In May, Montana adopted a new statute that limits government access to the contents of electronic communications stored by service providers. EFF applauds this new privacy safeguard. We thank the Governor for cutting two flawed terms concerning the level of judicial review and records stored abroad, as we requested in a letter with the Center for Democracy & Technology.
Unfortunately, the new Montana law also allows the government to prevent providers from notifying their customers of records demands. Much like federal law that authorizes gags on service providers, this provision violates the First Amendment on its face.
What Montana Got Right
Service providers maintain an ever-growing volume of our highly private digital content. If government wants to seize this content from the providers, it should first get a search warrant from a court based on probable cause of crime. In the watershed Warshak decision in 2010, the U.S. Court of Appeals for the Sixth Circuit held that the Fourth Amendment requires a warrant in these circumstances. For many years, EFF and other privacy advocates have asked legislators to codify this critical standard. We succeeded in California. Congress remains a work in progress.
The bill that the Montana Legislature initially sent its Governor was significantly less protective than Warshak. Specifically, it would have allowed government to seize digital content from service providers based either on a court warrant, or on “an investigative subpoena,” which in Montana can be issued on a lesser standard than probable cause.
EFF and CDT sent the Governor a letter seeking an amendatory veto of this provision. The Governor issued such a veto, requiring a court finding of probable cause for either a warrant or an investigative subpoena. The Legislature then enacted this change.
The Governor also fixed a second problem that we raised. The original bill would have required service providers to turn over digital content “regardless of where the information is held.” In other words, a Montana warrant would purportedly empower police to seize digital content stored outside the United States, including the content of foreign persons living in foreign countries.
EFF and CDT objected that a comparable rule by a foreign country would intrude on the digital liberties of U.S. persons. The Governor vetoed this problematic extraterritoriality clause, and the Legislature enacted the statute without it. We hope other states and Congress will follow this lead.
Montana, Meet Microsoft v. DOJ
Unfortunately, the Montana law also replicates a serious constitutional flaw in federal law and promises to violate service providers’ First Amendment rights. The law allows Montana authorities to ask a court to gag providers and prevent them from informing users that their data has been turned over. The wording of this provision is quite similar to a gag order provision in the federal Stored Communications Act, 18 U.S.C. § 2705; both laws allow the government to get a gag based on the assertion that notice to the user might interfere with an investigation or cause other harms. However, a federal court recently allowed a First Amendment challenge to Section 2705 by Microsoft to proceed. The court found that Microsoft had plausibly argued that Section 2705 violates the First Amendment because it does not require the government to demonstrate that a gag is truly necessary. If anything, the Montana law is even weaker on this ground because it requires only that the government claim that notification of a user “may” cause a specific harm, where Section 2705 requires that harm “will” result.
In light of the Microsoft case, the Montana gag order provision may be vulnerable to a constitutional challenge, and EFF will be keeping a close eye on it. As always, we’re happy to hear from anyone who might need our assistance in this regard.
This week, EFF joined Creative Commons, Wikimedia, Mozilla, EDRi, Open Rights Group, and sixty other organizations in signing an open letter [PDF] addressed to Members of the European Parliament expressing our concerns about two key proposals for a new European "Digital Single Market" Directive on copyright.
These are the "value gap" proposal to require Internet platforms to put in place automatic filters to prevent copyright-infringing content from being uploaded by users (Article 13) and the equally misguided "link tax" proposal that would give news publishers a right to compensation when snippets of the text of news articles are used to link to the original source (Article 11).
The joint letter addresses these two muddle-headed proposals by stating:
The provision on the so-called "value gap" is designed to provoke such legal uncertainty that online services will have no other option than to monitor, filter and block EU citizens’ communications if they want to have any chance of staying in business. ...
More and more voices have joined the protest by academics and a variety of stakeholders (including some news publishers) against this [link tax] provision. The Council cannot remain deaf to these voices and must remove any creation of additional rights such as the press publishers’ right.
IMCO Proposal Lowers the Bar for Awful Copyright Policy
Incredibly, since the letter was drafted, the proposals have gotten even worse. In our last post on this topic, we highlighted some of the atrocious amendments to the original text being pushed by the CULT (Committee on Culture and Education) of the European Parliament, notably to give producers and performers an unwaiveable copyright-like power to demand additional payments for the use of their work by online streaming services. But the CULT committee doesn't have a monopoly on bad ideas for European copyright.
One of the other committees, the Internal Market and Consumer Protection Committee (IMCO), will be finalizing its own recommendations for the amendment of the Digital Single Market Directive in a vote on 8 June. On Wednesday, Member of the European Parliament (MEP) Julia Reda sounded the alarm about a sly move by EPP Group Shadow Rapporteur to IMCO, MEP Pascal Arimont, to propose that the committee accept an alternative "compromise" text that, far from being a compromise, checks off every item on the copyright maximalist wish-list.
As regards the upload filtering mandate, the "compromise" would extend this mandate to cover not only content hosts, but also "any service facilitating the availability of such content," apparently including search engines and link directories. Only small startups would be exempt from this filtering requirement, and only for a maximum period of five years.
The safe harbor that protects Internet platforms from copyright liability for users' content would also be abolished for any Internet platform that uses an algorithm to improve the presentation of such content—and it's hard to imagine any platform that doesn't do that. As such, it is no exaggeration to say that if this became law, it would no longer be safe to operate a user-generated content website in Europe.
If this wasn't bad enough, the Shadow Rapporteur's proposal goes all out in favor of the Commission's unpopular link tax proposal, extending it even further so that it would cover all uses of news snippets both online and offline, and last for 50 rather than 20 years. The new monopoly right would also be extended to scientific and academic journals, allowing them to demand fees for the use of abstracts of articles. Only the use of single words and bare hyperlinks would be exempted from the link tax, meaning that as few as two words quoted from a news article would raise liability for copyright-like fees payable to publishing organizations.
A Ban on Image Search
Another of the senseless proposals that has been published this week, this time not by the Shadow Rapporteur of IMCO but by the CULT committee again, is a proposed amendment to extend the "value gap" proposal to include a new tax on search engines that index images, as for example Google and Bing do. This proposed amendment [PDF] provides:
Information society services that automatically reproduce or refer to significant amounts of visual works of art for the purpose of indexing and referencing shall conclude licensing agreements with right holders in order to ensure the fair remuneration of visual artists.
It's unclear how much support this particular proposed amendment may have, but should it find its way into the final CULT committee report, we can well imagine that just as Google News shut down in Spain following Spain's implementation of a link tax for news publishers, the closure of image search services won't be far behind. It's hard to see that outcome as being any less detrimental to artists than it would be for users.
European lawmakers need to draw a line in the sand, and stop giving oxygen to copyright holders' most fanciful demands. If you are European or have friends in Europe, you can help deliver this message by contacting members of the IMCO committee and of the CULT committee to urge them to oppose such extremist rent-seeking proposals.
Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing persons through an app that integrates biometric information with the Crime and Criminal Tracking Network Systems (CCTNS).
These instances demonstrate how intrusive India’s controversial national biometric identity scheme, better known as Aadhaar, has grown. Aadhaar is a 12-digit unique identity number (UID) issued by the government after verifying a person’s biometric and demographic information. As of April 2017, the Unique Identification Authority of India (UIDAI) has issued 1.14 billion UIDs covering nearly 87% of the population, making Aadhaar the largest biometric database in the world. The government asserts that enrollment reduces fraud in welfare schemes and brings greater social inclusion. Welfare schemes that provide access to basic services for marginalized and vulnerable groups are essential. However, unlike countries where similar schemes have been implemented, invasive biometric collection is being imposed as a condition for basic entitlements in India. The privacy and surveillance risks associated with the scheme have caused much dissension in India.
Identity and Privacy in India
Initiated as an identity authentication tool, the critical problem with Aadhaar is that it is being pushed as a unique identifier to access a range of services. The government continues to maintain that the scheme is voluntary, and yet it has galvanized enrollment by linking Aadhaar to over 50 schemes. Aadhaar has become the de-facto identity document accepted at private banks, schools, and hospitals. Since Aadhaar is linked to the delivery of essential services, authentication errors or deactivation have serious consequences, including exclusion and denial of statutory rights. But more importantly, using a unique identifier across a range of schemes and services enables seamless combination and comparison of databases. By using Aadhaar, the government can match existing records such as driving license, ration card, and financial history to the primary identifier to create detailed profiles. Aadhaar may not be the only mechanism, but essentially, it's a surveillance tool that the Indian government can use to surreptitiously identify and track citizens.
This is worrying, particularly in the context of the ambiguity regarding privacy in India. The right to privacy for Indian citizens is not enshrined in the Constitution, although the Supreme Court has located the right to privacy as implicit in the concept of “ordered liberty” and held that it is necessary in order for citizens to effectively enjoy all other fundamental rights. There is also no comprehensive national framework that regulates the collection and use of personal information. In 2012, Justice K.S. Puttaswamy challenged Aadhaar in the Supreme Court of India on the grounds that it violates the right to privacy. The Court passed an interim order restricting compulsory linking of Aadhaar for benefits delivery, and referred the clarification on privacy as a right to a larger bench. More than a year later, the constitutional bench is yet to be constituted.
The delay in sorting out the nature and scope of privacy as a right in India has allowed the government to continue linking Aadhaar to as many schemes as possible, perhaps with the intention of ensuring the scheme becomes too big to be rolled back. In 2016, the government enacted the 'Aadhaar Act', passing the legislation without any debate, discussion or even approval of both houses of Parliament. In April this year, Aadhaar was made compulsory for filing income tax or PAN number application and the decision is being challenged in the Supreme Court. Defending the State, the Attorney-General of India claimed that the arguments on so-called privacy and bodily intrusion are bogus, and citizens cannot have an absolute right over their body! The State’s articulation is chilling, especially in light of the Human DNA Profiling Bill seeking the right to collect biological samples and DNA indices of citizens. Such anti-rights arguments are worth noting because biometric tracking of citizens isn't just government policy - it is also becoming big business.
Role of Private Companies
Private companies supply hardware, software, programs, and the biometric registration services for rolling out Aadhaar to India’s large population. UIDAI’s Committee on Biometrics acknowledges that biometrics data are national assets, though American biometric technology provider L-1 Identity Solutions, and consulting firms Accenture and Ernst and Young can access and retain citizens' data. The Aadhaar Act introduces electronic Know-Your-Customer (eKYC) that allows government agencies and private companies to download data such as name, gender and date of birth from the Aadhaar database at the time of authentication. Banks and telecom companies are using the authentication process to download data, auto-fill KYC forms, and profile users. Over the last few years, the number of companies or applications built around profiling of citizens’ personally sensitive data has grown exponentially.
A number of people linked with creating the UIDAI infrastructure have founded iSPIRT, an organisation that is pushing for commercial uses of Aadhaar. Private companies are using Aadhaar for authentication purposes and background checks. Microsoft has announced SkypeLite integration with Aadhaar to verify users. Others, such as TrustId and Eko, are integrating rating systems into their authentication services and tracking users through platforms they create. In essence, such companies are creating their own private database to track authenticated Aadhaar users and they may sell this data to other companies. The growth of companies that share and combine databases to profile users is an indication of the value of personal data and its centrality for both large and small companies in India.
Integrating and linking large biometrics collections to each other, which are then linked with traditional data points that private companies hold, such as geolocation or phone number, enables constant surveillance to take over. So far, there has been no parliamentary discussion on the role of private companies. UIDAI remains the ultimate authority in deciding the nature, level and cost of access granted to private companies. For example, there is nothing in the Aadhaar Act that prevents Facebook from entering into an agreement with the Indian government to make Aadhaar mandatory to access WhatsApp or any of its other services. Facebook could also pay data brokers and aggregators to create customer profiles to add to its ever growing data points for tracking and profiling its users.
Security Risks and Liability
A series of data leakages have raised concerns about which private entities are involved, and how they handle personal and sensitive data. In February, UIDAI registered a complaint against three companies for storing and using biometric data for multiple transactions. Aadhaar numbers of over 130 million people and bank account details of about 100 million people have been publicly displayed through government portals owing to poor security practices. A recent report from the Centre for Internet and Society (CIS) showed that a simple tweaking of URL query parameters of the National Social Assistance Programme (NSAP) website could unmask and display private information of a fifth of India's population.
Such data leaks pose a huge risk as compromised biometrics can never be recovered. The Aadhaar Act establishes UIDAI as the primary custodian of identity information, but is silent on the liability in case of data breaches. The Act is also unclear about notice and remedies for victims of identity theft and financial frauds and citizens whose data has been compromised. UIDAI has continued to fix breaches upon being notified, but maintains that storage in federated databases ensures that no agency can track or profile individuals.
After almost a decade of pushing a framework for mass collection of data, the Indian government has issued guidelines to secure identity and sensitive personal data in India. The guidelines could have come earlier and, given large data leaks in the past, may also be redundant. Nevertheless, it is reassuring to see practices for keeping information safe and the idea of positive informed consent being reinforced for government departments. To be clear, the guidelines are meant for government departments; private companies using Aadhaar for authentication, profiling and building databases fall outside their scope. With political attitudes to corporations exploiting personal information changing the world over, the stakes for establishing a framework that limits private companies commercializing personal data and tracking Indian citizens are as high as they have ever been.
As the campaign points out, the adoption of fair use would not harm copyright owners, but would simply authorize many everyday uses of copyright material that are currently technically infringing, such as forwarding emails, backing up movies, and sharing memes or mash-ups. That's one reason why Australia's Productivity Commission recommended the adoption of fair use as an improvement to Australia's patchwork of technologically-specific exceptions, such as a rule that allows format shifting from VHS tapes, but not from DVDs.
Why has Wikipedia, which is hosted in the U.S., jumped into this debate? Because the online encyclopedia provides an excellent example of the opportunity that the fair use doctrine creates for valuable information to be shared, without damaging the interests of creators. For example, in an article on Australian band Crowded House, you can hear a few bars of some of their most well-known tracks, and in a page about Aboriginal artist Albert Namatjira, a small representation of his art can be found.
Would anyone wishing to listen to Crowded House forgo purchasing their album because they can hear a few seconds of the same music on Wikipedia? Of course not, and that's one of the factors that make Wikipedia's partial reproduction of their music fair. But because Australia lacks a fair use right, Wikipedia could not be hosted in Australia without risking being found to infringe copyright. It's high time for this to change, for the sake of Australian users, creators, and innovators alike.
Other countries around the world are recognizing the benefits of fair use. South Africa is currently proposing to introduce a new fair use right into its own copyright law, adding to a growing list of countries that have done the same, including Israel, Malaysia, the Philippines, Thailand, Taiwan, Singapore, and South Korea.
Australians can join this growing movement and support the campaign for fair copyright by emailing their politicians, or by sharing the #faircopyrightoz hashtag on social media.
The Supreme Court’s recent decision in Impression Products v. Lexmark International was a big win for individuals’ right to repair and modify the products they own. While we’re delighted by this decision, we expect manufacturers to attempt other methods of controlling the market for resale and repair. That’s one reason we’re giving this month’s Stupid Patent of the Month award to Ford’s patent on a vehicle windshield design.
D786,157 is a design patent assigned to a subsidiary of Ford Motor Company. While utility patents are issued for new and useful inventions, design patents cover non-functional, ornamental aspects of a product.
Unlike utility patents, design patents have only one claim and usually have little or no written description. The patent only covers the non-functional design of a certain product. But design and utility patents are alike in an important way: both are intended to reward novelty. According to U.S. law, the Patent Office should issue design patents only for sufficiently new and original designs. By that test alone, it’s easy to see that the windshield patent should never have been issued.
Why did Ford apply for the patent on its windshield design? One possible reason is that it’s the automotive industry’s latest attempt to control the market for repair. If the shape of your windshield is patented by Ford, then no one else can replace it without risking costly patent litigation.
In the Supreme Court Lexmark opinion, Justice John Roberts specifically noted the danger of automobile manufacturers shutting out competition in the repair space:
Take a shop that restores and sells used cars. The business works because the shop can rest assured that, so long as those bringing in the cars own them, the shop is free to repair and resell those vehicles. That smooth flow of commerce would sputter if companies that make the thousands of parts that go into a vehicle could keep their patent rights after the first sale. Those companies might, for instance, restrict resale rights and sue the shop owner for patent infringement. And even if they refrained from imposing such restrictions, the very threat of patent liability would force the shop to invest in efforts to protect itself from hidden lawsuits.
If the Patent Office continues to issue stupid design patents like Ford's windshield patent, it risks giving manufacturers carte blanche to decide who can repair their products. And customers will pay the price.
S.B. 21 would require all police surveillance technology purchases and policies to go through a public approval process. That means a city council or board of supervisors could veto a proposed technology or demand a change in policy, whether it be for drones, license plate readers, or face recognition. Under the bill, law enforcement agencies would also produce transparency reports every two years regarding the equipment they've acquired. If we're successful, California will lead the country in accountability for police technology.
More than 800 Californians sent emails to their state senators urging support for S.B. 21, and it paid off. The bill passed on a solid 21-15 margin.
Tell your member of the state Assembly to support S.B. 21.
If you used our tool already to contact your state senator, we thank you, but you should take the action a second time. Now our tool will direct you to your member of the California Assembly.
If this is your first time hearing about S.B. 21, I recommend EFF's recent op-ed in the San Diego Union-Tribune. For a firsthand account of surveillance oversight, check out this illuminating letter from former Lemon Grove Mayor Mary Sessom in support of S.B. 21.
Law Enforcement Should Not Be Able to Bypass the Fourth Amendment to Search Your Devices
Sending your computer to Best Buy for repairs shouldn’t require you to surrender your Fourth Amendment rights. But that’s apparently what’s been happening when customers send their computers to a Geek Squad repair facility in Kentucky.
We think the FBI’s use of Best Buy Geek Squad employees to search people’s computers without a warrant threatens to circumvent people’s constitutional rights. That’s why we filed a Freedom of Information Act (FOIA) lawsuit today against the FBI seeking records about the extent to which it directs and trains Best Buy employees to conduct warrantless searches of people’s devices. Read our complaint here [PDF].
EFF has long been concerned about law enforcement using private actors, such as Best Buy employees, to conduct warrantless searches that the Fourth Amendment plainly bars police from doing themselves. The key question is at what point does a private person’s search turn into a government search that implicates the Fourth Amendment. As described below, the law on the question is far from clear and needs to catch up with our digital world.
California Case Highlights FBI’s Problematic Use of Geek Squad Informants
A federal prosecution of a doctor in California revealed that the FBI has been working for several years to cultivate informants in Best Buy’s national repair facility in Brooks, Kentucky, including reportedly paying eight Geek Squad employees as informants.
According to court records in the prosecution of the doctor, Mark Rettenmaier, the scheme would work as follows: Customers with computer problems would take their devices to the Geek Squad for repair. Once Geek Squad employees had the devices, they would surreptitiously search the unallocated storage space on the devices for evidence of suspected child porn images and then report any hits to the FBI for criminal prosecution.
At no point did the FBI get warrants based on probable cause before Geek Squad informants conducted these searches. Nor are these cases the result of Best Buy employees happening across potential illegal content on a device and alerting authorities.
Rather, the FBI was apparently directing Geek Squad workers to conduct fishing expeditions on people’s devices to find evidence of criminal activity. Prosecutors would later argue, as they did in Rettenmaier’s case, that because private Geek Squad personnel conducted the searches, there was no Fourth Amendment violation.
The judge in Rettenmaier’s case appeared to agree with prosecutors, ruling earlier this month that because the doctor consented both orally and in writing to the Geek Squad’s search of his device, their search did not amount to a Fourth Amendment violation. The court, however, threw out other evidence against Rettenmaier after ruling that FBI agents misstated key facts in the application for a warrant to search his home and smartphone.
We disagree with the court’s ruling that Rettenmaier consented to a de-facto government search of his devices when he sought Best Buy's help to repair his computer. But the court's ruling demonstrates that law enforcement agents are potentially exploiting legal ambiguity about when private searches become government action, in a manner that appears intentionally designed to avoid the Fourth Amendment.
When Do Informants’ Actions Become Government Searches?
The FBI's use of Geek Squad employees to do their dirty work of searching people's devices without warrants is in part possible because there is a legal distinction between searches conducted by purely private parties and searches by private parties done on behalf of government agents.
The Fourth Amendment’s protection for “persons, houses, papers, and effects, against unreasonable searches and seizures,” applies only to searches conducted by state actors or someone deputized to act on their behalf.
That means if a private actor—like your next door neighbor—breaks into your home and finds evidence of a crime, there’s nothing keeping the police from using your illegally gotten property or information against you. The neighbor may be liable for trespass, but it wouldn't amount to a Fourth Amendment violation. This is called the “private search” rule and it applies unless a court determines that the private actors are working for the government when conducting the illegal searches.
The federal appeals court covering California and other western states has ruled that determining whether a party is a state or private actor comes down to two elements: (1) whether government officials knew of and agreed to the intrusive search and (2) whether the party conducting the search intended to assist law enforcement or further her own ends.
Under this rubric, the FBI's Geek Squad informants should plainly qualify as agents of the government. The records disclosed thus far indicate that FBI agents paid Geek Squad informants to conduct these wide-ranging searches of customers' devices, suggesting that officials both knew about the searches and directed the informants to conduct them. The payments Geek Squad informants received also demonstrate that they conducted the searches with the intent to assist the FBI.
Because both factors are present in the FBI's use of Geek Squad informants, we think any court encountering facts similar to Rettenmaier's should rule that the Fourth Amendment applies to the searches conducted at Best Buy facilities. Because the Fourth Amendment generally requires the FBI to obtain warrants before searching devices, the warrantless searches by Geek Squad personnel were the result of an unconstitutional search and thus any evidence obtained as a result of the illegal searches should be thrown out of court.
However, even if the Geek Squad is found to be a state actor, the government may still argue that computer owners waived any reasonable expectation of privacy in their digital files when they consented to Best Buy's terms for repairing their devices. The U.S. Supreme Court applies a reasonable person standard when a property owner is aware that they are consenting to a government search.
This proved to be the pivotal argument in Rettenmaier's case, as the government argued in its briefs that computer owners waived their Fourth Amendment rights by signing a written form stating that they are “on notice that any product containing child pornography will be turned over to the authorities.”
We disagree with the government's flawed argument. While the Best Buy service contract does put customers on notice that it will report child porn to the FBI if it finds it, we don't think it comes close to informing customers that Geek Squad employees are working for the FBI and will search their hard drives far beyond the scope of permission customers gave. As the Rettenmaier motions show, it appears that Best Buy staff searched unallocated storage space where the problems with the computer would not be found.
When a customer turns their devices over to Best Buy or any other repair shop, their consent to searches of their devices should be limited to where the problems with the computer are located. Thus, customers cannot plausibly consent to expansive searches of their entire devices.
A real world analogy highlights the absurdity of the government's argument. When you go to the doctor for a sore throat, you don’t expect the doctor to order an MRI of your entire body.
The FBI's exploitation of the private search doctrine by relying on Geek Squad informants to conduct searches of people's devices is incredibly problematic. As technology advances, the wealth of information that may be stored or accessed from our digital devices implicates profoundly more private spheres of our lives, from protected medical and financial information to personal information about our friends, family, and loved ones.
If courts continue to rule that the Geek Squad informants are not state actors, then they are free to turn over any evidence they find to the government and law enforcement can then “reconstruct” the private party’s search free of any Constitutional taint to then obtain a warrant for the evidence. This subverting of Constitutional protections is made possible by an outdated and problematic legal concept known as the “Third Party Doctrine” that bars Fourth Amendment protection when a user “voluntarily shares” information with a third party (here, the Geek Squad), thus defeating any reasonable expectation of privacy in the evidence. This legal theory has been applied to eviscerate individual privacy interests in such private information as bank records shared with your financial institution and cell-site location information shared with your cell phone providers and produced to law enforcement without a warrant.
Currently, there’s a circuit split on how this search “reconstruction” may take place. In the Fifth and Seventh Circuits, courts permit law enforcement to search the entire computer without a warrant based on the private party’s search. In contrast, the Sixth and Eleventh Circuits restrict government searches only to the files searched by the private party. And in at least one district court in the Northern District of Indiana, the court decided that a private computer repairman had the authority to consent to a government search on behalf of the computer owner by virtue of his possession of the device.
We think that the FBI's use of Geek Squad informants is not an isolated event. Rather, it is a regular investigative tactic law enforcement employs to obtain digital evidence without first getting a warrant as the Fourth Amendment generally requires. EFF continues to look for opportunities to challenge this type of law enforcement behavior. If you have had your digital devices sent to the main Best Buy repair hub in Brooks, Kentucky for repair and it resulted in criminal proceedings against you, contact us at email@example.com.
The Supreme Court struck a blow today [PDF] for your right to own the things you buy, reversing a lower court decision that had given patent owners the power to sue customers who paid in full for a patented item but then used it in a way the patent owner didn't care for. The Court's reasoning will help us protect your rights from overbroad copyright and other restrictions, like the ones written into "end user license agreements" for software or imposed by technological restrictions given legal teeth by Section 1201 of the DMCA.
Lexmark tried every legal trick in the book to keep you from refilling your own printer cartridges, and had finally found a sympathetic ear at the Federal Circuit, the Federal Court of Appeals with jurisdiction over patent law. The Federal Circuit agreed with Lexmark that a patent owner could write their own rules that customers would have to follow or face liability for patent infringement. Even someone who later acquired a product, like the companies that refill printer cartridges, would have to abide by these restrictions.
Together with Public Knowledge and R Street, EFF filed an amicus brief [PDF] at the Supreme Court. We explained that the ability of patent owners to sell products into the stream of commerce while also writing a wishlist of anti-competitive restrictions would be a disastrous expansion of patent law, hindering competition, innovation, and your freedom to tinker with and repair your own stuff.
The Supreme Court agreed, explaining that when a patent owner "chooses to sell an item, that product is no longer within the limits of the monopoly and instead becomes the private individual property of the purchaser, with the rights and benefits that come along with ownership." The Court emphasized that, by default, people have every right to make, sell, and use things. The limited monopoly that the government bestows upon a patent owner is a deviation from the norm of free market competition and ownership of personal property, and is subject to important limits in order to protect the public interest.
The Court also rejected the argument, raised perennially by rightsholders, that they are entitled to profit via the business model of their choosing, even if that business model requires an expansive reading of the patent or copyright monopoly they enjoy. This argument arises in many contexts. For example, we've seen video game console makers argue that your traditional rights to modify your gaming console must be restricted to enable the loss-leader business model of selling inexpensive consoles and pricey games. Makers of Internet-of-Things devices often require a subscription to function. And manufacturers often try to place restrictions on reselling digital goods, repair markets, and other uses that the law has traditionally allowed customers to engage in. A rightsholder may be able to make more money if you have to pay to exercise your existing rights, but ownership of a patent or copyright should not be a hunting license that allows an owner to control and destroy any business that threatens their profits. Today, the Supreme Court reaffirmed that a patent does not confer unfettered control of consumer goods to the patent owner.
The reasoning in the Court's decision also demonstrates why Section 1201 of the DMCA has become dangerously overbroad. The Chief Justice used the auto industry as an example of a market that would be hindered if manufacturers retained a legal right to control the repair and resale of the devices they sold. This argument won't be a surprise to anyone who followed the latest rulemaking process, in which we convinced regulators to (at least temporarily) relieve some of Section 1201's restrictions on auto repair.
Overall, the decision reinforces the freedoms of device owners and fends off the monopolistic threat of patent rights eliminating fair, essential competition in markets for repair and third-party innovation. We applaud the Supreme Court for striking this blow on behalf of the public, and look forward to seeing the ripples of the decision in the years to come.