«Hal Abelson Ken Ledeen Harry Lewis Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London ...»
NET Act Makes Sharing a Crime Copyright infringement was not even a criminal matter in the U.S. until the turn of the twentieth century, although an infringer could be sued for civil damages. Infringement with a profit motive first became a crime in 1897. The maximum punishment was then a year in prison and a $1,000 fine. Things stayed that way until 1976, when Congress started enacting a series of laws that repeatedly increased the penalties, motivated largely by prompting from the RIAA and the MPAA (Motion Picture Association of America). By 1992, an infringement conviction could result in a ten-year prison sentence and stiff fines, but only if the infringement was done “for the purpose of commercial advantage or private financial gain.” Without a commercial motive, there was no crime.
That changed in 1994.
During the 1980s, MIT became one of the first universities to deploy large numbers of computer workstations connected to the Internet and open to anyone on campus. Even several years later, public clusters of networked powerful computers were not very common. In December 1993, some students in one of the clusters noticed a machine that was strangely unresponsive and was strenuously exercising its disk drive. When the computer staff examined this “bug,” they discovered that the machine was acting as a fileserver bulletin board—a relay point where people around the Internet were 200 BLOWN TO BITS uploading and downloading files. Most of the files were computer games, and there was also some word-processing software.
MIT, like most universities, prefers to handle matters like this internally, but in this case there was a complication: The FBI had asked about this very same machine only a few days earlier. Federal agents had been investigating some crackers in Denmark who were trying to use MIT machines to break into National Weather Service computers. While measuring network traffic into and out of MIT, the Bureau had noticed a lot of activity coming from this particular machine. The bulletin board had nothing to do with the Denmark operation, but MIT felt that it had to tell the FBI what was happening. An agent staked out the machine and identified an MIT undergraduate, accusing him of operating the bulletin board.
The Justice Department seized on the case. The software industry was growing rapidly in 1994, and the Internet was just starting to enter the public eye—and here was the power of the Internet being turned to “piracy.” The Boston U.S. Attorney issued a statement claiming that the MIT bulletin board was responsible for more than a million dollars in monetary losses, adding “We need to respond to the culture that no one is hurt by these thefts and that there is nothing wrong with pirating software.” What had occurred at MIT involved copyright infringement to be sure, but there was no commercial motive and hence no crime—no basis on which the Justice Department could act. There might have been grounds for a civil suit, but the companies whose software was involved were not interested in suing.
Instead, the Boston U.S. Attorney’s office, after checking with their superiors in Washington, brought a charge of wire fraud against the student, on the grounds that his acts constituted interstate transmission of stolen property.
At the trial, Federal District Judge Stearns dismissed the case, citing a Supreme Court ruling that bootleg copies do not qualify as stolen property.
Stearns chastised the student, describing his behavior as “heedlessly irresponsible.” The judge suggested that Congress could modify the copyright law to permit criminal prosecutions in cases like this if it so wished. But he emphasized that changing the rules should be up to Congress, not the courts. To accept the prosecution’s claim, he warned, would “serve to criminalize the conduct … of the myriad of home computer users who succumb to the temptation to copy even a single software program for private use.” He cited Congressional testimony from the software industry that even the industry would not consider such an outcome desirable.
Two years later, Congress responded by passing the 1997 No Electronic Theft (NET) Act. Described by its supporters as “closing the loophole” demonstrated by the MIT bulletin board, NET criminalized any unauthorized copying with retail value over $1000, commercially motivated or not. This
CHAPTER BALANCE TOPPLEDaddressed Judge Stearns’s suggestion, but it did not heed his caution: From now on, anyone making unauthorized copies at home, even a single copy of an expensive computer program, was risking a year in prison. After only two more years, Congress was back with the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999. Its supporters argued that NET had been ineffective in stopping “piracy,” and that penalties needed to be increased. The copyright arms race was in full swing.
The Peer-to-Peer Upheaval The NET Act marked the first time that the Internet had triggered a significant expansion of liability for copyright infringement. It would hardly be the last.
In the summer of 1999, Sean Fanning, a student at Northeastern University, began distributing a new file-sharing program and joined his uncle in forming a company around it: Napster. Napster made it easy to share files, especially music tracks, over the Internet, and to share them on a scale never before seen.
Here is how the system worked: Suppose Napster user Mary wants to share her computer file copy of Sarah McLachlan’s 1999 hit Angel. She tells the Napster service, which adds “Angel; Sarah McLachlan” to its directory, together with an ID for Mary’s computer. Any other Napster user who would like to get a copy of Angel, say Beth, can query the Napster directory to learn that Mary has a copy. Beth’s computer then connects directly to Mary’s computer and downloads the song without any further involvement from the Napster service. The connecting and downloading are done transparently by Napster-supplied software running on Mary’s and Beth’s computers.
The key point is that previous file-sharing set-ups like the MIT bulletin board were so-called centralized systems. They collected files at a central computer for people to download. Napster, in contrast, maintained only a central directory showing where files on other computers could be found. The individual computers passed the files among themselves directly. This kind of system organization is called a peer-to-peer architecture.
Peer-to-peer architectures make vastly more efficient use of the network than centralized systems, as Figure 6.1 indicates. In a centralized system, if many users want to download files, they must all get the files from the central server, whose connection to the Internet would consequently become a bottleneck as the number of users grows. In a peer-to-peer system, the central server itself need communicate only a tiny amount of directory information, while the large network load for transmitting the files is distributed over 202 BLOWN TO BITS
FIGURE 6.1 Underlying organization of traditional and peer-to-peer client-server network architectures.
On the top, a traditional centralized file distribution architecture, in which files are downloaded to clients from a central server. On the bottom, a Napster-style peer-to-peer architecture in which the central server holds only directory information and the actual files are transmitted directly between clients without passing through the server.
CHAPTER BALANCE TOPPLEDthe Internet connections of all the users. Even the slow connections common with personal computers in 1999 were enough for Napster’s peer-to-peer system to let millions of users share music files … which they did. By early 2001, two years after Napster appeared, there were more than 26 million registered Napster users. At some colleges, more than 80% of the on-campus network traffic could be traced to Napster. Students held Napster parties. You hooked up a computer to some speakers and to the Internet, invited your friends over—and for any song title requested, there it was. Someone among those millions of Napster users had the song available for downloading. This was the endless cornucopia of music; the universal jukebox.
Internet’s fundamental architecture. No central machine controls the network;
every machine in the network has equal rights to send any other machine a message. Machines connected to the Internet are, as the lingo has it, peers. The notion of the Internet as a network of peer machines communicating with each other directly—as opposed to a network of client machines mediated by central servers—was hardly new. Even the very first Internet technical specification, published in 1969, described the network architecture in terms of machines interacting as a network of peers. Systems incorporating peer-to-peer communication between larger computers had been in wide use since the early 1980s.
Napster showed that the same principle remained valid when the peers were millions of personal computers controlled by ordinary people. Napster’s use of peer-to-peer was illegal, but it demonstrated the potential of the idea.
Research and development in distributed computing took off. In 2000 and 2001, more than $500 million was invested in companies building peer-topeer applications. And transcending its roots as a technical network architecture, “P2P” became enshrined in techno-pop-culture-speak as a catchword for organizations of all types—including social, corporate, and political—that harness the power of myriad cooperating individuals without reliance on central authorities. As one 2001 review gushed, “P2P is a mindset, not a particular technology or industry.” Napster had also given an entire generation a taste of the Internet as universal jukebox for which people would clamor. Yet the recording companies, who worked together to combat illegal downloading, failed to collaborate to create a legal and profitable Internet music service to fill the vacuum left by Napster. Instead of capitalizing on file-sharing technology, they demonized it as a threat to their business. That technological rejectionism ratcheted up the rancor in the arms race, but it also did something even more short-sighted. The music companies surrendered a vast business opportunity to the profit of more imaginative entrepreneurs. Two years later, Apple would launch its iTunes music store, the first commercially successful music downloading service.
Sharing Goes Decentralized In the meantime, new file-sharing schemes sprouted up that explored new technical architectures in attempts to tiptoe around liability for secondary infringement. Napster’s legal Achilles’s heel had been its central directory. As the court had ruled, control of the directory amounted to control of the filesharing activity, and Napster was consequently liable for that activity. The new architectures got rid of central directories entirely. One of the simplest methods, called flooding, works like this: Each computer in the file-sharing network maintains a list of other computers in the network. When file-sharer
CHAPTER BALANCE TOPPLED
FIGURE 6.2 In contrast to Napster-style peer-to-peer systems illustrated earlier, decentralized file-sharing systems such as Grokster have no central directories.
206 BLOWN TO BITS No Safe Harbors The companies building the new generation of file-sharing systems hoped these distributed architectures would also immunize them against liability for secondary copyright infringement. After all, once users had the software, what they did with it was beyond the companies’ knowledge or control. So, how could the companies be held liable for what users did? To the recording industry, however, this was just Napster all over again: exploiting the Internet to promote copyright infringement on a massive scale. In October 2001, the RIAA sued the makers of three of the most popular systems—Grokster, Morpheus, and Kazaa—for damages of $150,000 per infringement.
The three companies responded that they had no control over the users’ actions. Moreover, their software was only one piece of the infrastructure that enabled file-sharing, and there were many other pieces. If the three software companies were liable, wouldn’t makers of the other pieces be liable as well?