Pay-TV clone decryption becomes illegal in Europe

Markus Kuhn – March 1998

Industry lobbyist groups have managed to persuade the European Commission to introduce rather radical new legislation for protecting pay-TV broadcasters against unauthorized reception by consumers. Not only the commercial advertising and sale of pirate devices is to be prohibited (this has already been the case in a number of member countries and is perfectly acceptable), but also the private possession or use of clone decoders as well as any private exchange of information about the security properties of pay-TV encryption systems and other Information Society services will become illegal and punishable under the proposed EU conditional-access directive.

This constitutes a serious cut in the existing right of, for example, German consumers to receive satellite radio signals on their premises and to demodulate them in any way they want. It would also ban the use of non-commercial software currently available freely on the Internet to receive say UK TV programs in Central Europe for which a normal subscription is not at all available outside the UK and where the unauthorized reception does therefore not represent a direct theft of service. It also denies security experts and hobby electronic fans the right to experiment with access-control systems and discuss their results publicly. Existing Internet Web pages and discussion groups would suddenly become criminal offenses and industry would have managed to legally ban public discussion of weaknesses in their systems. The conditional-access industry will use our tax money and the legal system to compensate the technical flaws in the designs of their security hardware. I feel this is a highly concerning development of how industry consortias are gaining power over consumer rights and I ask my representatives in the European and German parliaments not to pass this EU directive, especially not the recently proposed Anastassopoulos amendments.

Commercial TV broadcasters and multimedia service providers should use the available highly effective technical means to protect their revenue and not the legal system. The proposed legal protection is unproportional and unnecessary. It is also counterproductive for the further technical advance of secure communication systems. The TV monopoly deregulation has given pay-TV broadcasters the privilege to use precious parts of the radio spectrum for their commercial purposes, which would otherwise have been available for open-access stations. They should be happy with this privilege and it is in my opinion inappropriate for the pay-TV broadcasters to demand further legal protection of their business model from our society.

Background information

The Digital Video Broadcasting Project developed the new technical specifications for digital television broadcasts. As part of this project, several pay-TV broadcasters, conditional-access system manufacturers, and Hollywood film studios formed a lobbying group to persuade European governments to introduce strict legal protection of encrypted broadcast signals against unauthorized access.

The result of this intensive lobbying effort was the text

Legal Protection for Encrypted Services in the Internal Market, European Commission Green Paper, 1996-03-06.

which discussed the current legal protection of pay-TV providers in Europe and proposed a very hard legal protection for service providers against unauthorized access. This Green Paper proposes to prohibit the manufacture, sale, possession for commercial or private purposes, installation, and marketing of decoding devices intended to permit access to encrypted services as well as the decoding of encrypted broadcasts without authorization of the encryptor. It suggests effective and deterrent penalties for the breach of these provisions and suggests to enable encryptors to bring a claim for damages and interest.

This Green Paper tries to demonstrate the need for such regulation in a rather biased way. It presents completely unrealisticly high numbers about the amount of pay-TV piracy going on in Europe without giving any verifiable source for these numbers. It also lacks a state-of-the-art discussion of the opportunities to prevent pay-TV piracy by a significantly better technical protection than that used by the currently fielded analog systems that were developed in the mid 1980s. For instance the quoted number of clone decoders claimed to be in circulation does not describe which fraction of these decoders is still operational; successful electronic countermeasures of pay-TV operators have so far often rendered pay-TV pirate smartcards useless within a few days. A reasonable estimate for the number of operational unauthorized decoders in circulation would have to be at least two orders of magnitude lower. It is true that the currently used EEPROM smartcards are indeed not very secure and can be penetrated at a cost of up to around 100 000 USD for the best models. However, the Green Paper fails to mention that there are upcoming new technologies (SRAM cryptobuttons such as the DS1954 to name just one example) that are likely to evolve shortly into devices that even the most powerful hackers and even government laboratories will not be able to penetrate any more. In addition, significant progress has been made in the study of broadcast encryption cipher systems in the early 1990s in the academic research community, which has not been utilized by the conditional access industry so far.

The Green Paper requested comments, and some private consumers and independent experts replied and documented their concerns:

Unfortunately, these concerns about the undue restrictions of personal freedom by the proposed legislation and the bad effects of a reduced pressure on the conditional access control industry to develop better technical protection measures instead of being allowed to rely on legal protection remained unanswered.

The new proposed EU directive

Proposal for a European Parliament and Council Directive on the Legal Protection of Services based on, or consisting of, Conditional Access (presented by the Commission), COM(97) 356 final, 1997/359, 09.07.1997, 22 pages.

seems to implement most of the legal protections demanded by the DVB pressure group. However, the DVB lobbyists were not satisfied with the result as the proposed directive did not criminalize the private use and possession of clone decoder devices. Further lobbying efforts resulted in an amendment to the directive known as the Anastassopoulos Report dated 1998-02-09. It extends the protection beyond pay-TV broadcasts and includes a very general and wide description of the illegal activities related to multimedia services. For instance, the amendment prohibits “the advertising and provision of information concerning activities and measures facilitating unauthorized access” or “any unauthorized access whatsoever in the knowledge that it is unauthorized” (Amendment 12, sections c2 and c3). In addition, the formulation “for commercial purposes” that restricted in the original proposal the scope of an infringing activity is now replaced by the open-ended “for direct or indirect financial gain” which seems to be targeted at covering private non-commercial activities as well.

The Anastassopoulos Report clearly proposes a much more significant restriction of the rights of individual consumers than the original directive. Making the provision of information related to technical weaknesses in pay-TV conditional access systems illegal is a serious restriction of the rights of free speech, as well as the freedom of journalism and research.

The pay-TV industry has obviously welcomed these proposals, tries to extent them via the World Intellectual Property Organisation (WIPO) into the rest of the world and requested even stricter prohibition of the private possession of decryption devices which apparently has led to the Anastassopoulos Report.

What should the European Union do instead?

Considering today’s realistic technical feasibility of designing low-cost tamper-resistant conditional-access modules, it seems that no additional legislation at all is required and that it might even be harmful. It is certainly not the responsibility of the European Parliament to save the pay-TV industry the cost for the necessary innovative research and the replacement of the installed insecure legacy decoder base, which by the way will have to be replaced for the introduction of digital TV anyway. On the contrary, a delay of research in conditional-access security that the directive might cause will in the long-term do more harm to both industry and society: Future information-society services, such as electronic cash, that are about to be introduced use exactly the same technologies and will be compromised as well if no much more secure technologies have been accepted by the market by then. Pay-TV encryption allows the industry to develop and field test those more secure technologies today with limited risk. Pay-TV encryption is the first large scale use of cryptography in the consumer market. It has a pilot function for demonstrating the suitability of the technology for considerably more sensitive areas, such as mobile financial transactions. The European Parliament should not delay a fast technical solution of the pay-TV piracy problem by attempting a legislative solution.

Under no circumstances should the proposed amendments in the Anastassopoulos Report be accepted. They impose significant and unjustified restrictions on individual private consumers, for which there exists no justification but the lobbying efforts of the industry. Restrictions on the provision of information and private possession and use of decoding devices would violate the constitutions of various EU member countries anyway.

What can we do?

The proposed directive as amended by the Anastassopoulos Report is about to become effective in the next few months. The various deadlines are:

We have now our best chance to express our concerns to our representatives in the European and in our national parliaments. The most effective way to influence this directive is to contact prior to 18 March 1998 the Members of the Legal Affairs Committee and to politely express our concerns.

It was also suggested to me that it is a good idea to voice concerns through consumer protection organizations such as

Responses and opinions

Here are a number of public reactions posted to various Internet discussion groups:

A number of people have started to write letters to members of the European Parliament and the letters will be published here as soon as they have been released by the respective authors:

If you plan to write a letter to members of the Legal Affairs Committee, please note that this should best be done before 11 May 1998!

Further developments

created 1998-03-09 – last modified 2002-02-04 –