Monday, 26 March 2007

Sanctions against KinderStart

I just learned that Google has won a dismissal and sanctions in the lawsuit brought by KinderStart. The dismissal order was without leave to amend, meaning that KinderStart's claims are dead. The court also ordered that KinderStart and its attorneys will be sanctioned.

KinderStart asserted a panoply of claims, including violation of the First Amendment, the Sherman Antitrust Act, unfair competition and unfair business practices under California law, and defamation. KinderStart's complaint specifically alleges that Google manipulates search results to censor political and religious speech and to boost the search results of companies that pay Google or comply with demands that Google makes. It also alleges that Google reduced KinderStart's position in search results and assigned it a PageRank of zero.

The sanctions come under Rule 11 of the Federal Rules of Civil Procedure. Rule 11 authorizes the court to "impose an appropriate sanction upon the attorneys, law firms, or parties that" file any paper without an appropriate factual or legal basis. "A sanction imposed for violation of this rule shall be limited to what is sufficient to deter repetition of such conduct or comparable conduct by others similarly situated."

In this case, the court found that several allegations made by KinderStart and its attorney, Gregory Yu, are "factually baseless and [that] Yu failed to perform an adequate investigation before filing them." The court will fix the amount of the sanction after it receives supplemental papers from Google "identifying the fees associated with its motion for sanctions and with other motion practice related to the sanctionable allegations. The Court will determine the amount of monetary sanctions after receiving Google's submission and Yu's response."

Posted at 7:36:58 PM | Permalink

Topics: Cyberlaw, Technology

Tuesday, 27 February 2007

Posner's GPS society

I finally got around to reading U.S. v. Garcia, Case No. 06-2741 (7th Cir. February 2, 2007). I figured the hysterical blog posts were overstating Judge Posner's opinion for the Seventh Circuit. But I may have been wrong.

In Garcia, the defendant was charged with crimes relating to making methamphetamine. The police had received tips that the defendant was making meth, and they gathered evidence by tracking his car. Instead of assigning an officer to follow the car, they placed a GPS device under the rear bumper.

The police placed a GPS (global positioning system) "memory tracking unit" underneath the rear bumper of the Ford. Such a device, pocket-sized, battery-operated, commercially available for a couple of hundred dollars (see, e.g., Vehicle-Tracking, Incorporated, "GPS Vehicle Tracking with the Tracking Key," www.vehicle-tracking.com/products/Tracking_Key.html, visited Jan. 21, 2007), receives and stores satellite signals that indicate the device's location. So when the police later retrieved the device (presumably when the car was parked on a public street, as the defendant does not argue that the retrieval involved a trespass), they were able to learn the car's travel history since the installation of the device. One thing they learned was that the car had been traveling to a large tract of land. The officers obtained the consent of the tract's owner to search it and they did so and discovered equipment and materials used in the manufacture of meth. While the police were on the property, the defendant arrived in a car that the police searched, finding additional evidence. [Slip Op. at page 2]

The court held that this did not constitute either a "seizure" or a "search" under the Fourth Amendment. The police therefore were not required to have a warrant or probable cause — or even a reasonable suspicion that Mr. Garcia had committed a crime.

Under this rule, the police are free to attach GPS tracking devices to any car at any time, and they can probably do it for any purpose. So long as they avoid direct harassment or a similar misstep, they can track protesters who exercise their First Amendment rights. They can track citizens with information embarrassing to public officials. They can track ethnic Arabs. And it's (apparently) legal.

I think I agree with the court on the seizure question. The police installed the device without the defendant's knowledge, so he was not deprived of the free use of the car. The device didn't take up any space in the passenger or storage compartments, so it didn't diminish his enjoyment of the car. I suppose the slight additional weight may reduce the car's gas mileage, so it might have imposed a slightly increased cost of operating the car. But that cost is probably negligible, impossible to measure, and overwhelmed by the weight of other cargo. So I would have a hard time calling this a "seizure" of the car.

I think I disagree on the search question, however. Judge Posner wrote (slip op. at pages 4–6):

The Supreme Court has held that the mere tracking of a vehicle on public streets by means of a similar though less sophisticated device (a beeper) is not a search. United States v. Knotts, 460 U.S. 276, 284-85, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983). But the Court left open the question whether installing the device in the vehicle converted the subsequent tracking into a search. Id. at 279 n. 2. […]

If a listening device is attached to a person's phone, or to the phone line outside the premises on which the phone is located, and phone conversations are recorded, there is a search (and it is irrelevant that there is a trespass in the first case but not the second), and a warrant is required. But if police follow a car around, or observe its route by means of cameras mounted on lampposts or of satellite imaging as in Google Earth, there is no search. Well, but the tracking in this case was by satellite. Instead of transmitting images, the satellite transmitted geophysical coordinates. The only difference is that in the imaging case nothing touches the vehicle, while in the case at hand the tracking device does. But it is a distinction without any practical difference. […]

This cannot be the end of the analysis, however, because the Supreme Court has insisted, ever since Katz v. United States, 389 U.S. 347, 88 S. Ct. 507, 19 L. Ed. 2d 576 (1967), that the meaning of a Fourth Amendment search must change to keep pace with the march of science. So the use of a thermal imager to reveal details of the interior of a home that could not otherwise be discovered without a physical entry was held in Kyllo v. United States, 533 U.S. 27, 34, 121 S. Ct. 2038, 150 L. Ed. 2d 94 (2001), to be a search within the meaning of the Fourth Amendment. But Kyllo does not help our defendant, because his case unlike Kyllo is not one in which technology provides a substitute for a form of search unequivocally governed by the Fourth Amendment. The substitute here is for an activity, namely following a car on a public street, that is unequivocally not a search within the meaning of the amendment.

Fourth Amendment jurisprudence grew up in an era when practical constraints (like manpower and cost) limited surveillance to situations where crime was reasonably probable. Our society's balance between liberty and government power depended on these practical constraints. When a constraint is removed, the balance is upset. This is one of the most fascinating themes of science fiction literature. Imagine some activity that is limited today by practical constraints. Then imagine a technology that removes the constraint and examine the implications of our current laws and values when the activity is unrestrained. Unfortunately, Judge Posner is writing law and not science fiction.

Judge Posner recognizes that a tipping point will come when some new technology allows police to gather information quickly and cheaply on a massive scale where it would otherwise require expensive efforts. At that time, Judge Posner writes, we will have to reexamine the Fourth and Fifth Amendments to see if sui generis violations occur. He even acknowledges that "programs of mass surveillance of vehicular movements" may require the courts "to decide whether the Fourth Amendment should be interpreted to treat such surveillance as a search." (Slip op. at page 8)

Unfortunately, Garcia precludes this possibility and requires its own reversal whenever Judge Posner feels that day has come. If one instance of an act is not a search under the Fourth Amendment, as Judge Posner insists, then two instances of the same act are also not a search. How many does it take? I can't think of a good reason to pick any number. Either the act has Fourth Amendment implications or it doesn't.

The court expressly ignored the possibility that a trespass occurred because Mr. Garcia didn't raise it. (The court assumed the GPS device was retrieved while the car was parked on a public street.) Initially, I thought this might be the answer to my troubling Fourth Amendment concerns, but it isn't. Even if the police retrieve the device while the car is parked in a public place, the fact of tracking on a private road might provide some basis for finding that a search occurred. I don't think this makes me feel better, however, for two reasons. First, most people simply don't drive on many private roads. Second, I don't think Fourth Amendment rights should be that serendipitous — my rights could be different on Tuesday and Wednesday, depending on my schedule.

I don't have a good answer to these issues yet. The only thing I can say for sure is that Judge Posner's reasoning makes me uncomfortable because it is absolute.

Posted at 7:45:30 AM | Permalink

Topics: Cyberlaw, Privacy, Technology

Saturday, 7 October 2006

Google selling page rankings and lying about it?

Last Thursday, Google won a motion to dismiss a trademark infringement suit brought by Rescuecom Corporation. The court's decision is here, news coverage is here, and commentary is here. Others have already written about the trademark issues and other fallout (see: 1, 2, 3, 4). I am more interested in a small paragraph on page 4 of the court's decision, which indicates that Google is selling page rankings.

The court wrote:

Defendant [Google] does not always identify sponsored links as advertisements and it designs those appearing at the top of the search results to look like a part of the "non-sponsored" search results. As a result, Internet users may infer, based on a sponsored link's appearance at the top of the list of search results, that a sponsored link is the most relevant website among the search results. An Internet user can "click" on the sponsored link with a mouse to go to the advertiser's website. Advertisers pay defendant based on the number of clicks the sponsored link receives.

Passing off paid ads as relevant search results would mean the end of Google's integrity. If, of course, that is really what is happening. I have not read the parties' briefs, so I do not know where the court learned this "fact". This section of the decision was a summary of the facts alleged in Rescuecom's Complaint, which the court must assume to be true for purposes of this motion — not the court's own conclusions.

For its part, Google insists that its famous PageRank system is unbiased and not for sale and that AdWords ads (keyword-linked ads) appear only to the side of "relevant search results."

This may simply be a case of sloppy writing by the court or by the plaintiff. Or it could be a lie — by the plaintiff (to the court) or by Google (to the public). Either way, I am curious to know the truth.

Posted at 4:44:50 PM | Permalink

Topics: Cyberlaw

Saturday, 30 September 2006

Don't Download This Song

"Weird Al" Yankovic has been a consistent commentator on pop culture for over two decades. He struck gold with a song from his new album, Straight Outta Lynwood, called "Don't Download This Song", which he has released as an electronic postcard video. Also, I just learned that Al is on MySpace.

Posted at 7:47:32 AM | Permalink

Topics: Cyberlaw, IP

Wednesday, 28 June 2006

Ratings and warnings of "sexually explicit material"

According to a C|Net article, the Senate Commerce Committee approved an amendment to a bill that would require web site operators to place a label on their home pages if the site contains "sexually explicit material" and to "rate 'each page or screen of the website that does contain sexually explicit material' with a system to be devised by the Federal Trade Commission" ("Senators adopt Web labeling requirement").

There is no hope that a workable system could be based upon that rule. Set aside for the moment the probably-fatal First Amendment concern that "sexually explicit material" is unlikely ever to be defined clearly enough to survive judicial scrutiny and that we would need such a definition for multiple categories of sexually explicit material. The stated purpose of the bill presumes that children do not want to see sexually explicit material. According to the article:

"This will protect children from accidentally typing in the wrong address and immediately viewing indecent material," said Sen. Conrad Burns, a Montana Republican who is the co-founder of the Congressional Internet Caucus.

Have you ever known a child to walk away from something sexually explicit without looking at it? I doubt such a child exists.

Posted at 7:16:12 AM | Permalink

Topics: Civil Liberties, Cyberlaw

Monday, 5 December 2005

Libel suits against bloggers

The Media Law Resource Center (MLRC) has posted a list of lawsuits against bloggers involving libel and other claims. I admire their pluck. Quoth the introduction:

This list, which is an outgrowth of the Pre-Dinner Symposium on Blogging held on Nov. 9, 2005, includes the cases that MLRC is aware of in which bloggers have been sued for libel and related claims; it also includes a criminal case against bloggers in Ohio. The list also includes links to articles reporting on these cases, and court decisions when available.

Via Internet Cases

Posted at 9:57:45 PM | Permalink
| Comments (0)
Topics: Cyberlaw

Tuesday, 15 March 2005

I've been trolled

In the last 24 hours I received several emails relating to my last blog post, "Piracy Phishing." A couple have informed me (one politely, one hilariously) that I have been trolled. The "email" I received from "Jack Meihoff" of LiquidGeneration is a well-executed spoof. Run to your nearest Flash-enabled browser and check out this explanation of the gag.

Posted at 8:33:08 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/272
Topics: Cybercrime, Cyberlaw, IP, Technology

Saturday, 5 March 2005

Piracy Phishing

"Phishing" is a growing problem. In a cross between spam and scam, an email designed to look like a legitimate query from eBay, your bank, or someone else you trust purports to alert you to some problem and asks you to visit a web site, type in your name and password, and verify some information. The press has spent a lot of ink on this recently.

I just caught a phish with an interesting twist. The email I received purports to be from the Motion Picture Association of America (MPAA). It accuses me of pirating movies and demands an unspecified payment. Then it provides a link which, I am told, will tell me the exact amount I owe to settle the claims of MPAA. The email is quoted below.

Unfortunately, the MPAA has never heard of the sender, Jack Meihoff, and it also states that it does not handle piracy cases in this manner. Also, the MAC address identified in the email is fictitious, and the domain in the link it points to (saynotopiracy.org) is registered to an entity called LiquidGeneration, Inc., incorporated in Illinois. The only individual person associated with its whois entry is one Bruce Freud. He can apparently be reached at:

Bruce Freud
LiquidGeneration, Inc.
200 E. Ohio, Suite 200
Chicago IL 60611
(312) 573-0123
bruce@liquidgeneration.com

I can find no mention of Jack Meihoff, Bruce Freud, or LiquidGeneration on MPAA's web site, and Google returns no hits for searches on mpaa.org for those keywords. Very likely, LiquidGeneration wants me to click on the link (which contains a long string of random-looking characters) to verify my email address in its spam database. The email originated from db1.liquidgeneration.com (65.61.160.116). Maybe it even has a payment mechanism and would ask me to type in a credit card number. If anyone out there actually cares, you are welcome to investigate the matter further. For my part, I will shortly send an email to the Federal Trade Commission and the California Attorney General with a link to this post.

The email follows:


From: Jack Meihoff
To: [my email address]
Subject: Motion Picture Association of America
Date: Sat, 5 Mar 2005 13:45:36 -0600

Illegal Movie Downloads
Motion Picture Association of America
Encino, California
3/5/2005 1:45:36 PM
Dan Fingerman
MAC ADDRESS: 00-11-2F-41-BD-21
Case No.: IS035HY36NURS0E8

Mr. Fingerman,

It has been brought to our attention by John Smythe that you have been involved in the unauthorized downloading and transferring of licensed movies.

Federal laws mandate that you immediately cease and desist all illegal activities pertaining to movie theft. Further, you are required by law to pay all incurred penalties in conjunction with Amendment 34-C, officially passed on January 30, 2005.

In accordance with state jurisdictions, your failure to pay these penalties in full within 30 days of receipt of this notice will result in a warrant for your arrest. We are also required by law to inform you that a second offense will result in a minimum jail sentence of 90 days.

Penalties incurred in your particular case may be reviewed on our government Web site. All cases are deemed confidential. Penalties are assessed by each individual download, charged at a nonnegotiable rate of $1,200 per infraction. Click your specific case number (Case No.: IS035HY36NURS0E8 [link]) to view the total amount due or to dispute your case.

Sincerely,
Jack Meihoff
Piracy Agent
Motion Picture Association of America

Posted at 1:33:34 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/271
Topics: Cybercrime, Cyberlaw, IP, Technology

Thursday, 19 August 2004

MGM v. Grokster affirmed

Right now I have nothing to add to what is being said on the 9th Circuit's affirmation [pdf] of MGM v. Grokster — except to recommend Ernest's comments, then Derek's Leftovers and Frank's link collection.

...And then let's raise our voices with a collective WOOHOO!!!

Posted at 8:36:49 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/246
Topics: Civil Liberties, Cyberlaw, IP, Technology

Thursday, 6 May 2004

CAN-SPAM Library

New: Gigalaw has launched the CAN-SPAM Library (www.canspamlibrary.com) — a collection of law, articles, studies, commentary, discussion, and links on the CAN-SPAM Act. Well worth reading (and linking). Via GrepLaw.

Posted at 10:07:06 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/224
Topics: Cyberlaw, Spam, Technology

Friday, 9 January 2004

Treasury breaks privacy policy because it's convenient

The Alcohol and Tobacco Tax & Trade Bureau (an arm of the U.S. Treasury Department) lied to us.

Declan explains on C|NET that in March 2003 TTB solicited comments from the general public on "a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice." The Bureau promised: "For the convenience of the public, we will…post comments received in response to this notice on the TTB Web site. All comments posted on our Web site will show the name of the commenter, but will not show street addresses, telephone numbers, or e-mail addresses." Far be it from us to expect an express promise to be kept. Fortunately (for democratic interests) but unfortunately (for TTB), the agency was overwhelmed with comments.

As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to nprm@ttb.gov. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax — and decided it could no longer keep its promise.

"The unusually large number of comments received…has made it difficult to remove all street addresses, telephone numbers and e-mail addresses from the comments for posting on our Internet Web site in a timely manner," the Treasury Department said in a follow-up notice, published last month in the Federal Register. "Therefore, to ensure that the public has Internet access to the thousands of comments received…at the earliest practicable time, we will post comments received on that notice on our Web site in full, including any street addresses, telephone numbers, or e-mail addresses contained in the comments."


If a private company pulled a stunt like this and published the addresses of 10,000 people, its executives would go to prison. The government, however, has a long history of treating itself differently. See, for example, Congress' eagerness to spam voters a week after passing the CAN-SPAM Act.

Via beSpacific

Posted at 12:22:15 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/183
Topics: Cybercrime, Cyberlaw, Privacy, Spam

Wednesday, 7 January 2004

FBI uses web bug to track extortionist?

Abandoning the incentives not to report cybercrime (see my last blog entry), Best Buy called in the FBI when it received emails threatening to expose security weaknesses in its e-commerce site unless the retail giant forked over $2.5 million. The Bureau worked with Best Buy to snare Thomas E. Ray III, of Mississippi, the would-be scammer. The most interesting feature of this case is in the tools used by the FBI to catch the alleged blackmailer. The Bureau responded to Ray's messages with its own emails laced with something that allowed it to trace the IP address from which he read them.

Unfortunately, the early press reports are unclear as to exactly what that something was. The St. Paul Pioneer Press reports that the investigation "was aided by a computer-tracing technique." The FBI got "permission from the courts to use a specialized e-mail device — called the Internet Protocol Address Verifier — to track down the author." I have no idea what an "Internet Protocol Address Verifier" is, but it sounds an awful lot like a web bug.

Web bugs are tiny pictures embedded in email messages using HTML. When an HTML-enabled mail client opens the message, it renders the HTML — including any image tags. The sender can embed an image tag that will query his own web server for an image file, then examine his server logs to determine from what IP address the query came. For example, I could send an email with HTML tags pointing to images stored on www.danfingerman.com, then record the IP addresses of all requests for that image. After I collect the IP addresses and dates & times the image was accessed, I could take a page from RIAA's playbook and find a way to intimidate ISPs into telling me which individuals were using each IP address at the relevant date and time. Then I would know who read my email, the exact date and time, and I could get more information with some extra effort — like the reader's home address and phone number or the geographic location where he read the message.

Web bugs got the name bug after spammers started using them to verify email addresses. Recording calls to an image stored in a static location on a web server is not very helpful when you send email to millions of addresses and have no good way to link each IP address & time/date combination to a particular email address. (Believe it or not, the DMCA does have limits.) Spammers began to design web server software with dynamic links to a single image measuring 1x1 pixel. The images are tiny so that most people will not notice them (how often do you really view the source code of your email?) and to make them load quickly — before most people could hit the delete key. The relevant HTML tag written into each individual email would include a directory path that included the address to which that message was sent. Then, the web server's log would record the image request with the email address (as a simple text string) as part of the directory path to the image. This made it obvious which email addresses the queries were coming from. "Verified" email addresses are like gold for spammers, and they would use this information to charge higher prices for their services — because they could now guarantee that a higher percentage of their emails were being delivered to addresses where an actual person would see them.
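How a mail filter might spot the web bugs described above before a message is rendered; this is an added example, not code from the original post. The sample message, the host names and the recipient address reader@example.com are constructed, and the two heuristics (a tiny or hidden image, the recipient's address in the image URL) are assumptions taken from the description rather than a complete detector.

```python
"""Flag likely web bugs (tracking pixels) in an HTML email before rendering it."""
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name.lower(): (value or "") for name, value in attrs})


def is_tiny_or_hidden(img):
    """True for images declared as at most 1x1 pixel or hidden with CSS."""
    def pixels(attr):
        value = img.get(attr, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        return int(value) if value.isdigit() else None

    width, height = pixels("width"), pixels("height")
    style = img.get("style", "").replace(" ", "").lower()
    declared_tiny = (width is not None and height is not None
                     and width <= 1 and height <= 1)
    return declared_tiny or "display:none" in style


def find_web_bugs(raw_message, recipient):
    """Return remote images that would report this reader back to the sender.

    Only http(s) images are considered: cid: and data: images are carried
    inside the message, so rendering them contacts no server.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text mail cannot carry an image tag
    collector = ImgCollector()
    collector.feed(html_part.get_content())

    findings = []
    for img in collector.images:
        src = img.get("src", "").strip()
        try:
            parts = urlsplit(src)
        except ValueError:
            continue  # malformed URL, nothing a client could fetch
        if parts.scheme not in ("http", "https"):
            continue
        reasons = []
        if is_tiny_or_hidden(img):
            reasons.append("1x1 or hidden image")
        # The address may be percent-encoded (%40 for @), so decode first.
        if recipient.lower() in unquote(src).lower():
            reasons.append("recipient address in URL")
        if reasons:
            findings.append({"host": parts.hostname, "url": src, "reasons": reasons})
    return findings


def build_sample():
    """Constructed newsletter: a logo, a classic web bug, a tagged banner, an inline image."""
    msg = EmailMessage()
    msg["From"] = "news@example.net"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "Quarterly newsletter"
    msg.set_content("Quarterly newsletter (plain-text part).")
    msg.add_alternative(
        "<html><body><p>Quarterly newsletter</p>\n"
        '<img src="https://static.example.org/logo.png" width="200" height="60">\n'
        '<img src="http://track.example.net/open/reader%40example.com/p.gif"'
        ' width="1" height="1">\n'
        '<img src="https://img.example.net/banner.jpg?u=reader@example.com"'
        ' width="600" height="90">\n'
        '<img src="cid:banner01" width="1" height="1">\n'
        "</body></html>\n",
        subtype="html",
    )
    return msg.as_string()


if __name__ == "__main__":
    for finding in find_web_bugs(build_sample(), "reader@example.com"):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

Mail clients that block remote images by default stop the request from being made at all, so the sender's log never records the reader's IP address.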

The Pioneer Press article makes the FBI's Internet Protocol Address Verifier sound a bit like a web bug, but it is ambiguous. For example, it calls the verifier "a specialized e-mail device." Furthermore, the St. Paul Star Tribune had this to say ("Feds thwart extortion plot against Best Buy"):

The federal search warrant was obtained the morning of Oct. 24 [2003] and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.

Assistant U.S. Attorney Paul Luehr said the address verifier was one of several investigative tools the government used to track Ray down.

"It was a tool that helped us confirm that other leads were moving in the same direction," said Luehr, who declined to discuss details of the investigation.


Did you see that? The Star Tribune called the verifier "a program." A web bug could never be confused with a "program." The source of my confusion should now be obvious.

If anyone knows what the heck an Internet Protocol Address Verifier really is, please let me know.

Posted at 12:11:01 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/178
Topics: Civil Liberties, Cybercrime, Cyberlaw, Spam

Tuesday, 6 January 2004

Diebold/DMCA summary & analysis

Mary Bridges of the Berkman Center has published "Diebold v. the Bloggers." The essay is a nice summary and analysis of the DMCA's darkest days to date. (Via A Copyfighter's Musings)

Posted at 7:57:00 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/175
Topics: Civil Liberties, Cyberlaw, DMCA, IP, Technology, eVoting

Monday, 5 January 2004

Norwegian authorities drop DeCSS case

Mary of bIPlog reports that the Norwegian prosecutors on the DVD Jon case have decided not to appeal his second acquittal. This is wonderful news.

Posted at 11:03:11 AM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/170
Topics: Civil Liberties, Cybercrime, Cyberlaw, DMCA, IP, Technology

Monday, 29 December 2003

Cyberbullying and school (in)action

The Christian Science Monitor has a feature article by Amanda Paulson on "cyberbullying." The article outlines the problem, analyzes it as merely a new platform for old-fashioned bullying, and discusses the perils of censoring speech for short-term disciplinary goals. I think that analysis is on the right track, but I would like to add a few points.

The article ignores the granddaddy of all cyberbullying cases and the publicity that surrounded it — the case of Jake Baker and the University of Michigan. Mr. Baker's First Amendment defense ultimately led to his exoneration of charges of making threats. (See the EFF case archive for comprehensive information.) The CS Monitor article does, however, discuss the more recent case of "Ghyslain, the Canadian teenager who gained notoriety this year as 'the Star Wars kid.'" This young man videotaped himself goofing around with a broomstick, as if it were a fighting staff.

Some peers got hold of the video, uploaded it to the Internet, and started passing it around. Doctored videos, splicing him into "The Matrix," "The Terminator," or the musical "Chicago," with added special effects and sounds, soon followed. He's now the most downloaded male of the year. According to news reports, he was forced to drop out of school and seek psychiatric help.

"It's one of the saddest examples," says [Glenn Stutzky, an instructor at the Michigan State University School of Social Work]. "He did one goofy little thing, and now it will always be a part of that young man's life."

The article also mentions that (public) schools may lack the authority to shut down off-campus channels of speech used for bullying. The author seems to divide this into two distinct points, one practical and one legal, but it could stand some clarification. First, schools lack the practical ability to censor such centralized speech channels as web-based bulletin boards and instant messaging networks — because the school is not the central entity. These are generally physically controlled by private companies. When it comes to open and decentralized channels (like email, IRC, or usenet), the school has no chance. Second, the legal barriers. Any action that schools take or fail to take can open them up to the modern American pastime, lawsuits. Any course of action necessarily requires the school to make judgments that pit one student's civil rights against another's — specifically, the right of the bully to speak vs. the right of the victim to have a public education free from harassment. Schools are understandably reluctant to break any new ground in this context. If I were a school board lawyer, I might recommend the most conservative course of action I could think of.

However, schools are not always so loath to target Internet speech that is generated off-campus. Some get trigger happy when a student's web site criticizes teachers or administrators. Just the other day, I blogged on a recent case involving the Oceanport School District in New Jersey. I could probably turn up ten more examples in as many minutes on Google.

Finally, I want to highlight a case described in the article that displays the best the First Amendment has to offer. "J. Guidetti, principal of Calabasas High School, did get involved, after comments on schoolscandals.com caused many of his students to be depressed, angry, or simply unable to focus on school." All of Guidetti's initial efforts failed — as long as he used a law-enforcement approach. Then, he decided to counter speech with speech:

Eventually, a local radio station got involved and put enough pressure on the people running the site — a father-son duo — that they took it down in the spring. Already, there's a schoolscandals2 — relatively harmless, so far. Guidetti checks it regularly for offensive content, one of the ever-growing tasks of a 21st-century principal.

To be clear, I do not advocate publicly shaming people for their speech. However, opinions that wilt in sunlight are exactly the sort that the Framers of the constitution believed could be controlled by encouraging counter-speech. Guidetti engaged in honest public debate, convinced more people than his opponents, and won the day. By taking his case to the airwaves, Guidetti created speech where he had previously tried to destroy it, and liberty had a rare chance to serve a utilitarian purpose.

Posted at 9:45:19 PM | Permalink
| Comments (1)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/161
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Technology

Sunday, 28 December 2003

Congressional spam

The New York Times points out, rather amusingly, that most members of Congress were engaged in sending a massive wave of unsolicited email to their constituents this weekend — barely ten days after unanimously approving the CAN-SPAM Act. Article: "We Hate Spam, Congress Says (Except Ours)."

"They are regulating commercial spam, and at the same time they are using the franking privilege to send unsolicited bulk communications which aren't commercial," David Sorkin, a professor at the John Marshall Law School in Chicago, said. "When we are talking about constituents who haven't opted in, it's spam."

Posted at 6:30:55 PM
Topics: Civil Liberties, Cyberlaw, Politics, Spam, Technology

Wednesday, 24 December 2003

Year 2003 in cyberlaw

Doug Isenberg, founder of GigaLaw, summarizes the year 2003 in cyberlaw: "Internet law in 2003 was full of surprises, with Congress passing an antispam bill, the courts blessing pop-up advertising, the music industry losing lawsuits and the Supreme Court finally upholding an Internet law." (Via Inter Alia)

Posted at 8:58:15 PM
Topics: Cyberlaw, Spam, Technology

Commence lobbying

Evan Hansen writes on C|Net: "Will DVD acquittal mean tougher copyright laws?" His answer is yes.

Even before [Norway's prosecution of DVD-Jon] was filed, however, entertainment industry lobbyists had been pressing lawmakers in that country and elsewhere to enact tougher copyright laws, modeled on controversial U.S. legislation that makes it easier for authorities to win prison terms for people who crack encryption schemes or distribute cracking tools. If enacted, proposed legislation in Europe, Canada, Australia and Central and South America would soon hand entertainment companies similar weapons against people caught tinkering with anticopying software.
[…]
In some ways, the Johansen ruling offers a simple reminder that different countries have different laws, and companies can't rely on protections established in one region to protect them elsewhere. But the case also points to an aggressive drive in the entertainment industry to win greater global conformity in copyright law, modeled on the DMCA.
[…]
As Norway illustrates, however, the process can move slowly, leaving the entertainment industry exposed to weaker copyright rules in regions where DMCA-like laws have not yet been passed.
Via Furdlog.

Posted at 6:47:08 PM
Topics: Cyberlaw, DMCA, IP, Politics

CyberAge Stalking on LLRX

Barbara Fullerton of Locke, Liddell & Sapp has published an interesting article on LLRX called "CyberAge Stalking." She reviews several high-profile cases, the tools used in each case, and the statutes passed in their aftermaths.

Posted at 3:45:24 PM
Topics: Cybercrime, Cyberlaw

Monday, 22 December 2003

DVD-Jon acquitted — again!

The Norwegian newspaper Aftenposten reports that Jon Johansen has been acquitted — again ("DVD-Jon wins new legal victory"). He was being tried for copyright infringement a second time (by an appellate court, this time) for his role in creating DeCSS. The power brokers in the movie industry are, of course, "disappointed."

Posted at 9:31:42 AM
Topics: Cybercrime, Cyberlaw, IP

Saturday, 20 December 2003

DC Circuit stumps RIAA

By now the world has heard of the D.C. Circuit decision in RIAA v. Verizon. Previously, the D.C. District Court ruled that Verizon must comply with RIAA's subpoenas, issued under § 512 of the Digital Millennium Copyright Act (DMCA). Those subpoenas are designed to force ISPs to disclose the identities of users whom RIAA suspects of illegally making copyrighted music available for others to download. RIAA can trace users by itself as far as their IP addresses (the sets of numbers that uniquely identify every computer on the Internet), but it needs the cooperation of ISPs to connect an IP address with an individual's name and address. Once it has that information, it can send a cease & desist letter or file a lawsuit.

Yesterday's Circuit decision reverses the District Court's interpretation of the statute. The appeals court gave the statute an extremely close reading in rendering its decision. The relevant section has a complex sentence structure and many cross references, so it is no wonder that the parties (and two different courts) disagreed as to its meaning. Derek Slater makes a few interesting points, including: "I find it fascinating when opinions contrast in this way — when they see the same issue clearly, unambiguously, but oppositely. [District] Judge Bates, just like [Circuit Judge] Ginsburg, claims to stick to the statute's text and go no further, yet their opinions are night and day."

I think Donna's headline over at Copyfight goes too far: "Verizon Wins Victory for Privacy." I am in Ernest's camp on this one:

The decision is a victory for privacy, but not a victory for privacy as such. The result was reached on a technical reading of the statute, and turned on the fact that a subpoena can only be sent if a DMCA notice-and-takedown letter can also be sent. […] The constitutional issues that would have made this a victory for privacy as such, or for freedom of expression, were not addressed by the court.

The Circuit panel adopted most of Verizon's statutory argument — that § 512(h) authorizes subpoenas only in cases where the plaintiff alleges that the infringing material is stored on media controlled by the ISP. However, when the ISP is a mere conduit for data stored on media controlled by a third party (the ISP's subscriber, in this case), § 512(h) does not permit subpoenas outside of the context of a lawsuit.

This line of reasoning rests on the cross references between § 512(h) and § 512(c). Subsection (h) permits a copyright owner to apply to the Clerk of the court for a subpoena so long as the application contains "a copy of a notification [of claimed copyright infringement, as] described in [§ 512](c)(3)(A)." The relevant language in § 512(c)(3)(A) is: "To be effective under this subsection, a notification of claimed infringement must be a written communication … that includes substantially the following" six elements. The third enumerated element is "(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material." (Emphasis added)

The court agreed with Verizon that this language requires the subpoena application to assert that the ISP has the ability to remove or disable access to the allegedly infringing material. However, most current P2P applications use a decentralized architecture. This means that all shared data is stored on users' computers, not on any central server — except for temporary copies incidental to transmission, which the DMCA permits. Therefore, the ISP has no legal right to remove or disable access to the material shared on the P2P network:

No matter what information the copyright owner may provide [in its subpoena application], the ISP can neither "remove" nor "disable access to" the infringing material because that material is not stored on the ISP's servers. Verizon can not remove or disable one user's access to infringing material resident on another user's computer because Verizon does not control the content on its subscribers' computers.

This holding does have some privacy implications, but they are small compared to Verizon's alternative argument. Having decided this case on statutory grounds, the court ducked the larger First Amendment questions.

So what implications does it have? Dozens of people predict that RIAA will lobby Congress to close what it surely sees as a loophole in the DMCA. Ernest quipped, "[T]he RIAA has nearly hosed itself." The trade group has been trying to consolidate all its DMCA subpoena litigation in Washington, D.C. for administrative convenience. Now, however, it cannot be happy with its "success" in transferring the SBC case to the D.C. District from the Northern District of California in San Francisco — because the Verizon decision is now binding precedent in the nation's capital. This will not stop RIAA from getting users' information, however. It will only make the process slower and more expensive. Instead of paying its lawyers simply to draft subpoena applications, it now has to pay them to draft and file complaints and motions in addition to subpoena applications. These costs will be passed on to consumers in the form of higher average settlements.

John Palfrey sees a broader trend: "Add this development to the Grokster opinion, and the trend of the law in favor of digital rights holders is at least in a holding pattern." The trend may be even broader than Palfrey recognizes — this was a banner week for civil liberties everywhere. (It could, however, be just a blip on the post-9/11 radar screen.) The Dutch supreme court ruled that the makers of Kazaa are not liable under Dutch law for copyright infringement committed by the software's users. A day earlier, the Second Circuit ruled that the U.S. government may not classify Jose Padilla as an enemy combatant — which should assure that his constitutional rights are no longer suspended. Just a few hours later, the Ninth Circuit wrote "that the [Bush] administration's policy of imprisoning about 660 non-citizens on a naval base in Guantanamo Bay, Cuba, without access to U.S. legal protections 'raises the gravest concerns under both American and international law'" (source).

If nothing else, we live in interesting times.

Posted at 6:33:46 PM
Topics: Civil Liberties, Cyberlaw, DMCA, P2P, Politics, Privacy, Technology

Friday, 19 December 2003

Dutch high court: Kazaa not liable

The Dutch supreme court has ruled that the makers of Kazaa are not liable for illegal use of the software by users. Reuters UK reports ("Dutch Court Throws Out Attempt to Control Kazaa"):

The decision by the Dutch court, the highest European body yet to rule on file-sharing software, means that the developers of the software cannot be held liable for how individuals use it. It does not address issues over individuals' use of such networks. […] The Supreme Court rejected demands by Buma Stemra, the Dutch royalties collection society, that distribution of Kazaa cease and that future versions be modified so that copyrighted materials cannot be exchanged over the network, lawyers representing Kazaa said.
It looks like Matt Oppenheim, a senior vice president of RIAA, has to eat his words from March 2002. Describing the Dutch appeals court action underlying yesterday's supreme court decision, he said: "I don't think this summary decision…will have any more impact than it would have from any other country that doesn't enforce copyright law consistent with the United States." Matt, perhaps you can tell me if I spelled "jingo" correctly.

Posted at 10:53:25 AM
Topics: Cybercrime, Cyberlaw, IP, P2P

Thursday, 18 December 2003

MS & NY highlight non-preempted state spam laws

Microsoft and New York State Attorney General Eliot Spitzer are going after spammers — in state courts. The claims they intend to file strike at the misleading nature of email marketing, not the commerciality of the messages. In other words, they are suing under state laws that are not preempted under the CAN-SPAM Act. News coverage: C|Net, New York Times, Seattle Times.

Posted at 9:41:46 AM
Topics: Cyberlaw, Spam

Wednesday, 17 December 2003

CAN-SPAM coauthors respond to criticism

The two coauthors of the CAN-SPAM Act, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), published an essay yesterday in response to criticism of their bill. They state in no uncertain terms what I have been saying all along — that CAN-SPAM is not a silver bullet but that it is a good first step. The money line: "Big-time spammers will inevitably violate the Can-Spam Act because it strikes at the heart of how their sleazy businesses work." (Thanks to GrepLaw for the heads up.)

Also, I did not mention yesterday that President Bush signed the Act.

Posted at 2:00:15 PM
Topics: Cybercrime, Cyberlaw, Politics, Spam, Technology

Tuesday, 16 December 2003

CRIA Follows Big Brother's Lead

Both Big Brothers, actually. The National Post reports ("Music sharers to face lawsuits"):

The millions of Canadians who share music files on the Internet should be prepared for the possibility of facing a lawsuit early in the new year, the head of the Canadian Recording Industry Association said yesterday. … [Brian] Robertson would not specify how many lawsuits would be filed, but he did say the legal action would be similar to the lawsuits filed in the United States. For some time, CRIA has been using software that tracks and identifies users involved in trading free music files. "Users should be aware that using file-sharing services is a very public process," Mr. Robertson said.
Since Canada has no analog to the Digital Millennium Copyright Act (DMCA), it will be interesting to see whether CRIA's tracking software is anywhere near as effective as RIAA's subpoenas. Neither one, it cannot be pointed out often enough, has any judicial oversight. And both are ripe for abuse.

Posted at 10:33:38 AM
Topics: Civil Liberties, Cyberlaw, DMCA, IP, P2P, Privacy

Monday, 15 December 2003

God Considers Smiting Copyright Pirates

Another item via BoingBoing (a banner day over there, I guess):

God is considering his options for action against Bible pirates. "God did not rule out smiting as a final measure against those who share his most famous work, the Bible, on the Internet," wrote Kristian Werner of BBspot Technology News.

Citing misuse of His word, misquotation, and putting hardworking Bible printers out of work, God said he would now start hunting Bible pirating around the globe. "I have to defend both my world-famous brand — the Bible and its distinctive likenesses — and the livelihood of those who create and distribute legal copies of it. Sure, they live not by bread alone, but website hits — someone else's website mind you — don't pay the bills for these folks."

Since large portions of the Bible are many centuries old, many people believe the work to be in the public domain. Not so, said God. "Look, most copyright laws are based on something like the author's lifetime plus, let's say, 15 years. News flash: I'm still here."

Posted at 5:45:57 PM
Topics: Civil Liberties, Cyberlaw, P2P, Skeptical Inquiry, Technology

Spam rage defendant pleads not guilty

I would not have picked Charles Booher's way of becoming famous, but famous he is. He also pleaded not guilty the other day to charges of making threats. The San Jose Mercury News has coverage.

Posted at 10:47:38 AM
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Spam, Technology

Saturday, 13 December 2003

Abusable Technologies

Ed Felten (of Freedom to Tinker) wrote yesterday that he is involved with a new venture called the Abusable Technologies Awareness Center. This looks like a great project.

I would like to comment briefly on one post in ATAC's weblog, "Face Recognition and False Positives." This post raises the point of "a classic security mistake: ignoring the false positive problem." I addressed this issue in "Static Measurements & Moving Targets," my law-school thesis paper on biometrics and privacy in the context of consumer banking. In that paper, I looked at the problem from a perspective opposite Ed's. He describes facial recognition in an identification application, where its goals are substantially different from what its goals would be in an authentication application.

The designer of an application that flags passers-by as registered sex offenders has an incentive to overinclude suspects for security reasons — that is, to err on the side of false positives. The designer of an ATM authentication application, on the other hand, has the opposite incentive — to err on the side of false negatives, to prevent fraud. The point is that false positives are not solely a privacy issue: they also represent a security risk, depending on the context.

That said, I do agree with Ed's basic point, as I wrote back in October ("Terrified of Terror Profiling?"). I supported the point there with links to articles by computer security expert Bruce Schneier and mathematician John Allen Paulos.
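The identification-versus-authentication trade-off described in this post, as an added example that is not from the original post or from ATAC: one matcher is tuned for two different error costs, and the watchlist setting is then checked against the base rate. The match scores, the 20-to-1 cost weights and the 1-in-10,000 prevalence are constructed assumptions.

```python
"""Added illustration: one biometric matcher, two deployment contexts.

All scores, cost weights and the prevalence figure are constructed
sample values, not measurements from any real system.
"""

# Constructed similarity scores (0..1). "Genuine" pairs are two samples of
# the same person; "impostor" pairs are samples of different people.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.75, 0.72, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR = [0.62, 0.58, 0.51, 0.47, 0.44, 0.40, 0.36, 0.31, 0.25, 0.18]


def error_rates(threshold):
    """Return (false_positive_rate, false_negative_rate) at a threshold.

    A pair is declared a match when its score is >= threshold.
    """
    false_pos = sum(1 for s in IMPOSTOR if s >= threshold)
    false_neg = sum(1 for s in GENUINE if s < threshold)
    return false_pos / len(IMPOSTOR), false_neg / len(GENUINE)


def best_threshold(cost_fp, cost_fn):
    """Pick the observed score that minimises the weighted error cost."""
    candidates = sorted(set(GENUINE + IMPOSTOR))

    def cost(t):
        fpr, fnr = error_rates(t)
        return cost_fp * fpr + cost_fn * fnr

    return min(candidates, key=cost)


def alert_precision(fpr, fnr, prevalence):
    """Fraction of raised alerts that are true matches (base-rate effect)."""
    true_alerts = prevalence * (1.0 - fnr)
    false_alerts = (1.0 - prevalence) * fpr
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


if __name__ == "__main__":
    # Identification (watchlist): a missed match is weighted 20x a false alarm.
    watch_t = best_threshold(cost_fp=1, cost_fn=20)
    # Authentication (ATM): accepting an impostor is weighted 20x a false reject.
    atm_t = best_threshold(cost_fp=20, cost_fn=1)

    for name, t in (("watchlist", watch_t), ("ATM", atm_t)):
        fpr, fnr = error_rates(t)
        print(f"{name:9s} threshold={t:.2f}  FPR={fpr:.0%}  FNR={fnr:.0%}")

    # Assumed prevalence: 1 passer-by in 10,000 is actually on the watchlist.
    fpr, fnr = error_rates(watch_t)
    print(f"watchlist alerts that are real: {alert_precision(fpr, fnr, 1e-4):.3%}")
```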

Posted at 5:07:54 PM
Topics: Civil Liberties, Cyberlaw, Politics, Privacy, Skeptical Inquiry, Technology

Friday, 12 December 2003

ECPA permits employer to search stored email

Law.com reports that a Third Circuit panel has interpreted the Electronic Communications Privacy Act (ECPA) to permit an employer to search its employees' email messages that are stored on its network ("Federal Law Allows Employer's Search of Worker's E-Mails"). Such a search, the court held, does not constitute "interception" of messages during "transmission," as prohibited by the ECPA. The full text of the decision in Fraser v. Nationwide Mutual Insurance Co. is available via FindLaw.

Posted at 10:29:23 AM
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Technology

Tuesday, 9 December 2003

Response to Anita Ramasastry's criticism of CAN-SPAM

GrepLaw gives a pointer to Anita Ramasastry's FindLaw article criticizing the CAN-SPAM Act. She scores a few points, but she ignores several important provisions that render her conclusions — in my opinion — wrong.

CAN-SPAM's major faults, in Ramasastry's view:

  • Not all spam is prohibited
  • Individual consumers cannot file lawsuits to enforce the Act
  • Many spammers are already located abroad or will soon relocate abroad — beyond the reach of U.S. authorities
  • Many spammers have few assets and are therefore judgment-proof
  • Spammers can ignore the hypothetical do-not-spam registry that the FTC has not yet designed and implemented
  • The hypothetical registry will be challenged under the First Amendment
  • State spam laws are preempted
  • Technological solutions to the spam problem are preferable to a statutory one.

First, on the prohibition of some but not all spam. This criticism seems somewhat disingenuous, since Ramasastry later recognizes that the First Amendment would prevent a prohibition of all advertising via email. Furthermore, she appears to assume that any do-not-spam registry will be struck down under the First Amendment. The do-not-call registry is a good model to look at — precisely because its legal status is currently undergoing judicial review. This litigation will, eventually, clarify the law. Besides, if it is struck down, the obvious workaround is to implement the registry in a new way that deals with the First Amendment problems.

Second, on enforcement by individual consumers. CAN-SPAM expressly provides for enforcement by at least 110 government bodies, plus any ISP "adversely affected" by illegal spam. The public servants will have strong political incentives to file spam lawsuits, and ISPs will have strong economic incentives. Why add hundreds of millions of consumers to this list when their lawsuits will inevitably be less well-funded than the institutional enforcers? With potential damage awards of $6 million for public enforcers and $3 million for private enforcers, those entities will easily be able to recoup their legal costs (even if they are not awarded attorney fees, as provided in the Act).

Third, on the difficulty of enforcing CAN-SPAM against foreign and judgment-proof spammers. The Act's third-party liability provisions will solve much of this problem. The Act attaches liability to (1) any business knowingly promoted via illegal spam and (2) any vendor that provides goods or services to a spamming operation with knowledge that those goods or services will be used to send spam. These provisions give third parties one free bite — before the first potential plaintiff sends a cease & desist letter, putting them on official notice. Much advertising currently distributed via spam promotes products on sale within the U.S. or manufactured or sold by people in the U.S. Once the first such person is prosecuted, the demand for advertising space in spam will decline precipitously. Spam will inevitably decline, as fewer people are willing to pay for it.

Fourth, on the purported shortcomings of the do-not-spam registry. For god's sake, give the thing a chance before you accuse it of failing. As I said above, the FTC can learn from the outcome of the pending do-not-call litigation, and there is an infinite variety of implementations that the do-not-spam registry could take. I proposed one not long ago. Also, the possibility that some spammers will evade it is not a reason not to try. CAN-SPAM's third-party liability provisions do not currently apply to registry violations, presumably because the registry does not exist and the Act only empowers the FTC to consider the idea of the registry. That shortcoming can easily be rectified by an amendment to the statute or FTC rule.

Fifth, on state spam laws. How, exactly, is the fundamental shortcoming of the Westphalian territorial legal system solved by having fifty state laws, no matter how restrictive? What if a spammer in California sent spam only to residents of other states and other countries? No state or country would have jurisdiction. The major complaint in this area that does have some validity is the preemption of California's tough opt-in law with the federal opt-out standard. This is a valid criticism, but it goes to the policy choices that Congress made when it traded opt-in for the possibility of an effective opt-out registry.

Sixth, on technological solutions. You cite Congress's findings on the rapid rise of spam traffic in an era that had no comprehensive spam law. The primary method of dealing with spam has been technological measures. And the volume of spam rose rapidly during that period. One of CAN-SPAM's greatest strengths is that it expressly permits ISPs to implement private mail policies — a provision that should exempt them from tort liability for doing so. It looks somewhat like § 230 of the Telecommunications Act of 1996 in that respect.

Posted at 5:42:09 PM
Topics: Cybercrime, Cyberlaw, Spam

Sunday, 7 December 2003

Borland on P2P

John Borland of C|Net wrote an interesting column last Thursday, asking whether RIAA's lawsuits against P2P users were having the desired deterrent effect ("RIAA lawsuits yield mixed results"). "At the core of the RIAA's strategy has been the attempt to persuade as many people as possible to stop trading copyrighted files online. This appears to be working in at least some groups, but the evidence is mixed at best." That same day, he also wrote a good summary of the compulsory licensing discussion in Canada: "Should ISP subscribers pay for P2P?"

Posted at 10:48:57 AM
Topics: Civil Liberties, Cyberlaw, DMCA, IP, Politics, Technology

Finished writing CAN-SPAM summary & comments

I finished writing my formal summary and commentary on the CAN-SPAM Act for the Journal of Internet Law. I would like to thank everyone who posted and emailed comments over the last two weeks; they all helped me clarify the issues. Several of you asked me to post the paper here. I will do so, as soon as I get "permission" — i.e., confirmation that posting it here will not jeopardize its publication next month. Meanwhile, my preliminary thoughts are still available here.

Posted at 10:22:21 AM
Topics: Cybercrime, Cyberlaw, Spam

Friday, 5 December 2003

Google files DJ action against American Blind

I love it when companies are willing to spend money to clarify the law in areas where it is murky. Playboy used to be great in this area, filing many suits that pushed copyright and trademark law into the digital age at a time when the Internet had barely entered the popular lexicon. Many of those cases went all the way to judgment and appeal — which gave something back to the public, in exchange for the judicial resources that Playboy consumed.

Now Google has started. Last week the search company filed a declaratory judgment action against American Blind & Wallpaper Factory, asking the U.S. District Court in San José to clarify its rights. American Blind (among many others) has complained recently to Google about Google's sale of keywords to its advertisers. Google has been fairly responsive about such trademark requests, but AB and others frequently claim to have rights in words and phrases that do not precisely match their registered or common law trademarks. They do have some trademark-like rights in such terms, but it is often difficult to discern exactly what they are. This case should help.

Thanks go to GrepLaw for the heads up.

Posted at 5:35:35 PM
Topics: Civil Liberties, Cyberlaw, IP, Technology

Thursday, 4 December 2003

Johns Hopkins still bars publication of Diebold memos

Derek Slater reports the tribulations of Asheesh Laroia, a student at Johns Hopkins University. Despite never having received a cease & desist letter, JHU cut off access to the memoranda. Even after Laroia informed JHU that Diebold had retreated (1, 2), the university persisted, writing that it "cannot allow its resources to be used in violation of copyright law, whether or not the holder of the copyright (in this case Diebold) plans to prosecute."

All I can say is I am glad I am not a student there.

Posted at 9:00:46 PM
Topics: Civil Liberties, Cyberlaw, DMCA, Politics, Technology, eVoting

Monday, 1 December 2003

Crimson confirms Diebold will not sue students

Zachary Seward reports in the Harvard Crimson that a Diebold spokesman confirmed that the company will not sue students who posted internal company memoranda on the Internet ("Diebold Won't Sue Students"). Thanks go to John Palfrey for the heads up. The article has one interesting point that bears mentioning here:

In one memorandum from April 23, 1999, [a Diebold] employee acknowledges a flaw in one of the company's electronic ballots. "I don't expect you will see a fix in time for the election," the employee writes, "since it is tomorrow." Diebold will not comment on the memoranda but has said that any imperfections in their systems have subsequently been fixed.
Note that this claim can be interpreted to apply only to those particular ballot problems — tailor-made plausible deniability. It does not claim to have fixed the security flaws found in two independent reviews earlier this year. In one review, researchers at Johns Hopkins and Rice universities found weaknesses that could easily allow someone to cast multiple votes for one candidate. (Report (pdf), press release) The other report, conducted for the State of Maryland, concluded that flaws exist but that they were unlikely to cause practical problems in real elections — but only if external safeguards are in place. (Report (pdf))

Also recall that Diebold is the only manufacturer of ATMs in the world whose machines have become infected with a worm.

Posted at 3:58:01 PM
Topics: Civil Liberties, Cyberlaw, DMCA, Politics, Technology, eVoting

Saturday, 29 November 2003

More Congressional ineptitude

Yesterday I wrote about one Senator who tried to regulate technologies that he did not understand. Today, I have to rebuke the entire House of Representatives for something far worse.

After reviewing the highlights of the CAN-SPAM Act for my blog last week, I was asked to write a more comprehensive review for the Journal of Internet Law. During my more careful, second reading of the bill, I noticed an inexcusable discrepancy. Early on, the bill defines a "commercial electronic mail message" (its verbose term for spam) as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." § 3(2)(A). A few paragraphs later, the bill states, "It is the sense of Congress that [s]pam has become the method of choice for those who distribute…viruses, worms, and Trojan horses into personal and business computer systems." § 4(c).

This passage shows (1) that the House has no idea what those terms mean or what spam is, and (2) that the House has no idea how it defined spam just a few paragraphs earlier!

Posted at 1:19:34 PM
Topics: Cyberlaw, Spam, Technology

Friday, 28 November 2003

P2P & anonymity

Four years ago I wrote my senior thesis at Yale, The Futures of e-Politics, in which I complimented several Congressmen and Senators for having done well to educate themselves on digital communications technologies in a relatively short time. Today I may recant that compliment.

I just got around to reading C|Net's coverage of a letter sent last week from several Senators to the executives of several P2P companies. The lawmakers asked the companies to regulate themselves — i.e., to censor their networks for pornography and copyrighted material. C|Net reports ("Senators ask P2P companies to police themselves") a quote from Senator Lindsey Graham (R-N.C.) that I did not see reported elsewhere. In a "statement" accompanying the letter, he said (emphasis added):

Purveyors of peer-to-peer technology have a legal and moral obligation to conform to copyright laws, and end the pornographic trade over these networks. These programs expose our children to sexually explicit materials and provide an anonymous venue for child pornographers to hide behind the veil of technology.
If we have learned anything from RIAA this year, it is that P2P activity is not anonymous. If you are going to make national policy, or at least pretend to, it is not unreasonable to ask that you pay attention.

Posted at 3:00:22 PM
Topics: Civil Liberties, Cyberlaw, DMCA, IP, Politics, Privacy, Technology

Thursday, 27 November 2003

Worm infects Diebold ATMs

Diebold, the very same company being raked over hot coals for its authoritarian response to criticism, now has the ignoble honor of being the first ATM manufacturer to have its machines infected with a worm. (New Scientist: "Cash machines infected with worm")

The controversy over Diebold's electronic voting machines is no longer theoretical (if it ever was). This is a real-world, already-happened, no-excuses problem affecting a Diebold product very similar to its voting machines. How could this happen? Simple — Diebold's ATMs run Windows XP.

Posted at 10:44:44 PM
Topics: Civil Liberties, Cybercrime, Cyberlaw, DMCA, IP, Privacy, Technology, eVoting

Diebold backs down

Diebold filed court papers on Monday, stating that it would not file copyright infringement suits against people who hosted and linked to the infamous cache of damaging documents. Kudos go to the Stanford Cyberlaw Clinic, which represented two Swarthmore students in their lawsuit against the voting machine manufacturer. Too bad Rule 11 does not apply to DMCA notice-and-takedown letters. You have my best wishes if you sue Diebold under anti-SLAPP laws and for intentional infliction of emotional distress.

It has been a busy week for me, and the press has shamefully ignored this development for several days, so I almost missed it. Big thanks go to Siva for mentioning it on Tuesday.

Posted at 10:54:32 AM | Permalink

Topics: Civil Liberties, Cyberlaw, DMCA, IP, Technology, eVoting

Tuesday, 25 November 2003

Spam canned throughout the land?

The House of Representatives approved the CAN-SPAM Act on Friday, by a vote of 392-5. The acronym stands for the not-so-clever moniker, "Controlling the Assault of Non-Solicited Pornography and Marketing Act." The Senate is expected to approve the measure this week, and President Bush has agreed "in principle" to sign the bill.

This bill would have been a reasonable first step to take against spam five years ago, and Congress should be ashamed of itself for dawdling so long. We should be debating the second or third revision of the Act by now. What is done is done, however, so let us explore what the CAN-SPAM Act says.

Update, 29 Nov 2003. I have been asked to revise and augment this essay for publication in the Journal of Internet Law. Toward that end, I would appreciate any constructive comments from any reader.

The full text of the bill is available at C|Net. The news agency also gives a bullet-point summary amidst its coverage, and the Institute for Spam & Internet Public Policy (ISIPP) gives a ten-point summary. Finally, C|Net gives this brief summary of the entire bill:

If the measure becomes law, certain forms of spam will be officially legalized. The final bill says spammers may send as many "commercial electronic mail messages" as they like — as long as the messages are obviously advertisements with a valid U.S. postal address or P.O. box and an unsubscribe link at the bottom. Junk e-mail essentially would be treated like junk postal mail, with nonfraudulent e-mail legalized until the recipient chooses to unsubscribe.

First, a few preliminary comments before I get into specific provisions. Spam has been a scourge on the 'net since the early 1990s, when non-academics and non-scientists first logged on in large numbers. The volume of commercial email was low at first but has grown exponentially for years. The result has been frustration for users who drown in the flood of messages, higher costs for service providers who must process all the unwanted email, embarrassment for legitimate businesses whose servers are hijacked by spammers trying to disguise their identities, and the corruption of children whose parents try to shield them from pornography and other sex-based products. The Act does not go as far as many people think it should (which is why Congress's long inaction is so lamentable); but it is, as I said above, a reasonable first step. The House seems to have made a genuine effort not to be heavy-handed with the rights of advertisers. Still, the Act has some sharp teeth for consumers and, if it is properly enforced, has the potential to significantly reduce the burdens caused by spam.

Now, some comments on specific provisions. This is not intended to be a comprehensive analysis of the bill — but rather a few thoughts on the provisions I think are important or interesting.

Update (6pm): Several readers have asked me to insert anchors in my subject headings so they can link to specific pieces of this article. Here they are:

False Header Information

The "false header information" provision is perhaps the easiest part of the bill for non-technologists to grasp, because you can examine the underlying problem even if you do not understand the technology. Spammers often disguise the origin of their advertising to make it more difficult for individuals and ISPs to use automated methods to filter and delete spam. These disguises also induce recipients to open the spam mail and begin reading — by pretending to be legitimate messages (e.g., with a deceptive or misleading subject line). Imagine paper junk mail, delivered by the post office, that comes in an envelope whose return address seems to be from your bank or your doctor. When you open the envelope, you find a flier for hard core pornography.

When spam is disguised as legitimate mail, more people will open the message and read the first few lines before realizing its true nature. This gives the advertiser a better chance of selling his product, be it pornography, generic Viagra, or home mortgage services. As more spam is dealt with by human beings (rather than filtered by computers), more advertisements get read, and more products will be sold — even if most people hit the delete key immediately. In paper-based "direct mail" ad campaigns, a response rate of one buyer per 100 mailings is generally enough to break even. The cost of sending email is much lower than the cost of sending paper mail, so a response rate of one buyer per 100,000 mailings is likely to earn a profit. The cost of sending email only seems lower to the sender, however, because most of the costs are shifted to the receiver and the receiver's ISP.

Here is how the technology works, in a nutshell. An email's "header" is the addressing and routing information — such as the to, from, and date fields that you see at the top of each message. Most email software hides the bulk of the header from you, unless you take an extra step to have it displayed. This "hidden" information documents where the email originated and the route it took across the Internet to your inbox. Each computer on the Internet has a unique "IP address" consisting of four numbers separated by dots (periods). Each line of the "hidden header" contains the IP address of a computer that touched the email en route and states the action that computer performed. Usually, these intermediary computers simply receive the message and hand it off to another computer that is "closer" to the recipient; after five or six hops, the email arrives at your inbox, and the process stops. Each intermediary computer adds a line to the top of the header, so the very top line always documents your mail server's delivery to you. Each successive line below that documents where each computer got the message from, going all the way back to the original sender. For example, an email I received this morning has these two lines in its header:

  • Received: (from uucp@localhost) by andros.alumniconnections.com [198.212.10.70] (8.11.6+Sun/8.11.6) id hAPEpit20254; Tue, 25 Nov 2003 09:51:44 -0500 (EST)
  • Received: from voyager.bna.com(149.79.136.49) by andros via smap (V2.1) id xma010225; Mon, 24 Nov 03 15:04:27 -0500

The first line is from my mail forwarding service (which sent the message to my ISP after it added this stamp, and my ISP later delivered the message to me). The name of this computer is andros.alumniconnections.com, which resolves to the IP address 198.212.10.70. Before that, the message was handled by a computer named voyager.bna.com (149.79.136.49). This makes sense because the email in question was an Internet law newsletter from BNA, a publisher of print and electronic news, analysis, and reference products. Also note that each header line has a date & time stamp.

Some automated spam filters take advantage of this stamping process by searching the email header for computers that are known to be used for sending spam. The bottom line of the header should be the original sender, and the identities of the biggest spammers are well known, so it should be an easy matter to delete all messages coming from them. Spammers know this, however, so they go to great lengths to forge these headers and route their mail through other people's servers to disguise its true origin. CAN-SPAM's "false header information" provision would make this illegal. The practice is already arguably illegal under a patchwork of existing laws, which could be interpreted to cover this situation. However, there is no substitute for a clear, specific statute directly on point that removes all doubt.
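The header walk described above, as an added example (not code from the original post): it parses the two Received lines quoted earlier and contrasts the bottom stamp with the peer address recorded by the last server the recipient trusts. The trusted host names, the `FORGED` message, and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string

FROM_RE = re.compile(r"\bfrom\s+(\S+?)\s*[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
# Assumption: the only servers whose stamps we believe (the forwarding service).
TRUSTED = {"andros.alumniconnections.com", "andros"}

# The two Received lines quoted above; From, Subject and body are constructed.
SAMPLE = """\
Received: (from uucp@localhost) by andros.alumniconnections.com [198.212.10.70]
\t(8.11.6+Sun/8.11.6) id hAPEpit20254; Tue, 25 Nov 2003 09:51:44 -0500 (EST)
Received: from voyager.bna.com(149.79.136.49) by andros via smap (V2.1)
\tid xma010225; Mon, 24 Nov 03 15:04:27 -0500
From: newsletter@example.com
Subject: constructed sample

body
"""
# Constructed: real peer is 203.0.113.7 (documentation range); bottom stamp is sender-supplied.
FORGED = SAMPLE.replace("voyager.bna.com(149.79.136.49)", "mail.example.net(203.0.113.7)").replace(
    "From:", "Received: from voyager.bna.com(149.79.136.49) by relay.example.org;\n"
             "\tMon, 24 Nov 03 14:00:00 -0500\nFrom:", 1)

def parse_hops(raw):
    """Return one dict per Received stamp, newest (top) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        peer, by = FROM_RE.search(line), BY_RE.search(line)
        hops.append({"by": by.group(1) if by else None,
                     "peer_host": peer.group(1) if peer else None,
                     "peer_ip": peer.group(2) if peer else None})
    return hops

def bottom_ip(hops):
    return hops[-1]["peer_ip"] if hops else None  # naive: trust the bottom stamp

def handoff_ip(hops, trusted=TRUSTED):
    """Peer IP recorded by the last trusted server, reading from the top down."""
    seen = None
    for hop in hops:
        if hop["by"] not in trusted:
            break  # everything from here down was supplied by the sender
        seen = hop["peer_ip"] or seen
    return seen

if __name__ == "__main__":
    print([(bottom_ip(h), handoff_ip(h)) for h in map(parse_hops, (SAMPLE, FORGED))])
```

On the constructed forged message the bottom stamp still names 149.79.136.49, while the trusted server recorded 203.0.113.7, which is the address a blocklist lookup should use.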

Resource Misappropriation

The "resource misappropriation" provision is perhaps the most difficult for non-technologists to understand. Congress borrowed this idea from a line of judicial opinions based on a tort called trespass to chattel. A "chattel" is simply the legal term for an item of personal property — a toaster or a chair, for example. I cannot make toast or sit down when someone else is using my chattels without my permission. That property belongs to me, so the common law allows me to sue the person using it. If I prove my case, I would get money for the damages I suffered from the delay in satisfying my hunger or relaxing my legs, and the court would order the trespasser to stop. The crux of this policy is that a computer is a chattel just like a toaster or a chair. Intuitively, we all understand that if someone else is using my laptop, he is blocking me from using it at the same time.

In the spam context, we must look at the technology on a slightly deeper level than this simplistic first approach allows. The Internet relies on powerful computers called servers, which answer queries from many people at the same time. When I read Yahoo!'s home page, the odds are very high that many other people are reading it at the same time. Yahoo!'s web server can dish out thousands of pages at the same time. However, when the number of readers grows too high, even the most powerful server has trouble keeping up, and users experience delays — or worse, the server "crashes."

A similar phenomenon occurs with mail servers — the computers that process email after it is sent and before it is received. Suppose the average email user sends and receives an average of 20 legitimate messages per day and receives an average of 80 spam messages per day. His Internet Service Provider's (ISP) mail server will spend 80% of its time processing spam and only 20% processing the "real" mail — which is what the user (the ISP's paying customer) wants it to process. Instead of buying the server it wanted to buy, the ISP had to buy one with five times the processing power to accommodate the unwanted extra load. This does not increase the cost of the server linearly (by five times), but it does increase the cost of the server by a measurable amount. Similarly, the ISP has to pay for five times the bandwidth (transmission capacity) that its customers want to use. Even if the ISP filters out spam as a service to its customers, it must still pay for all this extra capacity — to receive each piece of mail, look at the contents of each message, and flag each message for deletion or delivery.

The first case to examine spam from this perspective was CompuServe v. Cyber Promotions, 962 F. Supp. 1015 (S.D. Ohio 1997). CompuServe, an ISP, sued Cyber Promotions (CP) over spam that CP was sending to CompuServe's customers. (CP is no longer in that line of business.) That court built on the analysis written by a California Court of Appeals from a year before in Thrifty-Tel, Inc. v. Bezenek, 56 Cal. App. 4th 1559, 1567 (1996). The California court had held that "Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action." CompuServe, 962 F. Supp. at 1021. In other words, the electric impulses that computers use to communicate constitute a physical invasion of property when they are sent into a privately-owned system without permission. In Thrifty-Tel, a telephone company had sued the parents of children who engaged in "phreaking" — attempting to crack the company's authorization codes in order to make long distance calls without paying for them. The most famous decision in this line of cases is eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (2000), which extended the same reasoning to web servers.

Meaningful Unsubscribe Mechanism

Two pieces of the bill — the "working unsubscribe" and "anti-resubscribe" provisions — belong under the same conceptual umbrella, which I call the "meaningful unsubscribe mechanism."

The "working unsubscribe" provision would require each piece of spam to include instructions for the recipient to "opt out" of future advertising. This opt-out mechanism must function for 30 days after the spam is sent, to ensure that recipients have a reasonable opportunity to use it. Otherwise, the spammer could shut it down immediately after clicking send — before most people have received the junk mail.

Some spammers get around states' opt-out laws by removing people from lists when they make opt-out requests, then immediately adding the same person to a new list. This new list has a much higher economic value to the spammer because the addresses on it are "verified" — the spammer knows that each one belongs to and is being actively used by a live person. This formalistic interpretation of many state laws' opt-out requirements is not possible under CAN-SPAM's "anti-resubscribe" provision, which bars the spammer from adding opted-out addresses to other lists.

The "working unsubscribe" provision is the most controversial and troubling provision in the Act. A great controversy surrounds the question of whether spam should be an opt-in or an opt-out enterprise. An opt-in system would forbid unsolicited commercial email by requiring spammers to document that the owner of each email address on a mailing list has requested to be placed on that list. An opt-out syste