Online Security, a global provider of computer forensics and information technology risk mitigation since 1997


  DMCA criminal liability for software developers  


   
  Safeguard or overkill?

 
  Write Code – Go to Jail:
Posted: Apr 24 2002
Bill Reilly

Write Code – Go to Jail: A look at the DMCA criminal liability for non-US software developers

Imagine you are a European software development firm that specializes in network security software, and one of the programs you have been developing tests the quality of encryption algorithms. You post the program on your website as freeware, hoping that other programmers might be able to contribute to the code. Over Easter, you plan a trip with your family to Disneyland in California. However, waiting at the airport as you get off the plane are federal marshals to escort you to your new accommodation. You are visiting a different kind of Fantasyland than you had intended. So what can you do to lessen the chances of having an extended US vacation in a federal holding cell?

This scenario is not something from Tomorrow Land; a similar scenario is being played out in federal court in California. A Russian company is being criminally prosecuted for developing software in Moscow that allegedly violates the anti-circumvention provisions of the Digital Millennium Copyright Act ("DMCA"). This article will explain the relevant criminal provisions of the DMCA, and explore how the US Attorney has applied the law to foreign software developers. Finally, taking both into consideration, I will offer theoretical suggestions for non-US firms facing such dilemmas.

Essentially, this article looks at the public documents filed in the case by the prosecution and tries to make suggestions on how to avoid falling into their jurisdictional argument. While many, if not all, of the prosecution's arguments should be denied, the important point is that they have made these arguments to the Northern District Federal Court, and until these provisions of the DMCA are tossed out, there is nothing stopping the US Attorney from applying the same rules to a similar scenario.

It must be strongly noted here that this area of the law has not been tested in court, and any interpretation of the DMCA is only a general opinion. The purpose of this article is not to provide specific advice, but to increase the awareness of non-US software developers of the legal traps that they can fall into if they are not careful with their Internet distribution strategies. Any software developer who believes that the DMCA might apply to them should seek adequate legal counsel to advise them on the specifics of their situation.



The DMCA:

So what is the DMCA and how can it apply to non-US companies? The DMCA is a highly controversial law passed by Congress and signed by President Clinton in 1998. While some parts of the DMCA cleared up some contentious issues, like ISP liability for content posted by third parties, other parts of the Act, most notably 17 USC Section 1201, have created a storm of controversy for its breadth and severity. Section 1201 is titled “Violations Regarding Circumvention of Technological Measures” and it states that “no person shall circumvent a technological measure that effectively controls access to a work protected under this title.”

It is helpful to define a few of these concepts. According to the DMCA, to “circumvent a technological measure” means to “descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” So what is a “technological measure”? The statute states that a technological measure “‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”

In other words, the Act prohibits someone from bypassing a control without authorization from the copyright owner. In some ways, while controversial, at least there is an element of intent to access something that someone else is trying to keep you out of without their approval.

However, it is more controversial to prohibit someone from even writing the code that someone else could use to bypass the control. It all comes down to “fair uses” and the rights to access the copyrighted content without the approval of the owner. In the US, as well as most international copyright treaties, there is a carefully negotiated balance between the rights of the creator and the users.

In order to provide incentive for creators to create content, the US government will grant the creator a limited monopoly so he can market and control his content without fear that someone will simply copy his efforts. However, in exchange for this limited monopoly, copyright law provides certain fair uses of the content as a defense to an infringement claim. Section 107 of the copyright code allows certain fair uses of the copyrighted content without authorization from the owner for criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, and research. But these fair uses are not absolute.

The court will look at several factors, such as the purpose and character of the use, the nature of the content, the amount of the work that was copied, and the effect that the copied material will have on the market value of the work. Copyright fair use is a very complicated area of the law. The reason for explaining the finer points of copyright law is to demonstrate that there are legitimate statutory fair uses of copyrighted material. However, digital technology allows owners to lock up copyrighted material that others might have a legitimate fair use to access.

Essentially, digital copyright owners have broken the balance that entitled them to the monopoly in the first place by locking content in a box and possessing the only key.

It is important to understand this distinction because the DMCA goes one step further than just allowing copyright owners to lock up their content away from fair uses. The DMCA prevents anyone from even making the lock picking sets that others can use to unlock content for their possible fair uses of the content.

Section 1201(b) states that “no person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that … is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner, … has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure, … or is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing protection afforded by a technological measure.” In other words, Section 1201(b) criminalizes the development of software lock picking sets that are designed to circumvent a copyright control.


In most states, lock picking sets are legal to manufacture and possess, but become illegal to possess when the set is used for a criminal purpose. There are legitimate uses for lock picking sets. However, you can not use them to commit a crime. The same goes for guns, crow bars, archery sets, etc… It is not illegal in any of these cases to make these items. There are laws already on the books that prohibit their use in crimes. Copyright law also provides for criminal penalties for willfully violating someone’s copyrights.

In the 1970’s and 1980’s, Congress did not outlaw cassette recorders or VHS machines, despite attempts to do so by the recording industry. However, the DMCA does precisely that – it outlaws the development of digital lock picking sets without even any illegal purpose. Not only is the development of the lock picking set illegal, but there are extremely serious penalties associated with writing such code in your office. The maximum penalty for each trafficking charge is five years in prison and $500,000 in penalties. In the Russian programmer case, the company is facing 5 different counts of the DMCA, each posing a liability of $500,000, not to mention the years at Club Fed.

Jurisdiction and non-US Companies:

Even if one assumes the DMCA is constitutional, how can the US government prosecute a non-US national for coding a program in Russia, where the program itself is legal? Jurisdiction is one of the most complicated areas of US law, and is even more so when applied to cyberspace.

There are very few court decisions on the matter. Essentially, for a court to get control of you, it must have personal jurisdiction and subject matter jurisdiction over you. In order to get personal jurisdiction over a non-resident, the court must find that there are sufficient “contacts” between the US and the person charged with the crime.

The federal courts would first look to see if the state has a law on its books that says non-residents can be tried in their courts, as long as it complies with the US Constitution. However, this is almost never a problem. The challenge for the prosecutor is to show that the contacts with the state are at a minimum level.

This means that they have to show that the defendant “purposefully availed” himself of the benefits of the laws of the state, and that it was foreseeable for him to be brought into court there. The prosecutors must also argue that it would not violate the defendant’s Constitutional Due Process rights, and yes, foreigners have such rights.

Without getting into too much civil procedural detail, essentially the court is going to look at any contracts you made in the forum, whether your web site is active (people can transact business, like download software, etc…) or whether it is a passive “pamphlet” site, where your server is physically located, the extent of prior business or legal contacts in the forum, whether you have targeted your material or efforts at selling in the forum, etc… Essentially, the court is trying to determine if you would have thought it was likely you could, someday, be sued in the state.

There is also the issue of subject matter jurisdiction. This is essentially whether the law itself states that it applies to you. Normally, Congress must explicitly say that the law applies “extraterritorially,” or to non-residents, located in another sovereignty. Anti-terrorism, child pornography, cybercrime and drug-related statutes are a few that expressly say so.

One serious issue with the DMCA is whether it can be applied “overseas” because it is not obvious that Congress explicitly authorized the law to extend that far. However, the point of the article is not to debate the future of the DMCA, but rather to suggest ways to stay out of harm's way.

So, if you are a software developer who might be writing code that may potentially violate the above anti-circumvention provisions of the DMCA, what can you do?

I. The Location of Your Servers or Web Hosting Service:

As I mentioned above, there are many areas of cyberspace jurisdiction and the DMCA that have not been tested in court. The best way to avoid being a test case is to be as conservative as possible in your online activity. One way to help avoid US jurisdiction is to make sure your ISP’s servers are not located within any US jurisdiction, such as the 50 US states and its territories. There are several things to watch out for that can be subtle. Someone should go through all of your public HTML code to make sure there are no “a href” links to US located server sites. You can do this by running a traceroute on the domain name or IP address and see if it ends up in a US-located server.

One must be careful to check all links. For example, if your shareware version is linked to a shareware site that is in the US, that might account for “trafficking” in the contraband software because it was digitally sent to the US by none other than yourself.
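The link review described in this section can be scripted. The following is an added example, not part of the original article: it collects every external host a page points at (`href`, `src` and `action` attributes, including protocol-relative URLs) and checks each resolved address against a list of networks to flag. The sample pages, the DNS table and the flagged range are constructed; in real use the resolver would be a DNS lookup and the ranges would come from a geolocation source of your choosing, which is an assumption here.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that point a visitor (or a download) at another host.
URL_ATTRS = {"href", "src", "action"}


class LinkCollector(HTMLParser):
    """Collects the hosts referenced by one HTML document."""

    def __init__(self):
        super().__init__()
        self.hosts = {}  # host -> list of (tag, url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <A HREF=...> is covered.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                url = value.strip()
                host = urlsplit(url).hostname  # None for relative links and mailto:
                if host:
                    self.hosts.setdefault(host.lower(), []).append((tag, url))


def audit_links(pages, resolve, flagged_networks):
    """Return (page, host, ip, status) for every external host in `pages`.

    pages            -- dict of file name -> HTML text
    resolve          -- callable host -> IP string or None (hypothetical hook;
                        socket.gethostbyname would be one real choice)
    flagged_networks -- CIDR strings you consider to be inside the jurisdiction
    """
    nets = [ipaddress.ip_network(n) for n in flagged_networks]
    findings = []
    for page, html in sorted(pages.items()):
        collector = LinkCollector()
        collector.feed(html)
        for host in sorted(collector.hosts):
            ip = resolve(host)
            if ip is None:
                # Cannot be classified automatically; needs a manual look.
                findings.append((page, host, None, "unresolved"))
                continue
            addr = ipaddress.ip_address(ip)
            status = "flagged" if any(addr in n for n in nets) else "ok"
            findings.append((page, host, ip, status))
    return findings


# --- Constructed sample data (documentation host names and address ranges) ---
SAMPLE_PAGES = {
    "index.html": """<html><head><link rel="stylesheet" href="/style.css">
<script src="//stats.example.net/counter.js"></script></head>
<body><a href="download.html">Download</a>
<a href="mailto:info@example.org">Contact</a>
<a href="http://mirror.example.com/tool.zip">Shareware mirror</a></body></html>""",
    "download.html": """<form action="https://pay.example.net/order" method="post"></form>
<A HREF="http://files.example.org/tool.zip">Direct download</A>""",
}
SAMPLE_DNS = {  # pay.example.net is deliberately missing
    "stats.example.net": "198.51.100.20",
    "mirror.example.com": "198.51.100.7",
    "files.example.org": "203.0.113.5",
}
SAMPLE_FLAGGED = ["198.51.100.0/24"]  # stands in for "hosted in the US"

if __name__ == "__main__":
    for row in audit_links(SAMPLE_PAGES, SAMPLE_DNS.get, SAMPLE_FLAGGED):
        print(row)
```

An address range only says where a block is registered, so a flagged or unresolved host still calls for the manual traceroute check the text describes.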

II. Your Website:

The court will be looking at the extent that you have targeted the US in order to determine whether it is reasonable to assume that you could have foreseen being sued in the US. It is okay if your website is in English, most likely. If you have more than one language, you might use the British flag for the English language icon. Of course, if it is in German, or Danish, then you would have a better argument.

When reviewing your web site, look for any references to the US that can be construed as “targeting” or attempting to influence US consumers or commerce. For example, do you have US consumer testimonials? Are your products priced only in US dollars? While this is not determinate of US contacts because of the global nature of the dollar, it could be further evidence of US relations.

One thing to remember when exploring your web site is to imagine that each page could appear as an exhibit in a prosecution against you. Is there anything in the HTML code you do not want to have to explain to a jury?

III. Telephone and contact information:

It would not be advisable to have a US-based toll free number, such as a 1-800 number, that can only be accessed within the US. It is best to only have non-US addresses, telephone numbers, fax numbers and personnel.

IV. Metatags:

Another critical area of the web site is the metatags. Watch out for any words that can be used to suggest either criminal intent or targeting the US. You will know them when you see them. Metatags have been used against the web site owner in numerous cases already, typically to show bad faith in trademark infringement. In a criminal copyright case, the prosecution can use metatag words to help argue that the defendant willfully violated the statute.

V. Top Level Domain:

The top level domain of your firm should not be too prejudicial in context of the other non-US elements of your activity. A “dot com” domain is so universal, that it hardly can be construed as constituting a US business, or targeting or passing off as a US company. However, there are some cases that hold that the location of the domain registrar can implicate US jurisdiction, but these are primarily domain name disputes. So a “dot com” domain name that points to an IP address outside of US jurisdiction should not involve any issues of trafficking in the US, or an intent to target the US market.

VI. Declarations and Warnings:

It could be helpful to explicitly state, in an obvious location on the download page, that the software may be in violation of the DMCA, and that you do not approve of any US-based download of the software. The warning should also state that it is the responsibility of the downloader to ensure that the software complies with local law, as it is impossible for the software developer to know where it is being downloaded and the legal climate of its final destination. Currently, it is impossible to identify with 100% certainty the actual origin of the downloader.

It can also be argued that, as a non-US company, you are not obligated to spend your funds and employee time to comply with the law of the US, a country with which you have no contacts, either prospective or actual. (If you do have contacts with the US, do not despair: read the last section.) The warning should be in an obvious location, such as directly under the download link or, even better, on a click-through page, where the downloader has to click on a button acknowledging that he is not from the US and that the software will not be used to violate US copyright law.

However, if you wanted to add another level of security, you could implement a reverse IP lookup to deny access to the file to IP addresses that “could” originate from the US. This is not perfect technology, but it would be evidence to a court that you took reasonable measures to comply with US law.

VII. The Software:

The location of the allegedly contraband software is increasingly important. In the public Sklyarov indictment filed August 28, 2001 www.denmarket.dk, the prosecution made a big deal of the location of the software. The government noted that the software was available for purchase on the Elcomsoft website which was hosted by an ISP in Chicago, Illinois, and that a registration key was sent by the company to the downloader in the US.

In order to help play it safe, it is best not to host any questionable software on your own domain, no matter where it is located. Rather, host it on another domain located outside of the US and provide a link to that domain. Nevertheless, by further distancing yourself from the process, you also lose control over the circumstances that control the download, such as any representations or suggestions that you are targeting the US.

One concern about linking from your site to a site that hosts the allegedly contraband software program is whether the courts will apply the logic in the alt.2600 Reimerdes case that banned even the linking to another site. 2600 publishes a paper “hacker” magazine and hosts a web site that contains content of interest to the hacking community.

The web site posted an article about DeCSS, a program that defeated the DVD anti-circumvention controls of CSS. The web site also posted a link to the DeCSS source and object code. Amazingly, the court held that the defendants were barred from "knowingly linking any Internet web site operated by them to any other web site containing DeCSS, or knowingly maintaining any such link, for the purpose of disseminating DeCSS." Universal II, 111 F. Supp. 2d at 346-47.

This was a controversial holding for several reasons that are relevant to non-US software developers. First, the court essentially said that although the DMCA expressly states that it will not interfere with “fair uses” of copyright material and therefore anti-circumvention devices can be protected to lock out fair uses, the court somehow held that the DMCA concerns itself only with building the lock boxes, and does not concern itself with what someone does with the content after they have picked the lock on the box. I know, it doesn’t make sense. But the court started with a conclusion, and tried to find a way to reach that conclusion.

The second relevant finding in the 2600 case for software developers is the court’s analysis for determining when a web site can link to “bad” programs. When considering whether a web site can be prohibited from linking, the court will require clear and convincing evidence that those responsible for the link:

(a) know at the relevant time that the offending material is on the linked-to site, (b) know that it is circumvention technology that may not lawfully be offered, and (c) create or maintain the link for the purpose of disseminating that technology.

The appellate court noted that this test may be too strict, and that a lesser standard of proof than “clear and convincing evidence” may be acceptable. One argument that may work in favor of non-US developers who link to their software on another non-US site is that there is no clear and convincing evidence that the software is not being legally offered. It is technically only unlawful if the software is downloaded in the US, and it is impossible for the developer to know who is downloading the software on a 3rd party web site, as long as the software is lawful wherever it is being hosted.

In summary, one should be very careful hosting the software on one's own non-US server because the act of someone in the US downloading it could be construed as “trafficking.” If one hosts the software on another 3rd party non-US server and provides a link to the software, make sure any contracts with that 3rd party make no reference to the US.


VIII. Transactions:

The choice of credit card transaction processor is a very important consideration; perhaps the most important. The US Attorney noted several times in the Sklyarov indictment that the company contracted with “an online payment service, RegNow, based in Issaquah, Washington.” Normally, software developers do not handle the credit card transactions internally for security and management reasons.

However, most of the largest software transaction and distribution firms are in the US. Using one of these services could subject you to US jurisdiction because you are formally entering into a contractual business relationship with a US company, sending the software purposefully into the US, and conducting sales within the US. It is really asking for trouble to essentially have a US distributor for your software that may violate the DMCA.

Also, the distributor’s typical contract contains a “forum selection” clause that specifies the jurisdiction where disputes are to be settled, which is typically where the US distributor is located. This is another positive argument for the prosecution that you had sufficient “contacts” with the US. You might want to check out an analysis of the different shareware registration firms to find the best, non-US firms at www.blackcatsystems.com

IX. Promotion:

The courts will often look at the extent that the software company promoted the product within its jurisdiction. This can take the form of targeted e-mail correspondence, advertisement in media and on other web sites, white papers, and even web forms on your own web site. However, participation in conferences can also be persuasive to a court seeking jurisdiction. Sklyarov attended a convention in Las Vegas to discuss the nuances of the program, and the FBI affidavit and the US Attorney’s indictment seem to stress the fact that he was here to promote the software.

X. Correspondence:

Obviously, one can not effectively run a software development company in paranoia mode for very long by obsessing about tripping over the laws of every nation that has citizens wired on the Internet. However, it is advisable to watch out for the digital paper trail you leave on the Internet because it will end up being used against you in court if it supports any of the prosecution arguments, like “willfulness,” “intent to circumvent,” etc…

Essentially, the prosecution is going to scour the Usenet and Internet for comments made by you and your employees about the product and your motivation for making it. Did you get in any political discussion on Slashdot or a Usenet group about the DMCA? Did you offer advice to a US resident about how to use your product to circumvent copyright controls? Are there any incriminating statements made on archived versions of your web page that can be revived on the Way Back Machine www.archive.org? Essentially, try to consider the impact of political or controversial statements when you publish comments on the Internet. They may come back to bite you and provide the prosecution with that needed “clear and convincing” evidence.

XI. Copyright protections:

The area of copyright notification is a tricky one. In the software license agreement, and on the web page, one should be careful about expressly stating that all the rights under US copyright law are reserved. Obviously, it weakens the argument that it is unreasonable for you to be subject to penalties of US copyright law, if you explicitly sought the protections of US copyright law for yourself. There really isn’t a good solution for maintaining your rights to protect your copyrights in the US while avoiding DMCA liability. Under the Berne Convention, copyright protections are reciprocal amongst signatory members. (Note: This is another area where you should seek specific legal advice. I do not know the consequence of not stating that the software is protected by U.S. Copyright Laws.

Software does not have to be registered to be protected. Copyright protection subsists from the time the work is created in fixed form. The copyright in the work of authorship immediately becomes the property of the author who created the work. US copyright registration is not a condition of copyright protection. If the work is not registered, the owner can only recover actual damages and lost profits.

There are at least 8 different International copyright treaties, and the scope of your protections will depend on which treaties your country has signed. A decent summary of International copyright treaty relationships can be found at www.loc.gov.

Is it enough to place the user on notice that the software is protected under the International Berne Convention? I’m sure each jurisdiction is different.)

XII. Notification and Defensive Measures:

If you ever receive a letter from the US demanding that you take down software that someone thinks is violating Section 1201, it would be wise to immediately cut the links from your web site and contact your lawyer.

Do not ignore the letter or respond personally to the letter because it will only worsen your situation. However, a quick response to the letter could create a favorable impression with the court, and a well-written letter from your attorney could defuse the entire situation before it gets out of hand.

If you do receive such a letter, be very cautious travelling to the US. The US company may attempt to gain personal jurisdiction over your company by seizing someone in authority while on a visit to the US.

You might want to review your server logs to see if the FBI or the US Attorney has visited your site, how often, and which pages they have visited. (In fact, you may want to write a daemon program that notifies you whenever someone accesses your site from a US government IP address or domain name. This could grant you advance warning of a surprise indictment. Perhaps it would even be wise to review the server logs prior to any US visit.)
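The log review suggested above can be done as a batch pass over a web server access log. The following is an added example, not part of the original article: it parses Common/Combined Log Format lines and reports, per client address, the visits whose reverse-DNS name ends in a watched suffix or whose address falls in a watched network. The log lines, PTR names and address ranges are constructed, and the choice of suffixes and ranges is an assumption left to the operator.

```python
import ipaddress
import re
import socket

# Common/Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def ptr_lookup(ip):
    """Reverse-DNS name for ip, or None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:
        return None


def classify(ip, suffixes, nets, reverse):
    """Return the reason an address is of interest, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return "network:%s" % net
    name = reverse(ip)
    if name and any(name.endswith(s) for s in suffixes):
        return "ptr:%s" % name
    return None


def review_log(lines, watch_suffixes, watch_networks, reverse=ptr_lookup):
    """Return (report, skipped); report maps client IP -> visit summary."""
    # Normalise suffixes to ".gov" form so "notgov" or "gov.isp..." cannot match.
    suffixes = ["." + s.strip(".").lower() for s in watch_suffixes]
    nets = [ipaddress.ip_network(n) for n in watch_networks]
    cache, report, skipped = {}, {}, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        ip = m["ip"]
        if ip not in cache:  # one DNS lookup per distinct client
            try:
                cache[ip] = classify(ip, suffixes, nets, reverse)
            except ValueError:  # host field was not an IP address
                cache[ip] = None
        if cache[ip] is None:
            continue
        entry = report.setdefault(
            ip, {"reason": cache[ip], "hits": 0, "paths": [], "first": m["time"]}
        )
        entry["hits"] += 1
        entry["last"] = m["time"]
        if m["path"] not in entry["paths"]:
            entry["paths"].append(m["path"])
    return report, skipped


# --- Constructed sample data (documentation address ranges, invented names) ---
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2002:09:14:02 +0100] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.44 - - [12/Mar/2002:09:20:41 +0100] "GET /download.html HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    '203.0.113.44 - - [13/Mar/2002:16:02:10 +0100] "GET /tool.zip HTTP/1.0" 200 734003 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [13/Mar/2002:17:45:00 +0100] "GET /about.html HTTP/1.0" 200 1800 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [14/Mar/2002:08:00:00 +0100] "GET /download.html HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    'truncated or corrupt line',
]
SAMPLE_PTR = {
    "192.0.2.10": "dsl-10.isp.example.net",
    "203.0.113.44": "proxy.agency-placeholder.gov",
    "198.51.100.9": "gov.isp.example.net",  # "gov" label, but not a .gov name
}
SAMPLE_SUFFIXES = ["gov", "mil"]
SAMPLE_NETWORKS = ["198.51.100.64/26"]  # placeholder for a range you track

if __name__ == "__main__":
    found, bad = review_log(SAMPLE_LOG, SAMPLE_SUFFIXES, SAMPLE_NETWORKS, SAMPLE_PTR.get)
    for ip, info in found.items():
        print(ip, info)
    print("unparsed lines:", bad)
```

A PTR record is set by whoever controls the address block and many addresses have none, so a match is a lead to follow up on, and the absence of matches says nothing about visits made through a commercial ISP.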

XIII. Companies with Present Contacts in the US:

The bottom line is that you should make sure that nothing on your website indicates that you targeted the US or had any form of relationship with the US. However, because the US is such an economic powerhouse, it is often not that simple. Companies will often find themselves with extensive US contacts, and a program that may or may not be considered illegal contraband. What should they do if they can’t isolate themselves neatly from US jurisdiction?

The first thing the company should do is try not to violate Section 1201(b)(1)(A) and Section 1201(b)(1)(C). Once again, as none of the subsections have been tested in court, these suggestions are merely academic conjecture.

A. Trafficking in Technology Primarily Designed to Circumvent Technology that Protects a Right of a Copyright Owner:

Subsection 1201(b)(1)(A) essentially prohibits the trafficking in technology that is primarily produced “for the purpose of circumventing protection afforded by a technological measure.” The key here is not to traffic in the software in the US. This means following much of the above concepts to stay clear of the US.

The more a firm has at stake in the US, the more it might want to invest in origination filtering technology. Hopefully, the courts will follow the analogy that, while it is illegal to sell cigars in the US, the US can not prohibit all commercial contacts with non-US retailers who sell Cuban cigars in their stores overseas.

Likewise, if a software development firm has a bundle of software it sells in the US, but sells the anti-circumvention device to only non-US clients, hopefully the court would not seek to extend jurisdiction over that non-US activity, particularly since the DMCA does not appear to expressly confer extraterritorial jurisdiction to Section 1201.

However, the courts may find that the nature of the crime implies the non-US application. This is a highly unsettled area of the law at the moment and you will need competent legal representation to keep abreast of new developments.

B. Trafficking in Technology Marketed for Use in Circumventing Technology that Protects a Right of a Copyright Owner:

Subsection 1201(b)(1)(A) essentially prohibits the trafficking in a device that “is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof.”

Essentially, the difference between these two subsections is the marketing element, compared to the design element. One must be very careful about the distribution structure and the marketing copy accompanying the web site, including web page text and metatags. This subsection appears to focus more on the marketing channels, than the device itself. In the marketing copy, even though it isn’t targeted to US end users, one should stress the fair uses of the product, if there are any.

Aside from the risk of providing the prosecution with ammunition, any potential infringing uses of the software should never be highlighted, because it could also violate domestic and international copyright laws. Once again, extreme care should be taken with the distribution structure to ensure there is no physical or contractual US involvement.

One possible method of staying on the safe side of the DMCA is to require online registration prior to downloading the program. The form can be configured to deny access to the download page if the user enters a US address in the input box.

If the other above suggestions are followed, and the developer deploys a form that can deny access to US users based on their response, it might persuade a court that you did not willfully intend to traffic in the US. However, be aware that the prosecution will look under every public posting and every line of html code to find evidence to the contrary.


Conclusion:

Unfortunately, writing the wrong kind of software code in your own country, where it is perfectly legal, can get you thrown in jail in the US if you upload your program onto the Internet. Until the courts decide whether the anti-circumvention provisions of the DMCA are Constitutional, software developers need to make sure they take every precaution that they do not “traffic” in code that violates the DMCA. One good place to keep track of the judicial progress on these issues is at the Electronic Frontier Foundation - www.eff.org


If you believe that you have conducted research or have developed a product that might violate the DMCA, you should seek legal advice about the legality of your products and your DMCA liability. And on your next trip to the US, be sure to pack the book Living in Prison: The ecology of survival by Hans Toch.




Bill Reilly is a California-based network security attorney, member of the California Bar and a GIAC-certified Advanced Incident Handler. Bill Reilly can be contacted at reilly@ebutik.com or US: (415) 771-3463.

Copyright(c) 2002 William Reilly. All rights reserved.

This article does not in any way offer legal advice of any kind. Rather, the article is meant as a comment and analysis of a statute and may not be taken for specific legal advice. Please seek legal advice from an attorney in your jurisdiction for advice specific to your situation.

