DCA’s New Report on Enabling Malware

Enabling Malware

Andrew Orlowski reports at The Register that last week Google quietly suspended its legal action to “muzzle” an investigation by Mississippi Attorney General Hood into whether or not the search giant was abiding by the terms of its 2012, non-prosecutorial settlement with the government over illegal online sales of prescription drugs.  Any explanation of Google’s change in strategy or the future of that investigation are subjects for another day.  But the fact that AG Hood was ultimately not stymied—either by litigation or by a brazen attempt in the State House of Representatives to legislatively tie his hands—is probably good news for American consumers because State Attorneys General “often act as the de facto consumer protection arm in their respective states,” notes a new report published yesterday by Digital Citizens Alliance.

Following up on its December report, which presented a look into the scope of the malware hazard for consumers who visit content-theft sites, DCA and RiskIQ have again collaborated to begin looking at the hosting services that either inadvertently or knowingly support illegal sites, which then endanger consumers.  The hosting services in this regard are particularly relevant because they are not shadowy operators based in hard-to-reach geographies but are legal corporations with offices in the United States.  As such, the news that Google will now look to “cooperate with AG Hood” rather than remain on the offensive comes at a good moment for consumers.  This is because DCA notes that state AGs will be the first authorities who may choose to investigate US-operating hosting services to determine their role in fostering the dissemination of malware.

The December report called Digital Bait revealed the likelihood (about 30% in some cases) that users of content theft sites would infect their devices with malware, and the report also identified the various types of malware being deployed in order to steal information and/or assets from consumers.  Digital Bait also presented a glimpse into the dark web-based economy where criminals engage in transactions like selling the IP addresses of a girl’s computer or even a cybercriminal paying content-theft site owners to deliberately host malware on their sites.  The report contains some eye-opening statistics like the one from the DOJ, which states that 16.2 million American consumers have been victims of identity theft, incurring financial losses of more than $24.7 billion.

The report released yesterday, Enabling Malware, looks at two hosting companies, each of which responded very differently when DCA contacted them with their findings.  The first was CloudFlare, which is “known for its willingness to support, or at least overlook, illicit activities,” the report states.  CloudFlare is a hosting service that is specifically designed to mask the identity of site owners and of the true hosting site of any content, whether the content is legal or not.  The site’s blog reads, “Signing up for CloudFlare is like taking your number out of the phone book, and putting in CloudFlare’s number under your name.”

This type of service can be (and is) used by journalists or bloggers operating in locations with authoritarian governments or other hazards to free speech and reportage.  But it is also a natural hosting choice for content-theft site owners, thus earning the service the nickname “CrimeFlare” among cyber-security experts. DCA contacted CloudFlare with regard to its hosting sites like Putlocker and Animex, both of which were identified in the Digital Bait report as delivering malware to users.  CloudFlare did not respond until a day or two before the release of this new report and wrote the following:

“CloudFlare’s service protects and accelerates websites and applications. Because CloudFlare is not a host, we cannot control or remove customer content from the Internet. CloudFlare leaves the removal of online content to law enforcement agencies and complies with any legal requests made by the authorities. If we believe that one of our customers’ websites is distributing malware, CloudFlare will post an interstitial page that warns site visitors and asks them if they would like to proceed despite the warning. This practice follows established industry norms.”

In other words, CloudFlare is not going to do anything unless authorities make them.

The other hosting service DCA and RiskIQ looked at was HawkHost, whose support includes watchfreemoviesonline.top, which was found to have a 32% malware exposure rate in the research conducted for the Digital Bait report. When DCA contacted HawkHost, the company’s response was very different from CloudFlare’s, stating that the sites identified by DCA would be taken down because they “clearly violate our TOS/AUP,” according to CTO Cody Robertson. Additionally, executives at HawkHost have agreed to meet with DCA to discuss findings linking malware with content theft sites and to look for ways to better protect consumers.  DCA commends HawkHost, stating that they find the company’s response “an encouraging sign.”

DCA and RiskIQ will continue to study the link between content-theft sites and malware, as well as the legal hosting services that operate in the United States, which may be supporting malware-infested sites. These findings will be presented to State Attorneys General, who then have the authority to investigate the extent to which a particular hosting service may or may not be willfully turning a blind eye to illegal enterprise that is directly harming American consumers.  So, as mentioned, beyond any implications regarding the Google investigation itself, last week’s affirmation of AG Hood’s authority in that case is likely a good sign for protecting consumers in general from the chronic I-Didn’t-Know-Defense too-often employed by various OSPs.

Posted in Law & Policy, Piracy, Security | Tagged , , , , | Leave a comment

IP Skeptic Doctorow Notices a Problem

Last week, Cory Doctorow reported on Boing Boing that Amazon has a growing counterfeit products problem on its hands due to a change in company policy that allows Chinese suppliers to sell direct on the platform, bypassing domestic importers. If accurate, the issue itself is not very surprising. What is surprising is that Doctorow does not acknowledge—at least not in this article—that the counterfeit outbreak he describes is an inevitable result of the anti-IP agenda he has personally supported for years.

At some point, one must toss that copy of The Declaration of the Independence of Cyberspace into the digital dumpster and accept that the internet is not a magical cornucopia whose bounty will flow only so long as it operates beyond the legal limits of the physical world. To the contrary, the virtual increasingly has significant influence on the tangible. Doctorow describes the following:

“In late 2015, there were a spate of warnings about knockoff sex toys on Amazon made from toxic materials that you really didn’t want to stick inside your body. Now this has metastasized into every Amazon category. Sometimes its clothes and other goods that have weird sizing, colors, or poor construction. Sometimes its goods that generate no complaints, but are priced so low that the legit manufacturers can’t compete, and end up pulling out of Amazon or going bust.

Or it can be the worst of both worlds: super-cheap goods that make it impossible for legit manufacturers to compete, coupled with low-quality knockoffs that generate strings of one-star reviews from pissed off customers, meaning that even if the fakes were chased off the service, the sales will never come back.”

Sound familiar? Doctorow observes that Amazon is making money on transactions that may defraud—or even endanger—consumers while simultaneously causing permanent economic harm to legitimate suppliers. Isn’t that what many of us have been saying would happen when IP rights are not enforced online—that the “free culture” fiesta would extend beyond the supposed “harmlessness” of media piracy and eventually manifest as physical goods that can maim, poison, or kill people? Or at least just rip them off?

Unfortunately, the broader battle over IP protection on internet platforms has been distorted by a naive belief in the harmlessness of pirating entertainment media and the assumption that IP only serves the big conglomerates who produce those works. This feeds a sense that IP in general is just a “protectionist” regime for entrenched corporations to slow innovation. When it comes to physical goods, though, suddenly people begin to notice that protecting IP happens to protect consumers. This is why for instance trademark infringement is not a minor transgression. The knock-off Polo shirt won’t get anyone killed, but the knock-off Graco car seat certainly could; and when one distribution service like Amazon is vying to be the “Everything Store,” the possibility for widespread hazard becomes clear.

Presumably, Amazon will recognize the potential loss of consumer confidence if their counterfeit problem grows. The company could take mitigating measures akin to the effective, anti-fraud practices employed by eBay, which weighed heavily in its favor in a 2002 litigation with Tiffany over fraudulent products being sold on that platform. That Doctorow writes the following, however, is the real hypocrisy that needs to be addressed:

“Amazon is bending over backwards to refund customers who get bad fakes, but either can’t or won’t stem the tide of fakes themselves (I run into counterfeit editions of my books on Amazon all the time). It may be that it’s more profitable to offer refunds to customers who get bad products than it is to police the millions of SKUs that are pouring in now that Chinese industry has a direct pipeline to Amazon’s customers.”

Doctorow is criticizing Amazon for tackling the counterfeit problem one infringement at a time while failing to take broader measures to “police” its own platform to “stem the tide.” Is that not a familiar refrain copyright holders have been singing about mass infringement of their works on platforms like YouTube? I think it is. Either these platforms are under the control of their owners or they’re not. Either we want a digital market that protects suppliers and consumers, or we don’t. And we can’t have the former without shedding this naive premise that the technology itself obviates the need for intellectual property enforcement, or that IP is exclusively a barrier to access, information, or innovative services.

This subject actually refers back to the first article I wrote about any of these issues—one that appeared in December 2011 in Stars & Stripes supporting SOPA/PIPA because of their associated provisions designed to mitigate counterfeit products entering the military supply chain. You remember SOPA, right? Certainly, the cadre of “digital rights” activists won’t let you forget it as they chronically insist that all proposals to protect any kind of IP online are basically SOPA in disguise. (See Guide to Critiquing Copyright in the Digital Age).

Likely, nobody remembers that Tittle II of SOPA contained anti-counterfeiting provisions as did a companion bill to PIPA called the Combatting Military Counterfeits Act, authored by Sheldon Whitehouse (D-RI). These provisions and proposed amendments would not be protecting US consumers from Amazon-purchased counterfeits more than the existing statutes (Title 18) already do, but the bills did go further to protect against certain types of counterfeiting, and both bills expanded the principle that trafficking in counterfeits online poses a serious threat to consumer safety.

As Doctorow’s observations forecast, someone’s eventually going to get hurt. And unfortunately, that’s often what it takes for people to demand any kind of action. Or we could change the conversation before that happens.

Posted in Digital Culture, Law & Policy | Tagged , , | 5 Comments

Prison for password sharing? Not likely.

Pond5

After a ruling by the Ninth Circuit Court of Appeals, a number of blogs and articles appeared with headlines announcing that it is now a federal crime if, for instance, your kid uses your Netflix password.  While that kind of headline is good for traffic and buzz, it’s also typically exaggerated and misleading—at least insofar as this recent decision is concerned.

At the heart of the matter is the Computer Fraud and Abuse Act (CFAA), which has been sharply criticized for years by a number of civil liberties advocates who focus on digital-age issues.  The CFAA may also be referred to generically as the anti-hacking law, and there is perhaps legitimate concern that the language in the statute is overly broad and may therefore be abused by a capricious prosecutor to indict people who commit minor offenses (or non-offenses) under a law written to address serious cyber crimes.

The appeals court decision that ignited the recent flurry of headlines, United States v Nosal, concerns David Nosal, a former employee of the executive search firm Korn/Ferry. After being dismissed from the firm, Nosal “convinced some of  his  former  colleagues  who  were  still  working  for Korn/Ferry  to  help  him  start  a  competing  business.  The employees used  their  log-in  credentials  to  download  source lists, names and contact information from a confidential database  on  the  company’s computer,  and  then  transferred  that information to Nosal.”  This is a partial description of facts as stated in the Ninth Circuit’s en banc opinion issued April 2012 in the same case.

There appears to be no dispute in the matter of Nosal’s criminal liability under several other statutes regarding his unauthorized access of Korn/Ferry’s protected data, but the appeal pertaining to CFAA hinges on what critics—and at least some judges—feel is ambiguity over the meaning of “authority” to access a computer.  Because one of Nosal’s former colleagues still had credentials to log into the firm’s computers and because she voluntarily shared those credentials, can Nosal then be charged with violation of CFAA?  Does authority come from the credential holder or the computer owner?  Right there is where civil libertarians and dissenting judges say the ambiguity in the language could jeopardize you and me and every other citizen who voluntarily shares a password with a friend or family member for innocuous access to our personal accounts.  From the EFF

“Nosals colleagues had the authority of an authorized user, the current employee who lent her credentials. Thus, if authoritycan come from the account holderas with a wife who lends her bank credentials to her husband to pay a bill, a college student who uses a parents Hulu or Amazon password, or someone who checks Facebook for a sick friendthen Nosal and his colleagues did not violate the CFAA.”

I wouldn’t call the distinction irrelevant, but neither would I call this case a particularly good reason for everyone to overreact, which has no doubt already happened on social media threads everywhere.  The employee with “authorized” access to Korn/Ferry’s database may well have given her permission to Nosal and others to use her login credentials, but that in itself was a criminal violation and a permission she had no “authority” to grant under any circumstances.  The majority opinion from the court is extensive on this point and argues that its interpretation of “authority” is both clear and consistent with sister circuit court decisions in precedent cases.

Meanwhile, even a very narrow interpretation of “authority” in Nosal’s case is a far cry from comparing these circumstances to the fact that I have a Netflix account which enables up to four devices simultaneous access to the service and that one of these may be used by my college-student son.  That’s what Netflix expects a family to do with an account that allows multi-device access.  Moreover, unlike Nosal’s “inside woman” at Korn/Ferry, I do have authority to give permission to a friend or spouse to log into my Facebook account.  Neither Facebook nor the federal government can mandate that the account holder has to be the individual who types in the credentials—to say nothing of ever proving such evidence—so it seems like gratuitous hyperbole for EFF and other critics to compare these everyday examples to Nosal.  Still, the three-judge panel had one dissenting opinion, which the EFF describes as follows:

“While the majority opinion said that the facts of this case bear little resemblanceto the kind of password sharing that people often do, Judge Reinhardts dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husbands user credentials to access his bank account to pay bills, Judge Reinhardt noted: So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.As a result, although the majority says otherwise, the court turned anyone who has ever used someone elses password without the approval of the computer owner into a potential felon.”

Indeed, we may now be a nation of felons, and if this is so, then Congress better get on that.  But the fact that we are all guilty is the first reason we might want to calm down a bit before reacting to those scary headlines and getting in a big sweat about it.  Also, while I lack the credentials to argue with an appeals court judge, I’m going to a little because the wife in Judge Reinhardt’s example does have her husband’s permission to access the bank account, and the husband has the authority to grant her that permission. Judge Reinhardt knows this, though, and his point is that the statute ought to reflect the distinction between this common, family banking example and the Nosal case in which the individual with the credentials did not have “authority” to grant access.  Reinhardt writes the following in his dissenting opinion:

“The majority [opinion] does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majoritys world of lawful and unlawful password sharing.”

Perhaps Congress will need to review CFAA, but it seems simple enough to observe that “authority” to grant access will be predicated on the relationship between the login credential holder and the data being accessed. Korn/Ferry owns 100% of the data on its computer servers, its employees may only access that data under the conditions and permissions of the firm, and this access may be revoked at the sole discretion of the firm without question.  In short, nothing in the database belongs to any of the employee/users, who therefore have no authority ever to share access with anyone. In such a scenario, only the computer owner can have the “authority” to grant access.

This is very different from the relationship between a bank and a customer vis-a-vis one’s own account information pertaining to one’s own money. The bank owns the servers and the systems just like the bank owns the vault, but the customer owns the account information and assets in the account and has full discretion to use the information or assets as he sees fit, while the bank has very restricted authority to access or exploit either the data or the assets under management. Reinhardt’s comparison might be more compelling if the wife in the scenario were cheating on her husband and so gave the login credentials to a dashing third party to drain the bank account so they could run off to the Caribbean together.  In this soap opera, could said dashing third party (DTP) be indicted under CFAA in addition to other criminal charges? Arguably, the wife had more authority to grant access to the DTP than the Korn/Ferry employee had to grant access to Nosal, so I imagine CFAA would be an over-reach in this situation.

In the case of a Facebook account, the “ownership” question remains a bit vague. Many social media companies lay claim in their Terms of Service to “ownership” of every word and image we share on their platforms, but does that make these companies the “owners” of the data in the same way that Korn/Ferry owns its data?  I would argue it does not, especially since none of our shared social media data can be called “private” or Facebook’s “trade secrets.” As with the banking example, a social media account involves a shared “authority” to access based on the relationship between the data and the account holder; and this would seem to void any assumed violation of CFAA.  Regardless, it will likely be years before these questions are officially resolved, but I wouldn’t lose years of sleep in the meantime worrying about felony charges for common password sharing.

Posted in Digital Culture, Law & Policy | Tagged , , , , | 4 Comments

What Went Down at the DOJ 

“… last week a former Google lawyer at the DOJ anti-trust division against the recommendation of the US Copyright Office rammed through a 100% licensing rule that effectively brings the last of the “free” songwriters under the consent decree.”  

David Lowery at The Trichordist

“The Department of Justice’s position is arrogance at its worst. The decision fails to address the vitally important issue of terminating or reforming outdated consent decrees, and instead broadly expands its interpretation of existing consent decrees.”

— Rep. Doug Collins (R-GA) —

“… the consent decrees were put in place before the transistor radio was invented. They were never meant to, nor could they envision, existing in a world of iPhones, streaming and instant access to practically all music. Unfortunately, the DoJ went the opposite direction and chose the outcome most harmful to songwriters and the creative community.” 

— David Israelite, President & CEO, National Music Publishers Association —

The internet and tech industries like to evangelize a message that creators’ rights laws are “outdated” because they supposedly stand in the way of innovation and competition.  Of course, if a truly outdated law benefits their bottom line or their business models, then they’re only too happy to promote a message that the status quo must be preserved in the name of competition and innovation.  For instance, rights holders would like to see reform to the 1998 DMCA, while OSPs generally want the law to remain as obsolete and ineffective as it is.  But this general hypocrisy may be best dramatized by efforts to entrench the WWII-era federal consent decrees governing music composition and songwriting.

If only a songwriter could buy food and housing at 1940s prices, maybe this rate structure that now earns pennies on the dollar for millions of streaming plays could somehow be justified.  Instead, composers and songwriters remain shackled to a federal, Rate Court system that began when “Boogie Woogie Bugle Boy” was a new hit—one that could never have anticipated the holistic transformation to the music market produced by innovations like digital streaming. For the past few years, the songwriters and composers have been seeking reform to these licensing regimes in order to adapt pricing regimes that reflect the realities of the new market.  That’s how augmenting legal systems is supposed to work.  But on July 1—just in time for Independence Day as David Lowery pointed out—the Department of Justice recommended that American songwriters weren’t quite hampered enough by their rusty handcuffs. (Remember:  this is about regulating songwriters and composers — not weapons, auto, or chemical makers.)

Deputy Assistant Attorney General Renata B. Hesse, a former Google lawyer, issued two key recommendations.  The first is that any of the performance rights organizations PROs — ASCAP, BMI, or SESAC—must license 100% of a song for public performance no matter what percentage of the song the PRO legitimately represents.  Historically, when songwriters collaborate who are signatories to different PROs (which has happened thousands of times to produce songs you love), the associated PROs co-manage the rights so that all parties receive royalties accordingly.  On this matter, music attorney and blogger Chris Castle writes …

“… the [Obama] Administration has to ignore the implications to international trade, replace a voluntary licensing doctrine with a government mandate, ignore written agreements between generations of songwriters, and impose untold transaction costs on songwriters without requiring an increase in royalty rates to permit cost recovery.”

The second recommendation from Hesse is to reject songwriters’ and composers’ requests to withdraw their individual catalogs from digital licensing in order to negotiate fair market rates with services like Spotify, Apple Music, or Google.  This independent negotiation already occurs between the digital service providers and labels and artists who are not signatories to the PROs bound by the WWII-era consent decrees.

The real hypocrisy in this recommendation is that the DOJ is rejecting fair market negotiation for one class of artists on the grounds that such a ruling would be necessary to maintain the antitrust rationale for consent decrees in the first place.  But not only is Hesse looking at the 21st century market through an early 20th century lens (the largest PRO, ASCAP, was formed in 1914), but she is failing even to consider that the companies we now need the government to regulate are Apple, Google, Spotify, et al.  It cannot possibly be news to Hesse or anyone else at Justice that the titans of Silicon Valley are the new prospective monopolists of our times.  On the other hand, Chris Castle pulls no punches here when he argues that Hesse is in violation of Obama’s own Executive Order on Ethics because she is “working on antitrust matters for the benefit of Google, her former client.”

Organizations like Public Knowledge that support the recommendations by the DOJ, say that Hesse has acted properly in the service of the public interest.  Arguing that consolidation in the music publishing industry leads to monopolistic control of large catalogs, Raza Panjwani, Policy Council at PK, writes …

“… it’s refreshing to see that, based on reports, it appears that the Department of Justice is once again demonstrating that robust enforcement of antitrust law in the United States can play an integral role in preventing anticompetitive behavior, whether that’s the development of cable monopolies, price fixing in the ebook market, or collusion in an increasingly concentrated music publishing market. In each case, the ultimate winner is the public.”

I have to say, when I look at the many challenges in the world, I’m glad Public Knowledge is there to protect us from the caprice of songwriters.  I know that’s sarcastic, but seriously?  I think we have to admit that consolidation continues in every sector of the American economy and that the major internet players are only accelerating this phenomenon while paying lip service to the virtues of competition. Meanwhile, what sector more than music has been so dramatically warped by black-market forces that pegged the “natural price” for a song at zero?  To pretend that piracy is not still a bargaining chip for legal streaming services when negotiating with songwriters—if the DOJ would be so kind as to let them negotiate—is a disingenuous assessment of the market.

As is typical of our increasingly short-sighted business culture, the DOJ also fails to recognize that its recommendations are self-defeating—that they would act as disincentives to produce, collaborate, and innovate within this community of artists. Just like her former client, it seems that Hesse is too narrowly focused on the exploitation of existing works while failing to imagine the works that may (or may not) be produced in the future.  As such, her recommendations are unfortunately consistent with the digital market’s tendency to cannibalize older investments rather than to support newer ones. Yes, that’s an oversimplification, and the digital market continues to evolve.  But if history teaches us anything, it’s that the new, disruptive companies quickly become the new dominant forces—as willing and able as any to engage in non-competitive practices or to exploit suppliers.  As such, the DOJ’s recommendation to tighten these 75-year-old regulatory bonds on one class of independent (and often invisible) artists seems far less likely to foster competition than to further subsidize the free ride for America’s billionaires.

Posted in Law & Policy, Music | Tagged , , , , | 4 Comments

Clinton equivocates so Masnick obfuscates.

Last week, Hillary Clinton released her Initiative on Technology and Innovation, brief, which reads a bit like a missive from the Internet Association and does very little to clarify her own views—possibly because she doesn’t have any—on the role of copyright in the digital age.  My general criticism of the whole brief is that it seems to view “technology” as an end rather than a means—still talking about access as its own reward, even in a time when Clinton’s opponent is as much proof as we should ever need that access alone does not necessarily foster a new enlightenment.

That Clinton’s statements are vague is the one criticism I share with Mike Masnick at Techdirt. Of course, what I hear in her rhetoric is that she’s been tippling at the Silicon Valley Kool-Aid, while Masnick seems to feel she hasn’t had quite enough. And that’s fine. We have divergent agendas.  But the substance of Masnick’s rebuttal on the subject of incentives does not accurately reflect the debate from either side, in my opinion.

Clinton’s statement contains the following:

The federal government should modernize the copyright system through reforms that facilitate access to out-of-print and orphan works, while protecting the innovation incentives in the system.  It should also promote open-licensing arrangements for copyrighted material supported by federal grant funding.

And Masnick rebuts …

What are the “innovation incentives in the system” right now? Well, on that, people totally disagree. Some people think that fair use, user rights and DMCA safe harbors are the innovation incentives in the system. Others, of course, argue it’s long copyright terms and insane statutory damages. These two groups disagree and the Clinton platform offers no further enlightenment. 

I’m sure his statement resonates inside Techdirt’s echo chamber, but portraying “long copyright terms and insane statutory damages” as core incentives for rights holders specifically oversimplifies both of these topics and it generally misrepresents creators and their motivations.

“…long copyright terms…”

Yes, the copyright term is part of the incentive rationale, but the actual duration of terms is influenced by various interrelated and dynamic factors—both philosophical and utilitarian—that consider market conditions and, yes, a discussion as to what seems appropriate to grant an author, which has generally extended to two generations of his/her heirs.  Presumably, there is an ideal threshold for terms—too short and incentive may be diminished for various types of works; too long and copyright’s purpose to promote progress may be defeated—but the sweet spot can only be theorized based on a holistic view of the contemporary, global market for the range of protectable works. To boil all that down to say that rights holders think long terms provide an incentive to create and distribute is no more nuanced than Hillary Clinton’s equivocal statement on the matter.

“…insane statutory damages…”

While it’s true that there is no reason to rely on a law that cannot be enforced, Masnick’s reference to “insane statutory damages” is stretching this tautology a bit thin in order suggest that rights holders view the prospect of litigation awards as an incentive to create in the first place. Statutory damages are set, in part, because the burden for a plaintiff to prove “actual damages” is quite steep. And because federal litigation is very expensive, hiring an attorney to represent a claim in which statutory damages may not be awarded can be extremely difficult for many rights holders.

Masnick also glosses over several details with regard to awards, including the fact that a lot of cases settle without awards anywhere near the statutory limits; that many copyright advocates currently support the creation of a copyright small claims court; and that statutory damages only apply in cases in which the works are registered with the Copyright Office. This last point is particularly relevant since Masnick seems eager to end the automatic copyright formalized in the 1976 act when he cites Clinton’s reference to “orphan works” and writes, “the only real solution to the orphan works problem is to go back to … requiring registration to get a copyright.”  But as a practical reality, when it comes to litigation and statutory damages, copyright registration is required, so the real pen-and-paper debate is not exactly defined by the lines Masnick is drawing with his oversized crayons.

“…fair use…”

As for the opposing view on incentives, it’s odd for Masnick to invoke fair use and DMCA safe harbors* when neither subject means anything without an enforceable regime of copyright in the first place. For example, to call fair use an incentive is preposterous absent an enforceably copyrighted work that is being used, so it cannot accurately sit on the opposite side of an imaginary line supposedly contrasting different incentives.  Fair use is a possible consideration, but most of the time, most creators don’t even think about copyright when they begin to author their own expressions.  This is because the idea/expression distinction in the law already has them well covered nearly all of the time—a principle codified into federal copyright law 136 years ago relative to the decade since Web 2.0 supposedly stirred up all this fair use controversy for all manner of creators.

“…DMCA safe harbors…”

I assume Masnick is not saying that the DMCA liability shield (safe harbor) for OSPs directly incentivizes creators.  Presumably, he’s saying that the safe harbor is necessary to provide a foundation to incentivize the blogger or YouTuber to create new works via these platforms, but that’s a pretty big logical leap.  As with the fair use fallacy, this view assumes that infringement is integral to expression and the incentive to express.  Additionally, the safe harbor shield doesn’t technically protect the user/creator at all. As noted in my recent post about Lewis Bond, this conflating of the OSP’s interests with the user’s interests is part of what I think gets some creators into legal hot water.  While, it is true that platforms like YouTube foster new forms of expression (e.g. mashups) that ask new questions about copyright’s boundaries and exceptions, it is misleading to highlight safe harbor as an incentive for those who make these expressions, especially when the liability shield clearly provides an incentive for OSPs to turn a blind eye to obvious infringements.

In my experience the most consistent incentive I’ve encountered among creators I’ve known, or known about, is that copyright inextricably links a given expression to its author.  This is not only a significant motivation for creators—one that often transcends money—but it is also a distinction that benefits society most by preserving the relevance of context—a value Web 2.0 seems well-suited to destroy with alarming frequency.

As for candidate Clinton, Masnick and I clearly want to hear different specifics from her as she progresses toward the White House (I hope).  Based on the choice of rhetoric in the brief, though, I do suspect the internet industry had a hand in its writing.  In particular, the arbitrary reference to “orphan works” is bizarre—as though this arcane bit of copyright flotsam represents some untapped cultural or economic potential for America.  Overall, between the brief and Masnick’s comments, it seems we’re in stuck in the meta-debate about what the debate is about.


*I’m ignoring user rights because it’s too vague and too broad.

Posted in Copyright, Law & Policy | Tagged , , , | Leave a comment