FC: RIAA replies to Politech post, clarifies position on hacking PCs

[Declan McCullagh <declan () well com>]

[I promised Jano that I would send out RIAA's sur-reply with no editorial 
comment prepended, and here it is. It's a response to: 
http://www.politechbot.com/p-02702.html --Declan]

**********

From: JCabrera () riaa com
Subject: Re: RIAA claims it never wanted to hack PCs, was misunderstood
To: Declan McCullagh <declan () well com>
Date: Wed, 24 Oct 2001 14:05:26 -0400

That's a good question. The answer to whether our proposal would permit a
copyright holder to hack computers and delete information is: No,
absolutely not.

Here is why:

First, our language would have applied only to actions that do no more than
"impair the availability" of data, a program, or a computer. (Note that
section 1030 refers to both the "integrity" and "availability" of data. Our
language addressed only availability.)  Thus, if any action taken to
protect copyright had the effect of deleting, altering or destroying data,
a program or a computer -- even unintentionally --  that would still be
defined as "damage" under the Computer Fraud and Abuse Act and the
copyright holder would have been subject to suit.

Second, our language would only have protected "reasonable" measures.
Actions that caused damage to a computer would not be "reasonable."

Finally, our language provided no immunity from criminal investigation or
prosecution.  Thus, any actions taken by a copyright holder to protect its
works would be at risk of criminal liability, a substantial guarantee that
such actions would be reasonable ones.

That all said, we recognize that a perfectly reasonable human being -- when
shown this language without any context -- could think that it would allow
any number of things, including hacking and what not. But in fact, that is
not the case. Once the language is read carefully, in context as an
amendment to an amendment to an existing statute (a very long and complex
statute) that clearly does not allow anyone to damage a user's data or
computer, we would hope that that same reasonable human being would agree
that there has simply been a misunderstanding.

**********

[The next message is a reply from R. Polk Wagner, an assistant professor at 
the University of Pennsylvania's law school who teaches intellectual 
property law, to the above message from the RIAA. --DBM]

Date: Wed, 24 Oct 2001 15:47:10 -0400
Subject: Re: RIAA claims it never wanted to hack PCs, was misunderstood
From: "R. Polk Wagner" <polk () law upenn edu>
To: Declan McCullagh <declan () well com>

>> From: JCabrera () riaa com
>> Subject: Re: RIAA claims it never wanted to hack PCs, was misunderstood
>> To: Declan McCullagh <declan () well com>
>>
>>
>> That's a good question. The answer to whether our proposal would permit a
>> copyright holder to hack computers and delete information is: No,
>> absolutely not.
>>
>> Here is why:
>>
>> First, our language would have applied only to actions that do no more than
>> "impair the availability" of data, a program, or a computer. (Note that
>> section 1030 refers to both the "integrity" and "availability" of data. Our
>> language addressed only availability.)  Thus, if any action taken to
>> protect copyright had the effect of deleting, altering or destroying data,
>> a program or a computer -- even unintentionally --  that would still be
>> defined as "damage" under the Computer Fraud and Abuse Act and the
>> copyright holder would have been subject to suit.
>>

Fair enough.  But he's saying that _another_ law would presumably trip them
up, not this particular law.  It obviously raises the question about why
they felt they should seek an exception from this new law, if the CFAA would
stop them anyway.  I simply don't know enough about the details of the CFAA
to understand their strategy here.  But as the Wired News article pointed
out, something seemed to be up.

And it doesn't change the thrust of the controversy: that the RIAA was
seeking an exception to new causes of action relating to hacking.



>> Second, our language would only have protected "reasonable" measures.
>> Actions that caused damage to a computer would not be "reasonable."
>>

It might if the intent of the hack was reasonable, even if things went wrong
and caused all sorts of trouble.

Did the proposed language mean that: (1) the "intent" had to be reasonable
(i.e., related to copyright protection) or (2) that the "techniques" had to
be reasonable (i.e., not disproportionate) or (3) that the "end result" had
to be reasonable (i.e., unexpected consequential damages).


>> Finally, our language provided no immunity from criminal investigation or
>> prosecution.  Thus, any actions taken by a copyright holder to protect its
>> works would be at risk of criminal liability, a substantial guarantee that
>> such actions would be reasonable ones.
>>

Again, this is certainly correct.  Other penalties and limitations might
apply.  But the question remains: _why_ seek the new shield from liability?
They've answered that for us: to preserve their existing right (in their
view) to use technological measures (which may include hacking).


>> That all said, we recognize that a perfectly reasonable human being -- when
>> shown this language without any context -- could think that it would allow
>> any number of things, including hacking and what not. But in fact, that is
>> not the case. Once the language is read carefully, in context as an
>> amendment to an amendment to an existing statute (a very long and complex
>> statute) that clearly does not allow anyone to damage a user's data or
>> computer, we would hope that that same reasonable human being would agree
>> that there has simply been a misunderstanding.
>>

Sure.  Reasonable people can disagree about the meaning and intent of
statutory language, as well as differ in their speculation about the effect
of the text once enacted.  One person's misunderstanding is another's
perfectly reasonable position.  That's precisely why we should be talking
about this, and challenging the RIAA to explain it's intent.

I don't doubt at all the veracity of the RIAA's claims here: that the
changes to the law were likely to restrict their ability to use
technological measures to enforce copyrights, and that their proposals were
intended to return the law to it's prior position.

But that's the point.


Best,

Polk

--
=====================================
R. Polk Wagner
University of Pennsylvania Law School
3400 Chestnut Street
Philadelphia, Pennsylvania  19104
http://www.law.upenn.edu/polk/
=====================================

**********

Date: Wed, 24 Oct 2001 14:56:11 -0400
Subject: Re: FC: RIAA claims it never wanted to hack PCs, was misunderstood
From: "R. Polk Wagner" <polk () law upenn edu>
To: <declan () well com>

On 10/24/01 12:04 PM, "Declan McCullagh" <declan () well com> wrote:

> I thank the RIAA for replying. There seems to be only one important
> question here: Did the RIAA's now-abandoned amendment do what legal
> analysts, such as the folks I quoted in my article, say it would?
>

Note that the RIAA's response makes this an issue about baselines.

The facts are not (and weren't) really in dispute.  Congress was considering
measures that related to civil penalties for hacking.  The RIAA admits that
these measures would have affected their ability to conduct technological
activities to enforce copyrights.  Accordingly, they sought to exempt
copyright owners from the new measures.

The RIAA suggests that the weren't seeking any "new" powers, but just to
maintain their status quo powers.  Okay.  But of course this assumes we all
agree that the "status quo" gave content owners the right to hack (and
especially the apparent shield from consequential liability they proposed).

To folks who oppose the copyright owners' use of hacking to enforce
copyrights, the distinction between (1) an explicit new power and (2) a
shield from liability is going to seem a little thin, eh?

Yet the most ironic thing about this "debunking" is that it merely confirms
RIAA's desire/plan to hack -- which is what people were objecting to.  Their
response to your article: that the law was changed in other ways to preserve
their legal right to hack ("never mind"). Somehow I don't think this
provides much comfort; nor does it debunk the suggestion that they're at
least strongly considering hacking as a copyright enforcement tool.


--
=====================================
R. Polk Wagner
University of Pennsylvania Law School
3400 Chestnut Street
Philadelphia, Pennsylvania  19104
http://www.law.upenn.edu/polk/
=====================================

**********

From: "Trei, Peter" <ptrei () rsasecurity com>
To: "'declan () well com'" <declan () well com>
Subject: RE: RIAA claims it never wanted to hack PCs, was misunderstood
Date: Wed, 24 Oct 2001 16:42:25 -0400
MIME-Version: 1.0

OK, up front:

1. I Am Not A Lawyer.
2. This letter contains my *personal opinion*, not that
of my employer.

 From: Declan McCullagh[SMTP:declan () well com] wrote:

> Subject:FC: RIAA claims it never wanted to hack PCs, was
> misunderstood

> I thank the RIAA for replying. There seems to be only one
> important question here: Did the RIAA's now-abandoned
> amendment do what legal analysts, such as the folks I quoted
> in my article, say it would?

> If the answer to that question is "yes" -- if the RIAA's
> amendment would permit a copyright holder to hack computers
> and delete information -- then it doesn't matter what the RIAA
> now insists its intentions were. The RIAA has some very bright
> lawyers who don't draft amendments carelessly. The truth is in
> the language of the legislation; the rest is spin.

> This is not meant to be an attack on the RIAA. The group has
> done some laudable work in the past on First Amendment issues,
> and sometimes gets unfairly attacked in the
> Net.community. Somehow, though, I don't think this is one of
> those times.

> The RIAA's proposed amendment to the USA anti-terrorism bill:
> http://www.wartimeliberty.com/article.pl?sid=01/10/14/1756248

> Previous Politech message:
> http://www.politechbot.com/p-02656.html

> -Declan

> *********

Declan: I think you're original interpretation was spot
on. The proposed amendments immunized copyright holders for
any damage they do to a system in protecting their copyrights.

Note that there are two proposed versions of the amendment,
differing only in the inclusion of 'reasonably' in the second,
which qualifies the types of measures that a copyright holder
can use. I guess they figured - 'well, why not try to get
unreasonable powers if we can?'

Under the first version, if a copyright holder caught you in
public listening to a bootleg Metallica MP3, he could smash
your player with a sledgehammer, and walk away. Under the
second, he might be able to seize it from you, delete the
offending file, and hand it back (subject to court
interpretations of 'reasonably').

The letter from the RIAA is a masterful example of spin and
lawyer talk. I have a longer version of this letter deconstructing
it, which I could send you tomorrow if you want.

Peter Trei

**********

Date: Wed, 24 Oct 2001 12:40:01 -0400
To: declan () well com, politech () politechbot com
From: Philo <philo () radix net>
Subject: Re: FC: RIAA claims it never wanted to hack PCs, was
  misunderstood
Cc: JCabrera () riaa com
In-Reply-To: <5.0.2.1.0.20011024115532.02617410 () mail well com>

At 12:04 PM 10/24/2001 -0400, Declan McCullagh wrote:
> I thank the RIAA for replying. There seems to be only one important 
> question here: Did the RIAA's now-abandoned amendment do what legal 
> analysts, such as the folks I quoted in my article, say it would?
>
> If the answer to that question is "yes" -- if the RIAA's amendment would 
> permit a copyright holder to hack computers and delete information -- then 
> it doesn't matter what the RIAA now insists its intentions were. The RIAA 
> has some very bright lawyers who don't draft amendments carelessly. The 
> truth is in the language of the legislation; the rest is spin.

Declan, more to the point - nowhere in the reply from RIAA do they say they 
have no interest in pursuing illegal copies to personal machines. In fact, 
there seems to be a tacit admission that's where they were going:

>    But we've also said that there were technical measures that could be
>    used to address the problem. We didn't get very specific about what
>    those technical measures were, but we always made clear that we would
>    rely on technological solutions to address technological problems.
>
>    And in fact, a number of companies have developed the technology for
>    these technical measures. Some of them may already be in use, but at
>    RIAA, we've been analyzing the law to make sure that using these
>    technical measures would be completely lawful.
>
>    A couple of weeks ago, the Senate made public for the first time the
>    anti-terrorism legislation it had privately been drafting. And when we
>    looked at it, we found that one of the provisions in this massive bill
>    would have changed existing law in a way that would prevent us from
>    using technical measures that would otherwise have been perfectly
>    lawful.

It reads to me like there's lots of room here for "we were starting to 
think of going viral to protect our work, but the new legislation would've 
made that illegal and we just had to protect the option"

This quote is particularly disingenuous:

>    Contrary to what you may have seen, read or heard the recording industry
>    never lobbied congress to give us the ability to hack into PCs, plant
>    viruses, destroy MP3 files on people's computers, and worse. That is
>    complete nonsense, and totally untrue.

No, the RIAA didn't want the ability created; they wanted an existing 
ability protected. Talk about splitting hairs and spin control.

I look forward to reading more legal analysis regarding the proposed amendment.

Philo
philo () radix net AOLIM: philo589         ICQ: 9802707
Get legal advice or find a local attorney: http://www.lawguru.com/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

**********

Date: Wed, 24 Oct 2001 13:16:06 -0400
Subject: Re: FC: RIAA claims it never wanted to hack PCs, was misunderstood
From: Richard Forno <rforno () infowarrior org>
To: <declan () well com>
CC: <politech () politechbot com>

Declan, some comments on your RIAA note, and ending with an observation.

rf


> Contrary to what you may have seen, read or heard the recording industry
> never lobbied congress to give us the ability to hack into PCs, plant
> viruses, destroy MP3 files on people's computers, and worse. That is
> complete nonsense, and totally untrue.

Under Clintonian English, it all depends on how you define "hack."

> And we've said that the real solution ? the long-term solution ? is a
> marketplace solution. That we have to get into the marketplace and offer
> not only a legitimate alternative, but a better alternative that will
> attract consumers because of the value we provide.

Under Entertainment Cartel English, "marketplace solution" equals collusion
with vendors and content providers. The DVD Copy Control Assn. is a prime
example of a 'marketplace solution' in action.

> But we've also said that there were technical measures that could be
> used to address the problem. We didn't get very specific about what
> those technical measures were, but we always made clear that we would
> rely on technological solutions to address technological problems.

Perhaps work to insure any MP3 player is unable to exchange files with PCs
or other players unless done under a RIAA-endorsed 'technical DRM solution'
like the MPAA-endorsed 1384 HDTV interfaces?

> And in fact, a number of companies have developed the technology for
> these technical measures. Some of them may already be in use, but at
> RIAA, we've been analyzing the law to make sure that using these
> technical measures would be completely lawful.

Sure - who needs to 'hack' if the recording industry cartel agrees to only
sell products with DRM technical solutions, solutions that exist "in the
marketplace" that could facilitate a backdoor for 'authorized use' by the
device manufacturer and/or its agents (eg, RIAA). Yes, I use the term
'cartel' for a reason. RIAA is no different than OPEC or Cali.

> A couple of weeks ago, the Senate made public for the first time the
> anti-terrorism legislation it had privately been drafting. And when we
> looked at it, we found that one of the provisions in this massive bill
> would have changed existing law in a way that would prevent us from
> using technical measures that would otherwise have been perfectly
> lawful.

As I said, it all depends on how one defines 'technical measures.'

> The provision wasn't aimed at anything we were doing or thinking of
> doing. Nor was it aimed at technical measures used by ISPs, and eBay,
> and other businesses to protect the integrity of their products and
> their systems. But inadvertently, this change in the law would have
> prevented us from using technical measures to protect copyrighted works.

'Technical measures' in this respone by RIAA is like the Bill Gates mantra
that Microsoft makes 'great software' - how about giving details, and not
nebulous verbiage? Sounds like RIAA is taking its lessons in conducting
public relations from Pentagon news briefings.

> When we discovered the change, we brought it to the attention of the
> Department of Justice; the Senate staff working on the bill; and other
> industry groups. The staff confirmed that the effect on us was
> inadvertent, and asked us to propose a fix, a "patch" to eliminate the
> problem for our industry. We did so ? based on suggestions from the
> Department of Justice and Senate staff.

More like they discovered it and nearly had a heart attack.

> Ultimately, the Senate staff figured out a way to change their original
> provision to eliminate its unintended effect, and that worked just fine
> for us. And it worked for a whole lot of other industry groups that also
> felt that this provision had to be fixed ? the ISP community, telecom
> companies, the NetCoalition, the Chamber of Commerce, as well as content
> industries like motion pictures and music.

Let's remember that RIAA and MPAA are siblings under King Jack and Queen
Hillary. I'm waiting for the Thirty Years' War to begin over DRM.  :)

> There is nothing unusual about what happened here, especially in the
> hectic closing days of a Congressional session. But somehow, it became a
> story that we were looking for special new powers to hack into personal
> computers.

Maybe not to them, but it sure appeared like Hollywood was trying to do what
Justice was doing, namely trying to get as much power as possible during
this once-in-a-lifetime golden opportunity to rush things through Congress
without prolonged public hearings, scrutiny, and comment. Very sneaky!

> What's worse ? we were accused of equating Internet piracy with
> terrorism. We may take Internet piracy seriously, but we're not insane.

Seems to be the thing to do by industry - wasn't it only last week that
Microsoft essentially equated the full disclosure of security problems to
supporting computer crime and information terrorism? That's how many of us
security folks read it.

RIAA and their MPAA sibling take profits more seriously, and as we've seen,
will pursue anything that guards their turf from new technologies,
distributions, or ideologies. These clowns are terrified that the paradigm
shifted and  consumers have the demonstrated technical ability (matching a
desire long ignored by the entertainment cartels) to pick and chose what
they want to listen or watch, and not be forced into settling for whatever
teeney-bopper's looks will sell the most albums.

> It's one thing to be criticized for what we do ? that's fair game. But
> to be vilified for what we don't do ? that's very disheartening.

Crocidile tears are being shed, and no sympathy should be given. Two
observations:

- They DON'T listen to their customers' desires to pick and choose their
entertainment, something we've complained about for years. Now that it's
been proven that folks CAN do this (Napster, etc), the cartels play the
victim while scrambling to bastardize technology that not only restricts
what, where, and how people listen to music, but also what artist cuts get
released, if at all. Even Microsoft XP is catering to the needs of Hollywood
and not supporting the alleged "pro-piracy" MP3 format in default XP
installations, charging $30 or so for that as an 'add-on' feature.
(Remember the collusion reference I mentioned earlier?)

- They DON'T embrace technology to better society or make it more
convienient for end-users (eg, endorsing fair use), but they DO embrace it
to enable them to better control the content information in today's
information-based society. We saw this with VCRs, the demise of DAT, etc. If
they can't innovate protection, they legislate it under such things as DMCA.

> Unfortunately, we get a lot of that. Half of what is written about us is
> just plain wrong. And that's why we really do appreciate you taking the
> time to read this, giving us a chance to set the record straight on this
> one.

Truth is in the eyes of the beholder, and that the entertainment cartels are
notorious for spinning their version of "the truth." (Remember King Jack's
alleged real-time download of 'Gladiator' in the Senate hearing room to
demonstrate how quick someone could 'pirate' movies? They ran it from a
CD-ROM, there was no live net connection in the hearing room!)

RIAA is is the same industry cartel terrified of CD burners and technology
in the hands of the general public. Whether it's taxing blank CDs, new CD
burners, DMCA, or 'technical measures' and collusion with vendors (eg, DVD
CCA), this scares them to death.

According to RIAA, sales of (overpriced) CDs were down for the first part of
2001, down 2.7 percent from the previous year.  Forget the fact that the
economy has been dismal this year, and that in economic hardships, luxury
items (like overpriced CDs) are often passed over until consumers are more
confident to spend lavishly on such items......nevertheless, RIAA blames
their financial woes on technology in the hands of the masses. Although they
didn't come out and say it (who EVER takes the direct approach in
Washington?) - they make a strong suggestion and imply that consumer piracy
was to blame for their losses. According to RIAA's President Queen Hillary.:

"Many in the music community are concerned about the continued use of CD-Rs
(compact disc recordables) and we believe this issue deserves further
analysis. A preliminary survey of tech savvy online music enthusiasts
recently conducted for the RIAA showed that nearly one out of two consumers
surveyed downloaded in the past month and nearly 70 percent burned the music
they downloaded. All of this activity continues to show the passion of the
consumer for music and the need for both legal protection and legitimate
alternatives," concluded Rosen.  (http://www.riaa.org/News_Story.cfm?id=446)

Message to RIAA - It's The Economy, Stupid!

My 2 cents.

Rick Forno
infowarrior.org

Add'l Reading:

National Security and Individual Freedoms:  How the Digital Millenium
Copyright Act (DMCA) Threatens Both
http://www.infowarrior.org/articles/2001-05.html

**********

From: "Richard Willey" <richard.willey () windriver com>
To: <declan () well com>
Subject: RE: RIAA claims it never wanted to hack PCs, was misunderstood
Date: Wed, 24 Oct 2001 09:54:23 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Declan

I am a long time lurker.
I found the RIAA letter a bit disingenuous.
It certainly does not match the subject line "RIAA claims it never
wanted to hack PCs, was misunderstood"

Carefully read the following clause:

    But we've also said that there were technical measures that could
be
    used to address the problem. We didn't get very specific about
what
    those technical measures were, but we always made clear that we
would
    rely on technological solutions to address technological
problems.

    And in fact, a number of companies have developed the technology
for
    these technical measures. Some of them may already be in use, but
at
    RIAA, we've been analyzing the law to make sure that using these
    technical measures would be completely lawful.

    A couple of weeks ago, the Senate made public for the first time
the
    anti-terrorism legislation it had privately been drafting. And
when we
    looked at it, we found that one of the provisions in this massive
bill
    would have changed existing law in a way that would prevent us
from
    using technical measures that would otherwise have been perfectly
    lawful.

What the RIAA is claiming is that they currently have both the legal
right to hack individuals PCs.  They also have the necessary
"technical measures".

The wording of the Senate's Anti-Terrorism legislation would remove
their existing rights to hack individuals PCs so the RIAA attempted
to have an ammendment added to restore this capability.

You wrote:

>I thank the RIAA for replying. There seems to be only one important
>question here: Did the RIAA's now-abandoned amendment do what legal
>analysts, such as the folks I quoted in my article, say it would?

In my mind, the really important question is what assumptions is the
RIAA operating under today?

Richard Willey

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9byPtZbGc4pZHvJEQLJegCg2QSiEkTx/6iZXkiGzgq7Vj3lIGIAnRQQ
Yc1Xgg7r/uv+7YclX8BDideG
=6Iqb
-----END PGP SIGNATURE-----

**********

From: "Ben" <bmw () carolina rr com>
To: <declan () well com>
Cc: <JCabrera () riaa com>
References: <5.0.2.1.0.20011024115532.02617410 () mail well com>
Subject: Re: RIAA claims it never wanted to hack PCs, was misunderstood
Date: Wed, 24 Oct 2001 14:08:12 -0400


It bothers me just a bit to know that the RIAA gets to insert proposals into
legislation when it and the government agree that it will be affected, while
actual citizens like us only get to learn how it will affect us after we get
home from work, the day it passed. And that's assuming that the mainstream
press, who's job it is to keep us informed about earth-shattering changes
like the DMCA, bothers to cover the story. That is, in itself, a gamble and
a conflict of interest; since members of the RIAA, like Warner Bros. (Time
Warner/AOL), own almost all major news outlets, (www.cjr.org/owners). And,
well, with Rupert Murdock's well documented habit of making his agenda news
coverage, and the investigation into the CEO of General Electric, who
supposedly cheered and directed NBC  from behind the scenes, to call the
election for George Bush, excuse me if I don't seem optimistic. Oh well. Who
needs balance of power, right? I just don't remember electing J. Cabrera, is
all.

**********




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------