DMCA 1201 Exemption Transcript, April 11 - Censorware

                         UNITED STATES OF AMERICA

                                 + + + + +

                            LIBRARY OF CONGRESS

                                 + + + + +

                              COPYRIGHT OFFICE

                                 + + + + +

                            RULEMAKING HEARING

                                 + + + + +


                               APRIL 11, 2003

                                 + + + + +

                  The hearing was held at 9:30 a.m. in the Mumford

Room      (LM-649) of   the    Library    of      Congress'   James   Madison

Building,     101 Independence   Avenue,    SE,    Washington, DC,  Marybeth

Peters, Register of Copyrights, presiding.


MARYBETH PETERS                 Register of Copyrights

DAVID CARSON                    Copyright Office General Counsel

CHARLOTTE DOUGLASS              Principal Legal Advisor

ROBERT KASUNIC                  Senior Attorney

STEVEN TEPP                     Policy Planning Advisor




                              NEAL R. GROSS

                         1323 RHODE ISLAND AVE., N.W.

(202) 234-4433           WASHINGTON, D.C. 20005-3701            (202) 234-4433

[HTML'ization by Seth Finkelstein, along with certain technical corrections.]

Page 2


PANEL      I  - Compilations   of    lists    of     websites blocked      by
censorware ("filtering software") applications

Seth Finkelstein, supporting the exemption . . . . . . . . . . . . .       6

Jonathan Band, American Association of Law . . . . . . . . . . . .         15
Libraries, American Library Association,
Association of Research Libraries,
Medical Library Association, and
Special Libraries Association, supporting the exemption

David Burt, N2H2, Inc., opposing the exemption . . . . . . . . . .         18

Question-and-Answer Period . . . . . . . . . . . . . . . . . . . .         25

PANEL II - Copy-protected Red Book Audio Format compact discs

Seth Greenstein, Digital Media Association . . . . . . . . . . . . 108

Thomas Leavens, Full Audio Corporation . . . . . . . . . . . . . . 124

Steve Englund, Recording Industry Association . . . . . . . . . . . 134

of America

Question-and-Answer Period . . . . . . . . . . . . . . . . . . . . 142

Page 3


10:02 a.m.

MS. PETERS: Good morning. I'm Marybeth Peters, the Register of Copyrights. I would like to welcome everyone to the first of our four days of hearings in Washington in the second anticircumvention rulemaking.

The agenda for the next three hearings, which will take place at the Postal Commission in early May are May 1st, May 2nd, May 9th. Then there's two days in Los Angeles. That's being finalized, and all of the information will be on our website next week.

Before going further, I would like to introduce the people from the Copyright Office who are here with me. To my immediate left is David Carson, the General Counsel of the Copyright Office. To my immediate right is Rob Kasunic. We call him "Mr. 1201." He's kind of been our ongoing person from the beginning. So he's probably the one who has been contacting the various witnesses.

To David's left is Steve Tepp, who is a Policy Planning Advisor in the Office of Policy and International Affairs. To Rob's right is Charlotte Douglass, who is a Principal Legal Advisor to the General Counsel.

This hearing is part of the ongoing rulemaking process that, as most of you know, was mandated by Congress under Section 1201 of the Digital Millennium Copyright Act.

Page 4

Section 1201 provides that the Librarian of Congress, not the Register, thank you, may exempt certain classes of works from the prohibition against circumvention of technological measures that control access to copyrighted works.

The purpose of the rulemaking proceeding is to determine whether or not there are any particular classes of works as to which uses are, or are likely to be, adversely affected in their ability to make non-infringing uses if they are prohibited from circumventing the technological access control measures.

Pursuit to the Copyright Office's Notice of Inquiry which was published in The Federal Register on February 15th of 2002, we received 51 initial comments proposing exemptions to the prohibition, 138 reply comments. All of these are available for viewing and downloading on our website.

We intend to post the transcripts of all hearings approximately one week after each hearing. These transcripts will be posted on the websites as originally transcribed, but, of course, the Office will give persons testifying an opportunity to correct any errors in these transcripts.

The comments, the reply comments, the hearing testimony will form the basis of the evidence in this rulemaking, which, in consultation with the Assistant Secretary for Communications and Information of the Department of Commerce, will result in my recommendation to the Librarian of

Page 5

Congress. The Librarian will make a determination by October 28th, hopefully, this time a little bit earlier than October 27th, on whether or not exemptions to the prohibition should be instituted during the following three-year period, from October 2003 to October 27th, 2006.

The format of each hearing will be divided into three parts. First, each of the witnesses will present their testimony. This is your chance to tell us why we should believe you, and especially I'll look at you, Mr. Finkelstein, because you're the one who is the proponent of the exemption on this particular exemption.

The statements of the witnesses will be followed by questions from us, the Panel. I hope that we ask tough questions that you will have to think about, and all the questions are going to be the same for everybody. We hope that everybody gets tough questions.

This is an ongoing proceedings. I want you know that no decisions have been made about anything. I put in my notes "about critical issues." I can tell you it's not only the critical ones, it's no issues.

The purpose of the hearings is to further refine the issues and evidence presented by both sides in an effort to fully obtain the relevant information. The Copyright Office does reserve the right to ask questions of any of the participants after the close of the hearings. Any such

Page 6

questions asked and answers received will be posted on our website.

After the Panel has asked its questions, we intend to give the witnesses an opportunity to ask questions of each other. We have not managed to come up with all of the questions that should be asked. I'm confident that your fellow panelists will make sure that all the questions get asked.

With that, I am going to turn the program over to you.


MR. FINKELSTEIN: I would like to thank the Committee for inviting me here. I would also like to beg your indulgence if I make any procedural or cultural errors. I am not a lawyer. I am not a public relations -- sorry, shall I start over again?

Okay, as I say, I would again like to beg the Committee's indulgence if I make any procedural or cultural errors because I am not a lawyer; I am not a public relations person. I did have a better shirt, but I am literally straight off the plane this morning to come here.

This is not my job. I am a professional programmer by trade. I have no training or experience in Washington politics. If I make any mistakes in how I present myself or how I answer, I ask you to indulge me in that.

I am here, basically, to try to explain why this

Page 7

is important, and I will try to do my best in educating the Committee as to why censorware is an important topic and why you should grant the exemption.

Let me begin by trying to put some things in context. censorware is usually discussed in terms of parents and children, but that is, in fact, not the way I got into this and not the way that I think about it.

I am a 38-year-old professional programmer with an interest in civil liberties. I am not a professional activist nor am I a professional lobbyist. I got into this because I was one of the very early users of the Internet. I was at MIT. I am an MIT graduate, degrees in physics and mathematics. I really do have two degrees from MIT, and got to use the Internet in its very early, very formative stage, and I loved it.

I loved the information exchange. I loved the ability to talk to people literally across the world. You could talk to someone in Russia. You could talk to someone in Iraq. It was a fascinating exchange of ideas.

For a decade, from around 1985 to 1995, there was wonderful, free-flowing exchange where there were no constraints on what you could you say or what you could read whatsoever, and it was fascinating for an intellectual.

Then, in the mid-nineties or so, it began to become "popular," and this was a problem. In the early days, it is very hard to convey the spirit of those times, where there's

Page 8

the idea that you could not censor the Internet, that it was created to survive a nuclear war.

There's a very famous saying by John Gilmore, one of the founders of the Electronic Frontier Foundation. He said, "The Net considers censorship as damage and routes around it."

When I heard that, I was never convinced by it. I always wondered, well, what if censorship is in the router? Could you control the Internet by finding the choke points and cutting off that ability, that ability to exchange information?

Now when there became a reaction as to what to do about all the information being exchanged on the Internet, I loved this freedom of exchange and I wanted to preserve it. How can I convey what it was like in the early days, when now you take it for granted that you can cross the world, but this was thought to be a precious thing at the time, and I thought that it should be preserved.

Now I have to explain a bit about the politics of censorware. This will, in fact, refer to a bit of David Burt's comments.

When the Internet started to become popular, there was almost universal reaction to people who discovered it who were not part of the original cognoscenti. The reaction went like this:

"Oh, my God, there's too much information there. We have to somehow control it." And I was wondering about this

Page 9

because we were told that the Internet could not be censored, but yet there were people who were saying it was important to control what was on the Internet. How could both be true? One of these people had to be wrong.

So when we had this problem at the time to figure out what to do with the desire to control the Internet, then there was the issue of, could we, basically, put the U.S. interests in a private program, a company such as N2H2, and would that be a good thing?

This is a complicated issue to try to explain, but what happened was the idea was that civil libertarians should advocate private companies because that would avoid the means of Congress having to censor the Internet. I thought this was a horrible idea.

The reason I thought it was a horrible idea was because it was turning over the Internet to private blacklisters. I thought this was an absolutely disastrous idea from the civil libertarian point of view.

So this is where I come into the picture. As a technically-skilled person with the ability to do mathematics and decryption programming, I set out to figure out what was actually in the secret blacklists, and this is where I succeeded.

In 1995, I first decrypted CyberPatrol, and it was fascinating. I found, for example, the feminist discussion

Page 10

newsgroup at the time thought that feminism was considered pornography, technically sexual acts, for example. I found that gay rights and youth support were considered pornography, sexual acts.

And this pattern was repeated all throughout every program I examined. Feminism was considered pornography or sexual. Gay rights was considered pornography or sexual, on and on and on.

This led to the expose', "The Keys to the Kingdom." Now that has been criticized as being anecdotal. "Anecdotal" is usually used as a synonym for unverified or inaccurate, but, no, it was absolutely accurate.

What it was, it was not a statistical study. It was to counter the propaganda that the Internet could be easily censored.

Now the reason that it was published in that sort of -- how can I put it? -- sensational fashion was, one, well, because of the way the writer did it, and, two, this decryption that I was doing was extremely legally risky at the time. In fact, there were lawsuits threats from the publication of that article. There's a whole story involved with that, and that was not the end of it.

Every time there was a game of this sort, I called it "the not on the list" game, that you would expose something as being blacklisted as sexual or pornography, or some feminist

Page 11

site, or some youth rights sites, and the censorware companies would then say, "It's not on the list," by which they meant they had immediately taken it off and the new version of their program was perfect. This went on and on and on.

There would be fantastic marketing claims. This moves into the Loudoun County case, where the proponent, the president of the company which made the censorware there, X-Stop, went out and actually said on record that the program only blocked sites which met a legal criteria.

This is an absolutely absurd thing to say because these legal criteria, as you may know, are very hard to do. They require judicial training. There is much argument, and the president of the company was saying that the program could do it. Humans can't even agree on what's artistic merit. How could a program do it?

So I went and did a great deal of work exposing what this program had blocked. But, again, this wasn't my job. I've never gotten any money for this. It's stressful and legally risky. When the censorware companies get their blacklists exposed, they don't just laugh at you; they do everything from make threatening noises to, in some cases, actually filing lawsuits.

When the DMCA came, I said, this is it; this is too much. It's too much legal risk. I just stopped doing this work.

Page 12

Then came the exemption and some other things, and I started doing it again. In this case, I changed some of my approaches. The idea of just finding specific examples is not so much an issue now because it's embedded into people's understanding. Even the censorware companies now say that their programs aren't perfect. They actually didn't say that before, because they are moving their marketing claims in response to the exposures of people like me, and that's very gratifying.

In fact, one of the comments in Mr. Burt's reply comment about listing the loophole sites, I believe that is in direct response to my report about it. In fact, I'm sorry I didn't submit the actual report, but there's a comment where I track when they actually started making the claims and said, "I'm glad they're reading it."

So what I have been trying to do now is to try to explain some more properties of the programs which aren't obvious. It is very easy to say these programs block pornography. That's a phrase that easily falls off the top, but there are implications in that statement which are very important.

For example, image search engines are blocked in N2H2's program as pornography. Why? Obviously, because you can use them to search any images, and some of those images might be sexual.

Now if you ask somebody, "Would you like to block

Page 13

pornography," of course, they are going to answer, "Yes," except for a very few people. But if you ask them, "Well, do you want to prevent people in public libraries from searching for images because some of the images might be pornographic," you get a different answer.

I'm trying to explore those aspects of these programs now, and that requires circumvention in order to be able to do it very effectively. I think I will leave my opening statement there.

MS. PETERS: Okay. Thank you very much.

Mr. Band?


MR. BAND: Thank you for the opportunity to testify today on behalf of the five library associations.

The reasons given by the Copyright Office in 2000 for a 1201 exemption with respect to filters applies with equal force today. As N2H2 notes in its comments, filters are becoming more prevalent and, indeed, they may become even more prevalent if the Supreme Court reverses the lower court in the CIPA decision in the CIPA case. Thus, the need to know exactly which websites are filtered and which are not is becoming more compelling.

I would like to spend the balance of my time focusing and responding to the comments filed by N2H2 and the other filter companies. The issue today is not whether filters

Page 14

are a good thing. It is whether the members of the public should have the ability to find out which websites are blocked by Internet filters. We think they should be able to find this out, particularly so that institutions and individuals can decide whether to use a filter and which filter to use.

First, as N2H2's comments emphasize, the use of filters has increased dramatically since the Copyright Office and then the Librarian of Congress granted an exemption in 2000. Thus, the existing exemptions have no adverse impact that we can tell on the filtering companies.

Second, N2H2's comments seem to assume that a 1201 exemption is the equivalent of authorizing the publication of the database of the prohibited websites, but this is absolutely not the case. Copyright still protects the database. Circumvention would simply put someone in the position to make a fair use of the database. But his use would still have to qualify under Section 107. A 1201 exemption will not change that in any way.

Third, from the erroneous assumption that a 1201 exemption would authorize publication of the database, N2H2 suggests that publication of these databases would provide children with unprotected computers a road map to pornographic materials. With all due respect, I think N2H2 grossly underestimates the resourcefulness of teenage boys. If they have access to an unprotected computer, they don't need a road

Page 15


Fourth, the reference to the Microsystems case is completely besides the point. That case involved the development of a bypass code that disabled the filter. It had nothing to do with accessing the database for fair use purposes.

Finally, the N2H2 comments discussed the alternative of making queries. I'm not qualified to speak to the effectiveness of the sampling made possible by such queries, and I am sure Mr. Finkelstein is far more qualified to comment on that, but it is clear to me, as a matter of common sense, that sampling can never give you the complete set of the blocked websites. By definition, you only get a sample, so you obviously will miss what could be important information. You will never know what you don't know.

Also, the filter companies can reconfigure their software to prevent automated querying, so this option may disappear in the future.

In sum, the Copyright Office and the Librarian of Congress got it right the first time: The filter companies haven't presented any evidence of the harm this exemption has caused them. It continues to enable an important form of fair use. Accordingly, the Copyright Office and the Librarian of Congress should renew the exemption relating to Internet filters.

Thank you very much.

Page 16

MS. PETERS: Thank you.

Mr. Burt?


MR. BURT: Thank you. My name is David Burt, and I am from N2H2, Incorporated, an Internet filtering software company. I am here also representing two other Internet filtering companies, that being 8e6 Technologies and Bsafe Online.

To give you a little bit about my background, I am a former librarian. I have been involved in the study and promotion of filtering software for about six years, since 1997.

I provided testimony in, as well as being a consultant in, the Loudoun County case. I testified before the COPA Commission about filtering effectiveness. I testified before the National Commission on Library and Information Science on filters, and I also testified before the Pennsylvania and California State Legislatures. I have been with N2H2 for three years. My current role there is as PR Manager.

We are pleased to be able to come here and offer comments. As I made clear in my written comments, filtering companies were not aware of procedure last time, so we did not submit comments at that time, and we are certainly pleased to be able to offer a response to some of the claims that are made about filtering software.

What I think is most germane here about evaluating

Page 17

filtering software is the fact that there is this very rich, very extensive literature that has been published of filtering software evaluations that does not involve the decryption of, and the disabling of, copyright control mechanisms. Most recently, there was a study published in the Journal of the American Medical Association that was conducted by the Kaiser Family Foundation that used a very extensive sampling and testing, and it was conducted by a panel of experts and included a professor of information science at the University of Michigan, and was, in fact, peer-reviewed. I think that studies like that really speak to the points, some that Mr. Finkelstein raised, about concerns about what viewpoint might possibly be affected or what uneven standards might be used. The Kaiser study is an example of a study that seeks to answer a question like that. That seeks to answer the question, do filters affect the ability of minors to access health information? Does it very effectively, using a querying method, create a sample using a querying method? So to the point that there are concerns like that, these can be addressed with sampling. To the other concerns that Mr. Finkelstein raised about obvious architectural features, the single example -- in fact, the only example -- Mr. Finkelstein gives during the comment period from October 28th, 2000 to the present has to do with our product, N2H2, with the loophole category in our

Page 18

product. By his own submission, he admits that that information was publicly available.

It was publicly available on our own website at the time that he did that. So there really was no need for him to do that because that information was not just publicly available through our URL checker. It was also publicly available in our support pages, and it was also publicly available in the logs that anyone who is a N2H2 customer could check.

Speaking to some of the points that Mr. Band raised, he talks about the need to know. Filtering companies have been extremely responsive to people who say, "I want to know what's in your filter." I give some screenshots and some descriptions in my written testimony about our URL checker database. That is a web interface, and many of the other filtering companies have them, too. SurfControl has one. Websense has one. Smart Filter has one.

Anybody anywhere in the world can go to our website at, look up any site, see if it's categorized, how it's categorized, and if they don't like the way that it is categorized, they can submit a request to have that changed.

So I think we have been very upfront about making our database available to people for researchers, quite a bit more upfront than a lot of other database publishers. Many

Page 19

other database publishers, in fact, do not provide any kind of a free query interface to test the database, but we do. So I think we really even go further than the typical database publisher does in doing that.

As to the other comment that Mr. Band made about protecting children, I just can't agree with a comment that, gee, because there's so much porn on the Internet, what's the harm of making 300,000 porn sites available to children? That's not the business we want to be in. We don't want to be known as the world's biggest provider of pornography to children.

That's not why this company was founded in 1995 by two educators, and we initially started in schools in order to protect children. We didn't build this brand that we have called Bess that's well known -- we provide filtering to 40 percent of the public schools in the United States -- in order to be known as the biggest provider to children of pornography.

I don't have really much to add to my written comments. I think I have explained it pretty thoroughly, and I really haven't heard anything in either the written replies or today that refutes what I have in here.

As to the CyberPatrol comment, in that case I think the judge was quite clear about the potential harms. In his Finding of Facts it says -- and this is on page 38 of my testimony; I'm quoting from the judge's decisions: "By their own admission, Mr. Jansson and Skala created this bypass code to

Page 20

break CyberPatrol software, explicitly designed to make CyberPatrol ineffective, and its intended use can do nothing more than adversely affect the potential market for the copyrighted work. In contrast, Microsystems as well as the public, will continue to suffer irreparable harm unless the individual defendants are prohibited from distributing the bypass code."

I think some of that sentiment is really echoed in a case that I submitted -- the decision to just came down this week, versus N2H2. That involves a DMCA case about wanting to access our database.

I'll point you to page 3 of the judge's decision where the judge says, quote, "There is no plausible protected constitutional interest that Edelman can assert that outweighs N2H2's right to protect its copyrighted property from an invasive and destructive trespass," unquote.

So here we have had two judges look at this issue about whether or not it should be permissible to decrypt filtering software, and both have really come to very similar conclusions about the potential harm that would be done by doing that, and really a lack, frankly, of any benefits to society.

As I point out in my comments, there are really enormous social benefits that are derived from filtering software. That, in fact, Mr. Band spoke to the popularity of filtering software. That is what is driving the popularity of

Page 21

filtering software, is the fact that it does have such great social benefits to people, to parents who want to protect children, to teachers who want to protect students at schools, to corporations that want to protect from liability from sexual harassment claims, that want to preserve their bandwidth, that want to enhance employee productivity. There are all kinds of social benefits to filtering software.

In fact, that's what Congress really said in 1996, when they passed the Telecommunications Reform Act of 1996. In fact, it's quite clear that Congress was trying to encourage the development of filtering software when they passed that law, when they passed the Good Samaritan exemption for that.

In fact, I'm quoting from the text of the 1996 Telecommunications Act. It says, "It is the policy of the United States to remove disincentives for the development and utilization of blocking and filtering technologies and empower parents to restrict their children's access to objectionable or inappropriate material," unquote. That's what Congress had to say about that.

As I go into my testimony, one testing facility after another -- we have JAMA; we have PC World; we have Consumer Reports did a test on filters -- they didn't need to decrypt the filtering software in order to analyze filtering products, come to conclusions about their effectiveness. There really is no need to do that.

Page 22

The record is very clear on that, that there is this rich literature that has been published of tests that have been done on filtering software to answer the kinds of questions that Mr. Band and Mr. Finkelstein have that can be done without an exemption.

Thank you.


MS. PETERS: Let's start the questions with the General Counsel. David?

MR. CARSON: Thank you.

Mr. Burt, can you just perhaps put in a nutshell for us -- let me start by saying, you did just state that your company and companies like yours do have mechanisms whereby members of the public can find out what sites are blocked by the filtering software. Can you tell us, just in a nutshell, what is the harm in letting researchers such as Mr. Finkelstein decrypt those lists, so they can get access to the entire list?

MR. BURT: The biggest harm, No. 1, is intellectual property, because, as I go into my written comments, we spent literally tens of millions of dollars developing our database. It is extremely labor-intensive to do that.

There are editorial judgments that are made about different sites, how to categorize them. We have 4 million entries in our database, and we had to build the infrastructure

Page 23

and train the staff, the people, in order to populate that database. So we don't want to just give that away to somebody. If we were to publish our database, make it publicly available, a start-up company or a competitor could just take our database and then start using it without having to pay the start-up cost. That would put us at a huge competitive disadvantage. That is one reason. The other reason, as I mentioned before, is to protect children. We just simply do not want to make this gigantic list of pornography available to children. And I gave an example of what happened when a company did that in my testimony. A company called Net Nanny gave away a children's CD-ROM at Burger King in the United Kingdom that had -- they published their list, and it had 2,000 pornography sites on it. The parents in the UK were so angered about this that they forced Burger King to recall this CD-ROM. That's a really concrete example of what happens when databases like this are published.

MR. CARSON: Okay. Now we have had this exemption in place since October of 2000. Are you aware of any instances since then when someone, taking advantage of this exemption, has, in fact, either intentionally or inadvertently, publicized an entire list, or a substantial portion of a list, of the sites that are blocked by your software or any similar software?

MR. BURT: I'm not aware of anyone taking

Page 24

advantage of this exemption, period, to do anything during the comment period. Mr. Finkelstein says he does, but he doesn't document how he did that. He doesn't provide any kind of documentation about decryption or any publication. The only proof he cites of that, information that was publicly available at times, by his own admission. So I am not aware of anybody, period, using this exemption in the last three years.

MR. CARSON: So it's probably fair to say, then, that you're not aware of any problems that have arisen in the last three years by virtue of the exemption?

MR. BURT: There are certainly some serious potential problems that could arise, but I think the problems have not arisen because nobody has decrypted any filtering software that I'm aware of in the last three years.

MR. CARSON: Okay. Now you mentioned that the main part of the harm is the intellectual property, and intellectual property is a pretty broad term. Let's just explore that.

You're not a lawyer, I gather?

MR. BURT: No, I'm not.

MR. CARSON: So maybe this is not a fair question. But when you are concerned about the harm to your intellectual property, it sounds like you're talking about something like trade secrets, proprietary information, and so on. Am I on the right line there?

Page 25

MR. BURT: Well, we are talking about, No. 1, trade secrets, how we construct our -- there are techniques that we use to construct our database that are proprietary, but just the information itself, we want to protect that information itself.

The categorization that we apply to the URLs on the Internet, when we create the database, there is original effort that goes into creating that database. That's what we really want to protect. That's what gives the database its value, is that value that we add to it by those editorial judgments that we make.

MR. CARSON: Okay. Now I don't want to sound callous about trade secrets or proprietary rights of that nature; I'm not. But this is a rulemaking about copyright. It's a rulemaking about Section 1201, which is designed to address measures that copyright owners take to protect their copyrighted works.

Typically, copyright isn't concerned with secrecy of information. So I am trying to understand -- and maybe you can help me; maybe you can't -- as to why we should care about that in the context of this particular rulemaking, which is looking at exemptions to a provision of law that is designed to protect copyrighted works and access to copyrighted works.

MR. BURT: Well, our work has copyright protection to it. Databases do have copyright protection, and they can be

Page 26

copyrighted. We want to protect that investment that we have of our database. We want to protect that intellectual property, that editorial judgments that we make in this database that we have created.

I think you should care about that because, once you open the door for that, for some databases, there are a lot of other databases that could be vulnerable, too. Once you start going down that road of creating exemptions for databases like that, I think the other database publishers certainly would and should be concerned about that.

Because, as this body found in its ruling in 2000, it's essential that database publishers have copyright protections to protect their investment, to protect their intellectual property. Otherwise, it's going to greatly harm the database industry. There will be much less databases available.

And the same thing applies equally, and I think probably more so, to filtering software. These valuable tools that parents need, that schools need, I think the availability of them will be drastically reduced if we cannot control our copyrighted databases, if we cannot control our intellectual property.

MR. CARSON: All right. Mr. Finkelstein, Mr. Burt just said that he's not aware of anyone, including you, who has taken advantage of this exemption in the last three years.

Page 27

Let's start with you. Have you? And if you have, tell us how.

MR. FINKELSTEIN: Oh, I have a wonderful reply to his comment there. Mr. Burt, you say that I have not published information on my decryption? Well --

MR. CARSON: Mr. Finkelstein, I'm sorry, but we do need the microphone in front of you, so the court reporter can hear. I think you had better start over.

MR. FINKELSTEIN: I'm sorry. This is just such a wonderful reply.

You say, you criticized me for not publishing details of decryption? Well, the last people who published details of their decryption for the world to see got a $75,000 lawsuit for their trouble, and that $75,000 lawsuit took place right downtown from me. So there were no fancy Internet jurisdiction issues even, when you consider that case.

Therefore, could you consider perhaps why I might be a little hesitant to publish details, given that the last people who did it got a lawsuit for it? In fact, the only reason I came out and said that I had decrypted the database was in order to try to preserve this exemption.

I keep trying to convey, this isn't my job. Nobody is paying me to come here. I took the money out of my own pocket to actually pay the plane fare back here.

David Burt is paid by the company to do this. Win or lose, he goes home after this and he gets paid and he gets a

Page 28

salary. If I am looking at a massive lawsuit, $75,000 -- I looked at the amount -- for publishing something versus keeping my mouth shut about how I acquired it, I think the incentive there is to keep my mouth shut about it.

MR. CARSON: Well, short of what you're willing to say or what you're willing to publish, give us a sense, first of all, in the last three years have you, in fact, engaged --


MR. CARSON: -- in the conduct covered by this exemption?


MR. CARSON: Okay. Can you describe for us what you have done?


MR. CARSON: This is your chance to tell us why it's important to let people like you continue to do that for the next three years.

MR. FINKELSTEIN: There are two different senses of the words "what you've done." I can describe to you the way I decrypted the database, but perhaps I shouldn't, or I can describe what I've done with the decrypted database, which is important. I assume you're asking that second question: Why is it important that I decrypt -- or am I mistaken?

MR. CARSON: Well, I would like to have them both.

MR. FINKELSTEIN: This is where I asked you

Page 29

earlier about immunity. (Laughter.)

MR. CARSON: Well, whatever you feel comfortable telling us, again, understanding that we need to be persuaded that there is a reason for this exemption to be granted for the next three years.

MR. BAND: Focus on the second question.

MR. CARSON: It would assist us in determining that --

MS. PETERS: That's your lawyer. (Laughter.)

MR. FINKELSTEIN: I know this isn't literally true, but I would like to plead the Fifth Amendment for grounds of incrimination on answering the first question on how I did it. I could certainly prove it to you by bringing you a CD of their database, if you can use that.

MR. CARSON: All right. So you are concerned that conduct you have done under an exemption of the law might lead to some kind of criminal liability?

MR. FINKELSTEIN: Ah, no, you see, this is unique. I've got an answer for you there. The exemption that you have given me is an exemption for the DMCA, but it is not an exemption for copyright, trade secret, or violation of the shrink-wrap licensing.

In fact, I am going to go on. The CyberPatrol

Page 30

case was not a DMCA case. The actions in the CyberPatrol case were traditional copyright, trade secrets, violation of shrink wrap licenses, and a couple of other things which I called the "kitchen sink" charges. Every single one of those charges could be brought against me, even with this exemption.

MR. CARSON: So you're telling us this exemption is pretty worthless?

MR. FINKELSTEIN: No, it's not worthless. It's important in the sense that it goes to doing the act. If I said here, "I have done the circumvention," without this exemption, that would be a crime. That would be admitting or that would be violation. That would be admitting to a violation.

Because of that exemption, I can tell you that I have done it, but if you ask me to give you cold-level details where I start getting into the area which got two people sued for copyright, trade secrets, and violation of license, I think that's increasing liability. It is a hierarchy of liability.

Why this exemption is important is this exemption goes to the actual action of doing the investigation itself. It says, even if you publish just one fair use result, if you admit in that paper that you did the investigation by circumvention, you have liability because you have confessed to circumvention, and fair use is not a defense to circumvention. It is very clear in the Reimerdes case. That's why the exemption is important.

Page 31

In fact, this also answers David Burt's question in a way he doesn't like. The exemption does not remove all the protections that the censorware companies have already. We're not talking about putting this on a CD in Burger King and distributing it to little children. I've not done that. Nobody has done that.

MR. CARSON: All right, so what good has the exemption done?

MR. FINKELSTEIN: Now what the exemption has done has allowed me to do these architectural investigations. Let me try to explain these.

In fact, if I can take a couple of minutes, let me, in the course of explaining this, rebut Mr. Burt on the utility, or lack of, of querying. It's not an issue of quantity; it's an issue of quality.

All these studies that he cites are in some sense the same study repeated over and over again. It's take a couple of sites, see what's blocked, see what isn't blocked, and so forth. That's not the question I'm asking. It's like saying that you don't need to have college because you have so many high school essays. It is a bit like that.

Where circumvention is important is what I call looking for the land mines here. It's like trying to locate land mines in a mine field. In theory, one can examine every bit of territory, but it's qualitatively different to have a map

Page 32

of where the mines are. Now Mr. Burt's product, N2H2, bears a semi-secret category called "loophole." Loophole category is a category which cannot be deactivated where things are blocked by installation as mine fields, little mines, but you suddenly find them blocked, and you have no idea why. Trying to figure out what these loopholes are that will be blocked in libraries, that will be blocked in government sites where they are mandated to use censorware, is something which cannot effectively be done by sampling because it's not a statistical property. It's a property where the site is somehow thought to be a threat to the operation of the program. Maybe I should back up for a moment, if you will indulge me, and try to explain where I'm approaching this from. I'm not approaching it from a statistical point of view. Statistical studies are well and good, but statistics are not the be-all-and-end-all of investigations. There are other types of investigations which can be done. Now you'll note throughout the entire proceedings I have talked of censorware, not filtering software. That is not merely partisan politics. That is a very important difference in how I think about this issue. When somebody talks of a filter, that conjures up the image of this ugly, yucky, horrible, toxic stuff that you're taking away and leaving a clean and purified result, like a

Page 33

coffee filter or a dirt filter. You just want to throw the ugly stuff away.

But that's not what these products do. What these products do is they control what people are allowed to read, and that's a profoundly different issue. Because when you try to control what people are allowed to read, and you try to put them in a blinder box, you can't ever let them out.

For example, a loophole is a language translation site because a language translation site makes the information coming from the other site look like it's coming from the language translation site. So you can use the language translation site to get to the site that's been banned in a sort of routing fashion, that you route around the banned site through the language translation site.

You can use a site that checks to see if your web page has the appropriate structure to it. You know what HTML is, HTML formatting. There are programs which you can take and will say, well, your HTML formatting has this problem or it displays this way, but those are actually considered loopholes because they allow you to display a banned site, because you can say, oh, I want to check its formatting.

This is a very important part of the debate, trying to get people to understand that what these programs are doing are not banning pornography or banning whatever. They are controlling what people are allowed to read. In order to do

Page 34

that, for example, what I did in my loophole paper was to go through affirmatively -- I was not querying, not sampling things, but trying to say, what are these things that Bess considers a loophole? It was a fascinating revelation to find out that language translation sites are considered a loophole. Well, that's interesting when you think of that, but then you find out that HTML-checking sites are considered a loophole. Then, this is the really interesting thing: The Google cache -- you know what the Google cache is? -- that's considered a loophole because you can get to any web page by using the cached version. So when you tell people, well, you're not banning pornography, you're not letting people use the Google cache because they could use the Google cache to get something forbidden, that changes the debate. I have been trying to get this into the thinking process of people. I may not have been very success at it, but it's something I have been doing with this research.

MR. CARSON: Mr. Burt, anything to say in response to any of that?

MR. BURT: Yes, I do. I would just like to -- and I have already said this a couple of times, but I will say it again now that Mr. Finkelstein has had a chance to explain. When he was asked specifically to describe specific examples

Page 35

where he had used this exemption, the only example he came up with was for N2H2 to find this loophole category that, by his own admission, was already publicly available in other sources. I think that's not a sufficient record to justify this exemption, if that's the only example that can be come up with.

MR. FINKELSTEIN: May I respond to that? First of all, Mr. Burt is inaccurate to say that it was publicly available. He has made it publicly available, I believe in response to my paper. But the reason I am very certain that it was not publicly available -- and perhaps I can answer some of your earlier questions about how this is done -- is because I did not know what this loophole thing was when I saw it in the database.

Maybe I can give you some better examples by telling you what I saw. For example, when I decrypted the database, it's very hard to figure out what these things are sometimes. Decryption is only one step. There's the encryption, and on top of the encryption, there's often a database structure. I don't know if I'm getting too technical, but there's often binary codes and special flags, and so forth, and it's very hard to figure out what these are sometimes.

In the N2H2 blacklist there's a whole list of things. As I tried to figure out -- first, there was a list, and then there was a list of flags which correspond to the codes, to the entries of the list. This isn't getting across.

Page 36

There's a header of things that say that pornography, violence, and there's also other internal things that said things like, "loophole."

By the way, David, can you tell me what "UNMOD" is? I'll catch up with you there.

My joke about this is I can't call up technical support and ask them to tell me what it means. So when I saw this entry "loophole," I'm thinking, what is this thing? So I searched throughout the web and there was no documentation for it whatsoever. The only thing that was there was the log entry that was a two-letter code, "LH," from the site.

So what you saw, if you ran a loophole site through the program itself, was a set of two-letter codes that correspond to the categories, but there's no documentation for this secret category. And I searched very, very thoroughly to find any documentation for it, but it wasn't there.

When I put one of the sites which was listed into the query database that said it was a loophole and it came back and said, "loophole sites," it didn't tell me what a loophole was. It was only by -- and this is where statistical sampling is not important, is not answering the question -- by collecting all the other sites in the database which were loophole sites and asking, "What property do all these sites have; why are they like one another," that I realized that what they considered a loophole site was something that they deemed a threat to the

Page 37

control of the program. The question was basically, I have this database in front of me. I have these strange-looking sites that say, "loophole." I have no documentation whatsoever for what is a loophole. I go through the database and I extract all sites which have the flag "loophole" on them. They're privacy sites, language translation sites. Oh, what's this? It's an HTML validation site. That's odd. And what's this other thing? It's a site that makes things sound like Elmer Fudd. Why do they have that thing there? Oh, it's a language translation site, but it's just a weird language. Oh, there's Google cache in here. Now what property does the Google cache, a language translation site, an anonymizing side, an HTML validator site all have in common? Aha, they're all sites where they retrieve other sites and display them to you. Bingo. I think this is a very important fact to get out in the debate, and that's how I also did it.

MR. CARSON: Mr. Burt, I may have been misreading your body language, but I got an impression I saw an urge to respond. Is that true or not?

MR. BURT: Yes, I'll go ahead. It is in my written comments, but in Mr. Finkelstein's own report, "Bess's Secret LOOPHOLE," he just referenced the website at

Page 38 He says, quote, "The loophole category can be verified by using N2H2's single site blacklist checking form. Just test it into"

So, I mean, right there he says that this information is publicly available on our website.

MR. CARSON: Well, I think the question is, which came first, your revelation or his detection? I don't think that's something we're going to resolve here.

MR. FINKELSTEIN: No, no, what I'm saying is the query says it's a loophole site, but there's no documentation for what loophole is.

MR. BAND: Right, and his point is that, yes, now that you know, now that he's told you to look, that the Google cache won't be available, you can go to their website and, sure enough, you'll find, you type in "google cache," and you won't get it.

But the only way that he was able to figure that out was by the circumvention, finding this category, trying to figure out what it meant, figuring out what the common property is, figuring out why it was doing this. And now you can verify that on your own through their site. But for his encryption or his decryption work, we wouldn't know that. That's his point.

MR. CARSON: I think we've got disagreement on whether that's true or not, but we at least understand the proposition.

Page 39

MR. FINKELSTEIN: Verification is not the same as investigation.

MR. CARSON: Understood. Okay.

MS. DOUGLASS: There's also in our tech support pages, there's references to the whole category --

MR. CARSON: Okay. I want to get back to what I was asking before, and I understand you have expressed your reluctance to give us much in terms of concrete terms about what you've done because of your fear that we are not dealing with just 1201 and copyright, but perhaps other things.

MR. FINKELSTEIN: David, will you pledge never to sue me if I tell for this?

MR. BURT: I'm not authorized to make a statement like that. (Laughter.)

In order to make a statement like that, I would have to consult with management, and they would have to consult with our attorneys when we get back. As a PR person, I'm not empowered to do things like that.

MR. CARSON: Let me ask this, then, either Mr. Band or Mr. Finkelstein, any help you can give us in terms of letting us know not necessarily what you personally, but other folks who have taken advantage of this exemption, what they have done and why it is to the advantage of society to let them do that. In terms of concrete terms of what people actually are

Page 40

doing and have done, that would be of great benefit to us in evaluating the need for this exemption. So if either of you can help us out in that respect, that would be useful.

MR. FINKELSTEIN: Well, I could talk about some of the things that have gotten people sued for. That's an easy one.

If you want me to talk about how decryption is done or how circumvention is done, it's a very --

MR. CARSON: No, not so much how circumvention is done, but help us understand why we should care. How have people used the ability they have had under this exemption to society's benefit? How have they taken advantage of this exemption --


MR. CARSON: -- in a way that, if you could explain it to us, we would say, "Yes, of course, people have a right to do that and they should have a right to do that, and we understand. We get it."?

MR. FINKELSTEIN: First off, I can explain to you that the work that I did was cited in the expert witness reports for the CIPA decision. Mr. Burt's comment is very interesting in the way he walks around that, in that he says that it's not cited in the actual description.

But if you look in my comments, you see the expert witness reports themselves cite my own work. They cite the

Page 41

specific paper that I'm talking about here. That's his secret loophole.

Some of the things which may not have specifically my name attached to them do seem to have come from me. I have talked about the Bess's loophole example because it is the strongest example or circumvention, but there are many other things that I have done which have been helpful towards explaining what the process is, what is actually banned, and what is actually a problem in these architectural terms that I haven't actually gone out and said, "I got this information by circumvention," again, because of the legal liability here.

To back up for a moment, when we talk about sampling, nobody is going to sample the Google cache. It simply wouldn't occur from the list of things that you would use to test a program, at least not until this had been publicized. Once it has been publicized, then, of course, it's become an issue. But if you're trying to do an investigation, that isn't something that's obvious to you.

And one of the other things where I got the information from circumvention was the investigation of the image search engines. For example, to figure out that image - what I did was I went through the program and started looking at the database for what some of the other Google sites were. It was vastly easier to do this by having the list in front of me, asking the question: If it blocks the Google cache, what other

Page 42

sites from Google would it block?

That question is a very hard question to answer accurately by sampling, because it's not a question of just taking the list of sites and running it through the verifier tool, because the way that the entry can be done can be done in a way that you can fool the verifier tool. You have to know the exact path to put into the verifier tool.

In fact, I put that in my paper for verifying the Google cache blocking. If you just type in the Google cache itself, you get back the answer that it's not blocked because the actual site isn't blocked, but the way that you would do the lookup, the actual string itself, is where they have the blacklist entry.

So in order to do the image investigation, it was vastly easier to have the database in front of me and try to see which image sites had been blocked than fumbling around in this mine field and here are the mines. This, too, is cited in the expert witness reports and in the CIPA decision.

In the future, I expect that there's going to be more of an issue where what is blocked in these terms is going to be a factor in the Supreme Court. Whatever the Supreme Court decision is, there will probably be intense interest in investigating censorware.

Without this exemption, you're basically saying that people are constrained to do that exemption blindfolded.

Page 43

They cannot actually look at the database. They have to go through the mine field, poking and probing every single bit of territory.

MR. CARSON: I want to get back to that issue in a minute, particularly with you, Mr. Burt. But, first of all, can either of you, just so we've got as much of a record as we can, I want to make sure I've got from either of the two of you any examples you can give us of cases where people either have been taking advantage of the exemption or are in the process of taking advantage of that exemption. So that we, again, can understand that we're not just dealing with something theoretical here, but in concrete terms this is something that has been of benefit and will continue to be of benefit.

MR. BAND: Well, again, as Mr. Finkelstein has explained, his loophole research is a very strong example. My understanding is one of the witnesses in the California hearing is also going to be specifically addressing it.

I don't work directly in this area, typically, but my understanding from conversations with people in this area is that, as Mr. Finkelstein explained, that the expert witnesses do rely on the work that he did and that others like him have done within the past three years. But I believe that in the Los Angeles hearing you will be able to get more concrete examples besides what Mr. Finkelstein has specifically alluded to.

MR. FINKELSTEIN: Let me answer that also.

Page 44

There's something of a Catch-22 in your request because, in order to come here and plead for the exemption, what I have to do is actually confess to violating other laws. I have to come and say, "I have violated the shrink-wrap license. I have possibly violated classical copyrights. I may have violated trade secrets." There aren't many people who actually want to do that.

I mean, I think, for myself, that I am sort of a fool for doing this. I'm not getting any money for it. I'm not likely to benefit. Why am I poking my head on this?

In fact, if I knew somebody who was doing this, and they had trusted me that they would do this, I certainly wouldn't be blabbing that in a public hearing with Mr. Burt here ready to take anything back to his company. This is literally a case where anything I say can, and maybe will, be used against me in court.

So, again, I am going to have to ask you to be a little bit understanding that I can't give you a list of other people who are doing it right now because that would be, at best, violating trust and, at worst, getting them sued.

MR. CARSON: Okay, I get your point.

Mr. Burt, going back to something Mr. Finkelstein just mentioned, my reaction, when I read your comment -- and your comment made a very strong pitch that all sorts of studies had been done --

Page 45

MR. BURT: Uh-hum.

MR. CARSON: -- of filtering software, and almost all of those studies use what you call a query approach, which, if I understand it correctly -- and correct me if I'm wrong - the person who is doing the study has a list, and I don't know how big it is, of sites they want to check to see whether those sites are, in fact, filtered out and runs that test with a number of different filtering software and then comes up and reports their results. Is that basically how it is?

MR. BURT: That's basically how it is, yes. There are a number of different ways to get a sample. As the Kaiser study points out, they used a random-sampling technique. Or other people have done a purposeful sample because they want to answer a particular question. They want to get a big list of, you know, gay sites or sexual health sites and see what the results are, but that's correct.

MR. CARSON: Okay. All right, now I'm a layperson. Lord knows I know nothing about how to run such a study, but it does strike me that when you're doing that, when you're taking that approach, you're necessarily limited by the list that you, the researcher, come up with of sites that you want to check on. It also strikes me as a layperson that there is a lot to be said for, and a lot more that can be gained perhaps, from a study in which you simply say, "I want to see the list of sites that are blocked because then I can go down

Page 46

that list and I can make a determination in each case whether that is or isn't a site that I believe should be blocked.

Now we can then have a nice debate over whether of those individual sites, in fact, should or shouldn't be blocked, but at least the only way I can know everything you're blocking is by knowing everything you're blocking. The only way I can know what you're not blocking that perhaps should be blocked is by getting that list and then figuring it out.

Now what's wrong with that? What am I missing?

MR. BURT: Well, again, there are intellectual property concerns in exposing our database to somebody to examine. I think you seem to be kind of getting at a hypothetical question.

For example, where somebody such as the National Research Committee or Consumer Reports could come to us and say, "We want to take a sample of your entire database. We'll do it in our laboratory. You can be there. We'll sign NDAs. We'll ensure that it's protected," somebody that was like a reputable third party that wanted to do that, I can't say for sure that we would do that, but I know that we have had internal discussions about that, and we would very seriously consider doing something like that, if there were absolute guarantees that our intellectual property would be protected and it were a reputable kind of testing facility that was doing that.

We would not necessarily be opposed to something

Page 47

like that, but nobody has ever asked us that question, nobody, not even the people who do research that are opposed to filters, such as Mr. Finkelstein. None of these people have ever approached the filtering companies. At least -- I can't speak for all of them at all times that I'm aware of -- certainly not my company, asked to do this kind of an approach.

So, yes, that is something we would consider, if somebody absolutely felt they needed to do that, but we don't see that need being expressed by the research community. The people who did the JAMA study didn't express that need. The people who have done the other studies, such as the Consumer Reports study, that was rather critical of filters, did not express that need; neither do any of the other professional testing labs.

ZDNet Labs and InfoWorld test labs have not come to us and said, "We can't evaluate without being able to get at your entire database." They're perfectly satisfied with the results that they get and with the research that is published using a query method.

MR. CARSON: Does anyone else have a reaction on that particular question?

MR. FINKELSTEIN: Oh, plenty. (Laughter.)

David, do you have the e-mail where the representative for N2H2 said that I wouldn't get a demo because,

Page 48

as I quote, "working with you would be like working for the opposition."?

I like his comments about reputable, too, because you tend to find out that people who are the most critical and who know the most about the flaws are also regarded as the least reputable, at least in the company's regard.

Further, the last time I tried to get the demo from N2H2, straightforwardly get it filling out my name, I was outright refused. I was worse than outright refused. I was led on, and then I got a really obnoxious e-mail from their salesperson telling -- I'm just not going to quote it; it was so obnoxious.

He didn't care. The company's going to back him up for doing it, and he probably gets a bonus for it or a pat on the back for it. Mr. Burt thought that was great.

David, will you give me a demo? I would love one.

MR. BURT: If I could respond to that, what Mr. Finkelstein is referring to is a request for a free trial of our database, or not our database, our software, which we do offer to anybody. We give people free trials, a 30-day trial of our software, as do most filtering companies.

However, Mr. Finkelstein had conducted at least three previous 30-day trials before that, and it is not our business practice, nor is it of most software companies, to give an endless series of free trials to somebody. At some point you

Page 49

have to cut them off, if they are not going to pay for the product. So that was simply a standard business decision. It had nothing to do with Mr. Finkelstein.

MR. BAND: If I may respond, I think, Mr. Carson, you're exactly right about the fundamental problem with sampling, that obviously it tells you something, that it can be very useful at a macro level, but at a specific micro level it doesn't work, meaning it doesn't tell you whether a specific site that you don't know to look at, you have no idea whether or not it's blocked.

With respect to the assertion that no one has ever asked, well, typically, when people do want to do independent verification, they do it independently. I imagine in a Consumer Reports I would just be shocked if, when they want to do any kind of testing of General Motors' products, that they enter into a negotiation and then agree to do the testing at a General Motors' facility, under the supervision of a General Motors' engineer. It is not going to happen. That would compromise the independence of the survey.

MR. BURT: That's typically how product tests are done. The Kaiser Foundation, they did ask for a copy of our software when they evaluated it and did tell us what they were doing.

The other point I would like to make is that this issue of testing databases that have copyright protection, you

Page 50

could make the same argument about other copyright-protected databases, about Lexis/Nexis or about Dialog or some of the other ones that don't allow people to go in and access -- you can't request from Lexis/Nexis and get every single thing in the Lexis/Nexis database, complete, total, free, unlimited access to do that. Yet, there's a very rich testing literature of Nexis using querying methods to do that.

MR. BAND: Right, but it's a completely different situation. I mean, the whole point of the testing of the filter software is basically to get a sense of what kinds of sites it blocks. It poses very specific and very significant public policy issues. I mean, what's on the Lexis/Nexis database, I mean that's a commercial issue. If I don't like what's on the Lexis/Nexis, if I don't like what access I get, I will go to someone else. It has no public policy implication whatsoever, what is or is not available through Lexis/Nexis.

But if we're talking about government-mandated filters in public libraries and public schools, there is a huge public interest in knowing what is or is not censored. It is a completely different situation.

MR. BURT: I don't agree. I think simply because the government mandates the use of a product, that doesn't mean that that company loses all its intellectual property rights, just because it is government mandated.

MR. BAND: But, again, you're not losing your

Page 51

intellectual property rights. If Mr. Finkelstein, after doing his research, if he were to publish the database and make it publicly available, he would clearly be liable for copyright infringement because he is violating the copyright in the database. But if he, instead, makes a fair use and simply publishes, let's say, says you know, the N2H2 product blocks out these 10 sites, that would be a fair use and that does not in any way compromise your intellectual property rights. You're mixing two different categories.

MR. BURT: Well, Mr. Finkelstein, as I pointed out before, does not need to get access to our entire database to publish his list of 10 sites. He can do that with sampling.

MR. BAND: Not if he doesn't know which 10 sites to ask for. (Laughter.)

MR. FINKELSTEIN: This is again saying that you do not need to have a list of the land mines. You can go and prod every single bit of territory. I suppose that is true in theory, but in practice it is not supportive of the sort of investigations that I am trying to do. I want to, again, point out that, given this work that I have been doing, this decryption, this circumvention, it is immensely difficult. It has legal liability. It requires a great deal of programming skill. It requires certain advanced

Page 52

server tools and software sometimes which are not available to -- which are theoretically available, but not usually found with journalists and writers.

So the fact that when they do a simple sampling study doesn't mean that better research is being done. It's like saying that, if somebody does a slapdash job by walking down the street, you shouldn't let them go to the Library of Congress because they can already do something by walking down the street.

MR. CARSON: One final question: The reply comments filed by American Film Marketing Association had a number of other copyright owners, the reply comments. It made one point on this subject, which is that -- well, it made a number of points, but one of the points they made was that, if this exemption were continued for the next three years, it should not include network security software.

Now I don't pretend to be an expert on just what that means, but, first of all, I guess I was just wondering, is there anyone at this table who disagrees with that statement and, if so, can you explain to us why?

MR. FINKELSTEIN: I haven't reviewed it, so I can't say at the moment.

MR. BAND: No, I haven't studied that issue. So I have no position.

MR. CARSON: All right, thanks.

Page 53

MS. PETERS: David was pretty exhaustive in his questioning, but let's see if Rob has any.

MR. KASUNIC: Well, I'm going to have to sort through and see what's left after that, but I have a number of things to try to clarify a little bit.

First of all, just, I guess, addressing Seth first, in using the term "censorware," as opposed to "filtering software," why use that term, and is there a distinction? In your view, is filtering something broader?

MR. FINKELSTEIN: Oh, yes. I think the best public relations that the censorware companies ever did was to get the word "filter" attached to their products. When you think of a spam filter, for example, you think of something that you do not want to see.

But, again, as I said earlier, censorware is not like a spam filter. What censorware is, is an authority wants to prevent a subject under their control from viewing material that the authority has forbidden to them. This description is general. It does not apply just to parents or children. That is simply one instance of the general property. It could be the Government of China applying to citizens or it could be corporations applying to employees.

We can go back and forth as to who is right in what cases, but the general architectural properties are the same. In fact, one of the issues here is that, if censorware

Page 54

works for parents on children, then it's also going to work for the Government of China on its citizens. And, inversely, of course, if it doesn't work for the Government of China on its citizens, then it's probably not going to work for parents on children. This is one of the deep structural issues of the debate.

But putting that aside, a spam filter, for example, is something that you do not want to see and someone else wants to force on you for their own benefit. This leads to a different way of thinking about it.

For example, you can take something that's probably spam and shunt it off into another folder that you look at later on to see if that program has made a mistake. So you're allowed to see the decisions of the program and you're allowed to look through what it's done in order to see if it's incorrect or not.

They don't think that you have to be forbidden from reading the spam. I have never seen a spam filter that actually made it impossible for you to shut it off because there is something dangerous that might happen to you if you actually saw one of these spams.

That's the difference between the issue of something you don't want to see, which is filtering, and something somebody else does not want you to see, which is censorware.

Page 55

MR. KASUNIC: Okay, thanks.

MR. FINKELSTEIN: And this leads directly into the loophole sites that I have been talking about.

MR. KASUNIC: Well, in following up on that with the loophole site -- and, again, this is just sort of to clarify -- are you saying, then, would you have been able, Mr. Burt or David -- I have talked to all of you so many times in setting up these hearings I'm going to be informal.

MR. BAND: We're all old friends. (Laughter.)

MR. KASUNIC: David had said that you could have discovered the loophole category, even without circumvention, but is what you're saying that it's the scope? You could have identified that this existed, but you could have never identified what the scope of that category was?

MR. FINKELSTEIN: The extent of it would never have been found by sampling. How in the world was I going to sample HTML validation sites? It's not a statistical matter. You could say that you could sample land mines, but they're not statistical properties either.

The idea, what I was trying to do was to go through and figure out what things does Bess consider to be threats. That's not a question of, in this huge list of sites, is there anything here that Bess considers a threat. That's a different question.

Page 56

How would I ever have found that a site for testing how HTML is formatted was considered a loophole by sampling? It would be almost impossible. The language translation sites would probably not have been found by sampling even then, because of the specific way that the entry is listed, because it's not just the sites.

The way people usually do sampling is to get a list, a long list, of sites or a long list of URLs within the sites and just run it through the program. But the blacklist itself can have the entries on the blacklist in ways which are very hard to find out. Things like the Google cache, the actual entry is something like "?q=cache," for example, and that's just not going to be found in a sampling system.

MR. KASUNIC: What about systems or methods either than sampling, like, for instance, David had mentioned the log files? Would that get you any further?

MR. FINKELSTEIN: Well, the only reason he mentions log files is because log files have the two-letter code "LH" for "loophole," and when I was looking through the log files, I was trying to match up the little codes that they had for the actual categories in the database.

But the log files don't tell you anything more than the verifier tool does that they have there. It's just a big version of the verifier tool or a local version of the verifier tool. It is a sampling response which can be used for

Page 57

a sampling study, but it still has all the flaws of sampling and all the limitations of sampling.

MR. KASUNIC: Okay. Then, too, in terms of the other side of this, of the harm involved here -- and I'll put this more generally to the Panel -- but in your comments that you cite a report, N2H2 report, that states that, quote, "N2H2 does not believe that the final rule will affect the value of its lists of blocked websites," meaning the previous exemption, the rule under the previous exemption.

So has there, to your knowledge, first of all, been any harm to the industry in general because of -- and focusing this on the exemption on the prohibition for circumvention because I do want to get to some of the other aspects that David has been raising that maybe are broader than that of just the prohibition on the act of circumvention?

MR. FINKELSTEIN: I have not seen any evidence whatsoever that they have suffered in any way. In fact, the only thing that I had seen is they probably have to pay David Burt to go here. I mean, that's the only money that they have been out.

MR. BAND: And, also, obviously, indeed, the N2H2 comments reflect that the industry has grown significantly since the exemption was granted. So that would seem to refute any notion that the exemption has caused any harm whatsoever.

MR. KASUNIC: Well, David, I think that you

Page 58

deserve a chance to talk about that. It does note, we'll note on page 11 in the report that it has a bar graph, in your comment is a bar graph of the growth of the industry, and it looks like a steady growth even up through 2001, which would have been after the exemption went into effect.

MR. BURT: And the growth is continuing, too.

Again, I'll say that the only reason this exemption hasn't harmed filtering is because nobody has done any exemptions during the exemption period. The only circumvention that we've -- we have heard that question asked three or four different times, and the only example that has been presented is Mr. Finkelstein's example of the loophole category. So that's why we think no harm has been done to the industry during this three-year period because no one has taken advantage of it.

If you look before that three-year period, if you look at the experience of CyberPatrol, it is quite clear, looking at the judge's decision, that there was harm done to CyberPatrol by the decryption that was done to them. So that's where we stand on that.

We look at the example of what happened at CyberPatrol, and we look at what happened to Net Nanny and the bad publicity that they got, as the examples of what sort of harms can be done. That's why we look at that.

MR. KASUNIC: Well, specifically, then, you do mention some of these other cases and the specific harm that has

Page 59

been done. But in looking at some of those, it wasn't clear to me that the harm had anything to do with the act of circumvention. So that's what I was talking about wanting to get to.

The cases that you cite and quote talk about publication and dissemination of the tools, which would still be protected by the anti-trafficking provision and there's other areas. But what specifically related to -- what harm has been, or is likely to occur, as a result of the limited exemption based on the act of circumvention?

MR. BURT: Well, I can speak for my company in particular, because we are so heavily used in public schools. If our software is shown to be easily disabled, our database easily disabled, that really undercuts the trust that we have with schools in the United States, with teachers, to provide a safe, secure Internet experience for them.

And that was the problem that CyberPatrol had, too. That was their biggest concern, talking to the people there, at the time of the CP hack, the CyberPatrol decryption, was that all the millions of parents that trusted CyberPatrol to protect their children were suddenly rendered insecure, and the judge goes into some detail about that in his decision.

MR. KASUNIC: But we're talking about, you're saying, "if it's disabled." We're talking about circumvention for a list of websites within; we are not talking about

Page 60

disabling the entire program.

So if someone is able to circumvent to find the list, they may be able to find URLs to different sites, but how will that help someone who still has the software program functioning on the site? Even if you have the URLs, if all the school children in the world have URLs to all of these, as long as they have a protected computer, won't they still be prevented from viewing any of those sites?

MR. BURT: Well, as long as the software is functioning correctly, that's correct, they would still be protected there. But what that would do to our market, you know, to our customers, the trust they have in us, if it's widely publicized that your software has been compromised, that it has been hacked into, that the security systems that protect that software that's used to protect millions of children can be easily compromised and disabled and hacked into, that damages our product severely. It damages our ability to sell our product.

MR. KASUNIC: But, again, isn't that apples and oranges? Aren't we talking about --


MR. KASUNIC: -- the product being disabled?

MR. BURT: It is in a sense apples and oranges because, on the one hand, you're talking about disabling the product altogether; on the other hand, you're talking about

Page 61

disabling the database. But that's part of the product. That code that protects the database is part of the product. If they have compromised the code that is used to protect the database, they have compromised the whole product. They have compromised the whole software --

MR. BAND: They haven't compromised it; they have researched it. But, again, if they disseminate that beyond the narrow purposes permitted under the exemption, you know, as he said, that would be a trafficking violation. It, again, has nothing to do with the basic issue of circumventing for the purpose of seeing what the database is.

MR. BURT: It certainly does. Again, it violates the integrity of our code, and that violates the integrity of our product. Just the fact that that's public that people can do that violates the integrity and the marketability of our products.

MR. KASUNIC: Okay, well, let's --

MR. FINKELSTEIN: May I respond to that, by the way?

MR. KASUNIC: Yes, please.

MR. FINKELSTEIN: First of all, I think he is conflating two different aspects. One is researching the database, and the other is the operation of the program in use.

I had a comment about this in my submission, by the way, that the definition of harm does not encompass being

Page 62

shown to be a bad product in terms of parody, for example. I'm not going to find the quote, but the idea that, if you have a biting review of a play and this causes the play to shut down, that is not a copyright infringement, even though it causes economic harm. That is not a cognizable harm to be shown to be insecure.

Let me segue into some comments that he made just earlier about the CyberPatrol case, when they said they wanted to break CyberPatrol. "Break" is a technical term in cryptography. To break something is to figure out how it doesn't work, but it is not necessarily a bragging term, in the same way as copyright infringement also has a term of art where -- what do they call it? -- irreparable harm. That doesn't mean immeasurable harm; it means you get an injunction, as I understand it.

So it is simply a legal standard, whereas to people who hear these terms "break" and "irreparable harm," they may think it far more physically harmful than it is.

I would also like to say that, for all this talk of the pornography sites, since they were blacklists, they are really bad collections of pornography sites. (Laughter.)

I want to go into this because I get this -- no, let me go into this. People are always asking me this question: "Oh, boy, have you gotten any good porn sites?" And I tell

Page 63

them, "It's really, if you want to get some good sites, don't look in this censored blacklist."

In fact, I can demonstrate that -- (laughter) -- because when the CyberPatrol blacklist went out, nobody ever said that it was such a great collection. The reason why - this is important -- I know this is funny, but the reason why that they're such bad lists is because there's so much junk in them.

If you wanted a list of sex sites, would you want to go through somebody else's tastes, sites which didn't work, sites which had changed ownership, or so forth? No, you would want a good collection from somebody who had actually made a collection which would appeal to you, and there are people who sell them. There are people who make them for free. They have absolutely no impact on the research that I am doing.

It is something of a red herring. I know it's a, quote/unquote, "sexy" topic to say that they have these huge lists of pornography sites, but nobody has ever tried, except in a sort of snickering fashion, to use these lists as actual lists of pornography sites because they don't work well that way.

MR. BURT: If I could just follow up quickly with your question of irreparable harm, in addition to the harm to the security of our product, once our list is available to someone such as Mr. Finkelstein, who has it, are we at that point supposed to just simply assume that he's going to use it

Page 64


We have ceded all control over our copyrighted material, over our database, to somebody else, just on the assumption, without any kind of NDA, without any kind of contract, without any agreement, that he is not going to misuse that property; he's not going to sell it to somebody else; he's not going to profit from it. We have no guarantees of that.

That's the other part of the harm, is that we have lost complete control over our database, over the content that we worked so hard and invested so much money in, and simply trusting with nothing other than the man's good intentions to show that this is going to be used properly.

MR. BAND: But, of course, that is exactly what happens in 99 percent of the times with most works that are distributed to the public, that you rely on the copyright laws to enforce them. This is an important point because it really goes to, what is the DMCA all about and why did Congress enact it?

Congress enacted it to facilitate the development of an online marketplace in the kinds of works that are distributed to the public. What it was really trying to do is to say, "Look, we realize that there are, because of the Internet and because of digital technology, that users, once they get their hands on this stuff, are going to be able to widely distribute it."

Page 65

So the DMCA was necessary, not to protect a corporate owner against a competitor, but it was to protect the corporate owner against infringements made by the user. Okay? It was a different paradigm from the typical one, where you are worried about a competing publisher or a competing author. Here you're worried about what the users would do.

In this context, however, what you are concerned about is what a competitor will do. You are concerned, mainly, you say, about someone else who gets your database and gets into business, or you are worried about what Mr. Finkelstein will do. Well, you know what, you know who he is and you know where he is, and you also know where the competitor is. Therefore, the existing copyright laws are perfectly adequate to deal with this situation.

It is not the situation where, you don't have the kind of product where people are going to be interested in disseminating it widely on the Internet. It's not that kind of product. It's not like the latest Britney Spears song, for good or for bad, but it's just not like that.

Because of the different quality, you really, to the extent you are worried about the infringement that a competitor might make of it, the copyright laws provide you with a complete solution.

MR. BURT: Well, again, I think the other database, you could say certainly the same thing about other

Page 66

databases, that you could say they should rely on that, and no exemption has been granted for other databases, for published databases like Lexis/Nexis and Dialog.

I'm not here to get into a broader discussion about the DMCA because, first of all, I'm not qualified for what the legislative history of the DMCA was about, but we're not only concerned about competitors, but others as well.

You bring up the examples of Britney Spears and CD-ROMs, and I think the rise of peer-to-peer networks, nothing could make the dangers of allowing these copyright protections to be disabled more clear than the rise of peer-to-peer networks and the very quick and very easy way in which this material can be distributed through those networks.

MR. KASUNIC: But one thing here, I wanted to get back to that, because I know that you are not here to talk about the broader issue, but you have referenced all the other database discussion that was in the previous rule and related the filtering companies' databases to, for instance, Lexis/Nexis or Westlaw and other ones.

But in terms of the studies as well involved in those other databases, isn't there a difference in quantifying those between when you're talking about, for instance, retrieval outcomes, when you're doing testing of those databases? I guess this goes back partially to the sampling issue and how effective; that that was one of the reasons justifying sampling.

Page 67

But here, where we are talking about what's going to be excluded and what you'll never see, isn't there a distinction between using sampling for receiving positive results as opposed to receiving unseen results?

MR. BURT: I don't really think there is that big of a distinction. I'll tell you why. It's because, if you're using the querying to access a database such as Dialog and you don't find the record, you'll never know it's there. You have to search for it in order to find it and know it's there. So you really have the same issue because you have a copyright protected database that you're querying and finding things in it. If you miss some of those things, you're never going to know they're there.

You're saying about a filtering database. So I think the same reasoning should apply. The same objections and flaws that these gentlemen raise about sampling apply equally to databases, is that you're not accessing the entire database all at once, but you are taking a sample of it with any kind of a sampling technique.

But, again, if you look at the published literature, that is not seen as a limitation. I think it's really important to repeat that nobody in the research community that I'm aware of that is publishing professional software, testing research, is saying this about filtering databases, that you can't test them adequately using these querying methods.

Page 68

MR. BAND: Yes, but I guess, again, you're mixing categories. There is absolutely no public policy consequence of what is or is not in the Lexis/Nexis database. That is a commercial product, and if I want to buy it, I buy it. If I don't want to buy it, I don't buy it. It has no implication on any broader issues of censorship and the ability of the public to access information.

Whereas, here you are talking about something - you know, with Lexis/Nexis, that is the product. That is what you're trying to access. Whereas, in this whole filtering context, you're talking about what you can't access. Here we are simply trying to figure out, how do we figure out what are we not seeing? It's a completely different situation.

MR. BURT: Well, I think, as a librarian, and I think most librarians would agree with me, that there certainly are public policy implications to fee databases, how they're used, how they're distributed, who has access to them.

In fact, this Panel heard quite a bit of testimony about the public policy implications of Lexis/Nexis databases and other databases of that sort. So, again, I don't think that's much of a meaningful distinction anyway, but you could say there are public policy implications for other databases as well.

MR. KASUNIC: I have a lot of questions, but I am going to limit it to just a couple more, to give other people a

Page 69

chance to ask questions.

But since I have you here to ask some technical questions in terms of how these filters work, I see in your comment it lists, for instance, it looks like IP addresses as well as domains or URLs. Is this mixed in the filtering software? Is some of this IP addresses and URLs, and individual pages or whole domains?

MR. BURT: The answer is all three, and it depends on the filtering database. There are some filters that rely exclusively on numeric IPs. There are some that rely exclusively on URLs, and there are those that use a combination of both.

Some filters tend to block more at a page level. Some block exclusively at a domain level, and some offer a mixer. So your answer is complex because filtering is complex.

MR. KASUNIC: So once something enters the database, does it stay there? I noticed something in here that refers to the fact that there is a review of these, but, clearly, URLs or IP addresses aren't static. These are dynamic addresses that are constantly changing. So once something enters the database, how often is it reviewed to see whether it still should be in the database?

MR. BURT: Filtering companies do review their databases periodically, because, exactly as you pointed out, the Net changes and your entries in your database become stale after

Page 70

a while because the content changes, the site owner changes, the address disappears, and so forth.

I can't give you an exact figures on how often we check every site in the database, but we do periodically go through and check the sites. We particularly check to see, obviously, ones that are dead. That's a relatively easy thing to check for.

Then we check to see if content has changed. Typically, we don't go through manually each and every site to check if the content has changed, but if there's some kind of indication about the site, using our artificial intelligence, that there's been a change to it, we will go back and take a look at it and re-rate it, if need be.

MR. KASUNIC: So if you find there's a problem through some technical means, you'll go back and look at it --

MR. BURT: Uh-hum.

MR. KASUNIC: -- but not necessarily go through the entire list and recheck them at some periodic intervals?

MR. BURT: At some point, they all do get rechecked, but it may be quite a while before each site gets checked.

What's really important is the user feedback, too. Through our database, the URL checker is where people can enter sites and ask that they be categorized or ask that the categorization be changed, too. So that is an important source

Page 71

of input for us as well, what the users do.

MR. KASUNIC: Wouldn't the input, then, from people who have had access to the entire database and who were able to find maybe more specific and broader problems with particular categories, wouldn't that input then also be helpful in that same way, that rather than the sort of hunt and peck, you would have more profound input into potential problems?

MR. BURT: We really haven't seen that to be true because what publications we've seen criticizing filtering software that used decryption -- and there haven't been any of those for quite a while, not during the period -- typically, only cited, you know, a dozen or two dozen or so examples and say, "Hey, look, here are problems with the database. This is why there's problems with it," and don't really tell very much about it.

So any of the decryption research that I have seen, I have not seen anything particularly useful out of that that we would have a use as filtering company.

MR. FINKELSTEIN: May I reply to that? First off, Mr. Burt has just articulated a wonderful reason why decryption is important: because he is a marketing representative. That is his title. He can come to you and tell you anything, and you have no way of knowing if it is true or not, and he has an incentive -- let me put this gently -- to tell you things that put his company in the best possible light.

Page 72

If researchers are forbidden by law to actually check on what he is telling you, that has profound public policy implications. He has just articulated a very interesting study which would almost absolutely require decryption to be done. Take a list of things that you know are improper and see how often they get checked just day by day. You can't do this very well with using the validator because there will be too many, and if you start hitting the validator every single day, they'll get suspicious or they could get suspicious. Again, this comes back to the Consumer Reports testing idea. Consumer Reports does not do their testing by going into the labs of the company which they are testing. So then see how often the errors are corrected. I haven't done this, true, because I am volunteer. If someone gave me $200,000, like the Kaiser Foundation gave to the people who did the JAMA study, I could do more studies. But I just do what I can.

MR. KASUNIC: Okay. I want to move to just the last couple of questions to, I think, primarily Jon about some comments that were made about the burdens in the rulemaking for this exemption, a couple of things that were raised in Steve Metalitz's comment, and see what your response to some of that is, since we'll be hearing from him later in California on this issue. Regarding the burden for continued exemption,

Page 73

which the library associations support here, in your view, must a proponent prove how many will be able to accomplish or have actually accomplished the circumvention during a given period in order to sustain their burden?

MR. BAND: I think certainly whether it has been used at all is a relevant consideration, but, by definition, if the circumvention is permitted, if it's lawful, I think that a lot of things will be happening that no one is going to know about, because it's lawful. There's a lot of lawful activities going on that you don't know about. You find out more about the unlawful activity than the lawful activity.

So I think it's always going to be hard to get the full sense of what the lawful activity is, but I think it is a relevant issue. I think certainly in this instance we have Mr. Finkelstein right here who has given a very convincing example of an important discovery he made using the exemption during the relevant period.

MR. KASUNIC: Okay, and one last point is or question: Do you have any thoughts about Mr. Metalitz's suggestion that, if we do recommend an exemption in this particular rulemaking, unlike the last time, that it should be more narrowly tailored? For instance, he expresses the recommendation perhaps that the scope should be narrowed to include, for instance, requesting permission, as is used in some of the other statutory exemptions, requesting permission first

Page 74

of the filtering company's software.

Do you think that --

MR. BAND: No, I think that that -- I, unfortunately, was involved with the negotiations of those other exemptions. We very reluctantly agreed to the issue of asking permission, but that was the only way we were able to get anything at all.

I think, again, that is a bad precedent, and I don't think it's a precedent that should be followed here, especially in this context, because it is so easy for the filtering company to adjust what's on its blacklist or not. If it knows someone is going to look at it, if I have to go and ask for permission, then they might say, "Okay, sure, we'll give you permission," but in the back and forth, the conditions, and when they're going to give permission, and so forth.

In that month period that might go on, who knows what they might do with their database, and they might themselves decide to scrub the database. That's exactly one of the problems of having to ask for permission, that it, in essence, sort of compromises the whole investigative process.

MR. KASUNIC: Well, I guess just in followup, part of what I was asking, do you think that's within our scope, in order to create an exemption that would include this affirmative act by someone seeking to avail themselves to this exemption?

MR. BAND: I haven't thought about that. I will

Page 75

have to go back and see whether it's -- it's probably not specifically within the statutory authority granted by Congress, but I guess, from a policy point of view, my personal gut reaction is, I would prefer to see -- if the issue is, if the question is, no exemption or an exemption with a request, it is better to have the exemption with the request than no exemption. But I think it's better to have an exemption without any strings attached.

MR. FINKELSTEIN: I have a comment on that. I agree with what Mr. Band just said, but I also want to say that affirmatively asking permission is like carrying a big target on yourself and saying, "Attack me. I want to do something against you. Marshall all your forces and do everything you can to make sure that my research will be hindered."

I refer to Mr. Burt sometimes as my most dedicated reader because he watches me like a hawk. (Laughter.)

And this is his job. It sort of comes with the territory. But to make it a requirement for someone to do this is putting immense amounts of grief on them.

Again, let me just respond to some earlier comments here about something that didn't get published, precisely because of this amount of grief. When you talk about doing a study with circumvention, I just have a hard time conveying how difficult it is. This is why you don't see so

Page 76

many of them. It is a great deal of effort and risk.

First, you have to actually get the software. This is not necessarily an easy thing. If you come and tell the company that you want their software in order to criticize it, when they look you up and see your record, they don't happily turn it over if they know that you're going to do this necessarily.

Then you have to do the work and consult with lawyers or do it entirely without legal counsel. Then you have to worry about what's going to happen when you actually publish it.

I had a paper that I was going to publish during the CIPA trial, and for various reasons having to do with legal things that happened right then, I just decided it's not worth doing this. It's not worth taking the risk of a lawsuit that's going to go on for years and years to publish this material. The more you increase that risk, the more you discourage people from actually doing the work.

MR. KASUNIC: Thank you.

MS. PETERS: Steve?

MR. TEPP: Thanks. I've only got a few questions left along two basic threads.

The first one is on this, as you put it, the architecture approach versus the sampling approach. I find it interesting that Mr. Burt has been able to cite to a number of

Page 77

studies and examinations of filtering software that employ the sampling approach.

So I guess my question to the proponents is, why is it that they seem satisfied with that and they think a reasonably sufficient study, an examination of filtering software, can be done using that method? But you don't?

MR. FINKELSTEIN: Because I am asking a different question. Sampling is easy. It answers one statistical question. If you need a publication, if you need a review, if you're a person who has to write something up for the research journal or for a computer magazine, it is the obvious thing to do.

But if you want to do a deep study, if you want to actually try to figure out, what are the requirements, that is a very difficult thing to do. It's like saying, why are people satisfied with McDonald's hamburgers when there are so many of them, when there are gourmet restaurants? And the answer is because McDonald's hamburgers are cheap and gourmet restaurants are expensive.

When something is expensive and difficult and risky versus cheap and easy and readily available, you get what's cheap and easy and readily available. But this doesn't mean the expensive and difficult thing is somehow less worthy for being rare.

MR. TEPP: I understand your point. I guess what

Page 78

I'm curious about is, why no one else is interested -- I mean, those sound like interesting questions. Why isn't anybody else looking at this? Why aren't these institutions that conduct these studies interested in the architecture of the filtering software?

MR. FINKELSTEIN: Because there's no money in it and it is legally risky. There is a quote from Ben Edelman, who is part of the Edelman v. N2H2 case, a widely-reported quote: "I want to go to law school. I don't want to go to jail."

When I look at what I spent on this -- "spent" is even the wrong word -- when I look at the effort I put into this, when I could have been building a business during the IPO gold rush, there's times I really wonder if I made the right decision.

Nobody who is looking at a research project is going to say, "Well, gee, let me put my research into something which might get me sued, which might get me unending legal hassles, which might get me into trouble with the dean, which might get me bad press, which will certainly get me enmity of these powerful companies, or I could do something cheap and easy." What are they going to take?

Look at what happened to Ed Felten with the threats from the Secure Music Digital Initiative case. People get scared.

MR. TEPP: Okay, that's segues, actually, nicely

Page 79

into the second thread I wanted to pursue. You have been quite articulate about the concerns you have about the legal consequences of revealing the full scope of all the actions you have taken and the chilling effect that the law may have on others who may be doing similar sorts of things. But I think that puts back on us an interesting consideration. What is the justification for allowing an exception to the anticircumvention provisions in 1201(a)(1) for allowing activity that, as you have described it, may very well violate copyright licensing agreements, trade secrets, et cetera?

MR. FINKELSTEIN: Because that's not within the purview of the Panel. The Panel is charged with figuring out whether the circumvention itself should be forbidden or not. You can't leverage it. It's a circular argument. The courts have the ability, the courts have the job of judging those other items. But I think that you have to proceed, assuming that they judge it lawful, should the Panel itself make it unlawful? What I am telling you is that the cost of going to court to find out if it is lawful is enormous and ruinous. This often intimidates people from even trying. That is the risk that I am taking. But when you do your determination, you should assume that it is lawful because the court has not decided otherwise.

Page 80

MR. BAND: Also, if I may, there's a couple of other possible responses to your question. One is the availability of all these other protections calls into question why Congress enacted the DMCA in the first place, but that's also beyond the purview of this body. But I just wanted to mention that.

I think also, and relatedly, it would seem to me that in this situation, if someone did a very close legal analysis, the most likely legal risk would be breach of contract, but I don't think there would be a copyright violation because any dissemination of the information would probably be a fair use, because you would typically review sites out of the 4 million, and that would almost certainly be a fair use.

So I think that the issue in trade secret, of course, you are allowed to reverse engineer. That is not a breach, that is not a trade secret violation unless, again, you get to the contract, if you're somehow violating the contract.

So that would be the issue, and I think at that point you could say, well, maybe there's preemption. So you would have to do a very close, lengthy, legal analysis. It could be that at the end of the day you would conclude that to engage in this activity would not be a breach of contract; it would not be unlawful to do that.

But it would require a legal analysis and probably at the end of the day you would say, well, maybe; maybe not, or

Page 81

the risks are -- you know, you will probably be sued, but you might prevail, and so forth. But I don't think it's a foregone conclusion that to engage in the circumvention, if an exemption is granted, would clearly be unlawful. It's just there would be -- it would be a gray area.

MR. TEPP: Okay. Just so we're clear, I am not stating any legal conclusions about what any activity conducted under the existing, or possibly future, exemption may or may not result in, but to the extent that concerns have been raised by the proponents of an exception, that they may face liability under some of the various areas we have discussed, I think it is a relevant consideration. Certainly, at the very outset, the rulemaking is not to determine whether or not an exception generally is a good thing, but whether or not an exception for the purpose of non infringing uses is the core question. So copyright is clearly implicated. To the extent that the Librarian has the opportunity to take into consideration other factors, it doesn't seem to be irrelevant, as a public policy matter, to consider whether or not an exception that's being pursued may be exception for activity that violates other laws.

MR. BAND: No, I agree that it's a relevant consideration, but, again, everything here cuts both ways. I

Page 82

could say that, given the gray -- you know, given the fact that there are other legal issues involved would lead to the result that, were you to grant an exception to the circumvention, that the exemption would be taken advantage of rarely by people who would be going in with their eyes open, would receive advice of counsel, and to minimize their risk, and, therefore, would occur rarely, and the likelihood of having any adverse impact to the copyright owner would be minimal.

MR. TEPP: Okay. Well, let me turn this on its head then and come over to Mr. Burt and ask: You have cited a number of cases and instances where filtering software companies have defended their legal rights against those who sought to do various sorts of things with their software, and specifically the database that's the heart of the software.

So my question to you is: Don't those also demonstrate that, even without the protection under 1201(a)(1) prohibiting circumvention, you do have adequate legal measures to protect the industry, and that, as a result, an exemption, if a new one is granted going forward, has relatively little likelihood of adverse effect?

MR. BURT: Well, we would like to get this exemption, too, just as all the other database publishers do as well, just because we think we do need this extra added layer of protection, and that is, in fact, why the law was passed in the first place, to provide that -- Congress wouldn't have passed

Page 83

the law if they didn't think that there was a need for greater protection.

I think, as I mentioned earlier, the rise of peer to-peer networks and the very rapid, widespread ability to distribute large files, large database files such as ours, makes the need for this extra protection really clear.

MR. TEPP: Well, I don't want to start a debate over the adequacy of protection. Obviously, we have, for example, the Napster case, which shows that copyright on peer to-peer networks can be addressed through the courts in the United States.

What is it that you have seen or that you think is likely to occur that isn't protected in some other way and then that shouldn't be allowed?

MR. BURT: The circumvention of our copyright protection for our database, just to get in there. You're asking me really to talk about how specifically different aspects on copyright apply to us as a company, and I'm really kind of reluctant to go down that path because I'm not a copyright attorney. I'm not familiar with how each individual law applies to us. So I guess I have to defer that question a little bit just because of lack of legal knowledge.

MR. FINKELSTEIN: Let me just make a remark. As you say, the exemption is for non-infringing uses. The problem is, though the use may in theory, if argued out in a four-year

Page 84

legal case, be determined to be non-infringing, it is very difficult to be the person who goes through that court case for four years to establish it.

I would like to quote from the CyberPatrol case, from one of the programmers who wrote about this, and what he wrote has been very affecting to me. He wrote, "What I found out was that those organizations, through no fault of their own, were able to give me a lot of sympathy and not enough of anything else, particularly money, to bring my personal risk of tragic consequences down to an acceptable level, despite, incredibly, the fact that what I had done was legal. Ultimately, I couldn't rely on anybody to deal with my problems but myself. Some people learn that lesson a bit less impressively than I had to." I'm trying not to learn that lesson impressively either. (Laughter.)

And I would also like to quote from the CyberPatrol case, which Mr. Burt brings up. One of the initial statements says, "The defendants don't have a fair use defense because they haven't submitted one." So he's using the case where there was no defense, and the reason there was no defense to establish that this was a non-infringing use was this personal risk of tragic consequence to the person who did it. Do you see my problem?

MR. TEPP: Well, I do. Let me turn it around on

Page 85

you, I guess, and say, if there are so many chilling effects from other aspects of the law, does that not limit the potential utility of an exception to 1201(a)(1) because that's only one of the myriad of possible darts that could be thrown at you?

MR. FINKELSTEIN: What it says is that this is not the be-all-and-end-all of the investigations. This is just one part of the risk. As I said, it's a hierarchy. In this case, what we're talking about is the ability just to do it, to say that you have done it. It may not be the case -- let me make sure this doesn't get too convoluted. If you have this prohibition in place, then you can't even do the work. You can't even say that you've done it by decryption, and if they ever find out that you have done it by decryption, you are liable. It is not necessarily true that, if you have the ability to do it, that you will do it. But if you don't have the ability to do it in the first place, then you will never do it at all. Is that clear?

MR. TEPP: I follow you. All right, thank you.

MS. PETERS: Charlotte?

MS. DOUGLASS: I just have a few quick checking questions, actually. I would like to know what is the -- if you could just give me a general idea of the decrypting community? How large is the group of people who are likely to need to

Page 86

decrypt over the next three years? Or what is the community like?

MR. FINKELSTEIN: There aren't that many people doing it because, as I say, it's risky and not a lot of money. So you either find people like me, who are extremely dedicated to civil liberties, or you find other people who have no idea of what they are getting into. (Laughter.) I, in fact, do know of some people who have done this work and not revealed it. I haven't asked them why they have not revealed it, but it is again the case, if they are not going to tell me why they are doing it, I can't tell you that they exist.

MS. DOUGLASS: So it's not a community of one or two, or whatever?

MR. FINKELSTEIN: It's maybe six people or so, but who knows who else is out there that may someday suddenly get the idea to do this either for dedication or ignorance.


MR. BAND: But I would just make two points. One is, obviously, this is a subset of a much larger community that is engaged in encryption research and security testing generally. I mean, so this is a subset of a larger group. I also think that if the Supreme Court reverses the lower court in the CIPA decision, and then you start having

Page 87

-- and then schools and libraries are required by law to use the filters, if they receive federal funding, I suspect at that point the public interest in the issue will rise significantly, and at that point the group of six might become twelve.

MR. FINKELSTEIN: It might become a growth industry.

MR. BAND: Yes. (Laughter.)

But I suspect at that point, once people start seeing that it has more and more of an impact, and also as I think more and more businesses start using it, but especially once the public schools and the public libraries across the country are all required, if that unfortunate day comes where the Supreme Court reverses the lower court, then I think you will see -- and that would happen sort of within the next three years, you know, probably within the next three months that they will make their decision.

At that point you'll see, you could see a potential growth, but still it's not going to be an exponential growth because you're talking about something that's very hard to do. Again, you do have the sampling option, which is a simpler, less-refined approach, which tells you something but it doesn't tell you everything.

So the group of people who are going to sort of pursue that, dig down to really get all the details, to really

Page 88

understand completely what is or is not blocked, is always going to be a relatively small group of people.


MR. FINKELSTEIN: I would like to say it's not like Napster. (Laughter.)

MS. DOUGLASS: Okay. I would like to ask you, Mr. Finkelstein, how many different types -- or is this something that can't be grasped by just a layperson -- how many different types of research methods are there in terms of, you know, there is decryption; there is maybe log filtering; there's querying? How many particular categories are there in order to do research on filtering websites?

MR. FINKELSTEIN: Oh, you've basically covered the main ones: sampling, log investigation, and decryption.

MS. DOUGLASS: Oh, okay. Thank you.

I have a question for you, Mr. Burt. That is about harm. Do you believe that any of the companies that are now in business would be harmed to the extent that they might not be in business; they might decide, "Well, there's all of this encryption going on; we might as well close up."? Is that the kind of harm that's taking place?

MR. BURT: I think if the decryption were to become widespread and the publication of the lists and availability of the lists were to become widespread, that would

Page 89

drive some companies out of business because they would lose all of their investment, because other people would be taking it.

MS. DOUGLASS: But the publication of the lists might be a copyright infringement. So just the decryption itself, would people -- I'm thinking back to your comment on, I think someone cited to us, saying that the 2000 exemption did not have any harmful effect on your industry.

So I'm just trying to get a grip on particularly the exemption's harm to your industry.

MR. BURT: Well, again, as I said earlier, it didn't have any harm because nobody has used the exemption that we know of.

MR. BAND: But Mr. Finkelstein has --

MR. BURT: Excuse me. I'm being censored here. I've got to talk. (Laughter.)

I'm a librarian; I can say that.

As far as I know, no one has used this exemption to do this kind of research. That's why there hasn't been any harm that I'm aware of. But, again, as I said, the harm could be quite bad. If the exemption were heavily used and people were trafficking these lists quite widely, the harm could be quite widespread.

MR. FINKELSTEIN: David, will you authorize me to send to the members of the Panel the complete N2H2 blacklist to

Page 90

prove that I have, indeed, circumvented the encryption?

MR. BURT: Again, as I said earlier, I can't make legal decisions like that for my company. I'm not empowered to do that.

MR. FINKELSTEIN: Well, then, will you reserve your characterization because of the fact that I have offered to prove it?

MR. BAND: I also, not to belabor the point, but this is a little bit like the Iraqi Information Minister saying, "No, there are no American troops in Baghdad," when, you know, the American troops were right there. You keep on saying, "No, no circumvention has occurred," when right next to you there's a guy who has said a dozen times, "I circumvented it and this is what I did." I am a little surprised. That's all I can say. (Laughter.)

MR. BURT: Well, I think it's certainly illustrative that you have compared the filtering industry to the Baath Party, what you think of it. (Laughter.) I think Mr. Finkelstein would probably agree with you. (Laughter.)

MR. FINKELSTEIN: I think more like China.

MR. BURT: But Mr. Finkelstein has, as you said,

Page 91

he said, that is the only evidence he has presented, the only --

MR. FINKELSTEIN: I have offered more evidence. You just won't let me present it.

MR. BURT: Well, you guys won't let me talk or I would finish.

The only evidence he has presented is this inference, based on inference, about this loophole category that, by his own admission, that information was publicly available. So I don't consider that proof.

So I'm curious, what exactly proof? Are you offering to mail my company a copy of our database?

MR. FINKELSTEIN: No, I'm offering to e-mail it to all the members of the Panel. I'll cc you if you want.

MR. BURT: Why don't you just simply send it to our company?

MR. FINKELSTEIN: Why would I do that? (Laughter.)

MR. BURT: Well, okay, you're saying you want to prove that you did this. So why don't you send it to our company instead of the Panel?

MR. FINKELSTEIN: I think that the Panel might make better use of it.

MS. DOUGLASS: I actually think that I am finished with my questions. (Laughter.)

Page 92


MR. FINKELSTEIN: One more legalistic comment: Again, in N2H2's own documents -- I want to stress this -- they say, "N2H2 does not believe that the final rule will affect the value of its lists of blocked websites." That is them saying it, not me.

MS. PETERS: I hear you. Actually, there was a lot of interaction between the panelists, which was very helpful. However, I want to make sure that, if any one of you has a question to ask anyone else, now is the time. Jonathan says no.

MR. FINKELSTEIN: No questions at this time.

MR. BURT: No questions at this time.

MS. PETERS: All right, then I want to thank our three witnesses: Mr. Band, Mr. Finkelstein, and Mr. Burt. It was very helpful.


MS. PETERS: And we'll be back this afternoon. You won't, but we will. (Laughter.)

(Whereupon, the foregoing matter went off the record for lunch at 12:12 p.m. and went back on the record at 1:33 p.m.)

Page 93