Piracy is a big concern for a lot of development companies. The amount of money reportedly lost each year at the hands of pirates is staggering. Naturally, developers take the matter seriously and guard the security of their code-based assets as fiercely as they can.
One progressive way to guard software assets is to place the code into the public domain under some form of open-source licensing scheme. Thus, piracy becomes a moot point, and development takes more of a front seat than profits do.
However, many firms develop code that could not feasibly be protected under an open-source scheme. Instead, their products' protection must rely on honesty or secrecy. Take, for example, the DVD-based Content Scrambling System (CSS) software technology, which relies on secrecy for protection. Developers use CSS to encrypt DVD-based media so that only DVD players can decrypt and play that media. This approach minimizes unauthorized duplication. But in November 1999, someone posted a program called DeCSS that can decrypt media that is copy protected with CSS.
The release of DeCSS has caused quite a ruckus in the computer industry as well as in the motion picture industry. Naturally, Hollywood wants to protect its movies from unauthorized duplication and is going to extremes to do so. In late December 1999, the DVD Copy Protection Association filed a lawsuit in California against Web site operators who had posted copies of the DeCSS program. The association also sued Web site operators who merely posted links to sites that had the program online for download. The courts handed down an injunction prohibiting US sites from posting the code.
But hackers and supporters have struck back hard. Attorneys for the defendants wanted the CSS code submitted as evidence in the case, which would make the code a matter of public record because civil lawsuits are public information. In addition, hackers from Australia will soon air the source code on Australian television. Australian law does not prohibit such action.
I think Hollywood has the right to sue the developers of DeCSS and people who distribute the program, but I also think the developers of DeCSS have the right to tell the world what they discovered. After all, the developers of DeCSS weren't the people who said the CSS technology was secure—they only proved that it wasn't.
That statement leads me to an interesting thought: What about the people who developed and promoted CSS as a secure technology in the first place? Aren't they to blame, too? If a company claims its technology is secure, but it turns out that the product is not, could the company be sued for fraud?
The case raises so many questions that it likely will set more than one precedent for the computer industry and the Internet. I think those precedents will include new legal views on antipiracy and reverse engineering, which could dramatically impact the way security-related problems are discovered and reported in the future. If you're a developer or a company that sells security-related solutions (whether software, hardware, or services), be sure to keep an eye on the DeCSS case. It might change the way you do business.