Cracking DVD Code

Illustration by Tavis Coburn

In the 1995 film Hackers, a cunning security expert working for an oil company hatches an embezzlement scheme. Everything is going according to plan until teenage hackers (including a young Angelina Jolie) break into the corporation’s database and uncover the plot, at which point the corporation enlists the FBI to arrest and prosecute them. While the FBI is all too willing to believe the corporation’s allegations against the hyperactive cyber geeks, the lead hacker’s parent stands by him during the FBI manhunt. Ultimately, the hackers unveil the corporate treachery to the naive, easily duped state authorities, and justice and information freedom prevail. Significantly, Hackers’ tag line was "Their only crime was curiosity."

Amazingly, this plot line was reenacted two weeks ago in real time, but with certain casting changes. Acting on a complaint filed by the Motion Picture Association of America (MPAA) (and Sony, Universal, MGM and Warner Bros.), Norway’s economic and environmental crimes unit raided the home of 16-year-old Jon Lech Johansen, confiscating his computers and Nokia cell phone and interrogating him and his father for several hours. Johansen and his father were accused of developing and disseminating a program — called DeCSS — that cracks the DVD encryption code CSS, in theory enabling users to bootleg DVDs. Johansen, for his part, insists that DeCSS was developed by his cracker collective MoRE (Masters of Reverse Engineering) only so DVDs can be viewed on the Linux operating system. (Currently, the discs are formatted for Windows and Macitosh OS only.) Nevertheless, Johansen and his father have been charged with breaking Norwegian Criminal Code Section 145(2), which makes it illegal to "break a security arrangement" to access data; they also face charges of contributory copyright infringement.

Apart from making l’affaire Johansen the first Internet cause célèbre of the new millennium, the events in Norway are significant as an escalation in the MPAA’s ongoing clampdown on ISPs, coders and Internet sites that design or disseminate the DeCSS code. The MPAA insists that DeCSS violates the 1998 Digital Millennium Copyright Act, while civil-liberties groups represented by the Global Internet Liberty Campaign are fighting in New York federal court and elsewhere to show that the MPAA’s interpretation violates the First Amendment right of free speech. As Robin Gross, staff attorney for the Electronic Frontier Foundation (EFF), puts it: "Code is speech. To tell people they can’t give out information is prior restraint."

While the legal battles may drag on for years, and wind up on the steps of the Supreme Court, the immediate effect of the MPAA’s bold Norwegian action has been to galvanize the hacker community against the film group. Johansen, though clearly intimidated by the long arm of the MPAA — "I never thought Norwegian police would act as if Norway was the 51st state of the U.S.," he exclaimed soon after his release from police custody — maintains an unswerving dedication to his reverse-engineering ideals and reveals a canny understanding of the politics behind the current brouhaha.

In an exclusive e-mail interview with the L.A. Weekly conducted the weekend after his arrest, Johansen argued that the MPAA’s purported concern over piracy is really a smoke screen for a broader desire for exclusive control over the worldwide DVD market: "An important question that someone on Slashdot brought up was, ‘How did we end up getting the movie industry to design the next-generation video format with themselves in mind, and not consumers?’" Johansen wrote in fluid English, "What ã this case is really about is that encryption on DVDs does not prevent copying, it prevents playback. That’s because the DVD industry seeks to maintain an oligopoly on DVD players and who gets to make them . . . The porn industry does not use CSS encryption on their DVDs, because they want as many people as possible to see their movies. So you’ve been able to watch porn under Linux but not standard movies."

What Johansen is alluding to is a possible chasm between the MPAA’s avowed objectives of preventing piracy and a more insidious agenda involving DVD price gouging. In a widely read article in Linux Journal, Jason Kroll made the case that "Encryption would allow the industry to put regional codes into DVDs, preventing American DVDs from running in Europe (where movies come out several months later and at higher prices), or preventing Indian DVDs (which cost less since India has less money) from running in America. In essence, it’s an attempt to ‘extract the consumer surplus’ by a technique known as ‘price discrimination’ (which is in fact illegal, according to U.S. and much international law as well). If DVDs cost the same the world over, prices would be lower for consumers." For Kroll, the MPAA’s protestations over copyright infringement conceal a lusty desire for "complete domination over the DVD-player market."

Whatever the MPAA’s real objectives, one can argue that the organization has gone after the wrong people. In the shadows of the DVD dispute are Matsushita Electric Industrial Company and Toshiba, both of which developed the decidedly second-rate CSS encryption system that crackers were able to unravel without breaking a sweat. One EFF news brief cites a cryptographer, David Wagner, as saying CSS is "so flawed that it would make a fine homework exercise for a university-level class in cryptography and code breaking." Johansen, for his part, confirmed the vulnerability of CSS, not just to decryption, but to simple interception.

"The point is, in this case you didn’t have to break any encryption. DVD movies have to be viewable to the end user, which means decryption has to take place somewhere. And that will always be possible to monitor." In fact, MoRE was able to break CSS by intercepting the data as they passed through a piece of hardware unencrypted. Since neither Johansen nor any of the other parties implicated in the MPAA-led clampdown have actually pirated DVDs, their only obvious crime so far has been — well, curiosity.

In spite of recent events, Johansen is confident that, aided by the EFF’s legal team, he will be vindicated. "I think the Norwegian authorities’ biggest problem in this case is that their computer competence is equal to (or below) zero. On TV today, Norwegian TV humorist Trond Kirkvaag joked, ‘Late-breaking news: 16-year-old gets his equipment back — police could not figure out how to switch his computers on.’ They do have some competent computer engineers, though, who are capable of telling the truth from MPAA’s propaganda, and the case will probably be dismissed and the charges dropped." Johansen is buoyed by the backing of his co-defendant, his father. "My father used to be a politician and has among other things fought against communism and suppression in Poland, 10 years ago. In his opinion, the large multinational corporations are as great a threat to people’s freedom as communism. He supports me 100 percent."