Skip to main content
zero to three sad copyright onions

YouTube Obfuscating A URL Is Probably Legally Enforcable DRM

DMCA 1201 is broader than you think.

Submitted by kmeisthax on Sat, 10/24/2020 - 19:26 in News

Recent events involving the takedown of software that allows you to download other people's YouTube videos have prompted what is quite frankly a disturbing lack of understanding of how this is even possible or even what YouTube is doing. Most people seem to think "DRM means encryption" and that you can't take down YouTube downloader software for breaking what isn't DRM'd. There are several other non-DRM problems with the software in question which would allow it to be taken down. For example, several of it's test cases were "can we steal music", which is inducement and carries contributory liability. However, for the sake of sanity we're going to restrict ourselves to this one particular problem and explore the depths of the question "What is DRM, anyway?"

First off, let's stop using the letters "DRM", because that isn't the actual term of art in the law. DMCA Section 1201(a)(3) defines the term "technological measure" and the act of "circumventing" said measures as following:

(3) As used in this subsection—
(A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and
(B) a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

Note that this definition is extremely broad. Encryption and "scrambling" is mentioned as a way by which a technological measure may be constructed but is not the only way a technological measure may be recognized by a court of law. Remember that it took nearly a decade for the Supreme Court to recognize that code to keep you from refilling printer cartridges does not constitute a DMCA 1201 technological measure. All that has to be present in a technological measure is a copyrighted work and some thing that prohibits you from copying it, and then anything you do to prevent that thing from doing it's job is circumvention.

I'm going to prove that you can build technological measures with legal force using open standards, and that you can be considered by the law to have circumvented them despite it being easy to do so. DMCA 1201 really is broader than you think.

Okay, But What If The DRM Is Just Some JavaScript?

Hey, remember old webpages that didn't let you right click on things? It was fairly common for particularly young and naive web developers to put JavaScript on their webpages that prevented you from right-clicking the page. Ignoring the fact that most of what was being "protected" wasn't copyrightable or was already stolen from something else, this actually constitutes a technological measure when applied to copyrightable works in the form of HTML and JavaScript.

However, it's also patently easy to work around. Text and images can still be highlighted, copied, and pasted; developer tools can still be opened, and so on and so forth. This is probably why a lot of programmers wouldn't consider it "DRM". This does have some weight to it, too: technological measures have to effectively control access to the work in order to have legal force. If it's possible to get access to the content in an unprotected form after the technological measure has done it's job, then it's probably not an act of circumvention to do so. Recording a song protected with iTunes FairPlay DRM off an old iPod through the headphone jack doesn't circumvent the DRM.

This isn't a weird hypothetical driven by old petty web scripts, though. There's plenty of more modern scripts applied to websites to defeat things like ad-blockers. Those would also likely constitute a technological measure: they keep you from viewing the content if the ads are missing. Furthermore, most ad-blockers don't attempt to bypass such measures, as DMCA 1201 contains a separate paragraph which regulates tools that can bypass technological measures:

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
(C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

Note that this isn't regulating the act of circumvention, but the tools that you would employ in order to engage in circumvention. This is a distinction that means that, for example, it's OK for certain institutions to decrypt DVDs but not for someone else to give them the tools needed to do it. The law seems to expect that technological measures will be easy enough to circumvent that people authorized to do so can write their own tools. It also means that certain tools that interact with webpages, such as ad-blocking extensions, need to worry about if they constitute a circumvention tool and therefore are violating the law by distributing it.

(When someone inevitably tries to sue the makers of uBlock Origin over this, please don't DDoS my website for telling you it could happen.)

Okay, But What If The DRM Is Part Of A Flash Game?

Let's stay on the subject of old web stuff and talk about Flash, a particularly prolific browser plugin that enabled animations, videos, and other interactive content before the glory days of HTML5 and open web standards. Now, it was fairly common for people to copy Flash content and rehost it on other websites, and plenty of creators tried to stop that. The Flash equivalent of a no-right-clicking script is called a domain lock: a piece of ActionScript that asks Flash Player what website domain it's running on, and if it isn't the creator's, stops the movie and plays a message saying the movie has been stolen.

I don't think "domain locks are DRM" would be as controversial among web developers as "no-right-clicking is DRM", purely because of the fact that SWF (the Flash file format) went without official documentation for so long that it goes in the same mental bucket as video encryption technologies like CSS (no not that one, the DVD one), AACS, and HDCP. However, the file format was reverse engineered very early on, contains no actual encryption, and was eventually published by Adobe in the middle of the mobile Flash wars to try and prove Steve Jobs wrong.

Is SWF a technological measure? No. It does not control access to anything, much less a protected work. You don't put a movie in Flash Player and then Flash Player checks to see if the movie is authorized to play. It just plays. The movie itself contains the technological measure. Thus, removing that part of the movie is circumvention. This isn't just a weird hypothetical consideration, either: I'm a developer on Ruffle, a Free Software reimplementation of Flash Player. We have to support these domain locks in order for people's old games and movies to work (and, as far as I can tell, most people want them to work).

Is Ruffle a circumvention tool? Probably not - otherwise, I wouldn't have authored the PR that lets domain locks work. Going back to that legal definition of circumvention tools...

  • Ruffle isn't "primarily designed... for the purpose of circumventing a technological measure" - our purpose is to make Flash movies run in modern browsers.
  • Ruffle doesn't have "limited commercially significant purpose or use other than to circumvent a technological measure" - the project has a number of sponsors that pay us money specifically because they want to be able to host Ruffle on their website to make old movies play in modern browsers
  • Ruffle isn't "marketed... for use in circumventing a technological measure". In fact, I did the opposite. I specifically designed the APIs Ruffle provides to websites so that webmasters cannot easily tell Ruffle to lie about domain locks. We fetch the movie ourselves from your URL and we tell the movie the URL we got it from.

If Ruffle was a circumvention tool, then so would Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and Opera... Opera be a circumvention tool. They contain tools that can be abused to break technological measures. However, that's not enough - it has to be the only thing the tool does, the only thing people want the tool for, or the developers have to specifically market the tool for circumvention. Merely being the substrate a technological measure relies upon isn't enough. A browser extension that detected and disabled no-right-click scripts, or stripped domain locks out of SWF files and played them in Ruffle would be.

Okay, But What If The DRM Is An Obfuscated URL?

YouTube obfuscates the URL that gives you the video content as a means of preventing casual video downloading. YouTube makes it clear in their TOS that they don't want people downloading videos off their platform (outside of some very specific mobile apps with heaps more DRM than the web player). The RIAA in their complaint against YouTube-DL alleges that this URL obfuscation counts as a technological measure and thus that YouTube-DL is a circumvention tool. I personally find this somewhat persuasive.

Astute readers will point out that YouTube-DL was not the only way to copy YouTube content. YouTube provides standard-format video data to the browser via Media Source Extensions and video could be captured that way without directly defeating the technological measure; or you could use screen capture software like OBS or XSplit to record and re-encode the video at normal playback speed. In each case, whether or not the act would be considered circumvention, and whether or not the tools needed to perform the act would be prohibited would differ. For example, there's plenty of legal things you can do with OBS, but a Media Source Extensions dumping tool has a purpose more in line with getting around the obfuscation.

For what it's worth, the lawyer whose livestream inspired me to write this article thinks that screen capture tools would not be circumvention. I'm not so sure of that. There's nothing in the statute that talks about what happens if the DRM just doesn't protect anything. You could argue that the technological measure failed to "control access to a work", but that's the sort of argument that would only prevail after an appeal, possibly even a writ of certiorari. I also don't have access to the YouTube-DL source code nor have I reviewed it in the past to see how it works and what measures it actually bypasses. So there are questions of law here, and this is not an open-and-shut case against them - at least, if someone like the EFF gets involved and works pro-bono.

Nevertheless, the fact that YouTube wrote code that makes it harder to copy a copyrighted work is probably enough to justify a DMCA takedown. If a court finds that the tool is not a circumvention tool, you probably won't see fee-shifting happen, much less punitive damages on the part of the RIAA for misrepresentation. Yes, DRM can be as simple as the programming equivalent of a post-it note saying "please no copy", and that could be enough to trigger DMCA 1201.

copyright law