(d) Is it relevant if the one who circumvents a given protection measure is aware of the existence of the measure and thus circumvents the measure knowingly?

In the case of CSS the circumvention may require a simple action from the side of the user: the installation of a software DVD player. However, an average user would probably never think of circumventing any technical protection measure.

The Finnish Copyright Council thought differently: it interpreted the facts not from the perspective of an average user but from the subjective perspective of the one who did the circumventing act. In the Finnish CSS case the defendants had published computer programming source code and not, for example, fully functional DVD player software. The defendants argued in the Supreme Court complaint that this approach cannot be correct: otherwise some users – technical experts aware of the measure and how to circumvent it – would breach the law while others – average end-users who merely view a DVD with a software player – would not. The technological protection measure is either “effective” or it is not. It cannot be at the same time effective to some users and ineffective to others.

(e) Is it relevant if the manufacturer of a given protection measure or other parties with appropriate legal standing stop attempts to seek enforcement against those who circumvent the protection measure?

The defendants argued in their Supreme Court appeal that this should be taken into account. In the case of CSS, the lawsuits against those who publish the CSS algorithm ceased soon after the algorithm became public knowledge.

The Finnish CSS cases seem like exceptions to that trend. In Finland, the public prosecutor initiated the cases alone without copyright holders’ or DVD CCA’s involvement. Later on and only after the prosecutor had lost in the district court, the copyright holders ran for help and filed their opinions to support the prosecutor. Apparently their only motivation was political, as expressed in the Ficsor’s opinion, not an individual case where the actions of the defendants would have directly harmed their interests. Thus, if the right holders have no actual interest to pursue those who continue to publish circumvention instructions and easy-to-use circumvention software, then it would be strange to claim there is any reason – legal or political – to hold them liable for illegal circumvention.

(f) Is it relevant if the manufacturer of the protection measure has a licensing market for a secret circumvention method and its open provision to the public would harm this market?

This was one of copyright council’s interpretation criteria. The defendants argued in their Supreme Court appeal that the licensing market is an especially inappropriate argument because the market can be extended to other uses than the subject matter of copyright law. In the case of CSS, the main motivation for right holders is not to prevent illegal copying by average users but to collect royalties from the manufacturing of DVD players: all manufacturers have to licence the official CSS algorithm from DVD CCA. In other words, the existence of a licensing market has in this case nothing to do with copyright unless the goal of copyright is to guarantee to the creator of publicly available works a monopoly to manufacturer the devices, which are capable of viewing those works.

3.2. Questions on “Provision of Services”

The main question here is the following: what test could be used to determine the extent of “provision of services” as set out in article 6(2) of the Copyright Directive? Based on arguments used in the Finnish CSS cases, this question can be further divided in the following sub-questions.

(a) Is it relevant if the service consists of a public discussion forum, which also includes detailed written descriptions of circumvention measures such as computer programme source code, taking into account the protection of free speech referred to in the article 10 of the European Convention of Human Rights?

Both the directive and national laws leave the definition of “provision of services” rather open. The government’s law proposal had quite progressively said that an “organised discussion” of technological protection measures was an illegal provision of services. This statement served as the main inspiration to the whole provocation: the discussion forum was founded and CSS circumvention information published to show that the government must be wrong. Prohibiting “organized discussion” on technological protection measures in the name of anti-circumvention regulation would be a clear misuse of the law.

The defendants argued consistently through the process that the state of Finland effectively tried to suppress their freedom of speech. Unfortunately none of the Finnish courts – rather questionably, but in accordance with the Finnish “tradition” – made any comment on the freedom of speech arguments.26 However, the Copyright Council noted the following: “the Copyright Act does not limit free exchange of opinions about the drawbacks in the Act or about the shortcomings of the regulation concerning technological measures.”

The defendants argued in the Supreme Court appeal that this interpretation would mean that one can only speak generally about a bad law but making written statements with concrete examples that show how the law is problematic would be prohibited. The only way to speak exactly about a particular technological protection measure may require the use of computer code samples or mathematical formulas in communication. Statements including source code should be treated as any speech under the constitutional right to the freedom of speech. Freedom of speech was especially relevant in this case where the source code was published with comments on a discussion forum. Further, all the source code examples published in the discussion forum were either direct copies or derivative variants of source codes published all over the Internet since 1999. The defendants argued that they had not made any confidentiality agreements with the right holders or DVD CCA nor did they have to keep secret any information they had learned on the Internet.

(b) Is it relevant if the circumvention measure provided in the service is a freely available computer program installable by users and the service does not include any installation help?

The defendant who opened the discussion forum had given a nominal 5 euro cents to those who published circumvention information and source codes on the forum. The motivation was to make sure there must be a decision on the meaning of “services”.

The defendants argued that one must take the actual nature of the service into account. A nominal fee on an open discussion forum cannot change the fact that a non-commercial pure information service is not “provision of services”. The law was meant to prohibit for example commercial services where game consoles are physically modified to bypass various technological protection measures.

3.3. Questions on “Acts”

The main question here is the following: how should one interpret the language “is designed to prevent or restrict acts, in respect of works or other subject-matter, which are not authorised by the right holder of any copyright or any right related to copyright as provided for by law …” as set out in article 6(3) of the Copyright Directive? Based on arguments used in the Finnish CSS cases, this question can be further divided in the following sub-questions.

(a) Does article 6 cover only such technological protection measures, which control acts that are within the subject matter of copyright law (such as reproduction and communication to the public) or does article 6 cover also such technological protection measures, which control only access to a work, independent of the subject matter of copyright law (which does not for example cover the viewing of a work)?

This question was answered unanimously by courts and the copyright council in accordance with the government’s law proposal: the law covers only such measures, which control acts within the scope of copyright law, and not any pure access controls. The defendants agreed. In other words, this creates a “copyright control”/“access control” dichotomy in the tradition of an idea/expression dichotomy.

(b) Does article 6 cover technological protection measure systems in their whole, when the system includes independent and independently circumvented parts, which restrict access to a work, and independent and independently circumvented parts, which restrict acts that are within the subject matter of copyright law?

If the “copyright control”/“access control” dichotomy is accepted, the next logical question is to ask how it can be applied in practice. The defendants argued that CSS consists of many separate parts or “steps” which can be circumvented independently. For example CSS authentication controls essentially whether a drive can read the DVD. To compare, CSS encryption essentially controls the viewing of the content. In addition, DVDs include a code system, which is an additional technological protection measure or step on top of CSS. Region codes control the distribution of DVDs into geographically separate markets.

Obviously, only CSS authentication and the region control system have something to do with “copyright control”.27 To compare, CSS encryption is only about “access control”. The defendants, well aware of these facts, only posted source code that circumvented CSS encryption.

The courts struggled to find the facts here correctly. The appeals court however maintained that because CSS, taken as a whole, obviously had something to do with the prevention of unauthorised copying, then the circumvention of any part of it was illegal circumvention. The defendants’ tried to open this question in the Supreme Court appeal. It may be opened in the second CSS case currently pending at the appeals court.

4. Towards Limiting the Scope of Anti-Circumvention Laws

4.1. Why Are Limits Needed?

Those high-level powerbrokers like Mihály Ficsor, who years ago wrote the legislative origins of technological protection measures, perhaps never anticipated that its practical usage in national courts would be in criminal procedures against individual political activists. Little did they know that the leading cases would start from provocation.

What the Finnish CSS cases have proved, if nothing else, is that the courts are ill equipped to handle these kinds of cases. In the opinion of this author, the Finnish CSS cases should have never been litigated in the first place. Many think that the cases have been excellent examples of how the anti-circumvention laws can be misused, freedom of speech stumped, and the general image of copyright in society broken further. Thus, it is time to think how one can put sensible limits to the scope of anti-circumvention laws.28

4.2. Limits from within the Anti-Circumvention Regulation

The first sources of limits are court and administrative decisions within the anti-circumvention regulation. The Finnish CSS cases started with the district court deciding on a clear and sensible common sense limitation to the scope of technological protection measures as defined in law. The district court’s limit did not hold, however, and later decision blurred the picture. One can only hope that the European Court of Justice will one day intervene. DVD encryption could be a good pilot case because it affects millions of individuals.

One example of a sensible administrative limitation to technological protection measures comes from the United States. There, the Library of Congress has ruled a number of exceptions to the anti-circumvention law.29 One exception covers the circumvention of operator-lock software in the telecommunications network. Thus, for example all those hundreds of thousands of individuals who have circumvented the operator-lock in Apple’s popular iPhone and used other operators have probably done nothing illegal.

4.3. Limits from Constitutional, Consumer and Competition Laws

As a second source for limits one can identify a number of other laws. Constitutional laws, especially the freedom of speech, should guarantee that anyone can freely debate technological protection measures, use concrete examples, teach about them, research them, and so on. The European Court of Human Rights could possibly intervene to limit the scope of anti-circumvention regulation in this regard.

Also consumer and competition laws can bring forth clear and sensible limits. If the activists in the Finnish CSS cases would have operated a company that had developed and distributed a DVD player based on “unauthorised” circumventing source code, perhaps they could have successfully argued that the prosecutor and rights holders are essentially trying to use technological protection measures here to limit competition in separate markets for DVD players.30 In other contexts, it has been debated whether consumer or competition laws should limit how companies can use technological protection measures to lock consumers to buys from one vendor.31

4.4. Limits from Market Trends

Mihály Ficsor noted in his opinion the emergence of “open source and creative commons productions”. He however refused to acknowledge how important the efforts of “copyleft groups” are to the major multinational media companies. It is namely not only political activism but also market trends combined with specific licensing terms.

One could say that user or community created content has become the driving force of popular sharing and social networking services. There are currently hundreds of millions of works on the Internet freely available with Creative Commons licensing terms. The content in these services is most commonly distributed with rather liberal Creative Commons licences, which require that the use of the works cannot be restricted with technological protection measures.32 Also, popular open source software, which is used increasingly as the software backbone in content delivery systems licences, has licence clauses that are in conflict with technological protection measures.33 It is thus a possibility that the efforts of “copyleft groups” will eventually limit the possibilities of technology and media companies to use technological protection measures – regardless of any laws and court decisions.

 


* Research Fellow, Department POLIS, University of Eastern Piedmont, Italy, and adjunct professor, Helsinki University of Technology, Finland. The author acted as the defence counsel in the first case and advised the defence counsel in the second Finnish CSS case discussed in this article.

1 See M Välimäki, “Keep on Hacking: a Finnish court says technological measures are no longer “effective” when circumventing applications are widely available on the Internet”, SCRIPTed (2007), available at http://www.law.ed.ac.uk/ahrc/script-ed/vol4-2/valimaki.asp (accessed 1 Oct 09).

1 Legal briefs, written testimonies and judgments in the cases can be found at http://www.valimaki.com/org/docs/css/ (accessed 1 Oct 09). Some of them are in English.

2 Technically there are two appeals because there were two defendants.

3 See http://www.minedu.fi/OPM/Tekijaenoikeus/tekijaenoikeusneuvosto/?lang=en (accessed 1 Oct 09). According to the homepage: “The Finnish Government appoints the Copyright Council for three years at a time to assist the Ministry of Education in copyright matters and to issue opinions on the application of the Copyright Act. The Council is composed of representatives of the major right holders and users of protected works. The chair, vice-chair and at least one member are impartial.” In this case one must note that the council had deciding members representing the members of DVD CCA, essentially a party having a strong interest in this case. DVD CCA licences “official” CSS implementations and has litigated in the United States at least against individuals who distribute the CSS decryption algorithm. The “users” in the council are institutional users such as major broadcasters. There was no one representing end-users or consumers.

4 http://www.antipiracy.fi/ (accessed 1 Oct 09).

5 Finnish Copyright Council 2007, at 9.

6 The opinions are discussed below in section 2.2.

7 Council opinion, at 11.

8 Ibid.

9 The code probably does not work; at least it was not meant to be used to view actual DVDs. One defendant wrote it on the Internet forum just to express his criticism of the law amendment.

10 Lindsay Holman: “Technical Opinion regarding Content Scramble System (CSS)”, 6 August 2007. Futurmatix is a UK company that claims on its website http://www.futurmatix.com/ (accessed 10 Jun 09) to be a “technology research services company”. The website gives no names of any people who work in the company or details of any actual work done.

11 Holman statement, at 9.

12 Ficsor was very familiar with the details and background of the case. He quoted, for example, the author’s prior article, at note 2.

13 Ficsor statement, at 2, emphasis original.

14 Ficsor statement, at 3.

15 For scanned copies, see Wikipedia with the search term “open letter to hobbyists”.

16 Rauhala, who works as a system administration at the University of Helsinki, Department of Computer Science, was a board member of Electronic Frontier Finland, and recently he has been active in the Finnish Pirate Party. His blog is available at http://rauhala.org/blog/ (accessed 1 Oct 09).

17 The reason why an oral hearing was not arranged was that the court considered facts fully argued. The reason why the reference to a preliminary ruling was not made was purely procedural: the court said it had no obligation to ask for the ECJ’s opinion; the only court with this kind of obligation would be the Finnish Supreme Court.

18 Appeals court judgment, at 7.

19 See e.g. M Välimäki, note 2 above.

20 Appeals court judgment, at 7.

21 According to the Finnish criminal procedure, day fines are calculated from one’s daily income. In practice, the sums can be very low for students and unemployed and very high for those who have for example received high bonuses in the previous year. In this case the defendant was in the former category and the actual fine was 30 times 6 euros meaning a total of 180 euros.

22 For example, a former Finnish antipiracy centre lawyer and current private attorney Ilkka Vuorenmaa published a lengthy summary and future speculation about the cases starting with a wrong claim that “The Supreme Court has granted the leave to appeal in the case”. One week after Vuorenmaa’s article was published, the Supreme Court denied the leave to appeal. See Ilkka Vuorenmaa: “Teknisten suojakeinojen asema hahmottuu - Oikeudelliseen statukseen lisävaloa oikeuskäytännöstä” (2008), IPR Info 5/2008 [In Finnish].

23 It is rare for the Supreme Court to annul a lower court judgment. Usually an annulled judgment has a very clear and grave legal error. The Supreme Court can also annul its own decisions; this has sometimes happened when there is a new conflicting decision from a further appeal to the European Court of Human Rights.

24 Most of the questions are based on the defendants’ Supreme Court appeal in the first CSS case.

25 For example, the ECJ has decided on several trademark cases which fine tune the principles about how words such as “origin”, “distinctiveness” and “confusion” should be empirically assessed.

26 Finland has a number of freedom of speech cases pending before the European Court of Human Rights.

27 Interestingly, the government’s law proposal argued that region codes have nothing to do with copyright law and can be thus legally circumvented. Obviously this was written because the Ministry of Education, who wrote the proposal, had public pressures to counter at least some of the critique against the law. – In Laserdisken ApS v Kulturministeriet, C-479/04, 12.9.2006, the ECJ clarified that the importation of DVDs from other regions without right holder’s authorisation was against the principle of regional exhaustion in the first sale doctrine.

28 For the sake of realism, the legislative option is not considered.

29 See “Rulemaking on Exemptions from Prohibition on Circumvention of Technological Measures that Control Access to Copyrighted Works”, available at http://www.copyright.gov/1201/ (accessed 1 Oct 09).

30 This argument was used unsuccessfully in two cases in the United States: Real Networks v. DVD CCA (US District Court, Northern District of California, 11 August 2009) and DVD CCA v. Kaleidescape (California Court of Appeal 6th district, 12 August 2009). A difference in the facts of the Finnish CSS cases is that in the US cases the companies had contractual relationships with DVD CCA and wanted to extend it to develop and distribute a product that not only views but also copies DVDs.

31 See M Välimäki and V Oksanen, “DRM Interoperability and Intellectual Property Policy in Europe” (2006), 26 European Intellectual Property Review, 562-568.

32 See Creative Commons, legal code, version 3, restrictions: “When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License”.

33 See e.g. GNU General Public License, version 3, section 3: “Protecting Users' Legal Rights From Anti-Circumvention Law”.

 


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/uk/other/journals/Script-ed/2009/6_3_SCRIPTed_702.html