UPDATE: We held a very successful Boot Camp on Sept. 9! Thanks very much to our panelists and everyone who participated. We've recorded the panel, which you can access here. Continue to watch this space for additional resources for app developers and other innovators who have been the target of patent trolls.
As you probably know, we’ve been closelyfollowing the Lodsys mess and watching as the patent troll asserts its patents against companies large and small, and — famously and most egregiously — against small app developers. Large companies such as Best Buy, CVS, and the New York Times Company are fighting Lodsys in court (and challenging the validity of its patents). But those lawsuits could take years. In the meantime, app developers all over the world, many of who cannot afford legal counsel, face the uncertainty long-felt by the victims of patent trolls and are left wondering what they can and should do to protect themselves.
Are you an app developer? Have you been targeted by Lodsys? Do you wonder what Apple’s Motion to Intervene means? How about Google’s Notice of Reexamination? Will the situation change because Lodsys sued large app developers like EA and Rovio, too? What are the elements of a patent license?
Unfortunately, EFF cannot represent all of the app developers affected by Lodsys. But we can help answer some of your questions! So please join on us September 9 at 12:00 pm PST to talk with a distinguished panel of law professors and patent attorneys who will walk us through the basics of patent litigation. We’ll be streaming the panel live and taking your questions via twitter and email. If you’d like to join us, please email firstname.lastname@example.org and include your name, email address, professional affiliation, and let us know if you’ve already heard from Lodsys. In the meantime, continue to watch this space for more details. We look forward to hearing from you on September 9!
Two weeks ago, EFF published an analysis with researchers at Berkeley ICSI about the redirection of search traffic at a number of US ISPs. The company involved, Paxfire, contacted us to discuss its practices, and based upon those discussions and some further analysis we have a number of clarifications and updates to report. These clarifications are of course our own, and not Paxfire's.
Overall, Paxfire admits that it sends users' searches through its proxy servers (we call this redirection; Paxfire disagrees), and that while the proxies look at the searches for specific things, Paxfire maintains that it does not retain logs of these queries unless the user is searching for specific trademark terms using the search box in the browser. In those cases, the search and IP address are logged and the user is sent to the brand’s website directly, rather than to the search engine, and Paxfire and the ISP collect a fee for the referral. Thus, while the Paxfire technology examines and processes users’ queries and sometimes sends users a response different than the search engine results page they might have expected (and that is often even branded as a search engine in their browser), Paxfire strongly denies collecting or using any of that information for any purpose other than conducting its affiliate marketing businesses.
Based upon their representations, and assuming for these purposes that they are correct (a pending lawsuit may delve into the matter further), we agree that the blog post wasn’t clear enough about the possible differences between the fact that this data is redirected to Paxfire's proxies and what Paxfire says it actually retains, and is limited to retaining by its contracts with ISPs. We do think that the post should have been clearer on that issue. Accordingly, our blog post will be revised as follows:
In our post we said that Paxfire "collects" copies of all search terms and results. Taking Paxfire at its word, it would be more precise to say that it “receives, examines and processes all search terms and results, but only logs a small subset of search queries that were entered into a browser search box and are related to major trademarked brands.”
We said that "this allows Paxfire and/or the ISPs to directly monitor all searches made by the ISPs' customers and build up corresponding profiles, a process on which Paxfire holds a patent." Paxfire first disputes our characterization of "monitoring" and “profiles.” We should clarify that while the code on Paxfire's proxy servers examines and processes all affected users' searches, Paxfire maintains that its employees do not. And while it is true that Paxfire's proxies could be reconfigured to do more invasive monitoring of searches, Paxfire says that it does not do this and that its contracts with the ISPs do not allow it to do so. Again, for purposes of this blog post, we take them at their word and have removed these terms, but we will be watching the situation closely as it develops in the lawsuit and elsewhere.
Paxfire next disputes the characterization of one of their patents as describing the construction of profiles from searches. Accordingly, we have read that patent more closely. As with many software patents, it is a complicated and ambiguous document. There is no question that the patent overall describes tracking and profiling of Internet users. For instance, it says:
"In certain embodiments, the Internet appliance may return customer-specific, geographically-relevant, and/or time-relevant content based upon a profile stored for that particular requesting computer or ISP.", and
"In addition, the result page may be built dynamically in real time and/or on-the-fly based upon profile information stored for the ISP or based upon the IP Address of the requester. The IP Address may be used to localize the requester all the way down to a known individual user and/or provide information about the geo-location of the requesting computer."
However the actual claims in the patent are only about DNS-based profiling. Accordingly, in mentioning the patent, our post should have said that this Paxfire patent has patent claims only about DNS-based profiling, and not search-term based profiling. Paxfire also asserts that this particular patent has nothing to do with its current business activities. As a result, we're removing the reference to the patent entirely.
Paxfire has told us that it believes it has consent from the affected Internet users to perform the search redirections (and the typo-redirections, which is Paxfire’s other service) via ISPs' privacy policies and terms of service. Paxfire also claims that ISPs allow users to opt-out. We have a couple of things to say about this:
We have read a number (although not all) of the privacy policies and terms of service of the ISPs that use Paxfire, and we respectfully disagree that they create anything resembling informed consent for Paxfire’s behavior by users. In most instances, subscribers reading these documents would have no idea that Yahoo!, Bing or Google searches in their browser are actually not going to those search engines directly and, in some cases, aren’t going to the search engines at all.
If ISPs intend to make significant deviations from the way that Internet users expect the network to function, these changes should be opt-in, especially when the goal (as Paxfire makes crystal clear in its website come-on to ISPs) is not to serve customers as much as to leverage customer activities to create revenue for the ISP and Paxfire. This sort of business model needs to be made especially clear to the customers it affects.
Some bad ideas just won't die. In 2008, the Brazilian Senate passed a cybercrime bill that would have limited freedom of expression and threatened privacy online. Strong public opposition, including a speech by then-President Luiz Inácio Lula da Silva in which he denounced the bill, prevented it from ever becoming law.
Now the Brazilian Cybercrime bill is back. According to the Brazilian Institute for Consumer Defense, the bill would criminalize many of the common, everyday behaviors of online consumers, such as file sharing, or transferring the contents of a CD onto a computer.
Campaigns in opposition to the bill are in full force, including Mega Nao or "Big No," and Avaaz's petition to Save Brazil's Internet that has been signed by over 175,000 people. If you are in Brazil, sign now to make your voice heard and to protect digital civil liberties.
As part of an emerging international trend to try to ‘civilize the Internet’, one of the world’s worst Internet law treaties--the highly controversial Council of Europe (CoE) Convention on Cybercrime--is back on the agenda. Canada and Australia are using the Treaty to introduce new invasive, online surveillance laws, many of which go far beyond the Convention’s intended levels of intrusiveness. Negotiated over a decade ago, only 31 of its 47 signatories have ratified it. Many considered the Treaty to be dormant but in recent years a number of countries have been modeling national laws based on the flawed Treaty. Moreover, Azerbaijan, Montenegro, Portugal, Spain, and the United Kingdom are amongst those who have ratified within the last year. However, among non-European countries, only the U.S. has ratified the Treaty to date, making Canada and Australia’s efforts unique. The Treaty has not been harmless, and both Australia and Canada are fast-tracking legislation (Australia's lower house approved a cybercrime bill last night) that will enable them to ratify the Treaty, at great cost to the civil liberties of their citizens.
Leaving out constitutional safeguards
Australia’s invasive bill highlights one of the fundamental flaws of the Convention on Cybercrime: the Treaty’s failure to specify proper level of privacy protection necessary to limit the over-broad surveillance powers it grants law enforcement agencies. This creates problems in countries like Australia since, as the Australia Privacy Foundation points out, Australia lacks the legal constitutional safeguards afforded to many other democratic countries:
The CoE Convention has to be read within the context that applies in CoE countries – where there are substantial and actionable constitutional protections for human rights. The absence of any such countervailing protection for human rights in Australia makes it completely untenable for the Convention to be implemented in Australia without very substantial additional provisions that achieve a comparable balance.
Bills proposed in Canada (read here and here) are also affected by the Convention’s flaws as they adopt the lowest possible standard of protection against many of the invasive powers they grant. The bills provide law enforcement access to sensitive data on the mere suspicion it might be useful to an investigation. Indeed, at times they leave out the safeguards altogether, as noted in a letter from Canadian privacy scholars and civil society organizations:
[the legislation] will give state agents the power to access ...highly sensitive personal information, even where there is no reason to suspect it will assist in the investigation of any offense...What [this] facilitates, simply put, are unjustified and seemingly limitless fishing expeditions for private information of innocent and non‐suspicious Canadians.
Gag orders in place of oversight: Cultivating a culture of secrecy
The Convention’s most systemic flaw is that it seeks to impose detailed invasive surveillance powers without legal protections. Aside from failing to specify detailed adequate safeguards, it also leaves out the types of oversight mechanisms necessary to ensure its broad powers are not abused. Worse, the Convention takes active steps to reduce oversight and transparency by calling for limitations on when individuals can and cannot be notified that they are being surveilled upon.
The Australian bill even criminalizes any attempt to disclose the fact that the powers it grants to law enforcement have been used to spy on an individual. These gag orders will prevent anyone from disclosing the existence and content of interception warrants, all but ensuring innocent individuals will never know their civil liberties have been violated:
...it should be possible for individuals to find out that their communications have been subject to a preservation order or disclosed to law enforcement agencies once there is no longer any prejudice to an ongoing investigation.
Proposed Canadian legislation also paves the way to blanket and perpetual gag orders that will apply by default to the most invasive of the seizure powers it authorizes. These gag orders can insulate abuses of power --when innocent people are surveilled for no good reason--and they will never find out nor will be able to challenge the abuse of their rights, even in situations where there is no longer any risk to an ongoing investigation.
The far-reaching powers this legislation puts in place, if adopted at all, should be accompanied by equally far-reaching oversight regimes, not gag orders. Instead of preventing abuses from ever seeing the light of day, individuals should be notified when they have been surveilled, and the extent, nature and frequency of such surveillance must be subject to rigorous external oversight.
Tamir Israel, staff attorney, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic.
Blanket gag orders are strongly disfavored under U.S. law, and at least one U.S. court of appeals has found a similar gag order provision partially unconstitutional. A provision of the PATRIOT Act permitted the government to obtain electronic communication transaction records from an Internet Service Providers without a court order. The law imposed a gag order on “National Security Letter” recipients, with extremely limited judicial review that required courts to accept the FBI’s assertions as true and placed the burden on the ISP to challenge the gag order after it had been issued. As EFF argued, such gag orders stifle free expression, and without any judicial oversight, the government was free to do what it wanted. The court agreed that the gag order provision was unconstitutional as written, but it construed the gag rules narrowly so as to pass First Amendment muster. The court found that the U.S. Justice Department could adopt additional procedures to cure the remaining defects—a result that EFF disagrees with because it is Congress’s job to write laws.
Forcing service providers to record your online activity
Countries are also using the Convention to put in place powers aimed at forcing service providers to store customer information for extended periods of time. While the Convention itself foresees targeted preservation orders in scenarios where there is a reason to believe the information would otherwise be vulnerable to loss or modification, Australian and Canadian bills ignore this important limitation. Also, while the Convention envisions a distinction between orders forcing service providers to preserve data they have already collected and orders aimed at forcing service providers to intercept and record data in real time, the misuse of proactive or ‘ongoing’ preservation orders aims to undermine this distinction.
In the U.S. and in Canada, for example, there have been cases where preservation powers have been misused to proactively compel service providers to retain data such as email or text messages that are not yet in their possession or control. Proactive preservation force service providers to record data they would never have otherwise retained, effectively bypassing legal protections in place for real-time electronic interceptions. As the U.S. DOJ notes in its manual on seizing electronic communications:
...should not be used prospectively to order providers to preserve records not yet created. If agents want providers to record information about future electronic communications, they should comply with the electronic surveillance statutes discussed in Chapter 4.
Instead of attempting to avoid such problems, the Australian bill embraces this confusion, and expressly grants law enforcement the right to order ‘ongoing preservation’. This, combined with the complete lack of any obligation to ensure preservation orders are narrowly targeted to capture relevant data at risk of deletion, opens the door to blanket retention orders aimed at real-time interception of communications services on a mass scale:
The Australian law, for example, is phrased in such broad terms that it could be applied indiscriminately, without any assurance that it will only be used to preserve data that is at risk of being destroyed:
The Bill could require an Internet Service Provider to preserve all stored communications (e.g. traffic and content data) for a telecommunications service (e.g. email, text messaging, mobile phone) for a specified period of time. Unless our concerns about the meaning of a ‘service’ are addressed, then under an ongoing domestic preservation notice, a Commonwealth agency could arguably request that a major carrier such as Telstra or Optus, preserve all emails used on its service for a 30 day period.
The proposed Canadian legislation also fails to ensure preservation demands will be used in a targeted manner and is likely to lead to voluntary retention of personal information that would not otherwise have been kept by telecommunications service providers.
Convention premised on outdated concepts of online data
The flaws inherent in the Convention itself are exacerbated by the fact that it was drafted over ten years ago and much has changed since then. The Convention was premised on the notion that ‘traffic data’ (data generated by computers as a by-product of online interactions) is ‘less sensitive’, and so should be more readily accessible to law enforcement. That was then, and this is now: Today’s ‘traffic data’ can include such sensitive information as your otherwise anonymous online identity or your social network of contacts. Mobile companies and our Internet services providers are now recording our whereabouts at every moment, and we are leaving far more detailed footprints that reveal sensitive information of our daily lives. Sensitive data of this nature warrants stronger protection, not an all-access pass.
Other things have changed in the online environment as well. The ongoing move towards cloud computing means that more and more of our information will be stored online. Nowadays, countless millions are trusting web-based email services such as Google Gmail to store years worth of private correspondence, and cloud services such as Dropbox or Google Docs store your most private documents. The Treaty could not envision this reality when it was drafted in 2001.
Ratifying the Cybercrime treaty would introduce not just one bad Internet law into each country's lawbook but invite the enforcement of all the world's worst Internet laws. Australia and Canada should hold this invasive treaty at bay.Governments must now think carefully about what the Treaty’s increased law enforcement powers will mean for citizen rights in this new digital context.
More than five years ago, EFF filed the first lawsuit aimed at stopping the government's illegal mass surveillance of millions of ordinary Americans' private communications. Whistleblower evidence combined with newsreports and Congressional admissions revealed that the National Security Agency (NSA) was tapped into AT&T’s domestic network and databases, sweeping up Americans’ emails, phone calls and communications records in bulk and without court approval.
Hepting v. AT&T, our case challenging the telecom giant’s illegal collaboration with the NSA, faced a barrage of attacks from the government -- including outrageous claims that national security prevented the courts from considering whether AT&T and the government were breaking the law and violating the Constitution. When that gambit seemed to be failing, the White House and the telecoms led a lobbying campaign to convince Congress to pass a law threatening to terminate our suit. When that law passed we filed a follow-up suit directly against the government, Jewel v. NSA, to open a second front in our fight to stop the spying.
On August 31, 2011, at 2 pm in Seattle, the Ninth Circuit Court of Appeals will hear a warrantless wiretapping double-feature, to decide whether the Hepting and Jewel cases can proceed. At stake will be whether the courts can consider the legality and constitutionality of the National Security Agency’s mass interception of Americans’ Internet traffic, phone calls, and communications records.
Jewel v. NSA, EFF’s case directly against the government and government officials, will be argued by EFF Senior Staff Attorney Kevin Bankston. The District Court dismissed Jewel on the grounds that, because millions of Americans had been illegally spied upon, no single American had standing to sue. The alarming upshot of the court's decision is that as long as the government spies on all Americans, the courts have no power to review or halt such mass surveillance even when it is flatly illegal and unconstitutional. EFF will argue that the number of people harmed should have no bearing on whether each individual -- whose own communications and communications records are being intercepted and diverted to the government -- should be able to sue.
On appeal, the government does not seriously defend the District Court’s reasoning but instead renews its old argument that the case should be dismissed based on the state secrets privilege, an argument that the District Court rejected back in 2007 in the Hepting case. That decision held, and EFF argues on appeal, that Congress has overridden the state secrets privilege when it comes to government wiretapping by providing specific security procedures in the Foreign Intelligence Surveillance Act (FISA) that govern how courts are supposed to handle secret evidence relating to electronic surveillance. The Jewel case will be heard in conjunction with Shubert v. Bush, another case against the government over the NSA’s mass surveillance that was dismissed by the District Court at the same time as the Jewel suit. Shubert counsel Ilann M. Maazel will argue that case.
EFF’s case against AT&T, along with approximately 34 other cases against various telecommunications carriers, will be argued by EFF Legal Director Cindy Cohn. The argument arises from the FISA Amendments Act (FAA), the law passed by Congress after a fierce battle in 2008 (and a last-minute flip-flop from then-Senator Obama). With the FAA, lawmakers gave the Executive Branch the unbounded authority to decide to selectively repeal the thirty-year old laws that prohibit companies from violating their customers’ privacy, effectively allowing the Executive to grant favored companies a “get out of lawsuit free” card.
EFF will argue that the law violates the Constitutional separation of powers and due process by, first, giving the President the right to effectively grant civil pardons to carriers and, second, stacking the deck in the courts to prevent meaningful review. EFF’s co-counsel, Harvey Grossman of the Illinois ACLU, will argue that the dismissal of the constitutional claims in the case is separately not allowed under the Constitution.
The outcome of both Jewel v. NSA and Hepting v. AT&T will be crucial not only to those who wish to stop the spying and regain the privacy of our communications, but to upholding the Constitutional limitations on the Executive Branch’s power. Under the Constitution, important decisions about surveillance of Americans are not the Executive’s alone, nor are decisions about whether the Constitution and Congress’ laws must be followed. We need to be vigilant about protecting ourselves, and ultimately the Constitution, against actions that ignore or overstep limits on Executive power, and that's why we're looking forward to these critical arguments in Seattle on August 31.
This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. King's home, where he was operating a Tor exit relay.
An exit relay is the last computer that Tor traffic goes through before it reaches its destination. Because Tor traffic exits through these computers, their IP addresses may be misinterpreted as the source of the traffic, even though the exit node operator is neither the true origin of that traffic nor able to identify the user who is. While law enforcement officers have seized exit relays in othercountries, we weren't aware of any seizures in the United States until ICE showed up at Mr. King's home.
(UPDATE: A reader points us to this blog post detailing a Tor exit relay seizure in the United States in 2009.)
After the computers were seized, EFF spoke with ICE and explained that Mr. King was running a Tor exit relay in his home. We pointed out that ICE could confirm on the Tor Project's web site that a computer associated with the IP address listed in the warrant was highly likely to have been running an exit relay at the date and time listed in the warrant. ICE later returned the hard drives, warning Mr. King that "this could happen again." After EFF sent a letter, however, ICE confirmed that it hadn't retained any data from the computer and that Mr. King is no longer a person of interest in the investigation.
While we think it's important to let the public know about this unfortunate event, it doesn't change our belief that running a Tor exit relay is legal. And it's worth highlighting the fact that these unnecessary incidents are avoidable, and law enforcement agents and relay operators alike can take measures to avoid them in the future.
First, an IP address doesn't automatically identify a criminal suspect. It's just a unique address for a device connected to the Internet, much like a street address identifies a building. In most cases, an IP address will identify a router that one or more computers use to connect to the Internet. Sometimes a router's IP address might correspond fairly well to a specific user—for example, a person who lives alone and has a password-protected wireless network. And tracking the IP addresses associated with a person over time can create a detailed portrait of her movements and activities in private spaces, as we've pointed out in a case in which the government is seeking IP addresses of several Twitter users in connection with the criminal investigation of Wikileaks.
But in many situations, an IP address isn't personally identifying at all. When it traces back to a router that connects to many computers at a library, cafe, university, or to an open wireless network, VPN or Tor exit relay used by any number of people, an IP address alone doesn't identify the sender of a specific message. And because of pervasive problems like botnets and malware, suspect IP addresses increasingly turn out to be mere stepping stones for the person actually "using" the computer—a person who is nowhere nearby.
This means an IP address is nothing more than a piece of information, a clue. An IP address alone is not probable cause that a person has committed a crime. Furthermore, search warrants executed solely on the basis of IP addresses have a significant likelihood of wasting officers' time and resources rather than producing helpful leads.
In the case of Tor, the police can avoid mistakenly pursuing exit relay operators by checking the IP addresses that emerge in their investigations against publicly available lists of exit relays published on the Tor Project's web site. The ExoneraTor is another tool that allows anyone to quickly and easily see whether a Tor exit relay was likely to have been running at a particular IP address during a given date and time. The Tor Project can also help law enforcement agencies set up their own systems to query IP addresses easily. These simple checks will help officers concentrate their investigative resources on tracking down those actually committing crimes and ensure that they don't execute search warrants at innocent people's homes.
If you run an exit relay, consider operating it in a Tor-friendly commercial facility instead of your home to make it less likely that law enforcement agents will show up at your door. Also follow the Tor Project's advice for running an exit relay, which includes setting up a reverse DNS name for your IP address that makes it clear your computer is running an exit relay.
Current EFF members and donors are invited to join Senior Staff Attorneys Marcia Hofmann and Kurt Opsahl for drinks at a secret Seattle location on Wednesday, August 31st, to discuss that day's hearings on EFF's warrantless wiretapping cases before the 9th Circuit Court of Appeals. The court will consider the legality and constitutionality of the now nearly ten-year-old massive domestic surveillance programs that routinely deliver the everyday communications and communications records of millions of ordinary Americans to the National Security Agency. Senior Staff Attorney Kevin Bankston will argue in Jewel v. NSA, and EFF Legal Director Cindy Cohn will challenge the FISA Amendments Act in Hepting v. AT&T. These hearings begin on Wednesday, August 31, 2011, at 2 PM and are open to the public.
EFF's Speakeasy events are free, informal gatherings that give EFF members a chance to mingle with other local supporters and meet the people behind the world's leading digital civil liberties organization. It is also our chance to thank you, the EFF members who make this work possible.
SPEAKEASY: Seattle EFF Members-Only Happy Hour
Wednesday, August 31, 2011, from 6-8 PM
Seattle-area members will receive a personal invitation with location details by email on Tuesday, August 23rd. Your guests are welcome, but space is limited. Attendees must be 21 or older. No-host bar. For more information, contact email@example.com.
Not a member, or let your membership lapse this year? There's still time to sign up today at https://www.eff.org/join!
We've watched this year as Amazon, Google, and Apple have raced to roll out cloud-based music locker services. Each of these company's services signals something in common: an apparent fear of liability for de-duplicating files uploaded by their customers. (De-duplicating means that the service does not store multiple identical files on its servers, even if more than one customer individually uploads the same file.) This can be a huge waste of storage, to little purpose other than pacifying copyright owners more concerned over form than substance. Because of this, Amazon and Google store a distinct and separate file for every single file that is uploaded to their services, and Apple reportedly paid $150 million in licensing fees for, among other things, the ability to avoid this practice.
But it appears that all of this worry and extra work may have been in vain. Just yesterday, a court found that an early music locker service, MP3tunes, which uses a de-duplicating process, “is precisely the type of system routinely protected by the DMCA safe harbor(s).” This outcome represents an understanding of copyright law more in line with how technology actually works, and avoids an absurd result where a music locker needs to waste server space by storing thousands of copies of identical files. This means more efficient music locker services, which is good news for music fans and for companies coming up with new and better ways to give those fans access to music they already own.
The opinion in the Capitol Records vs. MP3tunes case contained other good news (EFF filed an amicus brief in this case earlier this year). For example, the court made clear that the music locker service—whether it de-dupes or not—is like any online service provider (OSP) and, therefore, is entitled to the DMCA safe harbor protections as long as it complies with other DMCA requirements.
One of those requirements is that the OSP maintain a repeat infringer policy. We’ve written before about this somewhat vague provision of the DMCA, and we were happy to see the MP3tunes court reaffirm what we already knew: that an OSP is only required to do “what it can reasonably be asked to do” and it has “no affirmative duty to police [its] users.” The court went even further, implying that a repeat infringer policy need only target “blatant infringers”:
There is a difference between users who know they lack authorization and nevertheless upload content to the internet for the world to experience or copy, and users who download content for their personal use and are otherwise oblivious to the copyrights of others. The former are blatant infringers that internet service providers are obligated to ban from their websites. The latter, like MP3tunes users who sideload content to their lockers for personal user, do not know for certain whether the material they are downloading violates the copyrights of others.
Other highlights from the opinion include: 1) a statement reaffirming that a notice under the DMCA must specifically list each work allegedly infringed and a representative list will not require an OSP to remove other works owned by the notifying party (“the DMCA does not place the burden of investigation on the internet service provider”); 2) a footnote saying that the DMCA applies to state copyright laws, meaning that it applies to sound recordings from before 1972 as well as after; and 3) language showing that services like MP3tunes, which do not directly benefit from infringement, deserve the same protections as popular search engines:
If enabling a party to download infringing material was sufficient to create liability, then even search engines like Google or Yahoo! would be without DMCA protection. In that case, the DMCA’s purpose—innovation and growth of internet services—would be undermined.
The news was not all good for MP3tunes, however. The court found that MP3tunes, upon receiving a valid takedown notice, has an obligation to remove the infringing materials not just from sideload.com (MP3tune's search engine populated with links to music), but from its customers' personal music lockers. The court also found MP3tunes liable for contributory infringement for failing to remove works from those personal lockers and held its founder, Michael Robertson, personally liable for infringement for certain files he downloaded. This is likely to amount to millions of dollars in damages for both Robertson personally and his company.
Overall, we were glad to see the Court get it right that music locker services fall safely within the DMCA’s safe harbors, which Congress designed to foster innovation on the Internet. MP3tunes and all the music locker services that have followed it give music fans more options for storing and listening to the music they already own, helping realize the promise of that innovation.