Category: Security

Nintendo sues another modchip reseller

GamePolitics reports that Nintendo is suing NXPGame Inc, New York based reseller of Nintendo DS modchips, as well as its owner apparently.  It is seeking $150,000 for infringement of each copyright work and $2 million for infringement of each Nintendo trademark.
We’ve previously discussed the legality of modchips on this blog.  In the UK, the sale of modchips is quite clearly illegal as there is a specific legal prohibition on the use of devices like modchips which are intended to circumvent “technical measures” designed to prevent copyright infringement.  In the USA, the DCMA imposes broadly similar restrictions on the sale of modchips.  Doesn’t sound too hopeful for NXPGame, eh?
Follow us at http://www.twitter.com/gamerlaw or subscribe to our weekly email newsletter here

Teen convicted of crashing PlayStation site in banhammer

In March this year we wrote about a Pennsylvania teenager who pleaded guilty to criminal offences over his hacking and crashing of a Playstation web site in 2008, which he did in revenge for being kicked out of a tournament for the PS2 game SOCOM US Navy Seals for using a cheat mod.  
Now, Nukezilla reports that the teenager has been sentenced to a $5,000 fine as well as 250 hours of community service and 12 months probation.  So that’s that then.

It’s worth bearing in mind that in the UK and EU he would have faced similar criminal proceedings.  In the UK for example there are specific criminal penalties under the Computer Misuse Act 1990.  We wrote about Runescape and the Computer Misuse Act some time ago, check it out for more info

Follow us at http://www.twitter.com/gamerlaw or subscribe to our weekly email newsletter here

Teen admits crashing Playstation site in banhammer revenge

Thanks to Kotaku for this one: a US teen has pleaded guilty to criminal offences over his hacking and crashing of a Playstation web site in 2008, which he did in revenge for being kicked out of a tournament for the PS2 game SOCOM US Navy Seals for using a cheat mod. 


Apparently, he carried out his attack by infecting the site’s servers with a virus.  Clearly, he was savvy enough to carry out the attack, but not savvy enough to hide his tracks, meaning that he was found out and has now pleaded guilty to four felonies: unlawful use of a computer, criminal use of a computer, computer trespassing and the distribution of a computer virus (this was part of a plea bargain and prosecutors have therefore dropped 11 other counts in exchange for the four guilty pleas).  Silly boy.


The case gives us an opportunity to remind everyone of the legal position in the UK.  The Computer Misuse Act 1990 is the principal legislation for hacking and it criminalises the following main actions:

(i) Intentional attempts to cause a computer to perform any function with intent to obtain unauthorised secure access to a computer or data on it (e.g. phishing),

(ii) Same as (i) but with the intent to carry out a further criminal offence (e.g. hacking a PC in order to commit fraud), or

(iii) acting in any way which causes the unauthorised modification of the contents of any computer, with the intent to impair the operation of any computer/programme or to hinder access to data on any computer (e.g. uploading a virus to a PC or server).

This Act was most recently used publicly by the UK police to swoop in on a group of Runescape players who had been hacking/phishing Runescape accounts for criminal purposes (more on that, and the Computer Misuse Act, here).


This is one of those posts when the legal lesson of the day seems blindingly obvious, but here goes anyway: hacking someone else’s computer or web site is a criminal offence, so don’t do it!



Follow us at www.twitter.com/gamerlaw or subscribe to our weekly email newsletter here

Nintendo ‘wins’ Australian modchip lawsuit, but are modchips actually illegal Down Under?

GamePolitics reports that the Australian Federal Court “has ordered RSJ IT Solutions, operators of the website GadgetGear, to stop selling R4 mod chips for the Nintendo DS and to pay Nintendo $520,000 AU in damages“.
You might fairly assume from that headline that modchips are illegal in Australia.  Not so.  When we previously discussed the legality of modchips previously at Gamer/Law, we saw that in the last-reported Australia case on modchips, the Australian High Court ruled that modchips for the Playstation 2 were not illegal.  As I understood it, the Court’s reasoning was that, since the Playstation 2 technology had only ever sought to stop players playing unauthorised games but had not sought to stop them copying those games, a modchip which assisted players to play but not copy unauthorised games was not an attempt to circumvent “technological protection measures” under Australian law. 
Does this Nintendo case overrule that law?  Apparently not.  According to Australia’s ITNews, the Nintendo case was actually settled out of court, meaning that all the Court was doing in the order which GamePolitics referred to was setting out what RJS IT Solutions had agreed to pay to Nintendo in the settlement.  It would not therefore mean the court has changed Australian law.  If that’s right, then it seems to me that modchips are presumably still legal in Australia (although, of course, Nintendo may well have had powerful arguments in the litigation that the law should actually be changed – modchips are illegal in the UK and USA after all).  Glad to hear from anyone with greater Australian legal experience who knows different…
Follow us at www.twitter.com/gamerlaw!

Are modchips illegal?

[This article was first posted on Gamaustra here]

This article is about modchips: is their sale/use illegal or not?  We look at three recent cases in England, Spain and France – which show an interesting divergence of European opinion as to the legality of modchips: not every country thinks that modchips are a bad thing.  More below…

What is a modchip anyway? 
Wikipedia has a succinct definition:

A modchip (short for modification chip) is a small electronic device used to modify or disable built-in restrictions and limitations of many popular videogame consoles. It introduces various modifications to its host system’s function, including the circumvention of region coding, digital rights management, and copy protection (homebrew) software checks for the purpose of running software intended for other markets, copied game media, or unlicensed third-party.” 

Modchips exist for other devices (e.g. dvd players) but for today’s purposes we’re only talking about modchips which are used in games consoles and which are intended to circumvent games copy-protection: in other words, modchips which fool a console into thinking that the player owns an authentic, licenced copy of a game when it fact he/she does not.  An example of such a modchip is the wiikey, which (funnily enough) mods the Wii.

Why are modchips a problem?
Modchips are seen as a problem by the games industry because: (i) they are said to facilitate games piracy by allowing players to play unauthorised/pirated copies of games; and (ii) they enable a player to tamper with the innards of a games console.  The games industry periodically takes action to stamp out modchipping – for example, Microsoft banned a lot of Xbox Live accounts of owners of chipped consoles last year.
Of course, gamers may (and do) take a rather different approach.  Many argue: (i) it’s my console and I should be able to do what I want with it, including playing pirated games or modifying my console; and (ii) I didn’t ask console manufacturers to install arbitrary mechanisms for controlling what I can do with my console.  And so forth.

Still, the purpose of this post is not to debate the merits of these arguments, but simply to summarise what the legal position is regarding modchip in different jurisdictions.  (Caveat:  the following really is just a summary, so it should not be taken as a authoritative analysis of the law of these jurisdictions!)
England
Use and sale/distribution of modchips is illegal in England.
Section 296ZB of the Copyright, Designs and Patents Act 1988 (CDPA) makes it a criminal offence to sell or distribute “any device, product or component which is primarily designed, produce, or adapted for the purpose of enabling or facilitating the circumvention of effective technological measures” (this provision was introduced as part of the EU-wide anti-DRM laws introduced by the EU Copyright Directive of 2001).
So, under English law the sale or distribution or such devices intended to circumvent “effective technological measures” is a criminal offence.  Does this apply to modchips?  Yes, is the answer.  We know this thanks to recent case-law in the English courts. 
In a case called Gilham v the Queen, the Court held that that selling or hiring modchips will be a criminal offence under s296ZB CDPA if it is established that:
(1) The game is or includes copyright works.
(2) The playing of a counterfeit DVD on a game console involves the copying of a copyright work.
(3) Such copying is of “the whole or a substantial part” of a copyright work.
(4) The game consoles include effective technological measures designed to protect those copyright works.
(5) The offender sold or hired the modchip device in the course of a business.
In Gilham v the Queen, the jury found that modchips met of all of these requirements – and so they convicted Gilham.  He appealed, arguing that using a modchip does not lead to copyright infringement because there is no “substantial” copying of the game – all that happens when you play a chipped game is that a fragment of the game is copied to the console’s RAM at any point, which is insufficient to establish copyright infringement.
 This gave rise to tricky legal issues as to whether copying lots of little pieces of a copyright work (so-called “little but often” copying) could in some way turn into “substantial” copying.  Tough question…which the Court side-stepped by instead holding that the game drawings which appear on the screen, and the audio recordings which are played, are themselves copyright works which are “substantially” copied in playing the game.
So, selling modchips is illegal under English law.  What about just using a modchip in your console but not selling/distributing them?  You’re no better off really, because (following the logic in Gilham) using a modchip in your console would involve copyright infringement – which could have civil (and possibly criminal) legal implication of its own.
Verdict: sale or distribution of modchips in England is a criminal offence.  The use of  modchips in your own console would likely constitute copyright infringement.
Spain
Since Spain is also subject to the EU Copyright Directive (which led to the introduction of the law in England that has made modchips illegal -see above), you may expect to see Spanish law also ruling that modchips are  illegal.  Si?
Apparently…no.  Admittedly I’m by no means a Spanish lawyer, but I understand that the Spanish Penal Code does contain measures intended to prevent the circumvention of “effective technical measures“.  However, a Spanish court case in 2009 seems to have gone the opposite direction to the English courts.
The case followed a criminal complaint by Nintendo against Movilquick, a Spanish modchip distributor. The judge decided that flash carts could be used for “both legitimate and illegitimate purposes, but not only illegitimate” purposes.  He held that flash carts could be used for “pirated games” but may also have  “legitimate functions of employment” such as “backing up original games or other various functions such as managing photos, music or performance of [free] software“.  On that basis, he dismissed the criminal complaint.
Why is this interesting?  Well, it is not often that one sees the judiciary coming down on the side of gamers.  The judgement was not set out in great detail, so it is not at all clear why the judge decided to do so.  In particular, it is not clear how this decision can be reconciled with the EU Copyright Directive (or with the Spanish law that implements it). It is also not clear whether this is the only case-law on the subject – it may be that there are other Spanish cases elsewhere that go the other way. Still, I imagine it made Spanish gamers happy…
Verdict: using or selling a modchip/flash cart may be legal, but just wait for Nintendo’s lawyers to get the appeal going…
France
Ah, La France, home of la loi Hadopi (also known popularly as ‘3 strikes’) and also a subject of the EU Copyright Directive.  Do its judges sympathise with their English or their Spanish colleagues when it comes to modchips?
Answer: Spain, apparently. 
Details so far are sketchy (no sign of the actual judgment yet) but summary as follows: in December 2009, a Paris criminal court ruled that Divineo, a company which makes Nintendo DS flash carts – essentially, a type of modchip – did not break the law (i.e. presumably they do not “circumvent effective technical measures“).
The Court’s logic seems to have been that flash carts in fact extend the utility of the DS and that the user should therefore be free to use them as he or she wishes – a lot closer to the reasoning of the Spanish than the English court.  But, in the absence of more details being made public (especially the Court’s formal judgment), it is not entirely clear on what legal basis the Court made its judgment.
For completeness: Nintendo said it would appeal the decision and pointed out that Divineo has already been banned from selling flash carts by a Hong Kong court and ordered to pay damages to Nintendo.
So, are modchips illegal then?

It is pretty clear from the above that there is a divergences of opinion within the EU as to the legality of modchips.  The legislation is there (i.e. the EU Copyright Directive) to make modchips illegal, but that legislation has been interpreted (or possibly simply ignored) in different ways.

As often happens in the EU when different Member States take different approaches to legal issues, the answer may only come when the EU itself takes the opportunity to clarify the position (whether through a case before the European Court of Justice or through further legislation from the Commission)…but those opportunities are relatively few and far between.  Until then, that uncertainty seems set to continue…
What about modchips in other countries?
For those of you who are interested, here is a quick round-up of developments in the treatment of modchips in other jurisdictions:
  • USA: in principle, use of modchips may fall foul of the Digital Millenium Copyright Act (DCMA), which has been used previously to get at sellers of modchips (example here)
  • In Italy, back in 2005 a court ruled that the purpose of modchips was to ‘avoid monopolistic positions and improve the possibilities for use of the PlayStation’. The court said: ‘It’s a little like Fiat marketing its cars while banning them from being driven by non-European citizens or outside towns.’ “
  • In Australia, the Australian High Court ruled in 2005 that modchips for the Playstation 2 were not illegal.  As I understand it the Court’s reasoning was that, since the Playstation 2 technology had only ever sought to stop players playing unauthorised games but had not sought to stop them copying those games, a modchip which assisted players to play but not copy unauthorised games was not an attempt to circumvent “technological protection measures” under Australian law.  (As far as I’m aware, that position has not been contradicted in any subsequent case-law).

    (In England, the Court took a rather simpler approach by holding that the very act of playing a game using a modchip constitutes copying infringement – but there may have been good reasons why this
    argument was not adopted in Australia).


Closing thoughts
  • Even without having to get into a detailed legal review of the laws of different jurisdictions, it is clear that some countries have adopted a relatively hardline approach to modchips (e.g. the UK or USA).  In particular, the UK has made it clear that the sale of modchips may be a criminal offence.
  • But, maybe surprisingly, other countries appear to have taken a more neutral/favourable approach to modchips, recognising that modchips are not just about playing pirated games.  With games companies apparently remaining keen to shut down modchip sellers (as with the French action above), it will be interesting to see what 2010 brings…

Runescape, the Computer Misuse Act and theft

The background:

Details here.  A group of Runescape players mount a phishing scam, obtain other players’ accounts, strip those accounts of gold and loot.  Presumably they make an in-game or real-world profit.  Then the UK Police (specifically the Central Police e-crimes unit) swoop in.  They arrest a caution an individual in Avon and Somerset “on suspicion of a number of computer misuse offences”.

Police pwn players

This appears to have been the first time that a UK games company has gone to the police to protect the integrity of its game.  Not much at all has been said about exactly what offences have been alleged. 

UPDATE: I had initially thought that one way in which the Police could go after the accused would be to prosecute for theft.  However, on a closer look (and thanks to the guys in the comment thread), it seems that a better way may be under the Computer Misuse Act 1990 – with which I must admit I was previously unfamiliar.  Thanks!

What is the Computer Misuse Act 1990? (CMA)

In the late 1980s there was controversy in the UK regarding the legality of hacking, following a UK case called R v Gold and Schifreen – in a nutshell, two guys were able to hack a British Telecom system but, as the law stood at the time, hacking was not expressly illegal and therefore they were acquitted.  This was a factor in the Parliament of the day passing the CMA.

As a very quick summary, the CMA was intended to criminalise three kinds of conduct:

(i) Intentional attempts to cause a computer to perform any function with intent to obtain unauthorised secure access to a computer or data on it (the section 1 offence)

(ii) Same as (i) but with the intent to carry out a further criminal offence (e.g. hacking a PC in order to commit fraud) (the second 2 offence), and

(iii) acting in any way which causes the unauthorised modification of the contents of any computer, with the intent to impair the operation of any computer/programme or to hinder access to data on any computer (the section 3 offence).

Carrying out any of the above renders you liable to a fine and/or imprisonment (between six months and five years depending on how you plead to the offence).

Is the phisher/account-ninja covered?

‘Yes, but the wording isn’t brilliant’, seems to be the general answer.  Certainly phishing could be said to fall under the section 1 offence under the argument that the phisher sets programmes running which find out the account details etc of the innocent person(s).  To the extent that the phisher had intent to use those details to commit further criminal offences then he/she could also fall under section 2 – which carries harsher penalties.  Then there is the somewhat more nebulous section 3: does phishing or ninjaing someone’s account “impair” or “hinder” any other computer or program?  Maybe – perhaps if having your account details “hinders” your ability to use the programme?

But this gets even more interesting

Anyway, what we want to do is focus on section 2.  If the phisher stole Runescape account details with a view to somehow trying to gain access of others’ computers or stealing their bank details, then there would in principle be a case for arguing that they had had intent to commit further criminal offences under section 2.  But what if the phishers only intended to enrich themselves in-game by, for example, turning the stolen accounts’ assets into gold and transferring that gold to themselves or even selling it on the black market (which would be a breach of the EULA etc but not necessarily illegal as such).  Could enriching yourself in-game or in the real-world through a game by unauthorised means be classified as an offence?

That is the really interesting part to this case and, if the Police are interested in pushing for the strongest sentence possible against these phishers, they will need to consider this sometime soon – if they haven’t already.

That’s exciting, isn’t it?  Makes us think about adding a chapter to that book on virtual law which we’ll have to write one day…

In the meantime, the story goes on…

Little more has been announced since the Police announcement earlier this week, but no doubt further details will follow in due course.  It’s also worth bearing in mind that Jagex has stated that this is part of a long-term investigation in both the USA and UK – so there may be further twists in the tale yet…