Stillborn Thoughts

News, Issues, and Analysis on the intersection of Law and the Internet

Monday, November 28, 2005

Coming to a Supreme Court Near You!!!: Ebay v. MercExchange


The long standing patent issue over eBay's "Buy It Now" functionality is now headed for the supreme court. The issue is not only whether Ebay has infringed on two patents owned by MercExchange, a now defunct travel auction site, but whether the Federal Court's decision to grant an injunction against the internet giant was correct. A district court found eBay guilty of infringing, but when weighed against the four prong test used by the Court of Appeals Federal Circuit (CAFC), found that no irreparable damage would be caused and thus denied the injunction. A Federal Court later granted the injunction, awarding damages of 29.5 million dollars. If the injunction is validated, than eBay will either have to stop using the "Buy It Now" feature of their site or settle a licensing agreement with MercExchange. If the Supreme Court sides with eBay, they will still have to pay damages, but will not be obligated to cease using the "Buy It Now" feature.

What are the facts of the case? Hard to tell exactly. A sympathetic interview with Thomas Woolston, the CEO of MercExchange who formerly worked with the C.I.A. as an electric engineer, goes through Woolston's chronology of the events with eBay, turning from a friendly lunch with Ebay representatives to disbelief as Woolston watches his patents stolen by a much larger rival company. Conversely, a Washington Post article quotes Jay Thomas, a Georgetown U. law professor who notes with respect to Woolston's patent battle, "Some people call this 'trolling' after the old story where trolls sit under the bridge and say, 'Give me a gold coin or I'll eat you' ", suggesting a less than noble intent on the part of MercExchange.

What are the issues? The most helpful info I found came from the Patent Law Blog Patently-O which has analysis on the current status of the case, eBay's writ of cetoria, and the appeals court decision. From the Nov. 29, 2005 post, Dennis Crouch writes,

The issues before the Court include:

  1. Whether the Federal Circuit erred in setting forth a general rule in patent cases that a district court must, absent exceptional circumstances, issue a permanent injunction after a finding of infringement. (Question proposed by eBay).
  2. Whether this Court should reconsider its precedents, including Continental Paper Bag Co. v. Eastern Paper Bag Co., 210 U.S. 405 (1908), on when it is appropriate to grant an injunction against a patent infringer. (Question proposed by Supreme Court).
...According to regarded patent law professor Joseph Miller, this certiorari decision is breathtaking. “If the Court writes narrowly, it will be the most important patent case since Chakrabarty or Diehr. If the Court writes broadly, it will be the most important patent case (perhaps even the most important patent or copyright case) in a century.
So big news for patent law, and internet law as well.

Given that no one reads this, it is unnecessary to make a disclaimer- but what the hell. The rest of this post deals with the wording of the briefs filed by Ebay, MercExchange, and the EFF. Yea, it's that exciting (links to the briefs by eBay, MercExchange, and EFF).

1) Public Interest: This is the showstopper. At issue is legal precedent, stemming largely from Continental Paper Bag Co. v. Eastern Paper Bag Co., a similar decision in which a company not using patented material sued another company for patent infringement. In the case an injunction was granted. Now the Supreme Court has agreed to re-evaluate the case.

MercExchange argues that injunctions are necessary to protect the right of property as enshrined in patent law legislation, and quotes legal precedent to this effect, noting that traditionally exceptions are given to injunctions only where there is a clear public interest involved, for example if use of patented material is tied to public health.

eBay both denies this interpretation of legal precedence, and offers supplemental public interest arguments. It notes that
"The court of appeals held that "[b]ecause the 'right to exclude recognized in a patent is but the essence of the concept of property,' the general rule is that a permanent injunction will issue once infringement and validity have been adjudged... the court may decline to enter an injunction when 'a patentee's failure to practice the planned invention frustrates an important public need for the invention,' such as the need to use an invention to protect public health." (10-12)
eBay argues that this decision "jettisoned the familiar principles of equity in favor of a "general rule" that requires the issuance of a permanent injunction as a matter of course, absent aexceptionalal circumstance" (14). This 'shifts' the burden of patent protection away from the patent holder, stifling innovation, and downplays the use of other, more reasonable alternatives to settling patent disputes....

2) Channeling the Spirit of Patent Law Past: These differences are based in values that stem from conflictininterpretationsns of how injunctions play a part in patent law. MercExchange views injunctions as the only true source of protecting exclusionary patent ownership (and therefore the right of property), quoting from Kewanee Oil Co. v. Bicron Corp that "The patent laws promote [the Progress of Science and useful Arts] by offering a right of exclusion for a limited period as an incentive to inventors to risk the often enormous costs in terms of time, research, and development" (2). The importance of exclusion, the argument goes, necessitates the action of injunction. Monetary damages can simply NOT protect the patent in the same manner. When the district court made its decision, it used MercExchange's previous licensing agreement with GoTo.com (now owned by Yahoo) to conclude that since the patent was already being licensed, monetary damages would be sufficient. The Federal Circuit Court argues that just because patented material is licensed out, that does not erode any of the protection that is offered by law.

The Electronic Frontier Foundation, echoing the concerns of eBay, voices a scathing attack on the Circuit decision by displaying why such a precedent would in fact endanger the very point of patent law:
"What is worse, the Federal Circuit’ automatic injunction rule effectively shifts the burdens of the parties. Normally, trequestertor (often the patentee in cases such as this one) bears the full burden of proving that prohibitive relief is required. This includes affirmatively proving that the balance of hardships weighs in its favor and that the public interest will not be unduly harmed by the imposition of the injunction. The Federal Circuit’s new standard, by contrast, effectively requires the defendant to prove the contrary—i.e., that “extraordinary circumstances” justify denial of the injunction request." (7)
It's interesting to note the language of the parties involved: Although all 3 share much of the same wording, MercExchange is heavy with concerns about "rights", eBay with pragmatic (economic) concerns, and EFF with values.

3) Channeling the Spirits of Patent Law Present and Future: eBay and the EFF make further arguments that supplement their argument against the Federal Circuit decision.

First, eBay argues that the negative effects of a philosophy like the Federal Circuit's towards patent law is already taking place, noting that "Between 1994 and 2004, the district courts have seen a fully 90 percent increase in the number of filed patent cases... the Federal Circuit has imposed substantial and unwarranted costs on innovating companies" (3). This creates "entities such as MercExchange [that] exist for no other purpose but to threaten infringement suits in hops of securing a profitable license through litigation or settlement" (4). This is the sort of 'trolling' that Prof. Thomas was talking about: MercExchange waits for other companies to infringe on its patent, while not doing anything to innovate, use, or improve the product.

The EFF brief includes a really interesting analysis of why the nature of the internet changes the meaning and effect of patent law. They argue that if the Federal Circuit decision is upheld, such patent law abuses will become widespread with respect to communications technologies used on the net. Soon, everything from e-mail to video and music transfer software that is freely available will become under attack:
In particular, the Federal Circuit offers little, if any, room for consideration of an increasingly evident public interest in patent litigation—free speech. Freedom of expression is not an absolute. It can be and has been constrained by the rule of law, including the rules permitting injunctive relief. Yet in order to do so, courts of equity must be free to weigh the need for injunctive relief against the potential impact such relief may have on speech and speech-related activities. This Court'’s jurisprudence demands nothing less. The Federal Circuit’s automatic injunction rule completely ignores this balance..Patent owners who claim control over Internet publishing mechanisms are in a position to threaten anyone who uses them, even for personal non-commercial purposes. (8)
I doubt that such issues will be directly taken up by the court, but freedom of expression issues may find their way into dissenting or concurring opinions. If nothing else, it may create legal precedent for when the next big freedom of expression case comes a'knockin'. My prediction is that the Supreme Court will overrule the Federal Circuit's decision as well as Paper Bag based on analysis that injunctions should not be traditionally granted for cases with similar circumstances.


Legislation: Cybercrimes Treaty and Dual Criminality Apprehension

Declan McCullough of CNET on the first international cybercrims treaty.

Both McCullough and the ACLU have voiced concerns this week about the Council of Europe's convention on cybercrime. In particular, they are worried that Bush's encouragement to ratify the Council's international treaty on cybercrimes may open the doors to a number of abuses. The issue that is overshadowing all others is that of dual criminality. As the treaty states, "the Convention does not require, as a precondition to assistance, that the offense being investigated also constitute a crime in the state receiving the request (``dual criminality'')."

The ACLU and McCullough take issue with this, feeding fears that the U.S.'s assistance might be used to help Russia or China or other governments crack down on freedom of speech and spy on political dissidents. The ACLU's letter to Rep. Lugar and Rep. Biden states,
While in theory the treaty could not be used to investigate "political offenses" this term is undefined and the exemption only applies to portions of the bill. Worse, the treaty is not limited to Council of Europe members. Eventually countries with even more checkered histories of civil rights abuses, such as China, could become members.
I agree... sort of. There's a definite lack of clash between the protesters of the treaty and the wording of the treaty itself. To quote at length from the Nov. 8 report prepared by Lugar:

This lack of a dual criminality requirement is hardly a novelty. In the last two decades, the Senate has approved, and the President has ratified, 43 bilateral mutual legal assistance treaties that do not contain such a requirement for all types of cooperation. This is in the interest of U.S. law enforcement, which aggressively utilizes these treaties to gain evidence abroad and would be hamstrung by a rigid dual criminality provision in all cases. Therefore, the United States will be able to use this Convention to obtain electronic evidence in cases involving money laundering, conspiracy, racketeering, and other offenses under U.S. law that may not have been criminalized in all other countries.
At the same time, the Convention contains sufficient safeguards to ensure that the lack of a ``dual criminality'' requirement will not result in the provision of assistance by the United States in any inappropriate situations. The Convention provides the same high standard of protection of U.S. Constitutional interests that is contained in U.S. bilateral MLATs. Assistance is to be provided in accordance with the provisions of mutual legal assistance treaties between the parties where they exist. Where no such treaties exist between parties, article 27 of the Convention provides a procedural mechanism for cooperation to be applied between them, including the grounds for refusal of such requests (in addition to any grounds provided under the law of the requested party). The grounds for refusal contained in paragraph 4 of article 27 are analogous to those contained in U.S. bilateral MLATs. A requested party may refuse any request concerning a political offense or that is likely to prejudice its sovereignty, security, ordre public or other essential interests. In response to questions from the committee, executive branch officials confirmed that this provision authorizes the United States to deny a request where providing the assistance would impinge on U.S. Constitutional protections, such as free speech, and that the executive branch intends to deny assistance in such situations. In addition, they committed that ``[T]he Department of Justice will carefully review each request, regardless of the country from which it comes, to ensure that compliance with it would not impinge on U.S. fundamental principles and policy, and that U.S. implementation of foreign requests would not be inconsistent with Constitutional protections.''
The committee also wishes to emphasize that the United States will not rely upon authorities created in the USA PATRIOT Act to meet its obligations under the Convention. The Convention was substantially drafted prior to the enactment of the USA PATRIOT Act, and is entirely consistent with United
States law as it existed at that time...
...So the report actually covers the concerns of freedom of speech and dual criminality, but again, only sort of. The fact that 43 mutual legal assistance treaties have been ratified does not somehow prove that NOT having dual criminality on this treaty is a good thing (and the little blip about article 27 providing a procedure when MLATs are not present-so what? the procedure provides only political guidance and no legal guidance as to the limitations or scope of the agreement). It's in the hands of the governments.

On one hand, the government's claims make sense: laws are different in varying countries and we may need assistance in legal action. For example the music distribution site www.mp3search.ru may be legal in Russia, but it may not be in the States, and if the United States needs to get names it would be hard pressed to go it alone. A further example would be Americans signing up for pornography sites in other countries where the age laws are different (say 16). On the other hand, McCullough and the ACLU are right to press the issue of limitations: tech companies are known for providing the products that allow countries like China and more recently Indonesia to crack down on freedom of speech. Important values should not be tossed around as a political carrot-allowing governments to decide whether cybercrime assistance merits rejection based on freedom of speech conflicts-they should be enshrined in the treaty. I'll try to explore this conflict more as the treaty develops, and maybe look for some alternatives to the dual criminality solution.

Monday, November 21, 2005

Legislation: Universal Service Reform Act 2005

Voice over internet protocal (VOIP) scares a lot of people, especially people in the government that are confused and frightened about how VOIP is different and what can be done to- you guessed it- regulate the sucker.

There there... a new law called the USF Reform Act being proposed by Reps. Lee Terry (R-Neb.) and Rick Boucher (D-Va.) hopes to tax VOIP to provide funding for the Universal Service Fund, a branch of the FCC that subsidizes rural development. According to a story by wired news, the Act will increase the cost of broadband access to subscribers... a reasonable price to pay.

But (cue scary music) Susan Crawford has some daunting analysis about the Act. From her blog:

Section 4 (starting on p. 17 of the draft) says that another rulemaking is supposed to establish mandatory rules for tracking all services -- presumably so that USF can be assessed. This section is truly startling. It appears, among other things, to outlaw encrypted online traffic. Take a look at this:

Communications service providers [this includes any application that uses IP addresses to provide real-time voice communications] shall ensure that all traffic that originates on their networks contains sufficient information to allow for traffic identification by other communications service providers that transport, transit, or terminate such traffic, including information on the identity of the originating provider, the calling and called parties, and the jurisdiction in which the traffic originates. . . .

This is outrageous. This means that any voice application has to label its packets so that everyone else handling their packets can tell exactly what's going on. Who's talking. Where they are. This is unbelievable.

Such rules shall include mandatory requirements for identification of all traffic by the originating provider and shall require that such traffic identification information is transferred to transporting, transiting, and terminating providers unchanged and unaltered

Read the whole post... the Act is a year off from being pushed through, but such underhanded regulation is quickly becoming more and more common as companies try to reconcile new technologies with old business practices. It's a damn good thing that there are intelligent observers out there to warn of the upcoming peril.

Thursday, November 17, 2005

Article: Network Neutrality and "Saving the Net"

Earlier today my brother pointed me to an outstanding article entitled "Saving the Net" by Doc Searls. It is about the current rift over how the net will and should be regulated... centering on a framework for the net that's been getting kicked around a lot lately, network neutrality. Network neutrality is the concept that the network- as provided by DSL and cable service companies- should not distinguish between different types of use. For example, you can use your DSL or cable for checking your email, sending videos, calling someone up on VOIP, and a slew of other things. No one use should be held above any of the others.

The threat: Technology experts who tend to have libertarian leanings have expressed concern over the U.S. Committee on Energy and Commerce's recent discussion to create a statutory framework for Internet Protocol and Broadband Services. A second call to action came in the form of SBC acquiring AT&T, and Verizon acquiring MCI. This compounded fears that were birthed earlier this month by SBC CEO Edward Whiteacre's comments in a Business Week's article (from an analysis on WashingtonPost.com):

Asked about Internet firms such as Google, Microsoft Corp.'s MSN and online phone service Vonage, Whiteacre told Business Week that those companies were dependent on SBC's lines -- or "pipes" -- for their success in reaching consumers.

"Now what they would like to do is use my pipes free, but I ain't going to let them do that because we have spent this capital and we have to have a return on it. So there's going to have to be some mechanism for these people who use these pipes to pay for the portion they're using," he said, according to Business Week Online's edited excerpts of the interview.

"Why should they be allowed to use my pipes? The Internet can't be free in that sense, because we and the cable companies have made an investment and for a Google or Yahoo or Vonage or anybody to expect to use these pipes free is nuts," he said.

You can probably understand why this might rub some people the WRONG way. The fear is that the two recent telecommunication megamergers have created what Searls' calls "Ma Bell" in the form of SBC/AT&T and "Pa Bell" in the form of Verizon/MCI. With more consolidation, these companies will move from regulating the amount of broadband you receive (for example really really heavy users put more stress on SBC's 'pipes') to regulating ACCESS to the CONTENT of the internet. Think of it as a toll bridge that charges you for using the bridge and THEN turns around and says that you need to pay for each lane you want to use. We'll call it "superhighway robbery."

Techdirt and Susan Crawford point out that the real issue, when it comes down to it is about competition, and allowing more options for the consumer. Crawford writes,
We need to find higher ground. I think the real fight should be over rights of way and platform competition. There's a clear lack of competition in the last mile -- that's where choice has to exist, and it doesn't now. Even the FCC's own figures reveal that cable modem and DSL providers are responsible for 98% of broadband access in the U.S., and two doesn't make a pool. If the FCC is getting in the way of cross-platform competition, we need to fix that. In a sense, we need to look down -- at the relationship between the provider and the customer -- rather than up at the relationship between the provider and the bits it agrees to carry or block.

...[following Whiteacre's comments] That's the voice of someone who doesn't think he has any competitors. Competition in the market for pipes has to be the issue to focus on, not the neutrality of those pipes once they have been installed. We'll always lose when our argument sounds like asking a regulator to shape the business model of particular companies.
This is when it becomes increasingly harder to distinguish theory from law. In this case it's clear that the way legal concepts are articulated has a direct influence on how much political clout and legitimacy they have. If the Silicon Valley crowd can, as Crawford suggests, argue their case in terms of economic markets and the problem of too little competition- for example, SBC/AT&T's failed policy towards municipal wi-fi. In the case of Eldred v. Ashcroft, Searls' argues in a lengthy post that it is the inability to articulate the legal and technological issues in a way that are politically digestible that lost the case:

The issue here isn't enumeration, or the ability of Congress to pass laws of national scope regarding copyright; the copyright power is clearly enumerated in the Constitution. The issue, at least for the conservative justices who sided with the majority, is more likely the protection of property rights. In order to argue against that, Lessig would have had to argue for a communal property right that was put at odds with the individual property right of the copyright holder, and even that would be thin skating at best. So the Supremes did the only possible thing with respect to property rights and the clearly enumerated power the Constitution gives Congress to protect copyright.

Watch the language. While the one side talks about licenses with verbs like copy, distribute, play, share and perform, the other side talks about rights with verbs like own, protect, safeguard, protect, secure, authorize, buy, sell, infringe, pirate, infringe, and steal.

This isn't just a battle of words. It's a battle of understandings. And understandings are framed by conceptual metaphors. We use them all the time without being the least bit aware of it. We talk about time in terms of money (save, waste, spend, gain, lose) and life in terms of travel (arrive, depart, speed up, slow down, get stuck), without realizing that we're speaking about one thing in terms of something quite different. As the cognitive linguists will tell you, this is not a bad thing. In fact, it's very much the way our minds work

So code might matter, but words matter just as much. The issue in Eldred was Congressional power to extend copyright terms again and again, essentially making the proposed limits on copyright worthless. Lessig, who acted as lead counsel for Eldred, has a detailed retrospective of the case that outlines some of these concerns. When it comes to the next fight- the providers of 'pipes'- the property rights arguments are likely going to be clearer. In Eldred, it was the concept of public domain v. the business of copyright. Here, it's the business of internet service providers (Ma and Pa Bell) v. the business of internet content providers (Google, Yahoo, ect.). Economically speaking, its a more evenly matched battle.

For this reason, I think Searls' piece is somewhat extreme. But he makes some good points about issues that will become increasingly important as Google's plans for municipal wi-fi heat up. And then there's the second issue of copyright legislation. I'm not quite sure if I buy into the concerns that Congress will essential regulate the internet- closing the analog hole with the HD Radio and Content Act of 2005 is a good example. I'm not a huge fan of DRM, but I imagine that the recent Sony debacle coupled with increasing evidence that p2p has less of an economic impact than was once believed may erode some support for the RIAA and its ilk- although if the Act were to pass, it would be a staggering blow for consumer and artist alike. If any one lesson should be taken from the rift over network neutrality, I think Searls' final section on fighting back with words is it: given the influence of politics on the regulation of the internet, articulation becomes vital.

Wednesday, November 16, 2005

News Update: ICANN domain control issue settled


With time running out before the start of the U.N. Summit in Tunis, the international community has agreed upon a framework for control over internet domain names, a decision that most see as a striking win for the United States. Under the agreement, the U.S. based Internet Corporation for Assigned Names and Numbers will retain working control over the Internet's address structure, and the international community will be given more influence in an advising position under ICANN. The conflict over ICANN, as Wired News' article tells it:
"is the United States' control of the "root zone file," the master list of allowed top-level domains -- currently numbering at nearly 300, including generic domains like .com and .info, and hundreds of two-letter county codes like .uk and .au.

Control of the root means that the United States could, in theory, wipe another country's top-level domain out of the system for political reasons, leaving it largely unreachable to web and e-mail traffic. "Maybe countries that don't support the war on terror are kicked off the internet, for example," says Wu... "As long as the root is controlled by the United States, there's this psychological feeling that the United States owns the internet," says Wu. "It's symbolic, but symbolic things can matter when it comes to questions of nation-state legitimacy.""

And there is quite a lot of symbolic importance in the WSIS' text on Internet Governance, the document agreed to shortly before going into the summit- but the BIG issue of who OWNS the root goes to the United States. And the issue drives a lot deeper than just symbolism. Kenneth Neil Cuckier outlines some of the more pragmatic consequences of internet governance in a Nov/Dec 05 Foreign Affairs article entitled "Who Controls the Internet?", writing,
"although... what techies call "Internet governance" -- seems nerdy, it can have an important impact on mainstream policy issues. For instance, countries that place restrictions on the types of domain names that can be used effectively hamper free speech. The personal information of registrants of addresses with generic suffixes such as ".com" and ".net" are made publicly available online, which jeopardizes people's privacy. Telecom operators need access to Internet Protocol numbers to deploy services, making them a major asset for companies and an economic interest of countries. Technical standards can be designed either to foster openness or to permit censorship and surveillance. In short, the Internet, before it is physically constructed from routers and cables, is made up of values. And the domain name system is the central chokepoint where control of the Internet can be exercised."
Value? Architecture? I'm not sure how much I buy Cuckier's argument- ICANN's been controlling the internet for a while now, and China still seems to be able to use Cisco's product and the willingness of internet companies to crack down on free speech Regardless, . Granted, its important to keep the domain name system (DNS) open, but its only really one level of the internet. Regardless, the resolution that has been set forth allows for an international forum to take place within existing structure- namely, the international community will be able to engage in dialogue over all sorts of tricky issues through the Governental Advisory Committie of ICANN. GAC does not have control over ICANN policy, but does have influence- there has never been advise given by GAC that ICANN has not accepted and acted on.

So is it good news? Sure... the EU and International Community receive a symbolic victory, and its not like they've lost the 'nuclear weapon' option to create a parallel system of internet governance, they've simply choosen not to use it at this time. Hopefully, this will resolve the question of internet governance for the time being, and get the Summit back on pace, dealing with issues like closing the digital divide and fighting cybercrime.

Monday, November 14, 2005

Update: WSIS and the diplomacy of KHAAAAAAN

Quick update- my post on the upcoming WSIS event in Tunis was decidedly pessimistic as to whether or not anything would get done. Reading the Register's article on Masood Khan, Pakistan's ambassador to the U.N..

Some highlights of the article include the UK/EU's faith in Masood:

In an extraordinary statement, the UK/EU then deferred its entire contribution to the net governance debate to Mr Khan's stewardship. "We will co-operate in any way you choose," the representative told Mr Khan. This was the same UK/EU team that stunned the self-same room in September by producing a radical blueprint for a new form of internet control.

And more importantly, Khan's focus on real results, and not the generalizations we've sort of grown accustomed to from such multilateral attempts:

"I would encourage you all not to focus on general themes of internet governance but instead go to the heart of the matter,” were his opening words. And then he listed them. “The question of a future mechanism, the question of oversight, and the paradigm of co-operation amongst all stakeholders."

I couldn't find much more on Khan related to the WSIS, and one article isn't enough to make me change my assumptions about the Summit... but given the glowing review of Khan, I'll be sure to keep my eyes open for more about him (yeah, this really isn't a post in the sense that I offer some sort of commentary, but its a fairly slow day in the tech/law world)

Update: Sony DRM


Two quick updates on the scourge that IS Sony DRM:
1) The most notorious version of DRM, by First4Internet, is being taken off Sony products for the time being, although Sony defended their right to copy-protect merchandise. Also, this very software might be entitled to legal attention not on disclosure issues, but in that IT MAY VERY WELL BE stealing code without fufilling required measures.
2) Freedom-to-tinker's J. Alex Halderman has a wonderful post on the DRM software that still IS in place, by a company called SunnComm- see the EFF list to see what albums have SunnComm. Halderman goes into detail explaining how and what the SunnComm program downloads without permission- but the most worrisome section has to do with privacy and information gathering (SunnComm DOES gather information, but does not disclose this to consumers). Scary Stuff.

Friday, November 11, 2005

Issue/News: Grokster, the RIAA and the battle over p2p

The tumultuous battle over p2p is being fought once again, this time the contenders are Fred von Lohmann of the Electronic Frontier Foundation and Adam Thierer formerly of the Cato Institute.

The issue: well, everyone pretty much agrees that RIAA lawsuits against file sharers aren't working too well. And the Grokster settlement threatens to chill innovation on the web by holding p2p providers accountable, a move that may also be ineffectual in driving down illegal file sharing. The EFF has just put out a paper to this effect, arguing that past attempts of regulating by RIAA lawsuit have failed miserably, resulting in a) disproportionate punishment b) the potential for innocents to be targeted and punished and c) no reduction of the impact that illegal file sharing has on the legal music market. Although the paper includes moral, pragmatic, and empirical concerns, the subsequent debate has boiled down mostly to the pragmatic- there is a market that has embraced p2p software for illegal filing sharing, and there is no workable alternative to the RIAA lawsuits currently in place- what can be done?

The main issue centers around EFF's proposed solution to the problem. From RIAA v. The People: Two Years Later:
"There is a better way. EFF has been advocating a voluntary collective licensing regime as a mechanism that would fairly compensate artists and rightsholders for P2P file sharing. The concept is simply: the music industry forms a collecting society, which then offers file-sharing music fans the opportunity to 'get legit' in exchange for a reasonable regular payment, say 5$ a month. So long as they pay, the fans are free to keep doing what they are going to do anyway--share the music they love using whatever software they like on whatever computer platform they prefer--without fear of lawsuits. The money collected gets divided among rights-holders based on the popularity of their music... the more competition in P2P software, the more rapid the innovation and improvement."
As the paper goes on the say, such a framework is already being pushed with the deal struck between Playlouder Music and Sony MGM (wait, the DRM villains?) to provide Sony's entire catalogue in a format that would allow it to be traded over existing p2p software- Grokster, Donkey, BitTorrent- and be tracked and protected from "leakage", creating a "walled garden" in which songs are tracked and kept from being illegally traded. Similar projects are following suit, such as SNOWCAP. How plausible is the idea?

That's what's being debated between von Lohmann and Theirer. Both agree that some sort of enforcement is necessary, but differ on the extent of that enforcement. Theirer quotes the EFF's white paper on "Play to Play", where von Lohmann writes:
"Copyright holders (and perhaps the collecting society itself) would continue to be entitled to enforce their rights against "free-loaders." Instead of threatening them with ruinous damages, however, the collecting society can offer stragglers the opportunity to pay a fine and get legal."
And this is where it gets tricky... and where I (and Thierer) think von Lohmann's logic starts to lack in a couple of key places. The "Two Years Later" paper makes a pretty strong case that P2P software is easy to produce, and quickly accessible. He also argues that consumers that do break the law should be fined a reasonable amount. This is predicated on the notion, reinforced by a fair bit of evidence, that in the end, most users WANT to go legal.

Regardless, we're left with the question of what consists of effective and reasonable enforcement measures for those that haven't signed on board:

1. Users that still don't go legal: There will be, of course, a group out there that refuses to pay the 5 or 10 or 20 dollar fee that comes with a pay-to-play plan. von Lohmann's argument that "a collective licensing solution, because it would create an environment where intermediaries would have market incentives to "bundle" licenses with other products and services, would do a better job "enforcing" copyrights -- that is to say, getting people to pay rightsholders" falls short. It reduces copyright infringement by encouraging people to be legit (and most importantly, makes it extremely EASY to go legit), but without the threat of punishment, it has no teeth to deal with users that don't convert. If massive lawsuits don't encourage them to go legit, paying a fine probably won't either (if enough people go legit, however, it might, because the risk analysis changes- i.e. your fining a smaller group of users, and therefore the risk cost of illegal file sharing goes up per-person, see the comments on lessig's post for more). Tracking files of illegitimate and legitimate users might make enforcement easier- and encourage some enhanced version of the RIAA's "amnesty" program as opposed to wreckless lawsuits- but copyright still needs to be enforced, and von Lohmann is too vague on the issue to be of much guidance.

2. Applications that continue to encourage illegal file sharing: If the pay-to-play structure becomes popular, BitTorrent and Donkey-esque applications may become more suspect in that they continue to allow illegal file sharing with cost-reasonable filters (if these filters are, in fact, cost-reasonable). Not only this, but there are sites like www.mp3search.ru that are based in other countries with differing copyright law, allowing American users to in essence receive music under Russian regulations (and low Russian prices). For the BitTorrent like sites based in the States, we may see an increasing shift towards more scrutiny over what qualifies as acceptable software, and that may stifle invention. Conversely, the burden might shift away from software to the customer, who now has the opportunity to use such software in legal ways and refuses to (but again, this comes back to problem of what regulation is effective). For the Russian sites, the U.S. would have one hell of a time taking them to court, so by default the burden will likely fall on the U.S. consumer.

How will that burden be meted out? Hard to tell- but if I had to predict, it will be an amended version of the "amnesty plan" of the RIAA, with more corporate involvement. The erroneous lawsuits may still remain, but their support, both publicly and pragmatically, may erode as the pay-to-play structure becomes popular. In the end, the questions raised in this post are more logistical than substantive... I'm convinced the system that the EFF advocates will work, its just a question of the few instances in which it does not work. Hopefully, programs like Sony and Play Louder's will progress quickly enough that we'll see these questions raised in the next couple of years, because until then, the RIAA is showing few signs of slowing down the rampaging fines.

Thursday, November 10, 2005

Issue/News: World Summit + the Digital Divide

So far, this blog has been focused pretty much exclusively on American legal theory and the internet. In my second post, I talked about two perspectives: Lawrence Lessig and Manuel Castells. Thus far, Castells has been neglected, namely because his theory is more, well, theoretical, and less legal.

Today, I wanted to bring the two together with a bit more of a focus on international issues, as a precursor to the upcoming World Summit on the Information Society held in Tunis, held Nov. 16-18, 2005. It is the second of a two part summit, the first held in Dec. of 2003 in Geneva, which resulted in both a declaration of principles and a plan of action. Neither document has many specifics on what actions will be taken on behalf of the World Summit- they are more a general statement of ideals, with the declaration basically a collection of abstract ideals (social justice, enabling the developing world, bridging the digital divide, being eco-conscious, ect.) and the plan being slightly more specific (employment, environment, e-learning) but lacking any actual actions- and having timelines that are far enough down the road to make them ineffectual (for example, half the world should have access to information and communication technologies by 2015).

The second phase of the summit may answer some of the ambiguities left by the first. However, overshadowing the Tunis convention are concerns over Tunis's repressive actions against internet users, as well as analysis that suggests poor countries face tough obstacles to go online.

The bright side? Well, if you take the perspective that the internet is an extension of other information and communication technologies, than the rise of cell phones in developing areas such as Africa gives some indication of how powerful bridging the digital divide can be. One of the most thorough papers on the developing world and the internet comes from the World Bank, which will distribute both Financing Information and Communication Infrastructure in the Developing World: Public and Private and E-Development: From Excitement to Efficiency. They have not yet made the latter document available, but if the former is any indication, there will be a heavy emphasis on private investment and effective regulation, with governments and donor communities (like the WB) playing a supportive role. There is a focus on investment as both philanthropy and of economic benefit (sustainable).

Although this post does not contain any specific legal resolutions or cases, the discussions that will take at the Summit may have far-reaching legal consequences, including:

1. Commerce Regulation: The World Bank report really hammers on the issue of commerce regulation, and how rules concerning foreign investment in information and communication technologies often hamper growth. Scott Wallsten, a former economist at the World Bank, argues persuasively that ISP entry barriers slow down growth. Presented with fairly straightforward evidence that liberalizing technology market regulations improves growth, coupled with possible World Bank loan incentives- the legal framework governing foreign investment in the information and communications technology (ICT) sector may see some changes.

2. Freedom of Speech standards: Castells talks a lot about why networks of communication should be set up with the principle OF communications... although too controversial to get much coverage at the convention, closer relations between countries on internet matters may encourage repressive governments to stop draconian regulation. OR, it could follow in the wake of the controversy with Cisco providing the infrastructure for China to closely control internet content, and push for private companies to do more... but I wouldn't hold my breath. Whatever happens, it'll be interesting to see whether either the market or regulatory bodies do anything about this issue.

3. Internet Domain Control: Probably the most covered issue that will be brought up at the convention- the United States and the EU are battling over control for internet domains. Currently, ICANN controls domain regulation, but the EU and a number of other countries would like that to change and place control in the hands of the U.N.. On one side, U.S. advocates such as Senator Norm Coleman (R-Minnesota) argue that the E.U. is attempting to usurp U.S. power at the cost of a system that is already effective and working. On the other, reform advocates argue that ICANN has bowed repeatedly to the pressures of U.S. corporations, and a solid analysis of the issues reveals that reform has to happen either through an international or U.S. agency, or through 'internationalizing' the current legal structure. A more moderate view, expressed again by Lessig (I don't mean to link to his stuff so much but the guy seems to get interviewed a fair bit and writes a lot about important topics) in a Foreign Policy interview is that although in the past ICANN has behaved badly, and a separation of UN/US regulatory bodies could co-exist, its more hassle than its worth given that ICANN is now pretty good.

4. Cheaper Product: Private corporations have been for some time now developing cheaper technological products aimed at the developing world. One of the most talked about is MIT Professor Nicholas Negroponte's 100 dollar laptop. Such inventions, coupled with freely available software, may make bridging the digital divide a whole lot easier. Hopefully, there will be specific plans that emerge from the summit on these measures.

Will much progress be made? I doubt it... the vast majority of the developing world lacks the infrastructure that enables the potential of information and communication technologies. This hasn't changed a whole lot since Bill Gates made the point in 2000 that a revolution in health care needs to take place before the digital divide can be closed. This is not to say that in some places- India, China, Thailand, Nigeria- that ICT will not help, it certainly will if governments have good regulatory policies. But there are issues like intellecutal property rights, freedom of speech, and economic policy that are extremely stubborn, and a general summit is unlikely to change any of this. Given the sluggish manner in which governments have worked against intellectual property rights standards that bar cheap generic medicines from reaching the developed world, it is doubtful that any significant changes (at least changes that threaten intellectual property rights or the market) will come from Tunis.

Wednesday, November 09, 2005

Issue/News: Google Library

Ok- so pretty much everyone has written about Google Library, and my aim here isn't to inform anyone of anything (which is good, because when exactly no one reads your blog, you need to set your expectations relatively low)... my aim is to explore Google Library from a legal perspective, and more importantly, what the future implications of the Google Library controversy will be, namely, what if any limitations/regulations will be defined as part of regulatory structure that controls internet law.

First, a quick introduction to the sides of the case. There's a ton of material flying around the world wide web about Google Library, and some of the best stuff has been collected at DigitalKoans. Borrowing from these sources, I want to briefly mention the theoretical and legal underpinnings of the Google Library case through much more articulate sources than myself:

1. Theory- For a very clear analysis of the theoretical battle underlying the Google Library controversy, I suggest Columbia Law Professor Tim Wu's article in Slate, which is not only worth reading, but quoting large passages from, like this one:
"The idea that there is no tradeoff between authorial control and exposure is attractive. But it is also wrong. Individually, more control may always seem appealing—who wouldn't want more control? But collectively, it can be a disaster. Consider what it would mean, by analogy, if map-makers needed the permission of landowners to create maps. As a property owner, your point would be clear: How can you put my property on your map without my permission? Map-makers, we might say, are clearly exploiting property owners, for profit, when they publish an atlas. And as an individual property owner, you might want more control over how your property appears on a map, and whether it appears at all, as well as the right to demand payment... The critical point is this: Just as maps do not compete with or replace property, neither do book searches replace books. Both are just tools for finding what is otherwise hard to find. And if we really want to have true, comprehensive book searches, we cannot require that every author's permission be individually sought out. The book search engines that emerge would be a shadow of the real thing, just as a negotiated map would be a lousy one."
Google is a great example of where law and theory combine. On Lessig's most recent blog post, he argues, extending a doctrine of shifting intellectual property rights, that Google print is a step towards rightly viewing certain material as fair access (like Wu with the maps- your house or your book, either way we can search it). He bases this on the case of Causby, which treats air space above ones home as a commons with the advent of airborne transportation... the blog is in response to a post by James DeLong, of the Progress and Freedom Foundation (however, his reply to Lessig- quoted later- is a bit more concise and helpful).

So with regards to theory, on one side there is an argument that in light of technological advances, a search like Google Print does not infringe upon copyrighted printed sources in a way that detracts from the spirit of copyright.

2. Law- But in practice, will Google Print create the potential for copyright infringements? Attorney Jonathan Band doesn't think so, arguing that the opt-out policy of Google Print "does not turn 'every principle of copyright law on its ear.' Rather, it is a reasonable implementation of a program based on fair use. " He basis such analaysis on Kelly v. Arriba Soft, a case involving a company that allowed searches to be conducted for images on the internet- since the nature of the search engine did not specifically use such images for commercial purposes (Kelly's images were a small drop in the pool of images) and because it did not have a detrimental effect on the market (the search engine granted more expore, and the fact that the search brought up lower resolution thumbnails disqualified them for extensive commercial use). But wait, if it improves the market exposure of material, and qualifies under fair use, what problems are there? To look at two that DeLong points out:
1) A digital copy of each book goes to the participating library, and the only restriction is that it abide by copyright law. There can be no guarantee that the library will impose security akin to that adopted by Google.

2) The law has no doctrine that allows Google to be special. So what Google is allowed to do, others can do. The authors and publishers can legtimately object to having a huge burden of policing imposed on them.

I can see it being a scary notion that Google is making digital copies of every book from a fair amount of very, very large libraries. When you map my house, you use an image of that house, or in the case of satellite maps, a photograph. Cool- but that's NOT what Google Print does. The value of my house is not tied to that particular image- it has no market value in and of itself. Granted, neither do the excerpts that are created via a Google Library search, but the fact that Google creates two digitized copies of the material presents a huge risk. This weeks Businessweek provides an excellent summary of such fears.

This argument, although valid, does not necessarily find comfort in the law. Going back to the Grokster issue and safe harbor act, think of CDs, or CD burners, or DVD burners that can be used to copy a wealth of copyrighted material- those have very little protection barring their use- at least the Google Library project has a corporation and library institutions that have the master copies- institutions which are far easier to hold legally accountable (see the last post on the Grokster case).

The second argument, about the opt-out policy, seems far less pursuasive, namely because objection 1 didn't argue that there was a clear copyright infringement, simply a potential for abuse. So )*&^* what? How many libraries have you been to that have, lets say, a PHOTOCOPYING MACHINE... making every library prone to MASSIVE COPYRIGHT INFRINGEMENT ABUSE. So do you force every library to have an opt-in clause for each particular author? Of course not...

So in the end, it looks like Google Library will survive the legal battle it may be embroiled in over the next couple of years... perhaps the fact that the case takes a step into what Harvard Law Professor Jonathan Zittrain calls "terra incognita" will be a good thing. It is the best chance for what Lessig calls a "revolt" of copyright... and even if not a full fledged revolt, than it will at least give us a better idea of what the rules of battle are.

Monday, November 07, 2005

Issue/News: Grokster pays up and shuts down

Just when things were getting a bit tepid in the electronic legal waters Grokster settles their privacy dispute, the result of a multi-year long battle with MGM which culminated at one point in the Supreme Court Case of MGM v. Grokster. Both The Wall Street Journal's article about the settlement, as well as The New York Time's take describe it as a blow to copyright infringement on the internet.

There is a wealth of analysis on the Grokster case... its pretty ridiculous. For a comprehensive look at the case and some associated articles, check out EFF's Grokster site. Much of it is unsurprisingly pessimistic about the Grokster decision (analysis that seems to have been reinforced with Grokster's closing). For example analysis from BagandBaggage argues that this case is a harbinger of speech chilling, akin to Batzel v. Smith, specifically the section that reads (their emphasis):
Although Stratton was a defamation case, Congress was concerned with the impact such a holding would have on the control of material inappropriate for minors. If efforts to review and omit third-party defamatory, obscene or inappropriate material make a computer service provider or user liable for posted speech, then website operators and Internet service providers are likely to abandon efforts to eliminate such material from their site.
I disagree with their analysis, because the Grokster case is different in a couple of significant ways. First, the assumption made in Batzel is that with the status quo, website operators and Internet service providers self-regulate to some extent. In Grokster, the court bases its analysis partly on the fact that Grokster was created to attract ex-Napster users that used the p2p program for copyright infringement purposes- thereby negating this assumption. Second, the argument is talking about a regulation that goes beyond Grokster. It makes the argument that sites and services that filter material ought not be responsible for such material. Grokster only makes the claim that p2p services have to make an attempt to filter in the first place, with nothing about responsibility after that attempt is made (in other words, the burden is on Grokster showing that the service is set up to be used primarily or at least significantly for SNUIs). Justice Souter wrote in the majority opinion,
Respondents' efforts to supply services to former Napster users indicate a principal, if not exclusive, intent to bring about infringement. Second, neither respondent attempted to develop filtering tools or other mechanisms to diminish the infringing activity using their software. While the Ninth Circuit treated that failure as irrelevant because respondents lacked an independent duty to monitor their users' activity, this evidence underscores their intentional facilitation of their users' infringement. Third, respondents make money by selling advertising space, then by directing ads to the screens of computers employing their software.
So what's going to happen now in the wake of the Grokster settlement? After the decision Judge Richard Posner wrote an opinion about the Grokster case, which concludes that the 'middle way' might be to have file sharing systems be required to take reasonable (cost possible) steps to filter illegal material. This, to me, makes sense, but its a shame that the architecture is shifting towards one of control. However, its too soon to jump to that sort of broad conclusion... taking a look at SCOTUSblog's discussion on the Grokster material, this settlement/decision only establishes a principle that cannot be readily applied to such technologies as BitTorrent, which has a much clearer promotion of non-infringing transfers. It also has some posts by one of the lawyers of the case, Fred Von Lohmann, who points out some possible analogous technologies that will be effected. Furthermore, Pamela Samuelson of the Berkeley Center for Law and Technology argues concisely and effectively that although the MGM v. Grokster decision may look far-reaching, in actuality the decision is a win for the technology community since the Supreme Court decided not to revisit the Sony Safe Harbor Act (which protects technologies which can be used for illicit purposes, but that have clearly defined legitimate uses). [Update- And although Lessig agrees with Samuelson about the refusal to re-postulate the safe harbor stanndard, he argues in an interview with business week that the case will chill invention by placing an undue economic and legal burden on corporations.]

So big news- but we'll have to wait and see how far and powerful the Grokster settlement's ripples are- although it is somewhat of a indication of the direction of a much more powerful wave- how far software development will be beholden to legal concerns. With Grokster gone, it looks like BitTorrent might be next text (the recent arrest of a Hong Kong man using BitTorrent for copyright violations suggests that for the time being, it is the user and not the technology in this case that bears the burden of the law).

Friday, November 04, 2005

Issue/News: Sony DRM and a few legal precedents

So what's the lowdown on the Sony DRM issue and legal precedent? I'm not sure- in this case, Sony seems fairly quick to cover their own ass, so its doubtful anyone would try to sue them. But its an interesting point for the ongoing balance between commerce and personal privacy on the internet. The Wired.com story I mentioned argues that it may be a crime under the U.S. Computer Fraud and Abuse act. Is it?

Probably not. Two cases that have been tried under this act for not completely unrelated issues, the cases of Pharmatrak, Inc. v. Private Litigation and doubleclick inc. v. private litigation, have not turned out too well for the forces of privacy. In both, the argument is made that the companies in question (Pharmatrak and Doubleclick... the latter a company watched closely by the internet privacy advocacy group EPIC) illegally used internet cookies to collect personal information about consumers. A lot of the discussion in the case is based on the fairly straightforward wording of the Computer Fraud and Abuse Act, as well as the Electronic Communications Privacy Act. Neither I nor any of the hordes of people reading this want me to go through the entirety of the cases, but there are a couple of interesting things to note with relation to DRM, one being that in DoubleClick there is a "simple steps" observation that places more of the burden on the consumer:

Third, DoubleClick will not collect information from any user who takes simple steps to prevent DoubleClick’s tracking. As plaintiffs’ counsel demonstrated at oral argument, users can easily and at no cost prevent DoubleClick from collecting information from them. They may do this in two ways: (1) visiting the DoubleClick Web site and requesting an “opt-out” cookie; and (2) configuring their browsers to block any cookies from being deposited.
There are similarly 'simple' ways you can turn off the autorun program that runs Sony's DRM, although instructions or notification for the 'opt-out' option (in the DRM case you need to stop a process in windows) isn't easy to find (although now Sony has set up an uninstall web site). And this is what disturbs me- if the legal burden shifts to the consumer, corporations will be able to continue to push the line of privacy, and all changes will be retroactive. So far, recourse has really only come from the blogging community (update- the market has also reacted, as antivirus companies are quickly putting Sony's DRM on their hit list)

The Doubleclick case, however, only has so much in common with the Sony DRM issue. At its base, it provides a guide for how the law is interpreted- mostly 'on its face'- and where the burden lies- on the consumer. Other sources of legal precedent may be more telling, as CNET's Declan McCullagh has written today about the potential legal mess Sony is in. He cites two such cases: Soleto v. Directrevenue and the California anti-spyware law.

First, Soleto: In this case the plantiff sued Directrevenue, which bundled spyware with a number of 'free downloads', and did not openly display the EULA (the spyware was bundled and downloading the software did not require the user reading the EULA- in the case of users with Microsoft security settings on low, the software would be downloaded without fixed consent). As McCullagh writes,"U.S. District Judge Robert Gettleman said the company could be sued on trespass, Illinois consumer fraud, negligence, and computer tampering grounds.<
There are a couple of signs in this case that although much of the burden falls on the consumer, there are limitations to the harm that can be created via third party programs. For example at one point in dismissing a claim that users are able to opt-out, Gettleman writes,"Spyware begins consuming computer resources when it is installed, and uninstalling Spyware is significantly more confusing and vexing process than returning a product". This strikes me as a fairly sharp contrast to the logic applied in Doubleclick over the same matter, although then again Doubleclick's cookies signifigantly differ from Directrevenue's spyware.

Second, such harms can be tied to trespass. Gettleman evidences this with legal precedent, writing,
"A series of federal district court decisions, beginning with CompuServe. Inc., has approved the use of trespass to personal property as a theory of liability for "spam e-mails" sent to an Internet service provided ("ISP") based upon evidence that the vast quantities of spam e-mail overburdened the ISP's own computer and made the entire computer system harder to use for computer users, the ISP's consumers."
However, as much as people might make out that Soleto applies to Sony's DRM, there remain glaring disimilarities. For one, the claims in Soleto- particularly consumer fraud and negligence- are based on Directrevenues' disclosure policy. Sony is a lot more open: although the EULA is confusing, a user has to click through it to access material, and with regards to Sony disseminated CD's, there are clear labels (take a look at "Z" on amazon.com, the CD I mentioned in the last post, and notice the COPY PROTECTED CD line in the title). Eric Goldman reinforces this, arguing,
"However, the Sotelo case doesn't offer us much insight here. First, the Sotelo decision was just a denial of a motion to dismiss, so its precedential value is low (especially if the court ultimately finds that there was no trespass to chattels). Second, a properly formed EULA consenting to the install would negate a trespass to chattels claim (and all of the various other related claims, like the Computer Fraud & Abuse Act)."
So that's it for Soleto- what about the California law? Well, the definitions of the law state that:
(h) "Intentionally deceptive" means any of the following:
(1) By means of an intentionally and materially false or fraudulent statement.
(2) By means of a statement or description that intentionally omits or misrepresents material information in order to deceive the consumer.
(3) By means of an intentional and material failure to provide any notice to an authorized user regarding the download or installation of software in order to deceive the consumer
On its face, the Sony's EULA does not meet either the 1st or 3rd criteria. And as far as
"intentially omits or misrepresents material" it sufficiently, if confusingly, represents the
existence of the rootkit. What it might not do, however, is give sufficient notice to how HARD
the damn thing is to remove from Windows (as evidenced in the comments on Ed Felton and
Eric Goldman's site).

Another possibility for legal recourse is in one of the later sections, which reads that a company or individual cannot:
(1) Induce an authorized user to install a software component onto
the computer by intentionally misrepresenting that installing
software is necessary for security or privacy reasons or in order to
open, view, or play a particular type of content.
I can see this one being argued on two counts: first, by the user of the CD, that the EULA doesn't include any opt-out option (i.e. instructions to disable Windows autorun) and therefore appears to be required to play the content, and second, by a user on the network that has an administrator that has downloaded the Sony rootkit. Because the rootkit cloaks any file with $sys$ this cloaking feature can be picked up by other malicious software programs and used to clock their files... in other words the user on the network, which has not downloaded the rootkit, is adversely affected because a malicious program on their system is using the rootkit on the administrators computer to cloak files.

Regardless, Sony is taking a hit with all the furor over the rootkit, and it won't help their already tarnished reputation. What a legal action really needs in order to be pushed through is a very clear claim of damages (i.e. the rootkit specifically hinders this or that operation on this or that system). In the coming weeks, it will likely be resolved through the private actions of Sony- or it might not- either way, it may give us a better sense of how blurry the line is between illegitimate and legitimate software, as well as the balance of burdens between the consumer and the corporation.

Thursday, November 03, 2005

Continued: Sony Rootkit, ect. ect.

A lot of flak is given to Microsoft for being the dark side as far as open and closed source code goes- namely, they steal open source code, and then make it closed source. However, in the last week, I believe the rightful bearer of the closed source code goes to Sony, for the rootkit issue mentioned in the last post. Not that this wasn't a long time coming... Sony's business model is pretty much 'you can't have it' (remember minidisk players- and all of the other Sony music players that JUST started natively playing MP3? no? what about memory sticks? in fact, check out the section called 'proprietary formats' under Wikipedia's entry for Sony and see how many are followed soon after with the words "failed" and or "miserably") Notably, while Sony's come under such attack, Microsoft has reworked its code sharing plan to allow more access to code that was previously protected, and even more recently has called for a law granting broader privacy protection from the government.

But back to Sony. A lot of legal theorists like to explain fairly complicated issues with analogies, here's my sorry attempt:

Bobby is walking home. On his way home, Bobby decides to buy a compact disc from the local CD-O-Rama, lets say, My Morning Glory's new acclaimed album, "Z". He pays his 10 dollars, and off he goes. But what Bobby didn't bargain for was that CD-O-Rama sent an invisible dog after him, a rotweiller in fact, that followed him home. When Bobby played the CD, it played fine. When he tried to burn the CD onto his computer, that was ok too... but when he tried to burn the songs onto a new CD, or download the songs to his i-Pod (Bobby's hip), all he hears is loud barking when he listens.

The invisible dog, as it were, had been trained to bark loudly whenever Bobby tried to do certain things with the CD. Bobby couldn't understand why. And soon, other things began to happen. One day Bobby comes home and his room has been torn apart, another day and there are claw marks on the walls. Bobby begins slowly going insane, while the dog continues to rummage around unabated. To make matters worse, Bobby used to be tormented by several cats in the neighboorhood as well, but the cats found out that if they came into Bobby's room with the invisible dog, they too would turn invisible!

Legally speaking, sucks to be Bobby. Eric Goldman writes,
Accordingly, I'm a little perplexed about what Sony has done wrong from a legal perspective. (I have mixed views about the propriety of Sony's behavior from other perspectives). Sony has the right to protect its music via DRM. Doing so may require the installation of client-side software. Sony has disclosed the install in the EULA. It seems like everything is legally kosher.
Goldman is, unfortunately, right as far as I know. Wired.com's story on the subject argues that a crime has been committed, and may be punishable in the courts, but their claims are a little thin on specifics (although it DOES have a good summary of what's going on, just in case the Bobby and the dog analogy doesn't work for you). The Wired News Staff argues,
Sony may even have committed a crime under the U.S. Computer Fraud and Abuse Act, which can carry fines and prison terms for anyone who "knowingly causes the transmission of a program ... and as a result of such conduct, intentionally causes damage, without authorization, to a protected computer." Corrupting Windows so it misreports the contents of a hard drive sounds a lot like "damage," and the click-wrap license agreement on the Sony disk amounts to pretty thin "authorization" -- disclosing only that "this CD will automatically install a small proprietary software program ... intended to protect the audio files embodied on the CD."
No, simply no. "Intentionally cases damage?" Sony has a right to protect its material, and in doing so, has a legitimate concern to alter the DRM (Digital Rights Management) with its program. As Goldman points out, even if it didn't do a particulary good job of disclosing the rootkit, it DID disclose it. And the authorization is a bit thicker than Wired claims, as part of the full disclosure reads:
"this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT."
Ommiting "May also facilitate your use of the DIGITAL CONTENT"? BAD JOURNALIST. BAD! So how can a better system be created as far as allowing users to control their systems? After all, even if the disclosure is there, most consumers won't read it. Furthermore, if you do accidentally download it, the program has lots of neato features that keep it there long after you want it to be gone, and compromises the security of your computer. So Sony has issued a patch, and over the last couple of days different actions have been taken to mitigate the rootkit (one of which involves using a different rootkit, which Ed Felton rightly haranges).

Back to the law: What is the precedent for legal disclosure of invasive software? And what values are in play - are we dealing with the privacy of a consumer versus the ability of a company to protect intellectual property? Does the invasion involve a tresspassing-like violation (how much consent is needed), or in the case of an iPod, an economic concern (facilitating the use of digital content doesn't really disclose that the material may not be compatable with say, the digital audio player that controls roughly 80 percent of the market). Next post will be a breakdown of such issues.

Wednesday, November 02, 2005

News/Issue: Privacy- Good, Bad, and Ugly

There's been a lot of news lately about privacy- much of which is being bounced around the blog world from privacy advocacy group to privacy advocacy group. I'll try to give it a bit of a more moderate spin, and one that frames it in a legal context. But first, three news pieces:

1. In this weeks BusinessWeek, there is a story about an employee that used a Yahoo message board to post attacks against the company he worked for, including one that contained racial epithets to describe the company's diversity policy. In retaliation, the company used the courts to receive a subpoena to reveal the man's identity, and subsequently fired him from his position. Now, the former employee is suing, claiming the company wrongfully used the courts to unmask his identity. The privacy group Public Citizen is protecting him, there summary of the case can be found here.

2. The Delaware Supreme Court this week determined in John Doe v. Cahill that as far as blogs and chatrooms are concerned, defamation charges that require ISPs to reveal the names of anonymous individuals must meet a "summary judgment" standard as opposed to a "good faith" standard (the latter being the standard a lower court used). In this case the plaintiff used a screenname "Proud Citizen" to make potentially defamatory comments about Cahill, a public officer. The court found that given the ambiguous nature of the comments, and the context in which they were said, offered suitable grounds to dismiss the charge. Notably, Chief Justice Steele gives a fairly long account of why blogs and chatrooms ought to be considered opinion, not platforms of discourse that reasonable people accept as fact.

In the first case, privacy is used as both a means to attack a corporation's reputation, as well as to use racial slurs. Given that this speech was made on the person's own free time, in their own home, and without signing a terms and agreements document that would allow his anonymity to be taken away, it appears that Allegheny illegitimately wrested this information from the ISP.

So what's the problem? A lack of standards, or at least, applicable standards. In the second case, Steele was absolutely right in viewing the law in light of both the value and context of free speech on the internet. By doing so, he creates a very clear framework of how law should apply to the internet, and refuses to treat the internet like any of the spaces- home, street corner, town hall, ect. - that it is often compared to. A significant reason for Alleghany's lawsuit was to ensure that the person posting messages was not a 'high ranking employee'. And if it was? As long as a person is not using their anonymity to commit a crime (for example disclose proprietary information or make clear defamatory statements) then the values in the case need to be weighed- anonymity v. protection of reputation/security. Such a balance was never attempted in the Allegheny case.

3. There's been a lot of buzz about Sony and its use of a rootkit program in CDs. Princeton Professor Ed Felton has posted an excellent analysis of the issue on his blog, freedom to tinker. The folks at boing boing also seem particularly irate. So what's with all the rabble rabble?

Well, this one takes a little more time, so I get to it in the next post. Ciao