It's so bloggy to talk about blogging, but I have to say that blogging the terrific Yale cybercrime conference gave me new insights into the blogging process.

This was a truly enjoyable conference, made more so for me by the fact that I wasn't performing myself.  I had no paper to sweat over and revise at the last moment.  So, instead, I could work at absorbing what people were saying.  For me, blogging forces me to focus on the themes being brought out in real-time.  Then, when I've finished an entry, I can see it as a whole -- beginning to end, introduction to triumphant conclusion.  This not only helps me to grasp what's going on but also reveals to me what makes a presentation great.

What makes it great?  Clarity, forcefulness, meta-ness.  Many of the speakers at the Yale conference had all of these qualities.  (Michael Froomkin has these things going for him too, and I was busily blogging his talk when my right fourth finger slipped and I pressed a mysterious "backwards" function button that wiped out my entry.  Sorry, Michael.)  A beginning, a middle, and an end.  A strong voice.  Not reading from notes.  Conviction laced with a sense of humor.  Awareness of time (great speakers never run short on time).  And, most importantly, something to say that matters -- and that the speaker deeply understands. 

Sitting in the timeless classroom (literally -- Yale's Room 127 has no clocks, but does have a lot of portraits on the walls), I felt that I was contributing in some way by writing about what was going on.  I probably felt a little guilty about being there "just" as a participant rather than a speaker, but blogging gave me something to do.  (Note to self:  do not respond to IMs from two different people at the same time while attempting to record what's going on -- this happened during Zittrain's talk, and I'm sorry.  Sorry, Jon.)

So, although blogging means you DO sometimes have to say you're sorry (after all, if I'd gotten distracted while taking hand-notes no one would know), it adds a dimension to conferences that I enjoy.

Jack Balkin is up.  He presents three problems: 

first, what are the different forms of cyberprotest, and how do they relate to the freedom of speech?

second, what is the conflict between freedom of speech and other rights (let's clump those rights as "property")?

third, why is cyberprotest difficult to do?

First, point of freedom of speech is to support democracy. 

Think about different forms of cyberprotest as different forms of technologies; eg, sit-ins, hack-ins, allow small cells to do information-sharing (to get around filters), google-bombing (more). You can divide types of cyberprotest that enhance free flows of information (routing around) from those that block the flow of information.  Both types can be disruptive -- but in different ways. 

But this is a rough cut:  Although the idea of freeing information sounds "good," and the kind of thing activists would be interested in, there may be times to limit the flow (viruses, worms, child porn).  Central question is under what conditions is it a good idea to use code to free up the flow of information.

Second:  You have a factory, people organize, decide to walk out.  Is this freedom of association/speech or criminal conspiracy and destruction of expected profits.  Beginning of 20th century, walkouts are seen as destruction of property.  Then a big debate over what part of this we call speech and what part we call destruction of property.

This is the same problem we have with cyberprotest.

Three phases of protest: first, courts say this is conspiracy and destruction of profits; second, courts say this is freedom of association and speech (AFL v. Swing, eg).  Labor unions have right to organize, even if action lowers profits.  So we get to the third stage: now labor protest treated as a highly regulated subject, treated in labor law.  Completely out of the First Amendment category.

Balkin is not saying these same three stages will happen.  But boundary between speech and destruction of property is not a fixed line.  It changes over time through social movements.  So our view of what's "appropriate" for cyberprotest will inevitably change.

Back to the first rough cut: blocking v. facilitating.  That's too simple.  But there's no a priori way to divide what's cyberprotest and what's destruction.  Dead cow (Oxblood Ruffin hacktivist group) focuses on routing around, which seems appropriate to Balkin.  They also, interestingly enough, say that they don't want technologies to be used for "illegal" speech (like child porn).  But what's the baseline for determining what we think of as illegal speech?  Dead cow seems to be working with US baseline re what's "illegal".  But that choice of baseline is worth talking about.  An important question.

Third point:  what produces the development of technologies of cyberprotest.  Answer:  The Temptations.  Balkin will explain the link.

The key problem in cyberspace speech is proximity and attention.  Have to get the attention of your audience, and have to get next to them (picket around them).  Find some place where people interested in your speech will listen to you.

Balkin student wrote a paper about cyberprotest.  His conclusion was that internet didn't create spaces in proximity to other spaces.  You can move easily around, but you can't interpose yourself between audience and person you're criticizing.  Everyone is your neighbor but you can't get next to anybody. "I Can't Get Next To You, Babe" -- that's The Temptations.

Virtual worlds allow this kind of proximity.  Eg, Third Voice required that the audience join in, to get attention of people who agree with you AND disagree with you (and have no idea you exist). [what about Gator?]  Interest in 1A is also to encounter people you don't know.  Eg, parody sites!  Will take creative minds to design these spaces that will solve problem of proximity and attention.  When they arrive, let's not assume that they're destroying property, but decide whether they're promoting basic democratic values of routing around and glomming on.

Bravo! 

Jon Zittrain is up now to talk about filtering in China and circumvention of such filtering. And hacktivism.

Shows a DMCA notice received by Google for infringing search listing -- threat is that Google will be sued unless it takes result down.  Google even says that there are things you're not seeing.  So Google is cooperating in taking things away from public view (supply side filtering).

If you're China, and you want to stop your citizens from seeing things, you stop people from even seeing google.com (shows search page from Beijing University).  Shows lists posted of blocked sites.  All of MIT and Brown blocked; and all US courts.

JZ did a dialup to Beijing (from his office in Cambridge) to see what could be seen -- but that was expensive.  Then Ben Edelman and JZ asked Chinese servers what was available (eg, search results on google.com for "Tibet" -- top search results unavailable from Chinese servers).  And people out in the world found many other additional sites blocked.  Over 50K were blocked.

Doing this work is becoming more difficult.  (And empirical research is hard!)  Effort to do this entails assuming that China blocks sites for everyone (or not).  Looks as if what's going on is more subtle.  If you type political name into Google, suddenly you won't get access to Google any more. 

Evolving towards a drivers license approach - eg, junior highs do this.  Maybe countries may someday as well -- AUPs for citizen use.  We'll be taught what we should do and what we shouldn't. 

Saudi Arabia also does this -- and allows sites to be unblocked.  Gave JZ two weeks to see what's blocked.  Both SA and China block some common things (like Amnesty International).

Pennsylvania does this too.  Discusses Pappert case statute.  Order can go out to PA ISP saying don't allow Pennsylvanians to go out to particular sites.  (JZ didn't mention that CDT is leading this litigation; see ABDavidson presentation.)

JZ is tracking all of this using the OpenNet Initiative.  Accepting help.

Now:  circumvention.  OpenNet has a circumvention lab in Toronto.  Internet offers opportunity to unhook civil disobedience from wrong being attacked -- before maturation of social moment.  [distracted for a few minutes]

Quick tour of JZ efforts.  Thanks!

Lee Tien:  How does a user know when a device has been redesigned to limit what the user can do?

Deeply, this is a question about the nature of law.  We have a legal sense that appeals to a sense of legitimacy and discourse.  Where architectural regulation hides what it does, we're heading out of law and into instrumental control.  We're leaving the realm of law and any moral dimension/legitimacy issue.

Cf. seatbelt regulation.  Everyone knows about that and can see it.  But when we talk about privacy we're talking about govt attempting to change the conditions of social experience.  From a 4A standpoint the standard is reasonable expectation of privacy -- and if we have no concern about govt steps to design things, we won't know what has happened to our privacy or what is reasonable.  We won't have the opportunity to experience that privacy.  (eg, never having had doors on phone booths would have changed the Katz result).

So rearchitecting network to expose information (creating an audit trail, as Nimrod suggests) may foreclose personal experiences that might inform expectations about privacy.  Eg, zipcode plus birthdate is enough to re-identify 80-90% of data -- triangulation is very easy.  Yahoo! gets this information all the time from users.  Do I know what the invisible consequences of my actions are?  What do you need to know when you're on the internet or using DRM?  How is that that you know you're being injured in some way? 

Do users need to know design options (could it have been done differently so this wouldn't have happened)?  Without knowing the harm, how can your expectations be shaped?

When you're dealing with systems, parts of these systems are in shadow -- so we can't know how these work (eg, PCs, telephones).  Metaphor of architecture means we only perceive in bits and pieces.

Finally, in the world of enforcement -- we don't talk much about the way automated enforcement changes things.  Rules can have a normative career; enforcement of rules is an entrepreneurial event.  You make a decision, using your discretion, that has cost.  That's not the case in architectural decisions to enforce.  Additionally, architectural enforcements are private and unseen.  We can't work on the social meaning of a rule.

Excellent, thoughtful talk by Lee.

Paul Ohm gets up and confesses that his boss is John Ashcroft.  Gets a laugh (post John Podesta talk last night about Ashcroft as destroyer of civil liberties).

Technology in the courtroom:  Too much of it, and not enough of it ("hyperlinks are typically blue").

Digital evidence review:  we look at hard drives for things (what will they do when hard drives go away?).

But question is:  is the person looking at hard drive an expert?  Do we need a Daubert hearing?  Usual answer is "yes."  If we're going to have someone saying child porn is there, we need to be able to say that person was an expert.  Certification as an expert is viewed as needed. 

But it shouldn't be that everyone talking about a hard drive file has to be qualified as an expert.  Eg, if someone pulls fibers on behalf of the FBI, we don't need to say that person is an expert.  This high hurdle won't change Ohm's job -- there are plenty of resources there.  But for small-time prosecutors, it creates enormous costs.

Second:  Court opinions in the surveillance/seach and seizure field are rare.  And they describe technology clumsily.  Where statutory construction depends on this, we're in trouble.  It's not that judges can't understand technology, but analogies don't work well, and litigants don't help them, and labels for things change rapidly.  Eg, arguing to the court that "the internet is like a giant tube, and if you put too much into it it will burst" (for distributed denial of service).  Doesn't help people understand things.

And even use of "email" as a term, without further description or definition, doesn't help people much.  Over time, things change.  So we can't understand the scope of the precedent.

Eg, under Stored Communications Act, what does "electronic storage" mean? defines line between search warrants (storage) and subpoenas (if not storage).  Kozinski focused on "backup protection" element -- all email systems are in backup protection.  But what's he talking about?  POP, IMAP, webmail? entire logic turned on this distinction, but we can't tell what's going on. 

In CDA case:  Stevens says web pages "generally also contain 'links' to other documents created by that site's author"... "typically, the links are either blue or underlined text"

He gets a big laugh and applause.

One of the paper-writing winners (Nicolai Seitz) is standing up to talk about the problems of transborder enforcement of requests for information.

In 80% of all German cases, access to data located abroad is necessary for criminal investigations inolving the internet, he says.  Usually, people ask for letters rogatory, but this takes an enormous amount of time.  And evidence is often deleted.  There have been some improvements in the EU cybercrime convention, but these are inadequate often.

The solution?  Transborder search might do it.  But this might violate the international principle of territoriality.  And, such efforts might make changes on foreign soil.

He points to cybercrime convention.  Article 32(b) doesn't cover transborder search without consent (does cover search with consent).  There's a case (Ivanov-Gorhskov) that does touch on this issue, but FBI has overreached and we're worried (FBI accessed password-protected servers in Russia and downloaded evidence in form of data).  Terrorism may be seen by FBI as a good enough reason to trigger transborder searches and create admissable evidence.

This Russian case is an egregious example of overreaching by US, and we would be outraged if they did it here.  But it underscores the need for some transnational cooperation agreements about this subject.  We have no standardized international practices.  Seitz thinks foreign retrieval of not-freely-accessible data should be illegal.

Richard Clarke is the Washington personality of the week.  Marc Rotenberg testified in early December 2003 before the same Commission on a separate issue re security/privacy issues for going forward in preventing attacks. 

Four key points he made then:

1. long tradition of privacy protection for communications and records stored by governments.  Established during times when US faced nuclear weapons, unrest, assassinations -- but Congress went ahead and set them up.

2.  Sept. 11 provides major challenges, and the people involved in coordinating in govt. efforts completely changes the Terry landscape.  Checks and balances have been changed.

3.  Our understanding of privacy enhancing technologies following 9/11 has changed.  We thought there were tools that could enhance privacy -- TIA bothersome because message was that it would protect privacy, because govt surveillance under it would be less intrusive than other alternatives.

To understand this issue, three dimensions:

1.  What do we mean by privacy enhancing.

2.  What's relationship between federal govt and legal obs to safeguard privacy

3.  How does this all work in practice.

First, definitional problem.  What is a privacy enhancing technology?  Prior to 9/11, we all thought definition was an electronic world where transactions could occur that were verifiable and authenticated, but personally identifiable information wouldn't be necessary.  So these techniques would limit use of this personal information.

In the physical world, we can imagine cash, postage stamps etc. -- forms of value that allow transactions without personally identifiable information.  How translate this to the online world?  This was our core concept prior to 9/11.

No one proposed in Florida in 2000 that there should be an availability to check that vote had gone through.  Why?  Because concept of anonymity at that point, and recognition of need to sever transaction from surveillance is a core part of our democratic society.

This concept of a privacy enhancing technology was derailed by two processes:  first, in the private sector, the view that we wouldn't provide legal obligations to collection and use in the digital world.  it's just notice and choice.  So we saw P3P emerge to translate rights and obligations into a market-based transaction where anything goes. 

Post 9/11, law enforcement said we need to enable surveillance that respect privacy -- but what they meant by privacy was "within the context of a larger scheme that anticipates surveillance."  So, when a vote is cast, it becomes possible to link transaction back to the identified individual.  That's a principle without a boundary.

Rotenberg thought this idea died in the Clipper chip era.  People then said to open the door to this form of storage would create unlimited opportunities for abuse. 

Now our challenge is:  where do we stop?  If you assume all information might be useful in some investigation, where do we draw the line?

Go back to Brandeis dissent in Olmstead v. US.  What would be the appropriate 4A standard to apply to the conduct of telephone surveillance?  Was this warrant-based, or just out there in the ether?  Court said no physical entry has occurred, it's just information out there in the ether; if you are concerned, go to Congress.

Holmes dissented ("a dirty business").  Brandeis said:  look at surveillance in electronic space -- this is far more invasive than what would happen in physical space.  In electronic space, we're unbounded by space and time.  Could be lots of people talking, on many different subjects.  He argues for a higher standard of oversight, because oppty to obtain information is so vast.

When you go to wiretap statute of 1968, it's a "super warrant" when compared to what you get in physical space.  Constitutional response is based on fear that govt will overreach. 

So answer about incorporation of techniques to protect privacy post 9/11 is to keep in mind:  to the extent actors seek to comply with legal obligations and claim that they are "privacy enhancing," then technologies must incorporate auditing, transparency, all other requirements -- because of the enormous risk of government misuse.

Sonia Katyal is up, reminding us that it's important to think about the relationships among public/private law enforcement and surveillance.  Cyberspace allows us to contemplate the limits and possibilities of architecture and law.

Focusing on piracy surveillance:  monitoring users.  Convergence between modes of consumer surveillance and law enforcement -- but quite distinct from both.  An extrajudicial regime of copyright enforcement that poses serious complications for privacy, security, and anonymity.

Basic premise of the paper is an architecture of p2p transmissions.  Rise of piracy surveillance in cyberspace is attributable to this type of architecture.  In property, we have bricks for architecture; in cyberspace, architecture is permeable, allows facilitation of surveillance.  As consumer surveillance rises, we see rise of piracy surveillance.  (By piracy surveillance, she means monitoring that encompasses private notions of infringement; done privately; extralegal -- outside of ongoing litigation). 

Interesting from an IP perspective, because this kind of surveillance alters understanding of IP rights in cyberspace, by giving copyright a predatory and invasive and panoptic dimension.  Speech-based judgments as well.  Enables a copyright owner to determine whether or not an individual is engaging in fair use (and raises substantial due process concerns).

Three major forms of surveillance:  raise similar issues.  Eg, monitoring, using smart agents or bots that search for files.  Key problem raised by that is seen in Verizon case (challenge to 512(h)).  Disclosure of identity with very little real judicial oversight.

Also, problem that similar (but noninfringing) files will be caught up in this.

And how do we protect anonymous speech.

Two other forms of surveillance:  DRM collecting consumer information.  And interference (self-help).

Normative conclusions:  This modes raise complicated questions about the intersection of privacy and identity.  We shouldn't avoid enforcement, but should do it to fit freedom of speech and informational privacy.  Don't force tradeoff between privacy and protection of property.

Orin Kerr is up.  His suggestion is that computer-related crimes will end up with a different set of procedural rules -- "network" criminal procedures.  Even if crimes remain the same, they're committed in different ways.  New facts will trigger needs for new laws.

Start with physical world crime -- bank robbery.  Fred will walk in, go to teller, hands note, teller gives money, goes to car, runs away. 

Cop will show up -- what does he do? He looks for eyewitness testimony.  He also observes what the bank is like and whether there are trace materials of the crime.  He will collect physical evidence tying the crime to Fred.  Eg, the threatening note.

Fred gets out of prison, says he'll be an online bank robber.  He'll hack into the bank.  Logs onto ISP and passes through intermediaries to hide his tracks.   Sets up account, fills with money, sends money offshore.

Now you're the police officer called to investigate this crime.  You'll notice a really different crime scene.  No physical evidence, no eyewitnesses.  Just zeros and ones.  Have to trace evidence back to attacker, but can't do it in traditional ways. 

So you start from bank victim, track back through intermediaries. Hope that system admin has these records.  Trace back to Fred's ISP, and hope that ISP will help you.  But you don't have proof beyond a reasonable doubt -- you only have electronic evidence from third parties.  You have to get a search warrant and go to the target's home -- then forensically analyze Fred's computer.  Fred might keep notes ("I'm looking forward to hacking into the bank tonight.")  You seize the drive and image it, then run a string searcdh for that account number.  Takes weeks.

Different set of processes.  What does this mean for law?  Means that we need new rules to regulate these processes.  4th Amendment and 5th Amendment are tailored to the physical world.  Eg, search rules are about "the entry of the place."  Also, collecting physical evidence is about 4th Amendment seizure rules.  So how do those rules map on to facts of investigations of online crimes?

They don't map well.  You either get extraordinarily expansive rules or rules that are too narrow (where there are no real threats).  We need a relatively balanced set of rules.

Eg, if you want to get records from a third party, you have to get a subpoena.  No privacy protection there.  Traditional 4A doesn't apply to third-party stored information.  This just isn't a problem in the offline world.  So we have new facts where the information is collected and stored in a different way.  Old rule doesn't help.

Last stage -- forensics.  Bunch of interesting problems.  If you map what has to happen to 4A rules, you have big issues.  For a warrant, you have to describe things and only take that.  But in online crime, might be lots of other evidence involved.  Can't get a pinpointed warrant -- have to seize more than you have probable cause to seize.  What about making a bitstream copy?  Is that a seizure of a person's computer?  Traditionally, no -- not a seizure, just making a copy.  So govt could run off a copy and search that!  But intuitively that seems like a problem.

So what will happen in response to this problem?  We've begun to see a new field of network criminal procedure evolving.  Eg, ECPA, and 18 USC 2703, regulates process of going to third-party provider and asking for information.  So it's more than a mere a subpoena.  Statute recreates warrant requirement from the physical world.

Similarly, for forensics, courts are creating new rules to cover these last-stage searches.  So, eg., in a home, the police can't look for physical information that hasn't been described.  But electronically there's no restriction.  So courts have changed rule that governs whether intent matters when you're searching a computer.  Outside scope of warrant/inside distinction doesn't matter.  Subjective intent, though, does matter.  We'll ask agent "what were you thinking when you accessed this file."  Courts are responding to changed set of facts by looking at intent. 

We'll see more and more computer-specific set of rules.  A new body of law to study.

Great presentation.  Good work, Orin!

Beryl Howell, formerly counsel to the Senate Judiciary Committee, is up talking about real-world problems caused by crimes on digital networks.  Moral for all three stories:  specific laws directed to specific problems are very important.  So we need to keep updating these laws to fix mistakes and keep up with changes in technology.

First -- leak of many staffers' memos.  Two Republican staffers had taken thousands of documents and zipped them up with passwords.  Taken from common server.  No staffers were supposed to look at other staffers' memos, but permissions were set incorrectly and the files were wide open.  Appalling breach of custom.  Was a crime committed under the CFAA?  Or just an immoral action?  What does "authorized access" mean?

"Authorized access" was intended to be a case-by-case inquiry.  [note that civil liability requires damage as well, so a higher standard than the criminal part.]  Seems to be "you know it when you see it."

Second case:  FBI agents arrive at a suburban house, say computer being used to distribute child porn.  Teenager there had downloaded Kazaa, downloaded files that contained child porn, then had become a supernode, being used as a pointer.  Teenager had enough files for a felony.  Had he been emailing images to his friends? going to specific sites and downloading them beyond Kazaa?  Son said he wasn't aware of anything.  Child porn is strict liability; hard to do forensic exams because examiners don't want to be in possession of it either.  Happy ending:  prosecutor declined to prosecute.  But signals that technology can take you over a line.  Is the user at fault, or the technology?

Third case:  Company target of embarrassing emails with sexually explicit attachments (sexually explicit patents) sent on their behalf; clients took business elsewhere.  Company seemed incapable of stopping it.  Insecure wifi points and student internet accounts used to send these messages; couldn't track spoofer down.  Howell's company did an investigation.  Complaining emails about these attachments were also spoofed (from "wounded grizzly").  Started talking to wounded grizzly; got an extortion demand for 17million.  Suspect surveilled; able to pinpoint him as spoofer.  Arrested him two weeks ago; found ricin and guns in his house.  Threats you think you're aware of are just the tip of the iceberg.

So we have a problem: limits of CFAA.  Couldn't go after "wounded grizzly" because act unclear; stymied legitimate self-help efforts.

Alan Davidson from CDT is up.  Why does criminal law only seem to expand?  Does it ever go the other direction?  "how many laws have you broken today?"  There's a disconnect between social norms and the laws we have on the books.  Why can't we allow rulesets to evolve -- and why can't we have different views about what's wrong online v. what's wrong offline?  A lot of policy FUD here.  Will rote application of offline law lead to unintended consequences.

Three quick examples:  the case of the nation of felons.  How do we think about criminal copyright?  Has changed dramatically in the last ten years?  We've have criminal copyright for a long time on the books.  Was a misdemeanor for a long time.  With 1997 NET act, we got rid of "commercial profit" requirement; instead said if you distribute works of greater than X value over Y days, you're guilty.

And in 1998, DMCA creates new crimes for circumvention and removal of information.

So we're responding to a felt need to protect material, but what's wrong with this picture?  Millions of people regularly violate this law.  And this is likely to get worse.  Expectations offline (first sale, fair use) drive us to use works online.  Technology that precludes these kinds of uses will be counter-intuitive for a lot of people.  Seems odd from morality perspective -- "criminal" activities may not be felt as wrong.  And from deterrence/utilitarian perspective; these laws aren't having a large effect.  What does it mean for the rule of law if millions of people routinely ignore it?

Two approaches:  House Judiciary committee; maybe problem is that it's too hard to bring these cases (so eliminate wilfulness, make a single copy made a available on a P2P network trigger wilfulness).  Second, give govt civil enforcement powers here.  This seems to resonate with online social norm.  A speeding ticket and not a felony.  We may be overreaching in our expansion of criminal law.

Second:  case of culpable carrier.  Creating criminal liability for ISPs.  Challenge in Pappert case:  DA can get ex parte order from judge based on showing that child porn is there; gets order saying "you must block material from this source."  Make sure they can't see this web site.  Couple things wrong with that.  ISPs block bluntly -- by blocking IP address.  This blocks all other things hosted there.  We discovered over a million blocked based on 500 blocking orders coming out of PA.  Well-intentioned law leads to incredible overbreadth.  Trend is to look to ISPs to hold liable.  Begins to jeopardize end-to-end model.

Third case:  case of the aborted Koogle family vacation to France.  Tim Koogle subject of criminal action in France based on larger Yahoo! case.  So he can't go there.  This was ultimately resolved just last year when charge dismissed [is that true?], but leaves open question about how to deal with criminal laws.  US govt will certainly do this (eg, Elcomsoft).  Calls into question relationship between individuals and govt. 

In DC, legislators only expand laws -- don't contract them. 

Five modest suggestions:

1. go slow re cybercrimes

2. revise defs of crimes and access

3. prefer civil enforcement (things less harmful in the online context)

4. issues of international prosecution

5.  tie to social norms more carefully

this was the best presentation on this panel.  Very substantive and thoughtful -- great job, Alan.

I'm delighted to say that I've been added to the roster of Fellows of The Information Society Project at Yale Law School. This means more trips to New Haven ("The Hub"), and, with luck, some engaging meetings in New York. Thanks.

I'm here in Room 127 of the Yale Law School for a cybercrime conference.  So far, we had an excellent keynote from Dan Geer, and Tony Rutkowski (VP of Regulatory Affairs at VeriSign) is getting up to talk now.

But I'm distracted by a conversation I had with someone before the meeting began.  He said that this whole game of ICANN and VOIP and lots of other worries is essentially over -- FCC plans to assert jurisdiction over the DNS as an IP-enabled service (and assert jurisdiction over email and any other application that uses IP).  He pointed to an FCC NPRM (MC 04-36) in support of this assertion.  He also said that the EC has issued a similar notice.  These notices point to a limited set of obligations for providers.  Game over, in this individual's view.

Back to Tony.  He's pointing to the fact that there are very few content intercepts in the real world.  Most requests are made for subscriber information.  Law enforcement access is essential, and all we're talking about is what costs will be paid by whom.  Anonymity is over.  Key developments are happening in the private sector.  In the public sector, we're talking about the cybercrime treaty (probably will come into effect this year), the UK data retention code, and the FCC CALEA proceeding.  Europe cares only about data retention; they're way past CALEA.

He says re CALEA proceeding: 

Coverage:  Nothing really new here (real time access to data is a fact of life under state and federal law); we're just shifting costs to providers.  And need capabilities in place in order to do this stuff.  Law enforcement has a critical need for access in today's nomadic architecture environment.  He says this is innovative.

Compliance:  Creative, more flexible, adopts 15 month benchmark approach to enforcement.

Costs:  Pass on implementation costs to subscribers; transparency is good; service bureaus make the costs minor; parity with other regulatory mandates (E911, Universal Service); costs are trivial compared to stored data production via subpoenas. (that's an interesting point, if true, and Tony seems to know what he's talking about.)

More when the next panel comes up.

Paul Marino is going to help me pull together some surprising Machinima materials to show the Copyright Office.  This will help me pose questions to the group -- like who owns what and why, and what if another avatar wanders by?  Thanks to Ernest Miller for the suggestion.

I just watched another Red vs. Blue movie, and I'll need Paul's help making a zippy demo out of this.  All ideas welcome.

Next Thursday, I'm giving a lunchtime talk to the Copyright Office (part of a program called The Copyright Office Comes To New York).  Send me your suggestions.  This is my chance to say something sensible.

I thought I'd talk about the feeling of being in Canada in June 2003, during an otherwise uneventful ICANN meeting, when Lawrence v. Texas came down.  The Canadians were feeling awfully smug and superior.  They didn't have to tussle with any ridiculous anti-sodomy laws.  They had even worked peacefully through the issue of same-sex marriage.  They were waaay ahead of us, and surprised at our lame approach to these issues.

I'd mention with sadness the prospect of more election-year debate over same-sex marriage.  (Fighting over who gets to marry whom seems completely pointless to me, and I'm embarrassed that those who govern us are even worried about it.) 

Then I'd talk about the recent Canadian copyright decision to which Michael Geist has pointed us.  Once again, our friendly neighbors to the north seem to be waaay ahead of us.  According to Michael, the Court concluded that the Canadian analogue to the fair use affirmative defense "should be granted a large and liberal interpretation."  Indeed, Michael points out that the court shaped this "exception" to copyright infringement (in our parlance, this defense) as new copyright rights for users.  Users' rights.  Those Canadians have the idea that these rights need to be balanced against the rights of copyright holders. They also think that it's appropriate for manufacturers to presume that their machines will be used for lawful purposes -- and they seem to think that copying for personal purposes is different and special.  Hmmm.

Then I'd talk about some of the more outrageous elements of the broadcast flag proceeding (continued studio role as gatekeepers) and what's coming up next via the analog hole funnel (lingering on nomenclature here).

So:  don't blame Canada, blame us if we can't get this right; don't press for more laws or tech mandates at the moment; keep the FCC out of copyright policy; let Congress decide the difficult questions of secondary copyright liability.  Congress has been decidedly not technology neutral when it comes to the internet (section 230 comes to mind).  We should want to avoid another Lawrence v. Texas moment 15 years from now -- when we come to our senses after a great deal of wasted time.

Look forward to your comments.

The New England Spring Flower Show is on right now in an enormous hall near the JFK Library.  It doesn't have much to do with copyright, but it has a lot to do with spring.  They've created warmth and color (deep oranges, bright blues) by forcing flowers to bloom and then bringing crowds by to admire them.  I'm not a gardener, but I'm related to generations of gardeners, and I have respect for the enterprise.

The kind of gardening that takes place at the Spring Flower Show is carefully planned and executed.  It's a celebration of control; the plants are spaced beautifully and placed against each other so as to show up well; silvers and blues, rough and smooth.  It isn't spring -- not yet -- and many of the blooms don't belong together because (the gardeners tell me) they'd never be present at the same time in the real world.  But they're all there in the convention hall, blooming bravely under bright white lights.    

The moss is dying right and left, and many of the flowers are starting to look tired -- I guess it's a strain, being forced to bloom. 

If you think about it, it's what will happen in the minds of the gardeners that's really interesting; they'll bring ideas home and try them in their own back yards.  Notes were being taken; advice was being sought.  There is beauty made possible by the control in the convention hall, and a great deal of work has gone into making those exhibits possible.  But the show gardens, although ordered, can't be owned.  No one seemed too worried when pictures were taken of their model gardens by amateurs.

It's good to get away from ownership once in a while.  We so easily go too far.

So (as they say in cybercircles) I've been working on some new ideas.  The Cigarettes and Copyrights article is gaining flesh ("don't let the broadcast flag go through, because the FCC has exceeded its jurisdiction and is making copyright policy").  Now I'm working on a new project.

The main idea here is that we take lazy shortcuts in reifying information.  We use property concepts ("trespass to chattels") in talking about automatic searching of information that will do nothing other than lower costs.  We confuse objects with information when we talk about whether people have rights to access content stored in a particular format ("you can watch that DVD and take notes; you don't have a right to manipulate that content when it's in DVD form").  Software is a hard case, and sometimes it's not clear whether it is speech (bits) or action (atoms). 

But these lazy shortcuts are ultimately quite destructive.  After all, law is about people.  Law is supposed to serve people.  So we should serve core human values in developing legal frameworks.  People progress through acquiring (participating in, creating) metainformational depth.  That's what maturing and learning is; that's what a cultural conversation is. 

What's interesting and different about information (as opposed to clods of dirt) is that it interacts and amplifies in ways that dirt doesn't.  It's not just that information isn't scarce -- although that's a difference too.  That difference isn't as fundamental, though.  It's that information isn't conserved and interacts with other information in ways that create (taa-dah) metainformational depth.  Dirt can't do this.

So, any time we unnecessarily reify information, or drag in bodies of assumptions that are based on objects, we're cutting ourselves off from basic human interests in metainformational interesting-ness.  We don't even know what we're missing.  But it's very likely that more complex and interesting clumping is being truncated.  Without that clumping, we can't learn. 

We need to have different (more sensitive, more freeing) regimes for information than we do for real property, and we need to be careful about lazy theoretical shortcuts that don't do us any favors.  Pieces of dirt can't talk, so they're fine under real property law.  But as humans we need to be careful not to cut off our own conversations.

Just a quick link to an International Herald Tribune article about the ICANN meetings last week.

And a link to the PFIR request for an "internet meltdown" conference ASAP.

These two articles connect, of course.  ICANN is under attack, but that doesn't mean the internet is melting down.  ICANN has nothing to do with spam, spyware, security, or content.  All of those issues can and should be addressed by better tools that users can understand.

We're getting close to the end of the public forum section of the ICANN Rome meetings.  Two big pieces of news here tie together.

First, the ccNSO has been formed.  It's true that it could use more members from around the world, and it's true that the ccTLD constituency still meets separately from the ccNSO.  (This is inside baseball - stay with me.)  But what's important here is that ICANN has been encouraged to recognize that the country code domains are capable of making their own policies and do not need to be put under centralized control.  Most decisions affecting the country codes should be (and will be) left to local initiatives.  The ICANN Board clearly does not need to be involved. 

The next step will be to allow the ccTLDs to have more say over the IANA function (the part of this operation that changes nameserver information for TLDs) -- it's my understanding that IANA won't say what staff does what, how long requests take on average to be implemented, or how much it costs to perform its job.  But that's for later.

The second key piece of data here is that Bruce Tonkin gave a terrific presentation about the need for standardized processes (written dockets, timelines) when considering registry/registrar requests for contractual amendments.  Now, one response to such a request could be the ICANN Board just saying "Yes."  But the Board is under worldwide scrutiny, and Bruce's point is that ad hockery has not served the Board (or ICANN) well. 

The relationship between these two topics is:  ICANN is trying to clarify its place in the world (eg, not making local rules for registries) and professionalize its relationship with the contracts it has signed.  These are both good steps, and they'll help ICANN survive. 

I am at the ICANN meeting in Rome.  The big story here is that ICANN is under attack for not sticking to its narrow mission -- technical coordination of the DNS and IP numbering system.  People here are referring obliquely to the VeriSign lawsuit as "recent events" (as in "in light of recent events").  This euphemism reminds me of words used to reference the US Civil War ("the late unpleasantness").

The lawsuit will force a fundamental reexamination of ICANN's role in the world.  It will, I hope, provide some needed clarity for the businesses that are involved in the domain name system.  ICANN will survive this unpleasantness -- in fact, it is likely that ICANN will come out the better for it.

By acting as if it is indeed a regulator of the internet, ICANN has made itself into a rather large target.  So attacks are coming from several quarters -- it's not just VeriSign, it's the UN and WSIS who are gunning for ICANN.  In fact, there are direct links between the VeriSign suit and the WSIS/UN initiative.

Here's the connection:  by forcing registries to sign elaborately detailed contracts as a condition of entering the root, by acting as if its role in approving new registry services includes the right to tweak the implementation of those services, and by generally claiming to represent the global internet community, ICANN has made itself look like a useful lever for control.  There aren't very many levers when it comes to the internet -- there are very few chokepoints online.  So when governments are frustrated by spam and security problems, they look at ICANN and say it must be doing a bad job.  Governments also notice the control that the US Department of Commerce continues to have over ICANN and are troubled.

If ICANN stuck to its knitting and focused on its coordination role, it would present a smaller target to the litigating, globetrotting community.  ICANN should be boring.  ICANN isn't purely technical (just notice who goes to these meetings, and read the UDRP), but it should act like a standards body -- opening new TLDs, accrediting registries, and providing a forum for discussion of multilingual issues.  If it did this, no civil servant would want to be involved, and governments could more readily defer to its actions.

There are spam, security, spyware, and content problems online.  Connectivity is also a problem.  But these are not problems ICANN is equipped to solve.  I am optimistic for ICANN's future, as long as it sticks to its job.

Here is a link to the report issued today by the Council on Economic Development.  Times coverage is here.

Mainstream businesses are becoming concerned about rushing too quickly to protect intellectual property rights through legislation or rulemaking -- such as the technology mandates recently suggested by the FCC in connection with its broadcast flag rulemaking.  The report presents a centrist, "go slow" set of recommendations.

Leonard Slatkin did a great thing last night:  he made an entire hall of jaded, sophisticated concertgoers (bathing in the cream bath that is Carnegie Hall) really listen to Beethoven's 9th.  And it's all related to the current battle between innovation and intellectual property overreaching.

Slatkin turned around and talked to the hall about Mahler's re-orchestration of this symphony.  He pointed out that Beethoven died sixty years before Mahler's prime as a great opera conductor and composer, and that during those sixty years a lot changed:  orchestras got bigger, halls got bigger, and instruments evolved.  Notes that a flute couldn't play in B's time became accessible.  (There are still notes that the sopranos in the Kennedy Center chorus couldn't reach last night, but let's be charitable: pitch has gone up an awful lot since B's time, and human vocal cords haven't changed that much.)

Mahler, as a guy with dramatic flair and an urge to actually hear the melodies of the piece, liberally redrafted the orchestration of the 9th.  He used massed winds to emphasize points.  He changed dynamics and articulations.  He had the entire wind section raise their bells (a very Mahlerian move) to play what had been a lone piccolo's trill near the end of the last movement.  He marked up the famous recitative so it would sound meaningful instead of plodding.  Slatkin illustrated this for us, using the orchestra to provide musical examples.  Slatkin pointed out that lots of conductors had done similar things to the 9th -- the Szell 9th, the Toscanini 9th, the Walter 9th. 

He ended by saying that during the last 25 years or so we've adopted this prayerful, pure (my words, not his) approach to "classical" music.  We see and hear these works as unchanging and unchangeable.  But that's not what they are -- they're not frozen in amber, they're not things we're supposed to respect in the abstract.  They change with the times.

Some people near me arrived after this portion of the concert, before the NSO actually played the symphony all the way through.  When I told them about what they'd missed, one woman said: "Oh, well, I'm very familiar with the piece," as if she couldn't imagine that it might change.  And then she told her husband that the symphony was 70 minutes long.  Wellll, maybe it is and maybe it isn't! It depends what's being done to it.

Maybe (here's the tie-in to innovation and intellectual property) we're in an era in which we're beginning numbly to accept that "content" is just provided to us.  It's an atom, a thing that floats in space, unchanging.  We can hear or see it, as part of a mass content-absorption experience, but we are at a distance from it. 

But musical experiences are informational.  They're made of bits, not of atoms.  They should happen anew every single time, if things are going well.  Music isn't wallpaper, and you don't "acquire" concerts.  You experience them. 

Anyway, the performance was stunningly beautiful, full-hearted, and novel.  Maybe that's just me.  I thought it was. 

And I did get the sense that everyone in the hall who had been there for Slatkin's talk was listening intently with new ears. 

The truly talented Paul Marino came to talk this afternoon about Machinima, and I'm looking for volunteers to help me with "Property Law: The Video Game."  Seriously, folks, this is big.

Paul (and many others) are working on and using tools that make film-making within a real-time 3D environment easy for the rest of us.  They're using game engines (like Quake) as a way to produce movies.  This all started with teenagers recording what they themselves were doing in the game -- so they could show their friends -- and has amplified into a new way to make animated movies with a real director's touch. 

Paul (who is writing a book that will be coming out soon) says that Machinima was coined in Scotland and means "machine cinema."  At this point, people are deep into building post-production tools that provide all kinds of control.  There are some breathtaking films on this site.  Watch the one with the flower.

Basically, the Machinima tools take a game environment (many different game environments) as a given, and allow directors to choose camera angles, lay down "tracks" of different characters (so they appear to interact), add music -- you name it.  Game developers have mostly been quite receptive to Machinima, because it provides another channel for their engines.  So far, the licensing part of all this is a little ad hoc, but will likely become more standard in time.  This may be the way the next blockbuster animated film gets made.

Paul pointed us towards Red v. Blue, a group in Austin that's making very funny films using Halo.  Guys just talking and standing around in a multiplayer game, talking about standing around.  Take my word for it -- it's funny.

You can imagine all the gamer sorts of things that can happen in these films -- characters gathering together to be directed (people playing characters who are playing actors), avatars wandering on to the set, killing/maiming (but not really in what Paul showed us)..

He showed us some very realistic character work for which the interface for human directors would be sliders.  Raise a slider, raise an eyebrow!  And if you have a .wav file of someone speaking, that will drive the character's speech.  Really neat (words fail me at this point).

If you join the Machinima Academy, you can get a tool that allows creation of these things for a modest yearly fee.  As long as you don't make commercial films.  Paul did a demo for us in about 3 minutes -- very impressive.

So the law professors started asking questions:

can we load documents in and make this a course?

can we modify the environments?

can we use this to stage reenactments of accidents?

Paul pointed us to Adobe Atmosphere, a virtual world tool that allows for documents to be involved.  I'm most interested in the course applications.  What if you walked into a property course, and it was a game like one of these films?  (This is a lot of work for the professor.) 

But it might just be the future.

Part of the premise of the accountable net is that each individual will be setting up his/her own set of rules for who they connect to (this is a who rather than a what question -- trustworthy sources of bits).  We're still working on the paper, so there's nothing to blog yet, but the roadshow has been quite constructive. 

At the Berkman Center last week, we heard from several people who are concerned about making any changes at the ISP level.  The worry is that packets won't be guaranteed to get anywhere unless they find a route through congenial ISPs.  If any ISP can block anything, the reasoning goes, we'll end up with a net that doesn't actually interconnect.  No quality of service guarantees.

The response to this is that ISPs, to be valuable, will want to connect to networks that make adequate security guarantees (and enforce them).  So interconnection will be desirable and growing.  Backbones will want to make the same deals.

It's at the individual level that things get most interesting.  Let's assume that we flip the default setting and connect only to those we actually trust (or who are recommended to us).  In a sense, we will have set up an individual set of "laws" for online interactions.  We could even draw a picture of these laws so that we'd understand them for ourselves in a continuously updated way.  If we're not up to doing this for ourselves, we could go to vendors of rules and get the package that made sense.

Now, if laws can be bought and sold in this fashion, what does that mean for our respect for and understanding of "real" law?  If "real" law only governs atoms, is it more or less meaningful to us?  It may be that we end up with two complementary systems, with overlaps.  After all, the sovereign who has power over us, physically, could try to mandate particular sets of default rules -- a tricky task to enforce.  Things will be moving too quickly for the sovereign to keep up with our filters and connections.

But a new question does arise -- what happens to respect for "real" law when another system of rules exists that has legal effect in the online world?

Two recent (or upcoming) ICANN moments should cause concern. 

First, the sTLD beauty contest.  The application requirements for these sTLDs make it seem as if registries are applying for venture funding rather than a string.  Take a look, particularly at the financial and business plan requirements.  Headcounts down to the mailroom.  Travel plans.  It's as if ICANN has hired an investment banker to look into these plans.  ICANN has no special competency in any of these areas, and it would make much more sense -- and fit ICANN's limited role so much better -- if ICANN had a neutral third party develop minimum technical/financial standards.  ICANN could then then roll TLDs (not sponsored, not unsponsored, just TLDs) out as applications came in and were approved. 

Second, the suggestion that ICANN needs a Policy Development Process about changes to the "architecture and operations" (or "services and actions" -- pick your broad description) of a registry.  Although the staff says (and I believe them) that all they're doing is trying to develop a coherent process for responding to registry requests to amend their contracts, it's very clear that other constituencies view this PDP as an opportunity to ensure that no registry does anything without their permission.  This has gone far out of scope and needs to be hauled back.  Yes, we need a docket for the process and substance of actions ICANN is taking -- but we don't need one or another constituency blocking registry services for idiosyncratic reasons. 

The idea is that registries are free to innovate unless there is a consensus policy in existence to the contrary.  This PDP should not be viewed as changing that default setting, which is set forth in each of the contracts ICANN has signed with gTLDs.  Nor should the sTLD process be looked on as a model for future TLD activities.  It's time to move on to an ICANN that is more clearly in the business of technical coordination.

The MPAA comments in the broadcast flag proceeding are worth reading.

At p.9, the MPAA asserts that "the focus of attention on unauthorized redistribution should be on whether a proposed technology affirmatively and reasonably constrains unauthorized distribution beyond the local environment. . . " What the MPAA means by this is that it believes no content protection technology that allows transmission of content online could ever be added to Table A.

What does that mean in humanspeak?  Well, it means that if you're using a "compliant" TV and you see a news clip that you'd like to send to your parents (who, let's assume, don't live with you), you won't be able to.  Nope, not unless you find a way to make a hard copy and mail it to them in a box (and they have a compliant device in their home that they understand and can use to play the recording).  Sounds cumbersome, doesn't it?  Sort of puts things in a box. 

Focusing on a "tightly defined geographic area" for redistribution allowed by content protection technologies seems odd in the age of the internet.  But even stranger is the MPAA's contention that software demodulators (code that "tunes" TV signals so that people can see them) must be covered by the flag rule.  So this means that the FCC is now in the business of assuring the "compliance" and "robustness" of code.  Software demodulators, the MPAA claims, can only be sold on the market if they are incorporated in a compliant "Demodulation Product."  Again, the box:  software "tuners" will have to be sold in a box with approved hardware in order to be legal. And won't be available, separately, for use in PCs (unless the digital outputs of those PCs are adequately robust and protected).

This is shaping up to be quite a battle.  Stay tuned (but don't use software to do so).

It would be good to get mainstream computer enthusiasts interested in this proceeding.  What's the best way to do that?

There's reputable work going on with human cloning. A group of South Korean scientists has figured out how to clone a human embryo.

Immediately, we're into the circle of ethical handwringing that is familiar to us all. But a new intersection struck me as I listened to the stories on the radio.

There's a sense that we want to hold technology back, to prohibit certain kinds of copying that some view as immoral. I have a strong view on this when it comes to humans: so much about a pre-wired person is shaped by their environment that a clone could turn out entirely differently than its original. I refuse to worry about cloning, and I think the importance of creating useful stem cells far outweighs any concerns about creating embryo copies that are "human" in some sense.

Similarly, the copyright debate (particularly in the broadcast flag setting) is often focused on limiting technology so as to prohibit certain kinds of copying that some view as immoral.

I'm going to make a provocative suggestion:  Although it is true that too much copying produces cancer (or destructive infringement), the machines that make copying possible don't have moral content.  So there is no reason to punish copying machines when they do their job -- either when copying  embryos or content. 

Additionally, the act of copying is purely informational.  Too much of it, or too much public distribution of it, can be considered wrongful (cancerous or infringing), but small amounts of copying for personal purposes don't meet this test.

Don't punish technology.  Punish people who copy too much.  (And let stem cell research flourish.)

A good property/cyberlaw connection for this week.  Courts often strongly discourage self-help in landlord-tenant disputes because of the risk of violence, even when the landlord and tenant have agreed in a lease that the landlord may retake if there's a breach of the lease conditions.  (Tomorrow's case:  Berg v. Wiley.) 

We just don't like vigilantes.  And we point to things like eviction summary proceedings as the place landlords should go.

In the copyright context, though, we're encouraging self-help by content owners by saying that technical copy protections are in effect the law of the land.  We say that it's too cumbersome to go to court and fight about each individual infringement.  Instead, just fix it through technology.  (Looking around, I find that Julie Cohen figured this out a while ago.  Maybe I can provide a different spin.)

In the broadcast flag setting, we've gone even further.  Not only are we saying that technical copy protection is the law of the land, but the FCC has attempted to claim that the flag has nothing to do with copyright.  So there's no chance that anyone could say "wait a minute, go to court before you say I'm infringing, don't prompt violence through self-help."  It's not about copyright.  It's about I Love Lucy.  It's about the American Way.  It's completely unconnected from legal liability rules.  "We have to use self-help," say the studios, "because otherwise broadcast television as we know it will cease to exist."

There's no contract in place between broadcasters and the public, as there was in the Berg case (a lease that had pretty clearly been breached).  There's no claim that copyrights are being infringed by non-compliant demodulators (because the FCC's jurisdiction would be weakened).  But self-help is being written into regulations nonetheless.  

Surely that's doubly wrong.  Self help is wrong in the first place (as the Berg court reminds us), but self help that claims no legal background for justification must be really wrong. 

I've been thinking about how to present a suite of offerings to law students -- a basic cyberlaw course, a seminar for case studies, a group of people working on papers -- and I think something that's missing is actual technical expertise (both in me and in many students).  We have long textual introductions in articles that explain, over and over again, how the DNS works, for example.  Surely it's time to standardize and expect that that knowledge as well as more sophisticated understanding.

So I think I'm going to suggest a technology course (or set of course-lets) to run alongside the basic cyberlaw course.  The technology course would be pass/fail, so as to eliminate anxiety.  It might consist of a few long sessions, or one short session a week.  I've seen a sample tutorial that is given at Harvard, and I thought it was great.  I'd like to have someone do something like that at Cardozo.

The comments I got on "what is cyberlaw" were extremely helpful, and I'm going to adopt a more modular, case-studies approach next year.  This is another authentic plea for commentary:

What should law students (or business students, or any graduate student in a relevant field) know about the internet, networks generally, or the personal computer?  How is this best taught? 

Last night, John Palfrey, David Johnson, and I gave the first roadshow presentation of the Accountable Net, a paper that we're working on. We talked to a group of Yale and Harvard cyberscholars. 

David led off, summarizing the paper wisely; John cleaned up, sagely noting what points we weren't taking on (e.g., the longtime discussions about whether the internet can be governed at all); and in between I said some things about the strengths and weaknesses of the paper.  A very intense discussion ensued.  All involved were brilliant and insightful.

It's too early to talk about the paper in any specific way on this blog -- the three of us are still thinking through what its scope will be, and we go up and down in our various assessments of its possible impact. 

But it's not too early to talk about whom to trust.  From my perspective, choices of private labeling/filtering systems, choices of private DRM, choices of platforms, choices of private content -- all of this is good.  I assume that competition will produce lots of choices for the future of communication online.  I refuse to be worried about allowing private firms to make these kinds of decisions for us if we're too technically incompetent to make them for ourselves.

(Note yesterday's NYT front-page story about how incompetent people are at arranging for their own online security, and how important it is that they learn about this; note that Cardozo's own Zach Rubenstein made a point of talking about how idiotic law professors are in particular on this subject.  But I digress.)

I also think that we're at a crucial moment of growing knowledge and understanding of individual power to form communities online.  Social software, brutal and blunt though it is right now, is taking off.  We're all linking wildly.  We're learning how to include as well as exclude.  We will someday have much more nuanced understandings of our own online networks, and we'll be accountable to each other as individuals for what we send and receive.

So I trust private firms, and I trust individuals, to come up with a scenario that is a viable alternative to some sort of locked-down, government-controlled future internet.  That alternative may be more filtered and more limited than the internet we have today, but it's better than the vision that the copyright industry and the Department of Homeland Security have of online life.

But I heard last night from several people who are not as optimistic about human nature and who do not want to privilege private firms (of any size or description) in providing forms of "governance" through linking/filtering tools.  There's a sharp split between those who trust governments and those who cannot imagine trusting governments (much less groups of governments) in the creation of rules about non-physical-harm-causing bits.  There's a deep divide between the common-carrier, we're-all-in-this-together-and-it's-got-to-be-fixed view of the internet and the let's-fix-it-ourselves view.

Yes, this is a simple and obvious set of points.  But it may be that we're not as distant from the "can it be governed at all" set of arguments as we'd like to be.  We'd like to say, "oh, that's SO late 1996," but in fact we haven't progressed very far.  Some people think: governments have a role when it comes to atoms, and have physical power over ISPs in their countries, but most online problems aren't easily addressable in any mass way (much less fixable) by courts and legislators.  Other people think:  nothing much has changed here, of course governments should be fixing spam and content issues and everything else under the sun, bring in more treaties right away.

And the two camps aren't drawing more closely together -- at least not yet. 

Tomorrow morning, at 10 am in 2141 Rayburn, the Subcommittee on Courts, the Internet, and Intellectual Property is holding a hearing on "Internet Domain Name Fraud -- New Criminal and Civil Enforcement Tools."  At that hearing, the Subcommittee will be considering a new Whois bill creating new penalties for people who provide false data when registering a domain name.

We need to raise our collective eyebrows at this bill (which was suddenly dropped the evening before this hearing).  The title of the bill is the "Fraudulent Online Identity Sanctions Act." (FOISA)

First of all, it includes in the category of "willful" trademark infringements those of a "violator. . [who] knowingly provided material and misleading false contact information to a domain name registrar. . ."  This is significant, because monetary damages for trademark infringement can be increased up to three times if the infringement is willful -- and usually "willful" is a question left up to a judge.  It's also significant that there doesn't appear to be a necessary connection between what the violator has done and the whois data issue. 

Secondly, the bill amends the Copyright Act by adding to the "willful" language for damages in that Act the idea that an infringement shall be considered to be willful where "the court finds that the infringer. . . knowingly provided material and misleading false contact information to a domain name registrar."  Again, this is significant because willful copyright infringement can mean increased statutory damages awards of as much as $150,000.  And the bill ties this amendment to cases of "infringement occuring at or in connection with an online location" -- clearly broad language intended to get at P2P file trading.  Again, usually courts decide "willfulness" on a case-by-case basis.

This is like sentencing guidelines for intellectual property law.

And, in fact, it is.

The final section of the bill adds a sentencing mandate for "falsification relating to domain names in connection with offenses."  Maximum penalty:  increased by 7 years if, "in furtherance of that offense," the defendant provided material and misleading false contact information to a registrar.

This is outrageous, and here's why.  As a matter of ICANN policy, domain name registrants in gTLDs under contract with ICANN (with certain limited exceptions) are required to provide, and registrars are required to publish online, data about themselves -- including phone numbers and email addresses for technical contacts.  The vast majority of registrants in gTLDs are small businesses and individuals.  Small businesses and individuals worry about privacy and spam, and it is well-known that WHOIS information is regularly mined by spammers. 

It is already unfair to force registrants to provide all this data, and as a result many registrants do lie.  IP interests view the WHOIS database (an artifact of a gentler, academic age, and not mandated by any law) as their special red telephone information mother lode.  So they want to ensure its accuracy by mandating hugely enhanced damages if someone fails to tell the truth.  Law enforcement also has this interest.

There are ways to help both IP interests and law enforcement to data by providing special access to approved entities.  But it won't be accurate.  It costs far too much money for registrars to verify this data, and individuals will, predictably, continue to lie.

As Officer Short Shrift says in the Phantom Tollbooth, we're all guilty, guilty, guilty, and should be sent away for six million years.

From "Music, the Brain, and Ecstasy":

"[Composers] who lose their youthful rebelliousness are in grave danger of losing their talent as well.  Such was the destiny of Mendelssohn and Saint-Saens.  After a youth brimming in confidence and daring, Mendelssohn essentially worked himself to death in academic life, all the while becoming more and more conservative in his outlook and more and more detail-oriented in his composing -- a perfectionism he described late in life as his 'dread disease.'  Saint-Saens suffered a worse fate, becoming so reactionary late in life that he schemed to quash the careers of youthful free spirits like Debussy.  He once wrote in regret, 'I ran after the chimera of purity of style and perfection of form.'  The innovative Berlioz, who knew Saint-Saens as a glittering prodigy, was less charitable:  'He knows everything but lacks inexperience.'"

In our musings about the accountable net meme/essay/road show, I and my co-authors have thought that a positive view of accountability (friends pointing friends to great content) might be a breakthrough.  Rather than just shielding ourselves from spam/spyware/security problems by only accepting bits from sources we can verify (something that technology is now making possible), we could also be pointed by our friends to great, worthwhile stuff.  Like blogs, but bigger.

The problem is, as Cory Doctorow reminded us three years ago, that people are lazy, people lie, it's hard to describe things, and no schemes are neutral.  So it might be difficult to rely only on the individual choices of content of people/ISPs you trust to get you to things you want to see. 

Of course, Doctorow's comment was about metadata.  And it might be that you could create an aggregated set of links that was really the collection of useful stuff that people you trust had decided to link to -- rather than stuff that had been described in some consistent way.

But people are still lazy, and they still do lie, and it's hard to get them to join block associations.  Some people join, sure, but not everyone.  Is it too optimistic to hope that virtual block associations will arise to point us to worthwhile material, while protecting us from destructive bits?  Maybe.  And our machines are increasingly dark to us -- incomprehensible boxes that swallow useful text without warning.  (For a different view of computers, read Dream Machine by Waldrop.  I just tried to link to it and lost this post, twice, so you're on your own in finding it.)

Anyway, the question is whether the accountable net can also be the pathway to everything useful and worthwhile online, and if this new net, built by us, can avoid the problems that make governments want to regulate.  Stay tuned -- road show begins this week.

The FTC yesterday issued its proposed rule on email that contains "sexually oriented material."  The complexity of the scheme is mind-boggling, and I'm not sure how an emailer would know that his/her/its message is subject to the rule.

Stay with me here.  As USA TODAY reports,

Unsolicited pornography will have to bear a label reading "SEXUALLY-EXPLICIT-CONTENT:" in the subject line and the messages themselves will not be allowed to contain graphic material, the FTC said.

Sexually oriented material is defined by the CAN SPAM Act to be "any material that depicts sexually explicit conduct (as that term is defined in section 2256 of title 18, United States Code), unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters." 

The Title 18 definition includes "simulation" of various acts.  In a footnote, the FTC says that "[a]lthough the definition of "sexually oriented material" refers to "sexually explicit conduct," the Commission proposes substituting the word "content" for the word "conduct" in the Proposed Mark because the substance of an e-mail message is more accurately defined by use of the word "content."

(a) IN GENERAL.—The Commission may issue regulations to implement the provisions of this Act . . .

(b) LIMITATION.—Subsection (a) may not be construed to authorize the Commission to establish a requirement pursuant to section 5(a) to include any specific words, characters, marks, or labels in a commercial electronic mail message, or to include the identification required by section 5(a)(5)(A) in any particular part of such a mail message (such as the subject line or body).

So that portion of the industry can't effectively be filtered out, even though it is probably much easier for a sender to know when it's sending an unsolicited commercial email than it is to know that it's sending "sexually oriented material."  Not that any labeling requirement makes legal sense, of course.

The USA TODAY story ends with a startlingly candid discussion with an FTC spokesperson:

Hile said the agency is especially interested to hear whether the measure will encounter any technical hurdles. Free-speech arguments will carry less weight as the agency has been directed by Congress to develop the labels, he said.

"We don't have a whole lot of discretion in this," Hile said. "I guess we can't prevent commenters from saying, 'What a stupid idea,' or 'It violates the Constitution' or whatever, but we can't do anything with that."

Or whatever.

At John Palfrey's suggestion, I've started using the h2o rotisserie system for my cyberlaw class. Tonight the first posts are available for the class to read -- not the public, so I can't link to what the class has said. I also spent much of the day interviewing students for a fellowship program.  Here's my report.

It seems clear to me that large lecture classes are very good for conveying generalized information and preparing for the bar.  They're good for talking about legal reasoning.  They're good for letting you sense the mood of the room about a particular topic.  But they're not good for individual participation, really, because they're so inefficient.  Everyone has to listen to one-at-a-time comments (or the lecturer).  You can't take in more.  Your inner dialogue is always running -- "boy, that's a weird thing to say," or "huh, interesting," or "what's next, let's move on" -- but if you actually started to murmur all this you'd destroy the class.  Terribly inefficient in terms of communications.  Very few channels of real conversations.

Threads of posts may have some benefits along these lines.  You can mutter (constructively, within rules of posting etiquette) and add to what's going on.  You can have several simultaneous conversations about the subject.  You can hear an individual more clearly, without always being focused on whoever is at the front of the room.  But there are also downsides -- if you relied on posted threads for a law school class, it would be a hit-or-miss form of learning.  It's hard to get a sense of the room.  

In the interview sessions today, I was reminded yet again of how much you learn about someone and how much you can (perhaps) teach them when you talk to them one-on-one.  The sense of the room in this setting is the magical third entity created in a conversation between two people -- the shared channel, which can feel almost tangible.  But it doesn't scale -- it takes a lot to have faculty members sit and talk to a single student.  It doesn't happen frequently.

So perhaps a good new model course would be a combination of lecture, thread, and tutorial.  Or maybe just thread and tutorial.  Skip the lecture.  You could meet with the class as a whole a few times during the semester, providing themes and suggested readings; prompt active threaded/rated discussions; and meet personally twice with each student for an hour or so.  It's work for the teacher, but it's more of a 21st century kind of learning (combined with ancient tutorial methods).  Post modern law school life.   

I've been a slacker as a blogger.  But I'm back!  I've decided what the beginning of a cyberlaw course is:  some technology, not enough for some and too much for others.  I've asked the class to discuss whether lawyers should have to learn about technology.  Maybe some of them will comment on this blog.

My new absorption is to learn about VoIP.  I don't understand how a router can tell whether a particular communication is a "telephone call" or an email.  As far as I know, the public internet wasn't designed to make sure that there aren't transmission delays.  But humans get very antsy when there's any delay in sound on a phone call.

So VoIP packets have to get priority, somehow.  How does this work?  Does IPv6 provide more information fields so that a router can give priority to a packet that's addressed in a particular way?  Is this why the FCC is looking for comments on IPv6?  Be patient with me, I'm learning.

The FBI wants VoIP to be classified as a telecommunications service, so that the FCC can regulate to ensure back doors to these communications (CALEA-like).  But I bet there are many ways to set up VoIP calls, some more elaborate than others, and it does seem that the FCC is not interested in having some elaborate CALEA mandate for every single one of these services.

And how would CALEA work for all IP calls?  How could you ensure that the back door was always there, without mandating that special routers and special addresses were always used by your citizens?  Wouldn't that amount to creating a new internet?

Yours in VoIP, Susan

David Pogue's story in Thursday's Circuits about the Apple GarageBand software got my attention.  Mr. Pogue is a musician, a pianist with a lot of history in musical theater, and his article is a hymn to the possibilities of GarageBand:

For $100. . ., Apple will sell you a four-octave, touch-sensitive MIDI keyboard that produces no sound of its own. But when plugged into GarageBand, its plastic keys trigger (from the Mac's speakers) the sound of a $50,000 Yamaha grand piano, an orchestra full of strings, the brassy sting of rock-hall trumpets, or any of 185 other sampled instrument sound variations.

At this point, GarageBand is a 64-track digital tape recorder. The program can even count you in with clicks - the software equivalent of, "And-a one! And-a two! And-a three! And-a four!" - and provide a metronome as you play.

I can hear his excitement.  This is neat!  This makes it possible for everyone to be a composer/arranger/producer!  Boy, this is going to be fun.  And, in fact, he goes on with an enthusiastic "this is neat" set of paragraphs:

In the "American Idol" era, it's clear that commercial talent, if not great musical talent, is always out there, untapped and undiscovered. How can a gifted singer or talented play-by-ear instrumentalist reach what could be a grateful audience? Not by mailing out demo tapes recorded with the church accompanist, that's for sure.

It won't be long before the GarageBand creations of no-name singers and players start popping up on Web sites - indeed, it won't be long before Web sites start popping up just to accommodate them - bypassing the talent scouts and gatekeepers of the American recording industry. GarageBand and the Internet give tomorrow's stars their own democratic recording and distribution channels.

...[W]hen you consider both the fledgling state of the 1.0 version of this program and the immense musical and commercial forces it could one day unleash, you might conclude that there is, after all, an i-name that might have suited this remarkable software: iPotential.

Mr. Pogue is excited, and he is convinced that this software is going to change the musical world.  It's got a low pricepoint, it's usable by regular people, and it's flexible (though too focused on pop sounds -- Mr. Pogue wishes for a solo violin once in a while).  I'm with him.  I get excited about this stuff too, and I truly believe (I believe!) making these tools available removes the mystery and perceived expense of making your own music.  I can imagine zillions of arrangements and magical new tunes being released into the unsuspecting cybersphere, to be listened to and shared by everyone.  Go, Apple!

So tools are emerging that let us manipulate all kinds of content.  We can carry video around with us, make it ourselves, share it.  We can do almost anything with music.  We can take pictures, morph pictures, phone pictures; watch television on our phones, watch ourselves on our phones, download scenes of other people talking on their phones, walk down the street talking on the phone and sending pictures.  Complete flexibility.

But there were two (maybe three) stories in today's paper that make this flexibility seem like jangling, meaningless chatter.  One was about Wal-Mart locking in employees over night:

For more than 15 years, Wal-Mart Stores Inc., the world's largest retailer, has locked in overnight employees at some of its Wal-Mart and Sam's Club stores. It is a policy that many employees say has created disconcerting situations, such as when a worker in Indiana suffered a heart attack, when hurricanes hit in Florida and when workers' wives have gone into labor.

The other was about a woman who has stayed on the outskirts of the job market for thirty years, working hard but never being promoted, always falling into problems that are caused by her other problems.  She loses her teeth because she's poor, and because she has no teeth she doesn't advance.  She moves from place to place to find work, and because of these moves her disabled daughter can't make any progress.  She just can't seem to get a break.  When social workers get together to try to figure out how to help her take care of her daughter, the one thing they don't consider is calling her employer to ask that she be put on a regular shift:

She asked a supervisor and got brushed off, but nobody else -- not the school principal, not the doctor, not the myriad agencies she contacted -- nobody in the profession of helping thought to pick up the phone and appeal to the factory manager or the foreman or anybody else in authority at her workplace.

Indeed, this solemn regard for the employer as untouchable and beyond the realm of persuasion unless in violation of the law permeates the culture of American antipoverty efforts, with only a few exceptions. . . . Wages and hours are set by the marketplace, and you cannot expect magnanimity from the marketplace. It is the final arbiter from which there is no appeal.

Putting these two strands together makes you ask what new tools could emerge online that would actually affect the lives of people in Vermont or Maine that can't make enough money to move through life comfortably.  They're isolated -- they're in places without real jobs -- but they have phone lines.  They don't care too much about morphing video or scoring a demo tape (maybe they do).  They need actual jobs.  What does this cyberlife do for them?

Finally, the third story, in Adam Liptak's review today of three books about the AOL/Time Warner merger.  His characterization of Kara Swisher captures the jangling sound I'm hearing this morning:

Her book sometimes reads like comments from the dais [at an internet business conference]. ''I am still a believer,'' she writes. ''In the wake of the crash, true faith in the eventual dominance of the Internet is not an easy thing to admit to. In fact, largely because of this one disastrous deal, saying you believe in the Internet as a revolutionary medium is a bit like admitting to a capital crime.''

. . . [T]he title ["There Must be a Pony In Here Somewhere"] captures something of Swisher's own attitude. She remains, she says over and over, thoroughly optimistic about the transformative power of the Internet.

New machines for aiding classroom teaching.  First -- for or against wireless? I'm for, with some groundrules.  Is there a switch you can pull on a classroom wall when you don't want wireless?  If there isn't, we should invent one.

Second -- how about a randomizer for calling on people?  That the professor could use to take notes about what happened?

Third -- how about a randomizer that the class could use for calling on other people in the class?

Fourth -- how about a group visualization tool that would show how a randomly generated group dealt with an issue? so the classroom could be in constant town meeting mode? yes, you could vote on how entertaining the professor was.

Just some thoughts.  Tomorrow:  ICANN's stld RFP.

There's a certain amount of kerfuddle/foofarah going on about Adobe's decision (in consultation with the Treasury) not to permit copying of currency. Is this agreement a good, working example of the accountable net (good private sector action not to "connect" with something that probably is illegal) or is it privatized government by parties who want continued government contract work and will easily knuckle under?

We could see this action as similar to Yahoo!'s not allowing people to sell lock-picks through Yahoo! stores. Lock-picks could be used for perfectly legal and even artistic purposes but the risk that they'll be used for illegal house-breaking purposes is great.

But, then again, I see the Yahoo! action as more a part of the accountable internet than the Adobe action.  Yahoo! really does connect to or facilitate the stores it hosts.  By contrast, Adobe has no real relationship to linking or filtering -- it's more like copiers intentionally not being good enough to make convincing copies of money.

So, on reflection, I see the Adobe action as kowtowing. Not being accountable, just being limiting.  A picture of a dollar is just bits, and there have been artists who have legitimately thought of and produced copies of currency as art.   Adobe's step is much more like a broadcast flag sort of attempt -- make it illegal to copy particular bits without authorization.

The problem is that the unintended consequences of Adobe's action may be great -- this may be the trimtab for copyright interests.  After all it's the PASSING of a bill to pay for something (or making available to huge numbers of people of a copyrighted work) that is illegal. The mere copying shouldn't be

I've been working on my cyberlaw syllabus over the last week, adding in all the things I want to read with my students.  (There will be a huge supplement to the casebook.)  Here's the challenge with which I need help:  cyberlaw is usually taught as a mish-mosh of modules -- a drop of privacy, a smattering of trademark, a heh-heh at the Barlow manifesto, a moment of copyright (and, in my case, a big dollop of the broadcast flag/analog hole debate), and some bemusement at internet governance.

But maybe the real subject is not the application of terrestrial law to the internet.  Maybe that's not even interesting.  Maybe we need to study what's emerging online and how or whether it consists of sets of rules that individuals and ISPs and corporations and governments are following.  But how do I reveal that?  How do we find it in a law school classroom?  What's on the exam (a frequent question I get)? 

Send me samples of what a real cyberlaw course should cover.  Maybe I should drop all this cybersquatting stuff and the old funny historical cases (and even the new funny cases), much as I enjoy them.  Maybe we should spend the whole term on ICANN and the broadcast flag and the CDT v. Pappert case. 

Let me know.  This is an authentic plea for commentary.

There's a great fight going on right now in Philadelphia. If you haven't seen the briefs in CDT v. Pappert, go take a look.

The case is about a Pennsylvania statute that mandates that Pennsylvania ISPs remove access to sites that the AG believes contain child pornography.  Now, child pornography is abhorrent and any ISP will cooperate in taking down such sites that it is hosting. But the problem is that in complying with the statute with respect to sites the ISPs don't themselves host, ISPs are (rationally) using either IP blocking ("null routing") or "domain poisoning" techniques, both of which (particularly the IP number blocking) result in rendering inaccessible millions of perfectly legal sites.

From CDT's/ACLU's opening brief: 

The research reveals that of the almost 30 million web sites analyzed, over 90% share an IP address with at least one other web site, over 75% share with fifty other web sites, and almost 50% share with over five hundred other web sites. . . .

The importance of this case cannot be overstated. [T]his case raises grave First Amendment implications for the viability of the Internet as a “vast democratic for[um],” where anyone can be a publisher and vast libraries of information are available at the touch of a button. . . In this case, the Attorney General in one state directed ISP blocking orders at just a few hundred illegal web sites – and as a result more than a thousand times more legal sites were blocked. Statistically, for each illegal web site targeted, more than one thousand lawful sites were blocked. If this law were duplicated in fifty states and vigorously enforced by even a few state officials, the Internet – a precious resource that has become a vital medium for exercising First Amendment rights – would be severely compromised. The Pennsylvania Statute sets a dangerous precedent, and it is critical to the future of the Internet that it be struck down.

One of my favorite moments in the pleadings comes from this portion of the AG's brief:

A URL is neither a person, nor a real forum, nor a limited commodity. It is a little string of letters and numbers that acts as a superficial label. URLs are infinite in quantity. Even complete retirement of one will not diminish speech. Speech can always find another URL, and probably pretty close to the out-of-commission string. The new URL will be in the same cyber-space, accessible in the same physical places, as the retired URL. It can relate to the same IP address, which is the true computer address. Disablement of an ISP’s customers’ access to a particular URL for even an indefinite time does not implicate First Amendment rights

To which CDT replied:

[T]the Attorney General suggests that the state can disable URLs perpetually because they are not speech, and because they are limitless and fungible. But as Plaintiffs explained in their opening brief, under current case law URLs, standing alone, may in fact be protected speech. . . .;

And they are certainly not fungible. Users of the Internet often access web sites by "bookmarking" their URLs or remembering them. The fact that Amazon.com could provide access to its site through the substitute address "www.creamcheese.com" would hardly make the blockage of "www.amazon.com" de minimis for either the site owner or users. URLs often constitute valuable intellectual property that parties fight hard over in  rademark litigation. Nor are URLs unlimited. While as a theoretical matter it may seem that way, as a practical matter useful URLs are scarce. Indeed, the lack of useful URLs has directly led to pressure over the past few years to add a new "top level domain" (TLD) such as ".biz" to supplement ".com" and ".net."

In any event, Plaintiffs’ claim under Near and Vance does not turn on whether URLs are speech, are fungible, or are in short supply. Under those cases, the state simply cannot prevent speech from ever occurring at a particular location on the Internet because at one time it displayed illegal materials. . . . Furthermore, the Attorney General does not even address the fact that some Informal Notices have explicitly directed that access to an IP address be disabled. IP addresses are valuable and are currently in short supply (especially in certain parts of the world).

These overblocked sites are places. Their addresses may look like strings of meaningless text to the AG. But they are places nonetheless, and a prior restraint with respect to their visibility would be wrong. The law just hasn't caught up with the realities of online life. Yes, child porn is wrong, and that's what makes this a tough case to make a lot of noise about. But the soccer sites and community areas wrongly blocked by ISPs struggling to comply with this negotiated law (take a look at the history of the law's creation) deserve to be seen -- and we don't want more laws like this popping up in the US.

It's a fascinating and (on the CDT side) well-briefed case.  Wish I could be there.