If you live in the 9th Circuit, you don’t own your software anymore.

Posted by: David Brookshire

We’re all guilty of it. Tossing aside that thick packet that accompanied our new software. Clicking ‘I Agree’ to 50 pages of contract that we scrolled past or didn’t even bother clicking through to read. How could anyone be bound by a contract for a product they already paid for? These End-User License Agreements (or as the trade calls them, EULAs) have frequently been ruled or legislated unenforceable for being unconscionable, in that they force a conditional contract upon the consumer after they think they’ve purchased a product. After all, few consumers read the terms and realize that the software they purchased is in fact being leased to them.

But the Court of Appeals for the Ninth Circuit took a different tack recently in Vernor v. Autodesk, holding that a man who purchased old used copies of Autodesk from an office company was infringing copyright by selling them on eBay. The rationale was that the office company had not actually purchased the software from Autodesk, they had only leased it, and therefore could not sell the software to Vernor. Why is this an important (and awful) decision? Because the test the Ninth Circuit set out to determine if a EULA binds you and restricts your use of the product is:

“First, we consider whether the copyright owner specifies that a user is granted a license. Second, we consider whether the copyright owner significantly restricts the user’s ability to transfer the software. Finally, we consider whether the copyright owner imposes notable use restrictions.”

…or as I like to read it:

  1. The company says so
  2. The company says so
  3. The company says so

It doesn’t matter that the EULA was 90 pages of indecipherable print that you clicked past without a glance. It doesn’t matter that the contract wasn’t seen until after you purchased the product. It doesn’t matter that you might have actually never seen the contract at all (how many times have you ignored the “Click to see the Terms of Service” link before clicking “I Agree”?). All that matters is what the company says. In fact the ruling seems to imply that companies need to err on the side of being overly restrictive in their licenses so they can make sure they meet the “significantly restrictive” requirements.

Effectively this ruling allows software companies to get all the protections of copyright law while preventing their consumers from enjoying any of their rights under the statute.

In the long run I think this is poor policy on the part of companies. Previously you had three main markets: those that purchased new copies of the software through you, those that purchased older versions through the secondary market, and those that pirated the software. While software companies often can convert users of the secondary market to new purchasers by including new features, there is no such effective enticement for software pirates who can get even the newest software for free. In eliminating the secondary market you are eliminating any customer who can’t afford your products new. These customers will either pirate the software, making them less likely to purchase it at any point later, or they will find a cheaper competitor’s product. Either way, Autodesk seems to be hurting themselves in the long run.

So if you are lucky enough to live in the jurisdiction of Ninth Circuit, congratulations; you no longer own the software you are purchasing. Just remember that the next time you fork over $600 for a copy of Rosetta Stone you won’t be getting any of that back by selling it used.


The Electronic Communications Privacy Act Needs a Software Update

Posted by: Girard Kelley

The Electronic Communications Privacy Act (ECPA) defines the privacy laws that regulate our digital life, from Internet websites we use every day to the smart phones we carry in our pockets, but has not been updated since it was passed in 1986. Like floppy disks and cassette tapes, our privacy laws are outdated. In the 1980s, the Internet was still being developed, phones had cords, and snail mail was just postal mail. Technology has changed significantly since the eighties but our electronic privacy laws have not. This has created a confusing situation where our electronic communications, mobile location data and digital information stored online all fall under different jurisdictions and legal protections that may or may not be adequately protected. Law enforcement, on the other hand, is struggling to balance individual privacy rights against the oftentimes contradictory privacy laws and regulations in order to access digital information quickly and efficiently. The time has come to reform the ECPA to reflect stronger, more stringent privacy protections for electronic communications and digital media. This reform should attempt to balance individual privacy with the ability of law enforcement agencies to provide the accountability and accessibility needed to enforce our laws and protect the public.

Since the enactment of the ECPA in 1986 there have been significant changes in how we utilize technology and computers in our everyday life. These changes in utilization have had an enormous impact on our privacy rights as well as the legal implications of how technology laws are becoming more and more antiquated. First and foremost, email technology has radically changed from its antiquated original use as a form of research communication exclusively found in universities to its everyday ubiquitous adoption across the globe. Americans have embraced e-mail as their primary method for personal and business communication, effectively transforming it from its original purpose and using it in ways the ECPA had never anticipated. The Digital Due Process campaign points out that the ECPA has not kept up with e-mail advancements since the 1980s. Email has seen the adoption of unlimited online storage capacities that no longer require users to download or remove email off servers, essentially leaving their email online indefinitely. According to a NetworkWorld article: “Under ECPA rules, any e-mail left on a server over 180 days is considered abandoned and can be accessed by law enforcement without a warrant or probable cause. That may have made sense in 1986 when e-mail was almost always downloaded and didn’t sit idly on servers, but with Gmail, Yahoo Mail, and other Web-based e-mail services providing gigabytes of storage space, users now leave e-mail on cloud-based servers indefinitely.” These ECPA regulations were originally enacted with the intention to protect private email communications when in reality their antiquated understanding of technology actually removes those privacy protections.

Another such technology that the ECPA hasn’t kept up with is mobile location information. In 1986 cell phones were larger than the size of bricks, cost a fortune and did not store your location data. Jump ahead to 2010 and cellphones today have transformed into ubiquitous mobile Internet devices that constantly store and transmit location data to your service provider. This GPS location information is gathered in real time and can reveal where an individual is at any moment and where they have been. This extremely sensitive and lucrative information for the Government and law enforcement agencies has been a focal point of heated debate in recent years in attempting to define our digital privacy rights. Issues such as these raise serious concerns about what type of legal protections and ownership citizens have to their own GPS location information stored with third-party service providers. Recently, in an effort to clear up this confusion, the U.S. Court of Appeals for the District of Columbia Circuit addressed this issue of warrantless GPS tracking in United States v. Maynard, stating the opinion that “It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work. It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person’s hitherto private routine.” This modern day legal interpretation of GPS privacy should serve as the standard in which the government should be required to obtain a warrant before using your cell phone as a tracking device.

Technologies such as GPS and email communications continue to rapidly outpace the courts’ attempts to protect their utilizations with the law. Another such technology that has emerged and is outpacing our legal definitions is cloud computing. The term “cloud” is used to define the online storage space that service providers and businesses use to store customer information, host online services and process data. The cloud has fundamentally changed the infrastructure of the Internet and Internet Services in only the past few years, and as a result more and more citizens are storing all their digital information online with a third-party service provider, such as emails, GPS location data, financial documents, photos, bank statements, medical records and legal documents. This surge of cloud computing with its unanticipated role in storing citizens’ digital data is essentially creating contradicting standards of who owns the digital information because of where it is physically located. The Digital Due Process campaign points out that “A document stored on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but the ECPA says that the same document stored with a service provider may not be subject to the warrant requirement.” This is a troubling distinction, especially when you consider the legal implications of giving third party service providers consent to hand over your information to any government agency that requests it.

From a legal perspective the terms of service of many of these online Internet service providers vary drastically and oftentimes indicate that by uploading your content to their online service you have given them third party consent to the information with only a few exemptions. These Terms of Service state that by uploading content to the service provider you are essentially handing over ownership of that information. Although seemingly insignificant to the average online user, their perception is because they can still ‘access’ their content they still ‘own’ it. This misunderstanding becomes an important privacy concern when these service providers are approached by law enforcement and asked to hand over all information on specific individuals. These third-party service providers, much like a landlord having third party consent to enter your property, have no incentive or legal authority to refuse to release this private information. The ECPA does not protect the dissemination of an individual’s private digital data, and provides no legal protections or required notifications to online users that service providers have handed over their information without the need for a warrant. This egregious lack of digital privacy goes against the original intentions of our founding fathers and the information they meant to protect. “Thomas Jefferson knew the papers and effects he stored in his office at Monticello would remain private. Today’s citizens deserve no less protection just because their “papers and effects” might be stored electronically.” It is this disregard of our digital privacy laws that needs to be addressed in a reform to the ECPA that better reflects the intentions of our founding fathers as we move forward adopting new technologies.

Online Cloud Backup Storage Services are another such technology the ECPA did not anticipate and does not adequately protect. Data uploaded to these services for the purpose of “backing up” more often than not are unencrypted and easily readable and accessible by other individuals and law enforcement. In order to prevent unauthorized access to your sensitive data you need to lock or encrypt your data stored on these services. Even service providers that claim to encrypt your data oftentimes have the key to unlock that data on the very servers where your data resides. This is analogous to locking your front door but leaving the key in the lock. Only Online Backup Service Providers that do not store the encryption key to your data on their servers are truly secure. If these companies were asked by the Government or law enforcement to hand over your data they would subsequently be able to decrypt it. The data would be considered useless to law enforcement who would be unable to decipher or read it. The majority of Internet users today do not utilize encryption technologies and those that do are considered to have something to hide.

The general opinion of Internet users on encryption seems to be that because “I have nothing to hide, I do not care if law enforcement needs to examine my data”. This dangerous ideology of giving up personal privacy in exchange for perceived safety is what our founding fathers tried to protect us against. In the words of Benjamin Franklin, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” This perceived tradeoff between privacy and safety is an ideology that desperately needs to change on the Internet. The ECPA needs an update in encryption technology to better reflect how it can be effectively utilized in today’s society, and how it can be used to protect our digital data and constitutional freedoms.

The ECPA needs to recognize and look to resolve these deficiencies in understanding and implementing privacy protections for new technologies. This update needs to redefine the intended principles behind privacy through a revised and constantly evolving set of electronic privacy laws. Several technology rights organizations have already recognized this cause, such as the Electronic Frontier Foundation, American Civil Liberties Union, Google, Center for Democracy & Technology and many others. These organizations have joined together with the Digital Due Process Coalition (DDP) to outline several “Guiding Principles for ECPA Reform”.

        Technology and Platform Neutrality: A particular kind of information (for example, the content of private communications) should receive the same level of protection regardless of the technology, platform or business model used to create, communicate or store it.
        Assurance of Law Enforcement Access: The reform principles would preserve all of the building blocks of criminal investigations – subpoenas, court orders, pen register orders, trap and trace orders, and warrants – as well as the sliding scale that allows the government to escalate its investigative efforts.
        Equality Between Transit and Storage: Generally, a particular category of information should be afforded the same level of protection whether it is in transit or in storage.
        Consistency: The content of communications should be protected by a court order based on probable cause, regardless of how old the communication is and whether it has been “opened” or not.
        Simplicity and Clarity: All stakeholders – service providers, users and government investigators – deserve clear and simple rules.
        Recognition of All Existing Exceptions: Over the years, a variety of exceptions have been written into the ECPA, such as provisions allowing disclosures to the government without court orders in emergency cases. These principles should leave all those exceptions in place.

These guiding principles of reform from the Digital Due Process campaign do not call for the complete replacement of the ECPA, but instead advocate updating the ECPA to better reflect our usage of technology in today’s society. The ECPA needs this update in order to better protect citizens’ digital privacy rights, balance law enforcement’s accessibility and accountability with digital information and return the original intentions of the Fourth Amendment to the United States Constitution that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause…” It is these reforms that will usher in a new era of technological innovation and adoption that require us to demand our dotRights today by spreading awareness and asking Congress to modernize our electronic privacy laws.

Jailbreaking and Games Consoles

Posted by: Andrei Toma

A few months ago the Librarian of Congress decided that jailbreaking your own iPhone is legal. What about game consoles?

For people unfamiliar with the terminology, jailbreaking originally referred to a process which allowed iPhone users to unlock their phone’s operating system in order to gain complete control of their phone and circumvent any limitations imposed by Apple. In other words, a jailbroken iPhone breaks the economic network effect (sometimes known in the industry as a platform effect) Apple intended by allowing users to install software from more than simply the Apple Apps Store.

The same idea applies when jailbreaking an Xbox 360 game console. This type of jailbreaking has been traditionally referred to as ‘modchipping’ or ‘modding’ because the method involves soldering a silicon chip into the console. The process is relatively simple. It involves opening a console up and performing a bit of silicon surgery to alter the laser which reads Xbox disks. The altered laser then allows the console to read homebrewed games and software, as well as pirated copies. The purpose of jailbreaking any piece of electronic hardware is often to circumvent the Digital Rights Management (DRM).

Back in August 2009, federal Homeland Security agents arrested Mathew Crippen, a 27 year-old liberal arts student at California State University, at his Anaheim home for jailbreaking two Xbox 360’s.

The Government alleges that Crippen ran a circumvention racket from his home, clearly meriting the attention of the Immigration and Customs Enforcement (ICE) branch of the Department of Homeland Security. Well, more accurately, his activities merited federal attention after the Entertainment Software Association (ESA) reported Crippen as a potential violator of the Anti-Circumvention Provisions of the Digital Millennium Copyright Act of 1998 (DMCA). The ESA is a trade association of the videogame industry which combats copyright infringement and piracy. Nearly all major videogame software producing companies are members of the ESA, many of which are based in California.

Crippen believes a formal disgruntled neighbor reported him to the ESA, which then sent an undercover agent to Crippen requesting that Crippen jailbreak an Xbox 360. ICE then sent its own undercover agent to have another Xbox 360 jailbroken. After Crippen successfully jailbroke both consoles, authorities obtained a warrant to arrest Crippen and raid his home, where authorities further confiscated around a dozen different gaming consoles.

Crippen allegedly made some money from jailbreaking Xbox 360s. He allegedly charged 30 dollars a console for this service. Crippen claims it takes only 10 minutes to jailbreak an Xbox and that he learned how to do it online from Google searches on the topic.

The federal government charged Crippen with two counts of violation of the DMCA’s Anti-Circumvention Provisions that make it illegal for anyone to break software encryptions. Specifically, Crippen is charged under 17 U.S.C. §§ 1201(a)(1)(A), 1204(a)(1). If found guilty, Crippen could face up to 10 years in jail and $1 million in fines for both offenses. His trial date is set for November 30th of this month.

Crippen claims that he did not modify the Xbox 360 consoles to allow their owners to play illegally pirated games, but rather so that the owners could use decrypted copies of DRM-laden lawfully-acquired gaming software and make backup copies of games already owned. Games inevitably get scratched and back-ups can be made (it has already been well established that making backups is perfectly legal), but back-ups cannot be used because of the DRM encryption of the consoles. A stock Xbox 360’s laser simply will not read games made on regular DVD disks. In order to fix that, an Xbox 360 needs the laser modified. Crippen claims he only helped people who wanted to make lawful backups of games they already owned. Section 117 of the Copyright Act, 17 U.S.C. § 117(a) specifically authorizes an owner of a copy of any computer software, including computer games, to make an archival copy of the program.

Stepping back for a moment, a rational reader may inquire how it could be illegal to modify any piece of electronic equipment. Except for guns, I can ordinarily alter almost everything I own any way I please without the government having any business regulating me. My gut tells me the law should never make it illegal to modify a piece of hardware I already bought and paid for. Unfortunately, that is exactly what the DMCA’s anti-circumvention provision does.

The DMCA, with its Anti-Circumvention Provisions, is a very unique piece of legislation because it does not ask the purpose for which the altered hardware is being used, but makes the very alteration of software or, in this case, hardware illegal. No one is arguing that using jailbroken hardware to run pirated software/games should be legal; rather that jailbreaking hardware to run legal software should not be illegal.

The Librarian of Congress can choose to make certain exceptions to the DMCA every three years, which is what he did a few months ago by adding jailbreaking phones to the announced list of administrative exceptions to the Anti-Circumvention Provisions of the DMCA. The Registrar of Copyrights receives all exemption proposals, holds a process of hearing and public comments, makes final recommendations, and the exclusions are then formally issued by the Librarian of Congress. To be clear, the mobile phone exception only applies to individuals jailbreaking their own phones and does not cover anyone jailbreaking phones for profit.

The trouble for Crippen is that gaming consoles are not on the list of exclusions. Xboxes are also not mobile phones. Additionally, the government claims he was jailbreaking for profit, not personal use. Crippen will need a fairly talented and creative lawyer to successfully convince a judge or jury that gaming consoles should be treated like phones under the DMCA.

Fair use is also a likely defense Crippen will offer against prosecution under the DMCA. Fair use includes things like reverse engineering, first amendment free speech, using copyrighted material for educational purposes, and the like. Unfortunately for Crippen, fair use may not help him both because he allegedly jailbroke consoles for money and because the Anti-Circumvention Provisions of the DMCA contain no express fair use provision and the courts have so far declined to read one into the statute. If Crippen jailbroke his own game console, the court still might find he did something illegal but it’s unlikely anyone would have reported him, and even if he was reported, the ESA would lack sufficient evidence to get him prosecuted. However, Crippen allegedly jailbroke other people’s consoles for money. If proven, such conduct could constitute a clear violation of the DMCA’s Anti-Circumvention Provisions.

The ESA had to crack down on Crippen’s power grab on the gaming entertainment establishment’s market. It is just not possible to prosecute all console jailbreaks; so the ESA appears to be attempting to make an example of Crippen to discourage other people from jailbreaking their own consoles. It seems unconscionable to charge someone with a crime for which the potential sentence could be up to a $1,000,000 fine and ten years in prison, so the government is only seeking a three year prison sentence and no monetary penalty (as if Crippen could pay).

Even three years still seems like an awfully stiff penalty for enabling people to play and back up video games.