February 28, 2012

EU Court of Justice: Social Networks Can’t Be Forced to Monitor and Filter to Prevent Copyright Infringement

February 17, 2012 | By Gwen Hinze

In another important victory for Internet users’ fundamental rights and the open Internet, the highest court in Europe ruled yesterday that social networks cannot be required to monitor and filter their users’ communications to prevent copyright infringement of music and movies.  The European Court of Justice (ECJ) found that imposing a broad filtering obligation on social networks would require active monitoring of users’ files in violation of EU law and could undermine citizens’ freedom of expression.

The SABAM v. Netlog decision follows a landmark ruling by the ECJ in the SABAM v. Scarlet Extended case in November 2011, where the Court held that a Belgian ISP (Scarlet) could not be required to adopt a system to filter and block the transfer of potentially copyright infringing music files on its network. In that case, the Belgian copyright collective management organization SABAM had obtained an injunction (a court order) against the ISP, requiring it to install a system that would filter all of its users’ communications for potential copyright-infringing material.

Yesterday’s ruling also involved SABAM. It had sought a similarly broad injunction against Belgian social media platform Netlog.  The 2001 EU copyright directive mandates that copyright holders be able to obtain injunctions against intermediaries whose services are used by third parties to infringe copyright, but that is bounded by other EU obligations, including protection of citizens’ fundamental rights. The ECJ was asked to rule on the permissible scope of these injunctions, given their impact on Internet users’ fundamental rights and online service providers’ businesses.

The ECJ found that forcing Netlog to install a filtering system that would identify and prevent its users from making available any potentially copyright infringing files would require “active observation” of Netlog’s users. Following the 2011 SABAM v Scarlet decision, it held that implementing such a system would fall afoul of the key principle in Article 15 of the EU e-Commerce Directive, which prohibits EU member states from imposing a general obligation on ISPs and hosting services to monitor information they transmit or store, or to actively seek facts or circumstances that indicate illegal activity.

The Court also criticized the injunction on a second basis. In the 2011 Scarlet ruling and the 2008 Promusicae v. Telefonica decision, the ECJ held that in adopting measures to protect copyright holders, EU member states and courts must strike a fair balance between the protection of copyright, and the protection of the fundamental rights of individuals and businesses who are affected by those measures. The Court found that the filtering system being sought by SABAM required the identification, systematic analysis, and processing of information connected with the profiles of Netlog’s users. This would violate Netlog’s users’ right to protection of their personal data, enshrined in Article 8 of the Charter of Fundamental Rights of the EU. In addition, because the filtering system could not effectively distinguish between lawful and unlawful content, it could block lawful content, and undermine Netlog users’ right to receive and impart information protected under Article 11 of the Charter.

Given the protection required of citizens’ fundamental rights under the Charter of Fundamental Rights, the ECJ concluded that courts in EU countries can’t issue injunctions against hosting service providers that require them to install a filtering system with features as broad as the one in this case, which (a) was directed at information stored on the hosting platform’s servers by its users, (b) applied indiscriminately to all its users, (c) was installed as a preventative measure (requiring hosting services to decide whether content is infringing), (d) was at the sole expense of the hosting provider, and (e) applied for an unlimited period of time.

So what does all this mean? Here are a couple of our thoughts.

The ECJ ruling is directed at EU member countries, but it will have significant implications for the future of the global Internet. Injunctions are one of several strategies that intellectual property rightsholders have been pursuing to force Internet intermediaries to become copyright police. In countries around the world, IP rightsholders have used injunctions to impose filtering, blocking and user termination obligations on Internet intermediaries. These efforts are likely to expand under ACTA, because it requires signatory countries to make available broad injunctions to IP rightsholders, including temporary injunctions while a case is pending. By precluding pre-emptive filtering and blocking injunctions, the SABAM v. Scarlet and SABAM v. Netlog rulings set an important limit on this strategy for EU countries.

Because injunctions are issued by courts, usually after a process of weighing up all affected parties’ interests, measures imposed in this way theoretically provide better protection for Internet users than those adopted in private party voluntary agreements such as those we’ve seen in Ireland and Belgium. As we’ve noted elsewhere, Internet intermediaries are not competent to make legal determinations about whether particular content or conduct infringes copyright. Copyright holders’ efforts to require Internet intermediaries to take on this role under the guise of greater “co-operation” raise serious concerns about due process, transparency and accountability, and online free expression. In that respect, we welcome the ECJ’s clarification on the scope of injunctions available under EU law.

At the same time, we recognize that the ECJ’s Scarlet and Netlog decisions will now lead to increased lobbying pressure from rightsholder groups to change EU law, perhaps as part of the European Commission’s review of the 2004 Intellectual Property Rights Enforcement Directive. Let’s hope that EU policymakers approach this in as thoughtful and balanced a way as the ECJ.

What Does It Mean to be “Pro-Technology and Pro-Internet?”

February 24, 2012 | By Mitch Stoltz

Ahead of the Academy Awards this weekend, Chris Dodd, head of the Motion Picture Association of America, would like to assure you that "Hollywood is pro-technology and pro-Internet." But what does that mean? The comments filed at the Copyright Office this month by MPAA and RIAA, together with the Business Software Alliance, the Entertainment Software Association, and other copyright owners' groups, paint a clear picture of these groups' vision for the future of the Internet and digital technologies.

EFF is asking the Copyright Office for legal exemptions to the Digital Millennium Copyright Act to allow jailbreaking (or "rooting") of smartphones, tablets, and game consoles, so that people can run their software of choice on the devices they own. EFF is also asking for exemptions that will allow noncommercial video remixers to use video clips from DVDs and online video services. Other organizations are asking for exemptions for various forms of digital video, accessibility for the disabled, and other important projects. Under the DMCA, exemptions expire every three years, and have to be justified all over again. Many of you sent comments and signed petitions in support of EFF's exemption requests, and the Copyright Office received almost 700 comments.

MPAA and friends don't approve of a single one of the exemption requests. "The risk associated with encouraging people to circumvent and test the limits of fair use is too high," they say, and the makers of computing devices should be able to stop "unintended uses" of their products. In fact, say the entertainment lobbies, giving you the ability to modify your own devices for your own use will "wreak havoc" on "markets for consumer access to works."

Let's unpack this. Almost everything we do on the Internet or with digital media makes a copy—even viewing a webpage. In many cases, the fair use rule of copyright law is what keeps these everyday activities from being copyright violations. But proving definitively that a use is fair often requires a courageous artist or entrepreneur to go to court and risk massive penalties for the chance of having a judge say that what they're doing is legal. According to the entertainment lobbies, the U.S. government should not encourage people to do this.

Ironically, most of the devices that let us create and experience movies, music, software, and so on "test the limits of fair use"—and many have wound up in court. If this were discouraged, we may never have had the VCR, the MP3 player, the digital video recorder, image-searching websites, or social networks—at least not without asking the entertainment industries' permission first. 

And speaking of permission, MPAA regrets that "the Copyright Office missed an opportunity to endorse" the custom of "asking permission" before innovating.

So what should the Copyright Office be doing? MPAA et al. humbly suggest that the Office should be protecting the "ongoing viability of business models" that create "predictability with respect to how works will be accessed and how copyrighted software and technologies used to facilitate such access will be used and manipulated." You won't find that in any law, although it sounds a lot like the goals of the now-defunct SOPA and PIPA bills. Again, let's look behind the euphemisms: the entertainment lobbies want the U.S. government to protect their members' bottom lines by regulating how digital technologies can be used. Only uses that receive Hollywood's permission, and are "predictable," should pass muster.

Apparently this is what Mr. Dodd means when he says "Hollywood is pro-technology and pro-Internet": technology that blocks "unintended uses" and an Internet subject to Hollywood's veto power. SOPA and PIPA may be dead, but the agenda behind them seems alive and well.

How Internet Companies Would Be Forced to Spy on You Under H.R. 1981

February 23, 2012 | By Rainey Reitman

Online commentators are pointing to the Internet backlash against H.R. 1981 as the new anti-SOPA movement. While this bill is strikingly different from the Stop Online Piracy Act, it does have one thing in common: it’s a poorly-considered legislative attempt to regulate the Internet in a way experts in the field know will have serious civil liberties consequences. This bill specifically targets companies that provide commercial Internet access – like your ISP – and would force them to collect and maintain data on all of their customers, even if those customers have never been suspected of committing a crime.

Under H.R. 1981, which has the misleading title of Protecting Children From Internet Pornographers Act of 2011, Congress would force commercial Internet access providers to keep for one year a “log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.”  Let’s break that down into simple terms.

Temporarily Assigned Network Addresses: More than IP Addresses

Under this proposal, ISPs would have to maintain “temporarily assigned network addresses” to enable the identification of a subscriber. At a minimum, this refers to the IP addresses assigned by ISPs, including the Internet services associated with mobile phones.  It could also potentially include mobile phone numbers or other forms of cell phone identification, such as the three major mobile device identifiers: IMEI, IMSI, TMSI. These are the tracking IDs for your mobile devices, the unique identifiers that mobile phone companies use to track handsets and the accounts associated with them.

IP Addresses Aren't a Perfect Identifier

An IP address is like a street address or a phone number; it's the arrow that points packets of information your way when people send you things over the Internet. But it cannot tell you who is actually sitting behind a computer screen, typing at a computer.

Currently IP addresses by themselves aren’t a perfect way to identify individuals. One reason is that there are only a limited number of IPv4 addresses (the current schema most ISPs use to allocate IP addresses), and so there are many situations in which a bunch of Internet users are sharing a single IP address. This strategy, called Network Address Translation (NAT), is a creative way to deal with the shortage of IP addresses while we are still in the protracted process of transitioning to IPv6. All of which is to say: H.R. 1981 mandates that companies keep a log of assigned network addresses in order to identify customers, but IP addresses are only one clue in figuring out a user's identity.
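The lookup such a log supports, as an added example that is not part of the original article or the bill text: a constructed assignment log is queried for who held an address at a given time, and a NAT-shared address, or a timestamp close to a reassignment, returns several candidates rather than one person. The log layout, the subscriber IDs and the `skew_minutes` tolerance for clock error are assumptions made for illustration, and the clock-error case goes slightly beyond the NAT case the text describes.

```python
from datetime import datetime, timedelta

# Constructed sample of an address-assignment log of the kind a retention
# mandate would produce: (address, subscriber, lease start, lease end).
# Addresses are from documentation ranges; subscriber IDs are made up.
LEASES = [
    ("198.51.100.7", "sub-1001", "2012-02-01T08:00", "2012-02-01T20:00"),
    ("198.51.100.7", "sub-2002", "2012-02-01T20:05", "2012-02-02T09:00"),
    # One public address shared by several subscribers behind a NAT gateway.
    ("203.0.113.50", "sub-3003", "2012-02-01T00:00", "2012-02-03T00:00"),
    ("203.0.113.50", "sub-4004", "2012-02-01T00:00", "2012-02-03T00:00"),
    ("203.0.113.50", "sub-5005", "2012-02-01T12:00", "2012-02-02T12:00"),
]


def _ts(text):
    """Parse the minute-resolution timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def candidates(address, when, skew_minutes=0, leases=LEASES):
    """Return every subscriber who may have held `address` at `when`.

    `skew_minutes` widens each lease window to allow for disagreement
    between the clock that stamped the event and the ISP's clock
    (an assumption of this example, not something the bill specifies).
    """
    moment = _ts(when)
    skew = timedelta(minutes=skew_minutes)
    return sorted(
        sub
        for addr, sub, start, end in leases
        if addr == address and _ts(start) - skew <= moment <= _ts(end) + skew
    )


def classify(address, when, skew_minutes=0, leases=LEASES):
    """Label a lookup as 'none', 'unique' or 'ambiguous'."""
    found = candidates(address, when, skew_minutes, leases)
    if not found:
        return "none", found
    return ("unique" if len(found) == 1 else "ambiguous"), found


if __name__ == "__main__":
    for query in [
        ("198.51.100.7", "2012-02-01T12:00", 0),   # dynamic address, mid-lease
        ("198.51.100.7", "2012-02-01T20:02", 5),   # near a reassignment
        ("203.0.113.50", "2012-02-01T13:00", 0),   # NAT-shared address
    ]:
        print(query, "->", classify(*query))
```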

IP Addresses: Useful for Location Tracking

But there’s another element many commentators are forgetting: even if a single IP address isn’t a perfect identifier, a collection of IP addresses assigned to a user can be combined with other data elements to create a frighteningly detailed map of a person’s location over time. For example, law enforcement could review the IP addresses an individual used to log onto her email account over the period of several months to create a detailed picture of when she was at home, when she went to work, when she was in transit, and when she went to sleep – and whether there were certain days she deviated from her typical schedule.

IP addresses can also indicate information about a user's physical proximity to other users. For example, if two people are using the same IP address at the same time, they are likely at the same location. Law enforcement might be very interested in how IP addresses can indicate one's associations in this way.

Law enforcement could also demand that a social network hand over the IP addresses and logged-in times of an individual using its service. Law enforcement could then combine this information with data from an ISP or mobile carrier to figure out who was assigned to each of those IP addresses. For mobile providers, each entry could be combined with data about one’s GPS location. So a law enforcement agent could know when an individual was posting to a social network as well as her location. ISPs will be slightly less exact but still provide a detailed portrait of an individual’s physical location each time she logged in.

This is no nightmare scenario. This is exactly what the U.S. government attempted when it pressured Twitter to hand over Icelandic parliamentarian Birgitta Jónsdóttir’s data as part of the WikiLeaks investigation. And we’ve seen numerous other occasions where law enforcement pressured Internet companies to hand over the IP addresses and times of individuals using their services.

Law enforcement is coming to understand that IP addresses are a powerful key to location data and to tracking people's movements over time. But in order for this data to be most useful to them, they need ISPs and mobile carriers to keep records of who is assigned to which IP addresses, and when.

The Supreme Court has already decided that tracking an individual’s car with a GPS device for months at a time without a search warrant is blatantly unconstitutional.  But by passing H.R. 1981, law enforcement hopes to create a mountain of data that will facilitate the location tracking of anyone who uses the Internet, if that person is under suspicion for any reason in the coming year.

Detailed Banking Information

Because the actual language of the bill is somewhat vague, activists at Demand Progress have correctly noted that this legislation might force Internet companies to retain even more data just to be on the safe side. The proposed bill is an amendment to 18 USC § 2703, the law currently defining the circumstances under which companies that store electronic data on customers must disclose it to the government. H.R. 1981 is attempting to amend and expand this law in a way that “enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.”

So what is subsection (c)(2)?  It requires a provider to turn over to the government without a warrant:

  • Name
  • Address
  • Records of session times and durations
  • Length of service (including start date) and types of service utilized
  • Credit card or bank account number

The language of H.R. 1981 is dangerously unclear – it would definitely require a network to maintain an historical log of IP addresses, but will ISPs believe it also requires them to maintain detailed records on customers’ addresses, credit card, and bank information? Such an interpretation would create a honeypot of sensitive data ripe for overly ambitious law enforcement agents, malicious hackers, or even accidental disclosures.

This Attack on the Internet Has Nothing to Do With Child Pornography

H.R. 1981 is touted as a way to crack down on child pornography, but the data retention mandates of this bill will affect every Internet user who uses a U.S. ISP.  It’s sad to see our legislators using the mantle of child pornography to order Internet companies to spy on users, forcing ISPs to keep mountains of unnecessary data about innocent Internet subscribers in the hopes that it might one day be useful to law enforcement.  That’s exactly why Representative Zoe Lofgren proposed an amendment to rename the bill the 'Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act of 2011.'

This type of legislation goes against the fundamental values of our country where individuals are treated as innocent until proven guilty. H.R. 1981 would uproot this core American principle, forcing ISPs to treat everyone like a potential criminal. 

Help us defeat the Internet spying bill. Contact Congress today.
