Effective Technological Measures: It Means What It Says, Says Finnish Court
It's the phrase that rules over both the DMCA and Europe's equivalent, the European Copyright Directive (EUCD). Under both, it's illegal to circumvent "effective technological measures" used by rightsholders to restrict access to their works.
But what happens when the measures don't measure up? Part of the irony of the DMCA in the United States has been that generous court interpretations of "effective" have led DRM designers to craft the flimsiest of programming tricks to control access. (Some have even gone so far as to suggest that the DMCA would extend to simple ciphers, such as ROT13.) Those companies then hide behind the DMCA's provisions that eliminate public discussion of the measure's flaws. In the absence of criticism, rightsholders are gulled into believing that such snake oil will save their works from commercial piracy, even though circumvention is often trivially simple.
In Finland, at least, that absurdity has been challenged. In a case in the Helsinki district court, activists running a site offering DVD decryption code were prosecuted under Finland's implementation of the EUCD, and successfully defended their case on the argument that DeCSS was an ineffective protection.
The court agreed (PDF), saying:
"...since a Norwegian hacker succeeded in circumventing CSS protection used in DVDs in 1999, end-users have been able to obtain with ease tens of similar circumventing software from the Internet even free of charge. Some operating systems come with this kind of software pre-installed. CSS protection can no longer be held 'effective' as defined in law."
It's a refreshing example of how the practical realities of copy-protection can be accepted by a court, in an attempt to work out a reasonable way to apply anti-circumvention law. If an access control is so vulnerable that it can be broken by a few lines of easily conveyed code, by pressing the shift key when rebooting, or by obtaining a key that is on thousands of sites across the globe, is it really the legal system that should bear the impossible burden of protecting the unprotectable?