Enemy At The Gates?

The raid on Jan. 23, 2000, was nothing like the movies — no guns, no sirens, no man on a megaphone telling Jon Johansen, 16, to come out with his hands up. "It was very nice and quiet," Johansen says, recalling the day when three officers — two from Økokrim, Norway's economic-crime investigation unit, and one local policeman — visited his house in Steinsholt, a small town about an hour and a half southwest of Oslo. They went into his basement office and confiscated two computers, some data CDs, a cell phone and its charger. What had Johansen done? He'd just watched some movies.

Later this year, Johansen, now 18, will stand trial for hacking. Prosecutors say that's what he did by co-authoring a program called DECSS, which decrypts DVDs so that he can watch the movies — which he bought legally — on his computer. Some may have called that money-saving ingenuity — he didn't have to buy a stand-alone DVD player — but the entertainment industry saw it as a threat to its revenue stream and Norwegian authorities saw it as a crime. Because it's one of the first cases of its kind, Johansen's trial could set a precedent for how industry and innovation will coexist in the digital age.

Johansen and his two co-writers (who have remained anonymous to avoid prosecution and never used their real names even with each other) knew their work on DECSS could lead to a clash with DVD makers, who are fiercely protective of their lucrative technology. They expected repercussions, which came in the form of the raid a few months after the code was published online. Johansen was surprised it didn't happen sooner. "If I had done something illegal, that would have been more than enough time to get rid of any evidence," he says.

Økokrim claims that Johansen violated laws aimed at those who illegally access other people's computers. "We see this as a hacker case," says Økokrim chief prosecutor Inger Marie Sunde. Yes, he owned the DVDs, but "he broke a protective device in order to gain access to computer data." Perhaps, says Johansen's lawyer, Halvor Manshaus, but that's not illegal under Norwegian law. Copyright statutes even allow copying if it's not for financial gain. "It certainly isn't illicit to access a film he has a right to view," he says. That will change. Johansen's work violates the European Copyright Directive, which makes it illegal to break into a mechanism to gain access to copyrighted work. But the directive will not be implemented in Norway and across the E.U. until the end of the year. For now, Johansen is safe, Manshaus says, because "Jon hasn't done anything for pecuniary reasons." Whatever his motives, the Motion Picture Association — which notified Økokrim about DECSS — has highly pecuniary reasons to fight such activity. The studios contend that DECSS could spawn a filmic Napster if users decode DVDs into reproducible — and distributable — format. Losses could be huge: research firm Screen Digest estimates that in 2002 Europeans will spend more than ?5.2 billion on DVDs. Programs like DECSS, says MPA chairman Jack Valenti, "destroy crucial protection and expose industry to the real risk of further massive losses due to piracy."

Big business feels the same way about the work of other programmers, from upstarts like Johansen to academics who make a living by probing, tinkering and reverse engineering — which is one reason it lobbied for the E.U.'s copyright directive. The law brings the E.U. into line with the World Intellectual Property Organization's Internet treaties by including provisions to ensure that copyrights on everything from movies to e-books to music are respected in the digital realm. But many in the computing community complain that the rules are too heavily weighted in industry's favor, to the detriment of research in fields like cryptography, which uses techniques like code breaking to find systemic flaws.

For signs of what may come, look to the other side of the Atlantic, where the directive's U.S. counterpart, the Digital Millennium Copyright Act of 1998, has spawned lawsuits involving threatened research. The E.U. directive, too, offers little explicit protection for computer scientists, says intellectual-property law expert Thomas Vinje. "I would not want to be representing them."

That's bad news for researchers like Dutch cryptographer Niels Ferguson. Last year, he wrote a paper detailing weaknesses in an Intel encryption system. Fearful of legal liability in the U.S. if a hacker used his work to exploit those flaws, Ferguson chose not to publish. He calls the situation "Orwellian": "Given the problems we have with lack of computer security, we need more research into it, not less." "We're seeing an erosion of the right to practice computer science," says Princeton's Ed Felten, who withheld research on flaws in security technology after the music industry threatened to sue. "You hear terms like tampering and hacking used to describe things that have long been done for legitimate purposes." The developing legal framework discourages such research by failing to distinguish well between legitimate and illegitimate exploitation. But when programmers intentionally infringe copyright, especially for commercial reasons, Felten says, "sympathy [among computer scientists] evaporates." One example may be the case of Russian Dmitry Sklyarov and his employer, ElcomSoft, the first criminal prosecution under the DCMA.

WIPO director-general Kamil Idris says intellectual property can "turn creativity and inventiveness into social, cultural and economic wealth." But for whom? "Some people think copyright is the absolute right to control whatever intellectual property you've created — or in the case of DCMA proponents, mostly purchased," says Linus Torvalds, a pioneer of the open-source operating system Linux. "Never mind the rights of consumers." The ability to transfer a CD from your stereo to your PC or to copy a newspaper article for private use "is a matter that concerns us all," says copyright expert P. Bernt Hugenholtz of the University of Amsterdam. "Such freedoms are — or should be — inherent qualities of any information product." Johansen agrees, which is why he felt justified in playing DVDs on his PC. The industry thinks the potential cost of such freedom is too high, but the cost of stifling it may be higher. "Many — even most — real innovations in our field are done in academia or by freelancers," says Ferguson. "These innovations are then picked up by companies, or people set up companies to pursue them." Linux is proof of the possibilities — and commercial dangers. Once seen as a threat to the software giants, it has spurred a wave of innovation and commercial opportunity. The many individual contributions that helped build Linux are "a beautiful thing," says Torvalds. "New ideas come from bouncing an idea off another person and seeing it modulated by that other person's idea."

That's a thought to be pondered by media giants, which are vexed by how to profit from offering copyrighted content online. If a certain Norwegian programmer has a few good ideas about digital security and delivery, media moguls should be ringing his doorbell, not sending in the econo-cops. So is Jon Johansen an enemy at the gates, or could he be the industry's new best friend? The court of consumer opinion, as much as the Norwegian judges, will have to decide.