from the and-pay-up dept
In early 2016, we wrote about an absolutely ridiculous plan by the Copyright Office to -- without any basis in the law -- strip every site of its registered DMCA agent. In case you're not aware, one of the conditions for getting the DMCA's Section 512 safe harbors as a platform for user content is that you need to have a "Designated Agent." Section 512(c)(2) says:
Designated agent.—The limitations on liability established in this subsection apply to a service provider only if the service provider has designated an agent to receive notifications of claimed infringement described in paragraph (3), by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information:
(A) the name, address, phone number, and electronic mail address of the agent.
(B) other contact information which the Register of Copyrights may deem appropriate.
The Register of Copyrights shall maintain a current directory of agents available to the public for inspection, including through the Internet, and may require payment of a fee by service providers to cover the costs of maintaining the directory.
Note that this says that the Register of Copyrights shall maintain such a list. However, the Copyright Office decided back around 2016 that there were too many "old" registrations in the database, and decided to literally dump every single registration, despite the law not allowing it to do so. It then instituted a new plan that said -- again, without any legal basis -- that every site not only needed to register, but it would need to re-register every three years or it would lose the safe harbor protections, which could expose sites to massive liability.
In late 2016, this plan went into effect, and I detailed the incredibly bad computer system that the Office had put in place to handle such registrations, starting with the fact that the password requirements literally violate the federal government's own rules for passwords. Back in 2016, NIST told government agencies, among other things, to stop requiring random characters, upper and lower case, etc. and to stop expiring passwords with no reason.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
So we were, well, not surprised back in 2016, that the Copyright Office's system ignored that rule not to include composition rules, and highlighted how they stupidly said:
Passwords must have at least 12 characters, with at least one lower case letter, upper case letter, number, and special character "!@#$%^&*()", and must not have any repeated letters, numbers, or special characters.
Not only did this violate NIST's guidelines, but it actually makes passwords significantly less secure by reducing their randomness.
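To put a number on that reduction, here is an added example (not code from this post or from the Copyright Office) that checks passwords against the quoted policy and counts how many 12-character passwords it accepts. It assumes "repeated" means any character used more than once, which the policy text does not specify; the sample passwords are constructed.

```python
import math
import string

SPECIALS = "!@#$%^&*()"   # per the page, the only special characters accepted
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "special": SPECIALS}
ALLOWED = set("".join(CLASSES.values()))   # 72 characters in total

def violations(pw):
    """List the rules of the quoted policy that pw breaks (empty list = accepted)."""
    out = []
    if len(pw) < 12:
        out.append("shorter than 12")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            out.append("no " + name)
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        out.append("disallowed characters: " + "".join(bad))
    if len(set(pw)) != len(pw):   # assumption: "repeated" means used more than once
        out.append("repeated character")
    return out

def count_valid(n=12):
    """Count length-n strings the policy accepts: every class present, no character
    reused. Inclusion-exclusion over the subsets of classes that are left out."""
    sizes = [len(chars) for chars in CLASSES.values()]
    total = 0
    for mask in range(1 << len(sizes)):
        avail = sum(s for i, s in enumerate(sizes) if not (mask >> i) & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * math.perm(avail, n)   # ordered picks without reuse
    return total

def bits(count):
    return math.log2(count)

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for pw in ["aB3!cD4@eF5#", "kX7>qL2{mZ9]", 'aB3"cD4@eF5#', "aB3!cD4@eF5!"]:
        print(repr(pw), violations(pw) or "accepted")
    print("policy-compliant 12-char passwords: %.2f bits" % bits(count_valid(12)))
    print("any 12 chars from the same 72:      %.2f bits" % bits(72 ** 12))
    print("any 12 printable ASCII chars (94):  %.2f bits" % bits(94 ** 12))
```

Under that assumption the policy accepts roughly 72.2 bits' worth of 12-character passwords, against about 74.0 bits for any 12 characters from the same 72 and about 78.7 bits for the 94 printable ASCII characters a generator would normally draw from.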
Anyway, three years have almost passed, and as per the new rules, the Copyright Office is about to kick everyone off again. For no good reason at all. Even better, they sent an email over the Labor Day weekend to alert people that they're at risk of losing their registrations if they don't re-register -- because it's not like people miss random, poorly formatted emails that literally come from "donotreply@loc.gov" when going through emails coming back from a long weekend. Thankfully, I also saw Eric Goldman's blog post about this, though I'm guessing not everyone who owns a website that needs 512 safe harbors protection reads his blog (unfortunately).
Incredibly, it looks like the Copyright Office has done literally nothing to fix the problems of the system. Indeed, it turns out that things are even worse than before. Not only does the system still require "composition rules" that violate NIST's guidelines, it also expired everyone's passwords (which also violates the guidelines).
It actually proved significantly more difficult than expected to create a new password. Like everyone in the world should, I use a password manager to generate and store my passwords. But because of the Copyright Office's dumb rules, none of the passwords my password manager generated would work. I kept getting error message after error message, just telling me the same dumb, pointless rules over and over again:
Even though it's literally bad practice to make your own passwords, I even tried to "edit" some of the auto-generated passwords to meet the rules, but it still didn't work, though I'm not sure why. One thing I discovered: while it says you have to use a "special character," the list shown in that image is the entire set of allowed special characters. So, passwords using other special characters don't work, even though the Copyright Office's system doesn't bother to explain why it rejected your password. But special characters like "\>{]" and such don't work, even though there's no reason why they shouldn't, and most password generators will (smartly!) include them. Oh yeah, also this one stymied me for a really long time. The " mark is not allowed in a password, even though it sorta looks like it's included in that list. But it's not. It's just a pointless set of "quote marks" around the allowed symbols. This is not an intuitive system. It is not user friendly. It's dumb, insecure, and violates NIST's rules -- as it did three years ago when I complained about it.
Then you log in... and the information given to you is sorely lacking. First, at the very top, you get a message saying that the entire website may be offline for three whole days... a month ago. What? What the hell are they doing that they need to take a site offline for three whole days? And if they had to do system upgrades for that long, how the hell have they not made anything actually work right? And, most importantly, if that shutdown happened a month ago, why are they still showing the damn warning message?
From there, you are shown a weird chart with a lot of useless information -- but it is not at all clear how you re-register. There is no indication that you need to re-register. There is just your "service provider name," "registration number," "status," "last updated" and the ever useless "Action" box.
It turns out, to re-register, you have to click that little pencil, which the tooltip tells me is to "Edit." But I'm not "editing" anything. I just want to renew so I still am protected by the DMCA's safe harbors. It then makes me review everything multiple times, before telling me I need to pay $6, and sending me to a sketchy looking payment site (which I get is not run by the Copyright Office itself, but still).
I was almost afraid to give it my credit card.
Either way, eventually it "worked," but in the most fucked up of ways. The website itself is then not exactly clear if this renewal adds on to my existing registration -- meaning do I get three more years from the date of my original three year registration in 2016 (which would be December 1), or if it simply starts the clock anew, as of the date I paid. It sure looks like they just started a new three year clock yesterday -- meaning they cheated me out of 3 months of coverage because I dared to renew promptly. So by being good and renewing in their stupid system nearly 3 months before I need to, they just chop off 3 months of the "service" they're providing me? How the fuck is that allowed? If you look at my original listing -- even though I'd paid up for 3 full years, they now show it as "inactive" and list the new one as "active."
And that's kinda fucked up. The current listing says "Active" for "September 3, 2019 to Present" which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022.
All of this is a complete mess. It's entirely unnecessary, and as Eric Goldman notes in his piece, when the Copyright Office rolled this out it "promised a smooth renewal process." This was anything but smooth -- and it's likely that plenty of sites may miss the fact that they have to do this, or get caught up in trying to get the damn system to work. While, thankfully, this hasn't impacted any sites directly that I'm aware of, it's only a matter of time until a site that thought it had a successful DMCA agent finds out it no longer does because the Copyright Office decided to change the entire process, and apparently can't build a freaking website that works or is even up to basic federal website standards.
And, sure, $6 is cheap, but it's still pretty messed up that the Copyright Office simply lopped off three months of service they owed me because their own system is too poorly implemented to know to add on another three years at the end of my existing "subscription." It seems like something that shouldn't happen -- and one hopes that someone at the Copyright Office or the Library of Congress figures their shit out before September of 2022. But I have my doubts.