Re: Teen Offers Way to Crack Blocking Software

On 4/29/97, Lee Tien <tien[_at_]well.com> wrote:
>
> Wouldn't any infringements that occur from using the program be
> contributory infringements associated with the posting of the program?

Doesn't/shouldn't this depend on the foreseeability of misuse of the program, and whether or not there are substantial noninfringing uses? (cf. _Sony v. Universal Studios_.)

> The program at issue decrypts the encrypted list, so there's a
> modification of the list itself. If the list's part of CyberSitter,
> then the program modifies CyberSitter, right?

I wouldn't call it a "modification" because the original list is left intact, and I wouldn't call it simply a "copy" because it's a transformed/modified copy, which seems to be another way of saying "derivative work".

But no matter what we call it, it seems to be [potentially] an infringement of Solid Oak's exclusive rights under 17 USC 106, with the argument about whether it's infringing the "copying" right or the "preparing a derivative work" right left for another day.

> I assume the law on modifying/decrypting programs is well-settled
> after the years of computer game "cracker" and "booster" patches?
> These programs disable copy-protection or allow you to alter game
> parameters beyond normal.

_Galoob v. Nintendo_ 964 F2d 965 (9th Cir, 1992) held that the in-memory modification of a Nintendo program by third-party hardware did not create a derivative work, and hence did not violate Nintendo's section 106 exclusive rights. It went on to suggest that the creation of a derivative work, especially in a noncommercial context, may still be considered a fair use.

I think that end users of Haselton's program have a strong fair use argument that their use of the program is noninfringing - applying the section 107 factors, what I see is:

1. The purpose/character of the use is noncommercial, and serves both public policy (discussion about whether or not blocking software is a useful technology, vis-a-vis pending Federal and Texas legislation which would force ISP's to provide it to customers, and its prominence in the debate about the utility/constitutionality of the CDA) and consumer education purposes. (favoring "fair use")
2. The copyrighted work is more functional than expressive. (favoring "fair use")
3. The amount and substantiality of the work (assuming the work is Cybersitter as a whole - which seems reasonable, since I don't think Solid Oak will sell the list by itself, and otherwise treats it as a component, not a work in itself) - the list is only a part of the package (which includes software, (presumably) a manual, and an update service), and the list is not a useful replacement or substitute for the entire package (because, by itself, it can't block *anything*). (favoring "fair use")
4. The effect of the use on the market for the original work - while end users' use of the program (and publicity about that use) may erode some of Cybersitter's market, it does so not by competing with Cybersitter, but by educating consumers and facilitating commentary about the original work. This use is similar to quoting from a book in an unfavorable review of a book - the fact that the review may harm the market for the book does not mean that the reviewer cannot quote from the book (perhaps to illustrate why the book is not a good purchase). (favors, or as at worst neutral, re "fair use").

So, from my perspective, third parties who use Haselton's program to better understand their legal copies of Cybersitter are committing no infringement; and such a use is a substantial noninfringing use of Haselton's program, which suggests that he should not be liable for contributory infringement for its development/distribution, even if the program is also used by a competitor of Solid Oak's for a non-fair-use purpose.

Another argument for copyright liability on Haselton's part is one for direct infringement - that in creating his program, he may have made one or more copies of [parts of] Cybersitter, and those copies infringed Solid Oak's exclusive section 106 rights. I see _Sega v. Accolade_ 977 F2d 1510 (9th Cir., 1992) as directly on point here, saying that intermediate copies, made for the purpose of discovering underlying unprotected elements of a copyrighted program, are not infringing if they were essential to reaching/discovering the unprotected elements. In this case, the "unprotected elements" were the algorithm used to encrypt the data. However, given the simplicity of the algorithm, it's possible he didn't even need to take this step. But if he did, _Sega_ seems to say he's safe.

> If it's not part of CyberSitter, it's still arguably an unauthorized
> derivative work. I've never heard of anyone claiming decrypting an
> encrypted text is an infringement of copyright, but I guess it could be.

I think it's not precisely the decryption, but the creation of a copy/derivative work that's an infringement. (Modulo _MAI v. Peak_ and _Triad Systems_ in the Ninth Circuit, which would suggest that even decryption into RAM creates an infringing copy. Grr.) What's interesting (or just confusing :) is the way that encryption can make something appear noncreative/nonprotectible, while copyright law (presumably) protects the underlying creative work. I imagine that if Solid Oak attempted to register the contents of their site list in encrypted format (without explaining what they were up to) that it'd be rejected. The ciphertext output of a strong encryption process should be indistinguishable from random data. However, with the appropriate transformation, that apparently random data turns back into a protected/protectible work. Perhaps widespread use of encryption will lead to a rejection of the Berne Convention's rejection of a notice requirement. In an unencrypted state, it's now reasonable to assume that any creative work one encounters is protected by copyright. But if all files are indistinguishable to third parties, and a third party who wants to be responsible/fair with respect to copyright can't tell if they're looking at an unprotectible/unprotected data file, or a protected work .. what should a third party (like an ISP or a copy service) do?  

> That assumes the list is protected, as Solid Oak seems to think. On
> the face of it it's copyrightable as an original selection -- someone
> decided which sites to block, just as someone decides the order of
> songs on an album.

Agreed, subject to the fair use argument above.

> It could be a trade secret. So the student could be violating
> copyright by facilitating the copying of the decrypted list and
> trade secrecy by enabling people to read the list.

I disagree re trade secret, on two grounds:

1. The list is not protectible as a trade secret, because the knowledge embodied in it is publically available, obvious to anyone who cares to look for it, and already known (in large part) to Cybersitter's competitors.

(See _Gary Van Zeeland Talent v. Sandas_ 84 Wis.2d 202, 267 N.W. 242 (1978) (list of nightclubs not protectible as trade secret because it was readily available to anyone who cared to make inquiries from established sources); _Colorado Supply v. Stewart_ 797 P2d 1303 (Colo.App. 1990) (customer list not trade secret, where it was developed by independent contractor and can be obtained through telephone directories and other research); _American Printing Converters v. Jes Label & Tape_ 477 NYS2d 660 (A.D.2 Dept 1984) (customer list which was gained by canvassing existing market or by reference to existing publications, not by creating new market, was not protectible as trade secret); _Hamer Holding Group v. Elmore_ 202 Ill.App.3d 994, 560 NE2d 907 (Ill.App. 1990) (customer list not protectible as trade secret where it could be "distilled" from publically available sources, even where plaintiff testified to spending $60K to "distill" list); _Computer Care v. Service Systems Enterprises_ 982 F2d 1063 (7th Cir., 1992) (where plaintiff could not show alleged trade secrets were not "within the realm of general skills and knowledge" and not "readily duplicated without involving considerable time, effort, or expense", information/processes were not protected as trade secrets))

2. Even if the list were protectible as a trade secret, Solid Oak has failed to take adequate precautions to retain its status as secret. (_Acuson v. Aloka_ 257 Cal Rptr 368 (1989) (internals of product made available to general public without confidentiality agreement were not trade secret, even where internal padlocks made access/disassembly more difficult); _Secure Services Tech v. Time and Space Processing_ 722 F.Supp 1354 (E.D.Va 1989) (where TEMPESThardened  fax machine was sold without reservation of proprietary rights, proprietary protocol used therein was no longer eligible for trade secret protection))

The encryption used in Cybersitter is incredibly weak (the algorithm is: "XOR with 0x94", according to Declan McCullagh), and the information was made available via the WWW/Internet without any restriction on its use. (I was able, per Haselton's instructions on his web page, to download a copy from a Cybersitter site in England without entering into any form of shrinkwrap/clickwrap user agreement. And it's not necessary to run the Cybersitter program even a single time to get the file which Haselton's program decrypts. Further, Cybersitter itself can be used to [re]discover the information, by merely turning on its "log Internet activity" function, and spending an afternoon browsing sites which one suspects might be blocked. Cybersitter dutifully compiles a list of sites to which it's blocked access, and provides it in a (somewhat) attractive format.

> Other possible claims: some economic tort like interference with
> economic advantage; a shrinkwrap provision of some kind.

Don't the "business interference" torts generally require that the defendant have used improper/illegal means, or acted with hostile or illegitimate motives? Reverse engineering is a legal method of gaining access to others' trade secrets ("state law encourages [reverse engineering] by giving to the competitor who invests substantial resources in reverse engineering the opportunity to hold in legally protected confidence the results of its labor", _Acuson_, supra, 257 Cal Rptr at 380); and I think Haselton wins the "motive" argument; he strikes me as much more interested in the social/political issues at play here than in harming Solid Oak per se, or stealing Solid Oak's business for himself.

(this is not, of course, intended as legal advice. I just like to write about this stuff.)

--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles[_at_]netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            |