>>‘Security Failure Fair Use Analysis’

‘Security Failure Fair Use Analysis’

Prof. Jane C. Ginsburg, Columbia University School of Law*
January 25, 2016

The 1980s brought us market failure fair use analysis.1  Will the 20-teens bring us security failure fair use analysis, particularly in cases of mass digitization?  Regarding market failure, Professors Wendy Gordon, Rob Merges, and many others have shown that the absence of manageable markets for certain publicly beneficial uses of copyrighted works inclines courts toward a finding of fair use; and, correspondingly, the emergence of manageable markets cuts against fair use.2  Market failure fair use thus is a moving target: If the absence of a functioning licensing market justifies the fair use holding, then the development of such a market should defeat the fair use defense.  For example, the lack of a non-burdensome means of licensing photocopy rights in scientific journals underlay the Court of Claims’ 1973 fair use ruling in Williams & Wilkins Co. v. United States;3 the subsequent formation of the Copyright Clearance Center and its offer of institutional photocopy licenses for scientific journals motivated the Second Circuit’s 1994 rejection of the fair use defense in American Geophysical Society v. Texaco.4  In Cambridge University v. Patton,5 the success or failure of Georgia State University’s fair use defense largely turned on the plaintiff publishers’ offer (or lack of offer) of licenses for electronic course “reserves.”

In security failure fair use analysis, the failure leads to the opposite outcome (no fair use), but the two kinds of failure may play similar roles.  First, what is security failure fair use analysis?  In Authors Guild v. HathiTrust,6 and Authors Guild v. Google Inc.,7 plaintiff authors contended that unauthorized access to the database storing millions of in-copyright books scanned by Google would gravely harm the market for their works, were hackers to break inadequately protected copies loose from Google’s or the University of Michigan library’s control.  In both cases, the court found Google’s security measures “impressive,” and plaintiffs’ fears of a security breach “hypothetical” and “conjectural.”  “Google has made a sufficient showing of protection of its digitized copies of Plaintiffs’ works to carry its burden on this aspect of its claim of fair use and thus to shift to Plaintiffs the burden of rebutting Google’s showing.  Plaintiffs’ effort to do so falls far short.”8  Similarly, the court found that Google had successfully designed against multiple user queries that could cumulatively reassemble “snippets” into full pages from the scanned books.

Suppose, instead, the authors had rebutted Google’s showing of sufficient security.  In that event, the fourth fair use factor (effect of the use upon the potential market for or value of the work) would have weighed heavily against a fair use determination.  Proof of inadequate security would have presented the court with a confrontation of the first and fourth factors, and would have tested the proposition that a finding of “transformative use” sweeps all before it.  Recent decisions, particularly in the Second Circuit, had prompted the critique that once it deemed the use “transformative,” a court would find no cognizable market harm.  Thus, in HathiTrust, “under Factor Four, any economic ‘harm’ caused by transformative uses does not count because such uses, by definition, do not serve as substitutes for the original work.”9  If a “transformative use” fills a transformative market, which does not substitute for the work’s usual markets, then Factor Four has nothing to add.

But, even granting the significant expansion of the concept and consequences of “transformative” uses, the security issue could redeem the relevance of Factor Four.  No matter how “transformative” the use, if its implementation depends on manipulation of permanently stored copies that are inadequately secured, then the threat to the copyright owner’s market should offset the transformativeness of the use.  If the deployment of effective security assures us that the market for the work won’t be compromised by runaway copies, then ineffective security deprives us of that assurance, and undermines a fair use defense.  Thus, in Google Books, had the authors rebutted Google’s showing, the prospective economic harm from porous security should have weighted the scales more heavily against fair use even though full text retention and searchability were necessary to generate the transformative outputs.  As the court acknowledged: “Even if the purpose of the copying is for a valuably transformative purpose, such copying might nonetheless harm the value of the copyrighted original if done in a manner that results in widespread revelation of sufficiently significant portions of the original as to make available a significantly competing substitute.”

The relevance of security failure fair use analysis is not limited to book scanning.  The assemblage of databases of digital-original copyrighted works, for example, by digital image search engines that store full copies of the images, also presents security issues.  In the Ninth Circuit’s decisions in Kelly v. Arriba10 and Perfect 10 v. Amazon,11 the search engines made, stored, and displayed reduced-sized, low-resolution “thumbnail” versions of the source images.  Adopting a distinction devised by the Second Circuit in Bill Graham Archives v. Dorling Kindersley Ltd.,12 and subsequently followed in Google Books, the Ninth Circuit found the thumbnails transformative because their purpose was informational rather than aesthetic.  That court further ruled the thumbnail outputs non-economically substitutional because the images’ size and low quality did not compete with the originals (notwithstanding Perfect 10’s claim that thumbnails downloadable from Google competed with Perfect 10’s cellphone download market). If the search engine had provided higher quality images (as was the case in the outputs of the first iteration of the defendant’s search engine), the fair use defense would have been much weaker.  In these cases, limiting access to non-substitutional outputs might be seen as a kind of security measure,13 akin to the measures, endorsed by the Second Circuit, that Google took to ensure that users could not through multiple search queries string together “snippets” to form full pages.

These observations bring us to the parallels between market failure fair use analysis and security failure fair use analysis.  Just as the emergence and exercise of a licensing market may make previously fair uses unfair, the subsequent inadequacy of security measures brings prospective economic harm to the fore, and may render a previously fair use unfair.  In both kinds of failures, fair use is not static; when the facts that supported the fair use finding change, so should the legal conclusion.  Thus, for example, advances in hacking should oblige the proprietor of a database containing copyrighted works to update its security, lest a level previously sufficient, and therefore supportive of fair use, later become inadequate and therefore inconsistent with fair use.  By the same token, just as courts examine the existence and viability of plaintiffs’ asserted new licensing markets,14 so should they closely scrutinize the impermeability of a prospective fair user’s digital protections.  Google’s security may be “impressive,” and Google may have every incentive to maintain it, but not every user capable of scanning and storing in-copyright works for non-infringing, “transformative” purposes may have the resources, expertise, or inclination to safeguard the copied content.

The security issue may increase in practical importance with the broadening dissemination of digitization tools.  When Google began its book scanning program in 2004, very few enterprises other than Google possessed the means to undertake mass digitization of books, and they ultimately abandoned the field to Google.  Mass book digitization in effect meant one enterprise’s digitization of massive numbers of works both in and out of copyright.  Today, by contrast, most mass consumer printers include a scanning function, and even specialized book scanners now are readily and cheaply available, including build-it-yourself models.15  Digitization by the masses now is at hand.  Combine that capability with crowd-sourcing,16 and potentially interlinked databases to rival Google’s seem in prospect.  There are of course many copyright-free or authorized applications of crowdsourced digitization projects, but to the extent those databases contain in-copyright works without authorization, their assemblers and the webpages that carry them may need to devise adequate, and ongoing, security measures or risk liability for copyright infringement, notwithstanding the many transformative uses the databases enable.

Google Books might be read to authorize scanning and permanent storage of complete copies of any kinds of works in order to provide “information about” the works, so long as the user-visible outputs are non-infringing because they convey no expression (data mining), or too little information to substitute for the copied work (“snippets”), AND so long as the permanent copies are kept safe from more substantial user copying.  The second condition may prove increasingly determinative as scanning and other digital storage projects proliferate.

By |2018-07-03T17:42:58+00:00January 25th, 2016|Intellectual Property Issues|Comments Off on ‘Security Failure Fair Use Analysis’