Legal Archive

FTC rewrites rules on Big Tech mergers with aim to ease monopoly-busting

Ars Technica: Antitrust enforcers released a draft update outlining new rules today that officials say will make it easier to crack down on mergers and acquisitions that could substantially lessen competition in the US. Now the public has 60 days to review the draft guidelines and submit comments to the Federal Trade Commission (FTC) and the Department of Justice (DOJ) before the agencies’ September 18 deadline. A fierce debate has already started between those in support and those who oppose the draft guidelines. Any corporation should be serving the democratically elected government of a country – not the other way around. If a merger or acquisition is deemed harmful to the competitive landscape, and thus to consumers, a government should be able to just stop it. The same applies to corporations who grow too large, too rich, too powerful – if a company’s actions start to dictate significant parts of the market or even economy, they are a threat to the stability and functioning of the society it’s claiming to be a part of, and as such, they should be able to be split up or their actions otherwise remedied to protect society. In other words, any steps the US FTC and DOJ take to take control over runaway corporations are positive.

No cyber resilience without open source sustainability

Together with the open source software community, GitHub has been working to support EU policymakers to craft the Cyber Resilience Act (CRA). The CRA seeks to improve the cybersecurity of digital products (including the 96 percent that contain open source) in the EU by imposing strict requirements for vendors supplying products in the single market, backed by fines of up to €15 million or 2.5% of global revenue. This goal is welcome: security is too often an afterthought when shipping a product. But as written it threatens open source without bolstering resilience. Even though the CRA, as part of a long-standing line of EU ‘open’ strategy, has an exemption for open source software developed or supplied outside the course of a commercial activity, challenges in defining the scope have been the focus of considerable community activity. Three serious problems remain with the Parliament text set for the industry (‘ITRE’) committee vote on July 19. These three problems are set out below. Absent dissent, this may become the final position without further deliberation or a full Parliament plenary vote. We encourage you to share your thoughts with your elected officials today. The three problems are substantial for open source projects. First, if an open source project receives donations and/or has corporate developers working on it, it would be regulated by the CRA and thus face a huge amount of new administrative rules and regulations to follow that would no doubt be far too big a burden for especially smaller projects or individual developers. On top of that, the CRA, as it currently stands, also intends to mess with the disclosure process for vulnerabilities in a way that doesn’t seem to actually help. These three problems are big, and could have far-reaching consequences for open source.

Online advertising giant: people who want to rein in online ads are “extremists”

The Interactive Advertising Bureau, one of the biggest names in online advertising, held some sort of corporate event or whatever in January of this year, and the IAB CEO, David Cohen, gave a speech there to rally the troops. Apparently, those of us who are fighting back against the online advertising industry? We’re “extremists”. Extremists are winning the battle for hearts and minds in Washington D.C. and beyond. We cannot let that happen. These extremists are political opportunists who’ve made it their mission to cripple the advertising industry and eliminate it from the American economy and culture. This guy, who uses double spaces after a period and hence is already on my shitlist, just gave us an amazing creed.

The shady world of Brave selling copyrighted data for AI training

As you may have noticed, I used the word copyrighted for the title of this story. And it’s not without reason. I think this story could have been fairly decent even without the copyright part, so before we get to the nitty gritty stuff – I can 100% confirm that Brave lets you ingest copyrighted material through their Brave Search API, to which they also assign you “rights”. Time and time again, Brave gets caught doing slimy things. Just don’t use Brave. There are far, far better and more ethical alternatives.

European Commission blesses new user data transfer agreement between EU and US

Today, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards. In 2020, European Union courts struck down the previous agreement between the EU and the US, the Privacy Shield, as the court stated it did not sufficiently protect EU user data from US government surveillance. This was obviously a big problem for companies like Facebook and Google, and ever since, the two blocks have been trying to come up with a replacement that would allow these companies to continue to operate relatively unscathed. In the meantime, though, several European countries handed out large fines to Amazon and Facebook for not taking proper care of EU user data. So, what makes this new agreement stricter than the previous one? The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to. 
I’m obviously no legal expert so take this with a grain of salt, but this kind of feels like yes, there are additional protections and safeguards, but if (let’s be real here: when) companies like Facebook violate these, don’t worry, EU citizen! You can undertake costly, complex, and long legal proceedings in misty business courts so Facebook or whatever can get fined for an amount that Zuckerberg spends on his interior decorator every week. The courts struck down the Safe Harbor agreement in 2015, and the aforementioned Privacy Shield in 2020, so we’ll see if this new agreement stands the test of the courts.

The solid legal theory behind Nintendo’s new emulator takedown effort

Ars Technica: This weekend saw an exception to that rule, though, as Nintendo’s lawyers formally asked Valve to cut off the planned Steam release of Wii and Gamecube emulator Dolphin. In a letter addressed to the Valve Legal Department (a copy of which was provided to Ars by the Dolphin Team), an attorney representing Nintendo of America requests that Valve take down Dolphin’s “coming soon” Steam store page (which originally went up in March) and “ensure the emulator does not release on the Steam store moving forward.” The letter exerts the company’s “rights under the Digital Millennium Copyright Act (DMCA)’s Anti-Circumvention and Anti-Trafficking provisions,” even though it doesn’t take the form of a formal DMCA takedown request. In fighting a decision like this, an emulator maker would usually be able to point to some robust legal precedents that protect emulation software as a general concept. But legal experts that spoke to Ars said that Nintendo’s argument here might actually get around those precedents and present some legitimate legal problems for the Dolphin Team. This silly cat and mouse game between Nintendo and emulators is childish. The only people getting rich off this are lawyers.

US federal judge makes history in holding that border searches of cell phones require a warrant

With United States v. Smith (S.D.N.Y. May 11, 2023), a district court judge in New York made history by being the first court to rule that a warrant is required for a cell phone search at the border, “absent exigent circumstances” (although other district courts have wanted to do so). EFF is thrilled about this decision, given that we have been advocating for a warrant for border searches of electronic devices in the courts and Congress for nearly a decade. If the case is appealed to the Second Circuit, we urge the appellate court to affirm this landmark decision. Of course, a decision like this can go through quite a few more courts, but it’s a good precedent.

Apple fails to fully reboot iOS simulator copyright case

Apple Inc. failed to fully revive a long-running copyright lawsuit against cybersecurity firm Corellium Inc. over its software that simulates the iPhone’s iOS operating systems, letting security researchers identify flaws in the software. The US Court of Appeals for the Eleventh Circuit on Monday ruled that Corellium’s CORSEC simulator is protected by copyright law’s fair use doctrine, which allows the duplication of copyrighted work under certain circumstances. CORSEC “furthers scientific progress by allowing security research into important operating systems,” a three-judge panel for the appeals court said, adding that iOS “is functional operating software that falls outside copyright’s core.” Good.

Microsoft’s GitHub Copilot is massive copyright infringement

Before you read this article – note that Codeium offers a competitor to GitHub Copilot. This means they have something to sell, and something to gain by making Copilot look bad. That being said – their findings are things we already kind of knew, and further illustrate that Copilot is quite possibly one of the largest, if not the largest, GPL violations in history. To prove that GitHub Copilot trains on non permissive licenses, we just disable any post-generation filters and see what GPL code we can generate with minimal context. We can very quickly generate the GPL license for a popular GPL-protected repo, such as ffmpeg, from a couple lines of a header comment. Codeium claims it does not use GPL code for its training data, but the fact it uses code licensed more permissively still raises questions. While the BSD and MIT-like licenses are more permissive and lack copyleft, they still require the inclusion of the terms of the license and a copyright notice to be included whenever the covered code is used. I’m not entirely sure if using just permissively licensed code as training data is any better, since unless you’re adding the licensing terms and copyright notice with every autocompleted piece of code, you’re still violating the license. If Microsoft or whoever else wants to train a coding “AI” or whatever, they should either be using code they own the copyright to, get explicit permission from the rightsholders for “AI” training use (difficult for code from larger projects), or properly comply with the terms of the licenses and automatically add the terms and copyright notices during autocomplete and/or properly apply copyleft to the newly generated code. Anything else is a massive copyright violation and a direct assault on open source. Let me put it this way – the code to various versions of Windows has leaked numerous times. What if we train an “AI” on that leaked code and let everyone use it? Do you honestly think Microsoft would not sue you into the stone age?

Italy cuts off ChatGPT due to privacy concerns

While ChatGPT has become what seems like a household name, the AI model’s method of data collection is somewhat concerning and has some clear negative connotations. With that being the case, Italy is moving forward with legal action to stop ChatGPT from operating for the time being. Good. These corporate, for-pay tools are built upon the backs of untold numbers of writers and other artists who have not been asked if they want their works to be used. For instance Microsoft will stomp any misuse of its codes or trademarks into the ground, but at the same time, it’s building entire profit streams on the backs of others. This is wrong.

The Internet Archive has lost its first fight to scan and lend e-books like a library

A federal judge has ruled against the Internet Archive in Hachette v. Internet Archive, a lawsuit brought against it by four book publishers, deciding that the website does not have the right to scan books and lend them out like a library. Judge John G. Koeltl decided that the Internet Archive had done nothing more than create “derivative works,” and so would have needed authorization from the books’ copyright holders — the publishers — before lending them out through its National Emergency Library program. As much as we all want the Internet Archive to be right – and morally, they are – copyright law, as outdated, dumb, and counterproductive as it is, was pretty clear in this case. Sadly.

EU upholds Google’s 4.1B euro fine for bundling search with Android

Google has lost its latest battle with European Union regulators. This morning, the EU General Court upheld Google’s record fine for bundling Google Search and Chrome with Android. The initial ruling was reached in July 2018 with a 4.34 billion euro fine attached, and while that number has been knocked down to 4.125 billion euro ($4.13 billion), it’s still the EU’s biggest fine ever. The EU takes issue with the way Google licenses Android and associated Google apps like the Play Store to manufacturers. The Play Store and Google Play Services are needed to build a competitive smartphone, but getting them from Google requires signing a number of contracts that the EU says stifles competition. Google breakin’ rocks in the hot sun.

EU regulators want 5 years of smartphone parts, much better batteries

The most notable proposed fix (listed in Annex II) is for phone makers and sellers to make “professional repairers” available for five years after the date a phone is removed from the market. Those repairers would have access to parts including the battery, display, cameras, charging ports, mechanical buttons, microphones, speakers, and hinge assemblies (including for folding phones and tablets). Phone companies also get a choice: either make replacement batteries and back-covers available to phone owners or design batteries that meet minimum standards. Those include still having 83 percent of its rated capacity after 500 full charging cycles, then 80 percent after 1,000 full charging cycles. Apple, for example, currently claims that its iPhones are designed to retain 80 percent capacity after 500 charge cycles. Good. I’ve been saying it for years: if the automotive industry can be legally obligated to provide spare parts, repair information, and more to third parties, so can the technology industry.

Ring, Google and the police: what to know about emergency requests for video footage

CNet decided to ask makers of home security cameras about their policies when it comes to dealing with requests from United States law enforcement: Ring, the Amazon-owned video doorbell and home security company, came under renewed criticism from privacy activists this month after disclosing it gave video footage to police in more than 10 cases without users’ consent thus far in 2022 in what it described as “emergency situations.” That includes instances where the police didn’t have a warrant. While Ring stands alone for its extensive history of police partnerships, it isn’t the only name I found with a carve-out clause for sharing user footage with police during emergencies. Google, which makes and sells smart home cameras and video doorbells under the Nest brand, makes as much clear in its terms of service. Other manufacturers of home security cameras, such as Wyze and Arlo, only provide footage after a valid warrant, while devices that use Apple’s HomeKit Secure Video are end-to-end encrypted, so footage cannot be shared at all. In other words, if you live in the United States, it’s best to avoid Amazon’s and Google’s offerings – especially if you’re a member of a minority or are a woman seeking essential healthcare – and stick to Apple’s offerings instead.

Chrome use subject to restrictions in Dutch schools over data security concerns

The Dutch Ministry of Education has decided to impose some restrictions on the use of the Chrome OS and Chrome web browser until August 2023 over concerns about data privacy. The officials worry that Google services collect student data and make it available to large advertising networks, who use it for purposes beyond helping education. Since the national watchdog doesn’t know where or how the students’ personal data is stored and processed, there are concerns about violating European Union’s GDPR (General Data Protection Regulation). It always irritates me to no end when people claim all the GDPR ever did was create cookie prompts (it didn’t – those prompts aren’t even GDPR compliant), when in fact, it’s been leading to things like this, where governments and advocacy groups now have the legal means to fight companies that violate the privacy rights of those of us in the EU. In this particular case, Google is being forced to change its privacy systems for the better. It’s a sign of things to come now that the DMA has been fully passed.

DMA: Council gives final approval to new rules for fair competition online

The Council today gave its final approval on new rules for a fair and competitive digital sector through the Digital Markets Act (DMA). The DMA ensures a digital level playing field that establishes clear rights and rules for large online platforms (‘gatekeepers’) and makes sure that none of them abuses their position. Regulating the digital market at EU level will create a fair and competitive digital environment, allowing companies and consumers to benefit from digital opportunities. This final approval was a formality, but you never know with corporations.

Report: Google wants to give its ad business a different postal address to please US regulators

The US Justice Department is gearing up for a possible antitrust lawsuit against Google’s ad business, and a new report from The Wall Street Journal outlines a “concession” Google is proposing in response to the investigation. Google might split up some of its ad business and move it to Google’s parent company, Alphabet. The meat of the WSJ report says: “As part of one offer, Google has proposed splitting parts of its business that auctions and places ads on websites and apps into a separate company under the Alphabet umbrella, some of the people said. That entity could potentially be valued at tens of billions of dollars, depending on what assets it contained.” If the DoJ takes them up on this offer, all hope for any serious antitrust action in the US is gone.

Europe faces Facebook blackout

Europeans risk seeing social media services Facebook and Instagram shut down this summer, as Ireland’s privacy regulator doubled down on its order to stop the firm’s data flows to the United States. The Irish Data Protection Commission on Thursday informed its counterparts in Europe that it will block Facebook-owner Meta from sending user data from Europe to the U.S. The Irish regulator’s draft decision cracks down on Meta’s last legal resort to transfer large chunks of data to the U.S., after years of fierce court battles between the U.S. tech giant and European privacy activists. Meta has repeatedly warned that such a decision would shutter many of its services in Europe, including Facebook and Instagram. Don’t threaten us with a good time, Zuck.

EU Parliament passes DMA, DSA to rein in big tech and force interoperability and openness

On Tuesday, Parliament held the final vote on the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council on 23 April and 24 March respectively. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values. The Digital Services Act was adopted with 539 votes in favour, 54 votes against and 30 abstentions. The Digital Markets Act – with 588 in favour, 11 votes against and 31 abstentions. The DSA and DMA will fundamentally change the way big technology companies operate, and as consumers we’ll enjoy the fruits of far less lock-in and more competition. Things like alternative application stores and sideloading on iOS, or interoperability between messaging services, are going to be amazing.

US communications regulator wants TikTok removed from app stores over spying concerns

A commissioner with the U.S. communications regulator is asking Apple and Google to consider banning TikTok from their app stores over data security concerns related to the Chinese-owned company. Brendan Carr, a commissioner with the Federal Communications Commission (FCC), has written a letter to the CEOs of both companies, alerting them that the wildly popular video-sharing app does not comply with the requirements of their app store policies. I wonder just how big the outcry will be among TikTok users if they did this. TikTok is incredibly popular – far more so than people my age even realise – so it certainly wouldn’t go down unnoticed.