When Sony released its PlayStation 3 (“PS3″) video game console, it included a feature that allowed customers to install a version of the Linux operating system so that the machine could be used as a general purpose computer. In April 2010, Sony released a system firmware update that removed the “OtherOS” functionality. In late 2010, a group of hackers known as fail0verflow, allegedly working to restore the OtherOS feature, succeeded in circumventing critical technical protection measures (“TPMs”) within the console, allowing users with upgraded PS3s to use the OtherOS feature once again. George Hotz, a rather notorious New Jersey hacker, built on fail0verflow’s work to successfully circumvent the TPMs protecting the PS3’s Master Key, and he posted explanations of his work on Twitter and YouTube in early January 2011. The Master Key grants access to the PS3’s core functionality, so third parties who obtain it may write firmware and application software that appears to the console to be legitimate. Essentially, the release of the key has compromised the system. Though Sony has made efforts to upgrade with security patches, hackers quickly unpacked the updated firmware and began efforts to crack it completely.
Responding to the jailbreak, Sony has sued Hotz and others involved in the decryption of the keys, alleging violations of the Digital Millennium Copyright Act (“DMCA”) and the Computer Fraud and Abuse Act, contributory copyright infringement under 17 U.S.C. § 501, and various California state common law and contract claims. Sony requested damages and a preliminary injunction against distribution of the software. Additionally, Sony sent a DMCA takedown notice to a site hosting source code to tools based on Hotz’s research that could be used to crack the PS3 firmware. There does not appear to be any way for Sony to effectively correct the problem. As Ben Kuchera at Ars Technica explained, “Sony speaks of ‘closing the door,’ but the simple fact is that there is no door to close. The code sought to be restrained will always be a Google search away.” In a demonstration of how easily the key could be spread, a company representative recently posted it to Twitter by mistake. To reduce user demand for unauthorized firmware, Sony is threatening to ban any users found using “unauthorized or pirated software” from its PlayStation Network online service.
The DMCA, 17 U.S.C. § 1201 et seq, recognizes two types of TPMs: those that control access to a work protected by the Copyright Act and those that limit the ability to copy such a work. Section 1201(a) prohibits specific conduct regarding access to copyrighted works protected by TPMs, including circumventing the TPMs and trafficking in devices designed for such circumvention. Section 1201(b) does not prohibit copy control circumvention itself, but it does prohibit trafficking in devices designed for copy control circumvention. Part of the reason the statute emphasizes trafficking in circumvention is the problem of effectively targeting the end-user—the direct infringer. The Supreme Court explained this problem in MGM Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005) as follows:
When a widely shared product is used to commit infringement, it may be impossible to enforce rights in the protected work effectively against all direct infringers, so that the only practical alternative is to go against the device’s distributor for secondary liability on a theory of contributory or vicarious infringement.
In this case, Sony alleges both direct circumvention and trafficking. Sony’s TPMs are designed to prevent a third party from playing on the PS3 with “unauthorized or unlicensed software”; from accessing, decrypting or copying Sony’s copyrighted works without authorization; and from playing unauthorized copies of the works.
A common criticism of the DMCA is that is bans noninfringing uses, such as where access to public domain content (not protected under the Copyright Act) within a larger copyrighted work is controlled by a TPM. In this case, breaking the lock to access the public domain work would violate § 1201. There are exceptions to the DMCA, but critics argue that they are narrow, do not lend themselves to a case-by-case analysis, and have potential to quell First Amendment rights.
However, 17 U.S.C. § 1201(a)(1)(C) grants the Librarian of Congress the authority to hold a triennial proceeding to rule on specific uses of copyrighted works that will be considered fair. In 2010, the Librarian of Congress approved a new exemption for: “Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.” This may indicate a spirit of wanting to provide a safe harbor, so to speak, allowing circumvention for interoperability of personal electronic devices that may logically extend to video game consoles in the future.
The outcome of the Hotz case may turn on the procedural question of jurisdiction. Judge Illston delayed ruling this case in January 2011, not on the merits of the federal claims, but on a California district court’s jurisdiction over the defendant. Hotz published his keys on Twitter and YouTube and received payment via PayPal—all three headquartered in California—but did the hacking in New Jersey. On January 27, before deciding the jurisdictional question, the court granted Sony a temporary restraining order (PDF) that ordered Hotz to remove information about the hack from his website and gave him 10 days to turn over his computer equipment to Sony. The judge relied on the concept of “personal direction,” as discussed in Schwarzenegger v. Fred Martin Motor Co., in holding that California can hear the case. Hotz had argued that he directed no harm at California since the PS3 is not made by plaintiff Sony Computer Entertainment of America, but rather Sony, a Japanese company not based in California. Hotz’s attorney announced that he will ask the court to reconsider the ruling, mentioning that court’s order is overkill and compliance is impracticable, if not impossible, since the information in question has spread all over the Internet. On February 10, Judge Illston held a hearing on the issue of the search warrants. Although she upheld the demand that Hotz turn over his entire hard drives to Sony instead of merely providing the data in question, she removed the request that he “retrieve” the information from other users online. A hearing to decide the jurisdictional question is set for April.
Additionally, suspecting that Hotz had not produced all of the information requested, Sony filed a motion on February 4 for further discovery. It included subpoenas for information (PDF) from Hotz’s web host, Google, Twitter, PayPal, and YouTube. The information requested included server logs, identifying information of users who viewed and commented on a YouTube video demonstrating the jailbreaking process, and all tweets and messages of several Twitter users suspected to be members of the fail0verflow team with Hotz. Hotz’s attorney called the requests overbroad. On March 3, U.S. Magistrate Joseph Spero held that Sony could seek the IP address of every visitor an internet site containing information about the PS3 hack from January 2009 to that date, along with the desired Google, YouTube and Twitter data. According to David Kravetz at Wired’s Threat Level, Sony hopes to use the evidence to prove that Hotz distributed information about the hack, and to support its venue argument by proving that many of the downloaders were located in Northern California.