Monday, 22 February 2010

World, get ready for the DMCA: ACTA's Internet chapter leaks

The oddest thing about the Anti-Counterfeiting Trade Agreement (ACTA) secrecy is that, whenever we see leaked drafts of the text, there's nothing particularly "secret" about them. That was also the case with this weekend's leak of the "Internet enforcement" section of the ACTA draft; as we've noted in the past, ACTA appears to be a measure to extend the US Digital Millennium Copyright Act (DMCA) to the rest of the world, and that's exactly what the Internet section tries to do.

IDG News saw the draft text of the Internet section last week, but the actual document has now leaked. Titled "Enforcement procedures in the digital environment," the brief document quickly hits the high points: Internet filtering (not allowed to be a requirement), "three strikes" policies (encouraged but not mandatory), takedown procedures (required), and ISP safe harbors (also required).

If the bill sounds much like existing American law, it should; the US delegation drafted the Internet section of ACTA, and the entire document is being negotiated as an executive agreement, meaning that it can be adopted without Congressional consent but may not alter US law. Thus, unsurprisingly, the leaked document takes the DMCA worldwide.

ISP immunity
In the ACTA draft, ISPs are protected from copyright lawsuits so long as they have no direct responsibility for infringement. If infringement merely happens over their networks, the infringers are responsible but the ISPs are not. This provision mirrors existing US and European law.

Two key points need to be made here, however. First, the entire ISP safe harbor is conditioned on the ISP "adopting and reasonably implementing a policy to address the unauthorized storage or transmission of materials protected by copyright." A footnote provides a single example of such a policy: "providing for termination in appropriate circumstances of subscriptions and accounts in the service provider's system or network of repeat infringers." In other words, some variation of "three strikes."

Note that this is already US law. The DMCA grants safe harbor to an ISP only if it has "a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider's system or network who are repeat infringers." Yet no major ISP in the US has adopted a France-like "three strikes" system en masse. One reason for this is the vagueness of the statue: what are "appropriate circumstances"? How many times must someone "repeat" before this provision applies? And can an ISP know for certain that someone is an "infringer" without a court ruling?

The ACTA draft also makes clear that governments cannot mandate Internet filtering, even in the pursuit of these "repeat infringers."

Secondly, the ISP immunity is conditioned on the existence of "takedown" process. In the US, this is the famous "DMCA takedown" dance that starts with a letter from a rightsholder. Once received, an ISP or Web storage site (think YouTube) must take down the content listed in order to maintain its immunity, but may repost it if the uploader responds with a "counter-notification" asserting that no infringement has taken place. After this, if the rightsholder wants to pursue the matter, it can take the uploader to court.

Hello, DRM
While the ACTA draft would adopt the best part of the DMCA (copyright "safe harbors"), it would also adopt the worst: making it illegal to bypass DRM locks, even when the intended use is a legal one.

ACTA would ban "the unauthorized circumvention of an effective technological measure that controls access to a protected work, performance, or phonogram." It also bans circumvention devices, even those with a "limited commercially significant purpose." Countries can set limits to the ban, but only insofar as they do not "impair the adequacy of legal protection of those measures." This is ambiguous, but allowing circumvention in cases where the use is far would appear to be outlawed.

And that's pretty much the extent of the Internet section. For Americans, there's not much new here, though that's not at all true in other countries. Canadian law professor Michael Geist notes that the current draft would mean big changes for Canada. To take one example, Canada currently has no "takedown" law. Rather than "notice-and-takedown," many ISPs rely on "notice-and-notice"—they pass notices along to the subscriber in question, but take no other action. But even this is not currently required by law.

"There is currently an informal agreement to use notice-and-notice," Geist writes, "which has proven effective (the Entertainment Software Association of Canada told the Liberal copyright roundtable earlier this month that 71 percent of subscribers who receive a notice do not repost the content within a week). ACTA would trump domestic law and the current Canadian business practice." The ban on DRM circumvention would also be new, and it goes further than existing international treaties.

In places like Europe, there's also huge concern about how these American-pushed policies would interact with existing privacy law. Just today, European Data Protection Supervisor Peter Hustinx issued an extraordinary opinion (PDF) in which he "regrets that he was not consulted by the European Commission on the content" of ACTA.

He goes on to say that Internet disconnections are "disproportionate" and "highly invasive in the individuals' private sphere. They entail the generalised monitoring of Internet users' activities, including perfectly lawful ones. They affect millions of law-abiding Internet users, including many children and adolescents. They are carried out by private parties, not by law enforcement authorities."

Given that the ACTA Internet draft—one of the most speculated-about bits of the treaty—simply reflects existing US law, what possible motivation could there be for keeping it "secret" for so long? As the responses above suggest, it may just be because forcing US law on the rest of the world isn't universally popular.