Archive for the 'e-compliance' Category

Richard Staeuber on iTMS’ compliance problems in Europe

Friday, February 9th, 2007

My friend and colleague Richard Staeuber has been interviewed by TheStreet.com about the headwind Apple is facing in many European countries because of its non-interoperable DRM system (FairPlay).

The article also mentions that Steve Jobs has recently blamed the major labels for obliging Apple to impose DRM protection on iTunes, and that he would be happy to sell non-DRM’ed music. EFF’s Jason Schultz doubts that this statement could be taken at face value.

At the current state of play it doesn’t seem to make much business sense to try to bind consumers to iPods through iTunes: First, the vast majority of songs played on iPods are not DRMed, and–as anti-DRM activists rightly claim–it is logically impossible to prevent the use of non-DRMed music by selling DRMed music. Second, iPods somehow appear to be cooler than a) iTunes files and b) MP3 players of Apple’s competitors, and they’re expensive: If a consumer wants to replace her iPod, I surmise that it would be cheaper in most cases to replace it with a no-name player and either burn-and-rip her iTunes or buy the respective songs at another online music store, than to buy a new iPod.

My take on the story is that Steve Jobs’ statement is compatible with Apple’s business interests–at least in the short or mid-term.  The situation would only be different if a) the next generation of iPods is a flop or if b) non-DRMed music were not available anymore.

DMCA § 512 action as a compliance risk

Tuesday, February 6th, 2007

This is–to take up the title of a post by Professor John Palfrey–day 4 of the Viacom-YouTube saga. Viacom has retracted its copyright claim regarding Jim Moore’s home video. Three things will remain:

  1. Jim Moore’s video on YouTube.
  2. 10,000+ articles/posts on the story that will eventually go the way of everything on the web–to the Internet Archive.
  3. A loss of reputation on the part of Viacom (albeit certainly limited both in terms of time and audience).

I’m not quite sure whether Viacom was aware of this reputation risk when it decided to send cease-and-desist letters to YouTube. But the big echo this case has caused hopefully will change that and thus lead to a more targeted use of cease-and-desist letters under the DMCA. And the risk isn’t likely to decrease in the future, as the community is organizing around takedowns.

By the way, it would be interesting to know which risk a corporate compliance risk manager would quantify as higher: the risk of having to pay compensation under DMCA § 512(f) (see latter part of this post by J.P.) or the reputation risk associated with sending unjustified cease-and-desist letters.

Self-erasing paper: antithesis and (preliminary) synthesis

Sunday, December 17th, 2006

My friend and colleague Thomas Hautle has added an interesting antithesis to my earlier post on self-erasing paper: He basically argues that the employees of many companies handle hardcopies containing sensitive information very carelessly, e.g. by throwing them away on their way home. As long as that happens, he goes on, self-erasing paper can mitigate these information security risks.

So here’s an attempt at a synthesis:

  • If a company has a sound information security policy, and has taken the necessary steps to enforce it, self-erasing paper creates an additional security risk, which can be tackled without difficulty, given the company’s information security culture.
  • If information security isn’t a big issue for the management of a company (i.e. if a company has bad management), self-erasing paper might well lower the company’s risk exposure.

To conclude, this isn’t just a question of whether the glass is half-full or half-empty: self-erasing paper adds to the complexity of corporate information management, but, luckily, not in a way that is necessarily detrimental for those who are unable to manage that complexity.

Ready for the self-erasing paper?

Thursday, December 7th, 2006

My friend and colleague James Thurman, the FIR-HSG’s top news hub, pointed me to a piece of news hardly noticed on this side of the Atlantic: Xerox’s efforts to develop erasable, or rather self-erasing, paper.

As the New York Times reports, the researchers have developed a specially coated paper with a light yellow tint. The printed information on the paper disappears within 16 to 24 hours or immediately when the paper is heated. (Is this perhaps a user-friendly further development of thermal paper?) The only limit in the printing-and-disappearing process appears to be paper life.

This is potentially wonderful news for our environment: According to a Xerox study, the average Dilbert of this planet prints 1,200 pages per month, 250 of which are returned to the recycling bin the same day.

The New York Times continues:

Brinda Dalal, [an anthropologist with Xerox], has discovered … a notable change in the role of paper in modern offices, where it is increasingly used as a medium of display rather than storage. Documents are stored on … computers and printed only as needed; for meetings, editing or reviewing information.

In other words: instead of going paperless, as many people predicted in (as far as I can remember) the early Nineties, we are often using hardcopies as a sort of outsourced short-term memory.

As far as I can tell, the law still considers paper as a storage medium, and if erasable paper is a success on the market, it will be extremely interesting to see if this triggers changes in the law, in a sense that the role of paper as a permanent storage medium will be legally less important than nowadays.

Speaking of the new paper’s possible market success, one drawback might be the compliance costs the introduction of this paper necessarily generates:

  • For instance, I am not sure how erased “erased” really will be — in other words: can we be sure that nobody, not even a criminologist, will be able to read the information that has faded on a piece of erasable paper? For nothing is more dangerous than covert information. If the information can be regained, employees should be made aware of this issue, and they might even be instructed to treat the paper as if it contained sensitive information, or forbidden to print sensitive information onto that paper.
  • In the latter scenario, the human factor will remain as a residual risk, but it can also be the primary risk. One rather harmless example would be the intern who by mistake mails a large number of invoices printed on the erasable paper to his employer’s customers.
  • In any event, the self-erasing paper should be easily distinguishable from ordinary paper. I have doubts that a yellowish tint will be enough in this respect.

Fingers crossed that these risks and compliance costs won’t outweigh the economies caused by the use of erasable paper!
