As most denizens of the Internet are well aware, one of the fiercest and most public battles over Internet freedom in the United States was fought at the beginning of the year. I am, of course, referring to the fight over the Stop Online Piracy Act, or SOPA and its Senate counterpart, PIPA. Both bills were supposedly designed to combat copyright infringement overseas, but granted broad powers that would have made it possible to censor the Internet to a greater extent than ever before. The justification for this legislation according to the MPAA, one of the major backers of these bills, is that downloading copyrighted material is theft and that loss in profits means the loss of American jobs.1
Fortunately, through the combined protests of much of the Tech Industry and countless netizens, the bills suffered a devastating defeat. The harsh and unexpected backlash to the legislation has left many in Washington shaken and unwilling to go out on a limb on any other bills that could be seen as trying to censor the Internet. While this turn is in many ways a good thing for advocates of Internet freedom, nothing in politics is ever that simple.
One of the central questions to the debate over Internet freedom and censorship is the nature of copyright infringement. Entertainment lobbyists, such as the MPAA and the RIAA, deliberately conflate the copying and distribution of copyrighted material with theft. Clearly, copying is not theft. Even the Supreme Court agrees on that point:
…interference with copyright does not easily equate with theft, conversion, or fraud. The infringer of a copyright does not assume physical control over the copyright nor wholly deprive its owner of its use. Infringement implicates a more complex set of property interests than does run-of-the-mill theft, conversion, or fraud.2
Nevertheless, distributing digital material over the Internet is most often discursively constructed as being the same as stealing physical goods. We talk about these phenomena in terms of “IP theft” and “software piracy,” often justified with the concept of the “lost sale.” While the idea that everyone who illegally downloads a song or movie over the Internet would otherwise have bought it is fairly ridiculous, it is a metaphor people understand. People are comfortable with the creation, sale and theft of physical items. It’s harder for people to make judgements based on the complex relationships between things like creative input, virtual labor, and computer code. But then again, that’s what metaphors are for – keeping things simple so that we can understand them. So, if the idea of “copying as theft” encourages people to pay for their entertainment through legitimate channels, it’s not doing any harm…right?
Two weeks ago, I had the opportunity to attend a presentation by Sean Lawson on cybersecurity discourse. Cybersecurity has become a hot topic in politics over the last decade, but particularly since the cyberattacks on Estonia in 2007 and Georgia in 2008. As Lawson pointed out, however, our motivations for pursuing cybersecurity have changed considerably over the last decade. Initially, the motivation behind developing cybersecurity was to prevent an attack on the country’s infrastructure – the “cyberdoom” scenarios where hackers are able to knock out the nation’s power grid or cause a meltdown at a nuclear plant. As time went on and no such attacks took place, the emphasis began to shift away from threats to critical infrastructure and toward the more practical problems of IP theft. In the White House’s 2009 Cyberspace Policy Review, threats to infrastructure are dealt with, but much of the focus is placed on threats to intellectual property. The report estimates the financial losses in 2008 from intellectual property and data theft to be as high as 1 trillion dollars.3 How they came to that number isn’t exactly clear, since the document that they cite estimates losses from IP theft at only $559 million and is focused on security breaches, not piracy.4
While the White House’s estimate may be a bit suspicious, more significant than its accuracy is its meaning. What does it mean to lose money to IP theft? If a million people download a movie that retails for $30, is that a $30 million loss in sales? What about people who download the file multiple times? What about people who later buy the DVD? What about people who later watch the same movie on Netflix? Did the time I watched my friend’s bootlegged copy of Lord of the Rings (complete with Korean subtitles) in high school negate the hundreds of dollars I probably spent on movie tickets, DVDs and other items? The real problem isn’t that these estimates on “informational damage” are inaccurate, it’s that they’re practically meaningless.
While trying to estimate the informational damage to the entertainment industry is very problematic, it becomes even more so when applying these same estimates to military technology. While you can argue that a teenager downloading an MP3 without paying for it takes money away from someone, a foreign agent stealing plans for a new fighter jet is a very different problem and requires a very different solution. In cybersecurity discourse, however, teenagers and spies are often lumped together in the same category.
One of the main points that Lawson brought up was that the discourse of cybersecurity has combined a number of different threats into a single “generic cyberthreat.” The concept of a generic cyberthreat combines the prevalance of IP theft and the potential impact of cyberdoom scenarios. Unfortunately, by distorting cybersecurity threats in this way, we ignore more plausible threats. We also end up with solutions that don’t fit the problem, such as the US Cyber Command, a military command whose role may or may not include policing bootlegged copies of Avatar. Additionally, in the wake of the SOPA debacle, lawmakers are now terrified of being associated with any kind of legislation that could be seen as trying to regulate the Internet. This includes cybersecurity initiatives.
So if the realm of cybersecurity is so hyped and convoluted, how should we deal with things like cyberwarfare? Lawson made two main suggestions. First, we need to disentangle the many different issues that make up “cyberthreats.” The military should be left to deal with actual threats to national security, such as attacks on critical infrastructure. Issues like copyright infringement, which are most certainly not threats to national security, should be dealt with in more appropriate ways.
His second suggestion, which caught my attention, was for the US to focus less of its resources on cybersecurity and more on basic computing research. To many, this may seem like a counterintuitive move, especially if we continue to conflate things like military research with entertainment products. For the entertainment industry, the value of movies and songs is in its ability to control them and sell them to consumers. With military R&D, the value of their work is keeping us two steps ahead of other military organizations. Losing valuable research is a setback, but as long as we still have a good lead, we’re still in good shape. Lawson’s concern is that as we focus more and more on cybersecurity, we’re not doing as much research in the basic computing fields that put us in the lead in the first place. With the job market in cybersecutiry booming, more people getting degrees in computer science are going to move into security, rather than fields that Lawson calls more “progressive.” Even with the best security around, it’s hard to win a race when you’re not moving forward.
Not surprisingly, this reminded me of a similar situation within the videogame industry, the debate over DRM. Since companies like Nintendo and Sega were among the first to attempt to control intellectual property and licensing agreements through technological means, the inclusion of DRM on a game usually goes without saying. Like many aspects of cybersecurity, however, this is often a losing battle. What do you do when the best security money can buy doesn’t stop your game from being pirated?
Why not focus your attention elsewhere?
In contrast to the mainstream videogame industry, many independent developers have taken a stand against DRM. While there are many reasons why indie developers choose not to use DRM (including many ethical and ideological reasons). one of these reasons is simply that time spent adding DRM to the game could be better spent actually working on the game and making it better. While this inevitably leads to piracy, that doesn’t prevent the game from selling. In fact, many developers like Introversion (you may have guessed that I’ve been playing a lot of their games recently) and the other Humble Bundle participants have had amazing success without any DRM at all.
This is certainly not a call to abandon cybersecurity completely. As unlikely as they may be, we should still make sure that we don’t leave ourselves open to potential cyberdoom scenarios. On the other hand, when it comes to trying to use the military to police threats that are clearly not matters of national security, I really think we have better things we could be doing.
1. Testimony of Michael O’Leary on Behalf of the MPAA.
2. Dowling v. United States.
3. The White House, Cyberspace Policy Review.
4. McAfee, Unsecured Economies: Protecting Vital Information.