
David Snead


About David Snead

David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance.

A long-time WHIR contributor, David Snead is the Web hosting business's best-known legal expert. Through his WHIR blog, he offers a credible legal perspective on both specific actions in the Web hosting business and general developments in legislation.


Here are my most recent posts

WorldHostingDays / MegaUpload clarification

At WorldHostingDays I presented a statistic about the percentage of revenues MegaUpload represented to Carpathia Hosting. Although my sources were credible and corroborated, after further investigation, I believe that statistic to be wrong.

I’d received this statistic from a European host I believed had good information on the number and I’d also vetted it with another industry insider who believed it to be relatively accurate. Carpathia strongly disputes the statistic. To ensure that I’m providing accurate information, and out of respect for Carpathia, I chatted with Phil Shih at Structure Research, a person I trust as a source of unbiased information. Phil did some back of the envelope calculations based on publicly available information. His conclusion: there’s no way that MegaUpload represented nearly the percentage revenue I’d been led to believe. Rather, if anything, it is in the single digits.

Big Data – Privacy Threat or Business Model

A panel of privacy experts, and one brave soul representing “big data,” talked at South-by-Southwest about policy issues involved in the collection, processing and use of the massive amounts of data corporations are collecting. The initial issue, like many privacy debates, was about whether there was legally cognizable “harm,” or any harm whatsoever. Further, is there any need to add regulation on top of what is already present with the FTC’s ability to regulate unfair and deceptive trade practices?

Berin Szoka from TechFreedom said that setting the bar at whether consumers “knew” of a use of data in a particular manner sets the bar very low. Indeed, it forces consumers to act in a way that we don’t require them to act now: you’re not required to understand how your car works, so why should you be required to know how a company is using data about you? Lillie Coney from EPIC pushed this analogy further and pointed out that regulation of automobiles didn’t occur until sometime after they came into common use, in reaction to harms that consumers couldn’t reasonably anticipate, or be expected to understand.

So is Gmail a good example of where “big data” is going? Gmail applies a relatively dumb artificial intelligence application to “read” email. While time has proven that this application has been used responsibly, it’s not hard to imagine future applications that are “smarter” that will begin to process data in ways that will violate privacy norms. Current privacy norms were created in the analog age and have been amended in a patchwork manner to try to address the digital age. However, their complexity has made it almost impossible for consumers to understand them, and difficult for companies to apply them to their new products.

The tension over privacy and data collection has gone on for at least a century. Indeed, Justice Brandeis in 1890 wrote in the Harvard Law Review that photography and journalism possibly infringed on a right to privacy. This article now appears dated and quaint. So, will the debate about the processing of personal data and privacy be seen as quaint in 112 years? Stanley from the ACLU said that that would not be the case: what the Brandeis law review illustrates is that it’s important to uphold well understood societal norms when technology challenges them.

SOPA Media Coverage Dissected

The first panel I attended during the interactive event at South-by-Southwest discussed media coverage of SOPA / PIPA. This topic is near and dear to my heart because of the allegations from Big IP that SOPA and PIPA were derailed not because they were a bad idea, but because of a vast conspiracy within the media that presented only the “anti” side of the argument.

As an initial matter, the audience was decidedly “anti” SOPA / PIPA: only one person out of thirty raised their hand as a supporter of the legislation. Oddly, from the perspective of someone who followed this legislation for a significant period of time, each of the panelists commented that their publications only started following the issue in mid-October, late November. Stacey Higginbotham attributed the uptick in coverage to efforts from EFF and Reddit, as well as Congressional hearings in which members of Congress made statements like, “I don’t understand how the Internet works.”

Kim Hart from Politico talked about how the MPAA, RIAA and other pro-SOPA organizations wouldn’t return Politico’s phone calls, or issued traditional “Washington” statements. This is different from the tech community, who would return phone calls, understood the bill and could speak cogently and specifically to a reporter’s questions. Brian Stelter from the New York Times wondered whether the initial lack of coverage stemmed from the fact that most content sponsored legislation always passed, so reporting on the issue was not news. Interestingly, Stelter referred to the internet blackouts as “manipulation” of the internet audience.

Hart looks at the fight as a “coming out” of sorts for the start-up tech industry in Washington. Stacey Higginbotham from GigaOm disagreed with this statement, opining that the start-up tech industry really doesn’t want much attention from Washington.

There was substantial discussion about whether it was ethical for publications like GigaOm to actually advocate for, or against, legislation. Higginbotham stated that she remains thoughtful about the subject, and while GigaOm is not an advocacy organization, it has a different place in the journalism ecosystem as a blog so advocacy is not as troubling. This was contrasted with the New York Times, which did not advocate in print, but did advocate at the corporate level.

The SOPA debates may have changed the way organizations advocate in Washington. Hart said that members of Congress may now be tiptoeing around tech issues for fear of being “SOPA’d.” Beyond that, the advocacy shows the effectiveness of non-traditional technology, for example online bill drafting, in influencing policy. Hart says that while the jury is still out about whether the SOPA debate changed lobbying, the culture in Washington is so difficult to change, one shouldn’t necessarily assume that the game has changed.

Where to Next? Congress and Hosting

While it’s premature to say that SOPA and PIPA are officially dead, it appears that the writing is on the wall for these noxious bills. That does not mean, however, that there is nothing to be worried about. Indeed, the failure of SOPA and PIPA has led some pundits to speculate that BigIP will “double down” on its legislative strategy. Beyond the copyright wars, there are two legislative developments that hosts need to be aware of.

ACTA

All eyes are now on the Anti-Counterfeiting Trade Agreement, or ACTA. This controversial treaty has been around since 2006, when the U.S. and Japan began to collaborate on it. While I will discuss the text of ACTA in a subsequent post, there are a number of problems with this treaty. The first is that it is, in essence, “policy laundering.” Policy laundering, similar to money laundering, is the attempt to enact policies that may be difficult to enact in one area by funneling them through other forums. In this case, the policies are intellectual property protections that rights holders have been unable to secure in the legislatures of most industrialized nations.

Along these lines, the Obama administration has stated that ACTA may be brought into force in the U.S. not as a treaty, but as an executive agreement.  In doing so, ACTA may be made law without the approval of the Senate, which is required for treaties. The concern seems to be that because COICA, SOPA and PIPA were so toxic, ACTA might suffer a similar fate if debated in the Senate. Given the fact that ACTA has engendered street protests in Europe, that concern may not in fact be misplaced.

The final issue is the fact that those involved in the negotiations of ACTA only represented the viewpoints and opinions of rights holders. Particularly in the U.S. and Europe, no members of the public interest lobby were included in meaningful ways in the drafting of the treaty. This has, to a large extent, led to a treaty that seems to undermine critical societal values like free speech and transparency. Indeed, an MPAA representative to the negotiations has argued that ACTA could be used to suppress sites like Wikileaks.

Cybersecurity Act of 2012

This long awaited bill was introduced in the Senate on Valentine’s Day.  While I have not had an opportunity to review all of the text of the bill, there are a couple of key issues to watch out for.  The first of these is the definition of “breach.”  The term breach does not have a generally accepted meaning.  As a result, what is considered to be a breach can have a wide-ranging impact on compliance responsibilities.

The second issue is risk shifting. For legislation, this generally means who has to bear the cost of a violation of the law. Key issues will be whether the act contains a private right of action, the ability for law enforcement officials to investigate violations, or fines. Each of these has a great deal of impact on who bears the ultimate risk of compliance, and whether insurance can be procured for a violation.

Finally, a key issue for most businesses will be whether the act preempts state security laws.  Currently, 47 states and the District of Columbia have some sort of security breach law.  Some, like Massachusetts, claim that their laws apply regardless of whether a breach occurs within the state.  This patchwork of laws has created a high compliance burden for internet infrastructure companies who may have data centers in more than one location, or process information about individuals from every state.

Another way to find out more is to join Christian Dawson and me at the Parallels Summit on Thursday, February 16 at 4:45 pm.  We’ll be discussing how Congress and the Executive branch regulate hosting, and ways we can work together through the Save Hosting Coalition to ensure that hosts’ voices are heard.

Bit lockers and the DMCA

Content owners continue to battle with technology providers regarding the scope of protection provided by the DMCA. Content lockers are the latest front in this battle.  Capitol Records v. MP3Tunes provides insight not only into the copyright implications of this new technology, but also into the continuing analysis of the safe harbor afforded to infrastructure providers as well as the obligations of content owners and their representatives. This decision analyzes almost all of the elements of the DMCA that I get questions about, and provides a great guide on how to design and implement a DMCA compliance policy.

MP3Tunes provides a locker service allowing customers to store copies of music they have purchased, as well as providing a music discovery search engine that allows users to store copies of music freely available on the Internet. The owners of the recordings sent takedown notices to MP3Tunes identifying over 300 infringing works, and demanding that MP3Tunes take down all other infringing works, even if not identified in the DMCA notice. This tactic is often used by copyright owners who state that the list of infringing works in their notice is merely a “representative list.” MP3Tunes removed links to the works contained in its music identification service, but did not remove the works from users’ lockers. MP3Tunes also asked the complainant to actually identify those works not set out in the initial DMCA notice.

The first element of the decision that is important to infrastructure providers is the statement that as a matter of legal doctrine, safe harbor provisions are to be narrowly construed. Quoting the Aimster decision, the court held that “[s]ervice providers must do what [they] can reasonably [be] asked to do to prevent use of its service by ‘repeat infringers.’” The three elements providers must implement in their repeat infringer policies are:

1. Having a system for responding to takedown notices;

2. Not interfering with a copyright owner’s ability to issue notices; and

3. Terminating users who repeatedly or blatantly infringe copyrights.

The court held that MP3Tunes met these criteria. Not only did MP3Tunes maintain a system for tracking content, it also terminated users who repeatedly infringed copyrights. MP3Tunes also met the second criterion when it responded to takedown notices by removing links to infringing content from its identification service. However, the fact that it did not terminate users who shared multiple links to content identified on a notice did not remove MP3Tunes from safe harbor. The court aligned with settled precedent that DMCA notices are not, by themselves, evidence of infringement. So, in order to be a “repeat” or “blatant” infringer, a notice must identify a user and infringing content specifically.

The decision also adds clarity to how notice providers must identify the works they seek to be removed. The DMCA requires notice providers to identify those works that are the subject of the notice, and include sufficient information for the recipient of the notice to locate those works. Confusion often arises when there are multiple infringements of the same work. In these cases, notice providers may include a “representative list” of those works. Often, however, notice providers simply state, as they did in this case, “all songs” by an artist. The court held that simply providing a representative list is not sufficient if it does not include information, such as a URL, that will allow the recipient to locate the allegedly infringing material.

While the court held that those notices that simply contained a phrase like “all songs” were not valid, once the notice provider had given the recipient sufficient information that the material could be located, its obligations were satisfied. In this case, because MP3Tunes could search for the web address identified in the notice, the exact location need not be identified. I believe that the court came to this conclusion simply because given the structure of MP3Tunes’ service, there was no way the notice provider could in fact identify the location.  However, MP3Tunes kept track of this information.

The third issue addressed by the court is what constitutes a “red flag” removing a provider from safe harbor. The court concluded, as have many courts, that if the circumstances require a provider to conduct an investigation to determine whether the material, or acts, identified by the red flag are a violation of copyright law, it is not a red flag. Put another way, the circumstances must be fairly blatant to be within the definition of a red flag. In this case, the fact that content was downloaded from a file sharing site was not a red flag, since file sharing sites have legitimate uses. Further, although MP3Tunes received notices from members that its site was used for infringing purposes, these notices, taken by themselves, were not red flags.

Finally, the court discussed whether the fact that MP3Tunes made money off its service, and had the ability to delete songs, removed it from safe harbor. The court held that it did not. As many courts have held, direct financial benefit means receiving actual monetary compensation from the infringing act. In this case, not only did the MP3Tunes service have non-infringing uses, the company actually removed material identified in a DMCA notice.

The fact that MP3Tunes could delete user accounts, and controlled the servers, did not remove it from safe harbor. Again, like many courts before it, this court held that “control of the infringing activity” means actual control, and not simply “the ability to remove or block access” to the allegedly infringing material.

Operation In Our Sites Redux

On Monday, November 28th, Immigration and Customs Enforcement again seized a number of domain names that led to sites alleged to have sold goods infringing the intellectual property rights of others. Regardless of your views on the propriety of the use of Customs laws in this manner, this year’s domain name seizure offers some interesting insights into the process, and potential refinements based on prior crackdowns.

The first issue I found interesting was this statement in ICE’s press release: “Of the 350 domain names seized [in prior raids], 116 have now been forfeited to the U.S. government.” Stated another way, 234 domain names have not been forfeited. This means that fewer than fifty percent of the domain names seized have actually been forfeited. It seems to follow then, that the owners of more than fifty percent of the domain names seized have either protested the seizure or forfeiture proceedings have been abandoned by the government. This is an awful statistic for the government: more than fifty percent of the businesses it has shut down using this law may have been erroneously shut down. While the wheels of justice turn slowly, a statistic like this calls into question the essential fairness of the process. Even assuming that the seizures are appropriate, is shutting 234 businesses, some for more than a year, equitable?

Indeed, the press release issued by ICE points out that there are both administrative and judicial processes available to those whose domains were seized. However, this process, particularly as applied to domain names, stretches due process close to its breaking point. As an initial matter, it is often very difficult to provide notice to the owners of domain names. The statute used in these seizures is designed for seizure of physical property. Since the owner of a domain name doesn’t always “visit” their property, there is no way to provide physical notice. Last year, some registrars, including two very prominent registrars, failed to forward seizure notices to customers who had private registrations.

Second, the attenuated nature of the process leaves businesses shuttered while they attempt to reopen. An admittedly random sample of one of the domains seized in each of the last raids shows that none of the domains have been restored. As noted above, this means that those businesses have no source of revenue while they are seeking to preserve their rights. A fundamental question in this effort has to be whether the death penalty is appropriate for businesses alleged to engage in, or facilitate, infringement. Remember that no prior judicial review, other than what appears to be ministerial magistrate review, exists for these seizures.

Finally, no search engines were part of this raid. Last November, ICE shut down nine torrent search engines. Some of those shut down were actually offering content they were asked to distribute by the content owners. Given the outcry about that aspect of last year’s raid, it seems that ICE may have reconsidered whether search engines are an appropriate target for enforcement.

While I understand the impact piracy has on the owners of intellectual property, I believe that the judicial system is a better place for these disputes to be resolved. I continue to believe that these raids undermine the US economy by making the law enforcement process appear to be random, arbitrary, and without due process.

What or Who is Anonymous?

At the Source Conference in Barcelona, I attended a talk, “Adapting to the Age of Anonymous,” by security expert Josh Corman from Akamai. The talk deconstructed the “anonymous” movement, and various branches and similar organizations like Lulzsec.  What I found most interesting about the talk was the level of discussion and thought that goes into the efforts by these organizations, and the question of whether these activities have had an effect on the operations of other organizations. My view is that they have.

A key component of the talk was the point that “anonymous” is essentially a brand. While there are key individuals who direct the activities of the group, there is no real control over the use of the brand. Indeed, that type of control would be rather antithetical to the group’s underlying world view. So along with the ethical hackers, there is a subset of anonymous who are more akin to Cyndi Lauper: they just want to have fun. Understanding this fact, and the fact that it exists in the hacker community as a whole, is key to building an effective security compliance plan.

This is also important to understanding how the groups are currently being painted by pundits and organizations who have been affected by Anonymous activities. The group has been painted with the terrorist brush by some in the government, and as thieves by content providers. Simply put, because of the lack of “brand control,” any thief can leave the calling card “we are legion” after a hack and divert investigative resources towards the group. Buying into convenient labels can undermine the effectiveness of security strategies by diverting focus from malicious hackers to chasing hackers who are not likely to target you.

The tactics used by both ethical and unethical hackers are helpful in identifying hacking methods. Josh pointed out that looking at their strategies helps you prepare your network for a possible “zombie apocalypse.” So while chasing Anonymous as a potential hacker may be a red herring, looking at the way that they, and those that imitate them, do hack is an effective way of protecting your network.

One final topic that I found very interesting was how Anonymous has affected behavior.  Those looking at security strategy may well believe that the best way to avoid the anonymous zombie apocalypse is to simply run faster, or hide better, than the other targets. Those wishing to avoid becoming a target may now be policing their online behavior so that they don’t attract attention to themselves. While this tactic has raised some questions about self-editing, it’s not much different than advice I give my clients about litigation. In essence, just as you don’t want to be the company who attracts the attention of potential litigants, you also may not want to be the company who attracts the attention of Anonymous, or those who claim to be part of it. Putting aside arguments related to public speech, this tactic may be more effective than all of the others.

Join us for the Save Hosting Coalition Webinar November 1st

On November 1st at 1pm ET, Christian Dawson, Chief Operating Officer at ServInt, and I will be presenting a webinar moderated by Liam Eagle on the efforts of the “Save Hosting” coalition. This webinar is kindly brought to you by The WHIR and HostingCon 2012.

The webinar is designed to provide information about the status of the coalition to those who have attended meetings over the past three months, as well as involve those who have been unable to attend in person.

After three months of organizing, the coalition is poised for direct action.  During the webinar, attendees will learn about the status of a letter on PIPA to the chairmen of the Senate Judiciary Committee, organizational efforts designed to ensure a solid foundation for future efforts, and information about a new “kill switch” bill pending in the House of Representatives, that appears to be more damaging than PIPA.

We encourage those interested in Save Hosting to attend, whether you’ve heard our message before, or are new to the coalition.  Now is the time to act, and we need your help.

The webinar is free to attend but space is limited so Register NOW!

Visit http://www.SaveHosting.org for more information.

More on Save Hosting

Over 50 industry executives got together at HostingCon to discuss legislative and regulatory issues facing the hosting business.  There was general agreement among those who attended the meeting that there are three or four legislative issues that pose a significant risk to the continued vitality of the industry.  The crucial issue, however, is what type of follow up will take place.  Christian Dawson and I agreed that we would continue to move the agenda forward, and convene a meeting at Hosting Transformation to update the community, and solicit more involvement.  In addition, we agreed to continue to monitor legislation and begin to lay the framework for industry activity necessary to provide input on it.

So what has happened since HostingCon?

  • We have continued the dialogue on WebHostingTalk;
  • With Dan Ushman and SingleHop’s help, we have created a website that will be unveiled in the next week;
  • We have created a position paper on the Protect IP Act, or PIPA, that summarizes key issues that may threaten the industry;
  • We have met with a Senate staff member, who provided substantial encouragement to our efforts to provide balance to the debate on Internet regulation; and
  • Christian has continued to spread the word in an interview with the WHIR and in person at the WHIR’s Phoenix gathering.

Please send me an email at david.snead(at)dsnead.com.

How the big buyers look at acquisitions

Late Tuesday afternoon I attended the acquisition Q&A panel. The panelists represented a wide range of buyers and transactional styles. Moderator Frank Stiff presented an interesting initial question: what do you do when you receive information about a potential acquisition? Ditlev Bredahl of OnApp used a “mind map” that at each branch used a green, yellow or red light that would guide his decisions about whether an acquisition was feasible or not. Endurance used Cheval Capital to run interference on deals, sorting through those deals that were appropriate for Endurance and those that were not. Since Softlayer is a technology company, Mike Jones, Softlayer’s CFO, said that the technology must be right. So Softlayer runs all acquisitions through a technology feasibility program. Hillary Stiff from Cheval pointed out that really at base you need to understand what your motivations are for buying, and use that understanding to only evaluate those transactions that meet your criteria.

In answering the age old question, “how do you come up with the purchase price,” Sumeet Sabharwal of Navisite pointed out that regardless of the amount of the purchase price, it’s important to set out, and provide, purchase price expectations up front.  Ditlev echoed this point in saying that it doesn’t matter how you explain the purchase price:  if it isn’t what the seller expected to get, the deal won’t move forward no matter how it’s explained.  In my opinion, discussions about a purchase price are a key way of evaluating whether a transaction will ultimately move forward.  Buyers who are cagey about a purchase price, or sellers who don’t have a realistic idea in mind, telegraph that they are not serious about a transaction.  Failure to discuss hard figures early in a transaction should throw up a red flag for either side.

Joe identified one big issue presented in any transaction: leave your ego at the door. All of the panelists agreed that this is a crucial aspect to any transaction. It’s important not to get emotionally invested in a transaction, and to carry out negotiations in a friendly and respectful manner. Of the transactions I’ve handled that have gone south, the vast majority have done so because the parties’ personalities have somehow begun to conflict. As a result, small details that are generally capable of negotiation erupt into “deal breakers.” In most cases, if the parties are able to step back, and take a moment to look at their positions in a pragmatic way, the dispute goes away. However, if one of the parties makes the dispute into a personal issue, the transaction is typically doomed.