Happy New Year! It’s been a while since I posted and there’s been a lot I’ve wanted to discuss (like the recent lawsuit over PCI rules), but what seemed impossible to ignore was SOPA and PIPA. I am particularly proud today to say that I work with Wikipedia on legal and privacy matters. To see the impact of their blackout is really awe-inspiring and a testament to the contribution Wikimedia and collaborative web projects generally make to society. In fact, the nature of the response to SOPA and PIPA even beyond Wikimedia highlights the very power and value of a distributed internet where numerous individuals, organizations (big and small), and communities around the world can both individually and collectively create, distribute, and benefit from content. It is that “decentralized” form of internet that is threatened by these bills.

So here is my voice being added to the chorus to urge lawmakers to consider ways to leverage the internet rather than weaken it by, among other things, removing procedures and other protections to ensure that legal process isn’t abused.  I have called my lawmakers and urge you to do the same.

For a more lengthy description of my views of the value of the internet, you can check out my post from November 2010, which I submitted to the U.S. government on behalf of Mozilla.


Cinco de Mayo

I love these two quotes and how they work well together: one about respecting others and the other about respecting oneself.

“Respect for the rights of others means peace.”

–Benito Juárez,
Mexican politician

“It is better to die on your feet than to live on your knees.”

–Emiliano Zapata,
Mexican revolutionary

A Spring Quote

“Dare to be yourself.”

–André Gide,
French author

A good friend sent me this and it struck me in its powerful simplicity.  So much packed in there!  I thought it was especially apropos during spring when so much new life is blooming and opportunities for growth abound.

Today I had the pleasure of being invited to a roundtable discussion with Victoria Espinel.

Ms. Espinel is the head of IP Enforcement for the White House.  Sounds like a really interesting job:  parsing out the priorities of the US in this space and then implementing those priorities both domestically at places like the PTO and externally in our diplomatic relations with other countries.

I was one of 10 attorneys at the event able to ask any question or provide whatever input I found compelling.  That is a really cool experience for any policy wonk or law geek, especially here in the Valley, where we don’t get to rub elbows with Washington elite every day.

First off, I applaud the fact that Ms. Espinel is out seeking input and providing transparency on the efforts of her office.  I found her quite forthcoming and open, particularly for a government executive.  In response to my introduction stating that I was at Mozilla, she noted the Obama Administration’s public statement from CIO Vivek Kundra in January that IT procurement should be neutral, neither favoring nor disfavoring proprietary or open source software.    The administration clearly felt this was a big step and in the U.S. it frankly  is.  It did strike me though how in the EU (most recently in the UK) open source sometimes fares a bit better than neutrality.   Of course, some of my favorite stories about governments and open source have involved Mozilla products, like when French authorities bought USB sticks to distribute Firefox and Thunderbird to tens of thousands of French students.

As for issues of the open web and IP enforcement, I was personally encouraged to hear Ms. Espinel state that she doesn’t see a conflict between IP enforcement goals and ensuring an open web. However, I was surprised to hear that her office isn’t getting much input that regimes like the DMCA need rebalancing to ensure that hosts and individual creators aren’t unduly disadvantaged. So here’s hoping that those of us here in the Valley do get the chance to keep rubbing elbows with the likes of Ms. Espinel.

As discussed previously on this blog, I enjoy working on issues regarding user-generated content and, on the flip side of that coin, intermediary liability for hosting such content. For any of you like-minded folks out there, Stanford Technology Law Review is hosting a conference on intermediary liability on the web on March 3rd. http://stlr.stanford.edu/symposia/2011-secondary-liability-online/

There will be panels on intermediary liability and copyright, trademark, and privacy. Lots of smart folks will be there to discuss the latest developments on this topic that is so central to maintaining an open and collaborative web.

I’ll be on the copyright panel at my alma mater with my former professor, Paul Goldstein, moderating and former classmates Fred von Lohmann and Anthony Reese as co-panelists (among others)—it should be fun.

The conference is free to attend (but Stanford asks that you register). It would be great to see you there. Come up and introduce yourself…I would love to meet you.

One of the areas I’ve most enjoyed being involved in during my time at Mozilla concerns user-generated content (UGC).  While Mozilla products have always been fueled by the collaboration and participation of individuals worldwide, over the past few years we’ve expanded our role as a platform for UGC.  For example, our Add-ons Marketplace currently has over 12,000 Firefox extensions, almost all of them created by community members.  So far Firefox users have downloaded these extensions over 2 billion times and are actively using more than 139 million add-ons on a daily basis.  Our Personas gallery, which offers designs to customize the chrome of your browser, boasts an incredible 230,000 designs created by artists, developers, and everyday Firefox users.

In April, the U.S. Department of Commerce created an Internet Policy Task Force.  The Task Force recently asked for comments from interested stakeholders in what sorts of policies the government should pursue both domestically and in its relations with other nations with the goal of protecting copyrighted works on the web and supporting innovation on the web.

Based on Mozilla’s experience and our mission to support an open web for everyone, we felt this would be a good opportunity to advocate for the interests of the wide range of artists and developers as well as the content hosts who help them reach an audience and who together help make the web the vibrant ecosystem that it is today.

As with so many things Mozilla, this was a group effort that went beyond those of us who are employees.  So special thanks to Professors Eric Goldman, Anthony Falzone, and Jason Schultz for comments on drafts of the submission.  In particular, thanks to Professor Goldman for his suggestion of looking at threats actions as used in the UK as a model for addressing overbearing cease and desist actions.

The proposed comment is posted below.  If you have thoughts on this topic, please share here or with the Task Force directly.

Submitted by email: copyright-noi-2010@ntia.doc.gov

November 19, 2010

Office of Policy Analysis and Development
U.S. Department of Commerce
1401 Constitution Avenue, NW, Room 4725
Washington, DC 20230

Re: Docket No. 100910448–0448–01, RIN 0660–XA19, Inquiry on Copyright Policy, Creativity, and Innovation in the Internet Economy

Mozilla wishes to thank the Internet Policy Task Force for the opportunity to respond to the above-captioned inquiry.  We applaud the Task Force for its efforts to openly gather feedback from all perspectives as it considers new policy recommendations.

Mozilla’s interest in this inquiry stems from our identity. We are a global community of people working together since 1998 to build a better Internet.  Mozilla and its contributors make technologies for users and developers, including the Firefox web browser used by more than 400 million people worldwide.  As a non-profit organization, we are dedicated to promoting openness, innovation, and opportunity online.  Thus, we care deeply that the Task Force’s efforts to protect copyrighted works on the web not impede the web’s essential open platform or the widespread innovation that results from a vast range of creators.

Whether for pleasure, education, or commerce, the web’s ability to help fuel innovation has derived from its tapestry of contributions, which are the product of people, communities, and organizations around the world creating, modifying, sharing, and hosting content.  In our view, it is imperative that these quintessential qualities of the Internet be preserved without compromising the rights of content producers, whether big or small, and those that host and distribute such content.

We ask the Task Force to promote legal approaches that value and support the full spectrum of content creators as well as the content hosts.  While the NOI calls for comments from “all interested stakeholders—including rights holders, Internet service providers, and consumers,” we believe the stakeholders are broader than that and should explicitly include content creators and hosts.

One of the reasons the web is so valuable is that it leverages a participative and truly global platform resulting in worldwide access to a wealth of content on a scale never before seen.   Two critical elements of this ecosystem are the vast array of content creators and the web platforms that host their content.   The community created, open source, and free online encyclopedia Wikipedia illustrates the power of open and collaborative energy of individual contributors supported by a neutral hosting platform.

We believe innovation on the web will be supported by promoting legal frameworks that:

*Support content creators by valuing all legal forms of content creation and distribution, regardless of the size or financial resources of the creator;

*Better protect content hosts by harmonizing global responsibilities under   frameworks like the DMCA;

*Expand immunity and safe harbor frameworks to other causes of action to avoid chilling effects upon content distribution.

1. Support All Legitimate Content Creators

Given the lower costs of content creation and access to users made possible by the web, millions of musicians, authors, artists, and developers can create awesome content and more easily reach large audiences and/or commercialize their works.  But this new path toward innovation and market creation is at risk due to an imbalanced and fragmented legal system that favors large-scale rights holders and burdens content hosts.

Mozilla has received numerous threats of legal action and take-down requests for content hosted on our Add-ons Marketplace, which hosts over 12,000 browser extensions and our Personas gallery, which offers over 230,000 different designs created by individuals, political and non-profit organizations, and large, traditional “rights holders.”  We have found the current legal structure makes it easy to stifle potentially valid legal works by the ease of issuing overly broad take-down notices, combined with the significant difficulties of any effective response.

Currently, under the DMCA, filing a take-down request requires only a “good faith belief” that the use is not authorized. In contrast, those asking for their work to be reinstated must assert “under penalty of perjury” a good faith belief that the material was removed due to mistake or misidentification AND must agree to personal jurisdiction in U.S. courts (i.e., they can be sued and judgments enforced on them in US courts even if they don’t live here or have dealings here). The imbalance between these two standards is immense. It has the effect of making take-down notices extremely easy to issue but difficult to combat, even for content that is legitimate. Additionally, the consequences for those who issue overreaching take-down requests are limited and hard to enforce.

At Mozilla, we have received a number of copyright- and trademark-based take-down requests (targeted to approximately 650 individual pieces of content). But not once have we received a put-back request, even in instances where the take-down request seemed on its face a mistake and the content creator disagreed with the take down. For example, we recently received a take-down notice from a large Hollywood studio with a list of 170 URLs to different personas it wanted taken down for allegedly infringing its trademarks to television shows, including a persona of a local soccer team. The persona’s title included the coach’s last name, which happens to be the same as the title of one of the TV shows trademarked by the rights holder. While the creator contacted us about the apparent overreach since the design had nothing to do with the TV show, he didn’t opt to submit a put-back request, so the content remains blocked from appearing on our sites. These kinds of experiences suggest that the disparate impact of the DMCA process on the “rights holders” and the accused has a chilling effect on the creation and availability of content.

The web would also benefit by legal mechanisms to discourage overreaching take-down notices, including those that target the fair use of copyrighted materials.  Fair use of copyrights is an important check on the monopoly rights granted to copyright holders.  Some potential approaches include providing that any take-down recipient who defends her/his conduct successfully receive the presumption of a fee award and allowing a put-back request based on an assertion of a good faith belief of fair use.  Another possibility is to explore legal tools in use in other jurisdictions such as “threats actions” currently used in the United Kingdom to quickly and efficiently address improper cease-and-desist demands related to registered intellectual property rights, such as registered trademarks.

Given the frequent imbalance of resources between those asserting rights and individual artists, these kinds of changes could help individual artists and other newcomers striving to bring their legitimate works to a market but reluctant to take on a costly litigation against a large, well-funded corporation. Thus, the current framework unintentionally places the new generation of independent and small producers at a disadvantage. This threatens the continued explosion of content creation, which is exactly what copyright policy is designed to promote.

2. Harmonize Legal Frameworks relating to Content Hosts

Under the Berne Convention, copyrights are nearly global.  But the laws related to liability for those hosting copyrightable works whether in copyright or other content-related areas like defamation, privacy, trademark, or right of publicity can be varied and complex.  Clear, harmonized rules would encourage the hosting and distribution of content and other works by simplifying the legal landscape (and hence the attendant risk and/or cost of legal counsel).   For example, a consistent standard between nations as to what constitutes a proper take-down request for copyrighted or trademarked material would reduce uncertainty and inefficiencies in the marketplace.

3. Expand Immunity and Safe Harbor Rules for Hosts

Current protective legal frameworks in place for content hosts, including both immunity (as provided under the Communications Decency Act Section 230) and safe-harbor provisions (such as the notice and take down regime under the DMCA), should be strengthened and expanded.

Ex Ante Review is Inefficient. It is massively inefficient to require organizations that host content to review all submitted content in advance and attempt to make legal determinations across the range of potential liability that exists worldwide.  Such reviews lead to varying standards and a false sense of propriety because it is virtually impossible for hosts to determine the legality of each piece of content under every legal standard worldwide before it is posted.  Legal determinations under areas of law like copyright, defamation, and privacy are very fact specific and intensive.  When an ex ante review process is required before content can be posted, the requisite fact-finding process and worldwide legal resources introduce inefficiencies that stifle content creation and distribution.

For example, whether or not content is defamatory is a contextual and content-specific inquiry (not to mention subject to standards that vary significantly depending on which jurisdictions’ rules govern).  Confirming the existence of permissions or consent likewise requires an administratively burdensome process that would be ineffective, costly, and inefficient at the scale required for the web if it must be conducted on each and every piece of content before it is hosted.

In sum, providing a worldwide legal clearinghouse for all content prior to hosting is a monumental and expensive burden.  By contrast, when an affected individual or entity feels its rights have been violated, it can identify the specific content and specific claim for the host to respond.

In essence, rights holders and affected entities are best situated to police their rights within the applicable legal frameworks.  For instance, Mozilla has found with several large rights holders that upon careful consideration they have decided not to issue take-down requests because they realize that their rights are strengthened and market increased as a result of content creators modifying and distributing art works incorporating their logos or artwork.

Immunity and Safe Harbors Inconsistently Available. While both Europe’s e-Commerce Directive and the U.S.’s CDA Section 230 and DMCA provide protections (through either immunity or safe harbor procedures) for content hosts, the last few years have seen examples of intermediaries exposed to potential liability for content on their sites.  (Scott P. v. Craigslist, Inc.,[1] Barnes v. Yahoo!, Inc.,[2] Google Italian privacy case[3]).  If immunity and safe harbors are not consistently applied across jurisdictions and claim types, the burdens and inefficiencies discussed above weigh down the web marketplace and the ability of artists and developers to reach markets.

At Mozilla, we have received trademark-related take-down demands related to user-created Personas in which the trademark holder demands Mozilla pay $1 million plus $2,000 per download in addition to the take-down remedy. And these millions of dollars are what the mark holder demanded Mozilla pay solely for its role as a host of the user-generated content. Mozilla asks the Task Force to consider means to harmonize (between states’ and federal law as well as between nations) and strengthen immunity so entities can be legally compliant and make content available without facing unreasonable legal liability.

We submit these recommendations to the Task Force on the belief they will help keep the web open for innovation, creativity, and commerce for all users.

Respectfully Submitted,


/s/ Julie Martin
Julie Martin, Associate General Counsel
650 Castro St., Suite 300
Mountain View, CA 94041

[1] Scott P. v. Craigslist, Inc., CGC-10-496687 (Cal. Superior Ct., filed Feb. 5, 2010).

[2] Barnes v. Yahoo!, Inc., 2009 WL 1232367 (9th Cir. May 7, 2009).

[3] “Larger Threat Is Seen in Google Case,” Rachel Donadio, New York Times, Feb. 25, 2010, page A1; available at http://www.nytimes.com/2010/02/25/technology/companies/25google.html.

As we continue to focus on privacy initiatives here at Mozilla, we have repeatedly come up against vendor form contracts that don’t protect our users’ data the way we think they should. The need to negotiate these terms from scratch in nearly every such deal was also a topic of discussion at a recent IAPP conference I attended. Tech trans specialists (i.e., attorneys that negotiate technology and IP agreements), both in house and at law firms, shared their frustration with the fact that few providers seem to have such terms but virtually all customers require them these days. So both customers and vendors were spending many cycles negotiating these terms for each contract.

Hoping to avoid drafting these terms from scratch for each relationship, we (with some help from outside counsel) created a contract addendum.  We wanted to share these publicly so other organizations and individuals can use them as they see fit and hopefully contribute to the addendum’s evolution over time.  So feel free to use and share these terms, but we hope you will share back your improvements so everyone can benefit.  If you want to be anonymous in your contributions, you can email improvements to me directly at jmartin at mozilla dot com.

We also welcome you to share your experiences and insights in negotiating terms with or on behalf of service providers that receive customers’ customers’ data.

I am attaching our addendum for Safe Harbor-compliant vendors and our guidelines that we provide to vendors to explain in “plain English” what we seek.  We are also happy to share our non-Safe Harbor-compliant addendum if there is interest.

Here is the basic addendum for vendors that are Safe Harbor compliant:


Protection of Mozilla Data

1.     Conflict. Notwithstanding anything to the contrary in the Agreement or elsewhere:  (a) in the event of a conflict between the terms of this Addendum including the Annex (this “Addendum”), on the one hand, and the terms of the Agreement on the other hand, the terms of this Addendum will govern; and (b) no limitation of liability or disclaimer shall apply to this Addendum.    Provider shall ensure that Provider Affiliates and any third parties assisting Provider Affiliates in providing the Services hereunder are contractually required to agree to terms in favor of Mozilla no less restrictive than the terms contained in this Addendum.  To the extent Provider uses third parties to perform the Services hereunder (“Provider Affiliates”), Provider shall be fully liable for all acts and omissions by Provider Affiliates.

2.     General. Provider acknowledges that as a result of this Agreement, Provider may obtain information relating to or potentially relating to individuals, including without limitation individuals who are users of Mozilla’s software and websites and employees and contractors of Mozilla and its subsidiaries (such information collectively referred to as “Mozilla Data”). Provider represents and warrants that Provider shall not and shall cause Provider Affiliates not to
a.  collect, use or disclose Mozilla Data for any purpose, except as expressly permitted under this Agreement or by Mozilla in writing;
b.  correlate or aggregate any Mozilla Data with any other data obtained through other products, services, web properties or from third parties;
c.  provide Mozilla Data to any third parties without Company’s explicit prior written consent.

Provider represents and warrants that Provider and Provider Affiliates shall adhere to the most current version of any applicable Mozilla privacy policies, including without limitation those located at http://www.mozilla.com/en-US/privacy-policy, http://www.mozilla.com/en-US/legal/privacy/firefox-en.html and http://www.mozilla.com/en-US/legal/privacy/firefox/mobile/ and shall not take any actions that will cause Mozilla to violate such privacy policies.

3.     Data Protection Requirements. Provider represents and warrants that the Services, and Provider and Provider Affiliates’ performance of the Services, will at all times during the term of this Agreement, comply with: (a) the highest industry data security standards; (b) all applicable federal, state, local and international privacy, data protection, and security laws, rules and regulations, including without limitation, laws relating to the collection, use, reuse, processing, storage, security, protection, handling, cross-border transfer and disclosure of Mozilla Data, including without limitation Data Protection Directive (Directive 95/46/EC), the Directives on Privacy and Electronic Communications (Directive 2002/58/EC and Directive 2009/136), Canada’s Personal Information Protection and Electronic Documents Act and applicable provincial privacy legislation, New Zealand’s Privacy Act 1993, and with any other applicable national legislation relating to data protection and privacy (all such laws, rules and regulations collectively, “Data Protection Requirements”); (c) the provisions of this Agreement, including the Annex. Provider represents and warrants that at all times during the term of this Agreement and for so long as Provider has any Mozilla Data it shall remain in compliance with and certified as compliant with the US Department of Commerce’s Safe Harbor principles and requirements. Provider shall not and shall not permit Provider Affiliates to perform any act that will cause Mozilla to be in breach of its obligations under the Data Protection Requirements. Provider shall defend, indemnify and hold harmless Mozilla from and against all losses, damages, claims, judgments, expenses and liabilities (including without limitation attorneys’ fees) related to a claim of breach of this Addendum.

4.     Data Safeguards. Provider shall and shall cause each Provider Affiliate to, establish and maintain administrative, technical and physical safeguards (including without limitation software safeguards) in accordance with the highest industry standards and all Data Protection Requirements to ensure the security and confidentiality of Mozilla Data and other records and information of Mozilla, and to protect and safeguard against threats or hazards to the integrity of, and the unlawful, intentional, unauthorized or accidental destruction, loss, alteration, theft, misappropriation, disclosure or use of Mozilla Data and other Mozilla records and information that are in the possession or control of Provider or Provider’s affiliates, including without limitation where the processing involves the transmission of data over a network (the “Data Safeguards”).  Provider shall revise and maintain the Data Safeguards in accordance with all applicable laws and prevailing industry best practices.

5.     Information Security Breach and Remedial Actions. Without limiting any other provision of this Agreement, if (x) Provider or any Provider Affiliate deliberately or inadvertently collects, uses, or discloses Mozilla Data in breach of the Data Protection Requirements or this Agreement or (y) Mozilla, Provider, or a Provider Affiliate discovers, is notified of, or has reasonable awareness that an unauthorized access, acquisition, theft, disclosure or use of Mozilla Data has occurred or is likely to occur (each such event in (x) and (y), an “Information Security Breach”), Provider shall immediately notify Mozilla of such Information Security Breach. Furthermore, at Mozilla’s option, Provider shall: (a) investigate, remediate, and mitigate the effects of the Information Security Breach; and (b) provide Mozilla with assurances satisfactory to Mozilla that such Information Security Breach will not recur. Additionally, if any Information Security Breach or other unauthorized access, acquisition or disclosure of Mozilla Data occurs or is likely to have occurred and (i) applicable laws (including without limitation Data Protection Requirements) require, in Mozilla’s sole discretion, notification of public authorities, agencies or individuals whose data were so affected or other remedial actions or (ii) Mozilla determines in its sole discretion that Mozilla remedial measures (including without limitation notice, credit monitoring services or the establishment of a call center to respond to Mozilla inquiries), are warranted (collectively, the “Remedial Actions”), Provider will at Mozilla’s request undertake such Remedial Actions. All Remedial Actions and notifications shall be at Provider’s expense. Provider shall maintain an inventory of Mozilla Data breaches, including without limitation the facts surrounding the breach, its effects, the remedial action taken and the names, addresses and state of residence of all impacted individuals.

6.     Post Termination Activity. Upon expiration or termination of this Agreement for any reason, or upon request by Mozilla, Provider shall (and shall cause each Provider Affiliate to) immediately:  (a) stop processing Mozilla Data; and (b) destroy Mozilla Data in accordance with Mozilla’s written instructions unless Mozilla requests that Provider return all Mozilla Data to Mozilla, in which case Provider shall return all Mozilla Data to Mozilla within 15 days of termination or expiration of the Agreement.

7.     Interest in Mozilla Data. Provider acknowledges that Mozilla owns all right, title, and interest in and to Mozilla Data.  Mozilla reserves all rights not granted to Provider under this Agreement.

And here is our plain English set of guidelines that we try to provide to vendors upfront:

Mozilla’s Deal Requirements

Mozilla looks for vendors who are willing to work with us to ensure our data* is protected and kept confidential.   Specifically, we ask our vendors to commit to the following and want to ensure before moving to a contract discussion that you are willing to work with Mozilla on these points.  The actual agreement terms will go into more detail.

You should know that Safe Harbor compliant vendors receive fast track status in our contract review process.  If you are not, we need to pass on to you the Model Clauses that the EU has put out to ensure that people’s data is treated right.

-You’ll only use our data to provide the services and won’t disclose or collect it for any other purpose and you won’t correlate or aggregate it with any other data;

-You’ll comply with our privacy policies.

-You’ll agree to comply with all privacy laws that apply to us, including the EU laws around data and security.

-You’ll use industry best practices to secure our data.

-If there is a breach of our data, you will stand behind that and undertake remedial actions to correct the problem and notify and make whole all those affected.

-When our agreement ends, you will stop using and will destroy our data.

-We own all our data.

-If you break one of the promises above, you will stand behind that and compensate Mozilla and those affected without expecting Mozilla to pick up all or some of the tab.

If your company can provide these assurances, we’d like to talk to you more about working together.

*When we say “our data” we mean whatever data you are exposed to as part of our relationship, like Mozilla’s, its users’ and its employees’ data, depending on what services you provide.