The $58,000 TV bill: When DirecTV sued O.J. Simpson for piracy

Imagine the life of a federal judge in the Southern District of Florida back in 2005. On Monday, you hold a hearing on contested legislation. On Tuesday, you rule in a national security case. But on Wednesday—bah, there’s just something about Wednesday—you have to spend a sunny day indoors, reading technical affidavits on satellite TV bootloaders, electronic countermeasures, and smartcard voltage dips that take place 522 clock ticks after startup.

Tedious, really. Not the kind of thing one seeks a federal judgeship for. A satellite TV piracy case. Against some random dude in Miami.

You flip through the papers on your desk with a sigh but stop when you see the case caption. DirecTV is not suing some random dude in Miami. It’s suing someone famous, perhaps one of the most famous people in the world now, thanks in large part to that murder charge—though of course he had beaten the rap. Still, a celebrity of his stature surely has the money to pay for satellite TV?

Wednesday promises to be more interesting than usual. You settle into your leather chair and begin reading the filings in DirecTV, Inc. v. O.J. Simpson.

O.J. Simpson on December 4, 2001, while his home was being searched.

Credit: Getty Images

Strange trouble

Over the last several decades of his life, former football star O.J. Simpson got himself into a truly wide-ranging set of difficulties. After the killings of his ex-wife and her friend, “the Juice” led police on his infamous white Bronco freeway chase (1994), was charged with murder (1994), was acquitted of murder (1995), was sued for “wrongful death” (1996), was found liable for “wrongful death” (1997), defaulted on his California mortgage (1997), had his Heisman Trophy auctioned (1999), and eventually moved to Florida (2000), which had strong laws protecting homes and pensions from creditors and court judgments.

Then came a period of relative calm. Simpson avoided major legal drama, though he still managed to get charged with battery (2001—later acquitted) and for speeding in a boat through a manatee zone (2002—bench warrant issued, later reduced to a $130 fine).

Eventually, though, he headed back out into the storm. After trying to seize some sports memorabilia in Las Vegas he said had been stolen from him, Simpson was charged with robbery, kidnapping, and assault (2007), leading to his conviction (2008) and then a Nevada prison term that ran until his eventual parole (2017). He died of cancer in 2024.

I knew the basic parameters of Simpson’s life from national news stories over the years, of course. But not until this month did I stumble across a Simpson controversy I hadn’t known about: He was an accused satellite TV pirate who had been sued in federal court, much like the various music file-sharing defendants I covered so often during the 2000s.

The difference was that in Simpson’s case, his whole home had been searched by the feds—and with the help of the private company that would later sue him civilly.

The raid itself took place during that interlude of relative calm when Simpson lived on 112th Street in Miami. On December 4, 2001, Simpson’s home was one of 13 locations searched by the FBI after a two-year drugs-and-pirate-TV investigation. According to the LA Times, Simpson “was in a white bathrobe when he greeted officers” and “was not arrested” during the search.

No drugs were found, but Simpson’s home address had also come up during the investigation as one potentially linked to the purchase of satellite TV pirating equipment. So when law enforcement descended on his place, they didn’t do so alone. They brought with them James Whalen, then a senior director for DirecTV’s Office of Signal Integrity.

Whalen was there, he said later, because he was “asked by the FBI to accompany law enforcement” so that he could “assist in the identification of counterfeit or illegal materials associated with the theft of telecommunications services.”

And he found some.

Countermeasures

DirecTV records indicate that Simpson had maintained a subscription from 1995 into 1998. At the time of the raid, though, he had no “legitimate DirecTV account at his Florida residence,” DirecTV said. Yet when Whalen walked through Simpson’s home that day, he found two DirecTV receiver/descrambler units (also known in the industry as “IRDs”) hooked up to televisions.

For these descramblers to work, they each needed an access card—a smartcard that told the descrambler which channels to unlock. Enterprising pirates had found ways to produce their own access cards. These could give access to certain channel sets, so long as one didn’t plug the descrambler’s modem into the phone jack. (This could alert DirecTV that an unauthorized unit was in place at a location with no subscription.)

But even if you kept the descramblers from phoning home, DirecTV had a way of crippling illicit access cards. It could electronically “knock them out” using electronic countermeasures (ECM). These were bits of code embedded into the main, over-the-air satellite feeds and executed automatically by the receiver/descrambler hardware. The code would typically write data to illicit access cards in such a way that the cards failed security checks and became useless for piracy.

Days before the 2001 Super Bowl, DirecTV rolled out an extremely powerful ECM. It was so successful that January 21, 2001, was known in the pirate community as “Black Sunday.” Huge numbers of illicit access cards were knocked out. A Slashdot story from the time cataloged the damage:

One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream… that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed.

Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98 percent of the hacking communities’ ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally “signed” the anti-hacker attack. The first eight computer bytes of all hacked cards were rewritten to read “GAME OVER.”

Years later, Wired tracked down the man who had helped develop the Black Sunday ECM. He designed the code to be sneaky so that pirates wouldn’t know what was about to hit them until it was too late. “Instead of being delivered all at once like other measures,” the story noted, “the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field.”

Enter the bootloader

But pirates are crafty folk. To bring their “dead” access cards back to life, they invented bootloaders, small hardware devices that could sit between the descrambler hardware and the access card. A bootloader worked electrical magic that would allow a “killed” access card to function after all.

In his walkthrough of Simpson’s home, Whalen said that he “personally observed two (2) bootloaders in operation.” The bootloaders were plugged into the two DirecTV descramblers, and Whalen “personally checked the channels being received by the respective televisions,” he said in an affidavit, “and was able to view DirecTV pay-per-view programming and other channels which Simpson was not authorized to receive.” Whalen then handed the bootloaders over to FBI agents.

The bootloaders themselves are curious pieces of technology, and DirecTV hired electronics experts to figure out how they worked. In Simpson’s case, the company filed an affidavit from engineer David Simon, who described a device known as the “Atomic Bootloader.”

The Atomic Bootloader with inserted smartcard.

This device had pins that fit into the access card slot of a DirecTV receiver/descrambler; its circuit board held an Atmel AT90S1200 microcontroller and a few resistors; and it had a terminal of its own into which an ISO 7816 smartcard could be inserted.

When he got the bootloader hooked up to an oscilloscope and a logic analyzer, Simon saw something strange. The bootloader followed the ISO 7816 specs in every way but one:

Exactly 522 pulses on the ISO 7816 CLK (“clock”) signal after the smartcard is inserted and the ISO 7816 RST (“reset”) signal is set high, the Atomic Bootloader briefly reduces the voltage that provides the electrical power for the inserted smartcard from the standard 5 volts down to about 2 volts. There is no expected behavior of smart cards in the face of such a “brownout.”

The pirates had used an unexpected behavior, however, to create a voltage glitch.

Microchips rely on clock pulses to keep everything in the circuit in sync. The bootloader’s Atmel microcontroller had one job: It brought several resistors into the circuit 522 clock cycles into the smart card’s boot cycle. When this happened, voltage flowing from the descrambler to the smartcard dropped from 5 volts to 2.1 volts for 500 nanoseconds before returning to standard.

The “voltage glitch” in operation.

At this unexpectedly low power level, the smartcard did not reset, but its microchip experienced a fault and could not fully execute that cycle’s command.

Hackers had figured out that a crucial smartcard security check was always called at this point in the boot process. By force-skipping this instruction, the smartcard booted again.

Simon had been given “several P2/H cards that were disabled on Black Sunday,” he said, and he put one of them to the test in the Atomic Bootloader.

He plugged a card into a standard smartcard reader. It failed to boot.

Then he stuck the same card into the Atomic Bootloader; it started right away.

The Atomic Bootloader’s circuit layout.

Signal integrity

In 2001, DirecTV grew more aggressive about piracy, filing over 100 lawsuits against individuals like Simpson. Many of the targets for these cases came from raids on distributors who had sold the access cards and bootloaders.

At the time, DirecTV’s Office for Signal Integrity was run by former FBI agent Larry Rissler. The same month that Whalen was in Miami, walking through O.J.’s home, Rissler gave an interview with the Los Angeles Business Journal, which described the office’s work:

Rissler wouldn’t disclose his budget, but pointed to the 10 people in his office, a network of private investigators around the country, three law firms on retainer and personnel in DirecTV’s engineering and legal divisions as proof of the company’s commitment to controlling piracy.

DirecTV, Rissler wanted to make clear, was serious about going after pirates. The recording and pornography industries would later try to show the same seriousness by following this model, going after individuals and not just middlemen, but all would learn the same lesson: Federal lawsuits are long, complex, and expensive, and you don’t always collect much in the end.

In this case, it took more than two years after the raid for DirecTV to file its case against Simpson and another year and a half to get a judgment.

Simpson doesn’t appear to have mounted a spirited defense. DirecTV complained about filings being made late or not at all. Simpson did claim that the TVs in his home were “not turned on” during the raid, though what this had to do with the issue of owning and operating illicit decryption devices was not clear. At one point, he tried mediation with DirecTV, but the mediator noted that both sides reached an “impasse.”

Judge Joan Lenard eventually ruled in DirecTV’s favor through summary judgment, saying that there wasn’t a genuine controversy of fact for a jury to decide.

The judge noted that DirecTV’s Whalen had “personally checked the channels being received by the respective televisions and was able to view DTV pay-per-view programming and other channels.” At the same time, “Simpson did not have a legitimate DTV account at his Florida residence.”

Since Simpson “has not provided any Affidavits or other sworn testimony calling into doubt the Affidavit of James Whalen,” and since he admitted that the bootloaders were found in his home, the judge found the matter quite clear.

“The only reasonable inference is that the bootloaders were connected to the television to receive DTV programming unlawfully,” she wrote.

Simpson’s lawyer told the press after the ruling that the judge “basically denied us our right to a jury trial… They say he did it; we say he didn’t. A jury should be able to make that decision.” But little seems to have come of this complaint.

The campaign

By the time Simpson’s case ended in 2005, DirecTV’s mass lawsuit campaign was already winding down. In just a few years, the company had sent 170,000 demand letters to end users and filed more than 24,000 federal lawsuits against individuals.

Given the massive expense of investigations and lawsuits, the value of such campaigns was often said to lie in the deterrent effects they might provide. But huge waves of negative publicity were also a common result as content industries engaged in legal overreach, targeted neutral technologies, or sued the inevitable innocent granny.

DirecTV was already facing this sort of bad publicity by 2003, when it was under heavy criticism from the Electronic Frontier Foundation (EFF). According to the EFF, “DirecTV made little effort to distinguish legal uses of smart card technology from illegal ones,” so the EFF “received hundreds of calls and emails from panicked device purchasers.”

Some of these “panicked device purchasers” paid up but later regretted it. Together, they filed a federal class action claim against DirecTV, saying it had violated the Racketeer Influenced and Corrupt Organizations Act (“RICO”) by mailing demand letters even though the company had no idea what people were doing with the smartcards or bootloaders they had purchased.

The demand letters generally said that no lawsuit would be filed so long as the recipient agreed to:

(1) surrender all illegally modified Access Cards or other satellite signal theft devices in your possession, custody or control;

(2) execute a written statement to the effect that you will not purchase or use illegal signal theft devices to obtain satellite programming in the future, nor will you have any involvement in the unauthorized reception and use of DIRECTV’s satellite television programming; and

(3) pay a monetary sum to DIRECTV for your past wrongful conduct and the damages thereby incurred by the company.

The RICO case went all the way to the 9th Circuit Court of Appeals, which eventually ruled that DirecTV was within its rights to send such letters and that they were not mail fraud.

But other court cases cut into DirecTV’s legal strategy. One of the most important was a case against an individual named Mike Treworgy, who had purchased a “PT2 Pocket Pal Programmer” and a “PT2 Pocket Pal Upgrade Chip” that could have been used to help Treworgy get free DirecTV.

In the O.J. Simpson case, one of its early lawsuit efforts, DirecTV had an investigator on-site who physically turned on Simpson’s TVs and saw the unscrambled DirecTV programming. But this kind of evidence was hugely expensive to collect and required law enforcement help. Most later DirecTV cases were based merely on device purchase lists; DirecTV had no idea what people like Treworgy were actually doing inside the walls of their homes.

In the Treworgy case, both the district court and the 11th Circuit Court of Appeals ruled that simple ownership did not create “a private right of action against a person in possession of access devices in violation of section 2512(1) (b).” In other words, DirecTV couldn’t sue people just for buying a card or a bootloader; they had to show actual illegal activity.

Between the cost of these suits, a growing consumer backlash, and the narrowed legal landscape, DirecTV and the EFF in 2004 reached a joint agreement to modify the lawsuit campaign. According to the EFF:

The company [DirecTV] will no longer pursue people solely for purchasing smart card readers, writers, general-purpose programmers, and general-purpose emulators. It will maintain this policy into the foreseeable future and file lawsuits only against people it suspects of actually pirating its satellite signal. DirecTV will, however, continue to investigate purchasers of devices that are often primarily designed for satellite signal interception, nicknamed “bootloaders” and “unloopers.”

DirecTV also agreed to change its pre-lawsuit demand letters to explain in detail how innocent recipients can get DirecTV to drop their cases. The company also promised that it will investigate every substantive claim of innocence it receives. If purchasers provide sufficient evidence demonstrating that they did not use their devices for signal theft, DirecTV will dismiss their cases.

In the end, though, technology changed DirecTV’s approach the most. Early generations of smartcards were simple devices and easily hackable, but beginning with fourth-gen P4 cards in 2002, the easy hacks came to an end. Smartcards from this point on had much more powerful chips running much more powerful encryption schemes. As piracy rates dropped, DirecTV moved away from mass litigation against end users, and existing cases were concluded or dismissed.