SecurityFocus, 2000-09-19
Makers of a free barcode scanner say legal threats are ending unsanctioned tinkering.
"We had to make a bold statement up front that we didn't authorize you to do this, we encrypted our cat data, and you're not allowed to take over that output," says David Mathews, vice president of new technology at Dallas-based Digital Convergence.
Digital Convergence's mouse-sized "CueCat" device allows consumers to scan special barcodes within articles or advertisements, called "cue codes," and be transported to related web sites, with the company acting as a central switching point. When last month the company began shipping the CueCats, along with software, to hundreds of thousands of Wired Magazine and Forbes subscribers, and distributing them through 7000 Radio Shack stores, hobbyists and experimenters gleefully set upon them.
Hackers quickly figured out the simple base64+XOR system used to scramble the CueCat's output, and wrote a Linux device driver for the scanner. Others launched web sites that could read the cat's output. Another programmer pitched in with a decoder written in skintight Perl code. Nevada engineer Stephen Satchell published a detailed analysis of the barcode cues themselves, and a Wisconsin hardware hacker physically dissected his CueCat and discovered a way to neuter the device's electronic serial number with a careful slice of an X-Acto knife. "The serial EPROM is easily accessible," said Michael Guslick. "By cutting one of the traces, that effectively disables the serial number."
Digital Convergence was aghast. "If people take over our cat and start using their own databases, the world becomes cloudy," says Mathews. "Our revenue model is being the gate keeper between codes and their destinations online."
By way of example, Mathews points to one hack, created by network engineer Michael Rothwell, that allows users to scan the ISBN number on the back of a book with the CueCat. "You could swipe a code, and it would serve up a page on Amazon.com. But what if [the publisher] doesn't want it to go to Amazon.com, they want it to go to web site under their control... By the Linux community taking over and redirecting where these swipes go to, they were circumventing our software."
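The scramble described above and the book-barcode redirect Mathews objects to, as an added example. This is not Digital Convergence's code and not any of the hobbyist decoders the article mentions; it implements the scheme as it was later documented publicly: a base64 variant over a non-standard alphabet, trailing zero padding, and a XOR of every byte with the ASCII letter 'C'. That alphabet, that key, the ".serial.type.code." field layout and the "IB5" symbology tag are assumptions drawn from that documentation, not from this page, and the sample scan is constructed here with the encoder rather than captured from a device. The Amazon URL template is likewise an illustrative assumption.

```python
# Added example: decoder for the CueCat's scrambled output (base64 variant + XOR),
# and the ISBN-to-bookseller redirect the article describes.  Alphabet, key,
# field layout and symbology tag are assumptions about the device, not taken
# from this page; the sample scan is constructed with encode_field() below.

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-"
XOR_KEY = 0x43  # ASCII 'C'
LOOKUP_URL = "https://www.amazon.com/dp/{}"  # assumed template, illustration only


def decode_field(field: str) -> bytes:
    """Unscramble one dot-delimited field: 6-bit decode with the custom
    alphabet, drop the 0x00 padding of the last 3-byte group, XOR with 'C'."""
    if len(field) % 4:
        raise ValueError("field length is not a multiple of 4: %r" % field)
    raw = bytearray()
    for i in range(0, len(field), 4):
        chunk = 0
        for ch in field[i:i + 4]:
            chunk = (chunk << 6) | ALPHABET.index(ch)  # ValueError on a bad char
        raw += chunk.to_bytes(3, "big")
    # Caveat: a plaintext byte 'C' at the very end also becomes 0x00 here and
    # would be stripped; the scheme is ambiguous for such inputs.
    raw = raw.rstrip(b"\x00")
    return bytes(b ^ XOR_KEY for b in raw)


def encode_field(data: bytes) -> str:
    """Inverse of decode_field(); used here only to build the sample scan."""
    scrambled = bytes(b ^ XOR_KEY for b in data)
    scrambled += b"\x00" * (-len(scrambled) % 3)  # zero-pad to 3-byte groups
    out = []
    for i in range(0, len(scrambled), 3):
        chunk = int.from_bytes(scrambled[i:i + 3], "big")
        out.extend(ALPHABET[(chunk >> shift) & 0x3F] for shift in (18, 12, 6, 0))
    return "".join(out)


def parse_scan(scan: str) -> dict:
    """Split a raw scan '.serial.type.code.' into its three decoded fields."""
    parts = [p for p in scan.strip().split(".") if p]
    if len(parts) != 3:
        raise ValueError("expected 3 dot-delimited fields, got %d" % len(parts))
    serial, symbology, code = (decode_field(p).decode("ascii") for p in parts)
    return {"serial": serial, "type": symbology, "code": code}


def isbn10_from_ean13(ean: str) -> str:
    """Convert a Bookland EAN-13 (978 prefix) to ISBN-10, validating both
    check digits so a misread barcode is rejected instead of redirected."""
    if len(ean) != 13 or not ean.isdigit() or not ean.startswith("978"):
        raise ValueError("not a Bookland EAN-13: %r" % ean)
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(ean[:12]))
    if (10 - total % 10) % 10 != int(ean[12]):
        raise ValueError("bad EAN-13 check digit: %r" % ean)
    body = ean[3:12]
    check = (11 - sum((10 - i) * int(d) for i, d in enumerate(body)) % 11) % 11
    return body + ("X" if check == 10 else str(check))


def redirect_for_scan(scan: str) -> str:
    """The hack the article describes: a book barcode swiped with the cat is
    sent to a bookseller page, bypassing the vendor's switching point."""
    code = parse_scan(scan)["code"]
    return LOOKUP_URL.format(isbn10_from_ean13(code))


# Constructed sample scan: an all-zero serial, an assumed "IB5" symbology tag,
# and the EAN-13 for ISBN 0-13-110362-8.  Not captured from a real device.
SAMPLE_SCAN = "." + encode_field(b"000000000000000000") + "." \
    + encode_field(b"IB5") + "." + encode_field(b"9780131103627") + "."


if __name__ == "__main__":
    print(SAMPLE_SCAN)
    print(parse_scan(SAMPLE_SCAN))
    print(redirect_for_scan(SAMPLE_SCAN))
```

Two known fragments check the alphabet and key: "fHmc" decodes to the UPC-A tag "UPA", and a run of "C3nZ" groups decodes to a run of "000", which is why real serials in published scans begin with repeated "C3nZ".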
On August 30th, the company's attorneys at New York law firm Kenyon & Kenyon fired off a handful of cease and desist letters accusing the hobbyists of offering services and information "in conflict with intellectual property owned by Digital Convergence." Mathews argues that by scrambling the CueCat's output, even weakly, the company erected a legally enforceable no-trespassing sign. "We used an inexpensive algorithm that was easily hacked," Mathews acknowledges. "But we had to use it to let people know that they should not be in there tinkering with the cat output code."
The argument smacks of the Digital Millennium Copyright Act (DMCA), a 1998 law that banned devices designed to circumvent a copy protection scheme, even if that scheme is minimal. "The DMCA doesn't require that anyone really try really hard to protect their intellectual property," says Robin Gross, an attorney with the Electronic Frontier Foundation (EFF). "It just simply requires that they do something."
But it's unclear how the DMCA could be applied in this case. "They'd have to claim that there is some sort of copyrighted material that's protected, and that [the hobbyists] are circumventing access to that copyrighted material," says Ernest Miller, a resident fellow at the Information Society Project at Yale law school, who's been following the CueCat affair. "I can't imagine what that would be in this case."
Despite the unanswered legal questions, hackers responded quickly to the threat of litigation, and the coding projects assumed a lower web profile. Michael Rothwell changed the name of his CueCat Decoder project to FooCat BarCode. "I figured the only thing I could possibly be infringing on is the name CueCat," says Rothwell, who nevertheless eventually pulled the program off his web site.
Pierre-Philippe Coupard, a senior software engineer at open source company Lineo, says he removed a Linux device driver he wrote for the CueCat after receiving the letter, at least temporarily. "We answered that we didn't understand what intellectual property we had infringed, and that they would have seven days to answer us."
"They all pulled the code from their sites," says Mathews. "Freshmeat, Flyingbuttmonkeys, and a slew of individuals all pulled their data... It was a very swift, very quick shutdown."
The EFF's Gross attributes the hackers' quick acquiescence to a sea change brought on by the landmark DeCSS lawsuit. In August, the Motion Picture Association of America won a DMCA case against 2600 Magazine, resulting in a judgment barring 2600 from publishing a program that descrambles DVD movies. The EFF funded the defense, and continues to finance the appeal.
"I think we've seen a real chilling effect as a result of the DeCSS injunction," says Gross. "A lot of individuals have taken that as a sign that they're powerless now."
For his part, Coupard was surprised to learn that Digital Convergence considered the matter resolved. After Digital Convergence's attorneys failed to respond to Lineo's request for more information, Coupard put his CueCat device driver
"They visited the site on the 13th, and they haven't been back since," said Coupard, who, like many open source CueCat developers, has taken to monitoring his web logs for visits from Digital Convergence. "I thought they had swallowed their pride and shut up."