In the end, though, the case shows what all of the cases I’ve discussed show: copyright was not really developed with digital content storage and streaming in mind. While some rules fit nicely, others seem like creaky old constructs that can barely hold the weight of the future. The result is a set of highly formalistic rules that lead to services purposely designed inefficiently to either follow or avoid the letter of the law. This problem is not going to get any better with time, though my ownguess hope is that the pressure will cause providers to create some better solutions that leave everyone better off.

Here are the basic facts.  Aereo runs a system with thousands of dime size antennas. Each of these antennas can capture over-the-air broadcast television, but not cable or satellite signals. OTA signals are “free” – viewers don’t have to pay for access to them the way they do for cable.

Aereo then runs what is essentially a remote digital video recorder for each subscriber. That is, when a user wants to watch or record a program, the Aereo system tunes one of the antennas to the appropriate channel at the appropriate time, saves the resulting TV signal (a show) to disk, and then either streams it to the user over the internet or stores it for the user for later viewing.

Aereo does this for every single subscriber; if 10,000 people want to record a show, then 10,000 antennas store 10,000 copies of the program.  Why, you ask, would it do something so ridiculously costly and redundant? Because it’s the law, of course.  A prior case, called Cartoon Network stands for this proposition. Here’s the logic: a) a user can use DVRs to store recordings at home (relatively well settled law since the Supreme Court’s decision not to hold VCR makers liable back in 1984); b) a cable operator can store those DVRs at the cable site, because where a customer’s DVR is located does not change the nature of its use, but c) the cable operator must maintain each customer’s choices like a DVR, meaning that the customer chooses what to record, and that a separate copy must be maintained for each customer.

The question in Aereo, then, is whether this basic framework changes if the “cable provider” is now an “antenna farm” provider. There are some differences. The cable subscriber is paying a fee that allows for the rebroadcast of content from the cable operator to the subscriber. Without such a fee/license, such rebroadcast would be infringement. Aereo has no such license, and thus its service could be considered a rebroadcast, which is a no-no. Just ask the folks who tried to rebroadcast NFL games into Canada.

The Aereo Court agreed with the rationale in Cartoon Network, however; the license was not relevant.  Instead, the individualized copies were simply not “public” performances. They were private: selected by the user, recorded in the user’s disk quota, and shown in that form only to the user. As the court noted, it was as if the user had a private antenna, DVR, and Slingbox located at Aereo’s facility, and the fact that Aereo owned it and charged for the service was irrelevant.

Judge Chin dissented from the opinion, and took an opposite view, best described using the original dissent’s text:

Aereo’s “technology platform” is, however, a sham. The system employs thousands of individual dime-sized antennas, but there is no technologically sound reason to use a multitude of tiny individual antennas rather than one central antenna; indeed, the system is a Rube Goldberg-like contrivance, over-engineered in an attempt to avoid the reach of the Copyright Act and to take advantage of a perceived loophole in the law.

Judge Chin’s dissent goes on to argue that the formalistic reading of the statute fails, and that we should see Aereo’s acts for what they are: a transmission of content to members of the public, which thus constitutes public performance.

This disagreement is a great ending illustration of the cases I’ve blogged about this month. The tension between formalistic statutory reading and policy based glosses is palpable.  In my last post, I made clear that I favor following the statute unless convinced otherwise.

But that doesn’t answer the fundamental question, which is: what do we make of all this? Sure, this case was rightly decided. Perhaps now this might lead to the formation of an efficient/licensed broadcast network streaming service that costs users less than Aereo because it is less resource intensive.

I’m not sure the Aereo ruling is the right one in the long run.  One of the thorny issues with broadcast television is range. Broadcasters in different markets are not supposed to overlap. Ordinarily, this is no issue because radio waves only travel so far.  When a provider sends the broadcast by other means, however, overlap is possible, and the provider keeps the overlap from happening. DirecTV, for example, only allows a broadcast package based on location.

Aereo is not so limited, however. Presumably, one can record broadcast shows from every market. Why should this matter? Imagine the Aereo “Sunday Ticket” package, whereby Aereo records local NFL games from every market and allows subscribers to stream them. Presumably this is completely legal, but something seems off about it. While Aereo’s operation seems fine for a single market, this use is a bit thornier. I’m reasonably certain that Congress will close that loophole if any service actually tries it.

Thus, dealing with what should be clearly legal under the statute is thornier than it appears at first.  While I believe that more and cheaper streaming options would be a good thing, I wonder whether the disruption to local broadcast markets is the right way to get there. One thing is clear: copyright law is ill equipped to answer the question.

For the uninitiated, 17 U.S.C. 512 states that “service providers” shall not be liable for “infringement of copyright” so long as they meet some hurdles. A primary safe harbor is in 512(c), which provides exempts providers from liability for “storage at the direction of a user of material that resides on a system” of the service provider.

To qualify, the provider must not know that the material is infringing, must not be aware of facts and circumstances from which infringing activity is apparent, and must remove the material if it obtains this knowledge or becomes aware of the facts or circumstances. Further, if the copyright owner sends notice to the provider, the provider loses protection if it does not remove the material. Finally, the provider might be liable if it has the right and ability to control the user activity, and obtains a direct financial benefit from it.

But even if the provider fails to meet the safe harbor, it might still evade liability. The copyright owner must still prove contributory infringement, and the defendant might have defenses, such as fair use. Of course, all of that litigation is far more costly than a simple safe harbor, so there is a lot of positioning by parties about what does and does not constitute safe activity.

This brings us to our two cases:

Viacom v. YouTube

This is an old case, from back when YouTube was starting. The district court recently issued a ruling once again finding that YouTube is protected by the 512(c) safe harbor. A prior appellateruling remanded for district court determination of whether Viacom had any evidence that YouTube knew or had reason to know that infringing clips had been posted on the site. Viacom admitted that it had no such evidence, but instead argued that YouTube was “willfully blind” to the fact of such infringement, because its emails talked about leaving other infringing clips on the site – just not any that Viacom was alleging. The court rejected this argument, saying that it was not enough to show willful blindness as to Viacom’s particular clips.

The ruling is a sensible, straightforward reading of 512 that favors the service provider.

UMG v. Escape Media

We now turn to UMG v. Escape Media. In a shocking ruling yesterday, the appellate division of the NY Supreme Court (yeah, they kind of name things backward there) held that sound recordings made prior to 1972 were not part of the Section 512 safe harbors. Prior to 1972, such recordings were not protected by federal copyright. Thus, if one copies them, any liability falls under state statute or common law, often referred to as “common law copyright.”  Thus, service providers could be sued under any applicable state law that protected such sound recordings.

Escape Media argued that immunity for “infringement of copyright” meant common law copyright as well, thus preempting any state law liability if the safe harbors were met.

The court disagreed, ruling that a) “copyright” meant copyright under the act, and b) reading the statute to provide safe harbors for common law copyright would negate Section 301(c), which states that “any rights or remedies under the common law or statutes of any State shall not be annulled or limited by this title until February 15, 2067.” The court reasoned that the safe harbor is a limitation of the common law, and thus not allowed if not explicit.

If this ruling stands, then the entire notice and takedown scheme that everyone relies on will go away for pre-1972 sound recordings, and providers may potentially be liable under 50 different state laws. Of course, there are still potential defenses under the common law, but doing business just got a whole lot more expensive and risky to provide services. So, while the sky has not fallen, as a friend aptly commented about this case yesterday, it is definitely in a rapidly decaying orbit.

Policy and Plain Maining

This leads to the key point I want to make here, about how we read the copyright act and discuss it. Let’s start with YouTube. The court faithfully applied the straightforward language of the safe harbors, and let YouTube off the hook. The statute is clear that there is no duty to monitor, and YouTube chose not to monitor, aggressively so.

And, yet, I can’t help but think that YouTube did something wrong. Just reading the emails from that time period shows that the executives were playing fast and loose with copyright, leaving material up in order to get viewers. (By they way, maybe they had fair use arguments, but they don’t really enter the mix). Indeed, they had a study done that showed a large amount of infringement on the site. I wonder whether anyone at YouTube asked to see the underlying data to see what was infringing so it could be taken down. I doubt it.

I would bet that 95% of my IP academic colleagues would say, so what? YouTube is a good thing, as are online services for user generated content. Thus, we read the statute strictly, and provide the safe harbor.

This brings us to UMG v. Escape Media. Here, there was a colossal  screw-up. It is quite likely that no one in Congress thought about pre-1972 sound recordings. As such, the statute was written with the copyright act in mind, and the only reasonable reading of the Section 512 is that it applies to “infringement of copyright” under the Act. I think the plain meaning of the section leads to this conclusion. First, Section 512 refers to many defined terms, such as “copyright owner” which is defined as an owner of one of the exclusive rights under the copyright act. Second, the copyright act never refers to “copyright” to refer to pre-1972 sound recordings that are protected by common law copyright. Third, expanding “copyright” elsewhere in the act to include “common law copyright” would be a disaster. Fourth, state statutes and common laws did not always refer to such protection as “common law copyright,” instead covering protection under unfair competition laws. Should those be part of the safe harbor? How would we know if the only word used is copyright?

That said, I think the court’s reliance on 301(c) is misplaced; I don’t think that a reading of 512 that safe harbored pre-1972 recordings would limit state law. I just don’t think that’s what the statute says, unfortunately.

Just to be clear, this ruling is a bad thing, a disaster even. I am not convinced that it will increase any liability, but it will surely increase costs and uncertainty. If I had to write the statute differently, I would. I’m sure others would as well.

But the question of the day is whether policy should trump plain meaning when we apply a statute. The ReDigi case and the UMG case both seem to have been written to address statutes who did not foresee the policy implications downstream. Perhaps many might say yes, we should read the statute differently.

I’m pretty sure I disagree. For whatever reason – maybe the computer programmer in me – I have always favored reading the statute as it is and dealing with the bugs through fixes or workarounds. As I’ve argued with patentable subject matter, the law becomes a mess if you attempt to do otherwise.  ReDigi and UMG are examples of bugs. We need to fix or work around them. It irritates me to no end that Congress won’t do so, but I have a hard time saying that the statutes should somehow mean something different than they say simply because it would be a better policy if they did. Perhaps that’s why I prefer standards to rules – the rules are good, until they aren’t.

This is not to say I’m inflexible or unpragmatic. I’m happy to tweak a standard to meet policy needs. I’ve blogged before about how I think courts have misinterpreted the plain meaning of the CFAA, but I am nevertheless glad that they have done so to reign it in. I’m also often persuaded that my reading of a statute is wrong (or even crazy) even when I initially thought it was clear. I’d be happy for someone to find some argument that fixes the UMG case in a principled way. I know some of my colleagues look to the common law, for example, to solve the ReDigi problem. Maybe there is a common law solution to UMG. But until then, for me at least, plain meaning trumps policy.

A large part of existing critical thinking on social media has been obsessed with the concept of privacy. . . . Reading through a number of volumes and texts dedicated to the problematic of privacy in social networking one gets the feeling that if the so called “privacy issues” were resolved social media would be radically democratized. Instead of adopting a static view of the concept . . . of “privacy”, critical thinking needs to investigate how the private/public dichotomy is potentially reconfigured in social media networking, and [the] new forms of collectivity that can emerge . . . .

I can even see a way in which privacy rights do not merely displace, but actively work against, egalitarian objectives. Stipulate a population with Group A, which is relatively prosperous and has the time and money to hire agents to use notice-and-consent privacy provisions to its advantage (i.e., figuring out exactly how to disclose information to put its members in the best light possible). Meanwhile, most of Group B is too busy working several jobs to use contracts, law, or agents to its advantage in that way. We should not be surprised if Group A leverages its mastery of privacy law to enhance its position relative to Group B.

Better regulation would restrict use of data, rather than “empower” users (with vastly different levels of power) to restrict collection of data. As data scientist Cathy O’Neil observes:

There are very real problems in the information-gathering space, and we need to address them, but one of the most important issues is that the very people who can’t afford to pay for their reputation to be kept clean are the real victims of the system. . . . [T]hrough using the services from companies Reputation.com and because of the nature of the personalization of internet usage, the very legislators who need to act on behalf of their most vulnerable citizens won’t even see the problem since they don’t share it.

On the other hand, Patelis and Hatzopolous should not be taken to imply that neoliberal, individualist conceptions of privacy are the only version of fair data practices on offer. Both Julie Cohen and Neil Richards have provided rich, holistic accounts of “what privacy is for” and the “dangers of surveillance.” Neither sees data collection as a purely economic transaction isolated from social context. Both recognize the power of governments and corporations to use data collection (and the threat of classification based on it) to not only limit freedom, but also to promote certain ways of life and ideological orientations.

When a service collects information about a user, the situation is so far from the usual arms-length market transaction that neo-classical economic approaches tend to mislead. We need to look to other approaches to equalize the power relationship that surveillance entails, and to stop trying to characterize lack of surveillance as a product that individuals have varying preferences for and purchase accordingly. As James Rules has observed,

Consider the achievements of today’s systems for tracking and evaluating the so-called credit-worthiness of American consumers. This country’s consumer credit reporting industry ascribes to the great majority of adult Americans a three-digit score epitomizing their potential profitability as charge-account customers, credit card users, or mortgage applicants. As in virtually all systems of mass surveillance, credit tracking and scoring enables institutions to make ever-finer distinctions in their treatment of the people they deal with.

But note that American consumers have no remotely comparable monitoring system to help them choose among retailers, products, and services. . . .[S]uch a system would require manufacturers and sellers to provide crucial data. They will, of course, insist that such information is proprietary–that is, they own it, and they’re not giving it up. The reasons for such resistance are obvious: Better information for consumers spells potential disadvantage for sellers. The dramatic discrepancies between these two surveillance potentials—one an ultra-sophisticated reality, the other grossly underdeveloped—are by no means imposed by technology. They reflect sponsorship.

No one should assume that “transparent citizens” and black box corporations are the natural outcome of market processes. The discrepancy reflects and reinforces the ever-growing power of the latter vis a vis the former. There may be no way to stop that trend. But we can at least identify it honestly, rather than mystifying or rationalizing it to reduce cognitive dissonance.

This post describes a recent attempt to create such a market, and proposes potential solutions.

In the good old days, when you wanted to sell your old music, books, or movies, you did just that. You sold your CD, your paperback, or your DVD. This was explicitly legalized in the Copyright Act: 17 USC Section 109 says that: “…the owner of a particular copy or phonorecord lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy or phonorecord.” As we’ll see later, a phonorecord is the material object that holds a sound recording, like a CD or MP3 player.

But we don’t live in the good old days. In many ways, we live in the better new days. We can buy music, books, and DVDs over the internet, delivered directly to a playback device, and often to multiple playback devices in the same household. While new format and delivery options are great, they create problems for content developers, because new media formats are easily copied. In the bad sort-of-old days, providers used digital rights management (or DRM) to control how content was distributed. DRM was so poorly implemented that it is now a dirty word, so much so that it was largely abandoned by Apple; it is, however, still used by other services, like Amazon Kindle eBooks. Providers also use contracts to limit distribution – much to Bruce Willis’s chagrin. Indeed, Section 109(d) is clear that a contract can opt-out of the disposal right: “[Disposal rights] do not, unless authorized by the copyright owner, extend to any person who has acquired possession of the copy or phonorecord from the copyright owner, by rental, lease, loan, or otherwise, without acquiring ownership of it.”

But DRM is easily avoided if you simply transfer the entire device to the another party. And contracts are not necessarily as broad as people think. For example, I have scoured the iTunesterms of service and I cannot find any limitation on the transfer of a purchased song. There are limitations on apps that make software a license and limit transfers, but the music and video downloads are described as purchases unless they are “rentals,” and all of the “use” limitations are actually improvements in that they allow for multiple copies rather than just one. Indeed, the contract makes clear that if Apple kills off cloud storage, you are stuck with your one copy, so you had better not lose it. If someone can point me to a contract term where Apple says you have not “purchased” the music and cannot sell it, I would like to see that.

Enter ReDigi and the lawsuit against it. ReDigi attempted to set up a secondary market for digital works. The plaintiff was Capitol Records, so there was no contract privity, so this is a pure “purchase and disposal” case. A description from the case explains how it worked (in edited form here):

To sell music on ReDigi’s website, a user must first download ReDigi’s “Media Manager” to his computer. Once installed, Media Manager analyzes the user’s computer to build a list of digital music files eligible for sale. A file is eligible only if it was purchased on iTunes or from another ReDigi user; music downloaded from a CD or other file-sharing website is ineligible for sale. After this validation process, Media Manager continually runs on the user’s computer and attached devices to ensure that the user has not retained music that has been sold or uploaded for sale. However, Media Manager cannot detect copies stored in other locations. If a copy is detected, Media Manager prompts the user to delete the file. The file is not deleted automatically or involuntarily, though ReDigi’s policy is to suspend the accounts of users who refuse to comply.

 

After the list is built, a user may upload any of his eligible files to ReDigi’s “Cloud Locker,” an ethereal moniker for what is, in fact, merely a remote server in Arizona. ReDigi’s upload process is a source of contention between the parties. ReDigi asserts that the process involves “migrating” a user’s file, packet by packet — “analogous to a train” — from the user’s computer to the Cloud Locker so that data does not exist in two places at any one time. Capitol asserts that, semantics aside, ReDigi’s upload process “necessarily involves copying” a file from the user’s computer to the Cloud Locker. Regardless, at the end of the process, the digital music file is located in the Cloud Locker and not on the user’s computer. Moreover, Media Manager deletes any additional copies of the file on the user’s computer and connected devices.

 

Once uploaded, a digital music file undergoes a second analysis to verify eligibility. If ReDigi determines that the file has not been tampered with or offered for sale by another user, the file is stored in the Cloud Locker, and the user is given the option of simply storing and streaming the file for personal use or offering it for sale in ReDigi’s marketplace. If a user chooses to sell his digital music file, his access to the file is terminated and transferred to the new owner at the time of purchase. Thereafter, the new owner can store the file in the Cloud Locker, stream it, sell it, or download it to her computer and other devices. No money changes hands in these transactions. Instead, users buy music with credits they either purchased from ReDigi or acquired from other sales. ReDigi credits, once acquired, cannot be exchanged for money. Instead, they can only be used to purchase additional music.

ReDigi claimed that it was protected by 17 USC 109. After all, according to the description, it was transferring the work (the song) from the owner to ReDigi, and then to the new owner. Not so, said the court. As the court notes, Section 109 protects only the disposition of particular copies(phonorecords, really) of the work. And uploading a file and deleting the original is not transferring a phonorecord, because the statute defines a “phonorecord” as the physical medium in which the work exists. Transfer from one phonorecord to another is not the same as transfering a particularphonorecord. So, ReDigi could be a secondary market for iPods filled with songs, but not the songs disembodied from the storage media.

As much as I want the court to be wrong, I think it is right here, at least on the narrow, literal statutory interpretation. The words say what they say. Even the court notes that this is an uncomfortable ruling: “[W]hile technological change may have rendered Section 109(a) unsatisfactory to many contemporary observers and consumers, it has not rendered it ambiguous.”

Once the court finds that transferring the song to ReDigi is an infringing reproduction, it’s all downhill, and not in a good way. The court notably finds that there is no fair use. I think it is here that the court gets it wrong. Unlike the analysis of Section 109, the fair use analysis is short, unsophisticated, and devoid of any real factual analysis. I think this is ReDigi’s best bet on appeal.

Even despite my misgivings, ReDigi’s position is not a slam dunk. After all, how can it truly know that a backup copy has not been made? Or that the file has not been copied to other devices? Or that the file won’t simply be downloaded from cloud storage or even iTunes after it has been uploaded to ReDigi.

If ReDigi, which seemed to try to do a good job ensuring no residual copies, cannot form a secondary market, then what hope do we have? We certainly aren’t going to get there with the statute we have, unless courts are much more willing to read a fair use into transfers. The real problem is that the statute works fine when the digital work (software, music, whatever) is stored in a single use digital product. When we start separating the “work” from the container, so that containers can hold many different works and one work might be shared on several containers all used by the same owner, all of the historical rules break down.

So, what do we do if we can’t get the statute amended? I suspect people will hate my answer: a return to the dreaded DRM. A kinder, gentler, DRM. I think that DRM that allows content providers to recall content at will (or upon business closure) must go — whether legislatively or regulatorily. It is possible, of course, for sophisticated parties to negtotiate for such use restrictions (for example, access to databases), and to set pricing for differing levels of use based on those negotiations. That’s what iTunes does with its “rentals.”

But companies should not be allowed to offer content “for sale” if delivery and use is tied to a contract or DRM that renders that content licensed and not in control of buyers. This is simply false advertising that takes advantage of settled expectations of users, and well within the powers of the FTC, I believe.

But DRM can and should be used to limit copying and transferrability. If transferability is allowed, then the DRM can ensure that the old user does not maintain copies. Indeed, if content outlets embraced this model, they might even create their own secondary markets to increase competition in the secondary market. In short, the solution to the problem, I believe, is going to be a technical one, and that might be a good thing for users who can no credibly show that they won’t copy.

And DRM is what we are seeing right now. Apparently, ReDigi has reimplemented its service so that iTunes purchases are directly copied to a central location where they stay forever. From there, copies are downloaded to particular user devices pursuant to the iTunes agreement. This way, ReDigi acts as the digital rights manager. When a user sells a song, it ReDigi cuts off access to the song for the selling user, and allows the buying user access without making a new copy of the song on its server. I presume that its media manager also attempts to delete all copies from the sellers devices.

Of course, this might mean that content, or at least transferring it, is a little more expensive than before. But let’s not kid ourselves – the good old days weren’t that good. You had to buy the whole CD, or maybe a single if one was available, but you could not pick and choose any song on any album. Books are heavy and bulky; you couldn’t carry thousands of them around. And DVDs require a DVD player, which has several limitations compared to video files.

DRM may just be the price we pay for convenience and choice. We don’t have to pay that price. Indeed, I buy most of my music on CD. And I get to put the songs where I want, and I suppose sell the CD if I want, though I never do. As singles start costing $1.50, it may make sense to buy the whole CD. Alas, these pricing issues are incredibly complex, which may take another post in the future.

a broken system built on the dangerous misconception that testing is a proxy for actual teaching and learning. Somehow, along the path of good intentions, testing stopped being seen as a diagnostic tool to guide good instruction and became, instead, the instruction itself. It’s as if a patient were given a biopsy, learned she had cancer and was then told that no further medical treatment was necessary. If that didn’t sound quite right, we could just fire the doctor who ordered the test or scratch out the patient’s results and mark “cured” in the file.

Although I am leery of easy solutions, I think that a system that may prod a student to see what they know and then come to a teacher to gain further insight and evaluate what they grasp would be great. It might be a step away from a system that asks students to jump through a hoop and receive a star or treat for performing a trick without knowing why the words or ideas coming from them matter or how to apply the words and ideas to new contexts, which I think would be knowledge rather than inert data.

“Computers in the future will weigh no more than 1.5 tons.”
Popular Mechanics, 1949

Or maybe 112 grams (3.95 ounces)?

“There is no reason for any individual to have a computer in his home.” Ken Olsen, co-founder of Digital Equipment Corporation, 1977

Or maybe three out of four homes will have at least one computing device (2010 statistics; see table 1C; given that “handhelds” were included and the data is from 2010, I’m guessing that number has increased significantly)?

So much for the predicting (though Arthur C. Clarke seems to have gotten it largely right). [The "missed predictions article includes the now infamous Bill Gates "640K is more memory than anyone will ever need on a computer" quotation, but given that Gates has disavowed ever making this statement, and there's no good proof that he did, it's probably best to leave Gates out of this one.]

But even though the predictions were wrong, and many of us carry around significant amounts of computing power every day, we don’t always realize what it is that we have or just how much that power can do. Case in point:

Apparently you can hijack an airliner by hacking into the planes [sic] system with an android smart phone!

Animalnewyork.com reports that at a security conference in Amsterdam, hacker and researcher Hugo Teso demonstrated how to hijack a plane’s controls from the ground using his Android smartphone.

So, it can be done without the hacker having to be on the plane at all?! Creepy doesn’t even cover it! Teso exploited the Aircraft Communications Addressing and Report System (ACARS), which controls planes’ flight management systems and has very little in the way of security.

More details here and here; this is the full presentation in PDF. I remember being upset when I heard that people might hack the Hoover dam (hint, they can’t, it’s not connected to the Internet). But you can hack an insulin pump for diabetics. And the electric grid. And maybe those wireless brain implants (okay, those aren’t really in use yet, but once they are . . . ). Maybe this is all overplayed — the aircraft hack article ends with this claim from Honeywell, the company that makes the relevant systems:

“[T]he version he used of our flight management system is a publicly available PC simulation, and that doesn’t have the same protections against overwriting or corrupting as our certified flight software.”

I guess I’m still not particularly impressed, but I am intrigued by even the potential for a remote aircraft hack, and the policy and liability issues raised by this and other vulnerabilities as computing becomes more and more pervasive in our daily lives. Fascinating stuff.

Much troll activity today is hidden beneath a labyrinth of shell companies. Acacia’s subsidiaries control 250 patent portfolios. Intellectual Ventures has used at least 1276 shell companies to purchase and hold patents. Given this, how could potential targets engage in licensing negotiations or evaluate patent portfolios? The agencies must be able to shine sunlight on this subterranean network, obtaining complete information from patent acquisitions, among other conduct, to determine competitive effects.

I’m going to guess that, if someone tried to expose (or require disclosure) of the port-trollios, the firms would respond “our combination of patents is itself valuable IP–a trade secret!” They may follow Silicon Valley giants’ pattern of trade secret expansionism. Are we ready for the term “trade [secret] troll?”

Andrew “Weev” Auernheimer (whom I will call AA for short) was recently convicted under the CFAA and sentenced to 41 months and $73K restitution. Orin Kerr is representing him before the Third Circuit. I am seriously considering filing an amicus brief on behalf of all academics. In short, this case scares me in a much more personal way than prior discussed in my prior CFAA posts. More after the jump.

Here’s the basic story, as described by Orin Kerr:

When iPads were first released, iPad owners could sign up for Internet access using AT&T. When they signed up, they gave AT&T their e-mail addresses. AT&T decided to configure their webservers to “pre load” those e-mail addresses when it recognized the registered iPads that visited its website. When an iPad owner would visit the AT&T website, the browser would automatically visit a specific URL associated with its own ID number; when that URL was visited, the webserver would open a pop-up window that was preloaded with the e-mail address associated with that iPad. The basic idea was to make it easier for users to log in to AT&T’s website: The user’s e-mail address would automatically appear in the pop-up window, so users only needed to enter in their passwords to access their account. But this practice effectively published the e-mail addresses on the web. You just needed to visit the right publicly-available URL to see a particular user’s e-mail address. Spitler [AA’s alleged co-conspirator] realized this, and he wrote a script to visit AT&T’s website with the different URLs and thereby collect lots of different e-mail addresses of iPad owners. And they ended up collecting a lot of e-mail addresses — around 114,000 different addresses — that they then disclosed to a reporter. Importantly, however, only e-mail addresses were obtained. No names or passwords were obtained, and no accounts were actually accessed.

Let me paraphrase this: AA went to a publicly accessible website, using publicly accessible URLs, and saved the results that AT&T sent back in response to that URL. In other words, AA did what you do every time you load up a web page. The only difference is that AA did it for multiple URLs, using sequential guesses at what those URLs would be.  There was no robot.txt file that I’m aware of (this file tells search engines which URLs should not be searched by spiders). There was no user notice or agreement that barred use of the web page in this manner. Note that I’m not saying such things should make the conduct illegal, but only that such things didn’t even exist here. It was just two people loading data from a website. Note that a commenter on my prior post asked this exact same question–whether “link guessing” was illegal–and I was noncommital. I guess now we have our answer.

The government’s indictment makes the activity sound far more nefarious, of course. It claims that AA “impersonated” an iPad. This allegation is a bit odd: the script impersonated an iPad in the same way that you might impersonate a cell phone by loading http://m.facebook.com to load the mobile version of Facebook. Go ahead, try it and you’ll see – Facebook will think you are a cell phone. Should you go to jail?

So, readers might say, what’s the problem here? AA should not have done what he did – he should have known that AT&T did not want him downloading those emails. Yeah, he probably did know that. But consider this: AA did not share the information with the world, as he could have. I am reasonably certain that if his intent was to harm users, we would never know that he did this – he would have obtained the addresses over an encrypted VPN and absconded. Instead, AA shared this flaw with the world. AT&T set up this ridiculously insecure system that allowed random web users to tie Apple IDs to email addresses through ignorance at best or hubris at worst. I don’t know if AA attempted to inform AT&T of the issue, but consider how far you got last time you contacted tech support with a problem on an ISP website. AA got AT&T’s attention, and the problem got fixed with no (known) divulgence of the records.

Before I get to academia, let me add one more point. To the extent that AA should have known AT&T didn’t desire this particular access, the issue is one of degree not of kind. And that is the real problem with the statute. There is nothing in the statute, absolutely nothing, that would help AA know whether he violated the law by testing this URL with one, five, ten, or ten thousand IDs.  Here’s one to try: clickhere for a link to a concert web page deep link using a URL with a numerical code. Surely Ticketmaster can’t object to such deep linking, right? Well, it did, and sued Tickets.com over such behavior. Itclaimed, among other things, that each and every URL was copyrighted and thus infringed if linked to by another. It lost that argument, but today it could just say that such access was unwanted.  For example, maybe Tickemaster doesn’t like me pointing out its ridiculous argument in the tickets.com case, making my link unauthorized. Or maybe I should have known because the Ticketmaster terms of service says that an express condition of my authorization to view the site is that I will not “Link to any portion of the Site other than the URL assigned to the home page of our site.” That’s right, TicketMaster still thinks deep linking is unauthorized, and I suppose that means I risk criminal prosecution for linking it. Imagine if I actually saved some of the data!

This is where academics come in. Many, many academics scrape. (Don’t stop reading here – I’ll get to non-scrapers below.) First, scraping is a key way to get data from online databases that are not easily downloadable. This includes, for example, scraping of the US Patent & Trademark Office site; although data is now available for mass download, that data is cumbersome, and scraper use is still common. That the PTO is public data does not help matters. In fact, it might make it worse, since “unauthorized” access to government servers might receive enhanced penalties!

Academics (and non-academics) in other disciplines scrape websites for research as well. How are these academics to know that such scraping is disallowed? What if there is no agreement barring them from doing so? What if there is a web-wrap notice as broad as Ticketmaster’s, purporting to bar such activities but with no consent by the user? The CFAA could send any academic to jail for ignoring such warnings—or worse—not seeing them in the first place. Such a prosecution would be preposterous, skeptics might say. I hope the skeptics are right, but I’m not hopeful. Though I can’t find the original source, I recall Orin Kerr recounting how his prosecutor colleagues said the same thing 10 years ago when he argued the CFAA might apply to those who breach contracts, and now such prosecutions are commonplace.

Finally, non-scrapers are surely safe, right? Maybe it depends on if they use Zotero. Thousands of people use it. How does Zotero get information about publications  when the web site does not provide standardized citation data? You guessed it: a scraper. Indeed, a primary reason I don’t use Zotero is that the Lexis and Westlaw scrapers don’t work. But the PubMed importer scrapes. What if PubMed decide that it considered scraping of information unauthorized? Surely people should know this, right? If it wanted people to have this data, they would provide it in Zotero readable format. The fact that the information on those pages is publicly available is irrelevant; the statute makes no distinction. And if one does a lot of research, for example, checking 20 documents, downloading each, and scraping each page, the difference from AA is in degree only, not in kind.

The irony of this case is that the core conviction is only tangentially a problem with the statute (there are some ancillary issues that are a problem with the statute). “Unauthorized access” and even “exceeds authorized access” should never have been interpreted to apply to publicly accessible data on publicly accessible web sites. Since they have, then I am convinced that the statute is impermissibly broad, and must be struck down. At the very least it must be rewritten.