Yesterday, while hundreds of sites (including this one, along with Google, Wikipedia, and Reddit) were going black to protest SOPA and PIPA, the Supreme Court released its own copyright blackout, Golan v. Holder (PDF). Justice Ginsburg’s majority opinion held that the First Amendment did not prohibit reclaiming works from the public domain.

Justice Breyer, joined by Justice Alito, gave a stirring dissent. Copyright law, he said, must be “designed to encourage new production,” not just redistribute works already created. Re-copyrighting already-written works “does not encourage anyone to produce a single new work.” Instead, backwards-looking copyright grants create a serious public choice problem:

Whereas forward-looking copyright laws tend to benefit those whose identities are not yet known (the writer who has not yet written a book, the musician who has not yet composed a song), when a copyright law is primarily backward looking the risk is greater that Congress is trying to help known beneficiaries at the expense of badly organized unknown users who find it difficult to argue and present their case to Congress.

We see the same problem with SOPA and PIPA. The legislation pits organized incumbents against future innovators. Congress risks being captured by the lobbying power of current copyright industries, organized in the MPAA and RIAA, before the artists who have yet to create and the industries who support them can find their political voice. But the SOPAstrike reminds us that more than industry interests are at stake here — the general public, the editors of and users of Wikipedia, the contributors and readers of Reddit and the coders and browsers of Mozilla also create and bring value to the Internet.

Golan reminds us too that we can’t count on the courts to help us where Congress gets copyright wrong. The majority leaves a great deal to Congressional discretion, as it did in Eldred (striking down a challenge to copyright term extension): “the Copyright Clause does not demand that each copyright provision, examined discretely, operate to induce new works.” In a chilling phrase, the Golan majority quotes the district court’s finding of a “settled rule that private censorship via copyright enforcement does not implicate First Amendment concerns.”

Perhaps a later Court will see the First Amendment as a stronger check on Congressional power to restrict speech in the name of copyright, but where we can’t count on 5 (Justices), defenders of free communications on the open Internet will need to count to 51% of Congress. Keep up the pressure, it’s having an impact!

As I wrote over on the Tor Project blog, SOPA and PIPA (the House’s “Stop Online Piracy Act” and the Senate’s “Protect-IP Act”) go beyond enforcement of copyright. These copyright bills would strain the infrastructure of the Internet, on which many free communications — anonymous or identified — depend. Originally, the bills proposed that so-called “rogue sites” should be blocked through the Internet’s Domain Name System (DNS). That would have broken DNSSEC security and shared U.S. censorship tactics with those of China’s “great firewall.”

Now, while we hear that DNS-blocking is off the table, the bills remain threatening to the network of intermediaries who carry online speech. Most critically to Tor, SOPA contained a provision forbidding “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both bills broaden the reach of intermediary liability, to hold conduits and search engines liable for user-supplied infringement. The private rights of action and “safe harbors” could force or encourage providers to censor well beyond the current DMCA’s “notice and takedown” provision (of which Chilling Effects documents numerous burdens and abuses).

On January 18, we’re joining Wikipedia, Reddit, the MIT Media Lab, and hundreds of others in protest, turning a portion of the Tor site black to call attention to copyright balance and remind the US Congress and voters of the value of the open Internet.

U.S. citizens, please call or write, to urge your representatives to stop SOPA and PIPA. Elsewhere in the world, keep an eye out for similar legislation. and bring the fight there too.

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new”anticircumvention” provision (different from the still-problematic anti-circumvention of section1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures,[1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for”the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others, SOPA should be stopped.

I’m speaking at the beginning of next week at O’Reilly’s Android Open conference.

I’ll be talking on “Leveraging Openness,” strategic considerations for developers and users of the platform to use openness in their favor, supporting user autonomy rather than lock-in. More on that later.

I also appreciate Android’s openness at the practical level of the individual user. This weekend I put the CyanogenMod firmware on my Android phone, in response to security warnings about recently introduced logging functions, and so as not to lose root access with a stock upgrade. The process was simple, well-documented, and gives me the level of control I expect over a device that can track all my movements and communications.

Then there are the little things: I like to change the default screen density to take better advantage of the high-resolution screen, no problem. (Note, however, that in the latest version of the Android market, some apps check these settings and won’t install, claiming device incompatibility. The fix? Change the lcd_density back, install apps, and revert the change; those I’ve tried work just fine.)

Google’s announcement this morning that it had agreed to purchase Motorola Mobility for $12.5Billion sent MMI’s stock price soaring and set off another conversation about software patents and the smart-phone ecosystem.

Larry Page himself emphasized the patent angle of the merger in the corporate blog post:

We recently explained how companies including Microsoft and Apple are banding together in anti-competitive patent attacks on Android. The U.S. Department of Justice had to intervene in the results of one recent patent auction to “protect competition and innovation in the open source software community” and it is currently looking into the results of the Nortel auction. Our acquisition of Motorola will increase competition by strengthening Google’s patent portfolio, which will enable us to better protect Android from anti-competitive threats from Microsoft, Apple and other companies.

Android-users already faced several patent lawsuits, and after a coalition of Google’s opponents, including Microsoft, Apple, and Oracle, purchased Nortel’s patent portfolio for $4.5 Billion, Google and its Android partners (including HTC and Motorola) had reason to fear a deepening thicket. Without many patents of its own, Google couldn’t make the traditional counter-strike of suing its attackers for infringement. Motorola’s mobile portfolio (17,000 issued patents and 7,500 pending applications) adds to Android’s arsenal.

Of course Motorola also makes hardware — smartphones that run Android — but few analysts are emphasizing that point. There, the acquisition raises strategic questions for Google: Can it convincingly offer the Android platform to others with whom it now competes? Even if Google maintains Motorola as a separate business, as Page says it intends, will now-competing vendors such as HTC, Samsung, and Acer be reassured of Google+Motorola’s neutrality among them?

Owning a handset maker could improve Android, if it shortens the feedback loop for problem-reporting and new ideas, but it could hurt the platform — and its end-users — more if it scared off competing hardware vendors, shrinking the base to which new applications are written and reducing the diversity of options available to end-users. As proprietor of an open, multi-sided market, Google needs to serve Android’s hardware vendors, app developers, and end-users well enough that a good-sized group of each continue to bring it value — and so the end-users watch the ads whose sale puts money into Google’s pocket from it all. (Oh, and maybe the acquisition will revitalize GoogleTV, as Lauren Weinstein points out.)

The patent motivations are more straightforward. As we know, it doesn’t take deliberate copying to infringe a patent, and patents are granted on small enough increments of software advance that an independently developed application may incorporate dozens to hundreds of elements on which others claim patents, and at millions of dollars a lawsuit, it’s expensive to disprove them. At least if those others are also making phones or software, Google is now more likely to have patents on what they are doing too, paving the way for a cross-license rather than a lawsuit.

Wouldn’t we all be better off skipping those patent threats and cross-licensing transaction costs? As Google’s pre-Motorola travails showed, it’s almost* impossible to opt-out of the patent system by choosing to publish and not patent your own inventions. Unlike in copyright, where you can share under Creative Commons, for example, and just have to prove you never accessed another’s work if accused of infringement, you can only save yourself from patent claims by assuring that every bit of technology you use was published more than 17-20 years ago! (*Rare but not impossible: Richard Hipp of SQLite says he only uses 17-year old, published algorithms to keep his code free of patent clouds.)

In work-in-progress, I argue that patent’s incentives aren’t working right for software, because they come at too early a stage in development. Patents for software motivate lawsuits more than they induce or reward product development. Google+Motorola may prove to have non-patent benefits too, but its early indications shine a spotlight on the thorny thickets of the patent landscape.

Earlier this week, Facebook expanded the roll-out of its facial recognition software to tag people in photos uploaded to the social networking site. Many observers and regulators responded with privacy concerns; EFF offered a video showing users how to opt-out.

Tim O’Reilly, however, takes a different tack:

Face recognition is here to stay. My question is whether to pretend that it doesn’t exist, and leave its use to government agencies, repressive regimes, marketing data mining firms, insurance companies, and other monolithic entities, or whether to come to grips with it as a society by making it commonplace and useful, figuring out the downsides, and regulating those downsides.

…We need to move away from a Maginot-line like approach where we try to put up walls to keep information from leaking out, and instead assume that most things that used to be private are now knowable via various forms of data mining. Once we do that, we start to engage in a question of what uses are permitted, and what uses are not.

O’Reilly’s point –and face-recognition technology — is bigger than Facebook. Even if Facebook swore off the technology tomorrow, it would be out there, and likely used against us unless regulated. Yet we can’t decide on the proper scope of regulation without understanding the technology and its social implications.

By taking these latent capabilities (Riya was demonstrating them years ago; the NSA probably had them decades earlier) and making them visible, Facebook gives us more feedback on the privacy consequences of the tech. If part of that feedback is “ick, creepy” or worse, we should feed that into regulation for the technology’s use everywhere, not just in Facebook’s interface. Merely hiding the feature in the interface, while leaving it active in the background would be deceptive: it would give us a false assurance of privacy. For all its blundering, Facebook seems to be blundering in the right direction now.

Compare the furor around Dropbox’s disclosure “clarification”. Dropbox had claimed that “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password,” but recently updated that to the weaker assertion: “Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so).” Dropbox had signaled “encrypted”: absolutely private, when it meant only relatively private. Users who acted on the assurance of complete secrecy were deceived; now those who know the true level of relative secrecy can update their assumptions and adapt behavior more appropriately.

Privacy-invasive technology and the limits of privacy-protection should be visible. Visibility feeds more and better-controlled experiments to help us understand the scope of privacy, publicity, and the space in between (which Woody Hartzog and Fred Stutzman call “obscurity” in a very helpful draft). Then, we should implement privacy rules uniformly to reinforce our social choices.

Not satisfied with seizing domain names, the Department of Homeland Security asked Mozilla to take down the MafiaaFire add-on for Firefox. Mozilla, through its legal counsel Harvey Anderson, refused. Mozilla deserves thanks and credit for a principled stand for its users’ rights.

MafiaaFire is a quick plugin, as its author describes, providing redirection service for a list of domains: “We plan to maintain a list of URLs, and their duplicate sites (for example Demoniod.com and Demoniod.de) and painlessly redirect you to the correct site.” The service provides redundancy, so that domain resolution — especially at a registry in the United States — isn’t a single point of failure between a website and its would-be visitors. After several rounds of ICE seizure of domain names on allegations of copyright infringement — many of which have been questioned as to both procedural validity and effectiveness — redundancy is a sensible precaution for site-owners who are well within the law as well as those pushing its limits.

DHS seemed poised to repeat those procedural errors here. As Mozilla’s Anderson blogged: “Our approach is to comply with valid court orders, warrants, and legal mandates, but in this case there was no such court order.” DHS simply “requested” the takedown with no such procedural back-up. Instead of pulling the add-on, Anderson responded with a set of questions, including:

1. Have any courts determined that MAFIAAfire.com is unlawful or illegal inany way? If so, on what basis? (Please provide any relevant rulings)

2. Have any courts determined that the seized domains related to MAFIAAfire.com are unlawful, illegal or liable for infringement in any way? (please provide relevant rulings)
3. Is Mozilla legally obligated to disable the add-on or is this request based on other reasons? If other reasons, can you please specify.

Unless and until the government can explain its authority for takedown of code, Mozilla is right to resist DHS demands. Mozilla’s hosting of add-ons, and the Firefox browser itself, facilitate speech. They, like they domain name system registries ICE targeted earlier, are sometimes intermediaries necessary to users’ communication. While these private actors do not have First Amendment obligations toward us, their users, we rely on them to assert our rights (and we suffer when some, like Facebook are less vigilant guardians of speech).

As Congress continues to discuss the ill-considered COICA, it should take note of the problems domain takedowns are already causing. Kudos to Mozilla for bringing these latest errors to public attention.

A bit late for the rule’s “triennial” cycle, the Librarian of Congress has released the sec 1201(a)(1)(C) exceptions from the prohibitions on circumventing copyright access controls. For the next three years, people will not be ” circumventing” if they “jailbreak” or unlock their smartphones, remix short portions of motion pictures on DVD (if they are college and university professors or media students, documentary filmmakers, or non-commercial video-makers), research the security of videogames, get balky obsolete dongled programs to work, or make an ebook read-aloud. (I wrote about the hearings more than a year ago, when the movie studios demoed camcording a movie — that didn’t work to stop the exemption.)

Since I’ve criticized the DMCA’s copyright expansion, I was particularly interested in the inter-agency debate over EFF’s proposed jailbreak exemption. Even given the expanded “para-copyright” of anticircumvention, the Register of Copyrights and NTIA disagreed over how far the copyright holder’s monopoly should reach. The Register recommended that jailbreaking be exempted from circumvention liability, while NTIA supported Apple’s opposition to the jailbreak exemption.

According to the Register (PDF), Apple’s “access control [preventing the running of unapproved applications] does not really appear to be protecting any copyright interest.” Apple might have had business reasons for wanting to close its platform, including taking a 30% cut of application sales and curating the iPhone “ecosystem,” those weren’t copyright reasons to bar the modification of 50 bytes of code.

NTIA saw it differently. In November 2009, after receiving preliminary recommendations from Register Peters, Asst. Secretary Larry Strickling wrote (PDF):

NTIA does not support this proposed exemption [for cell phone jailbreaking]…. Proponents argue that jailbreaking will support open communications platforms and the rights of consumers to take maximum advantage of wireless networks and associated hardware and software. Even if permitting cell phone “jailbreaking” could facilitate innovation, better serve consumers, and encourage the market to utilize open platforms, it might just as likely deter innovation by not allowing the developer to recoup its development costs and to be rewarded for its innovation. NTIA shares proponents’ enthusiasm for open platforms, but is concerned that the proper forum for consideration of these public policy questions lies before the expert regulatory agencies, the U.S. Department of Justice and the U.S. Congress.

The debate affects what an end-user buys when purchasing a product with embedded software, and how far copyright law can be leveraged to control that experience and the market. Is it, as Apple would have it, only the right to use the phone in the closed “ecosystem” as dictated by Apple, with only exit (minus termination fees) if you don’t like it there? or is it a building block, around which the user can choose a range of complements from Apple and elsewhere? In the first case, we see the happenstance of software copyright locking together a vertically integrated or curated platform, forcing new entrants to build the whole stack in order to compete. In the second, we see opportunities for distributed innovation that starts at a smaller scale: someone can build an application without Apple’s approval, improving the user’s iPhone without starting from scratch.

NTIA would send these “public policy” questions to Congress or the Department of Justice (antitrust), but the Copyright Office and Librarian of Congress properly handled them here. “[T]he task of this rulemaking is to determine whether the availability and use of access control measures has already diminished or is about to diminish the ability of the public to engage in noninfringing uses of copyrighted works similar or analogous to those that the public had traditionally been able to make prior to the enactment of the DMCA,” the Register says. Pre-DMCA, copyright left room for reverse engineering for interoperability, for end-users and complementors to bust stacks and add value. Post-DMCA, this exemption helps to restore the balance toward noninfringing uses.

In a related vein, economists have been framing research into proprietary strategies for two-sided markets, in which a platform provider is mediating between two sets of users — such as iPhone’s end-users and its app developers. In their profit-maximizing interests, proprietors may want to adjust both price and other aspects of their platforms, for example selecting fewer app developers than a competitive market would support so each earns a scarcity surplus it can pay to Apple. But just because proprietors want a constrained environment does not mean that the law should support them, nor that end-users are better off when the platform-provider maximizes profits. Copyright protects individual works against unauthorized copying; it should not be an instrument of platform maintenance — not even when the platform is or includes a copyrighted work.

Google announced Friday that it would now be “personalizing” all searches, not just those for signed-in users. If your browser has a Google cookie, unless you’ve explicitly opted out, your search results will be customized based on search history.

Danny Sullivan, at Search Engine Land, wonders why more people aren’t paying attention:

On Friday afternoon, Google made the biggest change that has ever happened in search engines, and the world largely yawned. Maybe Google timed its announcement that it was personalizing everyone’s search results just right, so few would notice. Maybe no one really understood how significant the change was. Whatever the reason, it was a huge development and deserves much more attention than it has received so far.

I agree this is a big deal, even if it’s only the next step in a trend begun by customized search for signed-in users years ago. And except for here, I won’t even mention the P-word, “privacy.” Because on top of the implications of storing all a user’s search history, I wonder about the transparency of personalized search. How do we understand what search looks like to the world as it gets sliced up by history, location, and other inferences search providers make about their searchers?

As users, we’ve basically come to terms with the non-transparency of the search algorithms that determine which results to show and how to order them. We use the engine that mostly gets us relevant results (or perhaps, that offers shopping discounts). If we’re dissatisfied with the results Google returns, we can use Yahoo or Bing.

We also have some degree of trust that search isn’t systematically discriminating against particular pages or providers for undisclosed reasons. When Google received copyright takedown demands from the Church of Scientology years ago, prompting it to remove many links to “Operation Clambake,” Google sent the takedowns to Chilling Effects and linked them from its search pages so searchers could see why the search had apparently become more pro-Scientology in its results. More recently, the search engine has worked with the Berkman Center’s StopBadware to flag malware distribution points and let searchers know why sites have been flagged “harmful.” When a racist image appeared in searches for “Michelle Obama,” Google used an ad to explain why, but did not tweak algorithms to remove the picture.

How do we verify that this trust is warranted, that page visibility is a relative meritocracy? With open source, we could read the code or delegate that task to others. With a closed platform where we can’t do that, our next best alternative is implicit or explicit comparison of results with others. Investigative journalists might follow a tip-off that liberal media seemed to rank higher than conservative, and run some comparisons and questions to test and report back; search engine optimizers, motivated to improve their own pages’ rankings, might also alert us to biases that caused unfair demotions — we can believe we’re seeing a reasonable mix of digital camera stores because proprietors would complain if they were omitted. If something “feels wrong” to enough people, chances are it will bubble up through the crowd for verification (or debunking — see the complaints that iTunes “shuffle” feature isn’t random, by listeners who confuse randomness with a non-random even distribution). If a search engine failed to disclose payment-induced bias, the FTC might even follow with a complaint.

With personalized search, these crowd-sourced modes of verification will work less well. We won’t know if the biases we encounter in search are also seen by others, or if the store shuffles its end-caps when it sees us walk in. It would be easier for an Evil search provider to subtly tweak results to favor paying clients or ideologies, unnoticed.

Finally, I’m reminded of the “ants” in Cory Doctorow’s excellent Human Readable — an automated adaptive system so complex even its creators can’t debug it or determine its patterns. If someone is paying off the ants, society can’t trace the payments.

When I asked a version of this transparency question to the “real-time search” panel at Supernova, Barney Pell of Bing suggested that users don’t want to know how the search works, only that it gets them useful results. Part of my utility function, though, is fairness. I hope we can reconstruct that broader view in a world of ever-more-personalized search.

Why did it take nearly a decade for portable video to move beyond compact DVD players? Why can we do so much more with music CDs and their successors than with DVDs and theirs? I argue the difference is baked-in DRM and its legal side-effects.

Copyright scholars have been talking for a long time about the DMCA and its impact on fair use — if your media is locked by DRM, you may be forbidden technologically from legally permissible criticism or transformation. (See the extraordinary lengths to which the MPAA goes in trying to say this isn’t so.) This is a serious problem, but it has bothered me that the focus has often eclipsed another DRM-induced problem, the foreclosure of open innovation and development around digital media.

In a draft paper, The Imperfect is the Enemy of the Good: Anticircumvention Versus Open Innovation, that will appear in the Berkeley Technology Law Journal this spring, I argue that conflicts with open development are a serious architectural flaw in anticircumvention law and policy. As we recognize the value of disruptive and user-driven innovation, we should shape the law to help, not hinder, this decentralized development.

Under an anticircumvention regime, the producers of media content can authorize or deny authorization to technologies for playing their works. Open source technologies and their developers cannot logically be authorized. “Open-source DRM” is a contradiction in terms, for open source encourages user modification (and copyleft requires its availability), while DRM compels “robustness” against those same user modifications. Since DRM aims to control use of content while permitting the user to see or hear it, it can be implemented only in software or hardware that is able to override its user’s wishes—and can’t be hacked to do otherwise. For a DRM implementation to make any sense, therefore, its barriers against user modification of the rights management must be at least as strong as those against user access to its protected content.

I characterize a “DRM imperative” and explore the technical incompatibilities between regulation by code and exploration of code. We see DRM centralizing development and forcing the black-boxing of complementary media technology, in a widening zone as it mandates that protected media be played only on compliant devices, that those may output media content only to other compliant devices, etc. The home media network is thus progressively closed to open-source development.

Foreclosing open development costs us technically, economically, and socially. We lose predicted technological improvements, those of user-innovators (von Hippel) or disruptive technologies (Christensen) from outside the incumbent-authorized set, that could offer new options for content creators and audiences (such as better playback, library, mixing, and commerce options). We lose social and cultural opportunities for commons-based peer production.

You can find the draft paper at SSRN, bepress, or here in PDF.