Pay-TV clone decryption becomes illegal in Europe

Markus Kuhn – March 1998

Industry lobbyist groups have managed to persuade the European Commission to introduce rather radical new legislation for protecting pay-TV broadcasters against unauthorized reception by consumers. Not only the commercial advertising and sale of pirate devices is to be prohibited (this has already been the case in a number of member countries and is perfectly acceptable), but also the private possession or use of clone decoders as well as any private exchange of information about the security properties of pay-TV encryption systems and other Information Society services will become illegal and punishable under the proposed EU conditional-access directive.

This constitutes a serious cut in the existing right of, for example, German consumers to receive satellite radio signals on their premises and to demodulate them in any way they want. It would also ban the use of non-commercial software currently available freely on the Internet to receive say UK TV programs in Central Europe for which a normal subscription is not at all available outside the UK and where the unauthorized reception does therefore not represent a direct theft of service. It also denies security experts and hobby electronic fans the right to experiment with access-control systems and discuss their results publicly. Existing Internet Web pages and discussion groups would suddenly become criminal offenses and industry would have managed to legally ban public discussion of weaknesses in their systems. The conditional-access industry will use our tax money and the legal system to compensate the technical flaws in the designs of their security hardware. I feel this is a highly concerning development of how industry consortias are gaining power over consumer rights and I ask my representatives in the European and German parliaments not to pass this EU directive, especially not the recently proposed Anastassopoulos amendments.

Commercial TV broadcasters and multimedia service providers should use the available highly effective technical means to protect their revenue and not the legal system. The proposed legal protection is unproportional and unnecessary. It is also counterproductive for the further technical advance of secure communication systems. The TV monopoly deregulation has given pay-TV broadcasters the privilege to use precious parts of the radio spectrum for their commercial purposes, which would otherwise have been available for open-access stations. They should be happy with this privilege and it is in my opinion inappropriate for the pay-TV broadcasters to demand further legal protection of their business model from our society.

Background information

The Digital Video Broadcasting Project developed the new technical specifications for digital television broadcasts. As part of this project, several pay-TV broadcasters, conditional-access system manufacturers, and Hollywood film studios formed a lobbying group to persuade European governments to introduce strict legal protection of encrypted broadcast signals against unauthorized access.

The result of this intensive lobbying effort was the text

Legal Protection for Encrypted Services in the Internal Market, European Commission Green Paper, 1996-03-06.

which discussed the current legal protection of pay-TV providers in Europe and proposed a very hard legal protection for service providers against unauthorized access. This Green Paper proposes to prohibit the manufacture, sale, possession for commercial or private purposes, installation, and marketing of decoding devices intended to permit access to encrypted services as well as the decoding of encrypted broadcasts without authorization of the encryptor. It suggests effective and deterrent penalties for the breach of these provisions and suggests to enable encryptors to bring a claim for damages and interest.

This Green Paper tries to demonstrate the need for such regulation in a rather biased way. It presents completely unrealisticly high numbers about the amount of pay-TV piracy going on in Europe without giving any verifiable source for these numbers. It also lacks a state-of-the-art discussion of the opportunities to prevent pay-TV piracy by a significantly better technical protection than that used by the currently fielded analog systems that were developed in the mid 1980s. For instance the quoted number of clone decoders claimed to be in circulation does not describe which fraction of these decoders is still operational; successful electronic countermeasures of pay-TV operators have so far often rendered pay-TV pirate smartcards useless within a few days. A reasonable estimate for the number of operational unauthorized decoders in circulation would have to be at least two orders of magnitude lower. It is true that the currently used EEPROM smartcards are indeed not very secure and can be penetrated at a cost of up to around 100 000 USD for the best models. However, the Green Paper fails to mention that there are upcoming new technologies (SRAM cryptobuttons such as the DS1954 to name just one example) that are likely to evolve shortly into devices that even the most powerful hackers and even government laboratories will not be able to penetrate any more. In addition, significant progress has been made in the study of broadcast encryption cipher systems in the early 1990s in the academic research community, which has not been utilized by the conditional access industry so far.

The Green Paper requested comments, and some private consumers and independent experts replied and documented their concerns:

• Markus Kuhn comment on the Green Paper, 1996-05-23.
• Massimo Macucci et al. comment on the Green Paper, 1996-05-30.
• Dr. Josep Domingo-Ferrer et al. comment on the Green Paper.

Unfortunately, these concerns about the undue restrictions of personal freedom by the proposed legislation and the bad effects of a reduced pressure on the conditional access control industry to develop better technical protection measures instead of being allowed to rely on legal protection remained unanswered.

The new proposed EU directive

Proposal for a European Parliament and Council Directive on the Legal Protection of Services based on, or consisting of, Conditional Access (presented by the Commission), COM(97) 356 final, 1997/359, 09.07.1997, 22 pages.

seems to implement most of the legal protections demanded by the DVB pressure group. However, the DVB lobbyists were not satisfied with the result as the proposed directive did not criminalize the private use and possession of clone decoder devices. Further lobbying efforts resulted in an amendment to the directive known as the Anastassopoulos Report dated 1998-02-09. It extends the protection beyond pay-TV broadcasts and includes a very general and wide description of the illegal activities related to multimedia services. For instance, the amendment prohibits “the advertising and provision of information concerning activities and measures facilitating unauthorized access” or “any unauthorized access whatsoever in the knowledge that it is unauthorized” (Amendment 12, sections c2 and c3). In addition, the formulation “for commercial purposes” that restricted in the original proposal the scope of an infringing activity is now replaced by the open-ended “for direct or indirect financial gain” which seems to be targeted at covering private non-commercial activities as well.

The Anastassopoulos Report clearly proposes a much more significant restriction of the rights of individual consumers than the original directive. Making the provision of information related to technical weaknesses in pay-TV conditional access systems illegal is a serious restriction of the rights of free speech, as well as the freedom of journalism and research.

The pay-TV industry has obviously welcomed these proposals, tries to extent them via the World Intellectual Property Organisation (WIPO) into the rest of the world and requested even stricter prohibition of the private possession of decryption devices which apparently has led to the Anastassopoulos Report.

What should the European Union do instead?

Considering today’s realistic technical feasibility of designing low-cost tamper-resistant conditional-access modules, it seems that no additional legislation at all is required and that it might even be harmful. It is certainly not the responsibility of the European Parliament to save the pay-TV industry the cost for the necessary innovative research and the replacement of the installed insecure legacy decoder base, which by the way will have to be replaced for the introduction of digital TV anyway. On the contrary, a delay of research in conditional-access security that the directive might cause will in the long-term do more harm to both industry and society: Future information-society services, such as electronic cash, that are about to be introduced use exactly the same technologies and will be compromised as well if no much more secure technologies have been accepted by the market by then. Pay-TV encryption allows the industry to develop and field test those more secure technologies today with limited risk. Pay-TV encryption is the first large scale use of cryptography in the consumer market. It has a pilot function for demonstrating the suitability of the technology for considerably more sensitive areas, such as mobile financial transactions. The European Parliament should not delay a fast technical solution of the pay-TV piracy problem by attempting a legislative solution.

Under no circumstances should the proposed amendments in the Anastassopoulos Report be accepted. They impose significant and unjustified restrictions on individual private consumers, for which there exists no justification but the lobbying efforts of the industry. Restrictions on the provision of information and private possession and use of decoding devices would violate the constitutions of various EU member countries anyway.

What can we do?

The proposed directive as amended by the Anastassopoulos Report is about to become effective in the next few months. The various deadlines are:

• 18 March 1998: Deadline for introduction of amendments to the Anastassopoulos report by members of the Legal Affairs Committee (LAC)
• 14 to 16 April 1998: Discussion and vote in the LAC
• 11 to 16 May 1998: most likely session for the vote in the European Parliament plenary

We have now our best chance to express our concerns to our representatives in the European and in our national parliaments. The most effective way to influence this directive is to contact prior to 18 March 1998 the Members of the Legal Affairs Committee and to politely express our concerns.

It was also suggested to me that it is a good idea to voice concerns through consumer protection organizations such as

• Bureau Européen des Unions de Consommateurs (BEUC), Avenue de Tervueren 36 Bte 4, B-1042 Brussels, phone +32 2 743 1590, fax +32 2 735 7455
• UK Consumers Association, 2 Marylebone Road, Lonon NW1 4DF, phone 0171 830 6000, fax 0171 830 6220
• Arbeitsgemeinschaft der Verbraucherverbände, Heilsbachstraße 20, D-53123 Bonn, phone +49 228 6489-0, fax +49 228 644258

Responses and opinions

Here are a number of public reactions posted to various Internet discussion groups:

• Axel H. Horns in krypto@rhein.de (in German)
• Ulrich Sandl in krypto@rhein.de (in German)
• Ross Anderson in ukcrypto@maillist.ox.ac.uk
• David Hendon in ukcrypto@maillist.ox.ac.uk
• David Hendon in ukcrypto@maillist.ox.ac.uk
• Stefek Zaba in ukcrypto@maillist.ox.ac.uk
• Weld Pond in cypherpunks@toad.com
• Mijo Saftic in alt.satellite.tv.crypt

A number of people have started to write letters to members of the European Parliament and the letters will be published here as soon as they have been released by the respective authors:

• Letter by Michael Bauer (in German)
• Letter by dr. Gabor S. Aschner
• Letter by Massimo Macucci
• Letter by Dr Brian Gladman
• Letter by Stefek Zaba
• Letter by Markus Kuhn, Reply by G. Anastassopoulos

If you plan to write a letter to members of the Legal Affairs Committee, please note that this should best be done before 11 May 1998!

Further developments

• 1998-04-08: Tony Dyer, Principal Private Secretary at the UK Department for Culture, Media and Sport replied to Ross Anderson’s letter. He notes that the UK has already pay-TV piracy laws in place: “Under the provisions of the Copyright, Design and Patents Act 1988 as amended by the Broadcasting Acts 1990 and 1996, it is a criminal offence to make import, advertise, sell or let for hire an unauthorized decoder. The effect of the proposed Directive will be simply to require an extension of this list to include possession, installation, maintenance or replacement for commercial purposes of an illicit device and will also require an extention of the protection afforded to include services transmitted from any place within the EU.” In reply to Ross Anderson’s concern that the Anastassopolous amendments might extend the scope of the proposed directive, he assured that the UK “would not be prepared to support amendments to extend its scope”.
• 1998-04-21: After the Legal Affairs Committee meeting in mid April, Mr. Anastassopoulos has published Report A4-0136/98, which contains the new amendments to the European Commission’s proposal that have been approved. It seems the criminalization of the “provision of information concerning activities and measures facilitating unauthorized access” and of the private possession of illicit devices have been removed from this most recent set of amendments. In addition, there is a new amendment 3 that says “conditional access systems should not be used for the sole purpose of refusing access for consumers in some Member States to services which are freely available in other Member States”, as well as many other changes.
• 1998-04-30: Short report about the ongoing debate in the European Parliament
• 1998-05-11: A highly interesting RISKS 19.73 article by Simson L. Garfinkel illustrates the unpleasant consequences of currently discussed new U.S. copyright legislation that introduces as a new crime the circumvention of copying protection mechanisms of digital media and allows publishers to severely restrict the fair-usage provisions of traditional copyright laws. The EU Conditional Access Directive is clearly heading in the same direction as these new U.S. laws.
  Read also Richard Stallman’s scary short story The Right to Read that appeared in the February 1997 issue of Communications of the ACM (Volume 40, Number 2).
• 1998-06-28: A PC Week Online article by Jim Kerstetter reports about how the proposed U.S. Digital Millennium Copyright Act would make real-world testing of security software illegal.
• 1998-09-24: The European Parliament’s Committee on Legal Affairs and Citizens’ Rights publishes a Recommendation for Second Reading of the European Parliament and Council Directive on the legal protection of services based on, or consisting of, conditional access (C4-0421/98 - 97/0198(COD)).
• 1998-11-20: The European Parliament and the Council of the European Union have adopted Directive 98/84/EC on the legal protection of services based on, or consisting of, conditional access. The directive has been published on 1998-11-28 in the Official Journal of the European Communities (OJ L 320/98 EN pp 54-57). The directive requires member states in article 4 to “prohibit on their territory all of the following activities:
  1. the manufacture, import, distribution, sale, rental or possession for commercial purposes of illicit devices;
  2. the installation, maintenance or replacement for commercial purposes of an illicit device;
  3. the use of commercial communications to promote illicit devices.”
  where according to article 2 “illicit device shall mean any equipment or software designed or adapted to give access to a protected service in an intelligible form without the authorisation of the service provider”. “Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 28 May 2000.”
• 1998-12-07: Markus Kuhn’s comment, as posted on the tv-crypt mailing list: “I am actually quite happy with the final Directive 98/84/EC and I think that almost all points that we made have been fixed. These are especially:
  • Only commercial activities related to pay-TV piracy are required to become punishable. This means that this directive does not require member states to ban either private non-commercial hobbyist hacking or academic research on the subject of conditional access tamper resistance. I expect member states will follow the wording of the directive quite closely and will not add additional restrictions.
  • Both hardware and software are covered now. (Leaving out software was an obvious loophole in the old directive.)
  • Exchange of abstract information related to illicit decryption techniques for non-commercial purposes is clearly not required to be banned by member states, so for instance member states will not be required to ban the tv-crypt mailing list as a criminal organization.
  • Only ‘equipment or software designed or adapted to give access to a protected service in an intelligible form without the authorisation of the service provider’ are covered, so general purpose smartcard emulation tools without any specific pay-TV software clearly are still not required to be banned.

  Altogether, the directive is significantly better than the first drafts that we have seen, and I like to think that some of this is connected to our activism.”

• 2000-02-24: UK Implementation of Conditional Access Directive 98/84/EC (archive link)
• 2002-02-04: German Implementation (Zugangskontrolldiensteschutz-Gesetz)

created 1998-03-09 – last modified 2002-02-04 – http://www.cl.cam.ac.uk/~mgk25/ca-law/