Slashdot Mirror

The hacker with perhaps the most famous first name around, Kevin Mitnick, has gone from computer hacking of the sort that gets one on the FBI's Most Wanted list (and into years of solitary confinement) to respected security consultant and author, helping people minimize the sort of security holes he once exploited for fun. His new book is called Ghost in the Wires: My Adventures as the World's Most Wanted Hacker; it's his first since the expiration of an agreement that he could not profit from books written about his criminal activity. Kevin's agreed to answer your questions; we'll pass the best ones on to him, and print his answers when they're ready. Note: Kevin also answered Slashdot questions most of a decade ago; that's a good place to start. Please observe the Slashdot interview guidelines: ask as many questions as you want, but please keep them to one per comment.

itwbennett writes "Neil Felahy of Newport Coast, California, has pleaded guilty to conspiracy and counterfeit-goods trafficking for his role in a chip-counterfeiting scam. Felahy, along with his wife and her brother, operated several microchip brokerage companies under a variety of names, including MVP Micro, Red Hat Distributors, Force-One Electronics and Pentagon Components. 'They would buy counterfeit chips from China or else take legitimate chips, sand off the brand markings and melt the plastic casings with acid to make them appear to be of higher quality or a different brand,' the US Department of Justice said in a press release. The chips were then sold to Naval Sea Systems Command, the Washington, DC group responsible for maintaining the US Navy's ships and systems, as well as to an unnamed vacuum-cleaner manufacturer in the Midwest."

These answers are from the lawyers in the U.S. DoJ's Computer Crime and Intellectual Property Section (CCIPS) -- the people who prosecute criminal file-sharing cases. Michael O'Leary, Deputy Chief for Intellectual Property at the DoJ, submitted the answers, but other lawyers in the section worked with him to write them, all under the ground rules laid out in our 'Meet the DoJ's 'Anti-Piracy' Lawyers post last week.

INTRODUCTORY COMMENTS

Thank you all for posing such interesting questions. We have answered nine of the ten submitted questions below, but we are not in a position to answer number ten because it is specifically related to a civil case (that does not involve the Department of Justice). However, in an effort to give you your money's worth, we have answered two additional questions which you posed in the comments accompanying the original interview, but were not submitted to us by the Slashdot moderators.

1) What services for an open source copyright holder - by bwt
First, thank you doing this interview. Most people here take IP very seriously and want laws and law enforcement that do what the Constitution intended.

Contrary to what many lay-people believe, open source software relies (heavily) on copyright and the legal system that assures those rights. In fact, among Slashdot readers are a large number of people who own copyrights to open source software. My question is what services your organization offers in practice to "real people". Our community creates software whose quality competes with that of multi-billion dollar corporations, so we clearly have a significant interest in having our own rights as authors protected. We all have no doubt that if Jack Valenti finds a website selling pirated versions of his movies that law enforcement will descend upon the infringer with a fury comparable to that wielded against drug smugglers and violent criminals.

Few among us would really object to enforcing the law against such a clear violation, however, I cannot help but wonder if there is equity in the system. I wonder whether an individual author's rights as a copyright owner would be similary protected? For example, if substantial quantities of code that one of us has written ends up in a company's product in a way that clearly violates the terms of an open source licence, how would the infringed copyright holder go about seeking your services?

What policy governs your decision whether or not to act on behalf of a copyright owner when a complaint is raised? What assures that the heavy hand of the law protects an individual's rights with the same fury that it defends those of the RIAA or a major software corporation?

O'Leary:
Thanks for your question. The issues you raise are ones that we confront from time to time and we welcome the chance to address them here on Slashdot. In reviewing your question, and many that follow, it appears that some Slashdot readers feel that the Department of Justice only protects the IP rights of big corporations. That simply isn t the case. There is no doubt that large multi-national corporations are often victimized by piracy due in some measure to the popularity and pervasiveness of their products. But at the same time, there are also many others who are victimized, such as small mom and pop operations, and young developers trying to break into a crowded and competitive market. I imagine many Slashdot regulars fall into these categories.

In deciding whether or not to prosecute an intellectual property case, we undertake a thorough examination of a number of factors. These include the nature and seriousness of the offense, the deterrent effect of the prosecution, the potential defendant s culpability, the potential defendant s history with respect to criminal activity, the likelihood of the prosecution leading to additional investigations of others, and the possible sentence or other consequences. Factors such as these, and not the identity of the victim, are the basis for prosecutorial decisions. We have made strong intellectual property rights enforcement a priority and we will continue to do so without regard to the size or market share of the victim(s).

The prosecutions we undertake do in fact benefit real people. If you look at the people and organizations who have been victimized by the defendants we prosecute, you will see that we enforce the law without regard to who the victims may be and we have protected the rights of victim companies of all sizes.

In one recent case, for example, we prosecuted individuals for pirating a significant amount of high-end application software. There were literally hundreds of victim companies, the vast majority of which were not large corporations. One victim company was a small software manufacturer located in the Midwest. They had one or two viable programs that sustained their entire operation of about ten employees, many of whom were family members of the owner. The company had spent many years developing its software, so the owner, of course, was devastated to find that his product had been pirated and was available for free on the Internet. His livelihood depended on the legitimate sale of only one or two software programs. If anyone thinks that piracy does not affect everyday people trying to succeed in business, they need look no further. The earnings of small operations like this are all put back into the business, to defray research and development costs and support further development. They do not have the resources to employ investigators to track pirates or lawyers to vindicate their rights civilly. They simply have an idea and a product a product which was, in this case, pirated and distributed around the world.

In regard to open source products, depending upon the facts, open source developers may seek to enforce their legal rights civilly, or, in cases where there has been willful infringement and certain criminal thresholds have been met, criminal prosecution may also be warranted. At this time, we are unaware of any referrals to law enforcement for open source license violations. As for reporting potential criminal infringement to law enforcement, the best way to do that is to contact your local FBI office.

2) This won't be taken seriously, but... - by Maul
.... I find it extremely hard to believe that your division truthfully represents the "people" of this country. It seems that your job is to help mega-corporations make "examples" out of college students and others who are too poor to defend themselves.

Yes, sharing copyrighted music and films is a crime. However, I see no justification for the insane penalties associated with file sharing and priacy. It seems that companies can make up some absurd figure in the billions, claiming it to be actual damages, without any sort of proof they have really lost that much at all from file sharing.

Can you please enlighten me as to why software and media "pirates" as well as other "computer criminals" are in many cases treated worse than rapists and violent criminals who use weapons?

O'Leary:
Before answering your underlying question, which we do take seriously, let me address what has become a common misconception. The recent cases involving college students were civil suits brought by private parties, such as the Recording Industry Association of America (RIAA). The Department of Justice is not a party to these suits. We enforce our federal intellectual property laws through criminal prosecution, not through civil suits.

Your question argues that the current sentencing structure for criminal intellectual property crimes is too severe and is based upon damage amounts that cannot be supported. First, note that the federal sentencing structure is established by Congress and the United States Sentencing Commission. As federal prosecutors, we work within these guidelines. Second, the sentencing guidelines reflect the serious harm that is caused by piracy. In our answer to the first question above, we gave just one example of a small developer who has been harmed by piracy. That situation is not unique. The amount of pirated material available online today is staggering. In the course of prosecuting piracy we have found servers containing over 20,000 titles of pirated software, movies, music and games. The value of the copyrighted material on servers like this is frequently in the millions of dollars. Factor in the number of times those titles are distributed over the Internet, and the damage amounts skyrocket. The sentencing structure reflects this harm.

Further, deterrence is a significant element in criminal sentencing not just in IP crimes, but in all crimes. Until recently, many people believed that piracy was a consequence-free activity and that it did not harm anyone. The sentences that have been handed down in recent prosecutions have begun to change that impression, and will deter others from engaging in similar conduct.

By statute, a person convicted of one felony count of copyright infringement faces up to 5 years in prison (or 3 years, if convicted under the NET Act when the piracy was not done for commercial advantage or private financial gain). However, there are a number of factors that determine the actual criminal sentence a defendant receives, including the volume and retail value of pirated material involved, whether the defendant uploaded material to the Internet, and whether the defendant had a leadership role in a larger criminal organization. Also, a defendant's sentence may be reduced if, for example, he had a minor role in the criminal operation, or he accepts responsibility for his illegal conduct.

The single biggest factor in determining a sentence under the U.S. Sentencing Guidelines is the infringement amount attributable to the defendant. While your question correctly notes this, please understand that neither industry nor the government has the ability to dictate this amount. In determining the amount of damage, the United States must provide evidence of the number and value of the copyrighted works infringed by the defendant to the Probation Office and the court prior to sentencing. The United States must provide evidence to support its position such as evidence of the value of the pirated works infringed by the defendant, the number of times the pirated works were reproduced or distributed, or, in some instances, the amount of money the defendant earned from his illegal activity. At the same time, the defendant may introduce evidence to establish what he believes is the appropriate valuation for sentencing purposes. Neither the U.S. Probation Office, which ultimately recommends a sentencing range to the court in what is known as a pre-sentence report, nor the sentencing judge is bound by the government's claimed damage amount. The government's recommendation for a particular sentence is subject to multiple checks and balances. It is not simply the by-product of numbers offered by industry. We have to support and defend our position in a court of law which is the way it should be.

Finally, while people convicted of intellectual property crimes do face serious consequences for their actions, they are not treated more severely than violent criminals such as rapists. The vast majority of prosecutions of violent criminals take place at the state and local level, not the federal level, which is where DOJ s jurisdiction lies. However, in those instances where there are federal violent crimes, the penalties are more severe than those imposed for copyright infringement. For example, as mentioned, the *maximum* sentence you can receive for one count of copyright infringement is 60 months, while the *minimum* for someone convicted federally of aggravated sexual assault is generally between 70 to 87 months.

3) Question regarding the DMCA and copyright terms - by rhadamanthus
If DRM-included hardware does become the law via the CBDTPA (SSSCA) or any other legislation, how does this interact with regards to copyright expiration? The DMCA makes it illegal to circumvent such DRM, thereby basically enforcing perpetual protection of the work. If the work is perpetually protected via this combination of law and technology, how can it be copyrighted legitimately, since the work will never *really* be able to join the public domain? This is analogous to trade secrets vs. patents, unless measures are taken to ensure the DRM encryption is removed once the copyright term is over. Or would that be illegal through the DMCA as well? The DMCA states, "No person shall circumvent a technological measure that effectively controls access to a work protected under this title." The title referred to is title 17 of the US Code, which covers copyright. I can therefore assume that removing copyright protections on expired copyrights would not be against the law. However, the DMCA also forbids the selling of tools to circumvent the very same DRM. I find it hard to believe that the RIAA/MPAA would let these tools become available regardless of the user's intent and/or rights under copyright expiration rules. Any comments about this apparent paradox?

O'Leary:
I don t believe that the CBDTPA is under consideration in the current Congress, nor are we aware of other pending bills that would mandate the use of digital rights management systems. However, your question seems more focused on the DMCA, specifically the portions of the DMCA that govern anti-circumvention technologies, i.e. Section 1201 of Title 18. For purposes of answering this question, the term DMCA refers specifically to Section 1201.

The DMCA prohibits trafficking (which includes manufacture, sale, distribution, importation, etc.) in tools (i.e., technologies, products, services, devices, etc.) that:

(a) are primarily designed to circumvent,

(b) are primarily marketed for use in circumventing, or

(c) have limited commercially significant purpose or use other than circumventing,

either one of the following:

(1) a technological measure that effectively controls access to a work protected under this title [i.e., the Copyright Act] (see 18 U.S.C. Section) 1201(a)(2); or

(2) a technological measure that effectively protects a right of a copyright holder under this title (see Section 1201(b(1)).

The first type of control above will be referred to as an access control, the second as a copy control. In addition to the restrictions on trafficking, the DMCA also prohibits actual circumvention of access controls (see Sec. 1201(a)).

The DMCA s main purpose is to help protect the rights of copyright holders. However, the DMCA was also designed in part to protect and preserve the rights of people who use copyrighted works. First, the DMCA expressly states that it is not intended to affect limitations on copyright or defenses to infringement such as fair use. Second, the DMCA contains a number of exceptions and exemptions that, for example, allow in some circumstances reverse engineering, encryption research, and certain actions by libraries and certain educational institutions. Third, while the DMCA prohibits the actual circumvention of access controls, it does not prohibit the actual circumvention of copy controls. As the district court in the Elcom case noted, Congress omitted a prohibition against circumventing copy controls specifically so that users could engage in fair use (and, presumably, to use works that enter the public domain). (See U.S. v. Elcom, Ltd., 203 F.Supp.2d 1111, 1020 (N.D.Cal. 2002)).

Your question deals with how the DMCA might affect works that have entered the public domain. As you know, copyright law grants copyright holders certain exclusive rights, such as the right to copy and distribute their work for a period of time. Currently, the length of the copyright term is the life of the author plus 70 years; for works made for hire, it is 95 years from first publication or 120 years from creation of the work (whichever comes first). After this term expires, works enter the public domain and are presumably available in some form that can be read, viewed, heard, etc., by the public.

While a court could find that the DMCA allows the circumvention of protections on works in the public domain, the statute nonetheless prohibits trafficking in tools intended for use in circumventing controls on protected works. While those same tools could potentially be used to remove access or copy controls on works in the public domain, it may still be unlawful under the DMCA to traffic in them.

We have not encountered any criminal case that involved this specific issue. Indeed, we are not aware of a court case either civil or criminal that has addressed this issue directly (although the district court in the Remeirdes case - the 2600 magazine case - acknowledged this issue, but because it was not central to the case before it, the court declined to elaborate).

It is possible that the interplay between the DMCA and access to public domain works will be addressed through rule-making or legislation. The DMCA provides for a periodic review process by the Librarian of Congress, and the issue of circumvention of technological protections on public domain works was one of the issues raised in the most recent review session earlier this spring (See http://www.copyright.gov/1201/).

4) Going Native? - by Andy_R
Here in Britain, we recently shut down the governemental body that regulated our train services because they were tending to take the side of the small number of contact personnel at the train companies that they dealt with on a day to day basis rather than the side of the faceless multitiude of passengers who they only knew through a few angry mails.

Given that your department will (in the vast majority on cases) be working on behalf of a very very small number of copyright-holding organisations against potentially millions of nearly anonymous file sharers, how will you prevent this 'going native' phenomenon biasing your investigations in favour of people you having a close working relationship with, and how will you defend yourselves against the inevitable accusations that you have 'gone native' and are a 'private police force' for the copyright holders?

O'Leary:
You ask an excellent question: how do we, as federal prosecutors, ensure that we retain independent judgment throughout the prosecutorial process? The decision to bring any criminal prosecution is significant and has serious consequences. For this reason, although we work with victims frequently, we work diligently to preserve our independent prosecutorial decision-making authority.

As attorneys for the Department of Justice, our mission is to enforce the laws fully and fairly on behalf of the people of the United States. This is a responsibility we take very seriously. While we work with a wide range of victims, from large multi-national corporations to small mom and pop businesses, the ultimate responsibility for making prosecutorial decisions remains solely with us.

Throughout the criminal justice process, there are checks on how we exercise our authority, including the citizens of the grand jury (who can reject our allegations), judges (who can dismiss charges or rule evidence inadmissible), and ultimately the citizens on the trial jury (who can acquit the defendant). However, even though these checks and balances are in place, from our perspective, it is still our responsibility to maintain appropriate boundaries at all times.

As a result, we try always to exercise independent, unbiased prosecutorial judgment when reviewing cases referred to our office for prosecution. Although you may not hear about it, we frequently decide not to move forward with criminal charges even in instances where the victim wants us to do so. The public doesn't hear about the prosecutions that are declined, only those that go forward. The decision to prosecute or not is a decision based upon a full and independent evaluation of the facts, the evidence, and the law. By maintaining this standard, we work to preserve the integrity of the criminal justice process.

5) Background - by TrekkieGod
Given that as IP lawyers at CCIPS part of your responsibilities is not only enforcing current laws, but also "reviewing new policy proposals, legislation, or international agreements related to IP", I'd like to know something about your overall technical background.

A frequent gripe with the geeks here at Slashdot, myself included, is that apparently legislators are not sufficiently well informed to create IP laws, frequently proposing and enacting laws which either constrain individual rights in favor of protecting those of big corporations (like the DMCA), or are simply not effective, because they can never patch the frequently referred to "analog hole" which is always a required step for humans to get to the information.

Given that for ethical reasons, you may not give your honest opinion on said legislation since you are required to enforce them, I'd simply like to know if I can trust that you are sufficiently well-informed to give council on these ever emerging new IP legislations. Do you feel that you truly have sufficient technical experience as opposed to your obvious legal ones? Can you elaborate on what type of experience you feel helps to qualify you to truly understand the ramification of these legislations?

O'Leary:
Interesting question. While we are all lawyers at CCIPS, we come to our current positions from a wide range of backgrounds. We have attorneys who have policy and legislative experience. Other attorneys are former Assistant United States Attorneys with years of criminal trial experience. Others came from civil practice before joining the Criminal Division, and a number of us represented technology companies in private practice. Still others have substantial technical backgrounds apart from being lawyers. As a general rule, however, almost everyone in CCIPS is curious about technology and how it intersects with the law. Our interest in technology explains why so many of us are frequent Slashdot readers, and why working at CCIPS sparked our interest in the first place.

One of the biggest misconceptions we confront regularly is that because we are law enforcement we must be opposed to technological innovation. This is simply not the case. The benefits of technology are numerous. We support and enjoy them. Yet, just as law enforcement must conduct itself so as not to unduly limit innovation, so too must we respond when technology is misused for illegal purposes.

Because of our interest in technology and its effect on the laws we prosecute, the attorneys assigned to prosecute IP crimes spend time learning about new technologies as they are developed. This helps us not only keep pace with the latest innovations, but enhances our investigative and prosecutorial skills as well. As your question suggests, you can t determine how (or if) the law applies to technology unless you understand how the technology works. We learn a great deal about technology in the course of online investigations, many of which involve extremely sophisticated technology. We are also trained on an ongoing basis on various aspects of networks and technology in order to continue to develop and refine our skills. Finally, we draw upon the knowledge and perspective of technical experts from the investigative agencies as well as from the private sector.

All of these factors combine to give us a better perspective on the relationship between law and technology. We are frequently called upon to review and consider various legislative proposals. In instances where we are asked to comment on a proposal, we have the requisite technical and legal background necessary to provide a detailed and comprehensive analysis of the proposed legislation. We view providing this type of input as one of our core responsibilities, and we work very hard to stay in touch with emerging technologies for this very reason. Thanks for your question.

6) Terminology and newspeak - by kafka93
Given that from a legal standpoint (and, many would argue, an ethical one) there is a distinction between "copyright infringement"/IP violation and "theft", what views do you have on the regular and incorrect/misleading application of the latter term by such people as the RIAA and law enforcement? Such misuse of language seems disingenuous, and taints the arguments of those who might otherwise have valid points to make about the morality of misuse of intellectual property rights.

It seems that if there are ethical arguments against piracy and other forms of copyright misuse, those arguments can and should be made on their own merits without the introduction of psychological wordplay apparently designed to confuse the public and cloud the debate. Accordingly, what steps are being taken to clarify the correct terminology and to avoid jingoistic use of words like 'theft', 'thieves' and 'stealing' amongst law enforcement and elsewhere?

O'Leary:
You're correct that words are important, in particular as they apply to characterizations of specific conduct. As you suggest, people with differing views on intellectual property enforcement should be careful not to overstate their case, nor should they do the opposite in an effort to minimize the effects of their conduct.

Traditionally, theft involves taking something from another person without their permission. In short, you deprive that person of their property and they can no longer enjoy its use. Some have argued, particularly in the context of online or digital piracy, that infringement or misappropriation really doesn't deprive the victim of their product because it is merely being copied, so infringement or misappropriation is not truly theft.

As criminal prosecutors, we focus on the conduct, regardless of the label that might be applied. That said, in the cases we prosecute, we believe that using the term theft is not misleading. While there may be technical differences between certain types of infringing activity, conduct that triggers the criminal statutes is analogous to theft.

In some instances, piracy can actually be more damaging than traditional theft. Unlike traditional theft, where a person steals a specific number of tangible objects, one product in digital format can alone be used to generate hundreds of thousands of near-perfect digital copies within hours. In the case of software piracy, for example, the developer has not been deprived of his product in the traditional sense it has merely been copied. Yet, he faces the grim reality that his product is now available around the world, often for free, to anyone with a computer and an Internet connection. In very real terms, even though he retains his property, the digital victim is in a much worse position than the victim of a more traditional theft. To him, the theft is clear and the harm couldn t be more real.

7) Fair Use - by El_Smack
I hear the term "Fair Use" bandied about all the time in these discussions. From a legal standpoint, does it exist? Do I have a right, that will stand up in a court of law, to make a copy of software/music/data for my own personal use? If I do, does making an "uncopy-able" product violate that right?

O'Leary:
Great question. The term fair use is frequently misunderstood, and with good reason. The short answer to your question is that fair use does exist. It is an important and longstanding aspect of our intellectual property rights regime. Fair use is a doctrine that holds that although copyright laws grant the creators of copyrighted works certain exclusive rights in their works, the law must simultaneously allow citizens to engage in a degree of copying (or other conduct that would otherwise be infringing in the absence of a fair use doctrine) to allow for such things as comment, criticism, scholarship, and news reporting.

The doctrine of fair use was originally adopted by judges ruling in early copyright cases. Ultimately, Congress incorporated the doctrine into the Copyright Act of 1976, where fair use is now codified at Section 107 of Title 17 of the U.S. Code. In creating section 107, Congress listed four factors to be considered in determining whether a use is fair or not:

(1) the purpose and character of the use, including whether the use is of a commercial nature or is for nonprofit educational purposes;

(2) the nature of the copyrighted work;

(3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and

(4) the effect of the use upon the potential market for or value of the copyrighted work.

These factors are essentially the same factors that had been used over the years by judges, and Congress's stated intent was to preserve the fair use doctrine as it had evolved. However, as many courts have pointed out over the years, whether something constitutes fair use is very fact-specific. It is difficult to craft a clear, bright-line rule that explains which particular uses of a work are fair use and which are infringement. In short, the exact parameters of fair use are often determined based on the facts of specific cases.

So yes, fair use does exist. Does it allow for some uses of copyrighted works that would otherwise be infringing in the absence of a fair use doctrine? Yes. Does fair use give a user a blanket license to infringe copyrighted works with impunity? No.

Fair use is among the many factors that prosecutors consider when determining whether or not to bring criminal charges. Having said that, however, fair use is not typically at issue in the cases we decide to bring as criminal prosecutions. Rarely do the facts that we would consider for prosecution give rise to a (sustainable) fair use argument by the defendant or defendants although we certainly hear them from time to time. As to your final question, while there certainly is a right to fair use, it is not a violation of that right to make products that cannot be copied. Although such features may prove unpopular to some, ultimately it is for the marketplace to decide the viability of those products.

8) distinctions - by newsdee
Is a distinction made between different levels of IP infringement?

I imagine that, from a legal standpoint, there should be a different point of view between a student that copies one software for personal use and a blatant thief who makes money out of selling the same copied software.

However, this question has two assumptions:

- The student would not use the software if it was not available (i.e. it is not a lost sale)

- Both activities are infringing (i.e. this question is not seeking to justify the first case)

I think this question is especially relevant since there are reports that the RIAA is now prosecuting students for "infringements" that are mostly gray areas (i.e. the infringement does not seem proven beyond a reasonable doubt, at least to the public).

O'Leary:
Yes, there are distinctions made between different levels of infringement. Perhaps the most significant distinction is the difference between civil and criminal infringement. Historically, the vast majority of disputes about intellectual property rights enforcement have been dealt with in civil lawsuits, with the criminal law dealing with only a narrow subset of activity. Although there has been increased emphasis on criminal prosecution in recent years, it is still the case that most intellectual property enforcement is civil. The criminal copyright statutes don't allow anyone to be prosecuted unless he infringed a copy willfully, which is the most difficult type of intent to prove. The civil statutes, on the other hand, address infringement even if it was negligent or unintentional. Because we focus on the criminal IP laws, I will answer your question from that perspective.

There are two levels of criminal violations within the criminal copyright code. There are misdemeanors, which carry a prison term of one year or less. And there are felonies, which carry prison sentences of over one year (more on this below).

In general terms, infringement becomes a criminal matter (as opposed to civil) when it reaches a certain magnitude and when the conduct is willful. Within the criminal copyright statutes (17 U.S.C. sec. 506 and 18 U.S.C. sec. 2319) there are thresholds which must be met to trigger potential criminal sanctions. Simply put, these thresholds deal with the quantity and value of the works that are infringed.

Your question talks about the blatant thief who makes money out of selling copied software. This highlights another important area within the criminal law. The criminal statutes make a distinction between for-profit and not-for-profit piracy. Someone who is convicted of piracy for commercial advantage or private financial gain is subject to a felony penalty of up to 5 years in prison. By contrast, someone who infringes for reasons other than commercial advantage or private financial gain faces a maximum penalty of 3 years in prison (under the NET Act). Be aware, however, that the term private financial gain can encompass situations where pirated products are distributed or reproduced for anything of value, including other pirated products. In those instances, defendants will be subject to the 5 year penalty.

As we discussed earlier, there are a number of variables that determine a defendant s sentence in any particular case. However, these are the general distinctions made among various types of conduct which would be considered criminal in nature.

Finally, your question references cases being brought by the RIAA. As we've noted above, the cases filed by the RIAA are private civil actions which do not involve the Department of Justice. Also, you referenced the "beyond a reasonable doubt" standard within your question. In a criminal trial, the government must prove the defendant's guilt beyond a reasonable doubt to every member of a jury of twelve citizens. However, this standard is applicable only in criminal cases, not to civil actions like those brought by private industry. Civil actions are governed by a lower standard of proof.

9) "... under penalty of perjury ..." - by OWJones
In copyright law, 17 USC Section 512(c)(3)(vi) states that all notifications of copyright violations sent to ISPs must contain

A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

(emphasis mine).

Do you know of any cases in which the sender of an invalid takedown notice -- such as the RIAA claiming Penn State University Emeritus Professor Peter Usher's lecture on radio-selected quasars was, in fact, an mp3 from the musician Usher -- has been successfully charged with perjury? Or do you allow copyright holders some "fudge factor" with the perjury aspect, since

1. It was an mp3.
2. It did have the name of an RIAA-represented artist in the title, and
3. It was at a university.

If copyright holders are allowed leeway, can we expect to see similarly loose definitions of perjury creep into the legal system? If the police are looking for a "Caucasian male, age 50-60, bald, 200-225 pounds," can I testify in a court of law that the 18 year-old caucasian male with a ponytail, weighing 140-150 pounds, is in fact the suspect since he is, after all, a caucasian male?

I realize that's more than one question and that they're slightly loaded, but I'd appreciate any comments on how seriously the DoJ takes the perjury clause of the takedown notices.

O'Leary:
Your question raises an important point. We feel strongly that everyone should comply with the requirements of all laws. Legal process under the DMCA or any other provision of law should be undertaken with the utmost care and good faith. Failure to do so undermines the credibility and effectiveness of our legal system.

Having said that, it appears your interpretation of the language in 512 (c)(3)(vi) is in error. The phrase "under penalty of perjury," applies to the representation that the complaining party is authorized to act on behalf of the copyright owner. It does not apply to the accuracy of the information about the alleged infringement. Quoting federal district Judge Bates in Verizon v. RIAA, The DMCA also requires a person seeking a subpoena to state, under penalty of perjury, that he is authorized to act on behalf of the copyright owner, 257 F. Supp.2d 244, at 262. In other words, the perjury clause may be violated if you seek a DMCA subpoena without the authorization of the copyright owner.

We are unaware of any prosecutions for violating this provision of the DMCA at this time.

10) Daniel Peng's "MiniNapster" - by Pxtl
What is your opinion on the case of Daniel Peng? The internet at large is angry at the treatment of Peng by the courts - many consider sites like the one Peng created to be "common carriers" - that is, all Peng's site did was list the files other users had chosen to put on the academic network to be freely downloaded. Was it his responsibility to ensure that all the files listed on the academic network (which, unlike Napster, was a network he did not operate or design) were legitamate? While he may have been personally involved in pirating files (that is, he may have personally downloaded files to his computer) that was not the focus of the lawsuit. Peng was placed into a legal battle where he had no chance at victory, and as such had to settle out of court. What is your opinion on this case, and ones like it?

O'Leary:
The litigation involving Daniel Peng was a civil matter between private parties. I don't know any more about the case than what has appeared in the public press and other media. Therefore, as I mentioned at the outset, we simply cannot comment. However, as promised, we answered two additional questions which were not submitted to us by Slashdot moderators to make up for not answering this one.

11) Copy protection? - By Jucius Maximus
I am aware that companies spend large sums of money on holograms, authenticity cards, product activation schemes, anti-CD-copying schemes, serial numbers and so on. When investigating alleged copyright infringement, do you find that these anti-IP-infringement techniques have a real effect on preventing such things from happenning? Does copyright infringement go down when companies put up roadblocks like these or do the infringers get away with it nontheless?

O'Leary:
Copyright owners have indeed implemented a variety of methods for deterring unauthorized copying or counterfeiting of their works. Software makers in particular often apply very elaborate authentication features to the packaging and media for their software in order to distinguish genuine copies from counterfeits.

In our experience, it appears that many of these methods have been effective at discouraging infringement and counterfeiting. For example, the use of unique authentication codes or serial numbers seems to have helped discourage some copying of software. The copy protection system used on DVDs seems to have been effective in discouraging many people from copying DVDs. And the advanced authentication methods used on software packaging (like holograms, watermarks, and edge-to-edge printing) have made the task of manufacturing counterfeits more difficult. In fact, some counterfeiters appear to have given up trying to beat the software makers at the authentication game, and instead now simply try to steal genuine packaging materials to package their counterfeit discs.
Have these copy-protection or authentication features eliminated infringement and counterfeiting? No, but they have had a deterrent effect.

12) Foreign Agencies - By mitd
As a Canadian I am curious as to the co-operation you receive (if any) from agencies outside the US? Specifically Canada but also internationally in general.

O'Leary:
Great question. For too long, people have believed that geographic boundaries shield them from the consequences of piracy. Over the past few years, we have been working to change that belief. The Department recognizes that in order to deal with piracy effectively, we must respond globally. This is true regarding both online piracy and traditional hard goods piracy cases.

CCIPS has made international enforcement a priority. We have a number of tools, both formal and informal, for working internationally, including Mutual Legal Assistance Treaty Requests and Letters Rogatory. We are also able to employ the network of legal attaches stationed at U.S. Embassies around the world to help strengthen relationships with our foreign law enforcement counterparts and help build strong international cases. In general, international cooperation on intellectual property cases is becoming more effective each year. We do work on intellectual property cases with Canada and will continue to do so in the future. We are also currently working on cases in over a half a dozen other foreign nations. Over the past two years we have worked closely with investigators and prosecutors overseas in order to strengthen our own domestic prosecutions as well as support foreign prosecutions. We have traveled overseas to assist our foreign counter-parts and have welcomed foreign agents to the U.S. to learn more about evidence we might have to support their prosecutions.

Our office is currently working with the United States Attorney for the Eastern District of Virginia on the extradition from Australia of Hew Raymond Griffiths, a.k.a. bandido, the former leader of various warez groups, including DrinkOrDie and RiSC. In March 2003, a Federal Grand Jury sitting in the Eastern District of Virginia indicted Griffiths on charges of conspiracy to violate U.S. copyright laws; his extradition is being sought to face these charges. This is the first extradition of a foreign national for online copyright piracy.

Although working internationally is time and resource intensive, it is essential to effective enforcement of intellectual property rights, and we are committed to addressing piracy wherever it occurs.

Addendum:

Thanks again to everyone for submitting your questions. There were some great ones, and we regret that we cannot answer all of them. Thanks also to Slashdot for the opportunity to discuss these important issues. We look forward to additional opportunities to work with members of the online community to ensure that intellectual property rights are sufficiently protected.

This week's Slashdot interview guests are the 'point people' for Federal criminal actions against online file-traders and software misapproprators. They know some Slashdot readers may have little sympathy for what they do all day. Be that as it may, this is a great chance to understand what it's like on the enforcement side of the intellectual property coin. We have a special set of 'ground rules' for this interview (below) supplied by the Department of Justice that we must ask you to read before submitting questions. From the DoJ (verbatim):

Answering your questions will be the attorneys assigned to prosecute intellectual property crimes in the Department of Justice's Computer Crime and Intellectual Property Section (CCIPS). Spearheading this group will be Michael O'Leary, Deputy Chief for Intellectual Property who oversees the day-to-day intellectual property enforcement operations. Here is some background on CCIPS and their intellectual property efforts:

CCIPS began as a small group within DOJ in 1991, with a focus on network crimes (e.g. hacking into machines, destructive worms and viruses, denial of service attacks), intellectual property crimes (e.g. software piracy and counterfeiting), and electronic evidence issues. CCIPS is part of the Criminal Division of DOJ (which, as its name suggests, is primarily responsible for enforcement of federal criminal laws). Today, the section has grown to almost 40 lawyers, of whom about a dozen focus on IP issues. (Please keep in mind that it will be the IP prosecutors answering questions here, so save your non-IP-related hacking or electronic evidence issues for another time.)

What do the attorneys assigned to IP at CCIPS do? The IP prosecutors in the Section are responsible for establishing and enforcing the Department's overall intellectual property rights enforcement program, including the prosecution of federal intellectual property crimes. In some instances, CCIPS handles the prosecution of intellectual property cases. More frequently they work closely with prosecutors in the U.S. Attorneys' Offices around the country who handle the vast majority of federal criminal prosecutions, both IP and non-IP. They also provide training on IP issues for prosecutors and law enforcement, both domestically and internationally. Other responsibilities include reviewing new policy proposals, legislation, or international agreements related to IP, and providing advice to other government agencies or components of DOJ. The prosecutors also work closely with foreign law enforcement counterparts to coordinate IP enforcement activities around the globe.

While they are committed to fully answering your questions, as Department of Justice attorneys, they are subject to various Federal laws, Department of Justice rules, and ethics rules. They are not permitted to provide legal advice to individual private citizens. This means that there is no attorney-client relationship between CCIPS and Slashdot readers, users, or moderators (and answering questions on Slashdot should not be interpreted as creating one). Therefore, they will not answer questions seeking legal advice. Finally, they cannot discuss ongoing cases, investigations or related hypotheticals.

To learn more about the Department of Justice or the Computer Crime and Intellectual Property Section, visit the following web sites, www.usdoj.gov and www.cybercrime.gov.

According to Yahoo News and also Cyber Crime The longest running news site for Piracy has been turned over to the Department of Justice. Stating David Rocci AKA krazy8, has recently plead guilty to selling modchips via his website http://www.isonews.com with profit of $48,000. Now the domain has been linked to the Cybercrime Site warning all pirates all there that modchipping is not a game. [chrisd] In case you needed a reminder...you don't own your hardware. Eff? That said, this is not 100% positive, and there are rumors of the old site floating around on other ip addresses out there. In related DOJ web hijinks..joemite writes "Cannabis News released this article about how the DEA is seeking to redirect indicted businesses that sell glass bongs and pipes to the DEA's website. "If the court orders the sites to be redirected, Ashcroft said, they will point to a DEA.gov Web page that says: "By application of the United States Drug Enforcement Administration, the Web site you are attempting to visit has been restrained by the United States District Court for the Western District of Pennsylvania pursuant to Title 21, United States Code, Section 853 (e)(1)(a)."" Also check out an analysis of the entire situation by Richard Cowan"

Okay, former DrinkOrDie member and convicted warez dude Chris Tresco got his answers to your questions back to us, so here they are. (Note: Chris does not advise you to follow in his footsteps.)

1) How clueful are they?
by jeffy124
In your opinion, how did the each party (prosecution, your lawyer, and most important - the judge) look when it came to their understanding of technology? Did they know every nook and cranny, or seem lost in a maze of confusion? Do you think an understanding of the issues in question was a significant factor in court proceedings?

Chris:
That is a tough question to answer considering the organizational structure of the government's side of things. The prosecution works very closely with other units of law enforcement when it comes to technically challenging cases like mine. In my situation, the government prosecutors were very well briefed about how the technical aspect of the warez scene work. They are briefed by law enforcement agents who are very technically savvy and able to sift through all of the data that they are presented with at the time a warrant is carried out. With this data, the agents build a packet of evidence that the procecutors can look through and easily understand. They had a plethora of evidence on which to build a case against me and it boiled down that all the ones and zeros that the agents were able to pick through added up to copyright infringement in the prosecution's eyes.

The judge doesn't really see the technical aspect of the case. He sees a report of the evidence, which is written in clean English, and makes his decision based on that.

My lawyer isn't very technically adept, but lawyers are pretty bright. He was able to grasp the concepts of everything, if he wasn't able to, he wouldn't be my lawyer. :) Besides, I was able to coach him through most of it.

2) "The Bust", WarGames or Matrix?
by msheppard
What was "The Bust" like? Was it like _WarGames_ where they showed up in black vans and confiscated your computers and rifled through your trash? Or was it more like _Matrix_ where they called you in and presented all sorts of evidence they collected online etc.?

Chris:
I would say that it was a cross between the two. I will lay out exactly what happened to me:

I was sitting at my computer chatting with a fellow DOD member on IRC. All of a sudden I noticed my net connection died. When I went to walk out the door, a U.S. Customs agent met me. "Mr. Tresco, My name is XXXXX, I am with the U.S. Customs Department. Would you mind coming with me?" As I turned the corner, there were about 20 law enforcement officials combing the halls of my workplace. We proceeded to a conference room where I answered questions for the better part of the day while the agents proceeded to carry out their warrant. They were looking for specific systems that were on the warrant. They had IP addresses. Technically, they had the authority to take everything on the network that the computers identified on the warrant were on, however they followed the warrant pretty strictly, taking only the stuff on it. It was really the hardest day of my life. I had no idea what was going on most of the time. I felt like I was in a dream.

3) Was there a feeling that DoD was too big?
by crunnluadh
The incredibly large volume of warez DoD was trading must have been staggering. At any point in time did you or anyone else in DoD ever think that the whole ring was getting way out of hand? If so, what ever came from that or those discussions?

Chris:
In terms of percentages of releases put out by DOD in relation to the scene, we weren't doing all that many. We did, however, have quite a large number of ftp sites that were being heavily utilized. One of our private leech sites was larger than a terrabyte of games and movies. It was constantly being uploaded to and downloaded from. This should give you an idea of the amount of trading that was going on.

To answer your other question... I felt on a daily basis that things were getting out of control. There were times that I did actually quit, but only for a day or so. IRC always brought me back online. That was my biggest mistake. DOD was a warez group, yes... but imagine a bunch of guys/gals sitting around talking all day and suddenly you stop showing up... You start to miss that type of interaction.

4) Feelings?
by Sebastopol
Are you scared about going to prison? Do they prepare you in any way before you enter the facility, or do they just throw you in and that's it?

Just typing these questions make me uncomfortable.

Chris:
I am very scared to go to prison. I have never been in any sort of jail in my life. They prepare you in the sense that they tell you where and when to go, what you can bring, and what type of facility it is. The rest is done through books and my lawyer, who has been really great through this whole ordeal. I am fortunate enough to be assigned to a minimum security facility close to my home.

5) If it wasn't about the money, what was it about?
by wackybrit
You were a sysadmin at MIT, so were probably pulling in a pretty good wage.. at least, probably better than 50% of the Slashdot readership anyway.

So if it wasn't about the money, what was it about? Prestige is one option, but people in these groups need to keep hidden, so that doesn't fit. Was it for the ideals? If so, what ideals are there in ripping off software?

I can understand why people who can't afford software rip it off.. they have stuff to do, and can't afford $500 for Photoshop or whatever.. but tell me why someone with a decent salary will work in secret to beat the software companies.. what is the motivation?

Chris:
My motivation had absolutely nothing to do with the software, the prestige, the civil disobedience, or the mysteriousness of it all. My motivation was purely and simply putting technology to work. I have always been a curious cat, like most of you that read Slashdot. I was basically the Sysadmin of DrinkOrDie. I love to make computers work together, build up networks, install services, lockdown boxes... you guys know the drill. I got very carried away with what I was doing and forgot to confide in my moral self. I knew I was doing wrong, and yes... to clear anything up... it is absolutely wrong to steal software from a company. Whether it is ones or zeros or bags of money, it is stealing. If for no other reason, it is wrong because of the license agreement. If you don't agree with the license, don't use the software.

6) questions from a fellow cracker
by Anonymous Coward
I am a cracker from a fairly well known group, living in the US. We take normal precautions (encrypted email/irc), but there are clear vulnerabilities that cant easily be eliminated (topsite accounts and the possibility of trojaned supplied software, etc.). The dod bust stunned all of us with the lengths of the sentences, which seem out of proproportion to the crime. I find myself asking more and more whether the risk is worth the fun. We are all in it for the commaraderie and the friends (and the access to files); of course none of us are making any money from it. My question is, if you had it to do over again, would you stay out of a group, and of the scene? Were there risks you took that you sholdn't have? What were they? Any advice to someone still in the scene who wants to stay but worries about being caught?

Chris:
If I had to do it over again, I would absolutely not get involved with the scene. The scene is technically organized crime... that is it. Mobsters have friends too, but would you want to go to prison for what you and your fellow comrades are doing on the net? Isn't it better to pay for the occasional piece of software you might want than to pay with 33 months in federal prison? I think so... And you say here:

"I find myself asking more and more whether the risk is worth the fun."

That is the wrong way to think about it. You are asking yourself if it is worth something to commit a crime. What you should be asking yourself is, if what you are doing is fundamentally wrong. If it is (and I would say that it is) then stop doing it.

To answer the rest of your question... The only pertinent risk was getting involved with the scene in the first place. You will get caught sooner or later if you continue doing what you are doing. My advice to you is to get out while you still can. Any precautions you take are easily circumvented. For example, email encrypted via PGP is only as strong as the people who get the email. If the government busts 20 people in your group, the odds of one of the people giving up their passphrase is pretty good. from that point, all the mail is readable. Encrypted IRC is not going to do it either. What if one of the people you are chatting with is an informant? Encryption becomes meaningless.

My advice: get out of the scene.

7) Plans for your stay?
by zbuffered
One of the things about jail is that you have nothing but free time. So what do you plan to do? Study for a new career? Work out constantly? Plan your escape? Learn to speak Sanskrit?

When you get out, you will have had 33 months of basically no real responsibilities. If you find a nice, cushy prison, you can get some real work done. Are you going to use this time to make your life when you get out of jail better?

Also, when you get out, what do you plan to do? Something in the computer field, or do you plan to change your path when you get out? If I were in your place, I think I'd just get fed up with computers and become a florist or something.

Chris:
During the time I am in prison, I will educate myself. I will hopefully be able to take some classes towards a degree. Since I love working with systems, I will hopefully be able to school myself in the art of business and compliment my technical skills. My passion lies with IT, I would love to take the education I get from prison (formal or not) and use it to better my career and make me a better person.

8) Rise of P2P?
by Rayonic
How do you feel about the rise of P2P and its affects on the Warez community? Do you think it makes it safer (safety in numbers?) or do you think that it'll bring down the fist of the law even harder?

Which P2P networks did you prefer, if any?

Chris:
In the context of the warez scene, P2P networks don't play any part. They are essentially mutually exclusive members. I think that people in the warez scene used P2P networks just as frequently and for the same purposes as the majority of P2P users. P2P and the warez scene do, however, relate in one fashion. Both networks utilize the internet as a means to illegally distribute copyrighted works. This will affect both entities in that the more illegal activity that goes on in general, the more law enforcement will be trying to put an end to it. This puts more heat on both services. Technology crimes are also a hot topic as of late. So popular that there are many organizations, like the Software and Information Industry Association (SIIA) at www.siia.net and the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice at www.cybercrime.gov, whose sole purpose is to stop them from happening. Software companies really do lose money from piracy, why else would they support these types of organizations?

Oh. and I preferred ftp.

9) What is your opinion of free software?
by Billly Gates
If you plan not to pirate software again would you chose to pay for commercial apps or would you use free software?

Has your opinion changed about free software vs commercial software because of your unfortunate experience?

Do you think strong armed tactics by the BSA and upcoming drm will actually help spread free software?

Chris:
I generally try to run linux on the desktop where ever possible. That being said, I love free software, I used it when I was pirating and I use it now. I am composing this in OpenOffice btw. :)

I think both free and commercial software have their place in the industry. I also think that DRM and the BSA won't really have any effect on free software. People and businesses who pay for software don't have to worry about these features because what they are doing is legitimate. In my mind, I would think that companies who are completely compliant who are targeted by the BSA would be happy about it. They would clear their name and be finally exonerated. With respect to DRM, I think this technology is mainly targeted at media right now. That being said, I don't think it will help spread free software. except for maybe free Ogg codecs and players. and a lot more Ogg-files.

10) Prove me wrong.
by _xeno_
I want you to explain if you disagree with the following and if so, why.

My understanding of this is that you were involved with the illegal distribution of copyrighted works, depriving the potential owners of money for the works (possibly - the reality may be "probably not," but...). You then received 33 months of jail time (or just under 3 years) which seems to me to be rather fair.

Based on the Operation Buccaneer information, you received counts of felony (criminal copyright infringement, probably), and conspiracy (to commit criminal copyright infringement, probably). (Both probablies are guesses based on the document.) This seems to be in line with what one would expect for charges against a ring of people whose sole goal is to steal massive quantities of software and redistribute them to as many people as want them at no charge. (The fact that there was no charge probably reduces the sentence to a degree, but the fact that it required specialized skills and involved a large collective of people acting together to commit criminal copyright infringement probably both outweigh that.)

So... why should I feel sorry for you? You got what you deserved. You stole from people and gave copies to as many people as you could. Based on the MIT press release, you illegal utilized systems you were supposed to be administrating for the purposes of illegally distributing software. As far as I can see, you got exactly what you deserved.

So - prove me wrong. Demonstrate that my understanding is flawed or that I am misunderstanding the crime. Demonstrate that it should not be a crime. Or - accept my view. Explain if you feel sorry for your actions and believe that you did indeed commit the crimes. Or come up with another response that does not fall directly between agree and disagree.

Chris:
Is this flamebait for the interviewee or what? :) I won't bite. Your question seems to start halfway through your rant, so I will start there.

You shouldn't feel sorry for me. I committed crimes that I shouldn't have committed. I stole from innocent companies and now I am feeling the repercussions. I am not asking for pity nor am I looking to be put up on a pedestal for what I have done. I am simply here to tell people what happened and that it can happen to anyone who takes part in this type of thing.

Addendum:

My nickname wasn't mentioned when the call for questions was posted, I guess I forgot to tell Robin. I was known as bigrar, BiGrAr on irc. If anyone wants to ask any questions besides the ones I have answered, you can send me email at nospam@rarcom.com. Actually you can take a look at my website as well, at www.rarcom.com (my hosting company is going to kill me). I am setting up a service there called the "Free Software Mirror Project". Through this site, I hope to start a huge mirror system for free software. When these questions are posted to slashdot, I am going to make the URL all text, so as to not completely slashdot my hosters. The mirror system is unique because it will work the same way the warez scene works. with couriers, suppliers, etc. Drop me a line if you possibly want to help me out with this.

Thanks,

- Chris

Chris Tresco is one of those evil "software pirates" cybermoms warn you about. He was a sysadmin at MIT, and also a member of "the secretive Internet software trading ring known as 'DrinkOrDie'" who got caught by the DoJ's Operation Buccaneer, got convicted, and was sentenced to 33 months in prison on August 16. Chris has a little time left on the outside before he goes away and has agreed to spend some of it answering your questions, so ask away. (Usual Slashdot interview rules.)