I tend to favor protecting end-to-end in the Internet context, but I’m a bit worried about what the net neutrality rules will look like in practice. There are two ways to think of this problem. First, who is the target of regulatory action? The FCC’s rules seem to look at the CEO or CTO of an ISP or telecom company. I think the correct focus is farther down the corporate ladder: the IT folks who have to implement rules on their routers. The new rules seem fine as policy statements, but how do they translate into what you can and can’t do with bits?

Second, what existing practices are covered by the net neutrality rules? I worry there are some laudable practices that might run afoul of the rules – even if it’s unlikely the FCC would seek enforcement against them. (Safety that depends on agency discretion is not particularly comforting.) Here’s a fast list of practices that might violate net neutrality right now:

• Port blocking – can ISPs prevent you from sending e-mail except through their servers by blocking port 25? Many, including Verizon, already do. (See Rule 2 in the Press Release.)
• Network Address Translation – NAT rewrites IP addresses to ensure that packets reach their destination. Does altering header information violate the rules? (Rule 6 at least, maybe Rule 4.)
• Spam filtering – ISPs routinely drop connections, or quarantine messages, from known spammers and spam-friendly destinations. (Rules 1, 4.)
• VoIP routing – some telcos route their own VoIP traffic across their network rather than the public Internet, which is more efficient (assuming both ends of the conversation have the same provider). That’s almost certainly out. (Rule 5.)
• Virus prevention – some educational institutions scan connecting devices for Trojans / viruses / malware, or software that protects against them, and condition network access on passing this scan. (Rule 3, though doubtless the FCC would use the “harm” criterion as a dodge.)

So, I’m worried about how the FCC’s legal rules are implemented in code. I think we need a lot more guidance from the agency, particularly since net neutrality still feels somewhat like a solution in search of a problem…

The paper grew out of a seemingly simple question I tried to answer a couple of years ago, namely: if I put something into the public domain, can I take it out again? On the one hand, it seems like the answer would have to be “no” for policy reasons; otherwise, what happens to all the people who might have relied on the public-domain status of the work to create their own derivatives and remixes? But on the other hand, the copyright statute in the U.S. includes some fairly obscure provisions that seem to allow authors to change their minds any time they transfer ownership of their work. Those provisions exist to solve a completely different problem, but if applied literally, they could make it possible for authors to rescind a dedication of their own work to the public domain.  As I discuss in the paper, there might be some constitutional problems with that outcome, and downstream users of a (formerly) public-domain work may be able to raise a number of valid equitable defenses to any claim of copyright infringement.  But as a purely statutory matter (as many others have recognized), it’s hard to find a basis for upholding a permanent, irrevocable dedication of one’s copyright to the public domain.

I argue in the paper that these parts of the statute may create a big headache down the road for the open-source software community, and for other large-scale informational projects (like Wikipedia, for instance) whose legality depends on the provisions of specialized copyright licenses.  Legally, all those projects rest on an interlocking set of permissions among contributors to reuse one another’s work.  But under the statute, any of those permissions can be  revoked in the future, even if the contributor promised not to.  Possible problem: what happens when somebody who contributed code to an open-source project many years ago revokes permission to continue using their work?

In the paper, I take a couple of stabs at creatively reinterpreting existing copyright law to fix the problem, before ultimately throwing up my hands and kicking it over to Congress.  I’ll post the abstract of the paper after the jump.

Here is the abstract:

Federal law limits the free alienability of copyright rights to prevent powerful transferees from forcing authors into unremunerative bargains. The limiting mechanism is a statutory provision that permits authors or their heirs, at their sole election, to terminate any transfer or license of any copyright interest during a defined period. Indeed, the applicable provisions of the Copyright Act go so far as to invalidate purported waivers by authors of their statutory termination powers.

These statutory provisions may constitute an impediment to the effective grant of rights for the benefit of the public under widely used “open content” licensing arrangements, such as the GNU General Public License (”GPL”) for software or the Creative Commons family of licenses for other sorts of expressive works. Although recent case law suggests that such open-source or open-content licensing arrangements should be analyzed under the same rules that govern other copyright licenses, doing so necessarily raises the possibility of termination of the license. If GPL or Creative Commons-type licenses are subject to later termination by authors (or their heirs), and this termination power cannot validly be waived, then users of such works must confront the possibility that the licenses may be revoked in the future and the works effectively withdrawn from public use, with potentially chaotic results.

Although a number of judge-made doctrines may be invoked to restrict termination of a license granted for the benefit of the public, the better course would be for Congress to enact new legislation expressly authorizing authors to make a nonwaiveable, irrevocable dedication of their works, in whole or in part, to the use and benefit of the public—a possibility that the Patent Act expressly recognizes, but the Copyright Act presently does not.

Would love to hear any feedback.

When my consulting team did security stuff (note technical terminology) at Lotus, we found that the biggest risk from passwords is the Post-It note: users write down their passwords because security policies mandate ones that aren’t readily remembered. Try wandering around your office environment and see how many of these you can find 1) attached to monitors, 2) under keyboards, or 3) on office desk calendars / blotters. Far too much security protocol relies on conventional wisdom and accepted practice rather than empirical data.

There’s been significant fear and loathing of this proposal. At a recent legal meetup in NYC, I suggested that there may be a barrier – Section 230 of the CDA – to the FTC’s enforcement of this move (if it is adopted). Several participants thought I was a nutjob for making this argument, so I thought I’d set it forth and see what you think.

Section 230(c)(1) of the Communications Decency Act (47 U.S.C. 230(c)(1)) forbids treating a “provider or user of an interactive computer service… as the publisher or speaker of any information provided by another information content provider.” There are statutory exceptions for intellectual property law (but compare Doe v. Friendfinder with Perfect10 v. CCBill on this), the Electronic Communications Privacy Act, criminal law, and compatible state laws. The 230 shield has been interpreted quite broadly, though Roommates.com and Barnes v. Yahoo! suggest some chinks in its protection. (As always, I recommend highly Ken Myers’s Wikimmunity article on this topic.)

I’d argue 230 cabins the FTC’s Section 5 authority. Imagine a blogger who gets free passes from DreamWorks to “Transformers: Revenge of the Fallen” and, against the weight of all common sense, writes a paean to the movie, without mentioning the free tix. She’s now run afoul of the FTC guidelines: there’s no reason for the blogger’s audience to think that she got in for free, and the connection seems material to the review. What if the FTC goes after DreamWorks? In effect, the FTC’s argument is that DreamWorks is the speaker here: it helped generate the post by giving the blogger free entry to the film. (This stance is made more powerful by the fact that Transformers 2 appears to suck.) But that’s exactly what Section 230 forbids: the FTC treats DreamWorks as responsible for the blogger’s content. It seems this should work in the other direction as well – trying to hold the blogger liable for failure to disclose treats her as linked with DreamWorks and speaking on the company’s behalf. (This posture seems a closer case, though, since it imposes liability directly on the speaker / author, although what makes the blogger liable is connection to another Internet content provider.)

The obvious FTC rejoiner is an agency theory: the compensation arrangement makes the blogger a DreamWorks agent for this post. But that interpretation would render 230 a dead letter; we could readily concoct consideration-based arguments for most 230 cases that cut the other way. On this theory, Dontdatehimgirl.com would be liable for encouraging users to post stories about cads – in exchange for a public airing of their complaints, the site gets desirable content. Doe v. Friendfinder wouldn’t have to rely on a flimsy right of publicity claim: Ms. Doe could simply go after Friendfinder for the quid pro quo of attractive content in exchange for use of the service.

The employee as commenter / poster angle poses the problem neatly. If a DreamWorks publicity representative writes a blog comment, at the direction of the company’s CEO, trashing Ice Age: Dawn of the Dinosaurs as “a Blue Sky Studios plot to brainwash our children,” it is uncontroversial to hold DreamWorks liable for her speech. Firms can only act through their employees. But if she writes the same comment from home, with no studio input, based on her belief that animated squirrels are the devil’s minions, we’d be reluctant to hold DreamWorks liable. So, perhaps agency must enter the 230 analysis through the determination of who the “Internet content provider” is. I think it makes sense to separate employee blogging along these lines, but it does convert Section 230 from a relatively clear rule to more of a standard.

I don’t necessarily like the outcome here. Bloggers have been quite resistant to disclosure mandates (and even strong norms, at times) and are shocked, shocked to think that anyone could buy their support! Having the FTC push back, even if only in extreme cases, could be quite helpful. And it’s not just bloggers who are affected by this analysis – it would likely hold for Internet writing and endorsements more generally. Finally, the FTC is certain to dislike this suggestion that its Section 5 power wanes on the Internet (even though experts like Eric Goldman argue that other agencies, such as the SEC, are similarly constrained). But presumably this is what Congress wanted, and at minimum the Commission needs a cogent analysis of why its proposals escape the 230 driftnet.

This might be useful in getting Australia to reform its content classification system, which has some weird dichotomies in evaluating on-line vs. off-line material, and in dealing with different media for the same content. This particular quirk, though, seems like it’s vulnerable to gamesmanship: if I were an Australian gaming company, I’d surely submit complaints about my competitors’ games (especially foreign ones) – censorship could help my sales by eliminating alternatives.

Fun stuff. Hat tip to Boing Boing.

• The move to Web applications challenges the open source model – copyleft only works if you’re distributing software to your users. With network services, for example, the GPL becomes a permissive license – if you’re running a Web server that is under the GPL, you aren’t distributing the code, so there’s no obligation under the license to provide that code to your users. Web apps thus can undercut open source goals / obligations, and also have the effect of equalizing the various flavors of licenses (BSD, GPL, etc.).

• The Affero GPL seeks to move network-based services closer to the PC-based model for open source licensing – the AGPL modifies the GPL’s bargain by linking the source provision requirement to the modification of the underlying code and its distribution user interaction over a network [Update 26 May: Aaron corrected me!]. Copyright remains the fulcrum: modification (creation of a derivative work) gives the license its grip, ensuring that users have access to source code. In addition, the AGPL reduces vendor lock-in: if the vendor goes out of business, or begins behaving badly, users have the code. However…
• Data is the primary challenge to open source in cloud computing – access to source doesn’t help much if the data from a Web application remains inaccessible. Often, the only interface to a Web application’s data is via the site itself – if there’s no API, or a limited API, the transaction cost of shifting to a different vendor or application increases dramatically. This may be particularly acute for financial or business data.
• The set of social relationships that is critical to the Web – think Facebook – isn’t yet addressed by the open source model. Being able to set up your own version of Facebook is effectively worthless if you can’t migrate the social connections that characterize social networking. It’s hard to replicate the value of a Web community by taking the underlying code and installing it on your computer or server. (How well would “Bambauer’s Book” fare if I decided I was sick of Facebook and wanted to start my own?) Network effects can thus create lock-in.
• There are three key challenges in a world of cloud computing: data portability, privacy (typically governed by contract, but think also about Fourth Amendment issues), and compatibility (particularly protecting the integrity of social relationships during migration). Before networked apps, access to source took care of these concerns – you could examine both the data formats and how the data was processed by the code to address concerns. Terms of service – the parameters of the relationship between the user and the networked service – thus become critical in addressing these worries for cloud computing…
• For the GPL model to migrate to networked services, copyright and licenses aren’t enough – we also need technological features that protect user freedoms. This becomes difficult to mandate, though, as the universal applicability of copyright no longer does this work for us. To enable user autonomy, for example, data has to be portable, which means that network services must provide APIs to communicate with other services. Take for example LiveJournal – the code is under the GPL, but there’s no way to get access to all of the relevant data that a user creates and depends upon. In terms of data security, banks have become a model for why protected is needed.
• To replicate the GPL model for Web services, we need three things: 1) access to source, 2) carefully designed terms of service, and 3) technological features (such as data APIs).
• Aaron identified Identi.ca, a micro-blogging service ( = like Twitter), as a key proof of concept for open source Web services. It’s licensed under the AGPL v3 (#1 above). The service’s ToS specify which data is private and which is not (#2 above) – private data isn’t shared, but is only used to provide services to users, and Identi.ca will only turn data over to the government under a court order. The service also describes exactly what it does with the public data it stores, constraining its freedom with regards to that information. Finally, Identi.ca has an API (a clone of the Twitter API, evidently) that lets users get their data out of the service (#3 above). Users can also export relationships in a standardized format (Friend of a Friend). Identi.ca addresses the vendor lock-in concern by implementing the Open Authorization protocol, which allows separate instances of the network software to communicate with each other. This enables interoperability without exposing private data. If you want, you can have your own Identi.ca version – and it can talk with other versions! For Twitter addicts, Identi.ca will talk to Twitter (well, at Twitter) if you have an account for Tweeting.

I thought Aaron’s talk was absolutely fascinating. The key worry that remained with me is that we’re really dependent on vendors to make the open source model work: if they don’t enable tech features, such as data APIs, or put together obnoxious terms of service, we won’t get the equivalent of the GPL’s freedoms in the networked services world. It’s not clear how to counteract this – Aaron is bullish about best practices and the example set by services such as Identi.ca – but at least, thanks to Aaron and SFLC, we have an accurate sense of the challenges.

In addition to a pleasant trip down memory lane (except Jelly Rolls – I hate dueling pianos), this short raises some fun copyright questions. Is this a parody? If so, of what – South Park, Lotusphere, or both? If it’s of Lotusphere, aren’t we in infringing territory (at least in the Ninth Circuit) under Dr. Seuss v. Penguin Books? What about a trademark claim – this mash-up is good enough that I actually wondered if Trey Parker and Matt Stone were involved somehow? (And if so, what does this mean? Only crappy mash-ups are safe from legal liability?) If you’d asked me these questions when I was at Lotus, I’d have looked at you as though you asked about the release plans for Lotus Marmoset 1.0, but now that I’m a lawyer, I sit and ponder them.

Anyway, if you like the vid, here’s another one on Web design that is spot-on.