Fred von Lohmann's tutorial from O'Reilly Emerging Technology 2003 conference, "Legal Issues and Emerging Technology."

Cory Doctorow
doctorow@craphound.com

--

Vendors are including "handshakes" in their devices now: there's only one reason to do this, so that they can block competitors from interoperating using the DMCA, which bans circumventing access-control. AOL Instant Messenger is doing this to get rid of Jabber and other interop technologies: it's not hard to fake the key that AIM clients use to authenticate themselves, but faking it is illegal because the DMCA forbids access control circumvention.

Hank Barry and Hummer Winblad were sued yesterday for funding Napster. This gives you a flavor of the risk that funding P2P systems can create. Bertelsmann has also been sued for investing in Napster -- on the theory that investing in Napster allowed it to continue for months.

AIMSter, AudioGalaxy, Kazaa, Morpheus, Grokster, Scour were all sued or are being sued for building P2PNets.

Every creative work that is fixed in tangible form is copyrighted. Just writing a note to a friend gives you a whole suite of rights that will last 100 years or more -- life of the author plus 70 years. Copying without permission violates that right: right to make copies, right to perform/display, right to make derivative works.

MP3.com, by making a database of music, made a bunch of copies without permission, and hence violated copyright.

The important thing about all the P2P cases, from Napster to today -- including ReplayTV -- is that the people who were sued never made copies of the music. They produced tech that allowed end-users to make copies. Napster never made a copy. Its users infringed, but so do VCR users, photocopier users, etc.

So the question is, when can you as a toolmaker be held legally responsible for what users do with what you build?

There are two classes of secondary copyright liability: contributory infringement and vicarious infringement.
To prove contributory infringement, you have to prove:

1. That there was direct infringement -- i.e., that end users infringed

2. That the toolmaker had knowledge of the direct infringement -- the courts seem to think that this means, if you knew or if you *should have known*. If a user comes to you and says, "I want to swap Harry Potter books," and you say, "Sure thing, here's how to do it," then you know. But OTOH, if you distribute a piece of software and three months later, you pick up a newspaper and read an article that says, "Your tool is the hot new warez tool" -- is that enough knowledge to satisfy the requirement? The entertainment companies say so.

3. That the toolmaker materially contributed to the infringement. That's not as high a hurdle as you think: the entertainment companies say, "but for your technology, the infringement wouldn't have happened."

Tech companies defend themselves by saying that their tools are capable of substantial non-infringing uses. We don't ban photocopiers because some people may use them for bad things. That's been the chief bulwark against liability for two decades. It's the Betamax defense. HP can ship CDR drives in their machines because of this. Cisco can sell routers this way, too.

Betamax is under sustained attack in all the P2P cases. The entertainment companies are trying to carve that back. Napster is capable of substantial noninfringing uses -- so are Kazaa and Morpheus, and in fact all are used for substantial noninfringing uses today. You can d/l Shakespeare's King Lear from most P2P nets.

But the entertainment companies are winning. They argue that once you have knowledge that infringement is taking place with your tech, you lose the Betamax defense, that it only holds until they tell you that something bad is going on with your tool. This is devastating. The Napster court held that once you have specific knowledge of infringement, the Betamax defense evaporates. If that were the rule, the VCR would be illegal.
That's the meat of the AIMSter case and the Morpheus case.

The lawyers on the other side argue that P2P is different from the VCR. Once Sony sells a VCR, it has no further connection with the device or its users -- lawyers call this the "service/device distinction". But OTOH, if you have an ongoing relationship with a user and the ability to block a user from using the service, the entertainment companies say that that's different. The problem is that judges don't like to be perceived as coming out on the side of "Internet Pirates."

But VCRs come with warranties and Xerox machines come with service contracts -- there is an ongoing relationship with the customer after the sale. But Xerox *could* have a much tighter relationship with its customers, and the reason they don't is that it would open them up to liability. A company that made high-speed cassette duplicators got successfully sued for contributory infringement because they never sold them, they only leased them to their customers.

Foreign countries haven't really addressed this question. 1976 -- the Betamax hearings -- was the first time that a device maker had ever been sued under these theories. When entertainment companies say that making a P2Pnet is unlawful all over the world, it's not true: it hasn't been settled anywhere. There's almost no settled law about contributory infringement.

--

The second theory of indirect copyright liability is *Vicarious Liability*.

If contributory liability is a kind of aiding and abetting, then vicarious liability is "you're responsible for the actions of people under your control." You're responsible for the bad acts of the people who work for you: if a WalMart checkout person punches a customer, WalMart will be on the hook, too.

More generally, you're vicariously liable if:

1. There's some direct infringement (naughty end-users)

2. You had the right and ability to control the infringer

3. Some direct financial benefit flowed to you from the end-user

Right and ability to control can be satisfied by the ability to disconnect the user (Napster court). That's very chilling for people who sell software on a subscription basis.

Direct financial benefit is also pretty loose: it need not be direct nor financial. In Napster, no one was making money, but the court said, ah well, you were trying to make money SOME DAY. They said, "It's enough if the infringing use made the service more attractive." In a fleamarket case, the court ruled that the availability of bootleg tapes at a flea-market made more parking fees for the fleamarket. Selling banners will put you in the stew.

The potential loophole is right and ability to control. Is a EULA enough? It gives you a contractual relationship between you and every user -- this is frigging insane. Laugh with me. But Morpheus has no EULA.

One critical piece of vicarious liability is that there is NO KNOWLEDGE REQUIREMENT. You can be liable even if you had no idea and no way of knowing that infringement was going on -- so long as you have control and financial benefit.

Audience member asks, if I d/l a bunch of DRM music from Pressplay and then break the DRM and send it back, is Pressplay a contrib infringer? Maybe, but it's more likely that they'd use the DMCA to go after the DRM circumventer.

MSFT doesn't think the labels will sue them for making Windows.

Auto-updating is the big battle to come: if you have the ability to auto-update your users, you have the ability to force an update of a "kill-patch." Even an optional update might be enough to be forced to shut down your users.

For a look at the future, consider TiVo: TiVo's primary investors are entertainment companies, so we can't get a TiVo that will commercial-skip. The future will have great tech, like TiVo, but it will be crippled -- like TiVo.

===

Trespass to chattels: This is being applied to people who make some use-without-permission of others' servers.
eBay sued Bidder's Edge because they spidered eBay and "did damage" by reducing the availability of eBay's servers. You have to show damage for Trespass to Chattels: It's not Trespass to Chattels if you pet someone's dog, but it's trespass to *kick the dog*.

There's also the Computer Fraud and Abuse Act: you're not allowed to exceed the scope of your authority in connection with a machine on the Internet. eBay also used this against Bidder's Edge. It's murky what the scope of your authority is in respect of a webserver: but if the server-owner sends you a letter telling you not to go to their site, it's clear that visiting that site exceeds the scope of your authority.

[[SORRY, I LOST THE THREAD HERE A BIT BECAUSE OF NETWORK PROBLEMS]]

[[HERE ARE WES FELTER'S NOTES FROM THE IRC CHANNEL]]

>wmf: mouthbeef is temporarily off the net
> JTP (~Snak@cliff.tibcofinance.com) has joined the channel
>wmf: web services
>wmf: a couple of old doctrines that apply
>wmf: plus the computer fraud and abuse act, which is the main federal
>computer fraud law
>dav: i could load a perlbot that logs the channel to a web page and
>hyperlinks the urls
>wmf: bidder's edge was crawling ebay and aggregating info from 3 major
>auction sites
>wmf: dav: go for it
> dav is ~dav@w110.z208177133.sjc-ca.dsl.cnc.net (* I'm to lame to read
>BitchX.doc *)
> on channels: #etcon
> on irc via server irc.freenode.net (http://freenode.net/)
> dav is away: is away: (Auto-Away after 10 mins) [BX-MsgLog On]
> dav has been idle 18 seconds
>wmf: ebay sued, and won based on the theory of trespass to chattels
>wmf: "I can stop people from meddling in my stuff"
> eLephant (~eLephant@Bio-BB4.Stanford.EDU) has joined the channel
>mouthbeef: Auto-updating is the big battle to come: if you have the
>ability to auto-update your users, you have the ability to force an update
>of a "kill-patch." Even an optional update might be enough to be forced to
>shut down your users.
> mouthbeef has quit IRC ("Leaving")
>wmf: ebay said bidder's edge was no longer welcome on ebay's servers
>wmf: court said that bidder's edge caused damage to ebay's servers,
>because it sucked up a lot of capacity
> bmenasha has quit IRC (Remote closed the connection)
>wmf: ebay claimed that they had to spend money to solve the capacity
>problem
>wmf: also computer fraud -- you're not allowed to exceed the scope of your
>authority on a computer
>wmf: it's not clear what your authority is on ebay's servers
>wmf: another example: register.com
>wmf: register.com competes with Verio
>GamaraPV: Remember there was another side to the case. Ebay shut em down
>(banning their ip) and they raised a stink in the public and the courts.
>wmf: verio was spidering all the whois servers
>GamaraPV: A friend of mine was doing pr for either bidders edge or auction
>watch or one of those.
>GamaraPV: They were up in arms over what they perceived to be a right to
>spider and script against ebay.
>wmf: when verio noticed a new customer in the whois database, they would
>spam them with web hosting ads
>wmf: register.com sued verio, telling them to stop
>wmf: verio claimed that whois data is public (and required to be public)
>wmf: last case: american airlines, AA.com
>wmf: airlines are weird about Web fares
>wmf: Web fares are very cheap but volatile

There are people who say that "Trespass to Chattels" with a website is like WalMart saying, "you can't enter the premises if you plan to take pictures." But it's more like WalMart erecting a window-display and insisting that certain passers-by avert their eyes.

--

The DMCA has made it illegal to circumvent a technical protection measure or traffic in tech that does. A technical protection measure can be as simple as an authentication handshake.

This means that a rights-holder for a movie has a TPM if she puts CSS on the DVD, which encrypts the movie. If you build DeCSS, you're manufacturing and trafficking in a circumvention device.
It's also illegal to circumvent.

This makes it easier to bust tech companies than all the secondary infringement mumbo-jumbo. You don't have to prove what you knew or what you controlled: this category of devices is illegal.

If you impose any protection measure on your content, then you get the power to ban any device that accesses it without your permission. This doesn't mean that adding a bit to your MPEG stream that says, "this can't be read" is enough -- tech makers don't need to make devices that *respond* to a bit, but they can't take measures to get around your control-system.

This has given us the Sklyarov arrest for transcoding Adobe ebooks, and Lexmark v. SCC, and the garage-door-opener DMCA case: Chamberlain v. Skylink. In these cases, the addition of an authentication handshake lets companies sue to keep any competitors out of the market.

Lexmark makes printers and sells them cheap, then jacks up the price on the refill cartridges -- like "give away the razor, sell the blade." So Lexmark doesn't want people to remanufacture cartridges. Lexmark's cartridges have a chip that handshakes, and once it's empty, sets a bit that says, "I'm empty." Even if you refill it, the cartridge will still report itself as "empty."

SCC made a chip that said, "I'm not empty." You could now refill your Lexmark cartridge, add the chip, and it would work in your printer.

Lexmark's authentication "technical protection measure" gives them the benefit of the DMCA. But the DMCA is only supposed to protect copyrighted works -- is there a copyright on toner carts? Hell no. So Lexmark says that its TPM is protecting the copyrighted software on its printers. Lexmark deliberately designed their cartridges so that generating the handshake requires a copy of the printer's software -- for no other reason than to allow them to get into copyright law.

A company makes universal garage-door remotes. They have a clicker that works with any garage-door opener, including the leading mfgr's. The leading mfgr is suing. It's hard to imagine what the copyrighted work that's being protected is, though.