DeepLinks Archives, April 2005
Noteworthy news from around the internet.
Spitzer Suit Shows the Right Way to Fight Spyware
Posted by Wendy Seltzer
The New York State Attorney General's office today announced it has filed a lawsuit against Intermix Media for deceiving users into installing and using spyware. The complaint charges Intermix civilly with several violations of New York statute and common law. The lawsuit is a step forward for end-users' rights to control their own computers, and shows the right way to address the spyware problem: with lawsuits, not new laws.
The New York State complaint and attached affirmation run through a veritable catalogue of deceptive acts and practices perpetrated on users: surreptitious installation of browser toolbars that link to Intermix sites; interception of web requests to redirect users to Intermix websites; hijacking of users' browser homepages; installation of hidden programs and controls to report user activity back to Intermix and display advertising; and addition of an "updater" program that allowed Intermix remotely and secretly to install new programs on users' computers.
The only notice provided to users, who thought they were merely downloading screensavers or visiting websites with active plugins, would have come if they followed through six screens to a tiny link to "Terms of Service," passed disclaimers that asserted "Virus-Checked: Passed," and "Spyware-Checked: Passed," read through a cryptic "End-User License Agreement," and found its buried references to the ride-along "GripPack" and "NetGuide" -- a process that would still not have alerted them to the full activities of the host of programs taking up residence on their computers.
Spitzer's complaint charges Intermix with violating New York state's General Business Law sections 349 and 350, prohibitions on "deceptive acts or practices" and "false advertising." It also charges the company with "trespass to chattels" for interfering with the use of personal computers onto which the software was downloaded. Any user who has unwittingly found a computer infested with these rogue programs will likely concur.
The complaint is only the beginning of a lawsuit, of course, but the screenshots and descriptions it attaches leave little doubt that promoting spyware in the guise of a screensaver is a "deceptive act." If the company doesn't agree to stop on its own, it's quite likely a judge will put an end to these practices -- using the tools provided by existing laws similar to those available in many states.
The lawsuit comes as Congress and many state governments consider anti-spyware legislation. Bills have been introduced in both the House and Senate with detailed lists of prohibited activities, such as "modifying settings relating to the use of the computer or to the computer's access to or use of the Internet, including ... altering the default Web page that initially appears when a user of the computer launches an Internet browser" (S. 687) or prescribing specific wording to be used in gaining user consent: "'This program will collect and transmit information about you and your computer use and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?'" (H.R. 29).
While the Congressional efforts are well-meaning, such specific legislation is bound to be both too narrow and too broad. A law that targets web browser bookmarks and start pages says nothing about instant messenger traffic. And what about the portable device that connects to the Internet but offers no way to accept or reject the terms of a useful new feature? New tech-specific laws will look outdated in five years (if not sooner) as the technology changes. Moreover, some of the federal proposals would preempt state law, blocking the very laws that may be most effective against malware.
No one likes invasive spyware. As Spitzer's complaint shows, however, older, more general laws already prohibit these deceptive practices. Rather than rushing to regulate a field that's still changing, with laws whose impact on legitimate software development we can't adequately predict, we should focus on enforcement of these existing laws. Kudos to the New York State AG for doing just that.
California Anti-RFID Bill Gains Momentum
Posted by Donna Wentworth
A California bill (SB 682) that would bar the use of radio frequency identification (RFID) tags in state-issued ID cards yesterday cleared the Senate Judiciary Committee -- the first major hurdle on the way to becoming law.
The good news comes in the wake of a public admission by a US State Department official that the Department is rethinking parts of its dangerous and profoundly misguided plan to put insecure RFID chips in all US passports. Of course, "rethinking" isn't nearly enough. There is no good reason to use RFIDs in ID documents to begin with, and no amount of rethinking will make that any more or less true.
"All this talk about shields, crypto, and authentication is only a means of avoiding the real question: why do we need to use RFIDs in the first place?" said EFF Senior Staff Attorney Lee Tien, who testified [PDF] Tuesday before the Judiciary Committee. "Contact cards and optical readers are the far better solution. They can perform all the important functions of RFIDs without sacrificing our privacy and safety."
EFF, the ACLU, and the Privacy Rights Clearinghouse are co-sponsors of the bill, which is authored by California Senator Joe Simitian (D-Palo Alto). Other supporters include AARP California, California Alliance Against Domestic Violence, California Alliance for Consumer Protection, California National Organization for Women, Capitol Resource Institute, Consumer Action, Statewide California Coalition for Battered Women, and the State of California Commission on the Status of Women.
"This isn't a partisan issue," added Tien. "Putting RFID tags in state-issued credentials that most people can't live without -- like driver's licenses, student IDs, or health or medical benefits cards -- would expose us to unacceptable privacy risks in the course of everyday life, and that's a problem for everyone."
For additional information on SB 682 and the dangers of RFIDs in IDs, see:
- EFF Testimony Before the CA Senate Judiciary Committee [EFF; PDF]
- EFF's Comments with the State Department on RFIDs in Passports [EFF; PDF]
- An Orwellian Invasion of Privacy [San Jose Mercury News]
- Bowing to Critics, US to Alter Design of Electronic Passports [NYT; reg. req.]
- RFID Kills [Bill Scannell]
- Why Use Remotely-Readable Passports? [Edward Felten]
- US Considering Wireless Passport Protection [Edward Felten]
- RFID Passports at CFP [Edward Hasbrouck]
- Follow-up to CFP Debate on RFID Passports [Edward Hasbrouck]
FECA and Commercial Skipping
Posted by Fred von Lohmann
So Marty Schwimmer (The Trademark Blog) asked whether the Family Entertainment and Copyright Act creates copyright immunity for those who make devices capable of auto-magically skipping commercials (like the ReplayTV 4000). The answer is no, but it's interesting how we get there.
The statute creates a new copyright exception for "the making imperceptible, by or at the direction of a member of a private household, of limited portions of audio or video content of a motion picture." At first blush, you might think that would greenlight automated commercial skipping. Not so, according to the committee report that accompanies the measure, which says that "this Act has no bearing on either the legality or illegality of such services or any litigation over the issue."
Why not? The committee report appends an analysis by the Copyright Office explaining that the commercials are, themselves, separate and independent "motion pictures" for the purposes of the Copyright Act, and thus the Act would immunize skipping of "limited portions" of commercials, but not entire commercials.
The Copyright Office's line of reasoning is interesting for several reasons:
- It appears to be in some tension with the Seventh Circuit's statement (in dicta) that commercial skipping "amount[s] to creating an unauthorized derivative work." See In re Aimster Copyright Litigation, 334 F.3d 643, 647 (7th Cir. 2003). If I follow Judge Posner's logic, the television program with its embedded commercials constitutes a single work (though perhaps he meant that it was a compilation of multiple works).
- If the Copyright Office is right, then who would have standing to sue over commercial skipping? It would appear that the companies that own the copyrights in movies and TV programming would be out of luck, since they don't own the copyrights in the commercials. And even assuming for a moment that the program and commercials together constitute a compilation, it would be the broadcaster who creates and owns rights in the compilation (since different broadcasters insert different commercials), not the owner of the movie or TV program. At least I think that's how it plays out.
This debate is more than academic, as it suggests that the claims against ReplayTV for enabling commercial skipping should have been dismissed. It's too bad that SonicBlue/ReplayTV was forced into bankruptcy before the Copyright Office could hand them such fascinating ammunition to use against Hollywood!
Family Entertainment and Copyright Act Passes
Posted by Fred von Lohmann
As many have reported, the Family Entertainment and Copyright Act of 2005 (S.167/H.R. 357) recently passed the House, which also issued a committee report about the bill. Since the identical language had already passed the Senate in February, the measure now goes to President Bush for signature.
There has been some alarmist reporting about the bill. While it's decidedly a mixed bag, I think the bill should be marked as more a victory than a defeat for the public interest side in the copyfight.
There are three main parts of the new law. First, it makes camcording in movie theaters a federal crime. Of course, camcording is already a copyright infringement in virtually any circumstance the movie studios should care about, and thus is already punishable as a federal crime. Verdict: unnecessary and redundant.
Second, it modifies the criminal provisions of the Copyright Act to impose liability on those who distribute a "prerelease" work (for everything other than movies, prerelease means what you think it does; for movies, it means anything before the DVD release). Does this mean you can now be hauled off to jail for sharing a single movie on BitTorrent? Unfortunately, yes. But there are a few points to keep in mind: thanks to the NET Act, existing law already makes it a criminal offense to reproduce or distribute copies totaling more than $1,000 in retail value, which probably already reached many of the movie filesharers the feds are after; the new law only applies to material not yet released on DVD; and federal authorities have thus far shown no eagerness for throwing the book at people sharing one movie on BitTorrent. So while this is certainly a step in the wrong direction (of particular concern is the leverage it will give federal law enforcement folks over anyone caught sharing a prerelease work), panic seems premature. (UPDATE: for more on this, see Eric Goldman's comments.)
Third, the new law creates an exception in the Copyright Act meant to permit companies like ClearPlay to make DVD players and related technologies that are able to automatically skip and mute portions of DVDs. In ClearPlay's case, these technologies are intended to enable users to avoid coarse language, nudity, and violence, though the law would also permit other approaches (how about a "Jar-Jar free" version of Star Wars: Episode 1, ClearPlay?). This change is definitely a step in the right direction, as it empowers innovators to deliver technologies that let you control how the movies you own or rent are presented in your living room. After all, if you had the money, you could hire a butler to do this kind of thing for you. The trouble with the new law is that it is very narrowly crafted, so is unlikely to answer some of the more far-reaching and important questions raised in the lawsuit against ClearPlay, which will now likely be dismissed thanks to the legislative fix.
The real silver lining here emerges when you consider where the entertainment industry started back in 2003, and where they've ended up in 2005. After two years of heavy investments in lobbying Congress for a host of outrageous changes to copyright laws (like the Induce Act), the entertainment moguls managed to enact only a tiny sliver of their agenda, and only by granting concessions to ClearPlay.
Thanks to all the copyfighters in DC like Public Knowledge, the library associations, the CEA, CDT, and others who have been holding the line. And thanks to the tens of thousands of EFF members and citizens who have been writing members of Congress about these issues.
AACS - More Useless DRM
Posted by Fred von Lohmann
In November 2002, the now-famous "Microsoft Darknet Paper" laid out the argument for why DRM is not only futile in a P2P world, but actually counter-productive (because DRM drives otherwise legit customers to the Darknet).
Well, now we have yet another example of the futility side of the equation. Princeton professor Ed Felten recently posted a lucid discussion of the new AACS encryption system intended for use on next-generation high-density DVD media (a.k.a. Blu-ray or HD-DVD). The verdict: it will not slow P2P sharing of movies. Why? Because its design essentially ignores the P2P reality we live in.
The chief improvement of AACS over its thoroughly discredited DVD precursor, CSS, is that it provides for a much larger number of "device keys," which in turn makes it easier to revoke the keys of any player that has been cracked. But here's the problem, succinctly described by Educated Guesswork:
And of course, AACS only works if you can identify which key was compromised. If people just rip their DVDs and post the compressed plaintext, there's no way of knowing which player was compromised and so you can't revoke it.
In other words, one smart hacker in Moldova extracts the key from a licensed player (likely not terribly hard for a motivated attacker with a lab), uses the key to rip movies from HD-DVDs, and posts the resulting files to the P2P networks. From there, even the most unsophisticated can simply download the movie, with no need to circumvent the DRM. And the guardians of AACS are powerless to do anything about this threat, because they have no way of figuring out what device key has been compromised.
So why are they bothering with it? Not because it will slow "digital piracy" (always the public justification for DRM and laws like the DMCA that support it), but because it will give the Hollywood Cartel more power over the market for next-gen DVD players. When a Chinese company makes a player that fails to pay AACS royalties, or makes its product too easy to modify, or ignores region coding, or otherwise fails to toe the line, the Hollywood Cartel can "revoke" that player's device key. Suddenly, everyone who owns that player can no longer play new movies.
Ah, yes -- use DRM to punish the innocent in the hope of pressuring player makers into obedience, all the while doing nothing to slow filesharing. Isn't it time we started to question the premise of DRM systems like this, as well as the laws intended to support them?
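The revocation argument above, as a toy model added here (it is not from the original post and is not AACS's actual key-management scheme): each disc carries its title key wrapped once per non-revoked player key. The class and function names, the three player IDs, the sample movie bytes and the HMAC-based XOR cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (stand-in for a real one): XOR with an HMAC-SHA256 keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

class LicensingAuthority:
    """Hypothetical model: one secret device key per licensed player."""
    def __init__(self, player_ids):
        self.device_keys = {pid: os.urandom(16) for pid in player_ids}
        self.revoked = set()

    def revoke(self, player_id):
        self.revoked.add(player_id)

    def press_disc(self, movie: bytes) -> dict:
        # A fresh title key per disc, wrapped under every non-revoked device key.
        disc_id, title_key = os.urandom(8), os.urandom(16)
        key_block = {pid: xor_stream(key, disc_id + b"wrap", title_key)
                     for pid, key in self.device_keys.items()
                     if pid not in self.revoked}
        return {"disc_id": disc_id, "key_block": key_block,
                "payload": xor_stream(title_key, disc_id, movie)}

def play(player_id, device_key, disc):
    """Return the plaintext movie, or None if this player has no key-block entry."""
    wrapped = disc["key_block"].get(player_id)
    if wrapped is None:
        return None
    title_key = xor_stream(device_key, disc["disc_id"] + b"wrap", wrapped)
    return xor_stream(title_key, disc["disc_id"], disc["payload"])

def run_scenario():
    authority = LicensingAuthority(["player-A", "player-B", "player-C"])
    keys = authority.device_keys
    movie1 = b"CONSTRUCTED SAMPLE: first film " * 4   # constructed sample data
    movie2 = b"CONSTRUCTED SAMPLE: second film " * 4  # constructed sample data

    disc1 = authority.press_disc(movie1)
    # Decrypt the same disc with every player: the output bytes are identical,
    # so a posted plaintext copy says nothing about which device key was used.
    rips = {pid: play(pid, keys[pid], disc1) for pid in keys}
    rip_is_key_independent = len(set(rips.values())) == 1 and rips["player-A"] == movie1

    # Suppose player-A's key is the extracted one, but the authority, unable to
    # attribute the copy, revokes player-C (for instance over a licensing dispute).
    authority.revoke("player-C")
    disc2 = authority.press_disc(movie2)
    return {
        "rip_is_key_independent": rip_is_key_independent,
        "revoked_owner_can_play_new_disc": play("player-C", keys["player-C"], disc2) is not None,
        "extracted_key_still_rips_new_disc": play("player-A", keys["player-A"], disc2) == movie2,
    }

if __name__ == "__main__":
    print(run_scenario())
```

In this model, revocation only changes which players appear in the key block of later discs, so it is effective only when the authority knows which key to leave out.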
Blogging WIPO: Final Resolution
Posted by Ren Bucholz
We won big this week. First, there is a genuinely substantive policy discussion going on within WIPO about its obligations to be more than an IP-factory and instead explore its capacity as a positive force for the social and economic development of its member states. Not only was the majority of the meeting spent discussing the excellent Friends of Development proposal, but the good guys secured two more meetings to focus on reforming WIPO, defeating those who wanted to limit the process to a single additional meeting. Second, WIPO agreed to open the next two events to the 17 non-accredited non-government organizations (NGOs) that fought hard to attend this first meeting.
The Chair's summary of the proceedings and the next steps in the process have been reproduced for your convenience after the jump. WIPO has now ended its first Inter-Sessional Intergovernmental Meeting (IIM) on the Development Agenda. The next meeting will be June 20-22, where delegates will consider comments on the proposals from the 14 Friends of Development, the US, the UK, Mexico, and any other proposals put forward. The third meeting will be some time in July. That meeting will finalize the report to the WIPO General Assembly.
Update: Notes from Day 3 are after the jump.
Blogging WIPO's Development Agenda Meeting - Day 2
Posted by Donna Wentworth
For 30 years, the World Intellectual Property Organization (WIPO) has worked primarily to expand the scope of intellectual property protection around the globe. Whether it's bringing patents to countries where previously there were none, or expanding the entitlements of copyright holders in developed countries, WIPO has always started from the premise that more IP is always better for everyone.
That's changing. Countries around the world -- even across the "north-south" divide of developed and developing nations -- are becoming wary of over-protecting intellectual works. Everything from free speech and open source software to the availability of essential medicines is impacted by runaway legal regimes, and the world is taking notice.
At WIPO, the most concrete expression of this concern has come from a 14-country coalition called the "Group of Friends of Development" (GFoD), which submitted a fantastic proposal at the Development Agenda meetings on the need for IP policy that fosters the economic and social development of countries, not just the development of IP regimes. The proposal states:
"While intellectual property protection may in particular circumstances promote creativity and innovation, it is neither the only way nor necessarily the most efficient or appropriate means for doing so at all times and in all sectors of the economy. Similarly, it is highly questionable that upward harmonization of intellectual property laws, leading to more stringent standards of protection in all countries, irrespective of their levels of development, should be pursued as an end in itself. WIPO must, as a matter of course, examine and address all features of existing intellectual property rights, including the economic and social costs that IP protection may impose on developing and least developed countries, as well as on consumers of knowledge and technology in both the North and the South."
Below the jump are the running notes from Day 2 of the Development Agenda meetings (see Day 1 notes here). Stay tuned -- we'll have more on how these concepts are being received when the last of the "civil society" groups speak and the official meeting proceedings are published.
Bloggers Speak Up in Apple Case
Posted by Donna Wentworth
Groups working to protect journalists' press freedoms, the creator of a blog-search tool, weblog publishers, and more than a dozen individual online journalist/bloggers filed a friend-of-the-court brief (PDF) today in Apple v. Does -- the case in which Apple Computer is seeking to unmask online journalists' confidential sources for articles about forthcoming Apple products.
The amici urged the court to adopt "a functional test for the newsgatherers' privilege that does not discriminate between reporters, regardless of the medium in which they publish." They ask the court to "adopt a test that will not impede journalists' use of the Internet to report news by limiting their constitutional protections when they publish there."
The amici are (in alphabetical order):
- Jack M. Balkin
- The Center for Individual Freedom
- Julian Dibbell
- Feedster, Inc.
- The First Amendment Project
- A. Michael Froomkin
- Gawker Media, Inc.
- Gothamist, LLC
- Groklaw
- Happy Mutants, LLC
- Ben Hammersley
- Joichi Ito
- Joel Johnson
- Kimberly A. Kralowec
- LawMeme
- Rebecca MacKinnon
- Joshua Micah Marshall
- The Media Bloggers Association
- Markos Moulitsas
- Reporters Without Borders
- Glenn Harlan Reynolds
- Peter Rojas
- Jay Rosen
- Scott Rosenberg
- Doc Searls
- Silicon Valley Watcher
- Kevin Sites
- Eugene Volokh
For full descriptions of the amici, see the application for leave to file the brief (PDF).
Blogging WIPO's Development Agenda Meeting - Day 1
Posted by Ren Bucholz
We're in Geneva at the World Intellectual Property Organization's (WIPO) first big meeting on intellectual property and the Development Agenda. The world's premier IP-expansionists are considering the radical proposal that more rightsholder protections aren't always in the best interests of developing nations. Several copyfighters have been taking collaborative notes all day inside the cavernous main hall, and you can check out the transcript after the jump.
[Also see Pedro de Paranaguá Moniz's notes from today!]
EFF Urges State Department to Drop RFID Passport Plan
Posted by Donna Wentworth
As we reported last week, the US State Department is pushing to embed insecure radio-frequency identification (RFID) chips in all new US passports. These chips would broadcast your name, date of birth, nationality, unique passport number, and any other personal information contained in the passport to anyone with a compatible RFID reader.
Security experts have pointed out that because the new passports would indiscriminately expose your personal information to strangers, they could be used as "terrorist beacons," providing a terrorist, kidnapper, or thief with a means of covertly scanning a crowd at an airport -- or any other public place -- for American targets. But there are numerous other ways that RFID passports threaten your safety, privacy, and basic civil liberties.
This week, EFF, joined by EPIC, PrivacyActivism, Privacy Rights Clearinghouse, the World Privacy Forum, and privacy activist Bill Scannell, filed comments [PDF] with the State Department, providing a detailed critique of the RFID passport proposal and urging the Department to abandon it.
"RFID in passports is a terrible idea, period. But on top of that, the State Department is acting without the appropriate authority and without conducting any form of credible cost-benefit analysis," said EFF Senior Attorney Lee Tien. "It's asking Americans to sacrifice their safety and privacy 'up front' for a dangerous experiment that it hasn't even bothered to justify."
As our comments point out, under the State Department's plan there would be millions of RFID passports (and passport holders) and thousands upon thousands of authorized passport readers around the world. Each authorized passport reader would itself represent a threat to the privacy of passport holders and would have to be secured. Because the technology would be so widespread and persistent over time, the likelihood of reverse engineering and thus security compromise would be high. At the same time, because so many people would be carrying RFID passports, the magnitude of harm associated with security compromise would be large - and it is unclear how well the system would recover once it is compromised.
EFF will shortly provide an easy way for you to speak out against RFID passports -- stay tuned to EFFector and the EFF Action Center for details.


