DeepLinks Archives, September 2008
Noteworthy news from around the internet.
Court Protects Privacy of Satellite Receiver Owners
Legal Analysis by Fred von Lohmann
Last month, EFF filed an amicus brief in Echostar v. Freetech, where Echostar sought the identities of every consumer who purchased a Freetech "CoolSat" free-to-air (FTA) satellite receiver during the past five years. EFF argued that this demand, issued in discovery in a lawsuit between Echostar and Freetech, represented an unwarranted intrusion into the privacy of individual consumers. Today, the court agreed, issuing an order blocking Echostar's subpoenas.
The ruling potentially sets an important precedent, as it represents the first time a federal court has explicitly rejected a third-party subpoena on the basis of the privacy interests of nonparty consumers.
Echostar is the company behind the DISH satellite TV service. Freetech makes receivers for unencrypted, free-to-air satellite transmissions (there are many free, unencrypted satellite channels). In December 2007, Echostar sued Freetech, alleging that the Freetech CoolSat receiver was specifically designed for after-market modification to enable unauthorized reception of DISH programming. According to Echostar, Freetech "sold thousands of these FTA Receivers to consumer pirates for the sole purpose of circumventing [Echostar]'s Security System."
In the course of discovery, Echostar sent subpoenas to the distributors of CoolSat receivers, demanding that they hand over their customer lists, including the name, address, email address, and purchase details for every person to have purchased a CoolSat receiver over the past 5 years.
As EFF explained in its amicus brief, these subpoenas represent a serious intrusion into the privacy of legitimate purchasers of these FTA receivers. Not only would it be an intrusion to be contacted by Echostar about a device you purchased months or years ago, but other satellite TV companies have used customer lists to launch mass litigation campaigns against consumers. After DirecTV obtained similar customer lists in litigation in 2001, it sent more than 170,000 letters to individuals demanding "settlements" of $3,500.
In refusing to allow Echostar to obtain the CoolSat customer lists, the court specifically weighed Echostar's need for the information against the privacy interests of the customers whose information would be disclosed. The court expressed concern that "both those who purchase the FTA receivers for proper and improper purposes will be swept up in the process." The court went on to conclude that "the requests for customer lists, therefore, could lead to the perceived harassment of legitimate users and a concomitant chilling effect on the purchase and lawful use of Freetech's FTA receivers."
Kudos to the court for keeping the privacy interests of nonparties in mind as commercial litigants dispatch third-party subpoenas that would otherwise carelessly intrude into the lives of individual consumers.
And Walmart Makes Three: Another Music Service Plans to Shut Down DRM Support
Deeplink by Corynne McSherry
Following in the footsteps of MSN Music and Yahoo! Music, Walmart has notified customers that it will be shutting off its DRM servers in less than two weeks. Walmart's been selling DRM-free music since February, but anyone who bought music before that date will not be able to transfer those songs to “unauthorized computers,” or access the songs after changing operating systems. Walmart, like MSN and Yahoo!, advises customers to back up their music to a CD if they want to be able to access it in the future. So, Walmart customers get to invest more time, labor and money in order to continue to enjoy the music for which they have already paid.
We’ve warned music fans for years that they could lose their DRM-wrapped music if vendors decided to withdraw support for it. So we're not surprised that three major vendors have done just that. What is surprising is that Walmart has not learned from MSN Music and Yahoo! Music's experience and made some effort to make things right with its customers. When consumers protested the shutdown of its DRM servers, MSN Music decided to delay that shutdown until 2011. Yahoo! decided to go ahead with its shutdown, but offered refunds to customers damaged by the cutoff. Notwithstanding this recent history, Walmart is still willing to make customers pay the price for the retailer's own faulty business decisions.
We'll tell Walmart what we told MSN Music and Yahoo! Music: To make things right, the company should do the following:
• Issue a full public apology to its customers.
• Offer to refund the purchase price of the affected downloads or, at the customer's option, provide replacements from an online store that offers the same tracks in a DRM-free format.
• Ensure that all Walmart buyers have (or have permanent access to) receipts identifying dates, amounts, and titles purchased, so they have proofs of purchase. Or, better yet, offer to cover their legal costs if they are hit with a copyright infringement claim based on a DRM-crippled song purchased through Walmart.
We hate to sound like, um, a broken record, but this is yet another demonstration that DRM is bad business. It's bad for the consumers who don't actually own the music they pay for; it's bad for the rightsholders who lose out when legal copies of their songs are worth less than illegally obtained copies; and it's bad for the companies that must choose between maintaining a defective technology or violating the trust of their customers.
minilinks for 2008-09-26
Deeplink by Hugh D'Andrade
- Spore Makers Sued for Duplicitous DRM
Game maker Electronic Arts is facing a lawsuit for the use of copy protection that secretly installs a restrictive program on a user's computer.
- ISP: It's Impossible For Us to Stop Illegal P2P
A Belgian ISP, ordered by a court to stop illegal file-sharing, now says that effective filtering is impossible.
- Analysis on EFF's Case Against the NSA
ArsTechnica's Julian Sanchez has some thoughts on the implication of EFF's new case against the government.
- MySpace Music Debut
MySpace has teamed up with four major labels to offer unlimited streaming music supported by advertising.
- Chrome for Privacy Fanatics
A spinoff from Google's new browser, called Iron, offers to make protecting user privacy the browser default.
- The End of Video Sharing?
NBC says it has been successful in protecting videos, and has managed to keep the Olympics and recent SNL skits from popping up on YouTube.
- Encryption Mandatory in Nevada?
A new law appears to require that all transmissions over the Internet be protected with encryption. How times have changed!
- Wiretap This!
A supporter has put our new NSA wiretapping graphic on a shirt — all proceeds to be donated to EFF!
YouTube Anti-Scientology Takedowns: Good News, Bad News
Commentary by Eva Galperin
Now that the dust has settled on the anti-Scientology video takedown controversy, it's time to take stock. For those of you who missed this one: on September 4th and 5th, hundreds and possibly thousands of videos critical of the Church of Scientology were taken down as a result of DMCA notices reportedly sent by American Rights Counsel, Dr. Oliver Schaper, the Schaper Company, Media House Enterprises, and ContentFactory America. It rapidly became clear that these entities did not hold the copyrights to the materials they claimed to be infringed, including footage from a Clearwater City Commission meeting and a man-on-the-street interview. In addition, many of these videos were obvious fair uses, such as independent news reports.
Here’s the good news: YouTube quickly realized something was fishy, and began investigating. Within days, YouTube suspended the accounts that had sent out the allegedly fraudulent DMCA takedown notices, reinstated the accounts that had been suspended for multiple allegations of copyright infringement, and put most of the videos back up on YouTube, all without waiting to receive DMCA counter-notices from YouTube users who had had their videos taken down.
Well done, YouTube. The company identified a problem and worked to resolve it and protect users, rather than waiting passively for the takedown targets to send counter-notices. As we noted last month, online service providers play a crucial role in preserving and promoting online political speech, and YouTube seems to have taken that role seriously here.
Now, the bad news: if YouTube had not been proactive in dealing with what appeared to be fraud, the Anti-Scientology videos might still be down today. Very few YouTube users filed DMCA counter-notices in response to the takedowns, apparently out of concern for their privacy. The DMCA-compliant counter-notices must normally include the full name, address, and telephone number of the alleged copyright infringer. YouTube passes this information along to the party making the copyright infringement claim. Scientology critics, reportedly concerned about Scientology’s alleged Fair Game policy, were reluctant to surrender their anonymity.
And here's more bad news: not only would takedown targets have to give up their own private information to get their videos restored, they had no guarantee that they would in turn be given the names and addresses of the people who sent the DMCA notices. The DMCA does not require Online Service Providers, such as YouTube, to pass on the identifying information in the DMCA takedown notice to the alleged infringer. Without that legal requirement, YouTube, as well as other OSPs, is reluctant to reveal this information for fear of violating the sender's privacy. That lack of quid pro quo is not just unfair, it makes it very difficult for takedown targets to determine whether the notices are from legitimate owners, and to pursue legal action when notices are sent improperly.
But now back to the good news: YouTube and other OSPs can take steps to remedy this imbalance. They should require individuals who send takedown notices to agree, in advance, to disclosure of their identifying information. If circumstances caution against disclosure (e.g., if the takedown target has been harassing or stalking the copyright holder in some way), copyright holders can use an agent to send the takedown, giving the alleged infringer a point of contact while protecting the individual's personal privacy. Whether the DMCA is being used as a tool of censorship or to press a legitimate copyright claim, transparency and openness are critical, and the copyright holder should have the courage to stand up and be counted.
We understand YouTube is aware of the problem and is considering ways to correct it. We hope that happens soon, before the next wave of abusive takedowns hits.
Capitol v. Thomas: Judge Orders New Trial, Implores Congress to Lower Statutory Penalties for P2P
Legal Analysis by Corynne McSherry
Joining the ranks of federal district judges in Arizona and Massachusetts, District of Minnesota Chief Judge Michael Davis today concluded [44-page PDF] that simply making a music file available in a shared file does not violate copyright law, and ordered a new trial in Capitol Records v. Jammie Thomas.
The case made headlines last year as the first peer-to-peer file-sharing case to go all the way to trial. In October 2007, a jury held Thomas liable and awarded $222,000 in damages to the record companies, based in whole or in part (it wasn't clear) on an instruction that merely making a file available violates a copyright owner's distribution right. Earlier this year, Chief Judge Davis said he was concerned that he might have made a mistake with that instruction and asked for more briefing on whether Thomas deserved a new trial. EFF, joined by Public Knowledge, the United States Internet Industry Association, and the Computer and Communications Industry Association filed an amicus brief urging the Court to reject the RIAA's making available theory.
One key holding:
The Court’s examination of the use of the term “distribution” in other provisions of the Copyright Act, as well as the evolution of liability for offers to sell in the analogous Patent Act, lead to the conclusion that the plain meaning of the term “distribution” does not including making available and, instead, requires actual dissemination.
. . .
If simply making a copyrighted work available to the public constituted a distribution, even if no member of the public ever accessed that work, copyright owners would be able to make an end run around the standards for assessing contributor copyright infringement.
In addition, Chief Judge Davis called on Congress to amend the Copyright Act:
The Court would be remiss if it did not take this opportunity to implore Congress to amend the Copyright Act to address liability and damages in peer-to-peer network cases such as the one currently before this Court. . . . While the Court does not discount Plaintiffs’ claim that, cumulatively, illegal downloading has far-reaching effects on their businesses, the damages awarded in this case are wholly disproportionate to the damages suffered by Plaintiffs. Thomas allegedly infringed on the copyrights of 24 songs—the equivalent of approximately three CDs, costing less than $54, and yet the total damages awarded is $222,000—more than five hundred times the cost of buying 24 separate CDs and more than four thousand times the cost of three CDs. While the Copyright Act was intended to permit statutory damages that are larger than the simple cost of the infringed works in order to make infringing a far less attractive alternative than legitimately purchasing the songs, surely damages that are more than one hundred times the cost of the works would serve as a sufficient deterrent.
. . .
Unfortunately, by using Kazaa, Thomas acted like countless other Internet users. Her alleged acts were illegal, but common. Her status as a consumer who was not seeking to harm her competitors or make a profit does not excuse her behavior. But it does make the award of hundreds of thousands of dollars in damages unprecedented and oppressive.
EFF applauds Chief Judge Davis's thorough rejection of the RIAA's effort to rewrite copyright law and thereby avoid the trouble of actually proving any infringement has occurred. And we wholeheartedly endorse the court's call to amend the Copyright Act's oppressive damages provisions.
DoJ Agrees: IP Enforcement Bill is a Bad Idea
Legislative Analysis by Fred von Lohmann
Yesterday, the Department of Justice delivered a letter to Senators Specter and Leahy, blasting S.3325, the "Enforcement of Intellectual Property Right Act of 2008." In the letter, the DoJ echoes, almost exactly, the concerns that EFF and other public interest groups have had for months:
We strongly oppose Title I of the bill, which not only authorizes the Attorney General to pursue civil remedies for copyright infringement, but to secure "restitution" damages and remit them to the private owners of infringed copyrights. First, civil copyright enforcement has always been the responsibility and prerogative of private copyright holders, and U.S. law already provides them with effective legal tools to protect their rights....
Second, Title 1's departure from the settled framework above could result in Department of Justice prosecutors serving as pro bono lawyers for private copyright holders regardless of their resources. In effect, taxpayer-supported Department lawyers would pursue lawsuits for copyright holders, with monetary recovery going to industry.
Third, the Department of Justice has limited resources to dedicate to particular issues, and civil enforcement actions would occur at the expense of criminal actions, which only the Department of Justice may bring. In an era of fiscal responsibility, the resources of the Department of Justice should be used for the public benefit, not on behalf of particular industries that can avail themselves of the existing civil enforcement provisions.
Unfortunately, pressed by the entertainment industry, the Judiciary Committee has already approved S.3325, and the measure has been "hotlined" for speedy passage by unanimous consent. Let's hope that Congress, even if it won't listen to the public interest community, will listen when the Department of Justice itself says this is bad legislation.
UPDATE: Congress listens! At the request of Senator Ron Wyden of Oregon, the civil enforcement provisions have been stripped out of S.3325:
I am happy to announce that after substantial discussions Chairman Leahy and the Senate Judiciary Committee have agreed to remove provisions from S.3325 that would have resulted in a massive gift of scarce federal resources to Hollywood and the recording industry.
global minilinks for 2008-09-23
miniLinks by Danny O'Brien
- South Korean Government Seeks to End Anonymity, Allow Arbitrary Content Takedown
All forum and chat room users will be required to make verifiable registrations using their real names; Web sites can be taken down for 30 days if they receive complaints of fraud or slander.
- Confidential Data on Millions of Norwegians Sent to Media
CD containing all Norway's tax records (which are public) also included ID numbers (which are not).
- France Scales Back Big Brother Database, But Protests Continue
The "Edvige File" will not contain every French citizen active in politics, just those who "pose a security risk."
- ...Has It Killed Three Strikes Too?
No sign of the Olivennes proposal on the French Senate schedule; rumor is that the Edvige protests have delayed it indefinitely (Google translation).
- British Police Decline to Investigate Phorm
Says there was no "criminal intent" in unauthorised scanning of British Telecom subscribers' web traffic.
- Is the ITU Undermining Internet Anonymity?
Declan McCullagh reports on a proposal to more directly track the source of IP traffic, edited by, among others, Cisco, a Chinese ministry, and the NSA.
- Turkey bans biologist Richard Dawkins' Website
Due to "defamatory" review of Turkish creationist book.
- Tech Companies: Why Doesn't US Champion Fair Use Abroad?
CCIA points out that US trade negotiators are happy to include strong copyright requirements in trade agreements, but never include fair trade or liability protection for intermediaries.
Comcast Unveils Its New Traffic Management Architecture
Technical Analysis by Peter Eckersley
Late on Friday night, Comcast filed an overview of its new traffic management arrangements with the FCC. This is the long-term replacement for its controversial practice of using forged TCP Reset packets to limit the use of peer-to-peer protocols.
The new system appears to be a reasonable attempt at sharing limited bandwidth amongst groups of users. Unlike TCP RST spoofing, it doesn't explicitly discriminate against some applications, and it doesn't threaten protocol developers with interoperability problems and uncertainty about network behavior.
Comcast's objective here is still largely to prioritize non-P2P traffic above P2P traffic. But the criterion they use is the amount of data a cable modem sends during each 15 minute period, which is a much fairer rule than examining the traffic protocol. The way deprioritization works is simple: high priority machines get to send data, and if there is any transmission capacity left over, the low priority machines get a share of that.
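The deprioritization rule described above can be modelled in a few lines. This is an added illustration, not Comcast's code or anything from its FCC filing: the byte threshold, the capacity units, the modem names and the equal split within each tier are all assumptions made for the example.

```python
"""Toy model of volume-based deprioritization (added example, constructed data)."""
from dataclasses import dataclass

# ASSUMPTION: the article names the 15-minute window but gives no cutoff figure.
HEAVY_THRESHOLD_BYTES = 500_000_000


@dataclass
class Modem:
    name: str
    sent_last_window: int  # bytes sent during the previous 15-minute window
    demand: float          # capacity units the modem wants right now


def classify(modem, threshold=HEAVY_THRESHOLD_BYTES):
    """Priority depends only on volume sent; no protocol field is consulted."""
    return "low" if modem.sent_last_window > threshold else "high"


def fair_share(demands, capacity):
    """Max-min fair split of capacity among {name: demand} (an assumption)."""
    alloc = {name: 0.0 for name in demands}
    remaining = dict(demands)
    while remaining and capacity > 1e-9:
        share = capacity / len(remaining)
        satisfied = {n: d for n, d in remaining.items() if d <= share}
        if not satisfied:
            # Everyone left wants more than an equal share: split evenly.
            for n in remaining:
                alloc[n] = share
            return alloc
        for n, d in satisfied.items():
            alloc[n] = d
            capacity -= d
            del remaining[n]
    return alloc


def schedule(modems, capacity):
    """High-priority modems send first; low priority shares what is left."""
    high = {m.name: m.demand for m in modems if classify(m) == "high"}
    low = {m.name: m.demand for m in modems if classify(m) == "low"}
    alloc = fair_share(high, capacity)
    leftover = max(capacity - sum(alloc.values()), 0.0)
    alloc.update(fair_share(low, leftover))
    return alloc


# Constructed sample: B and D exceeded the assumed threshold last window.
SAMPLE_MODEMS = [
    Modem("A", 50_000_000, 30),
    Modem("B", 2_000_000_000, 80),
    Modem("C", 100_000_000, 20),
    Modem("D", 900_000_000, 10),
]

if __name__ == "__main__":
    print("uncongested:", schedule(SAMPLE_MODEMS, 100))
    print("congested:  ", schedule(SAMPLE_MODEMS, 40))
```

With 100 units of capacity the heavy senders still get the 50 units left over; with 40 units the high-priority modems absorb everything and the deprioritized modems get nothing until demand drops.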
EFF is proud that our work helped to expose Comcast's misadventures in network management last year, and we're pleased to see Comcast returning to congestion management practices that are transparently disclosed and avoid protocol discrimination.
The new traffic management setup should not be confused with the 250 GB/month cap which Comcast announced last month; the two will exist side by side.
Government Files to Dismiss NSA Telecom Surveillance Cases
Announcement by Kurt Opsahl
Late Friday night, the Government started the formal process for retroactive immunity for the telecommunications companies sued by EFF and others for their involvement in the warrantless surveillance of millions of ordinary Americans. The immunity is a key part of the unconstitutional FISA Amendments Act passed by Congress in July. EFF will be challenging the new law as unconstitutional and that challenge is set for a hearing before federal judge Vaughn Walker, along with the government's dismissal motion [PDF], on December 2, 2008. To support its attempt to shut the courthouse doors on plaintiffs, the Government filed a "certification" from Attorney General Mukasey. The key substance of the Government's submission was filed in secret with the court, but the Attorney General also filed a public certification [PDF]. In addition, the Government submitted some legislative history documents [PDF].
DOJ View on Email Privacy May Hamper Prosecution of Palin Hackers
Legal Analysis by Kurt Opsahl
On Wednesday, some hackers apparently obtained unauthorized access to Gov. Sarah Palin's Yahoo! email account by posing as Gov. Palin and getting a new password (Michelle Malkin and Wired News have details). Yesterday we noted that, based on the facts in newspaper reporting, a court would likely consider this a violation of the Stored Communications Act (SCA).
However, the Department of Justice may be hamstrung in any prosecution of this invasion of privacy by its restrictive view of "electronic storage." The SCA prohibits unauthorized "access to a wire or electronic communication while it is in electronic storage." The act defines "electronic storage" as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof," or in the alternative as "any storage of such communication by an electronic communication service for purposes of backup protection of such communication."
Under Ninth Circuit precedent, both received and unreceived emails are in electronic storage. This is because when the recipient accesses an email but does not delete it, it moves from storage incident to transmission to backup storage under the second part of the SCA's "electronic storage" definition. See Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2003)(finding that “obvious purpose” for storing a message on the provider’s server after delivery is to provide a second copy of the message in the event it needs to be downloaded again). Thus, since Gov. Palin and Yahoo! are both in the Ninth Circuit (Alaska and California respectively), it would violate the SCA to obtain unauthorized access to her emails, whether opened or not.
The DOJ, however, strongly disagrees with Theofel. According to its Prosecuting Computer Crimes Manual, the DOJ "continues to question whether Theofel was correctly decided, since little reason exists for treating old email differently than other material a user may choose to store on a network." Rather, the DOJ argues:
If the recipient chooses to retain a copy of the communication on the service provider's system, the retained copy is no longer in "electronic storage" because it is no longer in "temporary, intermediate storage ... incidental to ... electronic transmission," and neither is it a backup of such a communication.
The DOJ's interpretation of the SCA means that any emails that Gov. Palin had already opened (but left on the Yahoo! Mail servers) would not be protected under this email privacy law. This would mean no SCA privacy protection for the majority, if not the entirety, of Gov. Palin's email messages at issue. As the DOJ acknowledges, "[i]f Theofel's broad interpretation of 'electronic storage' were correct, prosecutions under section 2701 would be substantially less difficult..." On the flip side, if the DOJ were right and Theofel were wrong, any hacker responsible for obtaining access to those emails - or any other individual's opened messages - could not be prosecuted under the SCA.
What happened to Gov. Palin shows why Theofel is good for privacy. As more and more people use Web mail like Yahoo!, Gmail, Hotmail and others, they also will naturally leave opened email on the server. People should not have to sacrifice their privacy protections under the law when they do so.

