Moderator: Jennifer Stisa Granick, Stanford Law SchoolCenter for Internet and Society
Quick overview of 1201 and 1202: primary prohibitions in1201, with specific statutory exceptions and an exemption procedure donethrough triennial rulemaking. Prohibitions: acts of circumvention andtrafficking in circumvention tools or services. Acts prohibition bans circumvention of measures that control access to acopyrighted work, but no prohibition on circumventing copy controls. TPMs = another term, technological protectionmeasures. Trafficking covers both accesscontrol and copy control. Exceptionsrecognized that legitimate activities could be affected.
Tyler Ochoa, Santa Clara University School of Law: 1202,protection of copyright management information (CMI). The idea was to encouragereluctant content providers to put their content online; foreseeing that whenyou have digital information, it can carry additional information aboutcopyright owner/permissions/licenses/etc. Idea was that this information would travel with the work, and contentproviders wanted to ensure that it was preserved/not altered. 1202(a): False information: Notice the dualintent requirement: you have to know the info is false and you have to have theintent to induce, facilitate, or conceal infringement. 1202(b) deals with intentionally removinginformation or importing CMI knowing it’s been removed or altered (which seemsweird, and explains why we never see (b)(2) cases), and with distributing worksknowing CMI has been removed or altered, with the same dual intent requirement—youhave to have the intent to induce, facilitate, or conceal infringement. The intent requirement has proved mostimportant in litigation.
Definition of CMI: information “in connection with”copies/phonorecords/performances/displays—this has turned out to be contentiousin litigation too. Exceptions exist forbroadcasts, since broadcasters apparently had the clout to get it. However, usage information (privacy-related)isn’t considered CMI.
Litigation issues: (1) is CMI limited to info in digitalform, since that was the basic idea? A couple of district courts initiallylooked at intent/history. But courtshave come around to the view that digital isn’t the exclusive protected CMI.
(2) What is the nature of intent required? Companyerroneously thought it had permission to use a work; testified that it wouldn’thave used the work had it known it wasn’t cleared. Court found no relevantintent, though did say in dicta that vicarious liability for violations of1202.
(3) Intentional and inadvertent stripping of metadata. (Tumblr, are you listening?) Many basic toolsautomatically strip metadata, including when you resize a photo—happens onFacebook, Pinterest, Google Docs, Flickr—unless you change the defaults, themetadata is stripped out. Example: Gettylicensed a bunch of stock photo images to Googledocs, and the processingstripped the metadata. Photographerswere understandably upset. But again,you have an intent problem.
(4) What is “removing” CMI? What if you just copy something without copying the copyrightnotice? Is that removal? If a notice is at the beginning of a book andyou copy a photo in the middle of the book? If the copyright notice is on a different part of the website, or if it’snext to a photo and you copy only the photo, is that part of the CMI?
Ed Felten, Princeton University Center for InformationTechnology Policy
Many of us in security research were alarmed when the DMCAwas proposed and wrote to Congress—our past research had led to good thingslike the internet. But we were unsuccessful; a provision in the statute wassupposedly believed to help us, but never covered any research I’ve everconsidered doing. Research on TPMs has been devastated by 1201, and I and manyothers don’t work in the field because of what happened when some tried.
One story is well known, the other not but more disturbingin many respects. The first story is research I did on CD copy tech at theinvitation of the music industry. Wewere open about our research, but received legal threats to conferenceorganizers, the venue, etc. We ultimately succeed after 6 months of delay, onecollaborator having to change jobs, another having to take his name off of whathe considered one of his major works. That happened because someone didn’t likeour results and had the ability to harass us with 1201.
Research with Alec Halderman: a major record company wasshipping CDs that installed spyware. We knew this, but felt we had to consultcounsel before alerting the public. Because we’d have to admit that we’dengaged in acts of research. Meanwhile, more and more copies of the spywarewere being installed on people’s computers. This was what disturbed me most: Ihad to sit on my hands while I knew about that. As it turned out, someone lessrisk-savvy discovered the issue and published, and then the floodgates wereopened. This allowed us to get a triennial exemption, which is very difficult;we no longer ask for exemptions, since we’re resigned to not doing research inthese areas. That’s to the detriment not only of the computing communitybroadly, and many people who advocated for anticircumvention in the firstplace. It would be possible to write a better research exemption, but we don’thave it. Until that changes we’re stuck and won’t see research in this arearesume.
Granick: what would such an exemption need to give you whatyou need?
Felten: would have to apply to legit computing researchgenerally, not just encryption, which is the least interesting/challengingaspect of TPMs from a research standpoint. There’s nothing special about TPM encrpytion; if we wanted to researchencryption we would. We need to be able to disseminate our results openly, aswe do in other areas. There is currently an exemption meant to coverdissemination, but written in a way that’s uninformed about research communitypractices—allows me to share tools with my collaborators—person who is workingon the project with me. But if someone just wants to understand what I did, orwants to use it for another project,which is the most common thing, then that’s not covered. Most researchers don’teven know about the exception. Written without understanding of the researchprocess. Needs to be broad and needs to focus on legitimate research.
Corynne McSherry, Electronic Frontier Foundation
Impact of 1201 on fair use, innovation and competition. Notconvinced that all these consequences were unintended. Updated version of EFF whitepaper available; here are some highlights.
DMCA’s interaction with DVDs set the path. There are a lotof reasons people want to interact with DVDs in unapproved ways—remix, backup,skip commercials. To be clear, the encryption was broken right away. Followed with lawsuits to shut them down inall kinds of ways. RealNetworks RealDVD wasshut down despite using TPMs to prevent uncontrolled copying; it was enabling normal, personal use. What wasn’t taken out of circulation: thecircumvention tools like MactheRipper, Handbrake, and other easily availabletools. DMCA didn’t stop the tools and didn’t stop people from using them, justcreated a legal threat over everyone’s head. Essentially have given Hollywood a veto on innovation. As a practicalmatter, if you want to innovate in DVD or Blu-Ray, you need a license fromcontent owners—and from competitors! You have to get them to agree that yourtech is acceptable; shouldn’t give a small group a veto on innovation.
Videogames: Sony sued people for putting Linux on PS3.Blizzard sued volunteer hobbyists for providing World of Warcraft alternativeservice. These are people who bought thegame, used the game, wanted to adapt it for their own purposes.
At least those have some tenuous relationship to copyright,but of course there’s a whole series of cases just about stifling competition:garage door openers, printer cartridge refills. Those people won, but only after long, expensive fights. What we’realready seeing: software built into all kinds of devices. That software comeswith digital locks, and if you want to repair those devices or interact withthem, they may have to break those locks, so we’ll keep seeing these cases.Also worried about all the innovation we won’t see because people are afraid,just as security researchers are afraid.
Cellphones: very clear that DMCA threat was about businessmodel, not copyright. Unlocking/jailbreaking has nothing to do with protectingcopyright in the OS on the phone—locking you into a particular carrier or appstore. DMCA exemption that used to existfor unlocking no longer exists, and that got lots of people concerned. Hopingto use that interest to look beyond cellphone unlocking and think about 1201and innovation more broadly.
Granick: in 2006, I applied for an unlocking exemptionallowing people to switch networks. Was granted; no one was more surprised thanI was. In 2009, it was renewed with additional exemption for jailbreaking. In2012, a number of entities applied for unlocking but it wasn’t granted andtherefore expired, prompting public outrage and a petition to the White House withover 100,000 signatures. White House responded by endorsing unlocking, as didthe FCC. That has led to congressionalattention, with at least 3 proposed bills. Heranalysis is in this blog post. How do panelists think about this?
Felten: symptom of larger problems, and of failure ofexemption to provide actual safe harbor for nonfringing uses that are likely tobe affected. In practice, the Copyright Office holds you to a much moredifficult and higher standard, and this is just an example.
McSherry: would dump 1201 in its entirety—prohibition isincredibly broad, with tiny bits and pieces bitten out; legislation should haveinstead been more tailored in the first place. It can’t stop with cellphoneunlocking, a symptom of a broader problem. It would be a shame to stop there;we need hearings on 1201 in general. It’sexciting that folks are paying attention, and it would be a great idea to fixunlocking. Short of repeal, clearer and broader built-in exemptions that youdon’t have to go in and ask for would be a good idea and wouldn’t violate ourexisting trade relations.
Some have expressed concern that we adopted 1201 for treatyobligation reasons, and since then we’ve made additional free trade agreements withanticircumvention provisions. Anyone in Congress should feel uncomfortable thatthe US Trade Representative asserts that the USTR is the boss of Congress. Ourflexibility to adapt over time is at issue; these agreements are negotiated insecret/without public participation. The more targeted issue: some of the relevantagreements include provisions for renegotiation of specific exceptions andlimitations; we aren’t prevented from enacting new legislation/reforming ourlegislation. If we are, theexecutive/legislative relationship needs to be revisited.
Ochoa: Article 11 of WIPO Copyright Treaty says we needadequate legal protection and effective legal remedies against circumventionfor uses that are unauthorized/not permitted by law. That’s a very generalprovision that has been interpreted in lots of ways by different countries. InEurope, they say that if there’s an exception, the manufacturers have toprovide a key so that you can use the exception. We could do lots and still comply.
Also, independently, we violate our treaties all the time. Art. 6bis of Berne requires us to protect moral rights; we don’t; wehaven’t changed. We were the firstcountry held in violation of the copyright andthe TM provisions of TRIPS, and we haven’t changed. Why we’re worrying about this treaty strikes him as bizarre.
Q: First Amendment arguments about security research?
Felten: thinks it should be, but isn’t willing to risk hishouse.
McSherry: arguments have been made, but not successfulyet. SCt says that fair use andidea/expression are the only limits on copyright from the First Amendment.
Ochoa: No content owners on the panel. If we want to revise this: it’s getting hardto tell the difference between legit research and people who just want to crackthings as a hobby or to provide circumvention tools. It’s easy to say Felten isa professor at Princeton—but how do you draw a line? Same problem comes up with “freedom of thepress”—is every blogger a journalist? He’snot necessarily sympathetic to hard and fast lines. Paul Goldstein sayscopyright laws are driven by fear and greed. Copyright owners fear that all sorts of people will claim research.
McSherry: you can tell the difference between peoplecircumventing to infringe—they’re the ones who don’t care about the DMCA.
Granick: we shouldn’t treat people differently based onstatus for First Amendment purposes: we don’t treat hobbyists differently fromprofessors. It’s not about the speaker or the tastefulness of the speech.Regulation of acts is different, butdistribution of information needs to be allowed.
McSherry: tools become words/code as speech. The statute iswritten as if black boxes will do all the work, but it’s information.
Felten: shouldn’t use formal credentials to decide who’s aresearcher; some of the best are just out there discovering things. You canfind out whether someone is a researcher by looking at what they’re doing: arethey disseminating information useful for increasing knowledge or disseminatingtools designed for circumvention. The linedrawing argument is used againstcredentialed researchers; the first time he got in trouble it was for a peerreviewed paper, and the second time it was to investigate the strange thingshappening on people’s computers. The current distinction isn’t working, and thereason researchers got threatened is that people were afraid we woulddisseminate inconvenient knowledge.
Ochoa: the problem is that the law-abiding people are theones who are being chilled, and the lawbreakers are ignoring it. That makes itineffective. But what was DeCSS?
Felten: First, the work by Frank Stevenson to reverseengineer the algorithm and talk about how it worked were very clearly research.DeCSS is code; it’s the most effective way of describing how the algorithmworks. Code is how researchers talk to each other. DeCSS in itself is not aneffective means of circumvention; you need a lot of facility to make it work.DeCSS-like things have been used to make circumvention technology, but it isn’titself one.
Ochoa: but that means that lots of people don’t decryptthings if DeCSS is hard to use. Lots of peoplecan’t take advantage of the widely available tools. (This is a mistake of fact—ifDeCSS were the only widely circulated tool, then he’d be right, butDVDDecrypter is the widely circulated tool.)
Felten: except that there are tools that are packaged foreasy use. You can buy them easily. (See also: VLC.) It’s security research—the stuffthat operates on DeCSS—that is affected.
McSherry: remember garage door openers—there are many toolsaffected here.
Q: Unenforceability as an argument: but many people won’ttrust something unless it comes from a respectable, reliable source since sometools circulating on the internet might be bad for your computer. You can’tenforce the law against the competent, but can prevent the mass marketviolation.
McSherry: The only thing that slows the tide is providingpeople with good, lawful, easy, better alternatives. (Remember, even the incompetent can usebittorrent, where they don’t even have to download DVDDecrypter!) This just drives people underground. What’sthe cost benefit analysis? Is thespeedbump worth all the negative effects and collateral damage that comes alongwith it?
Granick: other indicators of reliability exist, like open source status, reviews, recommendations, number of downloads—unsophisticatedusers don’t even know how spyware gets on their computers.
Ochoa: this is what proponents thought would happen. Movieindustry thought CSS would be broken eventually (though not in 4 hours).Thought it would keep tools from being widely available. But that failed. Whatworked is making content lawfully available.
Felten: if the industry did due diligence it would haveknown that a teenager could break it in 4 hours. They did hire people who knew better. This ideathat you can keep infringing works out of the hands of people is demonstrablynot working. The plan to force people to comply with copyright by preventingthem from having access to tools hasn’t worked (or ripped copies). The onlything that works is providing something they’re happy to pay for.
View the Original article
No comments:
Post a Comment