August 26, 2003  ·  Lessig

So like bored guests at a dinner party, everyone seems keen to change my subjects. (If I believed in smileys I’d insert one here, but I don’t.) So ok, let’s talk about what YOU want to talk about.

As you likely know, the Supreme Court of California has held that a preliminary injunction in a trade secret case does not necessarily violate the first Amendment. The decision was in the context of deCSS code that enabled the decryption of CSS protections for DVDs. The opinion is here and worth a read.

Two points, one annoying and one important.

Annoying first: Gaggles have written me asking how is it that if “code is speech” the First Amendment doesn’t guarantee that code can’t be regulated? This is an argument that has been around for a long time, and its staying power is something I don’t quite get. Sure, code is speech. But why do you think speech can’t be regulated? Mickey Mouse is speech. But just try posting copies of Mickey Mouse films without Disney’s permission, and you’ll see how far that gets you. The truth is, the Constitution notwithstanding (“Congress shall make no law…”), Congress (and states) make law all the time regulating speech. Thus, calling it speech is just a first step in the analysis. The real question is what burden the government must bear in justifying the regulation.

Important second: The court assumed a bunch of important facts. In particular it assumed:

“First, the court concluded that the CSS technology contained protectable trade secrets because it derived independent economic value from its secrecy and because DVD CCA made reasonable efforts to maintain its secrecy. Second, the court found that Johansen had obtained these trade secrets through reverse engineering in violation of a license agreement and therefore acquired these secrets by improper means. Third, the court found that the defendants, including Bunner, knew or should have known that Johansen acquired these trade secrets by improper means when they posted DeCSS on their Web sites. Fourth, the court held that the trade secret status of the CSS technology had not been destroyed because it had been posted on the Internet.”

But the Court goes on to say (unanimously) that it was wrong for the District Court to simply assume these facts. Indeed, it was the duty of the District Court to independently determine whether each of these facts was true. If any of these facts is not true, then as a matter of trade secret law, there is no right to a preliminary injunction.

  • john

    “knew or should have known that Johansen acquired these trade secrets by improper means”

    I’m probably posting way before I have dug deep enough to answer my own question…but how is it proven that a party “should have known” something, especially when it comes to the actions of an unrelated 3rd party ?

    Of course, if Johansen expressed to them that he *had* reverse-engineered the code, then I guess that’s enough ?

  • Pravin Sathe

    i can understand regulating speech (yelling fire in a crowded place) but I am confused about how prevelent the usage of “trade-secrets” as a label is used in the law to circumvent 1st Amendment. Wouldn’t most algorithms derive “independent economic value” from their secrecy? So where does it end?
    cheers

  • Robert Morris

    Pravin, I think you’re correct, but I’m not sure where you want it to end. I mean, algorithms are a *great* example of trade secrets. It’s exactly the kind of thing the whole concept was invented for. It’s just like Coke’s formula. It’s not known outside of the company that has the source code (recipe), it’s vital to the performance (taste) of the product, and heck, you can figure it out through strenuous efforts — reverse engineering (mass spectroscopy).

    Frankly, though I’m aghast at some of the things going on in IP law right now, giving the DeCSS algorithm trade secret protection isn’t one of them. It’s way better than resorting to software patents or the DMCA or other badness. It might be better to allow reverse-engineering (as I believe parts of the EU do) explicitly, but until the US does so, I think this is an ok decision.

    Cheers!

  • Brian Sniffen

    Three of those make sense to me: I can see a court investigating and demonstrating that the CSS scheme had economic value, that DVDCCA made reasonable efforts to maintain secrecy, that Johansen had agreed to a license which prohibited reverse engineering, and that Bunner should have known this. But how could a court prove or refute the statement “the trade secret status of the CSS technology had not been destroyed”?

    Naively, the nature of CSS technology certainly appears to be out and open now. Even if Johansen-DeCSS is found to be undistributable, what prevents me from reverse engineering a hardware DVD player?

  • Brian

    Isn’t Johansen goverened by Norwegian law? Would that in a sense make the license agreement with his DVD null/void in Norway if the laws do not protect it there? I do believe Norwegian law makes reverse engineering legal on something you have purchased. Am I wrong?

  • Fuzzy

    Dear Prof. Lessig,
    My understanding, which is probably flawed, is that only the initial person who violates a trade-secret can be prosecuted for this violation. Further use of the trade-secret by others cannot be prosecuted. Is that correct?
    It is also my understanding that, in the absence of other agreements, that reverse engineering is legal in the United States and its territories. Is that correct?
    If so, then at least one question arises: is a shrink-wrap license which prohibits reverse engineering valid? Since California did not pass UCITA – is not a cut and dried case. We know that in NY, at least, a license cannot forbid publishing unapproved reviews of software.
    Assuming it is valid, a second question would be: did the person reverse-engineering the software even need to see/agree to the shrink-wrap license in order to access the original software? At least for some software packages, you can access the software without going through the shrink-wrap license. If they did not agree to the license then how can they be held to the license?

  • Dave

    It would be funny if it turns out that no one can prove who agreed to the license. If a friend of Mr. Johansen’s Mom installed (and therefore agreed) to the license, how would you show that the license is binding upon the younger Johansen?

    I have no idea if this is the case.

    -Dave

  • http://docbug.com/blog/ Bug

    Pravin: you might want to check out Eugene Volokh’s blog post on this ruling, and especially the articles he links to at the bottom of the post. (I’m no lawyer, but he is.)

    Fuzzy: This decision specifically ducked the question about whether Bunner actually violated trade secret law, leaving that for the Court of Appeals to examine. However, Justice Moreno’s concurring opinion (last 14 or so pages of the decision) brings up the same issues you do, and I would be surprised if the Court of Appeals doesn’t rule for Bunner on those factual grounds.

  • Fuzzy

    Thank you Bug for the pointing out Justice Moreno�s opinion.
    It answered my first question quite nicely:
    <quote>
    The general rule is that “[o]nce the secret is out, the rest of the world may well have a right to copy it at will; but this should not protect the misappropriator or his privies.”
    </quote>
    (I do note the “may well” – so it is definitely not an absolute)
    <quote>
    Courts that have considered the matter have agreed that, generally speaking, a party not involved in the initial misappropriation of a trade secret cannot be prosecuted under trade secret law for downloading and republishing proprietary information posted on the Internet, primarily because the information is in the public domain and is no longer secret.
    </quote>

  • Edward Bryant

    I just read the decision and there is one thing that doesn’t deel right.

    When the court distinguishes the Bartnicki decision, involving the third-party publishing of an illegally intercepted union negotiation, the court did so by reasoning that the DVD CCA’s trade secret was not a matter of public concern.

    While this might be true of a large portion of the public, many consider open source software’s access to such a widely used medium to be clearly important. Isn’t the public importance of DVD trade secret at least on par with a private union negotiation. Admittedly, the Supreme Court’s express mention of trade secrets as “purely private concern” inevitably lead to this conclusion.

    Yet, I have to wonder about the assumption that all trade secrets (whether or not you see this one as one of them) are always a purely private matter, especially in light of such a practicular form of speech as computer code.

    What if the protected code in question was programming for a electronic polling machine (perhaps in Florida)?

    Any thoughts Professor?

  • http://www.cs.duke.edu/~justin/ Justin

    To follow up on Edward’s post, what if someone posted detailed schematics on the design of the Ford Explorer during the Ford/Bridgestone back-and-forth? While extremely technical in nature, they would shed light on the debate of who was to blame. Is it not unreasonable to argue that DeCSS sheds light on the DMCA debate, and how low the bar is set for “control[ling] access to” copyrighted material? And I’m still at a loss as to how someone other than the person whole actually disclosed the trade secrets can be punished for redistributing the material.

    BTW, if I reverse-engineer a DVD disc and/or player without using current DVD-playing software, am I liable for violation of trade secrets? Has the court handed trade secrets immunity to clean-room implimentations, a la patents? As far as I know my DVD player and discs don’t come with a EULA…

    Just wondering.
    -jdm

  • Rob

    The design of the Ford Explorer is not a trade secret. You can go to any auto parts store and buy a complete maintenance manual that goes through every part of the vehicle in detail. You cannot go to Borders or CompUSA and buy a book on the CSS specification.

    This whole CSS-DeCSS kerfuffle reminds me of the old BIOS wars back in the early days of PCs. Originally the BIOS that governs how the system runs was a trade secret of IBM; other computer makers tried to make their systems compatible with IBM software but couldn’t until Compaq succeeded in cloning the BIOS. Here’s what old-computers.com says about that historic event:

    The system’s BIOS was developed from scratch by using a team of 18 persons (only one guy was “dirty” and he was not allowed to do any part of the code and could only answer vaguely to questions). They took IBM’s BIOS apart and made notes of the system calls contained within it. That way, Compaq was able to develop a PC compatible without any risk of a lawsuit from IBM, since the code was written from scratch (reverse engineering). It cost them $1 million to do it.

    IANAL so take this with a grain of salt, but in my opinion DeCSS has very little to do with the DMCA; in fact, the DMCA might actually be seen as helping Bunner’s case, as it has a clause that says:

    Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.

    Emphasis mine. That was what DVD-Jon Johansen was trying to do with DeCSS; he wanted to make a DVD player for the Linux OS. You can reverse engineer a DVD player all you want; without some way of decoding the CSS encryption, you will not be able to play DVDs you buy or rent. Your DVD player and disks don’t come with a EULA, true; instead, they come encrypted with CSS and require a special chip or software to decode that encryption.

    What the DVDCCA is contending is that since Jon Johansen didn’t use a “clean-room” approach like Compaq did when it cloned the IBM BIOS, his DeCSS program violates their trade secret rights over CSS. Bunner knew or should have known that Johansen’s code was “dirty”. From their complaint:

    59. Defendants knew or should have known when they posted the DeCSS program on their web sites or provided �links� to other sites posting this program, that such program was created through the unauthorized use of proprietary CSS information, which was illegally �hacked.�

    You can rest assured that if Jon Johansen shows up in the United States someday, he will be almost immediately arrested and indicted for illegally distributing his “illegally hacked” DeCSS program which “enables piracy.” In fact the Norwegian Justice Department equivalent has already done so, and lost in court (though they are appealing); but that won’t stop our boys in blue from trying it here. In the meantime, Bunner and his co-defendants who committed the crime of being within reach of the long arm of the U.S. law are being dragged through the courts for re-publishing DeCSS. The DVDCCA already has a victory in the 2600 case to point to.

    The whole sordid story is available on the EFF site.

  • Rob

    Getting back to Prof. Lessig’s post, I think of the four “facts improperly assumed by the District Court,” only the first is indisputable. It is obviously true that “it [CSS] derived independent economic value from its secrecy and because DVD CCA made reasonable efforts to maintain its secrecy.” I don’t think it’s at all been proven that “Johansen had obtained these trade secrets through reverse engineering in violation of a license agreement”, in fact in Norway the opposite was found (so far). Therefore point 3 falls, as if it has not been determined that Johansen violated anything then Bunner et al probably could not have known that it was illegal unless they were IP lawyers, and I don’t think you can reasonably demand that. Point 4 is probably defensible if they emphasize that the real secret is the encryption keys. But I think a strong argument can be made that the genie is out of the bottle; everyone knows or can know what CSS is and how it works.

    Anyway, all this haggling over the preliminary injunction seems a little dumb to me; the real issue is about the legality of DeCSS and the legality of republishing it, isn’t it? Doesn’t all a preliminary injunction do is to prevent publishing while the case is litigated? If so, it seems kind of wasteful to spend all this time and effort on something aside from the main matter. But I guess that’s the American system of justice for you.

  • petar

    i can’t say for sure but i believe i read somewhere that during 2600′s dvd/decss case the prosecution actually had copies of the CSS algorithm or code or something in court. if anyone saw these without an NDA of some kind, doesn’t this violate the trade secret bit? could be thinking about something else though. =[

    on an unrelated subject, i found the JS on this page to be humorous:
    <input type=”checkbox” name=”bakecookie” />Remember Me<br />

  • http://nanocrew.net/blog/ Jon Lech Johansen
  • john

    Rob — it’s a minor point, and off-topic, but the Ford analogy, although it gets your point across fine, is technically a bit flawed.

    “The design of the Ford Explorer is not a trade secret.”

    actually, it is secret, maybe not in the legal sense of ‘trade secret’. The *construction* of the car is not. How deep the curve in the fender, how the metal for the A-pillar is treated (or not) is unknown to anyone who buys a manual or buys the car. The decision on body shapes with regards to aerodynamics cannot be found to just anyone with a wind tunnel and some fluid dynamics books.

    Volvo has done a good job for many many years on keeping its crashworthiness a secret, even tho they sell the cars. You can see _what_ they made, just not WHY or HOW they came to decide to make it that way.

  • Kevin Fisk

    (� 3426.1 subd. (b)(2)(C)) of California’s trade secrets act says that disclosure is not permitted where the recipient knew or had reason to know that the secret was �[d]erived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use�.

    The president and the lawyers owed a duty to maintain the secrecy of the information and, in fact, according to the order and the attorneys, failure to seal the source code and keys that were included in the president’s presentation was an inadvertent error. This fact is bolstered by the fact that in every other instance the information was asked to be sealed showing clear intent to maintain the secret.

    I guess I don’t believe the court will hold that the inadvertent disclosure invalidates the trade secret. Also, it SEEMS that subd. (b)(2)(C) says that trade secrets released by accident or mistake are still protected, though I can’t say that the law is entirely clear in this area because of a phrase “before a materoal change of his or her position.”

    Either way, I believe a court will construe the law and the error to mean that the trade secret is still protected and anyone who uses the information from the court documents has misappropriated the trade secret and is subject to the same limits being applied to the information released by Jon Johansen.

    In reference to another poster’s comment, I believe “knew or should have known” means that the fact is easily discoverable. Despite the fact that the DeCSS debacle was very public, even at this early time, bunner would have received a cease and desist letter advising him of the trade secret. At that point, he had an obligation to take down the information. If I recall the facts correctly, he only removed DeCSS after being served with the suit. But, at the point the suit was filed, he “knew or should have known.”

    Any comments on my speculation and analysis are certainly welcome. Do you have any comment on this topic Professor?

    Kevin