November 30, 2023

Archives for April 2003

Students Write About RIAA/Student Lawsuits

Two of the best sources on the RIAA vs. student lawsuits come, appropriately, from other students.

Joe Barillari, a student in my “Information Technology and the Law” course at Princeton, has written an interesting analysis of the case against his fellow Princeton student Dan Peng. [Annoying disclaimer: Joe doesn’t speak for me; I don’t speak for Joe; neither of us speaks for Princeton.]

Zack Rosen, a student at Illinois, has written a primer on file sharing/searching technologies. He also describes how the “Napster-like” functionality, on which RIAA builds their contributory infringement case against the students, bears a very close similarity to search ffunctionality provided by Microsoft in Windows.

LaBrea Unavailable Due To Illinois SuperDMCA

Tom Liston, the author of the award-winning LaBrea security software, has announced that he will no longer make LaBrea available, because of concerns over the Super-DMCA, which has already become law in his native Illinois.

Network administrators can use LaBrea to set up a kind of virtual tarpit that entangles attempts by outsiders to scan their networks. (Network scanning is the online equivalent of walking down a hallway and trying to turn all of the doorknobs you find.) LaBrea uses a clever bit of indirection to trap scanners. Unfortunately, that indirection involves concealing the source and destination addresses of some network packets, so it raises Super-DMCA concerns.

I’m sure the supporters of the Super-DMCA in Illinois didn’t know that network scanning can be frustrated by a subtle method involving the concealment of packet addresses. They didn’t mean to ban LaBrea. But they may have done so accidentally. That’s what happens when you enact overbroad technology regulation.

Security Research Muzzled in Georgia

A state court in Georgia has issued temporary restraining order, which forced the cancellation of a conference panel this past weekend. A company called Blackboard, which sells campus automation systems to colleges and universities, convinced the court to block the publication of embarrassing details about Blackboard products.

Blackboard sent a demand letter. Blackboard filed a complaint, which convinced the court to issue a temporary restraining order. A mirror of one defendant’s web site is also available.

The complaint is constructed, as the lawyers say, “artfully”. They vilify one of the defendants, without saying much about the other defendant; but they ask for an injunction against both. They gleefully quote one defendant calling himself a “hacker”, apparently unaware that “hacker” is still a legitimate term of respect in some circles. They quote a law against distributing “access codes” and then trumpet a defendant’s distribution of “code”. And so on.

There is no mention in these documents of the enormous free speech issue here. The injunction is a prior restraint on speech, which prevented the defendants from speaking to an specific audience that had gathered to hear them. Yet somehow neither Blackboard nor the court indicated that any consideration of the First Amendment was even necessary.

The court will hold a hearing on the case tomorrow.

UPDATE (April 17, 8:50 AM): The hearing has been deferred for 45 days. Also note that, contrary to some reports, the complaint and injunction did not mention the DMCA. For more information about this case, see John R. Hall’s FAQ.

Will the RIAA Sue Google?

Recently, the RIAA sued four college students for alleged copyright violations, including contributory infringement. The contributory infringement claims are based on assertions that the students ran search engines that can be used to find infringing files.

Jacques Distler asks this question: When will they sue Google? Certain parts of the RIAA’s complaint against the students could be reused with little or no modification in a suit against Google. For example, here is part of their compliant against Daniel Peng:

Defendant has installed, operates, and maintains a computer server that provides indexing and search processing functions for users of that LAN. Defendant’s server actively scours the network for files that others have designated for copying and distribution, and indexes the names of those files even without the knowledge or acquiescence of network users who have so designated those files, and without the consent of the copyright owners of the works embodied in those files. Defendant’s server intentories the music files each user has disgnated for copying and distribution, maintains a centralized index of the names of those music files, and makes that index available to users of the LAN. In this manner, files that a user maintains on his or her hard drive are made available for copying and distribution by all users of the LAN regardless of the intention of the users who initially designated those files, and often without their knowledge.

Defendant further has established and maintains an Internet site containing a copyright notice that is accessible over the World Wide Web at the URL By accessing that web site, users of the LAN search for and locate sound recordings that Defendant has indexed for copying and distribution by typing in search terms into a search window provided by Defendant. Results of the search are then returned to the user. These results include the file names of the sound recordings that match the search term and the location on the LAN of users’ computers that are making those sound recordings available for copying and distribution over the LAN. A user need only click on a particular search result, and the file containing the sound recording is automatically downloaded – i.e., copied and saved – directly from the offering user’s computer to the hard drive of the requesting user’s computer.

Substitute “Internet” for “LAN”, and change the URL to, and this whole description applies to Google.

Distler also provides an example of how someone might use Google to find copyrighted music.


This week, the MPAA reportedly has narrowed its Super-DMCA legislation yet again, this time to add special carve-outs to protect ISPs and telephone companies. This is supposed to improve the bill.

Actually, the carve-outs probably make the bills worse. One of the principal criticisms of the previous version is that it was too tilted in favor of communication service providers – a category that includes ISPs and telcos. Tilting the bill even further, by giving ISPs and telcos special protections, won’t resolve the problems with the bills.

In general, the existence of specialized carve-outs is a warning sign that a bill is overbroad. A carve-out is necessary when a bill’s original language is so broad that it would impact common, legitimate practices. Perhaps, in theory, we could enumerate all of the legitimate practices that would be banned by an overbroad bill and then create a carve-out for each one. In practice, though, this just isn’t going to happen. What will happen instead is that important interest groups, such as large established industries, will get their carve-outs, and others won’t. And the technologies of the future – the ones that haven’t been invented yet – won’t have anyone to speak on their behalf, and so won’t get the carve-outs they need.

A basic tenet of software engineering is that it’s better to get the design right in the first place than to do a sloppy job and patch up the problems later. Patched designs tend to be buggier and less robust than solidly built ones, because patched designs tend to fail whenever something unexpected happens. Apparently this principle applies to law as well as to code.