Making or Helping Ransomware Payments Could Mean Federal Sanctions

The first, last, and only thing most ransomware victims want is their data. Lacking good backups, organizations suffocate until they pay a ransom for the key to decrypt their networks. But now the Treasury Department warns of possible sanctions for doing that.

The new “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” is from Treasury’s Office of Foreign Assets Control (OFAC), and the title itself is footnoted to say it “is explanatory only and does not have the force of law.” But it goes on to cite laws and regulations that could support sanctions like the Trading With the Enemy Act, 50 U.S.C. §§ 1701–06.

Sanctions come from paying the wrong kind of cyber thieves. These are not run-of-the-mill criminals; they are listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, or embargoed countries or regions. They include authors or distributors of Cryptolocker (200,000+ infections; Russian), WannaCry 2.0 (about 300,000 infections; North Korean), and Dridex ($100 million+ stolen; Russian).

OFAC’s warning covers both paying victims and “companies that engage with victims…cyber insurance, digital forensics and incident response, and financial services processing ransom payments.” The recommendations go to small and medium-sized organizations, not just the very largest, but how to pay for complying with them is not discussed.

For example, you are told to implement a compliance program which accounts “for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.” What that program looks like is unclear, but it could mean both predicting sources and accurately identifying the origin of an attack once it happens.  

This is no small task. Experience teaches that few solutions can reliably identify the sources of attacks before they occur, and few attackers are located and identified even after data is decrypted or restored with backups.

Some free assistance services like ID Ransomware claim to identify the type of attack based on snippets like the ransom note. But forensic investigation of logs and other data is needed to have a chance to identify the actual location of attackers. Complicating matters, malware first developed by SDNs or blocked persons is offered for purchase or even rent on the dark web. So the author of the ransomware may be listed by OFAC, but the specific perpetrator could be an ordinary cybercriminal.

This leads to an unstated subtext of the advisory: OFAC wants you to always involve federal law enforcement agencies before you pay a ransom. No exceptions. This is good practice in my experience, but some clients fear the process of freeing their data will be slowed or even lost by involving federal law enforcement, and some hope to handle the situation without anyone knowing about it.

The advisory offers an inducement to overcome this resistance. OFAC will regard a company’s “self-initiated, timely, and complete report of a ransomware attack” and its “full and timely cooperation with law enforcement both during and after a ransomware attack” each as “a significant mitigating factor in determining an appropriate enforcement outcome” if the attacker turns out to be listed. The possibility of getting a license for the payment is briefly noted, but denial is stated as the presumed outcome.

The Advisory has a good list of federal agency contacts, but ranked first are OFAC’s Sanctions Compliance and Evaluation Division ( (202) 622-2490 / (800) 540-6322 ) and its Licensing Division ( / (202) 622-2480).

How these recommendations will play out in enforcement proceedings remains to be seen, but the Advisory could be offered someday as evidence that you were warned.


Maybe There’s A Ransomware Key For Free

Working with European governmental and private organizations, the FBI this summer announced release of a decryption tool that unlocks GrandCrab ransomware. The announcement and Josephine Wolff’s article “Don’t Pay Ransom for Digital Files” (NY Times, August 16) should focus attention on an option often overlooked in the fire drill after a ransomware attack denies access to your data: can we get a key without paying the criminals?

Although ransomware has been with us since the late ’80s, its sophistication and the financial and organizational harm it causes have increased dramatically in recent years. It is malware that denies you access to your system’s data by various means including encrypting it, locking your screens, changing your Master Boot Record (MBR), or locking your web server or mobile device.

GrandCrab is called malware-as-a-service because it was wholesaled to retail criminals. Its creators claim they made more than $2 billion and retired the “service.” But the software they sold will still be used to attack victims for some time to come.

Preventing attacks is an important subject for another day. But when they can’t access their data, people don’t want lectures on what they should have done in the past or should do in the future. They want to do something right now to get back in business.

The standard advice is never pay ransom. A more likely response by victims is trying to negotiate with the criminals, playing for time, checking what data is in backups, and figuring out how to make a ransom payment in unfamiliar and highly volatile currency like Bitcoin. Sometimes law enforcement is notified. Rarely is there an informed effort to find a key, but that is the best possible way to avoid paying ransom.

Organizations like The No More Ransom Project are trying to get all victims to look for a key before paying ransom. For three years it has stockpiled more than 80 decryption tools in a repository that can be used on more than 100 strains of ransomware. They say they helped more than 200,000 victims defeat attacks and recover their data—for free.

An initiative of the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, and McAfee, their minimalist cowboy themed website is at Since ransomware must be identified before the right key can be found, No More Ransom has the Crypto Sheriff. It can help ID the ransomware quickly with information most victims have at hand.

The GrandCrab decryption key announced by the FBI is on their website, and if you’re facing it or 100+ other kinds of ransomware checking with them might get you a key quickly, for free. There is no guarantee they can help or the tool they send will work. But it takes little time to check with them and other sources of decryption keys. It is a step each ransomware victim should at the least evaluate taking during the frantic moments after an attack.

This communication, a service of Bose McKinney & Evans LLP, exists for informational purposes only and none of its contents should be construed or used as legal advice on any specific facts or circumstances.
Your receipt or transmission of information does not create an attorney-client relationship and cannot substitute for obtaining legal counsel from an attorney admitted to practice law in your state.
Bose McKinney & Evans LLP is headquartered at 111 Monument Circle, Suite 2700, Indianapolis, Indiana 46204, with an office located at 200 East Main Street, Suite 536, Fort Wayne, Indiana 46802, and one located at 777 6th Street, N.W., Suite 510, Washington, DC 20001.
© Bose McKinney & Evans LLP. All Rights Reserved.


Blurred Lines Decision Endorses Traditional Copyright Law

A split decision yesterday by the Ninth Circuit federal appeals court affirmed $5+ million in damages awarded against famous artists Pharrell Williams and Robin Thicke in favor of the heirs of Marvin Gaye. A 2015 copyright trial asked a jury if Gaye’s number one hit “Got To Give It Up” was infringed by the 2013 number one hit “Blurred Lines.” They said it did and an appeals panel majority affirmed their decision. The defendants may ask the entire appeals court for a second look.

For now, this high profile decision reaffirms traditional principles of copyright law and how the courts should handle infringement cases. These include [a] appeals courts are “reluctant to reverse jury verdicts in music cases,” [b] the infringement test is “substantial similarity,” not exact copying, [c] substantial similarity is shown partly by expert dissection of the musical elements of the work and partly by the subjective reaction of ordinary people to its concept and feel, and [d] appeals courts give “great deference” to jury awards of damages.

Because the copyright laws in effect when Gaye’s hit record was made did not allow the jury to hear it, the infringement verdict came after warring experts’ interpretations of Gaye’s sheet music and the “Blurred Lines” creators’ testimony candidly admitting they were inspired by the older hit.

As technology made copying sound recordings almost effortless, and musical instrument virtuosity often was replaced by software to create sound and manipulate recordings, songs made from scratch became rarer. These changes and internet distribution of music have bred many opponents of US copyright law who see it as out of sync with reality. While new music has always rested on what came before, using other people’s music now seems normal if not an absolute right to many creative people.

The decision will be grist for copyright critics. More warnings have issued in the last 24 hours that creativity will be chilled because “Blurred Lines” did not literally copy “Got To Give It Up” and only captured its musical style or groove. One warning is from yesterday’s dissenting judge.

While mostly on federal procedure, the majority decision pushes back against the critics head-on. It shows how traditional copyright principles are more than adequate to handle infringement claims. And coming from the federal appeals court with the highest number of entertainment industry cases, the decision is a strong signal that it will take legislation to make the copyright laws require more literal copying to prove infringement.


Can I Get Copyright Statutory Damages and Attorney’s Fees Without a Registration?

If you register fast enough. The Supreme Court might take Fourth Estate Public Benefit Corp. v. and decide that no matter where the lawsuit is filed you only need to apply for registration before suing. That could reduce the wait until an infringement suit can be filed, but it won’t change the troublesome statutory damages and fees hurdle.

Like high hurdles on a track, two legs support a cross-bar. One is “publication” ─ offering or distributing your work to the world by sale, rental, or even just displaying it publicly. Let’s say you put a new photograph on your website gallery and offer it for the first time anywhere through your paywall on February 8, 2018. That’s the publication date.

The other leg is “registration,” having a copyright registration or just applying for one in the states where allowed (which could be every state if Fourth Estate is decided by the top court).

The cross bar is three months. Publication on February 8 requires registration or application by May 8. This is sometimes called the grace period.

If you clear the hurdle, your lawsuit can ask for statutory damages and attorney’s fees. If not, they are lost for most claims. There are exceptions and complications like what happens when infringement starts before your work is published and that’s another story. But most infringement cases must jump this hurdle.

Statutory damages are prized because rights owners often can’t prove actual damages, how many dollars were actually lost. Statutory damages don’t need such proof and can be awarded for an amount “the court considers just” up to $150,000 or more in some situations.

Recovering attorney’s fees is especially good because copyright cases don’t scale well compared to the infringed work’s value and legal expense can exceed damages.

So if the Supreme Court gives everyone an easier way to get in under the three-month grace period, don’t take a nap. If you own a work deserving full protection under our copyright laws, register as soon as possible. High hurdles demand speed.


Can I Enforce My Copyright in Court Without a Registration?

It all depends on where you file the lawsuit. The Supreme Court can end this strange situation by taking a case asking for nationwide uniformity, Fourth Estate Public Benefit Corp. v. Or it may leave us with a checkerboard of conflicting guidance.

The federal copyright act requires registration before you can file. What is “registration”? Some courts define it literally: you need a registration certificate to start the lawsuit. Other courts say it’s enough to just apply for one. Some don’t say. These differences may not sound like much, but registration data show one reason they can be huge.

Imagine you are set to release the best song on the best recording you ever made, and it’s stolen. Before the thieves can put it online and upend your plans, you race to federal court to get an injunction to stop them. You have solid evidence, but no registration.

The latest Copyright Office annual report says it takes 6 to 8 months to process online applications. Paper forms take 8 to 10 months. For $800 you may get a registration in five working days, no guarantees. Normal online applications cost $35.

In San Francisco, Austin, or New Orleans, no problem. You can apply to register and file the lawsuit the same day in most cases. If your court is in Santa Fe, Boulder, or Atlanta, you must get a registration first. It will take at least a week. The “just apply” courts save copyright owners time, money, and irreparable losses.

The rest of the country is worse. In Indianapolis, Chicago, or Madison, both sides can cite cases saying it is, or is not, enough to just apply. In Nashville, Pittsburgh, and New York City, the appeals courts are silent.

Until the Supreme Court imposes one interpretation for the whole country, or Congress changes the law, common sense says you should register any work you feel you might need to enforce in federal court. As soon as you can.



CISA Gives Protection For Sharing Cybersecurity Attack Information

The US Chamber’s public letter on cybersecurity last month urged businesses to take full advantage of the Cybersecurity Information Sharing Act signed into law by President Obama in December 2015. It caused renewed interest in the law, and this post outlines how small and midsized businesses can be sheltered by it when they partner with others to deal with the most common cybersecurity threat, spear phishing.

Used in even the most sophisticated cyber-attacks, spear phishing is nothing more than getting employees to transfer money or information by emails pretending to be from another person authorized to make the requests.

Spear phishing works when bad actors steal enough information to know who to impersonate and who to give orders to.

The information is stolen in many ways. Tracking how thieves attacked your company is vital to secure your systems and prevent future attacks. Re-creating the crime often means sharing information with financial institutions, suppliers, customers, employees, law enforcement, and others.

The thieves won’t sue you for exposing their activity, but if personal information about people is exchanged in the tracking process, lawsuits and other legal damage can and do result.

The CISA protects companies sharing information about specific individuals in connection with “cyber threat indicators” and “defensive measures” for a cybersecurity purpose. If you follow its rules, among other things your company can’t be sued for sharing the information.

To make it easier to follow the rules, the Homeland Security and Justice Departments released a CISA owner’s manual, “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015.”

Personal information is involved in the description of a spear phishing attack by definition. The Guidance recognizes this includes information about the bad actor, the subject line, the email message content, message ID, and X-Mailer. But the identity of the individual being impersonated and his or her email address are information you must scrub because it is “not directly related to” the threat.

Also needing to be removed are such things as protected health information, HR information, consumer purchasing history or preferences, and financial information.
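The keep/scrub split the Guidance describes above can be enforced mechanically before a report leaves the company. The following is an added example, not code from the original post or from the DHS/DOJ Guidance; the header names it keeps, the redaction tokens, the number formats it scrubs, the decision to drop the targeted employee’s address, and the sample message are all constructed assumptions for the example.

```python
"""Strip information "not directly related to" a spear-phishing threat before
the report is shared. Added example, not the post's or the Guidance's code."""
import re

# Header fields the post describes as directly related to the threat: kept.
# Anything else (To, Cc, internal routing headers) is dropped; treating the
# targeted employee's identity as not needed is an assumption of this example.
THREAT_HEADERS = ("From", "Reply-To", "Subject", "Message-ID", "X-Mailer")

# HR / financial data that may appear in the body. Formats are assumed.
SCRUB_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,17}\b", re.I), "[ACCOUNT]"),
    (re.compile(r"\b(?:routing|aba)\s*#?\s*\d{9}\b", re.I), "[ROUTING]"),
)


def _scrub(text, impersonated):
    """Remove the impersonated person's identity and sensitive numbers.

    The address in From/Reply-To belongs to the attacker (a look-alike domain)
    and is an indicator, so only the impersonated person's *real* address and
    full name are replaced: 'jane.doe@examp1e-corp.com' survives,
    'jane.doe@example.com' does not.
    """
    out = text.replace(impersonated["email"], "[IMPERSONATED_EMAIL]")
    out = re.sub(re.escape(impersonated["name"]), "[IMPERSONATED_NAME]", out,
                 flags=re.I)
    for pattern, token in SCRUB_PATTERNS:
        out = pattern.sub(token, out)
    return out


def sanitize_report(message, impersonated):
    """Build the shareable record from a captured phishing message.

    message: {"headers": {name: value}, "body": str}
    impersonated: {"name": str, "email": str} of the person being impersonated.
    Returns the kept headers (scrubbed), the scrubbed body, and the names of
    headers that were withheld so a reviewer can see what was dropped.
    """
    kept, dropped = {}, []
    for name, value in message["headers"].items():
        if name in THREAT_HEADERS:
            kept[name] = _scrub(value, impersonated)
        else:
            dropped.append(name)
    return {
        "headers": kept,
        "body": _scrub(message["body"], impersonated),
        "dropped_headers": dropped,
    }


def leaks(shared, impersonated):
    """Final check before sharing: True if any value that should have been
    scrubbed is still present anywhere in the record."""
    blob = "\n".join(shared["headers"].values()) + "\n" + shared["body"]
    if impersonated["email"] in blob or impersonated["name"].lower() in blob.lower():
        return True
    return any(p.search(blob) for p, _ in SCRUB_PATTERNS)


# Constructed sample: a CFO-impersonation wire request sent to an AP clerk.
SAMPLE_MESSAGE = {
    "headers": {
        "From": '"Jane Doe" <jane.doe@examp1e-corp.com>',
        "Reply-To": "jane.doe@examp1e-corp.com",
        "To": "pat.clerk@example.com",
        "Subject": "Urgent wire before 3pm",
        "Message-ID": "<20160412.8f3a@mail.examp1e-corp.com>",
        "X-Mailer": "PHPMailer 5.2.9",
    },
    "body": (
        "Pat, I'm in a meeting, reach me only at jane.doe@example.com. "
        "Wire $48,500 to account #123456789012, routing 021000021. "
        "Also confirm the new hire's SSN 123-45-6789 is on file. "
        "Thanks, Jane Doe"
    ),
}
IMPERSONATED = {"name": "Jane Doe", "email": "jane.doe@example.com"}

if __name__ == "__main__":
    shared = sanitize_report(SAMPLE_MESSAGE, IMPERSONATED)
    assert not leaks(shared, IMPERSONATED)
    for name, value in shared["headers"].items():
        print(f"{name}: {value}")
    print(shared["body"])
    print("dropped:", shared["dropped_headers"])
```

The attacker’s look-alike sender address and the X-Mailer fingerprint survive intact, which is what the recipient of the report needs to correlate it with other attacks.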

Liability protection for sharing with the federal government requires you to go through the process set up by the Department of Homeland Security at the National Cybersecurity and Communications Integration Center. It is a 24/7 management center where incidents can be reported through the US-CERT Incident Reporting System.

Good features of the CISA assure you that sharing threats and defensive measures does not waive privileges like the lawyer/client privilege or protections for trade secrets. Sharing can’t violate the antitrust laws or make proprietary information public. And shared information can’t be used by federal, state or local regulators.

Additional requirements include restrictions imposed by other parties sharing information with you, and having a “security control” to guard threat indicators and defensive measures from unauthorized access.

Yes, there’s a cost for CISA’s protections. But it has many benefits and compliance has benefits beyond the ones built into the law, such as providing an excellent roadmap when managing a spear phishing attack. Deciding whether to share threat information or defensive measures under the CISA should ideally be part of your overall cybersecurity strategy.

Smaller and mid-sized companies may not feel they can afford the luxury of developing a cybersecurity strategy at leisure, so their strategy may have to be the result of dealing with threats as they occur.

Being aware of CISA’s protections and requirements can still be valuable if you must make decisions while under attack.


Encryption Choices and the Coming EU v US Privacy Showdown

Edward Snowden’s leaks from NSA and Five Eyes surveillance programs three years ago reverberate today in European Union demands for total privacy in daily communications. If they become privacy regulations which US companies doing business with Europeans must obey, compliance could violate US law. Keeping up with privacy developments on both sides of the Atlantic is challenging, but it’s the only way to make good decisions on encrypting company communications and records.

The European Data Protection Supervisor is the EU’s privacy czar for now. He issued a preliminary opinion last month on ePrivacy Directive regulations. There may not be a final opinion because the Directive will be replaced in May 2018 by the General Data Protection Regulation (GDPR). Since the privacy czar is a lame duck and the Directive will be gone before you know it, some see the preliminary opinion as lobbying out in the open for new GDPR regulations.

The privacy czar is not a lone EU voice. His encryption recommendations are supported by the Article 29 Working Party (WP29) made up of data protection representatives of every EU member state. The recommendations are rigid:

• End-to-end encryption
• No back-doors
• Encryption and communication service providers, and “all other organizations” prohibited from allowing or facilitating back-doors.
• Decryption, reverse engineering, and communication monitoring prohibited by law

End-to-end encryption allows only the communicating parties to read messages. Every other player in the communication process must be prevented from getting the keys to unlock the conversation. Encryption must be designed to be tamper-proof and surveillance-proof.

Here, courts have ordered Apple about a dozen times to unlock cryptographic protection of iPhones. The most famous case this year involved a San Bernardino terrorist’s phone. Total privacy advocates cheered when the court rebuked the government for a “far-reaching” request. But the ruling lost its purpose and the case ended a short time later when the FBI said it unlocked the phone with third party help.

The most successful US legislative proposal of the moment ignores the subject. The Email Privacy Act proposed in 2015 was approved by a House vote of 419 to 0. If it becomes law it will close a legal loophole allowing authorities to get data more than 180 days old without a court order.

The bill eliminates any question whether electronic communication devices are “effects” protected by the Fourth Amendment’s “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” It requires search warrants to obtain online communications or data stored in the cloud.

But while the bill is silent on encryption, US search warrants deal with it head-on. The Justice Department’s warrant form says “For any computer hard drive or other electronic media…(b) … encryption keys.” Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, .

The EU privacy czar and WP29 would prevent any and all searches and surveillance of encrypted communications. US law grounded on the Fourth Amendment’s protection allows search warrants based on “probable cause.” This is qualified privacy protection, not absolute.

When the US encourages and rewards encryption such as with the HIPAA Security Rule on personal health information in place more than a decade, it also recognizes the encrypted information can be required by court order and warrants.

As the US and EU head toward a showdown, encryption is looking like the new killer app. WhatsApp launched end-to-end encryption for about a billion users in April. Viber did the same for 700 million users. Facebook knows firsthand how serious the EU is about privacy and is now beta testing “Secret Conversations.”

If you are shopping for encryption solutions, you need to know if the vendor is offering virtually warrant-proof encryption or if they have back doors or decryption software. Whatever you decide in light of the conflict between US law and EU proposals, please remember that even warrant-proof encryption is no safer than the security of your company’s devices and your employees’ alertness.

Devices can be hacked and the cryptographic keys stolen. And everyday spear phishing can give wrongdoers the ability to read decrypted messages.



Smaller Businesses and the US / EU Privacy Shield Launch Today

If you have customers or employees in the European Union, you should look into signing up to operate under the US / EU Privacy Shield. Registration began this morning. It closes in two months.

Signing up means you self-certify you will be in compliance with tough privacy protection guidelines in exchange for a nine-month grace period to get ready. Then you have to recertify yearly. If you collect information about Europeans and don’t sign up, you are in fact subject to enforcement one way or the other, with no grace period.

Overall enforcement in the US will be the job of the US Department of Commerce. Their information on the whole process is on the Privacy Shield Framework website. Go to Requirements of Participation.

Privacy Shield negotiations went on for a while before it abruptly became a hurry up replacement for the EU Safe Harbor struck down last fall by a European court. Now Privacy Shield is under attack in Europe, but no matter what the outcome count on continual EU efforts to protect the privacy of their citizens aggressively.

Smaller manufacturers and retailers dealing directly with EU consumers will find compliance pretty challenging. One example is the complaint process.

Participating companies must have complaint forms and respond to consumer complaints in 45 days. And if the response doesn’t work, they must provide the consumer an “independent recourse mechanism” to resolve the dispute.

And the participating company must pay for everything regardless of outcome. TRUSTe, the Better Business Bureau, and the International Institute for Conflict Prevention and Resolution (CPR) are among those offering services.

Remedies and sanctions that could be imposed start with fixing the privacy issue, but go on to include public statements, loss of certification, and compensation to the consumer.

Signing up is truly a choice, and it should be informed. Staying informed about privacy protection obligations will remain an evolving process. Whether forced by legal developments or not, every company needs a privacy protection officer. Even if your size means that is a person with three or four other titles.


Brexit Multiplies Uncertainty Over EU Privacy Regulations and Shield

US companies doing business in the EU face a May 25, 2018 deadline to comply with its General Data Protection Regulation [GDPR], a 200+ page law. It is so riddled with questions it requires a new European Data Protection Board [EDPB] to give answers, guidelines, and recommend best practices.

Those answers will be influenced by what is called the EU-US Privacy Shield now being angrily negotiated. And something called the Article 29 Working Party [A29WP] with members from each EU member state is supposed to issue important opinions on data protection.

Clear as crystal. And there is much more. The Irish Data Protection Commissioner, for example, may ask Ireland’s High Court to rule on whether standard EU contract clauses on data protection are valid. That could put the issue in front of the EU’s Court of Justice.

And then the UK voted to leave the EU. To the cascade of speculation underway about what happens next, you can now add an uncertainty multiplier about what rules and best practices you must follow in handling the personal and business data of European residents.

The one certainty in all this is that no one knows what will happen or when. The EDPB and A29WP may give clear direction, but it could come in waves instead of one comprehensive set of do’s and don’ts. The UK could go it alone and adopt its own laws and regulations. Privacy Shield negotiations and court decisions could change all the above. And no matter what legislators do, technology will keep pointing to new ways to protect and new ways to compromise personal and business data.

So how do you get ready to comply with whatever may be coming? By focusing on guiding principles that must be served no matter how the legal chaos resolves.

Active consent. The GDPR wants you to get active consent to use customer, employee, or vendor data. Think of it as contracts versus implied contracts, clicking “I Agree” instead of relying on unread Terms of Use saying continued access to a website is conditioned on agreeing to the terms.

To implement active consent, you must first know all the kinds of personal and business data you are collecting or already possess. You must take inventory of your data.

Right to Be Forgotten. This is a startling idea for Americans whose use of information is shaped by the First Amendment. Our closest legal recognition of it may be the limited laws allowing expungement of juvenile or adult arrest or conviction records. The right is a recent development in European law largely driven by a desire to have the power to require information, photos, and videos deleted so search engines can’t find them.

Unlike the goal of privacy which is preventing information from becoming public, the right to be forgotten aims to eradicate forever information that is already public. It is a right to disappear into the crowd without a trace.

Exercising the right requires a request, but once you are asked there will be limited time to comply and sanctions for failing.

Your first task is to understand whether you currently can, and if not what is needed to, permanently delete the personal or business data you obtain. This is not business as usual for most companies, which have nothing beyond an unsubscribe capability for their mailing lists. The technical difficulties can be substantial.

Rapid Disclosure of Data Breaches. Indiana requires notification within 45 days after discovering a data breach. The GDPR will require notification to its Data Protection Authority in 72 hours ─ 3 days.

No matter how the regulations develop, you must first understand your capabilities for identifying a data breach. If you don’t actively monitor your networks and the personal devices accessing it, start investigating what it will take.

Long Arm Jurisdiction. As Google learned many times, EU member states will exert jurisdiction over any business dealing in the personal or business information of an EU individual resident or company. The determination to exert legal authority over those outside the EU is unlikely to change no matter how the UK separation or further withdrawal votes go.

Lawyers have a way of telling people to do this and that as each new challenge comes along. But here the GDPR has value as a prod to do what’s needed for your organization now. The good thing about the self-knowledge to implement whatever final requirements are imposed by the EU is that it will help with what you’re facing from cyber threats in the next 24 hours.


Something Old Becomes Something New and Makes Copyright Royalties Disappear

The Old is pre-1972 recordings not covered by federal copyright law. The New is remastered versions of the Old played on broadcast radio. The disappearing royalties are the ones supposed to be paid by radio to copyright owners after Flo & Eddie’s state copyright law victories in California and New York.


With the recorded music industry preoccupied by the question “who owes me?”, another answer came from Los Angeles federal court on Memorial Day when Judge Percy Anderson ruled that CBS Radio owed nothing for its stations playing pre-1972 recordings because they were not pre-1972 recordings. ABS Entertainment, Inc. v. CBS Corporation, et al. CV 15-6257 PA (AGRx) May 30, 2016.


The Flo & Eddie litigation is on appeal while major recording companies walked away with $210 million from a settlement with SiriusXM over pre-1972 recordings as reported last year. The core question in those cases was ─ do state laws actually create enforceable rights to fill the vacuum left by the federal Copyright Act not covering sound recordings made before February 15, 1972? 17 USC §301(c).


CBS asked a different core question in the lawsuit decided Monday, the kind of question so often overlooked in copyright disputes that many commentators found it shocking ─ what recordings was CBS playing?


Aristotle shocked his colleagues in the world of ancient Greek philosophy in much the same way. He ended centuries of debate about how many teeth a horse has by saying in effect “let’s stop arguing and go look.”


When they looked in the ABS Entertainment case, they saw that CBS radio was broadcasting remastered versions of old records, not the original recordings. CBS claimed they were what the Copyright Act calls derivative works. And since the remastered versions were made after February 1972, CBS argued they came under the Copyright Act, which says radio can play the recordings without paying royalties to rights owners.


Judge Anderson told the parties to brief the question “whether a sound engineer’s remastering of a pre-1972 sound recording – through subjectively and artistically altering the work’s timbre, spatial imagery, sound balance, and loudness range, but otherwise leaving the work unedited – is entitled to federal copyright protection.” In other words, is the New a group of derivative works?


Both sides submitted expert testimony and the answer from the court last Monday was Yes, they are. To qualify as a derivative work under the Copyright Act, the differences between Old and New can’t be trivial mechanical changes and need to be enough for people to notice.

While any artist today knows the differences you hear can be huge depending on mastering, it’s also true people hear, or fail to hear, different things. So what impressed the court were results of forensic tests of timbre, spatial imagery, sound balance, and loudness range. The Old and New were very different.


The remastered recordings in the lawsuit by artists such as the Everly Brothers, Jackie Wilson and Mahalia Jackson were all authorized by the artists in license agreements permitting remastering. That’s important because the Copyright Act gives the owner of the original work the exclusive right to authorize a derivative work based on it.


So CBS won and ABS Entertainment will undoubtedly get in line for the Ninth Circuit appeals court to review the decision. Meanwhile, radio owners are breathing easier while record labels and artists have more cause to complain about the size of their share of the shrunken recorded music revenue pie.


Aristotle, however, would approve of the court looking at the horse’s mouth instead of having the lawyers debate how many teeth were there.

