Reverse engineering copyright law (Updated)

One reason Aereo decided to launch its broadcast TV streaming service in New York is that it is the home of the federal Second Circuit Court of Appeals, which in 2008 handed down the decision in the Cablevision network DVR case that established a service provider’s right to offer cloud-based recording and playback capability under certain circumstances. The 2nd Circuit’s opinion in that case became the blueprint from which lawyers and engineers for Aereo designed their service, knowing that the inevitable legal challenge to Aereo would be heard by a district court that was bound to follow the Cablevision precedent. Any appeal of the district court’s ruling, moreover, would be heard by the very same 2nd Circuit court that had handed down Cablevision.

Lawyers for Aereo, in fact, are anything but shy about their role in reverse engineering the 2nd Circuit’s opinion to design Aereo. “It was something we had been thinking about for a long time, really since Cablevision: How could you design a system for streaming broadcast channels that complied with the law?” Seth Greenstein, an attorney with Aereo’s outside firm Constantine Cannon, told me when I ran into him at CES. “So when [Aereo CEO] Chet [Kanojia] came to us, we had a pretty good idea of how it would have to work.”

That sort of legal reverse-engineering is now becoming a fad, it seems. Mega, the new encrypted online file-locker service launched by MegaUpload founder Kim Dotcom, seems to have been carefully engineered around a string of DMCA cases running from Perfect 10 v. CCBill in 2007 through Viacom v. YouTube in 2010 that have held that online service providers cannot be held liable for secondary copyright infringement based on a general awareness that their platforms were being used for infringing purposes. Instead, the courts ruled, liability can only attach where a service provider has particularized knowledge that a specific file on its servers is infringing.

As described in this Eric Limer post on Gizmodo, Mega seems to have devised its automated encryption system specifically to avoid its ever gaining such knowledge:

The new Mega is designed around a “see no evil” principle. All your uploads are encrypted on their way up to the server, and downloads are encrypted on the way down, only to be opened afterward. While they’re out there floating around in the cloud, they’re encrypted using the private seed you and only you have: your password.

Don’t lose your Mega password, because you won’t be getting it back; Mega doesn’t have it. The service’s carefully calculated ignorance hinges on this point. Your password is—indirectly and complicatedly—used to generate your login credentials and to encrypt all your files on their way to the cloud. Mega won’t know so much as the file names, and neither will anyone else ever again if you lose that password.

Aereo’s reverse-engineering has worked to shield it from liability, at least so far. Whether that will be the case for Mega when the inevitable legal challenge comes is unclear. While the DMCA requires specific knowledge of infringement to assign liability, it also draws a line at willful blindness on the part of the operator. At some point, it will likely be up to a court to decide whether Mega’s efforts cross that line.

Update: Here’s another tell, from Mega’s terms of service, as flagged by Lee Hutchinson at Ars Technica:

Mega’s terms of service contain the following puzzler:

8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data.

This sounds a lot like deduplication—only storing each unique chunk of data once to save storage space. The AES-128 encryption used for the node data blocks should ensure that every encrypted block is unique, even encrypted blocks made up of two copies of the same file. If Mega only sees encrypted data, which by definition is all completely unique, how then can they be “deduplicating” it? Is something fishy going on?

Not really. It’s just that Mega’s paramount concern is liability, not security.