Main Nav

What Should We Learn from Megaupload?


Here's how the New York Times broke the story:

In what the federal authorities on Thursday called one of the largest criminal copyright cases ever brought, the Justice Department and the Federal Bureau of Investigation seized the Web site Megaupload and charged seven people connected with it with running an international enterprise based on Internet piracy.

Since then, we've learned variously that the site's principal barricaded himself with to avoid arrest inside a "safe room" at his New Zealand mansion where police eventually arrested him as he was brandishing a shotgun, that federal authorities plan to delete all of data stored on Megaupload's servers and so harm scores of innocent cloud-storage users, and that the raid on Megaupload was just a ploy to move SOPA and PIPA ahead by demonstrating that copyright pirates were getting rich--or maybe a ploy to do the opposite by demonstrating that existing law already is sufficient to deal with them.

Tempting as it is to identify princes and villains in this story, I'm not going to do that. Rather, I think there are some useful policy and practice reminders we should take away from this incident, no matter how it turns out.

Good Cloud=Bad Cloud, and vice versa. It's tempting to say that Megaupload, by virtue of its blatant encouraging of unauthenticated file sharing, represents evil, while DropboxBoxXythos, and other services that prevent or constrain sharing represent good. But it's not that simple. Whatever its sins, Megaupload also provided very convenient, accessible cloud-based storage for digital files. Whatever their virtues, most other cloud-based storage services also enable individuals to share digital material in violation of copyright. It's not technology that's good or bad , it's what people do with it.

There Is No Technical Solution. There's only one way to clearly separate infringement-permitting sites from infringement-forbidding sites, and that's by requiring that the latter inspect every single file they store and make sure that it does not infringe upon someone's copyright. Some commentators have proposed this as the standard for whether file-sharing sites can operate. Yet if we've learned anything from the past several years of copyright wars, it's that clearly distinguishing infringing from noninfringing material by purely technical means simply doesn't work. We can identify music and maybe movies (as the amazing Shazam apps illustrate, and Audible Magic has tried to do for networks). But identifying a digital file in no way establishes whether that file is infringing. So long as cloud storage exists--indeed, so long as it is possible to make files in one place accessible from another--it will be possible for copyrighted or otherwise illegal material to be shared. To argue that because of this neither cloud storage nor file sharing should be permitted, as the entertainment industry implicitly does, is pointless and futile. The cloud--risks, benefits, ambivalence, and all--is here to stay.

Cease-and-Desist. The Digital Millennium Copyright Act has many, many failings. But its authors got one thing right: if a copyright holder believes its material is being distributed or used without permission on an Internet service, it must before taking any other action notify the offending site and request that the material be removed. The site, in turn, may take reasonable steps to confirm that the complaint is valid before causing the material to be removed--and the site may choose various ways to achieve that last. Only if a site fails to act appropriately on complaints can it be held liable (other than for its own infringements, of course). Only through legal process (albeit rather minimal process) can the copyright holder obtain the infringing individual's identity, and only by suing him or her can the copyright holder obtain redress. This is the basic fairness required by the United States's commitment to due process and checks and balances. The recent Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) proposed to trample on this basic fairness, and that is part of why they stopped moving forward. Unfortunately, the Megaupload case reminds us that even without SOPA and PIPA it is possible for law enforcement to bypass due process. Users of Megaupload should have been warned that many files had been found to infringe copyright, and users should have had the opportunity to delete and/or move their files before law enforcement seized the company and disabled access.

The Long Arm of the Law. Here I defer to others wiser than I, and confine myself to two simple observations about jurisdiction. First, it's quite clear that copyright and related laws vary dramatically from country to country. Whether they are enforced varies even more. It has thus been tempting to move questionable activities to other jurisdictions, for reasons ranging from  a copyright pirate's or a pornographer's desire to avoid prosecution to a government's desire to not have another government poking into its digital affairs. Second, however, the complex border-hopping nature of today's technology means that safe harbor is hard to find, because placing data "in" a particular country may not mean that at all--as Megaupload clearly learned when its Virginia-based servers enabled U.S. law enforcement to reach its multinational venues. So long as international variation exists, so will attempts to avoid jurisdiction, but the clear lesson of Megaupload is that the variation will have more effect on lawyers' employment than on a priori protection.

Backup, Backup, Backup. If anyone is harmed when Megaupload data is deleted, it won't because of Megaupload's crimes or law enforcement's actions. Rather, it will be because individuals or companies did not back up their data appropriately. If data are important, then they should be stored in a way that protects them from plausible failures. LOCKSS ("lots of copies keeps stuff safe") is the classic way to protect data: making sure that they exist in at least two distinct locations. It's that term "distinct locations" that requires attention. So far as backup is concerned, "distinct locations" differ from each other not only geographically, but also technologically and organizationally. Keeping one's data on two different devices in the same place is better than having only one copy, but it's less wise that having those devices two two different places--or, better still, having more than two in more than two places. Less obviously, if those devices all store data the same way (for example, magnetically), that's not as good as diverse technologies. Even less obviously--and the key lesson for users of cloud services--that a cloud provider backs up its data store isn't the same as having one's own copy. If, for example, the provider goes bankrupt, or is affected by a court order, or seized by law enforcement, all the data it holds--master copy and backups alike--may become inaccessible. LOCKSS!

I have my own Internet domain. It's hosted on a commercial service, Hostmonster.  On occasion, I use my site to make things I've written available either generally, for example a recent paper of how information technology might help transform higher education, or with restrictions, such as a collection of downloaded comic strips I keep online for my own use and entertainment. I also use it to host my personal blog. Both of these functions require that Hostmonster provide file sharing on my behalf--indeed, if you just clicked on the link to my paper, I just shared a digital copyrighted document with you (and notice that I didn't share the comic strips, which I'm not licensed to redistribute).

One early consequence of the Megaupload arrests was a move by several Internet services to eliminate or constrain file sharing. Yet file sharing is here to stay, a central building block of today's networked society and economy. The key lesson we must draw from Megaupload is not that file sharing is evil and must be stamped out, but rather that the value and cost file sharing, like everything else, depend not on what they are but rather on how we use them.


Tags from the EDUCAUSE Library