In its 2005 decision in MGM Studios, Inc. v. Grokster, Ltd., the Supreme Court unanimously found "overwhelming" and "unmistakable" evidence that the distributors of two piracy-prone file-sharing programs intended to induce users of their programs to infringe copyrights. But Grokster did not do something that the Court had been widely expected to do: It did not clarify the meaning of the notoriously vague capacity-for-substantial/commercially-significant-use test adopted by Court's 5-4 decision in Sony Corp. of Am. v. Universal City Studios, Inc.. Indeed, in Grokster, the meaning of the Sony test was discussed only in clashing concurring opinions authored by Justices Ginsburg and Breyer. Justice Ginsburg's concurrence interpreted Sony's safe harbor rather narrowly; Justice Breyer's concurrence interpreted it very broadly.

In the aftermath of Grokster, I have been researching and writing about a problem that can be called "inadvertent file-sharing." It occurs whenever users of piracy-prone file-sharing programs end up "sharing" files that they did not intend to make available to thousands of strangers. Inadvertent sharing tends to make the news when reporters find users sharing highly sensitive personal or work-related documents.

But inadvertent sharing also routinely causes users to unwittingly share infringing files. Anyone inadvertently sharing personal files is also usually sharing their entire music collection, and users often inadvertently share only infringing files--one user might mistakenly think that "My Music" is a good folder for storing downloaded files, another just might not realize that downloaded files are "shared" by default, etc. Examples of my work on inadvertent sharing can be found in this USPTO report, in this congressional hearing, and in this follow-up report about a file-sharing program called LimeWire.

It has been suggested to me that documenting the problem of inadvertent file-sharing may not be that material to copyright law and policy generally. But an article in yesterday's Washington Post illustrates why I think that it may be useful.

This article reports that the latest person to have his sensitive personal data inadvertently shared by a LimeWire user was Supreme Court Justice Steven Breyer--author of the Grokster concurrence that would have interpreted Sony so broadly that it could "harbor" even the distributors of piracy-prone file-sharing programs like Grokster, Morpheus, and, well, LimeWire.

I regret to note that some commenters on this article treated this incident as if it were an somewhat-funny inconvenience. It isn't: For reasons that I explain below, inadvertent sharing can have financially devastating or deadly consequences, particularly if it affects a major U.S. official. For that reason, it is particularly important to understand whether the many incidents like this one many have been predictable side effects of a technology used mostly for illegal purposes.

In Grokster, Justice Breyer found that absent evidence of inducement, even the most piracy-ridden file-sharing programs would pass his interpretation of the Sony test. See 545 U.S. at 952 ("Grokster passes Sony's test"). For example, evidence in Grokster showed that 97% of the files that Grokster and Morpheus users actually selected for downloading were, or were highly likely to be, infringing. See 454 F. Supp. 2d at 985. Nevertheless, Justice Breyer found that these programs should pass the Sony test because, someday, their users might download infringing files only 90% of the time. 545 U.S. at 953-54.

And it is important to note that Justice Breyer did not find that, someday, 10% of the users of these programs would use them exclusively for non-infringing purposes. Rather, he found that Sony would harbor the distributors of file-sharing programs even if all users of their programs almost always uses them to infringe, so long as some users also make some incidental lawful uses, (currently perhaps has high as 3%), that could eventually rise to 10%. It is difficult to imagine that any real-world technology could actually fail to satisfy this standard, were it fairly applied.

In Sony, the Court said that its new test would have to "strike a balance between a copyright holder's legitimate demand for effective--not merely symbolic--protection... and the rights of others freely to engage in substantially unrelated areas of commerce." In Grokster, Justice Breyer concluded that this balance would be stuck by an interpretation of Sony that would deny copyright holders the ability to control areas of commerce 97% related to copyright infringement. To do so, Justice Breyer conducted a three-part analysis that culminated with a cost-benefit analysis in which he proposed that when assessing a technology like LimeWire, we should balance its costs--to copyright owners--against its benefits. 545 U.S. at 960.

Unfortunately, LimeWire's repeated failure to redress the long-known problem of inadvertent sharing has now exposed Justice Breyer, his family and many, many others to the real-world consequences of some omissions in Justice Breyer's cost-benefit analysis.

Justice Breyer's analysis recognized that technologies that are used almost exclusively for infringing purposes can impose profound costs upon copyright owners. But it failed to recognize that copyright owners will not suffer alone. Technologies that are used primarily for illegal purposes will tend to impose many social costs upon both their users and even innocent third parties, like Justice Breyer and his family.

For example, Justice Breyer may be wondering why it would even be possible for a file-sharing program like LimeWire to "share" files containing his financial data. After all, no reasonable person would deliberately "share" such files over the Gnutella network, and the CEO of LimeWire testified last summer that the only two "major use[s]" of his program were the sharing of music and movies. So why would a default installation of LimeWire share any other types of files?

LimeWire itself can answer that claim, but one explanation suggests itself: LimeWire probably shares financial data by default because distributors of file-sharing programs were hoping that judges might broadly interpret Sony: Groups like the Electronic Frontier Foundation counseled distributors that their file-sharing programs should share all types of files by default in order to buttress their theoretical "capacity" for non-infringing use. Consequently, LimeWire probably shared Justice Breyer's financial data by default so that judges broadly interpreting Sony could find that LimeWire also had a theoretical capacity to distribute files from the Prelinger Archive, even though it is almost never actually used to do that. See 545 U.S. at 954. Unfortunately, the resulting disconnect between what the program can do and what users expect it to do makes it much easier for users to make mistakes that impose severe costs upon themselves and others.

Justice Breyer may also be wondering why businesses do not adopt the very simple network-management techniques, like port-blocking, that would ordinarily let them prevent any use of of a file-sharing program on their corporate networks. Unfortunately, they cannot: Because programs like LimeWire are actually used for unlawful purposes almost all of the time, every reasonable business would block their use were it easy to do so. Perhaps not coincidentally, distributors of programs like LimeWire thus adopted techniques like port-hopping and tunneling that make it difficult and expensive to exclude their programs from a given network. In short, these programs are designed to go where they are not wanted. This imposes even more costs--not upon users of the program--but upon third parties who definitely DO NOT want to use the program. And like all the other costs discussed here, these costs appear to be mere side-effects of the high levels of illegal use prevailing today among actual users of programs like LimeWire.

Some research on inadvertent sharing might also lead Justice Breyer to ask another question: Why should inadvertent sharing still be a problem in 2008? Weren't the major causes of this problem identified long ago? They were, and that illustrates another cost that has just been inflicted upon upon Justice Breyer and many others--one that may have been best explained by the FBI back in 2003: When almost every consumer using a product uses it for illegal purposes most of the time, all our normal mechanisms for protecting consumers break down.

For example, consider what happened when a program briefly included on some lawfully-purchased audio CDs--the so-called "rootkit" DRM--was found to create a computer-security vulnerability. The vulnerability was quickly discovered, publicized, and within months, distribution of the problematic program was halted in a blizzard of consumer outrage, recalls, remediation efforts, and class-action lawsuits. In short, our systems for protecting consumers from risks worked quickly and very effectively--when consumers were lawfully acquiring an arguably problematic product.

Now consider inadvertent filesharing. Published research first identified some of its most important causes in 2002, and two congressional hearings revealed its dire effects in 2003. That consumer-safety information had only one effect: More distributors of more piracy-prone file-sharing programs deployed the very "features" that had been shown to cause inadvertent sharing--while inventing some new ones. For the next five years, such distributors testified that inadvertent sharing was a myth, told consumer-protection agencies that it had been remediated, and--when not actively exacerbating or perpetuating inadvertent sharing--repeatedly announced new "safeguards" that somehow managed to perpetuate this long-understood problem until it was still alive and well and able to harm Justice Breyer in 2008. In short, there was a complete system failure--when consumers were making mostly illegal uses of a very problematic product.

Justice Breyer and the other victims of this latest data-breech will also be confronting another cost that piracy-prone file-sharing networks impose upon third parties: Once data gets onto these networks, it becomes nearly impossible--or at least very expensive--to track or remove it. And it is critical to note that the nature of file-sharing networks does not require these expenses to be imposed upon those who do not their proprietary files on these networks. To the contrary, distributors of file-sharing programs could make it easy and inexpensive to remove unauthorized content from their networks. But if they did so, then it would also be easy and inexpensive to remove unauthorized copyrighted files. Perhaps not coincidentally, distributors have thus chosen to make it very difficult and very expensive to remove any unauthorized content from the networks that their programs create. Needless to say, those choices impose more costs upon anyone affected by inadvertent sharing.

Finally, the last set of costs that inadvertent sharing can impose upon its victims can be incalculable. Inadvertent sharing caused by programs like LimeWire can have horrific consequences because of another cost of some piracy-adapted technologies: The same factors that will tend to make a technology useful to persons who want to violate copyright laws will also tend to make it useful to persons who want to violate other laws. Consequently, piracy-prone file-sharing networks are also popular with identity thieves, malware distributors, pedophiles, and reportedly, potential would-be assassins of major U.S. government officials or their families (pp. 64-65).

But the catastrophic risks thus imposed can affect anyone--not just important government officials. In my testimony to Congress on inadvertent sharing, I used the following example to show why the difficulty of remediation and presence of multiple forms of criminal activity can greatly exacerbate the true social costs of inadvertent sharing:

To illustrate what [inadvertent sharing] can do, consider what would happen to my family if a visiting relative installed one of these programs on my home computer and tried to store downloaded files in its "My Documents" folder, so they would be easy to find.

I would end up sharing bank statements, tax returns, passwords for investment accounts, scans of legal, medical, and financial records, all my family photos, my children's names, addresses and social-security numbers, and a scan of the sign that designates the car authorized to pick my daughter up from preschool.

Oh, and I would also share over 3,000 copyrighted audio files ripped from purchased compact disks--I would share those too. With one mistake, I would be set up for identity theft, an infringement lawsuit or something far worse.

And what did I mean by "or something far worse?" I meant that inadvertent sharing could deliver data about my children to one of the vicious pedophiles that use piracy-prone file-sharing programs like LimeWire. See, e.g., United States v. Park, 4:06CR3097, 2008 U.S. Dist. LEXIS 19688, (D. Neb. March 13, 2008) (a LimeWire user shared videos of an adult raping a little girl "bound with a rope and being choked with a belt"); United States v. O'Rourke, CR-05-1126-PHX-DGC, 2006 U.S. Dist. LEXIS 1044 (D. Ariz. Jan. 12, 2006) (a LimeWire user was held to be a "danger to the community" because he shared many "extraordinarily abusive" images of "horrific child abuse" inflicted on "a very young girl, with hands bound and mouth gagged"); United States v. Postel, 524 F. Supp.2d 1120, 1123 (N.D. Iowa 2006) (a LimeWire user used shared child pornography to "groom" the girl that he molested for four years). Indeed, one researcher has already reported finding persons using piracy-adapted file-sharing programs to collect both sadistic child pornography and inadvertently shared data about particular children.

That is what I meant by "or something far worse." And that is one of the many reasons why I suspect that when they are fully informed, jurists will ultimately conclude that the true social costs of piracy-prone technologies will tend to vastly outweigh whatever benefits they might be imagined to provide.

I could go on listing more costs arising from Grokster-like file-sharing programs, but the above examples illustrate my point: In the past, debate about what Sony ought to mean has been largely abstract--we did not have real-world data about the results that different interpretations of the test might produce. Fortunately, Grokster has left lower courts with considerable flexibility to interpret the intended meaning and scope of the Sony test. Courts doing so can now be provided with some very practical, real-world examples of the full range of costs imposed by technologies used mostly for illegal purposes. I believe that many courts will find that information valuable and instructive.

In conclusion, I offer my sincere condolences to Justice Breyer, his family, the rest of the victims of this latest inadvertent-sharing-caused data breech, and to the victims of the needlessly numerous similar incidents that preceded it. At best, they will probably experience months of needless expenses and hassles--all as a result of a problem that could have been resolved six years ago.

Finally, I must reiterate two points that must always be stressed when discussing these issues. First, the fact that some miscreants used technologies that they called "peer-to-peer" to implement piracy-based business plans should not blacken the name of all technologies that actually do rely on real "peer-to-peer" networking. Personally, I doubt neither that real peer-to-peer networking technologies will play important roles in the distribution of legitimate Internet content nor that the technologies that will do so will not look like most existing piracy-prone implementations of allegedly "p2p" technologies.

Second, I suspect that what is now known about the ugly shenanigans of the Internet's would-be pirate kings may be just the tip of the iceberg. For example, one wonders how many of our vast supply of self-anointed technology savants could actually identify which popular piracy-prone file-sharing program was apparently designed to perpetuate the problem of inadvertent sharing while duping pesky journalists into believing that it had been resolved and while duping gullible Internet savants and jurists who broadly interpreted Sony into believing that the program's distributors had actually preserved the required façade of capacity-for-substantial-noninfringing-use.

I suspect that there is much still to be learned, though little to be admired....

posted by Thomas Sydnor @ 10:38 AM | Free Culture Movement, Internet: P2P, Search Engines..., Privacy and Security, Supreme Court

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment(1)