-
Notifications
You must be signed in to change notification settings - Fork 0
/
2600-lessons.htm
537 lines (534 loc) · 41.3 KB
/
2600-lessons.htm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
<html>
<head>
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<title>Lessons of 2600: Linking Rules for "Hacking" and Other Alternative
Websites</title>
</head>
<body bgcolor="#666666" text="#000000" link="#00D700" vlink="#00FF00" alink="#C0C0C0">
<div align="center"><center>
<table border="0" cellpadding="0" cellspacing="0" width="614" height="507">
<tr>
<td colspan="4" width="602" height="88"><p align="center"><img
src="http://www.denmarket.dk/cyberlaw/liac-good.JPG" alt="liac-good.JPG (30176 bytes)"
width="600" height="86"></td>
</tr>
<tr>
<td valign="top" align="left" width="125" height="1" bgcolor="#AEAEAE"> <p> </p>
<p><font face="Arial" color="#6A6A6A"><small><strong> <a
href="http://www.denmarket.dk/cyberlaw"
style="color: rgb(106,106,106); border-left: medium none; border-right: medium none; border-top: medium none; border-bottom: medium none rgb(192,192,192)">home</a></strong></small></font></p>
<p><small><font face="Arial" color="#6A6A6A"><strong> articles</strong></font></small></p>
<p><small><font face="Arial" color="#6A6A6A"><strong> tools</strong></font></small></p>
<p><small><font face="Arial" color="#6A6A6A"><strong> biography</strong></font></small></p>
<p><small><font face="Arial" color="#6A6A6A"><strong> contact</strong></font></small></td>
<td valign="top" align="left" width="22" rowspan="2" height="379" bgcolor="#FFFFFF"></td>
<td width="458" rowspan="2" height="379" bgcolor="#FFFFFF"><b> <p ALIGN="CENTER">Lessons of
2600: Linking Rules for "Hacking" and Other Alternative Websites</b></p>
<p ALIGN="CENTER"><em>By William Reilly</em></p>
<p>Joe Whitehat operates a web site devoted to exploring network security vulnerabilities
and other "hacking-related" issues. Joe’s objective is to provide a public
forum for members of the Internet security field to share their knowledge of exploits and
vulnerabilities. Joe does not host programs on his server. Rather, he provides links to
programs of interest to the community. On one of Joe’s pages, he provides a link to a
program that is able to defeat an access control measure on a new type of digital format.
The fact that the new access control measure is so easily defeated is a topic of sincere
interest in the research and network security community because the weakness in the
algorithm used in this measure may be point to weaknesses in their own access control
measures. One day, Joe receives a certified letter demanding that he delete the
hyperlinked reference to the program from his website, or face the consequences of
"trafficking" in a technology that is for use in "circumventing a
technological measure that effectively controls access to a work protected under the
Copyright Act." What is Joe supposed to do?</p>
<p>Joe would argue that he only provides a link to the site, and that he can’t be
responsible for the illegal acts of others. The copyright owners aren’t charging him
with copyright infringement, but rather a highly controversial subsection of the DMCA,
which bans the act of circumventing, the development and trafficking of tools used to
circumvent, and trafficking in the tools that can infringe on the work after it has been
circumvented or accessed. Joe would surely try to suggest that he is not
"trafficking" in the program by making the argument that it is not illegal for a
newspaper to publish the address of a store that sells obscene material. He, like the
newspaper, is merely pointing to the address where the illegal contraband may be located.
Unfortunately for Joe, a New York federal District Court and a Second Circuit Court of
Appeal has found that under certain circumstances discussed below, the court can force Joe
to delete the links to the DMCA offending material. </p>
<p>This article will look at the court’s linking arguments and suggest ways that web
site owners can avoid falling into the category of being a "trafficker" by
following the rules set out by the court. It should be stressed that this is only the
current law in the Second Circuit, which includes the states of Connecticut, New York and
Vermont. However, other jurisdictions could consider these holdings
"persuasive," which means that they don’t have to follow the rules set out
in the cases, but they can use them if they find the application of the law was
appropriate. <ol>
<b>
<li>What Can you Host on Your Website?:</b></li>
</ol>
<p>The first thing to clarify is what you can have on your website, and what you can link
to. If you are a US-based website, which means either a business or server presence
located in a US State or territory, then you likely will fall under some US jurisdiction.
Just because you are a "cyber" company with no tangible assets does not mean
that you are above US jurisdiction. As the US Attorney has argued in the
Elcomsoft/Sklyarov DMCA criminal case, you can fall under US personal jurisdiction even if
you are a Moscow software development company with no assets, personnel, or presence in
the US. In that case, the Moscow-base company offered software that potentially violated
the DMCA anti-circumvention provisions on an Internet server based in Chicago and entered
into a distribution agreement with a Washington state-based online software distributor
and transaction processor. The US Attorney argued that the act of offering the software on
the Chicago server, as well as the distribution agreement that allegedly targeted US
consumers, was enough to bring criminal charges against the Russian firm. They gained
personal jurisdiction over the company when one of its employees came to the US to speak
at DefCon. If no one from the company ever stepped foot in the US, they had no assets in
the US, and the program was legal in Russia, then the US government could not have done
anything against the Russian company. In order to extradite someone from another country
to the US, there must be a bilateral treaty where the act was illegal in both countries
and the crime was committed in the requesting country by the defendant. Since the program
was arguably legal in Russia, extradition was not an option. </p>
<p> <b></p>
<p>The Broad Rules of Thumb:</b></p>
<p>The first broad rule of thumb is that you should never store on a website any content
that could subject you to a lawsuit. This goes for ISPs, discussion groups, as well as
commercial and private web sites. </p>
<p>Objectionable content can be defamatory, which can lead to civil damages if the person
can show that there is defamatory language that tends to adversely affects one’s
reputation, can be shown to be "of and concerning the plaintiff," is published
on the Internet by someone who directly was responsible for writing the statement or by a
secondary person knew or should have known that the statements were defamatory, and that
there was damage to the plaintiffs reputation as a result. Content can also infringe on
another’s intellectual property, such as copyright, trademarks and patents. If you
receive notice that there is infringing material on your site, it is wise to pull it
immediately and then seek counsel from an attorney. Content can also be criminal if, for
example, it contains obscene material or malicious code. These are some of the types of
content that you should not reside on your server if you are a US resident, US company,
commercially target the US or have a US-based server. </p>
<p>The second broad rule of thumb in light of the holding in the <i>Universal et al. v.
Reimbursed et al </i>case, is that you should be very careful when you provide a hyper
link from you website to another site that might contain any "actionable" or
legally objectionable content. In <i>Reimerdes</i>, the Motion Picture Association of
America sought to prohibit Eric Corley from hosting and linking to a program that
threatened the viability of their DVD access control measures. Corley was a print and
electronic publisher of the well-known "hacker" magazine <i>2600</i>, which
provides extensive research, news and other articles on phreaking, hacking, cracking, and
network security. In November 1999, Corley posted a copy of the decryption program
"DeCSS" on his 2600.com website and also provided many hyperlinks to other
server sites that hosted DeCSS. The District Court in New York issued a permanent
injunction that barred Corley from posting DeCSS on his website or from "knowingly
linking via a hyperlink to any other website containing DeCSS. Corley sought appellate
review of the lower court holding, where the Second Circuit Court of the Appeals upheld
the trial court link injunction. This case is a good case to discuss because Corley lost
on every point in two federal courts. </p>
<p> <b></p>
<p>What Can You Link To and Why:</p>
<p>1. Never Taunt the Court or the Plaintiff:</b></p>
<p>In the <i>2600 </i>case, there are three words that seriously impacted their defense
– "electronic civil disobedience." The trial court referred to that
statement three times in the ruling, each time with an increasing distaste for the
defendant. When the court issued a preliminary injunction prohibiting Corley from hosting
the DeCSS program on his site, he encouraged visitors to download the program from other
servers via hyperlinks on his site as a sign of "electronic civil disobedience."
To make matters worse, Corley wrote on the website "We have to face the possibility
we may be forced into submission. For that reason it’s especially important that as
many of you as possible, all throughout the world, take a stand and mirror these
files." In the plaintiff’s brief, it was also noted that Corley defied "the
authorities to shut down his site promoting the free copying of DVDs, stating that
‘there is no lawyer that can prevent us,’ and announced: "Notice: The DVD
Copy Control Association are c---suckers!" The court also noted that Corley placed
the hyper links to the mirrored sites only after he ensured that the other sites were in
fact the posting DeCSS code. </p>
<p>The court was not amused. Judge Kaplan wrote that the "defendants obviously hoped
to frustrate plaintiff’s recourse to the judicial system by making effective relief
difficult or impossible." Those are strong words that you don’t want to ever
have a judge make about your actions. In other words, Judge Kaplan said that by
encouraging others to download DeCSS on other sites as an act of disobedience, Corley was
trying to get around the system to harm the plaintiffs. The judge ensured he had the last
laugh.</p>
<p>It is important to understand that Corley could have been liable for money damages. The
MPAA sought damages pursuant to 17 U.S.C. Section 1203(c) and (b), which would have been
statutory damages of $2,500 per offer of DeCSS! These damages could have been
"incalculable," as Judge Kaplan explained. However, because the defendants had
no assets to speak of, and that the damage amount was too speculative to calculate, the
court held that there was an inadequate remedy at law and therefore injunctive relief was
the only available remedy.</p>
<p>The most obvious lesson to be learned from the above reaction is that you should never
taunt the court’s ability to comprehend the technology or enforce judgements. Judges
unofficially use what is called a "smell test" to size up the character and
motive of the parties in an action. When there are signs that one side is acting in a
cocky, arrogant, and underhanded sly manner, the courts are not going to be favorably
predisposed to that party, to say the least. While Corley’s exasperation with the
situation he found himself in with the MPAA is understandable, in the end it was
counterproductive because the court saw it as evidence of his intent to violate the DMCA
and recognition on his part that the program was controversial and legally questionable. </p>
<p> </p>
<p> <b></p>
<p>2. Write all copy and messages with careful deliberation:</b></p>
<p>Whenever you are writing copy for a website, you unfortunately always have to consider
how that text would look in the courtroom as "Exhibit 659." Also, with much of
the Internet cached on the Way Back Machine and other archives, not only your present
words, but all of your past online statements can be used against you. So the words used
on a web site, even if taken down by you at a later time, could be cached somewhere on the
Internet. </p>
<p>Also, prosecutors and lawyers have become savvy at researching newsgroup archives and
discussion groups for written statements that can be used against you. Whenever you submit
comments on Slashdot or your favorite newsgroup, you need to think about the consequences
of the statement. Is it an opinion that, if used in court, could weaken a position about
actions on your website? Most laws require some form of intent, knowledge or notice, and
barring some statement made on the witness stand or in a deposition, they need to prove it
by bringing in other statements or actions to show you intended the consequence of your
"wrongful" actions. For example, in order to prove that you developed a piece of
software to duplicate copyrighted music, your argument that there are significant
non-infringing uses of the program is shot down if there is a newsgroup discussion where
you brag about how the program is going to bring the music monopoly to its knees. In the
Napster saga, Judge Patell found that internal e-mails indicated that the Napster founders
had copyright infringement as the motive for their program. A document authored by
co-founder Sean Parker mentioned the need to remain ignorant of users' real names and IP
addresses "since they are exchanging <i>pirated </i>music." The same document
stated that, in bargaining with the RIAA, Napster will benefit from the fact that "we
are not just making <i>pirated </i>music available but also pushing demand." Judge
Patell found that "these admissions suggest that facilitating the unauthorized
exchange of copyrighted music was a central part of Napster, Inc.'s business strategy from
the inception." Like diamonds, digital messages are forever.</p>
<p>By now you should be aware that linking to anything on another site that could get you
in trouble if it was located on your own site is a dangerous activity. But it doesn’t
mean that all links to online contraband should be banned. If that were the case, then
there would be a great "chilling effect" on web-based communication because
hyperlinks lie at the heart of the web’s interactivity. The courts have been
concerned that such a blanket ban would be unconstitutional because it would be a form of
prior restraint, or communication that is prohibited even before it is made. For example,
the court in <i>2600</i> was concerned that "legitimate" news outlets, like the
New York Times, would be liable for links on their website that discussed controversial
subjects. The trial court in <i>2600</i> developed a simple formula to guide courts and
web site owners through this potential minefield. The Court of Appeals hinted that the <i>2600
</i>linking formula was even too rigid and that they would be willing to work with a more
"chilling" formula. </p>
<p> <b></p>
<p>3. The <i>2600 </i>Linking Test:</b></p>
<p>Judge Kaplan developed a simple linking formula to help determine when links to
"contraband" should be restricted or banned and to limit the potential for a
chilling effect on "legitimate" links by the media. He required that there
should be clear and convincing evidence that those responsible for the link:<ol TYPE="A">
<ol TYPE="A">
<li>know at the relevant time that the offending material is on the linked-to site</li>
<li>know that it is circumvention technology that may not lawfully be offered and </li>
<li>creates or maintains the link for the purpose of disseminating the technology.</li>
</ol>
</ol>
<p> <ol TYPE="A">
<b>
<li>know at the relevant time that the offending material is on the linked-to site</li>
</b><p>The court held that Corley violated each of these elements of the test. First,
Judge Kaplan held that he was aware at the relevant time that the offending material was
on the linked-to site because he checked on the DeCSS availability before he placed the
link from 2600. Obviously, if you provide a link that directly points to the .exe, .tar or
.zip file, you are aware that the material is on the linked-to site. If it deep links to a
page that only contains the material, that is also an inference that you were aware that
the material was located on the site at the relevant time. However, if it points to a home
page on a web site that has a lot of other content, hopefully legal, then you might be in
a gray zone where the court will apply the "smell test." </p>
<p>The lesson here is to be careful how you link to the other web site. A disclaimer that
states you have no affiliation, financial or otherwise, with the 3<sup>rd</sup> party
websites, and that you have not checked the links for the any actual offending material
might be helpful. However, the courts don’t pay a lot of attention to self-serving
disclaimers if there is other evidence to the contrary. For example, how much credence do
you think a court is going to give the KaZaA peer-to-peer file trading program when it
states in its license agreement that "KaZaA does not condone activities and actions
that breach the copyright of artists and copyright owners - as a KaZaA user you are bound
by the KaZaA Terms of Use and laws governing copyright in each country." I would not
like to be the defense counsel trying to argue in good faith that KaZaA is totally
oblivious to any copyright infringement going on because of their software and that those
who wanted to use the software to infringe have read the license terms and declined from
using the software for fear of violating the terms of the license. Do they really think
that people who are willing to infringe on the copyrights of others are going to comply
with the terms of a license agreement that denies the very infringing function of the
software itself? </p>
<p> </p>
<b>
<li>know that it is circumvention technology that may not lawfully be offered </li>
</b><p>However, it is the second prong of the test that the court just almost ignored.
Corley argued that he didn’t know that the software was unlawful, but because of the
statements on the website, that argument was not taken seriously. Amazingly, Judge Kaplan
satisfied this prong by noting that "[t]hey now know that dissemination of DeCSS
violates the DMCA." His own test requires knowledge at the time the offense was
committed that there be clear and convincing evidence that the defendant "knew"
that it can not be lawfully offered. When Corley posted the link, there was a huge debate
about whether the program was illegal because the DMCA’s anti-circumvention
provisions had not been interpreted by a court. Nevertheless, Judge Kaplan reasoned that
since they now know it is illegal, that satisfied the element that they also knew it at
the time they posted it. </p>
<p>In the Elcomsoft case, it submitted a motion arguing that its program, AEPBR, was legal
in Russia, provided significant fair uses to legitimate users and that Section 1201(b) was
Constitutionally vague because it was unclear that their program was illegal. They did not
market the program as a way to defeat access controls on the Adobe E-book reader. The
court will decide on the merits of the motion ironically on April Fools Day 2002. </p>
<p>The lesson here is that there should be no reference on the website that you are aware
that this specific piece of software is likely to be illegal. Links to cracking software,
serial number lists, trojan programs and other malicious code should be avoided because
there is a high inference they are illegal in Europe and the US. But programs in the gray
zone, like AEPBR and DeCSS, are arguably questionable and the court is going to look for
admissions by you or the website that recognizes its questionable legal status. </p>
<b>
<li>creates or maintains the link for the purpose of disseminating the technology</b></li>
</ol>
<p>Finally, the court had an easier time justifying the last prong – that the link
was created for the purpose of disseminating the technology. Corley stated that was his
intention on his website. </p>
<p> <b></p>
<p>4. Link to Pages that Contains A Lot of Legitimate Content</b></p>
<p>The court, in a footnote, commented that "deep links to a page containing only
DeCSS located on a site that contains a broad range of other content, all other things
being equal, would be more likely to be found to have linked for the purpose of
disseminating DeCSS." However, the court seemed to infer that a link to a "home
page of the linked-to site" would be less likely to be found a dissemination. </p>
<p> <b></p>
<p>5. Don’t Advertise the Link as a Way to Get Around a Law:</b></p>
<p>The court noted that sites "that advertise their links as a means of getting DeCSS
presumably will be found to have created the links for the purpose of disseminating the
program." This was the case on 2600.com, and the court came down hard on Corley as a
result. Remember that the courts are going to look hard at your motivation for posting
links or hosting software. The court in <i>2600</i> wanted to draw a line between
"legitimate" news sources, such as the <i>New York Times</i>, and hacking sites,
such as <i>2600.</i> The court recognized that legitimate network security boards and web
sites provide a significant role in promoting scientific dialog, research and development.
There is nothing wrong with strongly criticizing ideas and laws. That is protected speech.
However, if that critical speech is combined with links to "illegal" contraband
as a way to resist the ideas or laws, then the court could view that as an intent to
traffic in the contraband. But if the site seriously discusses the program and provides a
link to another "serious" website that contains the program without a deep link
directly to the program, then the court may view the link in a more speech-protected
manner. The website should be devoid of all references to supporting hacking, cracking,
etc… - check the metatags and archived versions of the website!</p>
<p> <b></p>
<p>7. "Add Your Own Link" Scripts:</b></p>
<p>There is code that allow users to automatically submit links to a site without the
involvement of the website owner. This might place the website in the bulletin board
status where the court will look at the extent of editorial discretion to see if and when
the bulletin board operator was on notice of infringing material. If no discretion is
exerted, then the operator is likely put on notice when he receives a take down notice
informing him of the offending material. It is wise to pull the content immediately and
then try to sort out who is wrong. It could be argued that the same applies to links
automatically submitted and posted on the site without the owner’s involvement or
awareness. </p>
<p>However, this is not an advisable approach because the court is likely to see through
this if it was developed to avoid notice. Website operators do have some responsibility
for the content of their sites. It would be risky to test the court’s interpretation
of your intent. </p>
<p> <b></p>
<p>8. To "href" or Not to "href=": </b></p>
<p>In the two <i>2600 </i>opinions, the court went into extensive discussion about the
Constitutional protection and status of hyperlinks. Specifically, Corley argued that the
links are constitutionally protected expression and the court must apply the highest form
of First Amendment scrutiny. Judge Kaplan noted that a hyperlink contains both speech and
non-speech elements. A hyperlink "conveys information, the Internet address of the
linked webpage, and has the functional capacity to bring the content of the linked webpage
to the user's computer screen." Judge Kaplan concluded that a hyperlink is content-
neutral because it is performs a function without regard to the speech component of the
hyperlink. Basically, if a prohibition is content-neutral, the court applies a less
rigorous test than it does against restrictions placed on the content of the speech.
Content neutral means that Congress isn’t trying to restrict speech based on a
message, but rather time, place or manner of the speech and it applies to all relevant
messages, regardless of what is said. One way to think about neutral content is whether
the law treats a sign that is in English the same as a sign written in Swahili. If it bans
all signs regardless of the message, the court will apply something called the
O’Brien test. The court will look at the regulation to see if it served a substantial
governmental interest and the regulation was unrelated to the suppression of free
expression. In other words, does the restriction on the neutral speech involve a
substantial government interest and that the purpose of the law is not to restrict certain
speech. </p>
<p>Judge Kaplan was looking at the impact of the injunction on the hyperlink ban and
determined that a hyperlink is functional more than expressive because the point of the
"href" code that creates the link is meant to provide instructions to the
browsers and servers to deliver a specific page located on another server. </p>
<p>Both the trial court and the appellate court made a huge issue that hyperlinks make
"the materials … available for instantaneous worldwide distribution" and
that "the linked web site is just one click away." What would happen if the
website merely provided the URL without a hyperlink? In reality, the court might find it
two identical in purpose. But the functionality h as been taken out and perhaps the URL is
more like protected speech. Some news organizations have already begun to refer to the URL
without hyperlinks. </p>
<p>However, the appellate court asked the plaintiffs whether banning the hyperlinks would
permit the court to issue an injunction prohibiting a newspaper from printing addresses of
bookstore locations carrying obscene materials. The concluded that there is a distinction
between the two medias because the police can seize the obscene material before the
newspaper publishes the address of the bookstore. However, if "obscene materials are
posted on one web site and other sites post hyperlinks to the first site, the materials
are available for instantaneous worldwide distribution before any preventive measures can
be effectively taken." Following the court’s logic, merely posting the URL
without the hyperlink tags would still allow near "instantaneous worldwide
distribution" compared to the bookstore. </p>
<p> <b></p>
<p>9. Using a Search Engine to Query 3<sup>rd</sup> Party Websites</p>
<p></b> </p>
<p>There are many "hacking" and network security websites that employ search
engines to locate material on other servers. This might actually trigger a very
interesting area of the DMCA – the safe harbor exemptions of 512(a) for information
location tools. The concept here is that the website only provides for users to chose the
terms they are looking for on 3<sup>rd</sup> party websites that are beyond the control of
the website. In <i>2600, </i>the court’s hyperlink conclusions were based around the
website’s knowledge that the offending material is located on the 3<sup>rd</sup>
party site, that it knows that the material is not lawful and the link was created for the
purpose of disseminating the technology. However, a search engine that queries another
site could eliminate the "knowledge" requirements and the purpose of
dissemination because there is no way that the website could know in advance what the user
would be looking for on a 3<sup>rd</sup> party site. </p>
<p>Under the Information Location Tools safe harbor located in 17 USC Sec. 512, a web site
can be shielded from application of the DMCA. Here is an edited version of the safe
harbor. </p>
<p> <b></p>
<p>Information Location Tools. </b></p>
<p>A service provider shall not be liable … for infringement of copyright by reason
of the provider referring or linking users to an online location containing infringing
material or infringing activity, by using information location tools, including a
directory, index, reference, pointer, or hypertext link, if the service provider – </p>
<p>(1) (A) does not have <i>actual knowledge</i> that the material or activity is
infringing; </p>
<p>(B) in the absence of such actual knowledge, is <i>not aware of facts</i> or
circumstances from which infringing activity is apparent; or </p>
<p>(C) upon obtaining such knowledge or awareness, acts expeditiously to remove, or
disable access to, the material; </p>
<p>(2) does not receive a financial benefit directly attributable to the infringing
activity, in a case in which the service provider has the right and ability to control
such activity; and </p>
<p>(3) upon notification of claimed infringement as described in subsection (c)(3),
responds expeditiously to remove, or disable access to, the material that is claimed to be
infringing or to be the subject of infringing activity, except that, for purposes of this
paragraph, the information described in subsection (c)(3)(A)(iii) shall be identification
of the reference or link, to material or activity claimed to be infringing, that is to be
removed or access to which is to be disabled, and information reasonably sufficient to
permit the service provider to locate that reference or link. </p>
<p>In other words, if a website provides a search capability to a third party’s
website and does not have <i>actual</i> knowledge or is not <i>aware</i> of infringing
material, and does not <i>directly </i>receive a financial benefit, then it can be argued
that the safe harbor applies, atleast to infringing activity. However, the
anti-circumvention provisions do not concern the act of "infringement," but
rather the act of circumventing and devices used to circumvent. So it is not clear whether
the argument can be made, that atleast with regard to anti-circumvention, search queries
to a third party site could be shielded by the Section 512 safe harbor provisions. But
there is a better argument that searches to <i>infringing</i> material, like MP3s, cracker
programs, etc… could be shielded. It goes without saying that this has not been
extensively interpreted by the courts and could involve some risks. One thing appears to
be certain: if you intend to apply the safe harbor provisions, you must carefully follow
the "take down" provisions. If you receive a "take down" notice,
immediately call your lawyer and have him advise you on the appropriate procedures to
ensure that you are complying with the law. If you don’t effectively comply with the
take down provisions, you could lose the defense.</p>
<p>One reason why the courts might be hesitant to attach liability to search engines for
displaying offensive results is because search engines play such a critical role. With
billions of webpages to chose from, the Internet would cease to function properly without
search engines directing users to queried content. It would be unrealistic for Google.com
to be responsible for search results that turned up links to legally offensive material. </p>
<p>Likewise, the courts would be hard-pressed to punish "hacking" websites that
merely provide the ability for users to query selected 3<sup>rd</sup> party websites that
they have no control over, or receive any direct financial benefit. However, the courts
seem to dislike rebel defendants hiding behind the larger impact precedents – i.e.,
that "you must apply the same standard to us as them." The <i>2600</i> court
dealt with that issue in the linking of large "respectable" websites like the <i>New
York Times</i> compared to 2600.com by requiring a that the link be created "for the
purpose of disseminating the technology." The <i>New York Times</i> didn’t and
2600.com did – end of story. The court could apply a similar fuzzy distinction with
search engines located on "hacking" sites by strengthening the Section 512
"is <i>not aware of facts</i> or circumstances from which infringing activity is
apparent" clause. The court would look for evidence that the website operators were
"aware" of the circumstances in which the 3<sup>rd</sup> party site they offer
search queries on contain infringing or other offensive material. Once again, the tone and
overall purpose of the website might become a relevant issue. </p>
<p> <b></p>
<p>Conclusion:</b></p>
<p>For non-US website, first determine whether you can be brought under US jurisdiction.
Next, try to determine whether the content is illegal in your own jurisdiction. If it is
illegal, but it is legal in other countries, then do not host the content on your server.
If you provide a link to the offending content, then you must be very careful about the
context in which the link is created. If the court can infer in any manner that the link
was created to disseminate the content and encourage others to disseminate it, then the
court could come down heavy on you. However, if the context is scientific or serves some
other legitimate, useful and responsible purpose, then the court might allow the link,
even though it wouldn’t allow you to host the content on your own server. This has
not, to my knowledge, been clarified by the courts, so under these circumstances, link at
your own risk, and if you receive a complaint, pull the link immediately until the status
of the content is determined. </p>
<p>It should also be noted that you <i>could</i> be extradited from your country to the US
if the content is illegal in your country, your acts concerning the content is prohibited,
there is an extradition treaty with the US that specifically includes these types of
offenses, and the offense was committed in the US. However, that is a lot of "<i>ifs"</i>.
Realistically, your own jurisdiction will prosecute you for violating the law in your
jurisdiction. However, if you visit the US, the authorities have the right to arrest you
subject to an indictment and hold you in custody as a flight risk. If you live in an EU
jurisdiction, you could be extradited to another EU country for a criminal violation of
copyright laws, according to the most recent EU Cybercrime Convention. </p>
<p>Until the court decides on the Constitutionality of the DMCA, and perhaps maybe the US
Supreme Court, US websites that contain links to potentially offending content should be
put on notice that the court can enjoin such links, and cost the website owners a
significant amount of money in legal fees. All websites that link to obviously illegal
content, such as passwords, serial numbers, copyrighted software, cracks, trojan software
with little or no legitimate uses, virii, etc… should expect a visit from the Feds at
some point in their career. </p>
<p>The most important thing to keep in mind when developing your website is to honestly
ask yourself how the website would look as an evidence exhibit in court to a judge? If it
looks like a duck, walks like a duck, and squawks like a duck, the court is likely to find
it is a duck, not matter how clever the technical ruses are used.</p>
<p> </p>
<p> <i></p>
<p>Bill Reilly is a California-based network security attorney, member of the California
Bar and a GIAC-certified Advanced Incident Handler. Bill Reilly can be contacted at
[email protected] or US: (415) 771-3463.</i><font SIZE="2"></p>
<p>Copyright(c) 2002 William Reilly. All rights reserved.</p>
<p>This article does not in any way offer legal advice of any kind. Rather, the article is
meant as a comment and analysis of a statute and may not be taken for specific legal
advice. Please seek legal advice from an attorney in your jurisdiction for advice specific
to your situation. </font></p>
<p> </p>
<p><u><em>Endnotes:</em></u></p>
<font SIZE="2"><sup><p></sup>1. For more information on how non-US companies can avoid US
jurisdiction, read my article <i>Write Code – Go to Jail: A look at the DMCA criminal
liability for non-US software developers.</i><sup></p>
<p></sup>2. The program AEBPR is supposedly legal under Russian law. In fact, Russian law
supposedly requires the ability for backup copies to be made of certain media. </p>
<sup><p></sup>3. A complete discussion of copyright law and the DMCA defenses is beyond
the scope of this article. </p>
<sup><p></sup>4. The actual defendants were Eric Corley, Shawn Reimerdes and Roman Kazan.
For simplicity, this article will refer to all of the defendants as "Corley."</p>
<sup><p></sup>5. The Preliminary Injunction Motion also sought damages. The motion asked
"For damages in such amount as may be found and requiring Defendants to account for
and pay over to Plaintiffs all profits delivered from all acts of circumvention of
copyright protection systems; alternatively, for statutory damages in the amount of $2,500
for each act of circumvention, device, product, component, offer, or such other amount as
may be proper pursuant to 17 U.S.C. Section 1203(c); and</p>
<p>3. For Plaintiffs’ attorneys’ fees and costs pursuant to 17 U.S.C. Section
1203(b).</p>
<p>4. For prejudgment interest;</p>
<p>5. For costs incurred in this action;</p>
<p>6. For such other and further relief as the Court deems just and proper."</p>
<sup><p></sup>The defense at one point tried to get Judge Kaplan off the case by claiming
he has personal animosity to the defendant’s counsel and had a conflict of interest
due to prior relations with the plaintiff’s counsel. </p>
<sup><p></sup>7. Matt’s Script Archive - <a
HREF="http://worldwidemart.com/scripts/links.shtml">http://worldwidemart.com/scripts/links.shtml</a>
</p>
<sup><p></sup>8. For an example, visit Astalavista at http://www.astalavista.com/</p>
<sup><p></sup>9. Read <i>Write Code – Go to Jail: A look at the DMCA criminal
liability for non-US software developers</i> for suggestions.</font></p>
<p><i> </p>
<p>Bill Reilly is a California-based network security attorney, member of the California
Bar and a GIAC-certified Advanced Incident Handler. Bill Reilly can be contacted at
[email protected] or US: (415) 771-3463.</i><font SIZE="2"></p>
<p>Copyright(c) 2002 William Reilly. All rights reserved.</p>
<p>This article does not in any way offer legal advice of any kind. Rather, the article is
meant as a comment and analysis of a statute and may not be taken for specific legal
advice. Please seek legal advice from an attorney in your jurisdiction for advice specific
to your situation. </font></p>
<p> </p>
<p> </p>
<p> </td>
<td width="9" rowspan="2" height="379" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td valign="top" align="left" bgcolor="#AEAEAE" width="125"> <p> </p>
<p> </p>
<p><small><font face="Arial" color="#6A6A6A"><strong><small> </small></strong></font></small></p>
<p> </td>
</tr>
<tr>
<td colspan="4" width="602" height="40"><p align="center"><b>Qui non est hodie cras minus
aptus erit</b><br>
(<i>He who is not prepared today will be less so tomorrow)</i></td>
</tr>
</table>
</center></div>
</body>
</html>