EFF says Section 1201 of the DMCA is Unconstitutional?

Last week, the Electronic Frontier Foundation filed suit against the federal government, naming the DOJ and the Copyright Office as defendants.  The EFF filed on behalf of plaintiffs Dr. Mitchell Green, a computer scientist and researcher at Johns Hopkins; Andrew Huang, an engineer and inventor; and Huang’s company Alphamax LLC.  The crux of the suit argues that Section 1201 of the DMCA, which prohibits circumventing technical protection measures (TPM), or trafficking in devices used for circumventing these measures that are designed to protect copyrighted works violates the First Amendment and is, therefore, unconstitutional.

The most common type of TPM consumers tend to be aware of are applications like the software on a DVD that prevents or mitigates illegal copying of the contents; but TPM are increasingly used in a broad range of devices and products because, of course, computers and software increasingly run everything we touch. For this reason, 1201 applies to a wide range of classes of copyrightable works, including software itself, and so the debate over the law invariably conflates movies and medical devices or cellphones and tractors, which means the public dialogue can be rather confusing for most of us.

We read a brief assertion in an article by Cory Doctorow—or even an opposing view—and the nitty-gritty may be ten pages of complex analysis by the Copyright Office that few people will read let alone fully understand.  Meanwhile, consumers should keep in mind that absent the provisions in 1201, products like DVDs, iPods, and Kindles would simply not exist because rights holders would not have licensed their works for distribution on these platforms. And it is characteristic of the EFF and its colleagues to focus on the restrictive aspects of a legal framework while ignoring the productive ones.

In simple terms, it is illegal to circumvent TPM, whether the copyrighted material being protected is entertainment media like an eBook or it’s the software that runs a medical device or the systems in your car. The EFF’s criticism weighs heavily on the fact that it is a violation of 1201 to circumvent TPM even if the intent is not to infringe copyright, but there are also permanent and termporary exemptions in force, recommended by the Register of Copyrights, that allow for circumvention in a number of circumstances. Every three years, the Copyright Office reviews applications for exemptions, though this process itself has been called “onerous” by the EFF and others and is likewise implicated in the question of constitutionality of the 1201 statute.

As mentioned, there are three named plaintiffs in this suit, though one can think of Andrew Huang and his company Alphamax as representing the same interests.  But in an effort to keep this post under 2,000 words, I’ll focus on the complaint regarding Dr. Green and EFF’s broad complaint that the Copyright Office triennial review process is itself stifling free speech.

That Dr. Matthew Green’s Security Research is Being Stifled

Likely, the most compelling and easiest to understand complainant is that of Dr. Green, who conducts important research into, among other things, the security systems of automobiles. This was the focus of his application for an exemption to 1201 during the last triennial session.

Dr. Green explains on his blog that because the Copyright Office failed to grant the exemptions he applied for, that a project underway in the Fall of 2015 had to be conducted in a manner less efficacious and less thorough than the best method available. He also implies that the opposition to his application from the Business Software Association might have carried undue, industry weight in the decision-making process.  But a review of the Register of Copyright’s analysis and conclusions regarding the relevant class of exemptions reveals that the Copyright Office was substantially more sympathetic to the testimony of Dr. Green and his co-applicants than it was to the opposition arguments of either the software or automotive industries.

In fact, the Copyright Office, in its Final Rule issued on October 28, 2015, recommended a broad exemption for “good faith” research like the work being conducted by Dr. Green, but it also recommended a 12-month waiting period to implement this exemption.  Although this delay may be a source of frustration for researchers and the EFF, it was not proposed due to industry opposition to the exemptions. Instead, the Copyright Office recommended the one-year delay in deference to various federal agencies that had weighed in with concerns regarding some of the proposed exemptions.

For instance, the EPA stated that certain aspects of the work to be conducted could “slow or reverse gains made under the Clean Air Act.”  How?  I have no idea.  But neither does the Copyright Office because they’re not authorized to have an opinion about the environment. So because some of the concerns raised are outside copyright’s purview, the Register proposed  the delay in order to give other federal agencies time to review. That’s what they’re supposed to do, and neither Dr. Green nor the EFF appear to acknowledge that there is an extent to which this research is being slowed by federal agencies which have nothing to do with copyright or Section 1201.

Moreover, the timing of EFF’s big play to argue the unconstitutionality of the entire law is odd in light of the fact that the Copyright Office is largely in agreement with applicants like Dr. Green. In fact, the Copyright Office could not have been more clear in its agreement that the current permanent exemptions for security research are not sufficient to protect Dr. Green and his colleagues from liability.  But when the office called for recommendations to 1201 in the beginning of this year, neither the EFF nor any of its sister organizations filed comments with a view toward amending these permanent exemptions.

So, one question worth asking is why the EFF does not use its considerable resources to seek amendment(s) to the permanent exemptions rather than work toward the less likely outcome that the entire statute will be declared unconstitutional?  After all, as a practical matter, if the real interest is enabling people like Dr. Green to work at his best as soon as possible, fixing the permanent exemptions is a far more practical enterprise than the prospect of having the Supreme Court vitiating all of 1201 several years from now. This seems especially true when the Register already agrees that the current statutes are inadequate.

That the Triennial Review Process is Stifling Speech

Roughly one-third of the EFF’s complaint focuses on the alleged inadequacy of the triennial review process itself. Their contention is that the process is so cumbersome and slow that it fails to fulfill its purpose to provide an adequate counter-balance to 1201’s restrictions and also constitutes a prior restraint on speech by delaying applicants’ ability to engage in otherwise legal, non-infringing research or publication.

Two things seem odd about this section of the complaint.  The first is that it focuses on 1201’s alleged, broad infringement of the speech of filmmakers* and teachers despite the fact that the named plaintiffs in the lawsuit applied for exemptions having nothing to do with filmmaking or teaching.  The second is that the Copyright Office actually did recommend exemptions for a large number of requests pertaining to filmmakers and teachers, though, apparently these did not go far enough for the EFF, which scorns rejections—like an exemption for “narrative filmmakers”—as evidence that 1201 is stifling speech.  Of course, considering this particular class of filmmaker begs detailed analysis because the majority of narrative film uses are not generally fair uses. So, this part of the complaint begins to sound like EFF may be making its usual free speech mountain out of a copyright molehill.

Also, with regard to the alleged onerousness of the review process, the public should note that the process is a rather large task resulting in decisions that have far-reaching implications throughout the market.  Exemptions apply to everyone, not just the applicants.  So, when the CO said that it’s cool for a K-12 teacher to “rip” film clips from his DVD collection to bring into class to teach film or cultural studies, that circumvention is now kosher for all teachers doing the same thing across the country. So, because these rulings are not narrow decisions (like fair use judgments), it seems reasonable that reviews happen triennially and that applicants bear some substantial burden to argue their cases for various exemptions.  The CO’s complete review of the last round of applications is over 400 pages long.  How frequently should the agency engage in that level of detailed analysis and make recommendations that have considerable effect in the market, and which must conform to existing laws beyond the scope of copyright?

And once again, the timing of this complaint is curious because the Register earlier this year recommended that, going forward, all successful petitions not opposed in the next review cycle need not be re-litigated.  This is relevant because the EFF specifically cites the need to re-apply for exemptions every three years as evidence of undue burden, but it ignores the fact that the Copyright Office acknowledges the issue and is making recommendations to mitigate the problem.  So, the big question reprises:  Why is EFF more eager to try to strike down the entire law than it is to work with the Copyright Office to address some of the very flaws the Register agrees exist?

Based on just the complexities I have tried to articulate here—and which only scratch the surface—it seems unlikely the First Amendment complaint will make as much progress as it will make noise. Yes, we want to protect fair use for expression and the ability of researchers to ensure our safety and security while living with our computerized products. But the record indicates that the Copyright Office is in synch with these views.  We’ll see what the courts say.

“Don’t Use Our Songs”

There was no way I could not share this. I recommend watching all the way through to the end.  Is the message entirely on solid ground copyright-wise?  Not quite.  Is the sentiment in the right place?  I think so.  And it’s funny as hell and includes a nice shout out to one of my favorite bands, The Dropkick Murphys.

Happy Monday.

DN

 

DCA’s New Report on Enabling Malware

Enabling Malware

Andrew Orlowski reports at The Register that last week Google quietly suspended its legal action to “muzzle” an investigation by Mississippi Attorney General Hood into whether or not the search giant was abiding by the terms of its 2012, non-prosecutorial settlement with the government over illegal online sales of prescription drugs.  Any explanation of Google’s change in strategy or the future of that investigation are subjects for another day.  But the fact that AG Hood was ultimately not stymied—either by litigation or by a brazen attempt in the State House of Representatives to legislatively tie his hands—is probably good news for American consumers because State Attorneys General “often act as the de facto consumer protection arm in their respective states,” notes a new report published yesterday by Digital Citizens Alliance.

Following up on its December report, which presented a look into the scope of the malware hazard for consumers who visit content-theft sites, DCA and RiskIQ have again collaborated to begin looking at the hosting services that either inadvertently or knowingly support illegal sites, which then endanger consumers.  The hosting services in this regard are particularly relevant because they are not shadowy operators based in hard-to-reach geographies but are legal corporations with offices in the United States.  As such, the news that Google will now look to “cooperate with AG Hood” rather than remain on the offensive comes at a good moment for consumers.  This is because DCA notes that state AGs will be the first authorities who may choose to investigate US-operating hosting services to determine their role in fostering the dissemination of malware.

The December report called Digital Bait revealed the likelihood (about 30% in some cases) that users of content theft sites would infect their devices with malware, and the report also identified the various types of malware being deployed in order to steal information and/or assets from consumers.  Digital Bait also presented a glimpse into the dark web-based economy where criminals engage in transactions like selling the IP addresses of a girl’s computer or even a cybercriminal paying content-theft site owners to deliberately host malware on their sites.  The report contains some eye-opening statistics like the one from the DOJ, which states that 16.2 million American consumers have been victims of identity theft, incurring financial losses of more than $24.7 billion.

The report released yesterday, Enabling Malware, looks at two hosting companies, each of which responded very differently when DCA contacted them with their findings.  The first was CloudFlare, which is “known for its willingness to support, or at least overlook, illicit activities,” the report states.  CloudFlare is a hosting service that is specifically designed to mask the identity of site owners and of the true hosting site of any content, whether the content is legal or not.  The site’s blog reads, “Signing up for CloudFlare is like taking your number out of the phone book, and putting in CloudFlare’s number under your name.”

This type of service can be (and is) used by journalists or bloggers operating in locations with authoritarian governments or other hazards to free speech and reportage.  But it is also a natural hosting choice for content-theft site owners, thus earning the service the nickname “CrimeFlare” among cyber-security experts. DCA contacted CloudFlare with regard to its hosting sites like Putlocker and Animex, both of which were identified in the Digital Bait report as delivering malware to users.  CloudFlare did not respond until a day or two before the release of this new report and wrote the following:

“CloudFlare’s service protects and accelerates websites and applications. Because CloudFlare is not a host, we cannot control or remove customer content from the Internet. CloudFlare leaves the removal of online content to law enforcement agencies and complies with any legal requests made by the authorities. If we believe that one of our customers’ websites is distributing malware, CloudFlare will post an interstitial page that warns site visitors and asks them if they would like to proceed despite the warning. This practice follows established industry norms.”

In other words, CloudFlare is not going to do anything unless authorities make them.

The other hosting service DCA and RiskIQ looked at was HawkHost, whose support includes watchfreemoviesonline.top, which was found to have a 32% malware exposure rate in the research conducted for the Digital Bait report. When DCA contacted HawkHost, the company’s response was very different from CloudFlare’s, stating that the sites identified by DCA would be taken down because they “clearly violate our TOS/AUP,” according to CTO Cody Robertson. Additionally, executives at HawkHost have agreed to meet with DCA to discuss findings linking malware with content theft sites and to look for ways to better protect consumers.  DCA commends HawkHost, stating that they find the company’s response “an encouraging sign.”

DCA and RiskIQ will continue to study the link between content-theft sites and malware, as well as the legal hosting services that operate in the United States, which may be supporting malware-infested sites. These findings will be presented to State Attorneys General, who then have the authority to investigate the extent to which a particular hosting service may or may not be willfully turning a blind eye to illegal enterprise that is directly harming American consumers.  So, as mentioned, beyond any implications regarding the Google investigation itself, last week’s affirmation of AG Hood’s authority in that case is likely a good sign for protecting consumers in general from the chronic I-Didn’t-Know-Defense too-often employed by various OSPs.