Monday, 26 March 2007
Sanctions against KinderStart
I just learned that Google has won a dismissal and sanctions in the lawsuit brought by KinderStart. The dismissal order was without leave to amend, meaning that KinderStart's claims are dead. The court also ordered that KinderStart and its attorneys will be sanctioned.
KinderStart asserted a panoply of claims, including violation of the First Amendment, the Sherman Antitrust Act, unfair competition and unfair business practices under California law, and defamation. KinderStart's complaint specifically alleges that Google manipulates search results to censor political and religious speech and to boost the search results of companies that pay Google or comply with demands that Google makes. It also alleges that Google reduced KinderStart's position in search results and assigned it a PageRank of zero.
The sanctions come under Rule 11 of the Federal Rules of Civil Procedure. Rule 11 authorizes the court to "impose an appropriate sanction upon the attorneys, law firms, or parties that" file any paper without an appropriate factual or legal basis. "A sanction imposed for violation of this rule shall be limited to what is sufficient to deter repetition of such conduct or comparable conduct by others similarly situated."
In this case, the court found that several allegations made by KinderStart and its attorney, Gregory Yu, are "factually baseless and [that] Yu failed to perform an adequate investigation before filing them." The court will fix the amount of the sanction after it receives supplemental papers from Google "identifying the fees associated with its motion for sanctions and with other motion practice related to the sanctionable allegations. The Court will determine the amount of monetary sanctions after receiving Google's submission and Yu's response."
Tuesday, 27 February 2007
Posner's GPS society
I finally got around to reading U.S. v. Garcia, Case No. 06-2741 (7th Cir. February 2, 2007). I figured the hysterical blog posts were overstating Judge Posner's opinion for the Seventh Circuit. But I may have been wrong.
In Garcia, the defendant was charged with crimes relating to making methamphetamine. The police had received tips that the defendant was making meth, and they gathered evidence by tracking his car. Instead of assigning an officer to follow the car, they placed a GPS device under the rear bumper.
The police placed a GPS (global positioning system) "memory tracking unit" underneath the rear bumper of the Ford. Such a device, pocket-sized, battery-operated, commercially available for a couple of hundred dollars (see, e.g., Vehicle-Tracking, Incorporated, "GPS Vehicle Tracking with the Tracking Key," www.vehicle-tracking.com/products/Tracking_Key.html, visited Jan. 21, 2007), receives and stores satellite signals that indicate the device's location. So when the police later retrieved the device (presumably when the car was parked on a public street, as the defendant does not argue that the retrieval involved a trespass), they were able to learn the car's travel history since the installation of the device. One thing they learned was that the car had been traveling to a large tract of land. The officers obtained the consent of the tract's owner to search it and they did so and discovered equipment and materials used in the manufacture of meth. While the police were on the property, the defendant arrived in a car that the police searched, finding additional evidence. [Slip Op. at page 2]
The court held that this did not constitute either a "seizure" or a "search" under the Fourth Amendment. The police therefore were not required to have a warrant or probable cause — or even a reasonable suspicion that Mr. Garcia had committed a crime.
Under this rule, the police are free to attach GPS tracking devices to any car at any time, and they can probably do it for any purpose. So long as they avoid direct harassment or a similar misstep, they can track protesters who exercise their First Amendment rights. They can track citizens with information embarrassing to public officials. They can track ethnic Arabs. And it's (apparently) legal.
I think I agree with the court on the seizure question. The police installed the device without the defendant's knowledge, so he was not deprived of the free use of the car. The device didn't take up any space in the passenger or storage compartments, so it didn't diminish his enjoyment of the car. I suppose the slight additional weight may reduce the car's gas mileage, so it might have imposed a slightly increased cost of operating the car. But that cost is probably negligible, impossible to measure, and overwhelmed by the weight of other cargo. So I would have a hard time calling this a "seizure" of the car.
I think I disagree on the search question, however. Judge Posner wrote (slip op. at pages 4–6):
The Supreme Court has held that the mere tracking of a vehicle on public streets by means of a similar though less sophisticated device (a beeper) is not a search. United States v. Knotts, 460 U.S. 276, 284-85, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983). But the Court left open the question whether installing the device in the vehicle converted the subsequent tracking into a search. Id. at 279 n. 2. […]
Fourth Amendment jurisprudence grew up in an era when practical constraints (like manpower and cost) limited surveillance to situations where crime was reasonably probable. Our society's balance between liberty and government power depended on these practical constraints. When a constraint is removed, the balance is upset. This is one of the most fascinating themes of science fiction literature. Imagine some activity that is limited today by practical constraints. Then imagine a technology that removes the constraint and examine the implications of our current laws and values when the activity is unrestrained. Unfortunately, Judge Posner is writing law and not science fiction.
Judge Posner recognizes that a tipping point will come when some new technology allows police to gather information quickly and cheaply on a massive scale where it would otherwise require expensive efforts. At that time, Judge Posner writes, we will have to reexamine the Fourth and Fifth Amendments to see if sui generis violations occur. He even acknowledges that "programs of mass surveillance of vehicular movements" may require the courts "to decide whether the Fourth Amendment should be interpreted to treat such surveillance as a search." (Slip op. at page 8)
Unfortunately, Garcia precludes this possibility and requires its own reversal whenever Judge Posner feels that day has come. If one instance of an act is not a search under the Fourth Amendment, as Judge Posner insists, then two instances of the same act are also not a search. How many does it take? I can't think of a good reason to pick any number. Either the act has Fourth Amendment implications or it doesn't.
The court expressly ignored the possibility that a trespass occurred because Mr. Garcia didn't raise it. (The court assumed the GPS device was retrieved while the car was parked on a public street.) Initially, I thought this might be the answer to my troubling Fourth Amendment concerns, but it isn't. Even if the police retrieve the device while the car is parked in a public place, the fact of tracking on a private road might provide some basis for finding that a search occurred. I don't think this makes me feel better, however, for two reasons. First, most people simply don't drive on many private roads. Second, I don't think Fourth Amendment rights should be that serendipitous — my rights could be different on Tuesday and Wednesday, depending on my schedule.
I don't have a good answer to these issues yet. The only thing I can say for sure is that Judge Posner's reasoning makes me uncomfortable because it is absolute.
Saturday, 7 October 2006
Google selling page rankings and lying about it?
Last Thursday, Google won a motion to dismiss a trademark infringement suit brought by Rescuecom Corporation. The court's decision is here, news coverage is here, and commentary is here. Others have already written about the trademark issues and other fallout (see: 1, 2, 3, 4). I am more interested in a small paragraph on page 4 of the court's decision, which indicates that Google is selling page rankings.
The court wrote:
Defendant [Google] does not always identify sponsored links as advertisements and it designs those appearing at the top of the search results to look like a part of the "non-sponsored" search results. As a result, Internet users may infer, based on a sponsored link's appearance at the top of the list of search results, that a sponsored link is the most relevant website among the search results. An Internet user can "click" on the sponsored link with a mouse to go to the advertiser's website. Advertisers pay defendant based on the number of clicks the sponsored link receives.
Passing off paid ads as relevant search results would mean the end of Google's integrity. If, of course, that is really what is happening. I have not read the parties' briefs, so I do not know where the court learned this "fact". This section of the decision was a summary of the facts alleged in Rescuecom's Complaint, which the court must assume to be true for purposes of this motion — not the court's own conclusions.
For its part, Google insists that its famous PageRank system is unbiased and not for sale and that AdWords ads (keyword-linked ads) appear only to the side of "relevant search results."
This may simply be a case of sloppy writing by the court or by the plaintiff. Or it could be a lie — by the plaintiff (to the court) or by Google (to the public). Either way, I am curious to know the truth.
Saturday, 30 September 2006
Don't Download This Song
"Weird Al" Yankovic has been a consistent commentator on pop culture for over two decades. He struck gold with a song from his new album, Straight Outta Lynwood, called "Don't Download This Song", which he has released as an electronic postcard video. Also, I just learned that Al is on MySpace.
Wednesday, 28 June 2006
Ratings and warnings of "sexually explicit material"
According to a C|Net article, the Senate Commerce Committee approved an amendment to a bill that would require web site operators to place a label on their home pages if the site contains "sexually explicit material" and to "rate 'each page or screen of the website that does contain sexually explicit material' with a system to be devised by the Federal Trade Commission" ("Senators adopt Web labeling requirement").
There is no hope that a workable system could be based upon that rule. Set aside for the moment the probably-fatal First Amendment concern that "sexually explicit material" is unlikely ever to be defined clearly enough to survive judicial scrutiny and that we would need such a definition for multiple categories of sexually explicit material. The stated purpose of the bill presumes that children do not want to see sexually explicit material. According to the article:
"This will protect children from accidentally typing in the wrong address and immediately viewing indecent material," said Sen. Conrad Burns, a Montana Republican who is the co-founder of the Congressional Internet Caucus.
Have you ever known a child to walk away from something sexually explicit without looking at it? I doubt such a child exists.
Monday, 5 December 2005
Libel suits against bloggers
This list, which is an outgrowth of the Pre-Dinner Symposium on Blogging held on Nov. 9, 2005, includes the cases that MLRC is aware of in which bloggers have been sued for libel and related claims; it also includes a criminal case against bloggers in Ohio. The list also includes links to articles reporting on these cases, and court decisions when available.
Via Internet Cases
Tuesday, 15 March 2005
I've been trolled
In the last 24 hours I received several emails relating to my last blog post, "Piracy Phishing." A couple have informed me (one politely, one hilariously) that I have been trolled. The "email" I received from "Jack Meihoff" of LiquidGeneration is a well-executed spoof. Run to your nearest Flash-enabled browser and check out this explanation of the gag.
Saturday, 5 March 2005
"Phishing" is a growing problem. In a cross between spam and scam, an email designed to look like a legitimate query from eBay, your bank, or someone else you trust purports to alert you to some problem and asks you to visit a web site, type in your name and password, and verify some information. The press has spent a lot of ink on this recently.
I just caught a phish with an interesting twist. The email I received purports to be from the Motion Picture Association of America (MPAA). It accuses me of pirating movies and demands an unspecified payment. Then it provides a link which, I am told, will tell me the exact amount I owe to settle the claims of MPAA. The email is quoted below.
Unfortunately, the MPAA has never heard of the sender, Jack Meihoff, and it also states that it does not handle piracy cases in this manner. Also, the MAC address identified in the email is fictitious, and the domain in the link it points to (saynotopiracy.org) is registered to an entity called LiquidGeneration, Inc., incorporated in Illinois. The only individual person associated with its whois entry is one Bruce Freud. He can apparently be reached at:
I can find no mention of Jack Meihoff, Bruce Freud, or LiquidGeneration on MPAA's web site, and Google returns no hits for searches on mpaa.org for those keywords. Very likely, LiquidGeneration wants me to click on the link (which contains a long string of random-looking characters) to verify my email address in its spam database. The email originated from db1.liquidgeneration.com (22.214.171.124). Maybe it even has a payment mechanism and would ask me to type in a credit card number. If anyone out there actually cares, you are welcome to investigate the matter further. For my part, I will shortly send an email to the Federal Trade Commission and the California Attorney General with a link to this post.
The email follows:
Thursday, 19 August 2004
MGM v. Grokster affirmed
Right now I have nothing to add to what is being said on the 9th Circuit's affirmation [pdf] of MGM v. Grokster — except to recommend Ernest's comments, then Derek's Leftovers and Frank's link collection.
...And then let's raise our voices with a collective WOOHOO!!!
Thursday, 6 May 2004
New: Gigalaw has launched the CAN-SPAM Library (www.canspamlibrary.com), a collection of law, articles, studies, commentary, discussion, and links on the CAN-SPAM Act. Well worth reading (and linking). Via GrepLaw.
Friday, 9 January 2004
Declan explains on C|NET that in March 2003 TTB solicited comments from the general public on "a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice." The Bureau promised: "For the convenience of the public, we will…post comments received in response to this notice on the TTB Web site. All comments posted on our Web site will show the name of the commenter, but will not show street addresses, telephone numbers, or e-mail addresses." Far be it from us to expect an express promise to be kept. Fortunately (for democratic interests) but unfortunately (for TTB), the agency was overwhelmed with comments.
As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to firstname.lastname@example.org. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax — and decided it could no longer keep its promise.
If a private company pulled a stunt like this and published the addresses of 10,000 people, its executives would go to prison. The government, however, has a long history of treating itself differently. See, for example, Congress' eagerness to spam voters a week after passing the CAN-SPAM Act.
Wednesday, 7 January 2004
FBI uses web bug to track extortionist?
Abandoning the incentives not to report cybercrime (see my last blog entry), Best Buy called in the FBI when it received emails threatening to expose security weaknesses in its e-commerce site unless the retail giant forked over $2.5 million. The Bureau worked with Best Buy to snare Thomas E. Ray III, of Mississippi, the would-be scammer. The most interesting feature of this case is in the tools used by the FBI to catch the alleged blackmailer. The Bureau responded to Ray's messages with its own emails laced with something that allowed it to trace the IP address from which he read them.
Unfortunately, the early press reports are unclear as to exactly what that something was. The St. Paul Pioneer Press reports that the investigation "was aided by a computer-tracing technique." The FBI got "permission from the courts to use a specialized e-mail device — called the Internet Protocol Address Verifier — to track down the author." I have no idea what an "Internet Protocol Address Verifier" is, but it sounds an awful lot like a web bug.
Web bugs are tiny pictures embedded in email messages using HTML. When an HTML-enabled mail client opens the message, it renders the HTML — including any image tags. The sender can embed an image tag that will query his own web server for an image file, then examine his server logs to determine from what IP address the query came. For example, I could send an email with HTML tags pointing to images stored on www.danfingerman.com, then record the IP addresses of all requests for that image. After I collect the IP addresses and dates & times the image was accessed, I could take a page from RIAA's playbook and find a way to intimidate ISPs into telling me which individuals were using each IP address at the relevant date and time. Then I would know who read my email, the exact date and time, and I could get more information with some extra effort — like the reader's home address and phone number or the geographic location where he read the message.
Web bugs got the name bug after spammers started using them to verify email addresses. Recording calls to an image stored in a static location on a web server is not very helpful when you send email to millions of addresses and have no good way to link each IP address & time/date combination to a particular email address. (Believe it or not, the DMCA does have limits.) Spammers began to design web server software with dynamic links to a single image measuring 1x1 pixel. The images are tiny so that most people will not notice them (how often do you really view the source code of your email?) and to make them load quickly — before most people could hit the delete key. The relevant HTML tag written into each individual email would include a directory path that included the address to which that message was sent. Then, the web server's log would record the image request with the email address (as a simple text string) as part of the directory path to the image. This made it obvious which email addresses the queries were coming from. "Verified" email addresses are like gold for spammers, and they would use this information to charge higher prices for their services — because they could now guarantee that a higher percentage of their emails were being delivered to addresses where an actual person would see them.
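The two tells described above (a 1x1 image fetched from the sender's server, and the recipient's address written into the image path) can be checked for mechanically. The following Python is an added example, not part of the original post; the sample message and every host and address in it are constructed.

```python
"""Flag likely web bugs in an HTML email (added illustration)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message: every address, host and path below is made up.
SAMPLE_EMAIL = """\
From: sender@example.com
To: reader@example.net
Subject: Quarterly newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="cid:logo123" width="200" height="80">
<img src="http://images.example.com/banner.png" width="600" height="90">
<img src="http://track.example.com/open/reader@example.net/pixel.gif" width="1" height="1">
<img src="http://track.example.com/o.gif?id=reader%40example.net" style="width:1px;height:1px">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <img ... /> also arrives here via handle_startendtag.
        if tag == "img":
            self.images.append({name: value or "" for name, value in attrs})


def _pixels(attrs, name):
    """Declared size in pixels, from the attribute or the inline style, else None."""
    match = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", attrs.get(name, ""))
    if match is None:
        pattern = r"(?:^|;)\s*" + name + r"\s*:\s*(\d+)\s*px"
        match = re.search(pattern, attrs.get("style", ""), re.IGNORECASE)
    return int(match.group(1)) if match else None


def remote_images(raw_message, recipient):
    """Return every image the mail client would fetch from a remote server.

    Each fetch shows the reader's IP address and the time of reading to that
    server's log; 'reasons' lists the extra signs of deliberate tracking.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text mail renders no image tags
    collector = _ImgCollector()
    collector.feed(body.get_content())

    results = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme.lower() not in ("http", "https"):
            continue  # cid: and data: images travel inside the message itself
        reasons = []
        width, height = _pixels(attrs, "width"), _pixels(attrs, "height")
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or smaller")
        # The address may appear literally or percent-encoded in path or query.
        if recipient.lower() in unquote(src).lower():
            reasons.append("recipient address in URL")
        results.append({"src": src, "host": parts.hostname, "reasons": reasons})
    return results


def find_web_bugs(raw_message, recipient):
    """Remote images that carry at least one tracking sign."""
    return [img for img in remote_images(raw_message, recipient) if img["reasons"]]


if __name__ == "__main__":
    for image in remote_images(SAMPLE_EMAIL, "reader@example.net"):
        label = ", ".join(image["reasons"]) or "remote fetch only"
        print(f"{image['host']}: {label}")
```

A per-recipient random token in the URL carries the same information without containing the address, so the second check only catches the crude form described here; mail clients that refuse to load remote images by default stop both.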
The Pioneer Press article makes the FBI's Internet Protocol Address Verifier sound a bit like a web bug, but it is ambiguous. For example, it calls the verifier "a specialized e-mail device." Furthermore, the St. Paul Star Tribune had this to say ("Feds thwart extortion plot against Best Buy"):
The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.
Did you see that? The Star Tribune called the verifier "a program." A web bug could never be confused with a "program." The source of my confusion should now be obvious.
If anyone knows what the heck an Internet Protocol Address Verifier really is, please let me know.
Tuesday, 6 January 2004
Diebold/DMCA summary & analysis
Monday, 5 January 2004
Norwegian authorities drop DeCSS case
Monday, 29 December 2003
Cyberbullying and school (in)action
The Christian Science Monitor has a feature article by Amanda Paulson on "cyberbullying." The article outlines the problem, analyzes it as merely a new platform for old-fashioned bullying, and discusses the perils of censoring speech for short-term disciplinary goals. I think that analysis is on the right track, but I would like to add a few points.
The article ignores the granddaddy of all cyberbullying cases and the publicity that surrounded it: the case of Jake Baker and the University of Michigan. Mr. Baker's First Amendment defense ultimately led to his exoneration of charges of making threats. (See the EFF case archive for comprehensive information.) The CS Monitor article does, however, discuss the more recent case of "Ghyslain, the Canadian teenager who gained notoriety this year as 'the Star Wars kid.'" This young man videotaped himself goofing around with a broomstick, as if it were a fighting staff.
Some peers got hold of the video, uploaded it to the Internet, and started passing it around. Doctored videos, splicing him into "The Matrix," "The Terminator," or the musical "Chicago," with added special effects and sounds, soon followed. He's now the most downloaded male of the year. According to news reports, he was forced to drop out of school and seek psychiatric help.
The article also mentions that (public) schools may lack the authority to shut down off-campus channels of speech used for bullying. The author seems to divide this into two distinct points, one practical and one legal, but it could stand some clarification. First, schools lack the practical ability to censor such centralized speech channels as web-based bulletin boards and instant messaging networks because the school is not the central entity. These are generally physically controlled by private companies. When it comes to open and decentralized channels (like email, IRC, or usenet), the school has no chance. Second, the legal barriers. Any action that schools take or fail to take can open them up to the modern American pastime, lawsuits. Any course of action necessarily requires the school to make judgments that pit one student's civil rights against another's: specifically, the right of the bully to speak vs. the right of the victim to have a public education free from harassment. Schools are understandably reluctant to break any new ground in this context. If I were a school board lawyer, I might recommend the most conservative course of action I could think of.
However, schools are not always so loath to target Internet speech that is generated off-campus. Some get trigger happy when a student's web site criticizes teachers or administrators. Just the other day, I blogged on a recent case involving the Oceanport School District in New Jersey. I could probably turn up ten more examples in as many minutes on Google.
Finally, I want to highlight a case described in the article that displays the best the First Amendment has to offer. "J. Guidetti, principal of Calabasas High School, did get involved, after comments on schoolscandals.com caused many of his students to be depressed, angry, or simply unable to focus on school." All of Guidetti's initial efforts failed as long as he used a law-enforcement approach. Then, he decided to counter speech with speech:
Eventually, a local radio station got involved and put enough pressure on the people running the site (a father-son duo) that they took it down in the spring. Already, there's a schoolscandals2, relatively harmless, so far. Guidetti checks it regularly for offensive content, one of the ever-growing tasks of a 21st-century principal.
To be clear, I do not advocate publicly shaming people for their speech. However, opinions that wilt in sunlight are exactly the sort that the Framers of the constitution believed could be controlled by encouraging counter-speech. Guidetti engaged in honest public debate, convinced more people than his opponents, and won the day. By taking his case to the airwaves, Guidetti created speech where he had previously tried to destroy it, and liberty had a rare chance to serve a utilitarian purpose.
Sunday, 28 December 2003
The New York Times points out, rather amusingly, that most members of Congress were engaged in sending a massive wave of unsolicited email to their constituents this weekend — barely ten days after unanimously approving the CAN-SPAM Act. Article: "We Hate Spam, Congress Says (Except Ours)."
"They are regulating commercial spam, and at the same time they are using the franking privilege to send unsolicited bulk communications which aren't commercial," David Sorkin, a professor at the John Marshall Law School in Chicago, said. "When we are talking about constituents who haven't opted in, it's spam."
Wednesday, 24 December 2003
Year 2003 in cyberlaw
Doug Isenberg, founder of GigaLaw, summarizes the year 2003 in cyberlaw: "Internet law in 2003 was full of surprises, with Congress passing an antispam bill, the courts blessing pop-up advertising, the music industry losing lawsuits and the Supreme Court finally upholding an Internet law." (Via Inter Alia)
Even before [Norway's prosecution of DVD-Jon] was filed, however, entertainment industry lobbyists had been pressing lawmakers in that country and elsewhere to enact tougher copyright laws, modeled on controversial U.S. legislation that makes it easier for authorities to win prison terms for people who crack encryption schemes or distribute cracking tools. If enacted, proposed legislation in Europe, Canada, Australia and Central and South America would soon hand entertainment companies similar weapons against people caught tinkering with anticopying software.
Via Furdlog.
CyberAge Stalking on LLRX
Barbara Fullerton of Locke, Liddell & Sapp has published an interesting article on LLRX called "CyberAge Stalking." She reviews several high-profile cases, the tools used in each case, and the statutes passed in their aftermaths.
Monday, 22 December 2003
DVD-Jon acquitted — again!
The Norwegian newspaper Aftenposten reports that Jon Johansen has been acquitted — again ("DVD-Jon wins new legal victory"). He was being tried for copyright infringement a second time (by an appellate court, this time) for his role in creating DeCSS. The power brokers in the movie industry are, of course, "disappointed."
Saturday, 20 December 2003
DC Circuit stumps RIAA
By now the world has heard of the D.C. Circuit decision in RIAA v. Verizon. Previously, the D.C. District Court ruled that Verizon must comply with RIAA's subpoenas, issued under § 512 of the Digital Millennium Copyright Act (DMCA). Those subpoenas are designed to force ISPs to disclose the identities of users whom RIAA suspects of illegally making copyrighted music available for others to download. RIAA can trace users by itself as far as their IP addresses (the set of numbers that uniquely identifies every computer on the Internet), but it needs the cooperation of ISPs to connect an IP address with an individual's name and address. Once it has that information, it can send a cease & desist letter or file a lawsuit.
Yesterday's Circuit decision reverses the District Court's interpretation of the statute. The appeals court gave the statute an extremely close reading in rendering its decision. The relevant section has a complex sentence structure and many cross references, so it is no wonder that the parties (and two different courts) disagreed as to its meaning. Derek Slater makes a few interesting points, including: "I find it fascinating when opinions contrast in this way — when they see the same issue clearly, unambiguously, but oppositely. [District] Judge Bates, just like [Circuit Judge] Ginsburg, claims to stick to the statute's text and go no further, yet their opinions are night and day."
The decision is a victory for privacy, but not a victory for privacy as such. The result was reached on a technical reading of the statute, and turned on the fact that a subpoena can only be sent if a DMCA notice-and-takedown letter can also be sent. […] The constitutional issues that would have made this a victory for privacy as such, or for freedom of expression, were not addressed by the court.
The Circuit panel adopted most of Verizon's statutory argument — that § 512(h) authorizes subpoenas only in cases where the plaintiff alleges that the infringing material is stored on media controlled by the ISP. However, when the ISP is a mere conduit for data stored on media controlled by a third party (the ISP's subscriber, in this case), § 512(h) does not permit subpoenas outside of the context of a lawsuit.
This line of reasoning rests on the cross references between § 512(h) and § 512(c). Subsection (h) permits a copyright owner to apply to the Clerk of the court for a subpoena so long as the application contains "a copy of a notification [of claimed copyright infringement, as] described in [§ 512](c)(3)(A)." The relevant language in § 512(c)(3)(A) is: "To be effective under this subsection, a notification of claimed infringement must be a written communication … that includes substantially the following" six elements. The third enumerated element is "(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material." (Emphasis added)
The court agreed with Verizon that this language requires the subpoena application to assert that the ISP has the ability to remove or disable access to the allegedly infringing material. However, most current P2P applications use a decentralized architecture. This means that all shared data is stored on users' computers, not on any central server — except for temporary copies incidental to transmission, which the DMCA permits. Therefore, the ISP has no legal right to remove or disable access to the material shared on the P2P network:
No matter what information the copyright owner may provide [in its subpoena application], the ISP can neither "remove" nor "disable access to" the infringing material because that material is not stored on the ISP's servers. Verizon can not remove or disable one user's access to infringing material resident on another user's computer because Verizon does not control the content on its subscribers' computers.
This holding does have some privacy implications, but they are small compared to Verizon's alternative argument. Having decided this case on statutory grounds, the court ducked the larger First Amendment questions.
So what implications does it have? Dozens of people predict that RIAA will lobby Congress to close what it surely sees as a loophole in the DMCA. Ernest quipped, "[T]he RIAA has nearly hosed itself." The trade group has been trying to consolidate all its DMCA subpoena litigation in Washington, D.C. for administrative convenience. Now, however, it cannot be happy with its "success" in transferring the SBC case to the D.C. District from the Northern District of California in San Francisco — because the Verizon decision is now binding precedent in the nation's capital. This will not stop RIAA from getting users' information, however. It will only make the process slower and more expensive. Instead of paying its lawyers simply to draft subpoena applications, it now has to pay them to draft and file complaints and motions in addition to subpoena applications. These costs will be passed on to consumers in the form of higher average settlements.
John Palfrey sees a broader trend: "Add this development to the Grokster opinion, and the trend of the law in favor of digital rights holders is at least in a holding pattern." The trend may be even broader than Palfrey recognizes — this was a banner week for civil liberties everywhere. (It could, however, be just a blip on the post-9/11 radar screen.) The Dutch supreme court ruled that the makers of Kazaa are not liable under Dutch law for copyright infringement committed by the software's users. A day earlier, the Second Circuit ruled that the U.S. government may not classify Jose Padilla as an enemy combatant — which should assure that his constitutional rights are no longer suspended. Just a few hours later, the Ninth Circuit wrote "that the [Bush] administration's policy of imprisoning about 660 non-citizens on a naval base in Guantanamo Bay, Cuba, without access to U.S. legal protections 'raises the gravest concerns under both American and international law'" (source).
If nothing else, we live in interesting times.
Friday, 19 December 2003
Dutch high court: Kazaa not liable
The decision by the Dutch court, the highest European body yet to rule on file-sharing software, means that the developers of the software cannot be held liable for how individuals use it. It does not address issues over individuals' use of such networks. […] The Supreme Court rejected demands by Buma Stemra, the Dutch royalties collection society, that distribution of Kazaa cease and that future versions be modified so that copyrighted materials cannot be exchanged over the network, lawyers representing Kazaa said.
It looks like Matt Oppenheim, a senior vice president of RIAA, has to eat his words from March 2002. Describing the Dutch appeals court action underlying yesterday's supreme court decision, he said: "I don't think this summary decision…will have any more impact than it would have from any other country that doesn't enforce copyright law consistent with the United States." Matt, perhaps you can tell me if I spelled "jingo" correctly.
Thursday, 18 December 2003
MS & NY highlight non-preempted state spam laws
Microsoft and New York State Attorney General Eliot Spitzer are going after spammers — in state courts. The claims they intend to file strike at the misleading nature of email marketing, not the commerciality of the messages. In other words, they are suing under state laws that are not preempted under the CAN-SPAM Act. News coverage: C|Net, New York Times, Seattle Times.
Wednesday, 17 December 2003
CAN-SPAM coauthors respond to criticism
The two coauthors of the CAN-SPAM Act, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), published an essay yesterday in response to criticism of their bill. They state in no uncertain terms what I have been saying all along — that CAN-SPAM is not a silver bullet but that it is a good first step. The money line: "Big-time spammers will inevitably violate the Can-Spam Act because it strikes at the heart of how their sleazy businesses work." (Thanks to GrepLaw for the heads up.)
Also, I did not mention yesterday that President Bush signed the Act.
Tuesday, 16 December 2003
CRIA Follows Big Brother's Lead
The millions of Canadians who share music files on the Internet should be prepared for the possibility of facing a lawsuit early in the new year, the head of the Canadian Recording Industry Association said yesterday. … [Brian] Robertson would not specify how many lawsuits would be filed, but he did say the legal action would be similar to the lawsuits filed in the United States. For some time, CRIA has been using software that tracks and identifies users involved in trading free music files. "Users should be aware that using file-sharing services is a very public process," Mr. Robertson said.
Since Canada has no analog to the Digital Millennium Copyright Act (DMCA), it will be interesting to see whether CRIA's tracking software is anywhere near as effective as RIAA's subpoenas. Neither one, it cannot be pointed out often enough, has any judicial oversight. And both are ripe for abuse.
Monday, 15 December 2003
God Considers Smiting Copyright Pirates
God is considering his options for action against Bible pirates. "God did not rule out smiting as a final measure against those who share his most famous work, the Bible, on the Internet," wrote Kristian Werner of BBspot Technology News.
Citing misuse of His word, misquotation, and putting hardworking Bible printers out of work, God said he would now start hunting Bible pirating around the globe. "I have to defend both my world-famous brand the Bible and its distinctive likenesses and the livelihood of those who create and distribute legal copies of it. Sure, they live not by bread alone, but website hits, someone else's website mind you, don't pay the bills for these folks."
Spam rage defendant pleads not guilty
Saturday, 13 December 2003
I would like to comment briefly on one post in ATAC's weblog, "Face Recognition and False Positives." This post raises the point of "a classic security mistake: ignoring the false positive problem." I addressed this issue in "Static Measurements & Moving Targets," my law-school thesis paper on biometrics and privacy in the context of consumer banking. In that paper, I looked at the problem from a perspective opposite Ed's. He describes facial recognition in an identification application, where its goals are substantially different from what its goals would be in an authentication application.
The designer of an application that flags passers-by as registered sex offenders has an incentive to overinclude suspects for security reasons — that is, to err on the side of false positives. The designer of an ATM authentication application, on the other hand, has the opposite incentive — to err on the side of false negatives, to prevent fraud. The point is that false positives are not solely a privacy issue: they also represent a security risk, depending on the context.
That said, I do agree with Ed's basic point, as I wrote back in October ("Terrified of Terror Profiling?"). I supported the point there with links to articles by computer security expert Bruce Schneier and mathematician John Allen Paulos.
Friday, 12 December 2003
ECPA permits employer to search stored email
Law.com reports that a Third Circuit panel has interpreted the Electronic Communications Privacy Act (ECPA) to permit an employer to search its employees' email messages that are stored on its network ("Federal Law Allows Employer's Search of Worker's E-Mails"). Such a search, the court held, does not constitute "interception" of messages during "transmission," as prohibited by the ECPA. The full text of the decision in Fraser v. Nationwide Mutual Insurance Co. is available via FindLaw.
Tuesday, 9 December 2003
Response to Anita Ramasastry's criticism of CAN-SPAM
GrepLaw gives a pointer to Anita Ramasastry's FindLaw article criticizing the CAN-SPAM Act. She scores a few points, but she ignores several important provisions that render her conclusions — in my opinion — wrong.
CAN-SPAM's major faults, in Ramasastry's view:
First, on the prohibition of some but not all spam. This criticism seems somewhat disingenuous, since Ramasastry later recognizes that the First Amendment would prevent a prohibition of all advertising via email. Furthermore, she appears to assume that any do-not-spam registry will be struck down under the First Amendment. The do-not-call registry is a good model to look at, precisely because its legal status is currently undergoing judicial review. This litigation will, eventually, clarify the law. Besides, if it is struck down, the obvious workaround is to implement the registry in a new way that deals with the First Amendment problems.
Second, on enforcement by individual consumers. CAN-SPAM expressly provides for enforcement by at least 110 government bodies, plus any ISP "adversely affected" by illegal spam. The public servants will have strong political incentives to file spam lawsuits, and ISPs will have strong economic incentives. Why add hundreds of millions of consumers to this list when their lawsuits will inevitably be less well-funded than the institutional enforcers? With potential damage awards of $6 million for public enforcers and $3 million for private enforcers, those entities will easily be able to recoup their legal costs (even if they are not awarded attorney fees, as provided in the Act).
Third, on the difficulty of enforcing CAN-SPAM against foreign and judgment-proof spammers. The Act's third-party liability provisions will solve much of this problem. The Act attaches liability to (1) any business knowingly promoted via illegal spam and (2) any vendor that provides goods or services to a spamming operation with knowledge that those goods or services will be used to send spam. These provisions give third parties one free bite — before the first potential plaintiff sends a cease & desist letter, putting them on official notice. Much advertising currently distributed via spam promotes products on sale within the U.S. or manufactured or sold by people in the U.S. Once the first such person is prosecuted, the demand for advertising space in spam will decline precipitously. Spam will inevitably decline, as fewer people are willing to pay for it.
Fourth, on the purported shortcomings of the do-not-spam registry. For god's sake, give the thing a chance before you accuse it of failing. As I said above, the FTC can learn from the outcome of the pending do-not-call litigation, and there is an infinite variety of implementations that the do-not-spam registry could take. I proposed one not long ago. Also, the possibility that some spammers will evade it is not a reason not to try. CAN-SPAM's third-party liability provisions do not currently apply to registry violations, presumably because the registry does not exist and the Act only empowers the FTC to consider the idea of the registry. That shortcoming can easily be rectified by an amendment to the statute or FTC rule.
Fifth, on state spam laws. How, exactly, is the fundamental shortcoming of the Westphalian territorial legal system solved by having fifty state laws, no matter how restrictive? What if a spammer in California sent spam only to residents of other states and other countries? No state or country would have jurisdiction. The major complaint in this area that does have some validity is the preemption of California's tough opt-in law with the federal opt-out standard. This is a valid criticism, but it goes to the policy choices that Congress made when it traded opt-in for the possibility of an effective opt-out registry.
Sixth, on technological solutions. You cite Congress's findings on the rapid rise of spam traffic in an era that had no comprehensive spam law. The primary method of dealing with spam has been technological measures. And the volume of spam rose rapidly during that period. One of CAN-SPAM's greatest strengths is that it expressly permits ISPs to implement private mail policies — a provision that should exempt them from tort liability for doing so. It looks somewhat like § 230 of the Telecommunications Act of 1996 in that respect.
Sunday, 7 December 2003
Borland on P2P
John Borland of C|Net wrote an interesting column last Thursday, asking whether RIAA's lawsuits against P2P users were having the desired deterrent effect ("RIAA lawsuits yield mixed results"). "At the core of the RIAA's strategy has been the attempt to persuade as many people as possible to stop trading copyrighted files online. This appears to be working in at least some groups, but the evidence is mixed at best." That same day, he also wrote a good summary of the compulsory licensing discussion in Canada: "Should ISP subscribers pay for P2P?"
Finished writing CAN-SPAM summary & comments
I finished writing my formal summary and commentary on the CAN-SPAM Act for the Journal of Internet Law. I would like to thank everyone who posted and emailed comments over the last two weeks; they all helped me clarify the issues. Several of you asked me to post the paper here. I will do so as soon as I get "permission" (i.e., confirmation that posting it here will not jeopardize its publication next month). Meanwhile, my preliminary thoughts are still available here.
Friday, 5 December 2003
Google files DJ action against American Blind
I love it when companies are willing to spend money to clarify the law in areas where it is murky. Playboy used to be great in this area, filing many suits that pushed copyright and trademark law into the digital age at a time when the Internet had barely entered the popular lexicon. Many of those cases went all the way to judgment and appeal — which gave something back to the public, in exchange for the judicial resources that Playboy consumed.
Now Google has started. Last week the search company filed a declaratory judgment action against American Blind & Wallpaper Factory, asking the U.S. District Court in San José to clarify its rights. American Blind (among many others) has complained recently to Google about Google's sale of keywords to its advertisers. Google has been fairly responsive about such trademark requests, but AB and others frequently claim to have rights in words and phrases that do not precisely match their registered or common law trademarks. They do have some trademark-like rights in such terms, but it is often difficult to discern exactly what they are. This case should help.
Thursday, 4 December 2003
Johns Hopkins still bars publication of Diebold memos
Derek Slater reports the tribulations of Asheesh Laroia, a student at Johns Hopkins University. Despite never having received a cease & desist letter, JHU cut off access to the memoranda. Even after Laroia informed JHU that Diebold had retreated (1, 2), the university persisted, writing that it "cannot allow its resources to be used in violation of copyright law, whether or not the holder of the copyright (in this case Diebold) plans to prosecute."
All I can say is I am glad I am not a student there.
Monday, 1 December 2003
Crimson confirms Diebold will not sue students
Zachary Seward reports in the Harvard Crimson that a Diebold spokesman confirmed that the company will not sue students who posted internal company memoranda on the Internet ("Diebold Won't Sue Students"). Thanks go to John Palfrey for the heads up. The article has one interesting point that bears mentioning here:
In one memorandum from April 23, 1999, [a Diebold] employee acknowledges a flaw in one of the company's electronic ballots. "I don't expect you will see a fix in time for the election," the employee writes, "since it is tomorrow." Diebold will not comment on the memoranda but has said that any imperfections in their systems have subsequently been fixed.
Note that this claim can be interpreted to apply only to those particular ballot problems: tailor-made plausible deniability. It does not claim to have fixed the security flaws found in two independent reviews earlier this year. In one review, researchers at Johns Hopkins and Rice universities found weaknesses that could easily allow someone to cast multiple votes for one candidate. (Report (pdf), press release) The other report, conducted for the State of Maryland, concluded that flaws exist but that they were unlikely to cause practical problems in real elections, but only if external safeguards are in place. (Report (pdf))
Also recall that Diebold is the only manufacturer of ATMs in the world whose machines have become infected with a worm.
Saturday, 29 November 2003
More Congressional ineptitude
After reviewing the highlights of the CAN-SPAM Act for my blog last week, I was asked to write a more comprehensive review for the Journal of Internet Law. During my more careful, second reading of the bill, I noticed an inexcusable discrepancy. Early on, the bill defines a "commercial electronic mail message" (its verbose term for spam) as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." § 3(2)(A). A few paragraphs later, the bill states, "It is the sense of Congress that [s]pam has become the method of choice for those who distribute…viruses, worms, and Trojan horses into personal and business computer systems." § 4(c).
This passage shows (1) that the House has no idea what those terms mean or what spam is, and (2) that the House has no idea how it defined spam just a few paragraphs earlier!
Friday, 28 November 2003
P2P & anonymity
Four years ago I wrote my senior thesis at Yale, The Futures of e-Politics, in which I complimented several Congressmen and Senators for having done well to educate themselves on digital communications technologies in a relatively short time. Today I may recant that compliment.
I just got around to reading C|Net's coverage of a letter sent last week from several Senators to the executives of several P2P companies. The lawmakers asked the companies to regulate themselves — i.e., to censor their networks for pornography and copyrighted material. C|Net reports (Senators ask P2P companies to police themselves) a quote from Senator Lindsey Graham (R-N.C.) that I did not see reported elsewhere. In a "statement" accompanying the letter, he said (emphasis added):
Purveyors of peer-to-peer technology have a legal and moral obligation to conform to copyright laws, and end the pornographic trade over these networks. These programs expose our children to sexually explicit materials and provide an anonymous venue for child pornographers to hide behind the veil of technology.
If we have learned anything from RIAA this year, it is that P2P activity is not anonymous. If you are going to make national policy, or at least pretend to, it is not unreasonable to ask that you pay attention.
Thursday, 27 November 2003
Worm infects Diebold ATMs
Diebold, the very same company being raked over hot coals for its authoritarian response to criticism, now has the ignoble honor of being the first ATM manufacturer to have its machines infected with a worm. (New Scientist: "Cash machines infected with worm")
The controversy over Diebold's electronic voting machines is no longer theoretical (if it ever was). This is a real-world, already-happened, no-excuses problem affecting a Diebold product very similar to its voting machines. How could this happen? Simple — Diebold's ATMs run Windows XP.
Diebold backs down
Diebold filed court papers on Monday, stating that it would not file copyright infringement suits against people who hosted and linked to the infamous cache of damaging documents. Kudos go to the Stanford Cyberlaw Clinic, which represented two Swarthmore students in their lawsuit against the voting machine manufacturer. Too bad Rule 11 does not apply to DMCA notice-and-takedown letters. You have my best wishes if you sue Diebold under anti-SLAPP laws and for intentional infliction of emotional distress.
Tuesday, 25 November 2003
Spam canned throughout the land?
The House of Representatives approved the CAN-SPAM Act on Friday, by a vote of 392-5. The acronym stands for the not-so-clever moniker, "Controlling the Assault of Non-Solicited Pornography and Marketing Act." The Senate is expected to approve the measure this week, and President Bush has agreed "in principle" to sign the bill.
This bill would have been a reasonable first step to take against spam five years ago, and Congress should be ashamed of itself for dawdling so long. We should be debating the second or third revision of the Act by now. What is done is done, however, so let us explore what the CAN-SPAM act says.
Update, 29 Nov 2003. I have been asked to revise and augment this essay for publication in the Journal of Internet Law. Toward that end, I would appreciate any constructive comments from any reader.
The full text of the bill is available at C|Net. The news agency also gives a bullet-point summary amidst its coverage, and the Institute for Spam & Internet Public Policy (ISIPP) gives a ten-point summary. Finally, C|Net gives this brief summary of the entire bill:
If the measure becomes law, certain forms of spam will be officially legalized. The final bill says spammers may send as many "commercial electronic mail messages" as they like as long as the messages are obviously advertisements with a valid U.S. postal address or P.O. box and an unsubscribe link at the bottom. Junk e-mail essentially would be treated like junk postal mail, with nonfraudulent e-mail legalized until the recipient chooses to unsubscribe.
First, a few preliminary comments before I get into specific provisions. Spam has been a scourge on the 'net since the early 1990s, when non-academics and non-scientists first logged on in large numbers. The volume of commercial email was low at first but has grown exponentially for years. The result has been frustration for users who drown in the flood of messages, higher costs for service providers who must process all the unwanted email, embarrassment for legitimate businesses whose servers are hijacked by spammers trying to disguise their identities, and the corruption of children whose parents try to shield them from pornography and other sex-based products. The Act does not go as far as many people think it should (which is why Congress's long inaction is so lamentable); but it is, as I said above, a reasonable first step. The House seems to have made a genuine effort not to be heavy-handed with the rights of advertisers. Still, the Act has some sharp teeth for consumers and, if it is properly enforced, has the potential to significantly reduce the burdens caused by spam.
Now, some comments on specific provisions. This is not intended to be a comprehensive analysis of the bill but rather a few thoughts on the provisions I think are important or interesting.
Update (6pm): Several readers have asked me to insert anchors in my subject headings so they can link to specific pieces of this article. Here they are:
The "false header information" provision is perhaps the easiest part of the bill for non-technologists to grasp, because you can examine the underlying problem even if you do not understand the technology. Spammers often disguise the origin of their advertising to make it more difficult for individuals and ISPs to use automated methods to filter and delete spam. These disguises also induce recipients to open the spam mail and begin reading by pretending to be legitimate messages (e.g., with a deceptive or misleading subject line). Imagine paper junk mail, delivered by the post office, that comes in an envelope whose return address seems to be from your bank or your doctor. When you open the envelope, you find a flier for hard core pornography.
When spam is disguised as legitimate mail, more people will open the message and read the first few lines before realizing its true nature. This gives the advertiser a better chance of selling his product, be it pornography, generic viagra, or home mortgage services. As more spam is dealt with by human beings (rather than filtered by computers), more advertisements get read, and more products will be sold even if most people hit the delete key immediately. In paper-based "direct mail" ad campaigns, a response rate of one buyer per 100 mailings is generally enough to break even. The cost of sending email is much lower than the cost of sending paper mail, so a response rate of one buyer per 100,000 mailings is likely to earn a profit. The cost of sending email only seems lower to the sender, however, because most of the costs are shifted to the receiver and the receiver's ISP.
Here is how the technology works, in a nutshell. An email's "header" is the addressing and routing information (such as the to, from, and date fields) that you see at the top of each message. Most email software hides the bulk of the header from you, unless you take an extra step to have it displayed. This "hidden" information documents where the email originated and the route it took across the Internet to your inbox. Each computer on the Internet has a unique "IP address" consisting of four numbers separated by dots (periods). Each line of the "hidden header" contains the IP address of a computer that touched the email en route and states the action that computer performed. Usually, these intermediary computers simply receive the message and hand it off to another computer that is "closer" to the recipient; after five or six hops, the email arrives at your inbox, and the process stops. Each intermediary computer adds a line to the top of the header, so the very top line always documents your mail server's delivery to you. Each successive line below that will document where each computer got the message from, going all the way back to the original sender. For example, an email I received this morning has these two lines in its header:
The first line is from my mail forwarding service (which sent the message to my ISP after it added this stamp, and my ISP later delivered the message to me). The name of this computer is andros.alumniconnections.com, which resolves to the IP address 126.96.36.199. Before that, the message was handled by a computer named voyager.bna.com (188.8.131.52). This makes sense because the email in question was an Internet law newsletter from BNA, a publisher of print and electronic news, analysis, and reference products. Also note that each header line has a date & time stamp.
Some automated spam filters take advantage of this stamping process by searching the email header for computers that are known to be used for sending spam. The bottom line of the header should be the original sender, and the identities of the biggest spammers are well known, so it should be an easy matter to delete all messages coming from them. Spammers know this, however, so they go to great lengths to forge these headers and route their mail through other people's servers to disguise its true origin. CAN-SPAM's "false header information" provision would make this illegal. The practice is already arguably illegal under a patchwork of existing laws, which could be interpreted to cover this situation. However, there is no substitute for a clear, specific statute directly on point that removes all doubt.
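The stamping process described above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it reads the Received stamps from the top down, finds the point where the message first entered servers the recipient trusts, and flags stamps below that point that look inconsistent. The message, host names, addresses and the TRUSTED_* sets are constructed for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: documentation-only host names and IP addresses.
RAW_MESSAGE = """\
Received: from mx.forwarder.example (mx.forwarder.example [198.51.100.7])
\tby mail.myisp.example with ESMTP id A1; Tue, 25 Nov 2003 09:15:12 -0500
Received: from relay.unknown.example (relay.unknown.example [203.0.113.45])
\tby mx.forwarder.example with SMTP id B2; Tue, 25 Nov 2003 09:15:05 -0500
Received: from mail.bigbank.example (mail.bigbank.example [192.0.2.10])
\tby relay.unknown.example with SMTP id C3; Tue, 25 Nov 2003 11:40:00 -0500
From: "Big Bank" <service@bigbank.example>
To: reader@myisp.example
Subject: Your account statement

Body text.
"""

# Assumption: the recipient's ISP and mail-forwarding service are the only
# servers whose stamps are believed, and the forwarder's address is known.
TRUSTED_HOSTS = {"mail.myisp.example", "mx.forwarder.example"}
TRUSTED_IPS = {"198.51.100.7"}
CLOCK_SKEW = timedelta(minutes=5)  # tolerance for unsynchronised server clocks

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_hops(raw):
    """Return the Received stamps, newest first (top of the header first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(value)
        if not match:
            continue  # stamp in a format this example does not handle
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({"from": match["helo"], "ip": match["ip"],
                     "by": match["by"], "time": stamp})
    return hops


def trust_boundary(hops):
    """Index of the stamp where an outside machine handed the message to us.

    The top stamp was written by our own server. If the peer it recorded is a
    trusted relay, the next stamp down was written by that relay, and so on.
    The first stamp that records an untrusted peer IP is the last reliable
    fact; every line below it arrived with the message and may be forged.
    """
    for index, hop in enumerate(hops):
        if hop["by"] not in TRUSTED_HOSTS:
            return None  # chain is not anchored in our own servers
        if hop["ip"] not in TRUSTED_IPS:
            return index
    return None


def chain_anomalies(hops):
    """Flag stamps that contradict the stamp directly above them."""
    issues = []
    for newer, older in zip(hops, hops[1:]):
        if older["time"] - newer["time"] > CLOCK_SKEW:
            issues.append(f"{older['by']}: stamped later than the hop above it")
        if older["by"] != newer["from"]:
            issues.append(f"{older['by']}: does not match sender named above")
    return issues


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    boundary = trust_boundary(hops)
    print("connecting IP at trust boundary:", hops[boundary]["ip"])
    for issue in chain_anomalies(hops):
        print("anomaly:", issue)
```

A filter built this way scores the address recorded at the trust boundary rather than the bottom line of the header, because the bottom line is whatever the sender chose to write.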
The "resource misappropriation" provision is perhaps the most difficult for non-technologists to understand. Congress borrowed this idea from a line of judicial opinions based on a tort called trespass to chattel. A "chattel" is simply the legal term for an item of personal property: a toaster or a chair, for example. I cannot make toast or sit down when someone else is using my chattels without my permission. That property belongs to me, so the common law allows me to sue the person using it. If I prove my case, I would get money for the damages I suffered from the delay in satisfying my hunger or relaxing my legs, and the court would order the trespasser to stop. The crux of this policy is that a computer is a chattel just like a toaster or a chair. Intuitively, we all understand that if someone else is using my laptop, he is blocking me from using it at the same time.
In the spam context, we must look at the technology on a slightly deeper level than this simplistic first approach allows. The Internet relies on powerful computers called servers, which answer queries from many people at the same time. When I read Yahoo!'s home page, the odds are very high that many other people are reading it at the same time. Yahoo!'s web server can dish out thousands of pages at the same time. However, when the number of readers grows too high, even the most powerful server has trouble keeping up, and users experience delays or, worse, the server "crashes."
A similar phenomenon occurs with mail servers, the computers that process email after it is sent and before it is received. Suppose the average email user sends and receives an average of 20 legitimate messages per day and receives an average of 80 spam messages per day. His Internet Service Provider's (ISP) mail server will spend 80% of its time processing spam and only 20% processing the "real" mail, which is what the user (the ISP's paying customer) wants it to process. Instead of buying the server it wanted to buy, the ISP had to buy one with five times the processing power to accommodate the unwanted extra load. This does not increase the cost of the server linearly (by five times), but it does increase the cost of the server by a measurable amount. Similarly, the ISP has to pay for five times the bandwidth (transmission capacity) that its customers want to use. Even if the ISP filters out spam as a service to its customers, it must still pay for all this extra capacity to receive each piece of mail, look at the contents of each message, and flag each message for deletion or delivery.
The first case to examine spam from this perspective was CompuServe v. Cyber Promotions, 962 F. Supp. 1015 (S.D. Ohio 1997). CompuServe, an ISP, sued Cyber Promotions (CP) over spam that CP was sending to CompuServe's customers. (CP is no longer in that line of business.) That court built on the analysis written by a California Court of Appeals from a year before in Thrifty-Tel, Inc. v. Bezeneck, 56 Cal. App. 4th 1559, 1567 (1996). The California court had held that "Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action." CompuServe, 962 F. Supp. at 1021. In other words, the electric impulses that computers use to communicate constitute a physical invasion of property when they are sent into a privately-owned system without permission. In Thrifty-Tel, a telephone company had sued the parents of children who engaged in "phreaking," attempting to crack the company's authorization codes in order to make long distance calls without paying for them. The most famous decision in this line of cases is eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (2000), which extended the same reasoning to web servers.
Two pieces of the bill, the "working unsubscribe" and "anti-resubscribe" provisions, belong under the same conceptual umbrella, which I call the "meaningful unsubscribe mechanism."
The "working unsubscribe" provision would require each piece of spam to include instructions for the recipient to "opt out" of future advertising. This opt-out mechanism must function for 30 days after the spam is sent, to ensure that recipients have a reasonable opportunity to use it. Otherwise, the spammer could shut it down immediately after clicking send, before most people have received the junk mail.
Some spammers get around states' opt-out laws by removing people from lists when they make opt-out requests, then immediately adding the same person to a new list. This new list has a much higher economic value to the spammer because the addresses on it are "verified": the spammer knows that each one belongs to and is being actively used by a live person. This formalistic interpretation of many state laws' opt-out requirements is not possible under CAN-SPAM's "anti-resubscribe" provision, which bars the spammer from adding opted-out addresses to other lists.
The "working unsubscribe" provision is the most controversial and troubling provision in the Act. A great controversy surrounds the question of whether spam should be an opt-in or an opt-out enterprise. An opt-in system would forbid unsolicited commercial email by requiring spammers to document that the owner of each email address on a mailing list has requested to be placed on that list. An opt-out system would permit unsolicited commercial email but requires spammers to remove an address from their lists when the person who owns it asks to be removed. The CAN-SPAM bill passed by the House came down on the side of opt-out.
The foundation of American law is the U.S. Constitution, and the First Amendment to the Constitution provides that "Congress shall make no law abridging the freedom of speech, or of the press." Despite this plain language, the Supreme Court has held that not all speech is equal under the First Amendment. While indecent speech (e.g., ordinary pornography) is protected from most government interference, obscene speech and child pornography enjoy no First-Amendment protection whatsoever. (See, for example, Ashcroft v. Free Speech Coalition, 535 U.S. 234, 122 S. Ct. 1389 (2002) for child pornography and Miller v. California, 413 U.S. 15, 24-25 (1973); Smith v. U.S., 431 U.S. 291, 301-02, 309 (1977); and Pope v. Illinois, 481 U.S. 497, 500-01 (1987) for obscenity.) Commercial speech gets an intermediate level of protection. Central Hudson Gas & Electric Corp. v. Public Service Commission of N.Y., 477 U.S. 557, 564-65 (1980).
Since the First Amendment was ratified, it has been axiomatic that "prior restraints" on speech are one of the greatest evils threatening the health of our polity. A prior restraint is a government prohibition on a particular message before the speaker has a chance to communicate it. The freedom of speech and the fundamental liberty of self-expression demand that everyone be given an opportunity to voice his thoughts. Some speech is always socially harmful, such as threats of violence or statements made in the formation of a criminal conspiracy. However, it is simply not possible to articulate in advance a definition of all forms that such harmful speech will take without our definition also encompassing many forms of legitimate speech. Therefore, we only punish speech after it has been uttered, when we can analyze the facts of each case. True, this allows some harms to occur that we might otherwise prevent, but a system of prior restraints would create far more and far greater harms by having a "chilling effect" on socially-necessary speech.
Therefore, everyone must have a reasonable opportunity to stand in a public square, tap passers-by on the shoulder, and say, "Would you like to hear what I have to say?" However, the freedom of speech guarantees a right to speak, not a right to force others to listen. Each listener has the right to say, "No, I find your views offensive, and I do not want to listen to you." Spam may be the 21st century, commercial-speech embodiment of this tap on the shoulder. The mandated opt-out system is the listener's opportunity to decline.
Many people believe that commercial speech should get less protection than it does today. Consumer protection demands it, they argue. How else can we prevent hucksters from selling snake oil through lies and deceit? These arguments do have merit, and I do not mean to dismiss them here; they are just beyond the scope of this blog. However, it would be irresponsible not to note at this point that, in recent years, the Supreme Court has been backing away from the Central Hudson doctrine because it is proving impractical to differentiate commercial speech from other types of speech. In ten years, what is "commercial speech" today may get full constitutional protection.
Spammers employ many strategies to collect email addresses for their spam lists. One common strategy is called "harvesting." Spammers write software that trolls the Internet for character strings that appear to be email addresses. The software scans the text of web pages, chat rooms, message boards, and usenet, recording all the email addresses it finds. The CAN-SPAM Act will make this practice illegal. The very next paragraph of the Act prohibits another common strategy, "randomly generating electronic mail addresses by computer." The combination of these two prohibitions will make it much harder for spammers to get a hold of functional email addresses.
The Act allows states to enforce it by suing spammers on behalf of their citizens, and it allows ISPs to sue on their own behalf or on behalf of their subscribers. This is a common-sense compromise between the factions advocating a private right of action (which would permit individuals to sue spammers for themselves) and those advocating federal enforcement (which would permit only the U.S. Attorney General to enforce the Act).
Both extreme positions carry dangers and benefits. With a private right of action, the courts might be clogged with individual or class action suits, and it would take too long to reach large judgments against spammers for the law to be effective. On the other hand, leaving enforcement in the Attorney General's hands exposes the law to the dangers of under-enforcement and political cherry-picking. First, spam may seem minor compared to violent crimes, which rightfully get prosecutors' prime attention. Spam prosecutions might fall by the wayside. Second, the economic and technological damage caused by any two pieces of spam are identical, but does anyone honestly believe that John Ashcroft would approve the prosecution of inkjet toner vendors if there are any pornography vendors still standing? With finite resources, any Attorney General (like any manager) must set priorities for his office, and I would never fault Ashcroft for setting clear guidelines. However, I frequently disagree with the content of his guidelines; and, in this context, his preferences would probably lead to systematic selective enforcement, which would be untenable under the First Amendment, which prohibits the government from treating different speech differently based on its content or viewpoint. With all fifty states and hundreds of ISPs bringing spam suits, the danger of selective enforcement declines.
CAN-SPAM expressly "preempts" state laws dealing with spam. The Supremacy Clause of the U.S. Constitution (article 6, § 2) establishes that the Constitution, laws, and treaties of the United States "shall be the supreme law of the land" and that they preempt state laws where they are in conflict (and in certain other situations). California, in particular, has passed several statutes prohibiting spam. California's most recent statute, which will not take effect until January, is far more protective of consumers than CAN-SPAM. All of these laws would be rendered unenforceable by the federal Act.
The House considered drafts of the bill that would have required the Federal Trade Commission (FTC) to maintain a "Do Not Spam" registry, similar to the "Do Not Call" registry that it recently established in conjunction with the Federal Communications Commission (FCC). Spammers would have been required to compare the email addresses in this registry to their own mailing lists and remove any addresses that match. In effect, it would have been illegal to send unsolicited commercial email to any address in the registry. However, the House rejected this provision (which would have required the FTC to create the registry) in favor of one that merely requires the FTC to study the issue and permits it to create a registry if it sees fit.
Anyone taking odds on what the FTC will do? Before you answer, consider that the bill fails to allocate a single dollar to fund the registry.
By making certain kinds of email illegal, the Act, by implication, renders all other kinds of email legal. However, some spam that Congress intended to make illegal will always slip through cracks in the law's definitions. (This is a fundamental shortcoming of human language, not necessarily a fault of Congress.) Therefore, the bill expressly permits ISPs to devise and implement their own, private email-handling policies.
Without this provision, ISPs would be vulnerable to lawsuits from spammers if they decide to block this slippery spam on their own. By blocking mail that is technically legal, the ISPs would arguably be liable for such torts as interference with business relations (for blocking legal business communications) and defamation (for falsely labelling messages as "spam"). Much like § 230 of the Telecom Act of 1996 (47 U.S.C. § 230), CAN-SPAM's "private mail policy" provision is designed to protect ISPs from an onslaught of litigation that would render them unable to conduct business. If ISPs cease operating out of fear of litigation, consumers would be unable to access the Internet at all.
Wednesday, 19 November 2003
Kucinich slaps Diebold
Congressman and presidential candidate Dennis Kucinich (D-OH) has come out decisively in favor of civil liberties. On his Voting Rights issue web page, he posts excerpts from and links to the memoranda that Diebold has tried so hard to erase from the public hivemind. Thanks to Donna at Copyfight for the heads up.
The Congressman writes:
Stopping False Copyright Claims
Earlier today, Doug Simpson of Unintended Consequences pointed out (Article: Congressman Posts Diebold Document Excerpts) that the Speech or Debate Clause of the U.S. Constitution (Art. I, § 6, cl. 1) may put Rep. Kucinich beyond Diebold's long reach if the company should choose to serve him with a DMCA notice-and-takedown letter. This clause immunizes members of Congress from "arrest" during any speech or debate in the course of their Congressional duties or while traveling thereto or therefrom. It further provides that members "shall not be questioned in any other place" "for any speech or debate in either House" of Congress.
Doug also brings up the similarity between this hypothetical case and Brown & Williamson Tobacco Company v. Williams, 62 F.3d 408 (D.C. Cir. 1995), where a paralegal working for the law firm representing B&W (a tobacco company) leaked juicy documents to the press and to Congress. In this decision, the D.C. Circuit Court affirmed the District Court's quashing of the subpoena served on Rep. Waxman by B&W. Doug asks, "Can we expect Diebold to send Congressman Kucinich a cease and desist letter, with a takedown notice to the ISP hosting [his web site at] House.gov? I'd like to be a fly on the wall when those arrive."
Tuesday, 18 November 2003
Court hears Diebold arguments
Declan McCullagh reports on C|Net that the U.S. District Court in San Jose, California heard arguments in the case brought by students and the Electronic Frontier Foundation (EFF) against Diebold Election Systems. (Article: Students fight e-vote firm's DMCA claims)
As discussed here (1, 2) and elsewhere, Diebold manufactures electronic ("touch screen") voting machines. Students at Swarthmore launched what has since become a widespread electronic civil disobedience movement. Internal Diebold documents indicating mismanagement and a lack of security were publicly distributed, and protesters sought to bring them to the fore of public debate while Diebold sought to repress them by sending threatening letters under the notice-and-takedown provision of the Digital Millennium Copyright Act (DMCA). There are also other political concerns, which Declan summarizes concisely:
Diebold gave at least $195,000 to the Republican party during a two-year period starting in 2000, and its chief executive, Walden W. O'Dell, once pledged to deliver Ohio's electoral votes for President George W. Bush. Earlier this month, California started an investigation into whether Diebold had improperly installed software into Alameda County's machines that had not been certified.
Up to this point, Diebold has been maintaining a stern face on the copyright front while hedging its bets behind the scenes by claiming that it could not tell whether any or all of the documents at issue had been altered. In court filings in the present case, however, it wrote, "Wholesale publication of unpublished, stolen materials, with no transformation or creativity and nothing other than a request that others download them in their entirety, is infringement, not fair use." This sounds to me like an admission that the documents are authentic. There goes Diebold's plausible deniability when it defends its products in the court of public opinion.
Monday, 17 November 2003
File sharing zeitgeist
The Contra Costa Times ran an interesting, yet unsurprising, AP story on Saturday (Music industry mines data from downloads). In a nutshell: "Despite their legal blitzkrieg to stop online song-swapping, many music labels are benefiting from — and paying for — intelligence on the latest trends in Internet trading." That is right, P2P networks are the best tool yet-invented for gathering realtime data on music consumer tastes. By tracking the number of downloads for particular artists and particular songs and the rough geographical distribution of those downloads, the industry can better target its marketing and products.
I would accuse RIAA of batting both ways (like I did H&R Block this morning), but this phenomenon raises an issue more important than copyright law. For the first time in the history of human social interaction, we have the technology to gather realtime information on the thoughts of a cross-section of a nation. P2P file sharing is a specific example, and the Google Zeitgeist is a more general one.
H&R Block bats both ways
SiliconValley.com reprints a story from the Kansas City Star, reporting a defamation lawsuit filed by H&R Block (H&R Block sues anonymous online critic). Essentially, the accounting firm believes that an employee is behind a series of postings on a Yahoo! message board that criticize the company. The article is a bit sketchy, but apparently both the complaint and a company spokesman said that the message board posts constituted (1) false and misleading statements and (2) improper disclosures of confidential information.
H&R Block is trying to bat from both sides here. If the anonymous poster's statements were accurate, they would prove highly embarrassing to the company, and he would have disclosed confidential information. If they are not accurate, they would be defamatory. Either way, H&R Block maintains plausible deniability for long enough to force Yahoo! to reveal the anonymous poster's identity. Ultimately, H&R Block may have a difficult time proving either claim because damages (an essential element of both claims) would be too speculative. The author writes, "The defendant's comments don't appear to have had a material effect on Block stock," and goes on to detail the fluctuation of H&R Block's share price during the relevant time period, concluding that it was a mere penny off its 52-week high shortly after the statements. Proving a link between these statements and any trend in revenue would be exceedingly difficult, if not impossible.
This is a SLAPP — a strategic lawsuit against public participation. After Yahoo! breaches the poster's anonymity, we have no guarantee that H&R Block will pursue the lawsuit. More likely, it merely needed a subpoena to learn whether the poster was an employee — and will promptly forget about the suit after getting what it wants. Better to make an example by loudly firing a wayward employee than to waste time and money on a lawsuit against someone who will not have millions of dollars to pay in damages, in the unlikely event that you win. The last portion of the article begins, "Lawsuits aimed at forcing Internet service providers to provide the names of anonymous Internet users have become increasingly common in recent years." Little question exists as to the effect this is having on the freedom of speech.
Saturday, 15 November 2003
When tangible is intangible
I just learned of a fascinating post in Julian Dibbell's blog, Play Money. (Article: On the Nature of the Intangible: A Dialogue) Thanks go to Donna Wentworth of Copyfight for mentioning it in her coverage of The State of Play conference.
The article contains the transcript of a brief phone call the author placed to PayPal to inquire about his rights under that company's Seller Protection Policy. The policy apparently covers only tangible items — which, in PayPal's reasoning, the seller can prove that he has shipped to a buyer by providing PayPal with a tracking number. The policy does not cover intangible items because no such proof can be provided.
The author was asking about a virtual item from an online game. PayPal told him that virtual items are not covered because they cannot be shipped. Tickets to a football game, on the other hand, would be covered. The tickets, PayPal reasons, are a physical item that can be shipped. The company fails to apply the same logic if the seller writes down the password to an online account on a piece of paper and ships that paper to the buyer in the same manner that he would ship the football tickets. The assets underlying both sales are equally intangible — the right to be admitted to the football game and the right to be admitted to a secured computer. PayPal, unfortunately, cannot see the parallel. One wonders what PayPal would do if the seller advertised the sale of a piece of paper with several characters written on it and offered — as a free gift, with purchase — to transfer all rights to an online account.
Read the full transcript here.
Thursday, 13 November 2003
Diebold & Democracy
The venerable Mary Hodder over at bIPlog gives us a terse summary of the goings on in California, with respect to Diebold Election Systems. (Article: Diebold Latest: The Effects of Student Spread Memos on CA Secretary of State) More importantly, I cannot overstate my support for her synopsis of the implications this affair holds for the future of American democracy.
Mary hit the nail on the head when she wrote:
[S]tudents at Swarthmore, followed by students at many other institutions…in spreading the Diebold memos around, have accomplished the goal of causing those with review power over Diebold systems to take another look at Diebold's work. … Even if the review doesn't cause the state to discontinue using Diebold systems or require severe changes (and I'm sure the pressure is enormous TO certify), the fact is the memos raise disturbing issues and the review is very necessary. If companies providing services of this sort feel that they can quash documents out on the Internet by using the DMCA, if Diebold succeeds on this point, we and our democracy will be the poorer for it.
The Diebold affair neatly illustrates two points. First, it shows the unconscionable overbreadth of the Digital Millennium Copyright Act (DMCA) — in this case, the "notice and takedown" provision. Second, it underscores the growing relevance of the blogosphere to national politics. The activists hosting the internal Diebold memoranda that triggered this affair deserve the lion's share of the credit for bringing this issue to light. Bloggers deserve the credit for keeping it there. While bloggers were giving the issue its due, the mainstream press was comparatively slow to report the acts of civil disobedience at Swarthmore and elsewhere. Bloggers can force the media to pay attention to important issues. We can force public officials to take notice. We can make a difference.
Thursday, 6 November 2003
Penn State lends credibility to Napster 2.0
Pennsylvania State University announced today that it would offer its students a chance to partake in Napster 2.0. The original incarnation of Napster — once synonymous with wanton copyright violation — shut down two years ago, under the crushing weight of a legal assault from the Recording Industry Association of America (RIAA). Sometime thereafter, a small software company named Roxio purchased the defunct Napster's source code and brand, betting that Napster's worldwide name recognition would help it launch a legal music distribution service. Not long ago, Napster 2.0 launched, selling individual songs for 99¢ and monthly "subscriptions" for $9.95. The Nittany Lions intend to fund their new service from the $160-per-year "information technology fee" that its students are required to pay. The university declined to state how much it paid per student in the deal but claims the amount was "substantially less" than Napster's standard $9.95 per month. See the New York Times' coverage: "Penn State Will Pay to Allow Students to Download Music."
Tuesday, 4 November 2003
Diebold's reaction to California's prudence
California election officials at the state's State Department added fuel to the fiery blogosphere two days ago, when they announced they would halt the certification process for new voting machines manufactured by Diebold Election Systems. The announcement came in the wake of multiple, independent, public revelations that the software running the machines is horribly insecure and Diebold's infamous attempts to squelch public discussion of the issue. (Sources: 1, 2, 3) Amazingly, the blog furor has apparently overlooked one interesting bit. A recent Wired News article mentions the reaction of Diebold officials who attended the meeting where the State Department announced its decision. (Article: Calif. Halts E-Vote Certification) Quoth the article: "Diebold officials, who were attending the meeting, seemed surprised by the announcement and expressed displeasure to several panelists afterward that it had been introduced in a public forum. They were unavailable [after the meeting] for comment."
Is anyone surprised that Diebold's chief concern was the public nature of the announcement and not the problems underlying it?
Update: MIT suspends music-on-demand service
The New York Times reports that the Massachusetts Institute of Technology (MIT) has "temporarily suspended" its ballyhooed music-on-demand service. (Article: Music-Sharing Service at M.I.T. Is Shut Down) (See my prior blogs on this issue: 1, 2.)
NYT summarizes Diebold brouhaha
Yesterday the New York Times (NYT) published an excellent overview of the situation that Diebold Election Systems has created for itself. (Article: File Sharing Pits Copyright Against Free Speech) (See my previous blog entries on Diebold: 1, 2, 3, 4.) The crux of the summary:
Diebold Election Systems, which makes voting machines, is waging legal war against grass-roots advocates, including dozens of college students, who are posting on the Internet copies of the company’s internal communications about its electronic voting machines.
Friday, 31 October 2003
Update: MIT lacks music licenses
As I blogged a few days ago, a group of MIT students devised an analog system for transmitting music via the university's cable television infrastructure. They intended to distribute streaming music free of charge to students without triggering copyright rules that mandate royalties for digital on-demand distribution. Today the Los Angeles Times reports that MIT had to suspend service for part of its music library because Loudeye Corp., the company from which it believed it had purchased licenses for the music, did not have the relevant licenses to sell. (Article: Music Service at MIT Hits a Snag) MIT and Loudeye are now engaged in very public finger-pointing.
Thursday, 30 October 2003
Idiot's guide to combating satire & criticism
If there were a rule #1 in public relations for responding to satire, it would be: "If someone satirizes you, don't give him free advertising." Fortunately, most American corporations and political entities have yet to learn this lesson. This gives the rest of us endless entertainment as they add to the "who's who" list of good satire that comes from their PR blunders.
My first exposure to this maxim came in the 2000 U.S. Presidential campaign, when then-governor Bush excoriated the plucky web site GWBush.com in front of a large crowd and television cameras. His staff had registered all the Internet domains it could think of that contained variations of the candidate's name, but this one slipped through the cracks and was registered by a gadfly. The site satirized Bush and all the silly things he said.
Instead of ignoring this relatively unknown crank, Bush stood atop his soapbox and uttered the phrase that will live longer than his children's children: "There ought to be limits on this kind of freedom." The site enjoyed an instant (and long-lived) boost in popularity, growing from 1,000 visitors per day to over 1 million visitors per day for the rest of the campaign, with somewhat lower levels thereafter. The t-shirts it introduced the next day (with the "There ought to be limits on…freedom" speech bubble) were its hottest item for the rest of the campaign.
A group near and dear to Bush's heart, the Republican Party of Texas (RPT) is not outdone by its leader. Last March, the RPT threatened to sue the operators of a web site, EnronownstheGOP.com. The parody site mimics the RPT's site and "contains a banner which reads 'Republican Party of Texas…brought to you by Enron.' The letter 'e' in the word 'Republican' is in the form of the crooked 'e' symbol for Enron. The Web site contains 'humorous takes on the GOP's ties to Enron'" and parodic representations of its elephant logo. (Source) The site promptly displayed RPT's "cease and desist" letters, and the story was picked up by the national media. That same week, my Trademarks professor, David Byer, brought it to the attention of our law school class. "I had three or four associates ask if we could represent this site pro bono," he said. "That is not the reaction you want people to have when they read about your lawsuit."
The most recent bonehead example comes from Fox. (I am not trying to paint this as a right-wing problem (honest!); the best recent examples just happen to come from "right field.") On Tuesday Matt Groening, creator of "The Simpsons," reported during an interview on NPR that Fox News nearly sued the network's entertainment division over a Simpsons episode that parodied "the Fox News rolling news ticker" by highlighting what is widely-perceived as "the channel's anti-Democrat stance, with headlines like 'Do Democrats Cause Cancer?'" (Source) If Fox News had the self-control to ignore its sister channel's show, only those who saw the show would have seen it, and only a few Simpsons devotees would remember it an hour later. Now, however, over a dozen news outlets have picked up the story.
Wednesday, 29 October 2003
Update: Press coverage of DMCA exemptions
The Wired article has this succinct summary of the exemptions granted yesterday: "People may bypass a digital lock to access lists of websites blocked by commercial filtering companies, circumvent obsolete dongles to access computer programs, access computer programs and video games in obsolete formats, and access e-books where the text-to-speech function has been disabled."
Tuesday, 28 October 2003
Copyright Office issues DMCA exemptions
The U.S. Copyright Office today issued its report creating a new set of exemptions under the DMCA for the next three years. (Links: short version and long version) The Register granted two major exemptions and denied many others. Ernest Miller has a collection of blog links. Derek Slater has a good, short summary.
Elvis' income tops among dead celebrities
Interesting development that brings the law of publicity to the fore: Last week Forbes magazine reported the top-earning dead celebrities. (Article: Top-Earning Dead Celebrities) Elvis Presley ($40 million) has held the top spot since Forbes introduced this ranking three years ago. This year, he is followed by the likes of "Peanuts" cartoonist Charles Schulz ($32 million), J.R.R. Tolkien ($22 million), and former Beatles John Lennon ($19 million) and George Harrison ($16 million). Tolkien's rank is temporary, I suspect, and will fall once the Lord of the Rings films finish their theater and video runs.
Law driving innovation
The government should occasionally drive innovation. This is especially true when the potential benefits of a new science or technology are great but the probability of developing products based on them within a reasonable time is small. This is an obtuse reference to the old argument that the government should, in some cases, support "pure" research. In most cases, however, government intervention in the market for research and development (R&D) is unwarranted and even destructive. The case for government intervention absolutely breaks down when market forces have already produced the first viable product. Where multiple products compete, there is no plausible argument yet-made for government intervention.
Sometimes, however, government actions shape innovation as the unintended consequence of legitimate actions taken in another sphere. This is happening right now in the area of copyright law. Since the first Congress enacted the first American copyright act in 1789, copyright law has grown in two directions: more complex and more protective of copyright owners' interests. Both trends have deeply affected copyright markets in the last two centuries. Since the 1976 copyright act — the most recent major overhaul to copyright law in this country — the complexity of the law has had a disproportionate impact on the technologies developed to serve the copyright industry. My theoretical opinion and this practical reality collide in the project of two Massachusetts Institute of Technology (MIT) students.
The New York Times reported yesterday that MIT students Keith Winstein and Josh Mandel have developed a system for distributing music via campus information networks that appears to comply with copyright law and partially render moot the grand public debate over file sharing. (Article: With Cable TV at M.I.T., Who Needs Napster?) The project transmits music over MIT's cable television infrastructure in analog form — thereby taking advantage of the bulk licenses that copyright producers routinely grant to television and radio operators and avoiding digital transmission, which triggers the nastier niceties of the copyright act. This new technology adds precisely zero end-user functionality to existing distribution systems (namely, file sharing networks and radio). Its sole purpose was to formally circumvent a distribution mechanism that copyright producers find objectionable. John Schwartz of the NYT writes that "some legal experts say the M.I.T. system mainly demonstrates how unwieldy copyright laws have become." Mike Godwin, senior technology counsel to Public Knowledge, says the students have "sidestepped the stonewall that the music companies have tried to put up between campus users and music sharing."
Copyright law's burgeoning complexity may be the lifeblood of intellectual property lawyers, but it is bad social policy. I admit this as someone currently aspiring to become an IP and cyberlaw lawyer. Another prime example of complexity breeding bad results lies in the recent episode where the Minnesota Public Utilities Commission (MPUC) tried to regulate Vonage and other VoIP providers as telephone service providers. The Federal Communications Commission (FCC) long ago penned the legal distinction between "telecommunication services," which states may regulate, and "information services," which they may not regulate (because such regulations are preempted by federal law). Vonage and other VoIP providers offer consumers and businesses a method of conducting voice communication, which we would ordinarily recognize as "phone calls." The only difference, from the end-user's perspective, is that his phone is plugged into a black box which, in turn, is plugged into the wall, instead of the phone being plugged directly into the wall. The user still dials a number, talks, and listens just as he would with an ordinary telephone. The problem is that the law created two legal categories and treated them differently. As technology allowed, the market made this distinction spurious at best by offering products that straddled the line between the two categories.
In both cases, the complexities of the law drove technology and the way we use it. In the former, copyright law inspired wasteful development of a system that is, at best, as efficient as preexisting systems. In the latter, the law held up development of a highly efficient technology (compared to what it would replace) with wasteful litigation that sought to resolve whether it was really the old technology or something new. The commonality is the resources consumed by the attempt to apply overly complicated laws to new facts. These examples are drawn from this and last week's headlines. I could probably select one example per week over the last five years, with some effort. I think, however, that my point is made.
Monday, 27 October 2003
AP picks up the Diebold story
The Associated Press has picked up the story of Diebold's cease & desist demands under the DMCA. (Article: Diebold threatens publishers of leaked electronic-voting documents.) This should lead more mainstream news outlets to carry the story, beyond the paltry few that have carried it thus far (1, 2, 3). This could be the third major story with national political implications broken in the blogosphere after the mainstream press ignored it.
Update: Press digs anti-spam ruling
The press is agog with the anti-spam ruling won by California Attorney General Bill Lockyer, which I blogged on yesterday. See representative stories in Wired, San Jose Business Journal, and Computer World.
Sunday, 26 October 2003
California wins anti-spam lawsuit
California Attorney General Bill Lockyer announced on Friday that his office had won the first-ever anti-spam lawsuit in the state. The court ordered defendant PW Marketing (and its owners) to pay "$2 million in civil penalties for violating state laws prohibiting unsolicited commercial email, false advertising and unfair business practices." It also entered an injunction against PW, prohibiting it from doing the following:
Update: Indirect linking & the DMCA
Today, LawMeme asked essentially the same question I asked on Friday. I cannot link directly to the LawMeme article, in order to preserve the experiment I proposed on Friday (due to trackbacking effects). You can find it easily, however. The title is "How Direct is Too Direct When It Comes to Hyperlinks?," the author is James Grimmelmann, the publication date is 26 Oct 2003, and the category is copyright.
Friday, 24 October 2003
Indirect linking & the DMCA
Ed Felten asks an important question over at Freedom to Tinker. As first blogged by Ernest Miller, Swarthmore has begun suspending the Internet accounts of students who link to the Why War? web site, which maintains direct links to the infamous Diebold memos. (See my previous blog entries on Diebold: 1, 2, 3.) While Seth Finkelstein points out the potential dangers of linking under Reimerdes (the DeCSS case), Ed notes that Swarthmore has escalated the danger by punishing students who link indirectly to the Diebold memos. The college is shutting down web sites that link to a site that links to the memos. What, Ed asks, is the limit? His article links to Ernest's article, which links to Why War?, which links to the memos. How many intermediate links would Swarthmore require before its students may exercise their free speech rights?
Ed offers the opportunity to test the waters by linking to his page, which is two steps removed from the memos. I deliberately avoided linking this article to any page "closer" to the memos than Ed's blog, to increase the chain by one. Anyone at Swarthmore feeling lucky?
Antipiracy indoctrination gets off to rocky start
The Motion Picture Association of America (MPAA), the chief Hollywood lobbyist, has launched an indoctrination campaign in public schools. Although MPAA calls it "education," the program fits all the elements of the definition of indoctrination in Webster's Dictionary. MPAA paid $100,000 to deliver its message to 900,000 children over the next two years, taking advantage of public schools' budget crises. Although the program's title is "A Guide to Digital Citizenship," its curriculum is more accurately reflected by its slogan, "If you haven't paid for it, you've stolen it."
As a statement of law, this slogan is absolutely wrong. There are many situations in which one can lawfully acquire property without paying for it, and a good number of those apply to file sharing, the main target of MPAA's effort. As reported by AP, the MPAA curriculum is a simplistic and one-sided presentation on a complex area of law, delivered to children, many of whom are likely to lack the knowledge and sophistication to engage the instructors in productive discussion. In one example reported by AP, one knowledgeable student was cut off by the teacher when he disagreed with the scripted lesson.
Note to MPAA: Discussion is good, but proselytization is not.
Thursday, 23 October 2003
Mark Fingerman posted a comment asking some good questions about my entry on the propriety of using copyright to quell criticism ("Diebold detractors defy DMCA desist demands"). I will try to answer them all here.
First, whether Bill Gates "should be allowed to profit from" software that he designs. Of course! The law should forbid people to profit from their labor only in rare circumstances — like murders for hire. Should Ford be allowed to sell cars at a profit? And Dole to sell pineapples? Surely, no one would argue that these companies are not permitted to build and grow physical products with their own factories and land, then place those items in the stream of commerce. The difference is that cars and pineapples are physical goods, which are rivalrous, meaning that only one person can consume them at any time (and, in the case of pineapples, only one person can eat a pineapple before it becomes useless to everyone else). Software is a nontangible good, which can be copied and used by two or more people at the same time — so if you copy my Office 2002 CD, my enjoyment of the software is not diminished. That is where copyright law comes in: the law erects an artificial barrier to some activities to imbue nontangible goods with some of the same qualities that allow producers to profit from tangible goods. (Note that "artificial" sometimes carries a negative connotation, but that is not what I intend here. I mean that a legal barrier does not exist in a "natural" world without laws.)
Second, on "intermediate" products of a copyrightable nature. Surely, Tom Clancy holds a copyright in chapter 1 before he finishes writing chapter 12. Copyright law protects the expression in any creative work beginning at the instant it is "fixed in a tangible medium of expression." Courts have interpreted the term "tangible medium of expression" broadly, as anything that can hold information in a stable form for a measurable period of time — e.g., paper, rock, clay, glass, wood, magnetic disks and RAM. Section 101 of the Copyright Act defines the moment of fixation:
A work is "fixed" in a tangible medium of expression when its embodiment in a copy or phonorecord, by or under the authority of the author, is sufficiently permanent or stable to permit it to be perceived, reproduced, or otherwise communicated for a period of more than transitory duration.
The Copyright Act does not distinguish between "finished" and "unfinished" works, and the copyrights in intermediate stages of production can be analyzed separately from the copyright in a finished work. Normally we need not bother, because the copyright in the finished product is much more valuable and is the focus of disputes that arise.
Next, Mark takes exception to my claim that "The public enjoys the right to make 'fair use' of copyrighted works — especially for purposes such as criticism, satire, parody, scholarly analysis, and other uses that are necessary to preserve unfettered public debate and preserve the liberty of free expression." He asks, "So the public has the right to break into your home, steal your private correspondence, and publish it 'especially for purposes such as criticism, satire, parody, scholarly analysis...?' Can I rob a bank for the purpose of holding them up to 'scholarly analysis?'"
The answer, of course, is no, because the actions you describe are crimes and torts. Diebold has clear legal remedies against the person who broke into its computer network. It can sue him for, among other claims, trespass, theft of trade secrets, and interference with business relations. It can also press criminal charges under the Computer Fraud & Abuse Act. Take note that Diebold has done none of these legitimate things. Instead, the company has taken aim at people who have, unquestionably, never committed a crime or tort against it. The harm that Diebold fears is not further loss of trade secrets (these "secrets" are already public knowledge so, by definition, they are no longer trade secrets). Rather, it is trying to use copyright law to stymie discussion of its products after the public has learned of their flaws.
The Lanham Act, the foundation of American trademark law, explicitly allows us to reproduce trademarked words, phrases, and symbols for the purpose of discussing the products they represent. This limits the general rule that reproducing a trademark without permission is infringement, and it is necessary to avoid rendering the trademark regime unconstitutional under the First Amendment. If we can write Diebold's name but cannot discuss its products, then the limitation is meaningless. Forcing the public to discuss the voting machines' shortcomings without sufficient supporting facts is tantamount to the same thing. Yes, the person who "stole" Diebold's documents should be held responsible, if Diebold chooses to press the issue. The general public, however, should not be held responsible for one person's wrongdoing.
Finally, the questions "Is Diebold's product better than hanging chads? And did Diebold provide what the state requested?" I take it you are referring to the Georgia election I discussed in a previous article. For all the reasons stated in that article: no, Diebold's products (in their current form and with current election laws) are not better than hanging chads. And no, it did not provide what the state requested. The state certified the machines prior to the election, according to its laws. Sometime thereafter, Diebold made changes to its software and did not disclose that changes had been made — let alone the content of those changes — to anyone. There has been no allegation that these particular changes compromised the election, but one can easily imagine a scenario where such changes would cause problems. If the government is not informed of the changes and has no opportunity to examine them, what is to stop Diebold or another manufacturer from changing every tenth Republican vote to a Democratic one?
I sympathize with Diebold's problems. Nobody likes criticism. It invested a lot of time and money in developing its touch-screen voting machines, and it wants to prevent that work from being wasted. But we live in a democracy that values the integrity of its elections and a capitalist economy that values the operation of market forces in an environment of as-nearly-perfect-as-possible information. Diebold could subvert the first and has subverted the second.
Wednesday, 22 October 2003
Diebold detractors defy DMCA desist demands
As I explained in a previous article (E-lection security in Georgia), the voting machine products and related services sold by Diebold Election Systems raise serious election-integrity concerns. After a hacker broke into Diebold's computer network and downloaded ("stole," in Diebold's words) several internal memoranda, he distributed those documents widely, including some copies to journalists and activists. The compromising documents confirm that the company has known of its voting machines' shortcomings for some time. Embarrassed, Diebold played the great American trump card, the lawsuit.
Diebold has sent an unknown number of "cease and desist" letters to people who posted the documents on their web sites. The letters threaten that the company will sue under the Digital Millennium Copyright Act (DMCA) if the recipient does not promptly remove the offending memos from his web site. Diebold (correctly) insists that it owns a copyright in those documents and that they are being publicly displayed without permission. It then invokes the provision of the law which requires Internet Service Providers (ISPs) to remove material that infringes a copyright promptly upon being notified of its presence on its servers. Any webmaster who does not take down the memos, Diebold threatens, will soon stare down the barrel of a copyright infringement lawsuit.
How is this wrong? Let me count the ways.
Copyright law, including the DMCA, is intended to give authors and artists a chance to earn rewards for their creative work. It grants them the exclusive rights to copy, distribute, perform, and publicly display their literature and art. In the U.S., the rationale behind copyright goes like this: if an author has the legal right to prevent others from doing these things, he will hold a limited monopoly on his own work and will be able to derive income from it. In Europe (and especially in France), the rationale is different: authors and artists are naturally and morally attached to their work, and this attachment endows them with the right to control the distribution and use of their work. Diebold, on the other hand, has never had the intention of profiting from the writings at issue. In fact, these writings harm Diebold's profit interests because they expose flaws in its revenue-generating products. The company's desire to suppress public discussion of these documents is understandable, but its method of suppressing them bends copyright law past the breaking point.
Copyright law has always granted only a limited monopoly to authors. The public enjoys the right to make "fair use" of copyrighted works especially for purposes such as criticism, satire, parody, scholarly analysis, and other uses that are necessary to preserve unfettered public debate and preserve the liberty of free expression. These limitations on the copyright monopoly are deeply affected with First Amendment interests, and they are the Copyright Act's last line of defense against constitutional challenges. See, e.g., Eldred v. Ashcroft, 123 S.Ct. 769, 154 L.Ed.2d 683 (2003).
It is axiomatic in First Amendment jurisprudence that "political speech," broadly defined, is at the core of what the Amendment protects. Few, if any, topics are more fundamentally political than the process by which citizens in a democracy elect their government's officials. As states and counties update their voting machinery in the wake of the 2000 Presidential election debacle and the California recall lawsuit, most of them are adopting (or at least considering) "touch screen" machines like Diebold's. In perhaps ten to 15 years, all American elections will be conducted on such machines. Diebold, by choosing to manufacture and sell voting machines, has thrust itself into the election process and made itself a focal point of public debate. Unfortunately, the company has asserted its copyrights for the sole purpose of stifling the public discussion that is so vital if our communities are going to adopt the best election machinery and conduct the fairest possible elections.
Civil libertarian organizations like the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are fighting to protect the public's right to access, read and discuss documents that directly affect the right to vote. Without public discussion, our communities might buy inferior equipment, and future elections would be tainted with, at best, inefficiency and, at worst, fraud and corruption. Two brave groups of students at Swarthmore College are engaged in an "electronic civil disobedience" campaign to thwart Diebold's machinations. The groups, Why War? and the Swarthmore Coalition for the Digital Commons (whose web site Diebold has, at least temporarily, succeeded in shutting down), have organized a network of students and others who are willing to host the Diebold documents for at least a short time. Why War? maintains a web page with links to the "current" location of the documents, and the location changes as soon as Diebold sends another cease and desist letter. Efforts like this give life to John Gilmore's prescient statement, "The Net treats censorship as damage and routes around it."
We should support efforts like Why War?'s not only because they bolster the long-term integrity of the American electoral system (their narrowest goal) but because they also enable the free exchange of ideas (their broadest goal). The First Amendment embodies some of the most fundamental rights and liberties that our society recognizes. Pinching them through copyright law can only hurt our society.
Tuesday, 21 October 2003
CDT report on broadcast flag
Today, the Center for Democracy and Policy (CDT), Public Knowledge and Consumers Union (publisher of Consumer Reports) issued a 31-page report entitled "Implications of The Broadcast Flag: A Public Interest Primer" [pdf]. The report has an excellent description of the background of the broadcast flag and explains how the issues affect the television and film industries, the government, and the public interest with remarkable clarity. This is a must-read for anyone interested in the most active area of debate in copyright law for the next three years.
The report's three most important findings (in my opinion) are:
Tuesday, 14 October 2003
E-lection security in Georgia
The issue of election integrity has gained widespread public attention since the 2000 Presidential election debacle. Demagogues have taken up electronic voting systems as the silver bullet to cure all the ills of paper-based elections. While it is true that electronic systems do eliminate some problems, they introduce just as many which are not solvable with current technology and election laws.
It has been apparent for some time that electronic voting systems lack sufficient safeguards to guarantee their security and integrity. David Dill, a computer science professor at Stanford, has been pointing out these flaws for over a year now. For example, the companies that produce "touch screen" voting machines guard their equipment (both hardware and software) as trade secrets. Very little information about the equipment (beyond marketing literature, of course) is available to the public or to local election authorities before they enter contracts with these companies to provide products and services. The methods of keeping ballots physically secure and safe from hacker-tamperers are proprietary information in this burgeoning industry. In other words, the public is not permitted to know how their elections are being kept secure. Furthermore, there is ample opportunity for deliberate tampering with election results from the inside.
No balloting machine currently on the market creates a hard copy of a ballot as it is cast. This would require installing a printer in each machine, which would increase the machine's cost, or connecting each machine to a central printer, which would destroy the secrecy of the ballot. Either way, the local jurisdiction must absorb the additional costs of printing (paper, ink, and maintenance on the printers). So why is a paper trail necessary when the point of these machines is to decrease costs while improving accuracy? Because the balloting machines' software is proprietary, nobody outside the company that manufactures it knows what it is doing. A first-year programming student could write a program that displays input from a keyboard on a screen while recording different information on a disk. A voter might press the button for Gray Davis and see his name on the screen, but Arnold Schwarzenegger's name could be recorded. If the voter cannot see a paper record to verify his vote, there is no way to ensure that the proper votes are being recorded. These paper ballots would be verified by each voter in the polling booth, then secured in a locked box in much the same way that paper ballots are stored now. Without paper records, it is impossible to link individual voters to individual ballots after the election, if tampering is suspected. Paper ballots remain intact long after the election, making investigations and hand recounts possible.
It is a long shot that anyone would ever fix an election in the U.S., you say? Maybe. But this is a live issue right now. Diebold Election Systems had its software certified by Georgia's election commission in advance of that state's 2002 gubernatorial election. Diebold then altered the software before the election without telling anyone! Diebold seems to have made the changes in response to reports that its machines were insecure and unreliable. Perhaps, but the move was awfully suspicious, considering that the election resulted in an upset and was decided by a very slim margin. Only a few votes would have to be altered to change the outcome and, without a paper trail, those few votes would be impossible to identify. Wired News reports this story here.
Monday, 13 October 2003
John Halderman cracked an encryption and DRM system called MediaMax CD3, a product of SunnComm Technologies. Why? He is a PhD candidate in Princeton University's Department of Computer Science, writing his thesis in computer security. In classic academic style, Halderman published the resulting paper on the web. In classic cranky-three-year-old style, SunnComm threatened to sue Halderman on several grounds, including a claim under the Digital Millennium Copyright Act (DMCA). SunnComm's CEO's quote in the first news cycle since this story broke was precious: "No matter what their credentials or rationale, it is wrong to use one's knowledge and the cover of academia to facilitate piracy and theft of digital property." SunnComm backed down from its lawsuit threat within 48 hours after an enormous public outcry fueled by the blogosphere.
This episode is important for two reasons. First, it shows the excesses of the DMCA and underscores how ridiculously overbroad its language is (in addition to being bad policy). SunnComm must have interpreted Halderman's paper as either a "device" intended to "circumvent a technological measure that effectively controls access to a [copyrighted] work" under DMCA § 1201(a) or as trafficking in such devices. No person who speaks ordinary English would ever confuse a research paper with a device. Besides, Halderman defeated the system merely by holding down his shift key, so how "effective" could it be? Effectiveness of the DRM system is, after all, an essential element of the DMCA claim. SunnComm may have deserved the $10 million decline in its stock-price value the day after the blogosphere picked up this story.
Second, it shows the power of the blogosphere. The first Internet publisher to become a legitimate force in American politics was Matt Drudge when he broke the Monica Lewinsky story in 1997 after the traditional press (namely, Newsweek) declined to print the story. The Internet's role in politics was considered routine barely five years later, when bloggers brought down Trent Lott, again after the traditional news media dismissed an important story. The SunnComm episode clearly shows that Internet publishers' influence has outgrown the first level of the political sphere, where rumor and innuendo are weapons in their own right. This time, bloggers slapped around a software company working for several major record labels in two industries driven by bottom-line considerations. Blogging tools make Internet publishing easier than ever, and the number of bloggers is growing daily. Their voices are heard by one another and now by the major media and corporate America. If we can continue to avoid demagoguery, this may be a good thing.