DMCA Abuse?

After someone electronically lifted embarrassing e-mails from Diebold Inc. and posted them online, the company responded with a tactic that more and more companies are using to put a lid on Internet distribution of sensitive information: Diebold sent cease-and-desist notices to organizations hosting Web sites and forums that had published, or even linked, to the e-mails. The messages portrayed participants in Diebold's electronic voting business confirming their critics' worst nightmares about security vulnerabilities.

Information may want to be free. But specialists ' such as partner Russell Frackman of Los Angeles's Mitchell Silverberg & Knupp, one of Hollywood's leading copyright counsel ' say that sending such notices under the 5-year-old Digital Millennium Copyright Act (DMCA) succeeds, in the vast majority of cases, in promptly curtailing online distribution. The technique is so effective, critics contend, that it is often abused in situations where no copyright protection applies or ' as with the Diebold case ' there would be a strong fair use defense.

But Diebold's move blew up in its face. The company's enforcement efforts brought more attention to Diebold's security vulnerabilities, not less. If state election officials who will soon decide whether to use Diebold's technology in 2004 and beyond didn't already know about these vulnerabilities, they almost certainly do now.

Diebold quickly retreated and withdrew its demand letters to Internet hosts. Diebold Election Systems president Robert Urosevich didn't take a very hard line on copyright infringement, writing only that the Internet circulation “may not qualify as 'fair use' under the law.”

That, however, wasn't the end of the matter. Activists also sued Diebold in federal court in San Jose seeking damages and a declaration that the company's DMCA threats were unlawful. The litigation puts the company on the front lines of a backlash against the use of the DMCA to suppress arguably protected material.

The other front in this war was a lawsuit against national retailers. In 2002, and again in 2003, retailers tried to suppress Web circulation of leaked plans for their post-Thanksgiving “Black Friday” sale events. This information seemed much less entitled to copyright protection than Diebold's e-mails. Listings of sale items and their prices look like mere facts, not subject to copyright. Now, Best Buy Company, Kohl's Corporation and Target Corporation are in the same pickle as Diebold after FatWallet.com, a Web site for bargain shoppers, filed a declaratory judgment action against them.

The DMCA was enacted after Hollywood and the music industry lobbied heavily for greater protection of their works in the digital realms. Internet service providers like America Online also lobbied for relief when their customers commit bad acts, such as making unlawful copies, that they cannot control. That relief came in the form of section 512, which spells out a procedure commonly known as “notice and takedown.” The section creates a safe harbor for Internet hosts, immunizing them from liability if they remove material posted by customers after receiving notice. This gives the typically risk-averse host a great incentive for notice compliance, critics complain, and companies a devastating extrajudicial weapon for censoring embarrassing content without the costs, sanctions, and risks of litigation. “Oftentimes the legal efforts to stuff the genie back in the bottle work, so it can be entirely rational for a company to push the boundaries of the law to bottle up something embarrassing,” says Jonathan Zittrain, an associate professor at Harvard Law School.

Nonsense, reply others. If the poster formally challenges the infringement claim, the host must restore the removed information after a grace period, leaving the poster ' not the host ' with liability. “The checks and balances may not be perfect, but they work,” says partner Bruce Keller of New York's Debevoise & Plimpton.

While written largely for Hollywood, the DMCA is an equal opportunity law increasingly invoked far afield from entertainment piracy. “DMCA takedowns are the new black,” says Electronic Frontier Foundation lawyer Wendy Seltzer. She founded ChillingEffects.org, which collects and posts Internet-related demand letters.

“The DMCA is such a powerful tool to shut down potentially infringing material that everyone wants to fall under that protection” regardless of how good their copyright claim is, says Megan Gray, a Washington, DC, solo practitioner who previously worked at Cleveland's Baker & Hostetler. She represents parties on both sides of such disputes.

Diebold's takedown efforts, however, took down the sender. An unidentified hacker broke into a private Diebold computer site and discovered the e-mails. The messages then began to circulate. When the company last fall sent Swarthmore College a cease-and-desist letter concerning two students' links to an off-campus site that had posted the e-mails, the college grumbled but pulled the plug. That's when the matter got out of hand. A flash mob of computer scientists, libertarians, and others ' many already aroused against DMCA and what they considered Diebold's shoddy voting security ' swung into action. They swiftly spread the company's e-mails around the Internet, like a host of SoBig worms.

The viral spread of the e-mails threw Diebold's enforcement efforts into a virtual hall of mirrors. Diebold's attorneys at Medina, OH's Walker & Jocke cranked out cease-and-desists that opponents say numbered in the dozens. But even with routine compliance by nearly all of the hosts, the lawyers couldn't keep up with the information's spread. Bloggers brought the messages to the attention of untold thousands who never would have heard of them. Peer-to-peer networks, such as KaZaA ' where one user reported seeing the e-mails offered by more than 100 sources ' compounded the problem.

Diebold was playing a losing game of Whack-A-Mole, an arcade amusement game in which the player bashes with a mallet faux rodents that keep popping up out of holes. The mass media jumped on the story, transforming what had been a geek flap into a civics cause celebre.

Then came the lawsuit, filed by Seltzer's EFF and Stanford Law School's cyberlaw clinic on behalf of the two Swarthmore students and the Online Policy Group, a nonprofit that hosted a Web site linking to the e-mails. Shortly after, FatWallet.com filed its suit against the retailers in the Northern District of Illinois.

In retreat, Diebold withdrew its notices in December and struggled to extricate itself from the lawsuit. “Although we believe our legal position was and continues to be correct, we recognize that our DMCA efforts have become the story, and may be influencing the debate on how America's votes can be recorded and tallied most accurately,” Diebold's Urosevich wrote to the hosts his company had threatened. “To help refocus the public debate on that central issue, and recognizing that a significant amount of the stolen e-mail archive is now readily available on the Internet, Diebold has decided not to sue ISPs [hosts] or their subscribers for the noncommercial use of the materials.”

The moral? Diebold and the retailers group serve as alarms that companies with questionable copyright claims may find themselves called on the carpet for invoking the DMCA notice-and-takedown procedure. Attorneys should advise even irate executives with valid grievances to consider letting disclosure go rather than drawing vastly greater attention to it by escalating through enforcement, says partner Ian Ballon of Los Angeles's Manatt, Phelps & Phillips.

The Black Friday sale leaks present a good argument for holding off, says partner Jonathan Band of the Washington, DC, office of San Francisco's Morrison & Foerster. The information had a short shelf life by definition, and retailers, of all companies, should be sensitive to the risk of portrayal as old-world Goliaths beating up on digital Davids.

If a company does start sending out cease-and-desist notices, lawyers advise that it should think twice about continuing if the material starts hopping from site to site. “Once the efforts begin, it can be hard to know when to stop them,” Zittrain says. “Lawyers can keep on going like Energizer bunnies even after it's clear that the leaks have spread to secondary sources and the cover-up attempt itself is becoming the story.”

After someone electronically lifted embarrassing e-mails from Diebold Inc. and posted them online, the company responded with a tactic that more and more companies are using to put a lid on Internet distribution of sensitive information: Diebold sent cease-and-desist notices to organizations hosting Web sites and forums that had published, or even linked, to the e-mails. The messages portrayed participants in Diebold's electronic voting business confirming their critics' worst nightmares about security vulnerabilities.

Information may want to be free. But specialists ' such as partner Russell Frackman of Los Angeles's Mitchell Silverberg & Knupp, one of Hollywood's leading copyright counsel ' say that sending such notices under the 5-year-old Digital Millennium Copyright Act (DMCA) succeeds, in the vast majority of cases, in promptly curtailing online distribution. The technique is so effective, critics contend, that it is often abused in situations where no copyright protection applies or ' as with the Diebold case ' there would be a strong fair use defense.

But Diebold's move blew up in its face. The company's enforcement efforts brought more attention to Diebold's security vulnerabilities, not less. If state election officials who will soon decide whether to use Diebold's technology in 2004 and beyond didn't already know about these vulnerabilities, they almost certainly do now.

Diebold quickly retreated and withdrew its demand letters to Internet hosts. Diebold Election Systems president Robert Urosevich didn't take a very hard line on copyright infringement, writing only that the Internet circulation “may not qualify as 'fair use' under the law.”

That, however, wasn't the end of the matter. Activists also sued Diebold in federal court in San Jose seeking damages and a declaration that the company's DMCA threats were unlawful. The litigation puts the company on the front lines of a backlash against the use of the DMCA to suppress arguably protected material.

The other front in this war was a lawsuit against national retailers. In 2002, and again in 2003, retailers tried to suppress Web circulation of leaked plans for their post-Thanksgiving “Black Friday” sale events. This information seemed much less entitled to copyright protection than Diebold's e-mails. Listings of sale items and their prices look like mere facts, not subject to copyright. Now, Best Buy Company, Kohl's Corporation and Target Corporation are in the same pickle as Diebold after FatWallet.com, a Web site for bargain shoppers, filed a declaratory judgment action against them.

The DMCA was enacted after Hollywood and the music industry lobbied heavily for greater protection of their works in the digital realms. Internet service providers like America Online also lobbied for relief when their customers commit bad acts, such as making unlawful copies, that they cannot control. That relief came in the form of section 512, which spells out a procedure commonly known as “notice and takedown.” The section creates a safe harbor for Internet hosts, immunizing them from liability if they remove material posted by customers after receiving notice. This gives the typically risk-averse host a great incentive for notice compliance, critics complain, and companies a devastating extrajudicial weapon for censoring embarrassing content without the costs, sanctions, and risks of litigation. “Oftentimes the legal efforts to stuff the genie back in the bottle work, so it can be entirely rational for a company to push the boundaries of the law to bottle up something embarrassing,” says Jonathan Zittrain, an associate professor at Harvard Law School.

Nonsense, reply others. If the poster formally challenges the infringement claim, the host must restore the removed information after a grace period, leaving the poster ' not the host ' with liability. “The checks and balances may not be perfect, but they work,” says partner Bruce Keller of New York's Debevoise & Plimpton.

While written largely for Hollywood, the DMCA is an equal opportunity law increasingly invoked far afield from entertainment piracy. “DMCA takedowns are the new black,” says Electronic Frontier Foundation lawyer Wendy Seltzer. She founded ChillingEffects.org, which collects and posts Internet-related demand letters.

“The DMCA is such a powerful tool to shut down potentially infringing material that everyone wants to fall under that protection” regardless of how good their copyright claim is, says Megan Gray, a Washington, DC, solo practitioner who previously worked at Cleveland's Baker & Hostetler. She represents parties on both sides of such disputes.

Diebold's takedown efforts, however, took down the sender. An unidentified hacker broke into a private Diebold computer site and discovered the e-mails. The messages then began to circulate. When the company last fall sent Swarthmore College a cease-and-desist letter concerning two students' links to an off-campus site that had posted the e-mails, the college grumbled but pulled the plug. That's when the matter got out of hand. A flash mob of computer scientists, libertarians, and others ' many already aroused against DMCA and what they considered Diebold's shoddy voting security ' swung into action. They swiftly spread the company's e-mails around the Internet, like a host of SoBig worms.

The viral spread of the e-mails threw Diebold's enforcement efforts into a virtual hall of mirrors. Diebold's attorneys at Medina, OH's Walker & Jocke cranked out cease-and-desists that opponents say numbered in the dozens. But even with routine compliance by nearly all of the hosts, the lawyers couldn't keep up with the information's spread. Bloggers brought the messages to the attention of untold thousands who never would have heard of them. Peer-to-peer networks, such as KaZaA ' where one user reported seeing the e-mails offered by more than 100 sources ' compounded the problem.

Diebold was playing a losing game of Whack-A-Mole, an arcade amusement game in which the player bashes with a mallet faux rodents that keep popping up out of holes. The mass media jumped on the story, transforming what had been a geek flap into a civics cause celebre.

Then came the lawsuit, filed by Seltzer's EFF and Stanford Law School's cyberlaw clinic on behalf of the two Swarthmore students and the Online Policy Group, a nonprofit that hosted a Web site linking to the e-mails. Shortly after, FatWallet.com filed its suit against the retailers in the Northern District of Illinois.

In retreat, Diebold withdrew its notices in December and struggled to extricate itself from the lawsuit. “Although we believe our legal position was and continues to be correct, we recognize that our DMCA efforts have become the story, and may be influencing the debate on how America's votes can be recorded and tallied most accurately,” Diebold's Urosevich wrote to the hosts his company had threatened. “To help refocus the public debate on that central issue, and recognizing that a significant amount of the stolen e-mail archive is now readily available on the Internet, Diebold has decided not to sue ISPs [hosts] or their subscribers for the noncommercial use of the materials.”

The moral? Diebold and the retailers group serve as alarms that companies with questionable copyright claims may find themselves called on the carpet for invoking the DMCA notice-and-takedown procedure. Attorneys should advise even irate executives with valid grievances to consider letting disclosure go rather than drawing vastly greater attention to it by escalating through enforcement, says partner Ian Ballon of Los Angeles's Manatt, Phelps & Phillips.

The Black Friday sale leaks present a good argument for holding off, says partner Jonathan Band of the Washington, DC, office of San Francisco's Morrison & Foerster. The information had a short shelf life by definition, and retailers, of all companies, should be sensitive to the risk of portrayal as old-world Goliaths beating up on digital Davids.

If a company does start sending out cease-and-desist notices, lawyers advise that it should think twice about continuing if the material starts hopping from site to site. “Once the efforts begin, it can be hard to know when to stop them,” Zittrain says. “Lawyers can keep on going like Energizer bunnies even after it's clear that the leaks have spread to secondary sources and the cover-up attempt itself is becoming the story.”