Declaration]:
Reply Decl. of John J. Hoy
NY1:\866045\01\$K8T01!.DOC\62130.0216
WEIL, GOTSHAL & MANGES LLP
JARED B. BOBROW (State Bar No. 133712)
CHRISTOPHER J. COX (State Bar No. 151650)
2882 Sand Hill Road, Suite 280
Menlo Park, California 94025
Telephone: (650) 926-6200
Facsimile: (650) 854-3713
WEIL, GOTSHAL & MANGES LLP
JEFFREY L. KESSLER
ROBERT G. SUGARMAN*
767 Fifth Avenue
New York, New York 10153
Telephone: (212) 310-8000
Facsimile: (212) 310-8007
Attorneys for Plaintiff
DVD COPY CONTROL ASSOCIATION, INC.
SUPERIOR COURT OF THE STATE OF CALIFORNIA
COUNTY OF SANTA CLARA
DVD COPY CONTROL ASSOCIATION, INC., a
not-for-profit trade association,
Plaintiff,
v.
ANDREW THOMAS MCLAUGHLIN, an individual; ANDREW BUNNER, an individual; JOHN
V. KEW, an individual; SCOTT KARLINS, an individual; GLENN ROSENBLATT, an
individual; DALE EMMONS, an individual, EMMANUEL GOLDSTEIN, an individual;
DOUGLAS R. WINSLOW, an individual; JONATHAN BLANK, an individual; ROGER KUMAR,
an individual; ROBERT JONES, an individual; EN HONG, an individual; MATTHEW
ROBERT PAVOLICH, an individual; IAN A. GULLIVER, an individual; JON HANSON,
an individual; DAVID M. CHAN, an individual; CAMERON SIMPSON, an individual;
TOM VOGT, an individual; CYRIL AMSELLEM, an individual; THORSTEN FENK, an
individual; ADRIAN BAUGH, an individual and Does 1-500, inclusive.
Defendants.
____________________________
* Pro Hac Vice App. Submitted |
REPLY DECLARATION OF
JOHN J. HOY
Date: January 18, 2000
Time: 1:30 p.m.
Dept. 2
Honorable William J. Elfving |
I, JOHN J. HOY, hereby declare and state as follows:
1. I make this Reply Declaration in further support of Plaintiff DVD Copy
Control Association's ("DVD CCA") application for a Preliminary Injunction
for two reasons: first, to correct certain factual misstatements and reply
to the contentions made in the Declarations and papers submitted on behalf
of Defendants Andrew McLaughlin and Andrew Bunner in opposition to DVD CCA's
application for a preliminary injunction; and second, to provide further
clarification of the stringent measures taken by DVD CCA, and its predecessor,
to secure the trade secrets of the CSS technology which it licenses. As stated
in my previous Declaration submitted in support of DVD CCA's application
for a preliminary injunction ("Hoy Decl."), I am the President of DVD CCA
and have been intimately involved in all issues relating to the adoption
of the DVD format and specifically in all aspects of the implementation and
protection of CSS technology. (Hoy Decl., ¶¶ 1-4).
The Original "Hack" of CSS was Through the Xing
License
2. Two postings on the Internet, one dated October 6,
1999 and one dated October 25, 1999, reveal that the original access to the
CSS technology was a "hack" around the license issued by Xing Technology
Corporation ("Xing"). (A true and correct copy of the October 6, 1999 posting
is attached hereto as Exhibit A. A true and correct copy of the October 25,
1999 posting is attached hereto as Exhibit B.)
3. The October 6, 1999 posting appeared at
http://mmadb.no/hwplus, the web
site which, on information and belief, was authored by Jon Johansen, the
original Norwegian hacker. That posting required the "object code" to be
downloaded. Object code is a code that computers understand.1
With respect to the information downloaded from this posting, performed the
following tests to determine whether it included the Xing "master key." First,
took a DVD disc of a motion picture and played it on the DVD drive of a personal
computer ("PC") to determine that the PC and DVD drive actually worked. The
motion picture played properly on the PC. Second, using the DeCSS program
which had been posted on October 6, 1999, I copied the digital images from
the DVD disc onto the hard drive of the same PC. Again, the motion picture
played properly, thus proving that DeCSS could descramble the digital images
from the DVD disc. Third, I then "zeroed out" (i.e., nullified) the Xing
"master key" in the DVD ROM buffer memory and, using the same DeCSS program,
copied the digital data from the DVD disc and the other "master keys" onto
the hard drive of that PC. When I attempted to use the copied digital data,
a message appeared on the computer screen stating that the motion picture
could not be played. Finally, I "zeroed out" all of the other "master keys
in the DVD ROBA buffer memory, but activated the Xing "master key" only.
Using the same DeCSS program, copied the digital data from the DVD disc and
the Xing key onto the computer's hard drive. When I attempted to play the
motion picture from the hard drive this time, it played properly. From this
experiment, I concluded that the October 6, l999 posting contained both the
CSS technology and only the Xing "master key."
___________________
1 Programmers write computer programs in a form called "source code."
The source code consists of a set of instructions in a particular language
like "C" or "FORTRAN." Compilers change the source code into an intermediary
form called "object code," which is understood by a particular type of computer.
The object code is then transformed into a low-level language] called [machine
language which the computer actually executes.
4. The October 25, 1999 posting (an anonymous posting to the Livid mailing
list at
http://livid.on.openprojects.net)
contained "source code." Source code is the language in which programmers
write computer programs. From looking at the text of this posting (without
performing a test as that described in Paragraph 3 above), I can determine
(i) that it contains the Xing "master key" and (ii) and that it does
not contain any other "master key."
I am informed and believe that the code posted on October 25, 1999 operates
as a CSS descrambler module.
5. Thus, as of October 25, 1999, the date which DVD CCA alleges in its Complaint
that CSS technology first appeared in source code form on the Internet
(Complaint, ¶ 45) -- and the date which Frank A. Stevenson claims (through
his Declaration filed on behalf or defendants Bunner and McLaughlin, see
discussion at ¶¶ 6-14,
infra) was the first date on which cryptanalysis of CSS ciphers was
publicly disclosed on the Internet -- there was a posting of CSS source
code which contained only the Xing "master key." I am not aware of any other
posting of the CSS technology on the Internet as of October 25, 1999 which
contained any of the other "master keys." Access to CSS technology was thus
obtained in violation of the specific provision in the Xing end-user license
"click wrap" agreement which prohibits reverse engineering. (See Reply Decl.
of Chris Eddy, ¶ 7 and Ex. A).
Declaration of Frank A Stevenson
6. Declarant Frank A. Stevenson ("Stevenson") states that to the best of
his knowledge, he is the "first person that publicly disclosed the
cryptanalysis on the CSS ciphers. (Stevenson Decl., ¶ 3). Mr. Stevenson's
Declaration demonstrates that both he, and others working to hack CSS through
the Livid project (a forum whose sole purpose was "to provide Video and
DVD playback capabilities to the linux computing platform", id.,
¶ 4) knew, or had reason to know,
that CSS was proprietary trade secret technology that was protected by a
series of "master keys."
7. For example, as demonstrated in the Reply Declaration
of Jonathan S. Shapiro, Esq. ("J. Shapiro Decl."), members of the Livid project
were aware as early as July 25, 1999 that CSS technology -- the trade secrets
that are at the heart of this action -- was protected by a series of "master
keys" and that the only way to access the CSS encryption codes was to hack
through those keys, each belonging to a company that had entered into a license
agreement with DVD CCA's predecessor. (Hoy Decl., ¶¶ 14-15). On
July 25, 1999, one member of the Livid project wrote:
I am new to this list, and with great interest, I read about your progress
on CSS unlocking and decrypting.
There is one thing I don't understand. Why don't you take a look at the
existing software decoders that are available for windows? I've got
installed 4 of them (XingDVD, WinDVD, Cinmaster engine, PowerDVD) and each
one is capable of playing every CSS encrypted DVD I own. In theory it should
be possible to take out the CSS decrypting code part and use it in the LiViD
project. Even copyright reasons hold you back from re-using the code, it
should help to learn a lot about the process.
(J. Shapiro Decl., ¶ 53) (emphasis added). To my
knowledge, all of the software licensees of CSS technology, including Xing,
require end users to enter a "click wrap" license which specifically prohibits
reverse engineering.
8. Moreover, the Internet postings of those individuals
who were developing and/or discussing the means to hack through the master
keys to gain access to CSS technology, referred to in the Shapiro Reply
Declaration, demonstrate that they knew, or had reason to know, that such
actions were wrongful.
9. For example, postings on slashdot.org as early as July 1999 clearly establish
the state of mind of the hacker community. The following is a sample of posts
made on July 15, 1999:
With DVD all the decoding is done locally, and if the decoding can be done
in software (which it often is, under windows, anyway) than that code can
be RIPPED and ported to other platforms. Period. The Law? F**k the law.
Someone will do it regardless and post it to USENET and ftp servers
in countries where US law is meaningless, and the SW will spread and no
one will be able to stop it. The secret nature of DVD decoding is already
doomed and has been since day one when software was released to do it. If
they really wanted to keep it secret, they'd have had a better chance if
they kept all the decoding in hardware. But it's too late now. The genie
is out of the bottle. (by root at megami dot org) (emphasis in original).
My impression is that the decryption algorithms for
DVD are kept as a big secret to prevent movie piracy (which as most of
us know is becoming the next big thing on the net). In order for linux to
get a decoder, it would have to come from either (a) hardware or (b) some
group who has access to the decryption scheme.... (by
spam2(itheresistance.net) (emphasis added).
There is an incorrect perception that copyright and
patent and RE reverse engineering laws are universal. They are not.
If someone in say, Taiwan, or some other non-Berne non-WIPO country REs
the code and posts it to the usenet, how is this illegal? Now I suppose
it's illegal for Joe US Citizen to download and use this code, but
the genie will be out of the bottle so to say, and it will then be impossible
to suppres sic the knowledge anymore. (by anonymous coward) (emphasis added).
Yes, it is true, we have now all the needed parts for
software decoding of DVDs, but any software doing so will be illegal and/or
non-free....
The information about CSS is obtained by reverse engineering
some DVD software decoder. Reverse engineering is nearly
every time prohibited by license agreements, and
for example european law allows reverse engineering only for software
compatibility issues. So the CSS source was not obtained
in a legal way, and it is at least a very problematic
issue if we may use this source however. I'm unsure if CSS is also protected
by patents. (by kjuZ)debian dot org) (emphasis added).
I'm sure Matthew P. and the source codes 'creator' will
be contacted to cease and desist distribution of the code. The anonymous
source (who isn't entirely anonymous, as far as I know, as he made himself
known on other forums), will be at the most risk here for legal problems.
Best idea now is to download the code. Get it spread around
as widely as possible. It may not be able to be used legally when all is
said and done, but at least it will be out there for others to work with.
(by Sontas) (emphasis added).
What are the laws regarding reverse engineering,
specifically reverse engineering a piece of software that has a specific
clause in it's usage license not to reverse engineer or dissasemble sic
the code? Are there any ways around a reverse engineering
clause of a software product? (by Sontas) (emphasis
added).
. . . I don't see how Reing [reverse engineeringj
the CSS mechanisms in a DVD player would be considered legal. You
are not maintaining any kind of compatibility. The only way
I can see it being able to be legal under that law Norway is to claim you
did it for maintaining compatibility with other DVD authoring software. Even
then, one could only legally RE the encryption algorithm used and perhaps
where on the disc hone has to place the disc and title keys. (by Sontas)
(emphasis added).
What if I buy a machine with software already installed?
These are shipped ready-to-run, and don't present all the EULA screens that
the setup programs offer. Nobody could prove I even saw a
license agreement, let alone approved it. (by artg)
(emphasis added).
The windows EULA says you cannot reverse engineer. It
also says that if you do not agree to the terms of the agreement, you are
entitled to a refund. How many people actually got refunds? If microsoft
doesn't honor their side of the agreement, legally you don't have to either.
(by nagumo@.linuxstart.com).
What are the laws of reverse engineering, specifically
reverse engineering a piece of software that has a specific clause in it's
usage license not to reverse engineer or dissasemble sic the code? (by
r.e.wolffE).BitWizard.nl/).
I think criminal charges are up to 3 years in jail
and $10,000 per violation. That would of course be for serious
violations, or if someone was out to destroy you. (by anonymous coward)
(emphasis added).
(J. Shapiro Reply Decl., at ¶¶ 18-22, 24-28).
10. Declarant Stevenson states that on or about October
25, 1999, anonymous post of CSS C source code was made to the Livid project
mailing list. Stevenson posted a copy of this on his Web site. (Stevenson
Decl., ¶ 14). Stevenson states that the "anonymous source" could not
"be executed as a program" and did "not contain any player keys" (id.,
¶ 7), a clear acknowledgement that the means to obtain the CSS
technology was through one of the keys owned by the licensees of the CSS
technology. (A portion of Stevenson's posting to the Internet, attached as
Exhibit C to his Declaration, is titled "The Divide and conquer attack, Deviced
and written by Frank A. Stevenson 26 Oct 1999 . . . Released under the GPL
license.")
11. Stevenson then states that he posted a "break on
the CSS cipher used for encrypting movie files" on October 27, 1999. (Id.,
¶ 15). He states that this "attack reduced the workload for finding
a CSS key used to encrypt an individual block of movie data . . ."
(id.), thus again recognizing the importance of the "master
keys" as the means to gain access.
12. On October 28, 1999, Stevenson made a post, titled
"Working PlayerKey cracker," "describing a break on the player keys to the
Livid mailing list," stating that "this attack will enable a competent
programmer to derive all 400 or so player keys from a single known player
key in 5 to 10 minutes on an ordinary PC." (Id., ¶ 16 and
Ex. E) (emphasis added).
13. On October 30, 1999, Stevenson made another post
"describing an attack on the disk hash" to the Livid project. (Id.,
¶ 17). He states: "This attack described a method for extracting
a title key directly from this hash, thus negating the need for any player
keys when viewing a DVD movie." (Id.) (emphasis added).
Thus again, Stevenson recognizes that the purpose and intent of those hacking
into to the CSS technology was to "negate" the need for the "master keys"
which DVD CCA and its predecessor had put into place for the specific purpose
of protecting the CSS technology -- the trade secrets at issue here.
14. Although Mr. Stevenson states that "there are a variety of methods
that can achieve the cracking of the encryption scheme without ever seeing
or agreeing to a Xing license agreement,"
(id., ¶
19), he fails
to state any. In any event, that is beside the point. His Declaration clearly
proves that he was aware that CSS was technology that was licensed pursuant
to an agreement that contained anti-reverse engineering provisions and that
the "master keys" were the means used to protect it.
Declaration of Defendant Andrew Bunner
15. Defendant Andrew Bunner submitted a Declaration
in which he fails to state where he actually obtained the trade secrets which
he disseminated on his web site. He states only that he became aware of the
"deCSS program" on or about October 25, 1999 by reading and participating
in discussions held on the slashdot.org web site. (Bunner Decl., ¶ 3-4).
As set forth in Paragraphs 4-5 above, an October 25, 1999 posting of DeCSS
included information that it came from the Xing software, a fact that has
been discussed on slashdot.org. (See Shapiro Reply Decl.,
¶¶ 48-96). In any event, as demonstrated above,
as well as in the Shapiro Reply Declaration, the discussions on slashdot.org
contained numerous references to the wrongful nature and questionable legality
of the CSS hack. Given these facts, Bunner's statement that at the time he
posted the DeCSS program on his web site, he had "no information suggesting
that the 'deCSS' program contained any trade secrets" and had "no reason
to believe the 'deCSS' program was not either properly reverse engineered
or independently created" (id.,
¶¶ 13-14) is not credible.
Defendant Andrew McLaughlin Fails to Submit Any Declaration
16. Defendant Andrew McLaughlin has submitted no Declaration explaining how
he acquired the CSS trade secrets. McLaughlin's pre-litigation comments on
his web site -- "Mark of the scofflaw! Here's my local copy of CSS decryption
software, enjoy!" -- establish that he knew he was in possession of and was
freely disseminating material that he had wrongfully obtained. (See Complaint,
¶ 50). That statement has now been replaced with "Here's the disputed
code" and is followed by copies of the DeCSS program.
Declaration of David Wagner
17. Although Declarant David Wagner ("Wagner") states that he has worked
extensively reporting "serious flaws" in the techniques used for encrypting
credit card numbers and in the privacy codes of U.S. and European digital
cellular phones (Wagner Decl., ¶¶ 5-7), and that he has been "closely
watching this case" (id. ¶ 14), he has never made any contact
with me, or to my knowledge, any employee of DVD CCA or its predecessor,
any of the creators of CSS technology or any of the licensees of that technology
to report the alleged weaknesses which he proclaims to have known. Similarly,
I know of no academic research published by Mr. Wagner on the subject of
CSS encryption technology. If Mr. Wagner was truly concerned that "as electronic
commerce becomes more prevalent, criminals gain an increasing financial incentive
to exploit security vulnerabilities in our critical systems" (id. at
¶ 8) and believed that "it is the scientific community's duty
to study these issues and to report on systemic risks that the public at
large may not be aware of," (id. at ¶ 10), he should have reported
his concerns of the alleged weaknesses in CSS encryption to DVD CCA.
18. In contrast to Mr. Wagner's assertions, DVD CCA
is not attempting to "ban research into DVD security systems" or to "ban
the publication of the DVD security weaknesses which are the results of that
research." (Id. at ¶ 14). DVD CCA would welcome such research.
Rather, DVD CCA is seeking to stop something quite different -- the illegal
publication of the trade secrets for the CSS technology which DVD CCA licenses.
The publication of DVD CCA's trade secrets serves no academic or scientific
interest. Instead, Defendants have published and distributed these trade
secrets for one purpose only -- to enable Defendants and others to violate
the intellectual property of the motion picture industry.
19. Mr. Wagner's Declaration in fact supports DVD CCA's assertion that the
CSS technology is a trade secret. He states his "understanding . . . that
the DVD security design relies in part on distributing software in
an 'obscured' form -- hidden in locations that are not obvious." (Id.
at ¶ 21 ) (emphasis added). Wagner states further:
. . . I am aware of tools and techniques which apparently
allow interested parties to bypass the standard installation
process and gain access to the DVD player software without ever seeing or
agreeing to any license agreements that may restrict reverse engineering.
I am also aware of a tool which purports to allow one to continue the standard
installation process without agreeing to any license agreement (see, e.g.,
http://picosoft.freeservers.com /No License htm).
(Id., ¶ 27) (emphasis added).
The fact that one must "bypass" a license agreement to gain access to the
installation software indicates a conscious decision to evade one of the
principal protection mechanisms required by DVD CCA to protect the trade
secrets which it licenses.
20. Mr. Wagner criticizes CSS because it uses a 40-bit encryption system.
(Id. at 25). However, at the time CSS technology was
developed and put into place, the export laws of many industrialized countries,
including the United States, prohibited the export of any encryption system
that was longer than 40 bits. Because CSS technology is exported throughout
the world, a security system longer than 40 bits would have been
illegal.2 Thus, the maximum encryption system permitted by law
was put into place. Mr. Wagner does not state any additional facts to support
his allegation that "CSS was extremely poorly designed" (id.
at ¶ 31) and that there was "sloppy
workmanship in the DVD security measures." (Id. at
¶ 32).
____________________
2 Indeed, Mr. Stevenson recognizes this fact in his November 8, 1999
posting to the Internet. attached as Exhibit A to his Declaration. He states:
"CSS was designed with a 40 bit keylength to comply with US government export
regulation, and as such it is easily compromised through brute force attacks
(such are the intentions of export control)."
21. Mr. Wagner's conclusions about the effects of the "hack" of CSS technology
are contradictory. On one hand, he states that "the ability to break the
CSS revealed in October 1999 does not appear to make large-scale piracy
significantly easier today." (Id. at 33). Yet, in the
next paragraph, he states that "it is fundamentally impossible to secure
software DVD players against copying and piracy by dedicated individuals.
Even if the CSS had been designed properly, the unpleasant truth is that
it will still be a straightforward cryptanalysis exercise to
circumvent the DVD copy protection measures by
technical means." (Id. at ¶
34) Thus, Mr. Wagner again recognizes that the way to gain access
to the trade secrets which DVD CCA seeks to protect in this action is through
"circumvention," not by any proper means.
Declaration of John Gilmore
22. The Declaration of John Gilmore ("Gilmore Decl.") is premised on the
incorrect statement that "there are many legitimate reasons" for allowing
one to use the DeCSS software for windows and the "similar 'readdvd' software"
for the linux operating system to make copies of a DVD disc onto his or her
hard drive by circumventing the products of CSS licensees. (Gilmore Decl.
at ¶ 9-10). CSS is proprietary technology licensed by DVD CCA. The only
proper way to gain access to that technology is by using the products properly
licensed by DVD CCA and its predecessor.
23. Gilmore goes on to state that "one major reason
for making such copies is to allow linux developers and users to watch
their DVDs on their non-windows computers." (Id.
at 10). linux is an alternative operating system
to windows. It was developed as an "open" system which is available at no
charge to the user. To date, no person or entity has taken a license from
DVD CCA or its predecessor to use CSS in a linux application. If a person
or entity were prepared to take a license on the same terms as existing
licensees, such a license would be granted. At that point, linux users could
lawfully view motion pictures on their non-windows operating system. Until
then, linux users have no "right," via a "hack" around other software licenses,
like the Xing license, to gain access to this proprietary technology.
24. Mr. Gilmore attempts to minimize the significance
of the illegal activities of the linux defendants by stating that the current
state of technology does not support large-scale piracy. (Id.
at ¶¶ 19-20). First,
this argument virtually concedes that the actions of these defendants is
illegal. Second, this argument ignores the prospect that sophisticated and
well-funded entities can indeed use the stolen trade secrets to support
large-scale piracy. Finally, the technology for the transmission of motion
pictures over the Internet is developing quickly. The potential for large-scale
piracy through that medium is overwhelming.
25. Mr. Gilmore purports to criticize the CSS system although he admits that
he "does not yet have access to the actual specifications of the DVD Content
Scrambling System." (Id. at
¶ 30). Like Wagner, his only real criticism of the
CSS system appears to be that it is protected by a 40-bit key. As discussed
above, the trade regulations of the United States and other industrialized
countries prevented the export of an encryption product with more than 40
bits. DVD CCA and its predecessor complied with the governing regulations
regarding security at the time CSS was developed and implemented.
26. Both Mr. Gilmore and Mr. Wagner appear to have
a fundamentally flawed view as to the development and implementation of trade
secrets. Gilmore states that "modern day encryption systems are shielded
by law from scientific inquiry." (Id.
at 36). Wagner states that "the DVD industry elected
to keep its inner workings secret." (Wagner Decl.,
¶ 26). The CSS technology was created under the
strictest security for the very purpose of preserving trade secret protection.
After its development, access to the technology was strictly limited to licensees
who agreed to comply with the stringent security specifications set forth
in the CSS License Agreement. (See Hoy Decl.,
¶¶ 14-19; see also discussion
at ¶¶ 24-27,
infra).
27. Mr. Gilmore does get one thing right. He states: "Miscreants are free
to discover and exploit weaknesses, whether to listen in on 'private' cell
phone calls, to steal intellectual property, etc." (Gilmore Decl., ¶
41). That is exactly the point of this lawsuit. The defendants in this action
have gained access to DVD CCA's trade secrets with knowledge that this
information has been gained illegally. The discussions on the Internet among
the defendants and others about the "hack" of CSS does not have any semblance
of an "educational" or "scientific" inquiry into encryption. Rather, the
sustained comments of these defendants proves that the intent of this community
was and is to misappropriate the trade secrets licensed by DVD CCA and to
use those trade secrets to violate the copyright of the motion picture industry.
As Mr. Wagner states in his Declaration: "It appears that, because there
was no commercial entity creating DVD software for linux, the programmers
did it for themselves." (Wagner Decl., ¶ 26).
DVD CCA and its Predecessor Took Substantial Steps To Protect the Trade
Secret Status of the CSS Technology.
28. As described in my Declaration submitted in support of DVD CCA's Application
for a Preliminary Injunction, dated December 24, 1999, DVD CCA's predecessor
began licensing CSS technology on our about October 31, 1996. (Hoy Decl.,
¶ 14). A true and correct copy of the Amended and Restated CSS Interim
License Agreement that each of the licensees of CSS has executed ("The CSS
License Agreement") is attached hereto as Exhibit C.3 (See Hoy
Decl., ¶¶ 14-19).
____________________
3 For reasons of confidentiality, the names of all companies mentioned
in the Agreement have been redacted. Additionally, the CSS Agreement consists
of both the CSS License Agreement and an agreement pertaining to specifications
for the CSS technology. Because the latter agreement contains highly confidential
proprietary information that is not at issue in this lawsuit, it is not
attached.
29. Section 5.4 of the CSS License Agreement requires all licensees
to comply with all applicable rules and regulations of the United States
and other countries and jurisdictions "relating to the export or re-export
of commodities, software and technical data insofar as they relate to the
activities under this Agreement, and shall obtain an approval required for
such rules and regulations whenever it is necessary for such export or
re-export." At the time that DVD CCA's predecessor began licensing CSS
technology, the United States and other industrialized countries provided
that no exported product containing encryption technology could contain
more than 40 bits (See ¶¶ 20, 25 supra).
30. The CSS License Agreement specifically prohibits licensees
from reverse engineering the CSS technology. Section 5.3 of
that agreement provides:
Licensee shall under no circumstances reverse engineer, decompile, disassemble
or otherwise determine the operation of CSS Specifications, including, without
limitation, any encryption/decryption or scrambling/descrambling algorithm
or logic of CSS, except that Licensee may, to the minimum extent necessary
for the purposes of testing, debugging, integration or tuning of Licensee's
own CSS Compliant Product to ensure that it works in its intended operational
environment with other CSS Compliant Products (the 'Analysis Purpose'), conduct
performance or electrical analyses with respect to the operation of other
CSS Compliant Products that form part of such intended operational environment
('Analysis'), subject to the following conditions:
(a) Licensee shall not perform any Analysis, in whole
or in part, for the purpose of deriving or discovering CSS Specifications
that have not been made available and licensed by DVD CCA to Licensee hereunder
(the 'Derived Information').
(b) To the extent Licensee obtains Derived Information,
inadvertently or otherwise, Licensee shall immediately notify DVD CCA, and
upon instruction of DVD CCA, Licensee shall within ten (10) days thereafter
return or destroy any portion of Derived Information that is not solely necessary
for the Analysis Purpose and cease any use of same for any purpose.
(c) Subject to Section 5.3(b) above, the Derived Information: (i) shall only
be used for the Analysis Purpose and for no other purpose; and (ii) shall
be treated as confidential in the manner corresponding to the same type of
information as specified in Section 5.2.
(d) Nothing herein shall be construed as an inducement for Licensee to reverse
engineer any products of any CSS Licensee or third party.
(e) For purposes of this Section 5.3: (i) 'testing' shall mean a process
of evaluating Licensee's CSS Compliant Product to ensure proper operation;
(ii) 'debugging' shall mean a process of finding the cause of an error in
a Licensee's or other's CSS Compliant Product, but not analysis for the purpose
of exposing possible design features; (iii) 'integration' shall mean a process
of evaluating the performance of Licensee's CSS Compliant Product in combination
with other CSS Compliant Products to ensure that they properly operate together;
and (iv) 'tuning' shall mean a process of evaluating and improving Licensee's
CSS Compliant Products to work more efficiently with other CSS Compliant
Products.
Clearly, the end users of the products manufactured
by the licensees under the CSS Licensee Agreement can have no greater rights
than the licensees have under the CSS License Agreement.
31. Section 5.2 of the CSS License Agreement
contains the confidentiality restrictions imposed on the licensees to protect
the trade secret status of the CSS technology. The CSS License Agreement
requires licensees to maintain the confidentiality of certain defined pieces
of information, such as the algorithms and "master keys." As such, licensees
are subject to a stringent set of rules to ensure the maintenance of
confidentiality within the group of licensees:
(a) Among the safeguards taken is the requirement that only those licensees
that absolutely need to know a particular algorithm and/or key are provided
with such information. For example, a manufacturer of semiconductor chips
for descrambling CSS content in stand-alone DVD players is provided with
information necessary for manufacturing such chips but not with information
concerning the scrambling process itself or the authentication between DVD
drives and the descrambling module used for computer-based implementations.
Companies that merely assemble parts and components produced by others may
be required to be licensees in order to purchase such parts and components,
but these companies are not provided with the proprietary CSS information
at issue.
(b) The CSS License Agreement mandates that licensees
only provide the proprietary CSS technology at issue to the strictest minimum
number of licensee's employees who require access to the information, beginning
with only three employees and expanding beyond three only upon notification
to the licensor of the names of the additional employees Licensees who violate
these requirements are subject to liquidated damages in the amount of $1
million per violation (with a cap based on profits made from the sale of
licensed products).
(c) Licensees implementing authentication and descrambling
functions in software are required to do so only in a manner that obscures
the proprietary CSS technology at issue, so as to effectively frustrate anyone
seeking to obtain such proprietary information. Specific means of accomplishing
this protection requirement are provided to licensees to illustrate the types
of measures to be taken and the level of technical skill that must be employed
to defeat any such measures. Failure to abide by these operating restrictions
can subject the licensee to injunctions prohibiting the sale of the product
in which the failure occurs, through actions brought either by the licensor
or by third party beneficiary content owners (motion picture companies that
are licensees under the CSS License Agreement and have made copyrighted content
available on DVD discs encrypted using CSS technology).
I declare under penalty of perjury that the foregoing
is true and correct.
Dated: January 13, 2000
Morgan Hill, California
Signature
John J. Hoy