Technology & Law

The law follows the technology...

Topics

Copyrights

TAKING DOWN WEBSITES HOSTING INFRINGING CONTENT

First posted on spicyip.com on 30.05.2014
Last week, popular torrent tracking website torrentz[dot]eu was in news after the UK Police Intellectual Property Crime Unit (PIPCU) got the domain name suspended.  Surely, to the disappointment of the right holders, the site was back online the next day.  The site’s Polish registrar restored the domain name’s server (“DNS”) entries after Torrentz’ legal team pointed out that the suspension was unlawful.  This post analyzes the legal issues behind such actions and provides a contextual background for the same.  In conclusion, because domain names providers are accredited by the ICANN, the resolution of disputes is governed by the ICANN rules and procedure which are also applicable to India.

Late fall last year, there was a collaboration between City of London Police and the content owners to stop or at least thwart online piracy.  This collaboration resulted in multiple file-sharing sites shutting down as the domain name registrars simply suspended the domain names.  This process was challenged by EasyDNS, a DNS and domain name provider, by way of mandatory arbitration proceedings against the Public Domain Registry arguing that due process was not followed, and that the action of the UK Police directing the DNS registrar to suspend the registration of the site was in violation of ICANN Registration Accreditation Agreement (“RAA”).  

The grounds on which the UK Police had sent the notices to EasyDNS were (entire notice can be seen here):

“The owners of the aforementioned domains are suspected to be involved in the criminal distribution of copyrighted material either directly or indirectly and are liable to prosecution under UK law for the following offences:
Conspiracy to Defraud; Offences under the Fraud Act 2006; Copyright, Design & Patents Act 1988

Should a conviction be brought for the above offences, UK courts may impose sentences of imprisonment and/or fines. PIPCU has criminal and civil powers in UK law to seize money, belongings and any property in connection with these offences.”

(Emphasis added – After reading the grounds, I am wondering whether this is the UK police or take-your-pick local thana)

EasyDNS was requested to:

Suspension of the domain(s) is intended to prevent further crime. Where possible we request that domain suspension(s) are made within 48 hours of receipt of this Alert. In respect of the information provided by us, we respectfully ask you to consider your liability and the wider public interest should those services be allowed to continue.We reserve the right to refer the matter to overseas counterparts/governmental organisations, and/or to ICANN.  (Emphasis added).

The arbitration proceedings resulted in EasyDNS’ favour with the Arbitrator finding (complete order available here):

No court order has been issued which would prohibit the transfer of the domain names at issue from the Registrar of Record to the Gaining Registrar. Therefore, there is nothing in the Transfer Policy which authorizes the Registrar of Record to refuse to transfer the domain names.

Specifically, the Arbitrator noticed:

To permit a registrar of record to withhold the transfer of a domain based on the suspicion of a law enforcement agency, without the intervention of a judicial body, opens the possibility for abuse by agencies far less reputable than the City of London Police. Presumably, the provision in the Transfer Policy requiring a court order is based on the reasonable assumption that the intervention of a court and judicial decree ensures that the restriction on the transfer of a domain name has some basis of “due process” associated with it.

Conclusion:  The primary reason why the torrent site was back up again so quickly is that there was no proper approval for the take down.  Courts usually are circumspect when confronted with the issue to take down an entire site, when the site may contain both legal / non-legal content.  For torrent sites, one issue that will always be in their favour, is that they are mere conduits for the final content and cannot distinguish between legal and illegal content based on the link.  Judges however have been known to grant take down notices for entire sites, including torrent tracking sites, when it is shown that most of the site contains illegal content.

Accordingly, it is advisable for right holders to obtain proper court approval based on evidence that the “entire or almost the entire site is for hosting (or providing a feed to) unauthorized content” to take down websites.  The burden of this showing is on the right holder who must discharge it for the relief claimed.

DATA EXTRACTION: INTERSECTION OF COPYRIGHT AND INFORMATION TECHNOLOGY LAWS IN INDIA

First posted on spicyip.com on October 9, 2013

Web-Crawling.jpg 31.3 KB


The rise of the Internet has led to the creation of vast repository of data residing in across servers and domains.  This vast repository contains a large datasets that includes “publicly available information.”  This publicly available information includes – time sensitive information – news, financial information and data, reviews, auction information, and in multiple other categories. Because the information is public, and because current information technology tools that gave rise to the internet in the first place, it has become extremely convenient to extract as required – this publicly available information.

The process of automatic content extraction from publicly available servers is usually referred to as data extraction / scraping / harvesting.  The only cost to extract the data is the cost of the computer system and time required to program it to extract data.  Hence this content extraction at times becomes extremely lucrative to deal with data sets and their resale, usually for time sensitive information. Some data security service providers estimate that up to 40% of a websites traffic comprises data extractors.  The same data security service providers also suggest that websites actively try to stop data extraction because of the heavy toll it takes on their computational resources – Servers can be slowed down and bandwidth soaked up by the extractors scouring every webpage for data.

The data extraction process creates legal issues and concerns for both sides of this issue−those who want to extract data, and those who want to protect against extraction of data.  This post provides a basic background on the laws applicable in the case of data extraction in India, and provides an overview of remedies available to both the content creator and content extractor. 

Consider the following hypothetical scenarios except where indicated (images):  In all of these scenarios, freely available content could be taken from the site of a content provider, and then used for re-sale.  In the first scenario, freely available financial data is taken from a major content provider, and re-packaged for sale with a fee.  The second scenario involved an actual dispute between Craigslist and Padmapper – Padmapper created an interface that took data from Craigslist and then provided the same on its interface (see link).  The third scenario may involve getting data from various betting sites, and repacking it, and then selling to consumers.  The fourth (again an actual scenario) involved getting fare data from a travel website, and then re-selling it.

 
APPLICABLE LAWS:

Copyright laws: Copyright Act, 1957 Data extraction involves copying, and hence copyright laws are first ones that are analysed.  Under Section 2 (o) of the Copyright Act, 1957, defines data compilation (or a data set) as a “literary work”.  Section 14 of the Copyright Act, 1957 further grants several exclusive rights in favour of the copyright holder (content creator) as the first owner of such copyrighted works (the data compilation / data set) namely:  a. Right to reproduce data including storing it by any electronic means;  b. Make copies of data;  c.  Adapt data;  d.  Communicate data to the public; and e. Translation of data

Section 51 of the Copyright Act further provides that a copyright is “deemed to be infringed” if any of the above enumerated rights under Section 14 are contravened without the permission of the copyright holder in the course of trade.

However, there are two areas that should be ascertained before determining infringement.  Ownership, and no fair use exception.  It is only the copyright holder / content owner can raise a claim.  Hence in the case of a content aggregator – for various users, it is the users who own the copyright and not the content aggregator.  This scenario occurs for websites where users generate the content – and the website is merely organizing the display / formatting of the content.  Section 52 of the Copyright Act lists various exceptions to copyright and care should be taken that the content extracted has not been used under the purposes outlined for fair dealing.

Information Technology Act, 2002, as amended (“IT Act”):  Section 10A of the IT Act provides for Validity of contracts formed through electronic means – Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose.

Accordingly clickwrap, browsewrap and other means of contract formation on the internet are covered under this clause.  And most websites provide services to consumers under either of these means for contract formation.  For example, if a person has to accept the terms of service, by clicking “I Agree” or typing in “I Agree” – it is commonly known as a clickwrap agreement.  Under a browsewrap agreement, a user may continue to use / browse a content owners website and consent of the user to the terms of the website are implied because the user continues to browse the website.  In India, there are no judicial precedents involving a browsewrap or clickwrap agreement / contract.

Section 43 of the IT Act provides for a penalty in case a computer system is damages.  Section 43 also provides the relevant definitions to assess damage.  The parts relevant to data extraction are reproduced and highlighted below:

43. Penalty for damage to computer, computer system, etc.- If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,  (a) accesses or secures access to such computer, computer system or computer network; (b) downloads, copies or extracts any data, computer data base information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;  (c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; (d) damages or causes to be damaged and computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network; (e) disrupts or causes disruption of any computer, computer system or computer network; (f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;  (g, h)….

Explanation. For the purposes of this section: (i) “computer contaminant” means any set of computer instructions that are designed – (a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, compute system, or computer network; (ii) “computer database” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepare in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;  (iii) “computer virus” means any computer instruction, information, data or programme that destroys, damages, degrades adversely affects the performance of a computer resources or attaches itself to another itself to another computer resources and operates when a programme, date or instruction is executed or some other even takes place in that computer resource;  (iv) “damage” means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means.

Section 66 of the act provides a punishment for a term extending to three years, or a fine of Rupees Five Lacs, or both for the acts referred to in Section 43.  

In a case where data is extracted, there are, according to the provisions of Section 43, the following infractions:  (a) Accessing or securing access to:  computers, computer systems or computer networks; (b) Downloading from, copying or extracting data, data base information from computers, computer systems or computer networks;

However, what is problematic is clause (c) as in the absence of any guideline, an argument could be made that repeated access from a computer system to a content owners database / databases overloads the content owner’s database system and computer systems hosting that database.  This repeated access could be defined as a computer contaminant or computer virus.  In addition, if a content owner has to separately provision additional server space, or devote additional severs / resources to cater to the content extractor, then the content extractor could be considered to be a computer contaminant / virus as the actions of the content extractor degrade the performance of the servers of the content owner.

There are no precedents under the Indian Information Technology Act that provide guidance as what constitutes permissible data extraction.  Hence terms of use of a website should be followed / adopted before attempting data extraction.  And in the case of doubt, prior permission from a content owner should be taken before extracting data.

It is expected that once Indian Courts are seized of such a matter involving data extraction, they may issue certain guideposts that help in determining whether servers are overburdened, or whether performance of content server is degraded.  In issuing such guideposts, Courts may consider what other jurisdictions are doing.  For example, the United States under the Computer Fraud and Abuse Act, provides a minimum amount of damages of at least $ Five thousand ($5,000) over a one-year period.  18 U.S.C. §1030(a)(4).

A technological measure to thwart would be data extractors could be to alter the Robots file disallowing automated bots to crawl the content owners website.  Another could be to use the CAPTCHA technology to distinguish between individual access and bot based access for data extraction.

recaptcha-example.gif 10.4 KB

PART II: IS DECOMPILATION OF SOFTWARE LEGAL UNDER THE INDIAN COPYRIGHT ACT

First posted on spicyip.com on 26.01.2013

The previous post discussed the development of the US and European laws as applicable to reverse engineering.  This post compares the Indian provisions with the European and US counterpart legislation.  

One important aspect is the growing number of application developers in India for the Android, iOS, Blackberry, Windows platforms.    Usually application developers do not start development of applications from scratch.  A mish-mash of existing and new code is used.  For example, all four of the platforms discussed above provide tutorials and common libraries for their platform.  Developers then add to the existing libraries and build their unique applications.  However, developers also like to see, if possible, existing  best selling applications and their code, and apply the teachings of the best selling applications to their application development.  A recent study by Flurry analytics showed  that India is a major adopter of the new platforms and there are quite a large number of application developers in India.   


INDIAN LAW in view of US / European provision:
Section 52 of the Indian Copyright Act follows the European Directive (or more appropriately, the development of the European directive before its formal adoption).  Certain provisions are verbatim to the Directive, while there is marked difference in some.  The provision relevant to reverse engineering are highlighted below and compared with the Articles in the directive / and US law:

52. Certain acts not to be infringement of copyright. (1) The following acts shall not constitute an infringement of copyright, namely:
…"(ab) the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes by a lawful possessor of a computer programme provided that such information is not otherwise readily available;
(ac) the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied; 
  
image.png 81.2 KB

image.png 65.5 KB
Based upon the above comparison between EU, US and Indian laws, the following conclusion may be drawn:  Indian law is much broader than counterpart EU legislation and allows for reverse engineering (both black box and active decompilation) without major restrictions on the reasons for decompilation.  The actual implementation / interpretation by courts remains to be seen.



PART I: IS DECOMPILATION OF SOFTWARE LEGAL UNDER THE INDIAN COPYRIGHT ACT

First posted on spicyip.com on 26.01.2013

In discussions with a few of my colleagues in software development related to mobile applications for Android, Windows, and iOS platforms, a question arose whether studying an existing application (already developed and available for a device) and using the existing application as a study tool is legal under the Indian Copyright Act?  At first glance the relevant provision (Section 52) under the Indian Copyright Act prescribes that studying software is legal.   

However, there are many practical issues that come up while analyzing the statute: As developers know, one cannot study software without first decompiling it.  Decompilation, ‘inter-operability’, are words that are not defined in the Act.  Decompilation may be equated to reverse engineering of a product – whether software or hardware.

This post analyzes Section 52 of the statute and in particular sub-sections 52(ab) and (ac), and find whether reverse engineering / decompilation of software applications is legal.  The answer to the question is not exactly clear – For Indian, maybe it is  – given  the way in which other jurisdictions have applied the similar statutes.  This post is divided into two parts.  Part I deals with the background information as relates to the development of decompilation / reverse engineering laws in US and Europe. Part II deals with the application of these laws to the Indian context.  Long post follows.

Because European law on copyright protection of computer programs is based on the counterpart American experience, American jurisprudence is discussed first.

REVERSE ENGINEERING IN US:
Under American law, until recently, there were no explicit provisions about decompilation or reverse engineering. The basic copyright law, that has been amended from time-to-time just provides fair use exceptions and courts are left free to interpret fair use.

In 2010, the Library of Congress with the US Register of Copyrights, provided six additional classes, that would not be considered infringement. See link.  Relevant to the issue of reverse engineering are the classes:
“..(2) Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.
…Emphasis added.

Case law sets out guidelines about reverse engineering.  And it was under the provisions of section 107 (fair use) that reverse engineering was addressed.

The first case to be taken up by US Courts on the issue of reverse engineering was: Sega Enterprises Ltd. v. Accolade, Inc.: In Sega, Sega manufactured a video game console under a brand name Genesis.  The console contained a lock-out device (microchip) which looked for a particular code sequence in a game cartridge. This code sequence was provided only on Sega manufactured cartridges and no other.  Cartridges manufactured by other manufacturer did not have this code sequence, and could not function with the Sega console.
Accolado, a game maker, also provided games on cartridges.  To be able to use a game cartridge from Accolado with the Genesis console, Accolade disassembled the Genesis console and found the chip containing the code reader, and found out the specific code sequence which Sega put in their cartridges.  This made it possible for Accolade to manufacture cartridges compatible with the Genesis console.  During the process of reverse engineering Accolado made several copies of Sega’s micro code and thereby infringing Sega’s copyright.

Sega suited for this infringement of their copyright to the specific microcode system and Accolado claimed fair use.  The District court in the Northern District of California found for Sega, that an infringement had taken place and it “could not be seen as a fair use because of the commercial nature of the reverse engineering.”  The Court of Appeal found otherwise and reversed the district court.  Decompilation was an infringement of Sega’s copyright but was found to be fair use. The court stated that if “disassembly provides the only means of access to those elements of the code not protected by copyright and the copier has a legitimate reason for seeking such access” is a fair use of the copyrighted work.

The court stated that reverse engineering is a fair use if the purpose is to achieve compatibilitybetween an original (i.e. not copied from another) computer program, and a device for using this program.

The second case taken up by US Courts about reverse engineering also involved video game consoles, and was Atari Games corp. v. Nintendo of America, Inc.  In Atari, the consoles were manufactured by Nintendo.  However, Nintendo also had a patent on the security lock-out device.
Atari had tried to reverse engineer the microchip but failed.  However, Atari obtained the information related to the microchip from the US Copyright Office (Library of Congress), claiming they needed this information in a litigation with Nintendo.

Atari thereafter created a program that emulated the Nintendo lock-out microchip, and this made it possible for Atari’s game cartridges to be used on Nintendo consoles.  The district court specifically ruled that Atari had, when creating the compatible program used more than necessary to get compatibility.
Nintendo filed for copyright and patent infringement and was successful at the district court − Atari’s claim for fair use was not accepted.  The Court of Appeal for the Federal Circuit (CAFC) came to the same conclusion and ruled, “reverse engineering was fair use only when the original product had been purchased legally.”  Getting the information from the US Copyright Office on false grounds destroyed any possibility for Atari to successfully claim fair use.  However, before these questions were tested the case was settled.

This case showed that copying a program to understand and copy unprotected underlying ideas would have been probably been alright if Atari had achieved information legally.

In a third case, in Vault Corp. v. Quaid Software Ltd., the court decided that a Louisiana Software License Enforcement Act clause permitting a copyright holder to prohibit software decompilation or disassembly was preempted by the Copyright Act, and was therefore unenforceable.


REVERSE ENGINEERING IN Europe:

In EU copyright protection of computer programs is an outcome of computer program Directive.  See link.

The concept of reverse engineering was not unique to EU law. Before it, Art. 15 of the EC semiconductor chip protection Directive permitted reverse engineering of the layout of a semiconductor microchip.  This semiconductor related directive was similar to that of the US Semiconductor Chip Act of 1980 where provisions relating to decompilation were explicitly provided.

The computer programs Directive (hereafter Directive) contains two different provisions relating access to interface information. Article 5(3) deals with reverse analysis techniques other than decompilation, (also known as black box method).  Article 6 deals with decompilation methods themselves. 

Black Box Method (or passive monitoring method):
An engineer starting to develop a product with a particular standard may start work from published documentation about the interface information with that standard.  Usually because source code is not published, and available documentation is often incomplete or out dated, it is necessary to conduct reverse analysis to ascertain the interface information required to provide an interoperable product.

Generally, this information may be learned from “black box” reverse engineering  techniques. These techniques merely involve monitoring the activity of an existing product and are passive in nature – i.e. there is no active monitoring of do not involve translation of the analyzed program’s object code into the original source code.  Examples of information that may be obtained through black box techniques are test runs, line traces, storage data dumps and screen rendering.

Article 5(3) of the Directive provides
3. The person having a right to use a copy of a computer program shall be entitled, without the authorisation of the right­holder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do.  Emphasis added.

There are multiple aspects to this article in the Directive: First the person invoking the Article must have a right to use a copy of a computer program.  Hence this is the first hurdle that is passed by legitimate software licensees or owners (no pirates please).

Most developers who intend to develop interoperable products would be licensed users of the original product for which the new product is being developed.  As an example, consider various tools created by different third party developers for Adobe™ Photoshop™ software.   All such developers are usually licensed users for the Photoshop™ software.  Hence it is permissible for them to analyze a copy legitimately.

Second, Article 5(3) permits a developer to observe study or test the functioning of the program.  This is what a developer does when conducting black box analysis.

Third and most importantly, Article 5(3) permits the developer to determine the “ideas and principles” underlying any element of the computer program. This includes determining interface specifications which being the rules and methods by which a program interacts with other products, constitutes “ideas and principles”.

Fourth, Article 5(3) permits the developer to observe, study and test the functioning of the program while “loading, displaying, running, transmitting or storing” the program.

Finally, Article 5(3) provides that for the analysis to be allowed, one must be “entitled to do” the underlying operation involved.  Accordingly, this is tied to the first part in the article, and is a second tier protection against use of this article illegitimately to expand permitted use of a program.

Decompilation:

In some cases techniques permitted by Article 5(3) do not yield enough interface information required. It then becomes necessary to decompile a program –i.e. active monitoring is required.  Article 6 of computer program Directive provides the required freedom for decompilation.


Article 6 of the Directive:
Decompilation
1. The authorisation of the rightholder shall not be required where reproduction of the code and translation of its form within the meaning of points (a) and (b) of Article 4(1) are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs, provided that the following conditions are met:
(a) those acts are performed by the licensee or by another person having a right to use a copy of a program, or on their behalf by a person authorised to do so;
(b) the information necessary to achieve interoperability has not previously been readily available to the persons referred to in point (a); and
(c) those acts are confined to the parts of the original program which are necessary in order to achieve interoperability.
2. The provisions of paragraph 1 shall not permit the information obtained through its application:
(a) to be used for goals other than to achieve the interoper­ability of the independently created computer program;
(b) to be given to others, except when necessary for the inter­operability of the independently created computer program; or
(c) to be used for the development, production or marketing of a computer program substantially similar in its expression, or for any other act which infringes copyright.

From Article 6, it seems that decompilation of a program may not be done solely to research its underlying ideas unrelated to interoperability and then implement those ideas in a program that competes with the decompiled program.

The word indispensable has been used in Article 6.  This word suggests that it is not a mere wish but rather is required (grammatical construct: Air is required for breathing).

In practice, because decompilation requires great sophistication, time and expense and will not be conducted lightly: accordingly if a developer decompiles software then the reasons for decompilation would play a great role, most probably in the developer’s favor.  This then becomes an economic standard for indispensability.  * Hence the usage of reports, and the initial pilot study to confirm data theft – are economically justified and decompilation is indispensable.

Under Article 6(a), the act of decompilation is done by a legitimate user.  Compare this provision to the Ataricase discussed above – where Atari lost on both grounds and fair use exception under US law was not available to it.


Under Article 6(b), necessary interface information must not have been previously been readily available to the developer.  This provision should be interpreted according to the the economic hardship theory – i.e. economically justified and indispensable.


Under Article 6(c), decompilation must be confined to the parts of a program that are necessary to ensure interoperability.   This seems to be a grey area: it is not entirely clear how only a specific part of a program can be decompiled, leaving the rest untouched.  In software, either a program is decompiled or not – there are no mid-level choices available. In addition, software code is not written as a text book that has a page number to start and end with.  Software is written in parts – where one part may invoke another and vice-versa.


Article 6, paragraph 2 limits the scope of Article 6 – and accordingly limits what may be done with the decompilation.  The limitation is with regard to interoperability : information gained through decompilation may be used only to achieve the interoperability of the independently created program.


Article 5(3) therefore, is very different from Article 6, and has no such restriction.
Article 6, paragraph (2)(c) provides that information obtained through decompilation may not be used for the development production or marketing of a computer program substantially similar in its expression, or for any other act which infringes copyright. * Here it may be argued that an employee is restricted from decompiling a program created for his employer’s purpose, AND cannot use a decompiled program to create a competing program as that of his employer.