My blog is in leetspeek! Reading it constitutes a breach of the DMCA!
September 30, 2008 6:57 PM   Subscribe

What is the difference (legal or otherwise) between "decoding" and "decrypting?"

I understand that for purposes of making more money and whatnot, the MPAA and RIAA would like "decrypting" their media to be illegal.

What I wonder though, is what is the difference between "decryption" and mere "decoding"? Music is encoded on a CD, and a CD player or computer decodes it back into music, right? So why, when on a DVD, is the movie considered "decryption"?

Is it seriously possible to make something legally "encrypted" just by ROT13ing it, and is there a legal distinction between the two concepts?
posted by explosion to Law & Government (13 answers total)
The movie is decrypted because it is (ineffectively) encrypted with a key-based encryption system. It's decrypted because one step involves taking something intended to be secret and shifting it to something seen publicly.

The data are encoded as an mpeg-2 stream.
The data are encrypted by CSS.

Decoding, in your context, is when you take data in one form and transform it to another as the person who gave you the data intended you to do.

Decryption is taking data that has been in some way intentionally obfuscated and making it clear, either because the person giving you the data wanted you to, or in spite of their effort to conceal the data from you.

ISTR that Adobe actually used ROT13 as encryption for PDFs, but I could recall incorrectly.

Decoding, in another context, is taking something in a code and turning it back into the original message. You intercept a transmission that's gibberish. You decrypt it and find that the plaintext of the message is WOMBAT FIREFLY SIGNIFICANCE 131 TANNHEUSER. You would then decode your decrypted message to find out that those words decode to "I love you, honey! Smooches!"
posted by ROU_Xenophobe at 7:16 PM on September 30, 2008

Encryption is a subset of encoding.

Encoding, broadly, is just transferring a specific representation of an idea in format "A" to format "B". So if you burn a bunch of mp3s (format A) to a cd (format B), you're encoding it. If you make a screenplay out of a novel, you're encoding it (roughly). Translating from English -> French: encoding.

Encryption, on the other hand, is encoding with the caveat that you're making it hard/impossible for someone to read it without some secret knowledge (the "key").

On a dvd, there is encryption. You'll want to check out CSS for more info. An analogy would be:

All television signals are encoded over the airwaves, but the Skinemax channel isn't watchable without paying for the tuner thingie. Why? It's encrypted.

Not sure of the legal definition of encrypted, but my guess is that any definition will have a clause saying something like "a reasonable person will not be able to decrypt it", so ROT13 is out because it's obvious, using a good key but then publishing your key probably wouldn't count as encrypted either. But it's probably not a specific rule, nor should it be.
posted by Lemurrhea at 7:19 PM on September 30, 2008

Prior to DeCSS, the idea of simply "ripping" a DVD wasn't a household thing. The Content Scrambler System was intended to scramble content digitally copied to MPEG, thereby forcing the consumer to use approved devices (i.e., DVD players) that contained the decryption mechanism.

From the link:

The chief complaint against DeCSS (and similar programs) is that once the unencrypted source video is available in digital form, it can be copied without degradation, so DeCSS can be used for copyright infringement. However, lossless digital image copying of DVDs without decrypting them was already widespread before DeCSS, especially in East Asia. Furthermore, various DVD backup utilities that made use of "licensed" CSS decoding routines were also widely available.

Compact Discs, save for a few failed efforts, have never had real encryption mechanisms.
posted by softsantear at 7:20 PM on September 30, 2008

"Decode" can mean to "decrypt" as in they might both use complicated math or cyphers to alter the data in an attempt to digitally sign or make unreadable that data. But "decode" can also apply to a method of converting data from one format to another where neither would be attempting to hide or secure the data from others. In the case of ripping DVDs, "decoding" would generally be the process of converting from the DVD native MPEG-2 format and re-encode into a compressed video format like DivX. This would make the data easier to transport and store, but not hide it at all. Similarly, CDs store their data in PCM format and can be decoded and re-encoded in MP3 format for portability. But the accessability in either format is the same.

DRM is a form of encryption that is integrated with media players (software and hardware) that might make data-conversion "decoding" of that media difficult or impossible. Just to confuse things more, certain codecs (used for data-conversion encoding) may also have an integral DRM componant (used for data-security encoding).

On preview: good answers!
posted by cowbellemoo at 7:27 PM on September 30, 2008

Response by poster: To clarify then:

English to French is encoding because people know French, but English to Navajo (for example, in WW2) is encryption because people (the Japanese) don't know Navajo?

Are legal cases really being determined by this sort of reliance on security-by-obscurity?
posted by explosion at 7:31 PM on September 30, 2008

Here is a better, ultra-basic example: thoughts are encoded by a speaker into English spoken-word sounds, transmitted through the air, which the listener hears. The listener's ear and mind are decoding this "transmission" into meaningful ideas in their head.

Now, if on top of that basic encode/decode process, the speaker were speaking in Pig Latin, this is the encryption that happens on top of the encoding and decoding. Fortunately, the listener happens to know the way to "crack" (read: decrypt) the code of Pig Latin, and so deconstructs it into English, then into meaningful thoughts in his head. Encryption/decryption adds another layer to the process. If another person walks into the scene that doesn't have the "keys" to how Pig Latin should be interpreted, all they can do is decode the sound waves as speech, but the signal is scrambled.

Unfortunately, the use of the phrase "cracking the code" is something of a misnomer, or at least misleading to the neophyte, because we're trying to differentiate between encoding and encrypting as two separate things here.
posted by softsantear at 7:43 PM on September 30, 2008

I suppose you could say that the part about speaking in English constitutes another level of encryption from the base of _sound_, but I didn't want to get picky ;)
posted by softsantear at 7:46 PM on September 30, 2008

The pig latin metaphore is really bad (sorry softanter).

Like Lemurrhea said, encryption is an encoding where you need a small secret (the "key") in order to decode.

In order to qualify as an encryption, your encoding has to prove mathematically that it is absolutely impossible to decode the message without the key. Until you have that proof, your encoding is a cipher: it may be hard to decode, but you never know when it might be defeated. The history of war has hundreds of story where leaders encoded their messages with some cipher, only to have them decoded by a brillant code-breaker. Hitler was defeated, in parts, because his enigma cipher was defeated by the Allies.

DVDs use honest-to-goodness encryption. They decryption key is deep in the guts of your DVD player, where it was expected to stay secret. The only reason you can play DVD on Linux is because a group of anonymous hardware hackers managed to read a key out of one player, so the key is no longer a secret.

Many DRM schemes are much less rigorous. As ROU_Xenophobe mentioned, Adobe ran ROT13 on their PDF files and tried to call it an encryption, which is just silly.

Legally, however, all bets are off. One reason why people are so angry at the DMCA is that it never defines what it means by "encryption," and some interpretations have been absurdly inclusive. According to some interpretations, it is illegal to run ROT13 on a PDF, or to copy an MP3 files whose "copyrighted" bit is on.
posted by gmarceau at 8:44 PM on September 30, 2008

Encoded = data of one type, represented by data of another type.
Encrypted = data of one type, hidden somehow.
posted by pompomtom at 9:21 PM on September 30, 2008

IANAL, so take this with a big grain of salt. In the United States, the DMCA is the law that prohibits unauthorized decryption. Actually, it says that "No person shall circumvent a technological protection measure that effectively controls access to a work," and then goes on to define what all those terms mean. You can read the text yourself if you want; see section 1201. But be aware that this is not the whole law: it's also shaped by case law, rulings made by the Library of Congress (because the said they should do that), etc.

"Technological protection measure" is pretty much the accepted legal term of art, so that's what you want to search for if you want to learn more about this. It often means encryption, but it doesn't necessarily have to be that way; there have been a couple of cases where hardware manufacturers have sued under the DMCA because someone figured out a system that, to the best of my knowledge, had no encryption on it at all, just proprietary algorithms or signals. See the Lexmark and garage door opener cases for examples.

The upshot of all this is: focusing on encoding versus encryption is convenient technical shorthand, but when you really get down to it, what really matters, legally, is whether a device or piece of software circumvents a "technological protection measure," and that's all defined by the law in ways that may or may not apply well to the world of programming.
posted by brett at 9:24 PM on September 30, 2008

As ROU_Xenophobe mentioned, Adobe ran ROT13 on their PDF files and tried to call it an encryption, which is just silly.

On googling, that turns out not to be the case.

What seems to be the case is that a publisher of PDF ebooks -- not Adobe, but some Russian publishing house -- released some ebooks that were ROT13'd.

Speculation is that they publishing house did this because they confused a toy example in Adobe's ebook SDK documentation with an actual encryption method.
posted by ROU_Xenophobe at 5:39 AM on October 1, 2008

The only reason you can play DVD on Linux is because a group of anonymous hardware hackers managed to read a key out of one player, so the key is no longer a secret.

This is not true. No one uses DeCSS anymore.

These days DVD decryption is handled in open source through the libdvdcss library. It's a reverse-engineering of CSS that exploits its shallow keyspace to perform brute-force attacks. It is not based off a stolen key. It generates many potential keys and keeps trying until it gets through.
posted by jbrjake at 7:03 AM on October 1, 2008

Best answer: The original question asks about making something “legally” encrypted and whether there is a “legal distinction” between “decoding” and “decrypting”. I think this is really a question about the DMCA’s prohibition on circumventing access control devices.

The DMCA does not use the terms “decrypt” or “decode”. Rather, it says, “No person shall circumvent a technological measure that effectively controls access to a work.” 17 USC 1201(a)(1)(A). 17 USC 1201(a)(3)(B) further provides that “a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”

In the original DVD-CSS case (Universal v. Reimerdes), the defendant argued that because CSS used a weak encryption scheme, it didn’t “effectively” control access. This didn’t fly. The district court opinion says that to “effectively” control access you need to look at the intended function of the access control. Under Reimerdes, just because you can circumvent something doesn’t mean that it is not an “effective” access control. See Universal v. Reimerides, 111 F.Supp.2d 294.

There is not really that much case law interpreting what constitutes an “effective” access control, but by all accounts the bar is pretty low. If you implement access control by implementing ROT13, I wouldn’t be surprised if a court would agree that ROT13 is an “effective” access control because the function of that technology is to implement access control, and non-hackers (i.e., Grandma) would just see gibberish.

This is a long-winded answer, but I think the distinction you’re driving at is that you might want to “encode” some data for purposes other than control access to the data (i.e., encoding something into a particular character set, encoding an audio file to mp3 as discussed above, etc.). Thus, “encoding” is not always going to be an “effective” access control (because we’re looking at the intended purpose of the encoding). But when you “encrypt” something the purpose is to control access – so “encryption” is an effective access control (and “decryption” exposes you to liability under the anti-circumvention provisions of the DMCA).

IAAL and am really disappointed I can't bill this to anyone. You are not my client.
posted by QuantumMeruit at 8:00 AM on October 1, 2008 [1 favorite]

« Older I'm an experienced copywriter -- how do I find a...   |   Financial crisis: Government intervention or... Newer »
This thread is closed to new comments.