April 21, 2014

avatar

Tech@FTC

Professor Ed Felten, while on loan to the Federal Trade Commission for 2011 and Spring 2012, has a new Tech Policy Blog, Tech@FTC. When he’s in his role as Chief Technologist of the FTC, he’ll blog there; when he’s wearing his regular hat as Professor of Computer Science and Director of the Center for Information Technology Policy, he’ll blog here at freedom-to-tinker.

Of course, the big news from the FTC this week is the official report, Protecting Consumer Privacy in an Era of Rapid Change, and I see that Ed has something to say about that. But he’s also got an article about SQL injection and our friend, little Bobby Tables.

avatar

A Freedom-of-Speech-based Approach To Limiting Filesharing – Part III: Smoke, smoke!

Over the past two days we have seen that filesharing is vulnerable to spamming, and that as a defense, the filesharers have used the IP block list to exclude the spammers from sharing files. Today I discuss how I think lawyers and laypeople should look at the legal issues. Since I am most decidedly not a lawyer, nothing I say here should be considered definitive. Hopefully, it is at least interesting.

An analogy:

Washington Square, in New York City, was for many years a place where drugs were sold. A fellow would stand around quietly saying to passersby “Smoke, smoke!” However, this so-called “steerer” held no drugs. His role was simply to direct the buyer to the “pitcher”, who had the drugs somewhere nearby, and who kept silent.

Even the strongest defender of free-speech rights understands that the “steerer’s” words are not just speech. His words are not similar to those of this article, though both simply say that someone in the park is selling. He is as legally responsible for the sale as the “pitcher”, because they are, according to legal terminology, “acting in concert”. He is a drug dealer who may never touch any drugs. Note also that the “steerer” receives payments from the illegal transactions – though it is not in fact legally necessary to be able to prove the payments to establish that he’s “acting in concert”. All that’s required is that the “steerer” and the “pitcher” share “community of purpose” in facilitating the illegal transaction.

In the Napster case, the court held that Napster, even though it did not have any copyrighted data on its servers, was liable for contributory infringement. To use Napster, a downloader would login to Napster’s central server, which connected the user to another user who had a file that was being searched for. Since it was Napster’s role to hook up the parties illegally exchanging files, it is reasonable to see this as analogous to the “steerer” in Washington Square – Napster didn’t have the infringing materials, but that really isn’t a defense.

The gnutella network is decentralized to solve the legal problem presented by the Napster decision. Nonetheless, there is something still centralized in gnutella: the IP block list. Users of LimeWire get their block list from LimeWire and only from LimeWire. Accordingly, if Napster was like the “steerer” in Washington Square, LimeWire furthers the “community of purpose” in a different way; it is someone who gives negative information rather than affirmative. He’s someone paid to stand in the park pointing out who are cheaters selling bad drugs, allowing the purchasers to find the good stuff.

What is a legitimate P2P spam filtering authority versus one that shares “community of purpose” with infringers? The former could legitimately act to keep the network from being flooded by those selling weight loss drugs, without facilitating infringing. There is probably no bright-line rule, but it is reasonably clear that LimeWire is well on the wrong side of any possible grey area.

It’s useful to compare gnutella spam cop LimeWire with e-mail spam cop AOL.

LimeWire does not clearly advertise its spam cop role as a feature of its software, and does not discuss its block list. (The LimeWire web site has only the cryptic description “We’re always working to protect you from viruses and unwanted sharing.”) There is no discussion anywhere about what sorts of sites and files it is blocking and for what reason. No notification is given by LimeWire to a site when it is blocked, nor is there any way given to contact LimeWire to remove yourself from the block list.

In comparison, blocking e-mail spam is, for AOL, a major selling point. AOL does not block bulk e-mailers (many of which are legitimate) on a whim. Every e-mail rejected by AOL is bounced with a notification to the sender, and there are detailed instructions to bulk e-mailers as to what they need to do to avoid running afoul of AOL’s filters. There is a way to contact AOL to remove oneself from the block list, if one is legitimate. The whole process is transparent.

It is clear that a legitimate spam cop cannot block spoofers, since any search for a non-infringing file would be unmolested by spoofs, yet it appears that LimeWire does block MediaDefender. In fact, LimeWire appears to be quietly promising to do so, when it says that it protects against “unwanted sharing”, whatever that is.

Lastly, it appears that LimeWire’s statements in court conceal what it is doing.

As we mentioned in the first post, there is an ongoing case, Arista v Lime Group. In its motion for Summary Judgement, LimeWire states

Likewise, LW does not have the ability to control the manner in which users employ the LimeWire software. Unlike the Napster defendants, LW does not maintain central servers containing files or indices of files. … LW’s system is like that analysed by the Ninth Circuit in Grokster, “truly decentralized”. … LW no more controls the actions of its customers than do any of the thousands of companies that provide hardware or other software used in connection with the internet.

This omits any discussion of LimeWire’s centralized block list. LW assuredly does control the manner in which LimeWire users employ the LimeWire software, because if a site is added to the IP block list, it is no longer visible to most LimeWire users. This is very far from the normal situation applying in other software used in connection with the internet.

Moreover, the plaintiffs’ attorneys appear to be unaware of the blocking of spoofs, as their reply motion makes no mention of it (nor the other hidden features of LimeWire software discussed yesterday).

While it might be possible to run a legitimate spam-blocking service for P2P networks, it would look rather different from what LimeWire is doing.

Conclusion

The best way to regulate filesharing effectively is to analyze the various players’ roles on free-speech grounds. The individual filesharers (when they share infringing material) are certainly violating the law, but in a small way that probably can’t be reasonably controlled. The publishers of the software that allows the network to run (including LimeWire) are exercising free speech – the fact that their code can be made to do something illegal should be irrelevant. However, LimeWire is facilitating infringing because of the way it runs its IP block list. If LimeWire were shut down, the gnutella network become useless for downloading infringing music. Because of their actions to keep the network safe for infringers – their “acting in concert” – LimeWire should be liable for contributory infringement.

This course will avoid free speech restrictions that trouble many. In terms of preventing infringing, it also will be far more productive than trying to target the small fish. It is an effective measure that respects rights.

[This series of posts has been a somewhat shortened version of an article here.]

avatar

A Freedom-of-Speech Approach To Limiting Filesharing – Part I: Filesharing and Spam

[Today we kick off a series of three guest posts by Mitch Golden. Mitch was a professor of physics when, in 1995, he was bitten by the Internet bug and came to New York to become an entrepreneur and consultant. He has worked on a variety of Internet enterprises, including one in the filesharing space. As usual, the opinions expressed in these posts are Mitch's alone. -- Ed]

The battle between the record labels and filesharers has been somewhat out of the news a bit of late, but it rages on still. There is an ongoing court case Arista Records v LimeWire, in which a group of record labels are suing to have LimeWire held accountable for the copyright infringing done by its users. Though this case has attracted less attention than similar cases before it, it may raise interesting issues not addressed in previous cases. Though I am a technologist, not a lawyer, this series of posts will advocate a way of looking at the issues, including legal, using a freedom-of-speech based approach, which leads to some unusual conclusions.

Let’s start by reviewing some salient features of filesharing.

Filesharing is a way for a group of people – who generally do not know one another – to allow one another to see what files they collectively have on their machines, and to exchange desired files with each other. There are at least two components to a filesharing system: one allows a user who is looking for a particular file to see if someone has it, and another that allows the file to be transferred from one machine to the other.

One of the most popular filesharing programs in current use is LimeWire, which uses a protocol called gnutella. Gnutella is decentralized, in the sense that neither the search nor the exchange of files requires any central server. It is possible, therefore, for people to exchange copyrighted files – in violation of the law – without creating any log of the search or exchange in a central repository.

The gnutella protocol was originally created by developers from Nullsoft, the company that had developed the popular music player WinAmp, shortly after it was acquired by AOL. AOL was at that time merging with Time Warner, a huge media company, and so the idea that they would be distributing a filesharing client was quite unamusing to management. Work was immediately discontinued; however, the source for the client and the implementation of the protocol had already been released under the GPL, and so development continued elsewhere. LimeWire made improvements both to the protocol and the interface, and their client became quite popular.

The decentralized structure of filesharing does not serve a technical purpose. In general, centralized searching is simpler, quicker and more efficient, and so, for example, to search the web we use Google or Yahoo, which are gigantic repositories. In filesharing, the decentralized search structure instead serves a legal purpose: to diffuse the responsibility so no particular individual or organization can be held accountable for promoting the illegal copying of copyright materials. At the time the original development was going on, the Napster case was in the news, in which the first successful filesharing service was being sued by the record labels. The outcome of that case a few months later resulted in Napster being shut down, as the US courts held it (which was a centralized search repository) responsible for the copyright infringing file sharing its users were doing.

Whatever their legal or technical advantages, decentralized networks, by virtue of their openness, are vulnerable to a common problem: spam. For example, because anyone may send anyone else an e-mail, we are all subject to a deluge of messages trying to sell us penny stocks and weight loss remedies. Filesharing too is subject this sort of cheating. If someone is looking for, say, Rihanna’s recording Disturbia, and downloads an mp3 file that purports to be such, what’s to stop a spammer from instead serving a file with an audio ad for a Canadian pharmacy?

Spammers on the filesharing networks, however, have more than just the usual commercial motivations in mind. In general, there are four categories of fake files that find their way onto the network.

  • Commercial spam
  • Pornography and Ads for Pornography
  • Viruses and trojans
  • Spoof files

The last of these has no real analogue to anything people receive in e-mail It works as follows: if, for example, Rihanna’s record label wants to prevent you from downloading Disturbia, they might hire a company called MediaDefender. MediaDefender’s business is to put as many spoof files as possible on gnutella that purport to be Disturbia, but instead contain useless noise. If MediaDefender can succeed in flooding the network so that the real Disturbia is needle in a haystack, then the record label has thwarted gnutella’s users from violating their copyright.

Since people are still using filesharing, clearly a workable solution has been found to the problem of spoof files. In tomorrow’s post, I discuss this solution, and in the following post, I suggest its legal ramifications.

avatar

Fascinating New Blog: ComputationalLegalStudies.com

I was inspired to post the essay I discussed in the prior post by the debut of the best new law blog I have seen in a long time, Computational Legal Studies, featuring the work of Daniel Katz and Michael Bommarito, both graduate students in the University of Michigan’s political science department.

Every single blog they have posted has caused me to smack my head once for not having thought of the idea first, and a second time for not having their datasets and skillz. Their visualization of who has gotten TARP funds and how they’re connected to legislators deserves to be printed on posters and hung up in newsrooms across the country (not to mention in offices on Capitol Hill). They’ve also shown good taste by building a bridge to this blog, linking favorably back to the great CITP work led by David Robinson on government openness.

I will have more to say about Dan and Mike’s new blog in the weeks and months to come, but for now it is enough to welcome them to the blogosphere.

avatar

Election Machinery blog

Students will be studying election technology and election administration in freshman seminar courses taught by at Princeton (by me) and at Stanford (by David Dill).  The students will be writing short articles on the Election Machinery blog.  I invite you all to read that blog over the next three months, to see what a small nonrandom sample of 18-year-olds is writing about the machinery of voting and elections.

 

avatar

China Now Re-Routing Google Requests

Reuters reports that, since the weekend, some requests for Google from inside China are being rerouted to other, government-approved search engines. (Link at wirednews.com)

UPDATE (3pm EDT, Sept. 10): Ben Edelman now has screenshots of redirected browsers. (Link thanks to greplaw.)

avatar

Wireless LANs, Security, and Intrusions

News.com has an article about drive-by spam. The idea is that a spammer will find a building with a wireless LAN. The spammer will then connect to that LAN, without permission, from outside the building, and use the building’s email server to send a big load of spam email.

This is abusive behavior. The spammer is exploiting the wireless network owner, who ends up paying for the email, and who might get blamed for spamming. (The network owner can prevent this by tightening up the security of their email system, but this is not cost-free, and it doesn’t excuse the drive-by spammer’s actions.)

The problem here is that wireless nets do not respect property lines, walls, or other physical boundaries. If you’re running a wireless network, it is almost certainly open to people outside your site. This is a security risk for you – drive-by spamming is only one of the ways an outsider could exploit the availability of your network. (And even if you turn on the “secure mode” of your wireless network, you’re probably not safe against a sophisitcated adversary.)

It seems reasonable to adopt the ethical principle that you should not use somebody else’s wireless net without permission. (And if you do use it, you should use it only to access the greater Internet, and not to use their internal servers.)

Now suppose you’re in a public place. You pop your wireless card into your laptop, and it finds a connection. What should you do? How do you know whether you have permission?

The answer is that you don’t know. Maybe the wireless net is open because of an oversight, or because its owner wasn’t able to close it. But maybe it’s open on purpose. Some sites use their wireless nets to provide complimentary service to their customers or to the public. Sharing your network feed is a neighborly thing to do, so an open wireless net might be an invitation rather than a mistake.

How can you tell the difference? Unfortunately, the technology doesn’t help. You just shove your network card into your laptop, and it either does or doesn’t find a connection. There’s nothing in the technology that helps you figure out whether the network’s owner objects to your using it. There might not even be an easy way to find out who the network owner is.

What we need is some kind of social norm to help us out. If “everybody knows” that a network configured one way is meant to be open to the public, and one configured otherwise is not, then the boundaries will be clear. Until then, we’ll just have to do our best to behave reasonably and treat others’ wireless nets with the same respect we should normally afford to others’ property.

Situations like this often invite legislation and legal line-drawing. That seems like a mistake here, as any new law would likely be farther from the “right” answer than the eventual social norm will be. So far I haven’t seen any proposed legislation regulating use of others’ wireless nets, but I wouldn’t be surprised to see some.

avatar

China Blocks Altavista

The Great Firewall of China is now blocking Altavista too.

avatar

Defense of Berman-Coble Bill Offered

In Politech today, Congressman Berman (through an aide) offers a defense of the proposed Berman-Coble bill. (This bill would legalize certain forms of hacking by copyright owners against users of file-sharing systems.)

The gist of the defense is that the bill would only shelter copyright holders from liability to the extent that they were actually preventing redistribution of their copyrighted works, but that any impairment of unrelated activities or legal file sharing would still be liable as under current law.

If that’s actually a correct reading of the bill, then the bill might not be as bad as people say. But it’s far from clear that that is the correct reading of the bill.

avatar

Adobe Files DMCA Challenge

Adobe has filed a federal lawsuit seeking a declaratory judgment that its Acrobat product does not violate the DMCA’s anti-circumvention provisions. (Here’s Adobe’s press release. I don’t have a link to the court papers yet.)

Here is the story, as far as I can tell at this point:
Any TrueType-compatible font can be labeled with bits saying whether permission is granted to embed the font into documents. Adobe Acrobat apparently does not always obey the bits’ commands. Adobe says they have good reasons for this, and that in any case Acrobat’s use of fonts does not infringe any copyright. The other party (International Typeface Corporation, or ITC) says that Acrobat is a DMCA-violating circumvention device.

It’s way to early to speculate about the merits of Adobe’s case. But there is some karmic justice in the fact that Adobe, which kicked off the Sklyarov/Elcomsoft DMCA mess, now finds itself on the other end of a DMCA threat.