In response to widespread Internet postings of the key, the AACS LA issued various press statements, praising those websites that complied with their requests for acting in a "responsible manner" and warning that "legal and technical tools" were adapting to the situation.
The controversy was further escalated in early May 2007, when aggregate news site Digg received a DMCA cease and desist notice and then removed numerous articles on the matter and banned users reposting the information.[12]
This sparked what some describe as a digital revolt[13] or "cyber-riot",[14] in which users posted and spread the key on Digg, and throughout the Internet en masse, thereby leading to a Streisand effect. The AACS LA described this situation as an "interesting new twist".[15]
Background
Because the encryption key may be used as part of circumvention technology forbidden by the DMCA, its possession and distribution has been viewed as illegal by the AACS, as well as by some legal professionals.[7][16] Since it is a 128-bitnumerical value, it was dubbed an illegal number.[17][18][19] Opponents to the expansion of the scope of copyright criticize the idea of making a particular number illegal.[20]
Commercial HD DVDs and Blu-ray discs integrate copy protection technology specified by the AACS LA. There are several interlocking encryption mechanisms, such that cracking one part of the system does not necessarily crack other parts. Therefore, the "09 F9" key is only one of many parts that are needed to play a disc on an unlicensed player.
AACS can be used to revoke a key of a specific playback device, after it is known to have been compromised, as it has for WinDVD.[21] The compromised players can still be used to view old discs, but not newer releases without encryption keys for the compromised players. If other players are then cracked, further revocation would lead to legitimate users of compromised players being forced to upgrade or replace their player software or firmware in order to view new discs. Each playback device comes with a binary tree of secret device and processing keys. The processing key in this tree, a requirement to play the AACS encrypted discs, is selected based on the device key and the information on the disc to be played. As such, a processing key such as the "09 F9" key is not revoked, but newly produced discs cause the playback devices to select a different valid processing key to decrypt the discs.[22]
Timeline of AACS cracking
2006
On December 26, 2006, a person using the alias muslix64 published a utility named BackupHDDVD and its source code on the DVD decryption forum at the website Doom9.[23] BackupHDDVD can be used to decrypt AACS protected content once one knows the encryption key.[24] muslix64 claimed to have found title and volume keys in main memory while playing HD DVDs using a software player, and that finding them is not difficult.[25]
2007
On January 1, 2007, muslix64 published a new version of the program, with volume key support.[26] On January 12, 2007, other forum members detailed how to find other title and volume keys, stating they had also found the keys of several movies in RAM while running WinDVD.
On or about January 13, a title key was posted on pastebin.com in the form of a riddle, which was solved by entering terms into the Google search engine. By converting these results to hexadecimal, a correct key could be formed.[27] Later that day, the first cracked HD DVD, Serenity, was uploaded on a private torrent tracker.[28] The AACS LA confirmed on January 26 that the title keys on certain HD DVDs had been published without authorization.[29]
Doom9.org forum user arnezami found and published the "09 F9" AACS processing key on February 11:
Nothing was hacked, cracked or even reverse-engineered btw: I only had to watch the "show" in my own memory. No debugger was used, no binaries changed.
This key is not specific to any playback device or DVD title. Doom9.org forum user jx6bpm claimed on March 4 to have revealed CyberLink's PowerDVD's key, and that it was the key in use by AnyDVD.[31]
The AACS LA announced on April 16 that it had revoked the decryption keys associated with certain software high-definition DVD players, which will not be able to decrypt AACS encrypted disks mastered after April 23, without an update of the software.[32][33]
On May 17, one week before any discs with the updated processing key had reached retail, claims were reported of the new keys having been retrieved from a preview disc of The Matrix Trilogy.[34] On May 23, the key 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2 was posted on Edward Felten's Freedom to Tinker Blog[35] and confirmed a week later by arnezami on Doom9 as the new processing key (MKB v3).[36]
As early as April 17, 2007, AACS LA had issued DMCA violation notices, sent by Charles S. Sims of Proskauer Rose.[37][38] Following this, dozens of notices were sent to various websites hosted in the United States.[39]
On May 1, 2007, in response to a DMCA demand letter, technology news site Digg began closing accounts and removing posts containing or alluding to the key. The Digg community reacted by creating a flood of posts containing the key, many using creative ways of disguising the key,[40][failed verification] by semi-directly or indirectly inserting the number, such as in song or images (either representing the digits pictorially or directly representing bytes from the key as colors) or on merchandise.[41] At one point, Digg's "entire homepage was covered with links to the HD-DVD code or anti-Digg references."[42] Eventually the Digg administrators reversed their position, with founder Kevin Rose stating:
But now, after seeing hundreds of stories and reading thousands of comments, you've made it clear. You'd rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be.[43][44][45]
Legal opinions
Lawyers and other representatives of the entertainment industry, including Michael Avery, an attorney for Toshiba Corporation, expressed surprise at Digg's decision, but suggested that a suit aimed at Digg might merely spread the information more widely.
If you try to stick up for what you have a legal right to do, and you're somewhat worse off because of it, that's an interesting concept.
The American Bar Association's eReport published a discussion of the controversy,[47] in which Eric Goldman at Santa Clara University's High Tech Law Institute noted that the illegality of putting the code up is questionable (that Section 230 of the Communications Decency Act may protect the provider when the material itself is not copyrighted), although continuing to allow posting of the key may be "risky", and entertainment lawyer Carole Handler noted that even if the material is illegal, laws such as the DMCA may prove ineffective in a practical sense.
Impact
In a response to the events occurring on Digg and the call to "Spread this number", the key was rapidly posted to thousands of pages, blogs and wikis across the Internet.[48][49] The reaction was an example of the Streisand effect.[50]
Intellectual property lawyer Douglas J. Sorocco noted, "People are getting creative. It shows the futility of trying to stop this. Once the information is out there, cease-and-desist letters are going to infuriate this community more."[47] Outside the Internet and the mass media, the key has appeared in or on T-shirts, poetry, songs and music videos, illustrations and other graphic artworks,[51] tattoos and body art,[52] and comic strips.[53] The Linux kernel also incorporated a copy of the key for 17.5 years, originally added in 2007 by David Woodhouse as part of the red zone logic[54] and subsequently removed as a routine cleanup in 2024.[55]
On Tuesday afternoon, May 1, 2007, a Google search for the key returned 9,410 results,[56] while the same search the next morning returned nearly 300,000 results.[9] On Friday, the BBC reported that a search on Google shows almost 700,000 pages have published the key,[15] despite the fact that on April 17, the AACS LA sent a DMCA notice to Google, demanding that Google stop returning any results for searches for the key.[57][58]
Widespread news coverage[42][59][44][60][61] included speculation on the development of user-driven websites,[62] the legal liability of running a user-driven website,[63] the perception of acceptance of DRM,[64] the failure as a business model of "secrecy based businesses ... in every aspect" in the Internet era,[65] and the harm an industry can cause itself with harshly-perceived legal action.[66]
Until the Digg community shows as much fervor in attacking intellectual piracy as attacking the companies that are legitimately defending their property, well, we do not want to be promoting the site by using the "Digg It" feature.
Media coverage initially avoided quoting the key itself. However, several US-based news sources have run stories containing the key, quoting its use on Digg,[68][69][70][71][72][73]
though none are known to have received DMCA notices as a result. Later reports have discussed this, quoting the key.[74]Current TV broadcast the key during a Google Current story on the Digg incident on May 3, 2007, displaying it in full on screen for several seconds and placing the story on the station website.[75]
Wikipedia, on May 1, 2007, locked out the page named for the number "to prevent the former secret from being posted again. The page on HD DVD was locked, too, to keep out The Number."[76] This action was later reversed.[77][78] No one has been arrested or charged for finding or publishing the original key.[40][unreliable source?]
AACS LA reaction
On May 7, 2007, the AACS LA announced on its website that it had "requested the removal solely of illegal circumvention tools, including encryption keys, from a number of web sites", and that it had "not requested the removal or deletion of any ... discussion or commentary". The statement continued, "AACS LA is encouraged by the cooperation it has received thus far from the numerous web sites that have chosen to address their legal obligations in a responsible manner."[79]BBC News had earlier quoted an AACS executive saying that bloggers "crossed the line", that AACS was looking at "legal and technical tools" to confront those who published the key, and that the events involving Digg were an "interesting new twist".[15]
^Thompson, Jeff (August 13, 2011). "AACS encryption key". Jeff Thompson. Archived from the original on September 24, 2015. Retrieved September 24, 2015. An example of this is the so-called 'Free Speech Flag', seen above.
^jx6bpm (March 3, 2007). "PowerDVD private key". Doom9's Forums. Archived from the original on September 29, 2007. Retrieved April 9, 2007.{{cite web}}: CS1 maint: numeric names: authors list (link)