James Gannon is a lawyer at McCarthy Tétrault LLP; he blogs at jamesgannon.ca
One of the federal government’s main stated objectives in enacting Bill C-32, the Copyright Modernization Act, is to implement the rights and protections for authors, performers and sound recording makers found in the WIPO Internet Treaties. Bill C-32 would amend the Canadian Copyright Act in several significant ways pursuant to the obligations set out in the WIPO Internet Treaties, which Canada signed in December 1997. Of these amendments, the aspect of implementing the treaties into Canadian copyright law that has attracted the most attention from commentators since the Bill’s tabling in June has been the contracting parties’ obligation to implement legal protection for technological measures.
The argument is sometimes made that legal protection for TPMs is unnecessary since liability should only lie with the underlying acts of infringement the devices are intended to prevent. Creating an additional cause of action for “protecting the protection”, it is said, is redundant. However, a survey of existing Canadian law regarding computer protections and encryption finds that this notion of “protecting the protection” has ample precedent in Canadian law, both in the civil and criminal contexts. For whatever reason, lawmakers in the recent past have often concluded that prohibiting the circumvention of protection technologies is an effective method of providing legal protection to the underlying data.
One of the first countries to ratify the WIPO Internet Treaties was the United States. The Digital Millennium Copyright Act (DMCA) was signed into law by President Bill Clinton on October 28, 1998, and amended the US Copyright Act to prohibit TPM circumvention. At the time of the enactment of the DMCA, circumventing a TPM (or a “digital lock”) was often analogized at Congressional hearings to breaking a physical lock. In arguing that the fair use defense allows limited copying of a work but does not grant the right to legal access to that work, the US Register of Copyrights noted:
Section 1201 [of the DMCA] has therefore been analogized to the equivalent of a law against breaking and entering. Under existing law, it is not permissible to break into a locked room in order to make fair use of a manuscript kept inside.
The analogies between protection for “digital locks” and physical locks would continue in DMCA jurisprudence dealing with TPM circumvention. In 321 Studios v. MGM Studios, Inc., the respondent 321 Studios argued that due to the ubiquitous availability of the DeCSS circumvention program, the CSS encryption that it was designed to bypass could no longer effectively be called a “protection measure” under the DMCA. In rejecting this line of argument, the US District Court ruled:
321, in a footnote, questions whether CSS is an effective control or protection of DVDs, since the CSS access keys are widely available on the internet. However, this is equivalent to a claim that, since it is easy to find skeleton keys on the black market, a deadbolt is not an effective lock to a door.
Interestingly, Canadian criminal law requires the commission of an indictable offense, or at least the intent to commit, in order for a defendant to be found guilty of breaking and entering. However, the related offense of “Being unlawfully in a dwelling house” creates a rebuttable presumption that someone who breaks into a home had the requisite intent to commit an offense therein. A similar presumption exists against anyone caught with a “break-in instrument”, analogous to the prohibitions found in Bill C-32 against possession or distribution of circumvention technologies.
Other criminal provisions create similar presumptions of guilt for circumventing protection devices without having to prove an underlying offense. Under the computer hacking provision of the Criminal Code, a defendant is guilty if they are found to have accessed a computer system “fraudulently and without colour of right”. There is no requirement to prove that any of the computer system’s data was damaged, deleted or copied; the liability is attached to the act of hacking the computer’s protection itself. Similarly, under the Criminal Code prohibition against “Theft of a telecommunication service”, the simple act of obtaining unauthorized access to a telecommunication service suffices to give rise to criminal liability. There is no need to prove a disruption or other tampering with the telecommunication service. And, as with physical breaking and entering, both the computer and telecommunication hacking prohibitions also have rebuttable liabilities for possession of circumvention or hacking devices.
Instances where the law protects the protection, in addition to misappropriation of the protected entity itself, are also found under Canadian federal regulatory law. Under the Radiocommunication Act, the act of decrypting a network signal without authorization is an offence punishable upon summary conviction:
9. (1) No person shall (…)
(c) decode an encrypted subscription programming signal or encrypted network feed otherwise than under and in accordance with an authorization from the lawful distributor of the signal or feed;
Unlike the Criminal Code provisions, the presumption against lawful intent for circumventing or decrypting the protective device cannot be rebutted under the Radiocommunication Act. As long as the content is decrypted without the lawful distributor’s permission, the act of decryption itself is sufficient to entail punitive liability. Similar prohibitions are found for manufacturing, importing or distributing decryption devices.
As these examples show, the notion of legal protection for protection technologies finds a number of incarnations in Canadian law. The current drafting of Bill C-32 would extend this concept to protecting the devices that are increasingly relied upon in the artistic, entertainment and software industries to safeguard their products against unauthorized access and copying. Canadian law currently defends the locks, firewalls and encryptions we use to protect our homes, computers and broadcast signals (as well as outlawing the devices used to circumvent these protections). There is no reason why we ought not to extend this logic to devices used to protect our valuable creative works as well.
 Bill C-32, An Act to Modernize the Copyright Act, 3rd Session, 40th Parliament, available at http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4580265
 The pair of treaties commonly referred to as the “WIPO Internet Treaties” are the World Intellectual Property Organization’s (WIPO) Copyright Treaty (WCT) and Performances and Phonograms Treaty (WPPT).
 See, Government of Canada, “Copyright Modernization Act – Backgrounder”, available at http://www.ic.gc.ca/eic/site/crp-prda.nsf/eng/h_rp01151.html
 “Technological measures” are software or hardware devices often called “Technological Protection Measures” (TPMs) or “Digital Rights Management” (DRM). Their goal is generally to enforce existing copy and access rights to digital works through technological means.
 WIPO Copyright Treaties Implementation Act and Online Copyright Liability Limitation Act: Hearing on H.R. 2281 and H.R. 2280 (1997), statement of Hon. Marybeth Peters at para 49
 307 F. Supp. 2d 1085 (N.D. Cal. 2004)
 Ibid., at 1075
 Criminal Code, R.S., 1985, c. C-46, s.348
 Criminal Code, s.349(2)
 Criminal Code, s.351(1)
 Bill C-32, supra note 1, s.41.1(b) and (c)
 Criminal Code, s.342.1(1)
 Criminal Code, s.326(1)(b)
 Criminal Code, s.327 and 342.2
 Radiocommunication Act, R.S., 1985, c. R-2, s.9(1)(c)
 Radiocommunication Act, s.10(1)(b)