March 05, 2004

What DVD CCA v. Bunner is NOT.

Downstream republishers of cracked secrets take limited comfort from the 2/27/04 decision for Andrew Bunner by the Court of Appeal in California. Limited to a ruling on a preliminary injunction, the opinion finds "little question" that the sharing of DeCSS "is unethical and and that it probably violates other laws." But an injunction against information no longer secret "can be justified only on a rationale of punishment and deterrence * * * ordinarily inappropriate in trade secret actions."

The opinion invites further research and analysis around its apparent limitations:

  • It does not protect one who is the first to crack a secret and then misappropriate or share it.
  • It does not protect those who share misappropriated secrets in a closed community.
  • It does not protect one from potential liability under laws other than the Uniform Trade Secret Act (UTSA). Those might include federal laws such as the Digital Millenium Copyright Act (DMCA) or state laws such as California Penal Code Sections 499c or 1203.33 or proposed federal or state laws protecting databases.

    (Read more ... )


    On February 27, 2004, a California appeals court ruled that an injunction against Andrew Bunner's publication of DeCSS constituted an improper prior restraint. The decision was in large part based upon the finding that the encryption algorithm affected by DeCSS had lost its "trade secret" status due to extensive publication of DeCSS over the Internet to "a worldwide audience ready and waiting to download and repost it." Electronic Frontier Foundation has the Court of Appeals decision in PDF.


    Bunner was sued under California's Uniform Trade Secrets Act ("UTSA"), (Civ. Code §3426 et seq.) which protects information that is valuable because it is unknown to others. The Court decided only the propriety of an injunction against Bunner's disclosure of the information, not the propriety of other forms of deterrent sanctions.

    The Court of Appeals found the element of secrecy important for two reasons, in both of which a temporal element was important:

  • One cannot be liable for misappropriation of a trade secret if the information in question is no longer secret when one publishes it;
  • One cannot be enjoined under the UTSA from publishing information if it is no longer secret at the time the injunction is to take effect.

    According to the Court, the record showed that Bunner was a downstream discloser of information that had already passed into public knowledge. The Court quoted July discussions on Slashdot about interest in cracking CSS as evidence of "a worldwide audience ready and waiting to download and repost" DeCSS when it first appeared on October 6, 1999. By November 1999, DVD CCA had spotted and noticed 66 websites hosting either DeCSS or links to it, and Wired magazine had written that DeCSS was on the Net. See "DVD Piracy: It Can Be Done" (Wired November 1, 1999)

    Bunner does not shield the original cracker.

    None of these facts would apply to the original cracker. The Court noted the common theory that Jon Johansen, a Norwegian resident, cracked the CSS code by means of reverse engineering and was the original source of the DeCSS code. Had not "DVD Jon" shared DeCSS, it would not have become public knowledge.

    In December, a Norwegian appeals court affirmed the acquital of Jon Johansen on criminal charges of breaking the CSS copy protection on DVDs he bought. The charges were brought by the Norwegian Economic Crime Unit (ØKOKRIM) under Norwegian Criminal Code 145(2), upon the complaint of DVDCCA and the Motion Picture Association of America (MPAA). The Norwegian court ruled that his action was legal under Norwegian law. An earlier acquittal had been appealed by the government. See "Legal victory for 'DVD hacker," BBC News 12/22/03, and " and "DVD-Jon" Defeats Hollywood: Consumer Rights Upheld in Norway," IP Justice.

    Questions for further study:

    • To what extent can United States law (or another sovereign's law that may differ from that of Norway) be applied to a nonresident whose activity was lawful in the jurisdiction where he or she resides and acted, if it has an effect on a United States rights holder?
    • Could "DVD Jon" be liable under the UTSA for misappropriation of a trade secret?
    • Could "DVD Jon" be charged with violation of the DMCA's anti-circumvention provisions?

    The case of Russian programmer Dmitri Sklyarov is illustrative. While in Russia, Sklyarov allegedly programmed a bypass of Adobe's technical protection measures ("TPM"). While in the United States at a DEF CON conference speaking about the resulting software, Sklyarov was arrested and charged with a criminal violation of the DMCA, based upon a complaint by Adobe. The Justice Department later dropped charges against Sklyarov, allegedly in return for his testimony against his employer ElcomSoft (a software company based in Moscow) on a similar charge. At a jury trial in December 2002, ElcomSoft was acquitted. Post-verdict interviews with the jury indicated that they found that the ElcomSoft code was probably illegal, but that the DMCA was sufficiently confusing that they were not convinced that ElcomSoft's Russian managers knew that sharing the code they wrote was criminal.

    The Bunner Court was careful to distinquish a case cited by the plaintiff, Underwater Storage, Inc. v. United States Rubber Co., 371 F.2d 950 (D.C.Cir. 1966). In that case, a Navy contractor took trade secrets and republished them as its own know-how. The Underwater Storage Court rejected the argument that subsequent publication insulated the defendant from liability for misappropriation, saying: "Once the secret is out, the rest of the world may well have a right to copy it at will; but this should not protect the misappropriator or his privies." 371 F.2d. at 955.

    Questions for further study:

    • Q: How many people does it take, how broad a distribution is required, before information loses its status as secret?
    • Q: At what "degree of separation" do downstream recipients of information qualify as "general public?"

    Bunner does not shield sharing in a closed community.

    In the Bunner case, the enthusiasm and anticipation of the global programmer community for a CSS decoder, together with the culture of free code sharing, meant that whatever the threshold between "public knowledge" and "still secret" was quickly crossed. The Bunner Court did not attempt to define that threshold. Doing so will be more pertinent in a case in which the information was held more closely.

    The Court noted that this case "does not fit neatly into classic business or commercial law concepts." Typically in trade secret cases, a competitor wrongfully takes trade secrets to exploit them, and has no interest in sharing the advantage with others (except perhaps for a sufficiently valuable consideration). Had DeCSS been held more closely and shared only among a controlled circle of users, it may never have reached the level of public disclosure that sacrificed its status as a trade secret.

    Consider, hypothetically, a secret resale or exchange of code exploiting a trade secret, or confidential data wrongfully obtained. Such might be distributed through a controlled access "darknet" or among a limited number of conspirators -- none of which put it on the open Net. Would such breach the "public knowledge" threshold?

    As holders of intellectual property rights and security organizations become more aggressive in monitoring and enforcing casual sharing of protected content, they may tend to drive "warez" swappers and users underground, into closed, "virtually gated" online communities. Entry to such communities may require exchange of valuable consideration, either in the form of cash, copyrighted code or secret data. The exclusivity and secrecy of such private networks may itself disqualify them from the protection of the Bunner decision's logic. Such networks may also be usefully analyzed under state, federal and international laws regarding conspiracy and racketeering.

    Bunner does not shield against liability under other laws.

    The Court's decision made clear that its decision was limited to the propriety of an injunction under the UTSA, and that the disclosure of the DeCSS code "is unethical and that it probably violates other laws. But what is in the public domain cannot be removed by action of the states under the guise of trade secret protection." Citing Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 at 481 (1974)

    The DVD CCA did not bring claims under the DMCA, and there was no indication of complaints under the California law criminalizing theft of trade secrets (California Penal Code §499c) or the Economic Crime Act (California Penal Code §1203.33), which has been interpreted to cover theft of trade secrets valued over $50,000. People v. Farell, 48 P.2d 1155 (Cal. 2002). The narrow scope of the Court's decision leaves open the possibility of civil or criminal prosecution of original and "midstream" distributors of the DeCSS code under those statutes or others like them in force either inside or outside of the United States.

    Copyfight has links to a variety of commentators on the decision: Copyfight: the Politics of IP

    See also:

  • The Importance of...: DeCSS Injunction Lifted in Trade Secrets Case
  • Freedom to Tinker: "California Court: DeCSS Not a Trade Secret"
  • EFF: "Court Overturns Ban on Posting DVD Descrambling Code, Finding a Free-Speech Violation"
  • LawGeek: "EFF wins DVD-CCA v. Bunner Appeal"
  • IP Justice: "Court Rules DeCSS Injunction Violated Freedom of Expression Rights"

    Due to the volume of comment spam, I have turned off comments on this posting. Trackbacks are welcome, as are private comments via email.

    Posted by dougsimpson at March 5, 2004 07:58 AM | TrackBack
  • Comments