Breaking the Lock: A Proposed ‘Bug Hunt’ Exception for TPMs

Wed, 04 Dec 2019

Introduction

In 2012, Parliament amended the Copyright Act and updated it to address the realities of the new internet environment and new technologies. Among the changes was the introduction of technological protection measures (TPMs), sometimes known as digital rights management (DRMs). The Act defines TPMs as “any effective technology, device or component that, in the ordinary course of its operation… controls access…or…restricts access.”[1] In some instances, TPMs may be a copyright-protected work itself – a computer program, which is the focus of this post. I argue that the Act’s narrow exceptions for TPM circumvention are detrimental for both privacy and copyright and propose a new “bug hunt” exception.

The Act’s TPM Exceptions

The Act recognizes exceptions for circumventing TPMs:

(1) to permit law enforcement to circumvent TPMs if related to the “enforcement of any Act of Parliament.”[2] This carves out a wide scope for the state in the context of criminal investigations to access information on electronic devices, such as phones or computers, and also raises significant privacy concerns.[3]

(2) to permit the interoperability of computer programs, where the user has a licence.[4]

(3) to allow for encryption research, where the copyright owner has consented.[5]

(4) to prevent the collection or dissemination of personal information.[6]

(5) to allow for security testing on a computer or a network, where the hardware owner has provided consent.[7]

The last three exceptions discuss the importance of research, privacy, and security but offer imperfect protections for parties who wish to research security matters without the owner’s consent.

Hacking & Bug Bounties

Despite the bad publicity surrounding hacking, it is not always a cloak and dagger endeavour done for personal gain or out of malice. Some hackers (called white hat hackers) engage in security testing, often unbeknownst to the developers they test, and notify organizations of security flaws that they identify. Technology organizations like Google and Facebook, and even the Pentagon, recognize the valuable work that white hat hackers do and reward them through bug bounties.[8] A bug bounty is a cash bounty awarded to individuals who bypass TPMs or DRMs and alert organizations of their security flaws – effectively crowdsourcing security testing. In addition to cash, hackers receive notoriety in the community and sometimes recognition by the organizations they test. Many organizations benefit from white hat hackers, who may have the consent of the organizations they hack; however, not all organizations may offer their consent. White hat hackers may be discouraged from hacking these organizations or alerting them of security flaws because they fear legal reprisal.

The Bug Hunt Exception

The existing TPM specific exceptions are of little use to white hat hackers who hack without authorization. Unauthorized hacks may be more advantageous than authorized ones; a thief rarely tells their victims that they will steal from them in advance. A bug hunt exception would mitigate some of the uneasiness that white hat hackers may have with hacking organizations and protect them from liability. Reliance on broad defences of fair dealing and public interest may produce uncertain results. An Ontario court perplexingly found that circumventing a TPM (a paywall) to rectify factual errors in a news article and sharing it did not fall within an education fair dealing exception. Conversely, the Federal Court found that a similar scenario would fall within the research exception.[9] Bug hunting, at its core, is about rectifying factual issues – faulty computer code. A bug hunt exception would also accord with the Act’s other exceptions for TPM circumvention with research, privacy, and security. Of course, a necessary precondition for immunity would be the hacker’s lack of criminal intent to abuse or withhold security vulnerabilities.

Conclusion

A bug hunt exception for hacking TPMs is advantageous for everyone. From a copyright perspective, it alerts owners to vulnerabilities in their program and gives them a chance to improve their work without consequence. For users, it improves the end product that they licence from programmers. In a privacy sense, bug hunts improve privacy because they create an option for white hat hackers to inform owners of security flaws before they are taken advantage of by hackers with more nefarious intent (black hat hackers). One can wonder whether the Equifax breach, and others like it, could have been avoided if there was a bug bounty program (like it has now) or a bug hunt exception that insulated and incentivized white hat hackers to come forward with security flaws.[10]

Written by Christopher Tsuji, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2019/2020 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

[1] Copyright Act, RSC 1985, c C-42, s.41 [Act].  

[2] Ibid, s.41.11.  

[3] See general evidentiary rules of admissibility concerning seized and accessed cell phones during criminal investigations with R. v. Artis, 2016 ONSC 2050; R v. Marakah, 2017 SCC 59. See also jurisprudence surrounding s.8 of the Charter, unreasonable search and seizure.  

[4] Act, supra note 1 s.41.12.  

[5] Ibid s.41.13.  

[6] Ibid s.41.14.  

[7] Ibid s.41.15.  

[8] See Google “Google Vulnerability Reward Program Rules” online at: https://www.google.com/about/appsecurity/reward-program/; see also Facebook “Facebook White Hat Information” online at: https://www.facebook.com/whitehat; see also the Department of Defense “Department of Defense Expands ‘Hack the Pentagon ‘ Crowdsourced Digital Defence Program” published October 24 2018, online at: https://www.defense.gov/Newsroom/Releases/Release/Article/1671231/department-of-defense-expands-hack-the-pentagon-crowdsourced-digital-defense-pr/  

[9] Compare the unsuccessful facts of fair dealing in 1395804 Ontario Limited (Blacklock’s Reporter) v Canadian Vintners Association, 2015 CanLII 65885 (ON SCSM) with the successful facts of 1395804 Ontario Ltd. (Blacklock's Reporter) v. Canada (Attorney General), [2017] 2 FCR 256, 2016 FC 1255 (CanLII).  

[10] See Braga, Matthew “100,000 Canadian Victims: What We Know About the Equifax Breach – and What We Don’t” CBC News, published September 19, 2017 online at: https://www.cbc.ca/news/technology/equifax-canada-breach-sin-cybersecurity-what-we-know-1.4297532 and HackerOne, “Equifax Vulnerability Disclosure Program Policy” published July 9, 2019 online at: https://hackerone.com/equifax/  

Authors’ Groups File Complaint Against Google For Mass Copyright Infringement

Mon, 03 Oct 2011

Mekhala Chaubal is a JD candidate at Osgoode Hall Law School.

The dust over Google’s 6-year long litigation with the Authors Guild has not even begun to settle, when already the next copyright infringement dispute between the two parties seems to be looming. For more information regarding the now-infamous Google Books Lawsuit, see the article by fellow IPilogue Editor, Matt Lonsdale,

The latest complaint was filed on September 12, 2011, by a combination of organizations and individuals, all of whom have the common interest of protecting authors’ copyright over their works. The document alleges, in no uncertain terms, that Google has been involved (with the help of HathiTrust and by partnering with certain educational institutions) in the “systematic, concerted, widespread and unauthorized reproduction and distribution of millions of copyrighted books and other works,” and that this infringement quite clearly goes against sections 106, 107 and 108 of the US Copyright Act. The plaintiffs are the , , and (UNEQ), while the individual authors include Pat Cummings, André Roy and James Shapiro, among others. The defendants, on the other hand, are all organizations: HathiTrust (a digital library and preservation database), Google Inc. and the libraries of the Universities of Michigan, California, Wisconsin, Indiana, and Cornell University.

The major issues outlined in the complaint are centred around Google and the universities’ disregard for authorship rights of writers whose names are attached with their works, as well as for the purported “orphans” of global literature, i.e. “copyrighted works whose authors may be impossible to identify and locate,” as per provided by the . Google’s main partner in this (alleged) digital thievery, HathiTrust, provides the infrastructure for the storage and preservation of works once they have been copied into bytes. The works themselves are provided to Google through a “cooperative” agreement with the university libraries, and the actual physical process of digitization is conducted by Google, with its own software and tools. Because of the nature of these agreements, the plaintiffs state that every work is ultimately made into 12 separate copies, with the various defendants keeping these for their own use— whether for commercial or non-profit. The plaintiffs also mention that in no case do either Google or the other defendants seek permission for the reproduction of authors’ works, even when the materials in question are written by well-known and much-awarded authors.

As a defence, the defendants allege that the reproductions are for the public good, namely for the “tremendous societal value provided by [the] nation’s libraries and archives in preserving and securing works of art, literature and science.” The defendants are pointing to the “library exemption” provision under of the US Copyright Act that allows for the selected reproduction of materials by libraries, in order to ensure greater public access. However, the plaintiffs then point to , which specifically prevents almost all of the activity that the defendants have been carrying out, namely, the justified reproduction and preservation of documents, without any direct or indirect commercial advantage. While HathiTrust says that it is a medium for storage and access alone, the degrees of access are controlled by the HathiTrust Rights Database, which may very well charge a fee to the public or even release “full” versions of the works for free.

Additionally, the creation of the HathiTrust Orphan Works Project, a plan devised to weed out “authorless” works, has the plaintiffs up in arms. The Project has been formulated to find out if works without identified authors are available for commercial use, by determining the nature of their copyright. Interestingly, the “multistep due diligence process” is devised and carried out by HathiTrust itself, which tries to contact an author (if such a person is found) and, failing that, lists a work on its website to be claimed within 90 days of posting. After this time, the work is deemed freely accessible to the public in full and may be eligible for future commercial copyright by Google.

On reading the complaint, the reasons for the plaintiffs’ wrath become quite clear. As the document mentions, Google’s actions seem intent on dismissing the authors’ rights by involving educational institutions in what is fast becoming one of the biggest copyright infringement actions in history. Additionally, Google’s hasty scheme to digitize as much as possible, as fast as possible, leads one to think that the universities themselves have not placed much thought into the Project. The University of Michigan’s due to errors in the “pilot process” shows that the educational institution may have been carried away by the venture.

The Authors Guild website has enlisted the help of millions of readers worldwide to .” Considering this endeavour is only a couple of weeks old, the remarkable success rate shows the public’s desire to keep information open, but not at the cost of authors. shows Google’s unwillingness to compromise, but it seems that the universities involved are attempting to work out a legal solution to the issue.

Barry Sookman and Dan Glover also talk about , where fair dealing and lending without reproduction exist, but within reasonable limits. This is a special responsibility for universities, which provide access to information to millions of readers worldwide. Educational institutions are already both the sources and the propagators of original thought and creativity, as well as media for dissemination of knowledge to the public.  Academics themselves might be subject to unauthorized reproduction if the HathiTrust projects are allowed to go on. The mass release of scholarship to the general public through private parties could affect the quality of education offered in institutions of higher learning, with the universities ultimately having no one but themselves to blame for going googly-eyed over Google’s ceaseless .

IP Colloquium Podcast asks: Can Content Survive Online?

Fri, 30 Oct 2009

Stuart Freen is a JD candidate at Osgoode Hall Law School.

Good news for IP lovers who want to get their fix of policy debate at the gym or in the car: The Intellectual Property Colloquium podcast is for you. Based out of UCLA, the monthly downloadable program is hosted by law professor Doug Lichtman and has been broadcasting for a little over a year. Every month the program assembles a panel of guests for an hour-long talk-radio style conversation. This month’s episode features a lively talk between Brad Smith (General Counsel, Microsoft), Scott Martin (Executive VP, Paramount Pictures) and Dan Cooper (VP of Business and Legal Affairs, Myspace) and asks one of the most important questions in IP today: Can content survive online?

The conversation touches on many of the hot-button issues in tech and entertainment law, including Google books, Hulu, digital rights management, and targeted advertising. Despite their big-business connections the guests talk frankly about the challenges created by the internet and are not shy of discussing their industries’ failings.

Regarding Google books, the panel is fairly unanimous: On the one hand, what Google is trying to do in its effort to digitize a vast library of books and host them online is undoubtedly in the public interest and there is a huge demand for it. However, the guests agree that Google was downright arrogant in the way they went about it. A class action lawsuit, they argue, was not the right vehicle for negotiating what is really a forward-reaching publishing agreement. Furthermore, the settlement puts the onus on authors to opt out of the system, something which might be unfair in many cases.

The conversation then turns to business models for content. Professor Lichtman starts out by criticizing the Hulu model. With Hulu, TV networks have captured a huge share of the streaming television market, which was previously dominated by pirate websites, by offering essentially the same service at a higher quality with a few very short ads. In some circles Hulu has been heralded as a success, yet at what cost? The site gets millions of visitors but provides almost no revenue to the television networks. Lichtman asks whether this is really a viable business model moving forward that will support the creation of high quality new shows. The panel mostly agrees that Hulu is not sustainable, with Scott Martin noting that the real casualties of the YouTube revolution will be independent films that rely on DVD sales and can’t afford to enforce their intellectual property rights.

The program ends off discussing targeted advertising and DRM. Lichtman asks the panel what the problem is with getting users to accept these technologies, suggesting that it is not so much a legal problem as it is cultural. Tellingly, the panel responds that DRM has not been abandoned but will be employed in different ways. Says Scott Martin: “It’s all about transparency and disclosure. The way you screw yourself [as a content provider] is when the consumer buys a copy they think they’re going to have forever and two weeks later it’s locked up.” Brad Smith agrees, saying it’s too soon to give up on DRM just because it has failed so far.

The program brings up a number of interesting points and is worth a download if you’re into podcasts. It plays like a CBC radio or NPR talk show and the speakers are all very engaging. Ultimately they raise more questions than answers, but it’s likely that they’re the right questions.
