Author Archive
The Megaupload Chilling Effects Hit
As I noted on Friday, the seizure of popular cyberlocker Megaupload demonstrates that, even without controversial new legislation, our government already has extraordinarily broad powers to take down U.S.-registered websites (including any site in the .com and .org domains) before anyone has been tried for illegal conduct, let alone convicted. While the evidence presented in the indictment charging Megaupload’s executives with criminal racketeering and copyright infringement certainly seems damning, I also worried about the broader chilling effect such seizures could have on cloud storage services generally.
It didn’t take long for those effects to become apparent. The cyberlocker Filesonic has now disabled file sharing functionality: Users can still upload files for personal storage, but can’t create public links to enable others to access those files. (Though I’m not sure what prevents someone from simply creating a dummy account, uploading files, and then publicly posting the login information.) Another cyberlocker, Uploaded.to, is just blocking all traffic from U.S. Internet addresses, though it’s not at all clear how much legal protection that’s likely to afford them. You can hardly blame them for being skittish: The Megaupload indictment suggests that the U.S. government considers a wide array of cyberlocker business practices to be ipso facto evidence of criminal intentions, even though there are arguably legitimate reasons for many of them. Yet the government doesn’t think it has to wait for a trial, or give the folks who run a site an opportunity to explain their practices, before seizing an entire domain—which would be an effective death sentence for many startups.
If you think all cyberlockers are nothing more than piracy tools, and there’s no legitimate reason to make use of cloud storage for anything but personal backups, this might sound like an entirely healthy development. It’s a little more worrying to those of us who see many valid reasons that law abiding individuals—even those who lack contracts with major record labels and movie studios, or the funds and tech savvy to run their own servers—might want to share large files with friends and colleagues, or distribute them to the general public.
To be sure, such services aren’t going to vanish entirely. Established corporations like Google have sophisticated filter algorithms that can help identify copyrighted content—though those are trivially defeated by file compression and encryption—and large, well paid legal teams to handle copyright compliance and fend off lawsuits, like the one Google’s own YouTube continues to fight with content behemoth Viacom. The question is whether these are the only companies we want offering such services. Is the market for cloud-based platforms that enable sharing (which is one of the big selling points of cloud computing) a market we’re prepared to see effectively closed off to startups that can’t preemptively police every user-uploaded file to Hollywood’s satisfaction? Because that is the predictable effect of a regulatory environment where investors know a nascent site can be summarily yanked offline by a district judge who thinks a Tumblr is some sort of gymnastics aficionado.
If you’re only thinking about current, known uses of the Internet, this might not seem like that big a deal: Why do we need lots of different platforms for sharing large files? But then, just a few years ago it was hard to envision why we might want a platform for sharing streams of 140-character messages (“Just a bunch of people gabbing about what they had for lunch, ho-ho-ho!”) or a platform where anyone, not just Professional Content Creators, could upload short videos (“Amateur videos? Sounds like an excuse to steal movies!”) or half the other technologies that are so profoundly shaping 21st century life.
The last innovation is always safe. That’s why it’s easy to claim concrete examples of the harm regulation might do are hyperbolic fearmongering: Nobody’s going to shut down YouTube or Twitter now, because we’ve already seen the incredible value creation they enable, even if they also make it a bit easier to infringe copyrights. And anyway, the success stories eventually get big enough to afford their own fancy lawyers. It’s the next platform that we risk strangling in the cradle, because every new medium starts out recapitulating old media content before it becomes truly generative. Early radio is full of people reading newspapers and books out loud. Early TV and film looks like what you get when someone points a camera at a stage play.
File lockers still look like nothing but piracy tools to a lot of people, because most of us aren’t yet generating and sharing gigabytes worth of content on a daily basis. But it doesn’t take a whole lot of imagination to imagine a world where that’s not at all the case, a world where cheap, ubiquitous, powerful computing and rising bandwidth and falling storage costs make collaborative creation of high definition sound, video, and—who knows—maybe entire 3D environments a nigh universal recreational activity. (Like TV has been for the last couple generations, only with fewer dead brain cells.)
That world can be run by Google and Sony and a few other behemoths capable of negotiating byzantine licensing deals (and filtering protocols), with incumbents ill-disposed to see the value in anything that isn’t easily shoehorned into their existing business models. Or we can have a more dynamic, open world where someone with a cool idea for a platform can give it a try without spending more money on lawyers than servers first. The interesting, important question isn’t—as regulatory advocates want to make it—whether Megaupload should go out of business. Odds are it will and should, after a proper trial. It isn’t even whether sites like Rapidshare or Hotfile ought to follow suit. The interesting, important question is whether we’re going to have a legal climate that’s capable of giving rise to the second kind of cultural ecosystem, or one that’s only hospitable to the first kind.
“Jones”ing for a Fourth Amendment Upgrade
Today’s unanimous Supreme Court ruling in United States v. Jones makes it clear that government installation and use of GPS tracking devices is a Fourth Amendment “search”—but it may be the concurring opinions, rather than Justice Scalia’s majority opinion, that are most significant for Americans’ privacy in the 21st century.
As Jim Harper notes, Justice Scalia ruled on the relatively narrow grounds that installing the tracking device involved physical intrusion on the suspect’s property, triggering Fourth Amendment protections. Yet as Justices Alito and Sotomayor observe in separate concurrences—and as I pointed out in a previous post on this case—there are plenty of means for tracking a target’s location in public that don’t require such intrusion. One of the most popular with law enforcement is cell-phone tracking, either by means of a court order demanding records from the phone company directly, or through the use of devices known as “Stingrays” or “Triggerfish.” There’s also the use of license-plate recognition cameras, and even aerial surveillance drones. The broader question that’s crucial to determining the extent of our privacy rights in the long term, then, is the one Scalia’s opinion pointedly declines to reach: Does prolonged, technologically-assisted location surveillance impinge on a citizen’s “reasonable expectation of privacy,” even when it does not require physical intrusion?
Justice Alito, joined by three other justices, says that it can indeed—and in this case, did. The placement of a tiny device on the undercarriage of a car parked in a public place, Alito argues, does not sufficiently “interfere” with a suspect’s property interests to constitute a Fourth Amendment “seizure,” nor is it a “search” until police activate and begin monitoring the device. If the police had simply slipped a business card into the tire, after all, the physical intrusion would be too minor in itself to count as an actionable trespass. Instead, Alito insists, it is necessary to proceed to the harder question of whether such intensive location monitoring violates our reasonable social expectations of privacy, even as we move around in public. Though the concurrence is reluctant to say exactly when that expectation is breached, Alito notes that round-the-clock surveillance over a full month would be so costly to carry out by conventional physical observation that it exceeds what reasonable people expect—and so triggers the Fourth Amendment’s warrant requirement.
Perhaps most intriguing is Sotomayor’s brief concurrence. For Sotomayor, either the property rationale relied on by Scalia or the “expectations” analysis deployed by Alito would suffice to find a Fourth Amendment violation here. That’s crucial, because it means that there are at least five votes on the current Court for the view that we have some Fourth Amendment protection against intensive, high-tech location tracking, even in public, and even when the method doesn’t require physical intrusion. Yet even more important than that may be this passage:
More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. [...] This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. [...] But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.
This is a pretty big deal. Fourth Amendment scholars have been warning for decades—and with increasing alarm—that modern communications technology could turn constitutional privacy protections into an empty formality if we’re regarded as waiving those protections whenever we “expose” information to a third party. It is inherent to the nature of the Internet and mobile telecommunications, after all, that almost everything we do online—and, increasingly, much that we do offline as well—leaves a trace in the vast databases of one corporation or another.
Sotomayor’s concurrence signals a recognition that we need to move beyond what privacy scholar Daniel Solove has called “The Secrecy Paradigm,” which assumes that whatever is not totally secret (or very nearly so) is effectively “public.” In other words, if your Internet provider has a record of every Web site you visit, there’s no invasion of privacy when the government decides to have a look at the list. At least one Justice, evidently, recognizes that this is an indefensible inference—and one hopes she’s not alone.
FBI Reminds Us Government Already Has MegaPower to Take Down Websites
Online activists were still busy celebrating a successful day of protest against proposed (and now shelved) Internet censorship legislation when the Justice Department pulled the popular cyberlocker site Megaupload offline Thursday, and indicted its owners on charges of criminal copyright infringement. It was a serendipitously timed demonstration of two important facts.
First, the U.S. legal system is perfectly capable of reaching criminal suspects overseas. Megaupload is incorporated in Hong Kong, and its CEO was arrested (along with three employees) in New Zealand. That’s significant because supporters of laws like the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA) typically claim they’re helpless to do anything about overseas sites by more conventional means, necessitating aggressive new enforcement powers with streamlined hearings that give short shrift to due process. Now, if the people behind Megaupload are, in fact, guilty of criminal activity—and the indictment certainly looks damning—the government will have the opportunity to prove it beyond a reasonable doubt before a jury, which will also get to hear any exculpatory facts or arguments the defendants are able to offer. It can be a slow process, but it’s also how we’re supposed to do things in the United States: we don’t just issue orders branding people or sites as “rogues,” we convict them.
Second, if you’re worried about the government taking down U.S.-registered sites, which include any site in the .com and .org domains, wherever their servers might be located, then SOPA and PIPA aren’t really what you should be concerned about: the government already has that power under the PRO-IP Act of 2008. There are good reasons SOPA and PIPA attracted more attention: Instead of “seizing” domains directly at the registry, they would have imposed blocking and filtering obligations on thousands of ISPs and search engines, creating a whole host of technological and security problems. There was also the private right of action, which seemed more susceptible to abuse by overzealous copyright owners who were able to find a friendly judge. But the central power of the government to shut down web domains is already there in PRO-IP, and has been used to seize hundreds of sites already—wrongfully in at least some cases. Incidentally, those absurdly inflated phony statistics I wrote about earlier this month—the ones the Government Accountability Office has debunked, which even the content industries have finally stopped using—were heavily cited as evidence for why PRO-IP was needed, featuring prominently in press releases by the bill’s authors.
The owners of Megaupload don’t seem like particularly sympathetic characters, but the abrupt seizure of the domain before trial ought to give us a bit of pause. The site was plainly used to enable an enormous amount of copyright infringement—and judging by the indictment, the site’s operators appear to not only have known about this, but encouraged it in order to bolster their ad revenues. But that doesn’t mean that’s all the site was used for. Plenty of people made legitimate use of the site for cloud storage, or to (legally) share large files with friends, family, or colleagues. Indeed, no small number of major-label recording artists declared in song that they used the site for just such purposes. Journalist Adam Penenberg tweeted this morning that he was in the habit of using the site to share recordings of his interviews with a transcription service. If you Google around, of course, you’ll mostly see evidence of the more illicit uses—but that’s because people don’t post a link publicly on the Internet when they’re trying to share a file in a more limited way. Taking the entire domain down has affected all those legitimate uses along with the illicit ones.
What’s Next for SOPA and PIPA?
With popular sites all over the Internet “going dark” to protest well-intentioned but ill-considered antipiracy legislation, the Stop Online Piracy Act and PROTECT-IP Act are shedding supporters faster than Anthony Weiner on a Twitter spree. But as I explain in a Cato podcast today, neither is dead yet: Rep. Lamar Smith has pledged to continue marking up SOPA next month, and PIPA is still set for a cloture vote next week.
In a huge about-face, given their prior intransigence on this point, both have said they’re prepared to remove, at least temporarily, an onerous and controversial provision to require DNS blocking of accused “rogue sites,” which is an encouraging sign. But if DNS blocking was the worst piracy-fighting proposal on the table, it’s hardly the only one.
The Justice Department and private copyright owners can still seek to have entire foreign sites branded as infringers, triggering an array of remedies that would still deter technological investment and innovation, and still impose serious burdens on American companies and ordinary Internet users. Contrary to the claims of SOPA and PIPA supporters, copyright holders have often been perfectly able to sue the foreign “rogue sites” they cite as evidence new legislation is needed… the problem is that sometimes, they lose. Instead of all that messy litigation, SOPA and PIPA would establish a one-sided hearing mechanism that mocks true due process. Any site a single friendly judge deems “rogue” would still be starved of advertising and subscription revenue. American search engines and other “information location tools” would still have to filter their content to redact any links to the shunned site. As Wikileaks has learned, repressive regimes have long known, and the Supreme Court acknowledged in Citizens United, economic regulation can silence speech (and run afoul of the First Amendment) as effectively as overt censorship.
That means we’re bound to see many more stories like the one entrepreneur Dmitri Shapiro tells: His innovative company Veoh won repeated copyright lawsuits filed by movie studios, but was still killed off by the cost of litigation. SOPA and PIPA will ensure that future lawsuit targets lack the means to fight back—which almost certainly means they’ll never get off the ground in the first place.
Such fears are hardly “hypothetical,” as Rep. Smith likes to argue, given industry’s ugly history of abusing copyright law to squelch competition and criticism. Remember, at the end of the day, that the market position of major studios and record labels is very much bound up with their control of traditional distribution channels. Artists don’t need to be signed to a major label in order to record a great album—but the labels are key to marketing the album and getting it into stores.
Any large platform that gives creators an easy way to reach audiences directly, or gives consumers easier mobile access to their legal content, will inevitably do two things: It will enable some amount of copyright infringement, because that’s what digital communications technologies tend to do, and it will cut out incumbent middlemen by circumventing their distribution channels. Industry complains loudly (and often rather dishonestly) about the first effect; the more serious long term threat to their business models is the second.
We’ve already seen a decade of futile efforts to stop unauthorized circulation of copyrighted materials online by “cracking down” ever harder. More new regulations aren’t likely to do the job—but the collateral damage they inflict will keep rising. As a recent and very thorough study by the Social Science Research Council argues, and Netflix has already shown within the United States, the most effective remedy for piracy is to make content easily available online at an attractive price. Since it’s become a “political fact” that we Must Do Something Right Now to reduce online infringement, why not try that?
Internet Regulation & the Economics of Piracy
Earlier this month, I detailed at some length why claims about the purported economic harms of piracy, offered by supporters of the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA), ought to be treated with much more skepticism than they generally get from journalists and policymakers. My own view is that this ought to be rather secondary to the policy discussion: SOPA and PIPA would be ineffective mechanisms for addressing the problem, and a terrible idea for many other reasons, even if the numbers were exactly right. No matter how bad last season’s crops were, witch burnings are a poor policy response. Fortunately, legislators finally seem to be cottoning on to this: SOPA now appears to be on ice for the time being, and PIPA’s own sponsors are having second thoughts about mucking with the Internet’s Domain Name System.
That said, I remain a bit amazed that it’s become an indisputable premise in Washington that there’s an enormous piracy problem, that it’s having a devastating impact on U.S. content industries, and that some kind of aggressive new legislation is needed tout de suite to stanch the bleeding. Despite the fact that the Government Accountability Office recently concluded that it is “difficult, if not impossible, to quantify the net effect of counterfeiting and piracy on the economy as a whole,” our legislative class has somehow determined that—among all the dire challenges now facing the United States—this is an urgent priority. Obviously, there’s quite a lot of copyrighted material circulating on the Internet without authorization, and other things equal, one would like to see less of it. But does the best available evidence show that this is inflicting such catastrophic economic harm—that it is depressing so much output, and destroying so many jobs—that Congress has no option but to Do Something immediately? Bearing the GAO’s warning in mind, the data we do have doesn’t remotely seem to justify the DEFCON One rhetoric that now appears to be obligatory on the Hill.
The International Intellectual Property Alliance, a kind of meta-trade association for all the content industries and a zealous prophet of the piracy apocalypse, released a report back in November meant to establish that copyright industries are so economically valuable that they merit more vigorous government protection. But it actually paints a picture of industries that, far from being “killed” by piracy, are already weathering a harsh economic climate better than most, and have far outperformed the overall U.S. economy through the current recession. The “core copyright industries” have, unsurprisingly, shed some jobs over the past few years, but again, compared with the rest of the economy, employment seems to have held relatively stable at a time when you might expect cash-strapped consumers to be turning to piracy to save money.
Since the core function of copyright is to incentivize the production of creative works, it’s also worth looking for signs of declining output associated with filesharing. Empirically, it’s surprisingly hard to find an effect. Rather, a recent survey study by Felix Oberholzer-Gee of the Harvard Business School concluded that “data on the supply of new works are consistent with the argument that file sharing did not discourage authors and publishers” from producing more works, at least in the U.S. market.
So, for instance, Nielsen SoundScan data shows new album releases stood at 35,516 in 2000, peaked at 106,000 in 2008, and (amidst a general recession) fell back to mid-decade levels of about 75,000 for 2010. That’s against a general background of falling sales since 2004—mostly explained by factors unrelated to piracy—which finally seems to have reversed in 2011. The actual picture is probably somewhat better than that, because SoundScan data are markedly incomplete when it comes to the releases by indie artists who’ve benefited most from the rise of digital distribution.
How Copyright Industries Con Congress
I’ve yet to encounter a technically clueful person who believes the Stop Online Piracy Act will actually do anything to meaningfully reduce—let alone “stop”—online piracy, and so I haven’t bothered writing much about the absurd numbers the bill’s supporters routinely bandy about in hopes of persuading lawmakers that SOPA will be an economic boon and create zillions of jobs. If the proposed solution just won’t work, after all, why bother quibbling about the magnitude of the problem? But then I saw the very astute David Carr’s otherwise excellent column on SOPA’s pitfalls, which took those inflated numbers more or less as gospel. If only because I’m offended to see bad data invoked so routinely and brazenly, on general principle, it’s important to try to set the record straight. The movie and music recording industries have gotten away with using statistics that don’t stand up to the most minimal scrutiny, over and over, for years, to hoodwink both Congress and the general public. Wherever you come down on any particular piece of legislation, this is not how policy should get made in a democracy, and it’s high time they were shamed into cutting it out.
The bogus numbers Carr cites—which I’ll get to in a moment—actually represent a substantial retreat from even more ludicrous statistics the copyright industries long peddled. In my previous life as the Washington editor for the technology news site Ars Technica, I became curious about two implausible sounding claims I kept seeing made over and over—and repeated by prominent U.S. Senators!—in support of more aggressive antipiracy efforts. Intellectual property infringement was supposedly costing the U.S. economy $200–250 billion per year, and had killed 750,000 American jobs. That certainly sounded dire, but those numbers looked suspiciously high, and I was having trouble figuring out exactly where they had originated. I did finally run them down, and wrote up the results of my investigation in a long piece for Ars. Read the whole thing for the full, farcical story, but here’s the upshot: The $200–250 billion number had originated in a 1991 sidebar in Forbes, but it was not a measurement of the cost of “piracy” to the U.S. economy. It was an unsourced estimate of the total size of the global market in counterfeit goods. Beyond the obvious fact that these numbers are decades old, counterfeiting of physical goods imported in bulk and sold by domestic retail distributors is, rather obviously, a totally different phenomenon with different policy implications from the problem of illicit individual consumer downloads of movies, music, and software. The 750,000 jobs number had originated in a 1986 speech (yes, 1986) by the secretary of commerce estimating that counterfeiting could cost the United States “anywhere from 130,000 to 750,000” jobs. Nobody in the Commerce Department was able to identify where those figures had come from.
These are the numbers that were driving U.S. copyright policy as recently as 2008—and I’m still seeing them repeated in “fact sheets” circulated by SOPA boosters. Finally, in 2010, the Government Accountability Office released a report noting that these figures “cannot be substantiated or traced back to an underlying data source or methodology.” Now, if a single journalist could discover as much with a few days work, minimal due diligence should have enabled highly paid lobbyists to arrive at the same conclusion. The only way to explain the longevity of these figures, if we charitably rule out deliberate deception, is to infer that the people repeating them simply did not care whether what they were saying was true. If I were a legislator, I would find this more than a little insulting.
As Carr’s piece suggests, SOPA’s corporate backers have fallen back on new numbers, but they’re still entirely bogus:
The Motion Picture Association of America cites figures saying that piracy costs the United States $58 billion annually. Mark Elliot, an executive from the U.S. Chamber of Commerce, said in a letter to The New York Times that such piracy threatened 19 million American jobs.
Only $58 billion! We’re making progress! So where does that figure come from? The source here is a paper released by the Institute for Policy Innovation, and authored by one Stephen Siwek, an MBA and principal of a consulting firm called Economists Incorporated that produces economic analysis for hire on behalf of (among others) businesses seeking to influence policy makers. That does not, in itself, invalidate the research, but we should at least begin with the recognition that we are not dealing here with impartial academic studies produced by a university or government research agency.
SOPA: An Architecture for Censorship
The Stop Online Piracy Act—a bill misleadingly named for its aspirations, not its probable effect—has provoked an outpouring of justified opposition, much of it centered on two primary concerns: The virtual certainty that it will result in the ancillary blocking of much legitimate free speech, and the damage it would do to the basic architecture of the open Internet. One point I haven’t seen pressed forcefully enough thus far, however, is that architectural and free speech concerns are not entirely independent. The practical effect of SOPA will be to create an architecture for censorship—both legal and technological—that will radically alter the costs of engaging in future censorship unrelated to piracy or counterfeiting.
SOPA is a 70 page statute establishing a detailed legal process by which the Justice Department can initiate blocking of supposed pirate domains by ISPs and search engines, and by which private parties can seek orders requiring payment processors and ad networks to sever ties. After flying largely below the radar of public attention for many months, we’re finally seeing sustained scrutiny and fierce debate over the bill. But the portion of the bill laying out the specific types of criminal conduct that trigger this Rube Goldberg censorship machine occupies just a couple of paragraphs. With the legal framework in place, expanding it to cover other conduct—obscenity, defamation, “unfair competition,” patent infringement, publication of classified information, advocacy in support of terror groups—would be a matter of adding a few words to those paragraphs. One sentence slipped in as a rider on some must-pass omnibus bill would do it: “Section 102(2)(B) is amended to add ‘or civil action under 17 USC §271’.”—voila, a nuclear weapon for patent trolls.
Then there’s the technological architecture. If SOPA passes, thousands of commercial ISPs, colleges, small businesses, nonprofits, and other entities that maintain domain servers are going to have to reconfigure their networks, potentially at substantial cost, in order to easily comply with the new law. There is an introductory clause in the latest version of the bill stipulating that no network operator will be required to implement a specific technology or redesign their networks in any particular manner in order to be considered in compliance. But let’s think realistically about what compliance will look like. Genuine “rogue sites” often operate via dozens of different domains, which means we’re apt to see regular updates to the government’s standing blacklist, potentially adding dozens or hundreds of domains in one go. Any sane network operator is just going to build a filter that reads off the current list of banned domains from a government feed and automatically stops resolving them. (This will, incidentally, be an enormously attractive attack surface for hackers: Spoof the SOPA feed—either at the source or to a particular provider—and you’ve got an instant bulk denial of service attack!)
Once the up-front costs of implementing that filter mechanism are paid, the marginal cost of additional censorship is effectively zero for the providers. It won’t much matter to the providers, at that point, whether the blacklist contains 10 domains or 10,000. The technology itself, needless to say, will be indifferent to the rationale for blacklisting. The filter will just automatically implement the list of domains it’s given; it won’t know or care whether they’re being blocked for hosting pirated movies, Hamas propaganda, or the Pentagon Papers.
These twin architectures will obliterate major institutional barriers to Internet censorship generally, not just censorship for antipiracy purposes. Political actors—or special interest groups—who want to expand the scope of blocking will no longer have to justify putting in place a wholly new system of Internet blocking. Instead, the rhetorical question will become: Now that we’ve got this whole filter architecture in place for music and movie pirates, how can we possibly justify not using it for sites that host terrorist propaganda or classified documents, for sites that implement a patented business model without permission, for sites enabling speech some U.S. court has held libelous, and for whatever new moral panic is gracing the cover of Time in five years? Surely you’re not suggesting that illicit downloads of Norbit are a bigger problem than whatever outrage Joe Lieberman is fulminating against this week, are you?
Changing legal and technological architectures also changes the costs of future political decisions that make use of those architectures. Speech is more likely to stay free when censorship isn’t. The cheaper the muzzle, the dimmer the prospects for online expression.
How Would SOPA Be Used?
Proponents of the Stop Online Piracy Act (SOPA) and its Senate counterpart PROTECT-IP often affect incredulity that anyone would “defend piracy” by describing their valiant attempts to stamp out “rogue sites” as a threat to free speech or innovation. Recording Industry Association of America head Cary Sherman, for instance, recently insisted to The New York Times that the bills are “specifically designed to focus on the worst of the worst sites whose model is predicated on theft.” This would be more convincing if the content industries weren’t so clearly continuing their long, proud tradition of making aggressive and overbroad copyright claims that would impede speech and innovation.
In the 80s, Universal Studios famously sued Sony to block the sale of Betamax VCRs, which could be used to “facilitate” the infringement of copyrights in shows and movies aired on broadcast television. Blocking VCR sales, of course, might also have strengthened the market position of the DiscoVision laserdisc system being developed by MCA, Universal’s parent company. The Supreme Court eventually vindicated Sony, but Universal did manage to persuade one lower court to rule in their favor. If SOPA’s blocking provisions could be implemented in the physical world, every VCR (and maybe every Sony product) would have stopped working after that first favorable ruling, until Sony could meet the burden of proving its innocence in a U.S. court. Of course, under a rule like that, consumers might have been wary of buying a VCR in the first place.
And today? It’s the Universal Music Group heading to court, after using a dubious copyright claim to take down an embarrassing video in which pop stars sing the praises of the site Megaupload. Megaupload, you see, is a file locker site, and the recording industry has made it crystal clear that it’s at the top of the industry’s list of “rogue sites” that should be targeted under SOPA. Indeed, when the content industries talk about why SOPA is needed, they invariably cite file lockers generally as the very epitome of a “rogue site.” It is, therefore, a little awkward to have their own artists pointing out the obvious: File lockers can be used by pirates to share infringing files, but also host an enormous amount of perfectly legitimate content, uploaded by users who would be effectively silenced (and cut off from their own files) if the entire site were blocked. Similarly, the recording industry thinks copyright gives it the power to veto cloud-based music storage services, which serve as a kind of virtual hard drive from which users can remotely access and play their own legally purchased and uploaded music. It’s a great convenience for consumers—but the labels think they can use copyright to stop it unless they’re paid a cut.
Why Hayek Would Hate SOPA
Watching the House Judiciary Committee’s markup session on the latest version of the Stop Online Piracy Act, I’m struck by how the bill exemplifies what F.A. Hayek called the “Fatal Conceit” of government planners and regulators. As Rep. Jason Chaffetz noted with incredulity, a bill that would perform major surgery on the Internet is moving forward, at breakneck speed, without any doctors in the room. Legislators who think it’s cute to make jokes about how little they understand network technology are endorsing regulation of that technology, in statutory language that has only just been introduced in its current form, without so much as a hearing from the actual engineers who are loudly warning of its grave defects. But the “fatal conceit” is inherent in the attempt to issue this kind of top-down mandate on the Internet, even with the best expert advice.
In many ways, the Internet is a perfect embodiment of Hayek’s concept of an evolved “spontaneous order.” Its enormous complexity is the product of relatively simple rules that allow individuals to deploy their local knowledge productively without having to understand the total system. Each layer in the “stack” of protocols in the Internet is independent, which means I can write a network application or generate content without having to understand the details of Internet addressing, packet routing, or how WiFi and Ethernet work: I just need to know how to pass application data to the next layer.
Moreover, the standards themselves are the product of gradual evolution, as engineers voluntarily adopt them following a long process of deliberation and consensus-building. Often, that makes the process necessarily quite slow. As former assistant DHS secretary and NSA general counsel Stewart Baker observes, the vital DNSSEC standard, designed to secure the Internet addressing system and guard against malicious hijacking of Internet traffic, has been in the works for 15 years. But SOPA would create massive regulatory uncertainty about the status of client software robustly implementing that standard. In short, argues Baker, “SOPA will kill DNSSEC,” to the detriment of global cybersecurity. Legislators seem to imagine that they can simply add language saying that their mandates aren’t meant to impair cybersecurity, as if uttering the magic words were enough to make it so. But you can’t just inject a top-down national mandate into a global evolutionary process and expect to achieve the effects the planners intend without disruptive consequences.
This isn’t just a narrow issue with one specific protocol, though. The general approach of SOPA is to attempt to solve a content problem—copyrighted material circulating illicitly—with a mandate targeting a completely different level of the Internet’s architecture, where domain names are translated into network addresses. That guarantees a poor fit between regulatory aims and outcomes, and enormously magnifies the likelihood of unpredictable and unintended consequences. That unpredictability is increased because—in what might otherwise seem like a wise example of regulatory flexibility—SOPA leaves it to providers to pick the best method of blocking forbidden sites, which means we’re likely to see different providers testing a variety of approaches. A dramatic example of how attempts at blocking can generate unexpected cascading failures was provided in 2008, when Pakistan ordered the blocking of YouTube—and inadvertently broke access for millions of users around the world.
Some legal scholars have suggested a “Layers Principle” to guide Internet policymaking. In brief, legislators and regulators should respect the independence of Internet layers by targeting solutions, as nearly as possible, at the layer where the problem exists. The Digital Millennium Copyright Act takes this sort of approach by providing a notice-and-takedown mechanism that targets specific cases of infringing content. SOPA, by contrast, violates this principle by seeking to solve a content problem by regulating the Internet’s addressing system. A Congress that displayed a modicum of humility about its ability to effectively redirect the operation of such a complex, organic, evolving system would accept that these blunt and broad interventions, however well-intentioned, are more likely to damage the system than achieve the intended result.
The New SOPA: Now With Slightly Less Awfulness!
On Thursday, the House Judiciary Committee is slated to take up the misleadingly named Stop Online Piracy Act, an Internet censorship bill that will do little to actually stop piracy. In response to an outpouring of opposition from cybersecurity professionals, First Amendment scholars, technology entrepreneurs, and ordinary Internet users, the bill’s sponsors have cooked up an amended version that trims or softens a few of the most egregious provisions of the original proposal, bringing it closer to its Senate counterpart, PROTECT-IP. But the fundamental problem with SOPA has never been these details; it’s the core idea. The core idea is still to create an Internet blacklist, which means everything I say in this video still holds true:
Big Brothers, PRODIGAL Sons, and Cybersecurity
I wrote on Monday that a cybersecurity bill overwhelmingly approved by the House Permanent Select Committee on Intelligence risks creating a significantly broader loophole in federal electronic surveillance law than its boosters expect or intend. Creating both legal leeway and a trusted environment for limited information sharing about cybersecurity threats—such as the identifying signatures of malware or automated attack patterns—is a good idea. Yet the wording of the proposed statute permits broad collection and disclosure of any information that would be relevant to protecting against “cyber threats,” broadly defined. For now, that mostly means monitoring the behavior of software; in the near future, it could as easily mean monitoring the behavior of people.
A recent—and somewhat sensationalistic—Fox News article rather breathlessly describes a newly-unveiled security system dubbed PRODIGAL, or Proactive Discovery of Insider Threats Using Graph Analysis and Learning, which “has been built to scan IMs, texts and emails . . . and can read approximately a quarter billion of them a day.” The article explains:
“Every time someone logs on or off, sends an email or text, touches a file or plugs in a USB key, these records are collected within the organization,” David Bader, a professor at the Georgia Tech School of Computational Science and Engineering and a principal investigator on the project, told FoxNews.com.
PRODIGAL scans those records for behavior — emails to unusual recipients, certain words cropping up, files transferred from unexpected servers — that changes over time as an employee “goes rogue.” The system was developed at Georgia Tech in conjunction with the Defense Advanced Research Projects Agency (DARPA), the Army’s secretive research arm that works on everything from flying cars to robotic exoskeletons.
Don’t panic just yet: This is strictly being deployed on the networks of government agencies and contractors that handle sensitive information—places where every employee is well aware that their use of the network is subject to close scrutiny, and with good reason. There’s not really anything to say in principle against the use of such systems in this context, or for that matter on closed business networks where users are on clear notice that such monitoring occurs.
It would, by contrast, be a clear and quite outrageous invasion of privacy for such large-scale behavioral monitoring to be conducted on the residential or mobile broadband networks Americans rely on to provide their personal Internet connectivity—a fortiori if the goal is to share the results with the government without a court order. As I read it, however, House Intel’s cybersecurity bill would at least arguably permit precisely that.
Under the current language, as long as an Internet provider had a credible good faith belief that it was collecting and sharing behavioral information for one of several broadly defined “cybersecurity purposes”—say, by creating behavioral profiles of potential hackers, disruptive cyberactivists, or “misappropriators” of intellectual property—they’d enjoy full civil and criminal immunity for such actions. That would make any contractual promises to abstain from such monitoring unenforceable—in the highly unlikely event that ordinary users were even able to determine reliably what sort of information was being shared. It would be, to put it as mildly as possible, extraordinarily poor civic hygiene to enable the construction of this kind of quasi-public/quasi-private monitoring and profiling architecture.
This is not, I believe, the sort of thing the bill’s own architects aspire to bring about. But the abstract language employed in pursuit of technological neutrality here avoids the risk of obsolescence only by sacrificing predictability. Courts have recently begun signalling that they’re belatedly inclined to start insisting on full Fourth Amendment search warrants whenever government seeks digitally stored private contents, closing down statutory loopholes that sometimes gave investigators easier access. And now, just as one backdoor closes, a new backchannel granting access to otherwise private and protected material without any judicial process opens up? It does not take a cynic to predict that there will be a potent and persistent incentive to stretch any such channel as wide as the elastic bonds of the English language will permit.
The cleanest way to foreclose this is not to paste in a bunch of after-the-fact usage controls, minimization protocols, or special reports to Congress—though those aren’t bad ideas either. It’s to admit that Congress lacks psychic powers, which may entail that statutes regulating protean areas of technology have to be (or ought to be) swapped for the newer model about as often as iPhones. The specific, narrow categories of sharing everyone thinks are important and unobjectionable from a privacy perspective can be specifically, narrowly authorized now. In a decade, when we’re beaming thoughts directly to each other via quantum-entangled biomechanical brain implants, we can decide what specific statutory language solves the novel security problems of that technology, in a manner consistent with the Fourth Amendment.
The Security Theater Cycle
“What we obtain too cheap,” Thomas Paine famously wrote, “we esteem too lightly”—and it turns out that the converse holds true as well. It’s a well known and robustly confirmed finding of social psychology that people tend to ascribe greater value to things they had to pay a high cost to obtain. So, for instance, people who must endure some form of embarrassing or uncomfortable hazing process or initiation rite to join a group will report valuing their participation in that group much more highly than those admitted without any such requirement—which is one reason such rituals are all but ubiquitous in human societies as a way of creating commitment. Studies suggest that people are more likely to read automobile reviews after purchasing a new car than before—suggesting that people are sometimes less concerned with spending money in the most judicious fashion than with convincing themselves, after the fact, that they have done so. More morbidly, relatives of soldiers killed in action sometimes become much more fervent supporters of the war that cost them a loved one—because the thought that such a grave loss served no good purpose is too much to stomach.
I suspect that this phenomenon may help explain the dispiriting state of affairs described by an airline industry insider in an important Wired piece on airport security. The short version: we’ve spent some $56 billion on “enhancing” airport security over the past decade, with almost no actual security enhancement to show for it. We’re spending huge amounts of money and effort on burdensome passenger screening that doesn’t seem very effective, while neglecting other, far more vulnerable attack surfaces. It is, when you think about it, a somewhat strange priority given the abundance of highly vulnerable domestic targets. Reinforced cockpit doors and changed passenger behavior pretty much made a repeat of a 9/11-style suicide hijacking of a domestic flight infeasible—at negligible economic and privacy cost—long before we started installing Total Recall style naked-scanners, which makes explosives the real remaining risk. Yet the notable bombing attempts by passengers we’ve seen since 9/11 have (a) originated outside the United States, and (b) been foiled by alert passengers after the aspiring bomber slipped through the originating country’s formal screening process.
This shouldn’t be terribly surprising: when a terror group has already managed to get an operative into the United States, a domestic flight (that can’t be turned into a missile) would be one of the stupider, riskier targets to select, given the enormous array of much softer target options that would be available at that point, even assuming pre-9/11 airport security protocols. As far as I’m aware, the last time a passenger successfully detonated a bomb on a U.S. domestic flight was in 1962. This presents something of a puzzle: Why have we focused so disproportionately on this specific attack vector, at such disproportionate cost, when the terrorists themselves have not? Why haven’t we reallocated scarce resources to security measures (such as better screening of airline employees) that would provide greater security benefit at the margins? One possibility is that, having accustomed ourselves to submitting to the hassle and indignity of ever more aggressive passenger screening, we become more disposed to believe that these measures are necessary.
It’s become commonplace to refer to many aspects of airport screening—the removal of shoes, the transparent plastic baggies for your small allotment of shampoo—as “security theater.” Security guru Bruce Schneier coined the term to refer to security measures whose ritualistic purpose is to make passengers feel safer, even though they do almost nothing to actually increase safety. But on reflection, this seems wrong. It probably holds true in the immediate aftermath of a high-profile attack or disaster. Once the initial heightened fear subsides, however, these visible and elaborate security measures probably do more to increase our perception of risk than to assuage our fears. It is, after all, something of a cliche that hyperprotective parents tend to end up raising children who see the world as a more dangerous place. Overreacting to childhood illnesses is one reliable way of producing adult hypochondriacs down the road.
Security theater, then, isn’t only—or even primarily—about making us feel safer. It’s about making us feel we wouldn’t be safe without it. The more we submit to intrusive monitoring, the more convinced we become that the intrusions are an absolute necessity. To think otherwise is to face the demeaning possibility that we have been stripped, probed, and made to jump through hoops all this time for no good reason at all. The longer we pay the costs—in time, privacy, and dignity no less than tax dollars—the more convinced we become that we must be buying something worth the price. Hence, the Security Theater Cycle: the longer the ritual persists, the more normal it comes to seem, the more it serves as psychological proof of its own necessity.

