09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

According to the Motion Picture Association of America (MPAA), this seemingly innocent 32-digit hexadecimal number is verboten. Slashdot reports they sent out DMCA takedown notices (sample at chillingeffects.org) to several sites that spread the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

The DMCA, or Digital Millennium Copyright Act, is a U.S. copyright law. A takedown notice is a letter or other message that a legitimate copyright holder can send to an internet service provider, requesting that specific infringing material be taken off the Net.

So why and how would an association of the motion picture, home video and television industries attempt to maintain and defend their copyright in a 32-digit hexadecimal number, 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0?

Obviously, 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is not a movie, nor is it the title or any other essential element of one. Rather, it’s a key, the HD-DVD Processing Key for many movies released on next-generation DVDs so far. And the MPAA does not really claim copyright; they say the string is a circumvention device. They employ a content scrambling system named Advanced Access Content System, or AACS for short. AACS is a successor of the Content Scramble System (CSS) used with traditional DVDs. Both schemes encrypt the contents of disks, supposedly allowing copyright owners of the contents to manage and enforce access permissions.

As a side effect, rights management schemes like CSS and AACS make it difficult to implement and distribute independent players. While it is technically easy to implement the respective standards, participation in the underlying management and licensing schemes requires resources that open source projects and other independent parties lack. Consequently, CSS had been reverse-engineered by a teenager to lay the foundations for independent implementations. Linux and BSD users want to watch DVDs, too.

CSS had been broken because its design violated fundamental concepts of information security: it relied on the hope that nobody would ever try. To be fair, this is hard to avoid. Not only is the CSS scheme broken; so are the requirements it is built upon. Millions of copies of movies are to be transmitted to millions of players. The system is supposed to prevent the movie from being played on any unauthorized player and from being modified during transport.

For such a system to be secure, it must withstand at least a small number of compromised players. Authorized players are an essential element of the requirements: an authorized player is assumed to observe and enforce any access or use limitations defined within the contents. With millions of devices in the field it just does not make sense to assume none of them would be compromised. Content scrambling itself is not the security mechanism here; it just supports the primary objective and mechanism, which is control over platforms.

AACS improves on the key management but does not solve the fundamental issue. No matter what encryption scheme one uses, no matter how keys are managed, one ultimately has to bring two things together in a single device: encrypted contents and the matching key. In a device that is possibly compromised. For content that is distributed on mass-manufactured disks, each one like the other, piece by piece.
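
The argument above can be run as a toy model. This is an added example, not code from AACS or from the original post; the per-player key wrapping, the revocation step, the toy cipher and all names are modelling assumptions and not the AACS design.

```python
import hashlib

MOVIE = b"constructed sample content standing in for a film " * 3

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not a real disc cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def press_disc(title_key, content, player_keys, revoked=()):
    """One disc image, identical for every buyer: scrambled content plus the
    title key wrapped once for each player that has not been revoked."""
    return {
        "content": xor_stream(title_key, content),
        "key_block": {pid: xor_stream(k, title_key)
                      for pid, k in player_keys.items() if pid not in revoked},
    }

def play(disc, pid, player_key):
    """What every authorized player must do: unwrap the title key, then descramble."""
    wrapped = disc["key_block"].get(pid)
    if wrapped is None:
        return None  # this player was revoked before the disc was pressed
    return xor_stream(xor_stream(player_key, wrapped), disc["content"])

def demo():
    # Constructed keys for two hypothetical players, A and B.
    players = {pid: hashlib.sha256(pid.encode()).digest() for pid in ("A", "B")}
    old_key = hashlib.sha256(b"title-1").digest()[:16]
    new_key = hashlib.sha256(b"title-2").digest()[:16]
    old_disc = press_disc(old_key, MOVIE, players)
    # Player B is compromised: the title key it unwraps is no longer secret.
    leaked = xor_stream(players["B"], old_disc["key_block"]["B"])
    # Better key management: B is left out of every disc pressed afterwards.
    new_disc = press_disc(new_key, MOVIE, players, revoked={"B"})
    return {
        "new_disc_honest_player": play(new_disc, "A", players["A"]),
        "new_disc_revoked_player": play(new_disc, "B", players["B"]),
        # Discs already sold cannot be recalled; the key opens them outside any player.
        "old_disc_with_leaked_key": xor_stream(leaked, old_disc["content"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "plays" if result == MOVIE else "refused")
```

Revocation limits the damage to discs pressed later, which is the improvement in key management; the disc already in the field still meets its key in a device the licensor does not control.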

So far we have no evidence that technology can solve this problem at all. That’s why the MPAA attempts to control 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. They resort to legal measures where technology fails. As a general approach this makes sense and is common. There are many things that we technically could do but aren’t allowed to.

Usually, however, the law targets those doing wrong and is specific about the things it prohibits. This is not the case here. Are we allowed to say, write or paint 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 at all? If not, what are the conditions under which we are or are not allowed to do so? Are we allowed to register 09f911029d74e35bd84156c5635688c0.com as a domain for instance? Mention it without context? Print it on t-shirts perhaps? Or operate sites where people tell each other the number? Use it as a tag for related stories?

Update: The Net reacts as usual.

