Moderator: Jennifer Stisa Granick, Stanford Law School Center for Internet and Society
Quick overview of 1201 and 1202: primary prohibitions in 1201, with specific statutory exceptions and an exemption procedure done through triennial rulemaking. Prohibitions: acts of circumvention and trafficking in circumvention tools or services. Acts prohibition bans circumvention of measures that control access to a copyrighted work, but no prohibition on circumventing copy controls. TPMs = another term, technological protection measures. Trafficking covers both access control and copy control. Exceptions recognized that legitimate activities could be affected.
Tyler Ochoa, Santa Clara University School of Law: 1202, protection of copyright management information (CMI). The idea was to encourage reluctant content providers to put their content online; foreseeing that when you have digital information, it can carry additional information about copyright owner/permissions/licenses/etc. Idea was that this information would travel with the work, and content providers wanted to ensure that it was preserved/not altered. 1202(a): False information: Notice the dual intent requirement: you have to know the info is false and you have to have the intent to induce, facilitate, or conceal infringement. 1202(b) deals with intentionally removing information or importing CMI knowing it’s been removed or altered (which seems weird, and explains why we never see (b)(2) cases), and with distributing works knowing CMI has been removed or altered, with the same dual intent requirement—you have to have the intent to induce, facilitate, or conceal infringement. The intent requirement has proved most important in litigation.
Definition of CMI: information “in connection with” copies/phonorecords/performances/displays—this has turned out to be contentious in litigation too. Exceptions exist for broadcasts, since broadcasters apparently had the clout to get it. However, usage information (privacy-related) isn’t considered CMI.
Litigation issues: (1) is CMI limited to info in digital form, since that was the basic idea? A couple of district courts initially looked at intent/history. But courts have come around to the view that digital isn’t the exclusive protected CMI.
(2) What is the nature of intent required? Company erroneously thought it had permission to use a work; testified that it wouldn’t have used the work had it known it wasn’t cleared. Court found no relevant intent, though did say in dicta that vicarious liability for violations of 1202.
(3) Intentional and inadvertent stripping of metadata. (Tumblr, are you listening?) Many basic tools automatically strip metadata, including when you resize a photo—happens on Facebook, Pinterest, Google Docs, Flickr—unless you change the defaults, the metadata is stripped out. Example: Getty licensed a bunch of stock photo images to Google Docs, and the processing stripped the metadata. Photographers were understandably upset. But again, you have an intent problem.
(4) What is “removing” CMI? What if you just copy something without copying the copyright notice? Is that removal? If a notice is at the beginning of a book and you copy a photo in the middle of the book? If the copyright notice is on a different part of the website, or if it’s next to a photo and you copy only the photo, is that part of the CMI?
Ed Felten, Princeton University Center for Information Technology Policy
Many of us in security research were alarmed when the DMCA was proposed and wrote to Congress—our past research had led to good things like the internet. But we were unsuccessful; a provision in the statute was supposedly believed to help us, but never covered any research I’ve ever considered doing. Research on TPMs has been devastated by 1201, and I and many others don’t work in the field because of what happened when some tried.
One story is well known, the other not but more disturbing in many respects. The first story is research I did on CD copy tech at the invitation of the music industry. We were open about our research, but received legal threats to conference organizers, the venue, etc. We ultimately succeeded after 6 months of delay, one collaborator having to change jobs, another having to take his name off of what he considered one of his major works. That happened because someone didn’t like our results and had the ability to harass us with 1201.
Research with Alex Halderman: a major record company was shipping CDs that installed spyware. We knew this, but felt we had to consult counsel before alerting the public. Because we’d have to admit that we’d engaged in acts of research. Meanwhile, more and more copies of the spyware were being installed on people’s computers. This was what disturbed me most: I had to sit on my hands while I knew about that. As it turned out, someone less risk-savvy discovered the issue and published, and then the floodgates were opened. This allowed us to get a triennial exemption, which is very difficult; we no longer ask for exemptions, since we’re resigned to not doing research in these areas. That’s to the detriment not only of the computing community broadly, but also of many people who advocated for anticircumvention in the first place. It would be possible to write a better research exemption, but we don’t have it. Until that changes we’re stuck and won’t see research in this area resume.
Granick: what would such an exemption need to give you what you need?
Felten: would have to apply to legit computing research generally, not just encryption, which is the least interesting/challenging aspect of TPMs from a research standpoint. There’s nothing special about TPM encryption; if we wanted to research encryption we would. We need to be able to disseminate our results openly, as we do in other areas. There is currently an exemption meant to cover dissemination, but written in a way that’s uninformed about research community practices—allows me to share tools with my collaborators—person who is working on the project with me. But if someone just wants to understand what I did, or wants to use it for another project, which is the most common thing, then that’s not covered. Most researchers don’t even know about the exception. Written without understanding of the research process. Needs to be broad and needs to focus on legitimate research.
Corynne McSherry, Electronic Frontier Foundation
Impact of 1201 on fair use, innovation and competition. Not convinced that all these consequences were unintended. Updated version of EFF white paper available; here are some highlights.
DMCA’s interaction with DVDs set the path. There are a lot of reasons people want to interact with DVDs in unapproved ways—remix, backup, skip commercials. To be clear, the encryption was broken right away. Followed with lawsuits to shut them down in all kinds of ways. RealNetworks RealDVD was shut down despite using TPMs to prevent uncontrolled copying; it was enabling normal, personal use. What wasn’t taken out of circulation: the circumvention tools like MacTheRipper, HandBrake, and other easily available tools. DMCA didn’t stop the tools and didn’t stop people from using them, just created a legal threat over everyone’s head. Essentially have given Hollywood a veto on innovation. As a practical matter, if you want to innovate in DVD or Blu-Ray, you need a license from content owners—and from competitors! You have to get them to agree that your tech is acceptable; shouldn’t give a small group a veto on innovation.
Videogames: Sony sued people for putting Linux on PS3. Blizzard sued volunteer hobbyists for providing World of Warcraft alternative service. These are people who bought the game, used the game, wanted to adapt it for their own purposes.
At least those have some tenuous relationship to copyright, but of course there’s a whole series of cases just about stifling competition: garage door openers, printer cartridge refills. Those people won, but only after long, expensive fights. What we’re already seeing: software built into all kinds of devices. That software comes with digital locks, and if you want to repair those devices or interact with them, you may have to break those locks, so we’ll keep seeing these cases. Also worried about all the innovation we won’t see because people are afraid, just as security researchers are afraid.
Cellphones: very clear that DMCA threat was about business model, not copyright. Unlocking/jailbreaking has nothing to do with protecting copyright in the OS on the phone—locking you into a particular carrier or app store. DMCA exemption that used to exist for unlocking no longer exists, and that got lots of people concerned. Hoping to use that interest to look beyond cellphone unlocking and think about 1201 and innovation more broadly.
Granick: in 2006, I applied for an unlocking exemption allowing people to switch networks. Was granted; no one was more surprised than I was. In 2009, it was renewed with additional exemption for jailbreaking. In 2012, a number of entities applied for unlocking but it wasn’t granted and therefore expired, prompting public outrage and a petition to the White House with over 100,000 signatures. White House responded by endorsing unlocking, as did the FCC. That has led to congressional attention, with at least 3 proposed bills. Her analysis is in this blog post. How do panelists think about this?
Felten: symptom of larger problems, and of failure of exemption to provide actual safe harbor for noninfringing uses that are likely to be affected. In practice, the Copyright Office holds you to a much more difficult and higher standard, and this is just an example.
McSherry: would dump 1201 in its entirety—prohibition is incredibly broad, with tiny bits and pieces bitten out; legislation should have instead been more tailored in the first place. It can’t stop with cellphone unlocking, a symptom of a broader problem. It would be a shame to stop there; we need hearings on 1201 in general. It’s exciting that folks are paying attention, and it would be a great idea to fix unlocking. Short of repeal, clearer and broader built-in exemptions that you don’t have to go in and ask for would be a good idea and wouldn’t violate our existing trade relations.
Some have expressed concern that we adopted 1201 for treaty obligation reasons, and since then we’ve made additional free trade agreements with anticircumvention provisions. Anyone in Congress should feel uncomfortable that the US Trade Representative asserts that the USTR is the boss of Congress. Our flexibility to adapt over time is at issue; these agreements are negotiated in secret/without public participation. The more targeted issue: some of the relevant agreements include provisions for renegotiation of specific exceptions and limitations; we aren’t prevented from enacting new legislation/reforming our legislation. If we are, the executive/legislative relationship needs to be revisited.
Ochoa: Article 11 of WIPO Copyright Treaty says we need adequate legal protection and effective legal remedies against circumvention for uses that are unauthorized/not permitted by law. That’s a very general provision that has been interpreted in lots of ways by different countries. In Europe, they say that if there’s an exception, the manufacturers have to provide a key so that you can use the exception. We could do lots and still comply.
Also, independently, we violate our treaties all the time. Art. 6bis of Berne requires us to protect moral rights; we don’t; we haven’t changed. We were the first country held in violation of the copyright and the TM provisions of TRIPS, and we haven’t changed. Why we’re worrying about this treaty strikes him as bizarre.
Q: First Amendment arguments about security research?
Felten: thinks it should be, but isn’t willing to risk his house.
McSherry: arguments have been made, but not successful yet. SCt says that fair use and idea/expression are the only limits on copyright from the First Amendment.
Ochoa: No content owners on the panel. If we want to revise this: it’s getting hard to tell the difference between legit research and people who just want to crack things as a hobby or to provide circumvention tools. It’s easy to say Felten is a professor at Princeton—but how do you draw a line? Same problem comes up with “freedom of the press”—is every blogger a journalist? He’s not necessarily sympathetic to hard and fast lines. Paul Goldstein says copyright laws are driven by fear and greed. Copyright owners fear that all sorts of people will claim research.
McSherry: you can tell the difference between people circumventing to infringe—they’re the ones who don’t care about the DMCA.
Granick: we shouldn’t treat people differently based on status for First Amendment purposes: we don’t treat hobbyists differently from professors. It’s not about the speaker or the tastefulness of the speech. Regulation of acts is different, but distribution of information needs to be allowed.
McSherry: tools become words/code as speech. The statute is written as if black boxes will do all the work, but it’s information.
Felten: shouldn’t use formal credentials to decide who’s a researcher; some of the best are just out there discovering things. You can find out whether someone is a researcher by looking at what they’re doing: are they disseminating information useful for increasing knowledge or disseminating tools designed for circumvention. The line-drawing argument is used against credentialed researchers; the first time he got in trouble it was for a peer reviewed paper, and the second time it was to investigate the strange things happening on people’s computers. The current distinction isn’t working, and the reason researchers got threatened is that people were afraid we would disseminate inconvenient knowledge.
Ochoa: the problem is that the law-abiding people are the ones who are being chilled, and the lawbreakers are ignoring it. That makes it ineffective. But what was DeCSS?
Felten: First, the work by Frank Stevenson to reverse engineer the algorithm and talk about how it worked was very clearly research. DeCSS is code; it’s the most effective way of describing how the algorithm works. Code is how researchers talk to each other. DeCSS in itself is not an effective means of circumvention; you need a lot of facility to make it work. DeCSS-like things have been used to make circumvention technology, but it isn’t itself one.
Ochoa: but that means that lots of people don’t decrypt things if DeCSS is hard to use. Lots of people can’t take advantage of the widely available tools. (This is a mistake of fact—if DeCSS were the only widely circulated tool, then he’d be right, but DVD Decrypter is the widely circulated tool.)
Felten: except that there are tools that are packaged for easy use. You can buy them easily. (See also: VLC.) It’s security research—the stuff that operates on DeCSS—that is affected.
McSherry: remember garage door openers—there are many tools affected here.
Q: Unenforceability as an argument: but many people won’t trust something unless it comes from a respectable, reliable source since some tools circulating on the internet might be bad for your computer. You can’t enforce the law against the competent, but can prevent the mass market violation.
McSherry: The only thing that slows the tide is providing people with good, lawful, easy, better alternatives. (Remember, even the incompetent can use BitTorrent, where they don’t even have to download DVD Decrypter!) This just drives people underground. What’s the cost benefit analysis? Is the speedbump worth all the negative effects and collateral damage that comes along with it?
Granick: other indicators of reliability exist, like open source status, reviews, recommendations, number of downloads—unsophisticated users don’t even know how spyware gets on their computers.
Ochoa: this is what proponents thought would happen. Movie industry thought CSS would be broken eventually (though not in 4 hours). Thought it would keep tools from being widely available. But that failed. What worked is making content lawfully available.
Felten: if the industry did due diligence it would have known that a teenager could break it in 4 hours. They did hire people who knew better. This idea that you can keep infringing works out of the hands of people is demonstrably not working. The plan to force people to comply with copyright by preventing them from having access to tools hasn’t worked (or ripped copies). The only thing that works is providing something they’re happy to pay for.