Linking Rules for "Hacking" and Other Alternative Websites |
Joe would argue that he only provides a link to the site, and that he canÆt be responsible for the illegal acts of others. The copyright owners arenÆt charging him with copyright infringement, but rather a highly controversial subsection of the DMCA, which bans the act of circumventing, the development and trafficking of tools used to circumvent, and trafficking in the tools that can infringe on the work after it has been circumvented or accessed. Joe would surely try to suggest that he is not "trafficking" in the program by making the argument that it is not illegal for a newspaper to publish the address of a store that sells obscene material. He, like the newspaper, is merely pointing to the address where the illegal contraband may be located. Unfortunately for Joe, a New York federal District Court and a Second Circuit Court of Appeal has found that under certain circumstances discussed below, the court can force Joe to delete the links to the DMCA offending material. This article will look at the courtÆs linking arguments and suggest ways that web site owners can avoid falling into the category of being a "trafficker" by following the rules set out by the court. It should be stressed that this is only the current law in the Second Circuit, which includes the states of Connecticut, New York and Vermont. However, other jurisdictions could consider these holdings "persuasive," which means that they donÆt have to follow the rules set out in the cases, but they can use them if they find the application of the law was appropriate.
The first thing to clarify is what you can have on your website, and what you can link to. If you are a US-based website, which means either a business or server presence located in a US State or territory, then you likely will fall under some US jurisdiction. Just because you are a "cyber" company with no tangible assets does not mean that you are above US jurisdiction. As the US Attorney has argued in the Elcomsoft/Sklyarov DMCA criminal case, you can fall under US personal jurisdiction even if you are a Moscow software development company with no assets, personnel, or presence in the US. In that case, the Moscow-base company offered software that potentially violated the DMCA anti-circumvention provisions on an Internet server based in Chicago and entered into a distribution agreement with a Washington state-based online software distributor and transaction processor. The US Attorney argued that the act of offering the software on the Chicago server, as well as the distribution agreement that allegedly targeted US consumers, was enough to bring criminal charges against the Russian firm. They gained personal jurisdiction over the company when one of its employees came to the US to speak at DefCon. If no one from the company ever stepped foot in the US, they had no assets in the US, and the program was legal in Russia, then the US government could not have done anything against the Russian company. In order to extradite someone from another country to the US, there must be a bilateral treaty where the act was illegal in both countries and the crime was committed in the requesting country by the defendant. Since the program was arguably legal in Russia, extradition was not an option.
The Broad Rules of Thumb: The first broad rule of thumb is that you should never store on a website any content that could subject you to a lawsuit. This goes for ISPs, discussion groups, as well as commercial and private web sites. Objectionable content can be defamatory, which can lead to civil damages if the person can show that there is defamatory language that tends to adversely affects oneÆs reputation, can be shown to be "of and concerning the plaintiff," is published on the Internet by someone who directly was responsible for writing the statement or by a secondary person knew or should have known that the statements were defamatory, and that there was damage to the plaintiffs reputation as a result. Content can also infringe on anotherÆs intellectual property, such as copyright, trademarks and patents. If you receive notice that there is infringing material on your site, it is wise to pull it immediately and then seek counsel from an attorney. Content can also be criminal if, for example, it contains obscene material or malicious code. These are some of the types of content that you should not reside on your server if you are a US resident, US company, commercially target the US or have a US-based server. The second broad rule of thumb in light of the holding in the Universal et al. v. Reimbursed et al case, is that you should be very careful when you provide a hyper link from you website to another site that might contain any "actionable" or legally objectionable content. In Reimerdes, the Motion Picture Association of America sought to prohibit Eric Corley from hosting and linking to a program that threatened the viability of their DVD access control measures. Corley was a print and electronic publisher of the well-known "hacker" magazine 2600, which provides extensive research, news and other articles on phreaking, hacking, cracking, and network security. In November 1999, Corley posted a copy of the decryption program "DeCSS" on his 2600.com website and also provided many hyperlinks to other server sites that hosted DeCSS. The District Court in New York issued a permanent injunction that barred Corley from posting DeCSS on his website or from "knowingly linking via a hyperlink to any other website containing DeCSS. Corley sought appellate review of the lower court holding, where the Second Circuit Court of the Appeals upheld the trial court link injunction. This case is a good case to discuss because Corley lost on every point in two federal courts.
What Can You Link To and Why: 1. Never Taunt the Court or the Plaintiff: In the 2600 case, there are three words that seriously impacted their defense û "electronic civil disobedience." The trial court referred to that statement three times in the ruling, each time with an increasing distaste for the defendant. When the court issued a preliminary injunction prohibiting Corley from hosting the DeCSS program on his site, he encouraged visitors to download the program from other servers via hyperlinks on his site as a sign of "electronic civil disobedience." To make matters worse, Corley wrote on the website "We have to face the possibility we may be forced into submission. For that reason itÆs especially important that as many of you as possible, all throughout the world, take a stand and mirror these files." In the plaintiffÆs brief, it was also noted that Corley defied "the authorities to shut down his site promoting the free copying of DVDs, stating that æthere is no lawyer that can prevent us,Æ and announced: "Notice: The DVD Copy Control Association are c---suckers!" The court also noted that Corley placed the hyper links to the mirrored sites only after he ensured that the other sites were in fact the posting DeCSS code. The court was not amused. Judge Kaplan wrote that the "defendants obviously hoped to frustrate plaintiffÆs recourse to the judicial system by making effective relief difficult or impossible." Those are strong words that you donÆt want to ever have a judge make about your actions. In other words, Judge Kaplan said that by encouraging others to download DeCSS on other sites as an act of disobedience, Corley was trying to get around the system to harm the plaintiffs. The judge ensured he had the last laugh. It is important to understand that Corley could have been liable for money damages. The MPAA sought damages pursuant to 17 U.S.C. Section 1203(c) and (b), which would have been statutory damages of $2,500 per offer of DeCSS! These damages could have been "incalculable," as Judge Kaplan explained. However, because the defendants had no assets to speak of, and that the damage amount was too speculative to calculate, the court held that there was an inadequate remedy at law and therefore injunctive relief was the only available remedy. The most obvious lesson to be learned from the above reaction is that you should never taunt the courtÆs ability to comprehend the technology or enforce judgements. Judges unofficially use what is called a "smell test" to size up the character and motive of the parties in an action. When there are signs that one side is acting in a cocky, arrogant, and underhanded sly manner, the courts are not going to be favorably predisposed to that party, to say the least. While CorleyÆs exasperation with the situation he found himself in with the MPAA is understandable, in the end it was counterproductive because the court saw it as evidence of his intent to violate the DMCA and recognition on his part that the program was controversial and legally questionable.
2. Write all copy and messages with careful deliberation: Whenever you are writing copy for a website, you unfortunately always have to consider how that text would look in the courtroom as "Exhibit 659." Also, with much of the Internet cached on the Way Back Machine and other archives, not only your present words, but all of your past online statements can be used against you. So the words used on a web site, even if taken down by you at a later time, could be cached somewhere on the Internet. Also, prosecutors and lawyers have become savvy at researching newsgroup archives and discussion groups for written statements that can be used against you. Whenever you submit comments on Slashdot or your favorite newsgroup, you need to think about the consequences of the statement. Is it an opinion that, if used in court, could weaken a position about actions on your website? Most laws require some form of intent, knowledge or notice, and barring some statement made on the witness stand or in a deposition, they need to prove it by bringing in other statements or actions to show you intended the consequence of your "wrongful" actions. For example, in order to prove that you developed a piece of software to duplicate copyrighted music, your argument that there are significant non-infringing uses of the program is shot down if there is a newsgroup discussion where you brag about how the program is going to bring the music monopoly to its knees. In the Napster saga, Judge Patell found that internal e-mails indicated that the Napster founders had copyright infringement as the motive for their program. A document authored by co-founder Sean Parker mentioned the need to remain ignorant of users' real names and IP addresses "since they are exchanging pirated music." The same document stated that, in bargaining with the RIAA, Napster will benefit from the fact that "we are not just making pirated music available but also pushing demand." Judge Patell found that "these admissions suggest that facilitating the unauthorized exchange of copyrighted music was a central part of Napster, Inc.'s business strategy from the inception." Like diamonds, digital messages are forever. By now you should be aware that linking to anything on another site that could get you in trouble if it was located on your own site is a dangerous activity. But it doesnÆt mean that all links to online contraband should be banned. If that were the case, then there would be a great "chilling effect" on web-based communication because hyperlinks lie at the heart of the webÆs interactivity. The courts have been concerned that such a blanket ban would be unconstitutional because it would be a form of prior restraint, or communication that is prohibited even before it is made. For example, the court in 2600 was concerned that "legitimate" news outlets, like the New York Times, would be liable for links on their website that discussed controversial subjects. The trial court in 2600 developed a simple formula to guide courts and web site owners through this potential minefield. The Court of Appeals hinted that the 2600 linking formula was even too rigid and that they would be willing to work with a more "chilling" formula.
3. The 2600 Linking Test: Judge Kaplan developed a simple linking formula to help determine when links to "contraband" should be restricted or banned and to limit the potential for a chilling effect on "legitimate" links by the media. He required that there should be clear and convincing evidence that those responsible for the link:
Finally, the court had an easier time justifying the last prong û that the link was created for the purpose of disseminating the technology. Corley stated that was his intention on his website.
4. Link to Pages that Contains A Lot of Legitimate Content The court, in a footnote, commented that "deep links to a page containing only DeCSS located on a site that contains a broad range of other content, all other things being equal, would be more likely to be found to have linked for the purpose of disseminating DeCSS." However, the court seemed to infer that a link to a "home page of the linked-to site" would be less likely to be found a dissemination.
5. DonÆt Advertise the Link as a Way to Get Around a Law: The court noted that sites "that advertise their links as a means of getting DeCSS presumably will be found to have created the links for the purpose of disseminating the program." This was the case on 2600.com, and the court came down hard on Corley as a result. Remember that the courts are going to look hard at your motivation for posting links or hosting software. The court in 2600 wanted to draw a line between "legitimate" news sources, such as the New York Times, and hacking sites, such as 2600. The court recognized that legitimate network security boards and web sites provide a significant role in promoting scientific dialog, research and development. There is nothing wrong with strongly criticizing ideas and laws. That is protected speech. However, if that critical speech is combined with links to "illegal" contraband as a way to resist the ideas or laws, then the court could view that as an intent to traffic in the contraband. But if the site seriously discusses the program and provides a link to another "serious" website that contains the program without a deep link directly to the program, then the court may view the link in a more speech-protected manner. The website should be devoid of all references to supporting hacking, cracking, etcà - check the metatags and archived versions of the website!
7. "Add Your Own Link" Scripts: There is code that allow users to automatically submit links to a site without the involvement of the website owner. This might place the website in the bulletin board status where the court will look at the extent of editorial discretion to see if and when the bulletin board operator was on notice of infringing material. If no discretion is exerted, then the operator is likely put on notice when he receives a take down notice informing him of the offending material. It is wise to pull the content immediately and then try to sort out who is wrong. It could be argued that the same applies to links automatically submitted and posted on the site without the ownerÆs involvement or awareness. However, this is not an advisable approach because the court is likely to see through this if it was developed to avoid notice. Website operators do have some responsibility for the content of their sites. It would be risky to test the courtÆs interpretation of your intent.
8. To "href" or Not to "href=": In the two 2600 opinions, the court went into extensive discussion about the Constitutional protection and status of hyperlinks. Specifically, Corley argued that the links are constitutionally protected expression and the court must apply the highest form of First Amendment scrutiny. Judge Kaplan noted that a hyperlink contains both speech and non-speech elements. A hyperlink "conveys information, the Internet address of the linked webpage, and has the functional capacity to bring the content of the linked webpage to the user's computer screen." Judge Kaplan concluded that a hyperlink is content- neutral because it is performs a function without regard to the speech component of the hyperlink. Basically, if a prohibition is content-neutral, the court applies a less rigorous test than it does against restrictions placed on the content of the speech. Content neutral means that Congress isnÆt trying to restrict speech based on a message, but rather time, place or manner of the speech and it applies to all relevant messages, regardless of what is said. One way to think about neutral content is whether the law treats a sign that is in English the same as a sign written in Swahili. If it bans all signs regardless of the message, the court will apply something called the OÆBrien test. The court will look at the regulation to see if it served a substantial governmental interest and the regulation was unrelated to the suppression of free expression. In other words, does the restriction on the neutral speech involve a substantial government interest and that the purpose of the law is not to restrict certain speech. Judge Kaplan was looking at the impact of the injunction on the hyperlink ban and determined that a hyperlink is functional more than expressive because the point of the "href" code that creates the link is meant to provide instructions to the browsers and servers to deliver a specific page located on another server. Both the trial court and the appellate court made a huge issue that hyperlinks make "the materials à available for instantaneous worldwide distribution" and that "the linked web site is just one click away." What would happen if the website merely provided the URL without a hyperlink? In reality, the court might find it two identical in purpose. But the functionality h as been taken out and perhaps the URL is more like protected speech. Some news organizations have already begun to refer to the URL without hyperlinks. However, the appellate court asked the plaintiffs whether banning the hyperlinks would permit the court to issue an injunction prohibiting a newspaper from printing addresses of bookstore locations carrying obscene materials. The concluded that there is a distinction between the two medias because the police can seize the obscene material before the newspaper publishes the address of the bookstore. However, if "obscene materials are posted on one web site and other sites post hyperlinks to the first site, the materials are available for instantaneous worldwide distribution before any preventive measures can be effectively taken." Following the courtÆs logic, merely posting the URL without the hyperlink tags would still allow near "instantaneous worldwide distribution" compared to the bookstore.
9. Using a Search Engine to Query 3rd Party Websites
There are many "hacking" and network security websites that employ search engines to locate material on other servers. This might actually trigger a very interesting area of the DMCA û the safe harbor exemptions of 512(a) for information location tools. The concept here is that the website only provides for users to chose the terms they are looking for on 3rd party websites that are beyond the control of the website. In 2600, the courtÆs hyperlink conclusions were based around the websiteÆs knowledge that the offending material is located on the 3rd party site, that it knows that the material is not lawful and the link was created for the purpose of disseminating the technology. However, a search engine that queries another site could eliminate the "knowledge" requirements and the purpose of dissemination because there is no way that the website could know in advance what the user would be looking for on a 3rd party site. Under the Information Location Tools safe harbor located in 17 USC Sec. 512, a web site can be shielded from application of the DMCA. Here is an edited version of the safe harbor.
Information Location Tools. A service provider shall not be liable à for infringement of copyright by reason of the provider referring or linking users to an online location containing infringing material or infringing activity, by using information location tools, including a directory, index, reference, pointer, or hypertext link, if the service provider û (1) (A) does not have actual knowledge that the material or activity is infringing; (B) in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; or (C) upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material; (2) does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity; and (3) upon notification of claimed infringement as described in subsection (c)(3), responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity, except that, for purposes of this paragraph, the information described in subsection (c)(3)(A)(iii) shall be identification of the reference or link, to material or activity claimed to be infringing, that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate that reference or link. In other words, if a website provides a search capability to a third partyÆs website and does not have actual knowledge or is not aware of infringing material, and does not directly receive a financial benefit, then it can be argued that the safe harbor applies, atleast to infringing activity. However, the anti-circumvention provisions do not concern the act of "infringement," but rather the act of circumventing and devices used to circumvent. So it is not clear whether the argument can be made, that atleast with regard to anti-circumvention, search queries to a third party site could be shielded by the Section 512 safe harbor provisions. But there is a better argument that searches to infringing material, like MP3s, cracker programs, etcà could be shielded. It goes without saying that this has not been extensively interpreted by the courts and could involve some risks. One thing appears to be certain: if you intend to apply the safe harbor provisions, you must carefully follow the "take down" provisions. If you receive a "take down" notice, immediately call your lawyer and have him advise you on the appropriate procedures to ensure that you are complying with the law. If you donÆt effectively comply with the take down provisions, you could lose the defense. One reason why the courts might be hesitant to attach liability to search engines for displaying offensive results is because search engines play such a critical role. With billions of webpages to chose from, the Internet would cease to function properly without search engines directing users to queried content. It would be unrealistic for Google.com to be responsible for search results that turned up links to legally offensive material. Likewise, the courts would be hard-pressed to punish "hacking" websites that merely provide the ability for users to query selected 3rd party websites that they have no control over, or receive any direct financial benefit. However, the courts seem to dislike rebel defendants hiding behind the larger impact precedents û i.e., that "you must apply the same standard to us as them." The 2600 court dealt with that issue in the linking of large "respectable" websites like the New York Times compared to 2600.com by requiring a that the link be created "for the purpose of disseminating the technology." The New York Times didnÆt and 2600.com did û end of story. The court could apply a similar fuzzy distinction with search engines located on "hacking" sites by strengthening the Section 512 "is not aware of facts or circumstances from which infringing activity is apparent" clause. The court would look for evidence that the website operators were "aware" of the circumstances in which the 3rd party site they offer search queries on contain infringing or other offensive material. Once again, the tone and overall purpose of the website might become a relevant issue.
Conclusion: For non-US website, first determine whether you can be brought under US jurisdiction. Next, try to determine whether the content is illegal in your own jurisdiction. If it is illegal, but it is legal in other countries, then do not host the content on your server. If you provide a link to the offending content, then you must be very careful about the context in which the link is created. If the court can infer in any manner that the link was created to disseminate the content and encourage others to disseminate it, then the court could come down heavy on you. However, if the context is scientific or serves some other legitimate, useful and responsible purpose, then the court might allow the link, even though it wouldnÆt allow you to host the content on your own server. This has not, to my knowledge, been clarified by the courts, so under these circumstances, link at your own risk, and if you receive a complaint, pull the link immediately until the status of the content is determined. It should also be noted that you could be extradited from your country to the US if the content is illegal in your country, your acts concerning the content is prohibited, there is an extradition treaty with the US that specifically includes these types of offenses, and the offense was committed in the US. However, that is a lot of "ifs". Realistically, your own jurisdiction will prosecute you for violating the law in your jurisdiction. However, if you visit the US, the authorities have the right to arrest you subject to an indictment and hold you in custody as a flight risk. If you live in an EU jurisdiction, you could be extradited to another EU country for a criminal violation of copyright laws, according to the most recent EU Cybercrime Convention. Until the court decides on the Constitutionality of the DMCA, and perhaps maybe the US Supreme Court, US websites that contain links to potentially offending content should be put on notice that the court can enjoin such links, and cost the website owners a significant amount of money in legal fees. All websites that link to obviously illegal content, such as passwords, serial numbers, copyrighted software, cracks, trojan software with little or no legitimate uses, virii, etcà should expect a visit from the Feds at some point in their career. The most important thing to keep in mind when developing your website is to honestly ask yourself how the website would look as an evidence exhibit in court to a judge? If it looks like a duck, walks like a duck, and squawks like a duck, the court is likely to find it is a duck, not matter how clever the technical ruses are used.
|
Credits: |
Bill Reilly is a California-based network security attorney, member of the California Bar and a GIAC-certified Advanced Incident Handler. Bill Reilly can be contacted at reilly@ebutik.com or US: (415) 771-3463. Copyright(c) 2002 William Reilly. All rights reserved. This article does not in any way offer legal advice of
any kind. Rather, the article is meant as a comment and analysis of a
statute and may not be taken for specific legal advice. Please seek legal
advice from an attorney in your jurisdiction for advice specific to your
situation. |
Endnotes: |
1. For more information on how non-US companies can avoid US jurisdiction, read my article Write Code û Go to Jail: A look at the DMCA criminal liability for non-US software developers. 2. The program AEBPR is supposedly legal under Russian law. In fact, Russian law supposedly requires the ability for backup copies to be made of certain media. 3. A complete discussion of copyright law and the DMCA defenses is beyond the scope of this article. 4. The actual defendants were Eric Corley, Shawn Reimerdes and Roman Kazan. For simplicity, this article will refer to all of the defendants as "Corley." 5. The Preliminary Injunction Motion also sought damages. The motion asked "For damages in such amount as may be found and requiring Defendants to account for and pay over to Plaintiffs all profits delivered from all acts of circumvention of copyright protection systems; alternatively, for statutory damages in the amount of $2,500 for each act of circumvention, device, product, component, offer, or such other amount as may be proper pursuant to 17 U.S.C. Section 1203(c); and 3. For PlaintiffsÆ attorneysÆ fees and costs pursuant to 17 U.S.C. Section 1203(b). 4. For prejudgment interest; 5. For costs incurred in this action; 6. For such other and further relief as the Court deems just and proper." The defense at one point tried to get Judge Kaplan off the case by claiming he has personal animosity to the defendantÆs counsel and had a conflict of interest due to prior relations with the plaintiffÆs counsel. 7. MattÆs Script Archive - http://worldwidemart.com/scripts/links.shtml 8. For an example, visit Astalavista at http://www.astalavista.com/ 9. Read Write Code û Go to Jail: A look at the DMCA criminal liability for non-US software developers for suggestions. |