Adam Thierer's Blog, page 70
March 19, 2013
Super Wifi and Unlicensed Spectrum: “Spectrum Condos”
There is renewed interest in unlicensed spectrum as the FCC approaches the TV white space issue (again). Tim B. Lee reports on some of the unlicensed supporters:
Activists at the South by Southwest Interactive festival in Austin, TX, built a free wireless network to help publicize the power of unlicensed “white spaces” technology. The project is part of a broader campaign to persuade the FCC not to auction off this spectrum for the exclusive use of wireless carriers.
Unlicensed spectrum for high-powered devices has been called Super Wifi (“wifi” in this context is used loosely; Super Wifi is a PR term and has nothing to do with the wifi technical standard). Frankly, there are many reasons to be cautious about assigning more unlicensed spectrum, especially given the confusing information out there about the technology. (For instance, despite a popular rumor, Super Wifi would not provide free Internet access to everyone with a device, as Matt Yglesias and Jon Brodkin point out.)
The unlicensed/licensed debate is several years old and often technical. I won’t rehash the old issues here, but there is a point I’d like to highlight about the nature of unlicensed spectrum: In spectrum assignments, you generally want to create “apartments, not condos.” Like most, I favor unlicensed spectrum under certain circumstances. However, we should be aware of the rigidity unlicensed spectrum imposes on future reassignments.
If you’re a property developer in a city and you want to raze and build on property occupied by a residential high-rise, you want that high-rise to be an apartment complex, not a condominium building. With apartments, you can bargain with the property management company and, with time, all tenants can be cleared out. Not so with condos, many urban developers are finding. Even if most condo owners in a building are contacted and compensated for leaving, the remaining owners have an effective veto over the new development.
Similarly, unlicensed device users can veto the future reassignment or transfer of the spectrum they occupy. Smartphone and satellite radio users, for example, have no veto ability–they are “apartments,” essentially leasing space from a spectrum “owner.” Like real property, you really need small-numbers bargaining to transfer and lease spectrum for its highest-valued use. Many unlicensed “owners” in a band create a tragedy of the anticommons. Control over devices drives most unlicensed spectrum advocates mad, but it is also what permits technology upgrades and relatively fast spectrum transfers. (Mobile phones with 1G (analog) are long gone. Not so with old baby monitors, cordless phones, and garage door openers, which are all unlicensed. There’s no spectrum manager to clear these old devices out.) Once unlicensed devices populate a band, the spectrum almost certainly cannot be transferred and used for other technologies.
The time will come when–not if–a brand new social need arises that requires substantial amounts of spectrum as an input. If the FCC wanted to reassign spectrum in the future for, say, driverless car technology, Super Wifi bands are out of the question. It’s simply impractical to locate all the (mobile and transient) high-powered Super Wifi devices that will be using the band, install a new radio, and move them to another band. Even if you could identify most of them, people who buy or sell devices–many of whom will be powerful institutions like public safety, transportation, and tech companies–will have built business models based on the unlicensed spectrum. Entrenched users will not relinquish their spectrum easily after making substantial investments in the technology.
Ideally, you want a spectrum manager that can be compensated to discontinue services or move their users to another band when better uses come along. This is not to say we should not have “Super Wifi” or other unlicensed bands. But we should hesitate before creating these spectrum condos, particularly in the valuable bandwidth under 1 GHz. By permitting unlicensed operators, future spectrum reassignment of unlicensed bands moves from the marketplace to lengthy administrative resolution* by the FCC and NTIA because of the fragmented and numerous users–which is what the Congress and the FCC have tried to avoid for the past 20 years with auctions and secondary markets. Instead of negotiation and compensation, the reassignment becomes a shouting match between interested parties and their lobbyists. In the end, consumers typically lose.
*Recent history is illuminating. Just look at LightSquared’s dealings with Inmarsat (apartments) versus GPS users (condos). Conflicts with GPS users killed LightSquared’s new nationwide LTE network because there were too many GPS parties to bargain with. For another example, observe how NextNav is running into interference problems with WISPs (condos).







It’s All About the Authors
In anticipation of a hearing in the House Judiciary Committee Wednesday afternoon, Sandra Aistars, executive director of the Copyright Alliance, writes in The Hill about the principles that should guide copyright reform, calling for debate “based in reality rather than rhetoric.”
Chief among these principles is that protecting authors is in the public interest. Ensuring that all creators retain the freedom of choice in determining how their creative work is used, disseminated and monetized is vital to protecting freedom of expression.
Arguing for authors in terms of freedom of choice and expression is good rhetoric, but it’s quite unlike what I expect you’ll hear during Cato’s noon Wednesday forum on copyright and the book Laws of Creation: Property Rights in the World of Ideas.
Authors Ron Cass and Keith Hylton methodically go through each intellectual property doctrine and explore its economic function, giving few words to authors’ “choice” or their “freedom of expression.” They certainly don’t denigrate authors or their role, but Cass and Hylton don’t vaunt them the way Aistars does either.
Recent events in the copyright area are providing much grist for the discussion. You can still register for the book forum, treating it as a warm-up for Wednesday afternoon’s hearing, if your freedom of choice and expression so dictate.







Susan Brenner on cybersecurity and bureaucracy
Susan W. Brenner, associate dean and professor of law at the University of Dayton School of Law, discusses her new paper published in the Minnesota Journal of Law, Science & Technology entitled “Cyber-threats and the Limits of Bureaucratic Control.”
Brenner argues that the approach the United States, like other countries, uses to control threats in real-space is ill-suited for controlling cyberthreats. She explains that because this approach evolved to deal with threat activity in a physical environment, it is predicated on bureaucratic organizations. This is not an effective way of approaching cyber-threat control, she argues.
Brenner also explains why congressional efforts at cybersecurity legislation are flawed and why U.S. authorities persist in pursuing antiquated strategies that cannot provide an effective cyberthreat defense system. She outlines an alternative approach to the task of protecting the country from cyberthreats, an approach that is predicated on older, more fluid threat control strategies.
Related Links
Cyber-Threats and the Limits of Bureaucratic Control, Brenner
Cybercrime and the Law, Brenner
Cyberwar: you lack imagination, Brenner
Approaches to Cybercrime Jurisdiction, Brenner







March 18, 2013
Are Mobile Data Caps Really Enemy #1 for Online Education?
Benjamin Lennett and Danielle Kehl have an article in the Chronicle of Higher Education that is representative of a genre: worrying about the adverse consequences of mobile data “caps.” In this installment, Lennett and Kehl argue that pricing structures imposed by wireless carriers will limit the future of online education. “As a nation, we should embrace the potential benefits of online education. But we must not ignore the disparities that may keep many from taking advantage of those innovations,” they warn.
But are mobile data caps really what is holding back online education? Let’s take a look.
Lennett and Kehl are mistaken about the nature and pricing of mobile data caps
As any teenager understands, mobile data is not “capped.” Rather, it is priced in “tiers.” Customers can select different tiers of data allowances based on how much data they think they will use. When you overshoot your data allowance, carriers will send you a text and/or email letting you know. You can then choose to keep using data at a higher rate ($15/GB), or you can retroactively upgrade to a higher data allowance, which is more affordable.
Let’s see how these facts comport with the example given by Lennett and Kehl:
Both Verizon and AT&T offer “low cost” plans that bundle unlimited voice and texting with a gigabyte of data consumption for $40 or $50 per month. However, if you tried to stream video lectures on that connection, you’d reach the data cap after about three hours and then face fees of $15 per gigabyte. If you tried to complete a course with 15 hours of video a month, your phone bill could arrive with as much as $70 in extra fees.
In reality, using Lennett and Kehl’s implicit estimate of 3 hours of video per GB, a user would only need to subscribe to a plan that offers 5GB of data rather than 1GB. Instead of spending an extra $70, they could spend an extra $30 to get on a 6 GB plan (using Verizon’s pricing), and have 1 GB to spare to use for browsing the web.
Alternatively, if a user wanted to get as much data as she could for an extra $70/month, she could subscribe to Verizon’s 14GB plan. And in addition to the unlimited voice and texting that Lennett and Kehl note these plans offer, the plans offer free tethering. So when Lennett and Kehl write, “trying to use mobile broadband on your laptop…could be even more expensive,” they are stretching. Free tethering means that using data on a laptop is not more expensive than on a mobile phone.
Lennett and Kehl are mistaken about the nature of competition in the mobile sector
Lennett and Kehl place the blame for the (erroneously construed) high price of mobile data squarely on the lack of competition in the mobile industry:
The high cost of Internet access in the United States and the rise of capped data plans on mobile broadband have a lot to do with limits on competition in the marketplace. The two largest mobile providers, AT&T Wireless and Verizon Wireless, control two-thirds of the mobile market in the U.S.; they have little financial incentive to offer more-affordable plans or bring back unlimited ones when the new capped plans have become so profitable.
Nearly every claim in this paragraph is factually incorrect. The rise of capped data plans has little to do with competition and everything to do with the fact that, for the first time, mobile broadband is fast enough that people can conveniently use a lot of it in a month. A 3G connection can use a lot of data in a month, but it is slow enough that people mostly use it as a supplement to home Internet service. This makes it cost-effective to offer an “unlimited” plan. But LTE, when used 24/7, can consume 6.5 terabytes per month, at speeds that are about as good as most consumers have at home. An unlimited LTE plan, therefore, is much more expensive for carriers to offer, so expensive that they don’t offer them.
It may be true that AT&T and Verizon serve most of the customers in the mobile market, but they compete so fiercely with each other that it seems inapt to use the word “control” to describe their position in the market. Modern economists do not primarily look at the number of firms in the market in order to gauge how much competition there is. A market with as few as two firms can be perfectly competitive depending on the kind of competition in which the firms engage. It all depends on whether firms set quantities or prices. When a firm first sets the quantity of output that it will produce, it has an incentive to restrain output, because it receives whatever fraction of the market that its competitor leaves it. This is known as Cournot competition. But when firms compete on the basis of price first, letting customers select whichever seller offers a cheaper product or service, prices will fall to the competitive level. This is known as Bertrand competition. The mobile market clearly behaves more like a Bertrand market—the maximum number of customers that each firm can handle is not a binding constraint in the competition between the dominant firms—which means that the market behaves competitively, even though there are only two dominant firms.
Finally, it is demonstrably false that AT&T and Verizon “have little financial incentive to offer more-affordable plans.” How do we know it is false? Because plans have become so much more affordable in the past few years. Suppose that you want a plan that offers:
Two phone lines, each with unlimited voice and texting
10 GB of shared data
Access to shared data on one tablet
Unlimited laptop tethering
Today, such a plan costs (on Verizon) $190 per month. While that may seem like a lot, consider what that would have cost as little as 5 years ago. Actually, it’s a trick question, because such a plan was not available 5 years ago, but even the unlimited voice and text for two lines would have pushed $200 per month. Throw in unshared data and tethering charges, and the charges might have been twice as much as we pay today.
So an admittedly rough, back-of-the-envelope calculation shows that mobile prices are falling at a rate of 50 percent per 5 years! How can Lennett and Kehl explain this fall in price? Is it because AT&T and Verizon’s CEOs woke up one morning and decided to be more generous? No, it is because they are competing fiercely to be the first to bring the cost of services down.
Lennett and Kehl are mistaken about the challenges facing online education
Of all of the challenges facing online education, the fact that it remains expensive to pursue an entire college education on a phone does not seem like a serious one. For one, relative to the price of a traditional college education, paying even an absurd amount like $300 in overage charges a month for 48 months would be a bargain. That amounts to $14400, which is less than four years of tuition even at state universities. And of course, for $50 a month or less, users can purchase fixed broadband plans like normal people, for a total cost of $2400 for four years.
Rather than financial, the challenges facing online education are primarily institutional—despite the availability of tons of free online classes, we haven’t yet worked out good labor market practices to reward students who pursue learning online. We also have entrenched interests at both the secondary and post-secondary levels that are resistant to the changes necessary to maximize the gains from moving education online.
By pretending that the cost of mobile broadband is a major challenge for online education, Lennett and Kehl come across as the ultimate concern trolls. They are opportunistically using interest in online ed to pursue their real agenda, increasing federal regulation on the mobile industry. But the case for such regulation is undercut by their clearly mistaken arguments about mobile data caps.







New Law Review Article: “The Pursuit of Privacy”
I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complementary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)
The new Harvard Journal article is divided into three major sections. Part I focuses on some of the normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.
If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression. That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society. This same framework can guide online privacy decisions—both at the individual household level and the public policy level.
I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.
The Pursuit of Privacy in a World Where Information Control is Failing







March 17, 2013
Laws of Creation at Cato Wednesday
Register here now for next Wednesday’s Cato book forum on Laws of Creation: Property Rights in the World of Ideas.
In the book, Ronald A. Cass and Keith Hylton reject the idea that changing technology undermines the case for intellectual property rights. They argue that making the work of inventors and creators free would be a costly mistake.
That cuts against the bulk of academic opinion today, which is critical of the broad scope and length of intellectual property protections today. The book has qualities that many libertarians will enjoy because it starts with first principles: the theoretical underpinnings and practical benefits of property rights.
By no means does the book answer all the questions, and we’ll have TLF’s own Jerry Brito, the editor of Copyright Unbalanced, on hand to provide commentary.
That’s Wednesday (3/20) at noon in the Cato Institute’s F.A. Hayek auditorium. There’s no such thing as a free lunch, but the sandwiches provided afterwards come at the low cost of learning more dimensions of the intellectual property debate. Register now!
March 16, 2013
3 Cell Phone Unlocking Bills Introduced—What Would They Accomplish?
In the past couple weeks, three bills addressing the legality of cell phone unlocking have been introduced in the Senate:
Sens. Leahy, Grassley, Franken, and Hatch’s “Unlocking Consumer Choice and Wireless Competition Act” (S.517);
Sen. Ron Wyden’s “Wireless Device Independence Act” (S.467);
Sen. Amy Klobuchar’s “Wireless Consumer Choice Act” (S.481).
This essay will explain how these bills would affect users’ ability to lawfully unlock their cell phones.
Background
If you buy a new cell phone from a U.S. wireless carrier and sign a multi-year service contract, chances are your phone is “locked” to your carrier. This means if you want to switch carriers, you’ll first need to unlock your phone. Your original carrier may well be happy to lend you a helping hand—but, if not, unlocking your phone may violate federal law.
The last few months have seen an explosion of public outcry over this issue, with a recent White House “We the People” petition calling for the legalization of cell phone unlocking garnering over 114,000 signatures—and a favorable response from the Obama administration. The controversy was sparked in October 2012, when a governmental ruling (PDF) announced that unlocking cell phones purchased after January 26, 2013 would violate a 1998 federal law known as the Digital Millennium Copyright Act (the “DMCA”).
Under this law’s “anti-circumvention” provisions (17 U.S.C. §§ 1201-05), it is generally illegal to “circumvent a technological measure” that protects a copyrighted work. Violators are subject to civil penalties and, in serious cases, criminal prosecution.
However, the law includes an escape valve: it empowers the Librarian of Congress, in consultation with the Register of Copyrights, to periodically determine if any users’ “ability to make noninfringing uses . . . of a particular class of copyrighted works” is adversely affected by the DMCA’s prohibition of tools that circumvent access controls. Based on these determinations, the Librarian may promulgate rules exempting categories of circumvention tools from the DMCA’s ban.
One such exemption, originally granted in 2006 and renewed in 2010, permits users to unlock their cell phones without their carrier’s permission. (You may be wondering why phone unlocking is considered an access control circumvention—it’s because unlocking requires the circumvention of limits on user access to a mobile phone’s bootloader or operating system, both of which are usually copyrighted.)
But late last year (2012), when the phone unlocking exemption came up for its triennial review, the landscape had evolved regarding a crucial legal question: do cell phone owners own a copy of the operating system software installed on their phone, or are they merely licensees of the software?
Until a few years ago, the leading authority on what it means to own a copy of a computer program was the 2nd Circuit’s 2005 opinion in Krause v. Titleserv, Inc., 402 F.3d 119. There, the court held that a person owns a copy of software if he “exercises sufficient incidents of ownership over a copy of the program to be sensibly considered the owner of the copy . . . .” As the Copyright Office noted in its 2012 recommendation to the Librarian of Congress, the 2006 and 2010 rules exempting cell phone unlocking from the DMCA reflected an understanding, based in part on the holding in Krause, that a typical cell phone owner exercises a level of dominion over her device (and its digital contents) more akin to traditional property ownership than the licensed use of property owned by another.
But in 2010, the 9th Circuit took a very different approach in Vernor v. Autodesk, Inc., 621 F.3d 1102, in which the court held that a “software user is a licensee rather than an owner of a copy where the copyright owner (1) specifies that the user is granted a license; (2) significantly restricts the user’s ability to transfer the software; and (3) imposes notable use restrictions.” Because a typical cell phone owner is bound by a “click-wrap” agreement that significantly restricts her ownership rights in her phone’s operating system, she’s arguably a licensee of the software—not an owner of a copy—according to Vernor.
In light of the Vernor-Krause circuit split, combined with a pronounced trend toward more permissive carrier unlocking policies in recent years, the Librarian of Congress substantially curtailed the exemption for cell phone unlocking for all new phones purchased after January 26, 2013. Today, an owner of a new phone may unlock it only if “the operator of the wireless communications network to which the handset is locked has failed to unlock it within a reasonable period of time following a request by the owner of the wireless telephone handset, and when circumvention is initiated by the owner, an individual consumer, who is also the owner of the copy of the computer program in such wireless telephone handset . . . .”
So it is that cell phone unlocking is now in many cases a violation of federal law. (For more background, check out the writings of Timothy Lee at Ars Technica, Derek Khanna at The Atlantic, and Mike Masnick at Techdirt.)
How would the bills recently introduced in Congress address the cell phone unlocking issue? Let’s take a look at each bill.
The Unlocking Consumer Choice and Wireless Competition Act
To begin with the simplest of the cell phone unlocking bills, Sens. Leahy, Grassley, Franken, and Hatch’s Unlocking Consumer Choice and Wireless Competition Act (S.517) would simply amend the Code of Federal Regulations, replacing the paragraph from the Librarian of Congress’s 2012 rulemaking (37 C.F.R. § 201.40) with its more permissive 2010 analogue. The bill also tasks the Librarian of Congress with determining whether to extend the unlocking exemption to other wireless devices (e.g., mobile broadband-enabled tablets), based on the DMCA’s usual rulemaking criteria.
By restoring the broad DMCA exemption for phone unlocking in force from 2006 to 2010, S.517 addresses the problem at hand without going too far. It neither forces carriers to help users unlock their phones, nor limits carriers’ ability to recover damages from subscribers who breach their contracts. Rather, the bill would simply shield users who unlock their cell phones from the DMCA’s harsh penalties. In striking this balance, S.517 deserves credit for aiming to solve a problem with a narrowly-tailored solution.
But would S.517’s fix last? Given that “[n]othing in [the] Act alters . . . the authority of the Librarian of Congress under [the DMCA],” S.517 would presumably leave unchanged the substantial deference enjoyed by the Librarian regarding his decisions about which circumvention tools to exempt—including cell phone unlocking tools. If, three years from now, the Librarian boldly decides that his 2012 decision to curtail the phone unlocking exemption was correct, and thus restores the language currently in force, Congress will be back at square one.
Congressional Review Act (“CRA”) to pass a resolution expressing its disapproval of the Librarian’s 2012 rule. If both houses of Congress were to pass such a resolution, and the President were to sign it, the rule would be nullified—permanently. And the Librarian couldn’t simply reissue the rule, as a rule nullified under the CRA “may not be reissued in substantially the same form.”
Granted, this would be a novel use of the CRA. Congress has historically used the law’s disapproval procedure to review rules promulgated by “ordinary” federal agencies (i.e., agencies that are entirely within the Executive Branch). Nevertheless, the Library of Congress is arguably an “agency” for purposes of the CRA insofar as it promulgates rules of general applicability. As the D.C. Circuit recently held in Intercollegiate Broad. Sys., Inc. v. Copyright Royalty Bd., when the Library of Congress exercises its “powers . . . to promulgate copyright regulations . . . the Library is undoubtedly a ‘component of the Executive Branch.’” 684 F.3d 1332, 1341-42 (D.C. Cir. 2012) (citing Free Enterprise Fund v. Public Company Accounting Oversight Bd., 130 S.Ct. 3138, 3163 (2010)).
The Wireless Device Independence Act
Sen. Ron Wyden’s Wireless Device Independence Act (S.467) is the only cell phone unlocking bill that actually amends the DMCA. It would add to section 1201 a clause specifying that modifying software on a mobile device so that it operates on a different network is exempt from the law. While his colleagues dance around the underlying problem—i.e., the DMCA itself—Sen. Wyden tackles it head-on. To his credit, this approach embodies Congress exercising its proper constitutional role. If the legislative branch is dissatisfied with how an agency has exercised its statutorily delegated authority, the legislature ought to respond by amending the agency’s enabling statute.
However, S.467 contains a potentially massive loophole: it only exempts from DMCA liability “user[s] [who] legally own[] a copy of the computer program” installed on their mobile phone. In other words, the bill would do nothing for users who are mere licensees of the software installed on their phone. This may not matter for residents of the three states under the jurisdiction of the Second Circuit, where Krause controls—but for cell phone owners in the Ninth Circuit, where Vernor controls, S.467 is unlikely to offer much relief. Because most mobile operating systems are accompanied by click-wrap contracts that impose significant use and transfer restrictions on users, under Vernor these users are considered licensees, rather than owners of a copy of the operating system.
The Wireless Consumer Choice Act
Sen. Amy Klobuchar, along with Sens. Mike Lee and Richard Blumenthal, takes a very different approach from her colleagues in the Wireless Consumer Choice Act (S.481). The bill’s full text is worth posting (PDF):
Pursuant to its authorities under title III of the Communications Act of 1934 . . . the [FCC], not later than 180 days after the date of enactment of this Act, shall direct providers of commercial mobile services and commercial mobile data services to permit the subscribers of such services, or the agent of such subscribers, to unlock any type of wireless device used to access such services. Nothing in this Act alters, or shall be construed to alter, the terms of any valid contract between a provider and a subscriber.
Note the absence of any explicit amendments to the DMCA or related regulations, or any mention of circumvention technologies. Instead, the bill empowers the FCC to regulate carriers’ unlocking policies, yet leaves the DMCA intact. This drafting decision has led some commentators to pan the legislation, questioning its effectiveness and scope.
While I too have serious concerns about S.481, I think Sina Khanifar (who started the White House petition about cell phone unlocking) may be incorrect to suggest the bill “doesn’t do anything at all.” It seems to me that S.481 could alter the DMCA’s unwritten contours, albeit in narrow ways.
How can a law that doesn’t even mention the DMCA effectively “rewrite” its anti-circumvention provisions? Consider that S.481 and the DMCA’s section 1201 both purport to deal with the subject of cell phone unlocking. To borrow a term from legal Latin, the two laws are in pari materia (“upon the same subject”). While section 1201 focuses on the general issue of circumvention of copyright access controls without mentioning cell phone unlocking, S.481 specifically and exclusively addresses cell phone unlocking.
So how would a court reconcile S.481 with section 1201 if a mobile subscriber were sued for unlocking his cell phone despite his full compliance with the carrier’s service contract? Here’s an excerpt from the leading treatise on statutory interpretation, Sutherland Statutory Construction, summarizing how courts tend to reconcile incompatible statutes:
Where one statute deals with a subject in general terms and another deals with a part of the same subject in a more detailed way, the two should be harmonized if possible. But if two statutes conflict, the general statute must yield to the specific statute involving the same subject . . . .
2B Sutherland Statutory Construction § 51:5 (7th ed.) (internal citations omitted).
So it seems the DMCA must yield to S.481, at least as far as contractually-authorized cell phone unlocking is concerned. That is, under S.481, carriers would lose their existing ability under the DMCA (17 U.S.C. §1203) to sue a subscriber who has unlocked his phone without breaching his service contract. Similarly, the law might deny the DMCA’s civil remedies to other rights holders—say, mobile operating system creators—against consumers who unlock their phones without breaching any contractual provisions. S.481 also purports to eliminate criminal liability in such situations; as Sen. Mike Lee explained in a joint statement announcing the bill, “[c]onsumers shouldn’t have to fear criminal charges if they want to unlock their cell phones and switch carriers.”
But courts could just as well construe S.481 to effect none of these changes. There is no such thing as stare decisis when it comes to statutory construction. If Congress wanted to alter the DMCA, courts might reason, Congress would have done just that. S.481 simply requires that carriers help off-contract subscribers unlock their phones, so why read into the statute a meaning that conflicts with other laws?
Perhaps there are persuasive reasons for trying to tweak the DMCA without actually amending the law, but I’m not aware of any. Given how widely courts vary in interpreting vague statutes, it’s awfully risky to gamble on judges who review S.481 correctly divining Congress’s intent if it enacts the law.
Another worrisome aspect of S.481 is its expansion of the FCC’s regulatory authority to encompass cell phone unlocking. While this grant of authority may seem innocuous, Congress should think twice before involving the FCC in mobile carriers’ decisions about when to permit subscribers to unlock their phones. If the FCC is tasked with policing carriers’ policies regarding cell phone unlocking, the agency might interpret this narrow grant of jurisdiction as a grant of “ancillary authority” to dictate the contours of mobile service contracts (not that the FCC isn’t already eager to regulate this space). The FCC is notorious for taking an extremely broad view of its own powers; as the Electronic Frontier Foundation has warned, the FCC’s willingness to overreach “raises the specter of discretionary FCC regulation of the Internet not just in the area of net neutrality, but also in a host of other areas.”
Given the FCC’s historically limited understanding of how markets work, unleashing it on the wireless industry is especially unwise. This isn’t a market in need of regulation; in fact, consumers enjoy plenty of choices among devices, carriers, and payment plans. If you want to buy the latest smartphone sans carrier lock, chances are you can order it today and have it on your doorstep tomorrow. If anything, Congress should be exploring ways to shrink the FCC’s role in the mobile communications space, among others.
Conclusion
Like co-liberator Jerry Brito, I think the ideal public policy approach to cell phone unlocking is fairly straightforward. If I own a cell phone, I should be free to modify its software (or hardware) so that it works on any carrier’s network—unless I’ve agreed in contract not to unlock my phone. If I go ahead and unlock my phone anyway, I owe my carrier compensation for its damages resulting from my breach—which are typically specified in advance in the form of an early termination fee. If the contract doesn’t specify an early termination fee, I owe my carrier damages equal to the amount necessary to put the carrier in the same position it would have ended up had I held up my end of the bargain. This is the common law in action, simple yet elegant.
Notice that the approach I’ve outlined makes no mention of the Copyright Act. That a particular type of wrongful conduct happens to involve a copyrighted work doesn’t necessarily make it proper to invoke the copyright laws. While I support robust copyright protection, tweaking the operating software installed on a phone I own so that it will operate on my preferred mobile carrier is a far cry from actionable copyright infringement. The potential market for Apple’s iOS, Google’s Android, or Windows Phone 8 suffers no adverse effect if a user unlocks her iPhone so she can switch carriers. As the Copyright Office explained in 2006:
[T]he access controls do not appear to actually be deployed in order to protect the interests of the copyright owner or the value or integrity of the copyrighted work; rather, they are used by wireless carriers to limit the ability of subscribers to switch to other carriers, a business decision that has nothing whatsoever to do with the interests protected by copyright.
This is not to say that carriers are wrong to limit some subscribers’ ability to switch networks. To the contrary, American consumers enjoy substantial benefits thanks to the availability of carrier-subsidized, locked cell phones, as George Ford, Thomas Koutsky, and Larry Spiwak argue in A Policy and Economic Exploration of Wireless Carterfone Regulation, 25 Santa Clara Computer & High Tech. L.J. 647 (2009). The question is thus not whether consumers should be permitted to unlock their cell phones, but what legal regime(s) should deter wrongful unlocking. As Jerry rightly argues, contract law affords mobile carriers a far more appropriate set of remedies for wrongful unlocking than the Copyright Act does.
Cell phone unlocking may be a fairly clear-cut issue, but the broader debate over whether, and to what extent, federal laws should ban tools that circumvent technological measures protecting copyrighted works is anything but straightforward. Critics of the DMCA’s anti-circumvention provisions offer powerful arguments why Congress shouldn’t be in the business of banning technologies, but there remains a fine line between selling lock picking tools and helping people unlawfully pick locks. In a forthcoming essay, I’ll explore the anti-circumvention debate in greater detail.
For a scholarly treatment of the interplay between the DMCA and cell phone unlocking, check out Daniel J. Corbett’s article, Would You Like That iPhone Locked or Unlocked?: Reconciling Apple’s Anticircumvention Measures with the DMCA, 8 U. Pitt. J. Tech. L. Pol’y 8 (2008).
March 15, 2013
Regulating the Market for Zero-day Exploits: Look to the demand side
A market has developed in which specialized firms discover new vulnerabilities in software and sell that knowledge for tens or hundreds of thousands of dollars. These vulnerabilities are known as “zero day exploits” because there is no advance knowledge of them before they are used. In this blog post, we recognize that this market may require some kind of action, but reject simplistic calls for “regulation” of suppliers. We recommend focusing on the demand side of the market.
Although there is surprisingly little hard evidence of its scope and scale, the market for vulnerabilities is considered troublesome or dangerous by many. While the bounties paid may stimulate additional research into security, it is the exclusive and secret possession of this knowledge by a single buyer that raises concerns. It is clear that when someone other than the software vendor pays $100,000 for a zero-day, they are probably not paying for defense, but rather for an opportunity to take advantage of someone else’s vulnerability. Thus, the vulnerabilities remain unpatched. (Secrecy also makes the market rather inefficient; it may be possible to sell the same “secret” to several buyers.)
The supply side of the market consists of small firms and individuals with specialized knowledge. They compete to be the first to identify new vulnerabilities in software or information systems and then bring them to buyers. Many buyers are reputed to be government intelligence, law enforcement or military agencies using tax dollars to finance purchases. But we know less about the demand side than we should. The point, however, is that buyers are empowered to initiate an attack, a power that even legitimate organizations could easily abuse.
Insofar as the market for exploits shifts incentives away from publicizing and fixing vulnerabilities toward competitive efforts to gain private, exclusive knowledge of them so they can be held in reserve for possible use, the market has important implications for global security. It puts a premium on dangerous vulnerabilities, and thus may put the social and economic benefits of the Internet at risk. While the US might think it has an advantage in this competition, as a leader in the Internet economy and one of the most cyber-dependent countries, it also has the most to lose.
Unfortunately, so far the only policy response proposed has been vague calls for “regulation.” Chris Soghoian in particular has made “regulation” the basis of his response, calling suppliers “modern-day merchants of death” and claiming that “Security researchers should not be selling zero-days to middle man firms…These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.”
Such responses, however, are too long on moral outrage and too short on hard-headed analysis and practical proposals. The idea that “regulation” can solve the problem overlooks major constraints:
- The market is transnational and thus regulation of supply would require agreement among contending nation-states. National security interests are implicated, making agreement among states difficult.
- Disclosure and enforcement would be challenging. Unlike physical weapons systems, exploits are invisible and traded digitally. Buyers and sellers have strong incentives not to disclose deals. James Lewis of CSIS, who worked on a project to restrict access to or exports of software, claims it “was impossible to control – there were so many ways to beat any restrictions, so many people who could write the code.”
- The line between legitimate security services/research and the market for zero-day exploits is thin and blurry. Regulating exploit supply may translate into regulating all security software development, which would be costly and economically stifling.
- It would be relatively easy for this type of market to go underground if regulation chafed. Governments could bring such R&D in-house instead of using an external market. Sales to terrorist or criminal groups are unlikely to be affected by any national or international system of regulation.
Despite these constraints, we do need to seriously consider ways to redirect incentives away from the discovery and possible exploitation of vulnerabilities towards discovering, publicizing and fixing them for the public benefit.
We suggest focusing policy responses on the demand side rather than the supply side. The zero-day market is largely a product of buyers, with sellers responding to that demand. And if it is true that much of the demand comes from the US Government itself, we should have a civilian agency such as DHS compile information about the scope and scale of our participation in the exploits market. We should also ask friendly nations to assess and quantify their own efforts as buyers, and share information about the scope of their purchases with us. If U.S. agencies and allies are key drivers of this market, we may have the leverage we need to bring the situation under control.
One idea that should be explored is a new federal program to purchase zero-day exploits at remunerative prices and then publicly disclose the vulnerabilities (using ‘responsible disclosure’ procedures that permit directly affected parties to patch them first). The program could systematically assess the nature and danger of the vulnerability and pay commensurate prices. It would need to be coupled with strong laws barring all government agencies – including military and intelligence agencies – from failing to disclose exploits with the potential to undermine the security of public infrastructure. If other, friendly governments joined the program, the costs could be shared along with the information.
In other words, instead of engaging in a futile effort to suppress the market, the US would attempt to create a near-monopsony that would pre-empt it and steer it toward beneficial ends. Funds for this purchase-to-disclose program could replace current funding for exploit purchases.
Obviously, terrorists, criminals or hostile states bent on destruction or break-ins would not be turned away from developing zero-days by the prospect of getting well-paid for their exploits. But most of the known supply side of the market does not seem to be composed of terrorists or criminals, but rather profit-motivated security specialists. And it’s likely that legitimate, well-paid talent will discover more flaws than “the dark side” in the long run.
Obviously the details regarding the design, procedures and oversight of this program would need to be developed. But on its face, a demand-side approach seems much more promising than railing against the morality of so-called cyber arms dealers.
Contracting Around Patent Law
While there is evidence that patents encourage investment in industries like pharmaceuticals and materials science, their effect on many other industries is markedly negative. In the computing, software, and Internet space, patents represent a serious barrier to innovation, as companies who need to assemble a huge number of licenses are subject to the holdout problem, and as incumbent or has-been firms use patents as weapons against more innovative upstarts. In some cases, these firms deliberately transfer patents to entities known as “trolls,” who exist solely for the purpose of suing the competition.
In theory, it is possible for firms to contract around these problems on a bilateral basis—as a basic reading of Coase suggests, because patents are inefficient in the tech industry, there exists in principle a bargain in which any two firms could agree to ignore patent law. The problem, of course, is the transaction costs. Transaction costs don’t merely add up in the tech industry; they multiply, because of holdout considerations and all the strategic maneuvering associated with firms competing on multiple margins.
I was thrilled, therefore, to see that Google is taking steps to solve this problem. They are proposing to set up a pool which would cross-license their patents to any other firms willing to reciprocate. All members of the pool would receive licenses to all of the patents in the pool. Unlike other existing patent pools, they seem to be interested in achieving the broadest possible participation, and it is being created purely for defensive purposes, not to receive a competitive advantage over firms excluded from the pool.
The proposal is still in a relatively early stage—they are still seeking feedback about which of four licenses the pool should use, which have different features such as permanence of licenses (“sticky” vs. “non-sticky”) and whether firms would be required to license their entire portfolio. For what it’s worth, I hope they choose the Sticky DPL, which seems like the most aggressive of the licenses in terms of taking weapons off the table.
An excellent feature of the pool, particularly if the participants decide to go with the Sticky DPL, is that it would feature very strong network effects. If several firms license their entire patent portfolios to the pool, then that strongly increases the incentive of other firms to join the pool. There is an intriguing tension here between the stated aim of the pool and the incentives pool members have to force other firms to join—by suing non-pool members who infringe on the pool’s patents, they can increase the membership of the pool. I do not strongly oppose this, but I imagine that there will be some philosophical discussion about whether such actions would be right.
Another wrinkle is that firms might transfer several crucial patents to trolls right before they join the pool (keeping a license for themselves, of course). More generally, they may look for legal ways to reap the benefits of the pool while continuing to use trolls to skirmish with their competitors.
But nevertheless, this is an encouraging development that I hope succeeds. If, as I strongly suspect, we are on the wrong side of the Tabarrok curve, the creation of a large cross-licensing pool could increase further the dynamism of our most dynamic industry.
Net Neutrality Videos for Marginal Revolution University
I hope that you’ve all been watching the terrific videos on “Economics of the Media” that Tyler Cowen and Alex Tabarrok have put together as part of their Marginal Revolution University online courses. They divide their media economics lessons into four groupings: (1) Basic economics of media; (2) Media bias; (3) Media and government; and (4) Media and economic development. Tyler and Alex asked Jerry Brito and me to contribute two videos on Net neutrality for the project. Jerry’s course offers an overview of Net neutrality as a general engineering principle. My video explores Net neutrality as a regulatory proposal and couches it in a broader discussion of network economics. Each video lasts approximately 6-7 minutes. Here they are:
