Access to Free Academic Publications Growing through Slow Steps

On February 22, 2012 the Office of Science and Technology Policy (OSTP) announced the goal of making all publicly financed scientific publications freely available to the public one year following publication. The policy applies to federal agencies with more than $100 million in research and development expenditures.

As the OSTP announcement recognizes, “OSTP has been looking into this issue for some time,” meaning that this has been a significant issue for years. A congressional attempt to reverse this trend was dropped last year. In the Research Works Act (RWA or HR 3699), congress introduced legislation to reverse the National Institutes of Health policy that requires all research with NIH funding to be freely accessible within twelve months of publication. A useful explanation of the NIH policy is available here.

The new OSTP policy extends this policy of public dissemination to the next category of research, that which is funded by the larger federal agencies. As such, this will be a significant step forward.

In the OSTP statement, it highlighted that “[t]he Obama Administration is committed to the proposition that citizens deserve easy access to the results of scientific research their tax dollars have paid for.” The policy was also part of a We the People petition process. Dr. Holden, director of the OSTP is here:

The policy is not inherently calling for open access. The actual plan is more complex. It calls for a multitude of considerations to be incorporated by each agency:

To the extent feasible and consistent with law; agency mission; resource constraints; U.S. national, homeland, and economic security; and the objectives listed below, the results of unclassified research that are published in peer-reviewed publications directly arising from Federal funding should be stored for long-term preservation and publicly accessible to search, retrieve, and analyze in ways that maximize the impact and accountability of the Federal research investment.

In developing their public access plans, agencies shall seek to put in place policies that enhance innovation and competitiveness by maximizing the potential to create new business opportunities and are otherwise consistent with the principles articulated in section 1. [The Policy Principles.]

Agency plans must also describe, to the extent feasible, procedures the agency will take to help prevent the unauthorized mass redistribution of scholarly publications.

To see the new policy memorandum, please visit:

This is another modest, but important step towards making publications funded with federal dollars subject to unfettered free access to the public. Giving the publishers a one-year exclusive window may make practical sense and encourage investment in peer review, but ultimately the federal funding – and university public funding – vastly outweighs that of private publishers. In the end, the public investment in this research should be matched with public access. The work of the OSTP regarding its new policy is a positive step in this direction.


Takedown Notices as Brand Management – DMCA Defenses May Still Have Some Impact

Ars Technica recently reported a disturbing attempt to remove some of the harmful information about the allegedly fraudulent scientific research by Anil Potti, who stepped down from Duke after his false reporting was uncovered. The Retraction Watch Blog covers scientific publishing, highlighting those studies which have been retracted. The reporting is part of a larger effort to maintain a record of those scientific studies that are withdrawn from publication. Absent such a repository, readers may not be sure why information once available has gone missing.

Because of the reports on Dr. Potti, WordPress received a DMCA take-down notice regarding the Retraction Watch blog posts.

Narendra Chatwal claimed to be a senior editor at NewsBulet.In, “a famous news firm in India.” Chatwal said the site only publishes work that is “individually researched by our reporters,” yet duplicates of some of the site’s material appeared on Retraction Watch. Therefore, to protect his copyright, he asked that the WordPress host pull the material. It complied.

Writing in the posts made clear the material had originated at Retraction Watch. In addition, “[a] quick look at a number of other posts on the site also shows Chatwal’s claims of original reporting are bogus. Simple Google searches show that sentences of the material appear at a variety of other outlets.” Dr. Potti has denied any role in the takedown notice requests.

In contrast to the Retraction Watch take-down notices, in the longstanding litigation involving the dancing baby to Prince’s Let’s Go Crazy, the Northern District of Northern California recently rejected both parties motions for summary judgment, but so narrowed the legal considerations that the case should soon settle or peter out.

Lenz v. Universal Music Corp. has continued for six years and the innocuous video has generated over 1.2 million views. After Universal sent a take-down notice to YouTube for the use of the Prince song in 29 seconds of a toddler’s dancing, Lenz contacted the Electronic Frontier Foundation. At issue was whether Universal made the take-down request in good faith. To do so, it had to have “a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.” Since the video was not authorized by the copyright owner or its agent, the question was whether the video was nonetheless permitted under copyright law – primarily as an example of fair use.

Well of course it was. That issue is no longer in dispute. At stake is whether the failure to assess the poster’s fair use rights constitute bad faith.

In the decision, the court reiterated that when ordering a take-down of allegedly infringing material, “a copyright owner must make at least an initial assessment as to whether the fair use doctrine applies to the use in question in order to make a good faith representation that the use is not ‘authorized by law.’”

Failure to make such an initial assessment, however, may not be enough to create liability for issuing the take-down notice under §512(f). In Rossi v. MPAA, 391 F.3d 1000 (9th Cir. 2004), the Ninth Circuit established the ‘good faith belief’ requirement in § 512(c)(3)(A)(v) encompasses a subjective standard, so that to be liable for a fraudulent take-down notice the party must either subjectively believe the notice is wrong or be willfully blind to the fair use of the work. Relying on the earlier decisions involving Viacom v. YouTube, the court recited that “[w]illful blindness is tantamount to knowledge.”

With this framing of the legal issue, the court refused summary judgment for either party.

Lenz is free to argue that a reasonable actor in Universal’s position would have understood that fair use was “self-evident,” and that this circumstance is evidence of Universal’s alleged willful blindness. Universal likewise is free to argue that whatever the alleged shortcomings of its review process might have been, it did not act with the subjective intent required by §512(f).

The court is not insisting that Ms. Lenz have substantial or economic damages to continue the suit, but the damages are limited to the pre-litigation legal expenses (an amount of $1,275 provided as pro bono service from the EFF) and “at least minimal expenses for electricity to power her computer, internet and telephone bills, and the like, that potentially could be recoverable under §512(f).”

Though the damages are trivial, this may not be the end of §512(f) litigation.

Retraction Watch was able to reinstate its posts with a DMCA counter-notice to WordPress, but under §512(f) it may also be able to seek injunctive relief. This is important since it is unlikely to have registered its blog postings with the Copyright Office and therefore have to wait to bring any claim for copyright infringement triggered by the initial copying of its work. Litigation under §512 does not have the registration requirement, so it continues to provide a vehicle for those harmed by unfounded take-down notices to respond, while limiting these claims to the willfully blind and subjectively false actions of parties misusing copyright for other purposes.

In this aspect, Lenz v. Universal was helpful in establishing the legal standards. In most others, this video has played itself out.

State of the Cyber Union: Policy Directive + Executive Order = Expansive Regulatory Efforts

In President Obama’s 2013 State of the Union Address, the president included announcement of a long-expected Executive Order as well as a Presidential Policy Directive focusing on the need for better cybersecurity coordination and defense. This comes on the heels of a classified National Intelligence Estimate reported first by The Washington Post which “identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” The report ties directly into the focus of the Executive Order, emphasizing the risk both to critical infrastructure and to industry.

At the heart of the Executive Order are voluntary efforts on the part of industry and the role of the Federal Government in increasing coordination. “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” NIST is authorized to create a preliminary Cybersecurity Framework within 240 days. Compliance incentives will be developed to encourage voluntary compliance. As these standards gain adoption, they will set a new reasonableness standard, pulling the more reluctant companies up because of the risk of negligence and loss.

But the real action of the Executive Order is Section 10 which provides that each regulatory agency must report if the agency has the regulatory scope to implement the Cybersecurity Framework. If it does, presumably it will use those regulatory powers to transform the voluntary program into a regulatory one; if it does not, the agency will be expected to engage in the necessary rulemaking to do so.

The Executive Order  defines critical infrastructure very broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive provides specific guidance to the Office of Homeland Security and to the other federal agencies targeted with enforcing protections of critical infrastructure and regulatory compliance.

Neither order is overwhelming on its face, but the message is clear. The Federal Government will take an aggressive approach to cybersecurity and will use the broader regulatory authority at its disposal to do so. Though it has been invited to pass legislation, Congress does not need to act because every industry sector has some regulatory oversight and cybersecurity will soon be layered on top of the existing regulations. An excerpt from the Policy Directive highlights the expansionist approach:

Additional roles and responsibilities for the Secretary of Homeland Security include:

  1. Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;

  2. Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;

  3. In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;

  4. Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;

  5. Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;

  6. Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;

  7. Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and

  8. Report annually on the status of national critical infrastructure efforts as required by statute.

When combined with the additional power of regulation across the spectrum of energy, finance, communications, health, agriculture, information technology and other sectors, the reach is broad enough to rewrite the regulatory landscape much as the USA Patriot Act did in the wake of 9/11.

Privacy may well be another of the casualties of this war. The Executive Order adds that “[a]gencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities,” but asks for little more than an annual report. In contrast, corporate reporting is singled out. “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” This has been the case with the Patriot Act and the President’s policies give little comfort.

Confidentiality, rather than privacy, is part of the new regime. Paul Rosenzweig, writing the Lawfare blog from Brookings highlights the importance of the short-list: a subset of critical infrastructure organizations within the identified industry which make up the heart of each industry and will be singled out for heightened cybersecurity engagement.

Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This is a subset, of course, of the earlier broader definition.

Being an identified company may bring greater security obligations or improved resources or no change at all. Only time will tell. The impact will vary tremendously depending of the existing preparedness of each company.

The National Intelligence Estimate on cybersecurity risk makes clear that the threat must be addressed.

 The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

–          The Washington Post

The only question is the cost of the response. China, Russia, Iran, Israel, North Korea and other countries are known for releasing global cyber-attacks, some focused on military and political topics, while others highlight corporate espionage. Moreover, as I mentioned in an earlier post, the intruders use directed attacks on employees and independent contractors who open links, photos or already infected USB devices. Already behind firewalls, these tools install malignant code to glean passwords, open files and glean information which is sent back to the intruder. Some of these attacks are directly at U.S. infrastructure, others at economic targets, while many others affect U.S. interests only as collateral damage to regional conflicts which do not involve U.S. participants.

Nonetheless, the risks are increasing. After the President’s speech one thing is clear. Using the State of the Union as the basis for the announcement of the Cybersecurity Executive Order and Policy Directive has placed this topic near the top of the national agenda.


President Barack Obama delivers the State of the Union address in the House Chamber at the U.S. Capitol in Washington, D.C., Feb. 12, 2013. (Official White House Photo by Chuck Kennedy)