As I and others have noted: the Australian government has finally released the Exposure Draft of the OzDMCA: the Australian version of the DMCA anti-circumvention law, required as a result of the Australia-US FTA. It’s a big, complex piece of legislation, on a really hard area. What follows are my first thoughts on the Exposure Draft. I’ll be interested to hear what other people think. None of what follows represents a concluded view. There’s just too much there to have reached that point yet.

In summary, I think that the AG’s Department has written a piece of legislation which aims to be narrow in its application, and which aims to exclude from its clutches technologies and acts that are not related to copyright. Under this law, we will not be getting garage door opener cases or printer cartridge cases. Clearly, someone in government was listening to concerns raised by opponents of the legislation; to the LACA in its critical report; perhaps to the High Court in the Stevens v Sony case. There is a lot of language in here that seeks to tie the legislation to copyright.

Nevertheless, the government has also:

  1. Written a complex piece of legislation, aspects of which are very subtle and which are going to take a while to work out.
  2. Not fixed the region-coding problem: it is highly likely that region-coding technologies will still be protected, and circumvention of these banned;
  3. Not fixed the exceptions problem: if you have a right to circumvent an access control, you are still going to either (a) need to be a geek or (b) need to look overseas to make use of it, I suspect.
  4. Continued the present trend of writing highly complex legislation which will be very difficult for the average person to understand.

Over the fold: more comments.

The most controversial aspects of the law: how do you make the link between the law and copyright?

One of the most controversial things about anti-circumvention law, or ‘paracopyright’, is the whether, and how, you ensure that the law which prevents circumvention is related to the exercise of copyright rights. On one view, you really might think this was obvious. If these laws are meant to be there to assist copyright owners to enforce their copyright and target piracy, their purported aim, surely circumvention is only illegal where it actually leads to or is related to infringement? It’s not as obvious as it seems, however, because not all anti-circumvention laws are actually drafted that way. This is important for two key reasons.

First, in the United States there have been a whole range of cases where people have tried to use the DMCA in circumstances that had nothing to do with protecting copyright works: to prevent people from making compatible ink cartridges or refilling them for example; to prevent people from servicing computer systems or making universal garage door openers. Quite often, these lawsuits were brought for the collateral reason of restricting competition in markets for non-copyright goods or services. Ensuring there is a link between these laws and copyright ensures this can’t happen.

Second, there are a whole lot of acts that are perfectly legitimate in ‘ordinary’ copyright law, but which might be prevented by a technical measure. These include all those things we have copyright exceptions for (archival use, fair dealing, etc etc etc), but also things like making players (eg, video players, CD players, DVD players) that read and render consumer copies of music, movies, television – even data like word processing documents or photos. If TPMs are defined broadly, and exceptions narrowly, some of this can go away, and we can potentially have the problems that arise where competition is removed from a market.

US law isn’t written explicitly to link anti-circumvention law and copyright – but US courts have read the law that way (eg Storage Technology Corporation v Custom Hardware Engineering & Consulting Inc (Fed. Cir. 24 August 2005). But there’s some basis in the text of the FTA for making a link somehow – in particular, the ‘chapeau’ to Article 17.4.7 which says that the provisions is aimed at ensuring ‘adequate legal protection and effective legal remedies against the circumvention of effective technological measures that authors, performers, and producers of phonograms use in connection with the exercise of their rights and that restrict unauthorised acts in respect of their works, performances, and phonograms’.

There are basically two ways you can link copyright infringement and anti-circumvention law:

  1. The first is to exclude from the protected technologies those technical measures which are unrelated to copyright infringement. This is what our law currently does (see s116A). The advantage of that approach is that you can very clearly exclude measures like the ones that have given rise to litigation in the United States.
  2. The second approach is to limit liability for circumvention to those activities which have a link to copyright – for example, make it illegal to circumvent where the circumvention is aimed at, or leads to, infringement of copyright.

The Australian government have mostly chosen the first, not the second option, although there is an interesting little twist in the liability part of the provisions, which I’ll come back to. (notably, while the US doesn’t explicitly link copyright to copyright infringement, interpretations by the courts have tended to exclude from liability situations where the defendant’s activities don’t relate to copyright infringement – ie, the US courts have taken the second option, not the first).

There are two questions: first, is the Australian approach a good one, and second, will the drafting work?

Is this the best approach?

My view is that linking copyright infringement to the definition of TPM is not the best approach. As I’ve said before, the problem with linking copyright to the definition of TPM is that it is an all or nothing approach. Once a TPM is used in any way related to copyright protection, its circumvention for any reason might be banned regardless of the reason for the circumvention or the type of control exercised. For example, if the same technical component acts to prevent the use of both ‘pirate’ DVDs or games, and DVDs or games bought in another geographical region, if you circumvent, even if just to avoid region coding, you act illegally.

The law thus encourages copyright owners to use the same technical measures to protect copyright rights, and to extend control to prevent acts unrelated to copyright.

This doesn’t happen where you link liability to copyright infringement, by the way. On that approach, you can limit liability to the ‘bad guys’: if an individual is out there circumventing to infringe – or marketing or promoting devices for the purposes of infringement, then they go down. Conversely, the manufacturer of a device that does no more than access legitimately purchased material should be safe.

Will the drafting work?

Taking the government’s chosen approach as something of a given, let’s turn to the second: whether the drafting put forward by the government will work. Let’s look at the definition of ‘access control technological protection measure’ (or ACTPM):

Access control technological protection measure means a device, product or component (including a computer program) that:
(a) is used by, with the permission of, or on behalf of, the owner or the exclusive licensee of the copyright in a work or other subject-matter; and
(b) is designed, in the normal course of its operation, to prevent or inhibit the doing of an act:
(i) that is comprised in the copyright; and
(ii) that would infringe the copyright;
by preventing those who do not have the permission of the owner or exclusive licensee from gaining access to the work or other subject matter.

There’s also a ‘note’ to this definition, which seems to be designed to get around the problem that region-coding technologies might be protected. I’ll come back to that when I talk about region-coding.

The first thing this definition shows is that the government really have tried to ensure these laws are applied only in cases where a TPM is linked to protecting copyright works. There are all kinds of different little quirks in the language here that we have not seen in previous anti-circumvention legislation. Every qualification they could put in, they have. It has to be related to a copyright right. It has to prevent or inhibit infringing acts. It has to prevent people without permission of the owner from gaining access to the work. If anything, it’s a little over-earnest, don’t you think?

A really interesting (and controversial) move is that the definition reproduces language used in the current definition of TPM – that the device has to ‘prevent or inhibit’ certain acts. That language has been interpreted by the Australian High Court in a narrow way in the Stevens v Sony case – according to the Court, it means inhibit in a ‘technical’ sense (make more difficult, eg degrade a copy or something like that) – not, for example, make the act of infringement pointless eg by denying access to infringing copies. The effect of including it here might be to keep the Stevens v Sony idea that the ‘preventing’ of infringement must be technical and in effect, ‘post’ access. In fact, if anything, this drafting would seem to adopt and affirm the High Court reasoning from Stevens v Sony. This doesn’t, by the way, mean that the result in Stevens v Sony is preserved – the scope of what is an infringement has changed since that judgment.

This stuff is really hard to think about in the abstract. So, let’s think about how this definition applies to some of things that people might argue are ACTPMs.

  1. An access code/password system on an online journal database: such a system clearly prevents access without permission, and is used ‘on behalf of’ (or directly by) a copyright owner. Does it prevent infringement? Probably yes – the copies of individual articles made or downloaded without permission after access. Yes, this would be an ACTPM.
  2. The Content Scrambling System (CSS): this encryption is applied to movies released on DVD. Like most encryption systems, it prevents access unless you have the ‘key’ to unscramble the movie, and it is used with permission of copyright owners. Does it prevent or inhibit some act falling within the copyright owner’s rights that would be infringement of copyright? Well, CSS on its own doesn’t prevent a person copying the work (you can copy the scrambled file, you just can’t read it), nor does it prevent a person from ‘communicating’ the work to the public (you could put the encrypted file on your website, although people without the key couldn’t read it). Maybe you could say that it prevents a person without permission from ‘rendering’ the movie, and there are aspects of the ‘rendering’ which are an infringement: for example, temporary copies made in temporary memory when an infringing copy is played, or a ‘public’ rendering (public performance) (for an extended discussion of the ‘temporary copy’ provisions, see a previous post). Or maybe you say that the ‘ACTPM’ is not CSS on its own, but CSS plus elements of a DVD player. But is there a problem with this – that the device that just decrypts CSS-encrypted files is not captured? Maybe not if you say that any program, or device, designed to decrypt a CSS-encrypted file is thus ‘circumventing’ (avoiding, bypassing etc) the CSS system. Unclear.
  3. Apple’s FairPlay system that allows iTunes songs to be played only on iPods. This is like CSS, really. Every file bought from the iTunes Music Store with iTunes Software is encoded with FairPlay, which digitally encrypts AAC audio files. The master key required to decrypt the encrypted audio stream is stored in encrypted form in the file. Each time a customer uses iTunes Software to buy a track a new random user key is generated and used to encrypt the master key. The random user key is stored, together with the account information, on Apple’s servers, and also sent to iTunes Software on the user’s computer, which stores these keys in its own encrypted key repository. Using this key repository, iTunes is able to retrieve the user key required to decrypt the master key. Using the master key, iTunes Software is able to decrypt the AAC audio stream and play it. The software imposes certain restrictions on what you can do: you can copy it to as many iPods as you like, but only 5 computers, etc. This looks like an ACTPM to me. What you have is encryption/software which prevents access unless you have the ‘key’ to unscramble the music, and it is used with permission of copyright owners. What is more, the FairPlay system restrains acts which would be copyright infringement – like making copies onto computers (it restricts how many computers you can copy to). Thus, probably an ACTPM
  4. A system that allows only ‘authorised’ and authenticated copies of games to be used in an online multiplayer gaming environment (see the Bnetd case). This one’s more tricky. First, what is the ‘work’ to which ‘access’ is being denied? It can’t be the game itself – it must be some program or the like which is held on the central server (eg, the computer program that allows multiplayer gaming). And what is the infringing act being prevented? Perhaps some central program or copyright work has to be downloaded to enter the multiplayer environment? Maybe. It’s not at all obvious though.
  5. What about the Lexmark Printer Cartridge example? There you had uses an “authentication sequence” that performs a “secret handshake” between each Lexmark printer and a microchip on each Lexmark toner cartridge. Lexmark argued that its authentication sequence constituted a “technological measure” controlling access to two copyrighted computer programs that made the printer run, by controlling the consumer’s ability to make use of these programs. I would say that such an item wouldn’t be an ACTPM: it is not designed to prevent copyright infringing acts by preventing people without permission from gaining access to the work. The ‘secret handshake’ is designed to prevent the computer program from running, but that’s not actually something ‘comprised in the copyright’. No ACTPM, I think.
  6. The legacy data issue: What if you have Software Provider A, who has written the database program used to store Company B’s data. Company B puts the data in, and insofar as there is copyright, probably owns copyright. What if Software Provider A’s program encrypts the data so that only A’s software can read it? Is this an ACTPM? Maybe. First, note that the fact that this encryption is applied to B’s data won’t get there: the measure is not applied ‘on behalf of’ B, nor with their real permission, nor is it designed to ensure that people without B’s permission can’t gain access. It’s there to protect A. So there would need to be something in the file in which copyright belonged to A. With databases, though, there might well be – eg there might be a copyright-protected data structure, access to which is protected by the encryption. In short: not clear whether we have an ACTPM here.

This brief review of a few scenarios suggests that some, but not all things that have been argued in the real world to be TPMs would be covered by this legislation.

A couple of further points about the technologies covered.

First: why didn’t the government exclude obsolete or malfunctioning TPMs from the definition? Would have been better than trying to work out exceptions for such things.

Second: despite comments made before the LACA inquiry last year, there is no apparent exclusion for broadcasts from this scheme. Thus, while the government seemed to suggest it would not be including broadcasts, because it didn’t have to under the FTA, and while in the US the DMCA doesn’t apply to broadcasts, because they’re not copyright – this whole scheme applies to broadcasts too, I think. Bring on the broadcast flag….

But you know what is even weirder about the inclusion of broadcasts? There’s already a whole Division of the Act already dealing with ‘broadcast decoding devices’ (it’s Part VAA, ss 135AL – 135AU). And it’s broader. The Act there bans selling manufacturing, dealing in, and using broadcast decoding devices. What is a broadcast decoding device? A device (including a computer program) that is designed or adapted to enable a person to gain access to an encoded broadcast without the authorisation of the broadcaster by circumventing, or facilitating the circumvention of, the technical means or arrangements that protect access in an intelligible form to the broadcast. Notice anything about that definition? It’s broader than the proposed definitions for ACTPM and TPM. No reference to copyright infringement at all. Now, I’ve not done any kind of real analysis on which of these two is broader, but I’m just not clear on why we need two regimes protecting technology that protects broadcasts. If you ask me, it’s just plain weird.

Other aspects of this legislation

There’s a bunch of other things that are interesting about this draft legislation which we need to think about. Apart from the definitions of what counts as a TPM, there are 3 other areas where the government had choices to make:

  1. What activities the law prohibits: The scope of the prohibited activities: for example, do you ban the act of circumvention, or just ‘trafficking’ of circumvention devices? What counts as ‘trafficking’?
  2. The scope of the exceptions: How many exceptions will there be, what for, and how will they work?
  3. The remedies: when will a remedy be granted, and what kinds of remedies are made available.

So let’s look at what the government is proposing to do in each of these areas.

What activities are prohibited?

As it must, the government is prohibiting:

  1. Circumventing an ACTPM
  2. Trafficking a circumvention device (to circumvent TPMs which aren’t ACTPMs) – meaning manufacturing or importing a device to provide it to another person, distributing, offering, providing, or communicating it to another person
  3. Providing a circumvention service (to circumvent TPMs that aren’t ACTPMs)

There’s a couple of interesting things about the way the bans are drafted. Let’s look first at the ban on circumventing an access control (s116AK). It’s drafted like this:

(1) An owner or exclusive licensee of the copyright in a work … may bring an action against a person if:
(a) The work … is protected by an access control technological protection measure; and
(b) The person does an act that results in the circumvention of the ACTPM when the person knows, or ought reasonably to know, that the act would have that result
(2) Subsection (1) does not apply to the person if the person has, or has reasonable grounds to believe that the person has, the permission of the copyright owner or exclusive licensee to circumvent the access control technological protection measure.

A couple of things are worth noting:

  1. It has to be the copyright owner/licensee who sues, unlike the US, where ‘any person injured by a violation’ of the ban can sue. This cuts both ways: on the one hand, the Australian version means that the creators of ACTPMs, or device manufacturers, or others can’t sue. On the other hand, in the US version, the person has to be injured to bring a suit.
  2. There is no requirement that the person suing have proof that access was obtained to their copyright work – so long as the same ACTPM is covering their copyright, they can sue here (which could lead to a strange situation or two…)
  3. What is the effect of the ‘permission’ exception in sub(2)? Does this mean that if a person has purchased a copy of copyright material (eg, a DVD) they have reasonable grounds to believe that they are allowed to ‘circumvent’ (ie descramble) to view? So that anything they do to view is ok? Cf the US legislation, which bans circumventing without authority (but there’s no qualification there where a person thinks they have authority).
  4. Why, oh why, does the government insist on drafting these rules in terms of ‘doing acts that result in’ circumvention? It just makes a reader wonder how direct the ‘results’ has to be. Why not confine liability to a person who circumvents, period?

A few interesting questions there.

Now, let’s look at the trafficking ban. This rule (s 116AL) makes it illegal to do the following in relation to ‘circumvention devices’:

  1. Make one (with the intention of providing to another person);
  2. Import one (with the intention of providing it to another person); or
  3. Distribute, offer, provide or communicate one to another person

A ‘circumvention device of a person is a device, component, product or computer program that:

  1. Is promoted, advertised or marketed by the person (or by another person acting in concert with the person) as having the purpose of circumventing the TPM;
  2. Has only a limited commercially significant purpose or use other than the circumvention of the TPM; or
  3. Is primarily or solely designed or produced for the purpose of enabling or facilitating the circumvention of the TPM

What’s interesting about this? Well, here’s a few thoughts:

  1. First and most obviously the gaps are making devices for your own use, or importing for personal use. These are the only things you can do, it would seem (this, by the way, is backed up by the fact that s 116AN ensures that the provisions apply ONLY to acts done in Australia);
  2. Again, who can bring a suit is limited. You have to be the copyright owner/licensee of a work which is protected by that particular TPM, although you don’t have to prove that the protection on your particular work was circumvented;
  3. There are some situations where the same device is going to be a circumvention device in the hands of John, but not in Peter’s hands. Imagine that you have a component which has uses other than circumvention, and is not designed primarily for circumvention. Such a device does NOT fit parts (b) or (c) of the definition of circumvention device. That device will then vary: in the hands of person A (who advertises ‘copy all your Hollywood DVDs!’) it is a circumvention device. In the hands of person B, who does not do any such marketing or promotion, it is not. Quite possibly this is the intended effect, and it might well be quite sensible, although I query whether some would be happy with a situation where person B can keep selling a device once it is commonly known (following A’s promotions) to be useful for circumvention.

What does all this mean for region coding?

In his press release, the Attorney-General said:

‘”Region coding” devices aimed solely at stopping people from playing legitimate DVDs or computer games bought from overseas will not be protected by the regime.’

This is a reference to a ‘note’ to the definition of ACTPM/TPM. But don’t be fooled by this weasel wording. The key term here is ‘solely’. Frankly, I’m not aware of any technology or component that is designed solely to effect region-coding. Currently, with respect to movies, region-coding is enforced using a combination of CSS and contracts that require the makers of DVDs to enforce Regional Playback Control (for details, see my submission to the TPM Inquiry last year). CSS is also designed to prevent use of unauthorised disks. In fact, when it comes to next generation DVD technology (HD DVD or BluRay), the same system is going to be used to enforce all kinds of controls – including region-coding. In that event, this ‘qualification’ in the Note will simply not be useful.

I can see where this language comes from: it comes from the Singapore FTA and the Singapore legislation, which is expressed in identical terms. It’s pretty clear that the government has chosen this language based on the view that they are more likely to get away with it given its use in another FTA country.

Now here’s a question, though. Is there another way under this Exposure Draft that circumventing region-coding would be ok? Well, it’s interesting. Think about the ban on circumvention. Liability only arises where you circumvent an ACTPM, and:

  1. You know, or ought reasonably to know, that you are circumventing an ACTPM, and
  2. you don’t have permission to circumvent, or reasonable grounds for thinking you have permission to circumvent.

Now, if you’re in a situation where you are just trying to watch a legitimately purchased movie from overseas – are you going to be liable? Even if you have to take a few steps (googling, installing some software from online) that lets you watch the movie? I wonder…. It might depend on circumstances…

Is this draft consistent with the AUSFTA?

The million dollar question is, of course: is this draft consistent with Article AUSFTA Art 17.4.7? The bits of the AUSFTA which are relevant here are for one thing, 17.4.7(b) which seems to define technological measures as those which ‘control access to a work … or protect any copyright’. No mention of copyright, or infringement there. The other relevant bit is Art 17.4.7(d): which requires that violations are separate from and independent of copyright infringement.

I would guess that the provisions might arguably be consistent, on the basis of that introductory text to Art 17.4.7, which talks about protecting copyright (the chapeau), the intention of the WIPO Treaties on which these provisions are based, and US caselaw which has directly sought to relate the laws to copyright.

But I would also guess that there’s room for controversy. In particular, the apparent affirmation of the Stevens v Sony reasoning isn’t uncontroversial. Consider these comments from the IP Advisory Committee after the AUSFTA was concluded, on Australia’s anti-circumvention laws, reflecting to some extent what USTR was hearing was important in copyright/anti-circumvention:

‘It was critical to achieve Australia’s agreement to adhere to, and fully implement the provisions of, the WCT and WPPT, along the same lines as the U.S. had in the DMCA in 1998. Unfortunately, in consideration of these issues in the last three years, Australia had strayed in a particularly key area from what industry and the U.S. government considered to be full and correct implementation of the obligations of those treaties’

Or this:

A principal objective of the negotiation was to close a damaging loophole that Australia had enacted [in its current implementation providing protection for technological protection measures]. This was done…

Of course, just because it isn’t what certain US interests might hope for doesn’t mean it is inconsistent with the AUSFTA. It does make it controversial, however. I suspect, though, that the government would have some pretty strong advice on consistency from their international law office.

Scope of exceptions

The final matter I want to comment on today is the question of exceptions to the ban. We only have a partial sense of what the exceptions are going to be so far: some are in the Exposure Draft, others are expected in the form of regulations – which are yet to be published even in draft form. Without repeating everything in the exceptions, here are a few things to note:

  1. Of the list of exceptions in the FTA, the only one the government has not transferred across is the exception for the purpose of preventing access by minors to inappropriate material. No surprises there – that’s a very American kind of exception;
  2. The interoperability exception is pretty narrow (see also Brendan Scott on Groklaw). It is confined to circumventing measures applied to protect computer programs – and the extended definition of ‘computer program’ to include essential data (s 47AB of our Act) doesn’t apply here. That means, I think, that you could not circumvent an access control on a data file (eg, stuff stored in a database) in order to make an interoperable computer program
  3. It’s amusing to see that the government has interpreted its own exception (under the FTA, Article 17.4.7(e)(vi) (which applies to ‘law enforcement, intelligence, essential security, or similar governmental purposes) to write an exception that covers any act done for the purposes of ‘performing a statutory function, power, or duty’. That’s ‘similar’ to ‘essential security’ and law enforcement? Isn’t that a little broad? It will, at least, take care of the Tax Office’s concerns (see their submission) – although general exceptions for government wasn’t something that the LACA supported in its report, from memory.

Two key, further observations on exceptions.

First, the government has not fixed the ‘lamentable and inexcusable flaw’ described by LACA. It is still the case that you can have right to circumvent an access control, but no one in Australia is allowed to help you exercise that right. You can import something from o/s, or do it yourself. That would appear to be it, unless I’m missing something.

Second, there is the question of how the government is going to create new exceptions. Here, I think, the legislation really is a little bizarre. Basically, it would appear to say that:

  1. It is the Attorney-General who will decide whether additional exceptions are ever required
  2. If you want one, you send a submission to the AG and
  3. He has to decide within 4 years of receiving that submission whether to create an exception for you

Huh? I guess the intention here is that the AG is given the power to hold 4 yearly reviews (if he feels like it), but can also create ad hoc exceptions if he thinks it necessary. And on the face of the legislation, there is no hurry – the AG could just sit on a submission for several years. No process is set out in the legislation – it’s not clear whether there will be a chance for copyright owners to make submissions on proposed exceptions, or what kind of notice would be required… This is all very ad hoc – extraordinarily so. But it is possible that more will be included in the Regulations. So we should not really jump to conclusions.

Final comments

There is an awful lot in this legislation. There are subtleties of language, and much of the language in this Exposure Draft is quite unlike anything I’ve seen in any other country’s implementation. It is reflective of the care and though the AG’s Department has put into it – and also their determination not to implement a DMCA. I think we will be struggling to work through the implications in the three weeks we have.

These comments are very much a first stab – they highlight things that I’ve noticed on a first glance. There is no doubt more, much more, and nothing here is a concluded view at this point.