The DMCA and the great AACS digital revolt of 2007: The day an outlawed number almost burned the Internet to the ground.
Despite the popular media stereotype, hackers, by and large, tend to be the law-abiding sort. This is less of a sense of civic duty and more about how you can only get into so much trouble when indoors and typing all day. But the technology professions offer many unique ways to break the law, such as inadvertently sharing an illegal number. And hackers, no matter how law-abiding, also react with scorn to daft concepts like illegal numbers. Even your average citizen on the street would scoff at an illegal number. What are you going to do, go around arresting calculators?
The Day They Outlawed A Number
Once upon a time in 2006, the Motion Picture Association of America (MPAA) worked in partnership with the Advanced Access Content System (AACS) Licensing Administrator to develop a cryptographic key for HD DVDs and Blu-ray disks. Later that year, an anonymous user on an Austrian website published a utility called “BackupHDDVD,” which could be used to circumvent the copy-protection on new DVDs and Blu-Rays. Subsequent updates of that open-source software included the encryption key itself, a shockingly short signed integer a mere 32 hexadecimal digits long. Indeed, many forum posters working together through the site’s network deduced that the key was easy to extract, and worked out methods for decrypting numerous media. By May of 2007, digital pirates and legitimate users alike were handily defeating all kinds of copy-protection.
The magic number, it turned out, was “09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0,” a number quite safe for the present site to post as it’s everywhere on the Internet by now. Just to sink in the fact of how easy this number is to share, here it is in the form of a striped banner:
This banner was created during the backlash over the attempts by DMCA enforcers to suppress the number from being shared. But first, we have to bring everybody up to speed on the DMCA.
The Cure Worse Than the Disease: The DMCA
The Digital Millennium Copyright Act (DMCA) is a 1996 American law passed with the intention of protecting copyrighted intellectual property. But its unique twist is that it does specifically criminalize the production and dissemination of technology, devices, or services which circumvent copy protection, and it also makes it a crime to circumvent any copy protection device on any media, regardless of whether any copyright infringement is taking place. The DMCA became an integral part of Digital Rights Management (DRM) methods.
Pause and consider: There are plenty of reasons why you might want to circumvent copy protection on legal media you own. Users of Apple, Linux, BSD, and just about anything but a Microsoft system can concur, because DRM typically shuts out any niche computer system. Incompatibility from your old media player to a new one is also an issue. Librarians, archivists, and historians also rail against DRM, because it makes their job harder.
In some cases, such as the infamous Sony BMG scandal of 2005, DRM copy protection took the form of an actual rootkit that compromised the security of any computer you ran the media on. Slip a CD into your laptop, enjoy some music, and then your laptop is suddenly part of a botnet because a third party knows how to exploit the vulnerability. Sony actually had to recall some CDs over that one.
The definition of the law is so vague and its abuses of application are so common that it’s become widely controversial. It flies directly in the face of Free Speech as defined by the American constitution, and while citizens don’t mind making exceptions for it when it comes to matters of treason or public safety, they tend to frown on laws designed just to protect some billionaire’s right to make another nickel at great inconvenience and expense to the consumer. It’s been challenged in court multiple times, and recently Congress has been making efforts to repeal the law, because now it’s even compromising government digital security.
Back to our story: In May of 2007, DMCA lawyers sent a cease-and-desist letter to one website, Digg.com. Back at that time, Digg was social media’s star forum website, in exactly the place where Reddit.com is now. Digg was instructed to remove all references to the illegal number on their website. Digg.com, remember, was the first user-curated social news site of its kind. So the powers that be shrugged and started restricting users from posting the outlawed number, with no foresight of the effect that would have.
Meet the Streisand Effect
Guess what happens when you take the Internet’s most liberal social network and tell its residents that a corporate association they already don’t like is forbidding them to share a short, easily-memorized number? If your answer was any one of “chaos,” “bedlam,” “mass hysteria,” or “howling pandemonium”: ding, you are correct. Dozens of users immediately posted the number. Scores of editors and moderators deleted those posts. Hundreds of users reposted the number. They started getting banned. Thousands of new accounts were created with a mysterious obsession with the number. They were getting kill-filed almost, but not quite, as fast as they could create new accounts. “Aaaaaaah-09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0-choo!” commented one user dryly, and immediately got banned. Meanwhile, the rest of the Internet got to do this:
Numerous bloggers on the web pointed out that it was simply impossible to make one out of only (2^128) numbers illegal to transmit. Your wifi network has probably bounced that number around at least once since you started reading this article. The mathematical constant Pi could inevitably contain it, since it’s supposed to contain all positive integers. Concurrent to the Digg user revolt, the number began popping up in protest songs, T-shirts, tattoos, and of course half the blogs out there. Google search hits for the number from May 1, 2007, to May 4, went from a mere 9000 to 700,000 pages. It was the top trending phrase on Twitter.
“The Steisand Effect,” we now know, is the ironic effect in which publicly forbidding people to share a piece of information creates a backlash which makes the information far more commonly known than if you’d never forbid anyone from sharing it in the first place. In other words, any attempt to suppress information on the Internet immediately calls attention to it. Digital activists say “information wants to be free,” and by coincidence it also wants to anthropomorphized.
A few websites attempted to suppress the number too, with predictable results. Wikipedia itself locked down the number’s page, and then from the backlash had to pretty much shut down the entire site temporarily because users were editing the number into every open page. Google got, and wisely ignored, a cease-and-desist order to quit returning search hits on the number. By the end of May 1, 2007, the founding owner of Digg.com posted the following to his account, waving the white flag of surrender:
…interestingly enough, Kevin Rose soon afterward sold the domain Digg.com and retired from the social media business. Presumably he still wakes up nights in a sweaty panic, screaming hexadecimal digits.
What Have We Learned?
DRM has been a pretty hard wall for the Internet to bash down, and we still see outrage over it today. The bitter war between Internet activists and corporate DRM interests raged throughout most of the 2000s, and was partly responsible for the rise of open source software, the swelling popularity of the Electronic Frontier Foundation, the #OccupyWallStreet movement, and all sorts of “hacktivism.” Today DRM is more carefully handled; YouTube still gets into tussles with the MPAA (and the RIAA for music) regularly, but lawyers and website maintainers know better than to use such heavy-handed tactics to try to control the unruly Internet ever again.
Thanks for reading, and chill on the tattoos. They don’t date very well.