«Hal Abelson Ken Ledeen Harry Lewis Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London ...»
What about Microsoft, whose operating system lets users of one computer copy files from other computers? What about Cisco, whose routers relay the unlicensed copyrighted material? What about the computer manufacturers, whose machines run the software? Wouldn’t a ruling against the file-sharing network software companies expose the entire industry to liability?
The Supreme Court had provided guidance for navigating these waters with the landmark 1984 case Sony v. Universal Studios. In an episode that foreshadowed the Grokster suit 17 years later, the MPAA had sued Sony Corporation, charging Sony with secondary infringement for selling a device that was threatening to ruin the motion picture industry: the video cassette
recorder. As the President of the MPAA thundered before Congress in 1982:
“I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.” In a narrow 5 to 4 decision, the Supreme Court ruled in Sony’s favor, holding that even though there was widespread infringement from people using VCRs … the sale of copying equipment, like the sale of other articles of commerce, does not constitute contributory infringement if the product is widely used for legitimate, unobjectionable purposes. Indeed, it need merely be capable of substantial noninfringing uses.
The technology industries applauded. Here was a reasonably clear criterion they could rely on in evaluating the risk in bringing new products to market.
Showing that a product was capable of substantial noninfringing uses would provide a “safe harbor” against allegations of secondary infringement.
CHAPTER BALANCE TOPPLEDThis 1984 scenario—a new technology, a threatened business model—was now being replayed in the 2001 Grokster suit. The file-sharing companies were quick to cite the Sony ruling in their defense, explaining that there were many noninfringing uses of file sharing.
In April 2003, the Central California Federal District Court agreed that this case was different from Napster, and dismissed the suit, citing the Sony decision and commenting that the RIAA was asking the court to “expand existing copyright law beyond its well-drawn boundaries.” In reaction, the RIAA immediately began its campaign of suing individual users of the file-sharing software—the campaign that would later snag Tanya Andersen and Jammie Thomas.
The District Court’s ruling was appealed, and it was upheld by the Ninth
Circuit, the same court that had ruled against Napster three years earlier:
In short, from the evidence presented, the district court quite correctly concluded that the software was capable of substantial noninfringing uses and, therefore, that the Sony-Betamax doctrine applied.
The RIAA naturally appealed, and when the Supreme Court agreed to review the decision, the entire networked world held its breath. Were content publishers to have no legal recourse against massive file-sharing? Would the
Sony safe harbor be overturned? In June 2005, the Court returned a unanimous verdict in favor of the RIAA:
We hold that one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties.
A Question of Intent The content industry had won, although it ended up with less than it had hoped for. The MPAA wanted the court to be explicit in weakening the Sony “substantial noninfringing use” standard. Instead, the court declared that the Sony case was not at issue here, and it would not revisit that standard. The file-sharing companies’ liability, the court said, stemmed not from the capabilities of the software, but from the companies’ intent in distributing it.
The technology industries (other than the three defendants, who were driven out of business) breathed an immediate sigh of relief that Sony had been left intact. But this was quickly followed by second thoughts. The 208 BLOWN TO BITS
Better to be conservative and not introduce products with features that might prompt a lawsuit, even if you are reasonably sure that your products are legal.
We can speculate about products and features that are unavailable today due to the uncertainties in Grokster’s “intent” standard, coupled with penalties for secondary infringement penalties that could lead to nightmarish fines.
Companies are naturally reluctant to give examples, but one might ask why songs shared wirelessly with Microsoft Zune players self-destruct after three plays, or why Tivo recorders don’t have automatic commercial skipping or let you move recorded movies to a PC. Non-coincidentally, in 2002, the CEO of a major cable network characterized skipping commercials while watching TV as theft, although he allowed that “I guess there could be a certain amount of tolerance for going to the bathroom.” But speculating about the consequences of liability alone is largely pointless, because these liability risks have not been increasing in a vacuum. A second front has opened up in the copyright wars. Here, the weapons are not lawsuits, but technology.
Authorized Use Only Computers process information by copying bits—between disk and memory, between memory and networks, from one part of memory to another.
Actually, most computers are able to “keep” bits in memory only by recopying them over and over, thousands of times a second. (Ordinary computers use what is called Dynamic Random Access Memory, or DRAM. The copying is what makes it “dynamic.”) The relation of all this essential copying to the kind of copying governed by copyright law has been intellectual fodder for legal scholars—and for lawyers looking for new grounds on which to sue.
Computers cannot run programs stored on disk without copying the program code to memory. The copyright law explicitly permits this copying for the purpose of running the program. But suppose someone wants simply to look at the code in memory, not to run it. Does that require explicit permission from the copyright holder? In 1993, a U.S. Federal Circuit Court ruled that it does.
Going further, computers cannot display images on the screen without copying them to a special part of memory called a display buffer. Does this mean that, even if you purchase a computer graphic image, you can’t view the image without explicit permission from the copyright holder each time?
A 1995 report from the Department of Commerce argued that it does mean exactly this, and went on to imply that almost any use of a digital work involves making a copy and therefore requires explicit permission.
210 BLOWN TO BITS Digital Rights and Trusted Systems Legal scholars can debate whether copyright law mandates a future of “authorized use only” for digital information. The answer may not matter much, because that future is coming to pass through the technologies of digital rights management and trusted systems.
The core idea is straightforward. If computers are making it easy to copy and distribute information without permission, then change computers so that copying or distributing without permission is difficult or impossible. This is not an easy change to make; perhaps it cannot be done at all without sacrificing the computer’s ability to function as a general-purpose device. But it’s a change that’s underway nonetheless.
Here is the issue: Suppose (fictitious) Fortress Publishers is in the business of selling content over the Web. They’d like the only people getting their content to be those whose pay. Fortress can start by restricting access on their web site to registered users only, by requiring passwords. Much web content is sold like this today—for instance, Wall Street Digest or Safari Books Online.
The method works well (or at least has worked well so far) for this type of material, but there’s a problem with higher-value content. How does Fortress prevent people who’ve bought its material from copying and redistributing it?
One thing Fortress can do is to distribute their material in encrypted form, in such a way that it can be decrypted and processed only by programs that obey certain rules. For instance, if Fortress distributes PDF documents created with Adobe Acrobat, it can use Adobe LiveCycle Enterprise Suite to control whether people reading the PDF file with Adobe Reader are allowed to print it, modify it, or copy portions of it. Fortress can even arrange to make a document “phone home” over the Internet—i.e., to notify Fortress whenever it is opened and report the IP address of the computer that is opening it. Similarly, if Fortress prepares music files for use with Windows Media Player, it can use Microsoft Windows Media Rights Manager to limit the number of times the music can be played, to control whether it can be copied to a portable player or a CD, force it to expire after a certain period of time, or make it phone home for permission each time it’s played so that the Fortress web server can check a license and require payment if necessary.
The general technique of distributing content together with control information that restricts its use is called digital rights management (DRM). DRM systems are widely used today, and there are industry specifications (called rights expression languages) that detail a wide range of restrictions that can be imposed.
DRM might appear to solve Fortress’s problem, but the approach is far from airtight. How can Fortress be confident that people using their material are
CHAPTER BALANCE TOPPLEDusing it with the intended programs,
ENCRYPTION AND DRMthe ones that obey the DRM restrictions? Encrypting the files helps, but Chapter 5 explains public-key as explained in Chapter 5, attackers encryption and digital signatures— break that kind of encryption all the the technologies that make public time—it happens regularly with PDF distribution of encrypted material and Windows Media. More simply, possible. The “messages” that Alice someone could modify the document and Bob are exchanging might be reader or the media player program not text messages, but rather music, to save unencrypted copies of the videos, illustrated documents, or material as they are running, and anything at all. As the first koan then distribute those copies all over says, “it’s all just bits.” Thus, the encryption technologies that Alice the Internet for anyone’s use.
To prevent this, Fortress could and Bob use for secret communicarely on the computer operating sys- tion can be used by content supplitem to require that any program ers to control the conditions under manipulating their content must be which consumers can watch movies certified. Before a program is run, or listen to songs.
the operating system checks a digital signature for the program to verify that the program is approved and has not been altered. That’s better, but a really clever attacker might alter the operating system so that it will run the modified program anyway. How could anyone prevent that? The answer is to build a chip into every computer that checks the operating system each time the machine is turned on. If the operating system has been modified, the computer will not boot. The chip should be tamper-proof so that any attempt to disable it will render the machine inoperable.
This basic technique was worked out during the 1980s and demonstrated in several research and advanced development projects, but only since 2006 has it been ready for wide deployment in consumer-grade computers. The required chip, called a Trusted Platform Module (TPM), was designed by the Trusted Computing Group, a consortium of hardware and software companies formed in 1999. More than half of the computers shipped worldwide today contain TPMs. Popular operating systems, including Microsoft Windows Vista and several versions of GNU/Linux, can use them for security applications.
One application, trusted boot, prevents the computer from booting if the operating system has been modified (for example, by a virus). Another application, called sealed storage, lets you encrypt files in such a way that they can be decrypted only on particular computers that you specify. Given today’s concerns over viruses and Internet security, it’s a safe bet that TPMs will become pervasive. One industry estimate shows that more than 80% of laptop PCs will include TPMs by 2009.