Wednesday, June 24, 2009

DMCA Questions from the Copyright Office

Are you a copyright geek (preferably a lawyer) and interested in helping me (pro bono) with my reply to the Copyright Office? I can do the writing by myself, I just need help with strategy/legal questions. If so, please get in touch.

As many of my regular readers know, late last year, I (and the fantastic Berkman cyberlaw clinic) submitted a request for an exemption to the Digital Millennium Copyright Act. One month ago, I testified in person to argue in support of my request.

We originally requested two exemptions. The Copyright Office has now sent us some follow up questions with regard to the second exemption.

The second exemption text was for:
Lawfully purchased sound recordings, audiovisual works, and software programs distributed commercially in digital format by online music and media stores and protected by technological measures that depend on the continued availability of authenticating servers, prior to the failure of the authenticating servers for technologists and researchers studying and documenting how the authenticating servers that effectuate the technological measures function.

The Copyright Office has asked us to:
Please provide your reaction to the following limitation: "...when the information obtained by the technologists and researchers is used only to provide access to works protected by the technological measures that depend on the continued availability of an authenticating server when [1] access is provided only to persons to whom access had been provided by the authentication server prior to its failure, [2] the authentication server has permanently ceased functioning, and [3] the provider of the service has neither made alternatives means of access to the works available nor provided a refund for the loss of access to the purchased copies of the works.

Would it be appropriate to limit the persons who would be eligible to invoke the exemption? Why? If you believe it would be appropriate to limit the persons eligible for the exemption, what criteria could be used?

Are there any other appropriate ways to properly tailor the scope of the exemption

I still haven't had much time to think about this in depth. Our reply is due on July 10th.

My plan is to try and come up with a rough draft in the next week or so, and then put it online in a wiki for people from the Internet to comment on and edit.

Tuesday, June 23, 2009

FOIA: Following the money trail

Sent by fax today to the Computer Crime & Intellectual Property Section (CCIPS) at the Department of Justice:

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records, invoices and any other information detailing the amount of money paid by the Department of Justice to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap & trace requests and national security letters.


At the recent Computers, Freedom and Privacy Conference in Washington DC, Alan Davidson, Google’s Director of Government Relations and Public Policy revealed to the audience that Google routinely charges the government for the time and resources spent responding to requests by the Government for Google customers’ data.

This practice is permitted by various statutes. For example, 18 U.S.C. §§ 2518(4) states that:
Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance.

Likewise, the 2008 Protect America Act amended the Foreign Intelligence Surveillance Act to state:
The Director of National Intelligence and Attorney General may direct a person to …. immediately provide the Government with all information, facilities, and assistance necessary to accomplish the acquisition … The Government shall compensate, at the prevailing rate, a person for providing information, facilities, or assistance pursuant to subsection (e).

While Google is one of the first Internet based service providers to admit to this practice, it is likely that the practice is widespread.

My request

I request all records, invoices, memos and any other information detailing the amount of money paid by the Department of Justice to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap & trace requests and national security letters.

At the very least, this request shall include documents relating to Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&T, Verizon, Comcast, Sprint and T-Mobile.

The scope for this request shall include all documents created between January 01, 2006 and January 01, 2009.

Monday, June 22, 2009

Do we need net neutrality at 35,000ft?

Just here for the step-by-step instructions? Click here to skip the explanation

Gogo Inflight Internet Wireless is the sole provider of in-flight Wi-Fi in the United States -- and is already installed aboard planes in the domestic fleets of Delta, American and Virgin America.

While their service is awesome -- their pricing plans currently involve some fairly horribly discriminatory pricing. "Mobile" devices including iPhones, Nokia handsets and various Windows Mobile devices pay $7.95 for flights of any length, whereas laptops pay $9.95 or $12.95 based on the length of the flight.

Metered pricing is currently a hot topic in telecom circles, primarily due to the fact that the carriers want to be able to gouge extract as much of a profit out of their customers as possible.

Gogo does not implement metered pricing. iPhones and laptops are provided with the same amount of bandwidth, and as far as I can tell, neither receives priority over the other. There are no bandwidth caps, nor any additional charges for using too much data during a single flight. Gogo simply wants to be able to charge its customers more money for watching a YouTube video on a laptop screen than an iPhone -- even though that laptop does not put any more of a burden on Gogo's network than the iPhone.

This is unfair, unreasonable, and frankly, something that the FCC should look into and prohibit.

Luckily, Gogo doesn't have any verifiable way to identify the kind of device a customer is using, and so it has opted to rely upon the self-reported User Agent string transmitted by the on-device Web browser.

This browser string is something under the control of the user (at least those a little bit tech savvy), and by manipulating this information, it is possible to connect a laptop to the Gogo Inflight Internet Wireless system for the cheaper $7.95 price normally restricted to mobile devices.

Best of all, if combined with a discount coupon (easily found online), this price can be reduced further, to a quite reasonable $3.95 for a 5+ hour flight.

Enabling fair, non-discriminatory pricing for Gogo Inflight Internet Wireless

Gogo's acceptable use policy requires that consumers not use the service in order to "engage in any fraud or misrepresentation." As a result, the following information is provided for purely educational purposes as an act of communications policy related activism. Do not follow these steps without first consulting with a lawyer.

Step 1. Download and install the User Agent Switcher Firefox add-on (this needs to be done before your flight).

Step 2. Restart Firefox.

Step 3. Select the Tools-> User Agent Switcher -> Options -> Options menu.

Step 4. Select the User Agents tab, and then click on the "Add" button to create a new user agent.

Step 5. In the "Description" field, type in "iPhone"

Step 6. Now that you have added the new user agent, you have to tell the browser to start using it. Do so by going to Tools -> User Agent Switcher, and then select the new iPhone option.

Step 7. Once you are on board a Gogo enabled flight, wait till the plane is above 10,000 ft, and connect to the open gogoinflight wireless access point.

Step 8. Type in any web site address. You will be redirected to the Gogo portal, and will be prompted to pay for wireless access.

Step 9. You should see a $7.95 option for mobile Internet access for your flight.

Should you wish to save a few more bucks, Gogo seems to regularly offer discount codes, further bringing the price down.

Step 10. After you have paid for the service, and are connected to the Internet, you can switch the user-agent string back to the default Firefox setting.

Tuesday, June 16, 2009

An open letter to Google

This six page letter (pdf) to Google's CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users' communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers' login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google's Web applications from an unsecured network, and Google.s existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers. sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.

Rather than forcing its customers to "opt-in" to adequate security, Google should make security and privacy the default.

View the full letter at

Wednesday, June 10, 2009

A shot across the bow

At Computers, Freedom and Privacy last week, Google's DC policy guru Alan Davidson revealed that the company has between 1-20 employees working full time to respond to requests for private customer information from law enforcement. He also revealed that Google asks for financial compensation from the Government for the time required to satisfy these requests -- he noted that this practice is permitted by law.

Google is not alone in this. All major Internet companies receive thousands of requests per year, and as a "matter of policy", they all refuse to discuss this, or to give the public even a rough idea of how many requests they get.

A recent Newsweek article comes the closest, revealing that Facebook gets between 10-20 requests per day from law enforcement agencies.

This silence needs to end. We need transparency, sunshine, and some accountability. If users realized how often their data is disclosed to police, and how often it occurs without a warrant or any judicial oversight, many would be shocked.

So -- if you work in the privacy, legal or policy department of a major Internet provider (as I know a few of my readers do), consider this your warning.

You either need to come clean voluntarily, or the information will be forced out. Your customers have a right to know.

My first avenue of attack will be via a number of FOIA requests (see below) -- if that fails, I'll have to ramp things up a bit. The current level of secrecy is simply not acceptable.

(Sent to Criminal Division, Department of Justice)

Dear FOIA Officer:

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning guidance, reference manuals and sample requests provided to law enforcement agencies by major internet companies, search engines, web mail providers, and social networks.


A recent Newsweek article ( revealed that:

"NEWSWEEK reviewed both Facebook and MySpace documents that let law-enforcement agencies know what information they track and how to obtain it; MySpace's guide is more robust, offering agencies templates with language geared specifically to be admissible in court. Both sites disclose that they cooperate with police in the terms that users agree to when they sign up."

Practically all Internet related businesses have a legal compliance department. Some, like MySpace, are open 24 hours per day, 7 days a week. A list containing contact information for over 100 of these offices can be found here:

The same Newsweek article also revealed that:

"[Facebook] says it tends to cooperate fully and, for the most part, users aren't aware of the 10 to 20 police requests the site gets each day."

It is likely that other major Internet companies receive a similar number of requests. As a result, it is not surprising that the companies have created guides and sample requests for law enforcement agencies, in order to help to streamline requests, and reduce the amount of manpower required to handle each subpoena.

My request

I request any records, including memoranda, handbooks, emails, policies and procedures provided to the Department of Justice by Internet service providers, phone and cable providers, search engines, instant messaging companies, and social networking sites. Such documents likely contain guidance and frequently answered questions related to requests for subscriber information, and may also contain sample subpoenas and search warrant applications.

At the very least, this request shall include documents provided by or relating to Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&T, Verizon, Comcast, Sprint and T-Mobile.

The scope for this request shall include all documents created between January 01, 2005 and May 10, 2009. It is likely that the Computer Crime & Intellectual Property Section (CCIPS) within the DOJ Criminal Division will have the most relevant documents.