EFF today released Unintended Consequences: 12 Years Under the DMCA. This is the sixth update to the report, which aims to catalog all the reported instances where the DMCA's ban on tampering with DRM have been abused to stymie fair use, free speech, and competition, rather than to attack "piracy."
Congress enacted the DMCA's ban on bypassing DRM at the urging of entertainment industry lobbyists who argued that DRM backed by law would quell digital copyright infringement. Of course, 12 years later, that exactly hasn't worked out. Nor is it likely to ever work out. But lots of industries have recognized that these provisions of the DMCA are good for other things—like impeding scientific research and legitimate competition. The Unintended Consequences report collects these stories, including oldies like Lexmark's effort to block toner cartridge refilling and new cases like the lawsuit against RealDVD.
Although in many cases the DMCA abuser backs down or is beaten in court, the abuses and resulting chilling effect on legitimate activities continues. And even though the U.S. Copyright Office is considering proposed exemptions to the DMCA, that proceeding won't prevent more abuses in the future.
As we've pointedoutrepeatedly, poor design decisions in YouTube's "Content ID" system have resulted in over-blocking of videos that remix copyrighted materials. Today we got perhaps the most vivid example of the problem: the "silencing" of a lecture by Prof. Larry Lessig about the cultural importance of remix creativity. This is just the latest of many examples. We've been on YouTube's case for more than two years about this problem, and it's high time for YouTube to fix the Content ID system to respect the kinds of fair uses that are at the heart of remix creativity.
How did Prof. Lessig's video trigger the Content ID block? He included "snippets" (I use that word intentionally, as Google does in the context of its own Book Search product, to refer to small portions that should qualify as a fair use) from several remix videos. As a result, the audio track of his lecture included excerpts of several well-known songs. Apparently at least one of those songs is owned by Warner Music, which has chosen to automatically mute the audio track of any video when the Content ID system detects the presence of those songs. It's not clear which song triggered the block—the Content ID system doesn't tell you that.
Of course, in close cases, reasonable minds can differ about whether a particular use of a song qualifies as a fair use (although some cases are easy). But that's no excuse for the automated Content ID filter to block them—if a copyright owner has a good faith belief that any particular remix video crosses the line, it is free to send a formal DMCA takedown notice. Sending a notice is not hard, nor expensive, as demonstrated by the fact that copyright owners routinely send hundreds of thousands of these notices to YouTube. YouTube's Content ID system even will flag all the videos for the copyright owner's review.
But unlike the automated Content ID blocking, DMCA takedown notices at least put a human into the loop, and these humans must take fair use into account before issuing the notice. In contrast, an automated match by the Content ID system results in an automated removal, even where the copyright owner does not object to the use (and, as poorlybehaved as Warner Music has been in the past, I can't imagine it really wants to censor Prof. Lessig's lecture).
Fortunately, YouTube permits users to "dispute" automated Content ID removals, and that's why Prof. Lessig's video is once again available. But that's not nearly good enough. First of all, YouTube's procedures for "removing" videos have created considerable confusion and consternation among users, and it's a fair bet that most YouTube users aren't aware of their ability to "dispute" these removals. Second, the thousands of lawsuits brought by record labels against individuals for file-sharing has created an atmosphere of fear that makes many YouTubers hesitant to go toe-to-toe with a major record label.
There's just no excuse for the Content ID system to be blocking remix videos. There's nothing in the law that requires YouTube to do this. In fact, section 512(m)(1) of the DMCA makes it clear that service providers do not need to install filters or monitor their services at all, much less allow copyright owners to use filters to block remixes.
Nor is there any engineering reason why the system should be designed this way. The filter can fix this problem by insisting that the audio and video tracks both come from the same copyrighted work and that the entire (or almost entire) video is drawn from the same copyrighted work. Unless these conditions are met, "block" should not be an option available to copyright owners. If a copyright owner wants to take down a remix video, they should have to follow the rules Congress established in the DMCA.
This is exactly what EFF, joined by numerous other public interest groups, asked YouTube to do in 2007 in our Fair Use Principles for User Generated Content. It's a shame that YouTube, a company that has become synonymous with remix creativity, can't find the time to fix its own Content ID system to protect remixers from unnecessary censorship.
This week, an Italian magistrate convicted three Google employees for an Internet video that none of them had produced, uploaded, or even seen. The case arose from an Italian video that was uploaded in 2006 to Google Video, which showed a disabled child being bullied by other schoolchildren. An advocacy organization and the boy's father in Milan pushed for a criminal prosecution; a local prosecutor decided to pursue a case against four individual Google employees. In the decision, a defamation charge was dropped, but three of the named executives were found guilty of a charge related to Italy's privacy laws, and each sentenced to a six month suspended sentences.
We may not see the Italian decision stand for long, and cannot imagine a similar case happening in most Western countries. But it represents a growing temptation of courts and lawmakers worldwide: to find excuses to strip away the protection the law grants to Internet intermediaries. It's also an intimation of the very serious consequences to the Net and free speech if those safe harbors are weakened.
Europe has, in theory at least, at the EU level, strong protections for Internet intermediaries in its E-Commerce Directive: Article 14 of that directive provides that hosting providers are not responsible for the content they host, as long as they are not informed of its illegal character, and they act promptly when informed of it. Article 15 clarifies that hosts do not need to monitor hosted content for potentially illegal content.
This judgement guts both these principles. The court dismissed the allegation of criminal defamation but upheld a charge of illegally handling personal data on the basis that a video is personal data, and that under EU data protection law, Google needed prior authority before distributing that personal data.
This interpretation of the law means that Google is co-responsible for the legality of content containing the images of persons -- before anyone has complained about the content. That effectively means to comply with the decision, any intermediary working within Italy must now pre-screen every piece of video with anyone who appears within it, or risk prosecution. As the judgement stands, it also presents such a wide definition of personal data that it might effectively require that all hosts pre-screen all content be it video, text, audio or data.
The unconscionable fact that this prosecution is of individuals, while devastating for those involved, is only part of the problem. The whole Internet relies on the fact that third-parties can carry messages without having to self-police, interfere with those messages or take responsibility for millions of others' communications.
The Net is made of intermediaries, and attacks on the safe harbor protections for those intermediaries is under way across the world. In China, it's called ISP "self-discipline". In the United States, it's rightsholders demanding secondary or even tertiary liability for infringement by users, or loopholes in net neutrality, or attempts to weaken the protections of CDA 230. Italy may choose to unfairly victimize three American executives in this case, but the openness of the entire Internet risks becoming a victim if the safe harbors are compromised elsewhere.
Yesterday, Microsoft used a Digital Millennium Copyright Act (DMCA) takedown notice to demand that a copy of the "Microsoft® Online Services Global Criminal Compliance Handbook" (the Compliance Manual) be removed from Cryptome, a security website. As a result, Network Solutions felt obliged to takedown the entire Cryptome.org domain, a repository for thousands of important and controversial documents.
As is often the case, the ensuing uproar simply called more attention to the document in question. Yesterday evening, Microsoft wrote to Network Solutions and withdrew its takedown demand, while insisting that its copyright concern was nevertheless legitimate.
We appreciate that Microsoft acted quickly to correct its error, but are still disappointed that Microsoft nonetheless insists that, in the words of Evan Cox, outside counsel for Microsoft, "Microsoft has a good faith belief that the distribution of the file that was made available at that address infringes Microsoft's copyrights."
To the contrary, as we explain below, Cryptome's publication of the Compliance Manual is a clear fair use under the Copyright Act.
To determine whether a use of a work is fair, courts engage in a case-by-case analysis, starting with the four factors set out in the Act: the purpose and character of the use; the nature of the work; the amount and substantiality of the work; and the harm to the market for the work.
On the first factor, Cryptome used the manual for a noncommercial, transformative purpose—to educate the public on how the government and Microsoft work together and to illustrate how much information is available about internet users. Cryptome did not stand to profit, and was not seeking to exploit the work for money.
Cryptome's use is also transformative because it does not merely supersede original, but instead "adds something new." Cryptome took a work designed to inform law enforcement how to work effectively with Microsoft, and, by putting it in a new context, formed the basis for newsworthy criticism of Microsoft and its compliance practices.
The "nature of the work," factor also favors fair use: factual works like the Compliance Manual receive only thin protection under copyright law, especially where the material has been published.
The extent of permissible fair use copying varies with the purpose and character of the use, and, as the Ninth Circuit has held, "[i]f the secondary user only copies as much as is necessary for his or her intended use, then this factor will not weigh against him or her." While Cryptome copied the whole work, the whole work was necessary for the public to understand Microsoft's policies for allowing the government to obtain personal information about them.
The market harm factor balances the benefit the public will derive if the use is permitted and the financial gain the copyright owner will receive if the use is denied. Here, the public, many of whom have personal information stored by Microsoft, benefits by being informed of Microsoft's compliance practices. And, since Microsoft does not sell or license the manual, posting it on Cryptome didn't cost Microsoft a penny. As explained by the Supreme Court, a "use that has no demonstrable effect upon the potential market for, or the value of, the copyrighted work need not be prohibited in order to protect the author's incentive to create." This factor favors fair use as well.
The four factors are balanced in light of the purposes of copyright. And here, Microsoft does not need any copyright incentive to create the manual—it has plenty of business incentives to create a guide that will reduce the costs of its interactions with law enforcement. At the same time, Cryptome's publication serves the welfare of the public by allowing the public to know how their information may be involuntarily disclosed to the government.
Evaluating all the factors together, a court should find that Cryptome's publication of the Compliance Manual is a fair use.
Yesterday evening, the U.S. House of Representatives voted overwhelmingly to renew three expiring provisions of the USA PATRIOT Act, after the Senate abandoned the PATRIOT reform effort and approved the extension by a voice vote on Wednesday night.
Disappointingly, the government's dangerously broad authority to conduct roving wiretaps of unspecified or "John Doe" targets, to secretly wiretap of persons without any connection to terrorists or spies under the so-called "lone wolf" provision, and to secretly access a wide range of private business records without warrants under PATRIOT Section 215 were all renewed without any new checks and balances to prevent abuse. Despite months of vigorous debate, when PATRIOT renewal bills providing for greater oversight and accountability were approved by the Judiciary Committees of both the House and the Senate, Democratic leaders' push for reform fizzled in the face of staunch Republican opposition buoyed by recent hot-button events such as the attempted bombing of an airliner on Christmas Day and the shooting at Fort Hood.
The renewed PATRIOT provisions were originally set to expire on December 31, 2009, but Congress ran out of time last year and temporarily extended them until February 28th, this coming Sunday. The new extension is expected to be signed by the President before then.
The one silver lining? Despite a push by Republican leaders for a four-year extension, the renewed provisions are now set to expire in one year. So, although this battle's been lost, the effort to roll back PATRIOT's worst excesses is far from over. Thank you to everyone who took action to support PATRIOT reform this past year; we hope that you'll continue the fight with us in the next year.
Update: YouTube responded to the letter from EFF and the National Coalition Against Censorship by doing just what we asked. They state: "We have re-reviewed your videos and have reinstated them with an age gate." This is good news, and YouTube is to be commended for correcting its error. Amy Greenfield's channel now has her videos.
Still, the fact that it took two nationally known groups to bring this matter to YouTube's attention is troubling. It demonstrates that YouTube still has work to do to create a viable appeals process. In addition, as we noted below, YouTube should still change its policy to expressly allow artistic works that contain nudity, and give individual artists the same freedom it reserves for professional television and film.
Previous Post: Today EFF and the National Coalition Against Censorship (NCAC) wrote to YouTube, asking the video hosting giant to reconsider its removal of the work of internationally recognized video artist Amy Greenfield.
Amy Greenfield received notice from YouTube that her works, which contain some artistic nudity, did not conform with YouTube’s "community standards." Under YouTube's policies, "films and television shows may contain [full nudity]; however, videos originating from the YouTube user community must abide by the YouTube Community Guidelines and are not permitted to include such content." (emphasis in original). The Community Guidelines purport to allow nudity with “some educational, documentary and scientific content, but only if that is the sole purpose of the video and it is not gratuitously graphic,” but does not recognize the value of nudity in art.
When video artists present works that have clear artistic, political or educational merit, YouTube should allow the artist to post the material with at least the same freedom as major studio films and television. If a user community video is flagged as inappropriate, YouTube should at least have an appeals process to allow an artist to explain the artistic merit. While we understand YouTube's desire to keep pornography off its servers, it must also understand that not all nude art is pornographic.
The Department of Defense has released more than 800 heavily-redacted pages of intelligence oversight reports, detailing activities that its Inspector General has “reason to believe are unlawful.” The reports are the latest in an ongoing document release by more than a half-dozen intelligence agencies in response to a Freedom of Information Act (FOIA) lawsuit filed by EFF in July 2009.
The reports, submitted to the Intelligence Oversight Board (IOB) by various Department of Defense components, cover the period from 2001 through 2008. The IOB’s role within the Executive Office of the President is to ensure that each component of the intelligence community works within the Constitution and all applicable laws. As such, the Inspector General of each intelligence agency is required to submit periodic reports to the IOB, which in turn is required to forward to the Attorney General any report identifying an intelligence activity that violates the law. Intelligence oversight reporting is rarely disclosed to the public.
This new release, from various Defense components including the Army and the Joint Chiefs of Staff, comes in four parts, see here. Much of the reported improper activity consisted of intelligence gathering on so-called “U.S. Persons,” including citizens, permanent residents and U.S.-based organizations. Although Defense agencies are generally prohibited from collecting such information (except as part of foreign intelligence or counter-intelligence activity), it is apparent from the unredacted reports released to EFF that some DoD components have had chronic difficulty complying with that prohibition.
Pg 98: A report that the Joint Forces Command, working with the FBI, improperly collected and disseminated intelligence on Planned Parenthood and a white supremacist group called the National Alliance, as part of preparations for the 2002 Olympics.
Pg 122-137: A NORAD intelligence briefing improperly included intelligence on an anti-war group called Alaskans for Peace and Justice in 2005.
Pg 257-258: A 2006 report that NORAD had procedural problems relating to collecting information on U.S. Persons.
Pg 19: A 2008 report that Army Signals Intelligence in Louisiana intercepted civilian cell phone conversations.
Pg 65: A 2008 report that Army Cyber Counterintelligence officers attended the Black Hat hacker conference without disclosing their Army affiliation and without prior authorization to do so.
Pg 173: A report that the Air Force Office of Special Investigations (AFOSI) set up a “honey pot” computer system to identify foreign threats in May 2006. In October 2007, AFOSI realized that the honey pot system might have been in violation of a sealed Foreign Intelligence Surveillance Court (FISC) order that required a Foreign Intelligence Surveillance Act (FISA) warrant for such activity. AFOSI was not privy to the FISC order and only knew of it from public media reporting. The operation was suspended. Amazingly, when the Air Force asked the Justice Department to see the FISC order at issue, DOJ’s National Security Division denied the Air Force’s request.
According to the release schedule ordered by a federal judge last December, we expect to receive additional IOB reports from the CIA, National Security Agency, the Office of the Director of National Intelligence and the Department of Defense later this month. We will post the documents to our website as we receive them.
Let's say you are a blogger who writes about music regularly and includes links to music in your posts. How do you avoid having your blog censored off the Internet by "DMCA takedown notices" sent out by music industry lawyers (as happened last week to several blogs hosted by Blogger)?
Of course, you could get authorization from all the relevant copyright owners before you post or link to a song. Unfortunately, that's virtually impossible for many music bloggers. In some cases, it may be impossible to figure out who the copyright owners are (consider the problem of live concert bootlegs, rare B-sides, out-of-print material, defunct labels). In other cases, you might have authorization from someone, but it could end up being the wrong person (i.e., an independent promoter or member of the band who doesn't actually have all the rights to give you). And even if you get authorization from all the right people, you could still find yourself on the receiving end of a DMCA takedown from the entity that controls the copyright in another country (because your blog can be accessed from that country).
In other words, it's quite likely that many music bloggers can never be sure that a DMCA takedown notice won't arrive someday.
If one does arrive, your blog hosting service probably won't take your side. The law gives online hosting services strong incentives to comply with takedown notices—prompt responses to takedown notices are often the only reliable shield that hosting services have against copyright infringement lawsuits and potentially hundreds of thousands of dollars of damages. No matter how much your hosting service values your business, it is not likely that they will be willing to bet their business to save your blog.
While most hosting providers will let you send a "DMCA counter-notice" to contest a bogus takedown notice, sending a counter-notice can have serious consequences if you're not absolutely sure that you had all the necessary legal rights to post the songs or links in question. Sending a DMCA counter-notice is serious business, as it leaves the copyright owner with few options (other than suing) in order to keep the song down. So we recommend that bloggers research copyright law and, if in doubt, consult a qualified attorney (or contact EFF) before sending DMCA counter-notices.
The DMCA also gives hosting services strong incentives to "terminate repeat infringers." That's why most blog hosting services will delete your account (and thus your entire blog) after receiving multiple DMCA takedown notices. The industry norm seems to be a "3 strikes" policy, although the number of "strikes" can vary. This policy can be particularly unfair when a copyright owner sends multiple DMCA takedown notices all at once, or within a few days of each other — you can find your blog deleted before you even find out who was complaining or can send a DMCA counter-notice. Many hosting providers also mark every DMCA takedown notice on your "permanent record" — simply deleting the file or the link won't expunge the "strike" on your account (generally, only a DMCA counter-notice will do that). So a DMCA takedown notice received for your blog might still count as a "strike" years later (again, this is because service providers want to be able to tell a court that they were good about "terminating repeat infringers," lest they lose their shield against copyright infringement lawsuits).
Of course, you may be able to talk the copyright owner into withdrawing a DMCA notice ("your marketing department sent me an email saying this link was legit"). And there may be informal strategies that work most of the time (like deleting links after a short period of time). However, at the end of the day, it's nearly impossible to be sure you'll never receive a DMCA takedown notice.
With that in mind, here are a few practical things you can do to minimize the disruption that the DMCA process might inflict on your blog:
Get your own domain name: Most blogging platforms will allow you to use your own domain name for your blog, which will make it easier for your readers to find you if DMCA takedown notices force you to change hosting providers. So, for example, if your blog is at YOURNAME.blogspot.com, and your account gets terminated, you probably will never be able to use that URL again. In contrast, if your blog were at www.YOURNAME.com, you could get a new account from another hosting provider and keep your URL the same. And don't register your domain through the same company that hosts your blog—that should reduce the risk that you'll find both your blog and your domain name deleted by your hosting provider in response to DMCA takedown notices.
Back up your blog, be ready to move it: Make sure that whatever blogging platform you use, it allows you to easily back up your entire blog in a format that makes it easy to republish elsewhere. Have a game plan ready for migrating your blog to a new hosting service quickly if that becomes necessary.
Make sure your hosting provider can reach you: If a copyright owner wants to send a DMCA takedown notice aimed at your blog, they will probably start by doing a reverse DNS look-up to figure out who is hosting it. So make sure that entity (whether it's a full-service blog hosting service like Blogger or a colo hosting your own server) knows how to reach you. Keep your email address up to date, be sure that messages from your blog hosting service are "white-listed" in any spam filters that you use.
Choose a service that has clear DMCA policies: Not all hosting providers accept DMCA counter-notices—make sure yours does, just in case you need to use it. Ask your hosting provider how many "strikes" it takes before your account is terminated. Ask whether "strikes" drop off your account after a period of time. Generally, you're better off with a hosting provider that has thought about these questions and implemented clear policies.
Study up a bit: A little studying up before hand can go a long way towards avoiding problem later. A good place to start is EFF's Legal Guide to Bloggers, which contains frequently asked questions about copyright, the DMCA process, and a host of other legal issues that bloggers might face. The Citizens Media Law Project at Harvard also has a great legal guide online.