EFF
Breaking Down the 2009 DMCA Rulemaking, Part 1: Victory for Vidders
Now that the dust has settled on the long-awaited announcement of new DMCA circumvention exemptions, it’s time for an explanation of what these exemptions will (and will not) do for consumers and creators. We’ll start with a tremendously important exemption that we fear was somewhat overlooked in the excitement about jailbreaking and unlocking: breaking DVD encryption in order to take short clips for purposes of criticism and commentary for noncommercial use, educational use and documentary films.
This exemption represents many months of hard work by an array of public interest groups. EFF led the charge on behalf of vidders (with invaluable support from the Organization for Transformative Works, among others). The documentary films issue was pushed by the International Documentary Association, Kartemquin Films (a Chicago-based nonprofit) and the USC Gould School of Law Intellectual Property & Technology Law Clinic. The educational uses were championed by a group of educators from American University, the University of Pennsylvania, Temple University, and the University of Maryland, working with the Library Copyright Alliance.
In public comments and at numerous hearings, these groups called on the Librarian of Congress to bring copyright in line with its true purpose – promoting creativity and education – by removing the DMCA as a powerful legal impediment to fair use. Hollywood responded by suggesting that fair users should use “alternatives” to circumvention, such as pointing a camcorder at your television screen to “capture” a poor quality copy of a movie that is playing. In other words, fair users should pretend they are living and working in 1994. Happily, the rulemakers decided to let us live in the present, describing this suggestion as “specious.”
What this means.
Before this exemption was issued, the only people allowed to circumvent DVD encryption for fair use purposes were film and media studies professors. Now, that category has expanded to include all college and university professors and film and media studies students (as long as they are circumventing for educational purposes), documentary filmmakers, and noncommercial vidders. The user may take only a “short portion” of the original work for purposes of criticism and commentary, and she must reasonably believe she needs to break the DRM to accomplish that purpose.
What it doesn’t.
This exemption does not affect toolmakers – i.e., those that develop and provide the tools that make circumventing CSS possible. Nor can it stop Hollywood from attempting to impose other technical limits on the ability to copy, even for fair use purposes. Also, K-12 educators and students who aren’t in film and media studies classes have to keep using 20th century technology. Finally, even though the Register of Copyrights has declared that using short portions of a movie for purposes of criticism or comment in a noncommercial video is a fair use (no surprise), Hollywood can still use tools like YouTube’s Content I.D. system to take down such videos with the flip of a switch.
What changed?
This exemption is long overdue, and therein lies a question: why now? After all, as the Register of Copyrights notes in the report that led to the rulemaking, it was clear back in 2000 that CSS could interfere with fair use in ways Congress didn’t anticipate when it passed the DMCA. The Register’s answer is that the factual record has changed: First, proponents submitted enough substantial evidence of hardship to support their cases. (Which points to a fundamental problem in the process – where it’s clear as a matter of pure logic that a given form of DRM is impeding fair use, it’s irrational to force fair users to suffer for years under legal threat until enough evidence of the harm is accrued.) Second, the market for DVDs has (supposedly) changed:
In past rulemakings, the MPAA has offered evidence that CSS protection was a critical factor in the decision to release motion pictures in digital format . . . [but] CSS-protected DVDs have continued to be the dominant form even though circumventions tools have long been widely available online. At this point in time, the suggestion that an exemption for certain noninfringing uses will cause the end of the digital distribution of motion pictures is without foundation.
We think the MPAA’s bluster that it would stop distributing DVD movies if an exception was granted for fair use circumvention should have never been credited by the Register, but it’s gratifying that the Register refuses to do so any longer.
Some Other Highlights
In the report that led to the rulemaking, the Register of Copyrights made a series of telling observations about encryption and fair use. For example, she implicitly acknowledged what we’ve been saying for years -- that DVD encryption is primarily designed not to restrict access, but to serve as a legal "hook" that forces technology companies to enter into license agreements before they build products that can play movies. As the Report puts it:
“By design, the CSS encryption system serves as a link in a chain of legal and technological requirements that ultimately inhibit the possessor of a CSS-protected DVD from copying the work or works embodied in it.”
Of course, those license agreements do more than inhibit copying -- they define what the devices can and can't do, thereby protecting Hollywood business models from disruptive innovation.
Also notable is the Register’s fair use analysis, and particularly her conclusion that there was no evidence that taking short clips causes any harm to any actual market for the original works. Opponents of the exemption had argued, among other things, that they were experimenting with ways to get short clips to educators – in other words, a market might emerge. Not good enough, said the Register: “there was no evidence in the record that a viable or efficient mechanism for permissions or licensing exists or is likely to exist” for the next three years.
This exemption could go further -- for example, there's no sensible reason why literature students, or math students for that matter, should have been excluded. Nonetheless, it represents a big step in the right direction. Hopefully the next rulemaking will go further down the path.
DOJ Pushing to Expand Warrantless Access to Internet Records
This morning's Washington Post reveals that the Department Of Justice has been pressuring Congress to expand its power to obtain records of Americans' private Internet activity through the use of National Security Letters (NSLs).
NSLs, you may remember, are one of the most powerful and frightening tools of government surveillance to be expanded by the Patriot Act. These letters allow the FBI to secretly demand data from phone companies and internet service providers about the private communications of ordinary citizens. The letters include a gag order, which forbids recipients from ever revealing the letters' existence to their coworkers, their friends, or even to their family members, much less the public.
The gag order and the lack of oversight make this power ripe for abuse. Indeed, the FBI's systemic abuse of this power was confirmed both by a Department Of Justice investigation and in documents obtained by EFF through Freedom of Information Act litigation. Yet, in the years since that abuse became publicly known, there has been no reform of the law governing NSLs.
Now, the DOJ is asking Congress to pass vague and broad new language meant to expand the kinds of data that can be acquired through NSLs. This morning's Washington Post article suggests that the new language could allow access to detailed web browsing history, search history, location information, or even Facebook friend requests.
Considering the FBI's dismal record on surveillance abuses, this is a stunning and brazen request. They're asking Congress to reward bad behavior by allowing even more bad behavior. We're hoping that Congress will have the courage and integrity to turn them down. Keep reading Deeplinks for more news on this as it develops.
House Committee to Examine Public Access to Federally-Funded Research
Tomorrow afternoon, legislators from the House Committee on Oversight and Government Reform will be holding a hearing on the topic of "Public Access to Federally-Funded Research." The hearing will be a perfect opportunity for key representatives to look into supporting public access policies — various requirements that scientific research funded by the federal government be made available on the Internet to the tax-paying public. EFF wrote about the benefits of public access policies earlier this year when the Office of Science and Technology Policy asked for input.
Tomorrow, members of the committee will no doubt hear about the excellent Federal Research Public Access Act (FRPAA), a bill that would require a great deal of research funded by government agencies to be made publicly available through a digital database no later than six months after publication. The law is modeled after the National Institutes of Health's Public Access policy, which on its own has granted millions of people access to critical, up-to-date medical research since it was implemented in 2008.
Public access policies essentially "close the loop" on the tail end of the cycle of research funded by the government. Now, the public pays for scientific research through taxes, but in most cases, that same taxpayer-funded innovation and discovery gets locked up in journals, accessible only through expensive per-article fees or massively expensive institutional licenses. With the FRPAA, academic journals still get a critical window of time to be the first to publish important findings, but shortly thereafter, the public gets unprecedented access to the knowledge that they paid for.
You can catch the webcast of the hearing tomorrow at 2pm EDT (11am PDT) or attend the hearing in person if you're in Washington, D.C. Stay tuned to EFF for future updates on how to support the Federal Research Public Access Act and other public access efforts!
In Perfect 10 v. Google, Round 3 Goes to Google: No Sloppy DMCA Notices
Copyright owners, take note: If you're going to use the streamlined Digital Millennium Copyright Act ("DMCA") process to require a service provider to remove allegedly infringing content, you'd better make sure you actually comply with the DMCA notice requirements. Otherwise a court may find, as occurred this week in Perfect 10 v. Google, that your "notice" didn't actually put anyone on "notice."
A quick recap: In 2004, porn company and frequent litigator Perfect 10 sued Google for direct and secondary copyright infringement. Perfect 10 claimed that Google violated its copyrights by linking to websites that hosted infringing material, caching websites that hosted infringing photos of nude models, and hosting infringing images uploaded by Blogger users. In 2007, the Ninth Circuit Court of Appeals reversed a preliminary injunction in favor of Perfect 10 on its direct infringement claims, and sent the case back to the district court for a determination of some of the secondary infringement claims. Google moved for summary judgment, asserting that it was protected from secondary liability by the DMCA safe harbors.
This week, Judge Howard Matz of the U.S. District Court in Los Angeles mostly agreed with Google, whittling Perfect 10's remaining case down to a small subset of allegedly infringing images. Why? Mainly because Perfect 10 didn't trouble itself to provide Google with the information Google needed to figure out what to take down in a form that Google could readily use.
The DMCA requires a proper takedown notice to identify the work claimed to be infringed, identify the reference (or link) to material claimed to be infringing, and provide enough information to permit the service provider to locate that reference or link. Even though providing this information should be pretty easy, Perfect 10 fell far short.
For example, many of its "notices" consisted of a cover letter, a spreadsheet with URLs (many of which linked only to a top-level URL for a website, as opposed to a specific infringing URL) and a hard drive or DVD containing Perfect 10's electronic files of its photos. Not good enough, said the court — the information required by the DMCA must be contained in a single written communication; forcing a service provider to cobble together adequate notice from a variety of sources is just too burdensome.
P10 evidently expected Google to comb through hundreds of nested electronic folders containing over 70,000 distinct files, including raw image files such as JPEG files and screen shots of Google search results, in order to find which link was allegedly infringing. [] In many cases, the file containing the allegedly infringing image does not even include a URL, or the URL was truncated. [] The spreadsheets also do not identify the copyrighted work that was allegedly infringed. . . . P10 then expected Google to search through a separate electronic folder—attached only to the June 28, 2007 DMCA notice—containing all of the more than 15,000 images that appeared on P10's website as of June 2007, in order to identify the copyrighted work that was infringed.
The court did find that a small subset of notices complied with the DMCA; for those few notices, Google must now show that it responded to those notices "expeditiously" under the circumstances.
The ruling is not unprecedented: numerous courts, including the Ninth Circuit, have found that ISPs don't have to respond to deficient DMCA notices. But the issue of how much information about infringement providers need to have (and fail to act on) before they lose the protection of the safe harbors is being hotly contested in two other proceedings. Content owners are insisting that if ISPs have general knowledge of infringement on their services, they must take over the burden of stamping it out. We might think of Judge Matz's decision as one more vote in favor of keeping the burden of identifying copyright infringement where it has traditionally belonged — on the content owners themselves.
LIGATT Security Tries to Silence its Online Critics With an Unsubstantiated Lawsuit
LIGATT Security, a controversial Georgia-based computer security firm, is embroiled in an ongoing flame war with its online detractors, who question the firm's legitimacy and stock prospects. Earlier this month, LIGATT upped the ante by filing suit in a Georgia court, threatening about 25 anonymous commenters on Yahoo! Message Boards and demanding a $5 million judgment and a court order prohibiting criticism. LIGATT's CEO warned that he hoped the lawsuit would "set a trend" for other OTC companies facing online critics.
We hope not. EFF is frequently called upon to help protect the rights of anonymous speakers in similar suits, and the world does not need more facially deficient lawsuits targeting online critics. As we explain below, this complaint is a prime example of a case that should be dismissed. And, if LIGATT attempts to use this complaint to subpoena Yahoo! for the identities of its critics, the subpoenas might not only fail, but LIGATT may be forced to pay its critics' attorneys' fees.
It is not surprising that LIGATT has attracted controversy and commentary. The publicly traded company is headed by Gregory Evans, a self-described "media personality" who calls himself the "World's #1 Hacker." Evans' books include "Memoirs of a Hi-Tech Hustler," an account of the exploits that landed him in federal prison, and "How to Become the World's No. 1 Hacker," an allegedly plagiarized introduction to computer security. LIGATT has published provocative online videos advertising its services. And this is not the first time LIGATT has been criticized over its litigation.
The important legal question at this point, however, is not whether LIGATT's critics are right or wrong, but whether the complaint sets forth a valid claim. It does not. LIGATT and Evans' complaint asserts three primary claims: defamation, commercial disparagement, and "tortuous interference with contractual relations," which is a way of accusing the defendants of hurting its business relationships. The company also seeks an injunction barring the defendants from posting any further defamatory comments against LIGATT Security, its subsidiary SPOOFEM.COM, or its CEO Evans, and demands $5 million in damages. The alleged damages are double the most recent "Estimated Market Cap" for the whole company listed on its investor relations page.
Curiously, while LIGATT's press release announcing the lawsuit and the accompanying video claim the suit was filed against "stock bashers," the complaint never once references the company's stock or alleges stock manipulation. While federal and state law prohibit certain forms of stock manipulation, criticizing a publicly traded company and its CEO is not a valid legal cause of action in and of itself.
In its complaint, LIGATT claims the defendants posted "false and defamatory statements" on the Yahoo Technology message board and a few other websites. But the purported defamatory statements are never identified in the complaint, much less set forth. There is no attempt to tie each of the defendants to particular statements. Under long-standing Georgia law, failure to clearly identify defamatory statements in a complaint is grounds for dismissing a defamation claim (with leave to amend). The allegation in this complaint is insufficient because it is just a bald conclusion that the unidentified statements are "false and untrue and defamed Plaintiffs." Under Georgia law, libel complaints are subject to a strict standard, and "allegations ... characterizing the publication as libelous and libelous per se are mere conclusions not supported by the pleaded facts" that must be dismissed.
Similarly, if the defendants were to move this case to a federal court (which may be possible if the defendants are not from Georgia), allegations of specific statements would be required and the complaint would be dismissed under the federal pleading standard that requires more than "conclusory allegations" and "legal conclusions masquerading as facts" (recently explained in two Supreme Court decisions, commonly known as Iqbal and Twombly).
LIGATT's "commercial disparagement" claim is simply a variation of the original defamation claim, and hangs on the same unidentified "false and defamatory statements" thread. The court should dismiss the claim for the same reasons. Moreover, even if the actual statements were pled, a federal court in Georgia recently noted that Georgia law does not support this type of claim, and a Georgia Supreme Court opinion both refused to recognize the similar tort of injurious falsehood and held that plaintiffs could not recover twice under two theories.
The complaint’s final substantive claim, accusing the defendants of interfering with LIGATT's business contracts, would also fail because LIGATT must identify wrongful conduct and provide facts, not legal conclusions, to support the cause of action. The complaint, however, does not identify any wrongful conduct on the part of the defendants beyond the deficient defamation claim. This claim should fall with the rest of the house of cards.
California’s anti-SLAPP law is another hurdle for LIGATT. Most of the defendants are anonymous Does, who have exercised their constitutional right to speak pseudonymously online. To the extent that LIGATT wants to issue subpoenas to Yahoo!, located in California, to uncover the identities of the posters on the message board, LIGATT would be wise to realize that California law mandates attorneys' fees for anyone who prevails in quashing or modifying such a subpoena, if the underlying action involves the person's online free speech rights and the plaintiff does not make a prima facie showing of the cause of action.
When courts, both in California and throughout the country, consider whether to allow a subpoena to unmask an anonymous speaker, they use a First Amendment test that requires the plaintiffs to show they have a real case. As explained above, the complaint fails to allege sufficient facts to do so. Moreover, since the plaintiffs would likely be considered public figures for purposes of this lawsuit, LIGATT would have to show a prima facie case for actual malice--a significant and difficult hurdle to overcome.
Through this lawsuit and its press release, LIGATT is affirmatively seeking to encourage and extend a disturbing trend of using the legal system as a weapon to intimidate online critics. Often, these deficient lawsuits are used to unmask online critics, even when those critics are engaged in constitutionally protected speech. LIGATT's complaint is rife with conclusory allegations and exemplifies the deficiencies with most of these lawsuits. LIGATT should voluntarily dismiss this lawsuit, and not refile unless and until it can state a valid claim that a critic has actually violated the law, quoting specifically the allegedly defamatory speech and alleging facts that show how the quoted speech is false, defamatory and was made with actual malice.
EFF Wins New Legal Protections for Video Artists, Cell Phone Jailbreakers, and Unlockers
San Francisco - The Electronic Frontier Foundation (EFF) won three critical exemptions to the Digital Millennium Copyright Act (DMCA) anticircumvention provisions today, carving out new legal protections for consumers who modify their cell phones and artists who remix videos — people who, until now, could have been sued for their non-infringing or fair use activities.
"By granting all of EFF's applications, the Copyright Office and Librarian of Congress have taken three important steps today to mitigate some of the harms caused by the DMCA," said Jennifer Granick, EFF's Civil Liberties Director. "We are thrilled to have helped free jailbreakers, unlockers and vidders from this law's overbroad reach."
The exemptions were granted as part of a statutorily prescribed rulemaking process, conducted every three years to mitigate the danger the DMCA poses to legitimate, non-infringing uses of copyrighted materials. The DMCA prohibits "circumventing" digital rights management (DRM) and "other technical protection measures" used to control access to copyrighted works. While the DMCA still chills competition, free speech, and fair use, today's exemptions take unprecedented new strides towards protecting more consumers and artists from its extensive reach.
The first of EFF's three successful requests clarifies the legality of cell phone "jailbreaking" — software modifications that liberate iPhones and other handsets to run applications from sources other than those approved by the phone maker. More than a million iPhone owners are said to have "jailbroken" their handsets in order to change wireless providers or use applications obtained from sources other than Apple's own iTunes "App Store," and many more have expressed a desire to do so. But the threat of DMCA liability had previously endangered these customers and alternate applications stores.
In its reasoning in favor of EFF's jailbreaking exemption, the Copyright Office rejected Apple's claim that copyright law prevents people from installing unapproved programs on iPhones: "When one jailbreaks a smartphone in order to make the operating system on that phone interoperable with an independently created application that has not been approved by the maker of the smartphone or the maker of its operating system, the modifications that are made purely for the purpose of such interoperability are fair uses."
"Copyright law has long held that making programs interoperable is fair use," confirmed Corynne McSherry, EFF's Senior Staff Attorney. "It's gratifying that the Copyright Office acknowledges this right and agrees that the anticircumvention laws should not interfere with interoperability."
EFF also won a groundbreaking new protection for video remix artists currently thriving on Internet sites like YouTube. The new rule holds that amateur creators do not violate the DMCA when they use short excerpts from DVDs in order to create new, noncommercial works for purposes of criticism or comment if they believe that circumvention is necessary to fulfill that purpose. Hollywood has historically taken the view that "ripping" DVDs is always a violation of the DMCA, no matter the purpose.
"Noncommercial videos are a powerful art form online, and many use short clips from popular movies. Finally the creative people that make those videos won't have to worry that they are breaking the law in the process, even though their works are clearly fair uses. That benefits everyone — from the artists themselves to those of us who enjoy watching the amazing works they create," added McSherry.
On EFF's request, the Librarian of Congress renewed a 2006 rule exempting cell phone unlocking so handsets can be used with other telecommunications carriers. Cell phone unlockers have been successfully sued under the DMCA, even though there is no copyright infringement involved in the unlocking. Digital locks on cell phones make it harder to resell, reuse, or recycle the handset, prompting EFF to ask for renewal of this rule on behalf of our clients, The Wireless Alliance, ReCellular and Flipswap. However, the 2009 rule has been modified so that it only applies to used mobile phones, not new ones.
"The Copyright Office recognizes that the primary purpose of the locks on cell phones is to bind customers to their existing networks, rather than to protect copyrights," said Granick. "The Copyright Office agrees with EFF that the DMCA shouldn't be used as a barrier to prevent people who purchase phones from keeping those phones when they change carriers. The DMCA also shouldn't be used to interfere with recyclers who want to extend the useful life of a handset."
Along with the exemptions that EFF championed, several other DMCA exemptions were expanded, granted or narrowed, including one for documentary filmmakers and college-level educators, as well as some for security researchers.
For the full rulemaking order:
https://www.eff.org/files/filenode/dmca_2009/RM-2008-8.pdf
For more on the DMCA rulemaking:
http://www.eff.org/issues/dmca-rulemaking
Contacts:
Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org
Corynne McSherry
Senior Staff Attorney
Electronic Frontier Foundation
corynne@eff.org
Recording Industry Giant Tries to Undermine 'Safe Harbor' Rules for Online Video Sites
San Francisco - The Electronic Frontier Foundation (EFF) and a coalition of nonprofit groups have asked a federal appeals court to protect the "safe harbor" rules for online video service providers that encourage free expression and innovation on the Internet.
In an amicus brief filed Friday in UMG v. Veoh, EFF told the U.S. Court of Appeals for the 9th Circuit that Universal Music Group's (UMG's) effort to hold online video service Veoh responsible for infringing content uploaded by a minority of its users would thwart federal law and Congress's intent to stimulate electronic commerce and free speech.
"By creating a clear path for innovators like Veoh to limit their liability for the copyright violations of their users, the statutory safe harbors helped foster the innovation environment that has made YouTube, Flickr, eBay, Blogger, and myriad other hosting-based services possible," said EFF Senior Staff Attorney Corynne McSherry. "UMG is trying to turn back the clock and reinstate a climate of legal uncertainty that would harm new online businesses and the free expression they foster."
The safe harbors are part of the Digital Millennium Copyright Act (DMCA) and give sites immunity from monetary damages if they observe the DMCA's "notice and takedown" procedures for potentially infringing content and comply with other legal requirements. In a lawsuit first filed in 2007, UMG argued that the safe harbors don't apply to any service that "displays" or "distributes" copyrighted material, rather than simply "storing" it. Last year, a federal district court rejected that argument. UMG appealed.
"The safe harbors have proven to be a huge success in encouraging the growth of innovative platforms for free expression, hosting vibrant amateur creativity," said McSherry. "But under UMG's vision for the Internet, we'd get something a lot more like television, where nothing is seen until it's approved by an army of lawyers. That's why we're asking the appeals court to affirm the lower court's ruling."
Joining EFF in the amicus brief are the American Library Association, the Association of Research Libraries, the Association of College and Research Libraries, the Center for Democracy and Technology, the Computer and Communications Industry Association, the Internet Archive, NetCoalition, and Public Knowledge.
For the full amicus brief:
http://www.eff.org/files/filenode/umg_v_veoh/UMGvVeohAmicusBrief072310.p...
For more on this case:
http://www.eff.org/cases/umg-v-veoh
Contacts:
Corynne McSherry
Senior Staff Attorney
Electronic Frontier Foundation
corynne@eff.org
EFF at Black Hat and DEF CON
Join EFF for a plethora of appearances in Las Vegas, NV, at Black Hat USA 2010 and DEFCON 18. There is still time to register, and EFF supporters receive a 25% discount on Black Hat registration. Remember to stop by the EFF booths to get reduced-rate EFF memberships and top drawer swag! And be on the lookout for the limited edition "Things to Hack" t-shirt available only in Las Vegas.
Check out talks presented by members of our legal and technology teams throughout the week:
Wednesday, July 28
Kevin Bankston and Kurt Opsahl will play the role of the defense attorneys for an indicted hacker in the 2010 edition of Black Hat Hacker Court from 1515-1800 in Forum 25 at Caesars Palace.
Thursday, July 29
EFF staffers will be at Vegas 2.0's 6th Annual Summit Fundraiser to thank our supporters, including the DEFCON 18 Getaway contest winners and the contest sponsors, Tenable Network Security, iSEC Partners, and IOActive. As a special bonus, Summit attendees can receive a complimentary EFF Advocate Level membership and an opportunity to pick up the "Things to Hack" shirt at vastly reduced rates. Many thanks to Vegas 2.0 for their generosity in organizing this amazing benefit event.
Friday, July 30
On this big day for EFF, Marcia Hofmann will teach DEFCON attendees "How to Get Your FBI File (and Other Information You Want From the Federal Government)," from 1000-1050 in Track 3 at the Riviera Conference Center.
On Friday afternoon, Peter Eckersley will talk about the Panopticlick project on the "How Unique Is Your Browser?" panel from 1200 to 1250 in Track 2, and Jennifer Granick, Kevin, Marcia, and Kurt will teach about "The Law of Laptop Search and Seizure" in Track 3 from 1300 to 1350.
In the evening, Peter will join iSEC Partners' Jesse Burns in presenting "An Observatory for the SSLiverse" from 1700 to 1750 in Track 3. A gaggle of EFF attorneys and staff will answer your questions on the annual "Meet the EFF" panel from 1800-1850 in Track 1. From 2000 to 2050, Kevin and the ACLU's Nicole Ozer will present "Big Brother on the Big Screen: Fact/Fiction?" in Track 3.
Saturday, July 31
Jennifer and Matt Zimmerman will discuss "Legal Developments in Hardware Hacking" from 1000 to 1050 in Track 1.
Court: Violating Terms of Service Is Not a Crime, But Bypassing Technical Barriers Might Be
Good news: another federal judge has ruled that violating a website's terms of service is not a crime. But there's bad news, too — the court also found that bypassing technical or code-based barriers intended to limit access to or uses of a website may violate California's computer crime law.
The decision comes in Facebook v. Power Ventures, a case in which Facebook is suing a company that offers a tool for users to access and aggregate their personal information across social networking sites. Because Facebook's terms of service don't allow users to access their information through "automated means," Facebook claimed that Power accesses its service "without permission" in violation of California Penal Code Section 502. Facebook has also argued that Power broke the law by evading Facebook's effort to block the Power browser’s IP address, which was meant to try to keep users from accessing their Facebook accounts through the Power website.
EFF filed an amicus brief in this case, urging the court to reject Facebook's computer crime claims. We argued that turning any violation of terms of use into a crime would give websites unfettered power to decide what conduct is criminal, leaving millions of Internet users vulnerable to prosecution for everyday activities.
The court agreed with our position, relying heavily on our brief. This part of the ruling is great.
Unfortunately, the court also said that Power might be liable if it changed its IP address so that its browser could continue to interoperate with the Facebook service. In other words, it may be a crime to circumvent technological barriers imposed by a website, even if those measures are taken only to enforce the terms of service through code. There's nothing inherently wrong or unlawful about avoiding IP address blocking, and there are valid reasons why someone might choose to do so, including to sidestep anticompetitive behavior by other Internet services. As long as an end user is authorized to access a computer and the way she chooses doesn't cause harm, she should be able to access the computer any way she likes without committing a crime.
Overall, yesterday's opinion is an important precedent that aligns with United States v. Drew, a decision last year finding that a woman did not violate the federal hacking law when she created a fake MySpace profile, as well as recent Ninth Circuit cases. We welcome the court's rejection of terms of service violations as triggers for criminal liability, but will continue to work to demonstrate to courts that not all technological measures are created equal. If the measure seeks to control access to or use of data, then evasion of it is almost certainly criminal. But if the restriction merely seeks to impose owner preferences or terms of service on otherwise authorized users, bypassing it should not be a crime.
As other courts look at this issue, we hope that they will agree that code-based restrictions require a very fact-specific inquiry, and will remain open to the possibility that bypassing such measures should not necessarily be criminal.
Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns
Coauthored by Seth Schoen
The White House recently released a draft of a troubling plan titled "National Strategy for Trusted Identities in Cyberspace" (NSTIC). In previous iterations, the project was known as the "National Strategy for Secure Online Transactions" and emphasized, reasonably, the private sector's development of technologies to secure sensitive online transactions. But the recent shift to "Trusted Identities in Cyberspace" reflects a radical — and concerning — expansion of the project’s scope.
The draft NSTIC now calls for pervasive, authenticated digital IDs and makes scant mention of the unprecedented threat such a scheme would pose to privacy and free speech online. And while the draft NSTIC "does not advocate for the establishment of a national identification card" (p. 6), it’s far from clear that it won’t take us dangerously far down that road. Because the draft NSTIC is vague about many basic points, the White House must proceed with caution and avoid rushing past the risks that lie ahead. Here are some of our concerns.
Is authentication really the answer?
Probably the biggest conceptual problem is that the draft NSTIC seems to place unquestioning faith in authentication — a system of proving one's identity — as an approach to solving Internet security problems. Even leaving aside the civil liberties risks of pervasive online authentication, computer security experts question this emphasis. As prominent researcher Steven Bellovin notes:
The biggest problem [for Internet security] was and is buggy code. All the authentication in the world won't stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. All of these attacks have been known for years.
A Real ID Society?
The draft NSTIC says that, instead of a national ID card, it "seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions," which can be obtained "from either public or private sector identity providers." (p. 6) In other words, the government wants a lot of different companies or organizations to be able to do the task of confirming that a person on the Internet is who he or she claims to be.
Decentralized or federated ID management systems are possible, but like all ID systems, they definitely pose significant privacy issues.[1] There’s little discussion of these issues, and in particular, there’s no attention to how multiple IDs might be linked together under a single umbrella credential. A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy (pp. 125-132). Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).
Providing a uniform online ID system could pressure providers to require more ID than necessary. The video game company Blizzard, for example, recently indicated it would implement a verified ID requirement for its forums before walking back the proposal only after widespread, outspoken criticism from users.
Pervasive online ID could likewise encourage lawmakers to enact access restrictions for online services, from paying taxes to using libraries and beyond. Website operators have argued persuasively that they cannot be expected to tell exactly who is visiting their sites, but that could change with a new online ID mechanism. Massachusetts recently adopted an overly broad online obscenity law; it takes little imagination to believe states would require individuals to use an NSTIC implementation in order to access content somehow deemed to be "objectionable."
Anonymity
The draft NSTIC "envisions" that a blogger will use "a smart identity card from her home state" to "authenticate herself for . . . [a]nonymously posting blog entries." (p. 4) But how is her blog anonymous when it’s directly associated with a state-issued ID card?
The proposal mistakenly conflates trusting a third party to not reveal your identity with actual anonymity — where third parties don’t know your identity. When Thomas Paine anonymously published Common Sense in 1776, he didn’t secretly register with the British Crown.
Indeed, the draft NSTIC barely recognizes the value of anonymous speech, whether in public postings or private email, or anonymous browsing via systems like Tor. Nor does it address issues about re-identification, e.g. the ability to take different sets of de-identified data and link them so as to re-identify individuals.
Bellovin credits the draft NSTIC for suggesting the use of attribute credentials rather than identity credentials — that is, using credentials that could establish that you're authorized to do something without saying who you are. But, as he puts it, "We need ways to discourage collection of identity information unless identity is actually needed to deliver the requested service," and the draft NSTIC doesn't seem to address this.
Privacy, Identity Theft and Surveillance
The draft NSTIC seems to presuppose widespread use of smart ID cards. In one example, it envisions that an individual will use "a smart identity card from her home state" to "authenticate herself for a variety of online services," presumably modeled upon driver’s licenses. (p. 4)
One major concern, acknowledged briefly in the draft, is whether people's computers can really be secure enough to be used for these purposes — smart ID cards or no smart ID cards. As noted above, the vast majority of privacy and authentication vulnerabilities stem from buggy software, and when a computer is trivial to compromise, its users’ credentials are easy to steal. The NSTIC proposal could, in fact, decrease user privacy and enable identity theft: once a user’s digital ID is stolen, it could be used to both pose as the user and access all the user’s accounts and data.
Consider, for example, the proposal to use a state digital ID card to access health records and online banking. What happens next time you lose your wallet?
Furthermore, by consolidating your credentials, the NSTIC plan may provide the government with a centralized means of surveilling your online accounts. And if the government issues your digital ID itself, it won’t even need to approach a third party with any kind of legal process before surveilling you.
The draft NSTIC also mentions the development of a public-key infrastructure (PKI). (pp. 15, 27) We support good, widespread encryption, which could allow people to get correct public keys reliably and possibly cut down on phishing, spam, fraud, and pretexting. But as Bruce Schneier and Carl Ellison have explained, doing PKI properly isn’t easy.[2] All of their concerns apply, in some form, to the NSTIC proposal.
Another concern that’s emerged recently is whether governments could coerce certificate authorities in a PKI to issue false credentials in order to facilitate surveillance. Chris Soghoian and Sid Stamm have reported on an industry claim that governments could get "court orders" giving them access to falsified cryptographic credentials. This threat seems greater if the government itself is running the PKI.
Much more could be said. The NSTIC is only a draft, and the Department of Homeland Security and the White House sought public input online through July 19th. Because of the importance of this issue, EFF has joined with a coalition of concerned civil liberties groups to ask the Administration for a longer comment period and a way to submit more detailed comments. We hope and expect that this will be only the beginning of a public debate about ID management online.
- 1. See, e.g., Susan Landau et al., Achieving Privacy in a Federated Identity Management System.
- 2. See Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure
Court Fails to Protect Privacy of Whistleblower's Email
Today the Eleventh Circuit issued an unfortunate amended decision in Rehberg v. Hodges. The case arose from an egregious situation in which, among other misconduct, a prosecutor used a sham grand jury subpoena to obtain the private emails of whistleblower Charles Rehberg after he brought attention to systematic mismanagement of funds at a Georgia public hospital.
The Court held that Mr. Rehberg's privacy interest in his emails held by his ISP was not "clearly established" and therefore his claim against the prosecutors could not proceed. The Court relied on a legal doctrine called qualified immunity, which holds that lawsuits against government officials for violations of constitutional rights cannot proceed unless those rights were "clearly established" at the time. The Court declined to rule on whether individuals have a privacy interest in the content of their emails.
We're disappointed in this decision. Not only is it wrong for Mr. Rehberg, who had his emails turned over to a prosecutor based on a sham subpoena, but it's troubling for the millions of individuals in the Eleventh Circuit who have their email stored with ISPs. Our most sensitive and private thoughts, ideas and correspondence are contained in our emails. The Fourth Amendment requires judicial supervision (usually a warrant) before the government can access your personal papers in order to protect against just the sort of abuse that Mr. Rehberg suffered -- a rogue government official seeking to get your emails from your ISP with no court oversight and then turning them over to others who seek to harm you.
While the decision is very bad news for Mr. Rehberg, the Court did take the opportunity to correct some erroneous analysis in the panel's previous decision. The earlier decision had held that the Fourth Amendment did not apply at all once an email was received by your ISP. The Court had written that a "person also loses a reasonable expectation of privacy in emails, at least after the email is sent to and received by a third party" and that "Rehberg's voluntary delivery of emails to third parties constituted a voluntary relinquishment of the right to privacy in that information." This is not the law, and the incorrect statements are no longer precedent. In other words, the Court did not rule out the possibility that there is a reasonable expectation of privacy in your email. That is useful and will be important to other cases moving forward, as law professor Paul Ohm, who wrote an amicus brief in the case, has noted.
However, the Court did not rule that there was privacy protection for your emails either. Rather than embracing the obvious conclusion that our constitutional protections need to be recognized for email content, the court ducked the question, claiming that email is simply too new a technology for them to decide whether the Constitution applies. With all due respect, email is far too important to the daily lives of millions of Americans for its constitutional status to be unclear. Email content must be protected by the Fourth Amendment whether stored with an ISP or not. It's long past time that the courts recognize that the constitutional privacy protections for our "papers" still apply when they are in digital form.
San Mateo D.A. Withdraws Controversial Gizmodo iPhone Warrant
Today, San Mateo Superior Court Judge Clifford Cretan granted an application by the San Mateo County D.A.'s office to withdraw the controversial warrant it obtained to search the house of Gizmodo.com journalist Jason Chen. Accordingly, "[a]ll items seized [from Chen's home] shall be returned forthwith to Gizmodo.com and Jason Chen..."
While the D.A.'s withdrawal of the April 23rd warrant is certainly a positive step, this likely isn't the end of the matter. As EFF repeatedly noted at the time, the warrant-backed search of Chen's home was illegal as it violated California Penal Code section 1524(g)'s prohibition against the issuance of warrants for "unpublished information obtained or prepared in gathering, receiving or processing of information for communication to the public." As we pointed out, the police could (for example) attempt to subpoena the same material without running afoul of section 1524(g) and still proceed with their case.
EU Authorities: Implementation of Net Surveillance Directive Is Unlawful
In a landmark announcement issued today, the data protection officials across the European Union found that the way that EU Member States have implemented the data retention obligations in the 2006 EU Data Retention Directive is unlawful. The highly controversial 2006 EU Data Retention Directive compels all ISPs and telecommunications service providers operating in Europe to retain telecom and internet traffic data about all of their customers' communications for a period of at least 6 months and up to 2 years.
European privacy officials from the Article 29 Data Protection Working Party have been reviewing how the EU Member States have implemented these obligations in their national laws.
Among the most important findings of the Article 29 Working Party’s report are:
- "Service providers were found to retain and hand over data in ways contrary to the provisions of the [data retention] directive."
- "There are significant discrepancies regarding the retention periods, which vary from six months to up to ten years, which largely exceeds the allowed maximum of 24 months."
- "More data are being retained than is allowed. The data retention directive provides a limited list of data to be retained, all relating to traffic data. The retention of data relating to the content of communication is explicitly prohibited. However, it appears from the inquiry that some of these data are nevertheless retained."
- Regarding Internet traffic data: "Several service providers were found to retain URLs of websites, headers of e-mail messages as well as recipients of e-mail messages in "CC"-mode at the destination mail server."
- Regarding phone traffic data: "it was established that not only the location of the caller is retained at the start of the call, but that his location is being monitored continuously."
- "Member states have scarcely provided statistics on the use of data retained under the Directive, which limits the possibilities to verify the usefulness of data retention."
- "The provisions of the data retention directive are not respected and the lack of available sensible statistics hinders the assessment of whether the directive has achieved its objectives."
The timing of the Article 29 Working Party’s opinion is particularly sensitive because the European Commission is currently conducting an evaluation of the impact of the Data Retention Directive on economic operators and citizens in Europe. One of the possible outcomes of this evaluation is a recommendation that the Data Retention Directive should be amended or repealed in its entirety. The Article 29 Working Party has submitted its report to the European Commission to provide the Commission with vital empirical evidence for its evaluation of whether to recommend the amendment or repeal of the Directive.
Once completed, the Commission’s evaluation will be sent to the European Parliament and the Council of Ministers. Reflecting the far-reaching impact and sensitive policy issues involved in the Data Retention Directive, three Commissioners are likely to be engaged in its review. The EU Commissioner for Home Affairs, Commissioner Malmström, leads the evaluation process, but it is expected that the Vice President of the Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, Commissioner Reding, and the Commissioner for the Digital Agenda, Commissioner Kroes, will also participate actively in the review process.
EFF, AK Vorrat and a coalition of over 100 organizations across Europe recently called for an end to mandatory data retention of telecom and Internet traffic data. In a joint letter sent last month to European Commissioners Malmström, Reding, and Kroes, the coalition urged the Commissioners to "propose the repeal of the EU requirements regarding data retention in favor of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime."
In her July 7 reply to the coalition letter, Commissioner Reding stated that, "the review of the EU Data Retention directive provides the European Commission, but also the 27 EU Member States and the European Parliament, with an opportunity to assess the effectiveness and proportionality of the measures included in the Directive. I will in this context ask for a particular focus on the considerable impact data retention may have on fundamental rights of all European citizens, especially with regard to their privacy."
With the recent adoption of the Lisbon Treaty and the entry into force of the Charter of Fundamental Rights, privacy and data protection have been strengthened in the European Union, including in the sensitive areas of law enforcement and crime prevention.
We must now see whether the European Commission will be faithful to the Charter of Fundamental Rights, and recommend the repeal of the overbroad 2006 Data Retention Directive.
EFF Urges Court to Block Dragnet Subpoenas Targeting Online Commenters
New York - The Electronic Frontier Foundation (EFF) this week served a motion to quash dragnet subpoenas that put privacy and anonymity at risk for the operators of dozens of Internet blogs and potentially hundreds of commenters.
The subpoenas stem from a state lawsuit filed by New York residents Miriam and Michael Hersh alleging a conspiracy to interfere with their business interests. Issued to Google and Yahoo, the subpoenas demand the identities of users of ten email accounts, operators of 30 blogs and a website that had featured discussions of the plaintiffs among other matters, and the identities of everyone who had ever commented on those sites.
"The First Amendment protects individuals' right to speak anonymously and forces litigants to justify any attempts to unmask anonymous critics," said EFF Senior Staff Attorney Matt Zimmerman. "Litigants cannot forcibly identify entire communities of online speakers -- which include many speakers who no one would claim did anything wrong -- simply because the litigants are curious."
In the motion served on Monday, EFF urged the Supreme Court for Kings County, New York, to quash the subpoenas for failing to satisfy the requirements imposed by the First Amendment, as well as the requirements imposed by New York state law and the federal Stored Communications Act.
"Overbroad subpoenas targeting anonymous speakers without cause naturally creates a chilling effect that may discourage others from exercising their constitutional rights to participate in conversations that take place online," said Zimmerman. "We are asking the court to enforce these reasonable safeguards so that the rights of innocent speakers do not become collateral damage in a dispute between others."
Ron Lazebnik and the Samuelson-Glushko Intellectual Property & Information Law Clinic at Fordham University School of Law assisted EFF in the serving of this motion.
For the full motion to quash:
http://www.eff.org/files/filenode/hersh_v_cohen/UOJ-motiontoquashmemo.pdf
Contact:
Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org
FTC: Don't Sell or Use Customer Information of Gay Youth
The Federal Trade Commission has some strong words for the former publishers of a defunct magazine and website for gay youth: don't sell or use personal information provided by your customers. It's probably illegal.
The warning came during a contentious bankruptcy proceeding filed by the publisher of XY Magazine, which was a widely circulated magazine for gay teens published from 1996 to 2007. The publisher also operated XY.com, a dating website for gay youth that at one point had as many as a million users. XY's privacy policies promised customers that their personal information would not be given or sold to anybody.
Now the publisher and his former business partners are fighting over who owns the customer information, which includes names, street addresses, phone numbers, credit card numbers, email addresses, personal stories submitted by readers, online profiles, contact lists, and photos, among other data.
In a letter (pdf) to the publisher's former business partners, the Federal Trade Commission said that any sale or transfer of the customer information would violate XY's privacy promises and likely the Federal Trade Commission Act, which prohibits unfair and deceptive acts and practices.
The FTC also suggested that any continued use of the information — even by the publisher himself — might disclose the customers' identities to third parties, which could also violate XY's privacy policies and the law. The Commission asked that the data be destroyed "to avoid the possibility that this highly sensitive data could fall into the wrong hands."
EFF has been keeping a watchful eye on this case, and is glad to see that the FTC is too.
The XY customer information reveals the sexual preferences of more than a million men. Some of them may be openly gay, but others may not want certain people — like family members or employers — to know their sexual orientation or that they explored their sexuality when they were younger. If disclosed either purposefully or unintentionally, this information could cause severe personal and professional repercussions. The privacy interests of the customers outweigh any limited commercial value this outdated but extremely sensitive information might have to anyone else.
Like the FTC, we believe that the XY customer information should be destroyed. This is the best way to ensure that the data will never be disclosed to anybody — as XY promised — and to protect the customers from potential harm. We hope the bankruptcy court will agree.
The Internet Responds to ASCAP's Deceptive Claims
We were disappointed to read of deceptive comments made last month about EFF by ASCAP, the American Society of Composers, Authors and Publishers. Writing to its members, ASCAP claimed that EFF, Creative Commons and Public Knowledge are "influencing Congress against the interests of music creators." If these efforts are successful, ASCAP warns, "we all know what will happen next: the music will dry up." The letter asks ASCAP's members to help fight this dire threat by making a donation to a "Legislative Fund for the Arts" which will be used to lobby Congress.
ASCAP's attacks were echoed a few days later by David Israelite, President of the National Association of Music Publishers (NMPA). In a talk to music publishers, Israelite called EFF "the new face of our enemy," and spoke of an "extremist, radical anti-copyright agenda."
Fortunately, the claims were laughable to anyone who's actually been paying attention to our work. In the wake of ASCAP's and Israelite's comments, blogs across the Internet have been quick to point out their flaws in detail. Particularly worth reading are responses from Wired's Threat Level, Create Digital Music, TechDirt, Creative Commons and Public Knowledge.
Interestingly, ASCAP's own members were among the first to challenge ASCAP's story. Perhaps the most thorough reply came from longtime ASCAP member L. Peter Deutsch, who, in an open letter to ASCAP, wrote "I was disgusted by your grossly one-sided letter soliciting my contribution to your 'Fund for the Arts.' ASCAP has consistently misrepresented the purpose, the history, and the facts of copyright."
As Deutsch goes on to point out, ASCAP's and NMPA's actions often seem to place the interests of the major record labels over those of the artists they claim to represent. In recent years, they've demanded fees from the Girl Scouts Of America for singing songs around a campfire, as well as from consumers for using unauthorized ring-tones in their cell-phones. Judging from the requests that NMPA made to the US government in April, it appears that their lobbying agenda in DC this year will have more to do with surveilling and censoring the Internet than with preventing music from "drying up".
If these organizations actually want to represent artists' best interests, then they should put their formidable resources towards helping artists and labels understand and adapt to the new challenges posed by the Internet, rather than fighting them. They should explore projects like EFF's proposed Voluntary Collective Licensing system, support innovative startups like BandCamp and Topspin, or educate artists in how to thrive without help from major labels. That's the kind of approach taken by smart groups like Future Of Music Coalition and The Independent Film & Television Alliance.
We're glad this episode has prompted some ASCAP members to take a closer look at whether the organization has been working in their best interests. We hope that ASCAP members keep making their concerns known to ASCAP, and that ASCAP starts paying attention.
China Gives License to Redirected Search of the Free and Open Internet
Ever since Google’s January 2010 decision to cease censorship of its Chinese-language search engine, the world has watched closely to see what would happen next. The ensuing cat-and-mouse game of information repression and dissemination represented a serious challenge to the ability of the Internet to remain free and open in the face of totalitarian government censorship. Would Google cease all operations in China? Would China block access to Google altogether?
These questions came to a climax on June 30, when Google’s license to operate as an Internet Content Provider (ICP) from China’s Ministry of Industry and Information Technology was up for renewal. The days surrounding that deadline were full of complicated signals and maneuvers. First, on June 28, Google carefully walked back an aspect of its anti-censorship policy by requiring Chinese users to specifically choose an uncensored search portal, rather than sending them to it automatically (the full implications for users are not yet known). Later, on July 5, no official word had yet been issued as to the status of Google's license -- but observers noticed that what appeared to be an ICP license number had nonetheless been posted on Google.cn.
Finally, on July 9, it was officially announced that China had renewed Google’s license after all, and that unfiltered searches at Google.com.hk from China apparently remain unfiltered. It's a great victory, both for the people of China and for the free and open Internet. Access to unfiltered search is the gateway to the networked public sphere and the openness of the Internet. In practice, nothing has changed in that many Chinese citizens interested in circumventing the Great Firewall were already able to do so through the use of proxy systems such as Tor. It is the ceremonial acceptance of Google's workaround as nominally adhering to Chinese law that exposes the censorship regime's vulnerability.
Despite this, many remain critical of Google's decision to stay in China. Speculation abounds about whether Google made additional concessions to the Chinese government and about its commercial ambitions for a music service, its mobile phone business, and Chinese-language advertising opportunities.
As Anupam Chander points out in his recent article Googling Freedom, dismissing these historic developments as mere profit maximization strategy misses important lessons for corporate responsibility and human rights, especially regarding Internet technologies. Dissecting the extent to which Google still has ties with China neglects the differences between divestment strategies of removing assets and the communication aspects of Internet access services. It underestimates the impact that information and communication technologies have for enabling the individual self-help to resist the state. The fact of the matter is that Google has remained faithful to principled engagement and its commitments to the Global Network Initiative principles.
As the global flows of information smash against the Great Firewall of China, Google.cn’s license renewal may very well mark a significant recognition by Chinese censors that their dams will have to be built differently. Could they have recognized inevitable defeat of their censorship regime in the face of Internet search at their borders and decided to focus their efforts elsewhere? The confrontation is certainly far from over and this event a postponement, as the power wielded by the Chinese censorship regime is constant in its blocking, surveillance, and cyber attacks.
Further clues as to the Chinese Government's new cyber-strategy can be found in a paper released last week by the China Academy of Social Sciences, which is backed by the Communist Party Government. That paper identified social networking sites as being at the center of China’s new media plans, and also claimed Facebook and other sites are vessels for US military political subversion.
For those Chinese citizens seeking Surveillance Self-Defense from the Great Firewall of China, proxy servers, anonymizers, P2P file sharing services, encrypted VoIP, and VPNs are commonplace. We hope more companies will also do their part in preserving the Global Internet in China.
Supreme Court Should Uphold the First Sale Doctrine
Today EFF joined with Public Knowledge and other groups to urge the Supreme Court to reject a bogus copyright theory, and uphold your right to resell or even give away the products you own — even if they were originally sold abroad.
[Image caption: The copyrighted work at issue is the small circular logo in the bottom of the back of the watch, seen here around 7 o’clock.]
At issue in Costco v. Omega is Costco's sale of genuine Omega watches at a discount from the regular U.S. price. Costco was able to provide this markdown by buying the Omega watches overseas, where they were available at a lower price. Omega sued Costco, claiming that the discount chain violated its copyright, as a small copyrighted image was stamped on the back of its watches. While the first sale doctrine normally allows lawful owners of copyrighted works to redistribute the works as they like, Omega argued that because the watches were not made in the United States, first sale did not apply.
Surprisingly, the U.S. Court of Appeals for the 9th Circuit agreed with Omega, ruling that the watchmaker could use a tiny little logo to control re-sale of its watches. In the amicus brief filed today, EFF and others point out that this is a misreading of the law that, if upheld, would threaten the traditional rights and expectations of consumers and businesses:
In an increasingly interconnected world, where the manufacturing of tangible products and knowledge goods can be distributed easily and widely, consumers should be confident that they retain the same rights to their belongings regardless of where those goods or their labeling were produced. The decision below provides a recipe for ensuring that all goods — consisting of copyrighted content or not — can no longer be lawfully resold, given away, or imported after a lawful sale abroad.
All kinds of products have some bit or piece that could be copyrighted. But that is no reason to impose new restrictions on secondary markets for lawfully acquired products. We hope the Supreme Court realizes as much, and rejects the Ninth Circuit’s outrageous ruling.
Judge Cuts Damages in Sony v. Tenenbaum
Many were shocked last year when a Massachusetts jury awarded $675,000 in damages against Joel Tenenbaum, who had been found liable for copyright infringement after using peer-to-peer networks to download and share thirty of the plaintiffs' songs. In a lengthy ruling issued today, federal district court Judge Nancy Gertner held that the jury’s award — which equaled $22,500 per song — was unconstitutional and reduced it dramatically, to $67,500.
Echoing Chief Judge Michael Davis' comments in Capitol v. Thomas, Judge Gertner observed that the original award was "unprecedented and oppressive." The judge also indicated that the reduced award was still too high, noting it was "more than I might have awarded in my independent judgment. But the task of determining the appropriate damages award in this case fell to the jury, not the Court. I have merely reduced the award to the greatest amount that the Constitution will permit given the facts of this case."
But the most interesting aspect of the ruling may be the court's conclusion that Congress never intended copyright's extraordinary statutory damages provisions — which permit an award of up to $150,000 per work if the defendant has willfully infringed — to apply to noncommercial users of peer-to-peer networks, even if they are found liable for willful infringement. After a lengthy review of the legislative history, Judge Gertner found that there was "substantial evidence indicating that Congress did not contemplate that the Copyright Act’s broad statutory damages provision would be applied to college students like Tenenbaum who file-shared without any pecuniary gain."
Taken together with Chief Judge Davis’s opinion imploring Congress to amend the Copyright Act to address liability and damages in peer-to-peer network cases, today's ruling sends a strong message in favor of restoring sanity to copyright damages. As many of the Doe defendants recently targeted in the United States Copyright Group mass lawsuits can doubtless attest, oppressive damages provisions are one reason even folks with legitimate defenses will settle rather than fight. And the problem with statutory damages goes well beyond the p2p context. One reason many fair users who are the victims of improper takedowns don't fight back is the prospect of going bankrupt if they stand up, fight back and, despite overwhelming odds in their favor, lose. It's a gamble with their life savings that most people just aren't willing to take, even when their works are clear fair uses and even if they get free legal help.
Kudos to Judge Gertner for recognizing that "no plausible rationale" could justify the original award, and that our Constitution does not permit grossly excessive damages — even in copyright cases.
EFF Celebrates 20th Anniversary With New Animation by Nina Paley
EFF's defense of your digital rights is needed now more than ever. From onerous user agreements with monstrous blocks of legalese that take away your rights, to new forms of tracking and surveillance that erode your privacy as you use the Internet, to international efforts to force ISPs to monitor subscribers and become "copyright cops," the threats to our freedom and rights online continue.
Support EFF and help us continue to fight for your digital rights for another 20 years!
And see Nina Paley in San Francisco on July 20th for a showing of her fantastic feature length opus, "Sita Sings the Blues." A benefit for EFF and the Cartoon Art Museum, Nina will introduce the film and answer questions from members of the audience. Get your tickets now!
