Three Years Later And The Copyright Office Still Can't Build A Functioning Website For DMCA Agents, But Demands Everyone Re-Register

from the and-pay-up dept

In early 2016, we wrote about an absolutely ridiculous plan by the Copyright Office to -- without any basis in the law -- strip every site of its registered DMCA agent. In case you're not aware, one of the conditions to get the DMCA's Section 512 safe harbors as a platform for user content, is that you need to have a "Designated Agent." As per 512(c)(2), it says:

Designated agent.—The limitations on liability established in this subsection apply to a service provider only if the service provider has designated an agent to receive notifications of claimed infringement described in paragraph (3), by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information:

(A) the name, address, phone number, and electronic mail address of the agent.

(B) other contact information which the Register of Copyrights may deem appropriate.

The Register of Copyrights shall maintain a current directory of agents available to the public for inspection, including through the Internet, and may require payment of a fee by service providers to cover the costs of maintaining the directory.

Note that this says that the Register of Copyrights shall maintain such a list. However, the Copyright Office decided back around 2016 that there were too many "old" registrations in the database, and decided to literally dump every single registration, despite the law not allowing it to do so. It then instituted a new plan that said -- again, without any legal basis -- that every site not only needed to register, but it would need to re-register every three years or it would lose the safe harbor protections, which could expose sites to massive liability.

In late 2016, this plan went into effect, and I detailed the incredibly bad computer system that the Office had put in place to handle such registrations, starting with the fact that the password requirements literally violate the federal government's own rules for passwords. Back in 2016, NIST told government agencies, among other things, to stop requiring random characters, upper and lower case, etc. and to stop expiring passwords with no reason.

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

So we were, well, not surprised back in 2016, that the Copyright Office's system ignored that rule not to include composition rules, and highlighted how they stupidly said:

Passwords must have at least 12 characters, with at least one lower case letter, upper case letter, number, and special character "!@#$%^&*()", and must not have any repeated letters, numbers, or special characters.

Not only did this violate NIST's guidelines, but it actually makes passwords significantly less secure by reducing their randomness.

Anyway, three years have almost passed, and as per the new rules, the Copyright Office is about to kick everyone off again. For no good reason at all. Even better, they sent an email over the Labor Day weekend to alert people that they're at risk of losing their registrations if they don't re-register -- because it's not like people miss random, poorly formatted emails that literally come from "donotreply@loc.gov" when going through emails coming back from a long weekend. Thankfully, I also saw Eric Goldman's blog post about this, though I'm guessing not everyone who owns a website that needs 512 safe harbors protection reads his blog (unfortunately).

Incredibly, it looks like the Copyright Office has done literally nothing to fix the problems of the system. Indeed, it turns out that things are even worse than before. Not only does the system still require "composition rules" that violate NIST's guidelines, it also expired everyone's passwords (which also violates the guidelines).

It actually proved significantly more difficult than expected to create a new password. Like everyone in the world should, I use a password manager to generate and store my passwords. But because of the Copyright Office's dumb rules, none of the passwords my password manager generated would work. I kept getting error message after error message, just telling me the same dumb, pointless, rules over and over again:

Even though it's literally bad practice to make your own passwords, I even tried to "edit" some of the auto-generated passwords to meet the rules, but it still didn't work, though I'm not sure why. One thing I discovered, while it says you have to use "special character" the list shown in that image is the entire set of allowed special characters. So, passwords using other special characters don't work, even though the Copyright Office's system doesn't bother to explain why it rejected your password. But special characters like "\>{]" and such don't work, even though there's no reason why they shouldn't, and most password generators will (smartly!) include them. Oh yeah, also this one stymied me for a really long time. The " mark is not allowed in a password, even though it sorta looks like it's included in that list. But it's not. It's just a pointless set of "quote marks" around the allowed symbols. This is not an intuitive system. It is not user friendly. It's dumb, insecure, and violates NIST's rules -- as it did three years ago when I complained about it.
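The two effects described above, composition rules shrinking the password space and generated passwords being rejected without explanation, can be measured directly. The following is an added example, not code from the Copyright Office's site or from the original article. It assumes that "repeated" means the same character used twice anywhere in the password (case-sensitive) and that a password manager draws uniformly from the 94 printable ASCII symbols; the function names are illustrative.

```python
import math
import string

# Rule text as quoted in the article. ALLOWED_SPECIALS is the complete set the
# site accepts; the surrounding quote marks are not part of it.
ALLOWED_SPECIALS = "!@#$%^&*()"
MIN_LENGTH = 12
CLASSES = {
    "lower case letter": string.ascii_lowercase,
    "upper case letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": ALLOWED_SPECIALS,
}
SITE_ALPHABET = "".join(CLASSES.values())  # 72 symbols
# Assumption: what a typical generator draws from (94 printable ASCII symbols).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def violations(password):
    """Return every rule the password breaks, naming the offending characters."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    for name, members in CLASSES.items():
        if not any(ch in members for ch in password):
            problems.append(f"missing {name}")
    rejected = sorted({ch for ch in password if ch not in SITE_ALPHABET})
    if rejected:
        problems.append("characters not accepted: " + " ".join(rejected))
    # Assumption: "repeated" means the same character used twice anywhere,
    # compared case-sensitively. The page does not say how the site reads it.
    repeated = sorted({ch for ch in password if password.count(ch) > 1})
    if repeated:
        problems.append("repeated characters: " + " ".join(repeated))
    return problems


def count_accepted(length):
    """Exact number of strings of this length that satisfy every rule."""
    sizes = [len(members) for members in CLASSES.values()]
    total = 0
    # Inclusion-exclusion over which character classes are left out entirely;
    # math.perm counts strings in which no character is used twice.
    for mask in range(1 << len(sizes)):
        dropped = [s for i, s in enumerate(sizes) if mask >> i & 1]
        pool = len(SITE_ALPHABET) - sum(dropped)
        total += (-1) ** len(dropped) * math.perm(pool, length)
    return total


def generated_acceptance_rate(length):
    """Chance that a uniformly random generator password passes the rules."""
    return count_accepted(length) / len(GENERATOR_ALPHABET) ** length


def bits_lost(length):
    """Entropy given up versus an unrestricted password of the same length."""
    unrestricted = length * math.log2(len(GENERATOR_ALPHABET))
    return unrestricted - math.log2(count_accepted(length))


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for sample in ["Aa1!bcdefghi", 'k9\\>{]Qw"zT4m', "Summer2019!!"]:
        print(repr(sample), violations(sample) or "accepted")
    for n in (12, 16, 20):
        rate, lost = generated_acceptance_rate(n), bits_lost(n)
        print(f"length {n}: {rate:.4%} of generated passwords pass, {lost:.1f} bits lost")
```

Returning the full list of violations, including the rejected characters, is the feedback the article says the site never gives.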

Then you log in... and the information given to you is sorely lacking. First, at the very top, you get a message saying that the entire website may be offline for three whole days... a month ago. What? What the hell are they doing that they need to take a site offline for three whole days? And if they had to do system upgrades for that long, how the hell have they not made anything actually work right? And, most importantly, if that shutdown happened a month ago, why are they still showing the damn warning message?

From there, you are shown a weird chart with a lot of useless information -- but it is not at all clear how you re-register. There is no indication that you need to re-register. There is just your "service provider name," "registration number," "status," "last updated" and the ever useless "Action" box.

It turns out, to re-register, you have to click that little pencil, which the tooltip tells me is to "Edit." But I'm not "editing" anything. I just want to renew so I still am protected by the DMCA's safe harbors. It then makes me review everything multiple times, before telling me I need to pay $6, and sending me to a sketchy looking payment site (which I get is not run by the Copyright Office itself, but still).

I was almost afraid to give it my credit card.

Either way, eventually it "worked," but in the most fucked up of ways. The website itself is then not exactly clear if this renewal adds on to my existing -- meaning do I get three more years from the date of my original three year registration in 2016 (which would be December 1), or if it simply starts the clock anew, as of the date I paid. It sure looks like they just started a new three year clock yesterday -- meaning they cheated me out of 3 months of coverage because I dared to renew promptly. So by being good and renewing in their stupid system nearly 3 months before I need to, they just chop off 3 months of the "service" they're providing me? How the fuck is that allowed? If you look at my original listing -- even though I'd paid up for 3 full years, they now show it as "inactive" and list the new one as "active."

And that's kinda fucked up. The current listing says "Active" for "September 3, 2019 to Present" which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022.

All of this is a complete mess. It's entirely unnecessary, and as Eric Goldman notes in his piece, when the Copyright Office rolled this out it "promised a smooth renewal process." This was anything but smooth -- and it's likely that plenty of sites may miss the fact that they have to do this, or get caught up in trying to get the damn system to work. While, thankfully, this hasn't impacted any sites directly that I'm aware of, it's only a matter of time until a site that thought it had a successful DMCA agent finds out it no longer does because the Copyright Office decided to change the entire process, and apparently can't build a freaking website that works or is even up to basic federal website standards.

And, sure, $6 is cheap, but it's still pretty messed up that the Copyright Office simply lopped off three months of service they owed me because their own system is too poorly implemented to know to add on another three years at the end of my existing "subscription." It seems like something that shouldn't happen -- and one hopes that someone at the Copyright Office or the Library of Congress figures their shit out before September of 2022. But I have my doubts.

Filed Under: copyright, copyright office, dmca, dmca agent, library of congress


Reader Comments

  • Anonymous Coward, 4 Sep 2019 @ 3:56pm

    Meanwhile the copyright office makes me change my password every two months as suggested by top network security experts...in 2005.

  • DeComposer (profile), 4 Sep 2019 @ 4:01pm

    The copyright office owes you $0.50

    $6/3 years =
    $2/year =
    $0.50/quarter

    • Anonymous Coward, 4 Sep 2019 @ 5:28pm

      Re: The copyright office owes you $0.50

      Except for one thing....only Congress can levy taxes either by direct legislation or by explicitly allowing an agency to charge fees.

      A rogue agency charging fees for something they are not explicitly allowed does not meet that criteria.

      The Copyright Office owes everyone who's paid these fees a full refund.

      • Gary (profile), 4 Sep 2019 @ 6:00pm

        Re: Re: The copyright office owes you $0.50

        Except for one thing....only Congress can levy taxes either by direct legislation or by explicitly allowing an agency to charge fees.

        So which agencies are "rogue"?

      • Anonymous Coward, 5 Sep 2019 @ 6:25am

        Re: Re: The copyright office owes you $0.50

        The fee authority comes from the last sentence in 512(c)(2) itself:

        The Register of Copyrights shall maintain a current directory of agents available to the public for inspection, including through the Internet, and may require payment of a fee by service providers to cover the costs of maintaining the directory.

    • Anonymous Coward, 5 Sep 2019 @ 12:08am

      Re: The copyright office owes you $0.50

      "I'm sorry, we do not issue checks that total less than $0.55. The total must be a prime number, divisible by .9, and cannot include the digits 2, 3, 5, or 7. We are not authorized to issue a check exceeding $10."

      • bhull242 (profile), 17 Sep 2019 @ 2:12pm

        Re: Re: The copyright office owes you $0.50

        The total must be a prime number, divisible by .9…

        Well, those two requirements together mean that no total works. Guess that means that they do not issue checks at all, which may well be the point.

  • techie1 (profile), 4 Sep 2019 @ 4:04pm

    It's a feature

    .... not a bug.

  • That One Guy (profile), 4 Sep 2019 @ 4:04pm

    'Rules must be followed!... for other people, not us.'

    Ignored the law not once but twice, ignored basic password guidelines, demand that people pay up on a regular basis on a site terribly designed...

    At this point if it was discovered that the entire thing was a prank put together by someone with a sadistic streak it would not surprise me in the least.

  • JoeCool (profile), 4 Sep 2019 @ 4:29pm

    Not surprised

    I'm astonished that no one has sued over this... and then I remember that the big guys have teams of lawyers for whom this is trivial, so they don't care, while the little guy bears the brunt of the inconvenience, but is too small to afford suing. So, system working as planned.

  • Coyne Tibbets (profile), 4 Sep 2019 @ 4:54pm

    Safe harbors BAD! Massive fines GOOD!

    What part of, "No one should be eligible for the safe harbor," did you fail to understand?

  • Ehud Gavron (profile), 4 Sep 2019 @ 5:05pm

    What the law says

    DMCA says '(2) DESIGNATED AGENT.-...by providing to the Copyright Office, substantially the following information..."

    If you provided it prior to 2016 and have not changed it and continue to provide it on your website as per the law, you are in compliance.

    The arbitrary decision on the part of the Copyright office to

    • change the process
    • add a fee
    • remove registrations already submitted

    is their choice to violate the law requiring them to hold on to the registrations, their choice to collect a fee without Congressional approval, and their choice to willfully cheat you out of your 3 months and make you jump through hoops.

    HOWEVER, should you be sued in the interim, the DMCA actual language says you've got the safe harbor protections.

    Not that it ever helped Yahoo.
    Or many many other organizations.

    The DMCA's safe harbor protections AT THEIR BEST were never worth much.

    Ehud "DMCA registered agent since 2003 and paid $0" Gavron
    Tucson AZ

  • TKnarr (profile), 4 Sep 2019 @ 5:10pm

    I'd be sorely tempted to send the information return-receipt-requested with a cashier's check for $6, just to make sure I had hardcopy evidence I could present in court that I did in fact have a registration as required by the law regardless of what the Registrar might say.

  • Anonymous Coward, 4 Sep 2019 @ 5:16pm

    Silly peons....

    Laws are meant for you, not the agencies enforcing them.

  • Rekrul, 4 Sep 2019 @ 6:53pm

    Please enter a password: pyramid

    [Error: Password must be at least 10 characters in length]

    Please enter a password: mypyramids

    [Error: Password must contain at least one upper case letter]

    Please enter a password: Mypyramids

    [Error: Password must contain at least one number]

    Please enter a password: Mypyramids2

    [Error: Password must contain at least one non-letter/number character]

    Please enter a password: GiveMeAF*ckingBreak!

    [Password accepted!]

    • Gary (profile), 5 Sep 2019 @ 5:51am

      Re:

      That's funny because the error on the website doesn't actually tell you what you are doing wrong. :)

      • Rekrul, 5 Sep 2019 @ 1:54pm

        Re: Re:

        That's funny because the error on the website doesn't actually tell you what you are doing wrong. :)

        Maybe not that web site, but I've actually had this experience on a couple sites that I've registered on. It was frustrating because at least one of them didn't tell me in advance what the requirements for the password were, but each time I entered something, it kept telling me what was wrong with it.

    • Anonymous Coward, 5 Sep 2019 @ 6:33am

      Re:

      The fact that the "accepted" password doesn't have a digit in it just makes it more accurate.

  • Pixelation, 4 Sep 2019 @ 8:21pm

    "Three Years Later And The Copyright Office Still Can't Build A Functioning Website"

    Because... Redacted

  • PaulT (profile), 5 Sep 2019 @ 12:50am

    "The current listing says "Active" for "September 3, 2019 to Present" which almost certainly means this one will expire September 3, 2022, even though it should go until December 1, 2022."

    What the hell... the entire description is bad practice, but you're expected to re-register on a regular basis and their own site won't tell you the expiration date? Wow.

    I tell you what, my cat threw up when I was leaving the house this morning. I'll grab the leftovers when I get back home today and post it to the US copyright office. Its web design skills are clearly better than their existing ones...

  • Anonymous Coward, 5 Sep 2019 @ 6:25am

    Why you can't use quote marks in passwords...

    https://xkcd.com/327/

    With everything else wrong in the copyright registrar's office, you'd think they would at least sanitize their inputs.

    But hey, you don't even touch on unicode characters or lack thereof!

  • Anonymous Coward, 5 Sep 2019 @ 7:07am

    Not that their Web site isn't amateur hour crap, and not that they should be doing that with the password rules, but SHOULD NOT is a strong recommendation, not a hard requirement. It's in the nature of "do it this way unless you can name a good reason not to", with nobody but the reader empowered to decide what constitutes a "good reason".

    If NIST had intended a hard requirement, NIST would have written "MUST NOT" or "SHALL NOT". That's a nearly universal standard these days. The site design is stupid, but it's not "violating" anything.

    You wouldn't go around spouting off about laws without understanding the definitions, and you shouldn't go around spouting off about technical standards without understanding the definitions either.

    And those 2016 NIST recommendations, although totally correct and in accordance with the best current research, also reversed about 30 years of the conventional wisdom on passwords. I know; I was waiting to pounce and start to force some changes at my own workplace when those recommendations came out. People don't move that fast.

    You also don't understand passwords and should not be writing about them. Adding on a character to a randomly generated password to satisfy a site is completely safe and not "literally a bad practice".

    Also, their explanation of what special characters they accept is completely understandable if you're not looking for something to whine about. And any reasonable password generator lets you control the character set.

    • Ehud Gavron (profile), 5 Sep 2019 @ 9:08am

      Adding on a character

      You also don't understand passwords and should not be writing about them. Adding on a character to a randomly generated password to satisfy a site is completely safe and not "literally a bad practice".

      YOU are the one who doesn't understand cryptography, (not "passwords") and shouldn't be writing about it (not "them").

      There's nothing which "is completely safe" and yes, it's bad practice to limit an encryption key length or choice of bit patterns.

      You're not just an anonymous coward, you're an anonymous know-nothing bad-information-spouting dangerous-if-anyone-paid-attention-to coward.

      Thanks for playing; you are awarded no points; may God have mercy on your soul. (Thanks, Adam Sandler).

      E

  • Anonymous Coward, 5 Sep 2019 @ 8:05am

    Offline

    First, at the very top, you get a message saying that the entire website may be offline for three whole days...

    Actually, the screenshot says "DMCA may be offline". "DMCA" is a law, not a website. I hope everyone took advantage of their takedown-free weekend.

  • John85851 (profile), 5 Sep 2019 @ 10:16am

    Who's to blame?

    Do you blame the business analysts for not creating better documentation for the developers to follow?
    Do you blame the developers who coded the site?
    Do you blame the testers/ QA team for thinking this is acceptable quality?
    Do you blame the managers for not pushing the testers and developers for not doing a better job?
    Do you blame HR for not hiring better developers who will do a better job?

    • Anonymous Coward, 5 Sep 2019 @ 10:45am

      Re: Who's to blame?

      I blame the manager at the low-bid contractor who hired a mediocre high school student to code the website between vaping sessions.

      I blame the bureaucrat who mindlessly crapped out the contract that allowed this travesty of a website to be created.

      I laugh at the idea that there were testers/QA involved.

  • bob, 5 Sep 2019 @ 1:35pm

    let us help you

    Even though it's literally bad practice to make your own passwords, I even tried to "edit" some of the auto-generated passwords to meet the rules, but it still didn't work, though I'm not sure why

    Mike, why don't you just put here the different passwords you tried and the one that worked. Then we can help you figure it out, you know, crowd source the effort.

    ;P

  • Ehud Gavron (profile), 5 Sep 2019 @ 1:50pm

    Brian Krebs on passwords

    This is a slightly over week-old article where a security expert (a real one) talks about passwords, encryption, choices, company responsibilities, etc.

    It's a good read because the above posts about "whose fault is it" really miss the point. It's not about assigning blame but about correcting the issues. If all one wants to do is figure out whom to blame, that's easy. Fixing authentication, encryption, and security is HARD.

    https://krebsonsecurity.com/2019/08/forced-password-reset-check-your-assumptions/

    Ehud

    • PaulT (profile), 6 Sep 2019 @ 12:16am

      Re: Brian Krebs on passwords

      The thing is, the TD article is not about trying to fix those things, it's about the shockingly poor implementation of what's been decided upon. Whether or not you agree with the required complexity, etc., there's no excuse for what's described.

  • Anonymous Coward, 5 Sep 2019 @ 3:40pm

    Now I’m not saying they should get the short end for a Bad fai

    Just have your lawyer in hand to “let them know” about how the laws they are supposed to follow works and pile a few legal threats on top while keeping documentation. Of everything if they ever have any issues...

  • Anonymous Coward, 11 Sep 2019 @ 2:37am

    Look, both the Copyright Office AND the DMCA are involved here.

    The ship holding the chances of anything "functioning" has long since sailed, for a live-action re-enactment of the Titanic.
