On January 3, George Hotz, or geohot as he calls himself, a hacker previously involved in the effort to jailbreak the iPhone, released the private key to the PlayStation 3, using techniques described by the group fail0verflow at the 2010 Chaos Communication Congress. Essentially, possession of the key allows users to create and run signed software on their PS3s without the use of any sort of external USB device–i.e., to run the software as if it had been distributed by Sony.
There is every indication that this is why the parties involved exploited the, well, exploit–so that they and others would be able to use the machines that they own to run whatever software they want to write for it or share with each other (fail0verflow claims to have developed the hack in order to allow PS3s of all firmware versions to run Linux). Of course, one of the side effects of the release of the key is that users can now, if they so choose, use it to run pirated versions of PlayStation 3 games on their machines, which Sony is loathe to allow.
In a response eerily reminiscent of that of Universal and its cohorts following the release of DeCSS and of that of the MPAA and AACS LA following the release of the AACS cryptographic key (the key that protects Blu-Ray DVDs), the corporate machine leapt into action (after one embarrassing gaffe on Twitter), and fired off lawsuits against both fail0verflow and geohot, causing the latter to start a legal defense fund.
This case lies much closer to that of AACS than that of DeCSS–the court ruled, in Universal v. Corley, that DeCSS was not protected speech because, among other things, the DMCA’s restrictions on circumventing technologies was “content-neutral,” and DeCSS seemed to have been distributed for the purpose of redistributing copyrighted DVDs, at least according to the District Court. In the case of the AACS key, while the MPAA and AACS LA issued numerous DMCA takedown notices (notably to Digg), this was the only legal action taken: no lawsuits were filed, and the legal status of the key remains up in the air.
In the case of the PS3, the stated purpose for circumventing the “technological measures” that “effectively control” access to the PS3 was to get the machine to run Linux–undoubtedly, this is not in violation of any copyright law. But will this be its primary use? The court tells us in MGM v. Grokster that we must consider not only whether a noninfringing use exists, but its relative frequency compared to that of infringing uses.
Will most users use the key to play pirated games? More importantly, does it matter?
Similar to the avalanche of posts of “09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0” on Digg following the MPAA’s response to the release of the key, a…flurry? of “46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2” posts appeared on Reddit in the aftermath of geohot’s publication of the key. Both communities felt a sense of injustice that posting a 128- or 160-bit key, a number short enough to scrawl on the back of one’s hand, should subject the poster to prosecution.
On the other hand, the DeCSS program, in its shortest incarnation, is only 434 bytes, or 3472 bits, only about 20 times as long as the AACS and PS3 keys, and the court found that it was illegal–just as a clever Digg user created a flag using the hexadecimal key, or how I shamelessly copied the idea to make a flag of my own, so too did protestors of the DeCSS decision create MIDIs, plays, and even a haiku of the program.
When everything is expressed in terms of numbers, anything can be expressed in terms of anything else. The court has ruled that some numbers are illegal, so where exactly is the line? If I write some protection protocol with a cryptographic key of “1”, can I go around issuing DMCA takedown notices to every website that has the audacity to post a “1” somewhere? Would that even count as an effective technological measure? Probably, since knowledge of the key is generally not enough to crack the code–one must also know where to put it, which requires some amount of proficiency with computers (arguably more proficiency than most users possess).
So where is the line? Is it at 10 bits? 100? 1000? We already know it can’t be any greater than 3472. The problem is, wherever the line is drawn, it will be arbitrary–any attempt to exclude some kinds of speech from protection will, when taken to its logical extent, inevitably result in some sort of restriction that seems ridiculous and unfair. There will always be some tricky end case.
And programmers are great at coming up with tricky end cases.