Aegean Associates, Inc.

The entire family of devices built on the iPhone OS (iPhone, iPod Touch, iPad) have been designed to run only software that is approved by Apple—a major shift from the norms of the personal computer market. Software developers who want Apple's approval must first agree to the iPhone Developer Program License Agreement.

So today we're posting the "iPhone Developer Program License Agreement"—the contract that every developer who writes software for the iTunes App Store must "sign." Though more than 100,000 app developers have clicked "I agree," public copies of the agreement are scarce, perhaps thanks to the prohibition on making any "public statements regarding this Agreement, its terms and conditions, or the relationship of the parties without Apple's express prior written approval." But when we saw the NASA App for iPhone, we used the Freedom of Information Act (FOIA) to ask NASA for a copy, so that the general public could see what rules controlled the technology they could use with their phones. NASA responded with the Rev. 3-17-09 version of the agreement.

UPDATED: we are now also posting the most recent version of the agreement, dated January 2010.

This "license agreement" is particularly relevant right now, given the imminent launch of the iPad and anytime-now issuance of the U.S. Copyright Office's ruling regarding jailbreaking of the iPhone.

So what's in the Agreement? Here are a few troubling highlights:

Ban on Public Statements: As mentioned above, Section 10.4 prohibits developers, including government agencies such as NASA, from making any "public statements" about the terms of the Agreement. This is particularly strange, since the Agreement itself is not "Apple Confidential Information" as defined in Section 10.1. So the terms are not confidential, but developers are contractually forbidden from speaking "publicly" about them.

App Store Only: Section 7.2 makes it clear that any applications developed using Apple's SDK may only be publicly distributed through the App Store, and that Apple can reject an app for any reason, even if it meets all the formal requirements disclosed by Apple. So if you use the SDK and your app is rejected by Apple, you're prohibited from distributing it through competing app stores like Cydia or Rock Your Phone.

Ban on Reverse Engineering: Section 2.6 prohibits any reverse engineering (including the kinds of reverse engineering for interoperability that courts have recognized as a fair use under copyright law), as well as anything that would "enable others" to reverse engineer, the SDK or iPhone OS.

No Tinkering with Any Apple Products: Section 3.2(e) is the "ban on jailbreaking" provision that received some attention when it was introduced last year. Surprisingly, however, it appears to prohibit developers from tinkering with any Apple software or technology, not just the iPhone, or "enabling others to do so." For example, this could mean that iPhone app developers are forbidden from making iPods interoperate with open source software, for example.

You will not, through use of the Apple Software, services or otherwise create any Application or other program that would disable, hack, or otherwise interfere with the Security Solution, or any security, digital signing, digital rights management, verification or authentication mechanisms implemented in or by the iPhone operating system software, iPod Touch operating system software, this Apple Software, any services or other Apple software or technology, or enable others to do so

Kill Your App Any Time: Section 8 makes it clear that Apple can "revoke the digital certificate of any of Your Applications at any time." Steve Jobs has confirmed that Apple can remotely disable apps, even after they have been installed by users. This contract provision would appear to allow that.

We Never Owe You More than Fifty Bucks: Section 14 states that, no matter what, Apple will never be liable to any developer for more than $50 in damages. That's pretty remarkable, considering that Apple holds a developer's reputational and commercial value in its hands—it's not as though the developer can reach its existing customers anywhere else. So if Apple botches an update, accidentally kills your app, or leaks your entire customer list to a competitor, the Agreement tries to cap you at the cost of a nice dinner for one in Cupertino.

Overall, the Agreement is a very one-sided contract, favoring Apple at every turn. That's not unusual where end-user license agreements are concerned (and not all the terms may ultimately be enforceable), but it's a bit of a surprise as applied to the more than 100,000 developers for the iPhone, including many large public companies. How can Apple get away with it? Because it is the sole gateway to the more than 40 million iPhones that have been sold. In other words, it's only because Apple still "owns" the customer, long after each iPhone (and soon, iPad) is sold, that it is able to push these contractual terms on the entire universe of software developers for the platform.

In short, no competition among app stores means no competition for the license terms that apply to iPhone developers.

If Apple's mobile devices are the future of computing, you can expect that future to be one with more limits on innovation and competition (or "generativity," in the words of Prof. Jonathan Zittrain) than the PC era that came before. It's frustrating to see Apple, the original pioneer in generative computing, putting shackles on the market it (for now) leads. If Apple wants to be a real leader, it should be fostering innovation and competition, rather than acting as a jealous and arbitrary feudal lord. Developers should demand better terms and customers who love their iPhones should back them.

San Francisco - The Electronic Frontier Foundation (EFF) filed a friend-of-the-court brief today urging a federal court judge to block two criminal statutes that unconstitutionally limit the free expression of millions of adults who use the Internet and other electronic forms of communication, bringing the threat of criminal sanctions for private, lawful speech.

At issue are provisions of federal law that require anyone who produces a visual depiction of sexually explicit expression to maintain extensive records -- including copies of drivers' licenses, the dates and times images were taken, and all URLs where images were posted -- and often force public disclosure of a creator's home address. Even more troubling, the regulations allow law enforcement warrantless entry into homes or offices in order to inspect the records that are supposed to be kept. While these statutes regulate the commercial pornography industry, they also likely apply to a staggering number of Americans who create and share images of themselves over social networks, online dating services, personal erotic websites, and text messaging.

"The plain language of the statute subjects ordinary Americans, who are using emerging communications technologies at an ever-increasing rate, to onerous record-keeping and inspection requirements for lawful speech. They could face up to five years in prison if they don't follow the statutory requirements to the letter," said EFF Senior Staff Attorney Matt Zimmerman. "Speakers who engage in private, expressive activity protected by the First Amendment should not be at risk of criminal sanctions for violating an overbroad statute that they likely know nothing about."

A coalition of artists, producers, distributors, and educators filed suit against the provisions last year, arguing that the law censored their artistic and educational work. In its amicus brief in support of the coalition filed today, EFF asked the judge to throw out the record-keeping regulations as an unconstitutional chill on adult free expression in the digital age.

"Digital cameras, camcorders, and the Internet make it easy to create and share lawful adult material in a wide variety of ways. Thousands of ordinary Americans are doing just that, only to find themselves subject to these record-keeping and inspection requirements," said EFF Civil Liberties Director Jennifer Granick. "This just doesn't square with the Constitution."

For the full amicus brief:
http://www.eff.org/files/filenode/fsc_v_holder/EFF%20Amicus%20Brief.pdf

For more on Free Speech Coalition v. Holder:
http://www.eff.org/cases/free-speech-coalition-v-holder

Contacts:

Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

The Obama Administration has been slowly ramping up its attention to intellectual property issues. Over the past few months, we've seen an IP "summit" at the White House. We've seen the successful nomination of a new cabinet-level "IP Czar" position. We've seen the announcement of a new DOJ task force for IP issues. What does it all portend?

Unfortunately, many signs suggest that the administration is paying far more attention to the interests of the entertainment industry than to the public good. At the same time, there are a few positive efforts and indications, so we're holding out hope that things could improve.

The first bad omen came last December, when Vice President Biden invited the RIAA, MPAA and other representatives of the mainstream entertainment industry to a closed-door "Piracy Summit" at the White House. Although Biden's office sold the summit as "bringing together all the stakeholders" in the piracy debate, it failed to invite a single representative of the public interest or the technology industry.

One outcome previewed at the summit was the formation of a new Department Of Justice "Intellectual Property Task Force", which was formally announced in February. Unfortunately, the Department of Justice already has a history of coming down disproportionately hard on victims of the copyright conflict. And while the task force's announcement stressed that IP crime "threatens not only our public safety but also our economic wellbeing," it didn't even pay lip-service to the harms to privacy, free speech, and innovation in the industry's long war on piracy.

Later in February, the government's new IP Enforcement Coordinator (IPEC), Victoria Espinel, announced that "the Federal Government is currently undertaking a landmark effort to develop an intellectual property enforcement strategy" and asked for public input into what this strategy should look like. A major component of the request seeks information about "the costs to the
U.S. economy resulting from intellectual property violations," which in the past has mainly been expressed through skewed, erroneous accounts of the supposed effects of piracy from entertainment industry lobbyists. However, the IPEC is also demanding an unprecedented level of rigor from these studies:
Submissions directed to the economic costs of violations of intellectual property rights must clearly identify the methodology used in calculating the estimated costs and any critical assumptions relied upon, identify the source of the data on which the cost estimates are based, and provide a copy of or a citation to each such source. [Emphasis mine.]

Since some of these poorly executed studies have appeared to successfully persuade members of Congress to change copyright law only in ways that favor the entertainment industry, it's refreshing to see the IPEC pushing for greater validity. To that end, we look forward to seeing the Obama Administration publicly debunk the empty rhetoric that circulates around questions of unauthorized file sharing and its economic effects.

There are other bright points. Late last year, the Administration supported looser international copyright protections for reading materials for the blind. Limitations and exceptions to copyright are a critical "safety valve" in copyright that helps preserve free expression, access to knowledge, and other human rights, and we hope to see them defended by the Administration in other contexts as well.

While IP enforcement appears to have center stage, there are other double-standards and unintended consequences in copyright and trademark law, all of which could benefit from some attention from the White House. The orphan works conundrum remains unsolved. Copyright term and licensing issues stymie creators and archivists. The anti-circumvention provisions of the DMCA still obstruct innovators.

But will the Obama Administration and Congress choose to face these tough, important issues? At the next IP summit, will advocates for questions like these have a seat at the table? Or will the public interest side of intellectual property law and policy continue to languish unaddressed? Time will tell.

Last month, we celebrated the 20th anniversary of the founding of EFF at the DNA Lounge in San Francisco, joined by Adam Savage, the founders of EFF and dozens of other Internet luminaries. For non-local EFF supporters, we've put the gorgeous photos that John Adams and Johnny Grace captured at the event up on our Flickr page.

Don't forget to check out EFF's 20th Anniversary commemorative t-shirt and poster designed by EFF senior designer Hugh D'Andrade! These are still available in our shop and through our donation page. You can also download hi-res versions and wallpaper from our flickr page here.

(photo by John Adams)

(photo by Johnny Grace)

(photo by John Adams)

(Photo by John Adams)

(Photo by Johnny Grace)

Thanks to everyone who joined us or donated — and here's to another 20 years!

We often criticize DMCA takedown abuse here at EFF, but last week's Cryptome snafu highlights another facet of the problem: how a DMCA takedown for one item can result in the removal of lots of lawful material.

To recap, Cryptome posted Microsoft’s global criminal compliance manual. Microsoft sent a DMCA takedown notice to Cryptome’s domain name registrar and web hosting provider, Network Solutions, alleging that the post infringed copyright. Under the DMCA, a web hosting provider is protected from copyright infringement liability if, among other things, it “expeditiously” disables access to material properly identified in a DMCA takedown notice. Network Solutions asked Cryptome to remove the Microsoft compliance manual. Cryptome refused explaining that the document was posted in order to help the public better understand Microsoft's practices, and followed up with a DMCA counternotice. Network Solutions promptly shut down the entire Cryptome website. Thus, a complaint about a single document caused significant collateral damage to the perfectly legal material on Cryptome.

This illustrates a basic problem built into the DMCA safe harbors. Microsoft’s notice targeted just one document. Network Solutions, however, couldn’t take down that single document, so opted to take down the entire site. Thus, although Cryptome's beef was with Microsoft, Cryptome also had to persuade Network Solutions to take a chance of losing safe harbor protection (although not much of a chance, because Cryptome’s posting was protected by the fair use doctrine). Because Network Solutions wasn't willing to take that small risk, a whole lot of speech was temporarily disappeared.

We’ve recently seen the same scenario with music bloggers, who may have their entire sites taken down as a result of complaints about a few links to music they’re reviewing.

And sometimes it's not even enough to find a courageous hosting provider. Last year a takedown notice targeting a single site parodying the U.S. Chamber of Commerce resulted in a takedown of the websites of over 300 activist organizations hosted by MayFirst/PeopleLink. The Chamber of Commerce went "upstream," targeting one of MayFirst's upstream service providers, Hurricane Electric. When MayFirst pushed back, Hurricane shut off service, thus pulling the plug on unrelated websites, email and other online tools.

In all of these cases, copyright owners reach out to a "weak link," the service provider with the least incentive to resist the takedown notice. Unless it has a free lawyer, the cost of doing a fair use analysis and defending a lawsuit—even if the service provider knows it will win—is almost certainly more than a service provider is charging any individual customer, or even a whole bunch of "innocent bystander" customers.

This unfortunate outcome is particularly ironic because Congress gave service providers protections in the DMCA. Service providers who care about free speech have better options:

• Remember, if your only relationship to the material targeted is that you provide connectivity to a downstream service, you should qualify for the 512(a) safe harbor, and, therefore don’t have an obligation to take the material down.
• Remember also that you don’t need the safe harbor if the material is a non-infringing fair use. In clear cases, you can bypass DMCA procedures.
• If thinking about fair use doesn’t make business sense, or you’re not sure, keep in mind that the DMCA requires only that you act “expeditiously” to respond to a takedown notice. Courts have found that providers should take down material within a few days of receiving a notice. So if you realize complying with a takedown notice will result in taking down much more material than the notice identifies, take the time to notify the person who sent the notice about the collateral damage it may cause. They may elect to withdraw it, especially where they are likely to face public criticism for causing an overbroad takedown.
• Give your customer a chance to re-jigger their service to avoid such collateral damage.
• Be sure to offer customers a clear counter-notice procedure—the DMCA provides protection for service providers that restore content in response to counter-notices.

Customers who also care about free speech should vote with their wallets and look for providers who will commit to following these suggestions. The safe harbors were supposed to help protect free speech, and they often do—but only if copyright owners, service providers, and internet users follow their common sense as well their business sense.

San Francisco - The Electronic Frontier Foundation (EFF) submitted a petition signed by more than 7000 people to the Federal Communications Commission (FCC) today demanding that the agency close a loophole for copyright enforcement in its proposed regulations for network neutrality.

The petition is part of EFF's reply comments in the FCC's net neutrality rulemaking. The FCC's proposed rules generally prohibit ISPs from discriminating or blocking lawful content, but include a loophole for 'reasonable network management' by ISPs. The proposed rules then define 'reasonable network management" to include measures taken by ISPs to block unlawful content or transmissions. This exception would effectively permit ISPs to violate net neutrality rules and block lawful activities in the name of copyright enforcement.

"We can't afford to let lawful speech become collateral damage in Hollywood's war on copyright infringement," said EFF Senior Staff Attorney Fred von Lohmann. "Net neutrality regulations should not excuse ISPs that interfere with lawful content just because they claim they were acting as copyright cops."

EFF's original comments to the FCC, submitted in January, also question whether the FCC has the legal authority or political independence necessary to properly regulate the Internet. Additionally, EFF has called on the FCC to protect the interests of individuals who offer open WiFi Internet access to their neighbors or local communities.

"Before the ink is dry on net neutrality regulations, we already see corporate lobbyists and 'public decency' advocates pushing for loopholes," said EFF Civil Liberties Director Jennifer Granick. "A loophole like this could swallow network neutrality, with ISPs claiming copyright enforcement as a pretext for all sorts of discriminatory behavior."

For EFF's full reply comments to the FCC:
http://www.eff.org/files/filenode/nn/EFF%20NN%20reply%20comments2b.pdf

For more on net neutrality:
http://www.eff.org/issues/net-neutrality

Contacts:

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

Fred von Lohmann
Senior Staff Attorney
Electronic Frontier Foundation
fred@eff.org

EFF today released Unintended Consequences: 12 Years Under the DMCA. This is the sixth update to the report, which aims to catalog all the reported instances where the DMCA's ban on tampering with DRM have been abused to stymie fair use, free speech, and competition, rather than to attack "piracy."

Congress enacted the DMCA's ban on bypassing DRM at the urging of entertainment industry lobbyists who argued that DRM backed by law would quell digital copyright infringement. Of course, 12 years later, that exactly hasn't worked out. Nor is it likely to ever work out. But lots of industries have recognized that these provisions of the DMCA are good for other things—like impeding scientific research and legitimate competition. The Unintended Consequences report collects these stories, including oldies like Lexmark's effort to block toner cartridge refilling and new cases like the lawsuit against RealDVD.

Other new additions to the report include Apple's use of the DMCA to lock iPhone owners to Apple's own App Store for software, Apple's DMCA threats against Bluwiki for hosting discussions about iPod interoperability, and Texas Instruments' use of the DMCA to threaten calculator hobbyists trying to write their own operating systems.

Although in many cases the DMCA abuser backs down or is beaten in court, the abuses and resulting chilling effect on legitimate activities continues. And even though the U.S. Copyright Office is considering proposed exemptions to the DMCA, that proceeding won't prevent more abuses in the future.

San Francisco - Twelve years after the passage of the controversial Digital Millennium Copyright Act (DMCA), the law continues to stymie fair use, free speech, scientific research, and legitimate competition. A new report from the Electronic Frontier Foundation (EFF) collects reported examples of abuses of the DMCA and the ongoing harm the law continues to inflict on consumers, scientists, and small businesses.

The U.S. Copyright Office is currently mulling proposed exemptions to the DMCA's ban on "circumventing" digital rights management (DRM) and "other technical protection measures" used to restrict access to copyrighted works. The Copyright Office is empowered to grant exemptions to the law every three years to mitigate the harms that DRM otherwise would impose on legitimate, non-infringing uses of copyrighted materials.

The triennial Copyright Office rulemaking, however, has not been enough to prevent abuses of the DMCA. EFF's report details the numerous harms stemming from the DMCA's ban on circumventing DRM, including Apple's attempts to lock down the iPhone and force users into its App Store. Also new in this year's report is the account of hobbyists threatened by Texas Instruments for blogging about potential modifications to the company's programmable graphing calculators as well as the story behind the legal attacks on Real DVD and other products that create innovative new ways for consumers to enjoy DVD content they have legitimately purchased.

"The DMCA's ban on tampering with digital locks on content is a dangerous anachronism, a holdover from a time when people thought DRM could solve all of Hollywood's problems," said EFF Senior Staff Attorney Fred von Lohmann. "The DMCA's ban on bypassing DRM has failed to stem digital copyright infringement, but it has unfortunately been repurposed as a cudgel to threaten legitimate research and competitors."

Among the DMCA exemption requests currently before the Copyright Office are three from EFF. One asks for an exemption for amateur creators who use excerpts from DVDs in order to create new, noncommercial remix videos. Another would explicitly exempt cell phone "jailbreaking," allowing iPhones and other handsets to run applications from any source. EFF's third proposal asks for a renewal of an exemption previously granted for unlocking cells phones so they can be used with any mobile carrier. A final decision on these and other requests is expected from the Copyright Office within the next few weeks.

For "Unintended Consequences: Twelve Years Under the DMCA":
http://www.eff.org/wp/unintended-consequences-under-dmca

For more on EFF's exemption requests:
http://www.eff.org/cases/2009-dmca-rulemaking

Contact:

Fred von Lohmann
Senior Staff Attorney
Electronic Frontier Foundation
fred@eff.org

Pittsburgh - On Monday, March 8, at 4 p.m., board members of the Electronic Frontier Foundation (EFF) will discuss the societal impact of technology design in a panel at Carnegie Mellon University.

Technology design can maximize or decimate our basic rights to free speech, privacy, property ownership, and creative thought. The panel will discuss some good and bad design decisions through the years and the ramifications of those decisions.

Monday's panel is free and open to the public.

WHAT:
Architecture Is Policy: The Legal and Social Impact of Technical Design Decisions

WHEN:
4 p.m.
Monday, March 8

WHERE:
Newell-Simon Hall, Room 3305
Carnegie Mellon University
Pittsburgh, PA 15213

WHO:
Ed Felten (Professor of Computer Science and Public Affairs and Director of the Center for Information Technology Policy, Princeton University)
Dave Farber (Distinguished Career Professor of Computer Science and Public Policy in the School of Computer Science, Carnegie Mellon University)
Lorrie Cranor (Associate Professor of Computer Science and of Engineering and Public Policy, Director of the CyLab Usable Privacy and Security Laboratory [CUPS], Carnegie Mellon University)
John Buckman (EFF Board Chair, Serial Entrepreneur)
Cindy Cohn (EFF Legal Director, Moderator)

Contact:

Rebecca Jeschke
Media Relations Director
Electronic Frontier Foundation
press@eff.org

As we've pointed out repeatedly, poor design decisions in YouTube's "Content ID" system have resulted in over-blocking of videos that remix copyrighted materials. Today we got perhaps the most vivid example of the problem: the "silencing" of a lecture by Prof. Larry Lessig about the cultural importance of remix creativity. This is just the latest of many examples. We've been on YouTube's case for more than two years about this problem, and it's high time for YouTube to fix the Content ID system to respect the kinds of fair uses that are at the heart of remix creativity.

How did Prof. Lessig's video trigger the Content ID block? He included "snippets" (I use that word intentionally, as Google does in the context of its own Book Search product, to refer to small portions that should qualify as a fair use) from several remix videos. As a result, the audio track of his lecture included excerpts of several well-known songs. Apparently at least one of those songs is owned by Warner Music, which has chosen to automatically mute the audio track of any video when the Content ID system detects the presence of those songs. It's not clear which song triggered the block—the Content ID system doesn't tell you that.

Of course, in close cases, reasonable minds can differ about whether a particular use of a song qualifies as a fair use (although some cases are easy). But that's no excuse for the automated Content ID filter to block them—if a copyright owner has a good faith belief that any particular remix video crosses the line, it is free to send a formal DMCA takedown notice. Sending a notice is not hard, nor expensive, as demonstrated by the fact that copyright owners routinely send hundreds of thousands of these notices to YouTube. YouTube's Content ID system even will flag all the videos for the copyright owner's review.

But unlike the automated Content ID blocking, DMCA takedown notices at least put a human into the loop, and these humans must take fair use into account before issuing the notice. In contrast, an automated match by the Content ID system results in an automated removal, even where the copyright owner does not object to the use (and, as poorly behaved as Warner Music has been in the past, I can't imagine it really wants to censor Prof. Lessig's lecture).

Fortunately, YouTube permits users to "dispute" automated Content ID removals, and that's why Prof. Lessig's video is once again available. But that's not nearly good enough. First of all, YouTube's procedures for "removing" videos have created considerable confusion and consternation among users, and it's a fair bet that most YouTube users aren't aware of their ability to "dispute" these removals. Second, the thousands of lawsuits brought by record labels against individuals for file-sharing has created an atmosphere of fear that makes many YouTubers hesitant to go toe-to-toe with a major record label.

There's just no excuse for the Content ID system to be blocking remix videos. There's nothing in the law that requires YouTube to do this. In fact, section 512(m)(1) of the DMCA makes it clear that service providers do not need to install filters or monitor their services at all, much less allow copyright owners to use filters to block remixes.

Nor is there any engineering reason why the system should be designed this way. The filter can fix this problem by insisting that the audio and video tracks both come from the same copyrighted work and that the entire (or almost entire) video is drawn from the same copyrighted work. Unless these conditions are met, "block" should not be an option available to copyright owners. If a copyright owner wants to take down a remix video, they should have to follow the rules Congress established in the DMCA.

This is exactly what EFF, joined by numerous other public interest groups, asked YouTube to do in 2007 in our Fair Use Principles for User Generated Content. It's a shame that YouTube, a company that has become synonymous with remix creativity, can't find the time to fix its own Content ID system to protect remixers from unnecessary censorship.

This week, an Italian magistrate convicted three Google employees for an Internet video that none of them had produced, uploaded, or even seen. The case arose from an Italian video that was uploaded in 2006 to Google Video, which showed a disabled child being bullied by other schoolchildren. An advocacy organization and the boy's father in Milan pushed for a criminal prosecution; a local prosecutor decided to pursue a case against four individual Google employees. In the decision, a defamation charge was dropped, but three of the named executives were found guilty of a charge related to Italy's privacy laws, and each sentenced to a six month suspended sentences.

We may not see the Italian decision stand for long, and cannot imagine a similar case happening in most Western countries. But it represents a growing temptation of courts and lawmakers worldwide: to find excuses to strip away the protection the law grants to Internet intermediaries. It's also an intimation of the very serious consequences to the Net and free speech if those safe harbors are weakened.

Europe has, in theory at least, at the EU level, strong protections for Internet intermediaries in its E-Commerce Directive: Article 14 of that directive provides that hosting providers are not responsible for the content they host, as long as they are not informed of its illegal character, and they act promptly when informed of it. Article 15 clarifies that hosts do not need to monitor hosted content for potentially illegal content.

This judgement guts both these principles. The court dismissed the allegation of criminal defamation but upheld a charge of illegally handling personal data on the basis that a video is personal data, and that under EU data protection law, Google needed prior authority before distributing that personal data.

This interpretation of the law means that Google is co-responsible for the legality of content containing the images of persons -- before anyone has complained about the content. That effectively means to comply with the decision, any intermediary working within Italy must now pre-screen every piece of video with anyone who appears within it, or risk prosecution. As the judgement stands, it also presents such a wide definition of personal data that it might effectively require that all hosts pre-screen all content be it video, text, audio or data.

The unconscionable fact that this prosecution is of individuals, while devastating for those involved, is only part of the problem. The whole Internet relies on the fact that third-parties can carry messages without having to self-police, interfere with those messages or take responsibility for millions of others' communications.

The Net is made of intermediaries, and attacks on the safe harbor protections for those intermediaries is under way across the world. In China, it's called ISP "self-discipline". In the United States, it's rightsholders demanding secondary or even tertiary liability for infringement by users, or loopholes in net neutrality, or attempts to weaken the protections of CDA 230. Italy may choose to unfairly victimize three American executives in this case, but the openness of the entire Internet risks becoming a victim if the safe harbors are compromised elsewhere.

Yesterday, Microsoft used a Digital Millennium Copyright Act (DMCA) takedown notice to demand that a copy of the "Microsoft® Online Services Global Criminal Compliance Handbook" (the Compliance Manual) be removed from Cryptome, a security website. As a result, Network Solutions felt obliged to takedown the entire Cryptome.org domain, a repository for thousands of important and controversial documents.

As is often the case, the ensuing uproar simply called more attention to the document in question. Yesterday evening, Microsoft wrote to Network Solutions and withdrew its takedown demand, while insisting that its copyright concern was nevertheless legitimate.

We appreciate that Microsoft acted quickly to correct its error, but are still disappointed that Microsoft nonetheless insists that, in the words of Evan Cox, outside counsel for Microsoft, "Microsoft has a good faith belief that the distribution of the file that was made available at that address infringes Microsoft's copyrights."

To the contrary, as we explain below, Cryptome's publication of the Compliance Manual is a clear fair use under the Copyright Act.

To determine whether a use of a work is fair, courts engage in a case-by-case analysis, starting with the four factors set out in the Act: the purpose and character of the use; the nature of the work; the amount and substantiality of the work; and the harm to the market for the work.

On the first factor, Cryptome used the manual for a noncommercial, transformative purpose—to educate the public on how the government and Microsoft work together and to illustrate how much information is available about internet users. Cryptome did not stand to profit, and was not seeking to exploit the work for money.

Cryptome's use is also transformative because it does not merely supersede original, but instead "adds something new." Cryptome took a work designed to inform law enforcement how to work effectively with Microsoft, and, by putting it in a new context, formed the basis for newsworthy criticism of Microsoft and its compliance practices.

The "nature of the work," factor also favors fair use: factual works like the Compliance Manual receive only thin protection under copyright law, especially where the material has been published.

The extent of permissible fair use copying varies with the purpose and character of the use, and, as the Ninth Circuit has held, "[i]f the secondary user only copies as much as is necessary for his or her intended use, then this factor will not weigh against him or her." While Cryptome copied the whole work, the whole work was necessary for the public to understand Microsoft's policies for allowing the government to obtain personal information about them.

The market harm factor balances the benefit the public will derive if the use is permitted and the financial gain the copyright owner will receive if the use is denied. Here, the public, many of whom have personal information stored by Microsoft, benefits by being informed of Microsoft's compliance practices. And, since Microsoft does not sell or license the manual, posting it on Cryptome didn't cost Microsoft a penny. As explained by the Supreme Court, a "use that has no demonstrable effect upon the potential market for, or the value of, the copyrighted work need not be prohibited in order to protect the author's incentive to create." This factor favors fair use as well.

The four factors are balanced in light of the purposes of copyright. And here, Microsoft does not need any copyright incentive to create the manual—it has plenty of business incentives to create a guide that will reduce the costs of its interactions with law enforcement. At the same time, Cryptome's publication serves the welfare of the public by allowing the public to know how their information may be involuntarily disclosed to the government.

Evaluating all the factors together, a court should find that Cryptome's publication of the Compliance Manual is a fair use.

Yesterday evening, the U.S. House of Representatives voted overwhelmingly to renew three expiring provisions of the USA PATRIOT Act, after the Senate abandoned the PATRIOT reform effort and approved the extension by a voice vote on Wednesday night.

Disappointingly, the government's dangerously broad authority to conduct roving wiretaps of unspecified or "John Doe" targets, to secretly wiretap of persons without any connection to terrorists or spies under the so-called "lone wolf" provision, and to secretly access a wide range of private business records without warrants under PATRIOT Section 215 were all renewed without any new checks and balances to prevent abuse. Despite months of vigorous debate, when PATRIOT renewal bills providing for greater oversight and accountability were approved by the Judiciary Committees of both the House and the Senate, Democratic leaders' push for reform fizzled in the face of staunch Republican opposition buoyed by recent hot-button events such as the attempted bombing of an airliner on Christmas Day and the shooting at Fort Hood.

The renewed PATRIOT provisions were originally set to expire on December 31, 2009, but Congress ran out of time last year and temporarily extended them until February 28th, this coming Sunday. The new extension is expected to be signed by the President before then.

The one silver lining? Despite a push by Republican leaders for a four-year extension, the renewed provisions are now set to expire in one year. So, although this battle's been lost, the effort to roll back PATRIOT's worst excesses is far from over. Thank you to everyone who took action to support PATRIOT reform this past year; we hope that you'll continue the fight with us in the next year.

Update: YouTube responded to the letter from EFF and the National Coalition Against Censorship by doing just what we asked. They state: "We have re-reviewed your videos and have reinstated them with an age gate." This is good news, and YouTube is to be commended for correcting its error. Amy Greenfield's channel now has her videos.

Still, the fact that it took two nationally known groups to bring this matter to YouTube's attention is troubling. It demonstrates that YouTube still has work to do to create a viable appeals process. In addition, as we noted below, YouTube should still change its policy to expressly allow artistic works that contain nudity, and give individual artists the same freedom it reserves for professional television and film.

Previous Post: Today EFF and the National Coalition Against Censorship (NCAC) wrote to YouTube, asking the video hosting giant to reconsider its removal of the work of internationally recognized video artist Amy Greenfield.

Amy Greenfield received notice from YouTube that her works, which contain some artistic nudity, did not conform with YouTube’s "community standards." Under YouTube's policies, "films and television shows may contain [full nudity]; however, videos originating from the YouTube user community must abide by the YouTube Community Guidelines and are not permitted to include such content." (emphasis in original). The Community Guidelines purport to allow nudity with “some educational, documentary and scientific content, but only if that is the sole purpose of the video and it is not gratuitously graphic,” but does not recognize the value of nudity in art.

When video artists present works that have clear artistic, political or educational merit, YouTube should allow the artist to post the material with at least the same freedom as major studio films and television. If a user community video is flagged as inappropriate, YouTube should at least have an appeals process to allow an artist to explain the artistic merit. While we understand YouTube's desire to keep pornography off its servers, it must also understand that not all nude art is pornographic.

The Department of Defense has released more than 800 heavily-redacted pages of intelligence oversight reports, detailing activities that its Inspector General has “reason to believe are unlawful.” The reports are the latest in an ongoing document release by more than a half-dozen intelligence agencies in response to a Freedom of Information Act (FOIA) lawsuit filed by EFF in July 2009.

The reports, submitted to the Intelligence Oversight Board (IOB) by various Department of Defense components, cover the period from 2001 through 2008. The IOB’s role within the Executive Office of the President is to ensure that each component of the intelligence community works within the Constitution and all applicable laws. As such, the Inspector General of each intelligence agency is required to submit periodic reports to the IOB, which in turn is required to forward to the Attorney General any report identifying an intelligence activity that violates the law. Intelligence oversight reporting is rarely disclosed to the public.

This new release, from various Defense components including the Army and the Joint Chiefs of Staff, comes in four parts, see here. Much of the reported improper activity consisted of intelligence gathering on so-called “U.S. Persons,” including citizens, permanent residents and U.S.-based organizations. Although Defense agencies are generally prohibited from collecting such information (except as part of foreign intelligence or counter-intelligence activity), it is apparent from the unredacted reports released to EFF that some DoD components have had chronic difficulty complying with that prohibition.

Some specific items of interest include:

Part 1

• Pg 98: A report that the Joint Forces Command, working with the FBI, improperly collected and disseminated intelligence on Planned Parenthood and a white supremacist group called the National Alliance, as part of preparations for the 2002 Olympics.
• Pg 122-137: A NORAD intelligence briefing improperly included intelligence on an anti-war group called Alaskans for Peace and Justice in 2005.
• Pg 257-258: A 2006 report that NORAD had procedural problems relating to collecting information on U.S. Persons.

Part 3

• Pg 53-54: A report from 2003 of a closed investigation into prisoner abuse at Abu Ghraib and other sites in Iraq.
• Pg 60: A report from 2006 of improper intelligence (in the TALON program) on an anti-recruiting group.
• Pg 112: A report from 2007 of an Army Reserve officer routinely collecting data on U.S. Persons exercising their free speech rights.

Part 4

• Pg 19: A 2008 report that Army Signals Intelligence in Louisiana intercepted civilian cell phone conversations.
• Pg 65: A 2008 report that Army Cyber Counterintelligence officers attended the Black Hat hacker conference without disclosing their Army affiliation and without prior authorization to do so.
• Pg 173: A report that the Air Force Office of Special Investigations (AFOSI) set up a “honey pot” computer system to identify foreign threats in May 2006. In October 2007, AFOSI realized that the honey pot system might have been in violation of a sealed Foreign Intelligence Surveillance Court (FISC) order that required a Foreign Intelligence Surveillance Act (FISA) warrant for such activity. AFOSI was not privy to the FISC order and only knew of it from public media reporting. The operation was suspended. Amazingly, when the Air Force asked the Justice Department to see the FISC order at issue, DOJ’s National Security Division denied the Air Force’s request.

According to the release schedule ordered by a federal judge last December, we expect to receive additional IOB reports from the CIA, National Security Agency, the Office of the Director of National Intelligence and the Department of Defense later this month. We will post the documents to our website as we receive them.

Let's say you are a blogger who writes about music regularly and includes links to music in your posts. How do you avoid having your blog censored off the Internet by "DMCA takedown notices" sent out by music industry lawyers (as happened last week to several blogs hosted by Blogger)?

Of course, you could get authorization from all the relevant copyright owners before you post or link to a song. Unfortunately, that's virtually impossible for many music bloggers. In some cases, it may be impossible to figure out who the copyright owners are (consider the problem of live concert bootlegs, rare B-sides, out-of-print material, defunct labels). In other cases, you might have authorization from someone, but it could end up being the wrong person (i.e., an independent promoter or member of the band who doesn't actually have all the rights to give you). And even if you get authorization from all the right people, you could still find yourself on the receiving end of a DMCA takedown from the entity that controls the copyright in another country (because your blog can be accessed from that country).

In other words, it's quite likely that many music bloggers can never be sure that a DMCA takedown notice won't arrive someday.

If one does arrive, your blog hosting service probably won't take your side. The law gives online hosting services strong incentives to comply with takedown notices—prompt responses to takedown notices are often the only reliable shield that hosting services have against copyright infringement lawsuits and potentially hundreds of thousands of dollars of damages. No matter how much your hosting service values your business, it is not likely that they will be willing to bet their business to save your blog.

While most hosting providers will let you send a "DMCA counter-notice" to contest a bogus takedown notice, sending a counter-notice can have serious consequences if you're not absolutely sure that you had all the necessary legal rights to post the songs or links in question. Sending a DMCA counter-notice is serious business, as it leaves the copyright owner with few options (other than suing) in order to keep the song down. So we recommend that bloggers research copyright law and, if in doubt, consult a qualified attorney (or contact EFF) before sending DMCA counter-notices.

The DMCA also gives hosting services strong incentives to "terminate repeat infringers." That's why most blog hosting services will delete your account (and thus your entire blog) after receiving multiple DMCA takedown notices. The industry norm seems to be a "3 strikes" policy, although the number of "strikes" can vary. This policy can be particularly unfair when a copyright owner sends multiple DMCA takedown notices all at once, or within a few days of each other — you can find your blog deleted before you even find out who was complaining or can send a DMCA counter-notice. Many hosting providers also mark every DMCA takedown notice on your "permanent record" — simply deleting the file or the link won't expunge the "strike" on your account (generally, only a DMCA counter-notice will do that). So a DMCA takedown notice received for your blog might still count as a "strike" years later (again, this is because service providers want to be able to tell a court that they were good about "terminating repeat infringers," lest they lose their shield against copyright infringement lawsuits).

Of course, you may be able to talk the copyright owner into withdrawing a DMCA notice ("your marketing department sent me an email saying this link was legit"). And there may be informal strategies that work most of the time (like deleting links after a short period of time). However, at the end of the day, it's nearly impossible to be sure you'll never receive a DMCA takedown notice.

With that in mind, here are a few practical things you can do to minimize the disruption that the DMCA process might inflict on your blog:

• Get your own domain name: Most blogging platforms will allow you to use your own domain name for your blog, which will make it easier for your readers to find you if DMCA takedown notices force you to change hosting providers. So, for example, if your blog is at YOURNAME.blogspot.com, and your account gets terminated, you probably will never be able to use that URL again. In contrast, if your blog were at www.YOURNAME.com, you could get a new account from another hosting provider and keep your URL the same. And don't register your domain through the same company that hosts your blog—that should reduce the risk that you'll find both your blog and your domain name deleted by your hosting provider in response to DMCA takedown notices.
• Back up your blog, be ready to move it: Make sure that whatever blogging platform you use, it allows you to easily back up your entire blog in a format that makes it easy to republish elsewhere. Have a game plan ready for migrating your blog to a new hosting service quickly if that becomes necessary.
• Make sure your hosting provider can reach you: If a copyright owner wants to send a DMCA takedown notice aimed at your blog, they will probably start by doing a reverse DNS look-up to figure out who is hosting it. So make sure that entity (whether it's a full-service blog hosting service like Blogger or a colo hosting your own server) knows how to reach you. Keep your email address up to date, be sure that messages from your blog hosting service are "white-listed" in any spam filters that you use.
• Choose a service that has clear DMCA policies: Not all hosting providers accept DMCA counter-notices—make sure yours does, just in case you need to use it. Ask your hosting provider how many "strikes" it takes before your account is terminated. Ask whether "strikes" drop off your account after a period of time. Generally, you're better off with a hosting provider that has thought about these questions and implemented clear policies.
• Study up a bit: A little studying up before hand can go a long way towards avoiding problem later. A good place to start is EFF's Legal Guide to Bloggers, which contains frequently asked questions about copyright, the DMCA process, and a host of other legal issues that bloggers might face. The Citizens Media Law Project at Harvard also has a great legal guide online.

In our last post, we set out some of Google's numbers for the total number of books that would fall under the amended settlement agreement. Now let’s look at how many and what sorts of rightsholders have come forward as a result of the oft-criticized notice program conducted by Google and the plaintiffs. For starters:

Number of Books Google Says are Subject to the Settlement: About 10 million

According to Rust Consulting, the company administering the notice program, 44,450 claim forms (both online and hardcopy) have been received as of February 8, plus 485 "lists" (a kind of modified claim request). The claims relate to approximately 1.13 million books and 21,829 "inserts" (i.e., things like a short story or article in an anthology). Of the 1,107,620 books claimed online, 619,531 are classified by Google as out-of-print and 488,089 are classified as in-print.

Total number of claimants: 44,450

So, of the 10 million books potentially covered by the amended settlement on Google's numbers, rightsholders have spoken up for a little more than 10%. Because there may be disagreements between the author and the publisher about who owns the rights, it is possible that some of these claims are actually competing claims for the same book.

Percentage of books claimed on Google's numbers: about 10%

As of the January 28 deadline for opting out, Rust reports receiving 6,818 requests for "exclusion" (which Rust uses here to mean simply "opting out of the settlement"). Adding that number to the 44,450 claiming responses makes a total of a little over 50,000 rightsholder responses, with about 87% choosing to participate in some form in the settlement and 13% opting out altogether. Keep in mind that those who objected to the settlement—and there were over 500 objections filed—had to stay in the settlement in order to object, so the 87% number shouldn’t be read as consisting only of those who favor the settlement.

Percentage of responding rightsholders who have opted out: 13%

Percentage of responding rightsholders who have chosen to participate in some form: 87%

The “Exhibit D” document of Rust Consulting's submission, consisting of four tables, was initially unhelpful and unenlightening, because none of the columns seemed to be properly labeled. However, upon EFF's request, Google promptly had Rust provide a clearer document, which has the missing information (Google says that the prior problem was due to scanning and that the document has not changed). Google confirmed one error in the first table: the correct number of online publisher claims should be 4,312 and 880 for agent claims.

The publisher claims account for 787,942 out of the 1,107,620 books claimed, or 71%, with an average of 895 books per claiming account. It is interesting that a relatively small number of publishers accounted for the bulk of the claimed works.

Percentage of books claimed by publishers: 71%

Percentage of books claimed by authors: 29%

At the fairness hearing, the lawyer for the Science Fiction Writers group raised concerns that publishers are claiming works that are out-of-print, which is problematic since in many instances those rights should have reverted to the authors. The attorney noted that the Google Books settlement appeared to be creating an opportunity for publishers to try to claim ongoing rights, and corresponding income, from works that they had abandoned and to which they may not have current contractual rights. This is one of many criticisms raised by author groups as well as the Department of Justice at the fairness hearing -- that the settlement rides roughshod over the contractual relationships between authors and publishers.

These numbers help clarify the picture, at least a bit. We hope Google, the plaintiffs, and Rust Consulting will provide even more numbers moving forward so that the public can continue to assess the settlement even as the Court deliberates.

In the wake of yesterday's fairness hearing on the Google Book Search settlement, this might be a good time, while Judge Chin is deliberating, to take a moment to update some of the numbers about the settlement. These numbers were culled from settlement documents (thanks to Prof. James Grimmelmann for much of that), Google's presentation at the fairness hearing, and congressional testimony.

[Note: these are Google's numbers and it wouldn't be surprising if others disputed them.]

First, how many books are there? Overall, Google engineer Dan Clancy said that Google's research indicates that there were over 174 million books total worldwide in bibliographic records.

Total number of books in bibliographic records in the world = 174m.

At the fairness hearing, however, Google's lawyer Daralyn Durie told the Court that there are approximately 42 million books total in the collections of libraries partnered in Google's digitization project.

Total number of books held by Google partner libraries = 42m.

How many of these fall under the terms of the settlement, which is limited to in-copyright books published in the U.S., Canada, U.K., Australia, and New Zealand? After subtracting public domain works (estimated at 20% by Google), excluding foreign works, and accounting for duplicate works, Google estimates that 10 million books are subject to the terms of the amended settlement.

Total number of books subject to the amended settlement = 10m.

Of this number, Google believes that half (~5 million) are in-print and half (~5 million) are out-of-print. In earlier Congressional testimony, Google estimated that no more than 20% (or ~1 million) of the out-of-print works would turn out to be true "orphan works" (i.e., works whose copyright owners could not be found).

Google's Dan Clancy estimates that Google has scanned 12 million books so far, which includes 2 million scanned through its Partner Program, another 2 million public domain works, and foreign works that are outside the amended settlement.

Some other numbers to keep in mind while pondering all of this: the Authors Guild claims a membership of over 8,500 and the Association of American Publishers claims to represent over 300 publishers, while 30,000 authors and publishers have already struck deals to be in Google Books through Google's Publisher Partner Program.

As we've explained before, a number of Hollywood movie studios have been on the war path against Redbox, the kiosk-based DVD rental operation, because Redbox offers DVD new releases for rent at 99 cents per night. Thanks to the first sale doctrine in copyright law, Redbox's business is completely legal—the company buys legitimate DVDs to stock their kiosks. Great for consumers, and a great alternative for those who might otherwise opt for an unauthorized alternative online.

But Hollywood wasn't pleased, and took a number of steps to interfere with Redbox's business, which in turn led to lawsuits. Earlier this week, Redbox and Warner Brothers settled their litigation, with Redbox promising not to offer Warner DVDs until 28 days after the DVD goes on sale. In other words, no more Warner new releases in the Redbox kiosks. Analysts predict this will be a blueprint for similar settlements with other Hollywood studios.

The Media Wonk has published a great recap of what happened, detailing how the movie studios put pressure on distributors and retailers and ultimately succeeded in subverting the first sale doctrine:

I’m assuming the studios’ were well-advised in their campaign against Redbox, and managed to strong-arm the wholesalers and big-box retailers without actually violating antitrust laws. But it’s still worth noting, I think, the extraordinary lengths to which they were willing to go to thwart the plain language and intent of an inconvenient portion of copyright law.

The First Sale Doctrine was promulgated–first by courts and later by Congress–precisely to deny publishers control over the secondary market in copies of works. It evolved to ensure that the practical application of the copyright statute would not be inconsistent with the Constitutional purpose of copyright itself: “To promote the progress of science and useful arts.” It does that by encouraging a robust and innovative market in copies, including a robust secondary market.

Through their many Redbox machinations, the studios have found a way around the plain purpose of the First Sale Doctrine by effectively (if not quite illegally) fixing the price of DVDs in the secondary market.

Over the weekend, Google announced significant changes to its new social networking service, Buzz. Responding to criticism (including EFF's), Google moved away from the system in which Buzz automatically sets you up to follow the people you email and chat with most. Instead, Google has adopted an auto-suggest model, in which you are shown the friend list with an option to de-select people before publishing the list. While a full opt-in model would be less likely to result in inadvertent disclosures of private information, this is a significant step forward.

In addition, Google said it would show current Buzz users the setup process again, giving a second chance to review and confirm the follower list "over the next couple weeks." We recommend that all current Buzz users immediately turn off the public list, and review their friend list before making it public again. (Instructions)

Google will also stop automatically connecting Picasa Web Albums and Google Reader shared items, and allow users to hide Buzz from Gmail or disable it completely.

These problems arose because Google attempted to overcome its market disadvantage in competing with Twitter and Facebook by making a secondary use of your information. Google leveraged information gathered in a popular service (Gmail) with a new service (Buzz), and set a default to sharing your email contacts to maximize uptake of the service. In the process, the privacy of Google users was overlooked and ultimately compromised.

Though Google responded quickly to these privacy concerns, they never should have happened in the first place. While Buzz previously had a lot of these privacy options available, the user interface failed to provide users with the setting users had reasonably expected. Google should follow fair information practices and make secondary uses of information only with clear, unequivocal user consent and control.

Part of the problem may have stemmed from Google's testing process. The BBC reports that Google only tested Buzz internally with its employees, omitting "extensive trials with external testers - used for many other Google services." Google employees are sophisticated power-users who will meticulously review the available settings. However, a good user interface for privacy must work for all users, and match the default settings with the expectations of the users. Only through broad based testing can Google be sure that users are giving informed consent.

Next week Google will face a federal judge and ask for approval of the Google Books settlement. EFF has raised privacy concerns, including the possibility that Google might make secondary uses of the Books information. Buzz's disastrous product launch highlights the danger posed by this possibility, and showcases the need for firm enforceable commitments to protecting user privacy.

Reports are coming in of additional privacy issues.

The Register reports that "Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located." While a security blog now reports this was fixed, Google should conduct a thorough security review to ensure that no other problems persist.

PC World notes that Google's "vanity URL" functionality presents users with an unfortunate choice: Either expose your email address to the general public, or host your profile at a monstrously long numeric URL. Google ought to provide a third, middle-of-the-road option by allowing users to select a simple and memorable URL which is not based on their email address.