One day last summer, a person using Verizon to access the Internet logged on to Kazaa, a popular peer-to-peer music-swapping service, and started downloading MP3s. It was the sort of thing that millions of people do every day; the only difference this time was that an analyst at the Recording Industry Association of America was monitoring the action.
The RIAA's efforts to obtain this single Verizon subscriber's identity has ballooned into a major courtroom battle over the scope of the Digital Millennium Copyright Act, the 1998 law that outlines protections for online content. The litigation has split the ranks of Internet service providers and content companies: ISPs, who say they worry about their subscribers' privacy, have generally sided with Verizon, while copyright holders have supported the RIAA.
But stuck in the middle of this fight is a firm that is both a huge copyright holder as well as a huge Internet company -- in fact, it is the leading company in each industry. This is AOL Time Warner, a neither-fish-nor-fowl hybrid of copyright and consumer interests, a combination that has left the company pretty much speechless on a case that could determine the privacy rights of its more than 30 million subscribers, not to mention the rest of us. While other ISPs are running scared, AOL, the biggest ISP of all, is keeping mum.
In January, after months of legal back-and-forth in the Verizon-RIAA case, U.S. District Judge John Bates ruled in the recording industry's favor, ordering Verizon to hand over the Kazaa user's name and address. Internet service providers, privacy advocates, and people critical of the growing influence of copyright owners were devastated by the Bates opinion. The ISPs are worried that they'll be flooded with requests for their subscribers' information, and that they'll have no way to determine the accuracy of these claims.
"You could simply walk into a courthouse, sign a form, and send us a subpoena," says Les Seagraves, the chief privacy officer of EarthLink. "We would have to turn over the name and address of that user. And of course that could get abused -- and there's really nothing we could do about it. The volume of these things would increase, and we'd find ourselves in the subpoena-compliance business, not the Internet business."
Verizon plans to appeal the ruling, and dozens of ISPs have supported its position. But AOL Time Warner has said nothing about the case. The company's online unit has declined to explain what it thinks of the legality of the type of DMCA subpoenas the RIAA seeks, or whether, like other ISPs, it fears being inundated with requests for its users' private info.
Ordinarily, AOL's silence might not mean much. Giant corporations tend not to comment on ongoing litigation, and MSN, the huge ISP owned by Microsoft, has also refused to say anything. But AOL's silence is conspicuous given its unique position as a troubled sister-company to the world's largest media firm. Its silence may also have important practical effects. "They're the biggest ISP, and if they said, 'Wait a minute, we think there's a problem here,' that would be taken very seriously by the courts," says Cindy Cohn, the legal director of the Electronic Frontier Foundation. "I think there's no question that would be a tremendous voice."
But will that voice speak out -- or will it be muffled by the media interests that now appear to control AOL Time Warner's future? It's not really an exaggeration to suggest that the privacy of your actions on the Internet could depend on what this single company does next.
The RIAA analyst who logged in to Kazaa last July 15 discovered that the Verizon subscriber had 666 music files available for others to download, including songs by "Billie Holiday, the Beatles, the Who, Pete Seeger, James Taylor, Bob Marley, Johnny Cash, Stevie Wonder, Billy Joel, Barry White, Aerosmith, Janet Jackson, Madonna, U2, Jennifer Lopez, 'N Sync, Britney Spears, and countless others," the RIAA says.
The person was obviously a music lover and may have been one of the record industry's best customers. But the RIAA considered this person a significant threat to its business, guilty of "theft ... on a massive scale." To make matters worse, the crook was anonymous; the person's age, sex, phone number and address were unknown to everyone outside Verizon's billing department. All that the record industry had on the alleged thief was an eleven-digit Internet protocol address, 18.104.22.168.
When the RIAA asked Verizon for the identity of the user at that IP address, Verizon declined to release it. The trade group filed suit against Verizon, citing the provisions of Section 512h of the DMCA.
Section 512h of the DMCA is just a bit more than 500 words in length and about as easy to decipher as an ancient hieroglyphic scroll. Legal experts are fond of saying that the DMCA was conceived as a grand bargain between ISPs and copyright holders -- the law freed the ISPs from liability for their users' copyright violations as long as the companies cooperated with media firms' anti-piracy efforts. Section 512h reflects the muddle of that grand bargain, and everyone seems to have a different idea of what the passage means.
The recording industry says that Section 512h allows copyright holders to obtain a subpoena ordering an ISP to identify a subscriber accused of infringing upon a copyright. To be granted such a subpoena, a media firm must draw up a list identifying the works in question, must provide "a statement of good faith" testifying that it believes infringement has taken place, and must swear "under penalty of perjury" that it wants the information only to protect its copyright. The copyright owner would present these documents to the clerk of the court, not to a judge; the clerk would check to see that the documents are in order and then issue the subpoena. Neither the clerk nor the ISP would initiate any investigation to determine the accuracy of the claims made by the copyright owner.
Since last July, the RIAA has served other ISPs besides Verizon with 512h subpoenas, and some of them, including EarthLink, have also rejected the requests. But according to Nicholas Graham, a spokesman for AOL, the RIAA has not recently sent such a subpoena to AOL -- a company whose member base is at least 10 times the size of Verizon's and probably includes at least one or two, if not 1 or 2 million, peer-to-peer file traders. Asked what AOL would do if the company received a 512h request for member information right now, Graham declined to answer, saying that it would require him to comment on a hypothetical situation closely related to an ongoing legal case.
Did the recording industry purposefully not serve AOL with a 512h subpoena because of its ties to content companies? The RIAA says no -- in fact, the group says, AOL has been served with such requests for subscriber information in the past, and it has complied. "We have sent AOL these subpoenas and they have responded," said Matthew Oppenheim, the RIAA's vice president of business and legal affairs. (AOL's Graham did not confirm or deny this charge.)
Determining exactly what AOL is really doing with RIAA subpoenas -- if it has actually been on the receiving end of them -- is critical, because other ISPs, including Verizon, read section 512h very differently from the RIAA. Verizon says that the law requires ISPs to turn over a subscriber's name and address only under one condition -- if the subscriber has stored copyright-infringing material on the ISP's computers. For example, if a Verizon subscriber saves an illegal copy of an 'N Sync song on a Web site hosted by Verizon, the company would have to tell the record labels how to contact that subscriber; but if the material is just on the user's computer, as it is for people who use peer-to-peer services, Verizon says it has no obligation to disclose any information at all.
"I was one of the 10 industry representatives who was there to draw up this law," said Sarah Deutsch, associate general counsel for Verizon. "There were five people from the telecom sector and five from the content sector -- and it was clearly our interpretation that the content would have to be on our network. We agreed to a process called 'notice and takedown' for material that was on the network." Deutsch says that the use of the word "takedown" in the DMCA is important, as it implies that the content in question must be on an ISP's system to trigger the law -- if the material is beyond the ISP's control, she argues, how can the company take it down?
The RIAA says Verizon's position is illogical. "There are so many ways it doesn't make sense," Oppenheim says. Why, he asks, would Congress have decided to protect online content in one location -- on the ISP's network -- and not in another? And how did Congress expect the copyright holder to determine where the content was being hosted?
The DMCA doesn't care where the content is being hosted, Oppenheim says. Whenever a copyright holder sees media of its own that appears to have been illegally copied, whether on the Web, on a peer-to-peer service, an e-mail message or some other digital form, the DMCA allows the content company to find out who did it. Oppenheim says that the law is straightforward, and he rejects the idea that the RIAA's case against Verizon is a "test" of any kind. Since the passage of the DMCA, the RIAA has obtained 96 such subpoenas, Oppenheim said, and Verizon was the first ISP to reject one. "Before that, nobody ever objected," he said, "and the only reason it's now a test case is because Verizon thought there was a question."
In documents filed in the case, the RIAA points out that Verizon may have only recently come to that position. On several occasions in 2000, the RIAA asked Verizon to take down infringing material from its network -- and nine times, the company said that the content in question was not on Verizon's network, but that the company would be happy to provide the RIAA with subscriber information if the RIAA obtained a subpoena under the DMCA's 512h.
"And that's not surprising," says Oppenheim, "because everybody knew 512h allowed that. So you have to ask: Why would Verizon suddenly change their view? And, well, I have my answers. They've got an enormous base of infringers. Their view is there would be an economic hit if they started to allow this."
Nobody has a larger number of subscribers than AOL, or would be likely to take a bigger hit if suddenly forced to crack down against every instance of file-trading that an AOL subscriber engages in. But, at the same time, no company has more media properties at risk from file-trading than AOL Time Warner.
Oppenheim points out that the only interpretation of the DMCA's Section 512h that counts, so far, is that of Judge Bates -- and Bates' decision is not even a close call. He sided fully with the recording industry. "The Court disagrees with Verizon's strained reading of the act, which disregards entirely the clear definitional language of subsection h," Bates wrote in his 37-page ruling. (PDF file here.) Verizon's position, Bates said, "makes little sense from a policy standpoint. Verizon has provided no sound reason why Congress would enable a copyright owner to obtain identifying information from a service provider storing the infringing material on its system, but would not enable a copyright owner to obtain identifying information from a service provider transmitting the material over its system ... It is unlikely, the Court concludes, that Congress would seek to protect copyright owners in only some of the settings addressed in the DMCA, but not in others."
Verizon says it will appeal the decision. The stakes are enormous. If you accept that Congress really meant to say what Bates and the RIAA say it meant -- that anyone who suspects a copyright violation can obtain the alleged infringer's identity rather easily and without judicial review -- then the DMCA would seem to be much more unreasonable, and much scarier, than even critics of copyright owners have previously said. According to ISPs, consumer groups, and legal experts, the practical effects of this ruling would be terrifying -- and AOL's silence on the issue despite these consequences "is deafening," says one person in the industry.
"The scope of copyright is infinite in the Internet era," says Peter Swire, a law professor at Ohio State University and the nation's first (and last) chief counselor for privacy at the Office of Management and Budget in the Clinton administration. "Every time you send an e-mail you could say it's copyrighted." The 512h subpoenas, he notes, are "automatic -- no judge is involved. So you will have all these automatic subpoenas where the underlying facts may never have been checked by any human being. You have bots that search for files," and the findings of those bots will simply be passed along to a court clerk, who will order up a subpoena.
These copyright-sleuthing bots -- software programs that scan the Internet for files that "seem" like illegal copies, a determination that can be made on as little evidence as a filename that appears fishy, like "MetallicaSong.mp3" -- are already in use today. They are run by copyright-enforcing firms hired by media companies; everyday, these firms bombard ISPs with requests to pull from their network material that appears to be illegally copied.
Documents Verizon presented in the case show that these bots can sometimes be wrong. For example, the company produced a letter sent to UUNet by MediaForce, a "DMCA enforcement" firm that represents Warner Bros. -- an AOL Time Warner company and a member of the RIAA. The letter demanded that the ISP take down a file that MediaForce said was an infringement of the "Harry Potter" series of books. You can see how the bot might have made that mistake -- the file, which was tiny, was called "harry potter book report.rtf."
"The ISPs get thousands of these things, and they get a not insignificant percent that are not just wrong but are spectacularly wrong," says Cohn of the Electronic Frontier Foundation. "And if the Verizon decision under 512h is upheld, we'll start seeing the same thing for people's identities, and they're going to be wrong in the same percentage that they're wrong now." That's because a key problem with the DMCA, critics of the law say, is that it provides little incentive for copyright owners to make sure that they're providing the court with accurate claims. "They may as well make these things as broad as possible," Cohn says. "There's nothing in the system to make them do otherwise. It's just takedown, takedown, takedown."
Critics of the Bates ruling also worry about intentionally fraudulent copyright claims making it through the system. If you have an entire legal apparatus devoted to "expeditiously" divulging people's private information, there's a chance that the system will become a target of people with something much more sinister than copyright enforcement in mind. "We have seen copyright laws abused by people who have other agendas," Cohn says. "This is a method by which an angry ex-husband can locate an ex-wife, or a process by which stalkers can locate people."
The RIAA's Oppenheim rejects such horror stories. He notes that the DMCA requires people filing for 512h subpoenas to attest to their "good faith" intentions under "penalty of perjury" -- which he says is a strong standard and punishment. Moreover, the judge, Oppenheim says, found the DMCA 512h subpoena process more protective of consumer rights than the process Verizon suggested: that copyright companies file "John Doe" lawsuits against alleged infringers, a scenario that would allow a judge to decide the merits of the case before any personal data was revealed.
One attorney that the RIAA said would back up its view is Douglas Lichtman, a professor of intellectual property law at the University of Chicago Law School. "The cases we should be worried about [with 512h] is where the accusations are not true," Lichtman said. "A case where there's a false accusation, or even worse where there's someone who's using anonymity in an important way -- say where I have a site where I'm making political comments. So the core question is: Does the system as interpreted by [Judge Bates] protect the system enough from false accusations. Verizon says no, the music industry says yes, because the statement is a sworn statement.
"And I have to tell you, I've been torn," Lichtman said. "I've gone back and forth. And I think that the right answer is that a sworn statement under penalty of perjury provides a strong protection." But Lichtman also said that he felt "reasonable minds" could disagree about the consequences of the ruling.
Although AOL Time Warner has refused to say much about its position on this case, the company hasn't, really, been officially silent. Rather, it has held two diametrically opposite views that, taken together, signify a deeply split identity. On one side are many of the company's media subsidiaries -- its record labels and movie studios -- which are part of the RIAA. On the other side is the company's online division, AOL, which is part of the U.S. Internet Service Provider Association, an ISP trade group that filed a legal brief in support of Verizon, and therefore against the RIAA in this case. Through two trade groups, then, AOL has technically told the court that it's on both sides of this issue. Talk about a tough merger!
Those are cases in which the company is served with a criminal or a civil subpoena. In the case of a criminal subpoena, one obtained by law enforcement in the course of a criminal investigation, AOL will "absolutely" turn over a user's identity, Graham said. In the case of a civil subpoena, "there is careful legal scrutiny, and we have a right to review or contest it, which is what happens in many cases. We check to see whether the subpoena has any merit whatsoever, or whether the subpoena asks information that we do not have and do not keep." If a member's identity is requested through a civil subpoena, Graham said, AOL would first get in touch with the user and let the person know of "their right to contest it. And we'd give them a certain period of time in which they can answer us."
The process set by AOL to comply with ordinary civil subpoenas would seem to be protective of a user's identity; but the scheme wouldn't work with the sort of DMCA 512h subpoenas that AOL's media siblings are seeking. If AOL received a 512h subpoena, it would not have the opportunity to check whether such a request had any merit. And the subpoenas -- which Bates said were designed to be "expeditiously" processed -- would not give the company and users a few days to think over the request.
This will be made all the clearer if ISPs are served with hundreds or thousands of such subpoenas at one time, a scenario some people fear. Dave McClure, the president of the U.S. Internet Industry Association, an ISP industry group that does not include AOL, says: "If an ISP receives 60 boxes containing 10,000 IP addresses for which the RIAA wants you to cut off their access and give up their information, the ISP has no way of knowing whether these people were guilty of infringement or not."
Does AOL recognize, or share, these fears? That's impossible to tell. If you ask people in the ISP industry what they believe AOL's position on this case to be, many say that they couldn't guess but that they suspect the company's silence so far means it has taken a back seat to Time Warner. Others in the industry will tell you of rumors, whispers -- unconfirmed, and denied by the company -- that AOL Time Warner has told lawmakers it's pleased with the Bates decision.
One person conjectured that the RIAA met with AOL before serving other ISPs with 512h subpoenas, but the RIAA's Oppenheim said that the story was absolutely false. "That's just one of those myths you hear," he said.
What if, deep in its corporate heart, AOL Time Warner really, truly, has no position on this case, if only for the reason that neither side presents a very good option?
If AOL Time Warner sides with Verizon -- and therefore its own online subscribers and their privacy rights -- it faces a clear cost: the wrath of its media divisions and of others in that business, companies who believe that file trading will be the death of them. And what benefit would it get from protecting consumers' privacy? Perhaps not a whole lot; the subscribers would likely be oblivious to the whole matter anyway. (The sort of people who care about how their ISP interprets obscure sections of the DMCA aren't likely to be on AOL in the first place.)
How would AOL TW do if it took the RIAA's side? If 512h subpoenas become a frequently used tool of media companies, and if RIAA applies them fairly across ISPs, AOL would probably face a hurricane of such requests. It might very well have to kick off many of its own users for the sin of file trading -- which would be terrible for its image, and help depress already stagnant subscriber growth rates.
Perhaps, in the end, silence is AOL's only rational option, at least until its internal politics are solved.
"AOL's problem is they're just a two-headed monster," Mark Cooper, of the Consumer Federation of America, likes to say.
The important question now is, which monster is bigger?