If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
What if there was a way for a business to transform any conduct it disliked into a felony, harnessing the power of the state to threaten anyone who acted in a way that displeased the company with a long prison sentence and six-figure fines?
Surprise! That actually exists! It's called Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention" clause, which establishes five-year sentences and $500k fines for anyone who bypasses an "effective access control" for a copyrighted work.
Let's unpack that: every digital product has a "copyrighted work" at its core, because software is copyrighted. Digital systems are intrinsically very flexible: just overwrite, augment, or delete part of the software that powers the device or product, and you change how the product works. You can alter your browser to block ads; or alter your Android phone to run a privacy-respecting OS like Graphene; or alter your printer to accept generic ink, rather than checking each cartridge to confirm that it's the original manufacturer's product.
However, if the device is designed to prevent this – if it has an "access control" that restricts your ability to change the software – then DMCA 1201 makes those modifications into crimes. The act of providing someone with a tool to change how their own property works ("trafficking in circumvention devices") is a felony.
But there's a tiny saving grace here: for DMCA 1201 to kick in, the "access control" must be "effective." What's "effective?" There's the rub: no one knows.
The penalties for getting crosswise with DMCA 1201 are so grotendous that very few people have tried to litigate any of its contours. Whenever the issue comes up, defendants settle, or fold, or disappear. Despite the fact that DMCA 1201 has been with us for more than a quarter of a century, and despite the fact that the activities it restricts are so far-reaching, there's precious little case law clarifying Congress's vague statutory language.
When it comes to "effectiveness" in access controls, the jurisprudence is especially thin. As far as I know, there's just one case that addressed the issue, and boy was it a weird one. Back in 2000, a "colorful" guy named Johnny Deep founded a Napster-alike service that piggybacked on the AOL Instant Messenger network. He called his service "Aimster." When AOL threatened him with a trademark suit, he claimed that Aimster was his daughter Amiee's AOL handle, and that the service was named for her. Then he changed the service's name to Madster, claiming that it was also named after his daughter. At the time, a lot of people assumed he was BSing, but I just found his obituary and it turns out his daughter's name was, indeed, "Amiee (Madeline) Deep":
Aimster was one of the many services that the record industry tried to shut down, both by filing suit against the company and by flooding it with takedown notices demanding that individual tracks be removed. Deep responded by "encoding" all of the track names on his network in pig-Latin. Then he claimed that by "decoding" the files (by moving the last letter of the track name to the first position), the record industry was "bypassing an effective access control for a copyrighted work" and thus violating DMCA 1201:
The court didn't buy this. The judge ruled that pig Latin isn't an "effective access control." Since then, we've known that at least some access controls aren't "effective" but we haven't had any clarity on where "effectiveness" starts. After all, there's a certain circularity to the whole idea of "effective" access controls: if a rival engineer can figure out how to get around an access control, can we really call it "effective?" Surely, the fact that someone figured out how to circumvent your access control is proof that it's not effective (at least when it comes to that person).
All this may strike you as weird inside baseball, and that's not entirely wrong, but there's one unresolved "effectiveness" question that has some very high stakes indeed: is Youtube's javascript-based obfuscation an "effective access control?"
Youtube, of course, is the internet's monopoly video platform, with a commanding majority of video streams. It was acquired by Google in 2006 for $1.65b. At the time, the service was hemorrhaging money and mired in brutal litigation, but it had one virtue that made it worth nine figures: people liked it. Specifically, people liked it in a way they didn't like Google Video, which was one of the many, many, many failed internally developed Google products that tanked, and was replaced by a product developed by a company that Google bought, because Google sucks at developing products. They're not Willy Wonka's idea factory – they're Rich Uncle Pennybags, buying up other kids' toys:
Google operationalized Youtube and built it up to the world's most structurally important video platform. Along the way, Google added some javascript that was intended to block people from "downloading" its videos. I put "downloading" in scare-quotes because "streaming" is a consensus hallucination: there is no way for your computer to display a video that resides on a distant server without downloading it – the internet is not made up of a cunning series of paper-towel rolls and mirrors that convey photons to your screen without sending you the bits that make up the file. "Streaming" is just "downloading" with the "save file" button removed.
In this case, the "save file" button is removed by some javascript on every Youtube page. This isn't hard to bypass: there are dozens of "stream-ripping" sites that let you save any video that's accessible on Youtube. I use these all the time – indeed, I used one last week to gank the video of my speech in Ottawa so I could upload it to my own Youtube channel:
Now, all of this violates Youtube's terms of service, which means that someone who downloads a stream for an otherwise lawful purpose (like I did) is still hypothetically at risk of being punished by Google. We're relying on Google to be reasonable about all this, which, admittedly, isn't the best bet, historically. But at least the field of people who can attack us is limited to this one company.
That's good, because there's zillions of people who rely on stream-rippers, and many of them are Youtube's most popular creators. Youtube singlehandedly revived the form of the "video essay," popularizing it in many guises, from "reaction videos" to full-fledged, in-depth documentaries that make extensive use of clips to illuminate, dispute, and expand on the messages of other Youtube videos.
These kinds of videos are allowed under US copyright law. American copyright law has a broad set of limitation and exceptions, which include "fair use," an expansive set of affirmative rights to access and use copyrighted works, even against the wishes of the copyright's proprietor. As the Supreme Court stated in Eldred, the only way copyright (a government-backed restriction on who can say certain words) can be reconciled with the First Amendment (a ban on government restrictions on speech) is through fair use, the "escape valve" for free expression embedded in copyright:
https://en.wikipedia.org/wiki/Eldred_v._Ashcroft
Which is to say that including clips from a video you're criticizing in your own video is canonical fair use. What else is fair use? Well, it's "fact intensive," which is a lawyer's way of saying, "it depends." One thing that is 100% true, though, is that fair use is not limited to the "four factors" enumerated in the statute and anyone who claims otherwise has no idea what they're talking about and can be safely ignored:
Now, fair use or not, there are plenty of people who get angry about their videos being clipped for critical treatment in other videos, because lots of people hate being criticized. This is precisely why fair use exists: if you had to secure someone's permission before you were allowed to criticize them, critical speech would be limited to takedowns of stoics and masochists.
This means that the subjects of video essays can't rely on copyright to silence their critics. They also can't use the fact that those critics violated Youtube's terms of service by clipping their videos, because only Youtube has standing to ask a court to uphold its terms of service, and Youtube has (wisely) steered clear of embroiling itself in fights between critics and the people they criticize.
But that hasn't stopped the subjects of criticism from seeking legal avenues to silence their critics. In a case called Cordova v. Huneault, the proprietor of "Denver Metro Audits" is suing the proprietor of "Frauditor Troll Channel" for clipping the former's videos for "reaction videos."
One of the plaintiff's claims here is that the defendant violated Section 1201 of the DMCA by saving videos from Youtube. They argue that Youtube's javascript obfuscator (a "rolling cipher") is an "effective access control" under the statute. Magistrate Judge Virginia K DeMarchi (Northern District of California) agreed with the plaintiff:
Remember, DMCA 1201 applies whether or not you infringe someone's copyright. It is a blanket prohibition on the circumvention of any "effective access control" for any copyrighted work, even when no one's rights are being violated. It's a way to transform otherwise lawful conduct into a felony. It's what Jay Freeman calls "Felony contempt of business model."
If the higher court upholds this magistrate judge's ruling, then all clipping becomes a crime, and the subjects of criticism will have a ready tool to silence any critic. This obliterates fair use, wipes it off the statute-book. It welds shut copyright's escape valve for free expression.
Now, it's true that the US Copyright Office holds hearings every three years where it grants exemptions to DMCA 1201, and it has indeed granted an exemption for ripping video for critical and educational purposes. But this process is deceptive! The exemptions that the Copyright Office grants are "use exemptions" – they allow you to "make the use." However, they are not "tools exemptions" – they do not give you permission to acquire or share the tool needed to make the use:
Which means that you are allowed to rip a stream, but you're not allowed to use a stream-ripping service. If Youtube's rolling cipher is an "effective access control" then all of those stream-ripping services are wildly illegal, felonies carrying a five-year sentence and a $500k fine for a first offense under DMCA 1201.
Under the US Copyright Office's exemption process, if you want to make a reaction video, then you, personally must create your own stream-ripper. You are not allowed to discuss how to do this with anyone else, and you can't share your stream-ripper with anyone else, and if you do, you've committed a felony.
So this is a catastrophic ruling. If it stands, it will make the production of video essays, reaction videos, and other critical videos into a legal minefield, by giving everyone whose video is clipped and criticized a means to threaten their critics with long prison sentences, fair use be damned. The only people who will safely be able to make this kind of critical video are skilled programmers who can personally defeat Youtube's "rolling cipher." And unlike claims about stream-ripping violating Youtube's terms of service – which can only be brought by Youtube – DMCA 1201 claims can be brought by anyone whose videos get clipped and criticized.
Is Youtube's rolling cipher an "effective access control?" Well, I don't know how to bypass it, but there are dozens of services that have independently figured out how to get around it. That seems like good evidence that the access control is not "effective."
When the DMCA was enacted in 1998, this is exactly the kind of thing experts warned would happen:
And here we are, more than a quarter-century later, living in the prison of lawmakers' reckless disregard for evidence and expertise, a world where criticism can be converted into a felony. It's long past time we get rid of this stupid, stupid law:
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality
Anya is LIVE right now
FREE
Free to watch • No registration required • HD streaming
Governments can — and should — have rules about interoperability in their procurement policies. They should require companies hoping to receive public money to supply the schematics, error codes, keys and other technical matter needed to maintain and improve the things they sell and provide to our public institutions.
Día 5 "Un personaje de videojuego"
Terra Branford de Final Fantasy VI, o como me gusta llamarla, "LA WAIFU", me gusta el diseño y el desarrollo que tiene en su historia, ademas de ser de mis personajes favoritos en el juego xD
Es lo mejor que pude hacer, en serio me siento mal :'v una persona normal no debería de tener tanto medicamento en su sistema xD
Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.
✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality
Anya is LIVE right now
FREE
Free to watch • No registration required • HD streaming
I'm on a 20+ city book tour for my new novel PICKS AND SHOVELS. Catch me in PITTSBURGH in TOMORROW (May 15) at WHITE WHALE BOOKS, and in PDX on Jun 20 at BARNES AND NOBLE with BUNNIE HUANG. More tour dates (London, Manchester) here.
Something's very different in tech. Once upon a time, every bad choice by tech companies – taking away features, locking out mods or plugins, nerfing the API – was countered, nearly instantaneously, by someone writing a program that overrode that choice.
Bad clients would be muscled aside by third-party clients. Locked bootloaders would be hacked and replaced. Code that confirmed you were using OEM parts, consumables or adapters would be found and nuked from orbit. Weak APIs would be replaced with muscular, unofficial APIs built out of unstoppable scrapers running on headless machines in some data-center. Every time some tech company erected a 10-foot enshittifying fence, someone would show up with an 11-foot disenshittifying ladder.
Those 11-foot ladders represented the power of interoperability, the inescapable bounty of the Turing-complete, universal von Neumann machine, which, by definition, is capable of running every valid program. Specifically, they represented the power of adversarial interoperability – when someone modifies a technology against its manufacturer's wishes. Adversarial interoperability is the origin story of today's tech giants, from Microsoft to Apple to Google:
But adversarial interop has been in steady decline for the past quarter-century. These big companies moved fast and broke things, but no one is returning the favor. If you ask the companies what changed, they'll just smirk and say that they're better at security than the incumbents they disrupted. The reason no one's hacked up a third-party iOS App Store is that Apple's security team is just so fucking 1337 that no one can break their shit.
I think this is nonsense. I think that what's really going on is that we've made it possible for companies to design their technologies in such a way that any attempt at adversarial interop is illegal.
"Anticircumvention" laws like Section 1201 of the 1998 Digital Millennium Copyright Act make bypassing any kind of digital lock (AKA "Digital Rights Management" or "DRM") very illegal. Under DMCA, just talking about how to remove a digital lock can land you in prison for 5 years. I tell the story of this law's passage in "Understood: Who Broke the Internet," my new podcast series for the CBC:
For a quarter century, tech companies have aggressively lobbied and litigated to expand the scope of anticircumvention laws. At the same time, companies have come up with a million ways to wrap their products in digital locks that are a crime to break.
Digital locks let Chamberlain, a garage-door opener monopolist block all third-party garage-door apps. Then, Chamberlain stuck ads in its app, so you have to watch an ad to open your garage-door:
These companies built 11-foot ladders to get over their competitors' 10-foot walls, and then they kicked the ladder away. Once they were secure atop their walls, they committed enshittifying sins their fallen adversaries could only dream of.
I've been campaigning to abolish anticircumvention laws for the past quarter-century, and I've noticed a curious pattern. Whenever these companies stand to lose their legal protections, they freak out and spend vast fortunes to keep those protections intact. That's weird, because it strongly implies that their locks don't work. A lock that works works, whether or not it's illegal to break that lock. The reason Signal encryption works is that it's working encryption. The legal status of breaking Signal's encryption has nothing to do with whether it works. If Signal's encryption was full of technical flaws but it was illegal to point those flaws out, you'd be crazy to trust Signal.
Signal does get involved in legal fights, of course, but the fights it gets into are ones that require Signal to introduce defects in its encryption – not fights over whether it is legal to disclose flaws in Signal or exploit them:
But tech companies that rely on digital locks manifestly act like their locks don't work and they know it. When the tech and content giants bullied the W3C into building DRM into 2 billion users' browsers, they categorically rejected any proposal to limit their ability to destroy the lives of people who broke that DRM, even if it was only to add accessibility or privacy to video:
The thing is, if the lock works, you don't need the legal right to destroy the lives of people who find its flaws, because it works.
Do digital locks work? Can they work? I think the answer to both questions is a resounding no. The design theory of a digital lock is that I can provide you with an encrypted file that your computer has the keys to. Your computer will access those keys to decrypt or sign a file, but only under the circumstances that I have specified. Like, you can install an app when it comes from my app store, but not when it comes from a third party. Or you can play back a video in one kind of browser window, but not in another one. For this to work, your computer has to hide a cryptographic key from you, inside a device you own and control. As I pointed out more than a decade ago, this is a fool's errand:
After all, you or I might not have the knowledge and resources to uncover the keys' hiding place, but someone does. Maybe that someone is a person looking to go into business selling your customers the disenshittifying plugin that unfucks the thing you deliberately broke. Maybe it's a hacker-tinkerer, pursuing an intellectual challenge. Maybe it's a bored grad student with a free weekend, an electron-tunneling microscope, and a seminar full of undergrads looking for a project.
The point is that hiding secrets in devices that belong to your adversaries is very bad security practice. No matter how good a bank safe is, the bank keeps it in its vault – not in the bank-robber's basement workshop.
For a hiding-secrets-in-your-adversaries'-device plan to work, the manufacturer has to make zero mistakes. The adversary – a competitor, a tinkerer, a grad student – only has to find one mistake and exploit it. This is a bedrock of security theory: attackers have an inescapable advantage.
So I think that DRM doesn't work. I think DRM is a legal construct, not a technical one. I think DRM is a kind of magic Saran Wrap that manufacturers can wrap around their products, and, in so doing, make it a literal jailable offense to use those products in otherwise legal ways that their shareholders don't like. As Jay Freeman put it, using DRM creates a new law called "Felony Contempt of Business Model." It's a law that has never been passed by any legislature, but is nevertheless enforceable.
In the 25 years I've been fighting anticircumvention laws, I've spoken to many government officials from all over the world about the opportunity that repealing their anticircumvention laws represents. After all, Apple makes $100b/year by gouging app makers for 30 cents on ever dollar. Allow your domestic tech sector to sell the tools to jailbreak iPhones and install third party app stores, and you can convert Apple's $100b/year to a $100m/year business for one of your own companies, and the other $999,900,000,000 will be returned to the world's iPhone owners as a consumer surplus.
But every time I pitched this, I got the same answer: "The US Trade Representative forced us to pass this law, and threatened us with tariffs if we didn't pass it." Happy Liberation Day, people – every country in the world is now liberated from the only reason to keep this stupid-ass law on their books:
One of the questions I've been getting repeatedly from policy wonks, activists and officials is, "Is it even possible to jailbreak modern devices?" They want to know if companies like Apple, Tesla, Google, Microsoft, and John Deere have created unbreakable digital locks. Obviously, this is an important question, because if these locks are impregnable, then getting rid of the law won't deliver the promised benefits.
It's true that there aren't as many jailbreaks as we used to see. When a big project like Nextcloud – which is staffed up with extremely accomplished and skilled engineers – gets screwed over by Google's app store, they issue a press-release, not a patch:
These hacks are incredibly ambitious! How ambitious? How about a class break for every version of iOS as well as an unpatchable hardware attack on 8 years' worth of Apple bootloaders?
Now, maybe it's the case at all the world's best hackers are posting free code under pseudonyms. Maybe all the code wizards working for venture backed tech companies that stand to make millions through clever reverse engineering are just not as mad skilled as teenagers who want an ad-free Insta and that's why they've never replicated the feat.
Or maybe it's because teenagers and anonymous hackers are just about the only people willing to risk a $500,000 fine and 5-year prison sentence. In other words, maybe the thing that protects DRM is law, not code. After all, when Polish security researchers revealed the existence of secret digital locks that the train manufacturer Newag used to rip off train operators for millions of euros, Newag dragged them into court:
Tech companies are the most self-mythologizing industry on the planet, beating out even the pharma sector in boasting about their prowess and good corporate citizenship. They swear that they've made a functional digital lock…but they sure act like the only thing those locks do is let them sue people who reveal their workings.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
I'm on a tour with my new book Enshittification: catch me next in Los Angeles, Calgary and San Francisco! Full schedule here.
Even though he's the darkest of clouds, Trump has some deeply weird silver linings, formed out of a combination of his self-owning isolationism and blunt aggression.
In my quarter-century as a digital activist, I've had cause to work in more than 30 countries. Wherever I went, I'd meet with policymakers about the rules they should be thinking about in order to make their technology work better for their countries. Every single time, they'd agree politely with me, but insist that making any kind of tech-improving rules was impossible, because the US trade representative would kick their teeth in if they tried.
For all of this century, the USTR has been one of the greatest global impediments to a better world, hopping from country to country, demanding policies that would protect American tech firms from foreign competitors – especially the kind of competitor who would improve on American tech products by protecting users' privacy, consumer rights or labor rights while they used them.
The most glaring example of this are "anticircumvention laws." Under these laws, it's illegal to modify any technology that has any kind of anti-modification defenses. In other words, if the manufacturer draws a kind of virtual dotted line around part of the product's software and labels it, "Do not look inside this box," then it becomes illegal to do so, even if you're trying to do something that's otherwise legal.
That means that if your printer is designed to reject generic ink, you can't change the code that verifies the ink cartridge. There's no law that says, "You have to buy your ink from the same company that sold you your printer," but if HP adds any kind of anti-modification measure to its ink-checking code, then disabling that code becomes a serious crime.
Now, these laws are obviously an invitation to mischief. They are used to prevent independent repair of everything from tractors to cars to phones to games consoles to ventilators. They're used to stop you from blocking ads or surveillance on your phone or "smart" TV. They keep you locked into manufacturers' app stores, payment systems and other add-ons, which means that you are constantly being ripped off with junk fees, and you can't install the software of your choosing, including software that will help you avoid being kidnapped by masked thugs and sent to a secret torture prison:
The US passed the first of these laws in 1998, when Bill Clinton signed the Digital Millennium Copyright Act. As the ink was still drying on Clinton's signature, the US trade rep started racing around the world, demanding that America's trading partners adopt their own version of the law:
As these laws were adopted around the world, US tech giants were given carte blanche to extract more money and data from their global users. American users were getting ripped off too, of course (they were the first victims of Big Tech), but at least the US stock market reaped the benefit of Big Tech's incredibly lucrative scams. But for America's trading partners, anticircumvention was an entirely losing proposition: their people got ripped off for their data and their money, and their tech companies couldn't go into business selling products to disenshittify America's cash-and-data extraction machines.
So why did America's trading partners agree to anticircumvention law? Well, that was down to the tender ministrations of the US trade rep. Countries that didn't pass anticircumvention were threatened with US tariffs.
I used to occasionally guest-lecture at an international relations grad program at the Central European University in Budapest, and one summer, I had a student who had served as the information minister to a Central American country while the US was negotiating the Central American Free Trade Agreement (CAFTA). This student described getting a phone call from their country's chief negotiator who said, "I know you told me not to budge on anticircumvention, but the USTR tells me that if we don't give them this, they will block our agricultural exports. I'm sorry." Country by country, the world fell into line.
When someone tells you, "You'd better do what I say or I'm going to burn your house down," and then they burn your house down, you'd be an absolute sucker if you kept up your part of the bargain.
I find it absolutely bizarre that the USTR spent decades racing around the world, getting every country on earth to sign up to "America First" policies by threatening them with tariffs, and then Trump actually imposed the tariffs anyway, which has opened up the space for every country to get rid of those America First policies.
Of course, that's not all Trump has done. He's also made it abundantly clear that he considers America's (former) allies to be geopolitical and economic competitors, and that US tech is one of the primary weapons he will use to wage war on the world. He got Canadian Prime Minister Mark Carney to cave on taxing Big Tech, which means that they'll be able to go on cheating on their taxes, while Canadian companies won't be able to, which means Canada's tech sector will never be able to compete:
https://www.bbc.com/news/articles/cd0vv2pe7ydo
Trump has also ordered the EU to scrap its new tech antitrust laws, the Digital Markets Act and the Digital Services Act, which aim to open up space for European competitors to US tech:
But more than that, Trump and US tech have teamed up to attack and deplatform public officials that Trump has beef with. Take Karim Khan, chief prosecutor of the International Criminal Court in the Hague. Khan swore out a criminal complaint and arrest warrant for the génocidaire Benjamin Netanyahu, and Trump sanctioned Khan. Then, Microsoft cut off Khan's access to his account, nuking his email, calendar, address book and files:
For officials all over the world, the message couldn't be clearer: Trump sees you as the enemy, and he will use American tech companies to cut you off at the knees if you don't roll over for him.
Enter the Eurostack. This is an initiative from the EU that seeks to fund and deploy open source equivalents to the platforms that the European public, its businesses and its governments are currently locked into:
Thus far, Eurostack's focus has been on building those Made-in-the-EU alternatives to the US tech stack, and on financing data-center rollout. But very shortly, Eurostack advocates are going to hit a wall.
Escaping from US Big Tech isn't merely a matter of having another service to move your data and interactions to. You also have to have a way to transition from the old, US service to the new Eurostack equivalent.
No government ministry, no business, no individual is going to manually copy-and-paste thousands (or millions) of documents out of Microsoft, Apple or Google's cloud into the Eurostack. No one is going to individually move all the edit histories, email chains, and file permissions over. These files and data-structures are essential to the people who created them, and they often contain sensitive information and compliance data that is illegal to delete.
Sure, the EU could try to order American Big Tech companies to create export tools so that Europeans can easily retrieve their data in formats that can be faithfully imported into Eurostack services, but we can already see how that will play out.
Last year's Digital Markets Act contains a modest set of "interoperability" requirements that require big US companies like Apple to open up their platforms to rival app stores and payment processors. Apple's monopoly over iPhone apps is a big deal – it lets the company structure the market for software in Europe, without any accountability or limits, and Apple extracts a 30% tax on every euro that changes hands via an iOS app. Globally, Apple makes more than $100b/year from this "app tax."
When the EU passed a law aimed at halting this racket, Apple lost its mind. First, they proposed a "solution" to this that was so onerous and tortured that it was a kind of sick joke:
Now, Apple has filed 18 legal challenges to any interoperability mandate under the DMA:
https://eur-lex.europa.eu/eli/C/2025/5213/oj/eng
If this is how an American tech company responds to a small-potatoes order to give Europeans more choice over how they use their own devices and data, imagine what these US giants will do if the EU orders them to open up their platforms so people can leave altogether!
The only plausible path from US Big Tech to the Eurostack runs straight through anticircumvention. The EU needs to repeal Article 6 of the Copyright Directive, a law it passed at the behest of the US Trade Representative, to protect the rent-extraction tactics of American tech companies. We need to make it legal for European technologists to reverse-engineer the American tech platforms' websites and apps so that Europeans can get their data out of America's tech silos and into open, sovereign, privacy-respecting, consumer rights-preserving, worker-protecting Eurostack versions.
Building the Eurostack without thinking about migration tools is a recipe for disappointment. It's like building housing for East Germans…in West Berlin, without sparing a thought for how those East Germans are going to get to the new apartment blocks.
The good news is, there's no reason to keep Article 6 of the Copyright Directive on the books. The law has always been a wreck. It's one of the primary barriers to Right to Repair: companies now build devices with "access controls" on their parts. Even after you install a new part into a device, it won't start working until the manufacturer's representative unlocks it (for a hefty fee). Under anticircumvention laws like EUCD Article 6, it's illegal to bypass these locks.
What's more, the digital locks that EUCD 6 protects are almost all to be found in American products. Only a handful of EU manufacturers rely on these, and they use them to in terrible ways. Volkswagen used the fact that it was illegal to reverse-engineer its engines to disguise the fact that it was cheating on its emissions tests, and the resulting "Dieselgate" scandal killed thousands of Europeans:
Newag, a Polish train manufacturer, boobytraps the trains they sell. When these trains sense that they have been taken to a competitor's train-yard for maintenance, they render themselves inoperable. Newag then charges thousands of euros to remotely "repair" their own sabotage. When this was revealed by a team of independent security researchers, Newag used claims under EUCD 6 in an attempt to intimidate them into silence:
Mercedes won't let you unlock your new car's full acceleration capability unless you pay them a monthly subscription fee, and any mechanic who tries to bypass this and give you your whole engine's capability violates EUCD 6. BMW won't let you use the feature that auto-dims your high-beams when there's oncoming traffic, and once again, that can't be fixed by another company because of EUCD 6:
Any business that relies on EUCD 6 is garbage and should be killed with fire. The global champions of this legal sabotage are all American, but the EU companies that copied their business models are also trash and the EU should be terminating them with extreme prejudice.
It's pretty remarkable that we've forgotten about the kind of reverse-engineering that EUCD 6 bans. This used to be totally normal. Providing tools to move data from one system to another – without permission from your old vendor – is a completely legitimate business.
The only reason we forgot that this stuff existed is that the US trade rep spent 25 years lobotomizing us all, threatening us with tariffs if we dared to do anything that disrupted American Big Tech. With those companies, it's always "disruption for thee, never for me."
In a few short months, Trump has sown the seeds of the destruction of one of the most world's pernicious "America First" systems. Now, it's in the EU's power to send it to a long-overdue grave.
"Mr Cook, Mr Nadella, Mr Ellison, Mr Pichai – tear down that wall!"
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Antiusurpation and the road to disenshittification
THIS WEEKEND (November 8-10), I'll be in TUCSON, AZ: I'm the GUEST OF HONOR at the TUSCON SCIENCE FICTION CONVENTION.
Nineties kids had a good reason to be excited about the internet's promise of disintermediation: the gatekeepers who controlled our access to culture, politics, and opportunity were crooked as hell, and besides, they sucked.
For a second there, we really did get a lot of disintermediation, which created a big, weird, diverse pluralistic space for all kinds of voices, ideas, identities, hobbies, businesses and movements. Lots of these were either deeply objectionable or really stupid, or both, but there was also so much cool stuff on the old, good internet.
Then, after about ten seconds of sheer joy, we got all-new gatekeepers, who were at least as bad, and even more powerful, than the old ones. The net became Tom Eastman's "Five giant websites, each filled with screenshots of the other four." Culture, politics, finance, news, and especially power have been gathered into the hands of unaccountable, greedy, and often cruel intermediaries.
Oh, also, we had an election.
This isn't an election post. I have many thoughts about the election, but they're still these big, unformed blobs of anger, fear and sorrow. Experience teaches me that the only way to get past this is to just let all that bad stuff sit for a while and offgas its most noxious compounds, so that I can handle it safely and figure out what to do with it.
While I wait that out, I'm just getting the job done. Chop wood, carry water. I've got a book to write, Enshittification, for Farar, Straus, Giroux's MCD Books, and it's very nearly done:
Compartmentalizing my anxieties and plowing that energy into productive work isn't necessarily the healthiest coping strategy, but it's not the worst, either. It's how I wrote nine books during the covid lockdowns.
And sometimes, when you're not staring directly at something, you get past the tunnel vision that makes it impossible to see its edges, fracture lines, and weak points.
So I'm working on the book. It's a book about platforms, because enshittification is a phenomenon that is most visible and toxic on platforms. Platforms are intermediaries, who connect buyers and sellers, creators and audiences, workers and employers, politicians and voters, activists and crowds, as well as families, communities, and would-be romantic partners.
There's a reason we keep reinventing these intermediaries: they're useful. Like, it's technically possible for a writer to also be their own editor, printer, distributor, promoter and sales-force:
But without middlemen, those are the only writers we'll get. The set of all writers who have something to say that I want to read is much larger than the set of all writers who are capable of running their own publishing operation.
The problem isn't middlemen: the problem is powerful middlemen. When an intermediary gets powerful enough to usurp the relationship between the parties on either side of the transaction, everything turns to shit:
A dating service that faces pressure from competition, regulation, interoperability and a committed workforce will try as hard as it can to help you find Your Person. A dating service that buys up all its competitors, cows its workforce, captures its regulators and harnesses IP law to block interoperators will redesign its service so that you keep paying forever, and never find love:
Multiply this a millionfold, in every sector of our complex, high-tech world where we necessarily rely on skilled intermediaries to handle technical aspects of our lives that we can't – or shouldn't – manage ourselves. That world is beholden to predators who screw us and screw us and screw us, jacking up our rents:
(Maybe this is a post about the election after all?)
The difference between a helpmeet and a parasite is power. If we want to enjoy the benefits of intermediaries without the risks, we need policies that keep middlemen weak. That's the opposite of the system we have now.
Take interoperability and IP law. Interoperability (basically, plugging new things into existing things) is a really powerful check against powerful middlemen. If you rely on an ad-exchange to fund your newsgathering and they start ripping you off, then an interoperable system that lets you use a different exchange will not only end the rip off – it'll make it less likely to happen in the first place because the ad-tech platform will be afraid of losing your business:
Interoperability means that when Amazon rips off audiobook authors to the tune of $100m, those authors can pull their books from Amazon and sell them elsewhere and know that their listeners can move their libraries over to a different app:
But interoperability has been in retreat for 40 years, as IP law has expanded to criminalize otherwise normal activities, so that middlemen can use IP rights to protect themselves from their end-users and business customers:
https://locusmag.com/2020/09/cory-doctorow-ip/
That's what I mean when I say that "IP" is "any law that lets a business reach beyond its own walls and control the actions of its customers, competitors and critics."
For example, there's a pernicious law 1998 US law that I write about all the time, Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention law." This is a law that felonizes tampering with copyright locks, even if you are the creator of the undelying work.
So Amazon – the owner of the monopoly audiobook platform Audible – puts a mandatory copyright lock around every audiobook they sell. I, as an author who writes, finances and narrates the audiobook, can't provide you, my customer, with a tool to remove that lock. If I do so, I face criminal sanctions: a five year prison sentence and a $500,000 fine for a first offense:
In other words: if I let you take my own copyrighted work out of Amazon's app, I commit a felony, with penalties that are far stiffer than the penalties you would face if you were to simply pirate that audiobook. The penalties for you shoplifting the audiobook on CD at a truck-stop are lower than the penalties the author and publisher of the book would face if they simply gave you a tool to de-Amazon the file. Indeed, even if you hijacked the truck that delivered the CDs, you'd probably be looking at a shorter sentence.
This is a law that is purpose-built to encourage intermediaries to usurp the relationship between buyers and sellers, creators and audiences. It's a charter for parasitism and predation.
But as bad as that is, there's another aspect of DMCA 1201 that's even worse: the exemptions process.
You might have read recently about the Copyright Office "freeing the McFlurry" by granting a DMCA 1201 exemption for companies that want to reverse-engineer the error-codes from McDonald's finicky, unreliable frozen custard machines:
Under DMCA 1201, the Copyright Office hears petitions for these exemptions every three years. If they judge that anticircumvention law is interfering with some legitimate activity, the statute empowers them to grant an exemption.
When the DMCA passed in 1998 (and when the US Trade Rep pressured other world governments into passing nearly identical laws in the decades that followed), this exemptions process was billed as a "pressure valve" that would prevent abuses of anticircumvention law.
But this was a cynical trick. The way the law is structured, the Copyright Office can only grant "use" exemptions, but not "tools" exemptions. So if you are granted the right to move Audible audiobooks into a third-party app, you are personally required to figure out how to do that. You have to dump the machine code of the Audible app, decompile it, scan it for vulnerabilities, and bootstrap your own jailbreaking program to take Audible wrapper off the file.
No one is allowed to help you with this. You aren't allowed to discuss any of this publicly, or share a tool that you make with anyone else. Doing any of this is a potential felony.
In other words, DMCA 1201 gives intermediaries power over you, but bans you from asking an intermediary to help you escape another abusive middleman.
This is the exact opposite of how intermediary law should work. We should have rules that ban intermediaries from exercising undue power over the parties they serve, and we should have rules empowering intermediaries to erode the advantage of powerful intermediaries.
The fact that the Copyright Office grants you an exemption to anticircumvention law means nothing unless you can delegate that right to an intermediary who can exercise it on your behalf.
A world without publishing intermediaries is one in which the only writers who thrive are the ones capable of being publishers, too, and that's a tiny fraction of all the writers with something to say.
A world without interoperability intermediaries is one in which the only platform users who thrive are also skilled reverse-engineering ninja hackers – and that's an infinitesimal fraction of the platform users who would benefit from interoperabilty.
Let this be your north star in evaluating platform regulation proposals. Platform regulation should weaken intermediaries' powers over their users, and strengthen their power over other middlemen.
Put in this light, it's easy to see why the ill-informed calls to abolish Section 230 of the Communications Decency Act (which makes platform users, not platforms, responsible for most unlawful speech) are so misguided:
If we require platforms to surveil all user speech and block anything that might violate any law, we give the largest, most powerful platforms a permanent advantage over smaller, better platforms, run by co-ops, hobbyists, nonprofits local governments, and startups. The big platforms have the capital to rig up massive, automated surveillance and censorship systems, and the only alternatives that can spring up have to be just as big and powerful as the Big Tech platforms we're so desperate to escape:
This is especially grave given the current political current, where fascist politicians are threatening platforms with brutal punishments for failing to censor disfavored political views.
Anyone who tells you that "it's only censorship when the government does it" is badly confused. It's only a First Amendment violation when the government does it, sure – but censorship has always relied on intermediaries. From the Inquisition to the Comics Code, government censors were only able to do their jobs because powerful middlemen, fearing state punishments, blocked anything that might cross the line, censoring far beyond the material actually prohibited by the law:
We live in a world of powerful, corrupt middlemen. From payments to real-estate, from job-search to romance, there's a legion of parasites masquerading as helpmeets, burying their greedy mouthparts into our tender flesh:
But intermediaries aren't the problem. You shouldn't have to stand up your own payment processor, or learn the ins and outs of real-estate law, or start your own single's bar. The problem is power, not intermediation.
As we set out to build a new, good internet (with a lot less help from the US government than seemed likely as recently as last week), let's remember that lesson: the point isn't disintermediation, it's weak intermediation.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
