In my last post, I discussed the how CNET, Slashdot and others were wrongly asserting that two federal agencies recently told Congress that piracy-prone file-sharing programs pose no unusual risks to agencies or consumers. In the case of OMB, this missed the real story: OMB itself already requires agencies to take special educational and security measures to manage the risks posed by file-sharing programs.

In the case of the Federal Trade Commission (FTC), the real story is far worse. Here is CNET’s report on the FTC’s testimony to Congress about the risks associated with file-sharing programs: “[A] Federal Trade Commission official told politicians that it has found any risks are largely rooted in how individuals use [file-sharing programs].” But this report tells only half of the story. The headline of a more complete report might have read, “FTC Warns That Distributors of File-Sharing Programs May Have Mislead the FTC and the Public.”

During a July 2007 hearing on inadvertent sharing, an FTC official did testify that a preliminary inquiry that the FTC had conducted in 2004 had suggested that risks of file sharing were largely rooted in how individuals use file-sharing programs. But she then testified that the FTC’s view of this matter had changed:

“It is certainly true that P2P technology causes these substantial risks about sensitive data getting out.… [T]he PTO report raises some very difficult, serious questions about the design of the technology which has not been previously brought to our attention, and we are looking at it very closely to see whether further FTC involvement in this area is appropriate.”

Why had the FTC's views changed? Simply put, the FTC had received new data indicating that many distributors of popular file-sharing programs had compromised the integrity of the FTC’s 2004 inquiry into inadvertent sharing by making grossly inaccurate claims about the design of their programs.

Here is what happened. In 2004, members of Congress warned the FTC that a now-classic computer-science study, Usability and Privacy: A Study of KaZaA Peer-to-Peer File Sharing, and two congressional hearings had identified two “features” in file-sharing programs that could cause users to inadvertently share not only infringing files, but also their own personal files. To provide some quick feedback on these concerns, the FTC first tried to determine whether these dangerous features were still being deployed in 2004. To do this quickly, its staff downloaded various disclosures, FAQs, and user guides from the websites of the distributors of ten popular file-sharing programs and reviewed them for “facially deceptive” representations.

This was a potentially reasonable first step, but one that could accurately access the then-current risk of inadvertent sharing only if the website disclosures reviewed accurately described how the programs themselves behaved. But if they did not, (for example, if they concealed continuing use of “features” long known to be dangerous), then a review of those disclosures would suggest that the risk of inadvertent sharing had decreased—even if it had actually increased.

After reviewing these website disclosures, the FTC cited Usability and Privacy and reported to Congress that these disclosures indicated that distributors had improved the design of their programs and that, as a result, “the risk of inadvertent sharing appears to have decreased…”

No doubt this conclusion could be reasonably drawn from the disclosures that the FTC had reviewed. But the design of the programs themselves would have suggested a different conclusion. For example, in 2002, the program LimeWire contained neither of the dangerous “features” that Usability and Privacy had condemned. By mid-2004, LimeWire contained equally or more aggressive versions of both of those “features.” Indeed, by August of 2004, LimeWire itself was citing one of these two features to explain why users of its program were inadvertently sharing classified military data. In short, from 2002 to 2004, the risk of inadvertently sharing files in LimeWire had increased, even though the FTC’s review of LimeWire’s 2004 website disclosures suggested that such risks “appear to have decreased.”

The FTC then followed up on its initial review of website disclosures by meeting with distributors and holding a workshop in which distributors testified at length—and in the strongest terms—that they had remediated the problem of inadvertent sharing.

Many distributors reported to the FTC and the public that the distributors of LimeWire, BearShare, eDonkey, Morpheus, Blubster, and Grokster had responded to Usability and the subsequent congressional hearings by creating a self-regulatory Code of Conduct that would prevent inadvertent sharing. On its face, this Code certainly does appear to preclude any use of features that would tend to cause inadvertent sharing—including those condemned in Usability and Privacy.

Many of those same distributors reported that their steadfast compliance with this wonderful Code had renderred any further concern about inadvertent sharing a mere “urban myth”: “As [we] testified before Sen. Smith last June, these allegations are among the most egregiously false claims about [our] software. They appear, however, to have the inexplicable staying power of “an urban myth, no more accurate—though easily as persistent—as reports of alligators in New York’s storm drains.” One could certainly understand why representations like these would have led the FTC to conclude that the problem of inadvertent sharing had been redressed.

But then, in 2007, the United States Patent & Trademark Office released the report on inadvertent sharing noted in the FTC’s recent testimony. That report provided “new information” because it examined—not disclosures on websites—but the programs themselves. It concluded that while distributors were telling the FTC and the public that inadvertent sharing had become a baseless “urban myth,” many were deploying up to five different “features” that had a known or obvious tendency to cause inadvertent sharing—including more aggressive versions of same “features” condemned in Usability and Privacy.

Representations about a file-sharing program’s propensity to cause inadvertent sharing of infringing or sensitive files bear directly on the safety of the program to users—many of whom are teenage or preteen children. Because representations concerning “the safety of [a] product,” are “of great significance to consumers,” the FTC has always “required scrupulous accuracy… for obvious reasons.” FTC Policy Statement on Deception, 103 F.T.C. 110, 172 n.7 (Oct. 14, 1983).

Now that the FTC has renewed its investigation of inadvertent sharing, it is difficult to imagine how the representations made to the FTC and the public in 2004 and early 2005 could be found to have satisfied this standard of “scrupulous accuracy.” If the Code that distributors were touting permitted use of “features” that were known to cause catastrophic inadvertent sharing, then it would seem deceptive to claim that this Code made inadvertent sharing “an urban myth.” If that Code prohibited use of such features, then distributors deploying them were violating that self-imposed standards of conduct that they claimed to be observing. That also seems deceptive.

Moreover, the FTC now possesses not only the information provided by the USPTO report, but also the information provided by the Grokster case. In 2004, the FTC could conclude that its review of website disclosures indicated that a program like Morpheus was a “neutral consumer technology.” Subsequently, in Grokster, all nine Justices of the United States Supreme Court disagreed: They examined a more complete record and found, “clear,” replete,” “overwhelming” and “unmistakable” evidence that the distributors of Morpheus intended to induce, (i.e., encourage or trick), users of their program into infringing copyrights. On remand, the Grokster district court found that no reasonable person could disagree, citing internal documents in which the distributors of Morpheus bragged that their piracy-based business model gave them “no product costs to acquire music” and “the ability to get all the music.”

In short, the federal courts have now found that Morpheus was not a “neutral consumer technology.” It was a technology designed and intended to facilitate massive, for-profit copyright piracy by inducing consumers and children to break the law.

Indeed, most of the program distributors who had “worked with” the FTC in 2004 have now met similar fates. Courts held the distributors of two programs, (KaZaA and Morpheus), liable for inducing or authorizing infringement. Distributors of three programs, (Grokster, eDonkey, and BearShare), quickly settled inducement claims. An inducement claim against the distributor of a sixth program, (LimeWire), is proceeding. Consequently, the FTC now has every reason to suspect that the distributors of these or functionally similar programs would have strong disincentives to do anything that might effectively deter either the deliberate or inadvertent sharing of the infringing files that would give those distributors “no product costs to acquire music” (and movies) and “the ability to get all the music” (and movies).

Omissions and misrepresentations may have sufficed to mislead the FTC's investigation back in 2004. It would be premature to assume that they will do so again. As an old saying puts it:

“Fool me once, shame on you. Fool me twice….”

posted by Thomas Sydnor @ 11:54 AM | Enforcement & Remedies, Free Culture Movement, Internet: P2P, Search Engines..., Privacy and Security

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment(0)