Those closest to Aaron certainly believe so. His family, in a statement, decried the “intimidation and prosecutorial overreach” of the US Attorney’s Office. At the funeral, Aaron’s father remarkedthat his son had been “killed by the government.” On the other hand, it has been widely documented — perhaps no more poignantly than by Aaron, himself — that the young programmer had long suffered from depression.

Regardless, we need not ascribe blame for Aaron’s suicide to realize that the stiff penalties and heavy-handed prosecution Aaron faced are both dangerous and asinine. Regrettably, they are also not outliers. Instead, they are the product of decades of vague and uninformed technology legislation and enforcement.

Law and Technology

In 2006, the late Senator Ted Stevens (R-AK) famously described the Internet as a “series of tubes,” providing fodder for late-night comics and activists who argued that an aging Congress was woefully out of touch with the realities of technology. Despite lawmakers’ limited understanding, though, the impact the law has on technological change can be profound.

To prove that aphorism, one need look no further than the historical development of peer-to-peer (P2P) file sharing. Since Napster broke onto the scene in 1999, lawmakers, courts, and P2P providers have been engaged in a game of legal cat-and-mouse. When Napster’s liability was predicated on its use of centralized servers to list and index available files, a new generation of P2P providers created decentralized networks. When decentralized Grokster was found liable for copyright infringement under a new theory of inducement liability, BitTorrent (an innovative and relatively unlitigated protocol) gained prominence.

The growth of P2P file-sharing highlights two truths about technology and law — first, that law has the ability to affect the trajectory of technological advancement, and second, that technologists may ultimately be able to find and exploit the gray areas in the law. In many ways, innovative technology is much like a young sapling in a dense forest — angling and contouring to reach to the limited sunlight available.

Vague and Overbroad Laws

One method lawmakers have used to ensure that laws continue to work in the face of new and unanticipated technology is to pass legislation with broad, encompassing language. While doing so might accomplish the intended task, such legislation can often end up being used in ways wholly unforeseen (and arguably unwanted) by legislators. An example of this can be found in Section 1201 of the 1998 Digital Millenium Copyright Act (DMCA). The provision criminalized circumvention of “technological protection measures” that protect access to or prevent copying of copyrightable works. The intended effect of the law was to help copyright owners curb piracy of digitally disseminated works by ensuring that any technological “locks” would not be quickly broken.

In reality, the law has been used to criminalize far broader activity than piracy. In 2010, the Ninth Circuit ruled on MDY Industries, LLC v. Blizzard Entertainment, Inc., a suit brought by the makers of the popular online game World of Warcraft. At issue was a program known as Glider, a bot automating the play of early levels of the game. Because Blizzard had sought to prevent bots through its own software (and because Glider had found a way around these ‘protection measures’), the court held that Glider’s creator had violated the DMCA.

While grounded in sound logic by the court, the outcome was irrational. In effect, a law intended to defend against piracy had made it a criminal act to cheat in a video game.

Aaron’s Charges

Aaron wasn’t indicted for a violation of §1201. The law he allegedly violated, though — the Computer Fraud and Abuse Act (CFAA) — is plagued with similar vagueness and absurdity,cataloged expertly by Marcia Hofmann of the Electronic Frontier Foundation (EFF). In her piece, she highlights the law’s reliance on the undefined phrase “exceeds authorized access.” As she notes, the broad language has often been used to criminalize activity that exceeds the law’s intent of preventing hacking.

Aaron’s indictment was much of the same — the government’s allegations seem to have relied heavily on the idea that Aaron had “exceeded his authority” by violating JSTOR and MIT’s terms of service and by bypassing restrictions JSTOR had put into place. But, as Aaron’s would-have-been expert witness detailed, this was far from a “criminal hack.” While the indictment breathlessly mines for salacious bits (like Aaron breaking into a wiring closet and seeking to avoid capture with a bicycle helmet mask), the reality of what Aaron did is far more benign — he broke the rules of a website and service provider. Yet, because of the overbroad and undefined language of the CFAA, prosecutors were able to treat the violation of JSTOR’s terms of service as a violation of federal law.

Where to Go From Here

Aaron’s death need not be in vain. In the past week, Representative Zoe Lofgren (D-CA) announced a bill known as Aaron’s Law, which would amend the CFAA to ensure that breaches of terms of service agreements would not independently constitute “exceeding authorized access.” This is a great first step, and something that should be passed by Congress immediately.

The legislative patch, though, does not solve all of our problems. Congress is still woefully under-informed about technology and still subject to powerful lobbying efforts that lead to the passage of vague and overbroad laws. The cruel irony of Aaron’s suicide is that he was among the best situated to create an effective change agent for Congress; his organization, Demand Progress, was instrumental in preventing the passage of the controversial Stop Online Piracy Act. Today, Aaron’s death serves as a tragic reminder of the potential impact of the law on technology and technologists. Tomorrow, we must hope it inspires the technological community to take a more active role in legislation, education, and congressional outreach.

Facebook seeks to raise $5 Billion in its initial public stock offering, making it the largest Internet IPO on record.  It is believed that its stock offering will value the company $75 and $100 billion.  Mark Zuckerberg, however, will maintain his control over Facebook with voting power of almost 60 percent of total shares.  Meanwhile, Facebook is coming under a siege of patent lawsuits.  In 2011, Facebook was named as a defendant in 22 patent infringement suits.

Google announced its new privacy policy, which is set to become effective on March 1.  The new policy will allow it to track users’ activities across YouTube, Gmail, its search engine, and nearly all of its other sites.  Users will not be able to opt out, which may trigger more scrutiny from federal regulators.

On January 23, the Supreme Court held that attaching a GPS device to track a vehicle constitutes a search under the Fourth Amendment and requires a warrant.  The ruling is considered a victory for privacy rights in the age of advanced technology, but some argue it was too narrowly reasoned on the basis of the physical intrusion of attaching the device.

Congress indefinitely shelved the controversial antipiracy bills SOPA and PIPA after over 7,000 websites, including Wikipedia and Google protested the bills, handing a crushing blow to the traditional media industry.

Following the shutdown of file-sharing site Megaupload last month and arrest of 7 company employees, Federal prosecutors announced that Megaupload user data would be deleted as early as Thursday (Feb. 2).  However, a nonprofit group stepped in at the last minute, announcing on Wednesday that it would work with data-storage providers to create a website that will allow legitimate Megaupload users retrieve their data.

Authorizing infringement

In a nearly two hundred-page judgment, Justice Dennis Cowdroy found that the applicant companies had succeeded in proving that users of iiNet’s services had “made available online,” “electronically transmitted,” and “copied” certain films. However, the applicants had failed to show that iiNet had “authorized” those infringements. The case centered around the use by iiNet’s customers of the peer-to-peer BitTorrent protocol to share movie files, in breach of the studios’ copyrights. The critical issue in the case was whether iiNet, by failing to take any steps to stop infringing conduct, authorized the copyright infringement by its users. Under Australian copyright law, authorizing the infringement of copyright by another is itself treated as an infringement.

Three step reasoning

There were three main steps to Justice Cowdroy’s reasoning:

1. He found that, though iiNet had knowledge of the infringements and did not act to stop them, this did not lead to a finding of authorization. Under the Australian law of authorization, there is a distinction between providing the “means” of infringement, and providing a “precondition” for infringement. Justice Cowdroy distinguished the present facts from earlier cases, including a 2005 Federal Court ruling in a case brought against the licensors of the Kazaa file-sharing software. In the Kazaa case, the software provided the “means” for infringement, whereas in the case of internet services, there did “not appear to be any way to infringe the applicants’ copyright from the mere use of the internet.” Here, the means of infringements at issue was the BitTorrent system, which iiNet had no control over.
2. AFACT had pushed for iiNet to implement a system of notification, suspension, and termination of infringing customers, but the judge found that this would not have been a “reasonable step” for the purposes of Section 101(1A)(a) of the Copyright Act 1968. This section provides that, in determining whether a person has authorized infringement, a court must consider, among other things, (a) the extent of the person’s power to prevent the infringement; (b) the nature of any relationship existing between that person and the infringer; and (c) whether the person took “any other resonable to steps to prevent or avoid” the infringement. The judge noted that “[t]he applicants appear to premise their submissions on a somewhat binary view of the world whereby failure to do all that is requested and possible to co-operate with copyright owners to stop infringement occurring, constitutes approval of copyright infringement. Such view is not the law. It is possible to be neutral. It is possible to prefer one’s own interests to those of the copyright owners.” (para. 504). iiNet could therefore not be held to be authorizing the infringements on the basis that they had failed to adopt a system such as the one urged by the applicants.
3. iiNet could not be seen as sanctioning, approving or countenancing copyright infringement, as it had done no more than to provide an internet service to its customers. In the Kazaa case the respondents intended copyright infringements to occur, and the software was deliberately structured to achieve this result. By contrast, in this case there was no evidence that iiNet “favored” infringement in its provision of access to the internet.

A disappointing ruling

The judge noted that the applicants would be disappointed by the ruling, as it was clear that infringement of their copyrights was occuring on a large scale, worldwide (para. 19). Yet this fact did not compel him to find authorization of infringement merely because “something must be done.” Australian law recognizes no positive obligation to protect the copyright of others, and the judge found that iiNet provides a legitimate communication service which is neither intended nor designed to infringe copyright (para.20). Justice Cowdroy is also reported to have remarked that “[i]f the ISPs become responsible for the acts of their customers, essentially they become this giant and very cheap mechanism for anyone with any sort of legal claim.”

The battle may not be over, however, as reports from before the ruling was issued suggest that AFACT may appeal the decision to the High Court of Australia, which could take another two years.

ISP liability in the United States

In the United States, secondary liability for copyright is dealt with as a matter of vicarious or contributory infringement, rather than “authorization” (though the concepts involved are similar). However, ISPs are protected from copyright infringement claims by Section 512(a) of the Copyright Act, which provides that service providers will not be liable for “infringement of copyright by reason of the provider’s transmitting, routing, or providing connections for, material through a system or network controller or operated by or for the service provider.” This section provides strong protection for ISPs, and likely explains why a case such as the one brought against iiNet in Australia has not been brought against a U.S. ISP.

Timeline

The first trial took place in 2007. A jury found that Thomas-Rasset (then simply Thomas) had “willfully” infringed and held her liable for $222,000 in damages. That figure came from a penalty of $9,250 per song, out of the $150,000 per song maximum permitted by the Copyright Act .

Thomas was granted a retrial because of a jury instruction that making a copyrighted file “available” was sufficient to show infringement. Federal Judge Michael Davis, who presided over the first trial, came to believe after appeal that his jury instructions were incompatible with Eighth Circuit precedent. Citing National Car Rental System, Inc. v. Computer Associates International, Inc. (8^th Cir. 1993), Judge Davis decided that the plaintiff had to show that defendant actually shared a file with a third party, rather than simply making the file available for sharing.

In the second trial in 2009, Judge Davis set aside a jury award of $1.92 million, calling it “monstrous” and pointing out that Thomas-Rasset did not make a monetary profit from her infringement. Davis reduced the damages to $54,000, allowing the parties to accept the award or proceed to a third trial.

The RIAA not only accepted the damages, but reduced them further in a settlement offer of $25,000. The RIAA’s terms allowed Thomas-Rasset to pay the award in installments to a fund for musicians. As a condition for the settlement, the RIAA said the judge would have to vacate his remittur (reduction) of the jury award.

Thomas-Rasset’s lawyers have announced her intention to reject this and any other settlement offer that requires her to pay damages. The RIAA’s deadline for accepting the offer was last Friday, January 29^th.

Issues

The major issue raised in this case is the constitutionality of the awards against Thomas-Rasset—and, by implication, future file-sharers like her. She intends to challenge the constitutionality of not only the $1.92 million jury award in the second trial, but also the judge’s reduced award. Even the reduced award, her lawyers contend, is unconstitutionally excessive: it is 2,250 times the usual $1 price of a downloaded song.

The RIAA is adamantly opposed to any finding that the judge’s awarded damages are unconstitutional. Moreover, the RIAA is trying to vacate the judge’s remittur because it is keen to prevent any precedent allowing judges to reduce jury awards in copyright infringement cases. That is why the vacature (making the original judgment legally void) of the remittur was the sole—and firm—condition of its settlement offer. For its absolute insistence on this point, the RIAA has been accused of bullying. Joe Sibley, one of Thomas-Rasset’s attorneys, recently described the situation as the RIAA trying to “scare” people into paying “exorbitant” damages. Nevertheless, the RIAA continues its attempt to vacate the remittur and thus keep the legal door open for million-dollar damages awards in file-sharing cases.

This trial raises another issue, namely what exactly it takes to prove infringement against a particular individual. Proving that songs were shared from a particular computer or IP address is often simple. However, proving that a particular user of that computer was the infringer is a different matter. Here, the files were shared from Thomas-Rasset’s password-protected computer at her IP address, using a username she had used for a number of years. The two juries evidently found this compelling evidence of Thomas-Rasset’s guilt, although Thomas-Rasset’s lawyers argued that anyone could have used the computer and username in question. Judge Davis was not convinced by and did not approve of Thomas-Rasset’s attempts to suggest that her children or ex-boyfriend infringed using her computer. The defense lawyers argued that alternative explanations were possible, and that MAC and IP addresses (identifiers for a particular computer that are transmitted during file-sharing) can be spoofed, though they offered no evidence that this had happened here.

Possible Future Developments

Wired recently described the RIAA as “winding down” its lawsuit campaign against file-sharers and shifting its efforts to getting internet access to infringers cut off. But there are still loose ends. Thomas-Rasset insists on going to a third trial rather than accepting a settlement. Therefore, it is still unclear whether there will be the precedent of a judge setting aside a jury award in a copyright infringement case will stand. That will depend on the outcome of the third trial.  Additionally, Thomas-Rasset’s challenge to the constitutionality of the judge’s award is still unresolved.

Furthermore, a second infringement case with a U.S. defendant also went to trial in July 2009: the recording industry’s suit against Joel Tenenbaum. The jury held Tenenbaum liable for $22,500 per song; since he was found to have infringed 30 songs, this amounted to $675,000 in damages. The judge finalized the jury award in December 2009. Like Thomas-Rasset, Tenenbaum is challenging the award’s constitutionality. Anyone who has ever shared a song using BitTorrent, Kazaa, or LimeWire should probably pay attention to what happens next.

• Chief U.S. District Judge Vaughn Walker in San Francisco decided to allow showing the trial challenging California’s Proposition 8 on YouTube, reports the San Francisco Chronicle.  The Wall Street Journal Law Blog questions whether that’s a good thing.

• Patent Librarian notes that Wikipedia citations in patent applications are up 59%, but Patently-O puts that increase in perspective.

• A report commissioned by the French government recommends taxing Google on their online advertising revenues in France to help fund legal outlets to buy media hurt by online piracy, reports the Mercury News.  President Sarkozy supports the measure, says PC World.

• The Wall Street Journal reports that Philip K. Dick’s estate claims Google infringed on its intellectual property by using the name “Nexus One” for the new Google-branded phone.  It brings to mind this recent post by Seth Godin.

• The Electronic Frontier Foundation responds to Bono’s recent New York Times Op-Ed, in which the musician / global icon lamented media piracy and suggested digital tracking be used to help criminal enforcement.

• Law.com provides an insightful guide to mining web 2.0 as a source of evidence.

• The Colorado Department of Transportation created an iPhone app to tell users if they’re too drunk to drive, the latest in a series of state efforts “to reach out to the Twitter-iPhone-Facebook generation,” according to the Wall Street Journal.

• The Ninth Circuit Court of Appeals affirmed [decision, pdf] a district court ruling that tasers should only be used in limited circumstances, as they pose a greater threat to their targets than other non-lethal police weapons.  The San Jose Mercury News reports on the suit that originated from a city police officer using a stun gun on a San Jose State student.

• Broadcom agreed to settle the securities fraud class action against it, says the Wall Street Journal Law Blog.

• The L.A. Times reports that the California Science Center has been sued for canceling a showing of film attacking Darwinian evolution and promoting intelligent design.

• Blizzard helps police make a drug arrest of a suspect tracked by his World of Warcraft account, posts kokomo perspective.

What’s a Torrent?

In 2001, Bram Cohen developed the BitTorrent protocol. The BitTorrent protocol transfers information by breaking it up, encrypting it and disbursing it to multiple computers. To be usable, the information is then reassembled from the multiple source computers at a single workstation.

This technique sets the BitTorrent protocol apart from previous peer-to-peer technologies. In most other peer-to-peer technologies, such as Kazaa, a single file is downloaded in its entirety from a single source on the network. The BitTorrent protocol – and similarly designed programs – differ in that every instance of the program can download sections of any file from multiple peers simultaneously. Once obtained, the file is then reconstructed on the downloading computer and shared in a similar manner on the network.

Seizing upon this new file-sharing method, a number of search engines quickly developed to utilize the BitTorrent protocol. These search engines index torrent files and make them searchable by users. Thus, people can easily search and share media, including movies, music and televisions shows, over the Internet using these websites. Two of the most popular torrent websites are isoHunt and TorrentSpy.

Copyright Problems (and Possible Solutions)

While these torrent websites provide an efficient method of file-sharing, they also face copyright problems similar to those that plagued previous generations of peer-to-peer technologies. Using the BitTorrent protocol and other similar programs, users can easily distribute illegal copies of copyrighted works. Such illegal sharing can mean trouble for the torrent websites and their users.

One potential “safe harbor” that might save these torrent websites from being shut down for copyright infringement is the Digital Millennium Copyright Act (PDF link), which was passed by Congress in 1998. Under the DMCA, websites that perform services such as database searches that might turn up copyrighted material can be exempt from liability if they take down the copyrighted material once it is properly identified through certain takedown procedures.3

Current Lawsuits

On February 26, 2006, The Motion Picture Association of America (MPAA), acting on the behalf of major movie studios, sued a number of torrent websites including isoHunt and TorrentSpy. In its press release (PDF link), the MPAA stated that these websites “encourage” copyright infringement. By accusing the websites of “encouraging” infringement, the MPAA is making the case that the torrent websites knowingly link to copyrighted work and are thus ineligible for protection under the safe harbor provision of the DMCA.

But the torrent websites themselves are not the only ones who should be worried about these lawsuits. During the early phases of the lawsuit against TorrentSpy, a federal judge ordered TorrentSpy to start keeping a log of all users who connect to the server (PDF link). Obviously, this could mean trouble for the millions of users of these websites.

Torrent Websites’ Responses

Both TorrentSpy and isoHunt have changed their tactics in response to the judge’s order. TorrentSpy has started identifying and blocking users from the US, such that American users cannot do searches on the site. Instead, US users are forwarded to a page titled TorrentSpy Acts To Protect Privacy. Ironically, part of TorrentSpy’s stated reasoning for this is that as an EU-based entity they must follow EU privacy laws and hence cannot link identifying information to activities on the website.

isoHunt’s approach is in some ways similar to TorrentSpy’s: first and foremost, isoHunt moved its servers to Canada in an attempt to escape US jurisdiction. However, unlike TorrentSpy, isoHunt has also created a takedown process, which allows content owners to remove content from the site. isoHunt also started blocking access to torrent trackers operated by isoHunt itself. isoHunt’s strategy is clearly to cease to become a distributor (at least to US citizens), and instead to become ‘only’ a specialized search engine – much like Google or YouTube. As such, isoHunt might then be able to seek protection from the DMCA’s safe harbor provision.

So Now What?

It remains to be seen whether or not isoHunt’s approach will fly in court. Taken at face value, the language of the DMCA’s safe harbor provision applies only to Internet Service Providers (PDF link) doing things like transmitting email, rather than search engines like isoHunt or even Google. While a court might be willing to give a critical piece of infrastructure like Google the benefit of the doubt when interpreting this language, it seems unlikely that a court would give isoHunt similar leeway. As a result, TorrentSpy’s approach – disassociate yourself altogether from US users – may prove the more reliable one.

It is worth noting that the technology both sites use to block US users is imperfect. The article Guide for Canadians Wanting To Use Demonoid points out a number of mechanisms which allow Americans to sneak around these blocks.13 Any court looking at the problem will face an interesting and apparently unprecedented question: if a website makes a good-faith effort to block Americans from using the service, but they get access anyway, is the website liable in the US, or does liability shift primarily to the people trying to get access? At this time, the answer looks academic, as operations of both groups have shifted outside the US, but whatever the court decides may have interesting implications for future cases involving organizations (like Google) that can’t just get up and move when they are sued.

By Hailey DeKraker, Shawn Oakley, Luis Villa and Sarah Calvert. Originally posted at the Columbia Program on Law and Technology blog.