6 June 2000
Source: Frankfurt, Garbus, Klein & Selz for 2600.


[13 pages; exhibits omitted here.]

Leon P. Gold (LG-1434)
William M. Hart (WH-1604)
1585 Broadway
New York, New York 10036
(212) 969-3000 Telephone
(212) 969-2900 Facsimile

Jon A. Baumgarten
1233 20th Street, N.W., Suite 800
Washington, DC 20036-2396
(202) 416-6800 Telephone
(202) 416-6899 Facsimile

Attorneys for Plaintiffs









00 Civ. 0277 (LAK)(RLE)


Second Supplemental Declaration of Robert W. Schumann

I declare, under penalty of perjury, as follows:

1. I am the President and Chief Executive Officer of Cinea, LLC, a digital content security firm. This Declaration is submitted in further support of plaintiffs' motion to modify the preliminary injunction issued in this case on January 20, 2000 and in opposition to defendants' motion to vacate that injunction. In this Declaration, I focus on the following:

a. Defendants' claim that DeCSS has no use in connection with the copying or "piracy" of DVD movies.

b. Defendants' claim that widespread proliferation of DeCSS is justified because there is legitimate academic, commercial or scientific value in doing so.

2. I make this Declaration based upon my own personal knowledge, including my review of the declarations submitted on behalf of the defendants discussed below, as well as other documents and things referred to in this declaration. I could and would competently testify to the matters set forth below should I be called as a witness before this Court.

3. Defendants claim that there is no evidence of copying or piracy as a result of the use of DeCSS. In doing so, defendants ignore one fundamental truth which is inescapable -- that DeCSS is designed and functions to decrypt and copy the DVD content to the computer hard drive. This copying process was described in detail in my original declaration in this action, dated January 19, 2000. See ¶¶ 2-4. Indeed, as I noted, "[s]uch copying is not an essential step to decryption or viewing of CSS-protected DVD content and would not be desirable from a functional standpoint if the purpose of the utility was to allow playback rather than copying."

4. Defendants' premise that DeCSS does not enable "piracy" is mistaken unless defendants intend to exclude the real threat faced by content owners in the Internet era: the unauthorized copying and transmission by and among a vast number of individual computer users of copyrighted works utilizing compression technologies that enable a considerable amount of data to be copied, stored and transferred in a much more manageable form. Compare Stevenson Decl. at ¶ 21 ("I've seen no direct evidence indicating any commercial piracy using that utility [DeCSS]. In part, I believe this is because 'pirates' who wish to sell movies need to put them on media that is convenient for distribution.")

5. As explained below, the explosive growth of the Internet as a means to 'pirate' copyrighted works of entertainment does not depend, at all, upon the creation of counterfeit discs but, instead, relies entirely on computer-based storage and file transfer technologies, without the need to ever reduce the unauthorized copy to a physical disc, such as a DVD or CD. Perhaps the best known example is the use of so-called "MP3" (which is itself a compression technology) that has become ubiquitous in the digital copying and transmission of audio recordings on the Internet. Such technologies are not, however, confined solely to use in connection with audio recordings. For example, the well-known "Napster" system over which there has been considerable press coverage, see Exh. 1, (and which is the subject of ongoing litigation) also has a recently released variant, referred to as "Wrapster," which enables the digital copying and Internet transmission of other types of copyrighted material including audiovisual works. See e.g., Exh. 2.

6. Even more threatening, however, is the emergence of high ratio compression technologies, such as DivX. This compression technology enables users to take a full length movie and "shrink" it considerably in size, far reducing the amount of storage space and transfer time required to make a movie available on the Internet. See, e.g., "Movie pirates hitting prime time (Thanks to new compression scheme, film piracy thrives on the Net)," CNBC & The Wall Street Journal.Business, May 10, 2000, Exh. 3 hereto. One of defendants' many declarants recognized as much: "there are also indications that future codecs (compression methods) will allow full-length movies to be stored on a single CD-Rom . . .". See Stevenson Decl., ¶ 28.

7. Moreover, while the various examples cited in defendants' papers rely on fairly low bandwidth devices, such as 56K modem connections, the real users of these technologies already enjoy and have access to systems of far greater bandwidth. For example, most colleges and universities provide 100Mbps ethernet connections to all dorm rooms, and the cost of 100 Mbps ethernet adaptors for PCs is well under $30. A 5 gigabyte DVD disc image can be transferred over a 100 Mbps ethernet link in under 7 minutes, and can be easily watched over that same link without even requiring storage on the receiving computer. That same 5 gigabyte DVD image when compressed using a high compression Codec such as DivX will have a size of approximately 1.2 gigabytes allowing it to be transferred on that same 100 Mbps link in under 2 minutes, or stored for posterity's sake on 2 CD-R discs which currently cost less than $1 each.

8. As may already be apparent, the most concentrated activity in the unauthorized digital copying and Internet transmission of pirated copies occurs among college-age students. This is not only because of the demographics of age and interest, but also because access to wideband systems is readily available to them. See Exh. 4. These wideband systems are becoming increasingly common elsewhere. See Exh. 5.

9. A front page article of the New York Times was recently devoted to the emergence of a host of new "file-sharing" technologies, such as Gnutella, Imesh, FreeNet and others. See Exh. 2. One of the principal threats posed by many of these technologies is their anonymity. They enable users to copy and transfer digital content in a manner that is virtually undetectable because there is no central index or server through which information or content is routed. As a result, these technologies enable users who download the enabling software to host, transmit, request and receive any variety of copyrighted matter, including audiovisual content, through an almost infinite network of computers containing like software. These systems are decentralized and structured in such a way that no one user can ascertain the identity or location of the files of any of the thousands or millions of other users with whom he or she is connecting, much like a "spy network" prevents any one participant from knowing more than a few contacts that can be "compromised." These technologies have received considerable attention since their emergence in the past two or three months precisely because of the threat posed to content owners. See, also The Washington Post, "E-Power to the People, New Software Bypasses Internet Service Providers," May 18, 2000, Section A, pg. 1, Exh. 6 hereto.

10. The value of DeCSS in this context has not gone unnoticed. A recent article in the Toronto Star explains precisely how a computer user can take advantage of the DivX compression technology described above, in combination with DeCSS to enable the decryption, copying and storage of DVD movies. See Exh. 3. See, also, "DVD 'Ripping' Revisited," Toronto Star, May 4, 2000, Exh. 7 hereto (explaining how DivX compression technology can be used in conjunction with DeCSS to decrypt and compress DVD movies).

11. In effect, these file-sharing technologies enable users to highly compress and transmit unauthorized copies of movies over the Internet via broadband connections (any single transmission to a single student on a college campus will then suffice as a ready source for proliferation throughout that entire community). DeCSS, as a decryption device, enables the user to decrypt and copy the DVD film in digital form to accomplish this.

12. The impact of these new technologies is obvious. Indeed, many of them were not even publicly known at the time of the January 20 hearing in this matter. These technologies are not only being refined and further developed constantly, see, e.g., Exh. 8, but the combination of increased bandwidth, high ratio compression devices and DeCSS, makes the unauthorized digital copying and electronic transmission of DVD movies a reality. A decryption device such as DeCSS is an essential element of this form of piracy. Just like the unauthorized copying and file-sharing of MP3 audio recordings, which until recently were confined to the fringe elements of the Internet, the ready availability of DeCSS to decrypt DVD movie content threatens to create a huge market for the widespread unauthorized copying and electronic transmission of copyrighted DVD films.

13. Defendants contend that the use of DeCSS in connection with such Internet piracy of movies is impractical, if not impossible. Thus, in paragraph 10 of Matt Pavlovich's Declaration, there is a statement to the effect that "[a]ny effort to simply play the unencrypted content stored on a harddisc or other large medium would be futile, due to the fact that there is no known player that can play from anything but a DVD disc." This is wrong. Using DeCSS I copied and decrypted all of the files from the movie "You've Got Mail" to the hard drive of a new Windows 98-based PC. After the copying was complete, I attempted to play back the decrypted movie from the files on the hard drive using a variety of commercial DVD software. All of the packages used allowed me to view the basic movie content and one of the packages (XingDVD) allowed me to play back the entire set of files with full DVD functionality. The playback devices included the Windows MediaPlayer software which ships with the Windows 98 operating system. The playback software that I tested was: PowerDVD, XingDVD, Windows MediaPlayer, and WinDVD. All of these software packages are readily available for downloading from the Internet. The audio-video playback was flawless and of exactly the same quality as that experienced when the content was viewed directly from the DVD disc itself.

14. Defendants claim that existing writeable DVD technologies are incompatible with each other and with commercially available DVD players. Although defendants are incorrect in large part (DVD-R is compatible with all existing DVD drives and DVD-RW will be readable in newer generation drives), defendants seem to ignore the real point. That is, there is no need for someone to copy or "burn" movie content onto a portable disc such as a DVD or CD-Rom when it can be stored and accessed via the Internet. Compare Gilmore Decl. at ¶ 21; Stevenson Decl. at ¶ 21. Indeed, this is precisely the pattern now engaged in with respect to unauthorized audio recordings on the Internet and is effectively the same model upon which the new "file-sharing" technologies described above are based, with the capability to share video files. In this context, the alleged incompatibility of various storage media is largely irrelevant since movie files can be stored on digital tape, on accessory hard drives or the like and accessed and transmitted via the Internet without the need to access or play a particular type of physical disc as part of the process. One can store compressed video files on the following storage media at little cost: Online storage using hard drives, the most expensive option, can be had for as little as $210 for a 30 Gigabyte disc drive, enough storage for 20 DivX compressed motion pictures. Offline storage is considerably cheaper. For example, 4MM DAT tapes for the Sony DD2-2 tape drives cost as little as $9 each: each tape is capable of holding 3-5 DivX compressed motion pictures. Finally writeable CDs are widely available for less than $1 each, with only two of them needed to hold a DivX compressed motion picture.

15. Defendants also contend that one need not use DeCSS to achieve this result. Chris DiBona's Declaration, ¶¶ 16-21 suggests that even a CSS licensed DVD player enables copying of the file data into the hard drive. What Mr. DiBona does not make clear in his declaration, however, is that this data remains encrypted and thus, cannot be played from the hard drive, at least in a CSS licensed DVD player. Thus, contrary to Mr. DiBona's suggestion, an authorized DVD playing program is not "a DeCSS equivalent," since DeCSS decrypts and copies the unencrypted data to the hard drive or other storage medium. As explained above, in paragraph 3 of this declaration, the copying of the unencrypted data is neither necessary nor appropriate to such a playback function. For this reason, CSS licensed Linux players (there are at least two to my knowledge, see Exh. 10) follow the regime mandated for CSS licensed DVD players in preventing user access to the unencrypted data file for any purpose other than playback. The quality problems experienced by Mr. DiBona and other of the declarants have nothing to do with CSS or DeCSS and are purely a function of the player environment. DeCSS would not cause a diminution in playback quality of either audio or video elements. One does not "play back" through DeCSS as such, because DeCSS is not a player.

16. Although defendants justify the indiscriminate proliferation of DeCSS as part of a legitimate reverse engineering effort to develop an unlicensed Linux-based DVD player, the fact remains that unrestricted distribution of this utility does little to serve such a reverse engineering process, for a number of reasons. First, the premise that DeCSS has value in analyzing the operation of the DVD player itself is suspect. There are a considerable number of DVD discs that are released without CSS encryption and can be and have been used in the development of the DVD player function. See Exh. 11. It is also possible to create and analyze any set of DVD structures by creating test content using a variety of low-cost authoring tools. These include tools such as the "Sonic DVDit!" tool which is already bundled with consumer PCs. See Exhibit 12. It is particularly cumbersome to conduct reverse engineering of DVD by means of unencrypted movie content stored on a hard drive. To "debug" from such a file containing billions of bits is literally like looking for a needle in a haystack. It is far more helpful to use DVD analysis tools instead. To the extent that the study of CSS itself is relevant, defendants' declarant, Wagner, acknowledges that there is little need to do so because DeCSS "effectively . . . substituted for or constituted that part of the entire job of reverse engineering a DVD player." Wagner Decl., ¶ 16. That is, DeCSS is not being used for study, but rather for its decryption/copy function. Moreover, as another of defendants' declarants acknowledged in a comment he made on the Internet about the value of reverse engineering in this context:

[since] most cryptanalysts don't have the skills for reverse-engineering (I find it tedious and boring), they never bother analyzing the systems. This is why COMP128, CMEA, ORYX, the Firewire cipher, the DVD cipher, and the Netscape PRNG were all broken within months of their disclosure (despite the fact that some of them have been widely deployed for many years); once the algorithm is revealed, it's easy to see the flaw, but it might take years before someone bothers to reverse-engineer the algorithm and publish it. Contests don't help.

Statement of Bruce Schneier, August 26, 1999, Exh. 13.

17. This becomes even more apparent when one considers the proliferation of DeCSS in object code form. As Mr. Wagner acknowledges, there is little to be discerned from object code iterations of DeCSS: "[H]igh-level source code is much easier for humans to understand than the low-level computer instructions found in DVD players". See Wagner, ¶ 16. Arguments concerning the need to proliferate DeCSS as part of a reverse engineering effort thus fall short of justifying widespread dissemination of the object code utility.

18. Nonetheless, defendants' declarants seem to focus almost entirely on source code, rather than the object code versions of DeCSS that are being proliferated. Thus, Dr. Touretzky's site, apparently created after the Court's January 20, 2000 injunction, is one which he claims does not make "the binary executable file for the program known as DeCSS" available. Touretzky Decl. at ¶ 2. Posting source code is not, however, always the norm. The curriculum vitae attached to Mr. Stevenson's declaration makes clear that he considered his hack (of a Norwegian security company's encryption system) as one which "deemed keeping the details of this finding secret as the most responsible course of action." The persons who were engaged in development of an unlicensed Linux DVD player expressed similar concerns about the propriety of posting DeCSS to the Internet. See, e.g., attachments to Exh. B of my earlier Reply Declaration.

19. I am troubled by the notion that academic, scientific or other interests would enable persons to furnish a decryption program (in source or object code) with impunity, particularly where its publication is a subterfuge for providing the utility. I believe that Dr. Touretzky actually makes this point quite clearly in his declaration. He claims to have assembled a variety of different source code iterations of DeCSS and to have posted them to his web site solely to prove that any of these source code versions can be readily converted or compiled into an executable utility. I do not regard this as an exercise in reverse engineering. I am also hard-pressed to understand why commentary on code would necessarily require posting or linking to it in a manner which enables others to download and use it as a utility. I find it ironic that, on the one hand, defendants claim that CSS was an ineffective security device but on the other hand, that there is great interest in studying it and, for that reason, its wholesale proliferation on the Internet should be justified.

20. As I explained in my recent deposition, CSS is certainly not a weak encryption program; it was not "cracked" until some three years after it was embodied in authorized DVD players and discs and then, as stated above, only after the algorithm was disclosed. See Exh. 14.

21. The suggestion that CSS was a weak system because it was cracked is a meaningless test of its "effectiveness." As declarant Wagner acknowledges, the whole purpose of cryptography and security testing is to defeat security systems. According to Wagner, it is "fundamentally impossible" to secure any such system against the efforts of dedicated individuals. If this premise were in any way controlling, there would be absolutely no need for any law whatsoever with respect to hacking or circumvention. Just because a small set of individuals can break the code does not mean that CSS is ineffective as an encryption device. This would be like saying that just because certain professional safe-crackers are capable of "cracking" a bank vault, that bank vaults are not considered effective security devices.

22. Defendants also suggest that DeCSS is not unique and that there are other readily available utilities which perform essentially the same function. See, e.g., Stevenson Decl., ¶¶ 16-18, where Stevenson claims that DODsripper "predates DeCSS" but, at the same time, claims that until DeCSS was made available, existing tools were impractical to use. In fact, DODsripper and the later "PowerRipper" discussed in ¶ 18 of Mr. Stevenson's declaration do not perform the same function as DeCSS, for the following reasons: PowerRipper is fundamentally different in that it does not even perform the actual decryption. PowerRipper requires the use of separate DVD playback software to actually read and decrypt the content. PowerRipper then parasitically attaches itself to the legitimate player and takes the decrypted content from the computer's RAM and sends it to the hard-drive for storage. PowerRipper is significantly less functional than DeCSS in several respects, including a very cumbersome and difficult to use environment due to the multitude of programs required. More importantly, PowerRipper is only able to extract the content actually "viewed" through the normal player, thus many additional features, additional soundtracks, etc. are not available. DOD's SpeedRipper solved some of the deficiencies in PowerRipper, most notably that SpeedRipper performed the CSS decryption itself, thus not requiring an external "viewer" program. SpeedRipper has several problems though, which made it a far less useful device than DeCSS as a stand-alone decryption device. It did not have a Windows user interface and is very cumbersome to use, and most importantly does not have a complete CSS decryption implementation. SpeedRipper was unable to decrypt the movie "The Matrix," as noted in one of the postings attached as Exhibit C to my January 19, 2000 Reply Declaration. DeCSS solved these deficiencies in SpeedRipper, providing a more robust CSS decryption capability and a standard, and easily used, Windows interface. Some of the other software mentioned in Stevenson's Declaration (paragraph 14), includes CSS_auth which is not a decryption device, CSS_descramble.c which is source code for the CSS decryption algorithm; anonymous source.c which is also CSS source code for the decryption algorithm and CSS_cat, which will, with other tools, perform a decryption function, but has no real user interface, unlike DeCSS. There is also a program called readdvd (Gilmore, paragraph 14) which also has no real user interface. I believe that the reason why DeCSS is being so widely proliferated is because it is in the Windows environment and is far more effective and far easier to use than any other unauthorized program that could be used to decrypt CSS.

23. As I also stated in my recent deposition, CSS and the decryption of it via DeCSS has nothing to do with protecting so-called regional coding or any mechanism which prevents consumers from fast-forwarding through the initial audiovisual information contained on a DVD disc (which includes copyright infringement warnings, and the like). Defendants are incorrect in their claim that DeCSS is necessary to bypass what they regard as an offensive restriction on their ability to play DVD discs universally or to bypass some alleged inability to fast-forward through promotional trailers at the beginning of a disc. See Exh. 15. I note that Mr. Corley claims not to even own a DVD player or to have utilized DeCSS, so I am not sure why he believes this to be the case.

24. Finally, defendants suggest that browser programs of users automatically convert plaintext references to hyperlinks without any action on the part of the person who posted the plaintext reference, e.g., on a web page. This statement is attributed to Professor Moglen. From my reading of his declaration, he made no such claim. (There is an unsupported statement to this effect in ¶ 5 of the Fries declaration.)

25. In my previous Supplemental Declaration of April 3, at paragraph 5, I discussed that some commercially available software will automatically convert plaintext references to worldwide web addresses into hyperlinks, but only for authoring or non-browser software such as Word. While theoretically possible for a browser to perform this function, this seemed to me not only to be unlikely, but unnatural and counter to the basic function of a browser, which is to display the received HTML following the specific instructions contained within the HTML command syntax. HTML has very clear distinctions between "plaintext" and hyperlinked, or other specialized, text. To test this, I built a small text string described as both a "hyperlink" and as plaintext. I have attached as Exh. 16 the results of viewing this HTML document on the two most popular browsers used (Netscape, versions 6.0b1 and version 4.6, and Internet Explorer v3.03). As is evident, none of these browsers converts the plaintext, "www.yahoo.com" or "http://www.yahoo.com" into hyperlinks. As Professor Moglen well knows, links do not admit of any discretion in the sense that Professor Moglen suggests. Professor Moglen's arguments (¶ 10 of his Declaration) about the lack of control that the linking party has over the content contained on the "linked to" site would seem to have nothing to do with the issues in this case. See my April 3, 2000 (First) Supplemental Declaration at ¶ 8.

I declare under penalty of perjury, that the foregoing is true and correct.

Dated: June 1, 2000


Robert W. Schumann