RICHARD ALLAN HORNING - SB
THOMAS E. MOORE III- SB #115107
MICHAEL W. STEBBINS - SB #138326
TOMLINSON ZISKO MOROSOLI & MASER LLP
200 Page Mill Road, Second Floor
Palo Alto, California 94306
Telephone: (650) 325-8666
Facsimile: (650) 324-1808
ALLONN E. LEVY - SB#187251
HUBER ? SAMUELSON, P.C.
210 N. Fourth Street, Suite 400
San Jose, CA 95112
Telephone: (408) 295-7034
Facsimile: (408) 295-5799
ROBIN D. GROSS - SB#200701
ELECTRONIC FRONTIER FOUNDATION
1550 Bryant Street, Suite 725
San Francisco, CA 95103
Telephone: (415) 436-9333
Facsimile: (415) 436-9993
Attorneys for Defendant
SUPERIOR COURT OF THE STATE OF CALIFORNIA
COUNTY OF SANTA CLARA
DVD COPY CONTROL ASSOCIATION, INC., a not-for-profit trade association,
ANDREW THOMAS MCLAUGHLIN, et al.,
DECLARATION OF JOHN GILMORE IN OPPOSITION TO ORDER TO SHOW CAUSE RE: PRELIMINARY INJUNCTION AGAINST ALL DEFENDANTS
Date: January 14, 2000
Time: 1:30 p.m.
Honorable William J. Elfving
I, JOHN GILMORE, hereby declare under penalty of perjury:
1. I am a computer scientist and entrepreneur in San Francisco, California. I give this declaration in my personal capacity.
2. I have been working in computers since 1972, as a programmer, designer, quality assurance engineer, writer, manager, and executive. I have been involved in computer security since 1980 and in encryption since 1984.
3. In 1981 I was the fifth employee at Sun Microsystems, which has since grown into one of the top ten computer companies in the world. There I wrote firmware, handled hardware/software integration, tested hardware designs, and worked on computer security and electronic mail, both for their products and for their internal network.
4. In 1989, with two partners, I co-founded Cygnus Support, a small
business dedicated to providing commercial support for free software, largely
in the embedded systems market. It has grown from 3 employees to
approximately 180, and was sold in October 1999 to Red Hat, Inc.
The company's main product, the GNU programmer tools, is given away without
cost and without major restrictions on modification or redistribution.
Cygnus's revenues of about $20 million a year are almost all from contracts
to support or develop this freely available software. Cygnus pioneered
this "open source" business model for its intellectual property licensing,
a model which has become fashionable
ten years later.
5. In 1990 I co-founded the Electronic Frontier Foundation (EFF), a nonprofit which defends civil liberties in cyberspace. The foundation continues to exist today, and is providing some of the legal defense in this case. I serve on its Board of Directors.
6. In 1992 I co-founded the Cypherpunks, an informal educational and advocacy group devoted to advancement of privacy and security through greater knowledge and deployment of encryption. The group has been meeting monthly in the San Francisco area since then, maintains several active Internet mailing lists reaching several thousand people, and has spawned similar groups in other areas. Many students and computer scientists who first learned of encryption through the cypherpunks have started encryption companies, become famous through their encryption research, or begun their own civil rights efforts as a result.
7. In 1996 I started a project at EFF to create a "DES Cracker", a custom-designed computer which can recover the key to a message encrypted in the Federal "Data Encryption Standard" in about a week. I led the project, assisted in the chip design, wrote much of the software for the project, edited the book, and wrote major parts of the book. We published the full design through a major book publisher, in the public domain, so that anyone could reproduce it for verification. The purpose of the project was to publicly demonstrate that the DES is easy to crack, so that people would stop believing incorrect government statements that DES provides good privacy. The project was successful, and as one result the National Institute of Standards and Technology (NIST) began an "Advanced Encryption Standard" effort to replace DES, which is still ongoing. This effort also won me the "Public Policy Award" from RSA Data Security at their annual conference, and made the front page of the New York Times.
8. I comment from the perspective of someone who has been active in
the fields of encryption, intellectual property, and business.
THERE ARE MANY LEGITIMATE USES FOR THE SOFTWARE AT ISSUE
9. The DeCSS software for Windows, and the similar "readdvd" software for Linux, permit compressed video images to be copied from a DVD disc onto a hard drive. There are many legitimate reasons to make such copies.
10. One major reason is to allow Linux developers and users to watch their DVDs on their non-Windows computers. Compressed video image files, which DVD discs contain, are not readily visible to humans. A program is required to display the file on the screen, allow the user to fast-forward or rewind through it, etc. Writing such a program is not a trivial exercise, not only because of the complexity of the image compression, but also because the program must be fast, or it will not be able to play back the video in "real time".
11. The Linux developers whose web sites are targeted by this case were in the process of writing such a program. Pieces of the program already exist, and they work to some extent, but they were being constantly refined to eliminate outright errors, handle more different kinds of compression, and to speed up the display so that it could keep up on ordinary personal computers.
12. In order to test and refine a program for displaying compressed video images, one must have a compressed video image to try to display with it. Once a single image has been successfully displayed, it's time to try the program on several other images. Once it works on several images on the original author's computer, then it's time to try it on the computers of several other volunteers around the world, and on their choice of compressed image files. By gradually expanding the circle of testing and repair, a robust and stable program results.
13. It is certainly possible to test such a program with compressed video image files from sources other than DVD discs. I believe the existing Linux programs for displaying these files (such as mpeg2player, xanim, etc) were originally written and tested using other files. But for such a program to be useful to the community in general, it must work well with compressed video image files that come from ordinary commercial DVD discs, since that is the way that a large fraction of ordinary computer users are likely to have compressed video images in their computers. The programmers cannot tell whether their program works on a DVD image without extracting one and trying it. And whenever their program fails to properly display a DVD image, they must have access to that image, to examine its encoding in detail, so they can reproduce the problem themselves, determine why the program fails to handle it properly, craft a proposed change to the program, and then test that the change actually fixes the problem and doesn't introduce any other problems.
14. In all of the above cases, the programmers would be using commercial DVDs which they have purchased (or otherwise have the right to use, if they had borrowed it from a library or a friend, had access to it through their job or school, etc). There is no piracy involved, and nobody's copyrights are violated.
15. I believe that the eventual goal of the Linux programmers and software
distributors targeted by this case is to evolve their software so that a DVD disc can be played on the computer screen merely by inserting it into the DVD reader slot on a personal computer that runs Linux. Such an eventual use of software derived from DeCSS or readdvd would be completely legitimate and would not infringe any copyrights.
16. Some DVD discs only provide encrypted key material that can be decoded by a subset of DVD players. This "regional coding" divides the world into regions, and encourages the sale of players in each region that only contain the keys to play DVD discs intended for that region. The regional coding system is not inherent in the design of the encryption system at issue, but is created by how the secret keys are administered. In my opinion, the regional coding system is designed to restrain trade in DVD discs, for the benefit of theater owners and the companies who rent them movies. It is intended to prevent theaters who are showing first-run movies from facing competition from DVDs imported from other regions where it has been released on DVD.
17. The ability of the software at issue to play DVD discs from various regions does not violate any right or privilege available under law to the copyright owner of the movie on the disc; "code-free" consumer DVD players already exist and offer the same capability. In my opinion, the regional coding system was built as a business strategy, to give a technological edge to theater owners, to the disadvantage of consumers; there are no legal consequences if this intended edge does not materialize in practice.
18. Another legitimate use is to change the video into a format chosen by its owner, or to "space-shift" it to a more convenient physical location. The owner of a music CD is free under the copyright laws to copy it onto a tape cassette to play it in her car (both a format-shift from digital CD to analog tape, and a space-shift from her home to her car). The owner of a DVD is also free under the copyright laws to copy it onto another medium or location of their choice. For example, she could extract from a DVD a 10-second clip of a postman delivering a letter, convert it into a file format that her web browser can play, and a size that fits in a small corner of her screen, and cause her computer to display the clip whenever she get a new email message. The software tools to do this today on Linux are not readily available, or are too hard for an ordinary person to use, but the Linux development community is actively working on improving them, and the software at issue in this case is a key component. Just as the Supreme Court recognized the legitimacy of time-shifting by VCR users who wished to watch a TV show at a more convenient time, format-shifting or space-shifting for the convenience of the user is also recognized as legitimate.
19. Due to the enormous file size, making a verbatim copy of a DVD is impossible in essentially all removable media commonly available today on personal computers. A DVD disc holds an enormous amount of information; this large capacity is the main reason that the format was invented and deployed. A DVD disc can hold 5.2 gigabytes, while common personal computer writeable media can only hold 1 gigabyte (Jaz drives). Even the non-removable hard drives commonly available in PCs can only hold 5, 10, or 18 gigabytes. This means that if a user wished to make a full copy of a DVD disc on their computer, the only place they could put it would be on their hard drive, which would only hold four such movies at most. They would have no way to make copies for friends, or to send the copies over the Internet (uploading a single gigabyte over a 56K modem would take more than 40 hours). The sheer bulk of the material means that technical means to "pirate" it are not commonly available, nor practical.
20. The DVD-RAM medium is a niche medium which stores 4.7 gigabytes on a writeable, removable medium, but blank recordable media are more expensive than buying pre-recorded DVDs. There would be no incentive to copy a $15 DVD onto a $25 blank DVD-RAM rather than buying a second copy at $15. Also, DVD-RAM media, despite their confusing name, cannot be played back on ordinary DVD drives. Most computer buyers are waiting until a truly DVD-compatible recordable format comes out, rather than buy an expensive drive that will write on media which will go obsolete in a few years. There is little point in writing your backup copies on a medium for which you won't be able to buy a new drive after your current drive breaks.
21. Assuming that the advance of technology produces a recordable-DVD drive which uses affordable media and is readable on ordinary DVD drives, and that the courts are not used to keep such drives and media off the market, we then have another clearly legitimate use: backups of purchased DVD discs. It is legitimate to make a personal copy of purchased copyrighted material, to protect against the accidental (and eventually inevitable) loss or destruction of the original. Any household with children has probably already encountered this problem with other existing fragile media, such as cassette tapes, CDs, or VHS video tapes.
22. Also assuming a future large, cheap, and compatible recording medium,
another legitimate use is to mix scenes from various DVD discs onto a single
disc. A Bogart fan might produce a DVD which contains ten of their
favorite Bogart scenes, in the same way that cassette users compose tapes
of their favorite songs by one or more artists, holding their choice of
selections in their choice of order. A music fan might contrast several
video renditions of the same song, or show the evolution of a band over
the years. It is completely legal for individuals to create and enjoy
such compilations under copyright law's Fair Use Privilege that allows
for personal non-commercial use.
ENCRYPTION HISTORY AND THE STRENGTH OF ENCRYPTION SYSTEMS
23. Encryption technology has a long history that reaches back into the pre-Christian era. Succinctly, encryption scrambles information in transit so that it can only be reconstructed by the intended recipient, and/or validates the information so that the recipient can tell whether it has been tampered with. Many battles and diplomatic negotiations have been won or lost based on the use of encryption. Encryption was used by both the British and the Americans during the Revolutionary War; George Washington's writings reveal that he intercepted encrypted British messages and had them cracked by a friend. Ben Franklin published a textbook on encryption, and used it extensively for his dispatches while representing the colonies to France. Thomas Jefferson designed a naval cipher (encryption system) which was still in use by the US Navy until 1967. The time and trouble required to encrypt, decrypt, and to keep your keys and methods secret, tended to limit the use of encryption to diplomatic and military users, though commercial firms have also made substantial use of it. A rapid decrease in the cost of encryption caused by computer technology and digital communication has made encryption quite cheap, and it is now deployed in many millions of products, including cellular phones, ATM machines, satellite TV receivers, and web browsers, where it protects the privacy and/or integrity of communications, largely without the user being aware of it.
24. The capabilities of encryption systems are evaluated by determining
how much work would be required to penetrate their security or privacy.
An encryption system which takes a large amount of work to break is called
"strong"; one which takes a lesser effort, which could be mounted by a
credible adversary, is called "weak". To be generally considered
"strong encryption", a system must have no known way for
any of its adversaries to penetrate it. Dozens of strong encryption systems are known in the scientific literature, and many of these have been deployed in real products. A system that was believed to be strong can become weak over time, both due to general improvements in technology, and due to further research into that particular encryption system.
25. For centuries, encryption systems have been designed based on the principle that a particular method of encryption can be used by many people and can even be known by the adversaries, as long as a small secret key or keys used by each person remain secret. There is a direct analogy to locksmithing here, in which the principles of tumbler locks are well known, but the particular pin settings of a particular door are hard to discover. Encryption keys were originally conceived of as a series of letters or numbers, but in the computer era, they have become a series of bits (zeroes or ones) Many encryption systems are designed with a fixed-length key. For example, the key used by DES is 56 bits long, and that used in the reputed DVD CSS is 40 bits long.
26. If many copies of a "secret" key exist, they are more likely to be revealed; for the best security, secrets should be held by only one or two people.
27. There are many ways to penetrate an encryption system. For example, it can be subverted by bribing someone who knows a secret key. It can be defeated by sophisticated mathematical analysis, which reveals hidden patterns in its random-appearing output. It can be broken by "brute force", by trying every possible key until the right one is found. (Short keys make a system particularly vulnerable to a brute force attack. A well-respected 1996 recommendation by senior cryptographers states that keys shorter than 75 bits are not strong, and for systems designed to protect information for decades, 90 bits.)
28. A penetrated system could be generating keys that are not truly random, which can be predicted or partially predicted by the adversary. Or, It can be circumvented by convincing the two ends to use a key already known to the adversary. It can be bypassed by configuring the system to turn off its encryption features, without the knowledge of the users. The effective strength of an encryption system is limited by its weakest link. Many encryption systems have strong parts, but provide only weak security because of a particular shortcoming that makes a particular attack easy.
THE ENCRYPTION ON DVDs IS WEAK AND PROVIDES LITTLE SECURITY
29. The encryption system at issue in this case is a weak system, that provides little security.
30. Since I do not yet have access to the actual specifications of the DVD Content Scrambling System (CSS), I cannot analyze the actual system used in DVD products. However, I can analyze the system which the plaintiffs are seeking to suppress the publication of information about. (Some of that information may not accurately describe the actual DVD CSS.)
31. The fundamental strength of the system at issue is limited by the short keys which it uses. A 40-bit key provides only 2-to-the-power-40 possible keys, or about trillion keys. Modern computers can try all of these possible keys in hours or days. Andrew Twyman, a student at MIT, used a single $83,000 computer to crack a 40-bit key used in a secure Web browsing session in less than 8 days in 1996. Ian Goldberg, a student at UC Berkeley, used a network of ordinary computers at Berkeley to crack a 40-bit key in 3.5 hours in 1997. As general purpose computers get faster and cheaper, the time and cost of these brute force attacks declines.
32. The security of the system at issue also depends on keeping a set
of secret keys truly secret. However, one or more of these "secrets"
are reproduced in every DVD player sold, in every PC or laptop that can
play DVDs, and in every software DVD player sold. It is surprising
that secrets that are reproduced this many millions of times have lasted
as long as three years.
SCIENTIFIC PROGRESS IN ENCRYPTION REQUIRES PUBLICATION OF REAL WORLD RESULTS
33. Encryption is an old science, which is built on lessons that date
back over 2000 years. Building strong encryption systems is a very
subtle art, which requires many years of study. Because an encryption
system is only as strong as its weakest link, there are many ways to undermine
the design of an encryption system.
34. Experience has shown that everyone who first learns about encryption invents their own new code, which they are sure is unbreakable. Almost without exception, these new codes are easy for experienced scientists to break. This is because the newcomers have not learned from the mistakes of the past, while the experienced scientists have.
35. Only after learning the known ways to break dozens of other peoples' codes will a scientist be qualified to design "unbreakable" codes of their own. Even then, it is easy to make mistakes. A collection of senior cryptographers submitted fifteen designs to NIST in 1998, each hoping to have theirs' picked as the new Advanced Encryption Standard. Within a year, five of the designs were rejected due to serious security weaknesses, as the group of designers turned their talents toward proving that their competitors' designs were flawed.
36. If the strengths and weaknesses of modern-day encryption systems are shielded by law from scientific inquiry, the science will not progress, and the public will be ill-served by poorly designed encryption systems that do not do the job they were intended to do.
37. The encryption scheme at issue in this case is a prime example. Had it seen even a modicum of public scrutiny before being built into millions of discs and players, any professional cryptographer could have pointed out the weaknesses that made it trivial to crack in a week. Because it was kept secret, these weaknesses only came to light when it was too late to fix the scheme. Because the scheme has since been published, and its weaknesses have also been published, future designers (perhaps designing encryption for banking systems, pay-TV, or other forms of intellectual property protection) are much less likely to make the same mistakes.
38. The computer security community has long debated whether it is preferable to publish a discovered security weakness or to keep it secret. The debate is not over and will probably never be over, but experience has shown that weaknesses which are not published are seldom fixed. Even when the manufacturer is notified first, and many months in which to fix security problems, they almost always do nothing until their own paying customers start calling up and complaining, "Why did I read today in the New York Times that the system you sold me is full of holes?" Furthermore, it is well known that many miscreants who trespass on others' systems exchange information constantly among themselves about newly discovered weaknesses. If responsible scientists do not also share the information that they have, they are always running behind the miscreants: duplicating each others' work, and leaving their own systems wide open to attacks which some other scientist has already discovered but not published.
39. If scientists and engineers had reverse-engineered the DVD CSS, identified security weaknesses in it, and rather than publishing, had merely kept quiet about the design and these weaknesses, they would be encouraging the further use of a design which they knew was not adequate. This would not serve their science or their society. It would not serve the owners of the DVD CSS either, who might not have known about these attacks.
40. It is my opinion that claims of "damage" resulting from some manufacturers delaying the deployment of DVD-Audio players until better encryption is devised are without merit. First, the design defects in the system at issue were placed there by the designers, not by the defendants. Second, delay in DVD-Audio deployment is completely at the discretion of the manufacturers involved; the defendants had no part in making that decision. My own opinion is that they are being inappropriately paranoid, particularly given that the much more popular CD format is completely unprotected against people making perfect digital copies. Third, and most important, the plaintiffs should be THANKING the defendants for revealing shortcomings of what would have become the DVD-Audio protection system, while there is still time to change it. Surely the manufacturers' action of delaying reveals that the DVD-Audio community did NOT know that the system they were about to deploy was trivial to crack.
41. Those who follow encryption see this pattern over and over. Security systems are designed in secret, by people with relatively little encryption experience. The details of these systems are kept from the public, frequently as "trade secrets", and "to enhance their security", while extravagant claims are made about their strength. Miscreants are free to discover and exploit weaknesses, whether to listen in on "private" cell phone calls, to steal intellectual property, etc.
42. Some of these security systems reach massive deployment in infrastructures critical to the everyday functioning of society, such as the hundreds of millions of GSM cell phones. Eventually the details of the design come out, and the inherent weaknesses are pointed out publicly. The incompetent designers invariably try to "shoot the messenger", rather than blame their own faulty design process or their own inappropriate secrecy, which brought the problem on themselves and on the people in society who are now dependent on the faulty protection system.
I declare under penalty of perjury of the laws of the State of California that the foregoing is true and correct and that this declaration was executed by me this 7th day of January, 2000, at San Francisco, California.
Please send any questions or comments to firstname.lastname@example.org