[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [dvd-discuss] Are CSS licensees stillunderconfidentialityrestrictions?
- To: dvd-discuss(at)lweb.law.harvard.edu
- Subject: Re: [dvd-discuss] Are CSS licensees stillunderconfidentialityrestrictions?
- From: "John Zulauf" <johnzu(at)ia.nsc.com>
- Date: Fri, 07 Dec 2001 18:03:21 -0700
- References: <OF78B2F7ED.1BEED871-ON88256B1B.0081A423@aero.org>
- Reply-to: dvd-discuss(at)cyber.law.harvard.edu
- Sender: owner-dvd-discuss(at)cyber.law.harvard.edu
My curiousity was spark to see if the was a master list of keys...
checking one of the DeCSS mirrors http://www.free-dvd.org.lu/#files
proved fruitful and I found the file of keys.
Next, I mailed our corporate counsel the following question. Given that
(a) we are liable for losses based on the use of our master key and (b)
all master keys (including ours) are in the list; what happens if a
hacker posts a DVD cracking tool and just randomly (bad luck) picks OUR
KEY? We can't prove a negative (that we didn't leak the key), and the
Confidentiality Exemption Clause has no provision for the general public
knowledge of the keys. This only gets worse if the secrecy requirements
are considered the basis for criminal as well as civil liability. I'm
sure glad I'm not one of the three who know the National key. (Well
after looking at the list, I don't know SPECIFICALLY which one is the
National
key.)
So... how is any DVD CCA licensee to defend themselves from breach
accusations, as all the keys are now known. None of us can prove we
didn't conspire to release all of our super secret information.
Yikes!
.002
Michael A Rolenz wrote:
>
> The language make my head hurt just reading it....Suppose somebody builds
> a complete DVD player REed squeeky clean, doesn't infringe upon any
> patents (you can't patent what something does only how it does it) and
> THEN offered it for sale. Are THEY selling circumvention devices too? You
> buy the DVD and play it on their machine just the same as anybody elses
> machine.
>
> Let's take this one step further on the RE keys.
>
> Suppose I had a program that ran through the keys entering them into the
> machine
>
> Enter valid DVD key-0000001-Bad Key
> Enter valid DVD key-0000002-Bad Key
>
> etc
> etc
> and several butcher's aprons
>
> Enter valid DVD key -24532464-Good key
>
> If this is done with a computer then presumably THAT program becomes a
> circumvention device. But what of your list of REe'd keys. I can punch in
> one of those can't I? Does that file become a circumvention device too
> merely because it holds data? What of my editor that allows me to read
> that file? So I write a shell script to call up the editor on that file
> automatically or do a dialog "what kind of DVD player do you want to be
> today?""natsushita 3424xprt","the key is 4534534535". All of this is
> circumvention right? But what if the key has been revoked for my player?
> Would somebody who makes players that plays cds issued after a key has
> been revoked be creating a circumvention device? I have the authority of
> the copyright holder only to play a DVD on machines made with the
> authority of the copyright holder who has decided that he doesn't want to
> give the the authority to play new DVDs on my old machine. enough
> blathering on......
>
> What's making my head hurt even more now is wondering "What's a
> circumvention device?"
>
> "John Zulauf" <johnzu@ia.nsc.com>
> Sent by: owner-dvd-discuss@lweb.law.harvard.edu
> 12/07/01 02:47 PM
> Please respond to dvd-discuss
>
>
> To: dvd-discuss@lweb.law.harvard.edu
> cc:
> Subject: [dvd-discuss] Are CSS licensees still under confidentiality restrictions?
>
> Looking at the DVD-CCA license agreement, the following caught my eye:
>
> <blockquote>
>
> (h) Confidentiality Exceptions. The confidentiality restrictions
> contained in Sections 5.2(a), (b) and (c) herein shall not apply to
> information that Licensee can demonstrate: (i) is either Confidential or
> Highly Confidential Information which is or becomes generally known to
> the public through no breach of Licensee's obligations owed to [Blank]
> hereunder and which [Blank] failed to remove from public availability or
> to enjoin such public disclosure within ninety (90) days after the date
> such information is or becomes generally known as set forth above; or
> (ii) is or has been developed by Licensee's employees (whether
> independently or jointly with others) without having access (whether
> directly or through any intermediaries) to any such Confidential
> Information or Highly Confidential Information (or any translation,
> derivation or abstractions of Confidential Information or Highly
> Confidential Information) and without any breach of Licensee's
> obligations to [Blank] , provided that the confidentiality restrictions
> shall continue to apply to DVD Keys provided to Licensee.
>
> </blockquote>
>
> (1) Continuing confidentiallity requirements?
> The key phrase is "failed to remove from public availability or to
> enjoin such public disclosure within ninety (90) days after the date
> such information is or becomes generally known". Does the word "enjoin"
> mean to obtain an injunction of, or to seek an injunction the release of
> the information. Clearly this information has been available for far
> more than 90 days, and with the recent court decision, it's not going
> away.
>
> IANAL -- those who are, are the CSS licensee's still under
> confidentiallity constraints.
>
> (2) doesn't (h) (ii) leave open the door for a licensee to do a clean
> room CSS decoder, or in fact use DeCSS, as long as they don't release
> the keys? Or is it saying, once a clean room CSS is developed, the
> confidentiality is dead?
>
> How does this play against Kaplan's argument about DeCSS as bad and CSS
> good simply because of their authorization? Kaplan referred to the used
> of unauthorized "keys" as key. Thus if a DeCSS implementation didn't
> include the key's it wouldn't be banned? So adding a dialog, "please
> enter authorized DVD key" would turn DeCSS from sinner to saint?
>
> Here's the *really* *wierd* *part*
>
> <blockquote> (5.2) (b) (ii) (3)
> Notwithstanding any contrary provision, Licensee shall under no
> circumstances disseminate any DVD Keys (as defined in CSS
> Specifications) to more than three (3) Authorized Employees
> </blockquote>
>
> This would seem to say that even if keys become common knowledge, the
> licensee's are still required to keep them secret. Is that
> enforceable? What makes the keys different from the CSS algorithm or
> other DVD-CCA license agreement elements. If I read on the web an RE'd
> list of all of the DVD player keys (has anyone posted them?) I still
> must honor the secrecy of these keys... hmmm.
>
> .002