The secret code resided on a single computer at Canal+ Technologies' labs in the Paris neighborhood of Montparnasse. During two years of development in the mid '90s, programmers kept the computer off all networks--to protect it from hackers--and stored copies of the code in a steel vault.
Why such fuss? This software was digital armor for the company's tiny subscription cards. These cards, built around a computer chip, fit into set-top boxes and unscrambled the signals for pay-TV. The French company spent $35 million to make them uncrackable--and to defend its $4.1 billion annual business. Yet six years after the release of its encrypted subscriber cards, a thriving black market in pirated cards is undermining Canal+, the European television arm of Vivendi Universal.
A case of gifted hackers? Canal+ (CNPLF) claims it's nothing less than industrial espionage. In a civil suit filed on Mar. 11 in U.S. district court in Northern California, Canal+ charges that its key rival, NDS Group, a majority-owned division of News Corp. (NWS), hired a team of Israeli hackers to break its code. Then, according to the suit, NDS broadcast the secret to would-be pirates everywhere by launching it on the Web. In charges that NDS vehemently denies, Canal+ claims that its well-financed rival systematically conspired to destroy its business--and led to losses topping $1 billion. NDS Chief Executive Abraham Peled responds that the woes of Canal+ stem from its "inferior" technology.
Arguments rage to and fro. But the key question is whether the struggling Canal+, its digital fortress breached, can manage to rebuild its business simply by bolstering its encryption. Canal+ already is Europe's biggest pay-TV operator, with 15.6 million subscribers in 11 countries from Spain to Poland.
Vivendi boss Jean-Marie Messier needs effective encrypted chips not only to make money from TV, but also to follow through with the next stage of his plan: to turn millions of set-top boxes into living room malls. He hopes to offer instant messaging, online banking--even gambling. Early versions of set-top technology from Canal+, British Sky Broadcasting, and America's DirecTV now reach 80 million subscribers worldwide. This should grow to 210 million by 2005, predict analysts at brokerage Robertson Stephens. With an eye toward expanding interactive TV in the U.S., Messier spent $1.5 billion last December for a stake in Echostar Communications Corp.
For now, Canal+ is a millstone for Messier. The company registered pretax losses of $336 million in 2001. On Mar. 5, Messier wrote off $5.4 billion of the $12 billion Vivendi invested in Canal+ just two years ago. And it's not just the pay-TV business that's hurting. Canal+ Technologies, which makes the controversial chip cards for other pay-TV companies, has a mere 10% of the global market, far behind NDS and Switzerland's Kudelski Group.
The pirating story starts, according to the Canal+ suit, in Israel, the hub of the global encryption business. In 1998, NDS, a British company founded in Israel, sent copies of the Canal+ smart cards to its Israeli labs. There, according to Canal+, researchers extracted the machine code embedded in the chips--the ones and zeros that control access to Canal+ programming. With this information, any pirate could turn encrypted digital fog into crystal-clear images of copyrighted programming.
Such sleuthing, say industry sources, is commonplace. "Every major company in the security field has teams that try to crack the codes of the competitor," says Shimon Grupper, executive vice-president at Tel Aviv-based Aladdin Knowledge Systems Ltd. That way they keep up-to-date on the latest defenses.
But according to Canal+, NDS went far beyond simply cracking the code. It created a computer file called Secarom.zip and sent it on a long and mysterious cyber-journey. First it went to NDS Americas Inc. in Newport Beach, Calif. From there, the suit alleges, the file made its way to a hackers' Web site called dr7.com. On Mar. 26, 1999, dr7 published the file on its site, and the wave of Canal+ pirating began. dr7 subsequently closed down, but the genie was out. Small labs throughout the world began assembling clones of the Canal+ card.
NDS calls the Canal+ version of events "outrageous." In a statement, CEO Peled attributes the pirating to vulnerable code at Canal+. "The clear evidence is that the pirate community targeted Canal+ early in 1998 and succeeded without any help from anyone, particularly NDS," he says. He adds that Canal+ approached NDS late last year with a plan to merge the two companies and "used these baseless allegations to gain leverage in the negotiations." Sources close to Canal+ confirm only that merger talks took place. Peled says NDS is planning a countersuit against Canal+ for "tortious conduct."
While the legal wrangling continues, Canal+ is taking a licking in the marketplace. Like its European competitors, including Britain's BSkyB and Germany's Kirch, Canal+ is suffering from the sky-high fees it must pay for rights to soccer matches and Formula One races. But for Canal+, pirating adds to the pain. In Italy, cable installers routinely offer pirated Canal+ cards at an immense discount. These cards now account for one-third of Italian viewers, estimates Ovum, a British consultancy.
How does it work? Like many cell-phone providers, TV companies practically give away set-top boxes, and then count on making money from subscriptions, which range from $30 to $100 per month. In the counterfeit world, customers let legal subscriptions lapse and then plug in pirated cards. They're widely available and cost about $100. "People are proud to have pirated cards," says Ovum analyst Dario Betti. "It's as if they beat the system."
Pirating, of course, has long been rampant in the analog systems that still account for most pay-TV subscriptions. But with the exception of Canal+, digital TV has proven far harder to crack. NDS and Kudelski, which both change cards regularly to foil pirates, have suffered no major security breaks. "When they break into ours, they only get a segment of the service," says Andre Kudelski, CEO of the Kudelski Group. "But once they get past Canal+ defense, they get everything."
The French company is hurrying to launch a new generation of subscriber cards within a month. And, say sources close to the company, one goal of the suit recently filed in California is to enjoin NDS researchers from taking a crack at the new code. Sure, Canal+ is also looking for a rich settlement. But cold cash alone won't put this Vivendi unit on the right track--not until the company figures out how to stump the pirates.

By Stephen Baker in Paris, with Kerry Capell in London and Neal Sandler in Jerusalem