CDT Testimony

Consumer Privacy and Government Technology Mandates in the Digital Media Marketplace

Prepared Statement of Alan B. Davidson
Associate Director, Center for Democracy & Technology

before the

Senate Committee on Commerce, Science, and Transportation

September 17, 2003

Mr. Chairman and members of the Committee, the Center for Democracy & Technology (CDT) is pleased to have this opportunity to speak to you about the difficult questions surrounding the expedited subpoena provision of the Digital Millennium Copyright Act (DMCA) and the enforcement of copyright online. CDT is a non-profit, public interest organization that is dedicated to promoting civil liberties and democratic values on the Internet. CDT is pleased to be part of today's hearing, both because of our long history of involvement in online privacy issues and our current efforts to craft a balanced consumer perspective on digital copyright.

We are at a critical moment in the evolution of digital copyright. Facing extensive unauthorized redistribution of their copyrighted material, recording companies have, for the first time, begun a large-scale campaign against individuals who the companies believe are infringing their copyrights online. While enforcement is unpopular, it is likely necessary. The question for this hearing is how to give copyright holders the tools they need to enforce their rights in the unique landscape of the digital world, while at the same time protecting the due process rights and privacy interests of individuals.

The expedited subpoena authority of the DMCA provides an important tool for copyright enforcement, but one that raises real privacy concerns for Internet users. We believe that with added safeguards a balance can be struck that gives users reasonable protections while ensuring that copyright owners are able to proceed against online infringers.

I wish to emphasize four key points in my testimony:

The 512(h) issue is, of course, just one part of the much broader question of how best to protect copyright while protecting reasonable uses and encouraging innovation.

We note that there are many privacy issues raised by file trading and digital rights management beyond 512(h). For example, studies show that many peer-to-peer users inadvertently share personal information on their computers and that so-called spyware within some peer-to-peer applications creates serious privacy concerns. While this hearing is focused on 512(h) subpoenas, members of this Committee have been among the leaders in Congress on privacy issues, and we look forward to working with you to address these broader privacy concerns.

Mr. Chairman, CDT commends the efforts that you and this committee have made to address the important privacy questions raised by the use of Section 512(h) subpoenas. CDT believes a balanced approach is possible, and that Congress is the appropriate place for that balance to be struck.

I. The Need for Copyright Enforcement Online

Copyright holders face serious challenges in the online, digital world. With peer-to-peer file sharing networks and other powerful communications technologies at their disposal, Internet users are able to share content to a greater extent than ever before. While these technologies hold the potential to advance social discourse, transform content delivery, encourage creative production, and promote economic growth, they have, at the same time, allowed rampant copyright infringement that threatens the businesses of many content producers.[1]

Widespread use of the current generation of peer-to-peer programs, which do not include centralized servers, has forced copyright holders to go after infringing users themselves. In the last several months, the recording industry has started to do just that.

CDT supports copyright holders' ability to enforce their rights online, consistent with due process. It is important for consumers to have a copyright system that rewards authors and encourages the production of quality music, video, and other information goods. Determining the proper level and means of protection represents a delicate balancing act, but enforcement of existing statutes is necessary to ensure that legal balancing is translated into practice. It is essential that consumers and computer users understand the consequences of their actions online.

This summer's actions did not come without warning. We are encouraged by the RIAA's assurance that it is pursuing only egregious violators of copyrights. In its continuing legal efforts, we urge the RIAA to maintain a commitment to focus not on de minimis traders, but rather on those individuals who most clearly appear to have engaged in substantial violations of copyright law.

We believe the RIAA's continued legal offensive could have a rapid and significant effect in reducing the amount of infringement online, especially if it is coupled with attractive legal sources of digital music for consumers. These suits will send a clear, and unfortunately probably necessary, message that the content industry is serious about protecting its copyrights.

We believe that enforcement will be most effective if accompanied by legal, affordable alternatives and coupled with consumer education efforts. In the long run, cracking down on music piracy without providing attractive legal alternatives will only alienate consumers. And while the RIAA has done much to educate consumers already, the early reactions to the lawsuits filed last week demonstrate that many consumers still do not understand their rights and responsibilities under copyright law. The RIAA must share some of the responsibility in addressing this problem.

It is important that the music industry's enforcement efforts be viewed in the context of the ongoing policy debate about potential legal mandates for copy protection technology. Technology mandates raise extremely difficult issues regarding innovation and reasonable uses of copyrighted works. We note that the RIAA itself has chosen to pursue enforcement and new delivery models rather than call for new laws. CDT believes it makes sense to pursue enforcement of existing powerful copyright laws before pursuing controversial and difficult new technology mandates.

II. The Importance of an Expedited Subpoena Process

Technology has changed the target of copyright enforcement. On the Internet, millions of people are publishers. Because current peer-to-peer file-sharing networks do not include any centralized storage facility, the music industry cannot cut off the flow of copyrighted material by suing a single centralized defendant. In order to address infringement occurring on these file-sharing networks, the industry is forced to go after individual consumers.

For this reason, it is easy to see why an expedited subpoena process could be an important tool for enforcement. Copyright enforcement ultimately relies on identifying end users thought to be in violation of copyright, even when the users are not storing any infringing material on an ISP's hardware. The number of actions required to effectively enforce copyright on peer-to-peer networks could be substantial. An expedited subpoena process allows copyright holders to contact suspected infringers without filing a federal lawsuit, a less costly approach for those enforcing copyright.

512(h) subpoenas do raise privacy and due process concerns for users, as we note below. For that reason many parties have argued that subscriber identity should only be revealed in the context of a federal John Doe lawsuit that provides additional judicial oversight for a third-party subpoena to get subscriber identity.

Provided appropriate safeguards are added to 512(h), it is not clear to us that suspected users would, in fact, be better off as defendants and targets of discovery actions in a federal lawsuit than as subjects of the much more limited disclosure allowed by the 512(h) subpoena. Even though they occur with judicial oversight, disclosures under a John Doe suit can be much more invasive, including financial data and surfing habits. An expedited subpoena process at least makes it possible for copyright holders to contact users � to notify them of suspected behavior, demand redress, or seek settlement � without setting in motion the machinery of filing a federal lawsuit against them.

III. Privacy Concerns Raised by 512(h) Subpoenas

While 512(h) subpoenas are a valuable element of enforcement, they also raise real privacy concerns. The 512(h) process allows the disclosure of private information with few protections against abuse or misuse. The efforts of Verizon and Pacific Bell to challenge Section 512(h) subpoenas have been instrumental in raising these issues.

Subscriber privacy is a cornerstone of commerce and communications online. People reasonably expect that their activities online can be anonymous or pseudonymous when they visit health information sites, make political statements, visit chat rooms, or become online whistleblowers. Revealing the identity of a person online can mean revealing that person's health status or political beliefs, what they read online or whom they socialize with. For that reason our law has strongly protected subscriber identity - placing, for example, serious restrictions on when ISPs can be forced to turn that information over to the government.

512(h) allows a broad category of private parties to avail themselves of the awesome power of the federal courts to compel ISPs to divulge this private and sensitive piece of information. Among the privacy concerns raised by 512(h) are:

512(h) is unique in that it allows a broad category of private actors to obtain sensitive information from third parties, outside of the context of litigation. Private use of the courts in this way almost always takes place in the context of litigation or pending litigation, and under the supervision of a judge able to assess facts and to balance the interests at stake.

Many provisions exist for government access to information - but in the context of its executive powers, and in almost all cases with additional and constitutionally mandated privacy protections. For example, the Right to Financial Privacy Act allows the federal government to access financial records through an administrative subpoena process only if notice is given to consumers and no motion to quash is filed within the next fourteen days.[3] And both the Cable Communications Policy Act and the Video Privacy Protection Act require that notice be provided to consumers before a court issues any order requiring cable providers or video rental services to provide consumer information to the government.[4]

These concerns have formed the basis of ongoing legal challenges to 512(h). CDT is sympathetic to many of the Constitutional concerns raised in those lawsuits, but we also believe this issue is a classic instance of balancing interests and - consistent with Constitutional requirements - is ultimately best resolved by Congress.

IV. Protecting Privacy, Preserving Enforcement in the 512(h) Process

We believe that many of the privacy shortcomings of 512(h) can be remedied with relatively minor changes that do not impede - and may in fact promote - enforcement goals. Existing privacy laws suggest a number of legislative tools that could enhance privacy and due process without sacrificing 512(h) enforcement benefits. We highlight five areas for improvement, the first of which - notice - we believe is most essential, but which may not be sufficient alone.

All five of these approaches represent places where important protections for users can be introduced without burdening enforcement.

V. Conclusion

We believe enforcement of existing copyright law, with appropriate safeguards, is a sensible and necessary part of dealing with the problems posed by digital piracy. Enforcement is also preferable - if it can be made effective - to undertaking the difficult task of crafting new legislation on the issues of technology mandates. For this reason we think it is important that copyright holders have the information necessary for meaningful enforcement, subject to adequate safeguards.

At the same time, Section 512(h) raises serious privacy concerns for users, particularly as interpreted by the courts to date. We believe that with relatively minor additional safeguards, many of these privacy concerns can be addressed while preserving � and in some ways enhancing � legitimate enforcement efforts.

We commend the Chairman and members of this committee for raising awareness of the real privacy issues that are raised by Section 512(h) subpoenas. We look forward to working with this committee, the industry, and others in the public interest community to craft a more balanced approach to the 512(h) subpoena issue.

Notes

1. While there is some debate about the exact contours of illegal infringement in the context of copying music on a computer, it seems clear that the behavior of many file-traders today violates the law.

2. Nothing in 512(h) expressly precludes ISPs from giving their subscribers notice. However, from a user perspective, many ISPs do not give such notice, the cost for providing notice could be high in large numbers, and notice might not be given in a timely fashion - all making a notice requirement attractive.

3. 12 U.S.C. § 3405(2), 3407(2).

4. 47 U.S.C. § 551(h)(2); 18 U.S.C. § 2710(b)(3).

5. 8.01 Va.C. § 407(1).

6. Deferred notice - providing notice after identity has been released - might minimize impacts on enforcement but is a second-best solution for users who would have no opportunity to challenge a mistaken or wrongful subpoena. Alternatively, deferred notice could be granted under special circumstances after review by a judge.

7. Internet Communications Protection Act of 2003, Cal. AB 1143 (2003).