DirecTV lost an important case on Tuesday. Programmers, security researchers, and anyone who believes in a limited government won.
In a 2-1 split decision, the 9th Circuit Court of Appeals tossed out a default judgment against a pair of alleged DirecTV television pirates, saying an "unauthorized decryption device" law the company invoked against them does not apply. That law promises statutory damages of $100,000 per violation.
The two defendants, Hoa Huynh and Cody Oliver, may eventually be held liable for copyright infringement or lesser violations, of course. But now DirecTV will have to fight harder for it, and the legal risk to legitimate researchers has been reduced.
The reason this could be an important decision is because it strikes at the heart of DirecTV's dubious strategy of treating purchasers of smart-card programmers as if they were necessarily criminals themselves.
In a dragnet of cases filed over many years, DirecTV has been suing people who dared to buy smart-card programmers. Those can, it's true, be used to repair pirate access cards disabled by DirecTV countermeasures (this type of card is sometimes called an "unlooper").
They also have perfectly benign uses. ISO 7818 smart cards are simply cards with both memory and a set of simple circuits. Many European countries use these or similar systems for payment cards. New York, San Francisco and Washington, D.C., use "contactless" smart cards to store subway fares. Electronic voting, medical records and cryptographic key storage are other common uses.
Obviously, to use a smart card, you need to program it. Sites like HackersCatalog.com sell ISO 7818 smart-card readers and programmers for between $50 and $70.
So why is DirecTV hassling people who buy smart cards? Well, they managed to obtain the customer lists from vendors--including one named "White Viper"--and then apparently assumed that every customer must necessarily be a criminal. The company sent more than 170,000 demand letters (demanding a check for at least $3,500) and filed lawsuits against more than 25,000 people nationwide.
The tactics DirecTV used were disturbing. An affidavit prepared by former DirecTV investigator John Fisher says: "On one occasion, I learned from some other investigators that (DirecTV) was trying to obtain a settlement from a letter recipient who had bought a plastic pouch that could be used to carry a smart card programmer."
Another Fisher excerpt: "I had finally fully realized that the end user campaign was an elaborate extortion racket. The letters were full of lies or misrepresentations and we investigators were required to coerce people into paying money for stealing services when we had no proof whether they had done so or not."
This principle, that the mere act of buying a smart-card programmer should not be viewed as evidence of illicit activity, is an important one to uphold. Using DirecTV's logic, anyone who downloaded a debugger could be viewed as likely to have bypassed copy protection technology. Disassemblers and tools like "objdump" should be viewed with suspicion as well.
Now, I'm not arguing that we should be applauding blatant DirecTV piracy. Neither is the Electronic Frontier Foundation, which entered this case on the side of the defendants. If DirecTV can prove that Huynh and Oliver were watching TV shows for free, they should pay reasonable damages. But they shouldn't face six-figure fines for merely buying a smart-card programmer.
P.S.: The case revolved around Section 605(e)(4) of the Federal Communications Act, which has been in place since at least 1988. It says:
Any person who manufactures, assembles, modifies, imports, exports, sells, or distributes any electronic, mechanical, or other device or equipment, knowing or having reason to know that the device or equipment is primarily of assistance in the unauthorized decryption of satellite cable programming, or direct-to-home satellite services, or is intended for any other activity prohibited by subsection (a) of this section, shall be fined not more than $500,000 for each violation, or imprisoned for not more than 5 years for each violation, or both. For purposes of all penalties and remedies established for violations of this paragraph, the prohibited activity established herein as it applies to each such device shall be deemed a separate violation.
DirecTV had argued that 605(e)(4) applied to someone who merely inserted a pirated access card into a receiver, therefore "assembling" it. That's what the 9th Circuit rejected.
P.P.S.: I note this particular decision didn't make its way onto DirecTV's "Anti-Fraud and Anti-Piracy Enforcement Actions" Web site.