Universal City Studios, Inc. v. Reimerdes

(S.D. N.Y 2000)


111 F. Supp. 2d 294

Decided August 17, 2000

Lewis A. Kaplan, District Judge.

Plaintiffs, eight major United States motion picture studios, distribute many of their copyrighted motion pictures for home use on digital versatile disks ("DVDs"), which contain copies of the motion pictures in digital form. They protect those motion pictures from copying by using an encryption system called CSS. CSS-protected motion pictures on DVDs may be viewed only on players and computer drives equipped with licensed technology that permits the devices to decrypt and play--but not to copy--the films.

Late last year, computer hackers devised a computer program called DeCSS that circumvents the CSS protection system and allows CSS-protected motion pictures to be copied and played on devices that lack the licensed decryption technology. Defendants quickly posted DeCSS on their Internet web site, thus making it readily available to much of the world. Plaintiffs promptly brought this action under the Digital Millennium Copyright Act (the "DMCA") to enjoin defendants from posting DeCSS and to prevent them from electronically "linking" their site to others that post DeCSS. Defendants responded with what they termed "electronic civil disobedience" --increasing their efforts to link their web site to a large number of others that continue to make DeCSS available.

Defendants contend that their actions do not violate the DMCA and, in any case, that the DMCA, as applied to computer programs, or code, violates the First Amendment. This is the Court's decision after trial, and the decision may be summarized in a nutshell.

Defendants argue first that the DMCA should not be construed to reach their conduct, principally because the DMCA, so applied, could prevent those who wish to gain access to technologically protected copyrighted works in order to make fair--that is, non-infringing--use of them from doing so. They argue that those who would make fair use of technologically protected copyrighted works need means, such as DeCSS, of circumventing access control measures not for piracy, but to make lawful use of those works.

Technological access control measures have the capacity to prevent fair uses of copyrighted works as well as foul. Hence, there is a potential tension between the use of such access control measures and fair use. Defendants are not the first to recognize that possibility. As the DMCA made its way through the legislative process, Congress was preoccupied with precisely this issue. Proponents of strong restrictions on circumvention of access control measures argued that they were essential if copyright holders were to make their works available in digital form because digital works otherwise could be pirated too easily. Opponents contended that strong anticircumvention measures would extend the copyright monopoly inappropriately and prevent many fair uses of copyrighted material.

Congress struck a balance. The compromise it reached, depending upon future technological and commercial developments, may or may not prove ideal. But the solution it enacted is clear. The potential tension to which defendants point does not absolve them of liability under the statute. There is no serious question that defendants' posting of DeCSS violates the DMCA.

Defendants' constitutional argument ultimately rests on two propositions--that computer code, regardless of its function, is "speech" entitled to maximum constitutional protection and that computer code therefore essentially is exempt from regulation by government. But their argument is baseless.

Computer code is expressive. To that extent, it is a matter of First Amendment concern. But computer code is not purely expressive any more than the assassination of a political figure is purely a political statement. Code causes computers to perform desired functions. Its expressive element no more immunizes its functional aspects from regulation than the expressive motives of an assassin immunize the assassin's action.

In an era in which the transmission of computer viruses--which, like DeCSS, are simply computer code and thus to some degree expressive--can disable systems upon which the nation depends and in which other computer code also is capable of inflicting other harm, society must be able to regulate the use and dissemination of code in appropriate circumstances. The Constitution, after all, is a framework for building a just and democratic society. It is not a suicide pact.

* * *

II. The Digital Millennium Copyright Act

A. Background and Structure of the Statute

In December 1996, the World Intellectual Property Organization ("WIPO"), held a diplomatic conference in Geneva that led to the adoption of two treaties. Article 11 of the relevant treaty, the WIPO Copyright Treaty, provides in relevant part that contracting states "shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law."

The adoption of the WIPO Copyright Treaty spurred continued Congressional attention to the adaptation of the law of copyright to the digital age. Lengthy hearings involving a broad range of interested parties both preceded and succeeded the Copyright Treaty. As noted above, a critical focus of Congressional consideration of the legislation was the conflict between those who opposed anti-circumvention measures as inappropriate extensions of copyright and impediments to fair use and those who supported them as essential to proper protection of copyrighted materials in the digital age. The DMCA was enacted in October 1998 as the culmination of this process.

The DMCA contains two principal anticircumvention provisions. The first, Section 1201(a)(1), governs "the act of circumventing a technological protection measure put in place by a copyright owner to control access to a copyrighted work," an act described by Congress as "the electronic equivalent of breaking into a locked room in order to obtain a copy of a book." The second, Section 1201(a)(2), which is the focus of this case, "supplements the prohibition against the act of circumvention in paragraph (a)(1) with prohibitions on creating and making available certain technologies . . . developed or advertised to defeat technological protections against unauthorized access to a work." As defendants are accused here only of posting and linking to other sites posting DeCSS, and not of using it themselves to bypass plaintiffs' access controls, it is principally the second of the anticircumvention provisions that is at issue in this case.

B. Posting of DeCSS

Section 1201(a)(2) of the Copyright Act, part of the DMCA, provides that:

"No person shall . . . offer to the public, provide or otherwise traffic in any technology . . . that--

"(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under [the Copyright Act];

"(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under [the Copyright Act]; or

"(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under [the Copyright Act]."
In this case, defendants concededly offered and provided and, absent a court order, would continue to offer and provide DeCSS to the public by making it available for download on the 2600.com web site. DeCSS, a computer program, unquestionably is "technology" within the meaning of the statute. "Circumvent a technological measure" is defined to mean descrambling a scrambled work, decrypting an encrypted work, or "otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner," so DeCSS clearly is a means of circumventing a technological access control measure. In consequence, if CSS otherwise falls within paragraphs (A), (B) or (C) of Section 1201(a)(2), and if none of the statutory exceptions applies to their actions, defendants have violated and, unless enjoined, will continue to violate the DMCA by posting DeCSS. . . .

Perhaps the centerpiece of defendants' statutory position is the contention that DeCSS was not created for the purpose of pirating copyrighted motion pictures. Rather, they argue, it was written to further the development of a DVD player that would run under the Linux operating system, as there allegedly were no Linux compatible players on the market at the time. The argument plays itself out in various ways as different elements of the DMCA come into focus. But it perhaps is useful to address the point at its most general level in order to place the preceding discussion in its fullest context.

As noted, Section 1201(a) of the DMCA contains two distinct prohibitions. Section 1201(a)(1), the so-called basic provision, "aims against those who engage in unauthorized circumvention of technological measures . . . . [It] focuses directly on wrongful conduct, rather than on those who facilitate wrongful conduct . . . ." Section 1201(a)(2), the anti-trafficking provision at issue in this case, on the other hand, separately bans offering or providing technology that may be used to circumvent technological means of controlling access to copyrighted works. If the means in question meets any of the three prongs of the standard set out in Section 1201(a)(2)(A), (B), or (C), it may not be offered or disseminated.

As the earlier discussion demonstrates, the question whether the development of a Linux DVD player motivated those who wrote DeCSS is immaterial to the question whether the defendants now before the Court violated the anti-trafficking provision of the DMCA. The inescapable facts are that (1) CSS is a technological means that effectively controls access to plaintiffs' copyrighted works, (2) the one and only function of DeCSS is to circumvent CSS, and (3) defendants offered and provided DeCSS by posting it on their web site. Whether defendants did so in order to infringe, or to permit or encourage others to infringe, copyrighted works in violation of other provisions of the Copyright Act simply does not matter for purposes of Section 1201(a)(2). The offering or provision of the program is the prohibited conduct--and it is prohibited irrespective of why the program was written, except to whatever extent motive may be germane to determining whether their conduct falls within one of the statutory exceptions.

Earlier in the litigation, defendants contended that their activities came within several exceptions contained in the DMCA and the Copyright Act and constitute fair use under the Copyright Act. Their post-trial memorandum appears to confine their argument to the reverse engineering exception. In any case, all of their assertions are entirely without merit.

Reverse engineering

Defendants claim to fall under Section 1201(f) of the statute, which provides in substance that one may circumvent, or develop and employ technological means to circumvent, access control measures in order to achieve interoperability with another computer program provided that doing so does not infringe another's copyright and, in addition, that one may make information acquired through such efforts "available to others, if the person [in question] . . . provides such information solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement . . . ." They contend that DeCSS is necessary to achieve interoperability between computers running the Linux operating system and DVDs and that this exception therefore is satisfied. This contention fails.

First, Section 1201(f)(3) permits information acquired through reverse engineering to be made available to others only by the person who acquired the information. But these defendants did not do any reverse engineering. They simply took DeCSS off someone else's web site and posted it on their own.

Defendants would be in no stronger position even if they had authored DeCSS. The right to make the information available extends only to dissemination "solely for the purpose" of achieving interoperability as defined in the statute. It does not apply to public dissemination of means of circumvention, as the legislative history confirms. These defendants, however, did not post DeCSS "solely" to achieve interoperability with Linux or anything else.

Finally, it is important to recognize that even the creators of DeCSS cannot credibly maintain that the "sole" purpose of DeCSS was to create a Linux DVD player. DeCSS concededly was developed on and runs under Windows--a far more widely used operating system. The developers of DeCSS therefore knew that DeCSS could be used to decrypt and play DVD movies on Windows as well as Linux machines. They knew also that the decrypted files could be copied like any other unprotected computer file. Moreover, the Court does not credit Mr. Johansen's testimony that he created DeCSS solely for the purpose of building a Linux player. Mr. Johansen is a very talented young man and a member of a well known hacker group who viewed "cracking" CSS as an end it itself and a means of demonstrating his talent and who fully expected that the use of DeCSS would not be confined to Linux machines. Hence, the Court finds that Mr. Johansen and the others who actually did develop DeCSS did not do so solely for the purpose of making a Linux DVD player if, indeed, developing a Linux-based DVD player was among their purposes.

Accordingly, the reverse engineering exception to the DMCA has no application here.

Encryption research

Section 1201(g)(4) provides in relevant part that:
"Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--
"(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and

"(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2)."
Paragraph (2) in relevant part permits circumvention of technological measures in the course of good faith encryption research if:
"(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

"(B) such act is necessary to conduct such encryption research;

"(C) the person made a good faith effort to obtain authorization before the circumvention; and

"(D) such act does not constitute infringement under this title . . . ."
In determining whether one is engaged in good faith encryption research, the Court is instructed to consider factors including whether the results of the putative encryption research are disseminated in a manner designed to advance the state of knowledge of encryption technology versus facilitation of copyright infringement, whether the person in question is engaged in legitimate study of or work in encryption, and whether the results of the research are communicated in a timely fashion to the copyright owner.

Neither of the defendants remaining in this case was or is involved in good faith encryption research. They posted DeCSS for all the world to see. There is no evidence that they made any effort to provide the results of the DeCSS effort to the copyright owners. Surely there is no suggestion that either of them made a good faith effort to obtain authorization from the copyright owners. Accordingly, defendants are not protected by Section 1201(g).

Security testing

Defendants contended earlier that their actions should be considered exempt security testing under Section 1201(j) of the statute. This exception, however, is limited to "assessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting [of a] security flaw or vulnerability, with the authorization of the owner or operator of such computer system or computer network."

The record does not indicate that DeCSS has anything to do with testing computers, computer systems, or computer networks. Certainly defendants sought, and plaintiffs' granted, no authorization for defendants' activities. This exception therefore has no bearing in this case. . . .

C. Linking to Sites Offering DeCSS

Plaintiffs seek also to enjoin defendants from "linking" their 2600.com web site to other sites that make DeCSS available to users. Their request obviously stems in no small part from what defendants themselves have termed their act of "electronic civil disobedience" --their attempt to defeat the purpose of the preliminary injunction by (a) offering the practical equivalent of making DeCSS available on their own web site by electronically linking users to other sites still offering DeCSS, and (b) encouraging other sites that had not been enjoined to offer the program. The dispositive question is whether linking to another web site containing DeCSS constitutes "offering [DeCSS] to the public" or "providing or otherwise trafficking" in it within the meaning of the DMCA. Answering this question requires careful consideration of the nature and types of linking.

Most web pages are written in computer languages, chiefly HTML, which allow the programmer to prescribe the appearance of the web page on the computer screen and, in addition, to instruct the computer to perform an operation if the cursor is placed over a particular point on the screen and the mouse then clicked. Programming a particular point on a screen to transfer the user to another web page when the point, referred to as a hyperlink, is clicked is called linking. Web pages can be designed to link to other web pages on the same site or to web pages maintained by different sites.

As noted earlier, the links that defendants established on their web site are of several types. Some transfer the user to a web page on an outside site that contains a good deal of information of various types, does not itself contain a link to DeCSS, but that links, either directly or via a series of other pages, to another page on the same site that posts the software. It then is up to the user to follow the link or series of links on the linked-to web site in order to arrive at the page with the DeCSS link and commence the download of the software. Others take the user to a page on an outside web site on which there appears a direct link to the DeCSS software and which may or may not contain text or links other than the DeCSS link. The user has only to click on the DeCSS link to commence the download. Still others may directly transfer the user to a file on the linked-to web site such that the download of DeCSS to the user's computer automatically commences without further user intervention.

The statute makes it unlawful to offer, provide or otherwise traffic in described technology. To "traffic" in something is to engage in dealings in it, conduct that necessarily involves awareness of the nature of the subject of the trafficking. To "provide" something, in the sense used in the statute, is to make it available or furnish it. To "offer" is to present or hold it out for consideration. The phrase "or otherwise traffic in" modifies and gives meaning to the words "offer" and "provide." In consequence, the anti-trafficking provision of the DMCA is implicated where one presents, holds out or makes a circumvention technology or device available, knowing its nature, for the purpose of allowing others to acquire it.

To the extent that defendants have linked to sites that automatically commence the process of downloading DeCSS upon a user being transferred by defendants' hyperlinks, there can be no serious question. Defendants are engaged in the functional equivalent of transferring the DeCSS code to the user themselves.

Substantially the same is true of defendants' hyperlinks to web pages that display nothing more than the DeCSS code or present the user only with the choice of commencing a download of DeCSS and no other content. The only distinction is that the entity extending to the user the option of downloading the program is the transferee site rather than defendants, a distinction without a difference.

Potentially more troublesome might be links to pages that offer a good deal of content other than DeCSS but that offer a hyperlink for downloading, or transferring to a page for downloading, DeCSS. If one assumed, for the purposes of argument, that the Los Angeles Times web site somewhere contained the DeCSS code, it would be wrong to say that anyone who linked to the Los Angeles Times web site, regardless of purpose or the manner in which the link was described, thereby offered, provided or otherwise trafficked in DeCSS merely because DeCSS happened to be available on a site to which one linked. But that is not this case. Defendants urged others to post DeCSS in an effort to disseminate DeCSS and to inform defendants that they were doing so. Defendants then linked their site to those "mirror" sites, after first checking to ensure that the mirror sites in fact were posting DeCSS or something that looked like it, and proclaimed on their own site that DeCSS could be had by clicking on the hyperlinks on defendants' site. By doing so, they offered, provided or otherwise trafficked in DeCSS, and they continue to do so to this day.

* * *

VI. Conclusion

In the final analysis, the dispute between these parties is simply put if not necessarily simply resolved.

Plaintiffs have invested huge sums over the years in producing motion pictures in reliance upon a legal framework that, through the law of copyright, has ensured that they will have the exclusive right to copy and distribute those motion pictures for economic gain. They contend that the advent of new technology should not alter this long established structure.

Defendants, on the other hand, are adherents of a movement that believes that information should be available without charge to anyone clever enough to break into the computer systems or data storage media in which it is located. Less radically, they have raised a legitimate concern about the possible impact on traditional fair use of access control measures in the digital era.

Each side is entitled to its views. In our society, however, clashes of competing interests like this are resolved by Congress. For now, at least, Congress has resolved this clash in the DMCA and in plaintiffs' favor. Given the peculiar characteristics of computer programs for circumventing encryption and other access control measures, the DMCA as applied to posting and linking here does not contravene the First Amendment. Accordingly, plaintiffs are entitled to appropriate injunctive and declaratory relief.



Stay Up-To-Date with the New Digital 11th Edition!


10th Edition Print Format
Paperback and Hardcover

Available from VitalSource, the leader in electronic textbooks, downloadable to your reading device to read offline and automatically updated each time you log in. Includes Text-to-Speech and Search functions. Available in paperback and hardcover from Amazon, Barnes & Noble, and other fine retailers, the 10th Anniversary Edition is current through 2015.

Issues in Internet Law: Society, Technology, and the Law 11th Edition

2017 Edition. (686 pages)
Published by Amber Book Company LLC

Issues in Internet Law

2015 Edition. (586 pages, 7x10)
Published by Amber Book Company LLC



Hardcover Buy from Barnes & Noble

Softcover Buy from Amazon

EBOOK VitalSource eBook

or Order at your local bookstore - Ask For:
ISBN 978-1-935971-24-7 softcover
ISBN 978-1-935971-31-3 hardcover

Order from: VitalSource eBook

United States

United Kingdom



Issues in Internet Law home page         Amber Book Company