Every Website Needs To Re-register With The Copyright Office, Who Can't Build A Functioning System
from the are-you-serious? dept
As we mentioned last month, the Copyright Office -- despite being warned this was a bad idea -- has decided to implement a brand new system for websites to register DMCA agents, and has done so in a way that will undoubtedly fuck over many websites. It's already ridiculous enough that in order to be fully protected under the DMCA's safe harbor rules (that say you're not liable if someone posts infringing material to your website), you need to register a designated "DMCA agent" with the Copyright Office. The idea behind this is that by registering an agent, copyright holders will be able to look up who to send a takedown notice to. And, sure, that makes sense, but remember that this is the same Copyright Office that supports not requiring copyright holders to register their works, meaning that there may not be any legitimate way to contact copyright holders back.The reason for the new system is that the old system was just ridiculous -- on that everyone can agree. You had to fill out a paper form, sign it, and send it in. The Copyright Office has been way behind on digitizing everything, so moving to a web based system is a good thing. Also, the old system required payment of over $100, while the new one is just $6. That's all good. The problem is twofold: first, the Copyright Office has said that it is throwing out all the old registrations, and if you want to retain your safe harbors, you need to re-register. There's a grace period through the end of next year, but plenty of sites who don't follow the Copyright Office's every move are going to miss this, and will no longer have an officially registered agent with the Copyright Office (it's possible that, should this issue go to court, a platform could reasonably argue that it still did meet the statutory requirements in the original registration, but why force site owners through that hoop in the first place). The second problem, is that this new system will toss out records every three years, so if you forget to renew, you once again can lose your legal safe harbors. This puts tons of websites at serious risk, removing key protections and opening them up to lawsuits from copyright trolls.
Either way, the Copyright Office opened the doors on the new system yesterday, and so I went ahead and re-registered Techdirt. And, let's just say, the Copyright Office has a reputation for being technically clueless, and boy, does it live up to that reputation with its new system -- though, to be fair, as the Copyright Office's General Counsel reminded me on Twitter, it's actually the Library of Congress that built the system. First off, to register a new agent, you need to first register with the Copyright Office's system. As Eric Goldman points out, the system is not designed for individuals or sole proprietorships, even though those people should be able to get DMCA safe harbor protections as well. Specifically, to register, it requires an organization name and a "second contact" name and information. I'm not sure what individuals should do, other than maybe make something up -- though, before you even get started, the system pops up a warning suggesting that you may face criminal charges under the CFAA if you do anything wrong (while it means if you try to hack the system, the wording may confuse many people not familiar with the law). Nice touch.
Oh, and then there's the password system. Like many people, I use a password manager, which also will generate strong passwords for you. I went through the process of filling out my info, and generated a strong password... and I got back an error message. It seems that the Copyright Office has taken what used to be considered best practices, and then took it to an insane extreme: First of all, the US government, in the form of NIST, recently released new guidelines for password policies for any US government websites. And the Copyright Office ignores them, because whoever designed the new DMCA system seems to not give a shit and not be even remotely aware of good security practices these days. Here's what the new rules say:
No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”So, yeah, nice job Copyright Office for ignoring what you're supposed to do. Second, even if those rules did make sense, by lumping together all of them, and then adding the absolutely ridiculous and bad security practice of saying "must not have any repeated letters, numbers, or special characters," you actually reduce randomness and make passwords less secure. This is just bad security.
Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
To deal with this rule, I generated a much longer password, and then manually went through and removed any repeated letters, numbers or special characters, and made sure that all of the other rules were met. They were. I hit submit. The system rejected it, and gave me the exact same error message. I tried again. Same problem. I kept trying things for about 20 minutes until I figured out what the problem was. You see above, where it says "and special character "!@#$%^&*()""? Well, in my first attempt at a password I had two special characters: ? and >. I incorrectly assumed that when they say "special character" they mean any special character on the keyboard, and not just those limited to the ones above the number line on your keyboard. Once I realized that might be the issue, I still had a problem. And that's because my new password had " as a special character. I incorrectly assumed that was okay because it's in that list above, right? Except, no, it's not. It's just put around those symbols for no reason at all except to fool people. It would be nice if the error message actually told you that you could only use those characters and that the " wasn't included. Would have saved me a lot of time.
Once I finally finished that, the system sent me a confirmation/validation email (good), which I used to confirm my email and log into the system... only to discover that everything I had just done... was not actually registering a DMCA agent. It was just to register your account to use the Copyright Office's DMCA system. So I had to then go and fill out another form to register our DMCA agent (and I won't even get into the fact that once you've activated your account, the message telling you to "click here" to login to designate an agent makes it so that it's not at all where to actually click -- great design guys!).
Finally, once I'm all registered, and despite the fact that I'm very clearly registered in the United States, the system says I'm in Canada. Because, apparently, the genius IT staff thinks that the "CA", which everywhere else means California, means Canada in their own system. Because whatever, nothing matters. So, yes, I eventually paid my $6 and got registered, but lots of people won't and lots of sites are now going to expose themselves to bogus lawsuits. And for those who do get through this process, you may end up in Canada. So anyway, off we go to this new era, in which websites are much more at risk of losing their safe harbor protections, and to make it more fun, the system you need to use to register yourself is buggy as hell with a bunch of bad design practices. It's almost as if they want websites to lose their safe harbors. Considering that the key role of the Copyright Office is to register stuff (the boss of the office is literally called "The Register"), it seems fairly ridiculous that they make it so difficult to register DMCA agents, and then force renewal every three years (while at the same time insisting that any renewal requirement for copyright holders would go against the natural order of things and bring famine and pestilence upon the land).
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyright office, dmca, dmca 512, dmca agent, library of congress, nist, passwords, safe harbors
Reader Comments
The First Word
“Same Rules Apply...
So I have to register every 3 years for safe harbor protections... lets do the same thing for copyright!... just saying...
Subscribe: RSS
View by: Time | Thread
Same Rules Apply...
... just saying...
[ link to this | view in chronology ]
Re: Same Rules Apply...
[ link to this | view in chronology ]
Re: Re: Same Rules Apply...
So, pay up!
[ link to this | view in chronology ]
Re: Same Rules Apply...
For them, the internet is a disaster because it levels the playing field. Anyone can publish. So for example they periodically push for mandatory DRM schemes like SDMI to keep out small players who can't afford the licencing and technical costs.
Disney is known for vacuuming up off-copyright works from the Brothers Grimm to Japanese animation, republishing it as "their own" creations, AND THEN fiercely protecting them with copyright. It might work in their favor to hand the small players the hassle and cost of continual copyright re-registering.
[ link to this | view in chronology ]
Re: Re: Same Rules Apply...
Disney can afford to automate the continued re-re-registering and at scale.
[ link to this | view in chronology ]
Here is an idea...
How about you guys get the FCC to do it for ya? I mean they are doing a bang up job right now! Go for it! Wait... they might get the axe soon! whooops!
Boy unconstitutional and unnecessary regulation is so fucking awesome, is it not?
[ link to this | view in chronology ]
Re: Here is an idea...
[ link to this | view in chronology ]
Re: Re: Here is an idea...
Like the robo call bullshit they have yet to do much about, the Copyright Office does little about copyright issues. And in the case here, the Copyright Office just trashed everyone's past registrations only to force them to do them again.
I am bitching about how effective these bullshit agencies have been in the grand scheme of things.
[ link to this | view in chronology ]
Re: Here is an idea...
[ link to this | view in chronology ]
Password Requiremnts
[ link to this | view in chronology ]
Password Requirements
Why no repeated characters?
Disallowing repeated characters actually diminishes the universe of allowable passwords. Isn't the idea of the requirements of special character, number and upper/lower case to force passwords into a larger space so that they don't all fall into the small space of lower case only words from the dictionary.
[ link to this | view in chronology ]
Re: Password Requirements
[ link to this | view in chronology ]
Re: Re: Password Requirements
Actual entropy in cryptography has a well established history of research, yet like most other types of science we prefer the pseudoscience side of things and go for straight fucking theater!
[ link to this | view in chronology ]
Re: Re: Password Requirements
[ link to this | view in chronology ]
Re: Password Requirements
Amazingly, within two months, some of these sites actually changed their policies to increase security.
My next step is to send out reminders CCd to webmaster, legal and info -- I figure that way, with four different potential departments involved, someone will recognize the liability they are taking on with this style of password restriction, and Changes Will Be Made on the other sites.
I encourage others to do the same thing; linking to the new NIST guidelines would be an added bonus.
[ link to this | view in chronology ]
Re: Re: Password Requirements
My request made it to the head of IT security where I was informed they already implement two factor authentication by requiring a username, password and security questions.
The whole idea of using two of the three factors, something you have, something you are or something you know is beyond their comprehension.
[ link to this | view in chronology ]
Re: Re: Re: Password Requirements
[ link to this | view in chronology ]
*puts on tinfoil hat*
I wouldn't be surprised.
[ link to this | view in chronology ]
Re:
Just wait until this bites the right hands who can fight it.
In an effort to make a bad law worse, Hollywood may just well be instrumental in getting it overturned.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Need definition of website
This is all a ploy to get bad law codified by SCOTUS. To set precedent.
First to get sued should contact EFF.
[ link to this | view in chronology ]
Re:
This will backfire, in that sense, as all it will do is make the smaller sites shut down easier and faster, while consolidating more successful services with the likes of Google who have the resources to fight them. But, they've never been particularly good at doing things correctly.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
...which is exactly why they're not doing that.
[ link to this | view in chronology ]
That a feature, the legacy industry does not want to compete with self publishing creators, and creating extra legal risks is a tool to push them back into the arms of the gatekeepers.
/conspiracy, maybe
[ link to this | view in chronology ]
A New Reputation Managment Fraud Vector?
Or could a typical "Reputation Management" fraudster register a sock puppet as the DMCA agent if the real site owner is unable to, and use that to remove safe harbor protections? Even if the real site owner DOES register, could the fraudster then register the forum subdomain or individual pages? How does it handle SECOND person trying to register a given site, fraudster or real owner?
You might want to test this. (I'm not in the US.)
[ link to this | view in chronology ]
Re: A New Reputation Managment Fraud Vector?
It's okay, apparently Mike isn't, either!
[ link to this | view in chronology ]
Re: A New Reputation Managment Fraud Vector?
One might want to test this, but given how poorly done the site is, I wouldn't put it past their IT department to consider that kind of exploitation to be "hacking" and start pushing CFAA charges.
[ link to this | view in chronology ]
In fairness to their web designers
That awful experience actually seems pretty typical over the last couple of years. I've dealt with websites from a number of different companies where I was left with the impression that they had specific line items in their requirements document that the site should be unpleasant to use. Among the brokenness I've seen recently:
I could go on, but I have ranted enough for one post.
This does not even get into the more questionable UI choices, like trying to make websites rendered in full-screen 1920x1080 browsers lay out as if they were on tiny mobile phones.
[ link to this | view in chronology ]
Re: In fairness to their web designers
But Mike, this beef isn't with the Copyright office. This is a beef that goes back to the original HTTP and HTML RFC's.
Really there have been dozens of moments in history where this could have been unfucked universally. The failure was in putting abstraction that should have been a protocol extension, into a document standard instead. But noOOoo. We've got to all act like fucktards, because none of us ever got around to looking at the http RFC and said: "Shit... Even _I_ can do better than this."
Hey. We all get our screws torqued now and again. No harm no foul. But do me a favor Mike: Fix the adverts on your site that run outside of https. It is a little less hypocritical to bitch about somebody else's site when your is working properly.
There is plenty of blame to go around. And in the general scheme of fucktard-neering that went into the Internet, this is a rather minor issue. There is much MUCH worse stuff out there.
[ link to this | view in chronology ]
Re: Re: In fairness to their web designers
To follow up:
If plain text SQL schemas had been bound to HTML forms back in the 90's, it is likely that PHP, AJAX, and, maybe even Ruby would never have existed. AND things would be way more secure, since the security policy would be done fully server side in C, instead of the sieve that has been created by client side dynamic post formatting.
There is the right way, and there is every other way. And the WWW has been done every other way, since it's inception. But when something is broken this long, it is probably broken because somebody wants it to be broken.
So it would easier to fix it these days. But you'd have to be willing to suck Microsoft and Oracle dick for it to be portable. Otherwise they would EEE you, or just break your dependencies until you said uncle.
[ link to this | view in chronology ]
Re: Re: Re: In fairness to their web designers
[ link to this | view in chronology ]
Re: In fairness to their web designers
[ link to this | view in chronology ]
So when
I think I see were this is headed.......
[ link to this | view in chronology ]
Re: So when
I believe it's been a few years, but I seem to recall at least one court ruling that was essentially just that, where they argued that your 'right' to stay silent only applied when you actively affirmed that you were using it.
Don't say 'I am invoking my fifth amendment right against self-incrimination and staying silent' and they could use your silence against you.
[ link to this | view in chronology ]
Re: Re: So when
http://www.washingtonpost.com/wp-dyn/content/article/2010/06/01/AR2010060102114.html
[ link to this | view in chronology ]
Re: So when
I don't see how this next step would be a surprise or something people are willing to lose their jobs or comfy lifestyles over.
[ link to this | view in chronology ]
Automatic Reregistration
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
I remember when it was acting like technology would make the worst of the copyright abuses and bad business models go away or be reduced to irrelevance.
Funny, that.
[ link to this | view in chronology ]
Re:
Put the crack pipe down. Easy, now, easy...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Half of nothing is still nothing.
[ link to this | view in chronology ]
Cha-Ching!
And just like that the Copyright Office turned what was a one time payment into a steady(though smaller in the short term) stream of easy income, throwing everyone under the bus in the process.
If they follow through on their idea of a site of 'unregistered sites' then you can be sure that the extortion via copyright schemes will shoot through the roof as well, also thanks to their boneheaded and/or incompetent move.
[ link to this | view in chronology ]
So you've got yourself an invalid registration now...
[ link to this | view in chronology ]
Re: So you've got yourself an invalid registration now...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]