Three Years Later And The Copyright Office Still Can't Build A Functioning Website For DMCA Agents, But Demands Everyone Re-Register
from the and-pay-up dept
In early 2016, we wrote about an absolutely ridiculous plan by the Copyright Office to -- without any basis in the law -- strip every site of its registered DMCA agent. In case you're not aware, one of the conditions for a platform for user content to get the DMCA's Section 512 safe harbors is that you need to have a "Designated Agent." Here is what 512(c)(2) says:
Designated agent.—The limitations on liability established in this subsection apply to a service provider only if the service provider has designated an agent to receive notifications of claimed infringement described in paragraph (3), by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information:
(A) the name, address, phone number, and electronic mail address of the agent.
(B) other contact information which the Register of Copyrights may deem appropriate.
The Register of Copyrights shall maintain a current directory of agents available to the public for inspection, including through the Internet, and may require payment of a fee by service providers to cover the costs of maintaining the directory.
Note that this says that the Register of Copyrights shall maintain such a list. However, the Copyright Office decided back around 2016 that there were too many "old" registrations in the database, and decided to literally dump every single registration, despite the law not allowing it to do so. It then instituted a new plan that said -- again, without any legal basis -- that every site not only needed to register, but it would need to re-register every three years or it would lose the safe harbor protections, which could expose sites to massive liability.
In late 2016, this plan went into effect, and I detailed the incredibly bad computer system that the Office had put in place to handle such registrations, starting with the fact that the password requirements literally violate the federal government's own rules for passwords. Back in 2016, NIST told government agencies, among other things, to stop requiring random characters, upper and lower case, etc. and to stop expiring passwords with no reason.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
So we were, well, not surprised back in 2016 that the Copyright Office's system ignored the guidance against composition rules, and we highlighted how they stupidly said:
Passwords must have at least 12 characters, with at least one lower case letter, upper case letter, number, and special character "!@#$%^&*()", and must not have any repeated letters, numbers, or special characters.
Not only did this violate NIST's guidelines, but it actually makes passwords significantly less secure by reducing their randomness.
Anyway, three years have almost passed, and as per the new rules, the Copyright Office is about to kick everyone off again. For no good reason at all. Even better, they sent an email over the Labor Day weekend to alert people that they're at risk of losing their registrations if they don't re-register -- because it's not like people miss random, poorly formatted emails that literally come from "donotreply@loc.gov" when going through emails coming back from a long weekend. Thankfully, I also saw Eric Goldman's blog post about this, though I'm guessing not everyone who owns a website that needs 512 safe harbors protection reads his blog (unfortunately).
Incredibly, it looks like the Copyright Office has done literally nothing to fix the problems of the system. Indeed, it turns out that things are even worse than before. Not only does the system still require "composition rules" that violate NIST's guidelines, it also expired everyone's passwords (which also violates the guidelines).
It actually proved significantly more difficult than expected to create a new password. Like everyone in the world should, I use a password manager to generate and store my passwords. But because of the Copyright Office's dumb rules, none of the passwords my password manager generated would work. I kept getting error message after error message, just telling me the same dumb, pointless, rules over and over again:
Even though it's literally bad practice to make your own passwords, I even tried to "edit" some of the auto-generated passwords to meet the rules, but it still didn't work, though I'm not sure why. One thing I discovered: while it says you have to use a "special character," the list shown in that image is the entire set of allowed special characters. So, passwords using other special characters don't work, even though the Copyright Office's system doesn't bother to explain why it rejected your password. But special characters like "\>{]" and such don't work, even though there's no reason why they shouldn't, and most password generators will (smartly!) include them. Oh yeah, also this one stymied me for a really long time. The " mark is not allowed in a password, even though it sorta looks like it's included in that list. But it's not. It's just a pointless set of "quote marks" around the allowed symbols. This is not an intuitive system. It is not user friendly. It is dumb, insecure, and violates NIST's rules -- as it did three years ago when I complained about it.
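The composition rules quoted above, written out as a checker that reports which rule a password breaks, plus a count of how many passwords survive the rules. This is an added example, not code from the article or from the Copyright Office's system; it assumes "repeated" means the same character appearing anywhere in the password, and that a password manager draws uniformly from the 94 printable ASCII characters.

```python
import math
import string

# Rule set as quoted in the article; the ten specials are the whole allowed set.
SPECIALS = "!@#$%^&*()"
CLASSES = {
    "lower case letter": string.ascii_lowercase,
    "upper case letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": SPECIALS,
}
ALLOWED = "".join(CLASSES.values())  # 72 characters in total
MIN_LEN = 12


def violations(pw):
    """Return every rule pw breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name}")
    outside = sorted({c for c in pw if c not in ALLOWED})
    if outside:
        problems.append("characters outside the allowed set: " + " ".join(outside))
    # Assumption: "repeated" means the same character anywhere in the password.
    repeated = sorted({c for c in pw if pw.count(c) > 1})
    if repeated:
        problems.append("repeated characters: " + " ".join(repeated))
    return problems


def count_compliant(n=MIN_LEN):
    """Count length-n passwords that pass, by inclusion-exclusion over
    the character classes a password might be missing entirely."""
    sizes = [len(chars) for chars in CLASSES.values()]
    total = 0
    for mask in range(1 << len(sizes)):
        missing = sum(s for i, s in enumerate(sizes) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        # math.perm counts strings with no repeated character.
        total += sign * math.perm(len(ALLOWED) - missing, n)
    return total


def acceptance_rate(n, generator_alphabet=94):
    """Chance that n uniformly random printable-ASCII characters pass."""
    return count_compliant(n) / generator_alphabet ** n


if __name__ == "__main__":
    # Constructed sample passwords, not ones anyone used on the site.
    for pw in ["Tr4!bq9&Zm(x", "aB3{kLm9pQ>x", 'Ab1!cdefghi"', "Password123!"]:
        print(f"{pw!r}: {violations(pw) or 'accepted'}")
    print(f"unrestricted, 72 symbols: {12 * math.log2(72):.1f} bits")
    print(f"rule-compliant          : {math.log2(count_compliant()):.1f} bits")
    print(f"random 12-char pass rate: {acceptance_rate(12):.2%}")
    print(f"random 20-char pass rate: {acceptance_rate(20):.3%}")
```

The last two lines show how rarely a generator's unconstrained output satisfies the rules, and that the rate drops further as the generated password gets longer.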
Then you log in... and the information given to you is sorely lacking. First, at the very top, you get a message saying that the entire website may be offline for three whole days... a month ago. What? What the hell are they doing that they need to take a site offline for three whole days? And if they had to do system upgrades for that long, how the hell have they not made anything actually work right? And, most importantly, if that shutdown happened a month ago, why are they still showing the damn warning message?
From there, you are shown a weird chart with a lot of useless information -- but it is not at all clear how you re-register. There is no indication that you need to re-register. There is just your "service provider name," "registration number," "status," "last updated" and the ever useless "Action" box.
It turns out, to re-register, you have to click that little pencil, which the tooltip tells me is to "Edit." But I'm not "editing" anything. I just want to renew so I still am protected by the DMCA's safe harbors. It then makes me review everything multiple times, before telling me I need to pay $6, and sending me to a sketchy looking payment site (which I get is not run by the Copyright Office itself, but still).
I was almost afraid to give it my credit card.
Either way, eventually it "worked," but in the most fucked up of ways. The website itself is then not exactly clear if this renewal adds on to my existing registration -- meaning do I get three more years from the date of my original three-year registration in 2016 (which would be December 1), or if it simply starts the clock anew, as of the date I paid. It sure looks like they just started a new three-year clock yesterday -- meaning they cheated me out of 3 months of coverage because I dared to renew promptly. So by being good and renewing in their stupid system nearly 3 months before I need to, they just chop off 3 months of the "service" they're providing me? How the fuck is that allowed? If you look at my original listing -- even though I'd paid up for 3 full years, they now show it as "inactive" and list the new one as "active."
And that's kinda fucked up. The current listing says "Active" for "September 3, 2019 to Present" which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022.
All of this is a complete mess. It's entirely unnecessary, and as Eric Goldman notes in his piece, when the Copyright Office rolled this out it "promised a smooth renewal process." This was anything but smooth -- and it's likely that plenty of sites may miss the fact that they have to do this, or get caught up in trying to get the damn system to work. While, thankfully, this hasn't impacted any sites directly that I'm aware of, it's only a matter of time until a site that thought it had a successful DMCA agent finds out it no longer does because the Copyright Office decided to change the entire process, and apparently can't build a freaking website that works or is even up to basic federal website standards.
And, sure, $6 is cheap, but it's still pretty messed up that the Copyright Office simply lopped off three months of service they owed me because their own system is too poorly implemented to know to add on another three years at the end of my existing "subscription." It seems like something that shouldn't happen -- and one hopes that someone at the Copyright Office or the Library of Congress figures their shit out before September of 2022. But I have my doubts.
Filed Under: copyright, copyright office, dmca, dmca agent, library of congress
Reader Comments
Meanwhile the copyright office makes me change my password every two months as suggested by top network security experts...in 2005.
[ link to this | view in chronology ]
The copyright office owes you $0.50
$6/3 years =
$2/year =
$0.50/quarter
[ link to this | view in chronology ]
Re: The copyright office owes you $0.50
Except for one thing....only Congress can levy taxes either by direct legislation or by explicitly allowing an agency to charge fees.
A rogue agency charging fees for something they are not explicitly allowed does not meet that criteria.
The Copyright Office owes everyone who's paid these fees a full refund.
[ link to this | view in chronology ]
Re: Re: The copyright office owes you $0.50
Except for one thing....only Congress can levy taxes either by direct legislation or by explicitly allowing an agency to charge fees.
So which agencies are "rogue"?
[ link to this | view in chronology ]
Re: Re: Re: The copyright office owes you $0.50
Those charging fees without congressional approval
[ link to this | view in chronology ]
Re: Re: Re: The copyright office owes you $0.50
At this point I'm pretty sure the answer is 'yes'.
[ link to this | view in chronology ]
Re: Re: The copyright office owes you $0.50
The fee authority comes from the last sentence in 512(c)(2) itself:
[ link to this | view in chronology ]
Re: Re: Re: The copyright office owes you $0.50
Guess it's too hard for some people to go read the law in question.
[ link to this | view in chronology ]
Re: The copyright office owes you $0.50
"I'm sorry, we do not issue checks that total less than $0.55. The total must be a prime number, divisible by .9, and cannot include the digits 2, 3, 5, or 7. We are not authorized to issue a check exceeding $10."
[ link to this | view in chronology ]
Re: Re: The copyright office owes you $0.50
Well, those two requirements together mean that no total works. Guess that means that they do not issue checks at all, which may well be the point.
[ link to this | view in chronology ]
It's a feature
.... not a bug.
[ link to this | view in chronology ]
'Rules must be followed!... for other people, not us.'
Ignored the law not once but twice, ignored basic password guidelines, demand that people pay up on a regular basis on a site terribly designed...
At this point if it was discovered that the entire thing was a prank put together by someone with a sadistic streak it would not surprise me in the least.
[ link to this | view in chronology ]
Not surprised
I'm astonished that no one has sued over this... and then I remember that the big guys have teams of lawyers for whom this is trivial, so they don't care, while the little guy bears the brunt of the inconvenience, but is too small to afford suing. So, system working as planned.
[ link to this | view in chronology ]
Safe harbors BAD! Massive fines GOOD!
What part of, "No one should be eligible for the safe harbor," did you fail to understand?
[ link to this | view in chronology ]
What the law says
DMCA says '(2) DESIGNATED AGENT.-...by providing to the Copyright Office, substantially the following information..."
If you provided it prior to 2016 and have not changed it and continue to provide it on your website as per the law, you are in compliance.
The arbitrary decision on the part of the Copyright office to
Is their choice to violate the law requiring them to hold on to the registrations, their choice to collect a fee without Congressional approval, and their choice to willfully cheat you out of your 3 months and make you jump through hoops.
HOWEVER, should you be sued in the interim, the DMCA actual language says you've got the safe harbor protections.
Not that it ever helped Yahoo.
Or many many other organizations.
The DMCA's safe harbor protections AT THEIR BEST were never worth much.
Ehud "DMCA registered agent since 2003 and paid $0" Gavron
Tucson AZ
[ link to this | view in chronology ]
I'd be sorely tempted to send the information return-receipt-requested with a cashier's check for $6, just to make sure I had hardcopy evidence I could present in court that I did in fact have a registration as required by the law regardless of what the Registrar might say.
[ link to this | view in chronology ]
Silly peons....
Laws are meant for you, not the agencies enforcing them.
[ link to this | view in chronology ]
Please enter a password: pyramid
[Error: Password must be at least 10 characters in length]
Please enter a password: mypyramids
[Error: Password must contain at least one upper case letter]
Please enter a password: Mypyramids
[Error: Password must contain at least one number]
Please enter a password: Mypyramids2
[Error: Password must contain at least one non-letter/number character]
Please enter a password: GiveMeAF*ckingBreak!
[Password accepted!]
[ link to this | view in chronology ]
Re:
That's funny because the error on the website doesn't actually tell you what you are doing wrong. :)
[ link to this | view in chronology ]
Re: Re:
Maybe not that web site, but I've actually had this experience on a couple sites that I've registered on. It was frustrating because at least one of them didn't tell me in advance what the requirements for the password were, but each time I entered something, it kept telling me what was wrong with it.
[ link to this | view in chronology ]
Re:
The fact that the "accepted" password doesn't have a digit in it just makes it more accurate.
[ link to this | view in chronology ]
"Three Years Later And The Copyright Office Still Can't Build A Functioning Website"
Because... Redacted
[ link to this | view in chronology ]
"The current listing says "Active" for "September 3, 2019 to Present" which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022."
What the hell... the entire description is bad practice, but you're expected to re-register on a regular basis and their own site won't tell you the expiration date? Wow.
I tell you what, my cat threw up when I was leaving the house this morning. I'll grab the leftovers when I get back home today and post it to the US copyright office. Its web design skills are clearly better than their existing ones...
[ link to this | view in chronology ]
Why you can't use quote marks in passwords...
https://xkcd.com/327/
With everything else wrong in the copyright registrar's office, you'd think they would at least sanitize their inputs.
But hey, you don't even touch on unicode characters or lack thereof!
[ link to this | view in chronology ]
Not that their Web site isn't amateur hour crap, and not that they should be doing that with the password rules, but SHOULD NOT is a strong recommendation, not a hard requirement. It's in the nature of "do it this way unless you can name a good reason not to", with nobody but the reader empowered to decide what constitutes a "good reason".
If NIST had intended a hard requirement, NIST would have written "MUST NOT" or "SHALL NOT". That's a nearly universal standard these days. The site design is stupid, but it's not "violating" anything.
You wouldn't go around spouting off about laws without understanding the definitions, and you shouldn't go around spouting off about technical standards without understanding the definitions either.
And those 2016 NIST recommendations, although totally correct and in accordance with the best current research, also reversed about 30 years of the conventional wisdom on passwords. I know; I was waiting to pounce and start to force some changes at my own workplace when those recommendations came out. People don't move that fast.
You also don't understand passwords and should not be writing about them. Adding on a character to a randomly generated password to satisfy a site is completely safe and not "literally a bad practice".
Also, their explanation of what special characters they accept is completely understandable if you're not looking for something to whine about. And any reasonable password generator lets you control the character set.
[ link to this | view in chronology ]
Adding on a character
YOU are the one who doesn't understand cryptography, (not "passwords") and shouldn't be writing about it (not "them").
There's nothing which "is completely safe" and yes, it's bad practice to limit an encryption key length or choice of bit patterns.
You're not just an anonymous coward, you're an anonymous know-nothing bad-information-spouting dangerous-if-anyone-paid-attention-to coward.
Thanks for playing; you are awarded no points; may God have mercy on your soul. (Thanks, Adam Sandler).
E
[ link to this | view in chronology ]
Offline
Actually, the screenshot says "DMCA may be offline". "DMCA" is a law, not a website. I hope everyone took advantage of their takedown-free weekend.
[ link to this | view in chronology ]
Who's to blame?
Do you blame the business analysts for not creating better documentation for the developers to follow?
Do you blame the developers who coded the site?
Do you blame the testers/ QA team for thinking this is acceptable quality?
Do you blame the managers for not pushing the testers and developers for not doing a better job?
Do you blame HR for not hiring better developers who will do a better job?
[ link to this | view in chronology ]
Re: Who's to blame?
I blame the manager at the low-bid contractor who hired a mediocre high school student to code the website between vaping sessions.
I blame the bureaucrat who mindlessly crapped out the contract that allowed this travesty of a website to be created.
I laugh at the idea that there were testers/QA involved.
[ link to this | view in chronology ]
let us help you
Even though it's literally bad practice to make your own passwords, I even tried to "edit" some of the auto-generated passwords to meet the rules, but it still didn't work, though I'm not sure why
Mike, why don't you just put here the different passwords you tried and the one that worked. Then we can help you figure it out, you know, crowd source the effort.
;P
[ link to this | view in chronology ]
Re: let us help you
I'm sure he wouldn't mind, since he already stated they were randomly generated and not used elsewhere!
[ link to this | view in chronology ]
Brian Krebs on passwords
This is a slightly over week-old article where a security expert (a real one) talks about passwords, encryption, choices, company responsibilities, etc.
It's a good read because the above posts about "whose fault is it" really miss the point. It's not about assigning blame but about correcting the issues. If all one wants to do is figure out whom to blame, that's easy. Fixing authentication, encryption, and security is HARD.
https://krebsonsecurity.com/2019/08/forced-password-reset-check-your-assumptions/
Ehud
[ link to this | view in chronology ]
Re: Brian Krebs on passwords
The thing is, the TD article is not about trying to fix those things, it's about the shockingly poor implementation of what's been decided upon. Whether or not you agree with the required complexity, etc., there's no excuse for what's described.
[ link to this | view in chronology ]
Now I’m not saying they should get the short end for a Bad fai
Just have your lawyer in hand to “let them know” about how the laws they are supposed to follow work, and pile a few legal threats on top while keeping documentation of everything if they ever have any issues...
[ link to this | view in chronology ]
Look, both the Copyright Office AND the DMCA are involved here.
The ship holding the chances of anything "functioning" has long since sailed, for a live-action re-enactment of the Titanic.
[ link to this | view in chronology ]