April 20, 2024

IEEE blows it on the Security & Privacy copyright agreement

Last June, I wrote about the decision at the business meeting of IEEE Security & Privacy to adopt the USENIX copyright policy, wherein authors grant a right for the conference to publish the paper and warrant that they actually wrote it, but otherwise the work in question is unquestionably the property of the authors. As I recall, there were only two dissenting votes in a room that was otherwise unanimously in favor of the motion.

Fast forward to the present. The IEEE Security & Privacy program committee, on which I served, has notified the authors of which papers have been accepted or rejected. Final camera-ready copies will be due soon, but we’ve got a twist. They’ve published the new license that authors will be expected to sign. Go read it.

The IEEE’s new “experimental delayed-open-access” licensing agreement for IEEE Security & Privacy goes very much against the vote last year of the S&P business meeting, bearing only a superficial resemblance to the USENIX policy we voted to adopt. While both policies give a period of exclusive distribution rights to the conference (12 months for USENIX, 18 months for IEEE), the devil is in the details.

For the IEEE, authors must assign “a temporary joint and undivided ownership right and interest in all copyright rights” to the IEEE, giving the IEEE an exclusive to distribute the paper for 18 months. Thereafter, the license “expires.”

Those quotation marks around “expires” are essential, because there’s language saying “IEEE shall nonetheless retain the sole and exclusive right to archive the Work in perpetuity” which sounds an awful lot to me like they’re saying that the agreement doesn’t actually expire at all. It just moves into a second phase. For contrast, USENIX merely retains a non-exclusive right to continue distributing the paper. That’s an essential difference.

There are some numbered carve-outs in the IEEE contract that seem to allow you to post your manuscript to your personal web page or institutional library page, but not to arXiv or anything else. (What if arXiv were to offer me a “personal home page service?” Unclear how this license would deal with it.) This restriction appears to apply in both the initial 18-month phase and the “in perpetuity” phase.

My conclusion: authors of papers accepted to IEEE Security & Privacy should flatly refuse to sign this. I don’t have a paper of my own that’s appearing this year at S&P, but if I did, I’d send them a signed copy of the USENIX agreement. That’s what the members agreed upon.

Disclosure: I am currently running for the board of directors of the USENIX Association. That’s because I like USENIX. Of all the venues where I publish, USENIX has been the most willing to break with traditional publishing models, and my platform in running for USENIX is to push this even further. Getting ACM and IEEE caught up to USENIX is a separate battle.

This Week in Copyright – SOPA, Golan, and Megaupload

It has been an exceptionally busy week for copyright policy. We heard from all three branches of the US Federal Government in one way or another, while the citizens of the Internet flexed their muscles in response.

The most covered story of the week was the battle over SOPA and PIPA — the twin proposed bills that aimed to cut down on online piracy of copyrighted works by giving the government significant new authority to block access to allegedly infringing web sites. Other authors on this blog have pointed out how the bills show inconsistency in the copyright industry’s position on regulating the internet, could threaten free speech in repressive regimes, and may ultimately be found by the courts to violate fundamental constitutional liberties. On Wednesday some of the most popular sites on the web “went dark” or otherwise heightened awareness of the issue, and the surge of citizen pleas to Congress caused a surprising reversal of momentum in the House and Senate. [Update: Both PIPA and SOPA have now been shelved.]

Buried in the day’s developments was the Judicial branch’s copyright contribution. In a highly anticipated decision, the Supreme Court ruled on the case of Golan v. Holder. At issue was the question of whether or not Congress had the right to make a law that moved public domain works into copyright. Opponents of this law claimed that such a move violated not only the First Amendment, but also the purpose of the Copyright Clause — not to mention age-old legal principles. The majority did not agree, and in a 6-2 vote it stated that individuals do not have any particular right that guarantees their use of the public domain, so they have no claim if Congress removes materials from it. Justices Breyer and Alito dissented, explaining that the ruling upset the delicate balance that the Founders had struck in affording limited monopoly rights to content creators. Nevertheless, the majority clearly demonstrated that the Judicial branch continues to trend toward greater expansion of copyright protection.

On Thursday, the Executive Branch weighed in. The Department of Justice announced that it had seized the domain name and servers of the popular file-sharing site Megaupload and had indicted several of the site’s operators. Although Megaupload claimed to be complying with US copyright law — in particular the notice-and-takedown provisions of the Digital Millennium Copyright Act — the feds claimed that the operators knew full well that the majority of the content on the site was infringing. Within minutes of the announcement, hacktivist group Anonymous had launched a denial-of-service attack on the Department of Justice web site, which remained unreachable for hours [Update: days].

Opponents of SOPA and PIPA welcomed the opportunity to reflect on why these developments demonstrated the shortcomings of the proposed bills. Some of them noted that the DoJ’s actions were done without any additional authority from harmful new bills, while others observed that such approaches to enforcement are ultimately ineffective — they observed that it was only a matter of time until Megaupload returned, or the many other file-sharing sites filled their shoes. By Thursday night, all four GOP presidential candidates had come out against SOPA.

It is hard to consolidate all of these developments into a coherent story of where things are headed. However, a few things seem clear. First, the SOPA/PIPA backlash shows us that the internet can help citizens to rally a truly remarkable effort that penetrates the beltway bubble. Second, internet freedom is a compelling and accessible counter-narrative to copyright maximalism and government policing. Third, the courts continue to favor an approach to copyright that emphasizes property rights of those who have already created works over the free speech rights of those who may rely on those works to create new works. Fourth, the enforcement arms of the government are interested in taking ever-more-extreme measures to take down those accused of infringement, and are committing more taxpayer resources to a problem that continues to grow despite their approach.

But perhaps most significantly, this week shows us that there is just plain turmoil in this area. Policymakers are struggling to find good answers, and sometimes their “solutions” provoke far more criticism than praise.

"Stolen" LinkedIn Profiles and the Misappropriation of Ideas

The common law tort of “hot news” misappropriation has been dying a slow and justified death. Hot news misappropriation is the legal doctrine on which news outlets like the Associated Press have repeatedly relied over the years to try to prevent third-party dissemination of factual information gathered at the outlets’ expense. Last June, the Second Circuit Court of Appeals dealt a blow to the hot news doctrine when it held that financial firms engaged in producing research reports and recommendations concerning publicly traded securities could not prevent a third party website from publishing news of the recommendations soon after their initial release. The rationale for the court’s decision was that state law claims of hot news misappropriation can only very rarely survive federal preemption by the Copyright Act, which excludes facts from the scope of copyright protection. The rule that facts are not eligible for copyright (called the fact-expression dichotomy) is at the heart of the copyright system and serves the interests of democracy by promoting the unfettered dissemination of important news to the populace. Creative arrangements of facts can be protected under copyright law, but individual facts cannot.

Given the declining fortunes of the hot news doctrine, I was a little surprised to discover a recent case out of Pennsylvania called Eagle v. Morgan, in which the parties are fighting over ownership of a LinkedIn account containing the plaintiff’s profile and her professional connections. The defendant, Eagle’s former employer, asserted a state law counterclaim for misappropriation of ideas. Ideas, as it happens, are—like facts—excluded from the scope of federal copyright protection for a compelling policy reason: If we permit the monopolization of ideas themselves, we will stifle the communal intellectual progress that intellectual property laws exist to promote. Copyright law thus protects only the expression of ideas, not ideas themselves. (This principle is known as the idea-expression dichotomy.) Accordingly, section 102(b) of the Copyright Act denies copyright protection “to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied.” The statute really could not be clearer.

In its opinion denying Eagle’s motion for judgment on the pleadings, the trial court did not consider whether the state law tort of misappropriation of ideas is federally preempted by the Copyright Act, which seems to me to be a really important legal question. The court explained that a claim for misappropriation of an idea in Pennsylvania has two elements: “(1) the plaintiff had an idea that was novel and concrete and (2) the idea was misappropriated by the defendant.” To determine whether a misappropriation has occurred, the court further explained, Pennsylvania law requires consideration of three factors:

(1) the plaintiff “has made substantial investment of time, effort, and money into creating the thing misappropriated such that the court can characterize the ‘thing’ as a kind of property right,” (2) the defendant “has appropriated the ‘thing’ at little or no cost such that the court can characterize the defendant’s actions as ‘reaping where it has not sown,’” and (3) the defendant “has injured the plaintiff by the misappropriation.”

Setting aside the oddity of classifying digital information as a “thing,” the first of these factors collides head on with the Supreme Court’s clear repudiation in Feist Publications v. Rural Telephone Service of the “sweat of the brow” theory of intellectual property.

In Feist, the Court held that “sweat of the brow” as a justification for propertizing information “eschew[s] the most fundamental axiom of copyright law—that no one may copyright facts or ideas.” Given copyright law’s express prohibition on the propertization of ideas, there is a strong case to be made that state law claims for misappropriation of ideas are in direct conflict with both the letter and spirit of the federal copyright scheme. On that basis, they are akin to claims of hot news misappropriation, and they should likewise be treated as preempted.

Stopping SOPA's Anticircumvention

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web show, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new “anticircumvention” provision (different from the still-problematic anti-circumvention of section 1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures, [1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii) against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for “the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers – products “designed” to be resilient to transient DNS lookup failures – be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others (such as those identified by my ISP colleague Nick), SOPA should be stopped.

The Latest in Nationwide Internet User Identification – Part 1 (The Ancient State Law "Pure Bill of Discovery")

Plaintiffs are engaging in aggressive and questionable new tactics in a growing wave of federal copyright “John Doe” lawsuits. In those lawsuits, the obvious objective of the plaintiffs is to discover from Internet Service Providers (ISPs) the personal identities of many of the ISPs’ subscribers. The plaintiffs typically present the ISPs with long lists of subscriber IP addresses that have allegedly been used in copyright infringement. Many of these plaintiffs have generated a business model around such suits and are often referred to as “copyright trolls”. The orders permitting “John Doe” discovery necessarily precede the naming of the defendants, and many if not most defendants are likely to settle rather than bear the expense of a defense (not to mention, in many cases, the embarrassment of association with pornographic works). Thus, at least for those defendants, the lawsuits effectively begin and end when their names and contact information are provided to the plaintiffs. Many of the copyright plaintiff attorneys would have it no other way – operating form-based lawsuit “factories” and harvesting settlements, and getting out without presenting any evidence at trial.

The response of the federal judges has been mixed. Many of them just grant the requested relief. In the interest of protecting privacy rights, a few judges have properly appointed attorneys ad litem to represent the unidentified Does. Some have decided that the joinder of numerous defendants in a single lawsuit is improper, and dismissed all the Does except for a single John or Jane. Others have required that the plaintiffs demonstrate a good faith belief that the subscriber-defendants reside in the forum and/or are otherwise subject to the personal jurisdiction of the court.

More recently, the copyright plaintiffs are turning to the state courts – an odd tactic given that copyright infringement claims may only be asserted in federal court. Remember, though, that these plaintiffs appear to be far more interested in the personally identifiable information of Internet subscribers (and coercing settlements), than in the actual pursuit of litigation. As such, they are simply motivated to seek, in the least number of lawsuits, as many Internet subscriber identifications for as many IP address/date/time stamps from as many ISPs as possible.

Consistent with such an objective, the plaintiffs’ lawyers have dusted off an ancient proceeding known as a “pure bill of discovery” – an equitable action that originated in the 19th century, before discovery was even available in legal proceedings under common law. As it turns out, this action is still available under a narrow set of circumstances in some states, including Florida, primarily where discovery is not otherwise obtainable and there is no adequate remedy at law.

Plaintiffs use this action to seek discovery in state court – presumably to avoid some of the same hurdles encountered in federal court. In Florida (the preferred jurisdiction so far), they contend that they should be permitted to file a “pure bill of discovery” for any alleged infringement, so long as they can somehow connect the alleged infringement to that jurisdiction (for example, because another alleged member of the same BitTorrent “swarm” – who could even be the plaintiff’s forensic investigator – was allegedly located in Florida).

But these plaintiffs aren’t using the “pure bill of discovery” the way it is supposed to work.

Because the “pure bill of discovery” is for the sole purpose of obtaining discovery, the “defendants” in such an action should be the persons from whom the information is sought. Here, that would be the ISPs. However, suing dozens and dozens of ISPs located across the country in a Florida state court could be inconvenient and costly to the plaintiffs given that the ISPs would need to be served with process and a significant number of the ISPs would likely resist. In addition, if there were actual adversaries (i.e., ISP defendants), the plaintiffs would have to demonstrate their rights and convince the court that they are entitled to relief in an adversarial hearing before an order could be issued and before any subpoenas could be issued.

Preferring otherwise, the plaintiffs are suing the (unrepresented, unnamed, and defenseless) Doe defendants in their “pure bill of discovery” actions. That doesn’t make sense, you may say, because the plaintiffs are not seeking any discovery from the Does. True – in a “pure bill of discovery” action, the plaintiff has to be seeking discovery from the defendants in that action. To address this detail, the plaintiffs’ lawyers fictionally assert that they are seeking to require the Does to “confirm” that the identifying information to be provided by the ISPs is “accurate.” And, naturally, before the Doe defendants can “confirm” that they are who they are said to be, the plaintiffs need to uncover their names. So, after filing the lawsuit in a state court, the plaintiffs file an ex parte motion for discovery seeking to issue discovery requests to a long list of ISPs located across the nation (many beyond the state court’s jurisdiction), to obtain the personally identifiable information of hundreds of individual subscribers (i.e., the John Does). These ex parte motions actually get granted tout de suite.

Although the ISPs (much less the John Does) don’t have any opportunity to be heard beforehand, the ISPs can oppose the discovery requests once those requests are served on them. As a practical matter, though, most of the ISPs don’t; and those that do may simply be met with a voluntary dismissal by the plaintiff (as to those Does only), who would presumably rather not have the court actually hear the arguments made. Thus, the plaintiffs for the most part can readily obtain the necessary personally identifiable information to threaten to sue the alleged infringers (in federal court) and, in all likelihood, obtain quick settlement.

To the extent these plaintiffs get away with it, they have found a way to obtain a court order without opposition that permits nationwide identification of mass defendants in a single lawsuit. Assuming the Doe defendants settle, and anecdotal evidence suggests that many do, bothersome details such as service of process, personal jurisdiction, venue, joinder, and even advocacy in a court of law can be avoided entirely.

And why stop with seeking federal copyright claims? If these proceedings can actually be used in the way the plaintiffs are using them, there’s no reason why anyone couldn’t sue in Florida state court in order to get identifying subscriber information for subscribers located anywhere, from any ISP or other communications provider, under any legal theory. It seems to be the perfect tool of stealth and expedience, unless you happen to believe in the protection of fundamental individual rights and that the role of our judicial system is to resolve cases or controversies. It is hard to imagine that this antediluvian equitable action was intended to serve as a settlement weapon in abusive mass copyright litigation.