Norway

[NO] Verdict in DVD Case

IRIS 2003-2:1/27

Peter Lenda

Norwegian Research Centre for Computers & Law, Faculty of Law, University of Oslo

A verdict has finally come in the so-called "DVD-case" in Norway. The case concerned the actions of (at the time of the act) a 15-year-old Norwegian, Jon Johansen. He was indicted for having gained unlawful access to movies and player keys contained on region 1-encoded DVD-discs by breaking the DVD protective device, CSS. The question was whether this was a punishable offence in accordance with Section 145(2) of the Norwegian Penal Code.

The indictment also included contribution to similar offences by users of his program utility, DeCSS. DeCSS is a software tool that circumvents the CSS protective device, allowing access to the data on a DVD-disc. The program consists of two main algorithms that were given to Johansen by two persons over the Internet. The original player key used was obtained through the reverse engineering of a software player. Johansen fused the code for these two algorithms and added a graphical user interface. DeCSS enables copying of copyrighted material on the DVD and playback on unlicensed DVD-players. Johansen finally distributed DeCSS on the Internet.

The application of Section 145(2) has two requirements. First, that a protective device has been breached, Center for and second, that the resulting access to data has been unlawful. On 7 January of this year, Oslo City Court found that Johansen's own access to the movies was justified by his right to view the movies on his own legitimately purchased DVDs. Therefore, he could not be convicted for having used DeCSS to gain access to the contents of the DVDs.

The Court also came to the conclusion that since DeCSS is a tool that can be used both for legal and illegal purposes, Johansen could only be made subject to contributory liability for others' use of DeCSS if his intent in distributing the program was solely for illegally purposes. The Court found the evidentiary value of IRC-statements (IRC stands for Internet Relay Chat) to be little, and cited reasonable doubt in concluding that Johansen had not intended DeCSS to be used only for unlawful purposes. As to the reverse engineering in relation to Section 145(2), the Court also held that no protective device could be said to have been breached when accessing this player key. The software player in question had no protection of the player key aside from being distributed solely in object code. This, the Court said, would be enough for a protective device to be present, had it only been proven which was not the case here - that the developer had intended it to act as a protection.

The Court also found that the access to the rest of the player keys had been lawful, and cited the user's right to view the movies.

As a result, Johansen was acquitted of all charges. The case has been appealed by the district attorney. Moreover, it is difficult to estimate the precedential value of the case due to the implementation of Directive 2001/29/EC (on the harmonisation of certain aspects of copyright and related rights in the information society) and its rules on circumvention devices. There have also been changes in the legislation since the acts committed by Johansen, aiming for more protection in a digital environment. Thus, it is not certain that the outcome of the case would have been the same under existing legislation.