1201(a)(2).^1048 The court rejected the defendants’ argument that CSS did not “effectively
control” access to the plaintiffs’ copyrighted works because it was based on a 40-bit encryption
key, which the defendants argued was a weak cipher. The court noted that Section 1201(a)(3)(B)
provides that a technological measure “effectively controls access to a work” if it requires the
application of information or a process with the authority of the copyright owner to gain access
to a work. Because one cannot gain access to a CSS-protected work on a DVD without the
application of three keys that are required by the player software and are made available only
under license, CSS satisfied this definition. The court refused to import into the statute any
requirement for a technologically “strong means” of protection.^1049
The court also rejected the defendants’ argument that DeCSS was written to further the
development of a DVD player that would run under the Linux operating system, as there
allegedly were no Linux-compatible players on the market at the time. The court ruled that, even
if there were so, it would be immaterial to whether the defendants had violated Section
1201(a)(2) by trafficking in DeCSS.^1050 “The offering or provision of the program is the
prohibited conduct – and it is prohibited irrespective of why the program was written, except to
whatever extent motive may be germane to determining whether [the defendants’] conduct falls
within one of the statutory exceptions.”^1051
The court rejected a number of other defenses under the DMCA asserted by the
defendants. First, for the reasons set forth in Section II.G.1(g) above in the discussion of Section
1201(f), the court rejected the defendants’ argument that the reverse engineering exception of
Section 1201(f) was applicable.
Second, the defendants asserted the encryption research defense under Section 1201(g),
which requires a showing that the person asserting the defense lawfully obtained the encrypted
copy of the work being studied, the circumvention act at issue is necessary to conduct encryption
research, the person made a good faith effort to obtain authorization before the circumvention,
and the act does not constitute copyright infringement. The court held that the defendants had
failed to prove that any of them were engaged in good faith encryption research, nor was there
any evidence that the defendants made any effort to provide the results of the DeCSS effort to
the copyright owners (which Section 1201(g)(3) instructs the court to take into account in
assessing whether one is engaged in good faith encryption research), nor any evidence that any
of them made a good faith effort to obtain authorization from the copyright owners.^1052
Third, the defendants asserted the security testing defense under Section 1201(j). The
court rejected this defense, which is limited to “assessing a computer, computer system, or
computer network, solely for the purpose of good faith testing, investigating, or correcting [of a]
(^1048) 111 F. Supp. 2d at 317-19.
(^1049) Id. at 318. The court cited legislative history to the effect that a technological measure “effectively controls
access” to a copyrighted work merely if its fu nction is to control access. Id. at 317-18.
(^1050) Id. at 319.
(^1051) Id.
(^1052) Id. at 320-21.