Copy-Protection Game Changes From Whac-A-Mole to Keep Away

Three weeks after sparking an internet user rebellion, the processing key used to encrypt HD DVD and Blu-ray discs is now obsolete -- and the replacement key has been cracked, too.

You could hardly have asked for a clearer demonstration of the futility of copy protection than the events of the past three weeks. The DVD-encryption key that sparked a user rebellion on Digg in early May is now largely moot. Despite having been posted to hundreds of thousands of websites and garnering attention worldwide, the key is now useless, because the industry group that oversees HD DVD and Blu-ray copy protection has changed its encryption scheme to use a different key.

The new key, in turn, has itself already been leaked, even before it was scheduled to go into effect this week.

Perhaps in recognition of the futility of stopping the spread of an obsolete code, the Advanced Access Content System Licensing Administrator (the industry group behind the AACS copy-protection standard) seems to have abandoned its earlier threats of legal action.

"It apparently was highly controversial (for the AACS Licensing Administrator) to send the legal threat letters," says Fred von Lohmann, a senior staff attorney with the Electronic Frontier Foundation. "I assume they would need to have consensus before they could step up to any lawsuits. And, in any event, it's too late for this key -- it's been immortalized as an internet celebrity thanks to the first legal threats, and will likely outlive all of us, no matter how many lawsuits are brought."

The AACS Licensing Administrator seems likely to turn to technical means of defending its copy-protection system now rather than legal ones. Instead of playing Whac-A-Mole, trying to pursue legal actions against people who post the encryption-processing key, the group is now playing keep away, trying to stay one step ahead of the hacker community by releasing new keys and revoking old ones faster than they can be cracked.

AACS Licensing Administrator representatives refused to comment on the group's strategy or lack of legal activity this month.

AACS is the digital rights management standard used by next-generation high-definition movie discs. Both competing high-definition optical disc standards, HD DVD and Blu-ray, employ AACS to protect content from being copied.

AACS uses encryption keys to keep that content locked down. Last month, Digg removed a user's post that contained the encryption key, sparking a widespread revolt as irate web surfers reposted the key all over the internet. Today, a Google search for the 32-character key returns nearly 1.5 million results.

It's not the first time that an industry's attempt to secure its content has been thwarted by a vast army of internet users bent on breaking a copy-protection scheme. The promise of AACS was that it would be more bulletproof than the Content Scrambling System, or CSS, the encryption scheme on DVDs. CSS was broken in 1999 by a trio of computer-security researchers, including Jon Lech Johansen, better known as "DVD Jon," who was all of 15 years old at the time. The program they created, DeCSS, showed DVDs to be easily exploited, and today a wide variety of programs will decrypt and copy DVDs. What's more, attempts to thwart the spread of the DeCSS algorithm resulted in an outpouring of creative publications based on it, including T-shirts and even an epic poem written in haiku stanzas.

AACS is supposed to be superior to CSS in that it uses device- and title-specific keys. Since the AACS Licensing Administrator can revoke device keys on compromised players and issue fresh title keys for new HD DVDs that will not work with compromised players, it would seem to be able to stay one step ahead of the hacker community. A new set of keys was due to be released May 22.

Unfortunately for the AACS Licensing Administrator, the new keys have already been broken and it will be 90 days before the consortium can release another update. As Wired and other sources noted last week, SlySoft, a software publisher that makes tools for getting around copy protection on movies, updated its AnyDVD HD program to exploit an as-yet-unpublished key. According to security expert Ed Felten, SlySoft had likely already found the exploit in a prior version, but kept the attack a secret until all the other keys were blacklisted.

The AACS Licensing Administrator refuses to reveal or speculate as to what its next steps might be. A statement released earlier this year is vague as to specifics.

"AACS LA has multiple tools, both technical and legal in nature, available to address threats to the AACS technology. AACS LA views these tools as complementary, and will use them as appropriate under any particular set of circumstances," the statement reads.

"I think that you have to remember AACS is a collection of people who don't actually agree on most of these issues," says von Lohmann. "Anything that AACS can say under its own name is certain to have been negotiated by many lawyers for many days."

"It's a delicate thing to keep all those guys on a single press release," von Lohmann says. "My expectation is that they will probably rein in the legal activity with respect to keys. I think you have to view what happened a few weeks ago as a remarkable failure in that light."