February 19, 2018

Debugging Legislation: PROTECT IP

There’s more than a hint of theatrics in the draft PROTECT IP bill (pdf, via dontcensortheinternet ) that has emerged as son-of-COICA, starting with the ungainly acronym of a name. Given its roots in the entertainment industry, that low drama comes as no surprise. Each section name is worse than the last: “Eliminating the Financial Incentive to Steal Intellectual Property Online” (Sec. 4) gives way to “Voluntary action for Taking Action Against Websites Stealing American Intellectual Property” (Sec. 5).

Techdirt gives a good overview of the bill, so I’ll just pick some details:

  • Infringing activities. In defining “infringing activities,” the draft explicitly includes circumvention devices (“offering goods or services in violation of section 1201 of title 17”), as well as copyright infringement and trademark counterfeiting. Yet that definition also brackets the possibility of “no [substantial/significant] use other than ….” Substantial could incorporate the “merely capable of substantial non-infringing use” test of Betamax.
  • Blocking non-domestic sites. Sec. 3 gives the Attorney General a right of action over “nondomestic domain names”, including the right to demand remedies from (A) domain name system server operators, (B) financial transaction providers, (C), Internet advertising services, and (D) “an interactive computer service (def. from 230(f)) shall take technically feasible and reasonable measures … to remove or disable access to the Internet site associated with the domain name set forth in the order, or a hypertext link to such Internet site.”
  • Private right of action. Sec. 3 and Sec. 4 appear to be near duplicates (I say appear, because unlike computer code, we don’t have a macro function to replace the plaintiff, so the whole text is repeated with no diff), replacing nondomestic domain with “domain” and permitting private plaintiffs — “a holder of an intellectual property right harmed by the activities of an Internet site dedicated to infringing activities occurring on that Internet site.” Oddly, the statute doesn’t say the simpler “one whose rights are infringed,” so the definition must be broader. Could a movie studio claim to be hurt by the infringement of others’ rights, or MPAA enforce on behalf of all its members? Sec. 4 is missing (d)(2)(D)
  • WHOIS. The “applicable publicly accessible database of registrations” gets a new role as source of notice for the domain registrant, “to the extent such addresses are reasonably available.” (c)(1)
  • Remedies. The bill specifies injunctive relief only, not money damages, but threat of an injunction can be backed by the unspecified threat of contempt for violating one.
  • Voluntary action. Finally the bill leaves room for “voluntary action” by financial transaction providers and advertising services, immunizing them from liability to anyone if they choose to stop providing service, notwithstanding any agreements to the contrary. This provision jeopardizes the security of online businesses, making them unable to contract for financial services against the possibility that someone will wrongly accuse them of infringement. 5(a) We’ve already seen that it takes little to convince service providers to kick users off, in the face of pressure short of full legal process (see everyone vs Wikileaks, Facebook booting activists, and numerous misfired DMCA takedowns); this provision insulates that insecurity further.

In short, rather than “protecting” intellectual and creative industry, this bill would make it less secure, giving the U.S. a competitive disadvantage in online business. (Sorry, Harlan, that we still can’t debug the US Code as true code.)

In DHS Takedown Frenzy, Mozilla Refuses to Delete MafiaaFire Add-On

Not satisfied with seizing domain names, the Department of Homeland Security asked Mozilla to take down the MafiaaFire add-on for Firefox. Mozilla, through its legal counsel Harvey Anderson, refused. Mozilla deserves thanks and credit for a principled stand for its users’ rights.

MafiaaFire is a quick plugin, as its author describes, providing redirection service for a list of domains: “We plan to maintain a list of URLs, and their duplicate sites (for example Demoniod.com and Demoniod.de) and painlessly redirect you to the correct site.” The service provides redundancy, so that domain resolution — especially at a registry in the United States — isn’t a single point of failure between a website and its would-be visitors. After several rounds of ICE seizure of domain names on allegations of copyright infringement — many of which have been questioned as to both procedural validity and effectiveness — redundancy is a sensible precaution for site-owners who are well within the law as well as those pushing its limits.

DHS seemed poised to repeat those procedural errors here. As Mozilla’s Anderson blogged: “Our approach is to comply with valid court orders, warrants, and legal mandates, but in this case there was no such court order.” DHS simply “requested” the takedown with no such procedural back-up. Instead of pulling the add-on, Anderson responded with a set of questions, including:

  1. Have any courts determined that MAFIAAfire.com is unlawful or illegal inany way? If so, on what basis? (Please provide any relevant rulings)
  2. Have any courts determined that the seized domains related to MAFIAAfire.com are unlawful, illegal or liable for infringement in any way? (please provide relevant rulings)
  3. Is Mozilla legally obligated to disable the add-on or is this request based on other reasons? If other reasons, can you please specify.

Unless and until the government can explain its authority for takedown of code, Mozilla is right to resist DHS demands. Mozilla’s hosting of add-ons, and the Firefox browser itself, facilitate speech. They, like they domain name system registries ICE targeted earlier, are sometimes intermediaries necessary to users’ communication. While these private actors do not have First Amendment obligations toward us, their users, we rely on them to assert our rights (and we suffer when some, like Facebook are less vigilant guardians of speech).

As Congress continues to discuss the ill-considered COICA, it should take note of the problems domain takedowns are already causing. Kudos to Mozilla for bringing these latest errors to public attention — and, as Tom Lowenthal suggests in the do-not-track context, standing up for its users.

cross-posted at Legal Tags

Super Bust: Due Process and Domain Name Seizure

With the same made-for PR timing that prompted a previous seizure of domain names just before shopping’s “Cyber Monday,” Immigration and Customs Enforcement struck again, this time days before the Super Bowl, against “10 websites that illegally streamed live sporting telecasts and pay-per-view events over the Internet.” ICE executed seizure warrants against the 10, ATDHE.NET, CHANNELSURFING.NET, HQ-STREAMS.COM, HQSTREAMS.NET, FIRSTROW.NET, ILEMI.COM, IILEMI.COM, IILEMII.COM, ROJADIRECTA.ORG and ROJADIRECTA.COM, by demanding that registries redirect nameserver requests for the domains to 74.81.170.110, where a colorful “This domain name has been seized by ICE” graphic is displayed.

This domain name has been seized

As in a previous round of seizures, these warrants were issued ex parte, without the participation of the owners of the domain names or the websites operating there. And, as in the previous rounds, there are questions about the propriety of the shutdowns. One of the sites whose domain was seized was Spanish site rojadirecta.com / rojadirecta.org, a linking site that had previously defeated copyright infringement claims in Madrid, its home jurisdiction. There, it prevailed on arguments that it did not host infringing material, but provided links to software and streams elsewhere on the Internet. Senator Ron Wyden has questioned the seizures, saying he “worr[ies] that domain name seizures could function as a means for end-running the normal legal process in order to target websites that may prevail in full court.”

According to ICE, the domains were subject to civil forfeiture under 18 U.S.C. § 2323(a), for “for illegally distributing copyrighted sporting events,” and seizure under § 981. That raises procedural problems, however: when the magistrate gets the request for seizure warrant, he or she hears only one side — the prosecutor’s. Without any opposing counsel, the judge is unlikely to learn whether the accused sites are general-purpose search engines or hosting sites for user-posted material, or sites providing or encouraging infringement. (Google, for example, has gotten many complaints from the NFL requesting the removal of links — should their domains be seized too?)

Now I don’t want to judge one way or the other based on limited evidence. Chilling Effects has DMCA takedown demands from several parties demanding that Google remove from its search index pages on some of these sites — complaints that are themselves one-side’s allegation of infringement.

What I’d like to see instead is due process for the accused before domain names are seized and sites disrupted. I’d like to know that the magistrate judge saw an accurate affidavit, and reviewed it with enough expertise to distinguish the location of complained-of material and the responsibility the site’s owners bear for it: the difference between direct, contributory, vicarious, and inducement of copyright infringement (for any of which a site-owner might be held liable, in appropriate circumstances) and innocent or protected activity. As Joe Hall has written here, domain names can’t defend themselves.

In the best case, the accused gets evidence of the case against him or her and the opportunity to challenge it. We tend to believe that the adversarial process, judgment after argument between the parties with the most direct interests in the matter, best and most fairly approaches the truth. These seizures, however, are conducted ex parte, with only the government agent presenting evidence supporting a seizure warrant. (We might ask why: a domain name cannot disappear or flee the jurisdiction if the accused is notified — the companies running the .com, .net, and .org registries where these were seized have shown no inclination to move or disregard US court orders, while if the name stops resolving, that’s the same resolution ICE seeks by force.)

If seizures must be made on ex parte affidavits, the magistrate judges should feel free to question the affiants and the evidence presented to them and to call upon experts or amici to brief the issues. In their review, magistrates should beware that a misfired seizure can cause irreparable injury to lawfully operating site-operators, innovators, and independent artists using sites for authorized promotion of their own materials.

I’d like to compile a set of public recommendations to the magistrate judges who might be confronted with these search warrants in the future, if ICE’s “Operation In Our Sites” continues. This would include verifying that the alleged infringements are the intended purpose of the domain name use, not merely a small proportion of a lawful general-use site.