Uses and Abuses of Technical Protection Measures (TPMs)

By Russell McOrmond

Last updated: October 15, 2005

(October 10 version of this article published on Digital-copyright.ca and p2pnet)

Introduction

One of the most controversial aspects of the 1996 WIPO treaties (WPPT and WCT) is the articles on legal protection for technical protection measures. These provisions have been implemented in the copyright acts of many countries, with considerable harmful unintended consequences. This legislation has also been passed without policy makers or the general public having a firm grasp on what technical protection measures are, what they can do, and what they can't accomplish.

To talk about TPMs without putting them in context is similar to talking about literature without ever differentiating between romantic poetry and unlawful hate speech. There are both helpful and harmful uses for TPMs, and we must differentiate between them. Unfortunately most people in the copyright debate confuse the harmful and helpful consequences. These people do not understand how anyone can be strongly opposed to legal protection for TPMs in the copyright act, and yet also be supporters of (or are even providers of) specific types of TPMs that are useful to copyright holders.

There is an assumption that these treaties require legal protection for controversial types of DRM (Digital Restrictions Management). These are abuses of technology which excessively control and/or monitor the private activities and choices of technology users, attacking their privacy, property and other rights.

If instead of assuming the suggested changes be made to the copyright act we make changes in other acts, I believe it is possible to protect the legitimate uses of technical measures without protecting the abuses.

In the case of Canada and Bill C-60 there are questions raised about the constitutionality of legal protection being added to the copyright act. TPMs do not protect copyright directly, but protect issues relating to contracts, digital signatures, e-commerce and tangible property law, all of which are provincial jurisdiction. For an in-depth analysis please read Constitutional Jurisdiction Over Paracopyright Laws by Jeremy F. DeBeer, which is chapter four of In the Public Interest: The Future of Canadian Copyright Law.

As you read the following analysis, keep in mind the wording used in the WIPO Copyright Treaty article 11, Obligations concerning Technological Measures.

Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.

Appropriate uses of technical measures

Authors have many legitimate uses for technical measures. An example would be a website or other network service where they wish to limit access to subscribers. Using the digital locks analogy, a subscriber would have a key which would allow them to prove that they are a subscriber (provide authentication). Digital locks would also be used to keep private the conversation between the subscriber and the copyright holder, protecting from any third party eavesdropper who might otherwise be able to receive information without authorization.

If protection from an eavesdropper is not considered important, an access control can be as simple as a password or a cookie stored in the subscribers' browser.

How technology is configured by a copyright holder needs to be understood as being as important in indicating what uses they are authorizing as any legalistic copyright license agreement. If they wish to receive payment for access, then they must indicate this in how they configure the technology, using a technical measure to limit access to those who have paid.

This use of a TPM is what is required for copyright holders to differentiate between providing of information to subscribers, where a royalty fee can be expected, and the parts of the Internet where the audience is anonymous (unknown) and thus the expectation and collection of a royalty fee is not reasonable.

Many media companies provide free subscriptions to online services. In this case the intent is not to charge a royalty for access, but to use technology to appropriately indicate that third parties such as Google or Archive.org are not authorized to make copies, archive or index the content.

There are currently discussions about the attempt by Access Copyright to add a levy to the Internet. The claim from Access Copyright is that their members do not wish to use appropriate technical methods to indicate that royalties may be expected, but want to extract a levy anyway. Access Copyright is best understood as an administrative body for a very narrow business model that is most often inappropriate for use on the Internet.

There are other types of technical measures, such as digital watermarking, which can be used in identifying objects.

If you look closely at the legitimate uses of technical measures by copyright holders, they do not differ from what other Canadians may use this technology for. These technical measures protect the privacy of Canadians, and provide identifying information for people or objects.

In order to offer legal weight to these technical measures it would be appropriate to add them to legislation that deals with privacy and identity. Examples would be to modernize our federal and provincial privacy legislation, to enhance legislation to protect digital signatures for contracts (and copyright licenses) for e-commerce, and so-on.

Abuses of technical measures

Many people do not consider the controversial abuses of technical measures to be related to copyright at all. Examples include the use of access control technical measures where the key is not intended to be in the hands of the subscriber, but embedded within "authorized" access technologies sold to the public. Another is government mandated detection of watermarks or "flags" (such as the controversial Broadcast Flag) which forces technology creators to ask permission from regulators to add features to their technology.

These abuses of technical measures are always easy to circumvent for a technically sophisticated person. Once circumvented by one out of the 6.5 billion people who share this planet, the unlocked content can be redistributed as if the protection measure did not exist. Whether this redistribution is lawful or not is a matter of traditional copyright law.

While these abuses of technical measures are always ineffective, they do have considerable harmful consequences for law-abiding citizens. (For more details on why access controls will not deter copyright infringement, see my letter to Scott Simms, MP, about Bill C-60)

It is important to recognize the difference between an abuse of an access control and the legitimate uses discussed earlier. A TPM protecting the communication between a copyright holder and a subscriber has three parties: the sender of information (copyright holder), the authorized recipient of information (subscriber), and a third party attacker. The technical measures exist to protect against the attacker.

In the case of the abuses there are only two entities: the sender and an authorized recipient who is claimed to also be the attacker. While technical measures are important to protect against third party attackers, only traditional copyright law can protect a copyright holder from the unlawful activities of an authorized recipient.

Abuses of Access Control TPMs

Focusing in on access controls which seek require the use "authorized" access technologies, the harm is understood by looking to economic analysis. The technique being used is very similar to the techniques discussed in section 77 of our Competition Act under exclusive dealing and tied selling. Rather than keys being provided to authorized recipients of content, the keys are instead embedded within authorized tools. This creates a new type of regulation that never existed in copyright before, the ability to control exactly which tools are used to access content.

Never before in our history has the limited monopoly of copyright allowed copyright holders to dictate any aspect of the environment used to access works. This meant that copyright holders could not claim the right to authorized the use of contact lenses or glasses while reading a traditional book, or authorize what brands of software are used to read an e-Book.

Michael Geist provides detail on the competition policy implications of technical protection measures in chapter 7 of In the Public Interest: The Future of Canadian Copyright Law.

There are many current examples of this type of abuse of access control TPMs including the Content Scrambling System (CSS) used by the self-called "DVD Copy Control Association" (What they offer is an access control that is unrelated to copying), the Advanced Access Content System (AACS) that will replace DVD CSS for next generation DVD formats, Apple's FairPlay DRM, or Microsoft's Windows Media DRM.

This abuse of TPMs, more commonly referred to as DRM, has some monopolistic entity that manages the digital keys used to lock and unlock content. While some copyright holders assume that they will control these keys, this will not be the case. Copyright holders would need to negotiate to have their individual keys embedded within all "authorized" access tools. Given it will be near impossible for them to successfully negotiate this, the entity that controls the keys will certainly be a third party technology provider.

Before offering keys, this technology provider will have contracts with copyright holders who wish to lock their content, and also with tool creators/manufacturers who wish to unlock content. This technology provider will quickly be in a market conditions to be able to dictate terms to both copyright holders and tool creators, and will be able to refuse keys to competitors or anyone else who does not protect their private monopoly interests.

It is important for copyright holders to realize that this monopolistic behaviour will harm their interests as much (if not more) than those of their audiences. Understanding this effect, it is hard to understand why the "Canadian" Recording Industry Association (CRIA) is lobbying to have legal protection for TPMs added to copyright law, rather than lobbying to be protected from abuses of TPMs.

The major labels currently make their money through a stronghold on the methods of distribution and marketing for recorded music. DRM technology providers will be able to easily replace that traditional roll. This means DRM vendors such as Apple, Microsoft, IBM, Intel, Matsushita, or Toshiba will eventually replace CRIA members such as EMI (UK), Universal Music Group (France), Warner Music Group (WMG - US), or Sony BMG Music (US). (We should always remember how little "Canadian" content there is in the self-called "Canadian" recording industry association).

Authors using modern methods of production, distribution and funding of software such as those using Free/Libre and Open Source Software (FLOSS) licensing will be systematically excluded. The features of FLOSS may not yet be familiar to everyone, but are no more radical a requirement for software than Access to Information laws are for governments. With FLOSS the users' (and follow-on authors) freedom to run, copy, distribute, study, change and improve the software ensures that owners of digital devices are able to be in control of their own technology through being able to control the software. In our example the digital keys are provided to tool creators who agree to not allow the owner of the device access to the keys or to be in control of their own technology, making this abuse of TPMs is incompatible with the transparency and accountability of FLOSS.

Technology regulations (abuses of watermarks and other flags)

Another type of abuse of technical measure could have worse consequences, and that is a government mandate that recording devices be "disabled" if they detect watermarks or other "flags". The intent is obvious: someone trying to record a movie in a theatre or trying to record a program from their television or the radio would be stopped by the technology from doing so. Copyright is far too complex to automate in this way, and just because a watermark exists does not in any way indicate that recording would be an infringement.

Take an example entirely outside of copyright. If a criminal (or the government) wished to hide activities from the police or journalists they could simply wear devices that would broadcast watermarks. When a camera honouring watermarks is pointed at the controversial event it would automatically be "disabled" as soon as it detected the watermark. There are many times where the ability to record things without the permission of the subject is critical to law enforcement or the accountability of government. It is also not just journalists and police that need unencumbered recording devices, given it is often private citizens or accidental recordings that are used to expose important events.

I believe it should be obvious that the unintended consequences of this type of regulation are far more harmful to the public interest than any amount of copyright infringement.

Regardless of the type of abuse of a TPM it is important to remember that the regulation will only affect the activities of law abiding citizens. A technically sophisticated lawbreaker will always be able to trivially extract keys or otherwise modify technology to remove any limits. Once one person out of the 6.5+ billion people have disabled a TPM (decoded content, modified a camera) it is then possible for a non-technically sophisticated person to make use of the result.

It is only traditional copyright law that can protect the rights of copyright holders, and any legal protection for these abuses of TPMs will harm the interests of copyright holders and the general public far more than it could theoretically help them.

Providing legal protection from abuses of technical measures

Canadians must be legally protected from abuses of technical measures. We should have laws which positively protect our property rights in the content and communications tools that we purchase. We should have laws which positively protect our privacy rights, including from abuses of TPMs which spy on audiences without their clear permission.

Access controls should be used to grant access to authorized persons. There should be a legal protection against the abuse of access controls to limit access to "authorized" tools. There should be a positive right to circumvent DRM for non-infringing purposes, including a protected right for the lawful owner of an access tool to legally posses and use any keys embedded within the tool.

There must be a protected right to create, distribute and sell software (sometimes called a "device", a "product" or a "service" depending on context) to help other people to express these rights. The authors of these multi-purpose tools must not be held liable for any potentially infringing uses by third parties.

The interests of users of technology, including authors and copyright holders of other works, are protected by having a healthy free market. Canada must modernize and aggressively enforce competition law to protect against any technology provider being able to abuse a dominant position to control and/or monitor the legitimate activities of Canadians. There should be a protected right for software authors to reverse engineer existing software to create compatible software. Copyright and patents should be excluded from interfaces, whether they be programming interfaces, user interfaces, file formats, communications protocols or interfaces with hardware.

Since the legitimate uses for technical measures are not unique to copyright holders, and the abuses should be prohibited, technical measures should not be protected in a copyright act at all. Technical measures should only be protected in appropriate legislation that protects privacy and authenticity (identity), including legislation to give legal weight and protection to digital signatures.

Further suggestions to the Canadian Government

I believe that Canada should reject the 1996 WIPO treaties, as this laundered policy overly-protects legacy methods of production, distribution and funding of creativity against modern competition. These treaties also attacks our legitimate property rights in content and communications technology. It was also authored at a time when most policy makers did not understand the technologies they were proposing to regulate.

Canada should be joining with the countries that support the WIPO Development Agenda, working to set more appropriate international copyright norms.

Contrary to the opinion of some, we are under no obligations to ratify these treaties. It is quite normal for a country to sign a treaty indicating interest and then decide at a later date that the treaty is not in the interests of that country.

Considerable pressure is being exerted from the United States on Canada to not only ratify these treaties, but to use the US implementation as the model. We need to remember that this is the same country that has not ratified the norms for international law such as the International Court of Justice or the International Criminal court, nor have they ratified other far more important treaties such as the Ottawa Convention on Landmines or the Kyoto protocol.

I believe it is a case of misguided priorities to feel pressure from the United States who has signed (but not ratified or withdrawn) Kyoto, and never signed the Landmines treaty. We should not ratify WIPO treaties simply because we signed them, but only if these treaties are in the best interests of Canadians (including Canadian authors) which I strongly believe they are not.

I believe that if parliament gives in to the pressure to ratify these treaties that it is still possible to follow the letter of the treaty in regard to TPMs and provide legal protection for the legitimate uses of TPMs, while at the same time protecting Canadians from the harmful abuses.

(See also: Legal protection for TPMs has no place in copyright law )

If you agree that Canadians should be protected from abuses of TPMs, please write your member of parliament and tell them. Parliamentarians should be encouraged to reject Bill C-60 and direct policy makers to come back with appropriate modernizing copyright legislation. If you have not yet signed the Petition for Users' Rights, please do so. There are also other suggestions of what you can do to help fight against this bad policy.



Creative Commons License This work is licensed under a Creative Commons Attribution 2.0 Canada License.