Author Archive for Eric Ma

The Danger of Filters

So exactly how good is Internet filtering technology? Even if strict scrutiny isn’t applied to the Children’s Internet Protection Act (CIPA), the government still needs the filtering requirement to be substantially related to its goal of protecting children from obscenity on the Internet. The American Library Association provides a list of eight of the most commonly adopted filtering technologies used in libraries, with a brief description.

Questions remain, though, about the actual quality of the filters, and how much they “underblock” and how much they “overblock”. Dan introduced some alarming anecdotal evidence on the problems created by bad filters. One item we didn’t address much that is of significant concern for many is the power filtering technology companies have in light of legislation like the CIPA. Are we sure it makes sense to allow someone the power to restrict the information we can receive from the Internet? How can we be sure software providers don’t have an alternate agenda, and seek to block things beyond obscene pornography?

It’s not just a wild hypothetical – it’s happened repeatedly. While it is true that keyword blocking has accidentally blocked sites discussing “chicken breasts” and unsophisticated object blocking has blocked art instead of pornography, a much more threatening type of filtering also exists. Virtually all filtering software has a pre-included list of URLs that are to be blocked, and what URLs have shown up here in the last decade might surprise you. CyberSitter (an award-winning software, no less) once blocked TIME Magazine’s website due to an article that criticized CyberSitter as a product. Other blocked sites have included the ‘National Organization for Women’, anti-racist websites, gay politics websites, and more. The power to control information is not something to be taken lightly, and the abuse of this power is a real, if not widespread problem that we ought to consider with regards to filtering.

A skeptic might say, “but filtering software that made such choices (or accidentally overblocked) couldn’t do so over the long term – word would get out about what sites were being blocked, and they would quickly be added to the safe URL list. The ability to add sites to the safe list means filtering software essentially rapidly improves.” I was hoping this was the case – I’m now not so sure it is. In 2001, Ben Edelman, a Harvard researcher, published a list of sites inappropriately blocked by popular software. Despite publishing his findings and sending this list to the software companies, five months later, most of those sites were still blocked. You can read about it here (scroll about one-third of the way down).

Of course, this evidence is anecdotal, and one can argue that this evidence doesn’t illustrate that severe a problem. Nonetheless, it’s irrefutable that bad things have happened before (far worse than not being able to access the web page of Middlesex) and it would be naïve to think it could never happen again. That’s why, if you support filtering software, I think it only makes sense for the CIPA to mandate that any adult be able to request that the filter be turned off. How often do you even look over people’s shoulders at the library to see what’s on their monitor anyway? Free flow of information is extremely important to protect, and given the problems presented by filtering software, it makes sense to allow adults to turn off the filter at any time.

Internet Invasiveness

The Communications Decency Act of 1996 (CDA) was found by the Supreme Court to be unconstitutional in the 1997 case Reno v. ACLU. The CDA prohibited internet transmission of obscene, indecent, or patently offensive messages to people under the age of 18. In its reasoning, the Supreme Court noted what it thought to be key new aspects of cyberspace that made it distinct from the media covered by previous indecency laws.

the District Court found that the risk of encountering indecent [Internet] material by accident is remote because a series of affirmative steps is required to access specific material.

. . . [S]ome of our cases have recognized special justifications for regulation of the broadcast media that are not applicable to other speakers. In [those] cases, the Court relied on the history of extensive government regulation of the broadcast medium, the scarcity of available frequencies at its inception, and its “invasive” nature.

Those factors are not present in cyberspace…the Internet is not as “invasive” as radio or television. . . .

Ignoring for the moment the issue of whether traditional broadcast mediums such as television and radio are in fact invasive in nature and thus deserving of limited First Amendment protection, it’s interesting to note the distinction the Court makes, which I contend is not that obvious a line. Restricting indecent content on television and radio is not narrowly tailored – clearly preventing youths from viewing this content also prevents adults from accessing it. The same is true of the content-based restriction put forth by the CDA. The CDA appears to have other overbroad elements, but in this aspect, is there really a recognizable difference in invasiveness?

I’m sure all of us have at one point or another encountered indecent content or images when online without taking a series of affirmative steps attempting to access that content, whether that’s in the form of disguised spam or advertisements or any of the other mechanisms in use. It’s not at all clear to me how one draws the line between an unwanted pop-up ad and a television broadcast as being different in terms of invasiveness. They would seem to me to be precisely the same.

I don’t think the Court understood this issue or the technological capabilities at work here. It would almost seem to me that the underlying argument for television restriction has to do with the prevalence of television viewing, in contrast to the prevalence of significant internet browsing when this case was first brought in 1996. But it was shortsighted and ultimately incorrect reasoning if the Court subconsciously thought, “well, if you don’t want Internet indecency, just don’t go online – but everyone watches television, so we have to be more vigilant there.” Of course, this is merely conjecture – but I don’t see any other plausible reason which would truly explain how the Court argued that the Internet was fundamentally less invasive than other mediums. If the Court was wary of restricting content in such an information-rich medium as the Internet, then that standard ought to apply to television and radio broadcasting as well.

Re: Technical Incompetence

Unsuspecting Innocent points out that a crucial underlying question in cases of computer trespass is implied consent. Archer, if I read correctly, points out that consent is difficult to ever know, because consent may actually exist, or it may be the result of technical incompetence, and since such confusion exists, placing a burden on a particular party should be avoided.

Ultimately, neither technology providers nor computer administrators can be held responsible – that would be an incredibly slippery slope leading to a wide range of possible liabilities for bugs or failure to inform about some risk. Also, those accessing the network resources should not need to weigh and discern whether people intended their content to be publicly viewable.

I tend to disagree here that a burden on website administrators or network drive owners would not be sensible or effective. (Definitely with respect to websites – I’ll concede I’m on shakier ground with the more private-in-nature H drives). It doesn’t really matter that consent and intent are not fundamentally knowable (without significant information costs). The value of implied consent is that, given a certain set of parameters, consent is implied so strongly that we no longer care if consent actually exists – to question the situation at that point would be inefficient, and at this point, the burden shifts away from the network user.

What would be the optimally efficient setting for implied consent? Not setting permissions is a measure I like a lot – it’s clear to network users, a sort of “bright-line” indicator. Although it is a valid point that currently, many users are unsophisticated and do not know how to set permissions, I think its magnitude can easily be overstated. We live in a world where people are increasingly computer-savvy, not increasingly ignorant. Setting permissions is not difficult at all to learn how to do. Sure, initially, some people might find themselves in unfortunate situations due to their lack of computer knowledge. But in the bigger picture, this would spread caution quickly. If you think back to when we all first had computers, how many of us were regularly running virus scans? Now, America Online advertises in national commercials that their product comes equipped with virus protection.

As much as we laugh at our older bumbling relatives and their computer inabilities, the fact remains that when significant risks are out there, people do eventually learn more about what they should be doing to protect themselves. Even among the unsophisticated, local network use and web browsing have become so commonplace that I doubt placing a burden on owners will cause people to say “Gosh, this permission stuff sure is tricky. I’ll just give up entirely and disconnect from the world.” If setting permissions is what people feel is necessary for adequate protection, it will happen, and sooner than we might think. Placing a permission-setting burden on those with the power to do so will surely have some short-term casualties, but soon enough, we’ll be in a permission-filled world, and actual consent will catch up quickly to implied consent.

Place a Burden on Websites

Nitin and Lauren both argue in this week’s posts that website owners and operators should not have the burden of implementing security measures to prevent unwanted trespass. Both reference an interesting analogy – that of auto theft. Consumers certainly can take security measures against auto theft, but the law doesn’t require it – and similarly, this should not be the case for websites. The analogy is certainly a compelling one, but ultimately, I don’t think it’s well suited to the cyber trespass issue, if you believe, as I do, that the value of property rights is rooted in economic efficiency, and not fundamental notions of fairness.

Even assuming that websites are real property, they are a very different kind of property from cars. We don’t want people to take other people’s cars – we do want them to access other people’s websites. An open cyberspace has significant positive network externalities. If you remember the great tech stock bubble of the late 1990s, everyone used to argue that the Internet was an innovation unlike any other, because unlike the car or the light bulb, it exponentially increased the speed of the flow of information, which would in turn rapidly increase the rate of innovation. While the business world wasn’t instantly revolutionized as many thought, the argument still contains significant truth. Website creators aren’t the only people who add value to the Internet. Of course we want to encourage website creation, but the value of the Internet isn’t just websites. It’s also users. The more users you have accessing many sites, the faster information will flow through society, and this is a critical positive externality of the Internet. Compared to fifteen years ago, we know far better what products we should buy, what prices we should pay, what universities we might want to attend – the list is endless. My concern may seem farfetched, but the magnitude of importance of protecting the free flow of information is not to be dismissed.

In a world where website creators had no burden, and could exercise their cyber trespass rights at any given moment without any burden to meet, we might see a terrible thing start to happen. Maybe not a drop in people who use the Internet (I realize that’s unlikely), but the variety of sites they access could certainly drop, and that would be a horrible thing to have happen.

There are, as we’ve seen in the cases, sensible reasons why website creators ought to be able to restrict access in certain ways. But as a society, we ought to err on the side of allowing open access to websites. Thus, it’s sensible to place the small burden on website owners to have to take measures to prevent trespass.

Companies Have Usage Protection - via Customers, not Engineers

Sebastian’s post raises interesting questions about the rights a company should have to limit “interoperability” products from third parties:

As with the Sega case, I still don’t see the reasoning why a developer of a new product cannot protect the product from use by other third-party developers. To clarify, why is it that Lexmark cannot enforce that only Lexmark cartridges are used on its printers?

My interpretation of the situation is that Lexmark can, and does, enforce that Lexmark cartridges are used on its printers. The important thing to bear in mind, though, is that Lexmark can do this with respect to their customers, but not with respect to their competitors. Assuming that the shrinkwrap agreement is a valid and enforceable contract (Judge Feikens says it probably is on page 30 of the ruling), Lexmark requires customers not to use third-party cartridges. The setup is beneficial to both parties, and like the example posed in class of car parts, Lexmark certainly is within their rights with such a business model, and could take action against customers who breach the contract. But Lexmark does not have an all-encompassing right to stop other companies that provide products or services which, when used by customers (by the customers’ own choice), violate the contract. Lexmark attempted to beat this with a copyright loophole, but I think the court was correct in not allowing Lexmark to claim DMCA protection.

Interestingly, reverse engineering is on the line in a case pro-reverse engineering people would never use as their model. SCC’s reverse engineering in this case doesn’t do many of the fantastic things that Unsuspecting Innocent mentions. SCC, in its verbatim copying, didn’t gain much useful knowledge for society and future products. They didn’t open up new dimensions of printer use that previously had not been imagined or exploited. In fact, if third-party cartridges caught on, it’s pretty easy to make a case that Lexmark might eliminate this business model, hurting consumers, who no longer have the option of getting money now in the form of a printer discount, in exchange for purchasing cartridges later. (This particular case is notably different than the Playstation case. Arguing that an emulator will lead to Sony no longer making future Playstations, a product, is more farfetched than arguing Lexmark might discontinue the prebate system, a business model.)

But even though SCC might not be the great innovators of our time, the court noted that the SMARTEK chip had other functional computer programs beyond circumventing Lexmark’s sequence. The court appears to have a broad definition for “independently created computer programs” as written in the DMCA, and I think this is correct. Simply because the chips contain an exact copy of the Toner Loading Program does not mean they are not independently created programs. Normatively, I think this is correct – we want products that add value, and even though SCC’s added value may be small or not obvious, a low bar protects reverse engineering and allows consumers to obtain better products even if there is some verbatim copying. Why should we have to wait until engineers understand every single minute detail to get product improvements? I think the court’s decision is the correct one to protect reverse engineering, and I am pleased that the court looked at broader implications, rather than the value of SCC’s reverse engineering, which may not be that great.

Provisions Prohibiting Reverse Engineering in EULAs

Our discussion of the bnetd case today in class prompted the question of the normative value in allowing software sellers and buyers to agree on contracts which explicitly prohibit otherwise fair use, such as reverse engineering to access otherwise irretrievable data or files in the process of making a new product. The question was posed as to whether Congress should pass a law prohibiting a EULA from having such a provision.

There is nothing wrong with signing a contract that removes a privilege or a right you otherwise would have had. We make these kinds of contracts all the time – and for rights that may seem far more valuable than the right to reverse engineer software. Free speech serves as a nice example, whether explicit (a gag order) or implicit (doctors and lawyers). Contracts are, in a word, great. A good contract allows us to know what the parties involved actually want to happen far more accurately than what broad judicial rulings will come up with in the absence of a contract. (Whether software buyers are actually reading these contracts is a related, but different issue.) If rational, competent parties agree to a no-reverse engineering provision, we shouldn’t block it because it removes rights.

Dan’s point that there is a collective action problem here is well taken, and caused me to re-think my position. It is quite possible all software makers feel it is in their best interest to prohibit reverse engineering, and I doubt it’s disputed that for most software buyers, such a provision would cause no loss in expected value. Thus, reverse engineering of software would be completely prohibited, and Dan quite rightly points out that reverse engineering has significant value.

I don’t have a problem with Congress passing a law prohibiting the exclusion of fair use in EULAs, but an important distinction needs to be made. In order for such a law to make sense, you have to feel that the value of reverse engineering is greater than the value lost by not allowing software producers control of their product in this way. Clearly prohibiting reverse engineering has some value to the software makers (and hence society) – otherwise they wouldn’t put it in their EULA. I would also add that you should probably also feel the value of reverse engineering is obviously significantly greater than the no-reverse engineering alternative because legislation that prevents parties from forming contracts they would otherwise agree to readily should not be taken lightly. Law that turns over a reasonable contract ought to have some excellent reasons behind it, not merely a debate that might seem to lean in one direction. In any case, the rationale for such a law cannot be that it is to prevent software companies from denying otherwise existing rights. Those sorts of contracts are everywhere to be found – the reasoning has to be that reverse engineering of software products has tremendous value, and the aforementioned contractual provisions, while acceptable to the parties, have very negative consequences to society.

It’s Also Difficult for Congress

The internet amici brief makes their opinion quite clear (and several people in class seem to agree) that the issue of secondary liability for copyright infringement is an issue best left to Congress, and the Supreme Court should take pains not to overreach, since only Congress can appropriately address this issue.

Before I get to what Congress can and should do, I’d like to offer my personal opinion that in reality, Congress isn’t going to do anything. If history serves as a good guide, the relatively recent passage of the Digital Millennium Copyright Act implies that Congress isn’t going to be eager to legislate on this again very soon. I can’t imagine the issue is truly as high on Congress’ radar screen as the internet brief would have you think. Senator Hatch gave it a shot – not with regards to the RIAA, but for obscenity reasons. This is not that big a deal for many voters, it’s extremely difficult to legislate on, and even if effective legislation were crafted, the political advantages of being the Senator who helped resolve this issue can’t be that great.

At least the Internet amici do put forth a proposed law, as Unsuspecting Innocent commented on earlier. As narrow as this document tries to be, it’s still riddled with problems that require pages and pages of more detail. What exactly would majority revenue entail? If a P2P service had a subscription fee, and I signed up, downloading some illegal files, but only uploading my own written poems, would my fee count in the majority revenue test? What if I had more poems than illegal files? What if I wouldn’t have paid the fee had I not had the opportunity to share my poems? The proposed majority revenue test also includes advertising revenue. But what would happen if the P2P service was primarily used for infringing uses, but the click-through rate for the advertisement was primarily from non-infringers using the P2P service? And these are just some of the questions I have solely regarding the majority revenue standard.

What I’m trying to illustrate is how difficult it will be for Congress to create (or someone else to create, and Congress to approve) effective narrow law on the subject. I understand that just because something is difficult doesn’t mean we shouldn’t try, but as I mentioned earlier, I don’t think Congress will. Thus, I think it’s imperative that the Supreme Court establish clear broad precedent with their ruling, instead of producing a wishy-washy ruling and begging Congress to step in. I once wrote against the bright-line Betamax test, but I’ve come around. Whatever the Supreme Court decides, a bright-line standard is critical, because even though it has costs, it beats a narrow 200-page long law that effectively does nothing. And if Congress really does want to act? A bright-line standard (either the Betamax one or something else) provides a better incentive to push Congress into action.