As discussed in the case study, NFC toys are often intended to support interactions with copyrighted, digital content, and so there may be legal subtleties when we want to use them for our own purposes. We should be able to play with our toys as we see fit, and it's up to us to assert our rights to do so.
The case study already examines two concerns:
- that the data on the toy may be copyrightable, and so using the NFC tag keys or passwords may be an anti-circumvention violation; and
- that the NFC tag keys or passwords may be an effective access control for copyrighted video game content, and so using the NFC tag keys or passwords may be an anti-circumvention violation.
In the former case, the case study argues that using the NFC tag keys or passwords to access the tag is using them as intended, and therefore not a circumvention. In addition, it demonstrates how the NFC tags store only facts and figures, which are not copyrightable.
In the latter case, the case study additionally argues that the NFC tag keys or passwords are not intended or used to protect game content. As different NFC toys can control access to video game content with misapplied, different, or even no NFC tag keys or passwords, they cannot be considered intended (effective) access controls.
Again, citing the 2013 Department of Justice Prosecuting Intellectual Property Crimes manual, fourth edition:
To prove a violation of 17 U.S.C. §§ 1201(a)(2) and 1204, the government must establish that the defendant
2. manufactured or trafficked in
3. a technology, product, service, or part thereof
4. that either:
   a. is primarily designed or produced for the purpose of
   b. “has only limited commercially significant purpose or use other than” or
   c. “is marketed by that person or another acting in concert with that person with that person’s knowledge for use in”
5. circumventing an access control without authorization from the copyright owner
6. for commercial advantage or private financial gain.
(A civil action doesn't need to address #1 or #6.)
Section 1201(a)(2) states that “[n]o person shall manufacture, import, offer to the public, provide, or otherwise traffic in” a technology or service that unlawfully circumvents an access control. To “traffic” in such technology means to engage either in dealings in that technology or service or in conduct that necessarily involves awareness of the nature of the subject of the trafficking.
Any sort of distribution or linking, where I know what it is and what it does, counts as trafficking.
Section 1201(a)(2) prohibits trafficking “in any technology, product, service, device, component, or part thereof” that unlawfully circumvents access controls. This language is “all-encompassing: it includes any tool, no matter its form, that is primarily designed or produced to circumvent technological protection.”
This element is not limited to conventional devices but instead includes “any technology,” including computer code and other software, capable of unlawful circumvention.
Do written descriptions of algorithms count as tools, or does only the sample code count? It's unclear.
Given the arguments in the case study, plus the above notes, the same reasoning seems to argue against a trafficking violation as well:
|Requirement|Our best guess for data on the toy|Our best guess for video game content|
|---|---|---|
|2. manufactured or trafficked in|Maybe?|Maybe?|
|3. a technology, product, service, or part thereof|Maybe?|Maybe?|
|4. that either:| | |
|a. is primarily designed or produced for the purpose of|Maybe not?|Maybe not?|
|b. “has only limited commercially significant purpose or use other than” or|Maybe not?|Maybe not?|
|c. “is marketed by that person or another acting in concert with that person with that person’s knowledge for use in”|Maybe not?|Maybe not?|
|5. circumventing an access control without authorization from the copyright owner|Maybe not?|Maybe not?|
|6. for commercial advantage or private financial gain.|Maybe not?|Maybe not?|
Because we need to tick all the boxes, if the data on the NFC toy is not a copyrighted work, and if the NFC tag passwords are not considered the only access control protecting the game content, and believing that being able to use the NFC tags as NFC tags is not a limited purpose, then perhaps we're not violating the DMCA trafficking provisions, either civilly or criminally.
That doesn't mean we can't be sued for this anyway! It just means if we can afford to defend ourselves, we might have a defensible case.
Librarian of Congress
The Librarian of Congress promulgates regulatory exemptions every three years that apply only to § 1201(a)(1)(A)’s prohibitions against circumventing access controls.
In support of this work, I participated in the Copyright Office's latest call for Exemptions to Permit Circumvention of Access Controls on Copyrighted Works via a survey from the Cyberlaw Clinic at Harvard Law School.
The submitted comment was published here: https://www.regulations.gov/document?D=COLC-2017-0007-0099
Reverse engineering for interoperability
This work is positioned to demonstrate a reasonable argument in favor of legitimate and legal reverse-engineering for interoperability with regard to the NFC toys themselves. Specific arguments include:
Section 1201(f) contains three reverse engineering or “interoperability” defenses for individuals using circumvention technology “‘for the sole purpose’ of trying to achieve ‘interoperability’ of computer programs through reverse engineering.” The key term for these defenses, “interoperability,” “means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.”
General purpose data storage is the very definition of a mechanism to exchange information mutually, and NFC tags are general purpose data storage devices.
The first interoperability defense allows a person “who has lawfully obtained the right to use a copy of a computer program ... for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to th[at] person” to circumvent an access control without violating the DMCA’s anti-circumvention prohibition set forth in § 1201(a)(1)(A).
The toys are legally purchased.
Second, § 1201(f)(2) exempts violations of the DMCA’s anti-trafficking provisions (§ 1201(a)(2), (b)) for those who “develop and employ technological means” that are “necessary” to enable interoperability.
We're only discussing the NFC tag keys and passwords, and not the data encryption. I don't need to know what's on the toy to erase it and put my own data on it. Only the NFC tag passwords are necessary for interoperability.
Third, § 1201(f)(3) authorizes one who acquires information through § 1201(f)(1) to make this information and the technical means permitted under § 1201(f)(2) available to others “solely for the purpose of enabling interoperability of an independently created computer program with other programs.” 17 U.S.C. § 1201(f)(3). Significantly, § 1201(f)(3) “permits information acquired through reverse engineering to be made available to others only by the person who acquired the information.”
I have followed a clean room process to acquire and make available the algorithms described in the case study.
If, on the other hand, the defendant’s program actually performs functions that the original program did not, courts are more inclined to find that defendants have satisfied the “independently created computer program” requirement.
The documentation on nfc.toys includes videos which demonstrate interoperability with systems and software that the toys could never otherwise be used with.
In addition to not discussing the data encryption, it also is not necessary to discuss working with the NFC reader hardware, variously called the portal, base, or pad, as these are not necessary for NFC tag interoperability.
However, this analysis affords us the ability to examine how that might successfully come about. Were we to work with the reader hardware under the DMCA's interoperability provisions, it seems like it would be legally safest to publish a full suite of software that supports reader hardware interoperability, like a driver that enables using the lights, speakers, and NFC readers in our own applications, and that also includes working demonstrations which have nothing to do with the video games or any data on the toys that isn't our own. To de-risk as much as possible, we'd perhaps primarily demonstrate using non-toy, but compatible, NFC tags. Or, perhaps we'd leave out any ability to write to the figures, or maybe even read them, from both our code and our documentation. We also wouldn't mention the possibility of doing anything with regard to the game, anywhere.
United States Department of Justice Computer Crime and Intellectual Property Section, Prosecuting Intellectual Property Crimes, Fourth Edition, Office of Legal Education, Executive Office for United States Attorneys, 2013, https://www.justice.gov/criminal/cybercrime/docs/prosecuting_ip_crimes_manual_2013.pdf
Brandon Wilson, "Hacking RFID Video Games the Crazy Way", BSides Knoxville 2018, Main Track (Scruffy), 5:24:11-5:52:28, https://bsidesknoxville.com/, also available directly at https://www.youtube.com/watch?v=hhniUz5xG24