End of the line for video essays

mostlysignssomeportents:

mostlysignssomeportents:

mostlysignssomeportents:

mostlysignssomeportents:

mostlysignssomeportents:

ALT

If you ’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2026/02/07/aimsters-revenge/#effective-means-of-access-control

What if there was a way for a business to transform any conduct it disliked into a felony, harnessing the power of the state to threaten anyone who acted in a way that displeased the company with a long prison sentence and six-figure fines?

Surprise! That actually exists! It’s called Section 1201 of the Digital Millennium Copyright Act, the “anticircumvention” clause, which establishes five-year sentences and $500k fines for anyone who bypasses an “effective access control” for a copyrighted work.

Let’s unpack that: every digital product has a “copyrighted work” at its core, because software is copyrighted. Digital systems are intrinsically very flexible: just overwrite, augment, or delete part of the software that powers the device or product, and you change how the product works. You can alter your browser to block ads; or alter your Android phone to run a privacy-respecting OS like Graphene; or alter your printer to accept generic ink, rather than checking each cartridge to confirm that it’s the original manufacturer’s product.

However, if the device is designed to prevent this – if it has an “access control” that restricts your ability to change the software – then DMCA 1201 makes those modifications into crimes. The act of providing someone with a tool to change how their own property works (“trafficking in circumvention devices”) is a felony.

But there’s a tiny saving grace here: for DMCA 1201 to kick in, the “access control” must be “effective.” What’s “effective?” There’s the rub: no one knows.

The penalties for getting crosswise with DMCA 1201 are so grotendous that very few people have tried to litigate any of its contours. Whenever the issue comes up, defendants settle, or fold, or disappear. Despite the fact that DMCA 1201 has been with us for more than a quarter of a century, and despite the fact that the activities it restricts are so far-reaching, there’s precious little case law clarifying Congress’s vague statutory language.

When it comes to “effectiveness” in access controls, the jurisprudence is especially thin. As far as I know, there’s just one case that addressed the issue, and boy was it a weird one. Back in 2000, a “colorful” guy named Johnny Deep founded a Napster-alike service that piggybacked on the AOL Instant Messenger network. He called his service “Aimster.” When AOL threatened him with a trademark suit, he claimed that Aimster was his daughter Amiee’s AOL handle, and that the service was named for her. Then he changed the service’s name to Madster, claiming that it was also named after his daughter. At the time, a lot of people assumed he was BSing, but I just found his obituary and it turns out his daughter’s name was, indeed, “Amiee (Madeline) Deep”:

https://www.timesunion.com/news/article/Madster-creator-Cohoes-native-who-fought-record-11033636.php

Aimster was one of the many services that the record industry tried to shut down, both by filing suit against the company and by flooding it with takedown notices demanding that individual tracks be removed. Deep responded by “encoding” all of the track names on his network in pig-Latin. Then he claimed that by “decoding” the files (by moving the last letter of the track name to the first position), the record industry was “bypassing an effective access control for a copyrighted work” and thus violating DMCA 1201:

https://abcnews.go.com/Entertainment/story?id=108454&page=1

The court didn’t buy this. The judge ruled that pig Latin isn’t an “effective access control.” Since then, we’ve known that at least some access controls aren’t “effective” but we haven’t had any clarity on where “effectiveness” starts. After all, there’s a certain circularity to the whole idea of “effective” access controls: if a rival engineer can figure out how to get around an access control, can we really call it “effective?” Surely, the fact that someone figured out how to circumvent your access control is proof that it’s not effective (at least when it comes to that person).

All this may strike you as weird inside baseball, and that’s not entirely wrong, but there’s one unresolved “effectiveness” question that has some very high stakes indeed: is Youtube’s javascript-based obfuscation an “effective access control?”

Keep reading

ALT

ALT

ALT