In a recent decision, U.S. District Judge Susan Illston of the Northern District of California struck down the FBI’s use of National Security Letters (NSLs) as unconstitutional. Unbeknownst to most Americans, the FBI has been issuing thousands of NSLs every year. The letters demand that recipients, such as banks and telephone companies, provide customers’ information such as their transactional records, phone numbers dialed, and email addresses mailed to and from. This doesn’t involve the content of the phone calls or emails but does involve the names of addressees or participants. One reason most Americans didn’t know about these letters is because more than 95 percent of them contain gag orders, barring the recipient from disclosing their content or even their existence.
This case began nearly two years ago, in May 2011, when a nonprofit advocacy group, the Electric Frontier Foundation (EFF), filed suit on behalf of an unnamed telecom company that had received an NSL. In defense of the NSLs, the government argued that this level of secrecy is necessary to protect the nation against potential security threats. NSLs were designed in the 1970s as a means to gather information on suspected foreign spies during terrorism and espionage investigations. However, the Patriot Act greatly expanded their reach to allow the FBI to secretly compel companies to provide data on American citizens.
The constitutionality of NSLs is dubious for two distinct reasons. Not only does the nondisclosure clause infringe on their recipients’ free speech, but, unlike a standard subpoena or search warrant, the NSLs do not have to be authorized by a judge. Accordingly, Illston concluded that NSLs and their nondisclosure provisions violate the First Amendment and separation of powers principles, and she ordered the FBI to stop issuing NSLs and cease enforcing all gag provisions. That said, we are uncertain whether Illston’s order will ever go into effect. Due to the gravity of the First Amendment and national security issues at stake, Illston issued a 90-day stay, giving the government time to appeal her decision to the U.S. Court of Appeals for the 9th Circuit.
Although the lawsuit was filed anonymously, various media sources have suggested that the unnamed defendant may be Credo Mobile, a phone provider that supports progressive causes. The day after the ruling was released, Credo’s CEO Michael Kieschnick released the following statement:
“This decision is notable for its clarity and depth. From this day forward, the US government’s unconstitutional practice of using national security letters to obtain private information without court oversight and its denial of the first amendment rights of national security letter recipients have finally been stopped by our courts.”
According to Matt Zimmerman, an EFF attorney, the NSL gags “have truncated the public debate on these controversial surveillance tools,” and his unnamed client “looks forward to the day when it can publicly discuss the issue.”
As we await the higher court’s ruling, which we hope leaves Illston’s decision in place, one thing has already been accomplished of a positive nature. A federal district judge has shined some light on a little-known and highly dubious federal law enforcement technique.
Federal Criminal (Other)
The vast increase in the use of wireless data networks has led to new legal issues regarding network users’ right to privacy. A recent opinion issued by the U.S. District Court for the District of Oregon indicates that, under some circumstances, individuals on an unsecured wireless network have a reasonable expectation of privacy entitling them to Fourth Amendment protection. As a result, police officers must obtain a warrant prior to accessing files on that network.
In United States v. Ahrndt, defendant John Henry Ahrndt moved to suppress evidence that a police officer obtained by accessing Ahrndt’s wireless home network and opening files without a search warrant.
In February 2007, one of Ahrndt’s neighbors connected to Ahrndt’s unsecured wireless internet network. When she opened her iTunes program, she was able to see “shared” files from Ahrndt’s iTunes and LimeWire accounts, and saw a number of titles indicative of child pornography.
The neighbor did not open any of the files, but called the police to report what she saw. A deputy came to her house and she showed him the file names as she had seen them. The deputy asked her to open one of the files. When she did, it opened an image of child pornography.
The deputy questioned the neighbor about whom the unsecured wireless network might belong to. She indicated that the network had been available since she moved into the building, and at the time Ahrndt’s home was the only other one that was occupied. The police ran the license plate of a car parked outside of the home and identified it as belonging to Ahrndt, a convicted sex offender.
Using a general description of what the neighbor and deputy recalled seeing in the list of file names, the police applied for and received a search warrant to access the wireless network again in order to get an IP address. The police then served a summons on the Internet provider. The provider disclosed that Ahrndt was the subscriber in question.
Using that information, the police obtained a search warrant for Ahrndt’s home. They ran a forensic search of his computer and identified images of child pornography in various folders. The forensic report did not mention either iTunes or LimeWire.
In considering the motion to suppress the evidence obtained through the initial warrantless search, the court concluded that it would have been appropriate for the deputy to view the titles of the files without a warrant, since a private party (the neighbor) had already viewed those files and told the police about them. However, the court concluded that it was a violation of Ahrndt’s Fourth Amendment rights for the police to instruct the neighbor to open the file, which she had not previously done. The opened image was no longer within the purview of private search, but a government search.
The court also found that Ahrndt’s privacy expectations were not eliminated by accessing an unsecured wireless network. There was no evidence that Ahrndt had intentionally enabled sharing for those files; rather, the default setting of the LimeWire program enabled sharing. It was Ahrndt’s reasonable belief that those files were contained only on his hard drive, and not shared on a public network. The court said that “[i]n short, the government does not dispute a person has a reasonable expectation of privacy in the files on his home personal computer.”
The court concluded that, lacking specific file names and a description of images, a magistrate would not have found probable cause to issue a search warrant. The only evidence that the police viewed lawfully was the file names, which the neighbor and deputy could not remember with specificity. Since the “partial recollections and characterizations” were too general to support a warrant, all related evidence from the unlawful search must be suppressed.
The court came to the right conclusion on this one. Our reliance on the Internet has become such that what is on our computers is as personal and private as the inside of our homes. The government is no more entitled to search our computer without probable cause than to search our homes. This case does not represent a free pass to intentionally share information on wireless networks and then assert Fourth Amendment rights when the government comes knocking. Rather, it is only that information to which an user has a reasonable expectation of privacy—such as files that he is not aware are accessible to others—that is protected against the government’s unlawful search and seizure.
It’s easy to see how this has implications for potential white-collar cases: the government might try to use financial information unintentionally made available to a neighbor through an unsecured network as a basis to initiate a financial fraud investigation. We hope that the courts will rely on this case and suppress any evidence obtained as a result of this type of unlawful search.
Federal Criminal Procedure
A year ago, we wrote about the indictment in the Eastern District of Virginia of the executives and founders of Megaupload, one of the leading file-hosting sites on the Web. The charges were copyright infringement through the facilitation of piracy of copyrighted materials, money-laundering, and conspiracy. The site was shuttered after the indictment.
The case quickly got tied up in the U.S. Justice Department’s effort to extradite Kim Dotcom, Megaupload’s chief founder, from New Zealand, where he lives. After a series of setbacks, the DOJ just won a victory before a New Zealand appeals court. The extradition hearing is set for August 2013.
The issue before the appeals court was how much information the DOJ was required to turn over to Dotcom before the hearing. One of Megaupload’s defenses is that its activities were protected by the “safe harbor” provisions of the Digital Millennium Copyright Act, which protects Internet service providers from copyright liability for the activities of people who merely use their Web sites.
Dotcom wanted the DOJ to turn over, in advance of the hearing, information that it had about possible copyright infringement on the site – in other words, a good deal of the government’s evidence. Reversing a lower court, the New Zealand appeals court held that the DOJ need not turn over much of this material at this point.
“If a suspect was entitled to demand disclosure of all relevant documents on the basis that he or she wished to challenge not the reliability of the summarised evidence but rather the inferences that the requesting state seeks to draw from it,” the court wrote, then the extradition hearing process would not work properly. Rather, the suspect is entitled to a summary of the evidence but not to the government’s entire case at this juncture.
It thus appears that Dotcom will be able to get access to the DOJ’s entire case and to mount a full defense only if he is extradited to the United States and faces a criminal trial. But in order to hold such a trial, the DOJ will need to make a prima facie case at the extradition hearing, which Dotcom will be allowed to rebut, that Dotcom is guilty of the charged offenses. The appeals court said that this hearing will only involve a “limited weighing of evidence” and that the DOJ is entitled to some deference as to its reliability.
We have said before that this is a highly dubious prosecution. We are confident that despite this setback, Dotcom will get a full chance to present his case before an impartial tribunal.
We have previously reported in this space about the use of domain name seizures by American law enforcement – for example, here and here. Recent media reports show that domain name seizure has become the go-to tactic for law enforcement for other countries as well.
Canadian police made a series of arrests during an invitation-only Super Bowl party attended by 2300 people as part of Project Amethyst. A Royal Canadian Mounted Police spokesperson says this was connected with the arrest of 21 individuals related to a separate online credit betting operation in November. The more recent arrests were connected with an online sports betting operation that used the website located at www.platinumsb.com. In addition to arresting six individuals, officers also seized $2.5 million in cash as a result of the execution of nine search warrants in and around Toronto.
Police also seized the domain name associated with a Costa Rica-based website, which is registered with Washington State-based Enom, Inc. Police obtained a Canadian court order for that purpose, and then submitted a request under the Mutual Legal Assistance Treaty (MLAT) between Canada and the United States. The domain name was then transferred to the control of Canadian law enforcement authorities who, in turn, redirected it to a new landing page. Visitors to the platinumsb.com website are now greeted by a notice stating that the web site has been “restrained by court order granted to the Attorney General of Ontario.”
Media reports indicate that the website was back online as www.platinumsb.tk within hours of the shutdown. The .tk top level domain belongs to Tokelau, a non-self-governing territory off the coast of New Zealand. The .tk version of the domain name was reportedly registered in 2004, suggesting that the group operating the sports book had set up contingency plans for a seizure of its .com website.
Whatever the merits of the Canadian prosecution against individuals affiliated with PlatinumSB, the seizure of the platinumsb.com domain name certainly shows that domain name seizure is by no means a tactic used only by U.S. law enforcement. As more and more businesses move largely or exclusively to the Internet, the global use of this law enforcement tactic is sure to grow.
Facebook is quickly expanding its real money gaming platform. Net Entertainments has signed a license agreement with Bonza Gaming, which is a joint venture between gaming publisher Plumbee and online gaming operator Sportingbet. Under the agreement Net Entertainment will offer a range of casino games to Bonza Gaming, which will create an app, Bonza Slots, that will be available on Facebook to users that want to participate in real money gaming.
Facebook is now the world’s largest social media outlet, with over a billion active users. Last summer, Facebook announced that it would expand its social gaming to real money gaming, beginning initially with users in the United Kingdom. Bonza Slots becomes the third real money gaming app on Facebook, joining Gamesys and 888 Holdings; all three companies have recently reached deals with Facebook to launch their real money gaming apps. With Facebook’s massive user base, it can accomplish what other online gaming sites could likely only achieve on a much smaller scale — the ability to reach a large and constantly growing base of players.
Facebook is no stranger to online gaming. For some time now, it has offered its users the option of playing online games for Facebook credits as an alternative to real money. In 2011, Facebook changed its advertising policies, allowing online gambling companies to advertise in jurisdictions where such services are permitted. In the past, Facebook has been extremely strict when it comes to advertising online gambling business on its website. Now, Facebook’s Advertising Guidelines web page has a specific online gambling clause under the Gambling and Lotteries subsection of the Ad Content section, which reads: “Ads that promote or facilitate online gambling, games of skill or lotteries, including online casino, sports books, bingo, or poker, are only allowed in specific countries with prior authorization from Facebook.”
It is not clear how much Facebook will charge real money gaming companies to operate on its platform. In general, Facebook charges other apps 30 percent of their revenue, and there is no indication that gaming will work any differently. After reviewing Facebook’s public filings, we still have some questions about this and we will report back as we find answers.
In any case, Facebook’s new online real gaming platform will immediately give it a strong position in the real money market in the United Kingdom and a great opportunity to monetize its very large user base. With legislative efforts for real money online gaming gaining momentum across the United States, Facebook could be well positioned to be a power in the U.S. market in the future if it chooses to do so.
Rep. Zoe Lofgren (D-Calif), a senior member of the House Judiciary Committee, has indicated that she is drafting legislation that would seek to increase judicial oversight over prosecutors’ efforts to act against Internet domain names accused of copyright infringement. While the value of such legislation will depend on the details of the bill, the notion of creating greater control over prosecutorial seizure of domain names is laudable.
Lofgren is one of a small number of legislators who voted against the PRO-IP Act of 2008, which authorized the government to shut down websites accused of online piracy or copyright violations by seizing their domain names. Under the enforcement operation that followed passage of that Act – dubbed “Operation In Our Sites” – the U.S. Immigration and Customs Enforcement (ICE) has seized 1,630 domain names, of which 684 have been forfeited to the government. The increasing use of domain name seizures in this area tracks similar use of this tool in other areas of law enforcement such as internet gaming and online pharmaceutical sales.
Specifics about the contemplated legislation have not been disclosed, though Lofgren has been quoted as noting that there are “reasonable arguments” that the way in which the government has seized domain names under the PRO-IP Act violates the Constitution. Lofgren’s bill will apparently propose that the government must provide notice and an opportunity to be heard before domain names are seized or redirected.
The addition of a procedural requirement for notice and hearing prior to domain name seizure would clearly be a favorable development. There have been cases in which the government has seized a domain name and later permitted it to resume operations, under agreed-upon restrictions, pursuant to an arrangement with the affected business. To the extent that businesses may negotiate such arrangements with the government, those arrangements could be reached without the potentially devastating interruption of a seizure. By giving counsel for the affected business the opportunity to be heard, such a requirement may also chill the overuse of domain name seizure by government as a means of gaining unfair leverage in cases involving Internet-based businesses.
The devil, of course, is in the details. Lofgren has reportedly sought input from the online social media community on this bill – particularly from Reddit. Hopefully, she will also seek input from those members of the legal community who have been involved in litigation over domain name seizures as well in order to ensure that the bill presented for consideration is as effective as possible in balancing the interests of all affected parties.
A current anti-piracy case demonstrates the U.S. government’s intent to enforce its copyright laws not just beyond national borders, but beyond the extent of logic. The U.S. Department of Justice has issued an arrest warrant and extradition order for a 24-year-old college student in England who ran a website that contained links to independent websites that hosted pirated television shows and movies. By holding a mere intermediary accountable for allegedly pirated content offered on other websites, the department has set an alarming precedent with major free speech implications.
Richard O’Dwyer, who has never left the United Kingdom, is at the center of a heated debate regarding U.S. laws related to copyright, free speech, and jurisdiction. O’Dwyer ‘s website, TvShack.net, is registered in the United States, thereby giving the U.S. government a claim to exert jurisdiction over it and its owner even though the servers hosting the website are not U.S.-based. The website allowed users to search for and link to other websites; the government alleges that some of those links led to pirated movies and television shows. The government seized the domain on June 30, 2010, for “violations of federal criminal copyright infringement laws.” O’Dwyer has been charged with conspiracy to commit copyright infringement and criminal infringement of copyright.
The government’s case against O’Dwyer raises a number of important issues. First, O’Dwyer himself did not host the allegedly infringing material. His website allowed users to run searches that returned links to both legal and allegedly illegal content on external websites. If O’Dwyer can be criminally prosecuted for the dissemination of copyrighted content that he did not host, where would the chain of liability for such content end? Would search engines linking to such websites bear responsibility for their content? Would anyone sending a link to that website face criminal prosecution, even someone who actually download or view the content? There is no telling how far the DOJ intends to push this issue, but O’Dwyer’s case is a good indication that the DOJ seeks to extend the limits as far as the courts will allow.
O’Dwyer’s status as a British subject raises less novel but no less compelling questions about the United States’ jurisdiction to extradite and prosecute individuals on copyright infringement charges. O’Dwyer’s extradition has been approved by the British courts as well as the British home secretary, but many still believe that any trial should take place in Britain since O’Dwyer has never set foot in the United States and the servers hosting the website were also not on our shores.
O’Dwyer is currently appealing the extradition. Last month, Wikipedia founder Jimmy Wales, in a rare political intervention, called upon British Home Secretary Theresa May to stop the extradition efforts.
The circumstances of this case are reminiscent of the high-profile Megaupload case, in which the U.S. government issued an extradition order for Kim Dotcom in New Zealand. Dotcom ran an internet “lockbox,” in which users could upload content, including video and music, to a website and then share access with other users. Factually, these cases differ in that Megaupload hosted the content that was uploaded by users, whereas O’Dwyer only provided links to other websites. New Zealand also appears less willing to approve extradition, having pushed a hearing on the matter to March 2013, while Dotcom remains free on bail.
In instances of intermediary liability, the need to protect copyrighted works is outweighed by an individual’s interest in remaining free from criminal prosecution for the acts of another. The remedy, if one is justified, is better addressed through civil penalties rather than criminal prosecution.
Federal Criminal (Other)
In March 2012, a resolution was introduced in the U.S. House of Representatives that would urge the U.S. Permanent Representative to the United Nations to oppose any resolution that would regulate the Internet. It is unfortunate that it turns out to be necessary to forestall Internet regulation at the U.N. level, but that appears to be the case. We support this resolution.
The resolution, House Concurrent Resolution 114, was introduced by Rep. Michael McCaul (R-Tex.) and Rep. Jim Langevin (D-R.I.), co-chairs of the House Cybersecurity Caucus, in response to growing fears that some nations will seek to regulate and censor the Internet. The sponsors cited a September letter from China, Tajikistan, Russia, and Uzbekistan outlining their plan to introduce a United Nations resolution on Internet governance.
Rep. Langevin said in a statement, “The proposals by some nations to gain international approval of policies that could result in Internet censorship would be a significant setback for anyone who believes free expression is a universal right. It must be made clear that efforts to secure the Internet against malicious hacking do not need to interfere with this freedom and the United States will oppose any attempt to blur the line between the two.”
The resolution was referred to the House Committee on Foreign Affairs on March 26, 2012, and no action has occurred on it since then.
Internet freedom has been a hotly debated issue on Capitol Hill in recent months with the Senate’s Protection of Intellectual Property Act (PIPA) and the House’s Stop Online Privacy Act (SOPA) becoming the focus of protests that eventually helped defeat the bills.
The Issue of Internet privacy will soon be dealt with at the international level. The World Conference on International Telecommunications (WCIT) is scheduled for December 2012, and countries such as China and Russia are expected to try to expand the authority of the International Telecommunications Union (ITU). The ITU is the United Nations agency that is responsible for worldwide standards in telecommunications, including regulation of the Internet.
The proposals that are expected to be considered could dramatically affect the Internet. Russian Prime Minister Vladimir Putin said last June that his goal is to establish “international control over the Internet” through the ITU. Accordingly, it’s understandable that many Americans fear that other nations could employ a new regulatory scheme to censor the Internet and control access to information. One reason that some of the protesters were so strongly opposed to SOPA and PIPA was the fear that once tools exist for regulating Internet content, they can be prone to abuse.
Internet access improves the quality of life for people across the world and represents a triumph of freedom of expression. Any agreement like the ones expected to be sought at the WCIT could have dramatic chilling effects on the freedom of the Internet. We will keep you up to date on any movement in Congress or in the United Nations regarding Internet freedom.
What had been touted as a great victory for Google in particular and for “Internet freedom” in general was just dealt a major blow when the U.S. Court of Appeals for the Second Circuit Court of Appeals overturned a lower court decision in Viacom’s lawsuit against Google and Google-owned YouTube.
Viacom, along with the English Premier League and various film studios and television networks, sued YouTube in 2007 alleging copyright infringement based on YouTube’s broadcast of some 79,000 copyrighted videos. The lower court had thrown out the case, granting summary judgment to YouTube and holding that YouTube was not responsible for the infringing activities at issue. The plaintiffs appealed. The Second Circuit brought new life back to the suit — and new life to the complaints some have made against online piracy, which recently hit the headlines with the introduction of the SOPA and PIPA bills in Congress.
At the heart of the lawsuit is the application of a 1998 federal law, the Digital Millennium Copyright Act, and one of its “safe harbor” provisions. The DMCA was enacted to carry out an international copyright treaty and to protect intellectual property online through anti-circumvention rules. Essential to Internet innovation (and to the growth and success of YouTube) are the DMCA’s safe harbor provisions, which limit liability of Internet service providers (ISPs) for copyright infringement by their users.
It’s been generally understood that, provided the ISP has a notice-and-takedown system in place for receiving complaints of infringing behavior and promptly responds to those complaints by removing the infringing material, the ISP would be good to go. That general understanding gave online services a major boost. A Wired article celebrating the 10-year anniversary of the DMCA attributed the success of blogs, search engines, e-commerce sites and social networking portals to the safe harbor provisions. And the lower court’s earlier decision in the Viacom-YouTube suit appeared to be an affirmation for “Internet freedom.”
But the recent Second Circuit reversal could mean a major change in philosophy and practice. The court effectively held that a notice-and-takedown regime is not enough to shield an ISP from copyright liability for users’ infringing activities. If it appears that an ISP had knowledge or awareness of specific infringements, it may need to take action before a copyright owner provides notice of the infringing behavior. The Second Circuit asked the lower court to determine whether any specific infringements of which YouTube had knowledge or awareness (as evidenced by internal emails at YouTube) correspond to the clips at issue in these actions. It further asked the lower court to determine whether YouTube made a “deliberate effort to avoid guilty knowledge.”
This latter question of whether an ISP could be held liable for “willful blindness” has not been fleshed out before in the context of the DMCA safe harbor provisions. If the lower court ends up determining that YouTube is on the hook for willful blindness, ISPs’ current M.O. of relying on notice-and-takedown procedures will need to change. Some might argue such a move could stifle innovation and curb “Internet freedom.” But adoption of a willful blindness doctrine may end up benefitting service providers and hosting companies: It could strengthen the argument that new legislation à la SOPA or PIPA is unnecessary as the DMCA already provides sufficient protection against copyright infringement, otherwise known as online piracy.
We previously wrote about the broad protests over two bills in Congress targeting online copyright infringement – the House’s Stop Online Privacy Act (SOPA) and the Senate’s Protect Intellectual Property Act (PIPA). We were pleased that the protests and other activities were effective in ending efforts to pass those versions of the legislation.
The protests were led by Internet businesses that argued that the bills would lead to censorship of the Internet and to the cutting off of useful, legal online content. Under these bills, websites such as Facebook and YouTube could have been found liable if they hosted infringing content. As a result of the massive protests, Congressional leaders were forced to table PIPA and SOPA for the time being.
Many critics of SOPA have instead announced their support for legislation sponsored by Sen. Ron Wyden (D-Ore.) and Rep. Darrell Issa (R-Calif.) as a means of preventing online piracy without threatening free speech. The Online Protection and Enforcement of Digital Trade Act (OPEN Act) would allow people or groups that own content on the Internet to ask the International Trade Commission (ITC) to investigate whether a foreign website is dedicated to piracy. The ITC would be given power to collect fees from complainants and to hire additional personnel for investigations. The website owner would be allowed to offer evidence to rebut the claim. If the ITC ruled in favor of the content owner, it could then direct payment firms and advertising networks to stop doing business with the site and require search engines to delete links.
SOPA and PIPA had contained language that would allow for the Department of Justice to “disappear” a website, meaning that it would require Internet service providers to disable the resolution of the site’s name by the Domain Name Service to an IP address. This would effectively eliminate the web site from the Internet. The OPEN Act would not give DOJ this power.
The OPEN Act would be able to deal with a primary concern of copyright holders — that the process would not be able to catch up with the speed that pirates are stealing intellectual property. Under the OPEN Act, copyright holders could request temporary restraining orders to protect their intellectual property in the short term, a provision that would be particularly important for websites seeking to protect live broadcasts over the Internet, such as sporting events.
NetCoalition, a technology industry group that counts Google, Yahoo!, Amazon, eBay, PayPal, Expedia, Bloomberg LP, and Wikipedia among its members, has said that it supports the OPEN Act.
The Senate version of the OPEN Act has been referred to the Finance Committee, and the House bill has been referred to the Judiciary Committee.
It is good news for Internet entrepreneurs, and for free speech, that SOPA and PIPA were defeated. In addition to the chilling effect on the Internet that would have occurred under either SOPA or PIPA, it makes no sense to use scarce criminal resources to prosecute piracy cases. The OPEN Act would represent a much better approach to combating online piracy.
The dispute resolution process under the OPEN Act would provide both parties with the opportunity to present their positions before an experienced tribunal that could resolve the issues on the facts before them.