More Florida RIghts removed

[nexusgroove]

You're about to lose your ability to use TiVo, your firewall, and keep your

privacy. This bill has secretly passed the Florida legislature and will become

law once Jeb Bush signs it in a few weeks! Did you know this???

Florida State "Super-DMCA" Legislation:

MPAA's Stealth Attack on Your Living Room

Fred von Lohmann

Senior Intellectual Property Attorney

fred@e...

Recently, the Motion Picture Association of America (MPAA) has been pressing

states to enact new legislation aimed at criminalizing the possession of what

they call "unlawful communication and access devices." These measures represent

an unprecedented attack on the rights of technologists, hobbyists, tinkerers

and the public at large. In essence, these proposals would allow "communication

service providers" to restrict what you can connect to your Internet connection

or cable or satellite television lines.

These measures represent a stealth effort to dramatically expand the reach of

the federal Digital Millennium Copyright Act (DMCA), which has already put fair

use, innovation, free speech and competition in peril since being enacted in

1998.

The Electronic Frontier Foundation (EFF) strongly opposes these state

"super-DMCA" bills as unnecessary and overbroad. The proposed bills represent

the worst kind of special interest legislation, sacrificing the public interest

in favor of the self-serving interests of one industry.

Resources

For the latest news about the status of the various bills, as well as updates

about what you can do to share your views with state legislators, check EFF's

"Super-DMCA" Action Center page. Another excellent resource is Professor Edward

Felten's page on these bills.

Background

The MPAA's state lobbyists have been stealthily pushing these state super-DMCA

measures since at least 2001. Even before these activities crossed activists'

radar, six states (Delaware, Illinois, Michigan, Oregon, Pennsylvania and

Wyoming) had already enacted them into law. Similar bills have been introduced

and are currently pending in Arkansas, Colorado, Florida, Georgia,

Massachusetts, Tennessee and Texas.

The bills are generally offered as amendments to existing state criminal laws

relating to signal theft, that is, getting cable television without paying for

it. Since these signal theft laws vary from state to state, the super-DMCA

proposals also vary in their wording.

Nevertheless, all of the proposed bills appear to be derived from a single

"model bill" developed by MPAA lobbyists and thus share common traits. First,

they would all impose a new ban on the possession, development, or distribution

of a broad array of "communication" and "unlawful access" devices, along with a

ban on devices that enable anonymous communication. All the bills also create a

new right to bring civil lawsuits to enforce these provisions.

The definitions used in the bill are absurdly broad. The bill protects

"communication services," which includes any "service lawfully provided for a

charge or compensation" delivered via electronic means using virtually any

technology. This would include every wire in your house for which you pay a

fee, including your telephone, cable TV, satellite and Internet lines. This

category also sweeps in any Internet-based subscriptions services, including

digital music services such as pressplay, MusicNow, or Rhapsody.

The super-DMCA bills would regulate the possession, development and use of

"communication devices" and "unlawful access devices." A "communication device"

is virtually any electronic device you might connect to any communication

service. The definition of "unlawful communication device" is somewhat

narrower, sweeping in any device that is "primarily designed, developed,

.possessed, used or offered. for the purpose of defeating or circumventing" a

technological protection measure used to protect a communication services.

The proposed bills generally prohibit four categories of activity:

1.. Possession, development, distribution or use of any "communication

device" in connection with a communication service without the express

authorization of the service provider.

2.. Concealing the origin or destination of any communication from the

communication service provider.

3.. Possession, development, distribution or use of any "unlawful access

device."

4.. Preparation or publication of any "plans or instructions" for making any

device having reason to know that such a device will be used to violate the

other prohibitions.

These proposals dramatically expand the power of entertainment companies, ISPs,

cable companies and others to control what you can and can't connect to the

services that you pay for. If enacted, they will slow innovation, impair

competition and seriously undermine a consumer's right to choose what

technologies they use in their homes.

These Bills are Unnecessary

Why is this additional law needed? The MPAA has circulated a "one-pager"

explaining in vague terms that additional measures are necessary to "update"

existing state laws to address the problem of "Internet piracy" and "cable

theft." Copyright infringement and cable service theft, however, are already

clearly prohibited under existing laws, both state and federal. The federal

laws include traditional copyright infringement, as well as the DMCA, the

Computer Fraud and Abuse Act (CFAA), and prohibitions on illicit cable and

satellite descrambling equipment. There are a variety of existing state law

remedies, as well, including laws banning signal theft and computer intrusion.

Providers of communication services can also bring breach of contract actions

if their customers violate any restrictions included in their subscription

agreements. In short, state super-DMCA measures are redundant and unnecessary

as penalties for Internet copyright infringement or cable service theft.

The MPAA has failed to identify any specific problem that the proposed bills

reach that is not already addressed by existing law. In fact, when asked by

Massachusetts legislators why an additional law was needed, a representative of

the MPAA could only answer, "I don't know. The lawyers tell me we need this."

It is telling that state law enforcement personnel, the very people who enforce

the existing cable theft laws, have not called for or supported the super-DMCA

proposals.

All Things Not Expressly Permitted are Forbidden

Whatever their intended target, state super-DMCA bills represent an

unprecedented intrusion into the living rooms of law-abiding citizens, giving

communication service providers unilateral control over what you can connect to

your home entertainment systems.

Under existing law, those who have legitimately purchased communication

services (e.g., cable TV, satellite, or broadband Internet services) are free

to connect whatever they like to the wires they pay for, so long as they do not

violate any otherwise applicable law. So, for example, you are free to connect

a new TV, PC, VCR or TiVo to a cable television connection that you pay for.

Similarly, you are free to connect a Wi-Fi wireless access point to your DSL

line in order to share your broadband connection among several computers in

your house. This freedom has encouraged technology vendors to compete and

innovate in response to the demands of consumers.

The proposed super-DMCA statutes reverse this traditional rule. Under these

statutes, you would not be entitled to connect anything to your cable,

satellite, or DSL line without the express permission of your service provider.

The model MPAA bill accomplishes this by making it a crime to possess a device

to "receive . transmit, [or] re-transmit" any communication service without the

"express authorization" of the communication service provider. The various

pending state bills include similar language.

This provision would make you a criminal for simply connecting a TV, PC, TiVo

or VCR (all of which can "receive" communication services) to the cable TV line

in your living room without your cable company's permission. It could also make

you a criminal for connecting a Wi-Fi wireless gateway (which can "retransmit"

Internet traffic) to your DSL or cable modem line without the permission of

your ISP. The shift proposed by these bills is radical: all technology that is

not expressly permitted becomes forbidden. This would give communication

service providers unprecedented control over the home entertainment and the

technology marketplace. For example, your broadband ISP could force you to use

only certain brands of computers, or force you to pay extra if you wanted to

connect more than one computer to your DSL line. Cable and satellite TV

services could forbid you from using a TiVo, or could charge you extra to

connect a VCR to your TV.

Bolting on the "Intent to Defraud"

In the face of mounting criticism from several quarters, the MPAA has offered

to modify its proposal to reach only those who act with an "intent to defraud"

a communication service provider. Rather than addressing the underlying

problems with the measure, however, the "intent to defraud" revision merely

further muddies the waters.

First, it is critical to note that this "intent to defraud" language has not

been incorporated into all of the bills that are currently pending before state

legislatures. Moreover, it is too late to include this limitation in the state

statutes that have already been adopted.

While the revision addresses some concerns, it leaves many legitimate

activities hip-deep in legal quicksand. For example, what if a subscriber to

the MusicNow digital music service connects an analog cassette deck to her PC

in order to record streaming music for later playback in her car's cassette

deck? The fine print in the MusicNow subscriber agreement purports to forbid

subscribers from making any copies without authorization. Has she acted with an

"intent to defraud" MusicNow? What if HBO begins broadcasting a notice before

every episode of the Sopranos, forbidding HBO subscribers from recording the

program? If, notwithstanding this prohibition, a subscriber connects a TiVo in

order to record the program for later viewing, has he acted with an "intent to

defraud" HBO?

To take a third example, what if a researcher signs up for the pressplay

digital music service in order to evaluate the digital rights management

technologies being used by the service. Notwithstanding the fact that the

pressplay user agreement forbids reverse engineering, the researcher engages in

otherwise legal reverse engineering in order to develop tools that allow him to

test the security of the service, and subsequently publishes his results in an

academic journal. Has the researcher acted with an "intent to defraud"

pressplay?

Each of these activities raises unsettled and controversial questions at the

nexus of federal copyright and state contract laws. The proposed super-DMCA

statutes, however, constitute a sneaky, self-serving attempt by one industry to

legislate an answer to these important questions under cover of dark without

public interest input. Bolting on an ambiguous "intent to defraud" qualifier

does not redeem this flaw.

Attacking Anonymity

Another provision of the various state super-DMCA statutes that has attracted

considerable attention is the ban on devices that "conceal . the existence or

place of origin or destination of any communication." At a time when consumer

privacy and the constitutional right to anonymous speech are under attack from

a variety of sources, this provision is particularly misguided.

A simple ban on devices capable of concealing communication would make a wide

range of multi-purpose tools illegal. Widely-used home networking equipment

could be banned because it often includes "network address translation" (NAT)

and firewall features that incidentally conceal the origin and destinations of

Internet communication. Some forms of encryption for email and web traffic

might fall within this provision. The use of "virtual private networking" (VPN)

software by corporations to secure communication with off-site employees would

also be swept up by this provision. Products like Anonymizer that aim to

protect the privacy of Internet users against advertisers like Doubleclick

might also be imperiled. Perhaps recognizing the absurd overbreadth of this

provision, the MPAA has offered to revise the language in its model bill to

apply only where "such concealment is for the purpose of committing a

violation" of the prohibition on connecting a device without the express

authorization of a communication service provider.

Although this change represents a step in the right direction, it does not

adequately address the failings of the provision. For example, as noted above,

the ban on connecting unauthorized devices to your broadband DSL connection

could reach home networking equipment that was not authorized by your ISP. By

installing a $50 Linksys router that includes NAT and firewall functions, you

could be liable for "concealing" communication even under the revised MPAA

language. Employees who use VPN software to access their corporate network

without the express authorization of their home ISPs would also run afoul of

even the revised provision.

A Chill on Computer Security Research

The proposed legislation will also chill legitimate computer security research.

Security researchers advance their science by testing existing security systems

for weaknesses. By discovering, documenting and reporting these weaknesses,

security researchers teach vendors how to improve their systems, as well as

warning customers when those systems are compromised.

Unfortunately, the proposed state "super-DMCA" bills will chill legitimate

research in two ways. First, these measures make it unlawful to develop or

possess the tools that security researchers need in order to carry out their

work. Researchers often design their own software tools in the course of

carrying out their research and must distribute these tools to their colleagues

in order to enable peer-review of research results. These tools, moreover, may

be designed for the sole purpose of breaking the security systems that are

under examination. As a result, these tools would be banned by the proposed

state statutes, which lump all tools "primarily designed" to circumvent any

protection system into the category of "unlawful communication devices." Early

experience with the DMCA suggests that computer security research has already

suffered at the hands of overbroad and poorly drafted legislation. The proposed

state super-DMCA statutes will only exacerbate this problem.

Second, the statutes interfere with a researcher's ability to publish the

results of her research by banning the distribution of "plans or instructions"

for making an "unlawful access device." By describing the weaknesses of a

security technology, and describing research in enough detail to enable peer

review, researchers could well run afoul of this prohibition. This creates an

unnecessary burden on the free speech rights of researchers and the

publications that seek to disseminate their work. This provision also

represents a substantial expansion beyond the boundaries of the DMCA, which

reaches only "technology," stopping short of "plans or instructions." In a

country where the First Amendment protects the publication of bomb making

plans, it seems particularly unwarranted to crack down on the publication of

information regarding computer security.

Although the "intent to defraud" limitation may ameliorate these harms to some

extent, for the reasons noted above, this last minute addition raises as many

questions as it answers. Legal ambiguities in this context will only chill

security researchers and their institutions from engaging in sorely needed

research activities.

A Threat to Innovation and Competition

As discussed above, the proposed state super-DMCA proposals forbid a consumer

from connecting anything to a communication service without the service

provider's express authorization. This creates an enormous opportunity for

anticompetitive conduct. Broadband ISPs, for example, could require that their

subscribers use only a particular brand of PC or operating system. AOL could

effectively ban its subscribers from using any instant messanging software

other than its own. Cable TV providers could limit subscribers to using only

certain brands of VCRs and could ban TiVo in favor of their own proprietary PVR

technologies. This outcome would be particularly ironic in the face of the

FCC's decade-long effort to encourage the development of open, interoperable

standards for cable-compatible televisions.

These scenarios are not far-fetched. Recent experience with the DMCA makes it

clear that companies will not hesitate to use new legal protections in order to

rid themselves of competition. For example, Lexmark recently invoked the DMCA

in an effort to eliminate the aftermarket for Lexmark laser printer toner

cartridges. A leading garage door opener maker has also invoked the DMCA in an

effort to eliminate a competitor in the market for universal garage door

remotes.

Recognizing the importance of interoperability, Congress included a reverse

engineering exception in the DMCA. The MPAA's proposed state super-DMCA

measures include no such exception, making them an even more severe threat to

competition and consumer freedom of choice.

Transferring law enforcement from public to private hands.

The proposed state super-DMCA statutes transfer considerable new enforcement

powers from law enforcement authorities into private hands.

Each of the pending state bills starts from an existing state penal law

provision, extending its reach by adding a civil cause of action to what was

previously a criminal statute. In other words, the bills authorize private

parties to sue in addition to local district attorneys. This change alone has

important consequences. When enacting criminal statutes, legislatures are often

willing to adopt broad and ambiguous language that they might not accept in a

civil provision, counting on the discretion of a district attorney (who is

often an elected official) to prevent abusive application of the law. Private

parties are not subject to these institutional checks. In addition, where a

criminal statute is involved, the state must prove its case "beyond a

reasonable doubt" and courts must interpret statutes narrowly. In civil cases,

in contrast, a private party can prevail under the more lenient "more likely

than not" standard and there is no similar policy of narrow interpretation.

Before new legal enforcement powers are delegated into private hands, prudent

policy-makers should ask whether these new powers are justified and whether

they can be too easily abused to the detriment of the public interest. Here,

the MPAA has made virtually no showing that these additional powers should be

transferred from the state into private hands.

Dangerous Remedies

The proposed state law measures impose a variety of unreasonably one-sided

remedies on defendants.

Remote Downgrades. The MPAA's proposed model bill authorizes a court to order

"the remedial modification.of any communication or unlawful access device.that

is in the.control of the violator." When coupled with an "auto-update" feature,

this provision could empower state courts to order technology companies to

force "downgrades" on consumers nation-wide. For example, TiVo retains the

ability to upgrade remotely the software on all TiVo units. AOL, Microsoft and

Apple also provide automatic upgrade functionality in their software, aimed at

giving customers the latest security and feature upgrades. If state court

concludes that these vendors have the power to "control" their software, the

court would have the power to order the "downgrade" of devices in homes

nation-wide (and perhaps world-wide). Bestowing this remedial power on a state

court would be unprecedented.

One-Sided Attorneys' Fees. All of the proposed bills include one-sided

"fee-shifting" clauses authorizing a court to force a losing defendant to pay

for the attorneys of the prevailing plaintiff. One proposed measure, in fact,

goes so far as to automatically require that a losing defendant pay the

attorneys' fees of the victorious service provider.

These provisions are not reciprocal, however. When a service provider wins, it

can collect attorneys' fees, but an innocent defendant is never entitled to a

reimbursement of fees. This is remarkable, when you consider that in most cases

the communication service provider will be a large business, while the

defendants are likely to be individuals or small businesses with limited

ability to defend a lawsuit.

Automatic Injunctions. The proposed state bills include provisions that would

effectively entitle plaintiffs to automatic preliminary injunctions, without

having to satisfy the traditional requirements of showing actual damage,

irreparable harm or an inadequate remedy at law. Especially where software,

instructions and plans are concerned, each of which has been recognized as

protected expression under the First Amendment, this sort of automatic

injunction threatens constitutional interests.

Abusive damages. The proposed state bills would also give prevailing plaintiffs

the right to demand "statutory damages" in an amount ranging from $1,500 to

$10,000 for each prohibited device. These statutory damages would apply even if

a plaintiff were unable to prove that it had suffered any actual damage at all.

The bills also create enhanced criminal penalties based on the number of

prohibited devices and creates a separate offense for each device and for each

day that a person violates any provision.

Multiplying remedies by the number of devices is an approach that quickly leads

to absurd results in the digital context. Where software is concerned, the

number of copies has no necessary relationship to the harm suffered by a

service provider. For example, if a security researcher were to publish a paper

that included software held to be an "unlawful access device," and that paper

were downloaded by only 100 academic colleagues, the researcher would face

damages of at least $150,000. Similarly, because the proposed statutes

criminalize mere possession of an "unlawful access device," a researcher could

face serious penalties simply for installing a tool on several computers in his

own research lab. The number of devices simply has no necessary relationship to

the harm involved, and thus should not be the basis for a penalty multiplier.

What You Can Do

These bills are often whipping through state legislatures with very little

opportunity for public comment. MPAA lobbyists are presenting the measures as

"consensus" bills, suggesting that no one opposes them. Even a few concerned

letters from constituents can upset this lie, leading a state legislator to ask

questions.

Please take a moment to express your opposition to this measure to your state

legislators, should it be introduced in your state.

[vipnerd]

Originally posted by nexusgroove

You're about to lose your ability to use TiVo, your firewall, and keep your

privacy. This bill has secretly passed the Florida legislature and will become

law once Jeb Bush signs it in a few weeks! Did you know this???

Florida State "Super-DMCA" Legislation:

MPAA's Stealth Attack on Your Living Room

Fred von Lohmann

Senior Intellectual Property Attorney

fred@e...

Recently, the Motion Picture Association of America (MPAA) has been pressing

states to enact new legislation aimed at criminalizing the possession of what

they call "unlawful communication and access devices." These measures represent

an unprecedented attack on the rights of technologists, hobbyists, tinkerers

and the public at large. In essence, these proposals would allow "communication

service providers" to restrict what you can connect to your Internet connection

or cable or satellite television lines.

These measures represent a stealth effort to dramatically expand the reach of

the federal Digital Millennium Copyright Act (DMCA), which has already put fair

use, innovation, free speech and competition in peril since being enacted in

1998.

The Electronic Frontier Foundation (EFF) strongly opposes these state

"super-DMCA" bills as unnecessary and overbroad. The proposed bills represent

the worst kind of special interest legislation, sacrificing the public interest

in favor of the self-serving interests of one industry.

Resources

For the latest news about the status of the various bills, as well as updates

about what you can do to share your views with state legislators, check EFF's

"Super-DMCA" Action Center page. Another excellent resource is Professor Edward

Felten's page on these bills.

Background

The MPAA's state lobbyists have been stealthily pushing these state super-DMCA

measures since at least 2001. Even before these activities crossed activists'

radar, six states (Delaware, Illinois, Michigan, Oregon, Pennsylvania and

Wyoming) had already enacted them into law. Similar bills have been introduced

and are currently pending in Arkansas, Colorado, Florida, Georgia,

Massachusetts, Tennessee and Texas.

The bills are generally offered as amendments to existing state criminal laws

relating to signal theft, that is, getting cable television without paying for

it. Since these signal theft laws vary from state to state, the super-DMCA

proposals also vary in their wording.

Nevertheless, all of the proposed bills appear to be derived from a single

"model bill" developed by MPAA lobbyists and thus share common traits. First,

they would all impose a new ban on the possession, development, or distribution

of a broad array of "communication" and "unlawful access" devices, along with a

ban on devices that enable anonymous communication. All the bills also create a

new right to bring civil lawsuits to enforce these provisions.

The definitions used in the bill are absurdly broad. The bill protects

"communication services," which includes any "service lawfully provided for a

charge or compensation" delivered via electronic means using virtually any

technology. This would include every wire in your house for which you pay a

fee, including your telephone, cable TV, satellite and Internet lines. This

category also sweeps in any Internet-based subscriptions services, including

digital music services such as pressplay, MusicNow, or Rhapsody.

The super-DMCA bills would regulate the possession, development and use of

"communication devices" and "unlawful access devices." A "communication device"

is virtually any electronic device you might connect to any communication

service. The definition of "unlawful communication device" is somewhat

narrower, sweeping in any device that is "primarily designed, developed,

.possessed, used or offered. for the purpose of defeating or circumventing" a

technological protection measure used to protect a communication services.

The proposed bills generally prohibit four categories of activity:

1.. Possession, development, distribution or use of any "communication

device" in connection with a communication service without the express

authorization of the service provider.

2.. Concealing the origin or destination of any communication from the

communication service provider.

3.. Possession, development, distribution or use of any "unlawful access

device."

4.. Preparation or publication of any "plans or instructions" for making any

device having reason to know that such a device will be used to violate the

other prohibitions.

These proposals dramatically expand the power of entertainment companies, ISPs,

cable companies and others to control what you can and can't connect to the

services that you pay for. If enacted, they will slow innovation, impair

competition and seriously undermine a consumer's right to choose what

technologies they use in their homes.

These Bills are Unnecessary

Why is this additional law needed? The MPAA has circulated a "one-pager"

explaining in vague terms that additional measures are necessary to "update"

existing state laws to address the problem of "Internet piracy" and "cable

theft." Copyright infringement and cable service theft, however, are already

clearly prohibited under existing laws, both state and federal. The federal

laws include traditional copyright infringement, as well as the DMCA, the

Computer Fraud and Abuse Act (CFAA), and prohibitions on illicit cable and

satellite descrambling equipment. There are a variety of existing state law

remedies, as well, including laws banning signal theft and computer intrusion.

Providers of communication services can also bring breach of contract actions

if their customers violate any restrictions included in their subscription

agreements. In short, state super-DMCA measures are redundant and unnecessary

as penalties for Internet copyright infringement or cable service theft.

The MPAA has failed to identify any specific problem that the proposed bills

reach that is not already addressed by existing law. In fact, when asked by

Massachusetts legislators why an additional law was needed, a representative of

the MPAA could only answer, "I don't know. The lawyers tell me we need this."

It is telling that state law enforcement personnel, the very people who enforce

the existing cable theft laws, have not called for or supported the super-DMCA

proposals.

All Things Not Expressly Permitted are Forbidden

Whatever their intended target, state super-DMCA bills represent an

unprecedented intrusion into the living rooms of law-abiding citizens, giving

communication service providers unilateral control over what you can connect to

your home entertainment systems.

Under existing law, those who have legitimately purchased communication

services (e.g., cable TV, satellite, or broadband Internet services) are free

to connect whatever they like to the wires they pay for, so long as they do not

violate any otherwise applicable law. So, for example, you are free to connect

a new TV, PC, VCR or TiVo to a cable television connection that you pay for.

Similarly, you are free to connect a Wi-Fi wireless access point to your DSL

line in order to share your broadband connection among several computers in

your house. This freedom has encouraged technology vendors to compete and

innovate in response to the demands of consumers.

The proposed super-DMCA statutes reverse this traditional rule. Under these

statutes, you would not be entitled to connect anything to your cable,

satellite, or DSL line without the express permission of your service provider.

The model MPAA bill accomplishes this by making it a crime to possess a device

to "receive . transmit, [or] re-transmit" any communication service without the

"express authorization" of the communication service provider. The various

pending state bills include similar language.

This provision would make you a criminal for simply connecting a TV, PC, TiVo

or VCR (all of which can "receive" communication services) to the cable TV line

in your living room without your cable company's permission. It could also make

you a criminal for connecting a Wi-Fi wireless gateway (which can "retransmit"

Internet traffic) to your DSL or cable modem line without the permission of

your ISP. The shift proposed by these bills is radical: all technology that is

not expressly permitted becomes forbidden. This would give communication

service providers unprecedented control over the home entertainment and the

technology marketplace. For example, your broadband ISP could force you to use

only certain brands of computers, or force you to pay extra if you wanted to

connect more than one computer to your DSL line. Cable and satellite TV

services could forbid you from using a TiVo, or could charge you extra to

connect a VCR to your TV.

Bolting on the "Intent to Defraud"

In the face of mounting criticism from several quarters, the MPAA has offered

to modify its proposal to reach only those who act with an "intent to defraud"

a communication service provider. Rather than addressing the underlying

problems with the measure, however, the "intent to defraud" revision merely

further muddies the waters.

First, it is critical to note that this "intent to defraud" language has not

been incorporated into all of the bills that are currently pending before state

legislatures. Moreover, it is too late to include this limitation in the state

statutes that have already been adopted.

While the revision addresses some concerns, it leaves many legitimate

activities hip-deep in legal quicksand. For example, what if a subscriber to

the MusicNow digital music service connects an analog cassette deck to her PC

in order to record streaming music for later playback in her car's cassette

deck? The fine print in the MusicNow subscriber agreement purports to forbid

subscribers from making any copies without authorization. Has she acted with an

"intent to defraud" MusicNow? What if HBO begins broadcasting a notice before

every episode of the Sopranos, forbidding HBO subscribers from recording the

program? If, notwithstanding this prohibition, a subscriber connects a TiVo in

order to record the program for later viewing, has he acted with an "intent to

defraud" HBO?

To take a third example, what if a researcher signs up for the pressplay

digital music service in order to evaluate the digital rights management

technologies being used by the service. Notwithstanding the fact that the

pressplay user agreement forbids reverse engineering, the researcher engages in

otherwise legal reverse engineering in order to develop tools that allow him to

test the security of the service, and subsequently publishes his results in an

academic journal. Has the researcher acted with an "intent to defraud"

pressplay?

Each of these activities raises unsettled and controversial questions at the

nexus of federal copyright and state contract laws. The proposed super-DMCA

statutes, however, constitute a sneaky, self-serving attempt by one industry to

legislate an answer to these important questions under cover of dark without

public interest input. Bolting on an ambiguous "intent to defraud" qualifier

does not redeem this flaw.

Attacking Anonymity

Another provision of the various state super-DMCA statutes that has attracted

considerable attention is the ban on devices that "conceal . the existence or

place of origin or destination of any communication." At a time when consumer

privacy and the constitutional right to anonymous speech are under attack from

a variety of sources, this provision is particularly misguided.

A simple ban on devices capable of concealing communication would make a wide

range of multi-purpose tools illegal. Widely-used home networking equipment

could be banned because it often includes "network address translation" (NAT)

and firewall features that incidentally conceal the origin and destinations of

Internet communication. Some forms of encryption for email and web traffic

might fall within this provision. The use of "virtual private networking" (VPN)

software by corporations to secure communication with off-site employees would

also be swept up by this provision. Products like Anonymizer that aim to

protect the privacy of Internet users against advertisers like Doubleclick

might also be imperiled. Perhaps recognizing the absurd overbreadth of this

provision, the MPAA has offered to revise the language in its model bill to

apply only where "such concealment is for the purpose of committing a

violation" of the prohibition on connecting a device without the express

authorization of a communication service provider.

Although this change represents a step in the right direction, it does not

adequately address the failings of the provision. For example, as noted above,

the ban on connecting unauthorized devices to your broadband DSL connection

could reach home networking equipment that was not authorized by your ISP. By

installing a $50 Linksys router that includes NAT and firewall functions, you

could be liable for "concealing" communication even under the revised MPAA

language. Employees who use VPN software to access their corporate network

without the express authorization of their home ISPs would also run afoul of

even the revised provision.

A Chill on Computer Security Research

The proposed legislation will also chill legitimate computer security research.

Security researchers advance their science by testing existing security systems

for weaknesses. By discovering, documenting and reporting these weaknesses,

security researchers teach vendors how to improve their systems, as well as

warning customers when those systems are compromised.

Unfortunately, the proposed state "super-DMCA" bills will chill legitimate

research in two ways. First, these measures make it unlawful to develop or

possess the tools that security researchers need in order to carry out their

work. Researchers often design their own software tools in the course of

carrying out their research and must distribute these tools to their colleagues

in order to enable peer-review of research results. These tools, moreover, may

be designed for the sole purpose of breaking the security systems that are

under examination. As a result, these tools would be banned by the proposed

state statutes, which lump all tools "primarily designed" to circumvent any

protection system into the category of "unlawful communication devices." Early

experience with the DMCA suggests that computer security research has already

suffered at the hands of overbroad and poorly drafted legislation. The proposed

state super-DMCA statutes will only exacerbate this problem.

Second, the statutes interfere with a researcher's ability to publish the

results of her research by banning the distribution of "plans or instructions"

for making an "unlawful access device." By describing the weaknesses of a

security technology, and describing research in enough detail to enable peer

review, researchers could well run afoul of this prohibition. This creates an

unnecessary burden on the free speech rights of researchers and the

publications that seek to disseminate their work. This provision also

represents a substantial expansion beyond the boundaries of the DMCA, which

reaches only "technology," stopping short of "plans or instructions." In a

country where the First Amendment protects the publication of bomb making

plans, it seems particularly unwarranted to crack down on the publication of

information regarding computer security.

Although the "intent to defraud" limitation may ameliorate these harms to some

extent, for the reasons noted above, this last minute addition raises as many

questions as it answers. Legal ambiguities in this context will only chill

security researchers and their institutions from engaging in sorely needed

research activities.

A Threat to Innovation and Competition

As discussed above, the proposed state super-DMCA proposals forbid a consumer

from connecting anything to a communication service without the service

provider's express authorization. This creates an enormous opportunity for

anticompetitive conduct. Broadband ISPs, for example, could require that their

subscribers use only a particular brand of PC or operating system. AOL could

effectively ban its subscribers from using any instant messanging software

other than its own. Cable TV providers could limit subscribers to using only

certain brands of VCRs and could ban TiVo in favor of their own proprietary PVR

technologies. This outcome would be particularly ironic in the face of the

FCC's decade-long effort to encourage the development of open, interoperable

standards for cable-compatible televisions.

These scenarios are not far-fetched. Recent experience with the DMCA makes it

clear that companies will not hesitate to use new legal protections in order to

rid themselves of competition. For example, Lexmark recently invoked the DMCA

in an effort to eliminate the aftermarket for Lexmark laser printer toner

cartridges. A leading garage door opener maker has also invoked the DMCA in an

effort to eliminate a competitor in the market for universal garage door

remotes.

Recognizing the importance of interoperability, Congress included a reverse

engineering exception in the DMCA. The MPAA's proposed state super-DMCA

measures include no such exception, making them an even more severe threat to

competition and consumer freedom of choice.

Transferring law enforcement from public to private hands.

The proposed state super-DMCA statutes transfer considerable new enforcement

powers from law enforcement authorities into private hands.

Each of the pending state bills starts from an existing state penal law

provision, extending its reach by adding a civil cause of action to what was

previously a criminal statute. In other words, the bills authorize private

parties to sue in addition to local district attorneys. This change alone has

important consequences. When enacting criminal statutes, legislatures are often

willing to adopt broad and ambiguous language that they might not accept in a

civil provision, counting on the discretion of a district attorney (who is

often an elected official) to prevent abusive application of the law. Private

parties are not subject to these institutional checks. In addition, where a

criminal statute is involved, the state must prove its case "beyond a

reasonable doubt" and courts must interpret statutes narrowly. In civil cases,

in contrast, a private party can prevail under the more lenient "more likely

than not" standard and there is no similar policy of narrow interpretation.

Before new legal enforcement powers are delegated into private hands, prudent

policy-makers should ask whether these new powers are justified and whether

they can be too easily abused to the detriment of the public interest. Here,

the MPAA has made virtually no showing that these additional powers should be

transferred from the state into private hands.

Dangerous Remedies

The proposed state law measures impose a variety of unreasonably one-sided

remedies on defendants.

Remote Downgrades. The MPAA's proposed model bill authorizes a court to order

"the remedial modification.of any communication or unlawful access device.that

is in the.control of the violator." When coupled with an "auto-update" feature,

this provision could empower state courts to order technology companies to

force "downgrades" on consumers nation-wide. For example, TiVo retains the

ability to upgrade remotely the software on all TiVo units. AOL, Microsoft and

Apple also provide automatic upgrade functionality in their software, aimed at

giving customers the latest security and feature upgrades. If state court

concludes that these vendors have the power to "control" their software, the

court would have the power to order the "downgrade" of devices in homes

nation-wide (and perhaps world-wide). Bestowing this remedial power on a state

court would be unprecedented.

One-Sided Attorneys' Fees. All of the proposed bills include one-sided

"fee-shifting" clauses authorizing a court to force a losing defendant to pay

for the attorneys of the prevailing plaintiff. One proposed measure, in fact,

goes so far as to automatically require that a losing defendant pay the

attorneys' fees of the victorious service provider.

These provisions are not reciprocal, however. When a service provider wins, it

can collect attorneys' fees, but an innocent defendant is never entitled to a

reimbursement of fees. This is remarkable, when you consider that in most cases

the communication service provider will be a large business, while the

defendants are likely to be individuals or small businesses with limited

ability to defend a lawsuit.

Automatic Injunctions. The proposed state bills include provisions that would

effectively entitle plaintiffs to automatic preliminary injunctions, without

having to satisfy the traditional requirements of showing actual damage,

irreparable harm or an inadequate remedy at law. Especially where software,

instructions and plans are concerned, each of which has been recognized as

protected expression under the First Amendment, this sort of automatic

injunction threatens constitutional interests.

Abusive damages. The proposed state bills would also give prevailing plaintiffs

the right to demand "statutory damages" in an amount ranging from $1,500 to

$10,000 for each prohibited device. These statutory damages would apply even if

a plaintiff were unable to prove that it had suffered any actual damage at all.

The bills also create enhanced criminal penalties based on the number of

prohibited devices and creates a separate offense for each device and for each

day that a person violates any provision.

Multiplying remedies by the number of devices is an approach that quickly leads

to absurd results in the digital context. Where software is concerned, the

number of copies has no necessary relationship to the harm suffered by a

service provider. For example, if a security researcher were to publish a paper

that included software held to be an "unlawful access device," and that paper

were downloaded by only 100 academic colleagues, the researcher would face

damages of at least $150,000. Similarly, because the proposed statutes

criminalize mere possession of an "unlawful access device," a researcher could

face serious penalties simply for installing a tool on several computers in his

own research lab. The number of devices simply has no necessary relationship to

the harm involved, and thus should not be the basis for a penalty multiplier.

What You Can Do

These bills are often whipping through state legislatures with very little

opportunity for public comment. MPAA lobbyists are presenting the measures as

"consensus" bills, suggesting that no one opposes them. Even a few concerned

letters from constituents can upset this lie, leading a state legislator to ask

questions.

Please take a moment to express your opposition to this measure to your state

legislators, should it be introduced in your state.

Did you omit a paragraph? ... :blank:

I printed it for my bathroom reading ...