September 23, 2004

Enterprise DRM for Financial Compliance

In addition to its use in protecting entertainment media from piracy, Digital Rights Management (DRM) has long-term potential for automating compliance with new regulations applying to banks, insurers and investment companies and to health care providers. These include HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley. A conference coming in late October will focus on both of those applications, in two parallel tracks. Quoting from the topic descriptions at http://www.jupiterevents.com/drm/fall04/agenda2.html:


Markets I: Financial Services
DRM technologies can enhance regulatory compliance and protection of highly sensitive information in financial services. In this panel, we'll discuss case studies and best practices for such applications as virtual deal rooms in mergers and acquisitions, NASD 2711 compliance for guarding against conflicts of interest among investment bankers and securities analysts, the Gramm-Leach-Bliley Act for preserving confidentiality of consumer financial information, and Sarbanes-Oxley for integrity of accounting information.
Moderator:
Jude Umeh, Consultant, Spexx.Net Enterprises Limited
Speakers:
Jarad Carleton, Industry Analyst, Frost & Sullivan
Mitchell Jamel, CEO, DigitalRights LLC

Markets II: Pharmaceuticals and Healthcare
Biotech and pharmaceutical firms have a wide range of requirements for information security, ranging from IP protection in collaborations for drug development, contract manufacturing, clinical trials, and other areas; they are also subject to regulations under FDA CFR Part 11. Meanwhile, healthcare providers must protect patient records throughout treatment and insurance processes, as well as comply with regulations under HIPAA. In this panel, we discuss how DRM technologies complement existing techniques for addressing these concerns, and how DRM can help these organizations implement enterprise-wide approaches rather than the current silo approaches to protecting patient records and corporate IP.
Speaker:
Scott Selby, Associate, Booz Allen Hamilton Inc.

Please let me know if you are aware of online resources relevant to the use of DRM in financial services and health care regulatory compliance, at: douginhartford "at" earthlink.net.

DougSimpson.com/blog

Posted by dougsimpson at 08:53 AM

March 30, 2004

New Study re University Responses to P2P File Sharing

Universities facing issues of unauthorized file sharing may find value in a new report, "University Policies and Practices Addressing Improper Peer-to-Peer File Sharing," issued by the Education Task Force of the Joint Committee of the Higher Education and Entertainment Communities of the American Council on Education.

Intended to be "illustrative, not prescriptive," it includes examples of institutional responses to various P2P and copyright issues. The Committee was formed in December, 2002, to work collaboratively to address the problem of unauthorized file sharing. An August 2003 paper, on the legal aspects of P2P file sharing, "Background Discussion of Copyright Law and Potential Liability for Students Engaged in P2P File Sharing on University Networks," is available on the American Council on Education web site in PDF form.

Thanks to: The Chronicle: Daily news: 03/30/2004 -- 04 (subscription required).

Posted by dougsimpson at 07:23 AM

March 05, 2004

What DVD CCA v. Bunner is NOT.

Downstream republishers of cracked secrets take limited comfort from the 2/27/04 decision for Andrew Bunner by the Court of Appeal in California. Limited to a ruling on a preliminary injunction, the opinion finds "little question" that the sharing of DeCSS "is unethical and that it probably violates other laws." But an injunction against information no longer secret "can be justified only on a rationale of punishment and deterrence * * * ordinarily inappropriate in trade secret actions."

The opinion invites further research and analysis around its apparent limitations:

  • It does not protect one who is the first to crack a secret and then misappropriate or share it.
  • It does not protect those who share misappropriated secrets in a closed community.
  • It does not protect one from potential liability under laws other than the Uniform Trade Secret Act (UTSA). Those might include federal laws such as the Digital Millennium Copyright Act (DMCA) or state laws such as California Penal Code Sections 499c or 1203.33 or proposed federal or state laws protecting databases.


    Background:

    On February 27, 2004, a California appeals court ruled that an injunction against Andrew Bunner's publication of DeCSS constituted an improper prior restraint. The decision was in large part based upon the finding that the encryption algorithm affected by DeCSS had lost its "trade secret" status due to extensive publication of DeCSS over the Internet to "a worldwide audience ready and waiting to download and repost it." Electronic Frontier Foundation has the Court of Appeals decision in PDF.

    Commentary:

    Bunner was sued under California's Uniform Trade Secrets Act ("UTSA"), (Civ. Code §3426 et seq.) which protects information that is valuable because it is unknown to others. The Court decided only the propriety of an injunction against Bunner's disclosure of the information, not the propriety of other forms of deterrent sanctions.

    The Court of Appeals found the element of secrecy important for two reasons, in both of which a temporal element was important:

  • One cannot be liable for misappropriation of a trade secret if the information in question is no longer secret when one publishes it;
  • One cannot be enjoined under the UTSA from publishing information if it is no longer secret at the time the injunction is to take effect.

    According to the Court, the record showed that Bunner was a downstream discloser of information that had already passed into public knowledge. The Court quoted July discussions on Slashdot about interest in cracking CSS as evidence of "a worldwide audience ready and waiting to download and repost" DeCSS when it first appeared on October 6, 1999. By November 1999, DVD CCA had spotted and noticed 66 websites hosting either DeCSS or links to it, and Wired magazine had written that DeCSS was on the Net. See "DVD Piracy: It Can Be Done" (Wired, November 1, 1999).

    Bunner does not shield the original cracker.

    None of these facts would apply to the original cracker. The Court noted the common theory that Jon Johansen, a Norwegian resident, cracked the CSS code by means of reverse engineering and was the original source of the DeCSS code. Had not "DVD Jon" shared DeCSS, it would not have become public knowledge.

    In December, a Norwegian appeals court affirmed the acquittal of Jon Johansen on criminal charges of breaking the CSS copy protection on DVDs he bought. The charges were brought by the Norwegian Economic Crime Unit (ØKOKRIM) under Norwegian Criminal Code 145(2), upon the complaint of DVDCCA and the Motion Picture Association of America (MPAA). The Norwegian court ruled that his action was legal under Norwegian law. An earlier acquittal had been appealed by the government. See "Legal victory for 'DVD hacker'," BBC News 12/22/03, and "'DVD-Jon' Defeats Hollywood: Consumer Rights Upheld in Norway," IP Justice.

    Questions for further study:

    • To what extent can United States law (or another sovereign's law that may differ from that of Norway) be applied to a nonresident whose activity was lawful in the jurisdiction where he or she resides and acted, if it has an effect on a United States rights holder?
    • Could "DVD Jon" be liable under the UTSA for misappropriation of a trade secret?
    • Could "DVD Jon" be charged with violation of the DMCA's anti-circumvention provisions?

    The case of Russian programmer Dmitri Sklyarov is illustrative. While in Russia, Sklyarov allegedly programmed a bypass of Adobe's technical protection measures ("TPM"). While in the United States at a DEF CON conference speaking about the resulting software, Sklyarov was arrested and charged with a criminal violation of the DMCA, based upon a complaint by Adobe. The Justice Department later dropped charges against Sklyarov, allegedly in return for his testimony against his employer ElcomSoft (a software company based in Moscow) on a similar charge. At a jury trial in December 2002, ElcomSoft was acquitted. Post-verdict interviews with the jury indicated that they found that the ElcomSoft code was probably illegal, but that the DMCA was sufficiently confusing that they were not convinced that ElcomSoft's Russian managers knew that sharing the code they wrote was criminal.

    The Bunner Court was careful to distinguish a case cited by the plaintiff, Underwater Storage, Inc. v. United States Rubber Co., 371 F.2d 950 (D.C.Cir. 1966). In that case, a Navy contractor took trade secrets and republished them as its own know-how. The Underwater Storage Court rejected the argument that subsequent publication insulated the defendant from liability for misappropriation, saying: "Once the secret is out, the rest of the world may well have a right to copy it at will; but this should not protect the misappropriator or his privies." 371 F.2d. at 955.

    Questions for further study:

    • Q: How many people does it take, how broad a distribution is required, before information loses its status as secret?
    • Q: At what "degree of separation" do downstream recipients of information qualify as "general public?"

    Bunner does not shield sharing in a closed community.

    In the Bunner case, the enthusiasm and anticipation of the global programmer community for a CSS decoder, together with the culture of free code sharing, meant that whatever the threshold between "public knowledge" and "still secret" was quickly crossed. The Bunner Court did not attempt to define that threshold. Doing so will be more pertinent in a case in which the information was held more closely.

    The Court noted that this case "does not fit neatly into classic business or commercial law concepts." Typically in trade secret cases, a competitor wrongfully takes trade secrets to exploit them, and has no interest in sharing the advantage with others (except perhaps for a sufficiently valuable consideration). Had DeCSS been held more closely and shared only among a controlled circle of users, it may never have reached the level of public disclosure that sacrificed its status as a trade secret.

    Consider, hypothetically, a secret resale or exchange of code exploiting a trade secret, or confidential data wrongfully obtained. Such might be distributed through a controlled access "darknet" or among a limited number of conspirators -- none of which put it on the open Net. Would such breach the "public knowledge" threshold?

    As holders of intellectual property rights and security organizations become more aggressive in monitoring and enforcing casual sharing of protected content, they may tend to drive "warez" swappers and users underground, into closed, "virtually gated" online communities. Entry to such communities may require exchange of valuable consideration, either in the form of cash, copyrighted code or secret data. The exclusivity and secrecy of such private networks may itself disqualify them from the protection of the Bunner decision's logic. Such networks may also be usefully analyzed under state, federal and international laws regarding conspiracy and racketeering.

    Bunner does not shield against liability under other laws.

    The Court made clear that its decision was limited to the propriety of an injunction under the UTSA, and that the disclosure of the DeCSS code "is unethical and that it probably violates other laws. But what is in the public domain cannot be removed by action of the states under the guise of trade secret protection." Citing Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 at 481 (1974).

    The DVD CCA did not bring claims under the DMCA, and there was no indication of complaints under the California law criminalizing theft of trade secrets (California Penal Code §499c) or the Economic Crime Act (California Penal Code §1203.33), which has been interpreted to cover theft of trade secrets valued over $50,000. People v. Farell, 48 P.2d 1155 (Cal. 2002). The narrow scope of the Court's decision leaves open the possibility of civil or criminal prosecution of original and "midstream" distributors of the DeCSS code under those statutes or others like them in force either inside or outside of the United States.

    Copyfight has links to a variety of commentators on the decision: Copyfight: the Politics of IP

    See also:

  • The Importance of...: DeCSS Injunction Lifted in Trade Secrets Case
  • Freedom to Tinker: "California Court: DeCSS Not a Trade Secret"
  • EFF: "Court Overturns Ban on Posting DVD Descrambling Code, Finding a Free-Speech Violation"
  • LawGeek: "EFF wins DVD-CCA v. Bunner Appeal"
  • IP Justice: "Court Rules DeCSS Injunction Violated Freedom of Expression Rights"

    Due to the volume of comment spam, I have turned off comments on this posting. Trackbacks are welcome, as are private comments via email.

    Posted by dougsimpson at 07:58 AM

    February 03, 2004

    Sensitive Info in Wired World: Yale ISP Reading Group

    Readings are now online for the first session of a reading group concerning the legal aspects of the PORTIA project. This semester, the group examines legal aspects of: copyright and digital rights management; SPAM and freedom-of-speech; privacy-preserving data mining; privacy-preserving data surveillance; and a topic to be announced. It will meet for five evening sessions at Yale Law School in New Haven, CT, starting February 5.

    The Yale Information Society Project describes the NSF-funded PORTIA (Privacy, Obligations, and Rights in Technologies of Information Assessment) as "a five-year, multi-institutional and multi-disciplinary attempt to examine, define and create technological systems that ensure the rights of data owners, data users, and data subjects. The project’s primary participants include professors from the Yale Computer Science department (as well as participants from other leading institutes in the U.S. and abroad). In addressing these issues, the project confronts difficult legal questions that pertain to privacy, intellectual property, and information law."

    More info at:
    Session 1: Copyright, Digital Rights Management, and Privacy
    Monday, February 9, 2004
    Led by: Eddan Katz, ISP Fellow.

    I plan to attend all five sessions. If either of my occasional readers are there, please introduce yourself.

    Posted by dougsimpson at 05:41 AM

    January 11, 2004

    Economics & Security Resources

    Ross Anderson is a Reader in Security Engineering at Cambridge University. He maintains a collection of links to papers and other resources on the subject of Economics and Computer Security, including Peer-to-Peer issues and Trusted Computing.

    "More and more people are realising that information insecurity is often due to perverse incentives rather than to the lack of technical protection mechanisms." -- Ross Anderson, about the Economics and Security Resource Page

    Posted by dougsimpson at 08:03 PM

    January 08, 2004

    Institutional Secrets in a Time of "Smart Mobs"

    Technology and constitutional rights intersect in ways that challenge traditional expectations of the security of government and corporate secrets. Networks allow "smart mobs" of individuals to share information in ways that are fast, cheap and out of control. Those with an agenda can today extract and publish institutional secrets in ways that may be hard to detect, let alone remedy with money damages or sanctions.

    Q: Where should government and business look for protection? Tighter information security? Tough criminal laws and prosecutions? Prayer?

    Q: What is the future of institutional secrets?

    The Pentagon Papers
    In 1971, someone leaked to the New York Times the "Pentagon Papers," a top-secret DOD study critical of the United States involvement in Vietnam. The Times began publishing articles based on the contents, but the United States sued to block any further publication of the Top Secret material. The case quickly reached the Supreme Court, which decided that the damage to national security from publication did not outweigh the damage to the freedom of the press from prior restraint. The Court's ruling is a landmark decision on the balance between secrecy and free press. New York Times Co. v. United States, 403 U.S. 713 (1971)

    The nine separate opinions (6 to 3 in favor of the defendants) left open the possibility of criminal prosecution of the Times and the Post after publication, but found insufficient basis for prior restraint. Of the majority, two maintained that the First Amendment provided no room for any prior restraint of the press. The other four conceded that prior restraint could be justified in proper cases, some noting as exceptions publication of troop movements in time of war, prohibitions of obscenity, and restraints on publication of material in violation of copyright, which protects the form of expression rather than the ideas expressed. Ibid. Members of the Court have since written about the importance of the Pentagon Papers to a matter of significant public debate as an essential element in the outcome. Bartnicki v. Vopper, 532 U.S. 514 (2001).


    The Cigarette Papers
    In 1994, thousands of pages of internal documents previously kept secret by Brown & Williamson Tobacco Corporation were anonymously delivered to the University of California, San Francisco (UCSF) with portions also sent to Congressman Henry Waxman and the New York Times. In a related case, District Court Judge Harold Greene characterized the documents as possible evidence "supporting a 'whistle-blower's' claim that the tobacco company concealed from its customers and the American public the truth regarding the health hazards of tobacco products." Maddox v. Williams, 855 F.Supp. 406, at 414, 415 (D.D.C. 1994).

    The university library added the papers to its tobacco industry archives, made them available to the public and prepared to publish scanned copies electronically. They quickly became a popular source for anti-tobacco litigators and activists, through whom B&W learned of UCSF's collection in January 1995. B&W demanded that UCSF return the documents, deny public access and disclose the names of all who had seen them, and sued when UCSF refused.

    The California Superior Court allowed UCSF to keep the documents and publish them. In its opinion, it emphasized the lack of evidence that UCSF was involved in any wrongful taking of the documents, the fact that they were not being introduced into evidence against B&W, the strong public interest in the documents' relevance to public health issues, and the futility of action against UCSF when the documents were widely available elsewhere. The California Supreme Court let the decision stand and on June 30, 1995, the University began publishing the documents on the Web. A year later, both a hard-bound and an online analysis of the collection were published by University of California Press.

    The DeCSS Algorithm
    In 1999, "DVD Jon" Johansen, a Norwegian, reverse-engineered the proprietary technology inside the Content Scrambling System (CSS) used by the DVD Content Control Association (DVDCCA) to protect commercial DVDs from unauthorized copying. He wrote an algorithm that enabled unscrambling of the disks, and called it "DeCSS." He posted it on the Web and copies spread rapidly. When it learned about DeCSS, the DVDCCA demanded that operators of websites where it appeared take it down and sued those that refused, including Andrew Bunner.

    In California, the Superior Court hearing the case against Bunner found that DVDCCA had a likely case for Bunner's violation of California's trade secret act (a version of the Uniform Trade Secrets Act or "UTSA"). The Court entered a preliminary injunction against Bunner using or disclosing DeCSS or linking to sites that disclosed it. The Court of Appeals found that DeCSS was "pure speech" and overturned the injunction as a First Amendment violation. In August of 2003, the California Supreme Court reversed the appellate decision and sent the case back for further proceedings.

    The California high court agreed that DeCSS qualified as speech protected by the First Amendment, but ruled that an injunction could be justified by an actual trade secrets act violation. They balanced the governmental interests served by the trade secrets act against the magnitude of the speech restriction that would result from an injunction. They found that publishing the DeCSS code was not necessary to debate on a matter of substantial public interest such as that which characterized the 2001 decision in Bartnicki v. Vopper, 532 U.S. 514 (2001).

    Justice Moreno, in his concurring opinion, agreed that an injunction could be justified in a proper protected speech case, but maintained that this was not one of them. He argued that the record was clear that DVDCCA had no case against Bunner because DeCSS was so widely disseminated that it was no longer actually "secret." As a result, he wrote, it was not protected by the trade secrets act, making an injunction an unlawful prior restraint on speech.

    The case was sent back to the Superior Court for further consideration of the merits of the claim that the CSS technology is a protected secret and that Bunner's publication of DeCSS violated the trade secrets act. DVD Copy Control Association, Inc. v. Bunner, 31 Cal. 4th 864 (2003). The DeCSS code continues to be widely available on the Internet at international locations easily discoverable through use of a common search engine.

    In December, a Norwegian appeals court affirmed the acquittal of "DVD Jon" Johansen on criminal charges of breaking the CSS copy protection on DVDs he bought. The charges were brought by the Norwegian Economic Crime Unit (ØKOKRIM) under Norwegian Criminal Code 145(2), upon the complaint of DVDCCA and the Motion Picture Association of America (MPAA). The Norwegian court ruled that his action was legal under Norwegian law. An earlier acquittal had been appealed by the government. See "Legal victory for 'DVD hacker'," BBC News 12/22/03, and "'DVD-Jon' Defeats Hollywood: Consumer Rights Upheld in Norway," IP Justice.

    The E-Voting E-Mails
    In August of 2003, electronic copies of thousands of internal e-mail messages between employees and contractors of Diebold, Inc. were posted on a publicly accessible website. The e-mails indicated Diebold had knowledge of security flaws and regulatory violations involving its electronic voting software widely used by state and local governments. News of the material spread, and other websites hyperlinked to the compilation, including student websites hosted on university computers.

    When Diebold learned of the material, its lawyers issued "takedown" notices to ISPs that were hosting the material or sites linking to it, triggering the "safe harbor" provisions of 17 U.S.C. §512, the Digital Millennium Copyright Act (DMCA). Universities responded by directing students to take down the material and links, and cut off Internet access of students who failed to comply. Rather than filing the counter-notifications provided for in the DMCA, students moved the files to other sites and urged others to copy the files and "mirror" the archive on multiple hosts elsewhere, which many did. At Swarthmore, an activist group's website tracked the efforts of Diebold, the reactions of universities and students, and the spread of mirror sites throughout the Internet.

    The national media picked up the story in October, widely publicizing the existence of the documents and Diebold's attempts to discourage their publication. In November, the website of Congressman Dennis Kucinich posted excerpts from the material, adding a public scolding of Diebold and a call for a Congressional investigation into its actions.

    Online Policy Group (OPG), an ISP to which Diebold sent a takedown notice, filed a federal lawsuit to enjoin Diebold from further efforts to discourage publication. OPG got legal representation from the Electronic Frontier Foundation (EFF) and the Center for Internet and Society Cyberlaw Clinic at Stanford Law School. In a November 17 procedural hearing on a motion for a preliminary injunction, the District Court judge's questions focused on the public interest in information about voting systems and First Amendment issues raised by the controversy.

    Diebold seemed to realize that the harder it pushed, the more adverse publicity it got and the further the information spread. On November 24, it advised the District Court that it would not sue those hosting copies of the materials for copyright infringement and was withdrawing its DMCA notices, as an indication of its commitment to an open discussion of "helping America vote better."
    http://www.eff.org/Legal/ISP_liability/OPG_v_Diebold/DieboldResponse.pdf.

    _____________

    Some sources:

    The Pentagon Papers

  • "THE PENTAGON PAPERS CASE" at Electronic Journal of the U.S. Information Agency, Vol. 2, No. 1, February 1997
    http://usinfo.state.gov/journals/itdhr/0297/ijde/goodsb1.htm

  • Vietnam Veterans of America Symposium on the Pentagon Papers (June 5, 2001)
    http://www.vva.org/pentagon/pentagon.html

  • The National Security Archive at George Washington University: The Pentagon Papers: Secrets, Lies and Audiotapes, (National Security Archive Electronic Briefing Book Number 48)
    http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB48/

  • David Rudenstine, Professor of Constitutional Law at Cardozo Law School, wrote The Day the Presses Stopped, A Legal History of the Pentagon Papers Case. In this book, Rudenstine reviews Secretary of Defense Robert McNamara's commissioning of a history of the Vietnam War, which its three authors (Leslie H. Gelb, Morton H. Halperin and Paul C. Warnke) completed in January 1969, days before the inauguration of Richard Nixon. Its authors took pains to keep knowledge of its existence from President Johnson, according to Rudenstine, for fear he would have it destroyed. At the close of the first chapter, Rudenstine notes that: "In addition to worrying about the survival of the study, Gelb, Halperin, and Warnke worried about a possible leak. In their view the Papers contained an extraordinary amount of information that was properly classified top secret, that could seriously harm the national security if prematurely disclosed, and that was politically sensitive."
    http://www.washingtonpost.com/wp-srv/style/longterm/books/chap1/daythepr.htm


    The Cigarette Papers

  • The Cigarette Papers, the book:
    http://www.ucpress.edu/books/pages/6838.html

  • The book online:
    http://www.library.ucsf.edu/tobacco/cigpapers/
    (which forwards to: http://ark.cdlib.org/ark:/13030/ft8489p25j/)

  • Jon Wiener, "Smoking and Cancer: THE CIGARETTE PAPERS: How the Industry is Trying to Smoke Us All," The Nation, Jan 1, 1996, pp. 11-18.
    http://www.humanities.uci.edu/history/faculty/wiener/files/smoke.html

  • B&W's complaint and supporting memoranda of law for conversion and turn-over of the cigarette papers at UCSF: http://www.courttv.com/archive/legaldocs/business/tobacco/b&wdocs.html

  • Superior Court May 25, 1995 opinion in favor of UCSF:
    http://legacy.library.ucsf.edu/tid/nht62c00


    The DeCSS Algorithm

  • Unintended Consequences: Case Note on DVD CCA v. Bunner (California 2003)

  • EFF Archive on the "DVD Jon" Prosecution, including pleadings and rulings, some in Norwegian, some translated into English.

  • EFF Archive on DVD CCA cases

  • EFF "Intellectual Property - Video and DVD" Archive


    The E-Voting E-Mails

  • Kim Zetter, "Students Fight E-Vote Firm" (Wired, October 21, 2003) http://www.wired.com/news/business/0,1367,60927,00.html.

  • Swarthmore Diebold Archive Site:
    http://www.why-war.com/features/2003/10/diebold.html

  • EFF Archive on OPG v. Diebold, with copies of pleadings and briefs:
    http://www.eff.org/Legal/ISP_liability/OPG_v_Diebold/

  • Stanford Center for Internet and Society Diebold E-Voting Case Page
    http://cyberlaw.stanford.edu/about/cases/diebold_evoting.shtml


    Posted by dougsimpson at 04:59 PM

    January 01, 2004

    Case Note on DVD CCA v. Bunner (California 2003)

    In August 2003 the California Supreme Court resolved a conflict between the status of DeCSS software as protected speech and the status of trade secrets as protected property, applying the "Madsen" standard of scrutiny of speech restrictions proposed as a remedy for actual trade secret misappropriations. It found no application of the Bartnicki decision, which it read as limited to speech addressing matters of more substantial public concern than those involved in the publication of DeCSS. It reversed a Court of Appeals ruling that an injunction on use and republication of DeCSS was an unconstitutional prior restraint, and remanded for appellate review of the factual determinations in light of these principles.

    Judge Moreno's concurrence called for a higher threshold of proof of actual trade secret misappropriation before allowing such restrictions on speech, cast doubt that DeCSS still actually qualified as a secret, and challenged the efficacy of license agreements that attempt to override statutory shelters for "reverse engineering."

    DVD Copy Control Association, Inc. v. Bunner, 31 Cal. 4th 864 (2003).

    Procedural Status

    The controversy arose from the Internet publication of DeCSS, a program that decrypts content on DVDs secured with the Content Scrambling System ("CSS"). The program was developed by a licensee of CSS that reverse engineered its proprietary technology despite a provision in the license forbidding such reverse engineering. The program was widely republished on the Internet, one of its republishers being Mr. Bunner.

    When DVD CCA discovered the decryption tool was at large, it filed legal action alleging trade secret misappropriation in violation of the California version of the Uniform Trade Secrets Act (UTSA), Cal. Civil Code §3426 et seq. The District Court found that DVD CCA was likely to prevail on the merits and issued a preliminary injunction against the defendants (one of whom was Mr. Bunner) forbidding use, copying, or distribution of DVD CCA's trade secrets generally and DeCSS specifically.

    The Court of Appeals assumed as true the trial court finding that a trade secret misappropriation had occurred but found that the injunction constituted a prior restraint of "pure speech" and violated the First Amendment.

    The California Supreme Court also assumed that a trade secret misappropriation had occurred, but reversed the Court of Appeals and remanded for further consideration, holding that the First Amendment did not preclude a preliminary injunction on the assumed facts.

    The Court's Analysis
    First, the Court acknowledged that computer code such as DeCSS qualified as speech protected by the First Amendment, citing, with discussion:
    * Junger v. Daley, 209 F.3d 481 (6th Cir. 2000)
    * Universal City Studios, Inc. v. Reimerdes, 111 F.Supp.2d 294 (S.D.N.Y. 2000)
    * Universal City Studios, Inc. v. Corley, 273 F.3d 429 (2nd Cir. 2001)
    * United States v. Elcom, Ltd., 203 F.Supp.2d 1111 (N.D.Cal. 2002)

    Second, the Court found that the injunction was "content neutral" because its principal purpose was protection of a statutory property interest, with only incidental impact upon the content of the enjoined communication, citing, with discussion:
    * Ruckelshaus v. Monsanto Co., 467 U.S. 986 (1984)
    * Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974)
    * San Francisco Arts & Athletics, Inc. v. United States Olympic Comm., 483 U.S. 522 (1987)

    Because the injunction was a "content neutral" sanction, the Court applied a lower level of scrutiny prescribed by Madsen v. Women's Health Center, 512 U.S. 753 (1994), under which the Court must ask "whether the challenged provisions of the injunction burden no more speech than necessary to serve a significant government interest." Madsen, 512 U.S. at 765.

    The Court distinguished the decision in Bartnicki v. Vopper, 532 U.S. 514 (2001), noting that "five justices in Bartnicki endorsed the application of a lesser standard even though the statute arguably prohibited 'pure speech.'" The California Supreme Court favored Rodney A. Smolla's analysis of Bartnicki in "Information as Contraband: The First Amendment and Liability for Trafficking in Speech" 96 Nw. U.L.Rev. 1099 (2002). In that article, Smolla makes the intriguing argument that the true holding of Bartnicki was expressed not by Justice Stevens' majority opinion, but by the combined opinions of the two concurring and the three dissenting justices in that case.

    Bunner provides useful guidance about what might qualify as specially protected speech on matters of public concern. It does so through its discussion of why Mr. Bunner's situation does not qualify. The Court applied the test found in Connick v. Myers, 461 U.S. 138 (1983) and examined the following elements of the content, form and context of the statements in question.
    * The information in question was not publicly available and conveyed only technical information.
    * DeCSS was not posted in order to comment on a public issue or to participate in a public debate. With the exception of a few "encryption enthusiasts," as the Court called them, the public would be interested only in the use of DeCSS, not the content of its code.
    * The public debate over the use of encryption and copy protection of DVDs does not require disclosure of DeCSS, and the debate will not be impaired by enjoining its distribution.

    Third, the Court noticed significant governmental interests served by California's trade secrets law, including innovation incentives, maintenance of commercial ethics and the protection of property interests. The Court found that the DeCSS content disclosed by Bunner did not address, involve or illustrate matters of substantial public concern, so that Bartnicki did not control its decision. It also saw a clear distinction from the cases involving attempts to enjoin publication of information lawfully obtained, such as:
    * Florida Star v. B.J.F., 491 U.S. 524 (1989)
    * Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979)
    * Landmark Communications, Inc. v. Virginia, 435 U.S. 829 (1978)
    * Oklahoma Publishing Co. v. District Court, 430 U.S. 308 (1977)
    * Cox Broadcasting v. Cohn, 420 U.S. 469 (1975)

    On balance, it found that the injunction satisfied the Madsen standard of scrutiny, assuming that an actual trade secret misappropriation occurred.

    Fourth, the Court found that the injunction was not a prior restraint because it was content neutral and based upon unlawful conduct that had already occurred. It distinguished CBS Inc. v. Davis, 510 U.S. 1315 (1994), which invalidated an injunction against the broadcast of a video revealing unsanitary practices in a meat packing plant. Without a finding that the video was unlawfully obtained, the substantial public concern with the facts revealed outweighed the interest of the packer in preventing the broadcast.

    Finally, the Court applied the same analyses to dispose of Bunner's claims under the Constitution of the State of California.

    It remanded the case for further review, emphasizing that the injunction was justified only if appellate review supported the finding that DVD CCA was likely to prevail at trial.

    Judge Moreno's Concurring Opinion

    In his opinion, Judge Moreno analyzed the case differently and questioned the validity of the trial court's findings. He cited the dangers that a preliminary injunction may work to bar protected speech before adjudication of the merits of the speaker's constitutional claims, citing Pittsburgh Press Co. v. The Pittsburgh Commission on Human Relations, 413 U.S. 376 (1973). Criticizing the majority's analysis as "incomplete," Judge Moreno characterized the injunction as "subject matter censorship" that was unjustified because DVD CCA's proprietary information had become so widely disseminated on the Internet that it was no longer actually a secret.

    He acknowledged that trade secret laws serve sufficiently important societal purposes to justify limiting First Amendment rights in proper cases, citing:
    * Cohen v. Cowles Media Co., 501 U.S. 663 (1991)
    * Zacchini v. Scripps-Howard Broadcasting Co., 433 U.S. 562 (1977)
    * Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974)
    * Ruckelshaus v. Monsanto, 467 U.S. 986 (1984).

    He called for a more rigorous evidentiary standard in order to "separate meritorious trade secret claims from those involving protected speech." A plaintiff, contended Judge Moreno, "should be required to actually establish a likelihood of prevailing on the merits, regardless of the balance of harms," or the injunction may constitute a prior restraint.

    He noted that a higher hurdle would also apply when substantial public concern was implicated, even when secrets were unlawfully obtained, as in New York Times v. United States, 403 U.S. 713 (1971).

    He contended that there was "no likelihood that DVD CCA would prevail on the merits," because "DeCSS was not demonstrably secret in this case when Bunner republished it, and Bunner was neither alleged to be the original misappropriator nor to be in privity with any such misappropriator."

    He also cast doubt on the use of a license agreement to nullify statutory language excepting reverse engineering from the definition of "improper means" of acquiring a trade secret, citing Bonito Boats, Inc. v. Thunder Craft Boats, Inc., 489 U.S. 141 (1989) and the exclusive jurisdiction of federal patent law.

    DougSimpson.com/blog

    Posted by dougsimpson at 12:21 PM

    October 31, 2003

    Voting Software Leaks Out - Again

    Electronic voting software code was left unprotected by a contractor, then accessed and republished, according to Wired News E-Vote Software Leaked Online. A company spokesman for Sequoia Voting Systems stated that the disclosure of its code did not compromise the security of the system itself.

    The recent history of such leaks involving Diebold software suggests that the disclosure may yield more benefit than harm, by opening once-secret proprietary code to independent security analysis.

    An unrelated disclosure of Diebold software in January led to software analysis of it at Johns Hopkins and Rice. Their report of security flaws (PDF) includes their recognition that "the integrity of the election process is fundamental to the integrity of democracy itself. And, unsurprisingly, history is littered with examples of elections being manipulated in order to influence their outcome."

    The analysts noted that despite warnings about security concerns with new computerized voting systems, "neither source code nor the results of any third-party certification analyses have been available for the general population to study, because vendors claim that secrecy is a necessary requirement to keep their systems secure."

    The report detailed technical standards against which they evaluated the revealed software, and, in its abstract stated that "this voting system is far below even the most minimal security standards applicable in other contexts," and emphasized "the fallacy of the closed-source argument for such a critical system." Only once the code became accessible for independent tests were the security flaws disclosed.

    These issues echo the cautions of security experts such as Bruce Schneier, author of Secrets and Lies.

    This critical report led to an audit by the State of Maryland, which proceeded with installation of the system after encryption and digital rights management tools recommended in a SAIC report (PDF) were incorporated into the Diebold system and the state e-voting process.

    Posted by dougsimpson at 10:15 AM

    October 13, 2003

    Software Maker Backs Off DMCA Suit Threat Against Princeton Researcher

    SunnComm Technologies will not sue a Princeton grad student for issuing a Princeton University Computer Science Technical Report TR-679-03 that discloses a security flaw in SunnComm's software intended to block music piracy, according to The Chronicle of Higher Education's Daily news for 10/13/2003. The company's stock lost value after the report of the student's disclosure, and it had threatened to sue under the Digital Millennium Copyright Act (DMCA). According to the Chronicle, the company's CEO said that "We feel that bringing legal action for damages against researchers in a higher-learning environment may contribute to a chilling effect on the type of research that faculty, staff, and students elect to pursue."

    (Editorial)
    SunnComm chooses wisely when it steps back. The unbiased peer review of new security technologies is essential to the development of sound applications. Further, the United States Supreme Court has repeatedly protected academic freedom of universities under the First Amendment. Barring some overriding state interest or protectible property right, that freedom should include the right to study and publish factual information and opinion regarding the results of research by their students and faculty.

    See eLawyer Blog: Reading: Schneier, Secrets & Lies (Digital Security in a Networked World), in which Schneier strongly urges avoiding new or proprietary cryptography in favor of technologies and code algorithms that have been made public, analyzed and peer-tested for years by professionals.

    See also Unintended Consequences: "Four Essential Freedoms" of a University Based in First Amendment, as re-affirmed in the June decisions regarding the University of Michigan.

    Posted by dougsimpson at 10:28 AM

    September 23, 2003

    Censoring the Net: Study by Privacy International

    Privacy International has made available the report on a twelve-month study involving over fifty experts and advocates from across the world, made possible by a grant from the Open Society Institute. The study, in PDF format, is available at: Silenced: An International Report on Censorship and Control of the Internet.

    From the executive summary: "This study has found that censorship of the Internet is commonplace in most regions of the world. It is clear that in most countries over the past two years there has been an acceleration of efforts to either close down or inhibit the Internet. In some countries, for example in China and Burma, the level of control is such that the Internet has relatively little value as a medium for organised free speech, and its use could well create additional dangers at a personal level for activists. The September 11, 2001 attacks have given numerous governments the opportunity to promulgate restrictive policies that their citizens had previously opposed. There has been an acceleration of legal authority for additional snooping of all kinds, particularly involving the Internet, from increased email monitoring to the retention of Web logs and communications data. Simultaneously, governments have become more secretive about their own activities, reducing information that was previously available and refusing to adhere to policies on freedom of information."

    Concerns over such monitoring and hazards are one motivation for the rising interest in "darknets," mentioned in a recent note "Darknets Offer Privacy" in Unintended Consequences.

    Thanks to OnlineJournalism.com for the heads up on this study.

    Posted by dougsimpson at 08:54 AM

    September 12, 2003

    Liebowitz: DRM, Not Compulsory Licensing, Answers the Real Challenge of File Sharing

    Economist Stan Liebowitz sees P2P file sharing as a significant problem for music publishers, and advocates use of Digital Rights Management (DRM) tools to allow both P2P file sharing and protection of copyrights. He takes issue with proposals for compulsory licensing, a method used in the past in similar situations. He maintains an online page of notes and links to his published and to-be-published papers and studies.

    Stan Liebowitz is an economist at the University of Texas at Dallas. He has studied the challenge of MP3 file sharing for several years and assisted with critiquing economists' amicus briefs filed in the Eldred case. His studies had led him to believe (and write) that file sharing technology would have a significant negative impact on the recording industry, and that DRM technologies would provide protection without sacrificing fair use. "Policing Pirates in the Networked Age" (Cato Institute 2002).

    Further study and experience led him away from, then back again to that conclusion, expressed in the August 2003 note "The Day the Music Died". It predated RIAA's recent lawsuits against users, but anticipates them and the resulting controversy and repeats his support of experimentation with DRM as a solution. A few days ago, he released "Alternative Copyright Systems: The Problems with a Compulsory License" in which he concludes that compulsory licensing is not the solution in this instance, as it was with rights in broadcast music.

    He also maintains an informal but more current page of links and notes on the subject of "Copyright Issues, Copying and MP3 Downloading". It contains useful links to his yet-to-be published studies and papers as well as the recent court decision involving RIAA v. Kazaa et al and the continuing controversy over the grant of subpoena powers and privacy.

    Liebowitz' logic and data are not without critics, including Miriam Rainsford, a pro-file-sharing musician.

    Posted by dougsimpson at 08:14 PM

    September 11, 2003

    RIAA v. P2P Net: Notes in the Key of Antitrust

    Peer-to-peer (P2P) file sharing network hubs received simultaneous assaults by the Recording Industry Association of America (RIAA). Some industry figures have sharply criticized the RIAA's tactics as wrong-headed and counterproductive. Has the RIAA's latest assault on users of a potentially legal competing distribution channel carried it into the antitrust minefield?

    RIAA presaged its main attack with reconnaissance strikes on selected targets that partially shaped the legal and tactical battlefield. In September, a force majeure push included several hundred lawsuits against network hubs, described as the more egregious participants in the offering of large quantities of recordings copyrighted by RIAA members. Within days, some information about defendants emerged, and RIAA's first tactical victory was disclosed: a $2,000 settlement paid by the mother of a 12-year-old defendant.

    At the same time, RIAA's "Clean Slate Program" offered limited amnesty to those who used various P2P file sharing systems to download or share copyrighted works, if they submitted a potentially self-incriminating "Clean Slate Program Affidavit". No amnesty was offered to those not using P2P networks to copy or share copyrighted works.

    On behalf of P2P network users, a lawsuit against RIAA has been filed, alleging unfair and deceptive practices in connection with the Clean Slate Program, and at least one United States Senator, Norman Coleman, (R. Minn.) has indicated that an investigation of the program is appropriate.

    Some recording artists and labels have expressed support of P2P file sharing, due to increased exposure they do not get through the existing system. Further factual research may show the numerical proportion of the RIAA such group represents, and what percentage of the industry revenues accrue to such group.

    Some have suggested that RIAA is missing the opportunity to negotiate for the conversion of the "outlaw" peer-to-peer network (let's call it P2P Net) into a licensed, low-cost channel for distribution of recordings and payment of artists. Some suggest that such a system would result in increased opportunities for new, "independent" artists and labels and would increase the supply and reduce the price of recordings in the market. For example, Tim O'Reilly suggests that the RIAA is more concerned about the dominant publishers losing their control of the market than in the interests of copyright holders.

    One of those is John Snyder, President of Artist House Records, who in February presented a formal proposal titled "Embrace file-sharing, or die" to the New York chapter of National Association of Recording Arts and Sciences (NARAS). His extended remarks review the state of the recorded music industry, suggest recent drops in CD sales are not due to piracy, and are highly critical of RIAA, about which he said: "They overstate their position, misinterpret their own data, and make dubious claims for artists' rights when the biggest abusers of artists' rights are their benefactors, the record companies themselves."

    In a note at LawMeme, Ernest Miller speculates that the controversial litigation against file sharers "just might be part of an extremely clever plan of the RIAA's to get the law changed to outlaw Kazaa."

    Has RIAA strayed into the antitrust minefield?

    Although "all is fair in love and war," this is just interstate commerce. Even conceding the lawful monopoly rights of copyright holders, the RIAA's tactics raise some interesting issues of antitrust law on which legal scholars can chew. Let the chewing begin with these debatable issues:

    Query: Does RIAA's combined campaign go beyond legitimate enforcement of copyrights in the market for recordings and extend to an attempt to restrain competition in a separate but related market: the marketplace for distribution services?

    Query: Does RIAA's Clean Slate Program constitute an attempt to intimidate consumers into a boycott of a potentially lawful competing distribution channel (P2P Net), in order to maintain its members' power in the market for distribution services?

    Query: Does the RIAA's combined campaign result in economic harm to certain recording copyright holders and to recording consumers by restraining competition from P2P Net in the market for distribution services?

    Query: In the event of any affirmative answers to the above queries, is RIAA's combined campaign included within qualified immunity doctrines such as (but not limited to) that described in Noerr Motor Freight?

    The issue of copyright abuse was addressed briefly in the 2001 Napster decision. The court acknowledged it as a potential defense, but found a lack of evidence supporting it in that case. A scholarly paper by Daniel J. Gifford explores the developing law in this area. Will new evidence emerge in the discovery processes of the new lawsuits filed this week?

    Posted by dougsimpson at 04:02 PM

    September 04, 2003

    GrepLaw Interviews Yale's Ernest Miller on DRM, Privacy and Hemingway

    GrepLaw | Ernest Miller on DRM, Privacy and Hemingway

    GrepLaw is a blog at Harvard Law School's Berkman Center for Internet & Society. Ernest Miller is at Yale Law, and has been an editor at LawMeme, a law and technology blog there.

    Miller explains for GrepLaw readers the Information Society Project at Yale Law School, and opines that blogs "are great places for law students to begin to find their voice and practice writing in this new medium. They will also be the center of more and more legal debate and analysis."

    About the key issues of cyberlaw for the coming year, Miller tells GrepLaw: "The intersection of copyright law and the First Amendment is perhaps the key modern issue in this field. Until the theories of copyright and First Amendment can be reconciled, the law will continue to be confusing and come up with strange results. I am optimistic, though not overly so, that some movement on this front has already begun."

    He has a lot to say about DRM and fair use, privacy and many other issues. An extended interview well worth reading.

    Posted by dougsimpson at 07:04 PM

    September 03, 2003

    Spam Control with DigSigs

    First Monday has e-published "Giving E-mail back to the users". As an alternative to proposals for more strict legislation and "bounties" on spammers, the authors proposed a code solution to the spam problem.

    From the abstract: "This paper argues that current legislative and private attempts to stop spam are either ineffective, or involve unacceptable tradeoffs. The key to solving the spam problem is recognizing the importance of e-mail authentication and the granting of permissions. Properly used, digital signatures can easily authenticate e-mail for effective spam control. The ability to manage public keys for verifying digital signatures provides each e-mail user the individual power to control who communicates with her and can therefore completely eliminate the practice of spamming. Finally, we recommend that software developers build the requisite capabilities for managing public keys into their e-mail programs. We argue for a technological solution as opposed to government legislation."
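
The permission model the abstract describes, sketched as an added example (it is not code from the First Monday paper or from this blog): the recipient keeps a key ring of senders she has chosen to hear from, and mail is accepted only when its signature verifies under the key on file for the claimed sender. Ed25519, the JSON encoding of the signed fields, the `KeyRing` class and the addresses are assumptions chosen for illustration.

```javascript
// Added example: recipient-side spam control with digital signatures and a
// user-managed key ring of permitted senders. All names here are hypothetical.
const crypto = require('node:crypto');

// Bytes covered by the signature. Binding sender, recipient, subject and body
// means none of them can change without invalidating the signature.
// (Assumption: a JSON array is used as the canonical encoding.)
function signedBytes(msg) {
  return Buffer.from(JSON.stringify([msg.from, msg.to, msg.subject, msg.body]), 'utf8');
}

// Sender side: attach a detached Ed25519 signature to the message.
function signMessage(msg, privateKey) {
  const signature = crypto.sign(null, signedBytes(msg), privateKey).toString('base64');
  return { ...msg, signature };
}

// Recipient side: the key ring is the permission list. Granting permission is
// storing a sender's public key; withdrawing it is deleting that key.
class KeyRing {
  constructor() {
    this.keys = new Map(); // lower-cased address -> public key in PEM form
  }

  permit(address, publicKeyPem) {
    this.keys.set(address.toLowerCase(), publicKeyPem);
  }

  revoke(address) {
    return this.keys.delete(address.toLowerCase());
  }

  // Returns 'accept' only for mail signed by the key on file for msg.from.
  classify(msg) {
    const pem = this.keys.get(String(msg.from).toLowerCase());
    if (!pem) return 'unknown-sender';
    if (typeof msg.signature !== 'string') return 'unsigned';
    let ok = false;
    try {
      ok = crypto.verify(null, signedBytes(msg), pem, Buffer.from(msg.signature, 'base64'));
    } catch {
      ok = false; // malformed signature or key counts as a failed check
    }
    return ok ? 'accept' : 'bad-signature';
  }
}

// Constructed scenario: Bob has permitted Alice; Mallory has not been permitted.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const mallory = crypto.generateKeyPairSync('ed25519');

  const ring = new KeyRing();
  ring.permit('alice@example.org', alice.publicKey.export({ type: 'spki', format: 'pem' }));

  const base = {
    from: 'alice@example.org',
    to: 'bob@example.org',
    subject: 'Lunch',
    body: 'Noon on Friday?',
  };
  const genuine = signMessage(base, alice.privateKey);
  // Claims to be Alice but is signed with a key Bob never accepted for her.
  const forged = signMessage(base, mallory.privateKey);
  // Genuine signature, body altered afterwards.
  const tampered = { ...genuine, body: 'Limited time offer' };
  // Correctly signed, but by a sender Bob has not permitted.
  const stranger = signMessage({ ...base, from: 'mallory@example.net' }, mallory.privateKey);

  const results = {
    genuine: ring.classify(genuine),
    forged: ring.classify(forged),
    tampered: ring.classify(tampered),
    unsigned: ring.classify(base),
    stranger: ring.classify(stranger),
  };

  // Withdrawing permission needs no cooperation from the sender.
  ring.revoke('alice@example.org');
  results.afterRevoke = ring.classify(genuine);
  return results;
}

console.log(demo());
```

What happens to mail that is not accepted (drop, quarantine, or a prompt to add the sender's key) is a policy choice left to the mail program; the check also does not address replay of an old, validly signed message.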

    The article, by grad students Trevor Tompkins and Dan Handley, is one of the peer-reviewed articles on First Monday, an online journal of academic papers dedicated to the Internet. First Monday is a Great Cities Initiative of the University of Illinois at Chicago Library, which (according to its website) has published 466 papers in 87 issues; these papers were written by 567 different authors. First Monday reports that it is indexed in INSPEC, LISA, PAIS and other services and that in the year 2002, users from 642,954 distinct hosts around the world downloaded 4,036,340 contributions published in First Monday.

    First Monday is free, online, and digitally searchable. It invites paper submissions for possible publication, and provides an excellent style guide to writing for Internet publication.

    Past contributors include Phil Agre, Virgilio Almeida, Aleksander Berentsen, John Seely Brown, Steve Cisler, Paul Duguid, Esther Dyson, Simson L. Garfinkel, Rishab Aiyer Ghosh, Michael H. Goldhaber, Andreas Harsono, Bernardo A. Huberman, David R. Johnson, Brian Kahin, Jessica Litman, Clifford Lynch, Miranda Mowbray, Bonnie Nardi, David F. Noble, Andrew M. Odlyzko, Ilya Prigogine, David Post, Eric S. Raymond, David Ronfeldt, Pamela Samuelson, Abigail Sellen, Linus Torvalds, Hal R. Varian, and Richard Wiggins.

    Thanks to beSpacific for the pointer to this article.

    Posted by dougsimpson at 05:00 AM

    August 27, 2003

    Netwar Arms Locker for RIAA

    Wired briefly sketches the new netwar weapons coded to counterattack MP3 file swappers: "Monsters of Rock". References codenames "Antinode", "Fester", "Freeze", "Shame", "Silence", "Suck" and "Tattle". Some of these tools mimic the tactics of Internet worms and viruses and bandwidth-draining DNS attacks. Others use "disinformation" tactics to create and direct MP3-seeking traffic to fake supernodes. Reminiscent of international netwar scenarios. Is all fair in love and war?

    RAND Corporation:
    * The Advent of Netwar
    * Networks and Netwars: The Future of Terror, Crime, and Militancy

    Information Warfare, Cyberwar - Future of Internet & Computer Warfare (Infosyssec, current)

    Bracing for guerrilla warfare in cyberspace (CNN, 1999)

    The Great Cyberwar of 2002 (Wired, 1998) Fiction by John Arquilla, Pentagon advisor and professor of information warfare at Naval Postgraduate School.

    CYBERWAR IS COMING! (1993) Introduction of "cyberwar" and "netwar" by John Arquilla and David Ronfeldt of RAND

    Posted by dougsimpson at 07:30 AM

    August 20, 2003

    Reading: Schneier, Secrets & Lies

    Professionals using the Internet need to understand the principles and limits of cyberspace security processes as they use digital tools to communicate with clients and service providers. For the beginner and intermediate user of digital tools, a valuable book is one our friend and e-Lawyer commentator Ron Friedman recommended to me, which I just finished: Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier (Wiley, 2000). Schneier is a cryptography specialist and author of "Applied Cryptography" (1993). In Secrets & Lies, he provides specific and practical guidance to maximizing the security you can obtain in your digital environment.

    Read the rest of this comment on Secrets & Lies in my extended posting at: eLawyer Blog.

    Posted by dougsimpson at 04:57 PM

    August 13, 2003

    IPJ Pans Proposed EU Directive on IP Enforcement

    In January 2003, an EU Directive was proposed to standardize enforcement of intellectual property law within the European Community. The document detailed the perceived needs for which the solutions were proposed, including the implementation of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement). The proposal has met with criticism, most recently by IP Justice, which describes itself as "an international civil liberties organization that promotes balanced intellectual property law in a digital world." On August 11, IP Justice released its "IPJ White Paper: Overbroad Provisions Threaten Civil Liberties, Innovation and Competition."

    The IPJ paper opens with the charge that the proposal "contains a number of seriously troubling provisions that threaten innovation and competition and endanger the civil rights of all Europeans. Specifically, Article 9 creates broad and easily abused subpoena powers for intellectual property holders to obtain personal information on consumers. And Article 21 mandates a ban on technical devices that threatens innovation, competition, the fair use (fair dealing), and free of expression rights of Europeans."

    Posted by dougsimpson at 08:51 PM

    August 08, 2003

    Odlyzko: Net and DRM Enable Price Discrimination

    A.P. reports in Digitally informed: Is price discrimination the next big trend in e-commerce? that recent studies by U. Minn. Professor Andrew Odlyzko suggest that digital rights management (DRM) may enable increasing price discrimination among customers using the Net for purchases. Professor Odlyzko, a mathematician formerly with Bell Labs, has been publishing scholarly articles about electronic publishing, e-commerce and security issues of the Internet for many years. His "Privacy, Economics, and Price Discrimination on the Internet" (A. M. Odlyzko. Proc. ICEC03, ACM, 2003) is available at his page at the Digital Technology Center, where he is Assistant Vice President for Research, and DTC Director.

    Posted by dougsimpson at 09:49 AM

    August 05, 2003

    "Copyright and Digital Media in a Post-Napster World"

    GartnerG2 and The Berkman Center for Internet & Society at Harvard Law School released "Copyright and Digital Media in a Post-Napster World". This 45-page white paper reviews basics of US and EU copyright law, the impact of digital technologies on the business models for music, movies, television and books. It includes briefs of cases dealing with fair use, the DMCA, constitutional issues, e-publishing rights and non-copyright laws protecting creative control or distribution, as well as sketches of pending legislation.

    It includes a description of various forms of Digital Rights Management (DRM) tools that embody a rights model, such as Open Digital Rights Language (ODRL), extensible rights markup language (XrML), content scrambling system (CSS) and Johansen's DeCSS program, the Secure Digital Music Initiative (SDMI) and Macrovision's CDS-300.

    The authors suggest that the history of "launch and crack" associated with DRM systems will continue, and "points to a longer-term requirement for media companies and copyright holders to shift away from a mindset of absolute control over every piece of content." (white paper, p. 38). The authors also suggest that using technology to enforce copyright rights cannot map the evolving doctrine of fair use, pointing to Prof. Lessig's writings on code as law. Further, they say, such control stifles or penalizes innovation. They close the DRM section by introducing GartnerG2's concept of "perfectly portable content," described in the paper.

    The paper closes with some editorial remarks and a promise of another publication to be released addressing five scenarios of possible outcomes under different assumptions of the playout of tech, business, legislative and legal developments.

    Source: "Unintended Consequences" at DougSimpson.com/blog

    Posted by dougsimpson at 03:32 PM

    Critique of DRM Proposal for Recordings

    Swedish attorney and writer Mikael Pawlo, in Professor Fisher and the Red Eye, comments on the news of the professor's proposal of a system where "the creator of a recording would register it with the U.S. Copyright Office and would receive, in return, a unique file name, which would be used to track Internet transmissions of the work. The government would tax devices and services used to gain access to digital entertainment. The primary target of such a tax would be ISP access." The professor's own draft explication of his proposal is online at Berkman Center.

    Pawlo warns that a Digital Rights Management (DRM) scheme and prohibition of copying for what would otherwise be "fair use" is implied in the proposal. He argues that such DRM would sacrifice privacy in favor of copyright protection. Pawlo argues instead for levies on recordable media, such as blank CD-Rs, with the resulting revenue being distributed to copyright proprietors by the collecting societies based upon statistical measures comparable to Nielsen ratings. Conceding that levies are less efficient than a DRM system, he favors their greater protection of individual privacy rights.

    William Fisher is a professor at Harvard Law School and the director of the Berkman Center for Internet & Society.

    From "Unintended Consequences" at DougSimpson.com/blog

    Posted by dougsimpson at 08:58 AM

    July 04, 2003

    Reading: Lessig, Code

    Professor Lessig raises fundamental constitutional debates in "Code and Other Laws of Cyberspace" (Basic Books, 1999). He maintains that "code is law," and that the freedom found in cyberspace's early years is due only to choices made by those architecting it. He sees the introduction of commerce to cyberspace as "constructing an architecture that perfects control -- an architecture that makes possible highly efficient regulation." (Lessig, Code, p. 6). He then argues for the maintenance of a creative commons to check controversial forms of control over cyberspace.

    A few thoughts about the book follow:

    Four themes repeat throughout the book's discussion of the tension between relatively perfect freedom and relatively perfect control in cyberspace:

  • Regulability - "the capacity of government to regulate behavior within its proper reach;"
  • Regulation by Code - upon which government's ability to regulate depends;
  • Competing Sovereigns - conflicts of authorities in cyberspace and real space;
  • Latent Ambiguity - hard choices balancing core values, with real space tools providing little guidance.

    Prof. Lessig maintains that the nature of cyberspace is about to flip from unregulability to regulability, through the use of "architectures of control." As examples, he introduces digital certificates, encryption and the public key infrastructure (PKI). He considers recent history of government action to increase the regulability of the Net, including requiring copy degradation in Digital Audio Tape (DAT) systems; the "V-Chip" in televisions; the failed "Clipper Chip" initiative and the 1998 Digital Millennium Copyright Act (DMCA) ban on software designed to defeat copyright management schemes.

    He suggests that indirect governmental regulation could come through facilitating a certificate-rich Net, in which users must provide digital credentials to access certain services. He finds that increasing commercial applications on the Net increases government's ability to regulate indirectly. "When commerce writes code, then code can be controlled, because commercial entities can be controlled." Id p. 53.

    He also sees certification tools as enabling regulation across state and international borders in ways not practical today. "With a simple way to verify citizenship, a simple way to verify that servers are discriminating on the basis of citizenship, and a federal commitment to support such local discrimination, we could easily imagine an architecture that enables local regulation of Internet behavior." Id p. 55-56. Lessig sees the market forces pressing towards the "zoning" of cyberspace based upon individual users' certificate qualifications.

    Lessig ends the first part of the book with a public policy question for the reader:
    "How the code regulates, who the code writers are, and who controls the code writers -- these are questions that any practice of justice must focus in the age of cyberspace. The answers reveal how cyberspace is regulated. My claim in this part of the book is that cyberspace is regulated, and that the regulation is changing. Its regulation is its code, and its code is changing." Id. p 60.

    Prof. Lessig introduces a schematic of an individual as a dot, surrounded by four larger dots titled Architecture, Market, Norms and Law, each a source of constraints upon the individual. He reminds us that Law can modify the influence of the other three on the individual, and thereby constrain indirectly. He criticizes indirect regulation because "it muddies the responsibility for that constraint and so undermines political accountability. If transparency is a value in constitutional government, indirection is its enemy." Id p. 96.

    He also uses the concept of constitutional "translation," and offers the example of the dissent of Justice Brandeis in Olmstead v. United States, 277 U.S. 438 (1928). In Olmstead, the Court decided that a telephone wiretap did not violate the Fourth Amendment because it was not a physical trespass. Brandeis argued that the Amendment should be translated so as to preserve its meaning despite changes in the technology since its enactment. Prof. Lessig says that Brandeis "wanted to read it differently, we would say, so that it protected the same" and points to this dissent as "a first chapter in the fight to protect cyberspace." Lessig, op cit, p. 116. Brandeis' dissenting viewpoint was not adopted until 1967, with the decision in Katz v. United States 389 U.S. 347 (1967), in which Justice Stewart's opinion created the "reasonable expectation of privacy," the core value of which was the protection of people, not places.

    Regarding intellectual property, Prof. Lessig notes that at least two sorts of property protection are possible in cyberspace: "One is the traditional protection of law. The other protection is a fence, a technological device (a bit of code) that (among other things) blocks the unwanted from entering." Lessig, op cit p 122. He credits to a former research assistant the idea that: "since the intent of the 'owner' is so crucial here, and since the fences of cyberspace can be made to reflect that intent cheaply, it is best to put all the incentive on the owner to define access as he wishes. The right to browse should be the norm, and the burden to lock doors should be placed on the owner." Id. p. 123. This raises the basic question, says Prof. Lessig: "Should the law protect certain types of property -- in particular, intellectual property -- at all?" Id. p. 123.

    Prof. Lessig goes on to assert that private fences (code) can displace public law as the primary protector of intellectual property in cyberspace. "We are not entering a time when copyright is more threatened than it is in real space. We are instead entering a time when copyright is more effectively protected than at any time since Gutenberg. The power to regulate access to and use of copyrighted material is about to be perfected." He goes on to point to Mark Stefik's work concerning "trusted systems" used to track and control copies of copyrighted material. "What copyright seeks to do using the threat of law and the push of norms, trusted systems do through the code." Lessig, op cit p. 130.

    But the professor points out that public interests lie with not giving perfect control to the owners of intellectual property. "The law has a reason to protect the rights of authors, at least insofar as doing so gives them an incentive to produce. With ordinary property, the law must both create an incentive to produce and protect the right of possession; with intellectual property, the law need only create the incentive to produce." Id. p. 133. Fair use, for example, is one limit of copyright law, a limit "constitutionally structured to help build an intellectual and cultural commons." Id. p. 135. The limited duration of copyright protection is another. Lessig asks if private code built to protect intellectual property will also be written to include 'bugs' like fair use and limited terms of protection, concluding that "Loss of fair use is a consequence of the perfection of trusted systems." Id. p. 137.

    Another loss is anonymity -- trusted systems need to track use and charge for it, yet monitoring destroys anonymity. Under the "Cohen Theorem," says Prof. Lessig, reading anonymously is "so intimately connected with speech and freedom of thought that the First Amendment should be understood to guarantee such a right," quoting an article in Conn. Law Review 28 (1996) (p. 981, 982). Lessig argues that cyberspace should be architected to preserve a commons to replace that inherent before code made possible "perfect control," pointing the reader to Boyle, "Shamans, Software and Spleens" (Harvard Univ. Press 1997).

    Chapter 11 deals with privacy, and suggests three elements behind the constitutional concept of privacy: 1) to minimize intrusion (the right to be left alone); 2) preserve dignity; 3) constrain the power of the state to regulate. The author sees encryption as improving privacy, but argues also for "a kind of property right in privacy" (Id. p. 160), and explains why his position is different for privacy rights than it is for intellectual property rights: "In the context of intellectual property, our bias should be for freedom. *** We should take a grudging attitude to property rights in intellectual property; we should support them only as much as necessary to build and support information regimes." Id. p. 162.

    Prof. Lessig sees the architecture of the Net as a top protector of free speech, through which architecture the First Amendment (in code) has been effectively exported to the world. One way that happened is by removing architectural restraints on instant global publication of information and opinions, but also removing the function of a publisher that would edit for truth and establish a reputation. "In a world where everyone can publish, it is very hard to know what to believe." Id. p. 171. He addresses means of using the architecture in the application space to control troublesome content such as pornography within the limits of Ginsberg v. New York, comparing a "zoning" approach to a "filtering" approach. He also warns about the hazards of filtering that is both perfect and invisible, and argues for less control over speech than over privacy, and less control over intellectual property.

    Code becomes more abstract in its later chapters as it addresses the latent ambiguities inherent in the conflicts and overlaps of competing sovereigns with interests in behavior in cyberspace. "We should understand the code in cyberspace to be its own sort of regulatory regime, and that this code can sometimes be in competition with the law's regulatory regime." Id. p. 205. He sees the emergence of globally unified regulation through code, shifting power from sovereigns to software, suggesting to the reader a reading of Wriston's "The Twilight of Sovereignty" (Scribner 1992). He also sees a certificate-rich Net as re-enabling sovereigns to claim some of their authority: "Sovereigns get this. They will come to understand that there is a different architecture for the Net that would enable their own control. When they do, they will push to facilitate the predicate to this architecture of regulability -- certificates. And when they do, we again will have to decide whether this architecture of regulability is creating the cyberspace we want." Id. p. 207-208.

    An important, thought-provoking book that should be required reading, and re-reading, for any student of cyberspace and the modern world.

    Lawrence Lessig, "Code and Other Laws of Cyberspace" (Basic Books, 1999).

    Posted by dougsimpson at 05:02 PM

    June 19, 2003

    Grimmelmann on Accidental Privacy Spills

    The "most read" story about privacy at Yale's LawMeme site is LawMeme - Accidental Privacy Spills: Musings on Privacy, Democracy, and the Internet. In this February 2003 piece, James Grimmelmann reminds us about the story of an individual who sends an informal but lengthy and broadly interesting email to a few friends, thinking it will be kept private, and within two weeks finds it picked up on MetaFilter, republished and discussed throughout the Internet. Of course, the author was Laurie Garrett, a Pulitzer Prize-winning science journalist and author, and the story was a chatty report of the goings-on she saw inside the controversial Davos conference of the World Economic Forum.

    Grimmelmann's comprehensive and thoughtful posting muses about the social and ethical situation where one's informal email "crosses the bloodstream" and becomes a digital global phenomenon, and the revelations that the story has for privacy and the Internet. He insightfully notes that despite all the high-powered security technology one may employ, the weak link is always the unscrupulous, tactless or just plain clumsy person who has access to private information and lets it out. As he notes, "people make secure systems insecure because insecure systems do what people want and secure systems don't."

    He also notes that in the age of cheap, ubiquitous scanners, even paper-based writings can be spread throughout the world in a matter of hours. The "CLICK-FORWARD" world that caught Laurie Garrett is becoming the "SCAN-FORWARD" world of tomorrow. As Grimmelmann observes: "The problem isn't just that the Internet is leaky; the Internet makes everything leaky."

    The entry includes several reader comments on Grimmelmann's piece that reflect on whether various new technologies such as Microsoft's Palladium or Microsoft's Digital Rights Management tools might have been useful in this context. Such tools are designed to allow one to control with whom particular content may and may not be shared, at the architectural layer of the information medium, and have become of commercial interest in the context of peer-to-peer file sharing via Napster, Kazaa, etc.

    Grimmelmann also cites a February 2000 paper, "What the Publisher Can Teach the Patient: Intellectual Property and Privacy in an Era of Trusted Privication" by Jonathan Zittrain of Harvard Law School, about the application of technology tools developed for the music industry to the preservation of personal medical information (an application of interest to those subject to HIPAA compliance). The point is to change an "Era of Promiscuous Publication" to an "Era of Trusted Privication": "one in which a well-enforced technical rights architecture would enable the distribution of information to a large audience while simultaneously, and according to rules generated by the controller of the information, not releasing it freely into general circulation."

    Both articles are valuable reading to anyone dealing with privacy and the Internet.

    Posted by dougsimpson at 10:13 PM

    Prism Legal Comments on Doc Mgt

    Prism Legal Consulting's blog, Strategic Legal Technology, commented on one large law firm's choice of document management outsourcer. Ron Friedman at Prism brings much experience in the field of customizing technology to law firms. His blog is one to watch develop. I look forward to him commenting on Digital Rights Management tools, increasingly valuable to comply with Gramm-Leach-Bliley and HIPAA.

    Also, he was kind enough to add Unintended Consequences to his BlogRoll. Thanks, Ron.

    Posted by dougsimpson at 06:57 AM