Forgot your password?
typodupeerror
DRM Your Rights Online

German Court: Open Source Project Liable For 3rd Party DRM-Busting Coding 178

Posted by samzenpus
from the damned-by-association dept.
Diamonddavej writes "TorrentFreak reports a potentially troubling court decision in Germany. The company Appwork has been threatened with a 250,000 Euro fine for functionality committed to its open-source downloader (JDownloader2) repository by a volunteer coder without Appwork's knowledge. The infringing code enables downloading of RTMPE video streams (an encrypted streaming video format developed by Adobe). Since the code decrypted the video streams, the Hamburg Regional Court decided it represented circumvention of an 'effective technological measure' under Section 95a of Germany's Copyright Act and it threatened Appwork with a fine for 'production, distribution and possession' of an 'illegal' piece of software."
This discussion has been archived. No new comments can be posted.

German Court: Open Source Project Liable For 3rd Party DRM-Busting Coding

Comments Filter:
  • by mwvdlee (775178) on Friday December 06, 2013 @04:14AM (#45616799) Homepage

    You keep using that word. I do not think it means what you think it means.

    Doesn't the concept of "effective" mean that code breaking the DRM cannot exist?

    • by fuzzyfuzzyfungus (1223518) on Friday December 06, 2013 @04:25AM (#45616845) Journal
      One would like to think so; but the courts haven't (CSS is how broken now, and for how long?) I assume that the argument is that it's 'effective' because you still need a specially designed tool to break it, not unlike a lockpick. What isn't clear, under that reasoning, is why essentially all file formats of remotely nontrivial complexity don't count as 'effective technological measures', since virtually nothing in digitized form is remotely human readable without specialized software transformation. Your odds of turning an RTMP stream into video with your brain are basically as good as your odds of doing the same with an RTMPE stream, and neither are high.
      • by Kjella (173770) on Friday December 06, 2013 @05:36AM (#45617063) Homepage

        A book written in Greek and a book written in English using a cipher are both gibberish to me, but understanding one depends on a parser and the other on a decryption key. In short the understanding of "effective technological measure" seem to be that the protocol is trying to use a secret (CSS key, AACS key, HDMI key etc.) to protect the content. So if you took any file format and wrapped it in AES with a static key with no memory protection whatsoever then decrypting it in any other program would be a DMCA violation, geeks all get caught up in "effective" but in context it just means a measure intended to have that effect specifically to exclude all other attempts at interpreting a protocol as "cracking" it.

        • Re: (Score:3, Insightful)

          by Gr8Apes (679165)
          And yet, I can easily hook up a camera and video the TV and hook directly into the sound pickups, and voila - a copy is made without circumventing anything. Depending upon hardware, it may actually be a reasonably good copy. And if I wish to go one step further, I can hook into the screen's display and record the raw video directly too, resulting in a perfect copy. Again - no circumvention required of anything the DCMA protects digitally. IOW, it's ineffective and only causes harm to those that wish to use
          • by Wootery (1087023)

            And if I wish to go one step further, I can hook into the screen's display and record the raw video directly too, resulting in a perfect copy.

            Not easy to do. HDMI's 'HDCP' scheme requires that hardware frustrate attempts to defeat the content protection requirements [google.com]. Can never be bullet-proof, of course, but it'd be a hurdle.

            • by vux984 (928602)

              Not easy to do. HDMI's 'HDCP' scheme requires that hardware frustrate attempts to defeat the content protection requirements. Can never be bullet-proof, of course, but it'd be a hurdle.

              Point a good camera at a good TV under good lighting in a controlled environment. HDCP defeated. You lose a bit of 'fidelity' during the digital analog digital conversion, but its a one time loss. Future copies of the copy won't lose anything further, and only one person has to do it once. That's not much of an obstacle.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Meanwhile in the crypto world, if someone breaks a cipher, the creator will admit defeat like an honorable man, he won't go cry to a judge like a baby.

        • In digital restrictions management cases like this, it's usually not the cipher that ends up broken* but the handling of player keys.

          * CSS is the big exception, as it was cryptanalyzed fairly easily, but that's from when the United States didn't allow exporting crypto stronger than 40-bit.

      • I assume that the argument is that it's 'effective' because you still need a specially designed tool to break it, not unlike a lockpick.

        Actually, in many cases, the "lockpick" is the original key.

    • by Anonymous Coward on Friday December 06, 2013 @04:26AM (#45616853)

      German speaking guy here. You're absolutely right, I have the exact same opinion, but they really use this "wording" (sorry if I didn't get that expression right). It's stupid. I believe that it is written like this deliberately. So they can use any $drm scheme, doesn't matter how cheap, it could be as cheap as, any 12 year scriptkidde can circumvent it, if it says $drm, you can be sued for the circumvention of it. Or the other possibility is, they really just have no idea. Maybe they compared drm to the physical world. Burglers can smash in your window just like that, enter your house and steal everything of value/easily movable. Doesn't mean they couldn't be sued for it, because security doors + windows are an effective counter measure against burglars.

      • by Anonymous Coward

        Yes, "wording" is the correct word :)

      • by their definition, ROT13 is an "effective" DRM scheme...
        • by squiggleslash (241428) on Friday December 06, 2013 @08:27AM (#45617581) Homepage Journal

          Well perhaps, but to play Devil's advocate: this isn't a game.

          There are two parts to DRM when combined with an anti-circumvention law. The first is the one that exists anyway: to attempt to make it as difficult as practically possible for someone to gain unrestricted access to the raw content. The other - which the DMCA (and its apparent German equivalent) adds - is to add legal liabilities for creating, possessing and/or using the tools, however easy, that break that encryption, should they ever come into being.

          Us nerds have a tendency to misread laws and assume that rather than it being a reflection of the intent of the authors, that the language used is arbitrary and written by dolts to be interpreted in the widest possible context. Specifically we look at words like "effective" and rather than interpreting it in the context of the rest of the law, we go off on tangents and ask whether something is effective using other definitions within different contexts.

          Is, for example, CSS effective? Well, I'd argue it is in context. It requires you use a specialized tool, designed specifically to break CSS, in order to access the content. It meets the definition in context. It doesn't meet the definition if you change the subject and say "Well, in 1998 it protected content, but does it now? Is it easy to find the tools needed to circumvent it?", but that's not the definition of effective that's implied by the context of the legislation - which is why better lawyers than us are not making that claim when protecting, say, Real Networks.

          As for ROT-13.... well, maybe it is, maybe it isn't. My guess is it wouldn't, because ROT-13 doesn't require knowledge of any secrets beyond the fact it's being used to begin with, and the "tool" used to decrypt it is already built-in to a billion email, USENET, and so on clients. At the very least, if SuperdooperRayVD 4K discs in 2020 are encrypted using ROT-13, they'd have great difficulty persuading judges that millions of pre-existing USENET clients from the 1990s are illegal.

      • by sumdumass (711423) on Friday December 06, 2013 @06:54AM (#45617299) Journal

        The law is a direct result of the WCT or WIPO Copyright Treaty. The judge is likely interpreting "effective" within respect to that. It is under article 11 I think but i'm on my phone right now and it is a bit hard to check.

        Anyways, i believe effective would mean anything non trivial or ancillary at the time of creation. So if a cipher is so easy to break that they teach doing so as part of security lessons, using that couldn't be effective. But requiring something that isn't known or readily done could be if it isn't blatently obvious.

    • by Sockatume (732728)

      It presumably has a technical legal definition which the article, according to its footnotes, doesn't have available.

    • by Kat M. (2602097) on Friday December 06, 2013 @09:46AM (#45617953)

      Section 95a (2) [gesetze-im-internet.de] of the German copyright law defines specifically what an effective technological measure is. It specifically includes "encryption, scrambling or other transformation". It does not require that the encryption etc. need to be unbreakable, just as a physical lock does not have to pose an unsurmountable barrier in order to make breaking it illegal.

    • Pretty much. It's ineffective.
      • Confucius says, "The programmatic equivalent of waving my dick at it and having it decrypt doesn't work if you're a woman."

    • Re: (Score:2, Interesting)

      by Sloppy (14984)

      No. Obviously German courts are free from US precedent and could theoretically use a layman's definition of "effective" but it's likely that the US lobbyists who wrote the German law, had their shit together and knew how German courts would interpret that word.

      In the US, we had the matter of "effective"'s meaning settled way back in the DeCSS case. It doesn't mean what you think it means. It means what they want it to mean, and judges have agreed. That battle is over (or at least until people start taki

    • Doesn't the concept of "effective" mean that code breaking the DRM cannot exist?

      The very concept of DRM is a form of corporate welfare. It's as 'effective' as the enforcing government wants it to be.

    • by Holi (250190)

      No, not at all.
      I am effective at coding, does that mean all of my code is perfect?

  • by Anonymous Coward on Friday December 06, 2013 @04:16AM (#45616811)

    Is it legally possible to author and licence an opensource project without disclosing your identity? All the licences I've see have a place for the copyright holder (the person or other entity that is granting the rights detailed in the license). I presume its possible and legal to do this without including your actual name right? If you don't care about getting credit for it (or suing for damages), you can avoid this potential liability by having the project copyright controlled by some nameless entity. As long as you don't need to re-licence it in the future, I think that is safe.

    I suppose you could have the copyright in some arbitrary name (your friend's dead pet, whatever), but still require the license to credit you. A lot of opensource projects really don't care who holds the copyright, so if its a liability, the developers shouldn't hold it. GPL type projects have to be careful, since the copyright holder could use it themselves however they want, or reissue it under some other license. This approach makes much more sense for permissive licenses like public domain, or MIT/BSD.

    • by mwvdlee (775178) on Friday December 06, 2013 @04:21AM (#45616825) Homepage

      Open source licenses use copyright.
      Only the owner of a copyright can enforce it.
      If somehow copyright would be assigned to a non-existant entity, nobody could enforce it and it would effectively become public domain.

      • by HiThere (15173)

        IIRC, in Germany anyone can bring suit to enforce a copyright, not just the owner. In fact, I seem to recall that they can even do it when the owner of the copyright declines to enforce it. And that they can claim a share of the winnings for enforcing it. And that there are some companies of lawyers that do almost nothing else.

        It was a few years ago, so the details are hazy, but I read about it on Slashdot, and I seem to recall that they were enforcing one of SuSE's pattents against the will of the compa

    • by fuzzyfuzzyfungus (1223518) on Friday December 06, 2013 @04:34AM (#45616873) Journal
      Section three of Article 7 of the Berne Convention states:

      "(3) In the case of anonymous or pseudonymous works, the term of protection granted by this Convention shall expire fifty years after the work has been lawfully made available to the public. However, when the pseudonym adopted by the author leaves no doubt as to his identity, the term of protection shall be that provided in paragraph (1). If the author of an anonymous or pseudonymous work discloses his identity during the above-mentioned period, the term of protection applicable shall be that provided in paragraph (1). The countries of the Union shall not be required to protect anonymous or pseudonymous works in respect of which it is reasonable to presume that their author has been dead for fifty years."

      Virtually everyone is a Berne Convention signatory; but actual implementation in domestic law has been both spottier and more...complex... than the convention text itself. It seems unlikely that something of clearly recent authorship would find itself presumed to be uncopyrighted merely because an author could not be found; but I'd imagine that, in practice, the more risk-averse would be very, very, jumpy about taking 'anonymous coward' at his word that they are authorized to use a given piece of code under the terms of whatever license, that he is even the author, and so forth. That might hinder adoption.
      • by WWJohnBrowningDo (2792397) on Friday December 06, 2013 @05:06AM (#45616971)

        Easy, public key cryptography. Instead of using "anonymous coward" as the pseudonym, use "anonymous coward who posses the private key to the following public key.

        -----BEGIN PUBLIC KEY-----

        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0

        FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/

        3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB

        -----END PUBLIC KEY-----"

        Oh who am I kidding, we're talking about law makers who criminalized a piece of software. "public key cryptography" probably sounds like "thermonuclear weapons" to them.

      • the more risk-averse would be very, very, jumpy about taking 'anonymous coward' at his word that they are authorized to use a given piece of code under the terms of whatever license, that he is even the author, and so forth. That might hinder adoption.

        That's why SQLite [sqlite.org] and other programs have so many problems with adopting a "public domain"
        license: For all intents and purposes the public domain can not contain new works. Even if I say my code is in the public domain, I can change my mind at any later point and sue you. MIT, GPL, etc. is needed because you must expressly permit use to assure the users they won't be sued.

        From SQLite copyright:

        Even though SQLite is in the public domain and does not require a license, some users want to obtain a license anyway. Some reasons for obtaining a license include:

        You are using SQLite in a jurisdiction that does not recognize the public domain.
        You are using SQLite in a jurisdiction that does not recognize the right of an author to dedicate their work to the public domain.
        You want to hold a tangible legal document as evidence that you have the legal right to use and distribute SQLite.
        Your legal department tells you that you have to purchase a license.

        If you feel like you really have to purchase a license for SQLite, Hwaci, the company that employs the architect and principal developers of SQLite, will sell you one.

        Yay! Open source you need to pay a license fee for to cover your ass! Public Domain? No thanks. Note that to

    • by ImdatS (958642)

      As I understand, you can actually create something and immediately put it into Public Domain. You may need to use the right wording (ask a lawyer) such as "non-revocable", "unlimited", "unrestricted", etc., but your lawyer may be able to help.

      Also, you could use something like this if you don't want to put it into Public Domain:

      Copyight (c) 2013 by "KJDFOIQWEPOSODKFLKWE)(#I$KJLKDSFMNCVK" (GPG-Encrypted)

      This could be use for situations where you might consider keeping certain rights (i.e. not putting into Pu

      • by lgw (121541)

        As I understand it, public domain does not imply that derive works are public domain.

        You create a game, and make it public domain. Someone modifies your code and sells it as commercial software, then sues anyone distributing the original for violating their copyright. This is more or less what happened with some crappy Unix game back in the day to push RMS over the edge.

    • Is it legally possible to author and licence an opensource project without disclosing your identity?

      What's a more pertinent question is: Shouldn't it be legal to distribute source code since end users that have to compile and run it to break the law themselves?

      To put it another way: Shouldn't it be legal to distribute data, even if it's executable, because distribution and analysis of information shouldn't be a crime?

      To put it another way: Shouldn't it be legal to publish books without going to jail for their content?

      To put it another way: Shouldn't it be legal to have public discussions without going to

  • by Chrisq (894406) on Friday December 06, 2013 @04:24AM (#45616843)
    contributions to open source products should be just like posts to websites. If someone posts something illegal then the authorities should issue a "take down" notice to the project. If they remove it then only the original poster should be liable.
    • by Anonymous Coward

      You're presuming law based on reason. German lawmakers are firmly in the pockets of publishers. The occasional win of the MPAA or RIAA is nothing compared to the systemic level of corruption in that country.

    • by shentino (1139071)

      But that would reduce the leverage of the big boys to shut out competition. This whole scheme of being liable for the acts of outsiders is specifically to discourage them from contributing, or the projects from accepting contributions. They WANT projects to be paranoid about accepting outside contributions.

  • by dunkelfalke (91624) on Friday December 06, 2013 @04:36AM (#45616885)

    is known for its cowtowing to the intellectual property holders. That is why they try to go to that particular court if they sue for copyright infridgement.

    • Re: (Score:2, Funny)

      by qbast (1265706)
      What property holders do with all those cows that court towed to them? Making hamburgers as side business?
    • Copyright infridgement is where the copyright has a cooling off period, amirite?
      • by Anonymous Coward

        You must feel very smart for criticizing the linguistic skill of someone who doesn't speak English as their native language.

        • Re: (Score:2, Insightful)

          by hawkinspeter (831501)
          And I feel very smart for criticising the critical reasoning of an Anonymous Coward who doesn't understand a joke when he/she sees one.
        • Actually, typos have nothing to do with anyone's linguistic skills. If you want to improve your linguistic skills, you buy something like this [amazon.com], not a spell checker.
      • Heh, fair enough, my English was particularly bad this morning.

    • by couchslug (175151)

      "is known for its cowtowing to the intellectual property holders. That is why they try to go to that particular court if they sue for copyright infridgement."

      How wonderfully American of them. (barfs)

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Or to put it differently: Hamburg is the East Texas of Germany.

    • That is why they try to go to that particular court if they sue for copyright infridgement.

      Man, that's cold.

    • Hamburg regional court
      is known for its cowtowing to the intellectual property holders. That is why they try to go to that particular court if they sue for copyright infridgement.

      And Hamburg is known as the birthplace of the hamburger, which is made from beef, which is raised in large quantities in Texas, and the most prosecution-friendly venue for patent lawsuits in the US is East Texas...

      Aha! We've found the causal link!

      ...

      But now I wonder what the basic legal trends are for the Frankfurt regional court. :-P

      Cheers,

  • Just post the name of the judge, and be done with it. Other will contribute home address, place where his kids go to school, etc, and from there we can move on.
  • good decission (Score:4, Interesting)

    by SuperDre (982372) on Friday December 06, 2013 @04:42AM (#45616899) Homepage
    Maybe it's not great because this time it's about busting DRM, but ofcourse it shouldn't be like an opensource project wouldn't be liable for any illegal activity while a closed source project would be fined.. Open source doesn't mean it doesn't have to obey laws..
    • by N1AK (864906)
      Your exactly right. Unfortunately far too many people on here have already decided that anything open source is perfect and thus anything negative being reported, happening to or being linked to open source must be attacked.

      Being open source isn't an excuse for breaking the law. Open source advocates will often highlight the fact that the code is available as meaning that it can be checked to ensure there's nothing hidden in there after all. You wouldn't have people on here defending Microsoft if they go
    • by stenvar (2789879)

      If the law makes source code illegal, it's a bad law.

    • True, but unjust laws should not be obeyed by either FOSS or proprietary code.
    • by HiThere (15173)

      That's a real problem when different areas have different laws. It means that you are responsible for knowing all possible laws that might affect you in every country of the world, and that's actually impossible. Because you don't know what a law means until a court decides what it means....and the next court may decide something different.

  • Not 3rd party code (Score:2, Insightful)

    by Anonymous Coward

    It stopped being 3rd party code the moment Appwork accepted the contribution and started spreading the code itself. That is the moment they became liable. If they do not like that, they should not spread "just anybody's code" without verification.

    We may not like it, it makes the life of open source projects more difficult, but that is the way it works. For good reasons.

    • by 3247 (161794)

      How is that different from hosting a web forum where anyone can post content.

      If I post illegal content here, should Slashdot become liable because it "accepted the contribution and started spreading the [content] itsself"? Shouldn't Slashdot stop spreading "just anyone's" content "without verification"?
      Even worse, Slashdot allows posting as "Anyonymous Coward", and thereby facilitates such abuse.

  • by Stolpskott (2422670) on Friday December 06, 2013 @04:55AM (#45616933)

    In the world of athletics, the athlete is responsible for verifying beforehand that any substances entering their body are free from performance-enhancing drugs and a range of other substances. In this case, that same rule seems to have been applied to software - the admins are responsible for code entering the body of the application.
    Aside form anything else, my opinion is that someone on the project should have oversight of new code submissions before they are committed to the main codebase. If that is not happening here, then this is a lesson in stupidity for the admins. If it is happening, then the admins really are facilitating, because they have explicitly allowed that functionality into the application. Flipping the coin again, if the admins explicitly allowed the content without realizing what it does, then they have commited code without understanding the purpose or impact of the code, and we are back to the lesson in stupidity again...

    • I did wonder about this. How does any code get into the release branch of any project (Open Source or not) without some form of code review or understanding of the functionality behind it? How is it tested? (I assume it is tested!). This is not a problem of Open Source, this is a problem of poor Configuration Management!

      To compare - I expect nothing gets into the Linux kernel main branch (as maintained by Linus Torvalds) without being discussed, agreed, reviewed by someone, tested, and signed off.
      • A gross, high-level summary would be that jDownloader automates "interesting" data file extraction and retention from the World Wide Web. In essence, a file ripper from websites. But it automates a lot of the "nonsense" you have to go through (click-thru this, wait for that timer, etc., etc.). It's this automation that makes this advantageous over wget, for example.

        But, there are TONS of websites that all work slightly differently. So there are literally hundreds or thousands of modules customized for a

  • unreviewed code (Score:5, Insightful)

    by feds (3005861) on Friday December 06, 2013 @05:20AM (#45617003)
    Actually this is worrisome for the open source community not because they ended up in court but because Appwork accepted code without reviewing it and actually without even knowing what it does. How can they assure users that installing the application they don't become part of a 15 million users botnet?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Did they actually accept the code? Is it a fork? We don't seem to know and I suspect that this was more along the lines of code being submitted, not yet reviewed by core contributors, etc. But because it was public... the court decided to convict. The code probably would not have ever gotten into a binary or official / stable release of the code.

    • It's not bad code. It might have been reviewed by someone who knows security and someone who knows functionality and stability but doesn't know arcane laws.
    • Actually this is worrisome for the open source community not because they ended up in court but because Appwork accepted code without reviewing it and actually without even knowing what it does. How can they assure users that installing the application they don't become part of a 15 million users botnet?

      I'm betting that they knew exactly what the code did and this is a legal excuse to try to get them off the hook because they know they can't pay the fine. I know nothing about the German legal system, so I can't comment on how likely this ruling is to stand, but I am sure that they are just trying to get out from under the ruling by claiming ignorance. That excuse wouldn't work in the USA, but again, I don't know how the German legal system works. By the way, we have a rather infamous court here in the U

  • Hamburg Court (Score:5, Interesting)

    by Tom (822) on Friday December 06, 2013 @05:59AM (#45617135) Homepage Journal

    he Hamburg Regional Court decided

    You can stop reading there.

    This particular court is the laughing stock of the german legal system, and its decisions are routinely overturned at the higher courts. They are famous for "creative" interpretations of the copyright laws.

    Source: I live in Hamburg, Germany and I've been following copyright-related civil rights matters for more than a decade.

  • by deviated_prevert (1146403) on Friday December 06, 2013 @06:15AM (#45617185) Journal
    The warez in question is a java app with binaries available to be loaded at time of install from a script. So the setup starts with a set of jars that get extracted. YOU CAN INSTALL IT TO /HOME and view the entire process which downloads more binaries as the install takes place, at least on Linux if you install unpriviledged it will just install in a created directory and do everything from $ directory without requiring logging elsewhere or so you can easily track everything the software does.

    I ran Wireshark on it and it does not do the ET phone home crap that most spyware does so it is what the writers say it is.

    If you boot it up and do not leave it in the sys tray it does not leave active processes hanging around. HOWEVER you can run it as a background process to snoop your RTMPE and have them automatically download the vids. On youtube it downloads the whole smash including the webM html5 streams and all available vid size pieces of a vid including any mp3 or other audio files.

    Best stream ripper out there IMO. EAT MY SHORTS MPAA, RIAA and all your ill begotten drm bullshit nonsense. This video is a great one and as a result I will order her works online she is one hot guitarist! Fantasia la Traviata [youtube.com] a little beyond the reach of most musicians, eat your heart out if you like guitar!

    • by fatphil (181876)
      > On youtube it downloads the whole smash including the webM html5 streams and all available vid size pieces of a vid including any mp3 or other audio files.

      > Best stream ripper out there IMO.

      These two sentences seem in direct contradiction. The best one would only download your preferred media format, not all the poorer-quality, larger file size, or unviewable content.
  • by Murdoch5 (1563847)
    If the original authors didn't put that feature in and never intended to then just show the different in code revisions from version a -> b. Once the court sees the authors didn't do it they are ( or should be ) off the hook.
  • What I think is most disturbing about this is that a company could seed/pay some fly by night person to upload come code to an OSS competitor and basically bring the project to a close, killing a competing product.

All this wheeling and dealing around, why, it isn't for money, it's for fun. Money's just the way we keep score. -- Henry Tyroon

Working...