nexusgroove Posted June 14 Report Share Posted June 14 You're about to lose your ability to use TiVo, your firewall, and keep yourprivacy. This bill has secretly passed the Florida legislature and will becomelaw once Jeb Bush signs it in a few weeks! Did you know this???Florida State "Super-DMCA" Legislation:MPAA's Stealth Attack on Your Living RoomFred von LohmannSenior Intellectual Property Attorneyfred@e...Recently, the Motion Picture Association of America (MPAA) has been pressingstates to enact new legislation aimed at criminalizing the possession of whatthey call "unlawful communication and access devices." These measures representan unprecedented attack on the rights of technologists, hobbyists, tinkerersand the public at large. In essence, these proposals would allow "communicationservice providers" to restrict what you can connect to your Internet connectionor cable or satellite television lines.These measures represent a stealth effort to dramatically expand the reach ofthe federal Digital Millennium Copyright Act (DMCA), which has already put fairuse, innovation, free speech and competition in peril since being enacted in1998.The Electronic Frontier Foundation (EFF) strongly opposes these state"super-DMCA" bills as unnecessary and overbroad. The proposed bills representthe worst kind of special interest legislation, sacrificing the public interestin favor of the self-serving interests of one industry. ResourcesFor the latest news about the status of the various bills, as well as updatesabout what you can do to share your views with state legislators, check EFF's"Super-DMCA" Action Center page. Another excellent resource is Professor EdwardFelten's page on these bills.BackgroundThe MPAA's state lobbyists have been stealthily pushing these state super-DMCAmeasures since at least 2001. Even before these activities crossed activists'radar, six states (Delaware, Illinois, Michigan, Oregon, Pennsylvania andWyoming) had already enacted them into law. Similar bills have been introducedand are currently pending in Arkansas, Colorado, Florida, Georgia,Massachusetts, Tennessee and Texas.The bills are generally offered as amendments to existing state criminal lawsrelating to signal theft, that is, getting cable television without paying forit. Since these signal theft laws vary from state to state, the super-DMCAproposals also vary in their wording.Nevertheless, all of the proposed bills appear to be derived from a single"model bill" developed by MPAA lobbyists and thus share common traits. First,they would all impose a new ban on the possession, development, or distributionof a broad array of "communication" and "unlawful access" devices, along with aban on devices that enable anonymous communication. All the bills also create anew right to bring civil lawsuits to enforce these provisions.The definitions used in the bill are absurdly broad. The bill protects"communication services," which includes any "service lawfully provided for acharge or compensation" delivered via electronic means using virtually anytechnology. This would include every wire in your house for which you pay afee, including your telephone, cable TV, satellite and Internet lines. Thiscategory also sweeps in any Internet-based subscriptions services, includingdigital music services such as pressplay, MusicNow, or Rhapsody.The super-DMCA bills would regulate the possession, development and use of"communication devices" and "unlawful access devices." A "communication device"is virtually any electronic device you might connect to any communicationservice. The definition of "unlawful communication device" is somewhatnarrower, sweeping in any device that is "primarily designed, developed,.possessed, used or offered. for the purpose of defeating or circumventing" atechnological protection measure used to protect a communication services. The proposed bills generally prohibit four categories of activity:1.. Possession, development, distribution or use of any "communicationdevice" in connection with a communication service without the expressauthorization of the service provider. 2.. Concealing the origin or destination of any communication from thecommunication service provider. 3.. Possession, development, distribution or use of any "unlawful accessdevice." 4.. Preparation or publication of any "plans or instructions" for making anydevice having reason to know that such a device will be used to violate theother prohibitions. These proposals dramatically expand the power of entertainment companies, ISPs,cable companies and others to control what you can and can't connect to theservices that you pay for. If enacted, they will slow innovation, impaircompetition and seriously undermine a consumer's right to choose whattechnologies they use in their homes.These Bills are UnnecessaryWhy is this additional law needed? The MPAA has circulated a "one-pager"explaining in vague terms that additional measures are necessary to "update"existing state laws to address the problem of "Internet piracy" and "cabletheft." Copyright infringement and cable service theft, however, are alreadyclearly prohibited under existing laws, both state and federal. The federallaws include traditional copyright infringement, as well as the DMCA, theComputer Fraud and Abuse Act (CFAA), and prohibitions on illicit cable andsatellite descrambling equipment. There are a variety of existing state lawremedies, as well, including laws banning signal theft and computer intrusion.Providers of communication services can also bring breach of contract actionsif their customers violate any restrictions included in their subscriptionagreements. In short, state super-DMCA measures are redundant and unnecessaryas penalties for Internet copyright infringement or cable service theft.The MPAA has failed to identify any specific problem that the proposed billsreach that is not already addressed by existing law. In fact, when asked byMassachusetts legislators why an additional law was needed, a representative ofthe MPAA could only answer, "I don't know. The lawyers tell me we need this."It is telling that state law enforcement personnel, the very people who enforcethe existing cable theft laws, have not called for or supported the super-DMCAproposals.All Things Not Expressly Permitted are ForbiddenWhatever their intended target, state super-DMCA bills represent anunprecedented intrusion into the living rooms of law-abiding citizens, givingcommunication service providers unilateral control over what you can connect toyour home entertainment systems.Under existing law, those who have legitimately purchased communicationservices (e.g., cable TV, satellite, or broadband Internet services) are freeto connect whatever they like to the wires they pay for, so long as they do notviolate any otherwise applicable law. So, for example, you are free to connecta new TV, PC, VCR or TiVo to a cable television connection that you pay for.Similarly, you are free to connect a Wi-Fi wireless access point to your DSLline in order to share your broadband connection among several computers inyour house. This freedom has encouraged technology vendors to compete andinnovate in response to the demands of consumers.The proposed super-DMCA statutes reverse this traditional rule. Under thesestatutes, you would not be entitled to connect anything to your cable,satellite, or DSL line without the express permission of your service provider.The model MPAA bill accomplishes this by making it a crime to possess a deviceto "receive . transmit, [or] re-transmit" any communication service without the"express authorization" of the communication service provider. The variouspending state bills include similar language.This provision would make you a criminal for simply connecting a TV, PC, TiVoor VCR (all of which can "receive" communication services) to the cable TV linein your living room without your cable company's permission. It could also makeyou a criminal for connecting a Wi-Fi wireless gateway (which can "retransmit"Internet traffic) to your DSL or cable modem line without the permission ofyour ISP. The shift proposed by these bills is radical: all technology that isnot expressly permitted becomes forbidden. This would give communicationservice providers unprecedented control over the home entertainment and thetechnology marketplace. For example, your broadband ISP could force you to useonly certain brands of computers, or force you to pay extra if you wanted toconnect more than one computer to your DSL line. Cable and satellite TVservices could forbid you from using a TiVo, or could charge you extra toconnect a VCR to your TV. Bolting on the "Intent to Defraud"In the face of mounting criticism from several quarters, the MPAA has offeredto modify its proposal to reach only those who act with an "intent to defraud"a communication service provider. Rather than addressing the underlyingproblems with the measure, however, the "intent to defraud" revision merelyfurther muddies the waters.First, it is critical to note that this "intent to defraud" language has notbeen incorporated into all of the bills that are currently pending before statelegislatures. Moreover, it is too late to include this limitation in the statestatutes that have already been adopted. While the revision addresses some concerns, it leaves many legitimateactivities hip-deep in legal quicksand. For example, what if a subscriber tothe MusicNow digital music service connects an analog cassette deck to her PCin order to record streaming music for later playback in her car's cassettedeck? The fine print in the MusicNow subscriber agreement purports to forbidsubscribers from making any copies without authorization. Has she acted with an"intent to defraud" MusicNow? What if HBO begins broadcasting a notice beforeevery episode of the Sopranos, forbidding HBO subscribers from recording theprogram? If, notwithstanding this prohibition, a subscriber connects a TiVo inorder to record the program for later viewing, has he acted with an "intent todefraud" HBO? To take a third example, what if a researcher signs up for the pressplaydigital music service in order to evaluate the digital rights managementtechnologies being used by the service. Notwithstanding the fact that thepressplay user agreement forbids reverse engineering, the researcher engages inotherwise legal reverse engineering in order to develop tools that allow him totest the security of the service, and subsequently publishes his results in anacademic journal. Has the researcher acted with an "intent to defraud"pressplay?Each of these activities raises unsettled and controversial questions at thenexus of federal copyright and state contract laws. The proposed super-DMCAstatutes, however, constitute a sneaky, self-serving attempt by one industry tolegislate an answer to these important questions under cover of dark withoutpublic interest input. Bolting on an ambiguous "intent to defraud" qualifierdoes not redeem this flaw.Attacking AnonymityAnother provision of the various state super-DMCA statutes that has attractedconsiderable attention is the ban on devices that "conceal . the existence orplace of origin or destination of any communication." At a time when consumerprivacy and the constitutional right to anonymous speech are under attack froma variety of sources, this provision is particularly misguided.A simple ban on devices capable of concealing communication would make a widerange of multi-purpose tools illegal. Widely-used home networking equipmentcould be banned because it often includes "network address translation" (NAT)and firewall features that incidentally conceal the origin and destinations ofInternet communication. Some forms of encryption for email and web trafficmight fall within this provision. The use of "virtual private networking" (VPN)software by corporations to secure communication with off-site employees wouldalso be swept up by this provision. Products like Anonymizer that aim toprotect the privacy of Internet users against advertisers like Doubleclickmight also be imperiled. Perhaps recognizing the absurd overbreadth of thisprovision, the MPAA has offered to revise the language in its model bill toapply only where "such concealment is for the purpose of committing aviolation" of the prohibition on connecting a device without the expressauthorization of a communication service provider.Although this change represents a step in the right direction, it does notadequately address the failings of the provision. For example, as noted above,the ban on connecting unauthorized devices to your broadband DSL connectioncould reach home networking equipment that was not authorized by your ISP. Byinstalling a $50 Linksys router that includes NAT and firewall functions, youcould be liable for "concealing" communication even under the revised MPAAlanguage. Employees who use VPN software to access their corporate networkwithout the express authorization of their home ISPs would also run afoul ofeven the revised provision.A Chill on Computer Security ResearchThe proposed legislation will also chill legitimate computer security research.Security researchers advance their science by testing existing security systemsfor weaknesses. By discovering, documenting and reporting these weaknesses,security researchers teach vendors how to improve their systems, as well aswarning customers when those systems are compromised. Unfortunately, the proposed state "super-DMCA" bills will chill legitimateresearch in two ways. First, these measures make it unlawful to develop orpossess the tools that security researchers need in order to carry out theirwork. Researchers often design their own software tools in the course ofcarrying out their research and must distribute these tools to their colleaguesin order to enable peer-review of research results. These tools, moreover, maybe designed for the sole purpose of breaking the security systems that areunder examination. As a result, these tools would be banned by the proposedstate statutes, which lump all tools "primarily designed" to circumvent anyprotection system into the category of "unlawful communication devices." Earlyexperience with the DMCA suggests that computer security research has alreadysuffered at the hands of overbroad and poorly drafted legislation. The proposedstate super-DMCA statutes will only exacerbate this problem.Second, the statutes interfere with a researcher's ability to publish theresults of her research by banning the distribution of "plans or instructions"for making an "unlawful access device." By describing the weaknesses of asecurity technology, and describing research in enough detail to enable peerreview, researchers could well run afoul of this prohibition. This creates anunnecessary burden on the free speech rights of researchers and thepublications that seek to disseminate their work. This provision alsorepresents a substantial expansion beyond the boundaries of the DMCA, whichreaches only "technology," stopping short of "plans or instructions." In acountry where the First Amendment protects the publication of bomb makingplans, it seems particularly unwarranted to crack down on the publication ofinformation regarding computer security.Although the "intent to defraud" limitation may ameliorate these harms to someextent, for the reasons noted above, this last minute addition raises as manyquestions as it answers. Legal ambiguities in this context will only chillsecurity researchers and their institutions from engaging in sorely neededresearch activities.A Threat to Innovation and CompetitionAs discussed above, the proposed state super-DMCA proposals forbid a consumerfrom connecting anything to a communication service without the serviceprovider's express authorization. This creates an enormous opportunity foranticompetitive conduct. Broadband ISPs, for example, could require that theirsubscribers use only a particular brand of PC or operating system. AOL couldeffectively ban its subscribers from using any instant messanging softwareother than its own. Cable TV providers could limit subscribers to using onlycertain brands of VCRs and could ban TiVo in favor of their own proprietary PVRtechnologies. This outcome would be particularly ironic in the face of theFCC's decade-long effort to encourage the development of open, interoperablestandards for cable-compatible televisions.These scenarios are not far-fetched. Recent experience with the DMCA makes itclear that companies will not hesitate to use new legal protections in order torid themselves of competition. For example, Lexmark recently invoked the DMCAin an effort to eliminate the aftermarket for Lexmark laser printer tonercartridges. A leading garage door opener maker has also invoked the DMCA in aneffort to eliminate a competitor in the market for universal garage doorremotes.Recognizing the importance of interoperability, Congress included a reverseengineering exception in the DMCA. The MPAA's proposed state super-DMCAmeasures include no such exception, making them an even more severe threat tocompetition and consumer freedom of choice.Transferring law enforcement from public to private hands.The proposed state super-DMCA statutes transfer considerable new enforcementpowers from law enforcement authorities into private hands.Each of the pending state bills starts from an existing state penal lawprovision, extending its reach by adding a civil cause of action to what waspreviously a criminal statute. In other words, the bills authorize privateparties to sue in addition to local district attorneys. This change alone hasimportant consequences. When enacting criminal statutes, legislatures are oftenwilling to adopt broad and ambiguous language that they might not accept in acivil provision, counting on the discretion of a district attorney (who isoften an elected official) to prevent abusive application of the law. Privateparties are not subject to these institutional checks. In addition, where acriminal statute is involved, the state must prove its case "beyond areasonable doubt" and courts must interpret statutes narrowly. In civil cases,in contrast, a private party can prevail under the more lenient "more likelythan not" standard and there is no similar policy of narrow interpretation.Before new legal enforcement powers are delegated into private hands, prudentpolicy-makers should ask whether these new powers are justified and whetherthey can be too easily abused to the detriment of the public interest. Here,the MPAA has made virtually no showing that these additional powers should betransferred from the state into private hands.Dangerous RemediesThe proposed state law measures impose a variety of unreasonably one-sidedremedies on defendants.Remote Downgrades. The MPAA's proposed model bill authorizes a court to order"the remedial modification.of any communication or unlawful access device.thatis in the.control of the violator." When coupled with an "auto-update" feature,this provision could empower state courts to order technology companies toforce "downgrades" on consumers nation-wide. For example, TiVo retains theability to upgrade remotely the software on all TiVo units. AOL, Microsoft andApple also provide automatic upgrade functionality in their software, aimed atgiving customers the latest security and feature upgrades. If state courtconcludes that these vendors have the power to "control" their software, thecourt would have the power to order the "downgrade" of devices in homesnation-wide (and perhaps world-wide). Bestowing this remedial power on a statecourt would be unprecedented.One-Sided Attorneys' Fees. All of the proposed bills include one-sided"fee-shifting" clauses authorizing a court to force a losing defendant to payfor the attorneys of the prevailing plaintiff. One proposed measure, in fact,goes so far as to automatically require that a losing defendant pay theattorneys' fees of the victorious service provider.These provisions are not reciprocal, however. When a service provider wins, itcan collect attorneys' fees, but an innocent defendant is never entitled to areimbursement of fees. This is remarkable, when you consider that in most casesthe communication service provider will be a large business, while thedefendants are likely to be individuals or small businesses with limitedability to defend a lawsuit.Automatic Injunctions. The proposed state bills include provisions that wouldeffectively entitle plaintiffs to automatic preliminary injunctions, withouthaving to satisfy the traditional requirements of showing actual damage,irreparable harm or an inadequate remedy at law. Especially where software,instructions and plans are concerned, each of which has been recognized asprotected expression under the First Amendment, this sort of automaticinjunction threatens constitutional interests.Abusive damages. The proposed state bills would also give prevailing plaintiffsthe right to demand "statutory damages" in an amount ranging from $1,500 to$10,000 for each prohibited device. These statutory damages would apply even ifa plaintiff were unable to prove that it had suffered any actual damage at all.The bills also create enhanced criminal penalties based on the number ofprohibited devices and creates a separate offense for each device and for eachday that a person violates any provision. Multiplying remedies by the number of devices is an approach that quickly leadsto absurd results in the digital context. Where software is concerned, thenumber of copies has no necessary relationship to the harm suffered by aservice provider. For example, if a security researcher were to publish a paperthat included software held to be an "unlawful access device," and that paperwere downloaded by only 100 academic colleagues, the researcher would facedamages of at least $150,000. Similarly, because the proposed statutescriminalize mere possession of an "unlawful access device," a researcher couldface serious penalties simply for installing a tool on several computers in hisown research lab. The number of devices simply has no necessary relationship tothe harm involved, and thus should not be the basis for a penalty multiplier.What You Can DoThese bills are often whipping through state legislatures with very littleopportunity for public comment. MPAA lobbyists are presenting the measures as"consensus" bills, suggesting that no one opposes them. Even a few concernedletters from constituents can upset this lie, leading a state legislator to askquestions.Please take a moment to express your opposition to this measure to your statelegislators, should it be introduced in your state. Quote Link to comment Share on other sites More sharing options...
vipnerd Posted June 15 Report Share Posted June 15 Originally posted by nexusgroove You're about to lose your ability to use TiVo, your firewall, and keep yourprivacy. This bill has secretly passed the Florida legislature and will becomelaw once Jeb Bush signs it in a few weeks! Did you know this???Florida State "Super-DMCA" Legislation:MPAA's Stealth Attack on Your Living RoomFred von LohmannSenior Intellectual Property Attorneyfred@e...Recently, the Motion Picture Association of America (MPAA) has been pressingstates to enact new legislation aimed at criminalizing the possession of whatthey call "unlawful communication and access devices." These measures representan unprecedented attack on the rights of technologists, hobbyists, tinkerersand the public at large. In essence, these proposals would allow "communicationservice providers" to restrict what you can connect to your Internet connectionor cable or satellite television lines.These measures represent a stealth effort to dramatically expand the reach ofthe federal Digital Millennium Copyright Act (DMCA), which has already put fairuse, innovation, free speech and competition in peril since being enacted in1998.The Electronic Frontier Foundation (EFF) strongly opposes these state"super-DMCA" bills as unnecessary and overbroad. The proposed bills representthe worst kind of special interest legislation, sacrificing the public interestin favor of the self-serving interests of one industry. ResourcesFor the latest news about the status of the various bills, as well as updatesabout what you can do to share your views with state legislators, check EFF's"Super-DMCA" Action Center page. Another excellent resource is Professor EdwardFelten's page on these bills.BackgroundThe MPAA's state lobbyists have been stealthily pushing these state super-DMCAmeasures since at least 2001. Even before these activities crossed activists'radar, six states (Delaware, Illinois, Michigan, Oregon, Pennsylvania andWyoming) had already enacted them into law. Similar bills have been introducedand are currently pending in Arkansas, Colorado, Florida, Georgia,Massachusetts, Tennessee and Texas.The bills are generally offered as amendments to existing state criminal lawsrelating to signal theft, that is, getting cable television without paying forit. Since these signal theft laws vary from state to state, the super-DMCAproposals also vary in their wording.Nevertheless, all of the proposed bills appear to be derived from a single"model bill" developed by MPAA lobbyists and thus share common traits. First,they would all impose a new ban on the possession, development, or distributionof a broad array of "communication" and "unlawful access" devices, along with aban on devices that enable anonymous communication. All the bills also create anew right to bring civil lawsuits to enforce these provisions.The definitions used in the bill are absurdly broad. The bill protects"communication services," which includes any "service lawfully provided for acharge or compensation" delivered via electronic means using virtually anytechnology. This would include every wire in your house for which you pay afee, including your telephone, cable TV, satellite and Internet lines. Thiscategory also sweeps in any Internet-based subscriptions services, includingdigital music services such as pressplay, MusicNow, or Rhapsody.The super-DMCA bills would regulate the possession, development and use of"communication devices" and "unlawful access devices." A "communication device"is virtually any electronic device you might connect to any communicationservice. The definition of "unlawful communication device" is somewhatnarrower, sweeping in any device that is "primarily designed, developed,.possessed, used or offered. for the purpose of defeating or circumventing" atechnological protection measure used to protect a communication services. The proposed bills generally prohibit four categories of activity:1.. Possession, development, distribution or use of any "communicationdevice" in connection with a communication service without the expressauthorization of the service provider. 2.. Concealing the origin or destination of any communication from thecommunication service provider. 3.. Possession, development, distribution or use of any "unlawful accessdevice." 4.. Preparation or publication of any "plans or instructions" for making anydevice having reason to know that such a device will be used to violate theother prohibitions. These proposals dramatically expand the power of entertainment companies, ISPs,cable companies and others to control what you can and can't connect to theservices that you pay for. If enacted, they will slow innovation, impaircompetition and seriously undermine a consumer's right to choose whattechnologies they use in their homes.These Bills are UnnecessaryWhy is this additional law needed? The MPAA has circulated a "one-pager"explaining in vague terms that additional measures are necessary to "update"existing state laws to address the problem of "Internet piracy" and "cabletheft." Copyright infringement and cable service theft, however, are alreadyclearly prohibited under existing laws, both state and federal. The federallaws include traditional copyright infringement, as well as the DMCA, theComputer Fraud and Abuse Act (CFAA), and prohibitions on illicit cable andsatellite descrambling equipment. There are a variety of existing state lawremedies, as well, including laws banning signal theft and computer intrusion.Providers of communication services can also bring breach of contract actionsif their customers violate any restrictions included in their subscriptionagreements. In short, state super-DMCA measures are redundant and unnecessaryas penalties for Internet copyright infringement or cable service theft.The MPAA has failed to identify any specific problem that the proposed billsreach that is not already addressed by existing law. In fact, when asked byMassachusetts legislators why an additional law was needed, a representative ofthe MPAA could only answer, "I don't know. The lawyers tell me we need this."It is telling that state law enforcement personnel, the very people who enforcethe existing cable theft laws, have not called for or supported the super-DMCAproposals.All Things Not Expressly Permitted are ForbiddenWhatever their intended target, state super-DMCA bills represent anunprecedented intrusion into the living rooms of law-abiding citizens, givingcommunication service providers unilateral control over what you can connect toyour home entertainment systems.Under existing law, those who have legitimately purchased communicationservices (e.g., cable TV, satellite, or broadband Internet services) are freeto connect whatever they like to the wires they pay for, so long as they do notviolate any otherwise applicable law. So, for example, you are free to connecta new TV, PC, VCR or TiVo to a cable television connection that you pay for.Similarly, you are free to connect a Wi-Fi wireless access point to your DSLline in order to share your broadband connection among several computers inyour house. This freedom has encouraged technology vendors to compete andinnovate in response to the demands of consumers.The proposed super-DMCA statutes reverse this traditional rule. Under thesestatutes, you would not be entitled to connect anything to your cable,satellite, or DSL line without the express permission of your service provider.The model MPAA bill accomplishes this by making it a crime to possess a deviceto "receive . transmit, [or] re-transmit" any communication service without the"express authorization" of the communication service provider. The variouspending state bills include similar language.This provision would make you a criminal for simply connecting a TV, PC, TiVoor VCR (all of which can "receive" communication services) to the cable TV linein your living room without your cable company's permission. It could also makeyou a criminal for connecting a Wi-Fi wireless gateway (which can "retransmit"Internet traffic) to your DSL or cable modem line without the permission ofyour ISP. The shift proposed by these bills is radical: all technology that isnot expressly permitted becomes forbidden. This would give communicationservice providers unprecedented control over the home entertainment and thetechnology marketplace. For example, your broadband ISP could force you to useonly certain brands of computers, or force you to pay extra if you wanted toconnect more than one computer to your DSL line. Cable and satellite TVservices could forbid you from using a TiVo, or could charge you extra toconnect a VCR to your TV. Bolting on the "Intent to Defraud"In the face of mounting criticism from several quarters, the MPAA has offeredto modify its proposal to reach only those who act with an "intent to defraud"a communication service provider. Rather than addressing the underlyingproblems with the measure, however, the "intent to defraud" revision merelyfurther muddies the waters.First, it is critical to note that this "intent to defraud" language has notbeen incorporated into all of the bills that are currently pending before statelegislatures. Moreover, it is too late to include this limitation in the statestatutes that have already been adopted. While the revision addresses some concerns, it leaves many legitimateactivities hip-deep in legal quicksand. For example, what if a subscriber tothe MusicNow digital music service connects an analog cassette deck to her PCin order to record streaming music for later playback in her car's cassettedeck? The fine print in the MusicNow subscriber agreement purports to forbidsubscribers from making any copies without authorization. Has she acted with an"intent to defraud" MusicNow? What if HBO begins broadcasting a notice beforeevery episode of the Sopranos, forbidding HBO subscribers from recording theprogram? If, notwithstanding this prohibition, a subscriber connects a TiVo inorder to record the program for later viewing, has he acted with an "intent todefraud" HBO? To take a third example, what if a researcher signs up for the pressplaydigital music service in order to evaluate the digital rights managementtechnologies being used by the service. Notwithstanding the fact that thepressplay user agreement forbids reverse engineering, the researcher engages inotherwise legal reverse engineering in order to develop tools that allow him totest the security of the service, and subsequently publishes his results in anacademic journal. Has the researcher acted with an "intent to defraud"pressplay?Each of these activities raises unsettled and controversial questions at thenexus of federal copyright and state contract laws. The proposed super-DMCAstatutes, however, constitute a sneaky, self-serving attempt by one industry tolegislate an answer to these important questions under cover of dark withoutpublic interest input. Bolting on an ambiguous "intent to defraud" qualifierdoes not redeem this flaw.Attacking AnonymityAnother provision of the various state super-DMCA statutes that has attractedconsiderable attention is the ban on devices that "conceal . the existence orplace of origin or destination of any communication." At a time when consumerprivacy and the constitutional right to anonymous speech are under attack froma variety of sources, this provision is particularly misguided.A simple ban on devices capable of concealing communication would make a widerange of multi-purpose tools illegal. Widely-used home networking equipmentcould be banned because it often includes "network address translation" (NAT)and firewall features that incidentally conceal the origin and destinations ofInternet communication. Some forms of encryption for email and web trafficmight fall within this provision. The use of "virtual private networking" (VPN)software by corporations to secure communication with off-site employees wouldalso be swept up by this provision. Products like Anonymizer that aim toprotect the privacy of Internet users against advertisers like Doubleclickmight also be imperiled. Perhaps recognizing the absurd overbreadth of thisprovision, the MPAA has offered to revise the language in its model bill toapply only where "such concealment is for the purpose of committing aviolation" of the prohibition on connecting a device without the expressauthorization of a communication service provider.Although this change represents a step in the right direction, it does notadequately address the failings of the provision. For example, as noted above,the ban on connecting unauthorized devices to your broadband DSL connectioncould reach home networking equipment that was not authorized by your ISP. Byinstalling a $50 Linksys router that includes NAT and firewall functions, youcould be liable for "concealing" communication even under the revised MPAAlanguage. Employees who use VPN software to access their corporate networkwithout the express authorization of their home ISPs would also run afoul ofeven the revised provision.A Chill on Computer Security ResearchThe proposed legislation will also chill legitimate computer security research.Security researchers advance their science by testing existing security systemsfor weaknesses. By discovering, documenting and reporting these weaknesses,security researchers teach vendors how to improve their systems, as well aswarning customers when those systems are compromised. Unfortunately, the proposed state "super-DMCA" bills will chill legitimateresearch in two ways. First, these measures make it unlawful to develop orpossess the tools that security researchers need in order to carry out theirwork. Researchers often design their own software tools in the course ofcarrying out their research and must distribute these tools to their colleaguesin order to enable peer-review of research results. These tools, moreover, maybe designed for the sole purpose of breaking the security systems that areunder examination. As a result, these tools would be banned by the proposedstate statutes, which lump all tools "primarily designed" to circumvent anyprotection system into the category of "unlawful communication devices." Earlyexperience with the DMCA suggests that computer security research has alreadysuffered at the hands of overbroad and poorly drafted legislation. The proposedstate super-DMCA statutes will only exacerbate this problem.Second, the statutes interfere with a researcher's ability to publish theresults of her research by banning the distribution of "plans or instructions"for making an "unlawful access device." By describing the weaknesses of asecurity technology, and describing research in enough detail to enable peerreview, researchers could well run afoul of this prohibition. This creates anunnecessary burden on the free speech rights of researchers and thepublications that seek to disseminate their work. This provision alsorepresents a substantial expansion beyond the boundaries of the DMCA, whichreaches only "technology," stopping short of "plans or instructions." In acountry where the First Amendment protects the publication of bomb makingplans, it seems particularly unwarranted to crack down on the publication ofinformation regarding computer security.Although the "intent to defraud" limitation may ameliorate these harms to someextent, for the reasons noted above, this last minute addition raises as manyquestions as it answers. Legal ambiguities in this context will only chillsecurity researchers and their institutions from engaging in sorely neededresearch activities.A Threat to Innovation and CompetitionAs discussed above, the proposed state super-DMCA proposals forbid a consumerfrom connecting anything to a communication service without the serviceprovider's express authorization. This creates an enormous opportunity foranticompetitive conduct. Broadband ISPs, for example, could require that theirsubscribers use only a particular brand of PC or operating system. AOL couldeffectively ban its subscribers from using any instant messanging softwareother than its own. Cable TV providers could limit subscribers to using onlycertain brands of VCRs and could ban TiVo in favor of their own proprietary PVRtechnologies. This outcome would be particularly ironic in the face of theFCC's decade-long effort to encourage the development of open, interoperablestandards for cable-compatible televisions.These scenarios are not far-fetched. Recent experience with the DMCA makes itclear that companies will not hesitate to use new legal protections in order torid themselves of competition. For example, Lexmark recently invoked the DMCAin an effort to eliminate the aftermarket for Lexmark laser printer tonercartridges. A leading garage door opener maker has also invoked the DMCA in aneffort to eliminate a competitor in the market for universal garage doorremotes.Recognizing the importance of interoperability, Congress included a reverseengineering exception in the DMCA. The MPAA's proposed state super-DMCAmeasures include no such exception, making them an even more severe threat tocompetition and consumer freedom of choice.Transferring law enforcement from public to private hands.The proposed state super-DMCA statutes transfer considerable new enforcementpowers from law enforcement authorities into private hands.Each of the pending state bills starts from an existing state penal lawprovision, extending its reach by adding a civil cause of action to what waspreviously a criminal statute. In other words, the bills authorize privateparties to sue in addition to local district attorneys. This change alone hasimportant consequences. When enacting criminal statutes, legislatures are oftenwilling to adopt broad and ambiguous language that they might not accept in acivil provision, counting on the discretion of a district attorney (who isoften an elected official) to prevent abusive application of the law. Privateparties are not subject to these institutional checks. In addition, where acriminal statute is involved, the state must prove its case "beyond areasonable doubt" and courts must interpret statutes narrowly. In civil cases,in contrast, a private party can prevail under the more lenient "more likelythan not" standard and there is no similar policy of narrow interpretation.Before new legal enforcement powers are delegated into private hands, prudentpolicy-makers should ask whether these new powers are justified and whetherthey can be too easily abused to the detriment of the public interest. Here,the MPAA has made virtually no showing that these additional powers should betransferred from the state into private hands.Dangerous RemediesThe proposed state law measures impose a variety of unreasonably one-sidedremedies on defendants.Remote Downgrades. The MPAA's proposed model bill authorizes a court to order"the remedial modification.of any communication or unlawful access device.thatis in the.control of the violator." When coupled with an "auto-update" feature,this provision could empower state courts to order technology companies toforce "downgrades" on consumers nation-wide. For example, TiVo retains theability to upgrade remotely the software on all TiVo units. AOL, Microsoft andApple also provide automatic upgrade functionality in their software, aimed atgiving customers the latest security and feature upgrades. If state courtconcludes that these vendors have the power to "control" their software, thecourt would have the power to order the "downgrade" of devices in homesnation-wide (and perhaps world-wide). Bestowing this remedial power on a statecourt would be unprecedented.One-Sided Attorneys' Fees. All of the proposed bills include one-sided"fee-shifting" clauses authorizing a court to force a losing defendant to payfor the attorneys of the prevailing plaintiff. One proposed measure, in fact,goes so far as to automatically require that a losing defendant pay theattorneys' fees of the victorious service provider.These provisions are not reciprocal, however. When a service provider wins, itcan collect attorneys' fees, but an innocent defendant is never entitled to areimbursement of fees. This is remarkable, when you consider that in most casesthe communication service provider will be a large business, while thedefendants are likely to be individuals or small businesses with limitedability to defend a lawsuit.Automatic Injunctions. The proposed state bills include provisions that wouldeffectively entitle plaintiffs to automatic preliminary injunctions, withouthaving to satisfy the traditional requirements of showing actual damage,irreparable harm or an inadequate remedy at law. Especially where software,instructions and plans are concerned, each of which has been recognized asprotected expression under the First Amendment, this sort of automaticinjunction threatens constitutional interests.Abusive damages. The proposed state bills would also give prevailing plaintiffsthe right to demand "statutory damages" in an amount ranging from $1,500 to$10,000 for each prohibited device. These statutory damages would apply even ifa plaintiff were unable to prove that it had suffered any actual damage at all.The bills also create enhanced criminal penalties based on the number ofprohibited devices and creates a separate offense for each device and for eachday that a person violates any provision. Multiplying remedies by the number of devices is an approach that quickly leadsto absurd results in the digital context. Where software is concerned, thenumber of copies has no necessary relationship to the harm suffered by aservice provider. For example, if a security researcher were to publish a paperthat included software held to be an "unlawful access device," and that paperwere downloaded by only 100 academic colleagues, the researcher would facedamages of at least $150,000. Similarly, because the proposed statutescriminalize mere possession of an "unlawful access device," a researcher couldface serious penalties simply for installing a tool on several computers in hisown research lab. The number of devices simply has no necessary relationship tothe harm involved, and thus should not be the basis for a penalty multiplier.What You Can DoThese bills are often whipping through state legislatures with very littleopportunity for public comment. MPAA lobbyists are presenting the measures as"consensus" bills, suggesting that no one opposes them. Even a few concernedletters from constituents can upset this lie, leading a state legislator to askquestions.Please take a moment to express your opposition to this measure to your statelegislators, should it be introduced in your state. Did you omit a paragraph? ... :blank: I printed it for my bathroom reading ... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.