Every Website Needs To Re-register With The Copyright Office, Who Can't Build A Functioning System

from the are-you-serious? dept

As we mentioned last month, the Copyright Office -- despite being warned this was a bad idea -- has decided to implement a brand new system for websites to register DMCA agents, and has done so in a way that will undoubtedly fuck over many websites. It's already ridiculous enough that in order to be fully protected under the DMCA's safe harbor rules (that say you're not liable if someone posts infringing material to your website), you need to register a designated "DMCA agent" with the Copyright Office. The idea behind this is that by registering an agent, copyright holders will be able to look up who to send a takedown notice to. And, sure, that makes sense, but remember that this is the same Copyright Office that supports not requiring copyright holders to register their works, meaning that there may not be any legitimate way to contact copyright holders back.

The reason for the new system is that the old system was just ridiculous -- on that everyone can agree. You had to fill out a paper form, sign it, and send it in. The Copyright Office has been way behind on digitizing everything, so moving to a web-based system is a good thing. Also, the old system required payment of over $100, while the new one is just $6. That's all good. The problem is twofold: first, the Copyright Office has said that it is throwing out all the old registrations, and if you want to retain your safe harbors, you need to re-register. There's a grace period through the end of next year, but plenty of sites who don't follow the Copyright Office's every move are going to miss this, and will no longer have an officially registered agent with the Copyright Office (it's possible that, should this issue go to court, a platform could reasonably argue that it still did meet the statutory requirements in the original registration, but why force site owners through that hoop in the first place?). The second problem is that this new system will toss out records every three years, so if you forget to renew, you once again can lose your legal safe harbors. This puts tons of websites at serious risk, removing key protections and opening them up to lawsuits from copyright trolls.

Either way, the Copyright Office opened the doors on the new system yesterday, and so I went ahead and re-registered Techdirt. And, let's just say, the Copyright Office has a reputation for being technically clueless, and boy, does it live up to that reputation with its new system -- though, to be fair, as the Copyright Office's General Counsel reminded me on Twitter, it's actually the Library of Congress that built the system. First off, to register a new agent, you need to first register with the Copyright Office's system. As Eric Goldman points out, the system is not designed for individuals or sole proprietorships, even though those people should be able to get DMCA safe harbor protections as well. Specifically, to register, it requires an organization name and a "second contact" name and information. I'm not sure what individuals should do, other than maybe make something up -- though, before you even get started, the system pops up a warning suggesting that you may face criminal charges under the CFAA if you do anything wrong (while it means if you try to hack the system, the wording may confuse many people not familiar with the law). Nice touch.

Oh, and then there's the password system. Like many people, I use a password manager, which also will generate strong passwords for you. I went through the process of filling out my info, and generated a strong password... and I got back an error message. It seems that the Copyright Office has taken what used to be considered best practices, and then taken them to an insane extreme:

First of all, the US government, in the form of NIST, recently released new guidelines for password policies for any US government websites. And the Copyright Office ignores them, because whoever designed the new DMCA system seems to not give a shit and not be even remotely aware of good security practices these days. Here's what the new rules say:

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

So, yeah, nice job Copyright Office for ignoring what you're supposed to do. Second, even if those rules did make sense, by lumping together all of them, and then adding the absolutely ridiculous and bad security practice of saying "must not have any repeated letters, numbers, or special characters," you actually reduce randomness and make passwords less secure. This is just bad security.

To deal with this rule, I generated a much longer password, and then manually went through and removed any repeated letters, numbers or special characters, and made sure that all of the other rules were met. They were. I hit submit. The system rejected it, and gave me the exact same error message. I tried again. Same problem. I kept trying things for about 20 minutes until I figured out what the problem was. You see above, where it says "and special character "!@#$%^&*()""? Well, in my first attempt at a password I had two special characters: ? and >. I incorrectly assumed that when they say "special character" they mean any special character on the keyboard, and not just those limited to the ones above the number line on your keyboard. Once I realized that might be the issue, I still had a problem. And that's because my new password had " as a special character. I incorrectly assumed that was okay because it's in that list above, right? Except, no, it's not. It's just put around those symbols for no reason at all except to fool people. It would be nice if the error message actually told you that you could only use those characters and that the " wasn't included. Would have saved me a lot of time.
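The checker below is an added example, not the Copyright Office's or the Library of Congress's code. It applies the rule as quoted on this page and names the characters it rejects, which is the feedback the error message lacked; reading "repeated" as "the same character anywhere in the password" is an assumption, and the sample passwords are constructed.

```python
import string

# The rule as quoted on this page: at least 12 characters; at least one lower
# case letter, upper case letter, number and special character from !@#$%^&*();
# no repeated letters, numbers or special characters.
MIN_LENGTH = 12
SPECIALS = "!@#$%^&*()"  # the quotation marks around the list are not part of it
CLASSES = (
    ("lower case letter", string.ascii_lowercase),
    ("upper case letter", string.ascii_uppercase),
    ("number", string.digits),
    ("special character from " + SPECIALS, SPECIALS),
)
ALLOWED = set("".join(members for _, members in CLASSES))


def show(chars):
    """Render characters unambiguously, e.g. '>' '?'."""
    return " ".join(repr(c) for c in chars)


def rejection_reasons(password):
    """Return every reason the password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"too short: {len(password)} characters, need at least {MIN_LENGTH}")

    # Name the characters outside the accepted set instead of a generic error.
    outside = sorted(set(password) - ALLOWED)
    if outside:
        reasons.append("not accepted: " + show(outside)
                       + "; only letters, digits and " + SPECIALS + " are")

    for label, members in CLASSES:
        if not any(c in members for c in password):
            reasons.append("needs at least one " + label)

    # Assumption: "repeated" means the same character occurring twice anywhere.
    repeated = sorted({c for c in password if password.count(c) > 1})
    if repeated:
        reasons.append("repeated: " + show(repeated))
    return reasons


# Constructed sample passwords mirroring the failures described above.
SAMPLES = (
    "kT7?vQ2>mXp9Lw",   # specials from outside the accepted list
    'kT7"vQ2!mXp9Lw',   # a quotation mark, which only delimits the list
    "kT7!vQ2#mXp9Lk",   # 'k' appears twice
    "kT7!vQ2#mXp9Lw",   # satisfies every rule
)

if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw, "->", rejection_reasons(pw) or "accepted")
```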

Once I finally finished that, the system sent me a confirmation/validation email (good), which I used to confirm my email and log into the system... only to discover that everything I had just done... was not actually registering a DMCA agent. It was just to register your account to use the Copyright Office's DMCA system. So I had to then go and fill out another form to register our DMCA agent (and I won't even get into the fact that once you've activated your account, the message telling you to "click here" to login to designate an agent makes it so that it's not at all clear where to actually click -- great design guys!).

Finally, once I'm all registered, and despite the fact that I'm very clearly registered in the United States, the system says I'm in Canada. Because, apparently, the genius IT staff thinks that the "CA", which everywhere else means California, means Canada in their own system. Because whatever, nothing matters.

So, yes, I eventually paid my $6 and got registered, but lots of people won't and lots of sites are now going to expose themselves to bogus lawsuits. And for those who do get through this process, you may end up in Canada. So anyway, off we go to this new era, in which websites are much more at risk of losing their safe harbor protections, and to make it more fun, the system you need to use to register yourself is buggy as hell with a bunch of bad design practices. It's almost as if they want websites to lose their safe harbors. Considering that the key role of the Copyright Office is to register stuff (the boss of the office is literally called "The Register"), it seems fairly ridiculous that they make it so difficult to register DMCA agents, and then force renewal every three years (while at the same time insisting that any renewal requirement for copyright holders would go against the natural order of things and bring famine and pestilence upon the land).

Reader Comments



  • icon
    aerinai (profile), 2 Dec 2016 @ 10:19am

    Same Rules Apply...

    So I have to register every 3 years for safe harbor protections... let's do the same thing for copyright!

    ... just saying...


    • icon
      DannyB (profile), 2 Dec 2016 @ 11:06am

      Re: Same Rules Apply...

      Yes. That. It reminds me of some saying about the goose and the gander having compatible ports without need of a special adapter, or something like that.


    • icon
      Roger Strong (profile), 2 Dec 2016 @ 11:47am

      Re: Same Rules Apply...

      The major publishers might actually love this idea. They have the money and the staff for continual re-registering.

      For them, the internet is a disaster because it levels the playing field. Anyone can publish. So for example they periodically push for mandatory DRM schemes like SDMI to keep out small players who can't afford the licencing and technical costs.

      Disney is known for vacuuming up off-copyright works from the Brothers Grimm to Japanese animation, republishing it as "their own" creations, AND THEN fiercely protecting them with copyright. It might work in their favor to hand the small players the hassle and cost of continual copyright re-registering.


  • identicon
    Anonymous Coward, 2 Dec 2016 @ 10:52am

    Here is an idea...

    "And, let's just say, the Copyright Office has a reputation for being technically clueless, and boy, does it live up to that reputation with its new system -- though, to be fair, as the Copyright Office's General Counsel reminded me on Twitter, it's actually the Library of Congress that built the system."

    How about you guys get the FCC to do it for ya? I mean they are doing a bang up job right now! Go for it! Wait... they might get the axe soon! whooops!

    Boy unconstitutional and unnecessary regulation is so fucking awesome, is it not?


    • icon
      Nate (profile), 2 Dec 2016 @ 11:25am

      Re: Here is an idea...

      I don't see the problem with that; the FCC website is quite usable.


      • identicon
        Anonymous Coward, 2 Dec 2016 @ 12:21pm

        Re: Re: Here is an idea...

        Usability is not really the problem, even if we can make all government websites usable by even the dumbest of assclowns, the problem is that they still do very little about things to actually resolve problems.

        Like the robo call bullshit they have yet to do much about, the Copyright Office does little about copyright issues. And in the case here, the Copyright Office just trashed everyone's past registrations only to force them to do them again.

        I am bitching about how effective these bullshit agencies have been in the grand scheme of things.


    • icon
      Vidiot (profile), 2 Dec 2016 @ 1:42pm

      Re: Here is an idea...

      Mandate from the new administration: No more oppressive Federal oversight... pass control to the states. How about 50 separate DMCA re-registrations? One or two have to be better-executed than the Federal version.



  • icon
    DannyB (profile), 2 Dec 2016 @ 11:04am

    Password Requirements

    Password must have at least 12 characters, with at least one lower case letter, upper case letter, number, and special character "!@#$%^&*()", and must not have any repeated letters, numbers, or special characters.

    Why no repeated characters?

    Disallowing repeated characters actually diminishes the universe of allowable passwords. Isn't the idea of the requirements of special character, number and upper/lower case to force passwords into a larger space so that they don't all fall into the small space of lower case only words from the dictionary?

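The counting argument in the comment above, worked through as an added example that is not part of the original thread: it counts 12-character passwords under the quoted rule by inclusion-exclusion over the four character classes, for both readings of "no repeated characters". The 94-character printable-ASCII baseline is an assumption about what a password manager would otherwise draw from.

```python
from itertools import combinations
from math import log2, perm

# Classes in the rule quoted above: 26 lower, 26 upper, 10 digits, 10 specials.
CLASS_SIZES = (26, 26, 10, 10)
PRINTABLE_ASCII = 94  # assumption: baseline alphabet of a password generator


def any_string(m, n):
    """Strings of length n over m symbols, no repeat rule."""
    return m ** n


def no_adjacent_repeat(m, n):
    """Strings of length n over m symbols with no two neighbours equal."""
    return m * (m - 1) ** (n - 1)


def no_repeat_anywhere(m, n):
    """Strings of length n over m symbols with every character distinct."""
    return perm(m, n)  # math.perm returns 0 when n > m


def count_with_all_classes(n, sizes, words):
    """Count length-n passwords that use every class at least once.

    Inclusion-exclusion over the classes left out; words(m, n) counts the
    strings over an m-symbol alphabet under the repeat rule being examined.
    """
    total = 0
    for k in range(len(sizes) + 1):
        for left_out in combinations(sizes, k):
            m = sum(sizes) - sum(left_out)
            total += (-1) ** k * words(m, n)
    return total


def policy_bits(n=12):
    """log2 of the number of acceptable passwords of length n, per policy."""
    alphabet = sum(CLASS_SIZES)
    return {
        "any printable ASCII": log2(any_string(PRINTABLE_ASCII, n)),
        "72 characters, no rules": log2(any_string(alphabet, n)),
        "all four classes required": log2(
            count_with_all_classes(n, CLASS_SIZES, any_string)),
        "plus no adjacent repeats": log2(
            count_with_all_classes(n, CLASS_SIZES, no_adjacent_repeat)),
        "plus no repeats anywhere": log2(
            count_with_all_classes(n, CLASS_SIZES, no_repeat_anywhere)),
    }


if __name__ == "__main__":
    for label, bits in policy_bits().items():
        print(f"{label:28s} {bits:6.2f} bits")
```

The figures describe the space a uniformly random generator can draw from, so they apply to password-manager output rather than to human-chosen passwords.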

    • icon
      Ninja (profile), 2 Dec 2016 @ 11:05am

      Re: Password Requirements

      Because they are incompetent?


      • identicon
        Anonymous Coward, 2 Dec 2016 @ 11:11am

        Re: Re: Password Requirements

        By now, it should be considered willful criminal negligence.

        Actual entropy in cryptography has a well established history of research, yet like most other types of science we prefer the pseudoscience side of things and go for straight fucking theater!


      • icon
        DannyB (profile), 2 Dec 2016 @ 12:51pm

        Re: Re: Password Requirements

        Probably everyone has seen the joke memo that introduces company wide password requirements. Then adds more and more restrictions. Then goes over the top until it starts reducing the number of possible passwords. Finally only one possible password exists. Everyone is to start using this secure password at once. Managers will distribute it to their direct reports.


    • identicon
      Anonymous Coward, 2 Dec 2016 @ 11:14am

      Re: Password Requirements

      I recently went on an email-writing campaign for a number of sites I use, some financial related. I sent some emails to their security departments pointing out how their password policies increased security risk, and thus legal culpability of the site in question. I explained the logic behind each of the restrictions they had in place, and then explained how their combination of rules mathematically cancelled out any perceived benefit they may have acquired by enforcing them.

      Amazingly, within two months, some of these sites actually changed their policies to increase security.

      My next step is to send out reminders CCd to webmaster, legal and info -- I figure that way, with four different potential departments involved, someone will recognize the liability they are taking on with this style of password restriction, and Changes Will Be Made on the other sites.

      I encourage others to do the same thing; linking to the new NIST guidelines would be an added bonus.


      • identicon
        Anonymous Coward, 3 Dec 2016 @ 3:11am

        Re: Re: Password Requirements

        I mailed my credit union asking them to implement two factor authentication.

        My request made it to the head of IT security where I was informed they already implement two factor authentication by requiring a username, password and security questions.

        The whole idea of using two of the three factors, something you have, something you are or something you know is beyond their comprehension.


        • identicon
          Anonymous Coward, 3 Dec 2016 @ 5:44pm

          Re: Re: Re: Password Requirements

          Using additional factors that are non-volatile (like birthday, or name of first dog) is extremely bad security. If ever the cache of valid answers is compromised then the poor client can never change any of those facts. Their identity is potentially ruined forever. Yet a myriad of web sites insist on gleaning such data in the name of "security". The whole world has suddenly become so dumb ... I suspect some insidious undetected zika-like virus has been at work.


  • icon
    Ninja (profile), 2 Dec 2016 @ 11:05am

    "It's almost as if they want websites to lose their safe harbors."


    *puts on tinfoil hat*

    I wouldn't be surprised.


    • icon
      DannyB (profile), 2 Dec 2016 @ 12:53pm

      Re:

      The best way to get rid of a bad law is to enforce it.

      Just wait until this bites the right hands who can fight it.

      In an effort to make a bad law worse, Hollywood may just well be instrumental in getting it overturned.


    • identicon
      SpaceLifeForm, 2 Dec 2016 @ 1:05pm

      Need definition of website

      Is the LOC paying attention?

      This is all a ploy to get bad law codified by SCOTUS. To set precedent.

      First to get sued should contact EFF.


    • icon
      PaulT (profile), 6 Dec 2016 @ 1:10am

      Re:

      I'd say it's actually quite likely. It's well documented how close they are to the **AAs of the country, and it's well documented how much those people *hate* having to go after the people actually infringing rather than the nearest available scapegoat.

      This will backfire, in that sense, as all it will do is make the smaller sites shut down easier and faster, while consolidating more successful services with the likes of Google who have the resources to fight them. But, they've never been particularly good at doing things correctly.


  • icon
    aethercowboy (profile), 2 Dec 2016 @ 11:07am

    I'm just saying, this is total BS. There's no reason why they have to charge (even if it's just $6) for this. I'm fully capable of listing the appropriate DMCA agent on my website, which, presumably, people wanting to make a DMCA claim against, are visiting.


    • identicon
      Anonymous Coward, 2 Dec 2016 @ 11:17am

      Re:

      This makes perfect sense; the alternative would be to use the Whois DB for this purpose. I guess the reason they don't do this is that some sites put fraudulent contact info in both places. But that, I would think, would just result in DMCA compliance failure, with no cost to the copyright office.


  • identicon
    Anonymous Coward, 2 Dec 2016 @ 11:10am

    As Eric Goldman points out, the system is not designed for individuals or sole proprietorships,

    That's a feature, the legacy industry does not want to compete with self publishing creators, and creating extra legal risks is a tool to push them back into the arms of the gatekeepers.

    /conspiracy, maybe


  • icon
    Roger Strong (profile), 2 Dec 2016 @ 11:17am

    A New Reputation Management Fraud Vector?

    Does the site do anything to confirm that you really are the "DMCA agent" for the site being registered?

    Or could a typical "Reputation Management" fraudster register a sock puppet as the DMCA agent if the real site owner is unable to, and use that to remove safe harbor protections? Even if the real site owner DOES register, could the fraudster then register the forum subdomain or individual pages? How does it handle a SECOND person trying to register a given site, fraudster or real owner?

    You might want to test this. (I'm not in the US.)


    • identicon
      Anonymous Coward, 2 Dec 2016 @ 11:23am

      Re: A New Reputation Management Fraud Vector?

      "(I'm not in the US.)"
      It's okay, apparently Mike isn't, either!


    • identicon
      Anonymous Coward, 2 Dec 2016 @ 12:04pm

      Re: A New Reputation Management Fraud Vector?

      You might want to test this.

      One might want to test this, but given how poorly done the site is, I wouldn't put it past their IT department to consider that kind of exploitation to be "hacking" and start pushing CFAA charges.


  • identicon
    Anonymous Coward, 2 Dec 2016 @ 12:38pm

    In fairness to their web designers

    That awful experience actually seems pretty typical over the last couple of years. I've dealt with websites from a number of different companies where I was left with the impression that they had specific line items in their requirements document that the site should be unpleasant to use. Among the brokenness I've seen recently:

    1. Catastrophic failure if Javascript does not load, whether due to NoScript, Policeman, RequestPolicy, or just plain unreliable servers. Such pages often are missing most or all of their content, contain no explanation of what went wrong, and some of the time aren't even reload-safe, so just refreshing the page to try again causes problems. For extra fun, some sites rely on an unreliable third party server, which relies on another third party server, and then assume that all the Javascript and CSS from both of those other domains loaded quickly and correctly. If it doesn't, then splat, the page is broken with no explanation why.
      • I even encountered one site where reloading the page would be misinterpreted as a request to log out, whether you reloaded because the page failed to come up properly the first time or just because you bumped the browser's reload button.
    2. Weird redirect paths, like trying to redirect unauthenticated requests for publicly viewable resources to a login page because I have an expired login cookie from last week still in my browser. If I wanted an authenticated page, I would have asked for it or gone to the login page. I just want to see the publicly viewable resource without typing in my password.
    3. The ever-popular "We've timed out your session and lost all your form entries. Please log in again, start over from page 1, and be faster this time." This could be fixed by including the form data as input type=hidden fields in the error page, so that it can be resubmitted after the user logs in again. Add bonus points for generating the forms in a way that defeats the browser's normal ability to remember old forms.
    4. Replacing simple pages that could easily be stored statically on the server with complicated pages that are dynamically generated by client-side Javascript; such pages usually require several large Javascript libraries, and take seconds at full CPU to render on a modern desktop. By comparison, simple static server pages render so quickly I sometimes think they came from the browser cache. Yes, some pages only make sense when generated dynamically. Others can be rendered as well, if not better, by the server. Sadly, many web developers seem to think they aren't doing their job if they don't encumber every single page with useless scripting and client-side handling.
    5. Crazy custom ways of downloading Javascript without actually using a script tag, which seems to defeat the browser's ability to cache the (usually large) script, as well as producing confusing output in analysis tools.
    6. Automatic logout driven by client-side per-tab Javascript, so if you open a new tab to view some other content on the same site, even if you keep that new tab active, the old tab will log you out for being idle in that tab. Automatic logout is not inherently bad, but it needs to be based on whether the user seems active, not whether a given tab has been reloaded recently.
    7. Assuming optional headers (e.g. HTTP Referer [sic]) are actually mandatory, with complete brokenness if that assumption is violated. For example, JPMorgan Chase Bank currently runs some content servers that, for some resources and not others, will hard abort a connection if you fail to send a Referer header. You can put whatever you want in the Referer header and it will work (even if it's not a valid URL), but if you omit the header entirely, splat. Their general use pages then hard-require those resources (see #1, above), so if you can't get the supporting resource, you can't use the site - and you don't get any sort of sane explanation telling what's wrong. Even their homepage is affected. I stumbled on that one by accident because I had a multi-year old browser preference set not to send cross-site referer headers. They broke that early this year and still either do not know it is broken or simply do not care.
      • curl 'https://www.chase.com/c/111816/etc/designs/chase-ux/css/blue-ui.min.css' -> fails with curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
      • curl -H 'Referer: -' 'https://www.chase.com/c/111816/etc/designs/chase-ux/css/blue-ui.min.css' -> works and gives a minimized CSS document; as far as I know, - is not a legal value in Referer, but their server seems happy as long as the header exists.

    I could go on, but I have ranted enough for one post.

    This does not even get into the more questionable UI choices, like trying to make websites rendered in full-screen 1920x1080 browsers lay out as if they were on tiny mobile phones.


    • identicon
      Anonymous Coward, 2 Dec 2016 @ 6:17pm

      Re: In fairness to their web designers

      Yep. Random numbers and letters, EXCEPT apparently those used in escaping urls. This is probably caused by a limitation inherited from the API the developer selected.

      But Mike, this beef isn't with the Copyright office. This is a beef that goes back to the original HTTP and HTML RFC's.

      Really there have been dozens of moments in history where this could have been unfucked universally. The failure was in putting abstraction that should have been a protocol extension, into a document standard instead. But noOOoo. We've got to all act like fucktards, because none of us ever got around to looking at the http RFC and said: "Shit... Even _I_ can do better than this."

      Hey. We all get our screws torqued now and again. No harm no foul. But do me a favor Mike: Fix the adverts on your site that run outside of https. It is a little less hypocritical to bitch about somebody else's site when yours is working properly.

      There is plenty of blame to go around. And in the general scheme of fucktard-neering that went into the Internet, this is a rather minor issue. There is much MUCH worse stuff out there.


      • identicon
        Anonymous Coward, 4 Dec 2016 @ 7:06am

        Re: Re: In fairness to their web designers

        "The failure was in putting abstraction that should have been a protocol extension, into a document standard instead"

        To follow up:

        If plain text SQL schemas had been bound to HTML forms back in the 90's, it is likely that PHP, AJAX, and, maybe even Ruby would never have existed. AND things would be way more secure, since the security policy would be done fully server side in C, instead of the sieve that has been created by client side dynamic post formatting.

        There is the right way, and there is every other way. And the WWW has been done every other way, since its inception. But when something is broken this long, it is probably broken because somebody wants it to be broken.

        So it would be easier to fix it these days. But you'd have to be willing to suck Microsoft and Oracle dick for it to be portable. Otherwise they would EEE you, or just break your dependencies until you said uncle.


    • icon
      John85851 (profile), 5 Dec 2016 @ 10:15am

      Re: In fairness to their web designers

      And in all fairness, it could be worse: the site could require the use of Flash to do anything on the site. It doesn't matter if you use FlashBlock or if your browser says Flash is a security risk: you either make it active or you can't use the site... and too bad if there are no other alternative websites to use.


  • identicon
    Digitari, 2 Dec 2016 @ 12:55pm

    So when

    you have to register to get DMCA protections (but not copyright), is the next step registering for Constitutional protections?

    I think I see where this is headed.......


  • icon
    Anonymous Anonymous Coward (profile), 2 Dec 2016 @ 1:05pm

    Automatic Reregistration

    There should be an App for that


  • identicon
    Anonymous Coward, 2 Dec 2016 @ 1:31pm

    Don't play by their rules. Ignore the DMCA.


  • identicon
    Anonymous Coward, 2 Dec 2016 @ 1:32pm

    Remember back in the day when Techdirt was acting like copyright was something that was going to go away? That was funny.


  • icon
    That One Guy (profile), 2 Dec 2016 @ 1:44pm

    Cha-Ching!

    And just like that the Copyright Office turned what was a one time payment into a steady (though smaller in the short term) stream of easy income, throwing everyone under the bus in the process.

    If they follow through on their idea of a site of 'unregistered sites' then you can be sure that the extortion via copyright schemes will shoot through the roof as well, also thanks to their boneheaded and/or incompetent move.


  • identicon
    Anonymous Coward, 2 Dec 2016 @ 1:47pm

    So you've got yourself an invalid registration now...

    ...and may not be protected. Because it says you're in Canada and you're not. Congratulations. Just the way the copyright office (and Hollywood) wanted it.


  • identicon
    Anonymous Coward, 3 Dec 2016 @ 12:27am

    The Chinese are coming, and they have familiarized themselves with east Texas.


  • icon
    Padpaw (profile), 3 Dec 2016 @ 3:41pm

    We Canadians welcome all of our new online brethren.


  • identicon
    Anonymous Coward, 4 Dec 2016 @ 5:35am

    The Copyright Monopoly loves breaking the Internet.


