DMCA triennial exemptions

Every three years, the Librarian of Congress revisits the exemptions to the Digital Millennium Copyright Act (DMCA). These exemptions list the cases in which circumventing technological measures that protect copyrighted works is not illegal. On October 28, 2015, the Librarian issued the new list, valid for three years. The new exemptions (compared to six years ago) are:

  • The jailbreaking of cellphones to be used on other carrier networks has been extended to tablets, wearable devices, and connected TVs.
  • Jailbreaking portable devices to execute lawfully acquired software
  • Owners can circumvent diagnosis and repair software for cars and farm equipment
  • For research purposes on consumer devices, medical devices, and cars
  • For sourcing ink for 3D printers from alternative suppliers

The previous exemptions are still valid.

Is French HADOPI law dead? (11)

Pierre Lescure, former CEO of French broadcaster Canal +, has delivered to the French minister of culture and communication his report “Contribution aux politiques culturelles à l’ère numérique” (i.e., contribution to cultural policies in the digital era). Obviously, among the 88 recommendations, numerous proposals tackle copyright issues. These recommendations made the headlines of the French press.


Pierre Lescure and his team have deeply analyzed the current French graduated response, its organization HADOPI, and its efficiency. Let’s navigate the 700-page document and highlight some interesting points.

In section A-5: The release window

The report highlights that the audience wants the pieces of content as early as possible. Furthermore, VOD is drastically increasing. Thus, they propose to reduce the current release window of VOD by one month. Interestingly, they would offer this earlier release only to “good citizen” operators.

More precisely, it is proposed to bring forward the video-on-demand window, possibly reserving this measure for the most virtuous services, that is, those that agree to make proactive commitments in terms of financing creation and showcasing diversity.

Furthermore, they propose the concept of a premium weekend, when a piece of content would be available as VOD one or two weeks after theatrical release for 30€ (40$).


Section A-14 tackles the issue of DRM. They propose to extend the scope of the DADVSI law to games and public domain content. They also recommend creating an open standard for DRM.

Personal note: the problem with an open standard is that it cannot enforce a compliance and robustness regime that is mandatory for any DRM to be efficient.

They highlight that DRM and the French right to private copy do not coexist well.

Section B-7 tackles the issue of the private copy levy.

As cloud computing is becoming more and more present, storage in the cloud will become prevalent. Therefore, the current private copy levy will become useless. Thus, the report suggests creating a levy for every connected device regardless of its internal storage capabilities.

In section C2: “Appraisal of the graduated response”.

The graduated response (articles L.331-24 et seq. of the CPI) is based not on the act of counterfeiting itself, but on the failure of the Internet subscription holder to fulfil the obligation to monitor their access point …
The notion of characterized negligence thus makes it possible, at the end of the graduated response procedure, to sanction the subscription holder without proof that they are indeed the author of the offence of counterfeiting, provided that they did not take measures to secure their line.

They highlight that the cornerstone of the French graduated response is not the counterfeiting act but the subscriber’s characterized negligence in securing his/her Internet access. Being negligent in securing the network does not mean the owner of the network was the infringer.


As of February 2013, content owners detected 35 million for 4.7 million IP addresses. 1.6 million first warnings and 139,000 second warnings were issued, with 29 cases passed to the Court. Only two cases were sentenced, with a 150€ fine. In 2012, the direct cost of the graduated response was 6M$, with an additional bill of 2.5Me from the three main ISPs. This evaluation does not include the cost of TMG detecting the supposed infringing IP addresses, which is borne by the content owners.

They must conclude that the efficiency is mixed.  The use of P2P has visibly declined by 40% in three years.  Nevertheless, this may just mean that the traffic moved to direct download/streaming sites that HADOPI does not monitor.

In section C-3: “Lightening the graduated response”

The report acknowledges that suppressing the graduated response would have many advantages. Nevertheless, the disadvantages are more important. The report proposes to clarify the concept of “characterized negligence”. You would have to put something in place, but you would not have to be successful. They also propose to focus on the counterfeiting rather than on the negligence. The counterfeiting act should be proven and for monetary gain.

In the immediate term, public prosecutors could be asked to bring counterfeiting prosecutions only where there is serious and consistent evidence tending to prove the existence of personal or collective enrichment, within the framework of a counterfeiting network.

The educational element of the graduated response should be enhanced.  Thus, the ultimate punishment, i.e. suppression of Internet access, should be replaced by throttling.  Furthermore, the fine should be reduced from 1,500€ to 60€.

The report proposes to close the HADOPI organization and forward its mission to the Conseil Supérieur de l’Audiovisuel (High Council of Audiovisual).  We anticipated that in August 2012.

Section C-4: “the fight against online commercial piracy” is going in the right direction. It clearly highlights that direct download, streaming and referencing sites are making money through piracy, estimated between 52 and 71M€ each year in France. According to the report, these sites are the real money makers of digital piracy. Although the laws exist, suing these site owners is difficult. The State should be proactive in this fight.

Section C-5: “The responsibility of hosting sites”. Currently, European and French laws imply that the hosting site cannot be held responsible:

  • if it was not aware that content was infringing
  • if it took down infringing content once notified.

The civil or criminal liability of hosting providers cannot be engaged “if they did not have actual knowledge” of the unlawful nature of the stored content or “if, from the moment they had such knowledge, they acted promptly to remove the data or make access to it impossible”.

The report does not recommend modifying this status. Nevertheless, it recommends facilitating good practices such as using fingerprinting to detect illegal content (the French INA signature is highlighted). The report recommends that the French State support a common initiative to set up an organization that would create a database of reference fingerprints and send takedown notifications to sites.

In Section C-6, the report recommends that search engines should present the legal offers in a predominant position compared to counterfeiting offers. Currently, search engines have only light responsibilities in this field in Europe.

Section C-7 highlights the role of payment organizations and advertisement agencies. They indirectly facilitate and benefit from digital piracy. The report calls on these intermediaries to be good citizens. Google has already proven that it may accept to play this game.

Section C-8 tackles the issue of blocking a site and domain names. Although this is possible under French regulation, the report recommends using it only as an ultimate solution.



  • Is HADOPI dead?   It seems that this time, it is a serious blow against it.  It is only  a report, not a set of decisions.   We know the French minister of culture is not HADOPI-friendly.   Thus the likelihood of its near death is high.
  • Is the French graduated response dead?   It will continue, in its current form or in a new way, regardless of its future hosting organization.

Court rules against ReDigi

The resale locker, ReDigi, has been convicted of copyright infringement by the US District Court of New York in its case with Capitol Records. ReDigi lets users sell the digital audio tracks that they do not want anymore, as if they were reselling a CD. In January 2012, Capitol Records filed a suit against ReDigi.

On 30 March 2013, the District Judge, Richard Sullivan, granted Capitol’s motion and denied ReDigi’s. His memorandum and order document is extremely interesting as it sheds some light on the rationales behind his decision. He summarizes the question: Can a digital music file, lawfully made and purchased, be resold by its owner? The Court determines that it cannot.

The first issue was to know if ReDigi violates Capitol Records’ reproduction rights.  According to the Court, the transfer of a music file to a new hard drive is equivalent to a physical copy.

Because the reproduction right is necessarily implicated when a copyrighted work is embodied in a new material object, and because digital music files must be embodied in a new material object following their transfer over the Internet, the Court determines that the embodiment of a digital music file on a new hard disk is a reproduction within the meaning of the Copyright Act.

According to the judge, any transfer from one computer to another computer or server is a reproduction, even if the initial copy has been erased and no longer exists.

The second issue was about the applicability of fair use.   As the operation is related to a sale, according to the judge, it falls out of the scope of fair use.  Furthermore, this sale may be slightly detrimental to the initial market.

In sum, ReDigi facilitates and profits from the sale of copyrighted commercial recordings, transferred in their entirety, with a likely detrimental impact on the primary market for these goods. Accordingly, the Court concludes that the fair use defense does not permit  ReDigi’s users to upload and download files to and from the Cloud Locker incident to sale.

The third issue was about the first sale. In a nutshell, if you have purchased a physical item, you can resell it. ReDigi argues that it is applying the first sale doctrine. The judge believes that the first sale is only applicable to physical goods.

… the first sale defense is limited to material items, like records, that the copyright owner put into the stream of commerce. Here, ReDigi is not distributing such material items; rather, it is distributing  reproductions  of the copyrighted code embedded in new material objects, namely, the ReDigi server in Arizona and its users’ hard drives.

ReDigi complained that the law was not taking into account technological changes and had become ambiguous. The judge estimates that it is still not ambiguous. That technical changes may render a law unsatisfactory to consumers is not an argument. Furthermore, changing it is a legislative prerogative.

The judge decided that ReDigi directly infringed Capitol’s distribution and reproduction rights. The judge decided that ReDigi was not liable for its users’ direct infringements.

Thus, some interesting outcomes to keep in mind.

  • Transferring a digital file of a copyrighted piece of content is a reproduction, even if the source piece of content has been deleted. This may be extremely controversial: for instance, when buffering a file during progressive download, are you making a reproduction? Do you have the reproduction rights? I am sure that we will have additional debates on this topic.
  • First sale doctrine is only valid for physical goods. Will the US Congress propose an evolution to cover digital goods?

This is a serious blow to ReDigi but also to a potential new market of “digital” songs. We will wait for its reaction. In the next post, I will examine the ideas of two big players who wanted to enter this arena: Apple and Amazon.


Unlocking phone in the US: is it illegal?

In 2010, the Librarian of Congress ruled that unlocking a phone to be able to move to another carrier was legal. On 26th October 2012, the Librarian of Congress changed his mind. Unlocking phones purchased after January 2013 will again be illegal.


In the same ruling, the Librarian of Congress allowed the jailbreaking of iPhones for interoperability, but forbade it for iPads!

Wireless telephone handsets – software interoperability
Computer programs that enable wireless telephone handsets to execute lawfully obtained software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications with computer programs on the telephone handset.

This exemption is a modification of the proponents’ proposal. It permits the circumvention of computer programs on mobile phones to enable interoperability of non-vendor-approved software applications (often referred to as “jailbreaking”), but does not apply to tablets – as had been requested by proponents – because the record did not support it.

Recently, the White House officially announced that it was “Time to Legalize Cell Phone Unlocking”.

How the White House will try to revert the Librarian ruling is unclear.

Once more, we see that interpretation of DMCA is complex and evolving with time. Some decisions may even seem strange: authorizing mobile phones but not tablets (although they use the same OS, and may act as phones) is difficult to understand for consumers.

Security Newsletter 22 is available

The  Security Newsletter 22 is available. We are proud to have as guest Joan DAEMEN. Joan is one of the authors of KECCAK, the new algorithm selected by NIST to become the new official SHA-3 function. Mohamed is presenting this new hash function. SSL is the most deployed security protocol on the Internet, thus it is highly scrutinized by the community. Olivier, Christoph and Benoit have a deep dive into the latest attacks against SSL.

Hoping that you will enjoy its reading. Do not hesitate to comment.

Twitter and DMCA

Like Google with its transparency program, Twitter is also offering better transparency when removing tweets following a DMCA notification. Previously, the infringing tweet was removed without any explanation. A month ago, Twitter changed its policy. If Twitter decides it is legitimate to take down a tweet, the following process is applied:

  1. The affected user is notified once the tweet is removed
  2. The affected user receives the complaint as well as the procedure to file a counter-notice
  3. A copy is sent to Chilling Effects; Chilling Effects is a project from EFF and many US universities (Harvard, Stanford, Berkeley…) that collects all the Cease & Desist (C&D) letters in the world
  4. The withheld tweet is clearly marked


Since 2010, Twitter has become a convenient vector for distributing pointers to shared infringing content. Soon, content owners issued C&Ds.

Like Google, Twitter tries to find a tradeoff between the content owners and their users. Transparency is probably a good solution.

the resale locker

I must confess that I became aware of this interesting initiative only this summer, although ReDigi has operated since October 2011.

ReDigi is a site that allows you either to resell your music songs that you do not want anymore, or purchase music songs that people do not want anymore.  In other words, a second-hand market for music.

How does it work, from the user’s point of view?

  1. Alice subscribes to the service
  2. ReDigi locates the songs Alice may resell (purchased either through iTunes or ReDigi)
  3. Alice selects the songs to sell and ReDigi stores them in the cloud while wiping out the copies on the computers
  4. As long as the song is not yet sold, Alice can stream it
  5. Once Bob has purchased it, she can no longer listen to it.
  6. If ever a copy of the sold song appears again on Alice’s device(s), she is notified.


How does it work (partly using the details provided by ReDigi in a court trial, an interview, and my guesses)

  1. She has to install software called Music Manager
  2. Music Manager explores the directories and spots the iTunes and ReDigi songs. It most probably directly jumps to the FairPlay protected directory to find the licenses. It checks if the song is legal (in other words, if it can access the key, meaning that the song was bound to the device)
  3. It uploads the file (and probably the license) to the cloud and erases the accessible song.  At next sync, all iTunes copies should disappear.
  4. The uploaded copy is marked as such until it is sold
  5. Mark it for somebody else.  I would like to know if they rebuild their own license or a new iTunes license.
  6. During phase 3, it extracts a fingerprint of the song.  Music Manager scouts the hard drive to find copies.  I was not able to find if the fingerprint is a basic crypto hash (md5) or a real audio fingerprint.  If it is the second case, then funny things may happen. 
    Alice purchased Song1 on iTunes. Later she purchases the full album on a CD. Thus, she resells the iTunes Song1, and rips her CD. A legit copy of Song1 will reappear on her drive. Music Manager will complain (ReDigi claims that after numerous complaints that are not obeyed, obeying meaning that the song is erased, the subscription is cancelled)
    Obviously, if it is just the hash, then the system can be easily bypassed.
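
The two matching strategies considered in step 6, compared as an added example (not ReDigi's code and not from the original post): an MD5 over the PCM bytes versus a toy band-energy fingerprint, run on constructed signals. The fingerprint scheme, function names and sample "songs" are assumptions for illustration; how Music Manager actually matches files is not known from the post.

```python
import hashlib
import math
import random
import struct

RATE, FRAME = 8000, 1000             # sample rate (Hz) and samples per analysis frame
BANDS = [200, 400, 800, 1600, 3200]  # band centres; each fits whole cycles in one frame

def synth(frames):
    """Constructed 'song': each frame mixes the five bands with the given weights."""
    return [0.05 * sum(w * math.sin(2 * math.pi * f * i / RATE) for w, f in zip(ws, BANDS))
            for ws in frames for i in range(FRAME)]

def reencode(samples, seed=1):
    """Stand-in for a second rip/encode of the same audio: gain change plus small noise."""
    rng = random.Random(seed)
    return [0.9 * s + rng.uniform(-0.005, 0.005) for s in samples]

def exact_hash(samples):
    """MD5 over 16-bit PCM: identifies the file bytes, not the audio."""
    pcm = struct.pack("<%dh" % len(samples), *(int(s * 32767) for s in samples))
    return hashlib.md5(pcm).hexdigest()

def band_energy(frame, freq):
    # Squared magnitude of the frame's correlation with a tone at `freq`.
    re = sum(s * math.cos(2 * math.pi * freq * i / RATE) for i, s in enumerate(frame))
    im = sum(s * math.sin(2 * math.pi * freq * i / RATE) for i, s in enumerate(frame))
    return re * re + im * im

def audio_fingerprint(samples):
    """Toy perceptual fingerprint: per frame, one bit per adjacent band pair (energy rises?)."""
    bits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        e = [band_energy(samples[start:start + FRAME], f) for f in BANDS]
        bits += [int(e[k + 1] > e[k]) for k in range(len(e) - 1)]
    return bits

def similarity(a, b):
    return sum(x == y for x, y in zip(a, b)) / max(len(a), len(b))

def classify(reference, candidate, threshold=0.9):
    if exact_hash(reference) == exact_hash(candidate):
        return "exact"
    fp_sim = similarity(audio_fingerprint(reference), audio_fingerprint(candidate))
    return "perceptual" if fp_sim >= threshold else "none"

# Constructed inputs: the sold track, a re-rip of the same audio, and an unrelated track.
SOLD = synth([(1, 2, 3, 4, 5), (5, 4, 3, 2, 1), (1, 3, 2, 5, 4), (2, 1, 4, 3, 5)])
RERIP = reencode(SOLD)
OTHER = synth([(5, 4, 3, 2, 1), (1, 2, 3, 4, 5), (2, 1, 4, 3, 5), (1, 3, 2, 5, 4)])

if __name__ == "__main__":
    for name, cand in [("same file", list(SOLD)), ("re-rip", RERIP), ("other song", OTHER)]:
        print(name, "->", classify(SOLD, cand))
```

The re-rip row corresponds to the CD scenario above: the byte hash no longer matches, while the perceptual matcher flags a copy that Alice owns legitimately.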


The interesting question is not if the system can be bypassed.  I am sure that the readers of this blog have already guessed at least one or two ways to hack it.  It is not complex, and I will not elaborate on it.


The interesting question is to know if it is legal to resell a digital song. There is a US first sale doctrine that allows you to resell your own goods; nevertheless, the answer may perhaps not be so trivial. See this article. We will soon have a (first) answer. In January 2012, Capitol Records filed a suit against ReDigi. In February 2012, the district court rejected the preliminary injunction. Oral arguments should start on October 5. This article gives a good summary of the legal case.