Three Years Later And The Copyright Office Still Can't Build A Functioning Website For DMCA Agents, But Demands Everyone Re-Register

from the and-pay-up dept

In early 2016, we wrote about an absolutely ridiculous plan by the Copyright Office to — without any basis in the law — strip every site of its registered DMCA agent. In case you’re not aware, one of the conditions to get the DMCA’s Section 512 safe harbors as a platform for user content, is that you need to have a “Designated Agent.” As per 512(c)(2), it says:

Designated agent.—The limitations on liability established in this subsection apply to a service provider only if the service provider has designated an agent to receive notifications of claimed infringement described in paragraph (3), by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information:

(A) the name, address, phone number, and electronic mail address of the agent.

(B) other contact information which the Register of Copyrights may deem appropriate.

The Register of Copyrights shall maintain a current directory of agents available to the public for inspection, including through the Internet, and may require payment of a fee by service providers to cover the costs of maintaining the directory.

Note that this says that the Register of Copyrights shall maintain such a list. However, the Copyright Office decided back around 2016 that there were too many “old” registrations in the database, and decided to literally dump every single registration, despite the law not allowing it to do so. It then instituted a new plan that said — again, without any legal basis — that every site not only needed to register, but it would need to re-register every three years or it would lose the safe harbor protections, which could expose sites to massive liability.

In late 2016, this plan went into effect, and I detailed the incredibly bad computer system that the Office had put in place to handle such registrations, starting with the fact that the password requirements literally violate the federal government’s own rules for passwords. Back in 2016, NIST told government agencies, among other things, to stop requiring random characters, upper and lower case, etc. and to stop expiring passwords with no reason.

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

So we were, well, not surprised back in 2016, that the Copyright Office’s system ignored that rule not to include composition rules, and highlighted how they stupidly said:

Passwords must have at least 12 characters, with at least one lower case letter, upper case letter, number, and special character “!@#$%^&*()”, and must not have any repeated letters, numbers, or special characters.

Not only did this violate NIST’s guidelines, but it actually makes passwords significantly less secure by reducing their randomness.

Anyway, three years have almost passed, and as per the new rules, the Copyright Office is about to kick everyone off again. For no good reason at all. Even better, they sent an email over the Labor Day weekend to alert people that they’re at risk of losing their registrations if they don’t re-register — because it’s not like people miss random, poorly formatted emails that literally come from “donotreply@loc.gov” when going through emails coming back from a long weekend. Thankfully, I also saw Eric Goldman’s blog post about this, though I’m guessing not everyone who owns a website that needs 512 safe harbors protection reads his blog (unfortunately).

Incredibly, it looks like the Copyright Office has done literally nothing to fix the problems of the system. Indeed, it turns out that things are even worse than before. Not only does the system still require “composition rules” that violate NIST’s guidelines, it also expired everyone’s passwords (which also violates the guidelines).

It actually proved significantly more difficult than expected to create a new password. Like everyone in the world should, I use a password manager to generate and store my passwords. But because of the Copyright Office’s dumb rules, none of the passwords my password manager generated would work. I kept getting error message after error message, just telling me the same dumb, pointless, rules over and over again:

Even though it’s literally bad practice to make your own passwords, I even tried to “edit” some of the auto-generated passwords to meet the rules, but it still didn’t work, though I’m not sure why. One thing I discovered: while it says you have to use a “special character,” the list shown in that image is the entire set of allowed special characters. So, passwords using other special characters don’t work, even though the Copyright Office’s system doesn’t bother to explain why it rejected your password. Special characters like “>{]” and such don’t work, even though there’s no reason why they shouldn’t, and most password generators will (smartly!) include them. Oh yeah, also, this one stymied me for a really long time: the ” mark is not allowed in a password, even though it sorta looks like it’s included in that list. But it’s not. It’s just a pointless set of “quote marks” around the allowed symbols. This is not an intuitive system. It is not user friendly. It’s dumb, insecure, and violates NIST’s rules — as it did three years ago when I complained about it.
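An added example, not part of the original article and not the Copyright Office's code: the rule quoted above written out in Python, so that a rejected password comes back with the reason the form never gave, plus an exact count of how much randomness the rule leaves in a 12-character password. It assumes "repeated" means any character used more than once and that only the ten listed specials are accepted; the function names are made up for this example.

```python
import math
import secrets
import string

# Only these ten specials are accepted, per the article; the quote marks
# around the list on the form are not part of the set.
SPECIALS = "!@#$%^&*()"
CLASSES = {
    "lower case letter": string.ascii_lowercase,
    "upper case letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": SPECIALS,
}
ALLOWED = "".join(CLASSES.values())  # 72 symbols in total

def violations(pw):
    """List every part of the quoted rule that pw breaks."""
    found = []
    if len(pw) < 12:
        found.append("fewer than 12 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            found.append("no " + name)
    outside = sorted(set(pw) - set(ALLOWED))
    if outside:
        found.append("characters outside the accepted set: " + "".join(outside))
    # Assumption: "repeated" means any character used more than once.
    if len(set(pw)) != len(pw):
        found.append("repeated character")
    return found

def compliant_count(n=12):
    """Exact count of length-n compliant passwords, by inclusion-exclusion
    over the classes a string fails to use; perm() enforces 'no repeats'."""
    sizes = [len(chars) for chars in CLASSES.values()]
    total = 0
    for mask in range(1 << len(sizes)):
        excluded = [s for i, s in enumerate(sizes) if mask >> i & 1]
        total += (-1) ** len(excluded) * math.perm(len(ALLOWED) - sum(excluded), n)
    return total

def entropy_bits(n=12):
    """Bits for a uniformly random n-char password: under the rule, over the
    same 72 symbols with no rule, and over all 94 printable ASCII symbols."""
    return (math.log2(compliant_count(n)),
            n * math.log2(len(ALLOWED)),
            n * math.log2(94))

def generate(n=12):
    """Rejection-sample a compliant password with a CSPRNG."""
    while True:
        pw = "".join(secrets.choice(ALLOWED) for _ in range(n))
        if not violations(pw):
            return pw
```

Under those assumptions, entropy_bits() comes out at roughly 72, 74 and 79 bits, and a password manager limited to the 72 accepted symbols still needs a few attempts on average before generate() returns a password the rule accepts.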

Then you log in… and the information given to you is sorely lacking. First, at the very top, you get a message saying that the entire website may be offline for three whole days… a month ago. What? What the hell are they doing that they need to take a site offline for three whole days? And if they had to do system upgrades for that long, how the hell have they not made anything actually work right? And, most importantly, if that shutdown happened a month ago, why are they still showing the damn warning message?

From there, you are shown a weird chart with a lot of useless information — but it is not at all clear how you re-register. There is no indication that you need to re-register. There is just your “service provider name,” “registration number,” “status,” “last updated” and the ever useless “Action” box.

It turns out, to re-register, you have to click that little pencil, which the tooltip tells me is to “Edit.” But I’m not “editing” anything. I just want to renew so I still am protected by the DMCA’s safe harbors. It then makes me review everything multiple times, before telling me I need to pay $6, and sending me to a sketchy looking payment site (which I get is not run by the Copyright Office itself, but still).

I was almost afraid to give it my credit card.

Either way, eventually it “worked,” but in the most fucked up of ways. The website itself is then not exactly clear if this renewal adds on to my existing — meaning do I get three more years from the date of my original three year registration in 2016 (which would be December 1), or if it simply starts the clock anew, as of the date I paid. It sure looks like they just started a new three year clock yesterday — meaning they cheated me out of 3 months of coverage because I dared to renew promptly. So by being good and renewing in their stupid system nearly 3 months before I need to, they just chop off 3 months of the “service” they’re providing me? How the fuck is that allowed? If you look at my original listing — even though I’d paid up for 3 full years, they now show it as “inactive” and list the new one as “active.”

And that’s kinda fucked up. The current listing says “Active” for “September 3, 2019 to Present” which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022.

All of this is a complete mess. It’s entirely unnecessary, and as Eric Goldman notes in his piece, when the Copyright Office rolled this out it “promised a smooth renewal process.” This was anything but smooth — and it’s likely that plenty of sites may miss the fact that they have to do this, or get caught up in trying to get the damn system to work. While, thankfully, this hasn’t impacted any sites directly that I’m aware of, it’s only a matter of time until a site that thought it had a successful DMCA agent finds out it no longer does because the Copyright Office decided to change the entire process, and apparently can’t build a freaking website that works or is even up to basic federal website standards.

And, sure, $6 is cheap, but it’s still pretty messed up that the Copyright Office simply lopped off three months of service they owed me because their own system is too poorly implemented to know to add on another three years at the end of my existing “subscription.” It seems like something that shouldn’t happen — and one hopes that someone at the Copyright Office or the Library of Congress figures their shit out before September of 2022. But I have my doubts.


Comments on “Three Years Later And The Copyright Office Still Can't Build A Functioning Website For DMCA Agents, But Demands Everyone Re-Register”

36 Comments
Anonymous Coward says:

Re: The copyright office owes you $0.50

Except for one thing….only Congress can levy taxes either by direct legislation or by explicitly allowing an agency to charge fees.

A rogue agency charging fees for something they are not explicitly allowed does not meet that criteria.

The Copyright Office owes everyone who’s paid these fees a full refund.

Anonymous Coward says:

Re: Re: The copyright office owes you $0.50

The fee authority comes from the last sentence in 512(c)(2) itself:

The Register of Copyrights shall maintain a current directory of agents available to the public for inspection, including through the Internet, and may require payment of a fee by service providers to cover the costs of maintaining the directory.

That One Guy (profile) says:

'Rules must be followed!... for other people, not us.'

Ignored the law not once but twice, ignored basic password guidelines, demand that people pay up on a regular basis on a site terribly designed…

At this point if it was discovered that the entire thing was a prank put together by someone with a sadistic streak it would not surprise me in the least.

Ehud Gavron (profile) says:

What the law says

DMCA says "(2) DESIGNATED AGENT.-…by providing to the Copyright Office, substantially the following information…"

If you provided it prior to 2016 and have not changed it and continue to provide it on your website as per the law, you are in compliance.

The arbitrary decision on the part of the Copyright office to

  • change the process
  • add a fee
  • remove registrations already submitted

is their choice to violate the law requiring them to hold on to the registrations, their choice to collect a fee without Congressional approval, and their choice to willfully cheat you out of your 3 months and make you jump through hoops.

HOWEVER, should you be sued in the interim, the DMCA actual language says you’ve got the safe harbor protections.

Not that it ever helped Yahoo.
Or many many other organizations.

The DMCA’s safe harbor protections AT THEIR BEST were never worth much.

Ehud "DMCA registered agent since 2003 and paid $0" Gavron
Tucson AZ

Rekrul says:

Please enter a password: pyramid

[Error: Password must be at least 10 characters in length]

Please enter a password: mypyramids

[Error: Password must contain at least one upper case letter]

Please enter a password: Mypyramids

[Error: Password must contain at least one number]

Please enter a password: Mypyramids2

[Error: Password must contain at least one non-letter/number character]

Please enter a password: GiveMeAF*ckingBreak!

[Password accepted!]

Rekrul says:

Re: Re: Re:

That’s funny because the error on the website doesn’t actually tell you what you are doing wrong. 🙂

Maybe not that web site, but I’ve actually had this experience on a couple sites that I’ve registered on. It was frustrating because at least one of them didn’t tell me in advance what the requirements for the password were, but each time I entered something, it kept telling me what was wrong with it.

PaulT (profile) says:

"The current listing says "Active" for "September 3, 2019 to Present" which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022."

What the hell… the entire description is bad practice, but you’re expected to re-register on a regular basis and their own site won’t tell you the expiration date? Wow.

I tell you what, my cat threw up when I was leaving the house this morning. I’ll grab the leftovers when I get back home today and post it to the US copyright office. Its web design skills are clearly better than their existing ones…

Anonymous Coward says:

Not that their Web site isn’t amateur hour crap, and not that they should be doing that with the password rules, but SHOULD NOT is a strong recommendation, not a hard requirement. It’s in the nature of "do it this way unless you can name a good reason not to", with nobody but the reader empowered to decide what constitutes a "good reason".

If NIST had intended a hard requirement, NIST would have written "MUST NOT" or "SHALL NOT". That’s a nearly universal standard these days. The site design is stupid, but it’s not "violating" anything.

You wouldn’t go around spouting off about laws without understanding the definitions, and you shouldn’t go around spouting off about technical standards without understanding the definitions either.

And those 2016 NIST recommendations, although totally correct and in accordance with the best current research, also reversed about 30 years of the conventional wisdom on passwords. I know; I was waiting to pounce and start to force some changes at my own workplace when those recommendations came out. People don’t move that fast.

You also don’t understand passwords and should not be writing about them. Adding on a character to a randomly generated password to satisfy a site is completely safe and not "literally a bad practice".

Also, their explanation of what special characters they accept is completely understandable if you’re not looking for something to whine about. And any reasonable password generator lets you control the character set.

Ehud Gavron (profile) says:

Re: Adding on a character

You also don’t understand passwords and should not be writing about them. Adding on a character to a randomly generated password to satisfy a site is completely safe and not "literally a bad practice".

YOU are the one who doesn’t understand cryptography, (not "passwords") and shouldn’t be writing about it (not "them").

There’s nothing which "is completely safe" and yes, it’s bad practice to limit an encryption key length or choice of bit patterns.

You’re not just an anonymous coward, you’re an anonymous know-nothing bad-information-spouting dangerous-if-anyone-paid-attention-to coward.

Thanks for playing; you are awarded no points; may God have mercy on your soul. (Thanks, Adam Sandler).

E

John85851 (profile) says:

Who's to blame?

Do you blame the business analysts for not creating better documentation for the developers to follow?
Do you blame the developers who coded the site?
Do you blame the testers/ QA team for thinking this is acceptable quality?
Do you blame the managers for not pushing the testers and developers for not doing a better job?
Do you blame HR for not hiring better developers who will do a better job?

bob says:

let us help you

Even though it’s literally bad practice to make your own passwords, I even tried to "edit" some of the auto-generated passwords to meet the rules, but it still didn’t work, though I’m not sure why

Mike, why don’t you just put here the different passwords you tried and the one that worked. Then we can help you figure it out, you know, crowd source the effort.

;P

Ehud Gavron (profile) says:

Brian Krebs on passwords

This is a slightly over week-old article where a security expert (a real one) talks about passwords, encryption, choices, company responsibilities, etc.

It’s a good read because the above posts about "whose fault is it" really miss the point. It’s not about assigning blame but about correcting the issues. If all one wants to do is figure out whom to blame, that’s easy. Fixing authentication, encryption, and security is HARD.

https://krebsonsecurity.com/2019/08/forced-password-reset-check-your-assumptions/

Ehud
