Tuesday, June 05, 2012

DMCA: jailbreaking


Proposed Classes to be discussed:

4.      Computer programs that enable the installation and execution of lawfully obtained software on a personal computing device, where circumvention is performed by or at the request of the device's owner.

5.   Computer programs that enable wireless telephone handsets ("smartphones") and tablets to execute lawfully obtained software applications, where circumvention is undertaken for the purpose of enabling interoperability of such applications with computer programs on the handset or tablet.

Aaron Williamson, Counsel, Software Freedom Law Center.  Proponent of proposed Class 4.  His clients are copyright owners who use flexible licenses.  Expansion of jailbreaking exemption.  Apple, primary opponent of jailbreaking last time; jailbreaking bolstered the market for third-party applications not approved by Apple: over 50 million devices have accessed one store.  Majority of Americans own smartphones (not exactly true—it’s a majority of new purchases, not a majority of phone owners, though I don’t think anyone doubts the trend line).  iPads and other devices are being used in place of computers for most common computing tasks—writing, email, browsing the web, even tracking exercise on smart watch linked to tablet.

Endangers innovation: lockdown prevents installation of non-preapproved software, preventing competition with Apple’s favored apps: now an industry standard. Nearly every Android phone prevents replacing OS.  All mass market ereaders are locked down, as are video devices. So ubiquitous on mobile devices now finding themselves trickling back to traditional computers.  Windows notebooks now prevent installation of unapproved devices; next generation of Windows apps can only be sold through Windows.  Often billed as security features, but purpose is to limit competition.  In the past, you didn’t need to make deals with hardware vendors to make software; that path to success through innovation—followed by Google, Apple, and Microsoft—is now being choked off.

Mozilla can’t circumvent locks on tablets with current exemption, or ereaders, or other new generations of devices.  Makes upstarts at competitive disadvantage. 

Exemption appears quite broad, but it’s only as broad as necessary. Hard to categorize the types of devices emerging: the line between tablet and ebook is uncertain.  What makes Kindle a reader and not a tablet depends on the software; many tablets contain antennas like phones; size varies; applications are similar.  These are all personal computers with different inputs/outputs, used for overlapping purposes; justifications for jailbreaking are the same for each. Making distinctions between them is difficult and hampers competition; going back each rulemaking would put innovators 3 years behind—3 million iPads had been sold before the notice and comment for this round even went out.

Inherent limitations preclude unintended consequences: circumvention allowed only to install licensed software, not to alter existing software.

Brett Wynkoop, New Yorkers for Fair Use.  In support of proposed Class 4.

Wynkoop: I believe in strong traditional copyright, but the DMCA has much less to do with copyright than control.  Device is under the control of the manufacturer, not of the person who bought it.  Most smaller computing devices these days prevent installation of software a user desires to install.  The only reason to lock them up is to allow incumbents to control the computing environment.  If you can’t use it as you want to, you don’t really own the device.  (Reminds me of the reasons to avoid easements in chattels.)

We design ecommerce websites, but also tablet apps for iPad and Android.  Unfortunately, if the incumbents decide we don’t want an app in our official store, you’re locked out of the market, because not everyone is going to go through the process of breaking encryption to accept software.  PC revolution came about because mainframes were by design very restrictive and it was very time-consuming to change anything on an application on a mainframe.  The PC’s increasing power allowed upstarts to innovate—spreadsheets, word processors, whole slew of applications we now take for granted.  Because small, less powerful devices were open and people could experiment.

We shouldn’t have to beg for the right to use our computing devices every three years, but we do.  Shouldn’t matter what size the computer is.  The tiny computer in his hand is much more powerful than the huge UNIX machine he used in his first job years ago.  Allow citizens to have private ownership of their computers and the ability to employ them as they wish to employ them.  This isn’t to say that everyone will employ it legally, but citizens don’t always use their cars or guns legally.  To outlaw a class of tools because some people may not employ them legally is wrong. The focus should be on the illegality of the act. 

Jay Sulzberger, New Yorkers for Fair Use.  Newspapers misunderstand what’s at stake. It’s not about copyright.  It’s about the right of ownership of a computer. 25,000 people signed a comment in favor of these exemptions.  Other side implicitly theorizes that they’ll lose money if there’s an exemption, but that’s not about copyright.  If these exemptions aren’t granted, the present bright line of ownership will go.  Most people don’t in practice hack the Windows OS, but some of us do.  Most people don’t take apart their car engines, but they still have the right to do so.  Doesn’t mean you get to make too much noise when you run it, but you can still tinker.  Without an exemption, Microsoft has declared, it will attempt to stop booting unauthorized software, which means you won’t be able to install an OS that’s different.  Amazon went into people’s Kindles and destroyed their copies of Orwell; this is not an American practice.  Amazon thinks correctly that they own every Kindle until it’s been jailbroken.  Google says that for Chromebooks they’ll require ability to make it open.  The issue is not one of convenience.  The issue is that Americans should be able to buy a product and use it so long as it doesn’t injure other people.  People have spoken: want control over their devices.

Jesse Feder, Director of International Trade and Intellectual Property, Business Software Alliance.  Opponent of proposed Classes 4 and 5.

There are over 100 million smartphone users in the US, tens of millions of tablets.  Over a million apps are available for the major platforms.  Fierce competition exists on the platforms and apps. Consumers have choices.  It’s against this background that the Office should decide about an exemption. Exemption being sought in name of consumer choice.  TPMs at issue play a key role in motivating investment into the platform and the apps.

Class 5 first, since arguments also apply to Class 4.  Haven’t met their burden of demonstrating substantial adverse impact of ability to make noninfringing uses of a class of works.  There are some users who wish to install only limited apps not available through curated distribution model, but no evidence that this is a significant group.  EFF’s statistics about jailbreaking don’t establish that users are jailbreaking solely to install legit apps instead of pirated software.  Many users counted are engaged in piracy.

Even if there were substantial adverse impact, failed to show harm not outweighed by benefit of TPMs.  TPMs are central to distribution system benefiting consumers, content creators, and app developers.  Gives consumers quality and security assurance, and antipiracy assurance for content creators.  Result: many apps, vast array of choices.  Can also choose a platform like Android or Linux that’s more open.

TPMs are precisely the kind of use-facilitating TPMs Congress sought to promote.  Permitting circumvention decreases incentives by undermining attractiveness of platform to developers and consumers, who are interested in the quality of apps and want confidence in quality/security and would be less likely to choose an insecure one.  App developers who experience high levels of piracy see their incentives decline: high rates of piracy on Android drive them to iPhone. 

Moreover, this is not a noninfringing use because it’s not fair.  Inappropriate extension of 9th Circuit cases on reverse engineering.  Sega and Sony involve intermediate copying in developing an end product that’s not substantially similar. Jailbreaking involves creating and using an identical version of the OS. The use of the original program is direct and continuous, not indirect and limited.  Jailbreaking is not transformative. It doesn’t add something new. The hacked OS serves the same purpose as the original OS. 

Clarify our view on 1201(f): narrow exception for noninfringing reverse engineering with important safeguards; jailbreaking wouldn’t qualify.  Not for developing interoperable software.  Customer who jailbreaks also generally is in violation of the license, so there’s no longer a lawful right to use as required. Info to make interoperability is also readily available to app developers.  We do believe that 1201(f) is relevant as expression of congressional intent: interoperability is valid in some circumstances, but only in narrow ones.  Specific exemption existing that proponents don’t qualify for should weigh against an exemption.

Class 4 is far broader than 5.  Reasons to reject it apply here as well.  Also, we know the argument for PCs relies on speculation.  No current noninfringing uses to point to.  Future adverse impact evidence has to be highly specific and persuasive and it’s not.

Right of ownership: not relevant.  The kinds of transactions involved here also involve licensing and other ongoing relationships between consumer and software developer.  Not a sale of a book. 

Steve Metalitz, Partner-MSK, representing Joint Creators and Copyright Owners.  Opponent of proposed Class 4. 

May 17 hearing, it was pointed out that our evidence of relationship between hacking and piracy was rather outdated; we submitted evidence May 31.  Makes points Feder summarized: there is a relationship between hacking and pirated apps; leading jailbreaking store provides both.  While there are competitive models here, and we can compare Apple and Android, the market will decide which models prevail or coexist.  One difference spelled out in many articles is that the Apple model encourages and supports greater development/dissemination of new apps: far more apps available on Apple even though Android has greater market share among consumers; developers are not as eager to exploit the market because it has very high levels of piracy.  In terms of the line between business interests and copyright interests: there’s no statutory basis for that (comment: it’s only in the Copyright Act, after all), but anyway the underlying interests include promotion of copyrighted works.

With regard to Class 4, we heard that you can’t draw a sharp line between tablet and PC; part of this is fallout of failure of proponents of Class 5 to provide any definition of a tablet, and would be unwise to recognize any exemption without a clear definition.  Options are also available in the PC marketplace, and only speculation that there might not be any in the future.  Commodity hardware is available for PCs.

Marcia Hoffman, Senior Staff Attorney, Electronic Frontier Foundation.  Proponent of proposed Class 5.

Consumers will suffer adverse impact without exemption. People have benefited from 2010 exemption, but tablets have come in since then; tremendous growth not just in the market but also in the development of unapproved apps. The people who’ve been making lawful uses for the past 3 years will become criminals, and people doing similar things with tablets will be chilled.  Worth noting that the anticircumvention provisions do carry criminal penalties—not just a worry about being sued.

Class 5 is narrowly crafted.  Articles express concern about piracy; they have nothing to do with exemption for lawful uses of third party software.  Piracy was an issue before 2010 exemption, and it’s still an issue today; no one disputes that. This exemption will clear the way for lawful uses of software; won’t remove existing legal remedies for copyright owners. 

Vast array of available apps: that would be a smaller array if not for the fact that developers can develop for other platforms even if Apple doesn’t approve them.  Jailbreaking encourages competition/innovation.  If developers don’t want to develop for Android, they can develop for other platforms—including jailbroken.

1201(f): Congress couldn’t foresee what we are looking at today; that’s what the rulemaking was for.

Would appreciate the opportunity to respond in writing to the new evidence. But still they’re beside the point because the exemption covers lawful fair uses. 

Sulzberger: Feder said the harms are speculative.  Not true: as of last week, Microsoft has indicated intent to lock most of its computers, all Dell, all HP, all Lenovo, from this day forward.  Won’t be able to install a different OS.  The big issue is that the absolute lockout is the openly declared position of Microsoft, backed by criminal penalties.  Competion in a limited arena: the benefit is not the end user who likes to watch movies; the people who rake in the money are Apple, perhaps Microsoft, Sony.  What arena are we interested in?

Carson: are you saying that Microsoft has deals with manufacturers and there will be access controls preventing people from taking it off?

Sulzberger: you may be able to destroy it, but you won’t be able to install a new OS.  Red Hat decided to pay Microsoft in order to allow Linux to boot.  Without an exemption, it will be the end of distribution of valuable copyrighted works like open source.

Feder: Would have to get back to you on the specifics of the Microsoft deal.  We don’t know how it will play out in the marketplace: it’s speculative.  Applies to a particular chip architecture, but not all. There is still a market for unlocked PCs.  Not all PCs will be impervious to installation of new OS. 

Carson: what’s the point of this deal?

Feder: doesn’t know.  One common thing is to alter the kernel. The more you harden the kernel the harder the system is.  (Sulzberger apparently agrees with whatever this means.)

Ruwe: boingboing called it a “ransom” payment. 

Williamson: doesn’t have specific information about the deal, but essentially there’s a secure boot—a TPM that can lock down the system.  Microsoft published a draft specification that Windows certified computers would have to implement it.  Signal that these measures are moving to PC. Since our initial filing, Microsoft published a new specification. It divides PCs into 2 categories, Intel and ARM.  Intel must allow a physically present user to install a new OS, while ARM must not allow this.  This means that only OSs with keys in the original install will be allowed.

Wynkoop: I believe the reason Microsoft hasn’t written it into stone is that it’s waiting for these hearings to conclude. It will gain a significant business advantage if citizens are prevented from using their tools.

These are not piracy tools.  People can be fed up with cellphone carriers shoving crap onto our phones; my phone has at least 4 apps that I didn’t install and didn’t want installed since I bought it—constantly installing updates I didn’t want. Some aren’t even uninstallable by the device owner.  You should be able to put legal software on hardware you own.

Williamson: competition is not thriving: there are two big platforms, and Mozilla is one of the few players with a credible shot at entering the market, but they rely on the exemption.  Policy against pirated apps; several free software clients have complained that Apple’s store distributes their software in violation of the GPL. Piracy is not limited to jailbroken phones; curation does not solve piracy. The difference you see on Android v. iOS is not necessarily due to openness/sideloading, but rather to lackadaisical approach to review.  That has nothing to do with whether a user is able to jailbreak.

Happy to hear about success of app store, because vindicates the exemption for smartphones: apps have continued to grow uninterrupted.  It’s not adequate that you can make a deal with a particular licensing authority to get a key; one of his clients is a Linux-based OS built from source every time; whatever image you apply a key to would be different from what a user would install, so a key based system could never work.

The statutory standard is not that circumvention be absolutely necessary for the noninfringing use, but that users of noninfringing works be adversely effected. Opponents are trying to elevate the standard.  If we demonstrate adverse effect, you can grant an exemption.

Feder: the language is substantial adverse effect. More than an adverse effect for a few people who want to tinker.  Significant in the context of a marketplace of millions.  Since market alternatives exist, proponents have heavy burden.

Ruwe: what threshold should we use?  100,000?

Feder: would depend on the marketplace, here 100s of millions of devices.  Correspondingly higher threshold.  Also, conceded that jailbreaking facilitates installation of pirated apps. No matter how narrow the class, allowing jailbreaking for the purpose set forth in the class still allows a jailbroken phone to install pirated apps on day 2.  Be cognizant of effect regardless of intention.

Ruwe: but not all jailbroken apps are pirated, right?  I could drive my car badly, but I don’t.

Feder: you have to look at nature of market.  A lot of people are jailbreaking their phones in the belief that it’s legal; maybe they initially have an ok purpose but then they install pirated apps. There is a definite causal connection between jailbreaking and pirated content.  Key point: copyright interest doesn’t begin and end with piracy. There’s more at stake. What’s the economic model?  We no longer live in a world where the sole or even predominant model is sales of copies at a particular price. Instead we have a business model where there are different income streams belonging to different people including the copyright owner of the OS. You don’t sell individual copies of the OS divorced from the rest of the transaction, but it’s not charitable—it’s part of the business model.  (Um, didn’t the purchaser pay for that copy?)  Kindle is sold at a lower cost because of the expected income stream from the sale of books. And if the purpose of jailbreaking is to permit an end run around the business model, you’re saying it’s okay to acquire this work at something other than the customary price.  (“This work” and “customary price” don’t quite match up, but ok.  A little bit like saying that if you go to the bathroom during TV ads you’re stealing from the broadcaster; you are expecting a certain level of return but you don’t make users promise to give it to you because you fear they wouldn’t like that; you hope they’ll overspend their intentions.)

Ruwe: I respect what you said, but I have concerns about user rights and competition. Don’t we have to balance those? 

Feder: there’s competition.

Ruwe: doesn’t the competition stop when I buy my phone, though?  I can’t get rid of the apps they add to my phone.

Metalitz: different competition. If you don’t like how you’re treated, go to another business.  (Ah yes, because there is so much cellphone competition in the US: styrofoam chicken or tough beef?)

Sulzberger: they’re claiming a right to continued control over the entire device.  The DMCA was not supposed to be used for this.  They want the legal power to haul us into court for touching the OS on the device you bought. 

Feder: we’re not claiming that the entire OS is DRM, but that it’s a copyrighted work. Modification of it in order to eliminate the DRM is therefore an infringement. 

Hoffman claims there’s a reliance interest in the existing exemption, but the standard is de novo so that can’t be a cognizable harm preventing you from rolling back an existing exemption.

Hoffman: If we can’t take that into consideration, then that would mean the law would be completely chaotic.  If the Office couldn’t consider whether it granted an exemption in the past (where people are still exposed to liability on an ongoing basis, at least); people would be constantly confused and never know when they could rely. Standard of review is de novo, but it makes sense to consider the effects of prior legal protection.  The effect of disrupting expectations is a factor worth thinking about.

Carson: are you saying that if we let the exemption expire, those folks who’ve already engaged in jailbreaking will be in violation of 1201?

Hoffman: no, going forward. With respect to phones: people who jailbroke under the exemption have done so lawfully.

Carson: we have had exemptions expire in the past.

Hoffman: this one would affect millions.  A lot of people jailbreak/root devices, not 5 or 50 people.  When the jailbreaking tool Absinthe was released, 1 million downloads in a weekend.

Metalitz: if the Office were to decide not to issue an exemption, EFF would certainly inform people about the change in the law.  (With its magic powers of beaming information into the heads of all citizens!  Ah, if only.)  Also, criminal liability only applies for willful circumvention for private gain.

Hoffman: like, e.g., Mozilla?

Metalitz: doesn’t know its situation.  Other statutory provisions might be relevant.  But if 1201(a)(1) were to apply to jailbreaking, wouldn’t necessarily mean criminal liability.

Wynkoop: idea that the effect is limited to a few kooks: netgraft, a site that gives statistics on what software is used by the webservers on the internet.  Over 80% of servers use free software, booted on free operating systems.  If Microsoft’s plan happens, that’s the end of that.  How will we run websites for our customers?  We use a free software stack; at best we will have to pay Microsoft a large fee.  That will have a big impact on consumers.  The half life of a computer production system is no more than 3 years.

Ruwe: is this about operating systems or is there a larger component?

Williamson: we are mostly concerned with OSs.  Many users of smartphones and tablets want access to apps that are not available on their devices even if they don’t want to replace the OS; should take both groups into account. If you have the ability to replace the OS you can also replace the apps.

Ruwe: isn’t that covered by the EFF exemption?

Williamson: as I understand their request it covers both.

Carson to Metalitz: you say installing a new OS might not be circumvention?

Metalitz: do you need to circumvent to install or delete?  I don’t know the answer, and it’s proponents’ burden to show that circumvention is required.

Kasunic: can you completely wipe the software? Is there firmware that sticks?  If you can, is there any copyright/infringement/circumvention issue?

Feder: deleting an OS wouldn’t be an infringement.

Kasunic: or circumvention?

Feder: is there a TPM that needs to be circumvented to delete?  I don’t know.

Metalitz: FSLF submission says that you need to modify an OS to install apps, but you don’t to change OSs.  Why would you need to access it in order to destroy it?

Williamson: definitional issues aren’t easily resolved by cases or the statute.  You might need to modify some OS to get permission to remove it. Three ways in which users are prevented from removing an OS.  (1) withholding admin rights, making it impossible to delete. (2) firmware: system won’t boot without a signed OS; this controls access to the OS, he believes. (3) encrypt the bootloader to make it impossible to install a bootloader.  All of these can be construed to control access to the existing OS.

Wynkoop: As a computer systems engineer and the only one on this panel: if burned into ROM is a tiny program that says “you can’t load anything I don’t want you to load,” then it becomes from a practical point of view impossible to load another OS on top unless you can wipe and reprogram that chip.  Not a lawyer, but a reasonable man would say somebody could call that circumvention. 

Metalitz: looking at statute, installing new OS is irrelevant.  If there’s access control to the ROM, we’re in the right place, but if not, not.

Kasunic: if the purpose of getting access to the work is to obliterate it rather than use it, then what’s going on?

Metalitz: but there is probably another purpose to the access controls on the OS.

Feder: comes back to a security issue. Anti-tampering protection.  There are real factual questions and it’s the proponents’ burden to establish that they’re talking about circumvention of access control for noninfringing purpose and substantial adverse impact.  Can’t answer the technical question, but that’s not my burden.

Ruwe: say the DRM is a physical thing and I ripped it out. Would that be circumvention?

Metalitz: yes.  Same as adding a chip to circumvent access.

Feder: yes.

Williamson: Metalitz construed the issue as need to access; statute asks whether the TPM controls access and then whether your use is noninfringing, and here the OS signing procedure definitely controls access to the work.  We only want to circumvent it to do noninfringing things.

Sulzberger: nobody would have considered this: Congress was concerned about musical works etc.  It’s merely a coincidence/misuse.  Accessing the proprietary OS when you’re fiddling with the bootloader is not a proper concern.

Ruwe: so how can you define a tablet?  Is that an established class?

Hoffman: Looked at a bunch of definitions out there from places like Intel. We suggest a tablet computer is a personal mobile computing device, typically w/touchscreen interface, that contains hardware technically capable of running a wide variety of programs, that is designed with technological measures that restrict the installation or modification of programs on the device, and is not marketed primarily as a wireless telephone handset.

Carson: why include that it contains technological measures?

Hoffman: we thought about in the context of the proposed class.  Define a device that met the criteria we were seeking exemption.  We want to make clear we’re talking about where a device has TPMs that make it impossible for a consumer to install/modify programs.  If the goal is to define a tablet out of context, that might not be necessary. We did want to differentiate it from a smartphone.

Carson: new and potentially helpful suggestion.  Send us the text and we’ll ask for reactions.

No comments: