via Reddit.

BitTorrent users download by connecting their BitTorrent client with a tracker that allows the client software to locate the IP addresses of both seeds (those users who have downloaded an entire file) and peers (those who are still downloading). Once a user has one “piece” of a file, they continue downloading the rest while also uploading (where needed) the piece that they have to other peers. Those uploading and downloading at the same time are called a “swarm.”

Why does this matter? Because how users interact with software is important, as Judge Ryu notes, and it could be important enough to sever cases and declare joinder inappropriate even at the “Doe” stage of litigation. In the California case, Pacific Century International, Ltd. v. Does 1-101, Judge Ryu does exactly that, severing and dismissing Does 2-101 for the plaintiff’s failure to link them to the same Torrent swarm (even though they were alleged to have exchanged the same copyright protected work).

More after the jump

According to the Court:

. . . BitTorrent users may upload different initial files of a given work, which results in the creation of distinct swarms. [A] second initial “seeder” may not enjoy television shows in low definition and instead decide to upload a high definition file of the same episode for distribution. Notably, because of the differences between the first, low definition file and the second, high definition file, the participants in the first swarm would not interact with those in the second swarm. (See Hansmeier Decl. ¶ 9 (noting that swarms develop around originally seeded file, as opposed to a particular work).) That BitTorrent users have downloaded the same copyrighted work does not, therefore, evidence that they have acted together to obtain it. [emphasis in original]

This is a suitably accurate description of how BitTorrent works, and it is necessary to paint the required picture of cooperativeness for federal joinder of defendants purposes. The Court continues:

Because of this fundamental constraint on the collaboration between copyright infringers using the BitTorrent protocol, the court finds that Plaintiff cannot meet the permissive joinder requirement of Rule 20(a)(2)(A). Although Plaintiff explains the protocol and how it differs from its predecessor P2P programs, and specifically claims that Defendants have engaged in a civil conspiracy (Compl. ¶¶ 32-39), Plaintiff still has failed to demonstrate that it has “any right to relief against [Defendants] . . . . arising out of the same transaction, occurrence, or series of transactions or occurrences.” Fed. R. Civ. P. 20(a)(2)(A). This deficiency proves fatal to Plaintiff’s attempt to join Defendants because the only commonality between copyright infringers of the same work is that each “commit[ted] the exact same violation of the law in exactly the same way.” LaFace Records, LLC v. Does 138, No. 07-CV-298, 2008 WL 544992, at *2 (E.D.N.C. Feb. 27, 2008) (not reported in F. Supp.) (citation & quotation marks omitted); accord Diabolic Video Prods., Inc., No. 10-CV-5865, at *6 (“[T]he mere allegation that defendants have used the same peer-to-peer network to infringe a copyrighted work is insufficient to meet the standards for joinder set forth in Rule 20.”).

The easiest way to make this requirement clear would be to insist that plaintiffs plead that all “Doe” defendants listed in a particular file sharing suit be alleged to have participated in the same swarm at the same time.

While not stating such a requirement explicitly, it seems to me that Judge Ryu got this right, while other federal judges are getting it wrong. Judge Howell in her combined order in the Call of the Wild, Maverick, and Donkeyball Video decision seems to have gotten it entirely wrong (The Hollywood Reporter has more). Diabolic seems wrong to me, too, given how things actually work and the requirements of the Federal Rules. That is, Rule 20 of the Federal Rules of Civil Procedure allows defendants to be joined together in one lawsuit when “any right to relief is asserted against them jointly, severally, or in the alternative with respect to or arising out of the same transaction, occurrence, or series of transactions or occurrences.”

What is missing in the Call of the Wild grouping or the Diabolic case is the actual actions of the accused users in cooperating with each other. Failing to require concerted action, but instead allowing plaintiffs to lump together defendants who are alleged to somehow have downloaded the same (or perhaps even different) copyright work (regardless of the source file or source location) simply misses the requirements of the Federal Rules in light of the BitTorrent technology.

Perhaps an example would help here: consider the situation where CD bootlegger A makes 1,000 bootleg audio CDs and sends them out one-by-one by special delivery service to buyers. At the same time bootlegger B also makes 1,000 bootleg CDs and sends them out one-by-one to buyers by special delivery service. Assuming A and B have no interaction with each other (and in fact have no commonalities other than copying the same CD and using the same delivery service), no Federal Court would consider allowing them to be joined in a federal lawsuit. The requirements of the rules simply aren’t met. The same situation exists if Bootlegger A sends to distributors K, L, M & N, and Bootlegger B separately sends to distributors O, P, Q & R. Plaintiff cannot bring A, K, L, M & N into the same lawsuit with (for example) R. They have not engaged in the same transaction. And what cannot be done in the real world does not, to paraphrase Judge Kozinski in Roommates.com [pdf], “magically become [allowable] when [done] electronically online.”

To be fair, Judge Howell in the Call of the Wild line of cases seemed much more concerned with saving the plaintiffs some money, so was not looking for compliance with the rules. Compliance would come after disclosure of Doe identities (though of course this is rebutted by the notion that you can simply join Doe defendants willy nilly and still somehow comply with the rule; you can’t).

Magistrate Judge Ryu, however, recognizes the folly of this: the Federal Rules require some coordinated action in pursuit of a common goal before defendants can be joined, and while BitTorrent users downloading the same copyright work in different swarms may have a common goal, there is no coordinated action between swarms. Given the Supreme Court’s recent insistence [pdf] on form over substance in applying Federal Law (specifically relating to the Federal Arbitration Act’s preemption of state law), Judge Howell and those judges (and plaintiff’s lawyers) similarly minded should perhaps reconsider whether strict adherence to technical requirements that defendants have engaged in the same “transaction, occurrence or series of transactions” regardless of the financial implications for plaintiffs can be so easily excused even at the “Doe” stage of BitTorrent litigation.

Rustock was one of the biggest botnets in the world, producing more e-mail spam than any other network. But early yesterday, it ceased sending spam.

One more step in the technological arms race that is the Internet.

Why is the U.S. electrical grid connected to the Internet? Why are defense resources connected to the grid? Who decided to connect “critical infrastructure” to the Internet? Why would the Hoover Dam be connected to the Internet (factoid: it’s not)?

Don’t get me wrong, I actually know why: efficiency. Or, in non-economic parlance: convenience. Which, for me, is an awful reason to connect something to the Internet.

What should be connected to the Internet? Non-critical infrastructure. Chat. Businesses. Individuals. LOLCatz. Not the defense department. Not the military (at least not core functions of the military). Not the electrical grid. Not nuclear power plants.

For critical infrastructure (in terms of blowing up the world or flooding lots of people), make your own network. Don’t use VPN over the Internet. Don’t play with encryption strength. Build another, non-public, non-Internet-connected, network.

But in addition to constraining our desire to connect critical infrastructure to the Internet, there are some other things that I would not connect to the Internet. Like my toaster. Or my

This leads me to the point of this post: our search for the all encompassing ability to control all of our lives from our computers (or our smart phones) we are failing to sufficiently consider the security implications of the connections required to make life “easier” or more efficient.

This is exemplified in a story yesterday from the NY Times: “Researchers Show How a Car’s Electronics Can Be Taken Over Remotely.” In the desire to not have to carry around heavy keys, we have opened ourselves to hacking as we drive down the highway (or when we park our cars at work, or at home, or anywhere). This is not a “good thing.”

We (as a society) need to take more time to think about the gains in convenience (efficiency) that follow from attaching a particular thing to the Internet. The question can’t just be: is it cool? Can I impress people with the connection? We should, for example, be listening to the experts, who encourage caution:

Computer security researchers have long argued that wholesale computerization and Internet connectivity of complex systems present new risks that are frequently exploited first by vandals with malicious intent.

As a Torts professor, I’m excited (in a geeky kind of way) about the exam hypotheticals I can make up involving a hacked car causing havoc (amongst other havoc, of course). As a driver and car owner? I’ll have to admit, I’m not so excited about my car being taken over by a hacker.

Maybe I’ll just stick to using the key.

I’m referring to a Wired piece entitled, Alien Microbe Claim Starts Fight Over Meteorite. I won’t weigh in on whether or not the findings are reliable, appropriate, supported by evidence, or were properly interpreted. Why not? Because that’s not how science works. I believe that the Internet (and the “crowds” that inhabit it) can be really good at some things: picking a good movie; helping identify new and unknown musical talent; providing answers to questions. But, historically, crowds are not good at science. We let our own biases take over, and it turns quickly from a question of science to one of the popularity of underlying values and beliefs.

This is not how the scientific process, the real scientific process, you know, the one that brought us notions of gravity, the thermodynamic laws, relativity (both general and special). This requires peer review. Peer. Not general public review, which means little in context for a variety of reasons.

Here, however, it is clear that experts are weighing in early and often, many times admitting that they don’t have all the facts or access to the underlying data that they need. It doesn’t help that the research at issue was published in a non-peer-reviewed journal to begin with. That just screams for verification. But instead of waiting, which is what scientific development requires, the results are debated in the public sphere. To what end? Of that I am not quite sure, but I can be sure that it’s not the better development of scientific findings.

There are some things the Internet does well; contributing to the development of science through public discourse is not one of them.

Facebook currently uses HTTPS whenever your password is sent to us, but today we’re expanding its usage in order to help keep your data even more secure.

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS.

This is generally a good thing; secure browsing really should be the default in more cases than it already is. But, this announcement still raises issues: first, as I posted yesterday, Facebook is quite ready to share your personal information with advertisers as they see fit (and as will make them money). For me, steps like these and the way they are presented smack of underhandedness: “Look at us, helping you to protect your personal data, isn’t that great?” But that is followed by: “We still give all our ‘partners’ access to your data, but we trust them, so you should, too.” The disconnect between rhetoric and action is simply too big for me to buy.

Separately, but perhaps just as importantly, Facebook announced changes in how it will authenticate users when there may be a security issue with their account (Facebook’s example is a logon from California and then one a few hours later from Australia). According to Facebook:

Many sites around the web use a type of challenge-response test called a captcha in their registration or purchasing flows. The purpose of this test is to verify that you are a human being and not a computer trying to game the system. Traditional captchas have a number of limitations including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers.

Traditional captcha

Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are.

Social authentication

We will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful.

The Washington Post calls this “better authentication.” The difficulty with this is that many people keep their friends list public. Whether publication of a user’s friend list is intentional or inadvertent, in cases where the list is public, using “friend identification” as authentication would pose no greater obstacle to a semi-skilled hacker than no authentication at all (one browser window open to the friends list, second one open to the authentication page). It is the use, in many cases, of publicly available information to authenticate the person to whom the publicly available information pertains (not to mention how it would function for more public personas with thousands of friends).

I’m not sure why this is supposedly good (and definitely not sure why it’s “better”), but hopefully Facebook will think twice about using information it encourages users to keep public to authenticate users when authentication is needed.

Facebook’s new Sponsored Stories feature will allow companies to take any user content — such as status updates, Facebook application use, or Places check-ins — and turn that content into an advertisement for its products on the social networking website.

This is just one more example of Facebook going to (over?) the edge of the privacy/advertising boundary in the search for revenue. Another recent example, as noted by the LA Times, involves giving advertisers access to user phone numbers and addresses (and then taking that access away again, and then promising they were going to give it back yet again). More details on “sponsored stories” in the Facebook video:

The moral of the story (yet again)? Facebook is not your friend. Facebook is a money maker. Facebook wants to make more money. You are how Facebook makes money. I am not advocating, as many did last year, that you should leave Facebook (I most likely won’t leave Facebook over this), but instead, be careful what information you make available there (for example, my phone number isn’t found on the site, nor is my address, and I don’t “check in” anywhere on Facebook).

As a final note, under the new plan, advertisers might be able to use your profile picture in advertising to your friends. My current profile picture isn’t a picture of me, it’s of the moon, though I’m considering going to a picture of me flipping Facebook the bird. Let them use that in their advertising “sponsored stories” . . .

This has happened to me: I very quickly learned how to make sure no one could see photographs of me on my profile on Facebook that others had “tagged” with my name when an old high school band mate posted some shots of me in spandex pants, no shirt and a denim vest (no, I won’t post them here, it’s not a pretty sight). The problem is not limited to digital media, but includes analog media made digital.

In an article entitled, “Artist’s Daughter Wants Videos Back,” the New York Times’s Kate Taylor tells the story of Emma Tamburlini, the daughter of “proto-Pop artist Larry Rivers. According to the article:

Ms. Tamburlini said her father filmed his daughters every six months over at least five years for a body of work he titled “Growing.” If she objected, she said, she was called uptight and a bad daughter. When she confronted her father as a teenager about the films, she said he told her “my intellectual development had been arrested.”

In 1981 Rivers edited the footage into a 45-minute film that he planned to show as part of an exhibition. The girls’ mother, Clarice Rivers, who also appears in parts of the film, intervened and stopped him.

In the film Rivers tells the girls to take off their clothes and then zooms in on their breasts from various angles. He interviews them about how they feel about their breasts and whether boys have started noticing them. In some scenes Clarice Rivers appears with her daughters, displaying her own breasts and talking about them.

The videos are now part of the Rivers archive, which soon shall be held at New York University, and the Foundation’s director refused to destroy them before selling them. This leaves us with videos of a young girl, naked, forced to discuss and show herself and her “development” on video, and who then — primarily because of the choices of copyright law — has no control over what happens to those videos.

My proposal, currently being developed in a piece for the “I/S” journal and based on my presentation at this conference at Ohio State past spring, is that minors who appear in videos or photographs have a right to either assent object to — and thus allow or prevent — distribution of the video or photographic artifacts in which they appear. Today’s NY Times article convinces me that, while the idea still needs some work, I’m at least traveling down the right path. This just can’t be right.

Case in point: The NY Times often includes “resources” next to links for its stories or multimedia content on the Web version of its newspaper. On the site today, I found the box shown in the image. The main link is to an interesting discussion by writers on books they would never part with. The “resources” are links to pages on “what books to throw out and why it’s a good idea to clean one’s home library.” The problem is that the links are wrongly identified, don’t actually relate to that topic, or where they do, are seriously tongue in cheek.

The first link is to a piece in the Guardian; except, it is not in the Guardian, it is a Huffington Post piece by Lewis Grossberger (more on this later, as it gets its own link). I could not find any relevant stories in search the Guardian website.

The second link is to a story in the New Yorker about books that die a natural death, which doesn’t talk about books you’d throw out, but rather about a proposal by Virginia Woolf that first runs of books be printed on paper that degrades/disintegrates, so that if no second run was needed (ie, if the book was no good), the first runs would simply disintegrate.

The third link is to a piece by Tyler Cowen that actually talks about the subject; he argues you should throw average books out so that others don’t waste their time reading them. Interesting point, but the post is hosted on a publisher’s site (Penguin Books), who I am sure would love you to throw out old books rather than taking someone’s attention away from  their new books.

Finally, the fourth link is to the Lewis Grossberger post at Huffington Post referenced (and linked to) in the first link, above. The problem? Grossberger makes his books up. That’s right, they’re not real books. The plot summaries are hilarious at points, and there is a lot in the whole piece to think about (in fact I highly recommend this one), but it’s not about throwing real books out.

In other words, the resources aren’t actually relevant to the topic they’re supposedly relevant to.

I’m hoping the N.Y. Times is paying more attention to its main stories than it is to the “new media” additions to its primary content.

But even “unknown” individuals can cause headaches for businesses and business people. There are now a host of both general ratings websites — including sites such as epinions.com and bizrate.com — and more specific ones. Some of these sites allow individuals to post comment and review of business providers, while others add their own “site” reviews or aggregate reviews into overall rankings or generalized reviews (for example, movingscam.com allows for individual posts and also aggregates reviews of moving companies).  Much has been written about the potential liability of site owners and operators for content posted by others (see the EFF pages, for example, or Eric Goldman’s very readable take on the subject), and the extent to which the protection offered by federal law has gone off the rails in protecting site owners. Because of the ease of online criticism, businesses have sprung up with the goal of “protecting” others from criticism online.

Less has been written, however, about the opportunity that individuals now have to get in trouble themselves for content that they post on the web. What used to be a rant to friends, relatives and co-workers has become a broadcast to the whole world via the WWW. The dangers that arise when mixing fact and hyperbole, exaggerating the extent of what happened — something that is common in emotional responses to interpersonal disputes — are potentially significant, as the decision in Agard v. Hill reminds us. In Agard, the Federal District Court for the Eastern District of California refuses defendant’s motion to dismiss a claim of libel per se brought by a wedding planner. The defendants had difficulties with the wedding planner, and then eventually fired her. There are three specific statements (as is required) that the plaintiff claims are defamatory (in relation to their use by defendants to show through their statements that plaintiff is incompetent and untrustworthy):

(1) plaintiff moved multiple times;
(2) plaintiff is operating under a new name and in a new location; and
(3) plaintiff was fired two months before defendants’ wedding “due to issues that are too numerous and frustrating to go into at the moment.”

The Court dismisses the claim based on the third statement, noting that whether the defendant was fired one or two months before the wedding is irrelevant to the defamatory nature of the claim (so its falsity is also irrelevant) and that any implications underlying the numerous issues were supported by a small claims court judgment won by the defendants against the plaintiff. Statements one and two, however, according to the Court:

“Within the context of the entire publication, which contains multiple uncontested facts, the court finds that the “provably false assertion of facts” that plaintiff challenges here are likely to be believed by readers and lead to the impression that plaintiff is untrustworthy and incompetent. Defendants’ assertion that plaintiff moved multiple times and was operating under a new name may lead a reader to believe that plaintiff was engaged in unfair trade or was attempting to avoid a lawsuit.”

What makes the refusal to dismiss as to these statements more interesting, however, is that the overall context of the dispute, as played out in plaintiff’s online statements, does not “save” them from defending these statements. There were a number of relatively damning facts that plaintiffs included in their online post that the plaintiff did not dispute. These include: plaintiff not returning a portion of the deposit when she was fired, though she had agreed to do so; defendants winning a small claims action against plaintiff, which was then upheld on appeal; plaintiff not having returned money due to defendants; and, other couples having sued the plaintiff.

These statements, again, were not challenged by the plaintiff, and seem to paint a pretty nasty picture of how she interacts with at least some of her wedding clients. Yet the Court does not take these statements as establishing a context of poor performance that would excuse further, potentially false statements of fact used to embellish the report. Plaintiff’s challenge of these latter statements as factually inaccurate is sufficient to force defendants to continue to defend them (though the Court leaves open the question of whether a California privilege to make such statements without malice, found in Cal. Civ. Code § 47(c), is applicable, and if so, whether there was malice here, an issue the Court says is more properly reserved to a motion for summary judgment).

The lesson here is straight forward: if you are making statements online about another person, a business or a service, do not embellish beyond what you can show factually. Statements of opinion were, in the past, considered absolutely protected, but the U.S. Supreme Court has clarified that opinion-statements backed by implied facts will be actionable where the facts implied are false (see, Milkovich v. Lorain Journal Co.). Even where the entirety of a statement can be read as opinion (ie, I think X is an awful wedding planner and hope no one else hires her), where facts are stated or implied to support the opinion (something often required to make the opinion credible to those reading it), you’re likely to have to go further in defense of an expensive defamation lawsuit than you might otherwise like.

How we make “ordinary” people aware of the distinction and its importance is a question we should probably begin to consider.

The case is Agard v. Hill, No. CIV 2-10-cv-0323-GEB-JFM (PS), 2010 U.S. Dist. LEXIS 35014 (E.D. Ca., April 9, 2010).