[ale] State "Super-DMCA" Legislation: MPAA's Stealth Attack on Your Living Room

Jim Popovitch jimpop at yahoo.com
Sun Apr 20 22:44:42 EDT 2003


http://www.eff.org/IP/DMCA/states/200304_sdmca_eff_analysis.php

State "Super-DMCA" Legislation:
MPAA's Stealth Attack on Your Living Room
Fred von Lohmann
Senior Intellectual Property Attorney
fred at eff.org

Recently, the Motion Picture Association of America (MPAA) has been pressing
states to enact new legislation aimed at criminalizing the possession of what
they call "unlawful communication and access devices." These measures represent
an unprecedented attack on the rights of technologists, hobbyists, tinkerers and
the public at large. In essence, these proposals would allow "communication
service providers" to restrict what you can connect to your Internet connection
or cable or satellite television lines.

These measures represent a stealth effort to dramatically expand the reach of
the federal Digital Millennium Copyright Act (DMCA), which has already put fair
use, innovation, free speech and competition in peril since being enacted in
1998.

The Electronic Frontier Foundation (EFF) strongly opposes these state
"super-DMCA" bills as unnecessary and overbroad. The proposed bills represent
the worst kind of special interest legislation, sacrificing the public interest
in favor of the self-serving interests of one industry.

Resources
For the latest news about the status of the various bills, as well as updates
about what you can do to share your views with state legislators, check EFF's
"Super-DMCA" Action Center page. Another excellent resource is Professor Edward
Felten's page on these bills.

Background
The MPAA's state lobbyists have been stealthily pushing these state super-DMCA
measures since at least 2001. Even before these activities crossed activists'
radar, six states (Delaware, Illinois, Michigan, Oregon, Pennsylvania and
Wyoming) had already enacted them into law. Similar bills have been introduced
and are currently pending in Arkansas, Colorado, Florida, Georgia,
Massachusetts, Tennessee and Texas.

The bills are generally offered as amendments to existing state criminal laws
relating to signal theft, that is, getting cable television without paying for
it. Since these signal theft laws vary from state to state, the super-DMCA
proposals also vary in their wording.

Nevertheless, all of the proposed bills appear to be derived from a single
"model bill" developed by MPAA lobbyists and thus share common traits. First,
they would all impose a new ban on the possession, development, or distribution
of a broad array of "communication" and "unlawful access" devices, along with a
ban on devices that enable anonymous communication. All the bills also create a
new right to bring civil lawsuits to enforce these provisions.

The definitions used in the bill are absurdly broad. The bill protects
"communication services," which includes any "service lawfully provided for a
charge or compensation" delivered via electronic means using virtually any
technology. This would include every wire in your house for which you pay a fee,
including your telephone, cable TV, satellite and Internet lines. This category
also sweeps in any Internet-based subscriptions services, including digital
music services such as pressplay, MusicNow, or Rhapsody.

The super-DMCA bills would regulate the possession, development and use of
"communication devices" and "unlawful access devices." A "communication device"
is virtually any electronic device you might connect to any communication
service. The definition of "unlawful communication device" is somewhat narrower,
sweeping in any device that is "primarily designed, developed, .possessed, used
or offered. for the purpose of defeating or circumventing" a technological
protection measure used to protect a communication services.

The proposed bills generally prohibit four categories of activity:

Possession, development, distribution or use of any "communication device" in
connection with a communication service without the express authorization of the
service provider.  Concealing the origin or destination of any communication
from the
communication service provider.  Possession, development, distribution or use of
any "unlawful access device."  Preparation or publication of any "plans or
instructions" for making any device having reason to know that such a device
will be used to violate the other prohibitions.
These proposals dramatically expand the power of entertainment companies, ISPs,
cable companies and others to control what you can and can't connect to the
services that you pay for. If enacted, they will slow innovation, impair
competition and seriously undermine a consumer's right to choose what
technologies they use in their homes.

These Bills are Unnecessary
Why is this additional law needed? The MPAA has circulated a "one-pager"
explaining in vague terms that additional measures are necessary to "update"
existing state laws to address the problem of "Internet piracy" and "cable
theft." Copyright infringement and cable service theft, however, are already
clearly prohibited under existing laws, both state and federal. The federal laws
include traditional copyright infringement, as well as the DMCA, the Computer
Fraud and Abuse Act (CFAA), and prohibitions on illicit cable and satellite
descrambling equipment. There are a variety of existing state law remedies, as
well, including laws banning signal theft and computer intrusion. Providers of
communication services can also bring breach of contract actions if their
customers violate any restrictions included in their subscription agreements. In
short, state super-DMCA measures are redundant and unnecessary as penalties for
Internet copyright infringement or cable service theft.

The MPAA has failed to identify any specific problem that the proposed bills
reach that is not already addressed by existing law. In fact, when asked by
Massachusetts legislators why an additional law was needed, a representative of
the MPAA could only answer, "I don't know. The lawyers tell me we need this."

It is telling that state law enforcement personnel, the very people who enforce
the existing cable theft laws, have not called for or supported the super-DMCA
proposals.

All Things Not Expressly Permitted are Forbidden
Whatever their intended target, state super-DMCA bills represent an
unprecedented intrusion into the living rooms of law-abiding citizens, giving
communication service providers unilateral control over what you can connect to
your home entertainment systems.

Under existing law, those who have legitimately purchased communication services
(e.g., cable TV, satellite, or broadband Internet services) are free to connect
whatever they like to the wires they pay for, so long as they do not violate any
otherwise applicable law. So, for example, you are free to connect a new TV, PC,
VCR or TiVo to a cable television
connection that you pay for. Similarly, you are free to connect a Wi-Fi wireless
access point to your DSL line in order to share your broadband connection among
several computers in your house. This freedom has encouraged technology vendors
to compete and innovate in response to the demands of consumers.

The proposed super-DMCA statutes reverse this traditional rule. Under these
statutes, you would not be entitled to connect anything to your cable,
satellite, or DSL line without the express permission of your service provider.
The model MPAA bill accomplishes this by making it a crime to possess a device
to "receive . transmit, [or] re-transmit" any communication service without the
"express authorization" of the communication service provider. The various
pending state bills include
similar language.

This provision would make you a criminal for simply connecting a TV, PC, TiVo or
VCR (all of which can "receive" communication services) to the cable TV line in
your living room without your cable company's permission. It could also make you
a criminal for connecting a Wi-Fi wireless gateway (which can "retransmit"
Internet traffic) to your DSL or cable modem line without the permission of your
ISP. The shift proposed by these bills is radical: all technology that is not
expressly
permitted becomes forbidden. This would give communication service providers
unprecedented control over the home entertainment and the technology
marketplace. For example, your broadband ISP could force you to use only certain
brands of computers, or force you to pay extra if you wanted to connect more
than one computer to your DSL line. Cable and satellite TV services could forbid
you from using a TiVo, or could charge you extra to connect a VCR to your TV.

Bolting on the "Intent to Defraud"
In the face of mounting criticism from several quarters, the MPAA has offered to
modify its proposal to reach only those who act with an "intent to defraud" a
communication service provider. Rather than addressing the underlying problems
with the measure, however, the "intent to defraud" revision merely further
muddies the waters.

First, it is critical to note that this "intent to defraud" language has not
been incorporated into all of the bills that are currently pending before state
legislatures. Moreover, it is too late to include this limitation in the state
statutes that have already been adopted.

While the revision addresses some concerns, it leaves many legitimate activities
hip-deep in legal quicksand. For example, what if a subscriber to the MusicNow
digital music service connects an analog cassette deck to her PC in order to
record streaming music for later playback in her car's cassette deck? The fine
print in the MusicNow subscriber agreement purports to forbid subscribers from
making any copies without authorization. Has she acted with an "intent to
defraud" MusicNow? What if HBO begins broadcasting a notice before every episode
of the Sopranos, forbidding HBO subscribers from recording the program? If,
notwithstanding this prohibition, a subscriber connects a TiVo in order to
record the program for later viewing, has he acted with an "intent to defraud"
HBO?

To take a third example, what if a researcher signs up for the pressplay digital
music service in order to evaluate the digital rights management technologies
being used by the service. Notwithstanding the fact that the pressplay user
agreement forbids reverse engineering, the researcher engages in otherwise legal
reverse engineering in order to develop tools that allow him to test the
security of the service, and subsequently publishes his results in an academic
journal. Has the  researcher acted with an "intent to defraud" pressplay?

Each of these activities raises unsettled and controversial questions at the
nexus of federal copyright and state contract laws. The proposed super-DMCA
statutes, however, constitute a sneaky, self-serving attempt by one industry to
legislate an answer to these important questions under cover of dark without
public interest input. Bolting on an ambiguous "intent to defraud" qualifier
does not redeem this flaw.

Attacking Anonymity
Another provision of the various state super-DMCA statutes that has attracted
considerable attention is the ban on devices that "conceal the existence or
place of origin or destination of any communication." At a time when consumer
privacy and the constitutional right to anonymous speech are under attack from a
variety of sources, this provision is particularly misguided.

A simple ban on devices capable of concealing communication would make a wide
range of multi-purpose tools illegal. Widely-used home networking equipment
could be banned because it often includes "network address translation" (NAT)
and firewall features that incidentally conceal the origin and destinations of
Internet communication. Some forms of encryption for email and web traffic might
fall within this provision. The use of "virtual private networking" (VPN)
software by corporations
to secure communication with off-site employees would also be swept up by this
provision. Products like Anonymizer that aim to protect the privacy of Internet
users against advertisers like Doubleclick might also be imperiled. Perhaps
recognizing the absurd overbreadth of this provision, the MPAA has offered to
revise the language in its model bill to apply only where "such concealment is
for the purpose of committing a violation" of the prohibition on connecting a
device without the express
authorization of a communication service provider.

Although this change represents a step in the right direction, it does not
adequately address the failings of the provision. For example, as noted above,
the ban on connecting unauthorized devices to your broadband DSL connection
could reach home networking equipment that was not authorized by your ISP. By
installing a $50 Linksys router that includes NAT and firewall functions, you
could be liable for "concealing" communication even under the revised MPAA
language. Employees who use VPN software to access their corporate network
without the express authorization of their home ISPs would also run afoul of
even the revised provision.

A Chill on Computer Security Research
The proposed legislation will also chill legitimate computer security research.
Security researchers advance their science by testing existing security systems
for weaknesses. By discovering, documenting and reporting these weaknesses,
security researchers teach vendors how to improve their systems, as well as
warning customers when those systems
are compromised.

Unfortunately, the proposed state "super-DMCA" bills will chill legitimate
research in two ways. First, these measures make it unlawful to develop or
possess the tools that security researchers need in order to carry out their
work. Researchers often design their own software tools in the course of
carrying out their research and must distribute these tools to their colleagues
in order to enable peer-review of research results. These tools, moreover, may
be designed for the sole purpose of breaking the security systems that are under
examination. As a result, these tools would be banned by the proposed state
statutes, which lump all tools "primarily designed" to circumvent any protection
system into the category of "unlawful communication devices." Early experience
with the DMCA suggests that computer security research has already suffered at
the hands of overbroad and poorly drafted legislation. The proposed state
super-DMCA statutes will only exacerbate this problem.

Second, the statutes interfere with a researcher's ability to publish the
results of her research by banning the distribution of "plans or instructions"
for making an "unlawful access device." By describing the weaknesses of a
security technology, and describing research in enough detail to enable peer
review, researchers could well run afoul of this prohibition. This creates an
unnecessary burden on the free speech rights of researchers and the publications
that seek to disseminate their work. This provision also represents a
substantial expansion beyond the boundaries of the DMCA, which reaches only
"technology," stopping short of "plans or instructions." In a country where the
First Amendment protects the publication of bomb making plans, it seems
particularly unwarranted to crack down on the publication of information
regarding computer security.

Although the "intent to defraud" limitation may ameliorate these harms to some
extent, for the reasons noted above, this last minute addition raises as many
questions as it answers. Legal ambiguities in this context will only chill
security researchers and their institutions from engaging in sorely needed
research activities.

A Threat to Innovation and Competition
As discussed above, the proposed state super-DMCA proposals forbid a consumer
from connecting anything to a communication service without the service
provider's express authorization. This creates an enormous opportunity for
anticompetitive conduct. Broadband ISPs, for example, could require that their
subscribers use only a particular brand of PC or operating system. AOL could
effectively ban its subscribers from using any instant messanging software other
than its own. Cable TV
providers could limit subscribers to using only certain brands of VCRs and could
ban TiVo in favor of their own proprietary PVR technologies. This outcome would
be particularly ironic in the face of the FCC's decade-long effort to encourage
the development of open, interoperable standards for cable-compatible
televisions.

These scenarios are not far-fetched. Recent experience with the DMCA makes it
clear that companies will not hesitate to use new legal protections in order to
rid themselves of competition. For example, Lexmark recently invoked the DMCA in
an effort to eliminate the aftermarket for Lexmark laser printer toner
cartridges. A leading garage door opener maker has also invoked the DMCA in an
effort to eliminate a competitor in the market for universal garage door
remotes.

Recognizing the importance of interoperability, Congress included a reverse
engineering exception in the DMCA. The MPAA's proposed state super-DMCA measures
include no such exception, making them an even more severe threat to competition
and consumer freedom of choice.

Transferring law enforcement from public to private hands.
The proposed state super-DMCA statutes transfer considerable new enforcement
powers from law enforcement authorities into private hands.

Each of the pending state bills starts from an existing state penal law
provision, extending its reach by adding a civil cause of action to what was
previously a criminal statute. In other words, the bills authorize private
parties to sue in addition to local district attorneys. This change alone has
important consequences. When enacting criminal statutes, legislatures are often
willing to adopt broad and ambiguous language that they might not accept in a
civil provision, counting on the discretion of a district attorney (who is often
an elected official) to prevent abusive application of the law. Private parties
are not subject to these institutional checks. In addition, where a criminal
statute is involved, the state must prove its case "beyond a reasonable doubt"
and courts must interpret statutes narrowly. In civil cases, in
contrast, a private party can prevail under the more lenient "more likely than
not" standard and there is no similar policy of narrow interpretation.

Before new legal enforcement powers are delegated into private hands, prudent
policy-makers should ask whether these new powers are justified and whether they
can be too easily abused to the detriment of the public interest. Here, the MPAA
has made virtually no showing that these additional powers should be transferred
from the state into private hands.

Dangerous Remedies
The proposed state law measures impose a variety of unreasonably one-sided
remedies on defendants.

Remote Downgrades. The MPAA's proposed model bill authorizes a court to order
"the remedial modification of any communication or unlawful access device that
is in the.control of the violator." When coupled with an "auto-update" feature,
this provision could empower state courts to order technology companies to force
"downgrades" on consumers nation-wide. For example, TiVo retains the ability to
upgrade remotely the software on all TiVo units. AOL, Microsoft and Apple also
provide automatic upgrade functionality in their software, aimed at giving
customers the latest security and feature upgrades. If state court
concludes that these vendors have the power to "control" their software, the
court would have the power to order the "downgrade" of devices in homes
nation-wide (and perhaps world-wide). Bestowing this remedial power on a state
court would be unprecedented.

One-Sided Attorneys' Fees. All of the proposed bills include one-sided
"fee-shifting" clauses authorizing a court to force a losing defendant to pay
for the attorneys of the prevailing plaintiff. One proposed measure, in fact,
goes so far as to automatically require that a losing defendant pay the
attorneys' fees of the victorious service provider.

These provisions are not reciprocal, however. When a service provider wins, it
can collect attorneys' fees, but an innocent defendant is never entitled to a
reimbursement of fees. This is remarkable, when you consider that in most cases
the communication service provider will be a large business, while the
defendants are likely to be individuals or small businesses with limited ability
to defend a lawsuit.

Automatic Injunctions. The proposed state bills include provisions that would
effectively entitle plaintiffs to automatic preliminary injunctions, without
having to satisfy the traditional requirements of showing actual damage,
irreparable harm or an inadequate remedy at law.  Especially where software,
instructions and plans are concerned, each of which has been recognized as
protected expression under the First Amendment, this sort of automatic
injunction threatens constitutional
interests.

Abusive damages. The proposed state bills would also give prevailing plaintiffs
the right to demand "statutory damages" in an amount ranging from $1,500 to
$10,000 for each prohibited device. These statutory damages would apply even if
a plaintiff were unable to prove that it had suffered any actual damage at all.
The bills also create enhanced criminal penalties based on the number of
prohibited devices and creates a separate offense for each device and for each
day that a person violates any provision.

Multiplying remedies by the number of devices is an approach that quickly leads
to absurd results in the digital context. Where software is concerned, the
number of copies has no necessary relationship to the harm suffered by a service
provider. For example, if a security researcher were to publish a paper that
included software held to be an "unlawful access device," and that paper were
downloaded by only 100 academic colleagues, the researcher would face damages of
at least $1,500,000. Similarly, because the proposed statutes criminalize mere
possession of an "unlawful access device," a researcher could face
serious penalties simply for installing a tool on several computers in his own
research lab. The number of devices simply has no necessary relationship to the
harm involved, and thus should not be the basis for a penalty multiplier.

What You Can Do
These bills are often whipping through state legislatures with very little
opportunity for public comment. MPAA lobbyists are presenting the measures as
"consensus" bills, suggesting that no one opposes them. Even a few concerned
letters from constituents can upset this lie, leading a state legislator to ask
questions.

Please take a moment to express your opposition to this measure to your state
legislators, should it be introduced in your state.


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale





More information about the Ale mailing list