One thing website operators MUST do under new DMCA rule

My colleague Melissa Kern wrote an advisory about the copyright office's final rule regarding designating a DMCA agent. I thought it was important enough to repost (with permission) here.

Beginning December 1, 2016, the Copyright Office is rolling out its new online filing system for designating an agent to receive notices of copyright infringement. Website operators and other online service providers who store user content must submit new designated agent information electronically before the deadline to continue to take advantage of the Digital Millennium Copyright Act’s (DMCA’s) safe harbor from copyright infringement liability.

The new online filing system replaces the interim, paper-based system that had been used since the DMCA was first enacted in 1998. Under the old system, service providers could designate agents by sending in paper forms to the Copyright Office, which the Copyright Office then scanned and publicly posted in its directory of agents. Previous filings made under the old, paper-based system will continue to meet the DMCA’s requirements until they are phased out on December 31, 2017.

In connection with its new online filing system, the Copyright Office has issued its Final Rule relating to designating an agent with the Copyright Office. Highlights are as follows:

• Beginning December 1, 2016, the Copyright Office will no longer accept paper agent designations. All new filings must be made electronically using the online filing system.
  
• All service providers who have previously filed with the U.S. Copyright Office for DMCA safe-harbor protection under the old, paper-based system will have until December 31, 2017 to refile using the online filing system or lose the safe harbor protection. To do this, the service provider, or its designee, must establish an account that will be used to log into the system and register.
  
• The DMCA filings will expire every three years, so they will need to be renewed. The Copyright Office’s new system will send out email reminders.
  
• Filing fees are significantly lower ($6 per entity). There is no limit to the number of alternative names, URLs, service names, software names, and other commonly used names that can be listed on a service provider’s filing for this fee. All alternative names that the public would be likely to use to search for the service provider’s designated agent must be provided. However, separate legal entities must file separately and are not considered alternative names.
  
• The designated agent does not have to be a natural person. Service providers now have the option to designate a specific person (e.g., Jane Doe), specific position or title of an individual (e.g., Copyright Manager), a department within the service provider’s organization or within a third-party entity (e.g., Copyright Compliance Department), or the service provider or third-party entity generally (e.g., ACME Takedown Service).
  
• The designated agent’s physical mail address, telephone number and email address must be provided to the Copyright Office, and a designated agent may now provide a post office box to be displayed as its physical address. However, in a nod to technological obsolescence, a fax number is no longer required.
  

Melissa's original advisory can be found here.

Photo credit from Flikr.com.

How to Discuss Open WiFi

As reported in this article from C|NET, Cathy Paradiso, a technical recruiter who works out of her home near Pueblo, Colo., was recently threatened with having her internet access discontinued based on allegations of copyright infringement that ultimately proved unfounded. According to the article, Ms. Paradiso had an unsecured wireless network, and someone took advantage of her connection to download various television shows and movies.

Anyway, on its own, this isn't that big a deal. Certainly, it isn't that big a deal in the ongoing story of copyright infringement accusations and open WiFi (my thought is that this story about an Ohio county which had its free WiFi shut down over a copyright infringement complaint is much more noteworthy). However, something about the reporting on Ms. Paradiso's predicament rubbed me the wrong way. After noting that cutting off internet for someone who works from home is essentially the same as destroying that person's business, the article asked

is it right to penalize someone for not being tech-savvy enough to properly secure a wireless network?

To me, that's entirely the wrong question. Whether someone has open WiFi isn't just a matter of tech savvy. After all, even Bruce Schneier, who is probably the web's best known expert on computer security has advocated for open WiFi, saying that people who maintain open WiFi make the world a better place, by making a valuable resource more easily available to more people. While Mr. Schneier's analysis of the costs and benefits of leaving WiFi open might not convince everyone that open WiFi is the way to go, it certainly disproves the idea that leaving WiFi open is something that only the technically unsavy would do, and that policies should be built around the idea that leaving WiFi open is somehow a less legitimate choice than the alternative.

So, how would I like to have seen the article deal with the open WiFi issue? I think treating it as a real issue, with real policy consequences would have been a better way to go. For example, instead of assuming open WiFi is bad, it could have explained why the problems with open WiFi (e.g., making it harder to police copyright violations) outweigh the benefits (e.g., broader access to valuable resources). Or, in the alternative, it could have explained that open WiFi is valuable, and then discussed policies which would help foster it (for example, stripping ISPs who go after people with open WiFi of their protections under section 512 of the DMCA, under the theory that those providers are no longer acting as passive conduits, and so shouldn't be protected as if they were). Either way, it would have been a great deal more informative and interesting than simply treating open WiFi as something that happens only by mistake.

Code Does Not Trump Law

According to this article from C|NET, an Australian judge has propounded an original and counter intuitive theory - that technology, represented by computer code, is more powerful than the law. As he put it in his own words, "We are moving to a point in the world where more and more law will be expressed in its effective way, not in terms of statutes solidly enacted by the parliament...but in the technology itself--code."

Of course, I use the words "original" and "counter intuitive" in their ironic sense, to mean "not original" and "not counter intuitive." The basic thesis is at least as old as Lawrence Lessig's 1999 book Code and other Laws of Cyberspace. However, the point of this post is not to point out that the judge's ideas are unoriginal, it's to set forth why I think they're wrong. Basically, I think there are three problems with the judge's argument that code trumps privacy legislation.

First, the judge fails to recognize that there are many types of privacy concerns. The article asserts that search engines like Yahoo! and Google had rendered the concept of limited usage for personal information obsolete. Frankly, I'm not sure how anyone could support such a silly notion. Yahoo! and Google make it easier to find information about a person, but do nothing to release information which isn't already publicly available. Thus, you can use Google to find out that I was (at one point) a competitive chess player, but you can't use Google to find out how much I paid the last time I went to the hospital. The fact that the judge does not realize that would be more serious concerns raised by my hospital records being publicly accessible by Google than are raised by my blog being accessible by Google indicates that his ultimate conclusion that code trumps law shouldn't be taken seriously.

Second, the judge overlooks the fact that, historically, the force of the law has a relatively good record in trumping the capabilities of code. For example, at one point there was a file-sharing service called Napster which was (supposedly) going to tear down the antiquated structure of intellectual property laws (for an example of the heady predictions related to Napster, see here). Of course, that didn't happen. What did happen is that Napster was sued out of existence based on violations of the intellectual property laws. For an even better example, consider the digital millennium copyright act, which has eliminated entire categories of consumer products (see this article for examples), which, if "code" actually trumped law, would be freely available. Now, by using these examples, I am not trying to make a normative argument that law should trump code, or that the world is better off because Napster (in its original incarnation) is gone and the DMCA is the law of the land. However, I think this examples make very clear that "code trumps law" is a conclusion which is simply not supported by the history of conflicts between the two.

Finally, the judge seems oblivious to the fact that "code" (or technology more generally) doesn't have the power to enforce social norms without the support of the law. For example, a search engine which is written in a manner that collects no personal information could only enhance privacy if: 1) people could trust its claims of gathering no personal information, which requires truth in advertising laws; and, 2) people could be sure it wouldn't unilaterally change its policies after they had relied on its guarantees of privacy, which requires the law to enforce its agreements. To me, the failure to understand that it is law which allows code to act as an alternate enforcer of social norms further undermines the judge's credibility, and his ultimate point that code trumps law.

Actually, the last of the three points is what bothers me most about the "code trumps law" argument. If you really think that "code" (or technology) trumps law, and that "code" can, ultimately be used to enforce social norms, there's no real need to fight for appropriate legal change. The result, of course, is that there won't be any legal change, and "code" will eventually trump law simply because the "law" side of the equation is ignored. As someone who cares about privacy protections, that seems to me to be an outcome which should be avoided, but that can only happen if people realize that the law is vital to protecting individual rights.

EU Court Protects Privacy Against Record Companies

According to this story from Wired.com, the top court in the European Union has ruled that telecommunications companies cannot be forced to divulge names and addresses of individuals suspected of distributing copyrighted movies and music over peer to peer networks. The court did state that individual countries could draft national laws to change that, but cautioned that any such laws would have to take into account individual privacy, as both property and privacy are "fundamental rights."

Given that this is taking place in Europe, it won't have much effect on privacy rights in this country, or on the music industry's continuing crusade against peer to peer networks in the U.S. However, it can provide a useful point of comparison between the treatment of privacy in the E.U., and the treatment of privacy in the U.S. For example, in the U.S., privacy protections aren't balanced against the interests of copyright holders - they're used as a pretext to advance the interests of copyright holders when it isn't politically expedient to advance the interests of copyright holders directly (see, e.g., here. As someone who generally supports greater individual privacy, I would like this to change, though I'm not optimistic that, in this country, it ever will.

DRM: a Threat to Privacy

Via Michael Geist by way of BoingBoing we learn that The University of Ottawa's Canadian Internet Policy and Public Interest Clinic has released a report concluding that DRM pose a significant threat to privacy. From the executive summary:

• Fundamental privacy-based criticisms of DRM are well-founded: we observed
tracking of usage habits, surfing habits, and technical data.
• Privacy invasive behaviour emerged in surprising places. For example, we
observed e-book software profiling individuals. We unexpectedly encountered
DoubleClick – an online marketing firm – in a library digital audio book.
• Many organizations take the position that IP addresses do not constitute
“personal information” under PIPEDA [Personal Information Protection and
Electronic Documents Act] and therefore can be collected, used
and disclosed at will. This interpretation is contrary to Privacy Commissioner
findings. IP addresses are collected by a variety of DRM tools, including
tracking technologies such as cookies and pixel tags (also known as web
bugs, clear gifs, and web beacons).
• Companies using DRM to deliver content often do not adequately document
in their privacy policies the DRM-related collection, use and disclosure of
personal information. This is particularly so where the DRM originates with a
third party supplier.
• Companies using DRM often fail to comply with basic requirements of
PIPEDA.

This, sadly, should not be a surprise. Copyright organizations have shown themselves to be actively hostile to concerns about information security and data privacy (see, e.g., the discussion of concerns related to watermarking here, or Sony's now infamous fondness for installing rootkits). Indeed, the only time when copyright and information security are (supposedly) aligned is when copyright is trying to piggyback on security concerns to achieve its own ends (e.g., the destruction of P2P networks, as described here).

The happy news though, is that the study came out in the first place. It is possible that this examination of the impact of DRM on privacy could be a reflection of some sort of backlash against the copyright industry's current tactics - something that, if supported by legislation, could result in significant benefits for privacy and security of individual data.

Watermarking: Threat to Privacy?

Recently, a mini-firestorm has erupted over the possibility that the recording industry will add watermarks to music files (e.g., articles here, here, and here). The idea behind the watermarks is that they will allow copyright holders to see where files on peer to peer networks came from and file lawsuits accordingly. Whether such tracking would actually allow the RIAA to file suits without being embarassed (e.g., as described in this article, which eventually led to a charge of malicious prosecution) is an open question. However, what I would like to address is not whether the watermarks will help in prosecution of copyright infringers, but what they will do for individual privacy. In a wired.com article on the subject, Evan Hill, CTO of Activated Content, a company that provides watermarking solutions to Universal, Sony/BMG and other labels is quoted as calling watermarks which uniquely identify each file purchased by each user a "privacy nightmare." While there are certainly concerns about watermarking, I don't think those concerns are really that significant. The reason for this is that problems with watermarking are really only a symptom of a larger issue: users being forced to sacrifice their privacy in order to participate in the modern economy. I've blogged previously (see post here) about the threat posed to privacy by the routine enforcement of clickwrap licenses where service providers can basically dictate terms because users either don't or can't understand what they're agreeing to. Similarly, in the case of music distribution, service providers (i.e., record companies) can basically dictate terms to users, because people won't bother to read the licenses provided with the songs and, even if they did, they wouldn't have any choice about accepting them because the record labels have government enforced copyrights (assuming the consumers care about buying licensed copies of the songs, of course). In both cases though, the problem isn't the watermarks (or the clickwraps) it's the economy, and the legal system which allows those tools to be used in ways that strip users of their privacy.

Priorities

Recently, at a hearing on P2P networks, Henry Waxman stated that he was considering laws aimed at the problem of inadvertent leaking of classified information (described here and here). Apparently, sensitive documents have been making their way onto P2P networks such as those accessed via Limewire or Kazaa. While this is obviously a problem, the solution proposed by Waxman - regulating the networks - is insane. I could access that sensitive data through my computer, and, in getting to my computer, that sensitive data would travel through a DSL line. However, Mr. Waxman isn't proposing that computer makers or telcos take responsibility for making sure that people can't access sensitive documents. The reason is obvious: telcos and computer makers can't be responsible for the actions of end users, because there is no effective way for them to control end users without effectively shutting down. P2P networks are no different. Looking at his comments charitably, it seems that Mr. Waxman simply doesn't understand the consequences of putting responsibility for the acts of consumers on the providers of P2P software.

Of course, it is also possible to look at Mr. Waxman's comments in a less charitable light. Currently, the federal government is scrambling to meet a White House directive on securing personal data (details can be found here) and it seems that there is an almost continuous stream of incidents of lost data involving government employees (e.g., the theft of a laptop containing records for 26.5 million veterans, described here), so attacking an easy target, such as P2P networks, could serve an instrumental purpose for Waxman of making it appear that he is doing something about information security. Further, by attacking P2P networks as a threat to national security, Waxman is undoubtedly pleasing the powerful recording industry, which has been seeking to destroy P2P technology ever since Napster. In this regard, it is telling that Waxman said that he would seek to achieve a balance between "sensitive government, personal and corporate information and copyright laws" (emphasis added). Given that protecting copyrights, while a valid concern, is an entirely different type of objective than protecting the physical well-being of Americans by improving national security, the inclusion of copyright law on that list seems strange. However, if the primary motivation to regulate P2P networks is to benefit copyright holders, then the list provided by Mr. Waxman makes perfect sense, with the national security concerns acting as window dressing for the desire to shut down P2P networks on behalf of copyright holders.

In any case, I think it is extremely unlikely that regulating P2P networks is a viable solution to the Federal Government's information security problems. Even if P2P networks were banned entirely, that would do nothing to stop people from stealing data, or from losing the media on which data are stored. However, when faced with a decision as to whether to spend time exercising oversight on HR or training policies which might increase information security, and blasting the enemies of the RIAA, it is clear where Congress' priorities lie. Disappointing, but not at all a surprise.

So Far, No Copyright Liability for Lax Network Security

The RIAA is currently in a battle which could have major implications for individuals or organizations which have security practices which allow others to use their equipment to download and distribute copyrighted material. As part of its ongoing campaign to scare people away from filesharing networks by suing individual consumers, the RIAA has asserted that a computer owner is guilty of indirect copyright infringement based on unauthorized downloading of songs by individuals using that person's computer. At present, the RIAA has been unsuccessful with this tactic, and is currently seeking reconsideration of a District Court's decision to award attorney fees to the accused computer owner (the award of attorney's fees is available here). However, if the RIAA continues to press this type of case, and is able to achieve success, it opens up an additional type of liability for people to be concerned with.

More information and related links are available at this blog post from wired.com.

To all U.S. copyright infringers: if you thought the RIAA was tough, you should see what they do to infringers in Russia.
Apparently, Russia has been mounting a high provile crackdown on intellectual property infringers as part of a bid to gain entrance to the WTO. During the crackdown, a school teacher, Alexander Ponosov, has been caught using pirated software in his classroom. Now, Ponosov faces punishments including...wait for it...detention in a Siberian prison camp.

CNN has the details here. Of course, it's still an open question whether Ponosov will be shipped to Siberia. However, in my mind at least, this story raises questions about the measures some people (at the behest of U.S. copyright ownerss) will take to protect intellectual property. While copyright infringement is a problem, detention in a Siberian prison camp for a school teacher using software he likely didn't know was pirated should not be considered an acceptable solution.