Information Technology and the Law

In US v. ALA, the majority opinion takes a very narrow view of the purpose of libraries, and seems to wish to attempt to ensure that the libraries continue to fulfill only their traditional role. As the opinion states, “… public libraries seek to provide materials that would be of the greatest direct benefit or interest to the community. To this end, libraries collect only those materials deemed to have requisite and appropriate quality.” (Internal quotes omitted.) The opinon also quotes a document which states that “a hypothetical collection of everything that has been produced is not only of dubious value, but actually detrimental to users trying to find what what they want to find and really need.” While these quotes certainly do apply to libraries in the context of their traditional purpose (i.e., lending books), their use in support of the court’s decision demonstrates that the court has fundamentally misunderstood the situation of the libraries’ provision of Internet access in at least three different ways.

First, many libraries may not wish to curate their Internet access in the same way they do their print collection. The Internet is an extremely large resource and is extremely dynamic, which would make it difficult to select the most beneficial or most interesting parts of it in any kind of timely fashion, even with a substantial staff dedicated to the purpose — which very few libraries, if any could afford. If a library chooses to provide Internet access to its patrons, perhaps this suggests that the library has decided that the Internet as a whole is a resource worth providing, despite its inability to examine all of the material it contains.

Second, a library’s traditional role towards the selection of material is positive, not negative — while its role in the selection of worthwhile Internet material is usually the opposite. A positive role, in which the library affirmatively chooses what material to display in its collection, indicates that the most important limiting factor in the size of the collection is not a dearth of worthwhile material, but rather the library’s limited resources and inability to make an infinite number of items available to its patrons. A negative role, in which the library displays everything by default and eliminates objectionable material from its collection, indicates that the limiting factor is the amount of worthwhile material and not library resources. The court in this case errs in determining that negative filtering is within a library’s typical or necessary role. This brings me to the next part.

Third, a filtering software does not help a library to find the material that a patron desires to find. In fact, any negative filtering method generally will not help a patron find information — even after the elimination of all objectionable information, there is simply too much material remaining for a user unfamiliar with the collection to determine what is worth his attention and what is not. It is not by the suppression of information of questionable quality that Internet users find information, but instead through search engines and human-maintained indices of content. Internet filters do not have any recognizable role here — their role is simply in preventing some users from seeing material that they might find offensive.

The majority of the court, in this case, has found the Internet to be, in nature, similar to a large pile of books. In this context, they believe it is the library’s role to locate and display only those books that contain worthwhile content. But this is necessarily a subjective (and in many cases controversial) determination, and, since the library is not constrained by limited resources, it makes little sense to state that Internet filtering is a service that should be expected from a library. To do so is to seek to confine libraries to a role that they have traditionally held, and to deny them the opportunity to expand their service and their goals in light of the new capabilities that the Internet affords them.

One of the more controversial proposals for reforming the global DNS system is to eliminate the .com, .net, and .org domains entirely, and require all new registrations to be under a particular country code, each of which would be managed by its respective government. ICANN would be stripped of all of its policy functions, leaving it as a solely technical regulatory body. This solution is appealing because it avoids substantial international policy disputes, which it accomplishes by making all policy decisions explicitly national. I believe that such a model is not a good one for the Internet.

While enormous difficulties and inequities would certainly accompany the transition to such a plan, I imagine that the worst could be avoided or ameliorated with sufficient foresight. The real problem instead lies in the fact that, as Julie has pointed out, forcing all domains to reside in a national subdomain disregards the Internet’s location-agnostic nature, painting artificial lines on a canvas that will not naturally accept them.

Trademark law recognizes that some names are local in nature. A business called Olympic Plumbing in Tempe has just as much right to the name as another business called Olympic Plumbing in Albany. Some names and some brands are national, and it does not make much sense for the owners of these names to compete for a single (or a small set of) domain names shared by the entire world. (Theoretically, the national owner of a ccTLD could create even smaller local subdomains to resolve questions such as that of the dueling plumbers above.) But it makes even less sense for an organization that does own a name used internationally to have to defend its rights in every country of the globe.

Furthermore, plenty of people or organizations wish to have an Internet presence for purposes more or less unrelated to any nation at all. Why should Metafilter, a collaborative website which posts contributions from a large number of users and uses the domain name metafilter.com, be required to register at (presumably) metafilter.com.us? The only uniquely American quality of the site is that its maintainer is American. Many of the users and contributors are from other countries, and the content of the site is extremely varied in nature. A site hosted under a ccTLD gives the impression that it is has some unique, relevant relationship to the country that owns that particular ccTLD. There are many sites maintained by US residents that are not particularly American, but instead cater to a particular interest or range of interests, and requiring such sites to imply that they are primarily American is a disservice to all of them.

While .com has lost its “commercial” connotation, this is solely by virtue of .com’s ubiquity. Sites of all natures are hosted under the .com TLD. Unlike .com, however, the ccTLDs are very unlikely to lose their subtext, since each is associated with and administered by a particular government. Sites of particular Finnish interest will rarely appear in .us, and likewise sites of particular American interest will rarely appear in .fi. Americans encountering a site in .fi may very well be skeptical of the site’s relevance to any of their concerns, and likewise for Finns encountering sites in .us.

One of the Internet’s greatest virtues is that it has the potential to allow communities to form and information to spread without any explicit acknowledgement of national borders. It would be a shame to create boundaries — even if only symbolic — between different national sectors of the Internet simply for the sake of a little convenience.

Many of the criticisms that have been leveled against the Computer Fraud and Abuse act are targeted at section (a)(2), which outlaws certain cases in which information is obtained when a person “intentionally accesses a computer without authorization or exceeds authorized access.” More than one person has claimed that the language in this section of the act is overly broad, and forbids acts that are not normatively wrong. On the contrary, I believe that the law is generally correct as written, and that many of the complaints regarding this section place far too little responsibility on accessors of confidential information, and far too much responsibility on computer owners, operators, and users to make sure that all of their information is tightly locked down.

Before I continue, I should first remark that the precise reading of this section of the act is important. Reading the act as outlawing intentionally accessing a computer for which one happens to not have proper authorization (and then obtaining information, etc.) will of course yield all kinds of absurd results, because such a reading does not take into account whether the person accessing the computer knew that his access was in excess of his authorization. I believe that the act is most properly read as outlawing intentionally accessing a computer in a manner in which one knows one is not authorized (and then obtaining information, etc.).

One common form of this objection to the language of the act is the following: file permissions and other technical measures serve as standard forms of notice that particular pieces of information are off limits. Therefore, if I encounter a readable file, I should assume that I have permission to read it.

I do not believe this to be the case.

We live in a world where an increasing number of people are using computers, and, therefore, more and more private information will be stored on them. Another consequence of this trend, however, is that we cannot expect the average computer user to have full knowledge of all computing standards and all the means he has at his diposal to both signal that particular pieces of information are private, and to actually erect barriers around this information to keep unauthorized parties from viewing it. We have more and more people using their computers for more and more tasks, and not all of these people can be expected to be experts on the proper usage of the system. Many computer systems do not assign files reasonable permissions by default (including, until recently, the servers on which Princeton student file shares are hosted). We cannot expect all users to know that this is the case, or to know how to set proper file permissions, or even to know what file permissions are.

It is certainly true — from a pragmatic point of view, at least — that these users should know how to set their permissions properly. But it is also unreasonable to expect that the average level of computer literacy to increase suddenly, and just plain bizarre to argue that file permissions (or other access control measures) are the only means by which a person may determine whether he has authorization access to a particular file. The file’s location on the computer system may be one form of notice: if I have a directory called “My Private Files”, it is obvious that the files within are not intended for public consumption. Another form of notice may be the contents of the file: one could presume that I would generally not wish to keep private, say, a list of my favorite books. But if someone were to browse and publish detailed information about my medical and financial history, I would find any claim that he did not know he was not authorized to do this highly unlikely. Especially unlikely would be any claim that he did not even harbor enough suspicion that this information was private to send me a note confirming whether or not he indeed had authorization to access and use it.

Of course, one must be careful not to apply the law too harshly. There are always opportunities for misunderstandings and miscommunications about precisely what degree of confidentiality some piece of information has, or what precise actions I might permit someone to take on my computer. In these cases, we must presume that the defendant was truly mistaken about his level of authorization. But there are also cases in which no reasonable person would presume authorization to access a particular piece of information, even if the permissions were set correctly. In these cases, an absence of technical access controls is no excuse for unauthorized access.

Hardin, in his article applying various theories of property to web sites, discusses the theory of the tragedy of the commons: if there exists a limited resource to which all members of a community have equal rights, then every member of that community has an incentive to exploit the resource to its fullest, even if that use leads to the depletion of or a diminishment in the quality of that resource Therefore, since partitioning the common resource into individual units gives each individual an incentive to use his own share properly, the resource is better kept and everyone is happier. In Hardin’s application of this theory to web sites, ownership of a web site (as property) gives the owner the right to restrict access to the site, which is necessary because otherwise too many people might visit it, which would impose web site maintenance costs on the owner well in excess of what he might otherwise be willing to pay.

This particular application of the theory to web sites seems strained. The issues at hand are only the effort and resources required to keep a particular server on line. Hardin mentions that it is possible for web site operators to implement priority schemes to attempt to avoid server load and make sure that sites stay available even during periods of extremely heavy use, but does not make it clear why this particular remedy requires a legal justification.

I would argue that the idea of the tragedy of the commons harms the concept of trespass to web sites more than it helps that concept. The resource in question, in this case, is the web itself — the hyperlink connections between the millions of web sites out there. When a web site goes online, it increases the quality of this public resource by providing more information to the public. Similarly, when a web site goes offline, or when its owner restricts access to it, this depletes the resource.

From a purely selfish point of view, there is no incentive to be stripped of the ability to restrict access to one’s site. One may wish to require visitors to pay to view content. One may wish to allow visitors from some sites and restrict visitors from others (for financial, personal, or other reasons). One may simply derive a certain sense of pleasure from knowing that one could restrict access to one’s site if one wished. Yet, when a website operator controls access to his site, he suffers no harm in return: he will be permitted to link to no fewer sites than if he had never restricted access control at all. He has depleted the resource without consequence.

He has also deprived the rest of the web of its former right to link to his site and to direct others to the information contained there. Even if he has only restricted access to certain classes of people, or implemented a few qualifying measures (such as registration) that any would-be viewer must complete, he has made his website difficult to view, and thus much less valuable to the Internet at large. When one web site links to another, the author of the linking site is likely to consider how difficult it is to view the material on the linked site. If the linked site requires a subscription to view, the linker knows that most of his readers will not have a subscription (even if he does), and so he is unlikely to insert the link at all. If the linked site only implements a mandatory registration form, the linker is still likely to consider whether it is truly necessary to link to that site, since he knows that his readers will most likely dislike the time, effort, and sacrifice of privacy necessary to access the site. Even if the site only restricts access to certain classes of people (and is absolutely free to acccess to everyone else), the linker will still prefer to avoid linking to that site if possible, since those links may damage the reputation of the linker’s site for those people unable to access their content.

This phenomenon can be seen on community websites such as Metafilter and Slashdot. On these sites, users contribute article submissions, which contain some number of links pertaining to a single topic embedded within a short summary of the link material. The utility of a single posting usually derives not from the original content posted to the site (the summary), but instead from the content in the links and (possibly) in the comments attached to the story. Sites of this sort prefer to avoid posting restrictive links if at all possible, and, when they do, complaints can usually be found in the comments.

Restrictions on access to a website severely damage that website’s utility to its potential readers and other sites on the web. A website’s contribution to the public good is effectively negated when the owner decides to stop some people from viewing it — and so one should be extremely careful when one proposes legal access control mechanisms in the name of the public good.

Earlier this year, a website called Think Secret, which specializes in posting news about upcoming Apple products, posted information about a as-yet unreleased product called “Asteroid.” Apple requested that Think Secret reveal the identity of the person (presumably an Apple employee) who leaked the product information. When Think Secret did not comply, Apple sued Think Secret to compel them to reveal the source’s identity.

There is obviously some value to allowing journalists — traditional or not — to keep their sources confidential. Imagine a different case, in which, for example, a producer of processed foods had been found to have been adding harmful additives to their products. If an employee had discovered this fact, it is clearly in the public interest for this information to be publicized, and a journalist should clearly enjoy the right to publish such information without being compelled to divulge his sources when the company determines that the information he had released was a protected trade secret. The same sort of stakes are clearly not present in this case — but the line between protected and nonprotected speech is certainly not clear.

In this case, however, one argument advanced primarily by Apple itself, is that Think Secret is not a legitimate news organization, and thus does not enjoy the protections — including the protection of sources — typically afforded to such organizations.

The Internet has changed the way we experience the news. While older forms of media clearly still reach more people, wield more influence, and earn more money than does online reporting, the Internet has enable a large number of niche information providers to reach interested audiences easily and cheaply. People interested in information on relatively obscure topics no longer need to seek out a relevant specialized magazine or daily, which might require paying a fee for a subscription. Instead, now, the same information is usually available for free online. These online news sources operate in much the same way that older ones do (and most of the essential ones): they gather information, find sources, and publish on a regular basis.

It might be argued that more mainstream media outlets might be trusted to report the news in a more responsible manner, or, by virtue of the fact that as corporations, they are naturally more careful of being held liable for the content that they publish: in essence, that because they are more likely to police themselves, that they should be afforded additional protection. First, whether online journalists are as a matter of course any less reliable than traditional sources is a matter of some debate. Second, because of their aversion to risk or their market incentive to publish material that appeals to a wide audience, mainstream media sources may not (at least initially) be willing to publish relevant material, while one of the myriad online information sources might be willing to do so.

For these reasons, it is important to preserve promises of confidentiality made by online writers. The distinction between online and older media specious is harmful, and serves only to expose online sources to far more risk than their traditional equivalents.

One of the issues discussed in Wednesday’s class was whether software manufacturers should be able to prevent purchasers of their products from reverse-engineering them. Assuming that EULAs are valid contracts, the question comes down to the following issue: should a person be capable of signing away his or her fair use right to reverse-engineer a product for interoperability purposes?

The general legal philosophy in the United States is that parties to a contract are free to bind themselves to pretty much any act, assuming that the contract meets the criteria for an exchange of value, a meeting of the minds, and so forth. Exceptions generally arise only when a term of the contract is deemed to be unconsionable: “so unfair to a party that no reasonable or informed person would agree to it.” (http://dictionary.law.com/default2.asp?selected=2183) This is a very high standard, and, in most cases, one that prohibitions on reverse engineering do not meet.

On the other hand, a contract depriving the purchaser (or licensor) of the rights that he would otherwise have under fair use only constitutes an exchange of consideration because of the protections afforded to the copyright holder under copyright law. The purchaser of the work does not in fact possess full rights to the copy; his rights under the copy exist only at the pleasure of the copyright holder. The consideration due to the purchaser is the ability to use the copyrighted work for its intended purpose. If the copyright holder in fact held no copyright to the work in question, then the license would have no force, because the purchaser would be receiving no compensation in exchange for restrictions on his use of the product. This conflict between copyright law and contract law could be resolved without any lasting or widespread damage to the power of contracts by altering copyright law such that copyright would not apply to any work licensed in a way that exploited copyright law in order to strictly expand the licensor’s rights.

So it appears plausible that we could protect reverse engineering without undue damage to contract law. But is reverse engineering a right we would like to protect — or, at the very least, would protecting it be worth any potential costs? Reverse engineering provides a number of valuable benefits:

• it enables companies to provide competition to proprietary systems that might otherwise monopolize their market space (as in the case of Compaq’s reverse engineering of the IBM PC BIOS
• it gives purchasers the rights that they would expect to have over a physical item that they had bought
• and it allows other companies to identify potential copyright or patent infrigements in the protected code.

It seems like all of these uses are ones that we would, as a society, like to protect. The disadvantages of reverse engineering, on the other hand, might be the following:

• by enabling competitors to create competing devices, the possibility of reverse engineering might decrease the incentive for technology creators to develop new products, and
• reducing the manufacturer’s control over consumer uses for the product might have the same effect.

In reponse to the first disadvantage, we might note that the process of reverse engineering is still a costly one, especially when the party reverse engineering the product desires to create a competing product: two separate teams of highly skilled engineers must be hired, and the process may take a substantial amount of time. In addition, the lack of even potential competition for a product would take any pressure off the original manufacturer to innovate further or attempt to provide any further benefits to consumers. In response to the second, one might note that giving authors or content creators total control over their works has never been a goal of copyright law. We allow critics to quote books when reviewing them. An author who tried to prevent readers of his book from writing any book with a similar plot would probably be laughed out of court.

Finally, allowing consumers to contract away their rights to reverse engineer a piece of software sets the troubling precedent of allowing copyright owners to unilaterally expand their rights under the law. One might argue that a copyright holder should be allowed to do so, since a purchaser who disagreed with the terms is free to buy a competing product. But, under copyright law, there are no true competitors to a work: the function of a book or movie or a piece of software is at least partially embodied in its expression. Going back to the example of the book review, it would be absurd to say that if the critic does not wish to comply with a provision that he not quote the book he is reviewing, then he is free to quote a similar one. Copyright protection already gives the holder a monopoly on the work — expanding this monopoly beyond the scope of the law should not be permitted.

The law and economics’ professors amici filing in the Grokster case gives two primary tests for determining when the maker of a dual-use technology may be held indirectly liable for copyright infringement committed with the aid of his product or service. The first test is whether the product or service could have been altered, at low cost, to prevent infringement while still allowing non-infringing uses. The second test is whether there exist other technologies that provide less potential for copyright infringement, while still fulfilling the noninfringing roles of the dual-use technology. The idea behind these two standards is that manufacturers of products that carry a high cost for society without a corresponding benefit should be liable for any damages committed with the aid of their products, in order to dissuade manufacturers from acting in socially irresponsible ways and to transfer the indirect costs of bad actions committed with a manufacturer’s product from the public back to the manufacturer. The underlying theory, however, is profoundly flawed regarding technological progress.

It is flawed in two main respects. First, it discourages innovation in any field where the existing technology is already “good enough” by penalizing parties who seek to introduce technology that improves on the status quo, since existing technology is always a viable alternative, and the new technology may have unforeseen harmful uses. Second, and perhaps more importantly, a new technology often yields its greatest benefits by creating goods, markets, and forms of expression that could not have been predicted prior to its introduction.

Take, for example, the home audio recording market, and the Digital Audio Tape standard. In the late 1980s, Sony attempted to introduce DAT to the United States as both a consumer and professional audio recording medium. However, the RIAA successfully kept DAT players out of the US for a while through the use of lawsuit threats. This situation only changed in 1992 with the passage of the Audio Home Recording Act, which, in a compromise between the RIAA and electronics manufacturers, allowed DAT machines to be sold in the United States under two conditions: first, that the RIAA receive a royalty for each DAT recorder and DAT tape sold in the United States, and second, that no DAT recorder be sold without copy protection, the Serial Copy Management System, or SCMS. (More on SCMS.) The result was that any affordable DAT recorder was unable to create second-generation digital copies, even of material that the owner had recorded himself. (“Professional” DAT recorders, which were not subject to these restrictions, generally sold for several times the price.) Mostly due to SCMS, the format never became widely used outside professional and semi-professional recording environments, and even then was far more expensive than it would have otherwise been. Cheap digital home recording might have been available years earlier if the music industry had not gone to such lengths to suppress DAT — and might never have become available if the music industry had successfully managed to apply the same restrictions to computers.

The compromise solution worked out in 1992 seems to be in keeping with the law and economics professors’ theories of secondary liability. It required minimal effort on the part of the electronics manufacturers to include SCMS in their equipment, and one could certainly argue that multitrack analog recording equipment was already perfectly sufficient for home audio recording; after all, musicians had been using such equipment for years. But the result was hardly ideal: DAT was never affordable to the home musician until after computer-based recording solutions had become widespread, and, even now, a musician using DAT to record must pay the RIAA for the privilege.

And now imagine that this same standard were applied to computers, which, like DAT machines, are also capable of producing perfect lossless digital copies of audio recordings. Not only would the expected benefits of digital recording still be denied to many musicians, but entire genres of music, largely unforeseen several years ago, would never have existed. Glitch depends on extensive digital manipulation of audio to create jarring textures and complex rhythms. Mashups digitally edit elements of multiple songs together to create new works. Bands have created careers and attracted critical and academic attention from releasing recordings based on the sounds of scratched CDs. Would it have been proper to deny any of these phenomena the chance to exist?

Secondary liability is a concept that does not translate well to technological innovators. It is premised on the assumption that an actor may reasonably foresee the effects of his actions, which, in the case of technology, is not always true. In the case of home audio recording, it appears that efforts to avoid incurring the social cost of copyright infringement using DAT players instead resulted in DAT technology becoming unavailable to the average home musician, and that the same requirements, had they also been applied to computers, would have had terrible artistic consequences. Who knows what we might lose if we make the same mistake again?