ARTICLE

Some Reflections on Copyright Management Systems and Laws Designed to Protect Them

JULIE E. COHEN

table of contents

I. INTRODUCTION

II. LEGISLATIVE AND TREATY DEVELOPMENTS

A. The National Information Infrastructure Copyright Protection Act

B. The Geneva Connection: The WIPO Treaty

C. The 105th Congress: WIPO or "WIPO Plus"?

III. OVERBREADTH CONCERNS

A. Knowledge, Purpose, and Effect

B. "Or Permitted By Law:" Fair Use and Other Authorized Uses

C. Remedial Overkill

IV. BROADER IMPLICATIONS OF PRIVATE COPYRIGHT MANAGEMENT REGIMES

A. Copyright, Contract, and "Private Legislation"

B. Reader Privacy and Anonymity

V. CONCLUSION

I. Introduction

Copyright management systems (CMS)-technologies that enable copyright owners to regulate reliably and charge automatically for access to digital works-are the wave of the very near future. The advent of digital networks, which make copying and distribution of digital content quick, easy, and undetectable, has provided the impetus for CMS research and development.1 CMS are premised on the concept of "trusted systems" or "secure digital envelopes" that protect copyrighted content and allow access and subsequent copying only to the extent authorized by the copyright owner.2 Software developers are testing prototype systems designed to detect, prevent, count, and levy precise charges for uses that range from downloading to excerpting to simply viewing or listening to digital works.3 In a few years, for example, an individual seeking online access to a collection of short fiction might be greeted with a menu of options including:

$0.50, or $0.40 for students doing assigned reading (verified based on roster submitted by instructor)

$0.80, or $0.70 for students

$1.35

CMS also loom large on the legislative horizon. Copyright owners have argued that technological protection alone will not deter unauthorized copying unless the law provides penalties for circumventing the technology.4 Although a bill to protect CMS against tampering failed to reach a vote in Congress last year, the World Intellectual Property Organization's recent adoption of treaty provisions requiring protection means that Congress must revisit the question soon. Part II describes these developments.

The seemingly inexorable trend toward a digital CMS regime raises two questions, which I address in parts III and IV, respectively. First, broadly drawn protection for CMS has the potential to proscribe technologies that have indisputably lawful uses and also to foreclose, as a practical matter, uses of copyrighted works that copyright law expressly permits. How may protection for CMS be drafted to avoid disrupting the current copyright balance? Second, and equally fundamental, CMS may enable both pervasive monitoring of individual reading activity and comprehensive "private legislation" designed to augment-and possibly alter beyond recognition-the default rules that define and delimit copyright owners' rights. Given the unprecedented capabilities of these technologies, is it also desirable to set limits on their reach?

II. Legislative and Treaty Developments

Emerging schemes for legislative protection of CMS have two components. First, they prohibit tampering with protective technologies adopted by copyright owners. Second, they prohibit the unauthorized removal or alteration of so-called "rights management information" (RMI) attached to copies of copyrighted works. Because RMI is defined to include the terms and conditions for use of the work, tampering with CMS (which enforce terms and conditions) may constitute an RMI violation, and vice versa.

The following three subsections lay out the various legislative proposals and treaty provisions that are likely to shape the domestic debate over CMS and RMI.

A. The National Information Infrastructure Copyright Protection Act

In 1995, the Clinton Administration's Information Infrastructure Task Force released a "White Paper" on "Intellectual Property and the National Information Infrastructure," which included recommended changes to the Copyright Act to address perceived difficulties concerning the Act's application to digital works.5 The National Information Infrastructure Copyright Protection Act (NIICPA), a verbatim rendering of the White Paper's proposals, was introduced in Congress in the fall of 1995.6 However, the NIICPA's provisions engendered strong opposition from a variety of groups, including educators, librarians, Internet service providers, and manufacturers of consumer electronic equipment.7 As a result, the bill remained stalled in committee when the 104th Congress adjourned. Of particular importance for this discussion, the NIICPA includes a proposed Chapter 12 for the Copyright Act, which was designed to protect CMS.

1. Technological Protection

The anti-circumvention provision, proposed section 1201 of the Copyright Act, reads as follows:

Section 1201. Circumvention of copyright protection systems.

No person shall import, manufacture, or distribute any device, product, or component incorporated into a device or product, or offer or perform any service, the primary purpose or effect of which is to avoid, bypass, remove, deactivate, or otherwise circumvent, without the authority of the copyright owner or the law, any process, treatment, mechanism, or system which prevents or inhibits the violation of any of the exclusive rights of the copyright owner under section 106.8

2. Rights Management Information

Proposed section 1202 of the Copyright Act would provide protection for RMI:

Section 1202. Integrity of copyright management information.

(a) False Copyright Management Information-No person shall knowingly provide copyright management information that is false, or knowingly publicly distribute or import for public distribution copyright management information that is false.

(b) Removal or Alteration of Copyright Management Information-No person shall, without authority of the copyright owner or the law, (i) knowingly remove or alter any copyright management information, (ii) knowingly distribute or import for distribution copyright management information that has been altered without authority of the copyright owner or the law, or (iii) knowingly distribute or import for distribution copies or phonorecords from which copyright management information has been removed without authority of the copyright owner or the law.

(c) Definition-As used in this chapter, 'copyright management information' means the name and other identifying information of the author of a work, the name and other identifying information of the copyright owner, terms and conditions for uses of the work, and such other information as the Register of Copyrights may prescribe by regulation.9

3. Remedies and Defenses

The NIICPA would authorize a panoply of civil remedies for violation of sections 1201 and/or 1202. Monetary remedies available to the copyright owner include "damages suffered . . . as a result of the violation, and any profits of the violator that are attributable to the violation and are not taken into account in computing the actual damages,"10 statutory damages up to $2,500 per violation of section 1201 and $25,000 per violation of section 1202,11 treble damages for repeated violations,12 and costs and attorneys' fees.13

In addition, the remedial provisions would allow courts to impound "any device or product that is in the custody or control of the alleged violator and that the court has reasonable cause to believe was involved in a violation."14 After final judgment, the court could order the device or product destroyed.15

Finally, the NIICPA would authorize criminal penalties against persons violating section 1202 "with intent to defraud."16

B. The Geneva Connection: The WIPO Treaty

In December 1996, delegates to the World Intellectual Property Organization (WIPO) met in Geneva to craft a protocol to the Berne Convention regarding copyright in digital works. Notwithstanding the Clinton Administration's failure to generate domestic consensus behind the NIICPA, the United States proposal to WIPO substantially tracked the language of the NIICPA.17 With respect to CMS, however, the treaty provisions ultimately adopted differ considerably from those initially urged by the United States government.

1. Technological Protection

The anti-tampering provision originally proposed by Jukka Liedes, Chairman of the Committees of Experts (proposed Article 13) reads as follows:

Article 13: Obligations concerning Technological Measures

(1) Contracting Parties shall make unlawful the importation, manufacture or distribution of protection-defeating devices, or the offer or performance of any service having the same effect, by any person knowing or having reasonable grounds to know that the device or service will be used for, or in the course of, the exercise of rights provided under this Treaty that is not authorized by the rightholder or the law.

(2) Contracting Parties shall provide for appropriate and effective remedies against the unlawful acts referred to in paragraph (1).

(3) As used in this Article, "protection-defeating device" means any device, product or component incorporated into a device or product, the primary purpose or primary effect of which is to circumvent any process, treatment, mechanism or system that prevents or inhibits any of the acts covered by the rights under this Treaty.18

In accompanying comments, Chairman Liedes conceded that the proposed requirements were "more akin to public law obligations . . . than to provisions granting 'intellectual property rights.'"19 He indicated that in implementing the proposal, parties should consider "the need to avoid legislation that would impede lawful practices and the lawful use of subject matter that is in the public domain."20 However, he maintained that a primary-purpose-or-effect standard for identifying unlawful devices, rather than a narrower focus on devices "specifically designed or adapted to circumvent" technological protection, was the only way "[t]o achieve the necessary coverage."21

The primary-purpose-or-effect language met with considerable resistance. Many delegates expressed concern that the provision might restrict access to public domain materials and frustrate lawful uses of copyrighted works, such as fair use.22 Several delegates also expressed concern that the provision as worded would reach a variety of devices capable of substantial and valuable noninfringing uses.23 As finally approved by the delegates, the provision (now Article 11), is substantially altered:

Article 11: Obligations concerning Technological Measures

Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law.24

The new language focuses on the need for protection against the act of circumventing CMS, rather than the nature of the device used to accomplish circumvention.

2. Rights Management Information

Initially, the proposed treaty provision regarding RMI (proposed Article 14) read as follows:

Article 14: Obligations concerning Rights Management Information

(1) Contracting Parties shall make it unlawful for any person knowingly to perform any of the following acts:

(i) to remove or alter any electronic rights management information without authority;

(ii) to distribute, import for distribution or communicate to the public, without authority, copies of works from which electronic rights management information has been removed or altered without authority.

(2) As used in this Article, "rights management information" means information which identifies the work, the author of the work, the owner of any right in the work, and any numbers or codes that represent such information, when any of these items of information are attached to a copy of a work or appear in connection with the communication of a work to the public.25

Once again, the comments of Chairman Liedes stressed "the need to avoid legislation that would impede lawful practices,"26 or that would impose "technically non-feasible requirements" on broadcasters and other authorized users.27

After many delegates requested that the RMI provision be modified to require some connection to infringing purpose,28 the provision (now Article 12) was redrafted as follows (changes underlined):

Article 12: Obligations concerning Rights Management Information

(1) Contracting Parties shall provide adequate and effective legal remedies against any person knowingly performing any of the following acts knowing or, with respect to civil remedies having reasonable grounds to know, that it will induce, enable, facilitate or conceal an infringement of any right covered by this Treaty or the Berne Convention:

(i) to remove or alter any electronic rights management information without authority;

(ii) to distribute, import for distribution, broadcast or communicate to the public, without authority, works or copies of works knowing that electronic rights management information has been removed or altered without authority.

(2) As used in this Article, "rights management information" means information which identifies the work, the author of the work, the owner of any right in the work, or information about the terms and conditions of use of the work, and any numbers or codes that represent such information, when any of these items of information is attached to a copy of a work or appears in connection with the communication of a work to the public.29

As revised, this provision requires not only knowing performance of a prohibited act, but also knowledge (or at least reasonable basis for knowledge) that the act will facilitate an act of copyright infringement. In addition, liability for distribution of altered works is imposed only if the distributor also knows that RMI was removed without authority.

However, the scope of Article 12 was broadened in one crucial respect. The definition of RMI was expanded to include information about the terms and conditions set by the owner for use of the work, as well as "numbers or codes that represent such information." As noted above, because CMS necessarily incorporate this information, a single act of tampering may implicate both Article 12 and Article 11.

C. The 105th Congress: WIPO or "WIPO Plus"?

As of this writing, no bill implementing the provisions of the new WIPO copyright treaty has been introduced in either house of Congress. Many of the new treaty provisions would require little or no change to existing United States law.30 However, at least some of the provisions concerning CMS will require implementing legislation if Congress ratifies the treaty.31

Articles 11 and 12 of the WIPO copyright treaty leave substantial room for variation in the implementing legislation crafted by member states. Of particular significance for the United States, the provisions require merely a threshold level of protection and do not prohibit member states from adopting stricter laws, such as the anti-tampering provisions of the NIICPA. In a recent briefing, PTO Commissioner Bruce Lehman indicated that the Administration will attempt to seek passage of the NIICPA in the 105th Congress.32 However, it is unclear whether the Administration will stand firm behind the precise language that failed to generate consensus last year in Congress and again in Geneva. One possible source for new language is a draft committee print of revisions to the NIICPA that was circulated before Congress adjourned last summer.33

1. Technological Protection

Although arguably less draconian than the original proposal, the draft language would impose significantly higher levels of protection for CMS than the treaty language requires (changes to the original NIICPA language are underlined):

Section 1201. Circumvention of copyright protection systems.

(a) Prohibitions-No person shall import, manufacture, or distribute any device, product, or component incorporated into a device or product, or offer or perform any service, an effect of which is to avoid, bypass, remove, deactivate or otherwise circumvent [ . . . ] any process, treatment, mechanism, or system which prevents or inhibits the infringement of any of the exclusive rights of the copyright owner under section 106, with reckless disregard for facts demonstrating that the device, product, component, or service primarily enables such infringement, or with the intent to primarily enable such infringement.

(b) Limitation-Liability under this section shall not be based solely upon the failure of a device, product, or service to accommodate, facilitate, or enable the operation of any process, treatment, mechanism, or system described in subsection (a).34

2. Rights Management Information

Section 1202 of the draft committee print is very similar to the final WIPO treaty provision on RMI (changes to the original NIICPA language are underlined):

Section 1202. Integrity of copyright management information.

(a) False Copyright Management Information-No person shall knowingly provide copyright management information that is false, or knowingly publicly distribute or import for public distribution copyright management information that is false, with intent to mislead or to induce or facilitate infringement.

(b) Removal or Alteration of Copyright Management Information-No person shall, without authority of the copyright owner or other lawful authority, knowingly and with intent to mislead or to induce or facilitate infringement-

(1) remove or alter any copyright management information,

(2) distribute or import for distribution copyright management information that has been altered without authority of the copyright owner or other lawful authority, or

(3) distribute or import for distribution copies or phonorecords from which copyright management information has been removed without authority of the copyright owner or other lawful authority.

(c) Definition-As used in this chapter, the term 'copyright management information' means the following information that appears in connection with copies or phonorecords of a work or performances or displays of a work, including in digital form:

(1) The title and other information identifying the work, including the information set forth in a notice of copyright.

(2) The name and other identifying information of the author of the work.

(3) The name and other identifying information of the copyright owner of the work, including the information set forth in a notice of copyright.

(4) Terms and conditions for uses of the work.

(5) Identifying numbers or symbols referring to such information.

(4) [sic] Such other information as the Register of Copyrights may prescribe by regulation.35

3. Remedies and Defenses

In the draft committee print of the NIICPA, the civil remedial provision is modified to afford a defense where the offending device, product, or component "was generally available in the relevant market prior to the introduction into that market of the process, treatment, mechanism, or system circumvented."36

The provision creating criminal liability, however, is enlarged to reach violations of section 1201 "with intent to infringe upon any of the exclusive rights of the copyright owner under section 106," as well as violations of section 1202 "with intent to defraud."37 This language is substantially broader than required by the WIPO treaty. On its face, the treaty does not require criminal penalties at all, but only "adequate and effective legal remedies" for the copyright owner.38

III. Overbreadth Concerns

Legislating permissible developments in computer technology is a dangerous project. Invariably, technologies that might be used for indisputably unlawful purposes are the same technologies that are useful for achieving many lawful and socially valuable ones. Devices or services that might be used to defeat CMS are a case in point.

Article 11 of the WIPO copyright treaty is scrupulously attentive to this problem. It focuses on conduct in particular cases-circumvention of CMS designed to restrict unauthorized, infringing acts-and does not attempt to define a class of technologies that should be prohibited. In contrast, the NIICPA and its proponents have at best ignored, and at worst denied, the undeniable fact that "effects" legislation threatens lawful and socially valuable conduct.

A. Knowledge, Purpose, and Effect

Under the NIICPA, a finding of liability for tampering hinges on two factors. First, the accused technology is classified according to its effect in general, rather than its use to achieve infringement in a specific case. As originally worded, section 1201 of the NIICPA targets any technology or service with the "primary purpose or effect" of defeating CMS.39 The draft committee version goes even farther, extending liability to any technology or service "an effect of which" is to defeat CMS.40 Second, the defendant's conduct must be knowing-but sections 1201 and 1202 of the NIICPA, as originally worded, require knowledge only as to the acts that constitute tampering, not as to any ultimate act of infringement.41

The primary-purpose-or-effect test is a radical departure from existing copyright law, in two distinct ways. First, copyright law treats with suspicion blanket prohibitions on technologies that are merely capable of facilitating infringement. Thus, a claim for contributory copyright infringement fails as a matter of law if the accused device is capable of substantial noninfringing use.42 In Sony Corp. of America v. Universal City Studios, Inc., the Supreme Court noted that in the context of patent law, "a finding of contributory infringement is normally the functional equivalent of holding that the disputed article is within the monopoly granted to the patentee."43 The Court reasoned that in copyright law, a "substantial noninfringing use" standard would similarly "strike a balance between a copyright holder's legitimate demand for effective-not merely symbolic-protection . . . and the rights of others freely to engage in substantially unrelated areas of commerce."44 This reasoning applies equally to technologies that might potentially play a role in defeating CMS. Such technologies include encryption and decryption tools, which are considered crucial to the development of Internet-based commerce;45 tools for software reverse engineering, which have widespread lawful application and are protected by the fair use doctrine;46 and possibly even that most ubiquitous hacking tool, the personal computer.47 Giving copyright owners control over this broad spectrum of technological capability is bad policy, and likely to prove unworkable in practice.

Congress has historically dealt with perceived technological threats to copyright owners' rights by enacting narrow, targeted pieces of legislation. Thus, the Audio Home Recording Act requires digital recording devices to incorporate serial copy management technology,48 and the Communications Act regulates devices for decrypting satellite broadcasts.49 As Thomas Vinje has pointed out, both pieces of legislation address specific technologies that have few other markets and are unlikely to be deployed unintentionally.50 Along similar lines, some commentators (including a number of delegates to the WIPO convention) have proposed that anti-tampering laws ban only devices designed with the "sole intended purpose" of defeating CMS.51 Like the contributory infringement standard, a "sole intended purpose" test would help to minimize the NIICPA's effect on technologies capable of a diverse range of application. Neither standard, however, addresses the second major problem that the NIICPA would create for existing copyright law.

The second way in which the NIICPA departs from existing copyright law is in its failure to recognize that some instances of tampering with CMS may be necessary to preserve the public's current rights. For example, readers may wish to make fair use of copyrighted works, or to copy works that are in the public domain. As a practical matter, both the "no substantial noninfringing use" and "sole intended purpose" tests would hinder such efforts. If a device or service satisfied either standard, it could be banned outright-even though it might also be used to facilitate "lawful tampering." Alternatively, lawful tampering might be defined as a substantial noninfringing use-with the result that the sale or importation of a circumvention device would never, or hardly ever, trigger liability. This result is appealing, but unlikely to be what the drafters of the NIICPA had in mind.

The concept of "lawful tampering" is considered more fully below. I raise it here only to show that the delegates to the WIPO convention were correct in concluding that liability under an anti-tampering statute should hinge on something more than a technology's capabilities. For example, the statute might focus on the tamperer's (as opposed to the technology's) purposes. The knowledge requirements in proposed sections 1201 and 1202 of the NIICPA, however, merely contribute to the likelihood that the anti-tampering provisions might be used to suppress valuable technologies and lawful uses. As originally worded, both sections would require only knowing use of the challenged technology, not knowing infringement.

There is, of course, strict liability for copyright infringement.52 As Chairman Liedes noted in his comments to the draft WIPO treaty, however, anti-tampering provisions do not establish intellectual property rights, but merely create a general class of obligations toward copyright owners who adopt technological measures to protect their works.53 Given the need to preserve existing public rights of access, importing strict liability into these ancillary enforcement provisions would be unwise. Consider, for example, an individual who tampers with CMS to enable a use that she believes is fair. Her acts of tampering are knowing, but she lacks intent to infringe; indeed, she affirmatively intends not to infringe. If her beliefs regarding fair use prove mistaken, she will be held liable for infringement. Subjecting her to liability for tampering as well seems both unfair and unnecessary. The scope of the fair use doctrine is uncertain enough to force would-be fair users to think carefully. Strict liability seems advisable only if one believes that the law should provide additional disincentives to those wishing to exercise fair use rights.

The draft revisions to section 1202 of the NIICPA are a step in the right direction. The new language would require both that the conduct be knowing and that the defendant possess "intent to mislead or to induce or facilitate infringement."54 The revisions to section 1201 are less satisfactory; they require either "intent to primarily enable . . . infringement" or "reckless disregard" for facts showing that the device "primarily enables" infringement.55 The latter requirement is simply a nonspecific "effects" test restated in terms of the evidence needed to meet it. Instead, section 1201 should be redrafted to eliminate the "effects" test and to include the same strict knowledge standard contained in the revised section 1202.

B. "Or Permitted By Law:" Fair Use and Other Authorized Uses

As noted above, the task of drafting effective, appropriately tailored anti-tampering legislation is complicated by the fact that unauthorized use of a copyrighted work is not always infringement. In consequence, CMS that prevent (for example) all copying, or all free copying, will almost certainly frustrate some actions that the Copyright Act would permit. Lawmakers should therefore consider whether and to what extent an anti-tampering law should protect CMS that have this effect.

The Copyright Act does not entitle copyright owners to control all uses of their copyrighted works. Instead, it gives them the exclusive right to perform or authorize the six acts listed in section 106: reproduction, preparation of derivative works, distribution, performance, display, and (for sound recordings) digital performance.56 In addition, the Act provides a number of exceptions to these exclusive rights for particular uses and/or users. The most well known is section 107, which codifies the fair use doctrine.57 Others include the provision allowing libraries to reproduce and distribute single copies of works for research and archival purposes,58 and the provision allowing certain types of nonprofit performances and displays.59

Moreover, many works that might be made available in digital form are wholly unprotected by copyright. In some cases, the term of copyright protection has expired and the work has entered the public domain. Other works are ineligible for copyright protection in the first place, because they fail to satisfy the originality requirement set forth in Feist Publications, Inc. v. Rural Telephone Service Co.60

Article 11 of the WIPO treaty requires member nations to protect against the circumvention of CMS "that restrict acts . . . which are not authorized by the authors concerned or permitted by law."61 Section 1201 of the NIICPA similarly prohibits technologies that operate to circumvent CMS "without the authority of the copyright owner or the law."62 According to the Clinton Administration's White Paper, this language is sufficient to preserve fair use and access to public domain materials.63 However, the White Paper does not indicate how this preservation is to be accomplished. In fact, the problem is quite difficult, because works placed under technological protection are materially less accessible than before.

Taken literally, the language of Article 11 could be read to suggest no obligation to protect systems that restrict lawful acts. Thus, one solution might be to require that to be eligible for protection, CMS be designed to allow any uses of the underlying works that would be lawful. Realistically, however, this is unlikely to happen. First, copyright owners and other content providers welcome digital CMS precisely because of their capacity to define and enforce "usage rights" in digital works by electronic contract.64 The White Paper expressly approves this possibility.65 For noncopyrightable factual compilations, contract is currently the only way of ensuring that vendors can recoup their development costs.66 Whether an anti-tampering law would or should shield the use of contract as a supplement to copyright is considered further in part IV.A, infra. Second, and more important, even if copyright owners were willing (or required) to design their systems to allow for fair use, library copying, and the like, designing around the fair use doctrine may be a near-impossible task. Automated CMS are inherently ill-equipped to handle the equitable, fact-specific inquiry required in fair use cases.67

Mark Stefik's work belies my skepticism-but only to a degree.68 For example, Stefik has suggested that CMS could be designed to preserve the "transfer right" afforded members of the public by the first sale doctrine.69 His counterparts in the publishing industry, however, appear concerned solely with maximizing their control over digital content. A report commissioned by the Association of American Publishers discusses Stefik's proposal without even considering the possibility that consumers might be given the free transfer rights they enjoy in print media-and then criticizes even a fee-based system of transfer rights on the ground that "[r]ights and prices cannot be reconsidered and the publisher loses the opportunity to review the context and usage of the material proposed."70 Moreover, even Stefik appears to envision replacing the current system of fair use and library copying with a wholly fee-based regime.71

In short, even on the unlikely assumption that copyright owners will design their CMS with the public interest in mind, it is virtually certain that CMS adopted to protect digital works will prevent some actions that copyright law allows. Members of the public will be able to take these allowable actions only to the extent that they can defeat the system of technological protection surrounding the work. Thus, we come to the question of "lawful tampering."

Lawful tampering seems to be the solution contemplated by the drafters of the NII White Paper-yet here the White Paper is disingenuous. As discussed above, technologies for defeating CMS do not differentiate among the various lawful and unlawful uses. Thus, banning technologies that have the "effect" of circumventing CMS would leave the public free to exercise its rights of access in principle only.72 If the public is to have these rights in practice, circumvention technologies may not be banned based on their capabilities alone. The law must then decide how to treat individuals who break into CMS with innocent intent.

Can tampering with CMS be made unlawful even if the act the tampering enables is lawful? Certainly. (Arguably, existing general-purpose federal statutes that prohibit tampering with information stored on someone else's computer would apply in cases of "lawful tampering"-another result that a better-designed NIICPA would prevent.73) Should it? Of course not. Copyright owners cannot be prohibited from making access to their works more difficult, but they should not be allowed to prevent others from hacking around their technological barriers. Otherwise, the mere act of encoding a work within CMS would magically confer upon vendors greater rights against the general public than copyright allows.74

C. Remedial Overkill

The NIICPA's substantive provisions are equaled in overbreadth by its civil remedial provisions. Subsections 1203(b)(2) and (b)(6), which authorize the seizure and eventual destruction of devices used to defeat CMS, are broad enough to extend to the computers used to accomplish the violations, regardless of the fact that the computers might be used for many other lawful activities.75

Other remedial provisions are disturbingly vague. Subsection 1203(c)(2), which allows the copyright owner to recover damages and profits attributable to the violation, appears to operate as a penalty over and above damages and profits attributable to the act of copyright infringement.76 The NIICPA does not specify how such damages might be measured, and it is difficult to think of any reliable measure. Similarly, section 1204(a) tells us that criminal penalties will attach to a violation of 1202 "with intent to defraud."77 Since the law already provides criminal penalties for willful copyright infringement, it is unclear what the tamperer must have intended to defraud the copyright owner of in order to trigger liability under the proposed statute.78

IV. Broader Implications of Private Copyright Management Regimes

Although the potential reach of the proposed anti-tampering provisions is troubling, even more troubling is the fact that the capabilities of CMS themselves have received so little public scrutiny.79 As the discussion above suggests, CMS could enable private content-control regimes in which contract entirely supplants copyright as the means of mediating public access to and use of creative and informational works. In addition, because the concept of "copyright management" is predicated on the ability to generate and maintain records of the "usage rights" granted to readers, viewers, and listeners of digital works, CMS pose an enormous threat to the privacy of individual reading, viewing, and listening habits.

A. Copyright, Contract, and "Private Legislation"

The discussion of "lawful tampering" raised, but did not pursue, the question whether anti-tampering laws may be deployed in the service of copyright owners who seek to supplement their rights under the Copyright Act by enforcing contractual restrictions on the use of copyrighted works. In fact, this is the direction in which CMS are most likely headed. Even the term "copyright management" is becoming obsolete. CMS developers prefer the term "rights management," which reflects a conception of allowable authors' rights that extends beyond copyright.80

If the "authority of . . . the law" mentioned in 1201 and 1202 of the NIICPA includes contract law as well as copyright law, fewer instances of tampering may be excused as lawful.81 (The NII White Paper's deliberate lack of concern for the practical difficulties that attend unauthorized but lawful uses of works under a CMS regime suggests that this may be precisely the result its drafters had in mind.) The significance of that interpretation for the reading, viewing, and listening public bears closer examination.

Thus far, much of the debate over the validity of contractual restrictions on the use of copyrighted works has focused on the voluntariness, or lack thereof, of so-called "shrinkwrap" licenses.82 Until recently, that question, although important, had largely distracted courts and commentators from the more fundamental, and far more difficult, question of copyright preemption.83 Two recent high-profile cases and a number of thoughtful articles suggest that the issue of copyright preemption may be moving to the forefront.84 Representatives of various copyright-related industries are now working to reshape the law of contract voluntariness, via a new Article 2B for the Uniform Commercial Code, in a way that validates shrinkwrap or "click-through" licenses.85 Section 2B-319 of the most recent draft effectively validates CMS; it expressly allows use of "a program, code or an electronic or other device that restricts use" of digital information to "prevent[] use of the information in a manner inconsistent with the license."86 Yet even assuming a click-through digital license that is (or has been defined to be) entirely voluntary, the question remains whether the restrictions that the license seeks to impose are legitimate.

If digital copyright management systems become widespread, the courts and Congress will need to confront the preemption issue. Here are some factors that should be considered.

First, although the Copyright Act does not preempt state contract law, it may preempt particular contract terms that have the effect of creating rights equivalent to those afforded under copyright law.87 The rationale for finding that a contract does not have this effect-employed most recently by the Seventh Circuit in ProCD, Inc. v. Zeidenberg,88-is that any contract binds only its parties, and thus cannot establish rights against the world.89 Assuming the truth of this reasoning, it is not at all clear that it applies to mass-market "licenses" establishing universal conditions of access. Excluding mass-marketed software, the typical copyright license agreement imposes restrictive terms on a small population of customers to prevent the loss of trade-secret information. The license establishes a confidential relationship between the copyright owner and its customers, who otherwise would be free to reverse engineer the product and/or to sell or give away their individual copies.90 The argument that the copyright owner of a mass-marketed work can create a confidential relationship with the entire world is, quite simply, ridiculous. A restriction applied to the entire public amounts to private legislation.91 At the very least, such a "license" should be subjected to a preemption analysis entirely different from that applicable to negotiated, non-mass-market contracts.

Second, even if standard-form, "click-through" licenses for access to intellectual property are pronounced voluntary and enforceable, the voluntariness inquiry should not stop there. Conventional wisdom is that such licenses preserve consumers' ability to affect vendors' terms and conditions by "voting with their feet" and purchasing from competitors whose terms are more favorable.92 CMS should cause us to rethink neoclassical assumptions about market responsiveness to consumer likes and dislikes. They are inexorable, technologically enforced gateways that can be imposed unilaterally, whether consumers like them or not.93 In addition, the number of consumers with strong incentives to object to the new CMS regimes may be small. Most simply want to read, listen, and view, not to reverse engineer or parody, and most will be able to afford the fractional fees levied under a "usage rights" regime. And to the extent that copyrighted works are not fungible-i.e., to the extent that consumers want Nimmer on Copyright rather than the copyright summary prepared by a local law firm, or Toni Morrison rather than John Grisham, or Pearl Jam rather than the Cranberries-many consumers may be reluctant to take their business elsewhere.

Finally, if copyright owners prove determined to implement CMS that comprehensively augment the rights afforded them under the Copyright Act, perhaps Congress should consider whether these individuals and entities should be required to elect only contract remedies, and to abandon their claims to copyright protection.94 After all, copyright was created to correct market failures arising from the public good characteristic of original expression. If CMS provide a more reliable method of correcting market failure, who needs copyright? I hope that most readers will think this suggestion absurd-and will react that way because they recognize that the semi-permeable barrier of copyright promotes the public interest.95 But if the copyright system is necessary, then allowing unlimited numbers of copyright owners to opt out of the system as it suits them is bad law and bad policy. At the very least, a CMS regime should be subject to an analogous set of restrictions designed to balance the affected interests.96

B. Reader Privacy and Anonymity

Leading recent surveys of developments in the field of "rights management" describe the capabilities of an ideal system as follows:

"detecting, preventing, and counting a wide range of operations, including open, print, export, copying, modifying, excerpting, and so on;"97

maintaining "records indicating which permissions ha[ve] actually been granted and to whom;"98

"captur[ing] a record of what the user actually looked at, copied or printed;"99 and

sending "this usage record . . . to the clearinghouse when the user seeks additional access, at the end of a billing period or whenever the user runs out of credit."100

In addition, the system operator could manipulate this acquired data to generate predictive profiles of particular consumers for use in future marketing activities, or for sale to other vendors.101 These capabilities, if realized, threaten individual privacy to an unprecedented degree. Although credit-reporting agencies and credit card providers capture various facets of one's commercial life, CMS raise the possibility that someone might capture a fairly complete picture of one's intellectual life.

Reading, listening, and viewing habits reveal an enormous amount about individual opinions, beliefs, and tastes, and may also reveal an individual's association with particular causes and organizations. Equally important, reading, listening, and viewing contribute to an ongoing process of intellectual evolution. Individuals do not arrive in the world with their beliefs and opinions fully-formed; rather, beliefs and opinions are formed and modified over time, through exposure to information and other external stimuli.102 Thus, technologies that monitor reading, listening, and viewing habits represent a giant leap-whether forward or backward the reader may decide-toward monitoring human thought. The closest analogue, the library check-out record, is primitive by comparison. (And library check-out records are subject to stringent privacy laws in most states.103)

I have argued elsewhere that the freedom to read, listen, and view selected materials anonymously should be considered a right protected by the First Amendment, and that if it is so protected, the NIICPA's civil and criminal penalty provisions are vulnerable to constitutional challenge.104 I will not revisit that argument here. Whether or not the NIICPA presents a First Amendment question, its privacy implications are clear and disturbing.

Designing CMS that are less invasive than the "ideal" technologies described above is of course possible. For example, a system might simply prohibit access or copying/printing without some initial payment, or incorporate serial-copy-management technology similar to that required under the Audio Home Recording Act.105 It might preserve privacy by preventing the extraction of personal identifying data or accepting payments in anonymous "digital cash."106 For the most part, however, at least in this country, those involved in the development of CMS appear enthusiastic about the prospect of generating individual usage records, and relatively unconcerned with reader privacy.107

After enough time and consumer outcry, the copyright management industry will likely decide to regulate its own privacy practices in some fashion.108 The Information Infrastructure Task Force's Working Group on Privacy Rights recommended a series of principles to serve as the basis for voluntary, private-sector privacy policies, and the National Telecommunications and Information Administration has followed up with a more concrete proposal based on principles of informed consent.109 This disclosure-based proposal, however, falls well short of vesting readers with an entitlement to prevent the collection of personal information and to control the uses to which it is put. And, as noted above, there is reason to doubt that information consumers will be able to effect substantial changes in the structure of private CMS regimes. Accordingly, legislation seems a more reliable way of guaranteeing a baseline level of reader privacy that is acceptable to consumers.

Although many other nations and the European Union have enacted general-purpose privacy laws, the United States has not done so.110 Instead, it has relied on narrow context-specific legislation, such as the "Bork bill" concerning privacy of video rental records, to address perceived threats to privacy.111 The most recent example of such legislation is the recently introduced Consumer Internet Privacy Protection Act of 1997, which is intended to impose restrictions on the use of personal identifying data collected by an "interactive computer service."112 Although this language arguably is broad enough to cover operators of on-line CMS, the definition of "interactive computer service" suggests that the bill is intended to apply only to on-line service providers.113 If that is the case, then there is no current or pending legislation that might serve to safeguard reader privacy in cyberspace.

Elsewhere, I have suggested the form that reader privacy legislation should take and some of the elements it should contain.114 Here, I wish only to argue that some Congressional response to the privacy threat posed by CMS is necessary. This is so whether or not Congress adopts implementing legislation to protect CMS against unlawful tampering. If, as seems overwhelmingly likely, some anti-tampering legislation is enacted, Congress should consider the possibility that individuals might wish to tamper with CMS to preserve their privacy, and should make an express, considered decision whether and to what extent the provisions of an anti-tampering law should apply to such conduct.

V. Conclusion

I do not intend to suggest that CMS should receive no protection whatsoever. As this article makes evident, however, both CMS and laws designed to protect them warrant far closer public scrutiny than they have been given. Also evident from the vigorous opposition to the NIICPA, and to the United States' proposals for the WIPO copyright treaty, is that many disagree with the Clinton Administration regarding the scope of protection that is necessary and desirable. The upcoming treaty ratification and implementation process should include careful consideration of the implications of CMS, so that the public understands the exact bargain it is making in enacting laws for their protection.