Information Technology and the Law

I would like to respond to some of UI’s concerns about a revised Communications Decency Act (CDA-2) that exempts those that tag their web sites appropriately from being prosecuted. International issues aside, the post does a good job of bringing the major issues to light.

To review, requiring tags on “indecent” sites (we’ll get to the definition in a minute) allows Internet users to discern whether content is desired. Any content filtering is done by the recipient. Users can choose to ignore the tags and publishers can put “yucky” content on the Internet – so no first amendment rights are abridged. This is a convenient scenario, as sites with unquestionably legitimate content do not have to bother with tagging. Sites that host indecent material should bear this (small) burden, as they are publishing information that society - through congress - deems hazardous, inappropriate for some ages, or unwanted.

Skeptics are rightly wary of a tagging system that forces webmasters of labeling borderline material as indecent. However, this falsely assumes a binary classification. The PICS standard provides a flexible, multi-dimensional ranking of content. Labeling schemes range from age categories, to those that include broad categories (like “environmental awareness”). Some of the different labeling services may even be too flexible. But the point is this: webmasters need not feel coerced into choosing to label their site as indecent for the borderline content that they feel may bring a lawsuit. They simply label it “borderline.” By informing users of the content type, they can avoid potential lawsuits. Sites with information about STDs need not fear prosecution; they just state that their information is sexual in nature, but within a medical context. Our CDA-2 provides an out – they need only show a good faith effort to accurately tag their information, even if it is later found that it should have been rated “indecent.”

I agree that “indecent” needs to be more firmly defined, and I believe that Congress can do this. I expect that the level might be similar to that of what is deemed acceptable in libraries. At the same time, there will always be borderline material - simply consider a line of films that is increasingly sexual in nature. Congress can say that at some point the information providers should be required to provide a few lines of meta code stating that the content would generally be viewed as yucky. Even a somewhat vague line does not infringe on a publisher’s right to due process.

Let me address the concern about inefficacy with a brief argument. I agree that most determined users with sufficient skill will find a way to access indecent content. However, I believe that it is still worth helping users better filter their content. Some Internet subscribers specifically seek out ISPs that provide “pure” filtered content. Even without a majority of people utilizing the tags, I think it is worth providing the option to many concerned institutions (e.g., libraries, workplaces) and parents. Importantly, I think that tags can help guard against accidental accesses of indecent material. This is important to many parents, who believe that even accidental viewings are damaging.

The efficacy may be further limited by untagged international content. However, tagging American content will improve filtering options, and will provide little competitive handicap to producers of “tagged” American content.

In conclusion, I want to observe differences from the v-chip situation. Internet tag-based filters may be more popular, as the Internet is seen as a more “wild” place than FCC-regulated broadcast. Internet tags would only be required for “indecent” material, not all content. Browser-writers would not be required to include a tag-based filter, as TV manufacturers are. The competitive environment and ease of downloading a browser will lead companies to add the feature on their own accord. In fact, Internet Explorer already includes PICS-based filtering, and a Firefox extension would not be difficult to create. We only need adult content to be labeled accordingly for 90% of web users to have the option of filtering indecent content.

Microsoft was right to recognize the importance of the browser, and made a prudent business choice in pursuing the market. The browser provides several key opportunities for greater business profit and influence on the Internet. Without dwelling on the specific browser shares (which are difficult to measure), I will comment on the influence that market share provides a browser developer.

Home page

A user’s home page on the web has many parallels to the desktop initially displayed upon booting a computer. Both provide a starting point from which users begin their work, and both provide an opportunity to guide a user’s mouse to choose certain services. In both cases, a novice might not be able to (or not think to) control the display. When using others’ computers, it sometimes boggles my mind how many people still have IE set to msn.com upon startup, and I doubt many of these people considered the possible portals before deciding to settle on msn. Setting the default home page is a very powerful means of making people default to other services (e.g., webmail or movie guides).

Applications/Extensions

Microsoft has shied away from using the browser as middleware, but Firefox provides a framework for extensions to browser functionality. While Microsoft prefers to maintain Windows as the standard for development, the Mozilla team aims to provide an architecture for adding Internet functionality (or a calendar) on top of their browser. While browser middleware has now arrived, it is perhaps been superseded by powerful web pages that handle features previously delegated to special applications. Wikis, project management tools, bug tracking, and many other tools provide web-based means for collaborating or even working by oneself. While this market segment escapes direct influence from browsers, it is yet impacted by standards.

Standards

While the World Wide Web Consortium has no authority as an Internet regulator, it plays a vital role in setting standards for Internet technology. Its recommendations ease web design, and provide browsers with a defined set of protocols to implement. Theoretically. Web designers love to complain of Microsoft’s poor job in adhering to the standards, making it a challenge to design pages that can accommodate both Internet Explorer and browsers that adhere to the standards. Unlike ICANN, the W3C attempts to be very open, such that anyone with enough money can join as a member and give input into the standardization process. This grants the body significant credibility in determining good standards for all web users. However, the companies with the largest users base (i.e., Microsoft) set the de-facto standard of how web pages must be designed in practice. They may choose to ignore standards so as to promote interaction with their online services, to the detriment of others. Normally I would rely on market pressure to force companies to adopt a certain set of standards. However, if a company is found to be flouting standards and using its market share to dominate a new sector (as may be made possible with a browser monopoly), I think it would be reasonable for the courts to coerce the adherence to standards as a resolution to a successful anti-trust case.

Nitin recently considered the implications of implied consent for the viewing of shared network drives. While implied consent has most visibly been used for consent to breathalyzer tests, it has recently entered the technical realm with the Pharmatrak case. On page 23, the first circuit states that “deficient notice will almost always defeat a claim of implied consent.” However, for the concept of implied consent to make any sense, there must be a common understanding of personal rights. The court determined that Pharmatrak could not use cookies to gather personal information, as the web surfers had not consented to this practice that invaded their privacy. The problem with access of shared network directories is that the system of “rights” is not clearly understood by many people.

In the world of technology, access rights are typically indicated through technical protection. When we hit a password prompt we know that we aren’t supposed to access certain data. This is both the best way of telling people to keep away, and serves as the standard notification of access rights. Unix permissions for a world readable file (rw-rw-r–) affirmatively flag a file as world readable, and Windows permissions give Read access to “Everyone.” There may be alternatives to this neat technical method, but they are neither straightforward nor standard. Writing a letter informing someone that access is not permitted should also suffice, but would probably arrive too late. Maybe if I made a file: ~archer/DO_NOT_READ_UNLESS_YOU_ARE_ARCHER it would qualify as clearly marked. But even then, a computer bot would not understand this name, and might access the publicly readable file (unless there was some robots.txt-like file). In short, the built-in technical means for protecting data are the best ways to notify people of private data, while protecting against some mischief makers as well.

The problem is that a large segment of the population that uses computers does not have the knowledge necessary to set permissions. Many of these people have been given “deficient notice” of the public accessibility of their data. This happens both through poor communication with their computer administrators and a limited (or practically nonexistent) set of computer skills. The situation is further worsened by poor selections for default settings of accounts and hardware that is set up. Ultimately, neither technology providers or computer administrators can be held responsible – that would be an incredibly slippery slope leading to a wide range of possible liabilities for bugs or failure to inform about some risk. Also, those accessing the network resources should not need to weigh and discern whether people intended their content to publicly viewable. Rather than force difficult decisions about intent and expectations for the content, let’s just all set our permissions correctly! If you don’t know how, find out.

Although modern use of trespass to chattels has a strange origin, the legal principle is quite sensible. As with trespass of physical property, unauthorized use of (or trespass onto) electronic equipment has tangible effects and trespass to chattels is a reasonable way of extending existing legal principles to cover the new electronic terrain.

As the courts have been finding, an individual or business should not be permitted to use another party’s website if they are told not to. To focus on the Internet cases, Compuserve and eBay both clearly indicated that the abuser should cease using their property and interfering with their business. Private parties should be able to deny use of their equipment to certain other parties, and there should be remedy for even one disallowed use. (Note that the actual damages of a single use are likely to be minimal!) This legal protection is important to have, and to independent of copyright law. Suppose I was hosting an online phone directory (or other information that is not copyrightable), and my rival sent a webcrawler to update their database of phone entries every hour, making thousands of queries to retrieve every name. While I would not have a remedy under copyright law, their trespass of my “chattels” would allow me to block their usage and sue for the bandwidth and server costs.

A sufficiently clear notice should be the sole criteria required to alert a party that they should cease accessing certain equipment on the Internet. In particular, notices mailed to the accessing party or a robots.txt file would qualify as “sufficiently clear.” An individuals.txt file is unlikely to qualify as sufficiently clear. However, an entry page specifically for this purpose may set out terms for using a web site that are clear (e.g., preventing certain ages of users from accessing the site). Most websites placed on the Internet are put there specifically for public use, so it should be safe to assume that the host intends for people to be able to access the site. However, one should be able to limit access to a site on the Internet, just as one can limit the use of one’s property, even if it is accessible to the public.

Technology can help prevent trespass to chattels, but should not be required. Often, technological means are the most efficient way of alerting parties that they should not access a site, or of simply blocking them from accessing it altogether. Robots blocking (see next paragraph) or IP blocking are simple means to accomplish this, and will be frequently preferred by server owners. However, a server owner should merely be required to provide clear notice that certain parties are not to trespass – it is up to the owner to determine the most efficient means for doing this.

As mentioned above, robot blocking protocols are designed to help avoid trespass to chattels. Websites that do not want robots to index their webpages can exclude them with a robots.txt file or robots META tag. It is telling that only a few robots support the META tag version. The file robots.txt must reside on the root of a web server, and is likely controlled by the server’s administrator. Since they are the party whose equipment would be trespassed, they have the authority to block certain parties (like all robots). A user of the server may have her own web page (e.g., http://www.site.com/~user), but is unlikely to have access to the robots.txt file in the web root directory (http://www.site.com/robots.txt). The user could attempt to use the robot blocking META tag in each of her HTML pages, but this may be ignored by the robots. The ‘bot writers feel safe in ignoring the META tag, because a user does not own/operate the computer and would be unable to sue for trespass upon it. The server’s owner still has an option to block robots with the robots.txt file, and hence is not lacking an efficient means to alert ‘bots to stay away.

Efficient technological means are available for protecting against much undesired access of servers. It is prudent to have legal recourse against parties who deliberately flaunt requests to cease using a computer system.

Universal v. Corley correctly determines that some computer code should be illegal. Although all computer programs qualify as speech, that does not grant all programs a right to legality and free distribution.

Let me first make a few comments specific to the DMCA. I agree with the popular sentiment in class: this is bad legislation. It is ambiguous and poorly written, allowing lots of space to expand the statute beyond its original intent. Even the original intent may be bad policy. But I don’t want to focus on whether the DMCA is a good idea, or even whether it is constitutional. Instead, let us simply consider the issue of free speech, and how it relates to computer code in general.

It’s clear that computer programs have both expressive (copyrightable) and functional (patentable) elements. A program can be expressive either in the source code, or in the output generated by the object code. Source code may express messages by naming each variable as the next word in a sentence (duplicate words could be suffixed with a number). Also, what about a program that displays expressive content as a message box upon starting? Whether or not this content was visible in the source code, it is expressed in the corresponding object code. Note that in a properly operating program, the functionality encoded in the source code and object code is the same.

Let’s be clear: although we may think DeCSS should be legal for use and dissemination, not all computer programs qualify for this liberty. The content and purpose of the program is critical. Consider a program that generates virtual child pornography. Or consider a program that contains a hit list of people to be targeted, and explicitly advocates their assassination. Public dissemination of the content generated by these programs is clearly illegal. The object code is the sole data needed to generate the illegal content, and hence it should be equally illegal to distribute publicly. The source code is the sole data needed to generate the illegal object code, and hence it should also be illegal to post the source code on the Internet. (Note that in all of this I am talking about a program used for only one thing – no dual use technologies.)

The first amendment right to free speech protects expressive elements, not functional ones. DeCSS was in court because of its functionality, not the expression of either the source code or object code. The court properly focused on the functionality as the problem, and assigned what it felt was the proper remedy. Legitimate messages in the content (which would normally qualify for protection under the 1st amendment) do not provide safe-harbor for illegal functionality. Traditionally, functionality would not get a computer program like the DeCSS into trouble, as illegal functionality focused on malicious code (like viruses) or patent infringers. We should be upset about the DeCSS ruling because of the restriction of functionality that the DMCA imposes, not because it jeopardizes some “right” to disseminate whatever computer code we wish.

The court decisions about reverse engineering have attempted to balanced protection and accessibility to technology. Dominant companies try to protect their innovations, developed through large R&D budgets. Smaller companies try to leverage the popularity of products, taking advantage of technology developed by others. Then, pirates and hackers attempt to free-ride or challenge themselves by bending the technology in unintended ways. On the one hand, fewer legal safeguards for technology creators (e.g., Sega) may force them to spend disproportionate energy in “hardening” their technology against use in purposes that they do not intend (i.e., purposes that they do not profit from). This can both inflate prices on technological goods, and influence functionality by making a product more difficult to use. On the other hand, legal restrictions on the ways that technology can be used may hinder important technical or market innovations (e.g., Accolade games or the Game Station emulator). This is an important tension, and one which the government needs to monitor – carefully considering the legal restrictions that will be beneficial to well-behaved parties on both sides.

It is not merely a technical arms race, but also includes sophisticated legal strategies on both sides. Technology producers implant intellectual property of every type to create a range of options in prosecuting infringement. At the same time, companies like Accolade are careful to copy minimal code and isolate their own developers from those that have seen the disassembled code. The courts should be careful to consider the intent of each side. Following the letter but not the spirit of the law is rightly frowned upon!

While the courts have an important role in establishing the balance, congress has the ultimate authority. Evidently, our congressmen thought (after significant lobbying by established companies, no doubt) that the balance was not providing enough protection to technology creators. In 1998, the DMCA provided new legal tools for companies to protect their products from unintended use. Theoretically, this should free companies from the need to include sophisticated protection mechanisms in their products.

I am wary of the shift favoring legal protection through the DMCA, allowing companies to design their product with simple restrictions that are then illegal to work around (e.g., one can’t work around a protection system in order to expand features – like to play DVDs in Linux). First, I value technical innovation over legal innovation. If a battle of new strategies and ideas is to be fought, we might as well be developing some technology. Second, I think the DMCA shifts the determination of business models into the hands of technology incumbents, rather than allowing newcomers to develop ideas that are then tested in court. The DMCA provides too strong of a legal card such that newcomers don’t have a chance to debate the merits of their system in court. Finally, I think that the courts are best equipped to consider the intent of technology developers and “re-developers” on a case by case basis. There are many subtleties and considerations in cases that challenge intellectual property law – the courts need the most freedom possible in creating a healthy balance for the entire technology industry.

P2P file distribution is more economically efficient than the recording industries systems, and offers a system that will potentially encourage more creation as music performers gain greater audiences and increased concert revenues. While most musicians prosper in this scenario, songwriters lose out. Here I propose two possible methods that could be used to provide songwriters with royalty payments.

Motivation & preliminary comments

I believe P2P music distribution is better than the existing model, this is not a license to infringe against copyright holders. P2P needs to be allowed to develop, and should not be restricted as a technology. However, I am in favor of the introduction of bogus files imitating infringing works and full-fledged suing of any copyright infringers on the P2P networks.

“mdaly” has a helpful discussion arguing for the new P2P model of distribution, and concludes that the artists will continue to profit – or become more profitable through the use of P2P. I agree. It is likely that piracy will flourish, and this will just become the new paradigm for the music industry. In this scenario, the RIAA loses big. They should be concerned about their future, and need to make significant changes to continue to profit. However, I disagree with mdaly about the importance of keeping people in their current jobs. I don’t think we should care about the RIAA businesses, nor the employment of thousands of people that are part of their out-dated music distribution infrastructure. The economy will restructure itself and these people will find new jobs. Preserving jobs is not a good reason for resisting a more efficient economic design, an argument akin to that used by toll booth operators concerned about “SpeedPass” systems for automobiles. If the recording industry dies out, so be it, as long as musical creation continues to thrive.

I want to focus on a problem that mdaly did not discuss: profits and incentives for songwriters. They cannot directly recoup costs through musical performances. Songwriters can either charge musicians more for concert performances, or we can consider a tax on Internet service.

A proposal for songwriters

(Please excuse my googled statistics. If someone has more reliable numbers, I would be happy to use them, but I think these will suffice for my “back-of-the-envelope” calculations.)

Songwriters get a royalty of 8 cents for each copy of their composition that is sold.
( howstuffworks.com and )

675 million albums are sold annually in the United States.
( plunkettresearch.com)

Estimate 12 songs per album, totaling about 1 dollar to the songwriters for each album. So we need to find $675 million per year.

Option A: Current annual concert revenue is $2.5 billion. Adding another $675 million into concert revenue would increase ticket prices by 27% on average. Although I do not have good evidence to support this, my sense is that concert ticket sales are not sufficiently elastic to increase profits by 27% due to the increased demand caused by P2P-created popularity. It’s possible , but I have my doubts. Music performers also might not be that happy by the suddenly increased royalty charges that cut into their profit margins on concert tickets (driving people away by high prices, or lowering the portion of each ticket going to the performers).

Option B: There are currently about 200 million Internet subscribers in the United States. ( internetworldstats.com ) Charging them $675 million would mean $3.48/year, or 28 cents per month. For a workable free music system, this is orders of magnitude less than Napster’s $15/month. I guess the RIAA would lose out tremendously! Government taxes on Internet subscriptions could be used to dole out royalties to songwriters. (Metrics of how the royalties should be distributed are admittedly tricky, but doable.)

In defense of the unthinkable

I, like many others, am reluctant to accept a system that flatly charges all Internet users to support a benefit that not all may use. What about deaf people! However, consider other services where we regularly pay taxes to the government. Phone service has several layers of taxes for the service, which people have come to accept. Airplane tickets also have significant special taxes, including ones for security. Isn’t that unfair to the non-terrorists, or babies incapable of terrorism? In general, one does not have to be a beneficiary of the tax money that we are paying in order for it to be fair, else I could protest my tax money that helps handicapped individuals. Taxing Internet service to pay songwriters is not as absurd as it may seem initially. P2P is not likely to die, and free music services will probably survive. If this is the case, Internet taxation for songwriters seems to be one of the most viable means for providing for continued musical creation.

The RIAA may also propose such a tax in general to recover their losses to infringement. I would rather cut out their high costs and have an efficient system that benefits just musicians and songwriters.