Today, the Financial Times reported a significant development in the fight against online copyright piracy. The U.K. is reportedly ready to announce an agreement between copyright owners and ISPs under which UK ISPs will agree to work to achieve "a 'significant reduction'" in illegal file-sharing. As a first step, the proposal would have ISPs send warning letters to 1,000 prolific illegal downloader per week during the three-month trial period. If that fails to significantly reduce illegal file-sharing, other alternatives would be considered, including a variation of the graduated-response/three-strikes proposal that would eventually disconnect Internet access services of persons who ignore repeated warnings or--of course--another European media levy, this time on internet-access services.

Personally, I hope that the U.K. opts for the graduated-response option. I realize that the usual "public-interest" groups say that disconnecting infringing users after repeated warnings is unfair, but, seriously, as compared to what? Forcing copyright owners to incur thousands of dollars filing John Doe lawsuits that must then be recovered from the families of teenagers and students unless copyright enforcement is to become a money-loosing proposition? Putting college students in jail? Those are the options available to deter illegal file-sharing under existing U.S. law. Are these options honestly less punitive or more enlightened than a graduated-response program? And by the way, libraries also provide access to knowledge, but if you don't follow their rules, they will throw you out and revoke your borrowing privileges. Is that unfair?

Granted, these "public interest" groups may really think that suing teenagers and imprisoning college students are good ways to enforce copyrights on the Internet. For example, in MGM Studios, Inc. v. Grokster, Ltd., the Internet Archive, Project Gutenberg, and many associations of university and law-school librarians argued that for-profit corporations that encourage or dupe teenagers or students into downloading infringing files should not be held liable for the intended consequences of the business models that gave those corporations "no product costs to acquire music" and "the ability to get all the music." Why? Because these guardians of the public interest argued that the teenagers and college students that these corporations induced could just be sued into ruin by copyright owners or imprisoned by the United States Department of Justice. So remember, university students, if your file sharing causes you to receive a prelitigation letter or subpoena from a copyright owner--or a visit from the FBI--do be sure to say "thanks" to the Internet Archive, Project Gutenberg, and your campus librarians: They all told the Supreme Court that bankrupting or imprisoning you should be the preferred means of enforcing copyrights on the Internet....

But for those inclined to think seriously about how copyrights should be enforced on the Internet, this new U.K. proposal ought to be viewed as a wake-up call, though it need not be a roadmap for what we should do here. It should, however, remind us that we have a serious problem, and that we need to think seriously about how that problem ought to be resolved.

History suggests that if we do think seriously about all of the interests involved--consumers, copyright owners, artists, and ISPs--then we probably can identify means short of compulsory licensing or levies that can reconcile those interests and significantly reduce piracy. Consider, for example, the balance that the Digital Millennium Copyright Act (the "DMCA") struck as to sites hosting user-generated content ("UGC").

UGC sites have enormous potential to encourage creative expression, but it would be difficult to imagine how they could operate were they governed by the strict-liability that copyright law has traditionally imposed upon distributors of expressive works. But simply exempting UGC site operators from liability for infringing third-party uses of their sites would only encourage piracy and shift copyright enforcement onto individual Internet users.

As result, the DMCA created a so-called "safe harbor" that exempts UGC site-operators from liability for monetary damages if they take several measures to redress or deter infringing third-party uses of their sites. The most important is the so-called "notice-and-takedown" requirement. It prescribes an iterative process of dispute identification and resolution. First, a copyright owner must notify a site operator of allegedly infringing content. The site operator must then take down the content and notify the subscriber who posted it. The subscriber must then decide whether to send a counter-notice to the site operator. If the subscriber sends a counter-notice, then the operator must restore access to the disputed content unless or until the copyright owner files a lawsuit and secures a court order requiring it to be taken down.

This takedown process can benefit all three parties--copyright owner, site operator, and even the allegedly infringing user. The copyright owner gains a means to halt infringing conduct that is faster and cheaper than a lawsuit. The site operator gains unprecedented protections against most infringement liability. The allegedly infringing user receives a warning about any potential conflict, and gets to chose whether to avoid or confront it. This takedown process has resolved countless potential disputes and prevented many lawsuits.

But make no mistake: The DMCA notice-and-takedown regime is not ideal--not for copyright owners, UGC-site operators, or UGC-site users. Copyright owners find themselves playing takedown-notice whack-a-mole in which the same infringing content is repeatedly taken down and re-posted. UGC site operators incur enforcement and response costs, and operators receiving too many notices may fail to qualify for the safe harbor. For users, the notice-and-takedown process may alert them to potential conflicts and let them decide whether to avoid them, but it may not always show them how to correct problems so the content can be safely re-posted.

Fortunately, Congress expected that even the imperfect incentives to cooperate imposed by the takedown process would encourage interested parties to devise innovative solutions superior to any contemplated back in 1998. See 17 U.S.C. § 512(i)(1)(B). Congress appears to have been right. Many copyright owners and UGC-site operators have entered into licensing agreements. Both YouTube and the parties to the Copyright Principles for UGC Sites are preparing to deploy advanced filtering technologies. The parties to the Principles are also devising more interactive dispute-resolution procedures. Consequently, not even important, backward-looking disputes like the Viacom-Google litigation should obscure the progress being made by copyright owners, UGC-site operators, and UGC-site users.

To be sure, the DMCA did not anticipate the rise of file-sharing piracy that cannot be reasonably redressed at the application level. Nor could the balance that the DMCA struck as to UGC sites just be "cut and pasted" into the context of access providers. Nevertheless, the case of UGC sites show that when the law has encouraged cooperative approaches--even imperfect ones--cooperation has occurred, improvements have been made, and enforcement lawsuits against consumers have been almost entirely avoided.

Finally, some will argue that the U.K. proposal is unfair to internet-access providers. That argument has weaknesses and strengths. To be sure, many claim that piracy has helped access-providers by driving demand for broadband access. For example, in Free Culture, Professor Lawrence Lessig argues, "The appeal of file-sharing music was the crack cocaine of the Internet's growth. It drove demand for access to the Internet more powerfully than any other single application. It was the Internet's killer app.... It no doubt was the application that drove demand for bandwidth."

But while piracy may have been indirectly benefited some access providers, it has also imposed significant costs and inefficiencies. For example, from the perspective of efficient network management, most ISPs should cache popular downloads. But doing so is extremely risky. The DMCA's caching safe-harbor, (§512(b)), like its other provisions, envisioned a web-based Internet: Consequently, it does not seem to "harbor" the caching systems needed by file-sharing networks. Nevertheless, vague reports alleging the use of caching have surfaced ever since the 2004 study, Is P2P Dying or Just Hiding?

But in any case, a simple fact remains: Broadband Internet-access providers were not the ones who worked hard to ensure that file-sharing piracy would become a problem that could not be redressed at the application level. If those who did try to make that problem difficult to remediate now expect others to clean up their mess, then that is unjust.

Nothing makes this point more effectively than the written testimony provided recently to a congressional committee by Mr. Mark Gorton, "the founder and Chairman of LimeWire, LLC, the makers of the LimeWire file sharing program":

The regulatory framework that surrounds the Internet has not kept pace with technical advancements, and currently, no effective enforcement mechanisms exist to address illegal behavior on P2P networks.

Internet Service Providers, ISP's, are a unique point of control for every computer on the Internet. Universities frequently function as their own ISP's, and a handful of universities have implemented notice based warning systems that result in the disconnection of users engaged in illegal behavior who ignore multiple warnings. These universities have sharply reduced child pornography and copyright infringement on their campus networks.

Similar policies could be mandated for all ISP's in the United States. However, these policies are unpopular with the telecom and cable companies who would prefer not have an enforcement relationship with their paying customers. The telecom industry has objected vigorously to previous attempts to involve ISP's in the enforcement process and it continues to oppose policies that would allow for the establishment of moderate, yet effective enforcement mechanisms to combat illegal behavior on the Internet.

The only institution in the United States with the power to mandate the creation of an effective enforcement mechanism to police the Internet is the United States Congress.

I believe that careful thought would reveal viable solutions to the challenges of file-sharing piracy more creative and less prescriptive than those proposed by LimeWire. And if distributors of piracy-and-pornography-prone file-sharing programs now admit that they have knowingly created problems that can only be resolved by imposing significant costs on many third parties, including copyright owners, internet users, and internet-access providers, I would respectfully suggest that federal law-enforcement agencies should take such admissions into account. And send a message....

posted by Thomas Sydnor @ 10:22 PM | DMCA , Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Markets: Business, Investment & Innovation

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

Over the past week, I have been asked repeatedly about the Voluntary Best Practices for P2P File-Sharing Software Developers to Implement to Protect Users Against Inadvertently Sharing Personal or Sensitive Data(the "VBPs") just released by the Distributed Computing Industry Association ("DCIA"). As most probably know, these VBPs appear to have been hastily released after LimeWire's latest fiasco, which involved inadvertent sharing of the financial data of Supreme Court Justice Stephen Breyer.

I am still reviewing these new VBPs and comparing their provisions against the behavior of then-current versions of the file-sharing programs distributed by entities that purport to have developed these VBPs. Nevertheless, I can now summarize some key conclusions: I have serious concerns about the scope, substance, and credibility of these new VBPs.

CONCERNS ABOUT THE SCOPE OF THE VBPs:

The VBPs Unfairly Stigmatize All "P2P File-Sharing Software Developers": The VBPs seem to proceed from a absurd premise: They seem to presume that roses and skunks are equally likely to smell bad. The VBPs purport to apply to all "P2P File-Sharing Software Developers." I am aware of no data showing that risks of potentially harmful inadvertent sharing, (much less inadvertent sharing of "personal" or "sensitive" files), arise consistently from all "P2P File-Sharing Software."

To the contrary, the available data indicate that the worst of these risks seem to arise only from a narrow subset of programs whose similarities appear to arise more from the business models of their developers than from any actual reliance upon peer-to-peer networking or file transfers. For example, both the Gnutella-based LimeWire program and the BitTorrent-based program Joost are "P2P File-Sharing Software." But Joost and LimeWire do not even arguably pose similar risks to their users. Nevertheless, the VBPs treat both programs as if either could be equally likely to cause harm.

That is just plain wrong. It makes no sense to state or imply that all "P2P File-Sharing Software" should be painted with the same bad-actor brush.

CONCERNS ABOUT THE SUBSTANCE OF THE VBPs:

Compliance with the VBPs Is Unlikely To Significantly Reduce Potentially Dangerous Inadvertent Sharing: Regrettably, I expect that the VBPs--even if scrupulously followed--may have little or no effect on the prevalence of inadvertent sharing of personal data. The VBPs seem to presume that inadvertent sharing of "sensitive" data is still a problem that program distributors can cause or remediate at will. I suspect that this presumption is now dreadfully wrong.

For example, when episodes occurring in 2005 and 2006 returned my attention to the problem of inadvertent sharing of personal data, I embarked on a then-fruitless snipe hunt. When trying to determine why users of file-sharing programs might be inadvertently sharing personal files in 2005 and 2006, I first thought that the programs themselves were unlikely to be causing inadvertent sharing: After all, problems with program design had been rather extensively investigated--and purportedly resolved--back in 2002 and 2003. I thus assumed that inadvertent sharing must be recurring for some other reason.

I thus investigated the possibility that malware might be causing inadvertent sharing of personal files. The same factors that make piracy-prone file-sharing networks well suited for the distribution of infringing files also make them well-suited for the distribution of files infected with malicious code. Consequently, I assumed that inadvertent sharing might be recurring because file-sharing networks were distributing malware that was reconfiguring the file-sharing programs themselves. At the time, nothing came of those efforts: Searches of the usual data repositories did not reveal malicious programs that reconfigured popular file-sharing programs. Only after this "malware hypothesis" led nowhere did I look again at the programs themselves--only to find some dumbfoundingly familiar problems.

The VBPs returned my attention to malware as a potential cause of inadvertent sharing after I discussed them with the data-security company Tiversa, Inc. Tiversa's perspectives on file-sharing tend to be uniquely valuable. Tiversa's technology lets it look comprehensively at all activities occurring on multiple networks, and the monitoring and remediation services that it provide to its clients ensure that Tiversa often has unique, first-hand knowledge about the causes of inadvertent sharing.

After reviewing the VBPs, Tiversa's President, Mr. Robert Boback, reported that he was not optimistic about their potential to reduce inadvertent sharing. In particular, he cited the problem of malware--he reported that Tiversa has now encountered multiple forms of malware that reconfigure the sharing-related settings of popular file-sharing programs.

If so, then the VBPs are too little, too late. By perpetuating the problem of inadvertent sharing until identity thieves had years to realize how advantageous it could be to them, distributors of file-sharing programs have ensured that inadvertent sharing is no longer a problem that they can cause or remediate by changing the default settings of their programs.

The VBPs Seem Hopelessly Vague: The VBPs also seem very waffly and fuzzy--they are so vague and flexible that it will often be very hard to say whether any given program complies with any particular provision. Worse yet, they are often so vague that they seem to fail to engage the available data on the causes of inadvertent sharing. Indeed, preliminary analysis suggests that the VBPs could permit use of search-wizards, partial-uninstall features, and certain coerced-sharing features, including LimeWire's confusing "individually-shared-files" feature. I don't see how anyone can be expected to believe that these VBPs will really deter inadvertent sharing unless they clearly address all the problems that have been repeatedly called to the attention of distributors.

For example, the VBPs center around the notion that developers can deter inadvertent sharing by requiring users to take "Affirmative Steps" before they share "User-Originated Files." That sounds good--until one recalls that the more dangerous version of the KaZaA program condemned in the 2002 study Usability and Privacy: A Study of KaZaA Peer-to-Peer File Sharing also required its users to take "Affirmative Steps" before they would share "User-Originated Files." Indeed, partial-uninstall features excepted, so did the "features" condemned in the USPTO report, Filesharing Programs and "Technological Features to Induce Users to Share."

The VBPs Proceed from the Sometimes-False Premise That It Is "Safe" for Users of File-Sharing Programs to "Share" Downloaded Files by Default: The VBPs also look like a cynical half-effort to redress inadvertent sharing. To me, the difference between conscientious program distributors and cynical distributors is simple: The former are concerned about the safety of users of their program; they want to ensure that users do not inadvertently share any files that would tend to be dangerous to share. The latter are concerned only about themselves; they only want to ensure that users of their program do not inadvertently share the sorts of files that would be likely to attract adverse attention to program distributors from the media, Congress, or Supreme Court Justices.

Sadly, the VBPs seem to reflect the latter approach to inadvertent sharing: They divide all files stored on users' computers into two classes: files downloaded from the file-sharing network and all others, (the VBPs call this latter class "User-Originated Files"). The VBPs then proceed from the following premise: Sharing of downloaded files is presumptively "non-sensitive," safe and permissible by default, while sharing of User-Originated Files is not. In other words, the VBPs presume that users sharing downloaded files are not sharing "sensitive" files.

As applied to programs like LimeWire, that premise is demonstrably and deliberately false. As LimeWire CEO Mark Gorton testified, other than downloading of music, the only other "major use" of his program is downloading movies. Sharing files containing downloaded music or movies can cost from $750 to $150,000 per file. As a result, for persons of moderate means, the financial consequences of sharing those files are probably as bad or worse than the financial consequences of identity theft.

Worse yet, this very real threat of enforcement lawsuits is a risk imposed upon users deliberately by distributors of certain file-sharing programs: For example, in MGM v. Grokster, LimeWire went out of its way to blame copyright owners for failing to sue infringing users of its program. Subsequently, LimeWire then altered its program in ways that can make it more difficult for users to stop sharing downloaded files--thus ensuring that the risks of sharing downloaded files would tend to fall disproportionately upon those users who happen to be very young or otherwise particularly unsophisticated.

An article published recently by the Torrentfreak website illustrates the real-world consequences of these choices. The article reports on an interview with "Hannah," the pseudonym of a 9-year-old girl who uses LimeWire. The interview begins, "Everyone knows that a significant number of file-sharers are teenagers and young adults.... But what about the true kids--the under 10's?"

In the interview, "Hannah" says that she uses LimeWire, "Because you can put anything in and it will come up and you don't actually pay for it" and because "you can get good albums off there. Duh!!" When asked whether downloading music for free might be illegal, she replied, "Why would they put it [music] on the Internet ... if it was against the law?" She was then asked what would happen if one of her favorite artists, Sean Kingstone, sued her family or sought a settlement because she had shared his albums using LimeWire. She replied, "I'd say 'tooooo strict' and anyway he can't make me do anything. He's not the boss of me, he's the boss of Sean Kingstone." When asked what would happen if her family did not settle, she said, "Nothing. I'm too young to be charged by the government so he can't charge me."

"Hannah" has her facts dangerously wrong, but I can still sympathize with Hannah (and her family): She's just a little girl who has made the usually rational assumption that most adults don't distribute dangerous toys to children. Unfortunately, some adults who distribute certain file-sharing programs persist in distributing potentially dangerous toys to children--even after painting enforcement targets on their little foreheads. As a result, programs like LimeWire now jeopardize the privacy, reputations, and finances of the families of many thousands of "Hannahs."

Nor do the distributors of such programs simply lack any means to prevent their misuse or otherwise avoid the need for enforcement against consumers who share infringing files--deliberately or otherwise. They do have the means, but they have chosen not to deploy them.

Distributors of other file-sharing programs have now made this clear: Joost only distributes files authorized for distribution; Veoh uses forms of filtering; Pando uses something akin to a notice-and-takedown process. That doesn't mean that any of these programs are perfect, but it does mean that people using them are unlikely to face the financial and other consequences of an infringement lawsuit.

In short, a useful set of VBPs would have to address a very deliberately constructed reality: Inadvertently sharing files downloaded from some networks can be as presumptively dangerous and as "sensitive" as inadvertently sharing personal files. VBPs that refuse to confront this deliberately constructed reality are not worth the pixels they are printed upon.

Unless the VBPs Redress Inadvertent Sharing of Downloaded Files, Pedophiles Will Use Inadvertent Sharing to Avoid Conviction for Knowingly Distributing Child Pornography: Because the VBPs do not really address inadvertent sharing of downloaded files, they also fail to defuse a ticking time-bomb: Piracy-adapted file-sharing networks have attracted not only 9-year-old girls who share music, but also pedophiles who share child pornography. As a result, a slew of prosecutions are now underway--I counted scores of pending cases during my last sweep of LEXIS, and a public defender in New York told me that her office is now inundated with P2P child-porn cases. Unfortunately, the defendants in these cases have realized that inadvertent sharing can help them avoid conviction on the "knowing distribution" count that can result in serious jail time. Soon enough, inadvertent sharing--even of downloaded files--is going to deliver get-out-of-jail-free cards to pedophiles.

The VBPs would have to reflect a serious effort to prevent inadvertent sharing of downloaded files before they could stop this from happening. Indeed, even their half-efforts are already too late. For example, in United States v. Park, 2008 U.S. Dist. LEXIS 19688, *2 (D. Neb. March 13, 2008), the defendant used LimeWire to share, inter alia, a three-hour video that "depicted 'a female minor bound with a rope and being choked with a belt by what appeared to be an adult male.'" Nevertheless, the defendant secured a reduced sentence by claiming that he "lacked an understanding of the software and thus ... the knowledge to distribute the illegal wares that he possessed." Id. at 4.

To be clear: Distributors of piracy-adapted file-sharing programs rightly resent any claim that might imply that they intend to aid pedophiles. But that is not my point: Frankly, I cannot imagine why any distributor of even the most piracy-prone file-sharing program would intend to facilitate the distribution of child pornography, or, for that matter, malware-infected files, or classified government data.

Nevertheless, some brute facts remain: Actions often have consequences that--while not intended--are wholly predictable. The same attributes that make certain file-sharing programs attractive to persons who want to distribute infringing files predictably make those programs attractive to persons who want to engage in other illegal activities. It was thus utterly foreseeable--and foreseen--that malefactors other than infringers would flock to the accommodating venues thus provided.

For example, in 2003, the distributors of the KaZaA program admitted this when discussing the prevalence of malware-infected files on the FastTrack network: "As you would expect, when files often come from anonymous and uncertified sources, the risk of that file containing a virus greatly increases." They may not have intended to attract malware distributors, but they fully expected that the design of their network would do so nonetheless. Those choices created a network used largely for illegal purposes in which it becomes very important to be able to say whether any given user intended to "share" any given file because so many are unlawful to share. Reasonable VBPs would acknowledge that in such venues, the "sharing" of downloaded files is generally unsafe--it can result in the "sharing" of files that are "sensitive," within any reasonable meaning of that term.

CONCERNS ABOUT THE CREDIBILITY OF THE VBPs:

The VBPs Are "Déjà Vu All Over Again" for Concerned Officials or Citizens: Sadly, these new VBPs proceed from a false premise: They presume that distributors of piracy-adapted file-sharing programs can be reasonably expected to adhere to a completely optional set of inadvertent-sharing-related "best practices" that would require them to redesign their programs in order to prevent users from inadvertently sharing files. All-too-recent experience has eviscerated that premise.

For example, after the second-to-last round of congressional hearings on inadvertent sharing, (back in 2003), the trade association P2P United purported to redress inadvertent sharing by promulgating a mandatory Code of Conduct designed by distributors of file-sharing programs including the distributors of LimeWire. But the distributors who devised that "mandatory" Code tended to ignored it in practice while signing pious hymns to its virtues to congressional committees and federal agencies. Now, another trade association has released another set of now-completely-optional LimeWire-designed VBPs. With all due respect--and none is--these new VBPs accomplish precisely one result: They force everyone concerned about inadvertent sharing to stare straight down both barrels of an old saying:

Fool me once; shame on you. Fool me twice...."

Seriously: If distributors of piracy-adapted file-sharing programs treated their own mandatory Code of Conduct--and the well-being of users of their programs--like an irrelevant joke back in 2004, how can anyone believe that, in 2008, they will treat new optional VBPs with anything other than similar contempt?

And least the above seem unduly harsh, I can report that I have begun to compare the requirements of the VBPs to the behavior of the version of LimeWire that was available when the VBPs were released. This version of LimeWire does not appear to comply with the VBPs. Once again, the VBPs thus seem to be just a cheery promise that things may improve in the future.

I agree that voluntary self-regulation will be an indispensable tool that can let us redress many of the security and privacy challenges that will inevitably arise from fast-changing internet technologies without saddling those technologies with prescriptive, market-distorting regulations that quickly prove to be partially underbroad, partially overbroad, and quickly dated. But for that reason, there will be times when the only reasonable response to miserably failed efforts at voluntary self-regulation will be law enforcement--not the repetition of airy promises of even less-obligatory self-regulation.

For all these reasons--scope, substance, and credibility--I can take no comfort in DCIA's new Voluntary Best Practices for P2P File-Sharing Software Developers to Implement to Protect Users Against Inadvertently Sharing Personal or Sensitive Data.

posted by Thomas Sydnor @ 9:54 AM | Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Legislation and Legislators , Privacy and Security

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

In its 2005 decision in MGM Studios, Inc. v. Grokster, Ltd., the Supreme Court unanimously found "overwhelming" and "unmistakable" evidence that the distributors of two piracy-prone file-sharing programs intended to induce users of their programs to infringe copyrights. But Grokster did not do something that the Court had been widely expected to do: It did not clarify the meaning of the notoriously vague capacity-for-substantial/commercially-significant-use test adopted by Court's 5-4 decision in Sony Corp. of Am. v. Universal City Studios, Inc.. Indeed, in Grokster, the meaning of the Sony test was discussed only in clashing concurring opinions authored by Justices Ginsburg and Breyer. Justice Ginsburg's concurrence interpreted Sony's safe harbor rather narrowly; Justice Breyer's concurrence interpreted it very broadly.

In the aftermath of Grokster, I have been researching and writing about a problem that can be called "inadvertent file-sharing." It occurs whenever users of piracy-prone file-sharing programs end up "sharing" files that they did not intend to make available to thousands of strangers. Inadvertent sharing tends to make the news when reporters find users sharing highly sensitive personal or work-related documents.

But inadvertent sharing also routinely causes users to unwittingly share infringing files. Anyone inadvertently sharing personal files is also usually sharing their entire music collection, and users often inadvertently share only infringing files--one user might mistakenly think that "My Music" is a good folder for storing downloaded files, another just might not realize that downloaded files are "shared" by default, etc. Examples of my work on inadvertent sharing can be found in this USPTO report, in this congressional hearing, and in this follow-up report about a file-sharing program called LimeWire.

It has been suggested to me that documenting the problem of inadvertent file-sharing may not be that material to copyright law and policy generally. But an article in yesterday's Washington Post illustrates why I think that it may be useful.

This article reports that the latest person to have his sensitive personal data inadvertently shared by a LimeWire user was Supreme Court Justice Steven Breyer--author of the Grokster concurrence that would have interpreted Sony so broadly that it could "harbor" even the distributors of piracy-prone file-sharing programs like Grokster, Morpheus, and, well, LimeWire.

I regret to note that some commenters on this article treated this incident as if it were an somewhat-funny inconvenience. It isn't: For reasons that I explain below, inadvertent sharing can have financially devastating or deadly consequences, particularly if it affects a major U.S. official. For that reason, it is particularly important to understand whether the many incidents like this one many have been predictable side effects of a technology used mostly for illegal purposes.

In Grokster, Justice Breyer found that absent evidence of inducement, even the most piracy-ridden file-sharing programs would pass his interpretation of the Sony test. See 545 U.S. at 952 ("Grokster passes Sony's test"). For example, evidence in Grokster showed that 97% of the files that Grokster and Morpheus users actually selected for downloading were, or were highly likely to be, infringing. See 454 F. Supp. 2d at 985. Nevertheless, Justice Breyer found that these programs should pass the Sony test because, someday, their users might download infringing files only 90% of the time. 545 U.S. at 953-54.

And it is important to note that Justice Breyer did not find that, someday, 10% of the users of these programs would use them exclusively for non-infringing purposes. Rather, he found that Sony would harbor the distributors of file-sharing programs even if all users of their programs almost always uses them to infringe, so long as some users also make some incidental lawful uses, (currently perhaps has high as 3%), that could eventually rise to 10%. It is difficult to imagine that any real-world technology could actually fail to satisfy this standard, were it fairly applied.

In Sony, the Court said that its new test would have to "strike a balance between a copyright holder's legitimate demand for effective--not merely symbolic--protection... and the rights of others freely to engage in substantially unrelated areas of commerce." In Grokster, Justice Breyer concluded that this balance would be stuck by an interpretation of Sony that would deny copyright holders the ability to control areas of commerce 97% related to copyright infringement. To do so, Justice Breyer conducted a three-part analysis that culminated with a cost-benefit analysis in which he proposed that when assessing a technology like LimeWire, we should balance its costs--to copyright owners--against its benefits. 545 U.S. at 960.

Unfortunately, LimeWire's repeated failure to redress the long-known problem of inadvertent sharing has now exposed Justice Breyer, his family and many, many others to the real-world consequences of some omissions in Justice Breyer's cost-benefit analysis.

Justice Breyer's analysis recognized that technologies that are used almost exclusively for infringing purposes can impose profound costs upon copyright owners. But it failed to recognize that copyright owners will not suffer alone. Technologies that are used primarily for illegal purposes will tend to impose many social costs upon both their users and even innocent third parties, like Justice Breyer and his family.

For example, Justice Breyer may be wondering why it would even be possible for a file-sharing program like LimeWire to "share" files containing his financial data. After all, no reasonable person would deliberately "share" such files over the Gnutella network, and the CEO of LimeWire testified last summer that the only two "major use[s]" of his program were the sharing of music and movies. So why would a default installation of LimeWire share any other types of files?

LimeWire itself can answer that claim, but one explanation suggests itself: LimeWire probably shares financial data by default because distributors of file-sharing programs were hoping that judges might broadly interpret Sony: Groups like the Electronic Frontier Foundation counseled distributors that their file-sharing programs should share all types of files by default in order to buttress their theoretical "capacity" for non-infringing use. Consequently, LimeWire probably shared Justice Breyer's financial data by default so that judges broadly interpreting Sony could find that LimeWire also had a theoretical capacity to distribute files from the Prelinger Archive, even though it is almost never actually used to do that. See 545 U.S. at 954. Unfortunately, the resulting disconnect between what the program can do and what users expect it to do makes it much easier for users to make mistakes that impose severe costs upon themselves and others.

Justice Breyer may also be wondering why businesses do not adopt the very simple network-management techniques, like port-blocking, that would ordinarily let them prevent any use of of a file-sharing program on their corporate networks. Unfortunately, they cannot: Because programs like LimeWire are actually used for unlawful purposes almost all of the time, every reasonable business would block their use were it easy to do so. Perhaps not coincidentally, distributors of programs like LimeWire thus adopted techniques like port-hopping and tunneling that make it difficult and expensive to exclude their programs from a given network. In short, these programs are designed to go where they are not wanted. This imposes even more costs--not upon users of the program--but upon third parties who definitely DO NOT want to use the program. And like all the other costs discussed here, these costs appear to be mere side-effects of the high levels of illegal use prevailing today among actual users of programs like LimeWire.

Some research on inadvertent sharing might also lead Justice Breyer to ask another question: Why should inadvertent sharing still be a problem in 2008? Weren't the major causes of this problem identified long ago? They were, and that illustrates another cost that has just been inflicted upon upon Justice Breyer and many others--one that may have been best explained by the FBI back in 2003: When almost every consumer using a product uses it for illegal purposes most of the time, all our normal mechanisms for protecting consumers break down.

For example, consider what happened when a program briefly included on some lawfully-purchased audio CDs--the so-called "rootkit" DRM--was found to create a computer-security vulnerability. The vulnerability was quickly discovered, publicized, and within months, distribution of the problematic program was halted in a blizzard of consumer outrage, recalls, remediation efforts, and class-action lawsuits. In short, our systems for protecting consumers from risks worked quickly and very effectively--when consumers were lawfully acquiring an arguably problematic product.

Now consider inadvertent filesharing. Published research first identified some of its most important causes in 2002, and two congressional hearings revealed its dire effects in 2003. That consumer-safety information had only one effect: More distributors of more piracy-prone file-sharing programs deployed the very "features" that had been shown to cause inadvertent sharing--while inventing some new ones. For the next five years, such distributors testified that inadvertent sharing was a myth, told consumer-protection agencies that it had been remediated, and--when not actively exacerbating or perpetuating inadvertent sharing--repeatedly announced new "safeguards" that somehow managed to perpetuate this long-understood problem until it was still alive and well and able to harm Justice Breyer in 2008. In short, there was a complete system failure--when consumers were making mostly illegal uses of a very problematic product.

Justice Breyer and the other victims of this latest data-breech will also be confronting another cost that piracy-prone file-sharing networks impose upon third parties: Once data gets onto these networks, it becomes nearly impossible--or at least very expensive--to track or remove it. And it is critical to note that the nature of file-sharing networks does not require these expenses to be imposed upon those who do not their proprietary files on these networks. To the contrary, distributors of file-sharing programs could make it easy and inexpensive to remove unauthorized content from their networks. But if they did so, then it would also be easy and inexpensive to remove unauthorized copyrighted files. Perhaps not coincidentally, distributors have thus chosen to make it very difficult and very expensive to remove any unauthorized content from the networks that their programs create. Needless to say, those choices impose more costs upon anyone affected by inadvertent sharing.

Finally, the last set of costs that inadvertent sharing can impose upon its victims can be incalculable. Inadvertent sharing caused by programs like LimeWire can have horrific consequences because of another cost of some piracy-adapted technologies: The same factors that will tend to make a technology useful to persons who want to violate copyright laws will also tend to make it useful to persons who want to violate other laws. Consequently, piracy-prone file-sharing networks are also popular with identity thieves, malware distributors, pedophiles, and reportedly, potential would-be assassins of major U.S. government officials or their families (pp. 64-65).

But the catastrophic risks thus imposed can affect anyone--not just important government officials. In my testimony to Congress on inadvertent sharing, I used the following example to show why the difficulty of remediation and presence of multiple forms of criminal activity can greatly exacerbate the true social costs of inadvertent sharing:

To illustrate what [inadvertent sharing] can do, consider what would happen to my family if a visiting relative installed one of these programs on my home computer and tried to store downloaded files in its "My Documents" folder, so they would be easy to find.

I would end up sharing bank statements, tax returns, passwords for investment accounts, scans of legal, medical, and financial records, all my family photos, my children's names, addresses and social-security numbers, and a scan of the sign that designates the car authorized to pick my daughter up from preschool.

Oh, and I would also share over 3,000 copyrighted audio files ripped from purchased compact disks--I would share those too. With one mistake, I would be set up for identity theft, an infringement lawsuit or something far worse.

And what did I mean by "or something far worse?" I meant that inadvertent sharing could deliver data about my children to one of the vicious pedophiles that use piracy-prone file-sharing programs like LimeWire. See, e.g., United States v. Park, 4:06CR3097, 2008 U.S. Dist. LEXIS 19688, (D. Neb. March 13, 2008) (a LimeWire user shared videos of an adult raping a little girl "bound with a rope and being choked with a belt"); United States v. O'Rourke, CR-05-1126-PHX-DGC, 2006 U.S. Dist. LEXIS 1044 (D. Ariz. Jan. 12, 2006) (a LimeWire user was held to be a "danger to the community" because he shared many "extraordinarily abusive" images of "horrific child abuse" inflicted on "a very young girl, with hands bound and mouth gagged"); United States v. Postel, 524 F. Supp.2d 1120, 1123 (N.D. Iowa 2006) (a LimeWire user used shared child pornography to "groom" the girl that he molested for four years). Indeed, one researcher has already reported finding persons using piracy-adapted file-sharing programs to collect both sadistic child pornography and inadvertently shared data about particular children.

That is what I meant by "or something far worse." And that is one of the many reasons why I suspect that when they are fully informed, jurists will ultimately conclude that the true social costs of piracy-prone technologies will tend to vastly outweigh whatever benefits they might be imagined to provide.

I could go on listing more costs arising from Grokster-like file-sharing programs, but the above examples illustrate my point: In the past, debate about what Sony ought to mean has been largely abstract--we did not have real-world data about the results that different interpretations of the test might produce. Fortunately, Grokster has left lower courts with considerable flexibility to interpret the intended meaning and scope of the Sony test. Courts doing so can now be provided with some very practical, real-world examples of the full range of costs imposed by technologies used mostly for illegal purposes. I believe that many courts will find that information valuable and instructive.

In conclusion, I offer my sincere condolences to Justice Breyer, his family, the rest of the victims of this latest inadvertent-sharing-caused data breech, and to the victims of the needlessly numerous similar incidents that preceded it. At best, they will probably experience months of needless expenses and hassles--all as a result of a problem that could have been resolved six years ago.

Finally, I must reiterate two points that must always be stressed when discussing these issues. First, the fact that some miscreants used technologies that they called "peer-to-peer" to implement piracy-based business plans should not blacken the name of all technologies that actually do rely on real "peer-to-peer" networking. Personally, I doubt neither that real peer-to-peer networking technologies will play important roles in the distribution of legitimate Internet content nor that the technologies that will do so will not look like most existing piracy-prone implementations of allegedly "p2p" technologies.

Second, I suspect that what is now known about the ugly shenanigans of the Internet's would-be pirate kings may be just the tip of the iceberg. For example, one wonders how many of our vast supply of self-anointed technology savants could actually identify which popular piracy-prone file-sharing program was apparently designed to perpetuate the problem of inadvertent sharing while duping pesky journalists into believing that it had been resolved and while duping gullible Internet savants and jurists who broadly interpreted Sony into believing that the program's distributors had actually preserved the required façade of capacity-for-substantial-noninfringing-use.

I suspect that there is much still to be learned, though little to be admired....

posted by Thomas Sydnor @ 10:38 AM | Free Culture Movement , Internet: P2P, Search Engines... , Privacy and Security , Supreme Court

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

CSDP just released a new paper addressing a question that has attracted much recent attention: Does posting a copyrighted work on a website or “sharing” it over a peer-to-peer file-sharing network like KaZaA infringe the exclusive rights that U.S. law grants to copyright owners? In other words, does the U.S. Copyright Act provide the “making available” right required by the WIPO Copyright Treaty, the WIPO Performances and Phonograms Treaty, and at least six bilateral or multilateral Free Trade Agreements?

This paper raised one of the more vexing legal issues that I have encountered in some time. The problem was not so much the difficulty of the underlying substantive issue. (Indeed, as the paper indicates, I think there is a very powerful case for recognizing a making-available right by adopting a plain-meaning interpretation of “to authorize” the phrase used to define the scope of all the exclusive rights granted by the Act.) Rather, the problem was that I have always thought it important that Congress and the President had both expressly and necessarily interpreted the Copyright Act to provide a making-available right when they enacted the implementing legislation for the WCT, the WPPT, and the six FTAs.

Many others with whom I have discussed this issue did not agree that these interpretations were particularly important. Our disagreements centered on a question that, does, at least in the context of international law and at the Supreme-Court level, seem to be open. Since the 1804 case Charming Betsy, the Supreme Court has held that courts should adopt any possible interpretation of a U.S. statute that would avoid a conflict with the international agreements and obligations of the United States. Nevertheless, to date, almost all cases invoking the Charming-Betsy interpretive principle seem to involve efforts to construe statutes that were enacted after a given treaty or international agreement had imposed some sort of obligation upon the United States.

The case of the making-available right reverses the temporal relationship between the relevant domestic statute and international agreements: The WCT, WPPT and the FTAs all postdate the Copyright Act of 1976 by at least thirty years. Many people found it odd that the terms of international obligations should influence the interpretation of a statute enacted about 30 years earlier. I could neither deny that such arguments had some force nor that I still found them unpersuasive, though for reasons that I could never quite articulate.

I hope that this paper can explain the source of these disagreements. I happen to have a longstanding interest in administrative law. Consequently, when I look at the Copyright Act of 1976, the implementing legislation for the WCT, WPPT, and the FTAs, and cases like Barker, I think that the resulting situation raises a question about the need for judicial deference analogous to that raised and resolved in cases like Chevron v. NRDC.

In the typical Chevron case, a governmental entity (usually a federal agency) must interpret an existing statute in order to determine how best to exercise lawfully acquired law-making powers. In such cases, courts accord so-called Chevron deference to statutory interpretation adopted by the agency: Regardless of whether the reviewing court might think some other interpretation more persuasive, it will defer to any reasonable interpretation that the agency adopted during the exercise of its law-making powers.

To be clear, I do not contend that Chevron is literally binding precedent in cases like Barker, but neither do I see why it is distinguishable as a matter of law and logic. The same factors that justify Chevron deference in the administrative-law context seem to recur here: To implement international agreements, Congress and the President must exercise their constitutionally delegated law-making powers, and to do so, they must interpret the meaning of existing statutes. Indeed, the interests in predictability and comity that justify Chevron deference seem to be both present and heightened in international-agreement implementation context. It is not clear why a case-or-controversy-bound judge should conclude that the President and Congress seven times executed the international obligations of the United States incompetently or duplicitously if a permissible interpretation of the Copyright Act would avoid the need to draw such conclusions.

Questions about the existence or scope of a U.S. making-available right will clearly be occupying many minds as the summer progresses. For the reasons set forth in the paper, I suspect that as courts begin looking closely at these questions, they will realize that their answers are less difficult to discern than they might seem at first glance.

posted by Thomas Sydnor @ 3:40 PM | DMCA , DRM & Watermarks, etc. , Enforcement & Remedies , Free Culture Movement , General , International , Internet: P2P, Search Engines... , Legislation and Legislators

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (3)

A ZDNet report on the "loud minority" in the FOSS Movement.

Efforts to increase the adoption of open-source software are being derailed by the efforts of a "loud minority" within the community who have made personal attacks on individuals who have expressed doubts about the software, according to one of the open-source movement's main advocates.

Jeff Waugh of open-source advocacy group Waugh Partners was disheartened after a series of personal attacks directed at the heads of Australian government agencies. These included comments directed at Australian Taxation Office chief information officer Bill Gibson...

Some of the public responses to the article labelled Gibson a "bureaucratic parasite" and his concerns "short-sighted".

While Waugh believes the open-source model holds better security outcomes than its proprietary equivalent, he describes the vitriolic reaction to Gibson's comments as being "disgraceful" and says they achieve nothing for the industry.
...
"This kind of language makes it extremely hard for the open-source industry to get the appropriate level of consideration in government departments," Waugh continued.
...
Waugh was also disheartened when personal attacks were levelled at Standards Australia's Alistair Tegart over Microsoft's push to have its OOXML format accepted as an ISO standard. "I suspect that as a result, [Teggart] is becoming deeply cynical about open source," Waugh said.

posted by Noel Le @ 7:36 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

Nick Carr comments on a Linux Foundation report that over 70% of Linux kernel development is done by paid workers at commercial firms. Apparently, Linux has become a corporate initiative. Carr writes:

There's nothing particularly surprising in the shift from the volunteer to the corporate model - it tends to be what happens when lots of money enters the picture - but it does reveal that while Net-based "social production" efforts may be unprecedented in their scale and unusual in their technology-mediated structure, they are no more immune, or even resistant, to being incorporated into established market systems than any other type of labor that produces commercially valuable goods.
...
The shift in Linux kernel development from unpaid to paid labor, from volunteers to employees, suggests that the Net doesn't necessarily weaken the hand of central management or repeal old truths about business organization.

Continue reading Linux Goes Corporate . . .

posted by Noel Le @ 11:03 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (2)

CNet Blog Network contributor Matt Asay writes:

Linus Torvalds used to talk about "world domination" as his goal for Linux. These days, though, while we seem to be making progress toward this end, we also appear to be increasingly complacent. We downplay the ideology that underlies open source in favor of "safe" rhetoric about lower sales and marketing costs and such.

I'll await word from Mr. Asay on whether digital copyrights and software patents can help explain the sudden pedestrian state of FOSS.

posted by Noel Le @ 11:30 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

Martin LaMonica from CNet writes on Red Hat's latest desktop Linux strategy.

Red Hat likes Linux on the desktop, but it also likes making money.

The company's desktop software unit on Wednesday released an update on its plans, saying it will focus its efforts on specific markets but not face off against Microsoft in the consumer market.

The Linux Desktop team explained:

An explanation: as a public, for-profit company, Red Hat must create products and technologies with an eye on the bottom line, and with desktops, this is much harder to do than with servers. The desktop market suffers from having one dominant vendor, and some people still perceive that today's Linux desktops simply don't provide a practical alternative.

Instead, Red Hat is focusing on desktop software that works with its server products aimed at businesses and developers.

If Red Hat was really a good FOSS community citizen, it would still compete directly with Microsoft on the desktop, ride any loss to its bottom line, and therefore promote the freedom to tinker and the FOSS revolution.

posted by Noel Le @ 11:05 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

Jon Brodkin from Network World reports on recent FOSS research from Gartner:

Nine out of ten software-as-a-service providers will rely on open source software by 2010 to save money, but the cost savings likely won't be passed onto customers, Gartner says in a new research note.
...
"The name of the game with software-as-a-service providers is dialing down your software acquisition costs," [Gartner Analyst Robert] Desisto says. "It's really economics-driven."
...
The savings SaaS providers obtain by using open source software can be passed on to customers, added to profits, or used in R&D. Users shouldn't expect to see any cost savings, though, Desisto writes. The savings are more likely to go toward the vendors' bottom lines or R&D.

posted by Noel Le @ 10:19 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (2)

InformationWeek reports on a year-to-date increase in VC funds flowing to commercial open source companies.

The money went toward 20 deals, of which 17 had a publicly disclosed value, resulting in an average deal size of $12 million. "The first quarter of 2008 was the most successful quarter in history in terms of open source vendors raising venture capital funding," writes 451 Group analyst Matthew Aslett. By comparison, 11 deals with disclosed value brought in $100 million in the first quarter of 2007.

posted by Noel Le @ 11:30 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (2)

posted by Noel Le @ 12:43 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (2)

posted by Noel Le @ 10:18 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (8)

posted by Noel Le @ 8:38 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 9:01 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (4)

posted by Noel Le @ 8:15 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

posted by Noel Le @ 8:00 AM | Academia , Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

posted by Thomas Sydnor @ 9:45 AM | Academia , DMCA , Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Privacy and Security , Supreme Court

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (3)

posted by Thomas Sydnor @ 2:08 PM | Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Privacy and Security

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Thomas Sydnor @ 11:54 AM | Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Privacy and Security

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Thomas Sydnor @ 10:00 AM | Free Culture Movement , Internet: P2P, Search Engines... , Legislation and Legislators , Privacy and Security

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 1:44 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (3)

posted by Noel Le @ 12:31 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (3)

posted by Noel Le @ 11:05 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 10:31 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 10:07 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 12:17 PM | Academia , Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

posted by Noel Le @ 2:48 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (2)

posted by Thomas Sydnor @ 10:29 AM | Enforcement & Remedies , Free Culture Movement , Markets: Business, Investment & Innovation

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (12)

posted by Noel Le @ 9:32 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Thomas Sydnor @ 2:26 PM | Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Privacy and Security

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Thomas Sydnor @ 11:50 AM | DMCA , Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines...

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 3:55 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)

posted by Thomas Sydnor @ 9:56 AM | Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines...

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 1:35 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 1:25 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (0)

posted by Noel Le @ 8:48 AM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (3)

posted by Noel Le @ 12:42 PM | Free Culture Movement

Link to this Entry | Printer-Friendly | Email a Comment | Post a Comment (1)