The Authors Guild, Inc. et al v. Hathitrust et al

Filing 137

DECLARATION of (REDACTED) Cory Snavely in Opposition re: 81 MOTION for Summary Judgment.. Document filed by Hathitrust. (Petersen, Joseph)

Download PDF
KILPATRICK TOWNSEND & STOCKTON L L P Joseph Petersen (JP 9071) Robert Potter (RP 5757) 1114 Avenue of the Americas New York, N Y 10036 Telephone: (212) 775-8700 Facsimile: (212) 775-8800 Email: jpetersen@kilpatricktownsend.com Joseph M . Beck (admitted pro hac vice) W. Andrew Pequignot (admitted pro hac vice) Allison Scott Roach (admitted pro hac vice) 1100 Peachtree Street, Suite 2800 Atlanta, Georgia 30309-4530 Telephone: (404) 815-6500 Facsimile: (404) 815-6555 Email: jbeck@kilpatricktownsend.com Attorneys for Defendants UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK THE AUTHORS GUILD, INC., E T A L . , Plaintiffs, Case No. 11 Civ. 6351 (HB) v. HATHITRUST,ETAL., Defendants. DECLARATION OF CORY SNAVELY IN OPPOSITION TO PLAINTIFFS' MOTION FOR SUMMARY JUDGMENT I , Cory Snavely, pursuant to 28 U.S.C. ยง 1746, hereby declare as follows: 1. I am the Manager of Library IT Core Services at the University of Michigan Library. I submit this declaration in opposition to Plaintiffs' motion for summary judgment. Unless otherwise noted, I make this declaration based upon my own personal knowledge. 2. As Manager of Library IT Core Services at the University of Michigan ("Michigan"), I am responsible for, among other things, the continued development and maintenance of the HathiTmst Digital Library ("HDL") server and storage infrastmcture, which is where HDL content is stored and HDL services operate. 3. I have served as Manager of Library IT Core Services at Michigan for more than thirteen (13) years. During my tenure at Michigan, I have designed and overseen the development of the library's technology infrastmcture. I n or about December 2004,1 began to oversee the development of the infrastmcture that would ultimately underlie H D L when it laimched in 2008. 4. M y duties include ensuring the security of the works within the HDL. This entails, among other things, ongoing attention to a rigorous security program for the entire Michigan library's technology environment. I manage a team of five in connection with this work. 5. I have a degree in Systems Analysis which I received from Miami University in 1992.1 have participated in numerous groups on campus to help guide Michigan's strategies for security and storage. For example, I am currently serving on the Information and Infrastmcture Assurance Council, a key oversight and decision-making body, which provides guidance to the campus on security initiatives, programs, and policy relating to computer security. A. The Unblemished Security Record of the HDL 6. I have reviewed the declaration of Dr. Benjamin Edelman, which the Plaintiffs have submitted in connection with their motion for summary judgment. In that declaration, Dr. Edelman provides a list of generalized threats to the security of the HDL, but without regard to the steps already taken by the library defendants (the "Libraries") to minimize i f not elimmate 2 US200S 3674177 altogether the threats he identifies. His approach is akin to assessing the safety of commercial air travel by sximmarizing the ways in which a plane may fall from the sky without taking note of all of the steps taken by the aviation industry to guard against such calamity. 7. In fact, Dr. Edelman apparently had no choice but to limit his report to generalities. This is because he never attempted to stady the specific security measures taken by Michigan to protect the HDL and admits that he would not be qualified to conduct such a risk assessment in any event. 8. Dr. Edelman, who has degrees in economics, not computer science, sat for a . deposition ia the Google lawsuit two weeks before submitting his declaration in this action. He confessed during that deposition that " I don't know about all of the security systems that [the Libraries] have." (Edehnan Tr. at 248:11-12). He also conceded that apart from information contained in a risk assessment conducted by Michigan to improve the security of the HDL, " I don't think I have knowledge o f [Michigan's] current security." (Edelman Tr. at 268:12-18). He testified that i f a company asked him to conduct an evaluation of its security measures, " I don't think I would be the best person to evaluate their security systems, but I think I would be able to assist them in selecting an appropriate person." (Edelman Tr. at 288:15-18). Tme and correct copies of relevant excerpts of Dr. Edelman's deposition testimony are attached hereto as Exhibit A. 3 US2008 3674177 10. Based upon my experience in securing computer systems and first-hand knowledge of the security controls used to protect the HDL, I believe that the generalized risks identified by Dr. Edelman, which are customary and typical risks faced by the operators o f any large service accessible through the Intemet (including services demanding a high level of security such as Intemet banking), do not render the works within the HDL corpus insecure. B. The Security Measures Protecting the HDL From the General Risks Dr. Edelman Identifies. 12. Dr. Edelman, in paragraphs 16 through 26 of his declaration, sets out a number o f generalized security risks associated with maintaining a digital library such as the HDL. The risks he identifies are, in fact, well known to experts in computer security and my team has taken a number of precautions to minimize them, i f not eliminate them altogether. 13. Specifically, in paragraph 16, Dr. Edehnan claims that "pirates could extract book copies through defects in the security of a provider's system." Dr. Edelman continues by ' Additional background on the security measures taken to protect the HDL is found in the June 28, 2012 declaration o f the HathiTrust's Executive Dkector, John Wilkin, submitted m support of the Libraries' motion for summary judgment. 4 US2008 3674177 claiming that unauthorized individuals could gain access to digital copies of works through defects in the physical or virtual access controls guarding the servers housing the digital copies. Dr. Edelman also claims in this paragraph that "[d]efects could also arise through flaws in the operating system, database server, web server, or other software run on a provider's servers; such flaws have been widespread in even the most popular server software" and claims that "defects could arise through the provider's custom software." 14. These are all well-knovra, common risks. The H D L uses industry best practices to greatly reduce the possibility of unauthorized access of the type discussed in paragraph 16 of Dr. Edelman's declaration: ^ Frequently, commercial enterprises do not apply updates because their business requirements demand that running systems be unchanged and xmtouched; this type o f approach to security can, in fact, expose systems to some of the security risks identified by Dr. Edelman. HDL systems, in contrast, are designed to be maintained regularly and continuously kept up-to-date and secure. 5 US2008 3674177 16. The security controls identified above (see paragraph 14), particularly the double perimeter firewalls, greatly minimize the risk of access through exploitation of errors in security configurations. Further, Dr. Edelman's selective use of Mr. Wilkin's testimony falsely suggests that the HDL experiences disproportionately frequent, targeted attacks as compared to similar 17. In paragraph 18 of his declaration, Dr. Edelman cites the risk of a "rogue employee" that "intentionally redistributes[s] book copies." In fact, employee access to incopyright materials is far more restricted than Dr. Edelman suggests: 6 US2O08 3674177 20. Dr. Edelman, in paragraph 20 of his declaration, speculates that "any error made by an employer could create a security breach allowing hackers to access book copies and 8 US2008 3674177 23. Dr. Edelman, in paragraph 22 of his declaration, asserts that "[e]ven i f Defendants attempt to implement security controls and other limitations on users' ability to download book copies, experience suggests that users will exceed those limitations." He juxtaposes this claim 26. Dr. Edelman asserts in paragraph 23 of his declaration that the Libraries permit "non-consumptive research" aimed at analyzing patterns in the texts found in the HDL and he 9 US2O08 3674177 claims that this fimctionality increases the risk of a security breach. The entire premise underlying this assertion is incorrect however. The HDL only permits research on material determined to be in the public domain. If, in the fliture, the Libraries permit non-consumptive research over in-copyright text, security measured would be adopted to negate the security risks identified by Dr. Edelman, as well as other risks he did not. 27. In sum. Dr. Edelman's report offers the Court nothing more than a collection of hypothetical risks without any countervailmg assessment of the ways hi which the HDL is protected against such risks. A detailed assessment of the HDL's security protocols in fact establishes that the risk of a security breach is exceedingly low, well within the guidelines for a tmstworthy repository o f digital information. I declare under penalty of perjury that the foregoing is tme and correct. Executed: M y 20, 2012 10 U.S2008 3674177 EXHIBIT A Page 1 Page 3 INDEX 1 2 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK ------------------------THE AUTHORS GUILD, INC., ) ASSOCIATIONAL PLAINTIFF, ) BETTY MILES, JOSEPH ) GOULDEN, AND JIM BOUTON, ) INDIVIDUALLY AND ON ) BEHALF OF ALL OTHERS ) SIMILARLY SITUATED, ) C.A. 05 CV 8136-DC Plaintiffs ) Volume: I vs. ) GOOGLE, INC. ) Defendant ) ------------------------- WITNESS DIRECT CROSS REDIRECT RECROSS 3 BENJAMIN G. EDELMAN 4 BY MR. GRATZ 6 5 6 7 8 EXHIBITS NUMBER PAGE 9 Exhibit 1 Expert Report of Benjamin Edelman 17 Exhibit 2 Whenu.com Emergency Motion 98 10 11 12 13 14 15 DEPOSITION OF EXPERT WITNESS, BENJAMIN G. EDELMAN, before Avis P. Barber, a Notary Public and Registered Professional Reporter, in and for the Commonwealth of Massachusetts, at the Harvard Business School, Baker Library, 25 Harvard Way, Boston, Massachusetts, on Thursday, June 14, 2012, commencing at 10:03 a.m. 16 17 Exhibit 3 Initial Expert Report of Doctor Benjamin Edelman Concerning Industry Practices and Activities of Valueclick 101 Exhibit 4 Expert Report of Benjamin Edelman 112 Exhibit 5 Document entitled "Google Toolbar Tracks Browsing even after User Choose Disable" 129 Exhibit 6 Search Engine Land, Blog Post, 131 1/26/10 18 19 20 Exhibit 7 Document entitled "Privacy Lapse at Google JotSpot" 137 Exhibit 8 Document entitled "Google's JotSpot Exposes User Data" 139 21 Exhibit 9 Declaration of Benjamin Edelman 143 22 Job No. 148413 PAGES 1 - 312 23 24 25 Exhibit 10 Supplemental Declaration of Benjamin Edelman 143 Page 2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Page 4 1 2 APPEARANCES: On behalf of the Plaintiffs: BONI & ZACK, LLC 15 St. Asaphs Road Bala Cynwyd, Pennsylvania 19004 By: Michael J. Boni, Esquire Tel: 610-822-0201 Fax: 610-822-0206 mboni@bonizack.com On behalf of the Defendant DURIE TANGRI 217 Leidesdorff Street San Francisco, California 94111 By: Joseph C. Gratz, Esquire Tel: 415-362-6666 Fax: 415-236-6300 jgratz@durietangri.com ALSO PRESENT: Jody Urbati, Videographer NO. 3 4 5 6 7 E X H I B I T S (Continued) PAGE Exhibit 11 Document entitled "The Online Economy: Strategy and Entrepreneurship" 156 Exhibit 12 Declaration of Benjamin G. Edelman 161 Exhibit 13 Document entitled "Advertisers Using WhenU" 164 8 Exhibit 14 Exhibit 1 171 9 10 Exhibit 15 Document entitled "Google Books Partner Program Standard Terms and Conditions" 213 11 Exhibit 16 Search Inside, Publisher Sign-Up 221 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Exhibit 17 Participating Authors' Reprint Agreement v2.0 228 Exhibit 18 Cooperative Agreement 267 Exhibit 19 Document entitled "NDA Never Existed" 270 Exhibit 20 Benjamin Edelman's Thesis 306 EXHIBITS RETAINED BY THE COURT REPORTER 1 (Pages 1 to 4) Veritext National Deposition & Litigation Services 866 299-5127 Page 5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 PROCEEDINGS THE VIDEOGRAPHER: Good morning. We are on the record at 10:03 A.M. on June 14th, 2012. This is the videotaped deposition of Benjamin Edelman. My name is Jody Urbati, here with our court reporter Barbara Avis. We are here from Veritext National Deposition and Litigation Services at the request of counsel. This deposition is being held at Harvard Business School in the city of Boston, Massachusetts. The caption of this case is the Authors Guild versus Google, Inc. Please note that the audio and video recording will take place unless all parties agree to go off the record. Microphones are sensitive and may pick up whispers, private conversations and cellular interference. At this time will counsel and all present identify themselves for the record. MR. GRATZ: Joseph Gratz from Durie Tangri, LLP in San Francisco for defendant Google. MR. BONI: Michael Boni from Boni & Zach, Bala Cynwyd, Pennsylvania for plaintiffs. THE WITNESS: Benjamin -- Page 7 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Q. You have an undergraduate degree and a Ph.D. in economics; is that right? A. Yes. Q. Do any of the opinions stated in your report apply economic analysis? A. I think they do broadly understood, yes. Q. How so? A. The report considers the incentives of various parties, the factors motivating them to act or not to act and the likely consequences of those incentives. Q. Are there any specific economic methods that are applied in your report? MR. BONI: Object to form. A. I'm not sure I understand what you mean. Q. What economic methods are applied in your report? MR. BONI: Same objection. A. My training and economics teaches me to understand and analyze incentives in considering the actions of any rational actor. That method of analysis of considering and applying incentives is applied throughout the Page 6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 MR. BONI: I'm sorry, and here representing the witness. THE VIDEOGRAPHER: Thank you. The witness will be sworn in and we can proceed. BENJAMIN G. EDELMAN, A witness called for examination, having been duly sworn, testified as follows: DIRECT EXAMINATION BY MR. GRATZ: Q. Good morning. A. Good morning. Q. Could you state your name for the record, please. A. Benjamin Edelman. Q. And you're an assistant professor at Harvard Business School; is that right? A. Yes. Q. Do you have tenure? A. No. Q. You have a number of degrees from Harvard; is that right? A. Yes. Q. Are any of those degrees in computer science? A. No. Page 8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 report. Q. Can you tell me more about that method? MR. BONI: Objection to form. A. Well, you know I think it's pretty intuitive. It can be structured in a formal algebraic model when a particular situation calls for that approach. It can be studied empirically through large sample or small sample data when the context calls for that approach. It can also inform understanding and analysis without specific application of modeling or of large sample data analysis. Q. Did you apply any algebraic modeling in preparing your report? A. No. Q. Did you apply any empirical large sample data analysis in preparing your report? A. I wouldn't call it large sample data analysis. There are sections that draw on specific examples considered individually which probably is a better example of small sample data analysis. Q. And those are the particular anecdotes that you set forth in your report? 2 (Pages 5 to 8) Veritext National Deposition & Litigation Services 866 299-5127 Page 245 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 it's pretty straightforward that if you have more limited resources, your ability to expand those resources on any given project is going to be correspondently limited. Q. In your view is it necessarily the case that smaller and less sophisticated entities have worse security than larger and more sophisticated entities? MR. BONI: Object to form. A. Not always. Sometimes with simpler systems or with less valuable contents to safeguard, the security of a smaller entity can be more than satisfactory. On the other hand, when one flips around those conditions, a small entity guarding a very large gem, one could quickly get into trouble. Q. Are your statements in Paragraph 18 of your report based on a survey of companies of various sizes considering their security measures? A. No. Q. Can you provide an example of one of the smaller and less sophisticated companies to which you refer? A. For example, in the context of domain Page 247 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 report, you say that attackers can take advantage of even a brief period when a single book provider is insecure. You see that? A. Yes. Q. Is that true today? A. Today there aren't so many book providers. We've discussed only two today. Both of them large, sophisticated companies with impressive information security defenses; whereas, the premise of this section, Paragraph 13, is that there might be significantly more in the future, and they might look quite different. Q. In the event of a fair use ruling? A. Correct, which has been the premise of the entire section where we've been here. Q. Have you -- so it's your view that today's book providers like Google and Amazon have a different and higher level of security than tomorrow's book providers might in event of a fair use ruling, such that smaller entities would enter the market and present the risks discussed in this section; is that right? A. That's right. Q. Turning to Paragraph 20, you say, "I Page 246 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 names, there used to be one company, VeriSign Network Solutions that was the sole vendor of .com domain names. When that market was opened up to competition, there were a variety of benefits, but there have also been some downsides, including that some of the smaller guys have been hacked in various ways, have allowed their servers to be taken down by something as routine as a power outage and have otherwise failed to lived up to their contractual commitments. In contrast, the larger vendors in that space have largely succeeded in living up to their contractual commitments. Q. Are you aware of any in The Book Space? MR. BONI: Do you understand the question? A. I do, but I think it's a little bit speculative at this point that there aren't that many smaller sites holding digital copies of books and presenting them in snippet form. If there are any small such companies, I guess I don't know about them. Q. Turning to Paragraph 19 of your Page 248 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 understand that the Google Library Project includes providing to the library partners a full digital copy of the books the libraries allowed Google to scan. Breaches at the security systems at these libraries" -- excuse me -- "breaches in the security systems at these libraries, could facilitate book piracy." Do you know what security systems the libraries who store books such as the University of Michigan have in place? A. I don't know about all of the security systems that they have. Q. How do they compare to the security systems that, for example, iUniverse which is the party to the agreement in Exhibit 17 has in place? MR. BONI: Object to form. He just said he's not sure what the security systems are in the libraries. A. I'm also not sure what the security systems are at iUniverse, so I really don't think I can make a comparison. Q. You, likewise, couldn't make a comparison to the security systems that Google or Amazon has in place? 62 (Pages 245 to 248) Veritext National Deposition & Litigation Services 866 299-5127 Page 249 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 A. I don't know everything that I'd want to know in order to make that comparison. In general, I think there's good reason to suspect that the libraries will have significantly lower levels of security. Q. But you don't know one way or the other? A. I don't know one way or the other, and furthermore, I'm not sure the answer is knowable just yet. We need to think about what level of security libraries will have several years from now. It's hard to say, sitting here today what they'll do in several years. Q. Are you aware of any books being pirated or stolen from a research library archived with scans made by Google? A. No. Q. Turning to Paragraph 21, you say, "I've not been informed of all the ways that libraries intend to use the book contents data they receive from Google, nor have I been informed how libraries intend to secure that data. But the information currently available indicates that libraries' actions present a risk of book piracy." You see that? Page 251 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Q. Did any of your work on the Multnomah County case or the interviews with librarians and other librarian staff members in that case form a basis for any of the opinions you render in your report in this case? A. It's not a basis. It's part of my overall professional background consistent with expert service. Q. Do you know whether the University of Michigan is storing book scans in its normal library information systems or in a separate system? MR. BONI: Object to form. A. I don't know one way or the other. Q. What information, additional to the information you have about the library's security measures, would permit you to better assess the risks? MR. BONI: What risks? Q. The risks you discussed in Paragraphs 20 and 21. A. Understanding both what they do now and what they will do in the future, what they commit in some sort of a binding contractual sense to do or not to do. I need to understand Page 250 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 A. Yes. Q. You don't know what security measures the libraries have in place today; is that right? A. I don't know all of what they have in place. Q. What do you mean by "information currently available" as you use it in Paragraph 21? A. Yes, in Exhibit C, I cite the Hathitrust materials which I did review. That gives some information about some of the libraries' security systems. I actually have quite a bit of experience with library information systems from the Multnomah County Public Library case that we discussed previously. I've spent time interviewing librarians. I've spent time with the CIOs of libraries. I've spent time in the library computer systems, understanding how they work and how they interoperate and have come to have a general understanding of the overall culture and approach to information sharing that's common in libraries. Page 252 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 the servers on which the data is to be stored, the physical security, the network security, the logical security, software level, user accounts, credentialing. This sounds like a full security audit. I'm not sure I'm the best person to do it, but in any event, it requires understanding quite a bit about their practices, both in the present and their future practices, which is a little bit harder to investigate in anticipation. Q. Turning to Paragraph 22, you refer to a student who used MIT library access to download 4.8 million articles and other documents. You see that? A. Yes. Q. Is that man named Aaron Swartz? A. Yes. Q. Aaron Swartz is being charged criminally for that activity; is that right? A. Yes. Q. And those charges are currently pending; is that right? A. That's my understanding. Q. What was the effect on the value of 63 (Pages 249 to 252) Veritext National Deposition & Litigation Services 866 299-5127 Page 265 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 A. Yes. Q. Do you consider that to be in violation of intellectual property rights? A. I think it's an infringement of the trademark, and the question is whether a fair use defense applies. There is a doctrine of fair use for trademarks and stylized images. I think it's a plausible fair use defense. There, I'd really have to apply the factors and read the cases. I'm much less familiar with the Fair Use Doctrine as it applies to stylized images and logos. Q. The Apple prank which you refer occurred in October of 2011; is that right? A. I don't recall. Q. Did it occur shortly after the death of Steve Jobs? A. If you say so. Q. Did students display the Apple logo in the clock tower of Maseeh Hall at MIT in honor of Steve Jobs in the prank you referred to in Paragraph 25? A. Now, that could be. I don't recall. Q. Do you think that that prank is relevant to the issues in this case? Page 267 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 of 2004? A. I don't know. Q. Did it occur when the Red Sox made it to the World Series? A. I don't know. Q. Were the -- do you think that the students celebrating the Red Sox making it to the World Series by displaying the logo on the dome of the university building was intellectual property infringement? A. The law is what it is, and it's not for me to rewrite trademark law. I wouldn't be surprised if that is infringement as a matter of law, and fair use defense might or might not apply. It wouldn't shock me if you said that to do that a license must be paid to the Red Sox, and if you don't pay it, then you're in violation of the law. MR. GRATZ: Mark as Exhibit 19, this document. I want to note for the record before I hand it to the witness that despite the confidential legend at the bottom of this document, this is not a confidential document. (Document marked as Exhibit No. 18 for identification.) Page 266 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 A. I can certainly see how it would seem peripheral. On the other hand, the fact that students are well known to disregard intellectual property is anything but peripheral. It's well known that Napster was most used on college campuses. There were distinctive trends. You could see the number of users signed into Napster decrease when major schools went onto spring break. So the relationship between students, university libraries and piracy is not peripheral. Q. Could you tell me about the Red Sox logo prank you referred to in Paragraph 25? A. I don't recall. I went through the site, looked at the distinctive images memorializing the pranks, but I didn't note them in great specificity. Q. Do you consider that an instance of piracy? A. I'm not sure. I do think it's probably an instance of trademark infringement, and it might be subject to a fair use defense. Q. The prank you referred to in Paragraph 25 with respect to the logo of the Boston Red Sox, did that prank occur in October Page 268 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Q. You have before you what's been marked as Exhibit 18. Do you recognize this document? A. Yes. Q. Is this the document to which you refer in Paragraph 26 of your report? A. I think so. Q. Do you know what security measures the University of Michigan has in place? A. That's discussed in part in this document. Q. Aside from this document, do you have any knowledge other than what is in this document of security measures that the University of Michigan has in place? A. Aside from what's discussed in this document, I don't think I have knowledge of their current security. Q. Is it your opinion that an author would not agree to have his work stored by the University of Michigan without greater security terms than those set forth in Exhibit 18? MR. BONI: Object to form. A. I'm not sure. It all depends on what the author gets in exchange. If they get zero, 67 (Pages 265 to 268) Veritext National Deposition & Litigation Services 866 299-5127 Page 285 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 to pass in the event of a fair use ruling in favor of Google? MR. BONI: Object to form. You want a mathematical response to that question? MR. GRATZ: Whatever the response the witness has for me. MR. BONI: Object to form. A. I don't know. It would be easier to say once that fair ruling resulted, if it did result, once we see who comes along and scans which books and stores them in what ways, until then, it's just a little bit too speculative for me to want to put a number on it, but it certainly is a serious concern. Q. What's the magnitude of the harm in dollars? The harm here, I mean the harm that you were discussing in Paragraph 38. MR. BONI: Object to form. A. I'm not sure. It's difficult to put a dollar value on it, but I do think it's significant. If you asked a publisher what would they be willing to pay to have a complete protection against piracy, to be able to print their books on uncopyable paper or with magical ink, I think you'd find publishers would be Page 287 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 MR. BONI: Objection. You know he's not a damages expert, Joe. Q. You can answer. A. I have not. I'm not a damages expert. Q. Has a company ever come to you and asked you to evaluate the risk of intrusion into their computer systems which protects books? A. No. Q. Has a company ever come to you and asked you to evaluate the risk of intrusion into their computer systems at all? A. That seems like the kind of thing someone would have asked me to do at some point. I just need to take a moment to think about it. Certainly I've thought about that question for the organizations which -- with which I've had long-term relationships. So, for example, when I was running the Berkman Center server, that was a question I thought about. I thought about it with ICANN. I've thought about it as to portions of Harvard Business School. I've thought about it with Wesley as to the servers that we operate together, as to paying clients that come specifically for that. Page 286 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 willing to pay a significant portion of their enterprise values in order to get that magical technology. Q. And you consider that to be the measure of the magnitude of the harm set forth in Exhibit -- in Paragraph 38? MR. BONI: Object to form. A. It's not that that's how you'd measure it, but that's the sort of thought experiment one would do. Q. How would you measure it? A. On thinking about the way that other large harms are measured, how do we assess the value of a life when a life is taken away from a person? How do we assess the value of a plane crash or a nuclear disaster? It's really not my area of expertise. It's not something I've opined on here. But here I consider the totality of future lost profits. So I do my best to figure out what profits would have been and then what they will be as a result of the loss, and I subtract those two numbers, and that would be the starting point for the harm. Q. Have you done that in preparing your report? Page 288 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 I think it would be unusual for anyone to seek my assistance for that solely and specifically, but if they already knew me from something else, I can think of a couple of clients who have sought assistance with problems generally in that vein based on prior relationships. Q. If a company came to you and asked you to evaluate the risk of intrusion into its computer systems which protect books, would you accept the assignment? MR. BONI: Object to form. That's the entire hypothetical? MR. GRATZ: That's the question. A. I don't think I would be the best person to evaluate their security systems, but I think I would be able to assist them in selecting an appropriate person. I would be able to guide that person towards the areas of greatest concern, perhaps review their initial report, and suggest areas for extension and further inquiry. Q. What process would you recommend be undertaken to evaluate the risk of intrusion into those computer systems that protect books? 72 (Pages 285 to 288) Veritext National Deposition & Litigation Services 866 299-5127 Page 289 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 A. I suppose it would all depend on what books I was trying to protect, what I was trying to protect them from, what access I needed to allow. The easiest thing to do to prevent unauthorized access is to prevent all access by destroying the digital records, but I imagine that wouldn't be what someone hired me to tell them. They'd want some way to use it for some purposes while disallowing use for other purposes. Q. If a company came to you and asked you to evaluate the risk of an intrusion into their computer systems which protect books and which host books for the purpose of making snippets available in response to searches, what process would you take to under -- to make that evaluation? A. Well, I think I would -- I would consider the sorts of security systems that we've discussed a couple times today in different parts of our time together as to physical security, network security, software security, application level security, human resources and internal controls. I'd consider each of those. Each would be significant. Each Page 291 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 at Google. I'd look at my organizations's experience or the client's organization's experience with rogue employees. When we have a thousand engineers, how many of them turn out to be bad apples, how many bad ones do you get out of a thousand? Is there any way to prevent two of them from acting together in concert? Could we have an audit trail that prevents this kind of copying and that kind of copying? Is it possible to make an audit trail that's so robust that even a senior engineer can't turn it off? Because we know some of the problems occur from senior engineers who can bypass the ordinary control. So that's the kind of question I'd be asking as to that facet, but to be sure, each of the facets would require a different type of analysis. Q. Did you do any of that in preparing your report in this case? A. I considered those kinds of approaches. The data and information required aren't available to me and weren't necessary in order to reach the conclusions set out in my report. Page 290 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 would have multiple facets within it. And then my analysis would be informed, importantly, by the material that I was holding. If it was unique and one of a kind and highly sought after, then I would be particularly concerned about the skills of my intruders. And if I needed to allow massive, high-volume access by a large number of different users, potentially some of them fake or automated or robotic, I would be even more concerned, and I would need to be open to the possibility, the very real possibility that I couldn't do this with the required level of quality and would need to revisit my plans. Q. What information would you need to evaluate the risk of intrusion into such a system which stores books for the purpose of making snippets available in response to searches, for example? A. One would need to think about each of the aspects of security just discussed. So for example, as to human resources security, making sure that there isn't a rogue employee who takes the data in the way that other rogue employees have done other untoward things, including even Page 292 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Q. Why weren't they necessary? Would having them have aided you in reaching your conclusions? A. Perhaps I could have reached additional conclusions. I imagine that with enough study, I might get to the point where I was prepared to put a number on some of the probabilities. There's this probability per year of this kind of bad thing happening if you use these controls. I think that is an estimatable number. One can estimate even these very small probabilities with enough analysis and enough review, but it's quite difficult, and I didn't consider it necessary or appropriate, given what I was asked to do in this report at this time. Q. Did you run any bargaining experiments in connection with your report? A. No. Q. Did you perform any statistical analysis in connection with your report? A. No. Q. In signing your own consulting agreements, have you performed market checks regarding terms? 73 (Pages 289 to 292) Veritext National Deposition & Litigation Services 866 299-5127 Page 309 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Q. Turning to the references cited page of your senior thesis on page 77, under G, do you see a citation to a book by A. Greco called The Book Publishing Industry? A. Yes. Q. And turning to page 33 of your senior thesis, you see the bottom of page 33 it says, "I further add two promotion-specific variables to investigate market trends noted by Greco (1997) in discussing clumping of book sales over time"? A. Yes. Q. Is that a citation to the Greco work titled The Book Publishing Industry cited in your references cited section? A. Seems to be. Q. Do you have an opinion as to Albert Greco's expertise regarding The Book Publishing Industry? A. Not really. MR. BONI: Are you done with this, Joe? MR. GRATZ: Yes. Nothing further. MR. BONI: I have nothing. THE VIDEOGRAPHER: Here ends this Page 311 1 2 CERTIFICATE COMMONWEALTH OF MASSACHUSETTS. MIDDLESEX, SS. 3 4 5 6 7 8 9 I, Avis Barber, Registered Professional Reporter and Notary Public, in and for the Commonwealth of Massachusetts, do hereby certify that: BENJAMIN G. EDELMAN, the witness whose deposition is hereinbefore set forth, was duly sworn by me, that I saw a picture identification for him in the form of his Harvard College Identification card, and that the foregoing transcript is a true and accurate transcription of my stenotype notes to the best of my knowledge, skill and ability. 10 11 12 13 14 15 16 I further certify that I am not related to any of the parties in this matter by blood or marriage and that I am in no way interested in the outcome of this matter. IN WITNESS WHEREOF, I have hereunto set my hand and notarial seal this 20th day of June 2012. --------------------------Avis Barber, RPR Notary Public My commission expires: July 30, 2015 17 18 19 20 21 22 23 24 25 Page 310 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 deposition. Off the record, 6:18 p.m. (Whereupon, the deposition was concluded at 6:18 p.m.) Page 312 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 I declare under penalty of perjury under the laws that the foregoing is true and correct. Executed on _________________ , 20___, at _____________, ___________________________. __________________________ BENJAMIN G. EDELMAN 78 (Pages 309 to 312) Veritext National Deposition & Litigation Services 866 299-5127