Trouble with Facebook

I'm still not sure about the whole Facebook thing, but this is a video that makes me think twice about the whole endeavour.

One of the interesting legal issues raised is indeed correct (read the terms of use). By posting on Facebook you are granting the company:

"By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content."

The "get out clause" is of course to close the account, but they will retain copies of the content nonetheless. I must not be the only person who finds this troubling.

Furthermore, here is a funny legal conundrum for you. According to the above, I'm granting Facebook a licence to use the work because all of my posts from my blog are sent to Facebook, but my blog is published under a Creative Commons licence. Which prevails?

Fairytale use

Absolutely brilliant video. Watch some unexpected characters explaining the basics of copyright law. In a faraway land...

Travel

I will be travelling to Sri Lanka, Spain and Croatia over the next few weeks, but I will try to update the blog whenever possible, wireless weather permitting.

Forever Copyright

(via David Berry) The New York Times has published the most misinformed article on the copyfight that I have ever read, and believe me, I have read some humdingers! The premise is simple. Great ideas last forever, right? So, why should not copyright last forever as well? Property rights do not expire when you die, so why should copyright?

I wish I had the time, the talent, and the inclination to give this article its well-deserved thrashing. Perhaps a few ideas will do. To show my contempt, I will even enumerate my criticism in the lowliest format known to man, the bullet point!

• For the thousandth time, intellectual property does not equate real property. Ideas are intangible, non-rivalrous goods. With ideas, you can have your pie, and eat it too!
  
• Repeat after me, copyright was not designed by the framers of the American Constitution. Google "Statute of Anne".
  
• When a work goes into the public domain, it is not "expropriated" by the State, it simply is not awarded protection any more.
  
• So, your poor starving grandchildren may not be able to profit from your work 70 years after death. They may have to *gasp* find jobs! Or here's a novel idea, they could find lost notes from granddad's works and release a new book under his name!

I better stop before my pancreas goes into over-drive.

Update: Check out Lessig's wiki against Helprin's article.

Fraud law used to fight P2P

(via Suw Charman) A man in London has been arrested for being the UK's representative of AllofMP3, the Russian infamous for selling subscription services at a fraction of "legal" downloads sites, but that does not pay royalties to artists.

According to the IFPI, the arrest is part of a growing set of actions against the site, which include IP blocking, and denial of credit card transactions for purchases on the site. While I have no sympathy whatsoever with AllofMP3, I find the legislation used to arrest this man quite an interesting change in strategy for the copyright industry. The man was not arrested under copyright enforcement legislation, he was arrested under fraud prevention, namely section 2 of the Fraud Act 2006. This section reads:

"Fraud by false representation
(1) A person is in breach of this section if he-
(a) dishonestly makes a false representation, and
(b) intends, by making the representation-
(i) to make a gain for himself or another, or
(ii) to cause loss to another or to expose another to a risk of loss.
(2) A representation is false if-
(a) it is untrue or misleading, and
(b) the person making it knows that it is, or might be, untrue or misleading.
(3) "Representation" means any representation as to fact or law, including a representation as to the state of mind of-
(a) the person making the representation, or
(b) any other person.
(4) A representation may be express or implied.
(5) For the purposes of this section a representation may be regarded as made if it (or anything implying it) is submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention)."

The original press story is wrong, the arrest is not about licensing music, it's about fraudulent misrepresentation. The above criminal offence also applies for online communications, and it seems a fair enough fraud-prevention type, if you misrepresent for your own commercial gain or to cause loss to another, you will be commiting a crime. This particular case applies to Allofmp3.com because the Russian site states that it gives money to artists, which does not seem to be the case. This is false representation in accordance to the above, and therefore the site's London representative can be held criminally liable.

As a wider implication, it seems like people should be careful about what they post online.

City of Merchants

(An auction house in City of Heroes)

(via Ashley Theunissen) The UK's Fraud Advisory Panel has issued a recommendation asking for regulation of the fledgling economies in virtual worlds. According to this group, virtual costumers are increasingly involved in commercial transactions in virtual environments. These virtual online communities "... are a combination of internet chat room, 3D games and next generation internet environment in which residents can choose what they look like and what they do, with goods and services traded using virtual money." According to the recommendations, the risks to users are:

• Credit card fraud against genuine customers and suppliers
• Hacking into databases and identity theft
• New opportunities for money laundering via false online identities
• Tax evasion and unregulated cross-border money movements
• Sales of age-restricted goods and services to minors.

Being my cynical self, I just cannot see why more regulation is needed for these activities. We already have regulation for credit card fraud, regardless of the object being purchased. Similarly, hacking and illegal database entry are already covered in the UK's Computer Misuse Act. Is online money laundering a problem? And if so, how is it any different from offline money laundering? I'm similarly sceptical about calls to treat online currencies as real money. The report's author stated that virtual money issuers should report to financial regulators, just as other money issuers do.

Perhaps I'm just suffering from the cyber-libertarian bug, but I'm increasingly sceptical of calls to regulate online environments when there is already perfectly serviceable legislation that does the job quite well. Similarly, why should you regulate currency that only operates in a limited private virtual environment? It's like trying to regulate Monopoly money! Just because some people may ascribe value to the online currency, it does not mean that it should be immediately subject to regulation.

I have been experiencing the intricacies of a nascent virtual economy in City of Heroes. The game was famous amongst other MMOs by its lack of crafting and economic structure. However, the latest update to the game has introduced an invention system that has added an economic value to in-game goods. Players will now receive recipes and salvage that can be used to craft enhancements to their powers and rare costume parts (such as the tech wings pictured above). Not only that, there are now auction houses in which players can blind-bid on items, which has meant that the game has found an economy overnight.

This has been quite an interesting phenomenon to witness. How does an economy assert itself from the start? The markets were crazy early-on, and some people made quite a lot of cyber-cash, but the market has been settling after the initial blip, with truly rare items acquiring disproportionate value, while common items have dropped even below NPC rates. This is community and market regulation at its best, and I cannot see how any governmental regulation would serve to do anything but get in the way of normal enjoyment.

What do you know? I'm turning into John Perry Barlow!

Web site? What's a web site?

(via Rebecca Henderson) A cloud of shame has now descended upon the UK's legal community. The Honourable Mr Justice Openshaw, a High Court judge hearing the Internet terrorism trial in London, has admitted that he did not understand what a web site was. According to Yahoo News, he told the court that "The trouble is I don't understand the language. I don't really understand what a Web site is". How depressing.

Nevertheless, I am an optimist and I prefer to look on the bright side of life. At least the judge was honest and did not pretend to know all about the Internet while producing a dreadful judgement.

Data Protection film-making

Faceless is an unusual film for many reasons. The plot, apparently, talks of a world where everybody's faceless due to calendar reform (huh?), but one day a woman wakes up and finds she has a face (Terry Gilliam meets Kafka).

What makes the film truly unique is that it is the world's first CCTV feature thanks to the magic of the Data Protection Act 1998 and of London's unequalled surveillance network. The film-maker, Manu Luksch, has created a story by simply walking in front of CCTV cameras, and then making a data subject request to obtain the data held about her. She then edited out the faces in the crowd (save her own) and edited the footage with a voice over. According to the director/script-writer/actress:

"For FACELESS, the filmmaker swaps data controllers for a film team, already installed surveillance devices for cameras and cranes, and a lawyer for a script writer. The process of accessing these images activates multiple legal layers of regulations concerning these recordings: Data Protection Act 1998, Article 8 Human Rights Act 1998, Freedom of Information Act 2000, as well as aspects of copyright and image rights. It is this information that mirrors the way society relates to its techno/mediated environment and tries to arrange and control itself. The arrangements expressed in these legal codes is used to craft a story."

I think the Data Protection aspect is pretty straightforward. Data subjects have the right to access data held on them, and this includes CCTV footage. However, I find the copyright aspects intriguing. Who owns CCTV footage? I'm guessing that the owner is the institution making the recording, and I am guessing that the editing together of all the images is enough to warrant originality. What about image and personality rights?

(Via BBC's Digital Planet podcast)

Perfect 10 v Google

The U.S. Ninth Circuit has decided an appeal on the Perfect 10 v Google case, and has sent it back to the district court. For those unfamiliar with the case, Perfect 10 is an adult content provider who sued Google over Google Image thumbnails, claiming that the tiny images displayed after a search constitute direct and secondary infringement.

(Pictured, a gratuitous llama inline image to illustrate the point)

At the heart of the direct infringement case is Google's practice of displaying reduced-sized inline picture. An inline is an HTML element that displays content hosted elsewhere. Perfect 10's argument was that such depictions are directly infringing copyright, and the district court agreed in first instance. Now the Ninth Circuit has found that these images were not direct infringement, because they were not "copied" in the important sense, a decision that will be welcome by bloggers and website designers everywhere. The relevant part of the decision says:

"Instead of communicating a copy of the image, Google provides HTML instructions that direct a user’s browser to a website publisher’s computer that stores the full-size photographic image. Providing these HTML instructions is not equivalent to showing a copy. First, the HTML instructions are lines of text, not a photographic image. Second, HTML instructions do not themselves cause infringing images to appear on the user’s computer screen. The HTML merely gives the address of the image to the user’s browser. The browser then interacts with the computer that stores the infringing image. It is this interaction that causes an infringing image to appear on the user’s computer screen. Google may facilitate the user’s access to infringing images. However, such assistance raises only contributory liability issues, see Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 929-30 (2005), Napster, 239 F.3d at 1019, and does not constitute direct infringement of the copyright owner’s display rights."

This is an extremely interesting decision for many reasons. Firstly, it brings back a bit of common sense to copyright litigation. It still leaves open the issue of secondary or contributory liability, but it legitimises the common practice undertaken everywhere on the Internet of making images available through inline tags.

Now we need a case in the UK on this, and also a sensible decision on linking.

Cyberwar 1.0

The mainstream press has been reporting on what could very well be the world's first cyberwar. A diplomatic conflict between Estonia and Russia over a bronze statute has resulted in what seems to be a series of coordinated attacks against Estonian institutions. Denial-of-service attacks have brought down websites belonging to news sources, the parliament and presidency, political parties, banks and telecomms firms. The sites were overwhelmed by requests from Russia, which prompted the blocking of foreign IP addresses to the affected sites. There has not been any indication that the attacks come from the Russian government, after all, Russia has a long-standing hacker tradition, but it is interesting to witness the disruptive power of concerted attacks against a national target.

No word as to how many bits have lost their lives in the conflict.

AACS to sue the MPAA?

(via Machine-Envy and PanGloss) It's amazing what a little hacktivism and playing around with search engines can do. If AACS starts issuing more cease-and-desist letter to take down the much-commented HD-DVD key from websites, they may have to remove this one.

And then Think Geek has a set of notes from a secret meeting at the AACS, which we reproduce:

Lessons Learned:
1) When trying to keep a secret, serving people legal notice re: its existence slightly less than effective. Possibly deploy ninjas next time?
2) Members of online communities object to posts being removed. Ask owners of affected sites to replace posts with smiley face emoticons.
3) Allowing lawyers to create public relations policy = bad idea.
4) "Cease and Desist" kinda does the opposite.

Action items:
1) See what other numbers we can get. Check on availability of 0 and 1 as vital part of circumvention technology.
2) DMCA not working: investigate banning computers?
3) Appeal to the kids. Introduce "Ernie the Encryption Key!"
4) Expire the key. They can't possibly crack it again, can they?

I like the ninja idea. Killer DRM Ninja Strikeforce vs The Pirates of Cyberspace. Now, that's a film I would pay to see.

PayPal now a bank

PayPal has sent an email to all its UK subscribers announcing that it will now be considered a bank. The message reads:

"Currently, PayPal (Europe) Ltd. is the service provider for PayPal in the EU. PayPal (Europe) Ltd. is a UK company regulated and authorised by the Financial Services Authority (FSA) in the UK as an electronic money institution. This authorisation enables PayPal to provide its service throughout the EU. From 2 July 2007, a new PayPal company, PayPal (Europe) S.à r.l. & Cie, S.C.A. (PayPal Luxembourg), will become the service provider for PayPal in the EU. This is a Luxembourg entity regulated as a bank by the Commission de Surveillance du Secteur Financier (CSSF), the Luxembourg equivalent of the FSA. PayPal Luxembourg will provide the PayPal service throughout the EU."

As it says, PayPal used to be an Electronic Money Institution regulated in the UK, but it will now be a full financial institution in Luxembourg (i.e a bank). This piece of news was particularly welcomed by Lilian Edwards and yours truly. Former students and the few people who have read our musings on the subject may recall that I have always claimed that PayPal behaved like a bank, and that it should be regulated as one. One of the small perks of academic life is being able to say "I was right all along!" (followed by the small voice inside of you saying "who cares?", but I digress).

For those who wonder about the causes for this move, according to the Telegraph it has been prompted by fears of competition from Google Checkout, the new payment systems from, guess who? Google. It is an interesting move. PayPal will have to comply with more stringent regulation, as financial institutions are scrutinised more closely. It seems clear to me that whatever commercial reasons, the user is the winner, as there is now more certainty about PayPal's European operations.

(via Lilian Edwards)

Spanish jazz club wins case on copyleft claims

Last week we reported on the case brought by Spain's collecting agency SGAE against a bowling bar in Alicante, which lost on its claim that it only played "copyleft" music.

Almost immediately, another case has come out, this one in favour of the claimant bar. As I reported last week, the reason for all of these cases in Spain is that Article 150 of the Spanish Copyright Law provides a defence against legal action from collecting societies if the defendant can prove that he/she does not play music of artists represented by SGAE. The new case has been won by the defendant in a sentence in Salamanca, and in a very interesting ruling that provides a detailed description of copyleft and Creative Commons.

The case deals with jazz club Birdland, which was sued by SGAE claiming payment for failing to pay royalties for making music available to the public in the locale. As with other cases, the club owner claimed as his defence that they played only alternative and free music. It came down then to the element of proof, but before that, the judge-magistrate Luis Sanz Acosta, delivered a rather accurate description of copyleft and Creative Commons:

"...in recent years we have seen the rise of so-called "música libre" in our country, very much an Internet phenomenon as a medium for music distribution. From a distribution model very much circumscribed to the sale and rent of works, controlled by content industry, there is now an almost unlimited model, thanks to the global diffusion provided by the Internet, in which creators themselves, without industry intermediaries, can make digital copies of their work available to the public. This phenomenon has originated the coexistence of different content distribution models with regards to the new possibilities offered by the Internet:

a) The traditional model, based on copyright protection, which seeks to restrict access and use of online content, by using negotiating formulae of restrictive nature and technological control measures, expressed in the so-called "Digital Rights Management".

b) A model that provides free online access to content, on occasions allowing personal use (implicit licensing models), and in other situations, the free redistribution of the work, its transformation and even its public economic exploitation, with the only proviso of citing the source. These are models of public domain and general licences (General Public License), such as, for example, the Creative Commons licences, which include a copyleft clause.

With this copyleft clause, the owner allows, by means of a general public licence, the transformation or modification of his work, compelling the author of the modified work to make it available to the public with the same conditions, that is, allowing free access and further transformation. With the Creative Commons licences, the rights-holder reserves the right of economic exploitation and can forbid modifications. It is vital then to distinguish Creative Commons licences that have, and have not, the copyleft clause. In some instances there will be Creative Commons licences that include the copyleft clause (translation mine, traduttore = traditore)."

This is close enough to what the movement is all about, although it still confuses some of the terminology, but it is clear that the judge understood the concepts involved, and that he was willing to look at the evidence in a fair manner. When it came to that, SGAE presented a detective and one of their local representatives. They produced a recording that was found to have been made in another establishment altogether, a fact that did not go down well with the judge. On the other hand, Birdland's owners were able to produce several witnesses that attested to the fact that the jazz club played alternative and unusual "música libre", which was available from download from two computers installed in the bar. Similarly, the judge heard from the technicians who installed the computer equipment. It was clear that SGAE produced poor evidence, while Birdland substantiated their case quite well. The relevant part of the ruling reads:

"Certainly, from the presented evidence it is not possible to claim that each and every one of the musical works communicated to the public in the demanded establishment have been granted freely by their authors through a Creative Commons licence, but to demand such proof, in those exhaustive terms, would be to demand evidence as diabolical as to ask SGAE to prove that each and every one of the songs communicated in the locale belongs to their represented artists. [...] Hence, the evidence has the consequence that it breaks the presumption that the music communicated to the public in the establishment had to be, at least partially, musical works managed by SGAE. With that presumption in tatters, it is the plaintiff who has the burden to prove that the music played in the locale is managed by them. Well, as things stand, it is evident that SGAE's evidence has been lacking and irrelevant."

A pretty impressive result for copyleft-playing locales in Spain. Besides, any sentence that uses the word 'diabolical' deserves my unashamed and utter respect.

(Thanks to all who emailed about this, including Erick Iriarte, Ignasi Labastida and Miguel Peguera. Also thanks to Javier de la Cueva for his excellent report)

Linux infringes Microsoft's patents

Fortune Magazine has published an interview with Microsoft's Steve Ballmer, where he has made the comment that Linux infringes 235 of its software patents, and it will be looking for licences from developers and corporate users. As your friendly neighbourhood Prophet of Doom, I have been announcing the advent of the Great Software Patent War for some time now. Yes, I know, being right all the time is tiring and risky business, Cassandra had a cruel fate after all.

The argument put forward by Microsoft seems straightforward. "We own some patents, Linux implements some of those inventions in their code, if you want to use Linux, then you must pay us". Nobody has been sued yet, but it is obvious that the interview has been designed in order to issue a blunt threat against Linux users and developers to enter into negotiations with Microsoft.

This threat is unlike the much debated and scorned SCO v IBM case, where SCO has been conducting a lengthy (and ultimately futile) suit arguing copyright infringement by IBM and Red Hat. Unfortunately for Free and Open Source developers and users, Microsoft's claims have more weight given the strength of software patent claims in the United States. 235 patents are not something to be shrugged-off, this could truly spell the demise of many small-scale FOSS projects.

I've been trying to figure out the strategy behind this, after all, there was a feeling in some sectors that Microsoft had been warming towards FOSS. There was the adoption of an open source strategy, and the heavily talked-about deal between Novell and Microsoft. Under that deal, Microsoft and Novell promised not to enforce each other's patents, while Novell promised to pay Microsoft a percentage of its revenue. This deal, of course, is not kosher in Free Software circles. Moglen made it clear that the GPL v3 would be re-drafted in order to make such a deal a breach of the GPL, which was eventually done with the latest draft. According to the new version:

"You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a patent license (a) in connection with copies of the covered work conveyed by you, and/or copies made from those, or (b) primarily for and in connection with specific products or compilations that contain the covered work, which license does not cover, prohibits the exercise of, or is conditioned on the non-exercise of any of the rights that are specifically granted to recipients of the covered work under this License [...]"

This convoluted clause is designed specifically to attack the Novell and Microsoft deal, hence its nightmarish wording. Similarly, the new GPL contained a clause that could eventually be used to make the patent licence contained in the new GPL into a viral clause similar to existing copyleft clause in GPL v2. Obviously, these developments seemed to prompt action from Redmond, and today's announcement seems precisely to do that.

But why now? It seems obvious that the threat is designed to issue a clear threat against the GPL v3, and perhaps it attempts to influence the draft's discussion. This may be the reason why the FSS, Stallman and Moglen have answered forcefully, almost with a "bring it on" attitude. They know that the pendulum is swinging against unfettered software patents, and that this case could very well prove to be the silver bullet that fatally wounds the current system. Imagine a situation where large numbers of corporate Linux users are sued by Microsoft. The result could very well be a legislative push against broad patentability. Microsoft is also playing with fire by entering into IBM's turf. As one of open source's corporate patrons, IBM has an impressive software patent arsenal that it could deploy if things get to an all out litigation battle. It is an open secret in the industry that as things stand, everyone is infringing someone else's patents, and what sustains the balance at the moment is a complex network of cross-licensing between industry giants. I have always believed this is one of the reasons why FOSS projects have managed to remain litigation-free so far. If Microsoft sues, will IBM retaliate? What would such a case look like?

Expect geekdom and the blogosphere to go nuclear over this one.

Sued for NOT using DRM?

This is a bizarre take on copyright law. DRM manufacturers Media Rights Technologies (MRT) and BlueBeat.com have issued cease and desist letters against Apple, Microsoft, Real and Adobe for not including their technological protection measures in products like Windows, iPod and Flash Player. I could try to explain the convoluted reasoning behind this, but I will let MRT's press release do it for me:

"The Digital Millennium Copyright Act (DMCA) was signed into law by President Clinton in 1998 to disseminate and protect the arts in the digital age. It makes illegal and prohibits the manufacture of any product or technology that is designed for the purpose of circumventing a technological measure which effectively controls access to a copyrighted work or which protects the rights of copyright owners. Under the DMCA, mere avoidance of an effective copyright protection solution is a violation of the act.
MRT and BlueBeat have developed a technological measure which effectively controls access to copyrighted material. [...] Therefore, Media Rights Technologies (MRT) and BlueBeat.com have issued cease and desist letters to Microsoft, Adobe, Real Networks and Apple with respect to the production or sale of such products as the Vista OS, Adobe Flash Player, Real Player, Apple iTunes and iPod."

This is probably nothing more than a publicity stunt, and should not be taken seriously, but imagine the implications of a world that operated in this twisted reading of the law. You could be sued for all sorts of passive behaviours and inaction!

(via Ronald Chichester).

WOW Visa

Because nothing says "I'm a geek" like a piece of plastic with the picture of an elf on it.



So many jokes, so little time...

(via Colin Miller)

M@rking...

It's that time of year again.



Following this method could help alleviate the pain.

Top 10 passwords

Everyone is going to be blogging this in the next few days, so I might as well share it.

This is the list of Top 10 passwords according to PC Magazine:

1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. link182
10. (your first name)

password? myspace1? link182? Some people do deserve to have their data stolen.

Electronic Money Strikes Back

I have been a long-time critic of electronic money. We've been hearing about how we'll all be ditching our banknotes and coins within "the next two years" since 1998. Similarly, we've had a regulatory response to the subject which has been particularly inadequate, as it was drafted with specific technologies in mind, while the market has moved towards account-based systems such as PayPal.

Now UK banks have charted the roll-out of a payment system to be included in new debit and credit cards that will allow electronic payment for amounts under ten pounds. The new system is a "contact-less" or swipe-through system similar to that used by London Transport in their Oyster Card scheme. An RFID system will be placed in the cards, which can make payment as easy as flashing out your card. The scheme has been piloted here in Edinburgh, in 11 shops surrounding the Royal Bank of Scotland. The scheme will then be tested in London, and then, as film villains like to say, the world (cue maniacal laughter).

I must admit that this seems like the real deal. It will be convenient, and it is set to reduce the cost of handling cash for businesses, so there is a strong incentive for adoption by intermediaries. It's also added to existing payment systems, so there will be no need to get extra cards to our already bulging wallets.

This feels strangely un-climactic. I cannot be curmudgeonly about new technologies! I must be losing my edge.

Update: The system is called payWave for Visa and PayPass for Mastercard (insert snarky comment about names here).

Another Spanish bar loses on copyleft licences

(via Erick Iriarte) Javier de la Cueva has posted a report on yet another defeat for copyleft against the Sociedad General de Autores y Editores (SGAE) in Spain, this time in Alicante.

The ruling from 21 March 2007 decides on an appeal to a previous decision with regards to a bowling bar called Bowling Vistahermosa in Alicante. The reason why we have been witnessing so many cases with regards to copyleft music in Spain is because Article 150 of the Spanish Copyright Law provides a defence against legal action from collecting societies (namely SGAE). If a collecting agency requests payment for licensing of music in a bar, it is a legitimate defence to "allege, subject to due substantiation, the lack of representative qualification of the plaintiff or of authorization by the owner of the exclusive rights, or failure to pay the corresponding remuneration." In other words, defendants may claim that they do not play music of artists represented by SGAE.

In this case, as in previous ones, the bar argued that they did not play SGAE-managed music, but that they played copyleft music. The case dates from 2002-2004, so it's important to note that this is not a Creative Commons case. The problem was one of evidence, as the court found that there was not enough evidence that locale did play only copyleft music. SGAE presented only two witnesses, one a local representative, and one a detective, and both argued that they had attended the bowling bar, and that id played regular commercial music, including "dance music and reggaeton". The defence, on the other hand, did not present any admissible evidence as to the fact that it played copyleft music, therefore the defeat.

These cases should not be seen as a defeat to copyleft licences, they respond to a very idiosyncratic twist of copyright procedural rules in Spain. The lesson to be learnt, if any, is that pursuing these type of actions against the SGAE seems counter-productive.

However, I believe that Bowling Vistahermosa deserved to lose from the fact that it plays reggaeton. Ugh.

AACS vows to fight bloggers over number

(via David Berry) The BBC reports that AACS has vowed to fight against bloggers, aggregators, and all sort of users who have posted the now infamous key online. I must admit that my original scepticism has dissipated, and I cannot possibly believe that AACS would ever dream to take on the Web 2.0 posse.

Assuming that the master key posted all over the Internet actually works (and there is now little doubt that it does), its posting indeed is a very important element of a circumvention device for an effective technological protection measure as defined by legislation all over the world. In the U.S., posters of the key could be in breach of anti-circumvention measures enacted by the DMCA ( s 1201 17 U.S. Code, see Fred Von Lohmann's analysis).

In Europe, anti-circumvention measures are protected by the EU Copyright Directive, which states that:

"Art. 6: 1. Member States shall provide adequate legal protection against the circumvention of any effective technological measures, which the person concerned carries out in the knowledge, or with reasonable grounds to know, that he or she is pursuing that objective.
2. Member States shall provide adequate legal protection against the manufacture, import, distribution, sale, rental, advertisement for sale or rental, or possession for commercial purposes of devices, products or components or the provision of services which:
(a) are promoted, advertised or marketed for the purpose of circumvention of, or
(b) have only a limited commercially significant purpose or use other than to circumvent, or
(c) are primarily designed, produced, adapted or performed for the purpose of enabling or facilitating the circumvention of, any effective technological measures."

And in the UK, s296ZB of the CDPA applies, as it establishes an offence for knowingly making available to the public a circumvention device.

So, to put it in vulgar parlance, we're screwed, right?

Not necessarily. Firstly, there may be a case to be made that the actual key, in and by itself, is not a circumvention device in the sense of the law. You cannot break protection with just the key, and I'm pretty sure that not a lot of people would know how to do it right away, as the decoding software is still needed. Secondly, I would argue that many people simply replicated the number not knowing what it did, they simply got caught in the hype sweeping the Net. A lot of the legislation places a requirement of knowledge, there is mens rea required as posting of the circumvention device must be done knowing that it is, indeed, a circumvention device. Thirdly, there is a matter of safety in numbers. Googling the number, there are 1,010,000 hits without hyphens, 908,000 results with hyphens, and even 482 results with underlines. And these are only searchable items. There are hundreds of non-searchable examples!

I guess the more popular your blog, the more likely you're to be prosecuted. Thankfully, that rules me out (famous last words).

University students' identities revealed to RIAA

(via George Sakellariadis) The University of Wisconsin-Madison will be revealing the identity of 53 of its students to the RIAA after the educational institution lost a case against the music industry. The students are file-sharers, and it means that they will almost certainly be receiving some of the infamous "settlement letters", and could even be slapped with lawsuits for infringement.

Remember kids, don't download on campus. And if you do, use a secure system.

A digital bully den?

I've read an interesting article in The Independent by Yasmin Alibhai-Brown, and while I don't agree with it, I've been noticing an increase in cyber-scepticism and technophobic criticism against all things online. While some of the protestations can be classed as the typical grumbling against change from the Luddites, some of the criticism may be justified.

The Alibhai-Brown piece is a good example of this. Why should she complain about a friend who's late for a dinner party because he was playing around in Second Life? Would she publish the same criticism if he was late because of reading the newspaper, or watching the news? Being late for an appointment is irrelevant to the technological cause, it's bad manners. Similarly, complaining about people married to their Blackberries fails to realise that those people are simply rude, and if they did not have their devices, they would ignore you anyway.

However, the article may have a point about the growing virulence of expression online. The Kathy Sierra affair has helped to uncover the ugly side of sexist targeting of online personae. Similarly, anyone who has spent any time in an online community will be familiar with the disruptive change that happens to some people as soon as they're behind a keyboard. After all, anonymity + keyboard + audience = frakwad. There seems to be a growing fear that the Internet brings out the worst in some people. Closet racists, misogynists and homophobes can find communities of similarly-minded people where they will reinforce their own prejudices by producing feedback and looking at the world from their own perspective, and filtering out any dissenting opinion. This has been expressed in Cass Sunstein's excellent Republic.com, and I think that is indeed cause for concern.

The Internet can offer the world at our fingertips, yet increasingly many choose it to connect to the cyber-sewer of the mind.

On a lighter note, Lilian Edwards has sent me this wonderful picture (click to enlarge):

HD-DVD brought down by Web 2.0

Back in January I had reported on the hacking of HD-DVD protection by improper key management. AACS, makers of the DRM protecting the new format, vowed to try to shut down BackupHDDDVD, which is instrumental to some part of the cracking process. At the time I thought it was likely to be the last we would hear about this topic, after all, cracked protection is hardly news, is it? Once the how-to had been posted in Ed Felten's blog, the game was up. Or so I thought...

In order to understand the cracking process, we need to understand keys. Felten explains it best, so here he goes:

"In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.
When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content."

However, January's vulnerability was limited, as it could not decrypt the title's key, it was only a player key, which would be useless by itself. Suggestions were made to have a title key database that cracking software could access, but as far as I know it was not implemented. That was the state of play until yesterday, when a key was released to the public which allegedly can be used to decrypt most existing titles. Apparently, this is a processing key, something akin to a master key. I have not been able to find the first source of the key, although some sites have posted a link to a removed WordPress blog here. The earliest post I could find in this meme is here. Perhaps in the days of Web 2.0, it is impossible to find sources. Anyway, what we know for sure is that someone posted this somewhere (vagueness is also very web 2.0):

"Spread this number. Now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. It's the HD-DVD processing key you can use to decrypt and play most HD-DVD movies in Linux. Movie studios are going ballistic over this leak, so Digg the story up and make it reach the front page."

This was like DeCSS all over again, but this time with blogs, YouTube, Digg and the whole force of a meme-churning machine. In other words, AACS does not stand a chance. That doesn't mean they did not try! Apparently the number made front page of Digg, who then received a Cease & Desist letter and decided to remove the stories and even cancel user's accounts. Needless to say, the slightest whiff of censorship sent the copyfight warriors on overdrive, and we had a t-shirt (pictured), replication in countless blogs, and even a song uploaded on YouTube. Some of the discussions in Slashdot and Wired have been worth reading as sociological examples of slighted self-righteous geekdom. I can imagine this repeated in chat-rooms across the world:

"Replicate this number, it allows you to copy your HD-DVDs"
"But, I don't own any"
"Doesn't matter man, they're trying to censor us!"

Digg realised they were losing the good will of geekdom, so they posted a "we hear ya", together with the dreaded number on the title. They have decided to "go down fighting" and side with the rebelling masses.

I may be forgiven for being my cynical self, but I must admit that I'm getting slightly suspicious about this whole affair, I'm missing some very basic information in order to make sure that this is a legitimate issue. Here are some problems that I have with the news:

1. Where is the original post? Has it really been taken down?
2. The earliest key replication seems to come from a meme post designed to anger the masses. No, you cannot copyright numbers, but keys may be protected as part of an effective technological protection measure.
3. AACS has not made any official declaration that it's pursuing infringers, something that they have done in the past.
4. I would like to see Digg's cease-and-desist letter, it seems to me like lawyers for the industry moved incredibly fast.
5. There's something about the whole story that smells like urban legend to me. The meme has spread too fast in order to get accurate information.
6. Has anyone actually tried to use the key?

It's possible that my suspicions are misplaced. If that is the case, AACS may have committed the biggest blunder by trying to suppress the key; the level of dissemination is such that it will be impossible to recall it. This may prove to be a case study of how useless cease-and-desist may become in the Web 2.0 era. Even if the story proves to be a clever hoax, copyright owners should heed the lesson.

Update. Some interesting replication strategies from David Berry:

• Doom9 original thread.
  
• Saved version of the original Digg post and discussion here.
  
• Domain names here, here, and here.
  
• A techno song here.
  
• Wired blog post here.
  
• More madness here.
  

But I still haven't seen any first-hand report that anyone has actually used the key to crack an HD-DVD.

Update 2: Chilling effects has posted the AACS C&D letter to Google, so I guess that makes it official, the key seems legit. If AACS wants to take it down, there must be a reason.
"Ladran Sancho, señal que caminamos".

Update 3: Fred von Lohmann from EFF has posted a warning against posting the key.

Microsoft wins patent case in US Supreme Court

The United States Supreme Court has ruled on Microsoft v AT&T, a dispute over patent infringement abroad. Patent law is pre-eminently national, so it does not apply over items manufactured and sold in other countries. American patent law has only one exception to that rule, and it is if components have been manufactured in the U.S. and then are assembled abroad then there can be infringement actionable by U.S. courts (s271(f) 35 U.S. Code).

The case is whether there is patent infringement for a software product that may be sent in a master disk from the United States, and then assembled and sold abroad. AT&T owns a patent over speech-encoder (RE32580), and it sued Microsoft arguing that Microsoft Windows contains code which infringes their patent claim. AT&T included in their infringement suit international claim for all copies of Windows manufactured and sold abroad, a claim that Microsoft contended.

The U.S. Supreme court was asked two questions, is Windows a component in the sense of s271(f)? Here the answer was yes. If so, was the component supplied from the United States? The answer here was no, as evidence pointed out that the physical master disks were shipped from places outside of the United States to overseas assembly factories, even if there was a presumption that some of the software could have been coded in the U.S. AT&T protested that this was a loop-hole in the legislation. The Court recognised that was potentially a concern, but that it was up to the Legislative to plug the hole. They commented:

"AT&T urges that reading §271(f) to cover only those copies of software actually dispatched from the United States creates a 'loophole' for software makers. Liability for infringing a United States patent could be avoided, as Microsoft's practice shows, by an easily arranged circumvention: Instead of making installation copies of software in the United States, the copies can be made abroad, swiftly and at small cost, by generating them from a master supplied from the United States [...] The 'loophole', in our judgment, is properly left for Congress to consider, and to close if it finds such action warranted."

However important this discussion is, to me the most important part from a foreign perspective is the unambiguous statement against extraterritoriality. The ruling states:

"Any doubt that Microsoft’s conduct falls outside §271(f)’s compass would be resolved by the presumption against extraterritoriality, on which we have already touched. The presumption that United States law governs domestically but does not rule the world applies with particular force in patent law."

It's refreshing to see extraterritoriality shut down in certain terms by the U.S. Supreme Court. This is heartening, as it helps to maintain software patent madness well within American borders. We can only hope that it stays there.