EFF Says Section 1201 of DMCA is Unconstitutional

Last week, the Electronic Frontier Foundation filed suit against the federal government, naming the DOJ and the Copyright Office as defendants. The EFF filed on behalf of plaintiffs Dr. Matthew Green, a computer scientist and researcher at Johns Hopkins; Andrew Huang, an engineer and inventor; and Huang's company Alphamax LLC. The crux of the suit is that Section 1201 of the DMCA, which prohibits circumventing the technical protection measures (TPM) that control access to copyrighted works, and prohibits trafficking in devices used to circumvent those measures, violates the First Amendment and is therefore unconstitutional.

The kind of TPM most consumers are aware of is the copy protection on a DVD that prevents or hinders illegal copying of its contents, but TPM are increasingly built into a broad range of devices and products because, of course, computers and software increasingly run everything we touch. For this reason, 1201 applies to a wide range of classes of copyrightable works, including software itself, and so the debate over the law invariably conflates movies with medical devices or cellphones with tractors, which makes the public dialogue rather confusing for most of us.

We read a brief assertion in an article by Cory Doctorow (or even an opposing view), while the nitty-gritty may be ten pages of complex analysis by the Copyright Office that few people will read, let alone fully understand. Meanwhile, consumers should keep in mind that absent the provisions in 1201, products like DVDs, iPods, and Kindles would simply not exist, because rights holders would not have licensed their works for distribution on these platforms. And it is characteristic of the EFF and its colleagues to focus on the restrictive aspects of a legal framework while ignoring the productive ones.

In simple terms, it is illegal to circumvent TPM, whether the copyrighted material being protected is entertainment media like an eBook or the software that runs a medical device or the systems in your car. The EFF's criticism weighs heavily on the fact that it is a violation of 1201 to circumvent TPM even when the intent is not to infringe copyright, but there are also exemptions in force that allow circumvention in a number of circumstances: permanent exemptions written into the statute itself, and temporary exemptions granted every three years by the Librarian of Congress on the recommendation of the Register of Copyrights. In each of those three-year cycles, the Copyright Office reviews applications for temporary exemptions, though this process itself has been called "onerous" by the EFF and others and is likewise implicated in the question of the constitutionality of the 1201 statute.

As mentioned, there are three named plaintiffs in this suit, though one can think of Andrew Huang and his company Alphamax as representing the same interests. But in an effort to keep this post under 2,000 words, I'll focus on the complaint regarding Dr. Green and on EFF's broader complaint that the Copyright Office's triennial review process is itself stifling free speech.

That Dr. Matthew Green’s Security Research is Being Stifled

Likely the most compelling and easiest to understand complaint is that of Dr. Green, who conducts important research into, among other things, the security systems of automobiles. This was the focus of his application for an exemption to 1201 during the last triennial rulemaking.

Dr. Green explains on his blog that because the Copyright Office did not grant the exemptions he applied for, a project underway in the fall of 2015 had to be conducted in a manner less effective and less thorough than the best method available. He also implies that the opposition to his application from the Business Software Alliance might have carried undue industry weight in the decision-making process. But a review of the Register of Copyrights' analysis and conclusions regarding the relevant class of exemptions reveals that the Copyright Office was substantially more sympathetic to the testimony of Dr. Green and his co-applicants than it was to the opposition arguments of either the software or automotive industries.

In fact, the Copyright Office, in the Final Rule issued on October 28, 2015, recommended a broad exemption for "good faith" security research like the work being conducted by Dr. Green, but it also recommended a 12-month waiting period before that exemption took effect. Although this delay may be a source of frustration for researchers and the EFF, it was not proposed because of industry opposition to the exemptions. Instead, the Copyright Office recommended the one-year delay in deference to various federal agencies that had weighed in with concerns regarding some of the proposed exemptions.

For instance, the EPA stated that certain aspects of the work to be conducted could "slow or reverse gains made under the Clean Air Act." How? I have no idea. But neither does the Copyright Office, because it is not authorized to have an opinion about the environment. So, because some of the concerns raised are outside copyright's purview, the Register proposed the delay in order to give other federal agencies time to review. That is what they are supposed to do, and neither Dr. Green nor the EFF appears to acknowledge that, to some extent, this research is being slowed by federal agencies that have nothing to do with copyright or Section 1201.

Moreover, the timing of EFF's big play to argue the unconstitutionality of the entire law is odd in light of the fact that the Copyright Office is largely in agreement with applicants like Dr. Green. In fact, the Copyright Office could not have been clearer in its agreement that the current permanent exemptions for security research are not sufficient to protect Dr. Green and his colleagues from liability. But when the Office called for comments on 1201 at the beginning of this year, neither the EFF nor any of its sister organizations filed comments with a view toward amending these permanent exemptions.

So, one question worth asking is why the EFF does not use its considerable resources to seek amendments to the permanent exemptions rather than work toward the less likely outcome that the entire statute will be declared unconstitutional. After all, as a practical matter, if the real interest is enabling people like Dr. Green to work at their best as soon as possible, fixing the permanent exemptions is a far more practical enterprise than the prospect of the Supreme Court vitiating all of 1201 several years from now. This seems especially true when the Register already agrees that the current statutory exemptions are inadequate.

That the Triennial Review Process is Stifling Speech

Roughly one-third of the EFF's complaint focuses on the alleged inadequacy of the triennial review process itself. Their contention is that the process is so cumbersome and slow that it fails to serve its purpose of providing an adequate counterbalance to 1201's restrictions, and that it also constitutes a prior restraint on speech by delaying applicants' ability to engage in otherwise legal, non-infringing research or publication.

Two things seem odd about this section of the complaint. The first is that it focuses on 1201's alleged, broad infringement of the speech of filmmakers and teachers despite the fact that the named plaintiffs in the lawsuit applied for exemptions having nothing to do with filmmaking or teaching. The second is that the Copyright Office actually did recommend exemptions for a large number of requests pertaining to filmmakers and teachers, though apparently these did not go far enough for the EFF, which cites rejections, like the denial of an exemption for "narrative filmmakers," as evidence that 1201 is stifling speech. Of course, this particular class of filmmaker calls for detailed analysis, because the majority of narrative film uses are not generally fair uses. So this part of the complaint begins to sound like EFF making its usual free speech mountain out of a copyright molehill.

Also, with regard to the alleged onerousness of the review process, the public should note that the process is a rather large task resulting in decisions that have far-reaching implications throughout the market. Exemptions apply to everyone, not just the applicants. So, when the CO said that it's cool for a K-12 teacher to "rip" film clips from his DVD collection to bring into class to teach film or cultural studies, that circumvention became kosher for all teachers doing the same thing across the country. Because these rulings are not narrow decisions (like fair use judgments), it seems reasonable that reviews happen triennially and that applicants bear some substantial burden to argue their cases for various exemptions. The CO's complete review of the last round of applications is over 400 pages long. How frequently should the agency engage in that level of detailed analysis and make recommendations that have considerable effect in the market, and which must conform to existing laws beyond the scope of copyright?

And once again, the timing of this complaint is curious, because the Register earlier this year recommended that, going forward, successful petitions that are not opposed in the next review cycle need not be re-litigated. This is relevant because the EFF specifically cites the need to re-apply for exemptions every three years as evidence of undue burden, but it ignores the fact that the Copyright Office acknowledges the issue and is making recommendations to mitigate the problem. So, the big question reprises: Why is EFF more eager to try to strike down the entire law than it is to work with the Copyright Office to address some of the very flaws the Register agrees exist?

Based on just the complexities I have tried to articulate here (which only scratch the surface), it seems unlikely the First Amendment complaint will make as much progress as it will make noise. Yes, we want to protect fair use for expression and the ability of researchers to ensure our safety and security while living with our computerized products. But the record indicates that the Copyright Office is in sync with these views. We'll see what the courts say.


“Don’t Use Our Songs”

There was no way I could not share this. I recommend watching all the way through to the end.  Is the message entirely on solid ground copyright-wise?  Not quite.  Is the sentiment in the right place?  I think so.  And it’s funny as hell and includes a nice shout out to one of my favorite bands, The Dropkick Murphys.

Happy Monday.

DN



DCA’s New Report on Enabling Malware


Andrew Orlowski reports at The Register that last week Google quietly suspended its legal action to "muzzle" an investigation by Mississippi Attorney General Jim Hood into whether or not the search giant was abiding by the terms of its 2011 non-prosecution agreement with the federal government over its role in advertising for illegal online pharmacies selling prescription drugs. Any explanation of Google's change in strategy or the future of that investigation is a subject for another day. But the fact that AG Hood was ultimately not stymied, either by litigation or by a brazen attempt in the State House of Representatives to legislatively tie his hands, is probably good news for American consumers, because State Attorneys General "often act as the de facto consumer protection arm in their respective states," notes a new report published yesterday by Digital Citizens Alliance.

Following up on its December report, which presented a look into the scope of the malware hazard for consumers who visit content-theft sites, DCA and RiskIQ have collaborated again, this time looking at the hosting services that either inadvertently or knowingly support illegal sites that then endanger consumers. The hosting services are particularly relevant in this regard because they are not shadowy operators based in hard-to-reach jurisdictions but legal corporations with offices in the United States. As such, the news that Google will now look to "cooperate with AG Hood" rather than remain on the offensive comes at a good moment for consumers, because DCA notes that state AGs will be the first authorities who may choose to investigate US-operating hosting services to determine their role in fostering the dissemination of malware.

The December report, called Digital Bait, revealed the likelihood (about 30% in some cases) that users of content-theft sites would infect their devices with malware, and it also identified the various types of malware being deployed in order to steal information and/or assets from consumers. Digital Bait also presented a glimpse into the dark-web economy where criminals engage in transactions like selling the IP address of a girl's computer, or even a cybercriminal paying content-theft site owners to deliberately host malware on their sites. The report contains some eye-opening statistics, like the DOJ figure that 16.2 million American consumers have been victims of identity theft, incurring financial losses of more than $24.7 billion.

The report released yesterday, Enabling Malware, looks at two hosting companies, each of which responded very differently when DCA contacted them with its findings. The first was CloudFlare, which is "known for its willingness to support, or at least overlook, illicit activities," the report states. Strictly speaking, CloudFlare is not a host but a reverse proxy and content-delivery network that sits between visitors and a site's origin server; a consequence of that design is that the site owner's identity and the true hosting location of any content, whether the content is legal or not, are masked from visitors. The company's blog reads, "Signing up for CloudFlare is like taking your number out of the phone book, and putting in CloudFlare's number under your name."

This type of service can be (and is) used by journalists or bloggers operating under authoritarian governments or facing other hazards to free speech and reportage. But it is also a natural choice for content-theft site owners, thus earning the service the nickname "CrimeFlare" among some cyber-security experts. DCA contacted CloudFlare with regard to its fronting of sites like Putlocker and Animex, both of which were identified in the Digital Bait report as delivering malware to users. CloudFlare did not respond until a day or two before the release of this new report, and then wrote the following:

“CloudFlare’s service protects and accelerates websites and applications. Because CloudFlare is not a host, we cannot control or remove customer content from the Internet. CloudFlare leaves the removal of online content to law enforcement agencies and complies with any legal requests made by the authorities. If we believe that one of our customers’ websites is distributing malware, CloudFlare will post an interstitial page that warns site visitors and asks them if they would like to proceed despite the warning. This practice follows established industry norms.”

In other words, CloudFlare is not going to do anything unless the authorities make it.

The other hosting service DCA and RiskIQ looked at was HawkHost, whose customers include watchfreemoviesonline.top, which was found to have a 32% malware exposure rate in the research conducted for the Digital Bait report. When DCA contacted HawkHost, the company's response was very different from CloudFlare's: the sites identified by DCA would be taken down because they "clearly violate our TOS/AUP," according to CTO Cody Robertson. Additionally, executives at HawkHost have agreed to meet with DCA to discuss the findings linking malware with content-theft sites and to look for ways to better protect consumers. DCA commends HawkHost, calling the company's response "an encouraging sign."

DCA and RiskIQ will continue to study the link between content-theft sites and malware, as well as the legal hosting services operating in the United States that may be supporting malware-infested sites. These findings will be presented to State Attorneys General, who have the authority to investigate the extent to which a particular hosting service may or may not be willfully turning a blind eye to illegal enterprises that directly harm American consumers. So, as mentioned, beyond any implications for the Google investigation itself, last week's affirmation of AG Hood's authority in that case is likely a good sign for protecting consumers in general from the chronic I-Didn't-Know defense too often employed by various OSPs.


IP Skeptic Doctorow Notices a Problem

Last week, Cory Doctorow reported on Boing Boing that Amazon has a growing counterfeit-products problem on its hands due to a change in company policy that allows Chinese suppliers to sell directly on the platform, bypassing domestic importers. If accurate, the issue itself is not very surprising. What is surprising is that Doctorow does not acknowledge, at least not in this article, that the counterfeit outbreak he describes is an inevitable result of the anti-IP agenda he has personally supported for years.

At some point, one must toss that copy of A Declaration of the Independence of Cyberspace into the digital dumpster and accept that the internet is not a magical cornucopia whose bounty will flow only so long as it operates beyond the legal limits of the physical world. To the contrary, the virtual increasingly has significant influence on the tangible. Doctorow describes the following:

“In late 2015, there was a spate of warnings about knockoff sex toys on Amazon made from toxic materials that you really didn’t want to stick inside your body. Now this has metastasized into every Amazon category. Sometimes it’s clothes and other goods that have weird sizing, colors, or poor construction. Sometimes it’s goods that generate no complaints, but are priced so low that the legit manufacturers can’t compete, and end up pulling out of Amazon or going bust.

Or it can be the worst of both worlds: super-cheap goods that make it impossible for legit manufacturers to compete, coupled with low-quality knockoffs that generate strings of one-star reviews from pissed off customers, meaning that even if the fakes were chased off the service, the sales will never come back.”

Sound familiar? Doctorow observes that Amazon is making money on transactions that may defraud, or even endanger, consumers while simultaneously causing permanent economic harm to legitimate suppliers. Isn't that what many of us have been saying would happen when IP rights are not enforced online: that the "free culture" fiesta would extend beyond the supposed "harmlessness" of media piracy and eventually manifest as physical goods that can maim, poison, or kill people? Or at least just rip them off?

Unfortunately, the broader battle over IP protection on internet platforms has been distorted by a naive belief in the harmlessness of pirating entertainment media and the assumption that IP only serves the big conglomerates who produce those works. This feeds a sense that IP in general is just a "protectionist" regime for entrenched corporations to slow innovation. When it comes to physical goods, though, people suddenly begin to notice that protecting IP happens to protect consumers. This is why, for instance, trademark infringement is not a minor transgression. The knock-off Polo shirt won't get anyone killed, but the knock-off Graco car seat certainly could; and when one distribution service like Amazon is vying to be the "Everything Store," the possibility for widespread hazard becomes clear.

Presumably, Amazon will recognize the potential loss of consumer confidence if its counterfeit problem grows. The company could take mitigating measures akin to the effective anti-fraud practices employed by eBay, which weighed heavily in its favor in the Tiffany v. eBay litigation over counterfeit products sold on that platform (decided for eBay in 2008 and largely affirmed on appeal in 2010). That Doctorow writes the following, however, is the real hypocrisy that needs to be addressed:

“Amazon is bending over backwards to refund customers who get bad fakes, but either can’t or won’t stem the tide of fakes themselves (I run into counterfeit editions of my books on Amazon all the time). It may be that it’s more profitable to offer refunds to customers who get bad products than it is to police the millions of SKUs that are pouring in now that Chinese industry has a direct pipeline to Amazon’s customers.”

Doctorow is criticizing Amazon for tackling the counterfeit problem one infringement at a time while failing to take broader measures to “police” its own platform to “stem the tide.” Is that not a familiar refrain copyright holders have been singing about mass infringement of their works on platforms like YouTube? I think it is. Either these platforms are under the control of their owners or they’re not. Either we want a digital market that protects suppliers and consumers, or we don’t. And we can’t have the former without shedding this naive premise that the technology itself obviates the need for intellectual property enforcement, or that IP is exclusively a barrier to access, information, or innovative services.

This subject actually refers back to the first article I wrote about any of these issues, one that appeared in December 2011 in Stars & Stripes supporting SOPA/PIPA because of their associated provisions designed to keep counterfeit products out of the military supply chain. You remember SOPA, right? Certainly, the cadre of "digital rights" activists won't let you forget it as they chronically insist that all proposals to protect any kind of IP online are basically SOPA in disguise. (See Guide to Critiquing Copyright in the Digital Age.)

Likely, nobody remembers that Title II of SOPA contained anti-counterfeiting provisions, as did a companion bill to PIPA called the Combating Military Counterfeits Act, authored by Sheldon Whitehouse (D-RI). These provisions and proposed amendments would not have protected US consumers from Amazon-purchased counterfeits any more than the existing statutes (Title 18) already do, but the bills did go further to protect against certain types of counterfeiting, and both expanded the principle that trafficking in counterfeits online poses a serious threat to consumer safety.

As Doctorow’s observations forecast, someone’s eventually going to get hurt. And unfortunately, that’s often what it takes for people to demand any kind of action. Or we could change the conversation before that happens.


Prison for password sharing? Not likely.


After a ruling by the Ninth Circuit Court of Appeals, a number of blogs and articles appeared with headlines announcing that it is now a federal crime if, for instance, your kid uses your Netflix password. While that kind of headline is good for traffic and buzz, it is also typically exaggerated and misleading, at least insofar as this recent decision is concerned.

At the heart of the matter is the Computer Fraud and Abuse Act (CFAA), which has been sharply criticized for years by a number of civil liberties advocates who focus on digital-age issues. The CFAA is often referred to generically as the anti-hacking law, and there is perhaps legitimate concern that the language in the statute is overly broad and may therefore be abused by a capricious prosecutor to indict people who commit minor offenses (or non-offenses) under a law written to address serious cyber crimes.

The appeals court decision that ignited the recent flurry of headlines, United States v. Nosal, concerns David Nosal, a former employee of the executive search firm Korn/Ferry. After leaving the firm, Nosal “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal.” This is a partial description of the facts as stated in the Ninth Circuit’s en banc opinion issued in April 2012 in the same case.

There appears to be no dispute regarding Nosal's criminal liability under several other statutes for his unauthorized access of Korn/Ferry's protected data, but the appeal pertaining to the CFAA hinges on what critics, and at least some judges, feel is ambiguity over the meaning of "authority" to access a computer. Because one of Nosal's former colleagues still had credentials to log into the firm's computers, and because she voluntarily shared those credentials, can Nosal be charged with a violation of the CFAA? Does authority come from the credential holder or from the computer owner? Right there is where civil libertarians and dissenting judges say the ambiguity in the language could jeopardize you and me and every other citizen who voluntarily shares a password with a friend or family member for innocuous access to our personal accounts. From the EFF:

“Nosal’s colleagues had the authority of an authorized user, the current employee who lent her credentials. Thus, if authority can come from the account holder, as with a wife who lends her bank credentials to her husband to pay a bill, a college student who uses a parent’s Hulu or Amazon password, or someone who checks Facebook for a sick friend, then Nosal and his colleagues did not violate the CFAA.”

I wouldn't call the distinction irrelevant, but neither would I call this case a particularly good reason for everyone to overreact, which has no doubt already happened on social media threads everywhere. The employee with "authorized" access to Korn/Ferry's database may well have given her permission to Nosal and others to use her login credentials, but that in itself was a violation of the firm's rules, and it was a permission she had no "authority" to grant under any circumstances. The majority opinion is extensive on this point and argues that its interpretation of "authority" is both clear and consistent with sister circuits' decisions in precedent cases.

Meanwhile, even a very narrow interpretation of "authority" in Nosal's case is a far cry from equating those circumstances with the fact that I have a Netflix account that allows up to four devices simultaneous access to the service and that one of these may be used by my college-student son. That is what Netflix expects a family to do with an account that allows multi-device access. Moreover, unlike Nosal's "inside woman" at Korn/Ferry, I do have authority to give a friend or spouse permission to log into my Facebook account. Neither Facebook nor the federal government can mandate that the account holder be the individual who types in the credentials, to say nothing of ever proving it, so it seems like gratuitous hyperbole for EFF and other critics to compare these everyday examples to Nosal. Still, the three-judge panel produced one dissenting opinion, which the EFF describes as follows:

“While the majority opinion said that the facts of this case ‘bear little resemblance’ to the kind of password sharing that people often do, Judge Reinhardt’s dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband’s user credentials to access his bank account to pay bills, Judge Reinhardt noted: ‘So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.’ As a result, although the majority says otherwise, the court turned anyone who has ever used someone else’s password without the approval of the computer owner into a potential felon.”

Indeed, we may now be a nation of felons, and if this is so, then Congress had better get on that. But the fact that we are all guilty is the first reason we might want to calm down a bit before reacting to those scary headlines and getting into a big sweat about it. Also, while I lack the credentials to argue with an appeals court judge, I'm going to a little, because the wife in Judge Reinhardt's example does have her husband's permission to access the bank account, and the husband has the authority to grant her that permission. Judge Reinhardt knows this, though, and his point is that the statute ought to reflect the distinction between this common, family banking example and the Nosal case, in which the individual with the credentials did not have "authority" to grant access. Reinhardt writes the following in his dissenting opinion:

“The majority [opinion] does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”

Perhaps Congress will need to review the CFAA, but it seems simple enough to observe that "authority" to grant access will be predicated on the relationship between the login credential holder and the data being accessed. Korn/Ferry owns 100% of the data on its servers, its employees may access that data only under the conditions and permissions set by the firm, and this access may be revoked at the sole discretion of the firm without question. In short, nothing in the database belongs to any of the employee-users, who therefore never have authority to share access with anyone. In such a scenario, only the computer owner can have the "authority" to grant access.

This is very different from the relationship between a bank and a customer vis-à-vis one's own account information pertaining to one's own money. The bank owns the servers and the systems just as it owns the vault, but the customer owns the account information and the assets in the account and has full discretion to use either as he sees fit, while the bank has very restricted authority to access or exploit the data or the assets under management. Reinhardt's comparison might be more compelling if the wife in the scenario were cheating on her husband and gave the login credentials to a dashing third party to drain the bank account so they could run off to the Caribbean together. In this soap opera, could said dashing third party (DTP) be indicted under the CFAA in addition to other criminal charges? Arguably, the wife had more authority to grant access to the DTP than the Korn/Ferry employee had to grant access to Nosal, so I imagine the CFAA would be an overreach in this situation.

In the case of a Facebook account, the "ownership" question remains a bit vague. Many social media companies lay claim in their Terms of Service to broad rights (in practice, usually a sweeping license rather than outright ownership) over every word and image we share on their platforms, but does that make these companies the "owners" of the data in the same way that Korn/Ferry owns its data? I would argue it does not, especially since none of our shared social media data can be called "private" or Facebook's "trade secrets." As with the banking example, a social media account involves a shared "authority" to access based on the relationship between the data and the account holder, and this would seem to void any assumed violation of the CFAA. Regardless, it will likely be years before these questions are officially resolved, but I wouldn't lose years of sleep in the meantime worrying about felony charges for common password sharing.
