Surveillance State

March 2, 2009 6:00 AM PST

Is the White House changing its YouTube tune?

by Chris Soghoian
  • 22 comments

Editors' note: Correction, March 3, 12:46 p.m. PST: This post, which originally carried the headline "White House ditches YouTube after privacy complaints," significantly misconstrued the White House's policy on and use of YouTube. In the interests of disclosure and transparency, we are leaving the contents as originally posted, with two subsequent update notes and with the exception of the headline change. See also our follow-up story, "No, the White House hasn't ditched YouTube."

* * * * * * * * * * * * * Original story follows * * * * * * * * * * * * *

Updated at 5:50 p.m. PST March 2: The New York Times is reporting that the White House has denied any change in online video policy. While the White House spokesperson admitted to using an in-house Flash-based solution for the latest of the president's weekly video messages, he said the White House is just "experimenting" with different solutions.

Updated at 2:59 a.m. PST March 3: Late Monday, Google posted on its Public Policy Blog a rebuttal to this report: "White House videos on YouTube."

Responding to complaints by privacy activists, the White House has quietly abandoned YouTube as the provider of the embedded videos on the president's official home page.

With the release of the latest weekly video address, the White House has shifted to a Flash-based video solution using Akamai's content delivery network.

The White House's decision to move away from the Google-owned video-sharing site will likely be met with praise by privacy activists and could mark the beginning of a real backlash in response to Google's insatiable thirst for detailed data on the browsing habits of Web surfers.

Ironically, the decision by the White House comes days after YouTube began to roll out new policies to better protect the privacy of visitors who view videos embedded into federal government Web sites. The move by YouTube may prove to be too little, too late.

This is the new embedded video tool used by the White House.

(Credit: Whitehouse.gov)

The White House's decision to embed YouTube videos in the president's official home page drew instant criticism from privacy activists. In addition to several critical posts on my blog, the Electronic Frontier Foundation (here and here), the Center for Democracy and Technology, and the Center for Digital Democracy blasted the choice of video providers.

The focus of the criticism was on the use of long-term tracking cookies by the Google-owned video-sharing site. When the new White House site first went live in January, every visitor to the president's blog would be issued a tracking cookie, even those who did not click the "play" button to watch the video.

The White House acted quickly, and soon deployed a technical fix to the cookie issue, which protected Web surfers who did not click the play button. However, the tens of thousands of people who clicked play were still issued a cookie, and thus tracked by YouTube.

In an unannounced change over the weekend, the White House appears to have solved the remaining cookie privacy issue for those Web site visitors who wish to watch the president's weekly video message.

Out with YouTube, in with Akamai
As of Saturday, the White House seems to have ditched YouTube as its video provider. Visitors to the White House blog can now click play to view a Flash-based video that loads directly from the White House's own Web servers. This solution, which appears to use Akamai's content delivery network, does not make use of tracking cookies.

The president's tech team seems to have finally hit on an optimal solution--one which protects the privacy of the visitors to the White House site, while still permitting the president to spread his message.

The White House is still posting copies of the videos to its official YouTube channel. However, the president no longer provides free advertising to YouTube by embedding those videos on a taxpayer-funded site.

Furthermore, the White House has copied one of the coolest of YouTube's social features: the ability for users to easily share and embed videos on their own sites. Each of the White House-hosted videos includes an "embed" link under it that can be copied and pasted onto any other Web site or blog.

It is unclear whether this switch away from YouTube marks a permanent shift in policy for the White House, or whether the Oval Office geek squad is merely testing an alternate video provider. While the latest video is served using Akamai's servers, the older videos remain as embedded YouTube files.

YouTube's new cookie rules
The timing of the White House's decision to switch to Akamai is rather strange, given the recent moves by YouTube to offer a more privacy-preserving solution for videos used on federal government sites.

Within the last couple weeks, YouTube has silently rolled out its own updates in response to the cookie-related criticism. People wishing to embed a YouTube video can now select a delayed cookies option when copying the embed URL.

This is the new delayed cookies option for YouTube embeds.

(Credit: Screenshot of YouTube)

That choice will cause the embedded videos to be served from an alternate domain, www.youtube-nocookie.com, which registrar records reveal was first registered on January 23, 2009, just one day after this blog first mentioned the White House/YouTube cookie issue.

New documentation on the YouTube site reveals:

Enabling delayed cookies means that the YouTube video player will not set any non-session cookies on the computer of a visitor (viewing the page on which the YouTube video is embedded). The YouTube video player may set non-session cookies on the visitor's computer once the visitor clicks on the YouTube video player.

This option is rather similar (yet still inferior) to the technical fix that was previously used (and since disabled) by the White House, as well as the open source MyTube tool developed by the Electronic Frontier Foundation.
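One way to check an embed against the delayed cookies wording quoted above, as an added example that is not part of the original post or YouTube's documentation: it classifies each Set-Cookie header as session or non-session and reports third-party non-session cookies by the phase in which they were set. The capture format, cookie names and values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "whitehouse.gov"  # first-party site named in the article


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def lifetime_days(attrs, now):
    """None for a session cookie, else the lifetime in days (Max-Age wins over Expires)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treated as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit(events, site=SITE, now=None):
    """Return (phase, host, cookie name, days) for each third-party non-session cookie."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for phase, host, header in events:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        third_party = not (host == site or host.endswith("." + site))
        # A zero or negative lifetime deletes a cookie, so it is not tracking state.
        if third_party and days is not None and days > 0:
            findings.append((phase, host, name, round(days)))
    return findings


def honours_delayed_cookies(events, **kwargs):
    """True when no third-party non-session cookie is set before the visitor clicks play."""
    return all(phase != "page_load" for phase, *_ in audit(events, **kwargs))


# Constructed captures: (phase, responding host, Set-Cookie header value).
NOW = datetime(2009, 3, 2, tzinfo=timezone.utc)

ORIGINAL_EMBED = [  # behaviour described for the January launch
    ("page_load", "www.whitehouse.gov", "pref=1; Path=/"),
    ("page_load", "www.youtube.com",
     "viewer_id=c0ffee; Expires=Tue, 02 Mar 2010 00:00:00 GMT; Path=/"),
]

DELAYED_EMBED = [  # behaviour the delayed cookies documentation describes
    ("page_load", "www.whitehouse.gov", "pref=1; Path=/"),
    ("page_load", "www.youtube-nocookie.com", "player_state=1; Path=/"),
    ("after_click", "www.youtube-nocookie.com",
     "viewer_id=c0ffee; Max-Age=31536000; Path=/"),
]

if __name__ == "__main__":
    for label, capture in (("original", ORIGINAL_EMBED), ("delayed", DELAYED_EMBED)):
        print(label, honours_delayed_cookies(capture, now=NOW), audit(capture, now=NOW))
```

In a real audit the events would come from a browser's network capture, split at the moment the play button is clicked.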

A prominent privacy policy
In another new move by YouTube, the site now appears to be directly embedding a link to its privacy policy in all videos that are played from government sites.

This is the new privacy policy link in .gov-hosted YouTube videos.

(Credit: Whitehouse.gov)

When those same videos are viewed at YouTube.com, or when embedded in a blog or other non-.gov site, the clickable link to the privacy policy is gone.

Webmasters for various state agencies seemed to notice the new policy last week and initially complained to YouTube, thinking that the new youtube-nocookie.com was a phishing site.

A representative from YouTube told the Webmasters:

The privacy policy link you see on your embed player is in response to federal regulations regarding privacy on embed players. We're working to remove it from state and local .gov sites as soon as possible.

Still not perfect
While the decision by the White House to ditch YouTube is a good one, unresolved issues remain.

First, as previously noted by the Electronic Frontier Foundation, the White House Web site makes use of an "invisible pixel" style Web bug/tracker on every page on the site, hosted by WebTrends.com.

Ideally, the White House should take its Web analytics technology in-house and abandon the use of this third party tracking technology. Otherwise, at the very least, the White House privacy policy should be updated to note the tracking cookies used by WebTrends.

Second, the White House still has not published the waivers it issued to YouTube (and potentially other third parties), which permitted the sites to use long-term tracking cookies. The Electronic Frontier Foundation has repeatedly asked for these documents--requests that the White House has ignored.

Given the president's much-publicized commitment to transparency, it is time that the White House publishes these documents.

Third, in its recent move to include privacy policy links in videos embedded at .gov Web sites, YouTube has clearly demonstrated that it has the ability to modify the services it provides depending on the referrer information associated with incoming requests. YouTube should build on this and adopt a policy of not logging any data associated with .gov-referred requests.

That is, the site would be free to keep logs on the videos viewed by visitors to its own site as well as those embedded on blogs, but it would opt to immediately forget all identifying information associated with requests from government sites.

While the White House seems to understand the cookie privacy issue, it is unlikely that members of the House and Senate are equally tech-savvy. After all, some of them can barely figure out Twitter.

YouTube videos are heavily used on the Web sites of those in the House and Senate. YouTube should adopt sane logging policies for visitors who view these videos, so that we don't have to wait for the House and Senate to fix the problem themselves.

YouTube did not return a request for comment, while a representative for the White House Web team declined to speak on the record.

February 19, 2009 5:41 AM PST

Recovery.gov blocked search engine tracking

by Chris Soghoian
  • 77 comments

(Credit: Recovery.gov)

Update: As of 8 a.m. PST, within three hours of this story first going live, it appears that President Obama's Web team has (silently) pulled the robots.txt file from the Recovery.gov Web site. The site is now open to Web crawlers of all kinds.

The Obama administration has apparently opted to forbid Google and other search engines from indexing any content on the newly launched Recovery.gov.

Is this even more evidence that the administration's much-publicized commitment to transparency is simply hype?

Recovery.gov, which went live Tuesday, is set to act as a central clearinghouse for information related to the newly signed American Recovery and Reinvestment Act. The legislation is designed to stimulate the flagging U.S. economy.

In a video message, available on YouTube and embedded into the new site, President Obama states that the "size and scale of (the stimulus) plan demands unprecedented efforts to root out waste, inefficiency, and unnecessary spending. Recovery.gov will be the online portal for these efforts." He adds that the new site will be used to publish information on how the stimulus funds will be spent in a "timely, targeted, and transparent manner."

Although the site is advertised as proof of the president's commitment to transparency, its technical design seems to betray that spirit. Most importantly, the site currently blocks all requests by search engines, which would ordinarily download and index each page to make the information more accessible to the Web-searching public.

The site's robots.txt file has just a few lines of text:

# Deny all search bots, web spiders
User-agent: *
Disallow: /

Although the White House Web team did not immediately respond to a request for comment, the single-line comment at the top of the file indicates that the blocking of search engines is no accident but rather a statement of policy.

Many sites use a robots.txt file to communicate, in machine-readable terms, the Web pages that they do and don't wish to be indexed by search engines. While the files don't carry much, if any, legal weight, most search engines act as good Internet citizens and honor the requests.

Luckily for the millions of Americans who might wish to find out how their money is going to be spent, it seems that Google has opted to ignore the administration's restrictive robots.txt on the stimulus-related site. It is unclear if this is due to an error or a manual override by someone at Google, but a quick search turns up more than 60 Web pages on Recovery.gov that have been indexed by the search engine's Web crawlers in just the past three days.

Also, the stimulus bill requires that the site be run by the new Recovery Accountability and Transparency Board, but it seems to currently be under the control of the White House Web team--the same folks who revamped Whitehouse.gov and whose use of the robots.txt search engine-blocking code was expanded after the site initially was praised by bloggers for its openness.

It is this blogger's hope that with a bit of gentle prodding by members of the pro-transparency community, Recovery.gov's administrators will correct the "unintentional oversight" that was made in launching the site with such a restrictive robots.txt file.

January 30, 2009 6:22 AM PST

White House expands use of search-blocking code

by Chris Soghoian
  • 12 comments

The White House has silently tripled the number of Web pages that it forbids Google and other search engines from accessing. Is this a bad omen or much ado about nothing?

Within hours of Barack Obama being sworn in as president, bloggers and tech journalists began to closely examine the new White House Web site for hidden indicators as to how he would shape future tech policy.

While I focused my efforts on the White House privacy policy, others looked to the new administration's robots.txt file, which lays out boundaries that search engines like Google should follow when scraping the site.

When the new Obama geek team posted its sparse robots.txt to the Web, tech pundits soon hailed it as a sign of the President's commitment to openness, transparency, and proof that someone tech-savvy was finally running the show.

Blogger Jason Kottke hailed the move, writing that it was "a small and nerdy measure of the huge change in the executive branch of the U.S. government today." Another blogger, Ben Orenstein, compared the new Obama robots.txt file to the 2,400-line file used by the Bush White House, "I think you've got a lovely little microcosm; one that points to a hopeful and open future."

The big fuss?

These digerati were excited by the fact that the new White House robots.txt file contained just two lines:

User-agent: *
Disallow: /includes/

Fast-forward one week, and the White House has silently started to expand its use of the robots.txt search engine-blocking mechanism. As of Friday morning, the file now contains the following text:

User-agent: *
Disallow: /includes/
Disallow: /search/
Disallow: /omb/search/

While it would be accurate to state that the White House has in one day tripled the number of sites it excludes from Google crawling, it is also important to note that this is not a big deal--in fact, it doesn't matter at all.
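The three robots.txt files quoted on this page (the Recovery.gov file and the two Whitehouse.gov versions), evaluated with Python's standard-library parser as an added example that is not part of the original post. It shows which paths a crawler that honors the file would skip and what the one-week change actually added; the crawler name and the sample paths are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# robots.txt contents exactly as quoted in the posts on this page.
RECOVERY_GOV = """\
# Deny all search bots, web spiders
User-agent: *
Disallow: /
"""

WHITEHOUSE_LAUNCH = """\
User-agent: *
Disallow: /includes/
"""

WHITEHOUSE_WEEK_LATER = """\
User-agent: *
Disallow: /includes/
Disallow: /search/
Disallow: /omb/search/
"""

# Constructed sample paths; only the directory prefixes come from the files above.
SAMPLE_PATHS = [
    "/",
    "/blog/",
    "/includes/nav.html",
    "/search/?q=stimulus",
    "/omb/search/?q=budget",
    "/omb/",
]


def load(robots_txt):
    """Parse robots.txt text without fetching anything over the network."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def blocked_paths(robots_txt, paths=SAMPLE_PATHS, agent="ExampleBot"):
    """Paths a crawler that honors the file would decline to fetch."""
    parser = load(robots_txt)
    return [p for p in paths if not parser.can_fetch(agent, p)]


def disallow_rules(robots_txt):
    """Non-empty Disallow values, ignoring comments and blank lines."""
    rules = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            rules.append(value.strip())
    return rules


def newly_blocked(old_txt, new_txt, paths=SAMPLE_PATHS):
    """Paths that were crawlable under the old file and are excluded by the new one."""
    before = set(blocked_paths(old_txt, paths))
    return [p for p in blocked_paths(new_txt, paths) if p not in before]


if __name__ == "__main__":
    print("Recovery.gov blocks:", blocked_paths(RECOVERY_GOV))
    print("Launch file blocks:", blocked_paths(WHITEHOUSE_LAUNCH))
    print("Rules:", len(disallow_rules(WHITEHOUSE_LAUNCH)),
          "->", len(disallow_rules(WHITEHOUSE_WEEK_LATER)))
    print("Added by the change:", newly_blocked(WHITEHOUSE_LAUNCH, WHITEHOUSE_WEEK_LATER))
```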

For the most part, the Bush White House's use of robots.txt was totally legitimate, something that Kevin Fox, an engineer at Friendfeed, told the folks at Google Blogoscoped:

This is a bit silly. The old robots.txt excludes internal search result pages and redundant text versions of HTML pages. This is exactly what robots.txt is for. Google's Webmaster Guidelines state "Use robots.txt to prevent crawling of search results pages or other auto-generated pages that don't add much value for users coming from search engines."

It's understandable that the robots.txt of an 8-year-old site is longer than that of a 1-day-old site, and it's not as if '/secrets/top' or '/katrina/response/' were put in the robots file.

Fun as it may be, this is a nonstory.

Those bloggers drunk on hope who desperately wanted to see proof of Obama's commitment to his campaign promises of transparency and Google Government now find themselves with a difficult choice: they can either accept and acknowledge that robots.txt files are not a set of digital tea leaves through which you can read the new administration, or, if robots.txt does carry weight, they can try to come up with a way of explaining a 200 percent increase in the number of directories blocked by Obama's Web team as anything but Cheney-esque secrecy.

Simply put, the robots.txt file was created and managed by engineers, not lawyers or policy makers. It is not the place to judge the president on tech policy issues.

The president's tech policy should instead be judged on real issues: how many former RIAA and MPAA lawyers will be given positions of power in the administration, who ends up working at the FTC and FCC, and who will be named the new cybersecurity czar.

As for the president's commitment to transparency, he has already violated his pledge to post all nonemergency bills on the Whitehouse.gov Web site for five days before signing them. The text of the Lilly Ledbetter Fair Pay Act of 2009, which was signed into law yesterday, was certainly not posted to Whitehouse.gov for anywhere near five days.

Obama's broken commitment to transparency remains advertised on the White House blog:

One significant addition to WhiteHouse.gov reflects a campaign promise from the president: we will publish all nonemergency legislation to the Web site for five days, and allow the public to review and comment before the president signs it.

It is by looking to these kinds of concrete issues that we can judge the president, not robots.txt.

January 27, 2009 7:06 AM PST

Activists call for a mashup-friendly Recovery.gov

by Chris Soghoian
  • 6 comments

As President Obama's $825+ billion financial stimulus package works its way through Congress, a number of groups have started to call for increased transparency in the way that data on the proposed spending will be shared with citizens.

Most noteworthy are demands from public-interest groups and academics that the data be provided in a format conducive to user-generated mashups and remixes.

The American Recovery and Reinvestment Act of 2009 passed through the House Appropriations Committee a couple weeks ago, and it is expected to come up for a full House vote in the coming weeks.

In addition to authorizing the spending of an obscene amount of money, the act also mandates the creation of a Web site to "foster greater accountability and transparency" in the use of those funds.

While the bill does a great job in mandating the kinds of information that will be put online (contracts, audits, inspector general reports, etc.), it is rather vague with regard to details on how the information will be provided.

The only hints include language mandating that the information be "easy to understand" and "regularly updated," and include a "database of findings from audits," "printable reports," and "user-friendly visual presentations to enhance public awareness of the use of funds."

Such statements bring to mind the possibility of yet another boring and difficult-to-navigate federal government Web site, perhaps similar to the Federal Communications Commission's antiquated and ineffective home page, or the Federal Elections Commission's slothlike campaign donation search engine.

Faced with the possibility of another Web 1.0 Web site designed by the federal bureaucracy, a number of pro-transparency activists and tech policy academics have started to weigh in on the issue, all of them demanding the same thing: full, easy, and free access to the complete data set powering the Recovery.gov Web site.

For example, while the FEC's donation search engine was often slow and unresponsive during last year's presidential campaign, a number of third parties were able to create fantastic mashups of the campaign donation data--the most notable of these being the Huffington Post's FundRace tool, which provides users with a Google map view of each donation to the presidential campaigns.

The numerous independent sites allowing for the easy navigation of campaign donation data were possible because of the legal requirement that all FEC data be made available in full to the public. As a result, public-interest groups and media organizations were able to create their own innovative mashups and remixes of the data, providing faster and more responsive Web interfaces than the FEC's overwhelmed servers, as well as creating innovative visualization methods for navigating the data set.

John Wonderlich, program director at the nonpartisan Sunlight Foundation, outlined the general problem:

We'd like the site to serve not just the amateur information consumer, but also the programmers that can skillfully remix the information. The citizen observer's role seems well-addressed by the legislation that mandated the site (with requirements for "printable reports," feedback, and to be "easy to understand"), while the needs of the programmer are largely unaddressed. The data should be available in formats that facilitate more advanced use by programmers and analysts alike.

Certainly, the data should be made available following the 8 Principles of Open Data: (1) complete, (2) primary (as it is collected at the source), (3) timely, (4) accessible, (5) machine-processable, (6) nondiscriminatory, (7) nonproprietary, and (8) license-free. XML and CSV are a minimum.

Search is great, if you are looking to find information about any one thing. But original analysis and visualization require access to data in bulk. If the goal of putting the data online is to increase accountability and transparency, then it is necessary (to) provide bulk data access.

Echoing this last point, David Robinson, the associate director of the Center for Information Technology Policy at Princeton University, told me that "(no) one person or organization could possibly anticipate all the ways that Americans will want to analyze, reuse, or cross-reference the information that Recovery.gov will offer. And no one person or organization needs to do so, as long as the data itself is readily available."

In 2008, Robinson and his colleagues at Princeton published a paper calling for the government to provide open access to the raw data used by all federal Web sites. The highly influential paper has been widely circulated among technology policy circles in recent months.

Jim Harper, the director of information policy studies at the Cato Institute, feels that the entire back-end database should be made available.

"This is a little tricky, because people have to settle on a format, and then require submissions in that format from contractors and state and local entities, etc.," Harper told me. "But if the administration wants to be transparent, a little forcing will go a long way. States and contractors will learn how to deal with standardized data quickly, if it makes the difference on getting federal dollars."

A month ago, Harper moderated a one-day forum at Cato, in which a number of policy experts called for open access to government data. A video and podcast of that event can be found here.

Given that this bill has largely been written and shaped behind closed doors, it remains unclear how much of an impact these pro-transparency activists will have on the legislation that will create the Recovery.gov Web site. As of press time, calls for comment left with the House and Senate Appropriations Committees had yet to be returned.

January 26, 2009 6:17 PM PST

White House yanks 'YouTube' from privacy policy

by Chris Soghoian
  • 5 comments

Someone at the White House appears to be listening to those of us in the privacy community.

For the third time in just six days, the Obama administration has modified the White House Web site privacy policy in response to criticism from the blogosphere.

When the site launched on January 20, it exempted YouTube from federal anticookie tracking rules that would have otherwise cast a legal shadow over the use of embedded videos on the White House blog.

Reacting to criticism from the blogosphere, the White House first modified its Web site on Friday to limit the cookie exposure to only those users who clicked on videos. Then, on Sunday, the White House again tinkered with its privacy policy to scrub YouTube's name from the cookie exemption.

The original YouTube-specific exemption stated:

For videos that are visible on WhiteHouse.gov, a "persistent cookie" is set by third-party providers when you click to play the video.

This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.

However, by Sunday evening, the exemption had been edited to remove all mention of YouTube:

For videos that are visible on WhiteHouse.gov, a "persistent cookie" is set by third-party providers when you click to play the video.

This persistent cookie is used by some third-party providers to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.

The decision by the White House to revisit the cookie exemption does not come as a complete shock. The YouTube rule had in just a few short days generated both bad press and direct criticism from several public-interest groups.

It should be noted that this change is, for the most part, cosmetic. YouTube continues to be the only company whose video content is embedded within the White House Web site. Furthermore, the Google-owned video-sharing site is the only one that has received both official legal clearance from the White House Counsel and direct assistance by the White House tech staff (who embed the YouTube content) in planting tracking cookies within the Web browsers of millions of Americans.

Google CEO Eric Schmidt, who has advised President Obama and who personally donated $25,000 to the president's inauguration celebration (out of a total of $150,000 by six Google executives) must be rather pleased.

Still no transparency
In spite of Obama's much-publicized commitment to transparency, the White House has yet to actually provide a copy of the waiver (something this blogger has requested from White House officials informally, as well as via the Freedom of Information Act).

The text of the original privacy policy implied that a specific waiver had been issued for the cookies forced upon end users who intentionally viewed YouTube videos embedded within the White House Web site. The text now implies a far broader waiver for multiple video-sharing Web sites. However, it remains unclear if a new waiver has been issued, or if the old waiver was broad enough to cover multiple sites.

When I first wrote about the privacy policy text last week, I criticized the White House for providing YouTube with a specific exemption. At the time, I noted that no other company had received such special treatment.

The motivation of my criticism was to try to shame the White House staff into doing away with the exemption--as cookies are in no way required in order to serve online video. Instead of recognizing the need to protect consumer privacy, White House officials reacted by expanding the exemption to other companies.

In many ways, the current policy is actually worse than before: non-tech-savvy consumers now have no idea how many companies might be forcing their Web browser to accept tracking cookies. At least up until last week, visitors could take some comfort in the knowledge that only one company might be invading their privacy when they visited the White House Web site (and then only by a firm that had pledged to "do no evil"). Now, at least according to the White House's wide exemption, there could be many.

Last week, I said we should be reasonable and give the White House Web team a bit of time--after all, it is in a brand-new office, managing a new computer network, and scrambling to meet the demands of a very busy boss. However, if the team has had enough time to tinker with the privacy policy at least three times in the past six days, then it has more than enough time to post a copy of the waiver.

December 17, 2008 6:00 AM PST

Google censors political-donation transparency ads

by Chris Soghoian
  • 11 comments

Should members of the public be able to pay for Web advertisements detailing which companies have donated to politicians? While this seems like a great way to promote transparency in politics, Google forbids the practice--we are free to name the politicians who take money but cannot name the companies that give it.

With Google's domination of the search engine market, and the eyeballs that go along with it, the company's AdWords text ads have become a key way for activists, politicians, and corporations to reach the general public. However, over the past year, Google's excessively restrictive policies have resulted in the censorship of lawful advertisements that educated and informed the public.

In one of the cases, involving religious groups placing anti-abortion ads, Google backed down. As this post will explore, Google's rather absurd, and little known, trademark policy seriously harms the ability of citizens to highlight the donations made to politicians by large corporations.

Trademarks and AdWords
Over the past few years, Google has waged numerous legal battles in order to allow its advertising customers to purchase keyword ads for trademarked phrases. Thus, for example, Nike can make sure that ads for its shoes show up when a Web surfer searches Google.com for Reebok.

Under Google's current trademark policy, Nike can purchase advertisements that will display information for the company's own shoes, such as "Visit Nike.com to get great deals on shoes," but Google forbids anyone but a trademark owner from using a trademarked phrase in an ad. Thus an ad stating that "Nike shoes are worn by Barack Obama, not Reebok" would be forbidden, even if Nike could prove it were true.

This example with two large corporations battling it out doesn't really tug the heart strings. But what about the following few examples of ads, all of which are currently forbidden as per Google's trademark policy?

  • A labor rights group that wished to place an ad stating that "Wal-Mart forbids its employees from unionizing," whenever someone searched for the phrase "minimum wage."
  • A public-interest group that wished to place an ad stating that "The RIAA has filed over 30,000 lawsuits against Internet users, many of whom were children, elderly, or even dead," whenever a Google user searched for the words "file sharing."
  • An activist who wished to place an advertisement stating that "AT&T has given $7,500 since 2004. Who else has donated to the senator?" The ad would be displayed when Internet users searched for the name of a particular politician.

While these first two examples are hypothetical, the final one has actually been censored by Google. I know, because a few weeks ago, Google informed me that an ad campaign that I had run for the last 5 months was being terminated due to a trademark complaint by AT&T.

No sunshine allowed
As regular readers of this blog will know, I dabbled in a bit of tech policy activism in the state of Indiana earlier this year, working on a data breach bill that eventually became law. During the process of getting that bill through committee, I had a nasty run-in with a state senator who didn't take too kindly to my blogging and was willing to hold up my bill as a way to force me to censor my criticism of his colleagues.

Once I left Indiana in May, I promptly registered multiple domain names for Republican State Senate whip Brandt Hershman, www.Brandt-Hershman.com and www.BrandtHershman.com. Both domains point to a single Web page that lists every campaign donation that Sen. Hershman has received, from all corporations, for the history of his political career.

In addition to setting up this Web site, I also placed a Google ad campaign so that anyone searching for "brandt hershman", "senator hershman," or a few other similar keywords would see an advertisement pointing to my site:

What does money buy?

AT&T has given $7,500 since 2004.
Who else has donated to the senator?
www.Brandt-Hershman.com

From June until December of this year, the ad ran without any complaints. However, on December 5, Google notified me that it had suspended my advertisement, based on a trademark complaint:

Thank you for advertising with Google AdWords. After reviewing your account, we've found that one or more of your ads or keywords does not meet our guidelines.

Ad Issue(s): Trademark in Ad Content

SUGGESTIONS:
-> Ad Content: Please remove the following trademark from your ad: AT&T.

When I appealed the suspension of the ad, Google replied with a bit more information, informing me that AT&T had complained about my use of the company's trademark:

Thank you for your email. I understand you're concerned that the term(s) AT&T has been disapproved in your account as a trademark.

Please note that we received a complaint from the trademark owner of AT&T. In their complaint, the trademark owner stated that they are the owner of the mark and that its use in certain advertisements is not authorized. Therefore, your ad was disapproved.

Google's policies, in depth
Google's official policy confirms its zero-tolerance stance toward trademarks in advertisements:

When we receive a complaint from a trademark owner, we only investigate the use of the trademark in ad text. If the advertiser is using the trademark in ad text, we will require the advertiser to remove the trademark and prevent them from using it in ad text in the future.

Google permits trademark owners to submit blanket complaints regarding the use of their mark in advertisements. This means that with just one request, a company can force the removal of every single advertisement that contains the trademark, even if the use is legitimate and lawful.

It's useful to compare Google's trademark and copyright policies. If a copyright owner (say, the Church Of Scientology or Viacom) wishes to force the removal of a link from the Google search index or videos from YouTube, that company must send an individual request for each file or Web site.

If Viacom wants to have 100 episodes of The Daily Show removed from YouTube, it takes 100 requests. However, if Viacom wants to force the takedown of 100 different advertisements that mention The Daily Show, it only takes a single request.

The requirement that copyright owners send individual takedown requests is an important speed bump that protects the fair-use rights of end users, who might be incorrectly accused of violating copyright. No such protection currently exists for Google AdWords customers who wish to lawfully comment on or critique companies whose names are trademarked.

Legal analysis
To make sure that I wasn't making a fuss out of nothing, I spoke to a number of prominent legal experts, all of whom shared my concern regarding the impact on free speech and transparency in politics.

First, I spoke with Wendy Seltzer, a fellow at Harvard's Berkman Center (disclosure: I am also a fellow at Berkman) and founder of the Chilling Effects Clearinghouse. She told me that:

Google should be concerned that its actions here may actually hurt its (and its users') ability to use trademarks for comparative and search purposes later. Google is now a large enough part of our Internet experience that its concessions to trademark bullies in AdWords could condition readers to think--incorrectly--that all uses of a trademark must be authorized by the trademark holder...

We need to resist this chipping-away at our rights to use brands to speak about the products they promote and things their owners do, and Google, as a major beneficiary of our prodigious use of language, should help us to do so.

Jim Harper, director of information policy studies at the Cato Institute, also shared similar concerns:

What (Google) seems to be doing is accepting any complaint as conclusive proof that a trademark violation is occurring. This is a very poor practice, and it grants trademark owners power well beyond their legal rights. On a platform as important as Google's, that will result in a significant diminution of communication about corporations and, in this case, politicians too.

While he was concerned about the impact on free speech, Eric Goldman, a professor at the Santa Clara University School of Law, expressed some sympathy for Google, due to the risk of litigation by trademark owners:

Presumably, AT&T has requested Google not to let any advertisers display "AT&T" in the ad copy--whether the advertisers are competitors, pirates or political speakers. Google is within its legal rights to do so, and there is some legal support for Google's position.

However, unquestionably, Google's policy precludes legitimate trademark references such as yours.

This is not a good situation, but before we criticize Google too harshly, note that they face legal risks whatever they do, and they have tried to find a compromise solution...

Trademark law is so ridiculously expansive that Google feels compelled to implement illogical and chilling policies, so (in my opinion), the real villain is trademark law, not Google.

As both Goldman and Harper told me, Google is perfectly within its rights to refuse to display my advertisement, just as a newspaper or TV station can refuse to air an ad. However, just as newspapers routinely publish advertisements that criticize companies, so, too, could Google, if it wished to.

The only recourse available to activists wishing to change Google's policies is thus shame--a tactic that has worked pretty well in other similar situations.

Freedom of Speech and Abortion
Earlier this year, a British anti-abortion organization sued Google, after the search engine refused to display an advertisement that the group had sought. The text of the ad was:

U.K. Abortion law
Key views and news on abortion law from The Christian Institute
www.christian.org.uk

Before the lawsuit, Google's policy did not permit ads promoting Web sites that contained abortion and religion-related content. After a significant amount of bad press, and the settlement of the suit (brought under the United Kingdom's Equality Act), Google reversed itself.

Google's new policy allows religious associations to place ads "in a factual and campaigning way," a Google spokesperson told the British media. She went on to describe the policy in more detail:

This means that their ads need to aim to educate and inform, not to shock. The ads can refer to government legislation, and existing law, and the alternatives to abortion. But, they cannot link to Web sites which show graphic images that aim to shock people into changing their minds.

Outside of the online-advertising space, U.S. telecommunications giant Verizon Communications caused a huge media firestorm in 2007, when it blocked short text message alerts by NARAL, a pro-choice group.

Within days of its anti-free-speech blunder, Verizon quickly backtracked. However, by then, the damage to its reputation was done. Both Congress and the FCC took an interest in the incident, leading to threats of oversight and investigation.

Obviously, abortion is a hot-potato issue that no Fortune 500 company wishes to get caught in the middle of. However, the issue for both Google and Verizon was the same--the companies sell products that enable people to communicate with each other. When they start deciding which kinds of information are appropriate to send, they risk a significant public outcry, as well as the attention of both regulators and Congress.

With any luck, Google will realize that its flawed AdWords trademark policy is hurting free speech and efforts to promote transparency in government. If it doesn't, we all suffer.

December 9, 2008 7:00 AM PST

Editorial: It's time for a child porn czar

by Chris Soghoian
  • 5 comments

With the recent news of the ham-fisted filtering of Wikipedia for over 95 percent of British Internet users by an unelected and unaccountable industry/government hybrid body, it seems like a good time to turn our attention to the issue of the fight against child pornography here in the U.S., and in particular, the freedoms we are willing to hand over along the way.

In this blog post, I will argue that the time has come for President-elect Barack Obama to appoint a child pornography czar, whose office can take over the tasks currently performed by the powerful yet oversight-free organization: The National Center for Missing and Exploited Children (NCMEC).

However, before we begin, let me state that I, along with the rest of the civilized world, believe that child pornography is a Bad Thing (TM), and those who create or traffic in it are evil people. However, just as one can still support the troops while criticizing the war, I too have an objection to the way we're fighting this war. Actually, to be more accurate, I support the war on child porn, but object to the fact that it's been outsourced to Blackwater NCMEC. But in any case, I'm getting ahead of myself.

The National Center for Missing and Exploited Children
NCMEC was created by a congressional mandate in 1984, and coordinates the efforts of law enforcement personnel, social service agency staff, elected officials, judges, prosecutors, educators, and elements of both the public and private sector to fight against all forms of child exploitation.

While NCMEC was created by Congress, is mostly funded by the U.S. government (and in particular, the Department of Justice), and plays a key role in assisting the FBI in its fight against child pornography, the organization isn't part of the U.S. government. It is, instead, a nonprofit, and thus not subject to the Freedom of Information Act, the Privacy Act, or limited by constitutional protections guaranteeing free speech, due process, and freedom from unreasonable search and seizure.

NCMEC's power
The National Center for Missing and Exploited Children already wields significant power as an unofficial Internet regulator, some of it granted by Congress, but most of it achieved through "consensual" agreements with Internet service providers. Consider these examples:

NCMEC acts as a clearing house for information and reports on child pornography. Thanks to the Protect Our Children Act of 2008, which was signed into law by the president in October, Internet service providers are now obligated to provide NCMEC with reports on any suspected child pornography that they detect on their networks. Failure to report such information to NCMEC is a crime.

As a result of a quasi-secret deal signed between NCMEC and the major cable companies earlier this year, NCMEC now provides these Internet providers with regularly updated lists of objectionable Web sites run by those cable customers. Upon receipt of a suspect URL, the ISPs immediately remove the files from the Web, with no appeal process for the owners of the Web sites. Oh, and as an added bonus, the ISPs are forbidden from mentioning NCMEC's name when notifying their customers of the takedown.

In June 2008, New York Attorney General Andrew Cuomo and NCMEC strong-armed several major ISPs into terminating their customers' access to Usenet news groups--due to the fact that a few hundred (of the tens of thousands of total Usenet groups) contained child pornography.

Likewise, just a few weeks ago, Craigslist was forced into a deal with 40 state attorneys general and NCMEC in which the site agreed to take steps to root out certain sexually themed or "erotic services" listings. Why NCMEC was concerned about consenting adults selling sex-related services via Craigslist remains unclear.

No oversight, no problems?
The sad truth is that no company can say no to NCMEC. Faced with the possibility of a press conference (perhaps even with an AG or two standing nearby) held in order to criticize the company's noncompliance with an anti-child porn project, any rational company would buckle. The bad PR from not doing so is simply too great.

NCMEC performs an extremely important task, one that has no doubt saved hundreds of children, and I'm glad that I don't have to do it. However, it is also rather strange to entrust this job to a private organization. If this is such an important task, why not give it to the FBI?

The answer to this might be the benefits that come from not being a federal agency: the complete lack of oversight or any requirement for transparency. NCMEC is able to sign secret deals with ISPs and strong-arm companies into cooperating without fear that a FOIA-wielding public-interest lawyer or activist will unearth any information on the group's tactics or methods.

Criticism and fear
Over the past several weeks, I've spoken to a number of experts in the field of Internet law and policy. Many of those have strong feelings about NCMEC, but due to the extremely sensitive nature of the child pornography issue, few would go on record to voice their criticism.

Adam Thierer, a senior fellow at the libertarian Progress and Freedom Foundation, told me that:

"Despite having the best of intentions, NCMEC has attained a level of authority over the Internet that should now qualify it for closer government scrutiny. The organization should either be covered by the Freedom of Information Act and other relevant government oversight laws and processes, or it should be converted entirely into a federal agency so that it is accountable for its actions as an Internet regulator."

John Morris, senior counsel for the Center for Democracy and Technology, voiced similar concerns, telling me:

"We have very significant concerns about the outsourcing of prosecutorial and investigative functions to a non-government entity. And we believe that those functions should only be done (by those subject to) the First and Fourth Amendments, the Privacy Act, and The Freedom Of Information Act."

Other than these two gentlemen, no one else would go on the record.

Reform via a czar
Given its status as a sacred cow, we cannot expect any politician to pay heed to calls to overhaul NCMEC or subject it to oversight. However, what we can do is call for the nationalization of the National Center for Missing and Exploited Children.

Think of it this way: We have a drug czar, a war czar, a copyright czar, and will likely have a cybersecurity czar and car czar under the next administration. Why not throw a child porn czar into the mix? Nationalize NCMEC, make all of its workers federal employees, with good health care and job security, and perhaps even expand its budget--after all, it does good work, right?

NCMEC's job is simply too important to be entrusted to a nonprofit group--such a task can only be performed by a fully trained and funded law enforcement agency (one which, conveniently enough, is subject to the Freedom of Information Act, congressional oversight, and constitutional requirements for due process).

Best of all, if anyone criticizes this call for a child exploitation czar, we can turn the trump card against them, and accuse them of not caring about the children.

December 3, 2008 9:00 AM PST

Harvard team: Let consumers hack abandonware

by Chris Soghoian
  • 5 comments

See my full write-up of all of the other DMCA requests here.

When a digital rights management-based music, video, or software product shuts down, as has happened in the past with Microsoft, Google, Yahoo and Wal-Mart Stores, one thing is guaranteed: customers lose legal access to works for which they paid.

Existing copyright law makes it a crime to attempt to circumvent DRM protections, even on legally purchased music, and so consumers are generally dependent upon the failing media store to provide some remedy--perhaps a refund, or a temporary delay of a few months in the death of the DRM-authenticating servers that are necessary for full use of the music. However, the store instead may simply choose to say "bah humbug," shut down, and leave consumers high and dry.

What if, instead, consumers had a legal right to circumvent the DRM protecting those legally obtained but now useless songs, videos, software, and video games? If this blogger and a legal team from Harvard University are successful, this just might be possible.

The Digital Millennium Copyright Act makes it illegal for users to break or reverse-engineer the DRM that protects music, video, software, and consumer electronics. However, every three years, the Copyright Office asks the public to submit requests for new exemptions to the law.

In years past, consumers were given the right to hack region-locked mobile phones, and security researchers were allowed to circumvent the DRM protecting malware-infected music CDs (such as in the famous Sony rootkit fiasco).

The deadline for this year's requests was Tuesday afternoon.

A team from Harvard's Berkman Center for Internet and Society has requested an exemption that, in the event that a central server-based DRM scheme fails in the future, would permit consumers to circumvent and evade the DRM protecting the music, movies, software, and games that they have previously purchased, in order to maintain their existing lawful right to access those works.

The team is made up of myself, Phil Malone, a clinical professor of law at Harvard Law School and director of the Cyberlaw Clinic, and Arjun Mehra, a law student in the clinic. Our full submission can be downloaded here.

In just the past few years, a number of DRM-based music and video stores have gone kaput, leaving their customers without a lawful way to access works for which they paid good money. These include Microsoft's MSN Music Store, Google's Video store, Yahoo Music, and Wal-Mart.

In some cases, consumers could keep listening to media on the same computer, after the shuttering of the authentication server, but they were unable to transfer the songs and videos to new MP3 players or other computers, or even to reactivate them on their original devices, in cases where they had a hard drive crash or needed to reinstall the operating system.

While we're not aware of examples so far of shutdowns or failures of similar DRM systems protecting software and games, this sort of consumer harm is likely in the next few years. For example, were Electronic Arts to go bankrupt, the millions of customers who had purchased a copy of the game Spore would be unable to reinstall that lawfully purchased copy after a hard-disk crash or virus infection.

Under a plan floated by Electronic Arts this past May, some of its games would need to contact a DRM server every 10 days to continue functioning. Such a regime would lead to the instant orphaning of every installed copy of the game, if the company later shut its doors or shut down its authenticating servers.

Luckily for angry EA fans, the company abandoned the 10-day authentication plan after massive consumer backlash, but the likelihood that other game or software vendors will use similar measures in the near future is high.

A researcher exception too
If researchers have to wait until the central authenticating DRM servers have been switched off before they can begin the reverse-engineering process, they might never be able to learn how the DRM works and how it might be lawfully evaded, if a DMCA exemption permitted it.

To understand how to effectively circumvent a DRM system, researchers need to be able to watch authentication messages flowing back and forth between a legitimate client and the master DRM server. Once the server has been turned off, there are no authentication messages being transmitted that the researchers can observe and study.

As a simplistic example, consider that Ali Baba needed to sit outside the 40 thieves' cave in order to overhear the correct password ("open sesame"). Had the thieves vanished, and Ali Baba been left outside the cave, trying random passwords, it is likely that he never would have been able to get inside.

To solve this problem, we have asked the Copyright Office for a second exemption to the DMCA's anticircumvention provisions. We have asked that technologists and researchers be allowed to circumvent such DRM stores in the course of good-faith research before the death of the server, for the purpose of documenting the inner workings of the DRM system.

This way, for example, researchers would be able to legally circumvent the DRM in iTunes or Spore, even while the services are still functioning, in order to understand and document how the DRM software functions.

This would give legitimate researchers (both professional and amateur) the legal protections necessary in order to safely tinker with and take apart existing DRM systems so that, should the services ever be shut down, it wouldn't be too late to gather vital circumvention information.

Of course, it would still be illegal for the general public to use that information to circumvent a DRM store, until the service was shut down and the DRM servers stopped functioning.

Thanks
I'd like to thank Phil Malone and Arjun Mehra, who donated their time to work on and draft this request with me. I'd also like to thank Ed Felten, Tim Lee, Nicole Ozer, Chris Riley, Pam Samuelson, Wendy Seltzer, and Fred von Lohmann, all of whom provided us with valuable feedback during the drafting process.

December 3, 2008 8:19 AM PST

DMCA exemptions desired to hack iPhones, DVDs

by Chris Soghoian

For copyright activists, Christmas comes but once every three years: a chance to ask Santa for a new exemption to the much-hated Digital Millennium Copyright Act's prohibitions against hacking, reverse engineering, and evasion of digital rights management (DRM) schemes protecting all kinds of digital works and electronic items.

Judging from the list of 19 exemptions requested this year, some in the cyberlaw community are thinking big. (Disclosure: One of the DMCA exemption requests was submitted on behalf of this blogger by Harvard University's Cyberlaw Clinic.) The requests include the right to legally jailbreak iPhones to use third-party software, university professors wishing to rip clips from DVDs for classroom use, YouTube users wishing to rip DVDs to make video mashups, a request to allow users to hack DRM protecting content from stores that have gone bankrupt or shut down, and a request to allow security researchers to reverse-engineer video games with security flaws that put end users at risk.

Electronic Frontier Foundation uber-lawyer Fred von Lohmann told Wired News earlier this week that the government "has repeatedly dismissed any consumer-oriented fair uses, such as making backup copies of DVDs or video games, as well as requests for exemptions to enable copying DVDs to laptops and portable devices." He also told them that the DMCA exemption process is "hopelessly broken."

That depressing outlook doesn't seem to have stopped Lohmann from co-authoring two significant requests (PDF) to the copyright office for exemptions squarely targeted at members of the public.

The highlights
The 19 requests are too lengthy to blog, and so only the most noteworthy (to this blogger) have been presented here. Those wishing to read through the others can find all of the submitted exemption requests at the Copyright Office's Web site.

First, the EFF has asked that consumers be allowed to jailbreak or hack smartphones to run lawfully obtained third-party software on the devices. Such an exemption, if granted, would be great news for the estimated 1 million users who have hacked their iPhone, and risked the wrath of Steve Jobs as his engineers played cat-and-mouse to stop the jailbreaking. Such an exemption would also be fantastic news for Mozilla, which is currently prohibited by Apple's terms of service from bringing the popular Firefox browser to iPhone.

In the EFF's second request, the group has asked the Copyright Office to permit end users to circumvent the DRM protecting DVDs, for the purpose of creating noncommercial videos that fall squarely within the protections of fair use. While such circumvention is already trivially easy to do with tools such as HandBrake, it is technically illegal to do so. For the millions of YouTube users who remix and mash up snippets of copyrighted works (including Sen. John McCain), such an exemption would mean digital freedom.

In complementary filings, representatives from Duke University (PDF), the University of California at Berkeley (PDF), Middle Tennessee State University (PDF) and the Library Copyright Alliance (PDF) asked for a similar exemption for DVD ripping, but solely for professors who wish to create compilations of digital film clips for classroom use. A more limited professor exemption was granted back in 2006, but only for those teaching film studies. Both groups would like to see that exemption expanded to professors and K-12 teachers from all fields.

The Cyberlaw Clinic at Harvard University, representing this blogger, has asked (PDF) the Copyright Office to allow end users to circumvent the DRM protecting music, video, software, and games in the event that a central authenticating server is shut down. This has happened several times in the past few years, including Microsoft's MSN Music Store, Google's Video store, Yahoo Music, and Wal-Mart. The team also asked that researchers be permitted to reverse engineer functioning DRM stores (such as Apple's iTunes) before any shuttering is announced, for good-faith documentation purposes.

Finally, Professor J. Alex Halderman has expanded his successful "Sony Rootkit" 2006 request, and has asked (PDF) that security researchers be allowed to circumvent the DRM in digital works, software or games that create or exploit security vulnerabilities on the computers of end users. While his request is broad, the main focus is on DRM schemes such as SafeDisc and SecuROM, which are widely used in the video game industry (such as in Electronic Arts' Spore).

Next steps
During the next few months, the Copyright Office will allow members of the public to submit comments on the exemptions requested during this cycle. Later, in March, two public hearings will be held, in Washington, D.C., and California. There will likely be appearances by several public-interest groups and law school clinics speaking in support of their exemption requests, while representatives from the recording, motion picture, and software industries are likely to show up to fight against such efforts to weaken the DMCA. At the very least, the hearings promise to be quite a spectacle.

December 1, 2008 8:00 AM PST

MySpace ruling could lead to jail for lying online daters

by Chris Soghoian
  • 52 comments

The MySpace suicide case concluded last week, with the jury finding Lori Drew guilty of three misdemeanor counts of gaining unauthorized access to the popular social-networking site.

While most of the press attention has been focused on the specifics of the case, the more important issue is the potential impact this could have on the Internet in general.

Web site terms of service, which end users universally ignore, suddenly have teeth: violating them is a federal hacking offense, punishable with jail time. The days of being able to freely lie on the Web could be coming to an end. This could mean serious trouble for people who lie about their age, weight, or marital status in their online dating profiles.

Bad cases and bad laws
The specifics of the Lori Drew case are messy and emotional. The important fact is that there is no federal cyberbullying statute, so the U.S. attorney in Los Angeles turned to a novel interpretation of existing computer hacking laws to try to punish the woman. The general idea is that in creating terms of service, a Web site owner specifies the rules of admission to the site. If someone violates any of those contractual terms, the "access" to the Web site is done without authorization, and is thus hacking.

Unfortunately for Internet users everywhere, a jury bought the theory last week and found Lori Drew guilty of three misdemeanor violations of the Computer Fraud and Abuse Act, punishable with up to one year in a federal prison and a $100,000 fine for each of the three counts.

Horrible terms of service
Until the Drew case is overturned, terms of service would appear to have the power of federal hacking laws to back them up, at least in cases where an ambitious federal prosecutor is interested in making a name for himself.

Back in March, I wrote about Google's insane terms of service--which forbid the use of the site's search engine, free e-mail service, or any of its other offerings by people under the age of 18. The site's terms state:

"You may not use...Google's products, software, services and Web sites...and may not accept the Terms if...you are not of legal age to form a binding contract with Google."

Under the Department of Justice's current interpretation of hacking laws, every high schooler who uses Google to do homework is in theory a criminal.

However, it gets even better than that. As the Electronic Frontier Foundation noted in its amicus brief to the court, the dating site Match.com prohibits married persons from using the Web site to cheat on their spouses:

"You must be at least eighteen (18) years of age and single or separated from your spouse to register as a member of Match.com or use the Website."

Dating site eHarmony takes this even further, forbidding its users from lying in their online profiles:

"You will not provide inaccurate, misleading or false information to eHarmony or to any other user. If information provided to eHarmony or another user subsequently becomes inaccurate, misleading or false, you will promptly notify eHarmony of such change."

All those people who have lied about their age or weight in an eHarmony profile would now appear to be computer hackers. Oh, and if you gain 30 pounds after posting your profile and don't promptly update your profile--yep, jail for you.

Silver lining...a weapon against RIAA
Back in the early days of the Digital Millennium Copyright Act, activists discussed the creative use of terms of service to keep agents of the RIAA and MPAA from visiting their sites, and collecting evidence for later trials. In a few minutes of searching, I was able to find at least one Web site whose terms of service still forbid such activity.

Notice to RIAA & MPAA and affiliated contractors: Pursuant to DMCA statutes, you are forbidden from accessing or reproducing any content on this site, due to a violation of our terms of service. This is not a matter for discussion. You must exit this Website now.

These amateur click-wrap agreements didn't seem to hold much weight back then. Could the precedent set by the Lori Drew case provide ammunition to pirates, activists, and the thousands of other Internet users who have an anti-RIAA ax to grind?

Parry Aftab, a lawyer and executive director of an anti-cyberbullying group, hailed the court case as a victory, telling the Associated Press that the "verdict has made it very clear if you use the Internet as a weapon to hurt others, especially young, vulnerable teens, you're going to have to answer to a jury. This is not acceptable."

For those of us who see the over 30,000 lawsuits filed by the RIAA as an abuse of the legal system and an organized shakedown of vulnerable high school and college students who know little about the law, perhaps this warning will hold true.


About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
