By Julie E. Cohen
The New Republic Online
May 23, 2000

When a rumor began to circulate that Microsoft's copyright lawyers had contacted Slashdot, a Web-based news and discussion forum for programmers, and demanded that Slashdot remove from its website materials criticizing the specification for Microsoft's Kerberos software, it seemed too laughable to be true. Surely the copyright laws could not be used to suppress criticism and comment about copyrighted software. Surely even Microsoft must know better.

In fact, the Slashdot rumor was only half true. Microsoft didn't demand removal of all posts criticizing Microsoft Kerberos. What Microsoft did demand, however, is potentially far more troubling.

At the heart of the controversy is Microsoft Kerberos, Microsoft's implementation of the Kerberos Web security standard, an open standard adopted by the Internet Engineering Task Force (IETF) that allows Web servers to authenticate users. Critics have charged that Microsoft Kerberos modifies the standard so that non-Microsoft servers can't interact with personal computers running Windows 2000 desktop software. These critics--including many subscribers to Slashdot--invited Microsoft to answer the charges by publishing the Microsoft Kerberos specification. On April 27, Microsoft did so--but the website containing the specification requires anyone wishing access to click on an "End User License Agreement" stating that the specification is Microsoft's proprietary trade secret information and may not be used or disclosed without Microsoft's permission.

Enter Slashdot. To protest Microsoft's decidedly nonpublic "publication," several subscribers to Slashdot posted copies of the specification on Slashdot's site; others posted information, including hyperlinks, about where else unrestricted copies of the specification could be found. Still others posted information about how to view the original specification on Microsoft's website without encountering the End User License Agreement restrictions. In a letter dated May 10, 2000, Microsoft invoked the copyright laws, including a 1998 amendment called the Digital Millennium Copyright Act (DMCA), to demand removal of all of these subscriber posts.

In other words, Microsoft demanded removal of the facts that could be used to substantiate the criticism that Microsoft, once again, had destroyed the interoperability of an open standard.

But wait, you say. What about freedom of speech? And what happens to the integrity of the IETF's standards process if the public can't substantiate compliance? Microsoft can't do that, can it? Microsoft clearly thinks it can. Slashdot--which as of this writing has declined to meet Microsoft's demands--appears to have the better of the argument. But the fact that Microsoft has any argument at all reveals just how flawed--and dangerous--a piece of legislation the DMCA is.

The DMCA, passed by Congress in 1998 at the request of the copyright industries, provides legal protection for technological measures designed to restrict access to digital works--such as, for example, the decryption keys that control access to DVD movies. Among other things, the DMCA says that supplying others with tools designed to defeat such protection systems is illegal, and even criminal. Microsoft's letter indicates that it thinks "instructions on how to circumvent the End User License Agreement," which readers must click on to view the Microsoft Kerberos specification, violate this provision.

The DMCA also establishes procedures that copyright owners can use to notify online service providers of allegedly infringing material posted by subscribers and demand the material's prompt removal. These procedures also allow copyright owners to demand that online service providers remove or block links to allegedly infringing material posted elsewhere. Online service providers need not comply with such demands, but those who decline face potential civil liability for contributory copyright infringement. (Affected subscribers, meanwhile, may issue a counter-notification demanding reinstatement of the removed material or links, but they must consent to suit by the copyright owner.) Microsoft's letter to Slashdot invokes this provision of the DMCA to support its demand for removal of the offending posts.

Are Microsoft's claims legitimate? Slashdot has a strong argument that the "unauthorized reproductions" to which Microsoft refers are non-infringing fair-use copies, posted for purposes of criticism and comment. If so, links to unauthorized copies posted elsewhere also don't implicate Microsoft's copyright interests. The fact that the copies don't infringe Microsoft's copyright doesn't answer the argument that the posts contain trade secret information, but even if Microsoft Kerberos qualifies as a trade secret, the DMCA doesn't authorize demands for takedown to protect trade secrets. So far, Slashdot's lawyers appear to have reached the same conclusion. But online service providers who are less contrarian, or simply more risk-averse, might decide differently. In these cases, the DMCA's notice and takedown provisions--which don't require prior court review of takedown demands--threaten to substitute private censorship for judicial process.

Microsoft's argument that "instructions on how to circumvent the End User License Agreement" violate the DMCA is a closer question. The DMCA's language is sweeping; it prohibits distribution of "any technology, product, service, device, component, or part thereof" for avoiding access controls. At the same time, though, information about how to avoid the license restrictions is simply that: information. If mere information is a "product" or "service," that means you can't even talk about circumventing access restrictions. And under another provision of the DMCA that takes effect on October 28, 2000, the act of circumvention itself will become illegal.

If Microsoft's interpretation of the DMCA's ban on circumvention technologies is right, then it doesn't seem to matter much whether posting unauthorized copies of the Microsoft Kerberos specification would be a fair use. A publisher can prohibit fair-use commentary simply by implementing access and disclosure restrictions that bind the entire public. Anyone who discloses the information, or even tells others how to get it, is a felon.

It gets worse. Another law drafted by the copyright industries--the Uniform Computer and Information Transactions Act (UCITA)--is now being submitted to state legislatures for adoption. UCITA would ensure that a "clickwrap" restriction like the one Microsoft used to implement its End User License Agreement is valid and enforceable as long as the party agreeing to the restriction has the opportunity to review the terms first. Under UCITA, copying that is privileged by copyright's fair-use doctrine can still amount to breach of contract--even if the underlying information would not qualify for trade secret protection. UCITA also would validate "clickwrap" prohibitions on reverse engineering of software to discover trade secret information--something that both copyright and trade secret law allow.

The consequences for freedom of speech are disastrous. Copyright law has long acknowledged that restrictions on reuse of another's copyrighted expression are restrictions on speech. It has also acknowledged that some such restrictions frustrate rather than promote creative progress. For these reasons, copyright law forbids authors from controlling the uncopyrightable ideas or functional principles embodied in their work and allows others to make "fair use" even of copyrightable expression for purposes such as criticism, comment, education, and research. The Supreme Court has indicated that these limitations on copyright are required by both the Patent and Copyright Clause and the First Amendment. trade secret law, meanwhile, does not prohibit the reverse engineering of publicly distributed products to discover embodied secrets, and the Court has said that federal intellectual property law requires this result.

The DMCA and UCITA, however, contain no such limitations on the prior restraint of speech. On the contrary, both statutes seem designed for the express purpose of allowing private parties to suppress legitimate public debate about their products. The DMCA states that it does not limit fair use or other defenses to copyright infringement, but fair use is not a defense to the DMCA's provisions banning circumvention tools. UCITA contains a provision preserving courts' power to invalidate contract terms that violate "fundamental public policy," but the scope of that exception has traditionally been narrow.

The only tenable conclusion is that the DMCA cannot possibly be a constitutional exercise of Congress's authority. Similarly, UCITA, to the extent that it's used to implement prior restraints on the discussion of mass-market products, cannot possibly be a constitutional exercise of state power. The First Amendment, of course, doesn't bar enforcement of most ordinary, two-party agreements restricting speech. But deploying government power to sanction wholesale suppression of legitimate commentary on publicly available information goods would vitiate the principles underlying the First Amendment, and the copyright laws as well. Whatever the force of arguments that private enforcement of private "contracts" doesn't implicate government, the same arguments do not apply to legislation designed to authorize private information providers to opt out of constitutionally required limitations on the scope of their proprietary rights.

Constitutional arguments aside, the DMCA and UCITA take a shortsighted view of competition policy. Copyright, of course, necessarily implies a degree of government protection. But imagine--if you can--that in the 1960s the Big Three auto manufacturers had convinced Congress to pass a law allowing them to use mass-market "licenses" to insulate themselves from criticism of their products. In the short run, they might have avoided some unflattering comparisons to superior imports; in the longer run, however, the restrictions would have shielded flawed product designs from the competitive pressures of a healthy market. Together, the DMCA and UCITA will do exactly that. The DMCA and UCITA also spell disaster for open-standards processes like the IETF's. The IETF can't enforce compliance with its standards; that task historically has been left to the market. Markets, though, can't function well without accurate information. The DMCA and UCITA provide any party with the power and desire to withhold information about its compliance with the tools to do so.

The copyright industries, and the software industry in particular, have thrived under a regime of partial intellectual property protection and robust criticism and competition. Our society has thrived as well, both politically and intellectually, on the freedom of expression that the First Amendment and related restrictions on copyright have guaranteed. We should think long and hard before concluding that the DMCA and UCITA will give us the kind of information economy we want.