It's so bloggy to talk about blogging, but I have to say that blogging the terrific Yale cybercrime conference gave me new insights into the blogging process.

This was a truly enjoyable conference, made more so for me by the fact that I wasn't performing myself.  I had no paper to sweat over and revise at the last moment.  So, instead, I could work at absorbing what people were saying.  For me, blogging forces me to focus on the themes being brought out in real-time.  Then, when I've finished an entry, I can see it as a whole -- beginning to end, introduction to triumphant conclusion.  This not only helps me to grasp what's going on but also reveals to me what makes a presentation great.

What makes it great?  Clarity, forcefulness, meta-ness.  Many of the speakers at the Yale conference had all of these qualities.  (Michael Froomkin has these things going for him too, and I was busily blogging his talk when my right fourth finger slipped and I pressed a mysterious "backwards" function button that wiped out my entry.  Sorry, Michael.)  A beginning, a middle, and an end.  A strong voice.  Not reading from notes.  Conviction laced with a sense of humor.  Awareness of time (great speakers never run short on time).  And, most importantly, something to say that matters -- and that the speaker deeply understands. 

Sitting in the timeless classroom (literally -- Yale's Room 127 has no clocks, but does have a lot of portraits on the walls), I felt that I was contributing in some way by writing about what was going on.  I probably felt a little guilty about being there "just" as a participant rather than a speaker, but blogging gave me something to do.  (Note to self:  do not respond to IMs from two different people at the same time while attempting to record what's going on -- this happened during Zittrain's talk, and I'm sorry.  Sorry, Jon.)

So, although blogging means you DO sometimes have to say you're sorry (after all, if I'd gotten distracted while taking hand-notes no one would know), it adds a dimension to conferences that I enjoy.

Jack Balkin is up.  He presents three problems: 

first, what are the different forms of cyberprotest, and how do they relate to the freedom of speech?

second, what is the conflict between freedom of speech and other rights (let's clump those rights as "property")?

third, why is cyberprotest difficult to do?

First, point of freedom of speech is to support democracy. 

Think about different forms of cyberprotest as different forms of technologies; eg, sit-ins, hack-ins, allow small cells to do information-sharing (to get around filters), google-bombing (more). You can divide types of cyberprotest that enhance free flows of information (routing around) from those that block the flow of information.  Both types can be disruptive -- but in different ways. 

But this is a rough cut:  Although the idea of freeing information sounds "good," and the kind of thing activists would be interested in, there may be times to limit the flow (viruses, worms, child porn).  Central question is under what conditions is it a good idea to use code to free up the flow of information.

Second:  You have a factory, people organize, decide to walk out.  Is this freedom of association/speech or criminal conspiracy and destruction of expected profits.  Beginning of 20th century, walkouts are seen as destruction of property.  Then a big debate over what part of this we call speech and what part we call destruction of property.

This is the same problem we have with cyberprotest.

Three phases of protest: first, courts say this is conspiracy and destruction of profits; second, courts say this is freedom of association and speech (AFL v. Swing, eg).  Labor unions have right to organize, even if action lowers profits.  So we get to the third stage: now labor protest treated as a highly regulated subject, treated in labor law.  Completely out of the First Amendment category.

Balkin is not saying these same three stages will happen.  But boundary between speech and destruction of property is not a fixed line.  It changes over time through social movements.  So our view of what's "appropriate" for cyberprotest will inevitably change.

Back to the first rough cut: blocking v. facilitating.  That's too simple.  But there's no a priori way to divide what's cyberprotest and what's destruction.  Dead cow (Oxblood Ruffin hacktivist group) focuses on routing around, which seems appropriate to Balkin.  They also, interestingly enough, say that they don't want technologies to be used for "illegal" speech (like child porn).  But what's the baseline for determining what we think of as illegal speech?  Dead cow seems to be working with US baseline re what's "illegal".  But that choice of baseline is worth talking about.  An important question.

Third point:  what produces the development of technologies of cyberprotest.  Answer:  The Temptations.  Balkin will explain the link.

The key problem in cyberspace speech is proximity and attention.  Have to get the attention of your audience, and have to get next to them (picket around them).  Find some place where people interested in your speech will listen to you.

Balkin student wrote a paper about cyberprotest.  His conclusion was that internet didn't create spaces in proximity to other spaces.  You can move easily around, but you can't interpose yourself between audience and person you're criticizing.  Everyone is your neighbor but you can't get next to anybody. "I Can't Get Next To You, Babe" -- that's The Temptations.

Virtual worlds allow this kind of proximity.  Eg, Third Voice required that the audience join in, to get attention of people who agree with you AND disagree with you (and have no idea you exist). [what about Gator?]  Interest in 1A is also to encounter people you don't know.  Eg, parody sites!  Will take creative minds to design these spaces that will solve problem of proximity and attention.  When they arrive, let's not assume that they're destroying property, but decide whether they're promoting basic democratic values of routing around and glomming on.

Bravo! 

Jon Zittrain is up now to talk about filtering in China and circumvention of such filtering. And hacktivism.

Shows a DMCA notice received by Google for infringing search listing -- threat is that Google will be sued unless it takes result down.  Google even says that there are things you're not seeing.  So Google is cooperating in taking things away from public view (supply side filtering).

If you're China, and you want to stop your citizens from seeing things, you stop people from even seeing google.com (shows search page from Beijing University).  Shows lists posted of blocked sites.  All of MIT and Brown blocked; and all US courts.

JZ did a dialup to Beijing (from his office in Cambridge) to see what could be seen -- but that was expensive.  Then Ben Edelman and JZ asked Chinese servers what was available (eg, search results on google.com for "Tibet" -- top search results unavailable from Chinese servers).  And people out in the world found many other additional sites blocked.  Over 50K were blocked.

Doing this work is becoming more difficult.  (And empirical research is hard!)  Effort to do this entails assuming that China blocks sites for everyone (or not).  Looks as if what's going on is more subtle.  If you type political name into Google, suddenly you won't get access to Google any more. 

Evolving towards a drivers license approach - eg, junior highs do this.  Maybe countries may someday as well -- AUPs for citizen use.  We'll be taught what we should do and what we shouldn't. 

Saudi Arabia also does this -- and allows sites to be unblocked.  Gave JZ two weeks to see what's blocked.  Both SA and China block some common things (like Amnesty International).

Pennsylvania does this too.  Discusses Pappert case statute.  Order can go out to PA ISP saying don't allow Pennsylvanians to go out to particular sites.  (JZ didn't mention that CDT is leading this litigation; see ABDavidson presentation.)

JZ is tracking all of this using the OpenNet Initiative.  Accepting help.

Now:  circumvention.  OpenNet has a circumvention lab in Toronto.  Internet offers opportunity to unhook civil disobedience from wrong being attacked -- before maturation of social moment.  [distracted for a few minutes]

Quick tour of JZ efforts.  Thanks!

Lee Tien:  How does a user know when a device has been redesigned to limit what the user can do?

Deeply, this is a question about the nature of law.  We have a legal sense that appeals to a sense of legitimacy and discourse.  Where architectural regulation hides what it does, we're heading out of law and into instrumental control.  We're leaving the realm of law and any moral dimension/legitimacy issue.

Cf. seatbelt regulation.  Everyone knows about that and can see it.  But when we talk about privacy we're talking about govt attempting to change the conditions of social experience.  From a 4A standpoint the standard is reasonable expectation of privacy -- and if we have no concern about govt steps to design things, we won't know what has happened to our privacy or what is reasonable.  We won't have the opportunity to experience that privacy.  (eg, never having had doors on phone booths would have changed the Katz result).

So rearchitecting network to expose information (creating an audit trail, as Nimrod suggests) may foreclose personal experiences that might inform expectations about privacy.  Eg, zipcode plus birthdate is enough to re-identify 80-90% of data -- triangulation is very easy.  Yahoo! gets this information all the time from users.  Do I know what the invisible consequences of my actions are?  What do you need to know when you're on the internet or using DRM?  How is that that you know you're being injured in some way? 

Do users need to know design options (could it have been done differently so this wouldn't have happened)?  Without knowing the harm, how can your expectations be shaped?

When you're dealing with systems, parts of these systems are in shadow -- so we can't know how these work (eg, PCs, telephones).  Metaphor of architecture means we only perceive in bits and pieces.

Finally, in the world of enforcement -- we don't talk much about the way automated enforcement changes things.  Rules can have a normative career; enforcement of rules is an entrepreneurial event.  You make a decision, using your discretion, that has cost.  That's not the case in architectural decisions to enforce.  Additionally, architectural enforcements are private and unseen.  We can't work on the social meaning of a rule.

Excellent, thoughtful talk by Lee.

Paul Ohm gets up and confesses that his boss is John Ashcroft.  Gets a laugh (post John Podesta talk last night about Ashcroft as destroyer of civil liberties).

Technology in the courtroom:  Too much of it, and not enough of it ("hyperlinks are typically blue").

Digital evidence review:  we look at hard drives for things (what will they do when hard drives go away?).

But question is:  is the person looking at hard drive an expert?  Do we need a Daubert hearing?  Usual answer is "yes."  If we're going to have someone saying child porn is there, we need to be able to say that person was an expert.  Certification as an expert is viewed as needed. 

But it shouldn't be that everyone talking about a hard drive file has to be qualified as an expert.  Eg, if someone pulls fibers on behalf of the FBI, we don't need to say that person is an expert.  This high hurdle won't change Ohm's job -- there are plenty of resources there.  But for small-time prosecutors, it creates enormous costs.

Second:  Court opinions in the surveillance/seach and seizure field are rare.  And they describe technology clumsily.  Where statutory construction depends on this, we're in trouble.  It's not that judges can't understand technology, but analogies don't work well, and litigants don't help them, and labels for things change rapidly.  Eg, arguing to the court that "the internet is like a giant tube, and if you put too much into it it will burst" (for distributed denial of service).  Doesn't help people understand things.

And even use of "email" as a term, without further description or definition, doesn't help people much.  Over time, things change.  So we can't understand the scope of the precedent.

Eg, under Stored Communications Act, what does "electronic storage" mean? defines line between search warrants (storage) and subpoenas (if not storage).  Kozinski focused on "backup protection" element -- all email systems are in backup protection.  But what's he talking about?  POP, IMAP, webmail? entire logic turned on this distinction, but we can't tell what's going on. 

In CDA case:  Stevens says web pages "generally also contain 'links' to other documents created by that site's author"... "typically, the links are either blue or underlined text"

He gets a big laugh and applause.

One of the paper-writing winners (Nicolai Seitz) is standing up to talk about the problems of transborder enforcement of requests for information.

In 80% of all German cases, access to data located abroad is necessary for criminal investigations inolving the internet, he says.  Usually, people ask for letters rogatory, but this takes an enormous amount of time.  And evidence is often deleted.  There have been some improvements in the EU cybercrime convention, but these are inadequate often.

The solution?  Transborder search might do it.  But this might violate the international principle of territoriality.  And, such efforts might make changes on foreign soil.

He points to cybercrime convention.  Article 32(b) doesn't cover transborder search without consent (does cover search with consent).  There's a case (Ivanov-Gorhskov) that does touch on this issue, but FBI has overreached and we're worried (FBI accessed password-protected servers in Russia and downloaded evidence in form of data).  Terrorism may be seen by FBI as a good enough reason to trigger transborder searches and create admissable evidence.

This Russian case is an egregious example of overreaching by US, and we would be outraged if they did it here.  But it underscores the need for some transnational cooperation agreements about this subject.  We have no standardized international practices.  Seitz thinks foreign retrieval of not-freely-accessible data should be illegal.

Richard Clarke is the Washington personality of the week.  Marc Rotenberg testified in early December 2003 before the same Commission on a separate issue re security/privacy issues for going forward in preventing attacks. 

Four key points he made then:

1. long tradition of privacy protection for communications and records stored by governments.  Established during times when US faced nuclear weapons, unrest, assassinations -- but Congress went ahead and set them up.

2.  Sept. 11 provides major challenges, and the people involved in coordinating in govt. efforts completely changes the Terry landscape.  Checks and balances have been changed.

3.  Our understanding of privacy enhancing technologies following 9/11 has changed.  We thought there were tools that could enhance privacy -- TIA bothersome because message was that it would protect privacy, because govt surveillance under it would be less intrusive than other alternatives.

To understand this issue, three dimensions:

1.  What do we mean by privacy enhancing.

2.  What's relationship between federal govt and legal obs to safeguard privacy

3.  How does this all work in practice.

First, definitional problem.  What is a privacy enhancing technology?  Prior to 9/11, we all thought definition was an electronic world where transactions could occur that were verifiable and authenticated, but personally identifiable information wouldn't be necessary.  So these techniques would limit use of this personal information.

In the physical world, we can imagine cash, postage stamps etc. -- forms of value that allow transactions without personally identifiable information.  How translate this to the online world?  This was our core concept prior to 9/11.

No one proposed in Florida in 2000 that there should be an availability to check that vote had gone through.  Why?  Because concept of anonymity at that point, and recognition of need to sever transaction from surveillance is a core part of our democratic society.

This concept of a privacy enhancing technology was derailed by two processes:  first, in the private sector, the view that we wouldn't provide legal obligations to collection and use in the digital world.  it's just notice and choice.  So we saw P3P emerge to translate rights and obligations into a market-based transaction where anything goes. 

Post 9/11, law enforcement said we need to enable surveillance that respect privacy -- but what they meant by privacy was "within the context of a larger scheme that anticipates surveillance."  So, when a vote is cast, it becomes possible to link transaction back to the identified individual.  That's a principle without a boundary.

Rotenberg thought this idea died in the Clipper chip era.  People then said to open the door to this form of storage would create unlimited opportunities for abuse. 

Now our challenge is:  where do we stop?  If you assume all information might be useful in some investigation, where do we draw the line?

Go back to Brandeis dissent in Olmstead v. US.  What would be the appropriate 4A standard to apply to the conduct of telephone surveillance?  Was this warrant-based, or just out there in the ether?  Court said no physical entry has occurred, it's just information out there in the ether; if you are concerned, go to Congress.

Holmes dissented ("a dirty business").  Brandeis said:  look at surveillance in electronic space -- this is far more invasive than what would happen in physical space.  In electronic space, we're unbounded by space and time.  Could be lots of people talking, on many different subjects.  He argues for a higher standard of oversight, because oppty to obtain information is so vast.

When you go to wiretap statute of 1968, it's a "super warrant" when compared to what you get in physical space.  Constitutional response is based on fear that govt will overreach. 

So answer about incorporation of techniques to protect privacy post 9/11 is to keep in mind:  to the extent actors seek to comply with legal obligations and claim that they are "privacy enhancing," then technologies must incorporate auditing, transparency, all other requirements -- because of the enormous risk of government misuse.

Sonia Katyal is up, reminding us that it's important to think about the relationships among public/private law enforcement and surveillance.  Cyberspace allows us to contemplate the limits and possibilities of architecture and law.

Focusing on piracy surveillance:  monitoring users.  Convergence between modes of consumer surveillance and law enforcement -- but quite distinct from both.  An extrajudicial regime of copyright enforcement that poses serious complications for privacy, security, and anonymity.

Basic premise of the paper is an architecture of p2p transmissions.  Rise of piracy surveillance in cyberspace is attributable to this type of architecture.  In property, we have bricks for architecture; in cyberspace, architecture is permeable, allows facilitation of surveillance.  As consumer surveillance rises, we see rise of piracy surveillance.  (By piracy surveillance, she means monitoring that encompasses private notions of infringement; done privately; extralegal -- outside of ongoing litigation). 

Interesting from an IP perspective, because this kind of surveillance alters understanding of IP rights in cyberspace, by giving copyright a predatory and invasive and panoptic dimension.  Speech-based judgments as well.  Enables a copyright owner to determine whether or not an individual is engaging in fair use (and raises substantial due process concerns).

Three major forms of surveillance:  raise similar issues.  Eg, monitoring, using smart agents or bots that search for files.  Key problem raised by that is seen in Verizon case (challenge to 512(h)).  Disclosure of identity with very little real judicial oversight.

Also, problem that similar (but noninfringing) files will be caught up in this.

And how do we protect anonymous speech.

Two other forms of surveillance:  DRM collecting consumer information.  And interference (self-help).

Normative conclusions:  This modes raise complicated questions about the intersection of privacy and identity.  We shouldn't avoid enforcement, but should do it to fit freedom of speech and informational privacy.  Don't force tradeoff between privacy and protection of property.

Orin Kerr is up.  His suggestion is that computer-related crimes will end up with a different set of procedural rules -- "network" criminal procedures.  Even if crimes remain the same, they're committed in different ways.  New facts will trigger needs for new laws.

Start with physical world crime -- bank robbery.  Fred will walk in, go to teller, hands note, teller gives money, goes to car, runs away. 

Cop will show up -- what does he do? He looks for eyewitness testimony.  He also observes what the bank is like and whether there are trace materials of the crime.  He will collect physical evidence tying the crime to Fred.  Eg, the threatening note.

Fred gets out of prison, says he'll be an online bank robber.  He'll hack into the bank.  Logs onto ISP and passes through intermediaries to hide his tracks.   Sets up account, fills with money, sends money offshore.

Now you're the police officer called to investigate this crime.  You'll notice a really different crime scene.  No physical evidence, no eyewitnesses.  Just zeros and ones.  Have to trace evidence back to attacker, but can't do it in traditional ways. 

So you start from bank victim, track back through intermediaries. Hope that system admin has these records.  Trace back to Fred's ISP, and hope that ISP will help you.  But you don't have proof beyond a reasonable doubt -- you only have electronic evidence from third parties.  You have to get a search warrant and go to the target's home -- then forensically analyze Fred's computer.  Fred might keep notes ("I'm looking forward to hacking into the bank tonight.")  You seize the drive and image it, then run a string searcdh for that account number.  Takes weeks.

Different set of processes.  What does this mean for law?  Means that we need new rules to regulate these processes.  4th Amendment and 5th Amendment are tailored to the physical world.  Eg, search rules are about "the entry of the place."  Also, collecting physical evidence is about 4th Amendment seizure rules.  So how do those rules map on to facts of investigations of online crimes?

They don't map well.  You either get extraordinarily expansive rules or rules that are too narrow (where there are no real threats).  We need a relatively balanced set of rules.

Eg, if you want to get records from a third party, you have to get a subpoena.  No privacy protection there.  Traditional 4A doesn't apply to third-party stored information.  This just isn't a problem in the offline world.  So we have new facts where the information is collected and stored in a different way.  Old rule doesn't help.

Last stage -- forensics.  Bunch of interesting problems.  If you map what has to happen to 4A rules, you have big issues.  For a warrant, you have to describe things and only take that.  But in online crime, might be lots of other evidence involved.  Can't get a pinpointed warrant -- have to seize more than you have probable cause to seize.  What about making a bitstream copy?  Is that a seizure of a person's computer?  Traditionally, no -- not a seizure, just making a copy.  So govt could run off a copy and search that!  But intuitively that seems like a problem.

So what will happen in response to this problem?  We've begun to see a new field of network criminal procedure evolving.  Eg, ECPA, and 18 USC 2703, regulates process of going to third-party provider and asking for information.  So it's more than a mere a subpoena.  Statute recreates warrant requirement from the physical world.

Similarly, for forensics, courts are creating new rules to cover these last-stage searches.  So, eg., in a home, the police can't look for physical information that hasn't been described.  But electronically there's no restriction.  So courts have changed rule that governs whether intent matters when you're searching a computer.  Outside scope of warrant/inside distinction doesn't matter.  Subjective intent, though, does matter.  We'll ask agent "what were you thinking when you accessed this file."  Courts are responding to changed set of facts by looking at intent. 

We'll see more and more computer-specific set of rules.  A new body of law to study.

Great presentation.  Good work, Orin!

Beryl Howell, formerly counsel to the Senate Judiciary Committee, is up talking about real-world problems caused by crimes on digital networks.  Moral for all three stories:  specific laws directed to specific problems are very important.  So we need to keep updating these laws to fix mistakes and keep up with changes in technology.

First -- leak of many staffers' memos.  Two Republican staffers had taken thousands of documents and zipped them up with passwords.  Taken from common server.  No staffers were supposed to look at other staffers' memos, but permissions were set incorrectly and the files were wide open.  Appalling breach of custom.  Was a crime committed under the CFAA?  Or just an immoral action?  What does "authorized access" mean?

"Authorized access" was intended to be a case-by-case inquiry.  [note that civil liability requires damage as well, so a higher standard than the criminal part.]  Seems to be "you know it when you see it."

Second case:  FBI agents arrive at a suburban house, say computer being used to distribute child porn.  Teenager there had downloaded Kazaa, downloaded files that contained child porn, then had become a supernode, being used as a pointer.  Teenager had enough files for a felony.  Had he been emailing images to his friends? going to specific sites and downloading them beyond Kazaa?  Son said he wasn't aware of anything.  Child porn is strict liability; hard to do forensic exams because examiners don't want to be in possession of it either.  Happy ending:  prosecutor declined to prosecute.  But signals that technology can take you over a line.  Is the user at fault, or the technology?

Third case:  Company target of embarrassing emails with sexually explicit attachments (sexually explicit patents) sent on their behalf; clients took business elsewhere.  Company seemed incapable of stopping it.  Insecure wifi points and student internet accounts used to send these messages; couldn't track spoofer down.  Howell's company did an investigation.  Complaining emails about these attachments were also spoofed (from "wounded grizzly").  Started talking to wounded grizzly; got an extortion demand for 17million.  Suspect surveilled; able to pinpoint him as spoofer.  Arrested him two weeks ago; found ricin and guns in his house.  Threats you think you're aware of are just the tip of the iceberg.

So we have a problem: limits of CFAA.  Couldn't go after "wounded grizzly" because act unclear; stymied legitimate self-help efforts.

Alan Davidson from CDT is up.  Why does criminal law only seem to expand?  Does it ever go the other direction?  "how many laws have you broken today?"  There's a disconnect between social norms and the laws we have on the books.  Why can't we allow rulesets to evolve -- and why can't we have different views about what's wrong online v. what's wrong offline?  A lot of policy FUD here.  Will rote application of offline law lead to unintended consequences.

Three quick examples:  the case of the nation of felons.  How do we think about criminal copyright?  Has changed dramatically in the last ten years?  We've have criminal copyright for a long time on the books.  Was a misdemeanor for a long time.  With 1997 NET act, we got rid of "commercial profit" requirement; instead said if you distribute works of greater than X value over Y days, you're guilty.

And in 1998, DMCA creates new crimes for circumvention and removal of information.

So we're responding to a felt need to protect material, but what's wrong with this picture?  Millions of people regularly violate this law.  And this is likely to get worse.  Expectations offline (first sale, fair use) drive us to use works online.  Technology that precludes these kinds of uses will be counter-intuitive for a lot of people.  Seems odd from morality perspective -- "criminal" activities may not be felt as wrong.  And from deterrence/utilitarian perspective; these laws aren't having a large effect.  What does it mean for the rule of law if millions of people routinely ignore it?

Two approaches:  House Judiciary committee; maybe problem is that it's too hard to bring these cases (so eliminate wilfulness, make a single copy made a available on a P2P network trigger wilfulness).  Second, give govt civil enforcement powers here.  This seems to resonate with online social norm.  A speeding ticket and not a felony.  We may be overreaching in our expansion of criminal law.

Second:  case of culpable carrier.  Creating criminal liability for ISPs.  Challenge in Pappert case:  DA can get ex parte order from judge based on showing that child porn is there; gets order saying "you must block material from this source."  Make sure they can't see this web site.  Couple things wrong with that.  ISPs block bluntly -- by blocking IP address.  This blocks all other things hosted there.  We discovered over a million blocked based on 500 blocking orders coming out of PA.  Well-intentioned law leads to incredible overbreadth.  Trend is to look to ISPs to hold liable.  Begins to jeopardize end-to-end model.

Third case:  case of the aborted Koogle family vacation to France.  Tim Koogle subject of criminal action in France based on larger Yahoo! case.  So he can't go there.  This was ultimately resolved just last year when charge dismissed [is that true?], but leaves open question about how to deal with criminal laws.  US govt will certainly do this (eg, Elcomsoft).  Calls into question relationship between individuals and govt. 

In DC, legislators only expand laws -- don't contract them. 

Five modest suggestions:

1. go slow re cybercrimes

2. revise defs of crimes and access

3. prefer civil enforcement (things less harmful in the online context)

4. issues of international prosecution

5.  tie to social norms more carefully

this was the best presentation on this panel.  Very substantive and thoughtful -- great job, Alan.

I'm delighted to say that I've been added to the roster of Fellows of The Information Society Project at Yale Law School. This means more trips to New Haven ("The Hub"), and, with luck, some engaging meetings in New York. Thanks.

I'm here in Room 127 of the Yale Law School for a cybercrime conference.  So far, we had an excellent keynote from Dan Geer, and Tony Rutkowski (VP of Regulatory Affairs at VeriSign) is getting up to talk now.

But I'm distracted by a conversation I had with someone before the meeting began.  He said that this whole game of ICANN and VOIP and lots of other worries is essentially over -- FCC plans to assert jurisdiction over the DNS as an IP-enabled service (and assert jurisdiction over email and any other application that uses IP).  He pointed to an FCC NPRM (MC 04-36) in support of this assertion.  He also said that the EC has issued a similar notice.  These notices point to a limited set of obligations for providers.  Game over, in this individual's view.

Back to Tony.  He's pointing to the fact that there are very few content intercepts in the real world.  Most requests are made for subscriber information.  Law enforcement access is essential, and all we're talking about is what costs will be paid by whom.  Anonymity is over.  Key developments are happening in the private sector.  In the public sector, we're talking about the cybercrime treaty (probably will come into effect this year), the UK data retention code, and the FCC CALEA proceeding.  Europe cares only about data retention; they're way past CALEA.

He says re CALEA proceeding: 

Coverage:  Nothing really new here (real time access to data is a fact of life under state and federal law); we're just shifting costs to providers.  And need capabilities in place in order to do this stuff.  Law enforcement has a critical need for access in today's nomadic architecture environment.  He says this is innovative.

Compliance:  Creative, more flexible, adopts 15 month benchmark approach to enforcement.

Costs:  Pass on implementation costs to subscribers; transparency is good; service bureaus make the costs minor; parity with other regulatory mandates (E911, Universal Service); costs are trivial compared to stored data production via subpoenas. (that's an interesting point, if true, and Tony seems to know what he's talking about.)

More when the next panel comes up.

Paul Marino is going to help me pull together some surprising Machinima materials to show the Copyright Office.  This will help me pose questions to the group -- like who owns what and why, and what if another avatar wanders by?  Thanks to Ernest Miller for the suggestion.

I just watched another Red vs. Blue movie, and I'll need Paul's help making a zippy demo out of this.  All ideas welcome.

Next Thursday, I'm giving a lunchtime talk to the Copyright Office (part of a program called The Copyright Office Comes To New York).  Send me your suggestions.  This is my chance to say something sensible.

I thought I'd talk about the feeling of being in Canada in June 2003, during an otherwise uneventful ICANN meeting, when Lawrence v. Texas came down.  The Canadians were feeling awfully smug and superior.  They didn't have to tussle with any ridiculous anti-sodomy laws.  They had even worked peacefully through the issue of same-sex marriage.  They were waaay ahead of us, and surprised at our lame approach to these issues.

I'd mention with sadness the prospect of more election-year debate over same-sex marriage.  (Fighting over who gets to marry whom seems completely pointless to me, and I'm embarrassed that those who govern us are even worried about it.) 

Then I'd talk about the recent Canadian copyright decision to which Michael Geist has pointed us.  Once again, our friendly neighbors to the north seem to be waaay ahead of us.  According to Michael, the Court concluded that the Canadian analogue to the fair use affirmative defense "should be granted a large and liberal interpretation."  Indeed, Michael points out that the court shaped this "exception" to copyright infringement (in our parlance, this defense) as new copyright rights for users.  Users' rights.  Those Canadians have the idea that these rights need to be balanced against the rights of copyright holders. They also think that it's appropriate for manufacturers to presume that their machines will be used for lawful purposes -- and they seem to think that copying for personal purposes is different and special.  Hmmm.

Then I'd talk about some of the more outrageous elements of the broadcast flag proceeding (continued studio role as gatekeepers) and what's coming up next via the analog hole funnel (lingering on nomenclature here).

So:  don't blame Canada, blame us if we can't get this right; don't press for more laws or tech mandates at the moment; keep the FCC out of copyright policy; let Congress decide the difficult questions of secondary copyright liability.  Congress has been decidedly not technology neutral when it comes to the internet (section 230 comes to mind).  We should want to avoid another Lawrence v. Texas moment 15 years from now -- when we come to our senses after a great deal of wasted time.

Look forward to your comments.

The New England Spring Flower Show is on right now in an enormous hall near the JFK Library.  It doesn't have much to do with copyright, but it has a lot to do with spring.  They've created warmth and color (deep oranges, bright blues) by forcing flowers to bloom and then bringing crowds by to admire them.  I'm not a gardener, but I'm related to generations of gardeners, and I have respect for the enterprise.

The kind of gardening that takes place at the Spring Flower Show is carefully planned and executed.  It's a celebration of control; the plants are spaced beautifully and placed against each other so as to show up well; silvers and blues, rough and smooth.  It isn't spring -- not yet -- and many of the blooms don't belong together because (the gardeners tell me) they'd never be present at the same time in the real world.  But they're all there in the convention hall, blooming bravely under bright white lights.    

The moss is dying right and left, and many of the flowers are starting to look tired -- I guess it's a strain, being forced to bloom. 

If you think about it, it's what will happen in the minds of the gardeners that's really interesting; they'll bring ideas home and try them in their own back yards.  Notes were being taken; advice was being sought.  There is beauty made possible by the control in the convention hall, and a great deal of work has gone into making those exhibits possible.  But the show gardens, although ordered, can't be owned.  No one seemed too worried when pictures were taken of their model gardens by amateurs.

It's good to get away from ownership once in a while.  We so easily go too far.

So (as they say in cybercircles) I've been working on some new ideas.  The Cigarettes and Copyrights article is gaining flesh ("don't let the broadcast flag go through, because the FCC has exceeded its jurisdiction and is making copyright policy").  Now I'm working on a new project.

The main idea here is that we take lazy shortcuts in reifying information.  We use property concepts ("trespass to chattels") in talking about automatic searching of information that will do nothing other than lower costs.  We confuse objects with information when we talk about whether people have rights to access content stored in a particular format ("you can watch that DVD and take notes; you don't have a right to manipulate that content when it's in DVD form").  Software is a hard case, and sometimes it's not clear whether it is speech (bits) or action (atoms). 

But these lazy shortcuts are ultimately quite destructive.  After all, law is about people.  Law is supposed to serve people.  So we should serve core human values in developing legal frameworks.  People progress through acquiring (participating in, creating) metainformational depth.  That's what maturing and learning is; that's what a cultural conversation is. 

What's interesting and different about information (as opposed to clods of dirt) is that it interacts and amplifies in ways that dirt doesn't.  It's not just that information isn't scarce -- although that's a difference too.  That difference isn't as fundamental, though.  It's that information isn't conserved and interacts with other information in ways that create (taa-dah) metainformational depth.  Dirt can't do this.

So, any time we unnecessarily reify information, or drag in bodies of assumptions that are based on objects, we're cutting ourselves off from basic human interests in metainformational interesting-ness.  We don't even know what we're missing.  But it's very likely that more complex and interesting clumping is being truncated.  Without that clumping, we can't learn. 

We need to have different (more sensitive, more freeing) regimes for information than we do for real property, and we need to be careful about lazy theoretical shortcuts that don't do us any favors.  Pieces of dirt can't talk, so they're fine under real property law.  But as humans we need to be careful not to cut off our own conversations.

Just a quick link to an International Herald Tribune article about the ICANN meetings last week.

And a link to the PFIR request for an "internet meltdown" conference ASAP.

These two articles connect, of course.  ICANN is under attack, but that doesn't mean the internet is melting down.  ICANN has nothing to do with spam, spyware, security, or content.  All of those issues can and should be addressed by better tools that users can understand.

We're getting close to the end of the public forum section of the ICANN Rome meetings.  Two big pieces of news here tie together.

First, the ccNSO has been formed.  It's true that it could use more members from around the world, and it's true that the ccTLD constituency still meets separately from the ccNSO.  (This is inside baseball - stay with me.)  But what's important here is that ICANN has been encouraged to recognize that the country code domains are capable of making their own policies and do not need to be put under centralized control.  Most decisions affecting the country codes should be (and will be) left to local initiatives.  The ICANN Board clearly does not need to be involved. 

The next step will be to allow the ccTLDs to have more say over the IANA function (the part of this operation that changes nameserver information for TLDs) -- it's my understanding that IANA won't say what staff does what, how long requests take on average to be implemented, or how much it costs to perform its job.  But that's for later.

The second key piece of data here is that Bruce Tonkin gave a terrific presentation about the need for standardized processes (written dockets, timelines) when considering registry/registrar requests for contractual amendments.  Now, one response to such a request could be the ICANN Board just saying "Yes."  But the Board is under worldwide scrutiny, and Bruce's point is that ad hockery has not served the Board (or ICANN) well. 

The relationship between these two topics is:  ICANN is trying to clarify its place in the world (eg, not making local rules for registries) and professionalize its relationship with the contracts it has signed.  These are both good steps, and they'll help ICANN survive. 

I am at the ICANN meeting in Rome.  The big story here is that ICANN is under attack for not sticking to its narrow mission -- technical coordination of the DNS and IP numbering system.  People here are referring obliquely to the VeriSign lawsuit as "recent events" (as in "in light of recent events").  This euphemism reminds me of words used to reference the US Civil War ("the late unpleasantness").

The lawsuit will force a fundamental reexamination of ICANN's role in the world.  It will, I hope, provide some needed clarity for the businesses that are involved in the domain name system.  ICANN will survive this unpleasantness -- in fact, it is likely that ICANN will come out the better for it.

By acting as if it is indeed a regulator of the internet, ICANN has made itself into a rather large target.  So attacks are coming from several quarters -- it's not just VeriSign, it's the UN and WSIS who are gunning for ICANN.  In fact, there are direct links between the VeriSign suit and the WSIS/UN initiative.

Here's the connection:  by forcing registries to sign elaborately detailed contracts as a condition of entering the root, by acting as if its role in approving new registry services includes the right to tweak the implementation of those services, and by generally claiming to represent the global internet community, ICANN has made itself look like a useful lever for control.  There aren't very many levers when it comes to the internet -- there are very few chokepoints online.  So when governments are frustrated by spam and security problems, they look at ICANN and say it must be doing a bad job.  Governments also notice the control that the US Department of Commerce continues to have over ICANN and are troubled.

If ICANN stuck to its knitting and focused on its coordination role, it would present a smaller target to the litigating, globetrotting community.  ICANN should be boring.  ICANN isn't purely technical (just notice who goes to these meetings, and read the UDRP), but it should act like a standards body -- opening new TLDs, accrediting registries, and providing a forum for discussion of multilingual issues.  If it did this, no civil servant would want to be involved, and governments could more readily defer to its actions.

There are spam, security, spyware, and content problems online.  Connectivity is also a problem.  But these are not problems ICANN is equipped to solve.  I am optimistic for ICANN's future, as long as it sticks to its job.

Here is a link to the report issued today by the Council on Economic Development.  Times coverage is here.

Mainstream businesses are becoming concerned about rushing too quickly to protect intellectual property rights through legislation or rulemaking -- such as the technology mandates recently suggested by the FCC in connection with its broadcast flag rulemaking.  The report presents a centrist, "go slow" set of recommendations.