Information Technology and the Law

Although CIPA is well-meaning, I believe that it sets some very scary precedents. Adults can ask the librarian to disable internet filtering, but doing so can come with some potentially embarrassing connotations. This is a clear deterrent for users who want to view material that is protected under the 1st amendment. Recent media events have indicated that such well-meaning censorship is still powerful in its potential to undo our 1st amendment rights.

In April of last year Howard Stern, famous radio shock jock, and one of his syndicated broadcasters, Clear Channel Communications, received the biggest fines in the history of broadcasting, from the FCC. His employer, Infinity Broadcasting, also received very heavy fines shortly after. I admit that the things Howard was discussing in this case, the subjects of the fines, would probably be considered lewd and indecent by most communities’ decency standards; this is not what worries me. What does worry me is the fact that the man who received these fines is one of the most outspoken anti-Bush public personalities.

Howard Stern had been talking about indecent things on the radio for years, and had never received such fines. However, as it neared election time, he stepped up his Bush criticism more than ever. The newly appointed chairman of the FCC seemed to have it out for him. These fines were so large that it became a liability for any broadcaster to syndicated the Stern show, and it was announced that he would no longer be broadcast over public radio waves, and would instead move to the much smaller, less-developed satellite radio market. If this isn’t disturbing enough, here’s another interesting fact: the new FCC chairman was none other than Colin Powell’s son. If anyone owed Bush a favor for being placed in a position of power that he probably didn’t rightly deserve (I’ll leave the reasons why for another post elsewhere…), it was Michael Powell.

FCC censorship and regulation is quite a nice, well-meaning idea and set of laws. It was, in my opinion, used in a very disingenuous way. I could see CIPA being misused in a very similar way. The idea of our current conservative government blocking out sites concerning contraception and birth control has been mentioned, but I could also see this government blocking many other things. Certain particularly violent anti-Bush sites could be blocked, since such criticism of the President is indecent; sites that are particularly insistent that evolution is a correct theory and that creationism is hogwash could be blocked, since evolution is just a theory and it’s indecent to not give creationism the same weight; sites that criticize the war in Iraq could be blocked, since it’s indecent to criticize our brave troops; etc, etc, and more etc.

I find government-mandated censorship in general to be a very slipper slope. Instead of investing in ineffectual filtering technologies, I think it makes much more sense to hire an extra worker at libraries. Children cold be banned from the computers altogether, and allowed to use them only with adult supervision, including the supervision of that one extra library worker who has been hired. I would much rather entrust the child to that adult than violate everyone’s 1st amendment rights. In addition, that adult will be able to filter what the child sees according to local decency standards, rather than a blanket system which is too restrictive in some communities and not restrictive enough in others.

There are many problems inherent in the current ICANN governance system; this much we can agree on. We can also agree that creating some sort of global governing body that would reach agreements on the governance of the Internet would be prohibitively difficult and impractical. Although I at first discounted the idea of having separate ‘zones’ on the internet, each goverened by its own root DNS servers, I now think that this could be made to work.

Let’s assume that the world is split up into zones. Each zone could have its own prefix (like the international telephone system), and be goverened by its own set of root DNS servers. This does not necessarily mean that all of the DNS servers must reside inside the geographical bounds of the zone. In other words, if the US were its own internet zone, it could operate root DNS servers in Mexico and Canada for the sake of redundancy and resilience to server failure.

Each zone would have its own root DNS servers and a governing body, which would make decisions similar to the ones that ICANN makes, except the jurisdiction of each of these governing bodies would cover its own internet zone. These governing bodies would resolve copyright and naming disputes (similar to the current UDRP) only within the confines of their own zones. These governing bodies would be authoritative only within their own zones, and would not be able to lodge copyright and naming complaints against registrars in other zones. So, for example, if Google attempts to register in the Russian zone, but another company or person has already registered www.google.com in that zone, Google will have no grounds to lodge a complaint. However, if Google incorporates in Russia (or does the Russian equivalent of incorporating), it could file a complaint under Russian copyright and naming resolution law. With this system, countries could deal with international copyright issues by negotiating with each other directly, and could even resolve any issues by using their existing copyright treaties. Zones could either be delineated by country, or by treaty among several countries (in order to split the costs of operation).

The technological basis for this whole system would be a change in the Internet Protocol (IP). IP addresses would have to be prefixed by a 6-bit zone code, and each zone’s internet gateway(s) would have to ensure that all outgoing traffic was prefixed by the correct code. This way DNS servers would be able to tell where all traffic originates from, and where all traffic is destined for. URLS could use the following form: [http ://us$www.google.com]. This would indicate that the server is in the United States zone. Users would be able to set the default prefix for their zone (or another for that matter) so that they would not be burdened with typing it in each time.

With this system in place, zones in foreign countries could restrict traffic from others (a virtual trade embargo) and more easily control outgoing traffic to other zones. However, it would be against the best interest of any zone to be too restrictive, because this would limit the usefulness of the internet in terms of commerce and communication value.

Although this system might be a little bit rough to start out with, from a technical as well as a political standpoint, I think that ultimately the internet would flourish. The good thing about this kind of problem is that it is not a “tragedy of the commons” one. Practically, bandwidth on the internet cannot be depleted. The more interaction among people and the better the organization of the internet, the more developed the network could become, with, hopefully, positive affects on many countries that could benefit from a better electronic infrastructure.

Since I like gedanken experiments and hypothetical situations, here’s one: Imagine that the Internet were not a collection of networks all connected by high bandwidth backbone fiber optic connections. Image that the means of data transmission were the postal service. In this hypothetical situation, all data would be delivered to your doorstep on DVDs, and sent to others via DVDs that the postman would pick up from the mailbox down the street (See here.). This Internet model would have HUGE bandwidth, but also very high latency, since it could take up to three days to transfer a parcel of data across the country. Clearly, high-volume servers in this situation would have to indiscriminately accept all data discs, because it would be impossible to know beforehand whether a request is legitimate or somehow violates a dictum that the operator has established. Individual users could more easily vette the information entering their networks. This could be accomplished, for example, by having one computer that remains off of the network and looking at all incoming data before deciding whether to respond to it or not.

What implications does this model of the Internet have in terms of trespass and internet governance as we have studied it?

One of the biggest questions in the debate over whether trespass law is appropriately applied to the situation where a website operator wants to restrict access to his website is whether sending data down a wire into another machine constitutes some sort of derogatory or injurious interaction with the chattels of the operator. Although there is still the question of whether it is possible to quantify the amount of damage done to the operator due to the extra usage of the server, in this model the sender is sending a much more tangible object to the website operator. It would probably be much easier to bring suit invoking trespass law in such a situation, especially if the operator’s physical location were bombarded by a huge number of data discs. This physical manifestation of the data requests would pose a huge burden on a website operator. The the utility of the operator’s chattel, space in a warehouse, for example, would be significantly reduced.

In the case of a website operator putting a disclaimer on a website, this could be accomplished in a much better manner in a postal service Internet model. Data discs sent to clients could be packaged with a shrinkwrap agreement, which I think is stronger than a clickwrap agreement. Personally, I think a physical document indicating a meeting of the minds is important for contracts. If it was obvious on the packaging that opening the package was tantamount to agreeing to the terms of the contract, website operators would have much more of a right to claim that their intentions had been violating if an unauthorized client accessed the material contained in subsequent data discs. In cases like the TOU of Verio or eBay, the website operator could ensure, in a more legitimate matter, that clients would not be able to abuse the server’s services (with abuse defined by the website operator).

In conclusion, this postal service Internet model would probably be more prone to legal intervention and legal red tape. I personally think it would be bad, but it would give website operators much more legitimacy in terms of restricting access to clients.

In class and in readings, we looked at the interaction between a client computer and a server from the angle of the server. From the server’s perspective another computer is asking for some information, and the server responds. When looking at it this way, it seems appropriate to apply trespass doctrine to the situation.

It is possible to create an analogy from the other side of the situation. From the 180 degree angle, the server is providing a portal into its information for the client to access. This is analogous to a person wiring their house with cameras and transmitting each room on a different channel. There may be some channels available to the public (broadcast on public frequencies), and others available to paying customers (who have a cable box that decrypts the scrambled signal). This scenario has a method of access control, just like a website could.

If someone broadcasting material over public frequencies attempted to sue a client for viewing a broadcast, even though the broadcaster had expressly forbidden the client to view it, he/she would surely have no claim in court. Once such material has been broadcast to the public, it becomes fair game and its viewing is fair use - if the material is copyrighted. If a client were to decrypt the signal and gain access to copyrighted material in an unauthorized manner, the broadcaster would certainly have a claim in a court of law.

It seems to me like the model of interaction between clients and servers on the Internet is quite analogous to this one. There is public information and information to which access is protected by password, encryption, and other methods. In this model the only kind of infringements that a client would be able to sue for are copyright infringements. It is the responsibility of the website operator to regulate the information that is hosted there. Putting up information in an unprotected manner and then prohibiting people to access it seems like an act in bad faith. I believe that the operator should be held to the standard that he/she must attempt to impose some sort of protection mechanism on his/her data. Since, by the nature of the technology, basic HTTP password protection is so easy to implement, there is no excuse. At this point, if someone breaks this security mechanism to gain access to the data, the ‘broadcaster’ is protected by copyright law and things such as the DMCA.

Obviously the website operator is taking a risk by having the information possibly accessible to skilled hackers, but it is he/she who is choosing to provide this service. The broadcast operator of the closed-circuit cameras in his house broadcasts this data at his own risk. Information that he/she does not want to be public may very well be transmitted, or information available only to certain clients that can decrypt the signal could be vulnerable to attack by skilled clients. If one chooses to host such a service, he is liable for any damages that he may incur to himself, although he is free to sue someone who violates the sanctity of any copyrighted material he broadcasts.

So, now we have two models of interaction for website servers and clients: the first under which trespass seems to be a good fit, and the second for which trespass has no obvious application. The debate becomes, which model is more suited for this kind of technology. Personally, I believe that the model of a client accessing a multi-channeled information portal is more appropriate for the Internet. My computer does not physically enter another one when it accesses a webpage. Although the communication between a client and server is duplex, and thus more dynamic than that between a signal receiver and a transmitter, I still believe that this model is a better fit for the interaction, and thus using trespass law to protect that website operator’s ability to control access is inappropriate.

One thing that we didn’t really discuss in class is how similar this case is to the case of Sega v. Accolade. In the Lexmark case, the item at issue is the “prebate” toner cartridge for two models of Lexmark printers. Lexmark holds customers who purchase the prebate cartridges to a contract, which specifies that customers must only replace their cartridges with certified Lexmark packages. In the background for the bried it is stated that:

To ensure that consumers adhere to the Prebate agreement, Lexmark uses an “authentication
sequence” that performs a “secret handshake” between each Lexmark printer and a microchip on each
Lexmark toner cartridge.
Lexmark v. Static Control

In the Accolade case, Sega employs a technology called a TMSS (Trademark Security System) to ensure that game cartridges used are authentic Sega products. The brief says:

When a game cartridge is inserted, the microprocessor contained in the Genesis III searches the game program for four bytes of data consisting of the letters “S-E-G-A” (the “TMSS initialization code”). If the Genesis III finds the TMSS initialization code in the right location, the game is rendered compatible and will operate on the console.
Sega v. Accolade

There was much discussion in class as to whether the code contained in the chip on the cartridge should be considered a reasonable method of access protection, and whether it should be protected by the DMCA. I think the question here is not about the way they went about convoluting copyright law and the DMCA for their own monopolistic’ purposes (as Chris put it). I, personally, think that this is a simple case of a clear and obvious circumvention of access control technology. The issue of the copied code being copyrighted is separate. The DMCA clearly states:

No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that […] is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title.
DMCA excerpts

If SCC’s SMARTEK chip is not in violation of this section of the DMCA, I don’t know what is. The Court used logic relating to Accolade causing trademark confusion in order to give injunctive relief to Sega, because the DMCA did not yet exist. It seems like the Lexmark ruling could have been made in a similar vein of thought. SCC was wrongfully engaging in business in a manner that was harmful to Lexmark. But… in addition, SCC’s actions are clearly a violation of the DMCA! There really could have been two cases against SCC here: one for copying copyrighted software, and one for circumventing an access protection system. So, in conclusion, I disagree with the ruling on this case; I think that the injunction should have been granted, such that Lexmark could continue to do business in whatever manner it desired. This belief is strengthened by the fact that Lexmark’s manner of doing business was in no way harmful to society or other businesses (before the entrance of SCC into the picture). It is SCC that has hurt Lexmark unfairly. The Court protected Sega from Accolade’s unfair (or maybe deceiving) practices, why couldn’t it protect Lexmark?

WARNING: This next part is a bit off the topic of the rest of the post.

I think that people are thinking of Lexmark’s “monopoly” in the wrong way. Although it my have liked to, Lexmark in no way posed the threat of completely taking over the market for printers. When we talk about monopolistic behavior here, we should be referring to Lexmark’s attempts to monopolize the market for cartridges only for its own printers. Claiming that this is illegal or wrong is, in essence, tantamount to saying that the producer of a product should not be allowed to be the sole vendor of accessories for that product (because these replacement cartridges are really accessories that extend the use of the product). If my business model is such that only I produce accessories for my product, why should anyone have the right to take that away from me?

In my opinion, it should be up to the producer to decide if they want to allow third party accessories. In some business models this could be considered desirable, because it creates a larger market for the product. But if a company decides that third party accessory-producers are harmful to its way of doing business, it should be protected. A company’s product is its intellectual property, and what does the law or a government exist for, if not to protect the property (defined in a broad sense) of its citizens?

The clickwrap contract is the most common means of deliverance for EULAs and TOUs for commercial software. Often these contracts include provisions that disallow the end-user to:

in whole or in part, copy, photocopy, reproduce, translate, reverse engineer, derive source code, modify, disassemble, decompile, create derivative works 5 based on the Program, or remove any proprietary notices or labels on the program without […] prior consent
Davidson v. Internet Gateway

The software is acquired by purchase from a vendor (either at a store or online), at which point the customer exchanges money for the product, but does not actually have a license to use it; at this juncture it is but a CD and user manual. Only after the clickwrap contract is accepted by the end-user is the user actually licensed to use the software. If the user doesn’t accept the clickwrap, he/she has the option of contacting the software developer for a full refund for the product.

It seems to me like this licensing model puts an undue burden on the customer. In no other instance can I think of a product or service where the consumer puts down the money up front and does not have the legal ability to use it. In all other models that I can think, a terms of use contract or some sort of waiver of rights is signed before money is exchanged. It seems logical to me that the ‘meeting of minds’ that is requisite for a contract to be considered valid should occur before the monetary exchange (which seals the deal).

Intuitively, it seems like a user should know the terms of a contract before going home with a product. I believe that a much better licensing model would be one where the user agrees to a EULA and/or TOU at the time of software purchase (in the store or online). Only after agreeing to the contract should the user pay money, and take the software home. Although software developers offer the option of returning the software at full refund, practically-speaking it is quite a hassle to return the software. In addition, the software developer does not refund the consumer for wasted time on hold while contacting customer support or going to the post office to ship the product back to the developer.

In sum, I think that the roles of developers, vendors and consumers would be much more clear-cut if the order of events in the process of software sales was to be altered. This way, the consumer knows before-hand exactly what he/she is getting into, eliminating the undue burden on him/her. Under this model the software developer’s position is also more clear, because the consumer cannot make the case that he/she is entitled to a seemingly infringing use by the first sale doctrine: the limitations on using the software are set out, and certain rights waived, before the sale.

It seems that in recent copyright enforcement relating to file sharing and P2P, the focus has been on the technology and medium for the transfer of infringing material. Everyone is looking at the secondary infringers who provide the means for the distribution and publication of the copyrighted material. Although the RIAA has sued ‘John Doe’s by the thousand, it has come up against much opposition. (NOTE: I do not support the RIAA, and I do support the free exchange of information.) The reason for all this resistance is the Internet Service Providers’ (ISP) insistence on protecting the identity of their customers.

Although consumer privacy is important and there are many laws attempting to protect consumers, as soon as they infringe a copyright, they are criminals. They are the direct infringers of the copyright, and have, so far, received support from the courts. It seems a bit funny that the court has protected direct infringers and slowed the RIAA’s efforts to protect its best interests (not necessarily those of its constituents). If I owned a television store and had a sneaking suspicion that someone was stealing my TVs, I could report this to the police. The police could have a warrant issued to investigate the identity of the thief and the validity of my claim that he was making it difficult for me to do business. In the case of copyright it is the courts that are the police. The data-stealing thieves are not being held accountable for making it more difficult for the RIAA to do business.

In the 9th Circuit’s MGM v. Grokster decision, Judge Thomas proposes a 3-part test to determine whether secondary infringement has occurred.

The three elements required to prove a defendant liable
under the theory of contributory copyright infringement are:
(1) direct infringement by a primary infringer, (2) knowledge
of the infringement, and (3) material contribution to the
infringement. (MGM v. Grokster)

In discussing the knowledge aspect of the Grokster cases’ analysis, Thomas says that the accused secondary infringer can be held liable if

the defendant had reasonable
knowledge of specific infringing files and failed to act on that
knowledge to prevent infringement. (MGM v. Grokster)

In the case of Grokster it may have been impossible to prevent infringement even with knowledge of its occurrence. However, in the case of ISPs, who are specifically notified that their customers have been caught with infringing material, service providers are impeding the RIAA’s ability to stop the infringement. Acting in this manner seems like it is in contempt of the law. ISPs are giving safe haven to infringers by protecting their identities.

Means of conveyance, such as the Internet, technologies for distribution of data, such as P2P, and other technologies need to be protected, and the discovery of new ones should be encouraged. However, in this case, I believe that the ISPs need to be held to the same standard as anyone harboring a known criminal. If the courts were to rule that ISPs must release the information pertaining to criminals, this would not discourage future technological or artistic innovations. It would simply discourage copyright infringement, or at the very least temporarily lower its incidence by forcing infringers to readjust and find new means of transferring the material. Someone who hosts child pornography or who threatens to kill people on his/her website would certainly be apprehended by the authorities. An ISP would never be allowed to hide the identity of such a deviant. Why should it be allowed to protect the identities of only certain kinds of criminals? It shouldn’t.