2025-07-02 17:00:08
:::tip ANDREA BARTZ, CHARLES GRAEBER, and KIRK WALLACE JOHNSON v. ANTHROPIC PBC, retrieved on June 25, 2025, is part of HackerNoon’s Legal PDF Series. You can jump to any part in this filing here. This is part 7 of 10.
:::
The second fair use factor is “the nature of the copyrighted work.” 17 U.S.C. § 107(2). This factor “calls for recognition that some works are closer to the core of intended copyright protection than others, with the consequence that fair use is more difficult to establish when the former works are copied.” Campbell, 510 U.S. at 586. For one thing, less protection is due published works than unpublished ones. For another, less protection is due “factual works than works of fiction or fantasy.” Harper & Row, 471 U.S. at 563. But less protection is not no protection. Even the arrangement of otherwise unprotectable facts surpasses the low bar for a protectable original work of authorship. Google, 804 F.3d at 220.
Here, Anthropic accepts that all of Authors’ books — all published, whether non-fiction or fiction — contained expressive elements (Reply 9). And, as set out above, this order accepts Authors’ view of the evidence that their works were chosen for their expressive qualities in building a central library and then in training specific LLMs (Opp. 11, 17 (citing, e.g., Opp. Exh. 3 at -03433)).
The main function of the second factor is to help assess the other factors: to reveal differences between the nature of the works at issue and the nature of their secondary use (above), and to reveal any relation between the amount and substantiality of each work taken and the secondary use (next). E.g., Campbell, 510 U.S. at 586; Kelly, 336 F.3d at 820; Google, 804 F.3d at 220; HathiTrust, 755 F.3d at 98; Bill Graham Archives v. Dorling Kindersley Ltd., 448 F.3d 605, 612–13 (2d Cir. 2006).
The second factor points against fair use for all copies alike.
:::tip Continue reading HERE.
:::
:::info About HackerNoon Legal PDF Series: We bring you the most important technical and insightful public domain court case filings.
\ This court case retrieved on June 25, 2025, from storage.courtlistener.com, is part of the public domain. The court-created documents are works of the federal government, and under copyright law, are automatically placed in the public domain and may be shared without legal restriction.
:::
\
2025-07-02 17:00:02
Preliminaries
Selfish Mining Attack
Key features. The key features of our selfish mining attack and formal analysis are as follows:
\ (1) Fully automated analysis. Manual (i.e. non-automated) analysis of optimal selfish mining attacks is already challenging and technically involved for PoW blockchains, where the adversary only grows a single private fork [11]. Hence, it would be even more difficult and potentially intractable in blockchains based on efficient proof systems. By modelling our selfish mining attack as an MDP and reducing the analysis to solving mean-payoff MDPs, we leverage existing methods for formal analysis of MDPs to obtain a fully automated analysis procedure, thus avoiding the necessity for tedious manual analyses.
\ (2) Formal guarantees on correctness. Our analysis provides formal guarantees on the correctness of its output. Again, this is achieved by formally reducing our problem to solving mean-payoff MDPs for which exact algorithms with formal correctness guarantees are available [18, 20].
\ (3) Flexibility of the analysis. Our analysis is agnostic to the values of system model and attack parameters and it is flexible to their changes. Hence, it allows us to tweak the parameter values and study their impact on the optimal expected relative revenue, while preserving formal guarantees on the correctness. To illustrate the flexibility, observe that:
\ • If the attack depth 𝑑, forking number 𝑓 or maximal fork length 𝑙 of the attack change, then both the state space and the action space of the MDP change.
\ • If the relative resource of the adversary 𝑝 or the switching probability 𝛾 change, then the transition function of the MDP changes.
\ • As we show in our experiments in Section 4, a change in any of these parameter values results in a change in the optimal expected relative revenue that the adversary can achieve.
\ The flexibility of our analysis is thus a significant feature, since it again avoids the need for tedious manual analyses for different parameter values that give rise to different MDPs.
\ Limitations. While our formal analysis computes an optimal selfish mining strategy in the MDP up to a desired precision, note that there still exist selfish mining attacks that do not correspond to any strategy in our MDP model. Hence, the strategy computed by our method is optimal only with respect to the subclass of strategies captured by the MDP model. There are two key reasons behind the incompleteness of our MDP model:
\ (1) Bounded forks. In order to ensure finiteness of our MDP model, we impose an upper bound 𝑙 on the maximal length of each private fork. This means that the adversary cannot grow arbitrarily long private forks. Since the probability of the adversary being able to grow extremely long private forks is low, we believe that this limitation does not significantly impact the expected relative revenue of selfish mining strategy under this restriction.
\ (2) Disjoint forks vs fork trees. Our attack grows private forks on different blocks in the main chain. However, rather than growing multiple disjoint private forks, a more general class of selfish mining attacks would be to allow growing private trees. We stick to disjoint private forks in order to preserve computational efficiency of our analysis, since allowing the adversary to grow private trees would result in our MDP states needing to store information about each private tree topology, which would lead to a huge blow-up in the size of the MDP. In contrast, storing disjoint private forks only requires storing fork lengths, resulting in smaller MDP models.
\ We conclude by noting that, while our formal analysis is incomplete due to considering a subclass of selfish mining attacks, the formal guarantees provided by our analysis still ensure that we compute a true lower bound on the expected relative revenue that a selfish mining attack achieves.
\
:::info Authors:
(1) Krishnendu Chatterjee, IST Austria, Austria ([email protected]);
(2) Amirali Ebrahimzadeh, Sharif University of Technology, Iran ([email protected]);
(3) Mehrdad Karrabi, IST Austria, Austria ([email protected]);
(4) Krzysztof Pietrzak, IST Austria, Austria ([email protected]);
(5) Michelle Yeo, National University of Singapore, Singapore ([email protected]);
(6) Ðorđe Žikelić, Singapore Management University, Singapore ([email protected]).
:::
:::info This paper is available on arxiv under CC BY 4.0 DEED license.
:::
\
2025-07-02 16:00:08
:::tip ANDREA BARTZ, CHARLES GRAEBER, and KIRK WALLACE JOHNSON v. ANTHROPIC PBC, retrieved on June 25, 2025, is part of HackerNoon’s Legal PDF Series. You can jump to any part in this filing here. This is part 6 of 10.
:::
Before buying books for its central library, Anthropic downloaded over seven million pirated copies of books, paid nothing, and kept these pirated copies in its library even after deciding it would not use them to train its AI (at all or ever again). Authors argue Anthropic should have paid for these pirated library copies (e.g., Tr. 24–25, 65; Opp. 7, 12–13). This order agrees.
The basic problem here was well-stated by Anthropic at oral argument: “You can’t just bless yourself by saying I have a research purpose and, therefore, go and take any textbook you want. That would destroy the academic publishing market if that were the case” (Tr. 53). Of course, the person who purchases the textbook owes no further accounting for keeping the copy. But the person who copies the textbook from a pirate site has infringed already, full stop.
This order further rejects Anthropic’s assumption that the use of the copies for a central library can be excused as fair use merely because some will eventually be used to train LLMs. This order doubts that any accused infringer could ever meet its burden of explaining why downloading source copies from pirate sites that it could have purchased or otherwise accessed lawfully was itself reasonably necessary to any subsequent fair use. There is no decision holding or requiring that pirating a book that could have been bought at a bookstore was reasonably necessary to writing a book review, conducting research on facts in the book, or creating an LLM. Such piracy of otherwise available copies is inherently, irredeemably infringing even if the pirated copies are immediately used for the transformative use and immediately discarded.
But this order need not decide this case on that rule. Anthropic did not use these copies only for training its LLM. Indeed, it retained pirated copies even after deciding it would not use them or copies from them for training its LLMs ever again. They were acquired and retained, as a central library of all the books in the world.
Building a central library of works to be available for any number of further uses was itself the use for which Anthropic acquired these copies. One further use was making further copies for training LLMs. But not every book Anthropic pirated was used to train LLMs. And, every pirated library copy was retained even if it was determined it would not be so used. Pirating copies to build a research library without paying for it, and to retain copies should they prove useful for one thing or another, was its own use — and not a transformative one (see Tr. 24–25, 35, 65; Opp. 4–10, 12 n.6; CC Br. Exh. 12 at -0144509 (“everything forever”)). Napster, 239 F.3d at 1015; BMG Music v. Gonzalez, 430 F.3d 888, 890 (7th Cir. 2005).
Anthropic’s briefing contains other reasons why it believes its pirated library copies are irrelevant to our fair use analysis, notwithstanding its own statements at our oral argument.
First, Anthropic accepts in this posture that it acted in bad faith but argues that its bad faith in pirating copies cannot “somehow short-circuit[ ]” the fair use analysis (Reply 6 (downplaying Atari Games Corp. v. Nintendo of Am., Inc., 975 F.2d 832, 843 (Fed. Cir. 1992) (applying law of Ninth Circuit))). But its bad faith is not the basis for this decision. Each use of a work must be analyzed objectively. Warhol, 598 U.S. at 544–45. The objective analysis here shows the initial copies were pirated to create a central, general-purpose library, as a substitute for paid copies to do the same thing. (Of course, if infringement is found, bad faith would matter for determining willfulness. 17 U.S.C. § 504(c)(2).)
Second, Anthropic argues that its goal to put the copies eventually “to a highly transformative use” requires that each copy and use along the way be justified as having a transformative use, too (Reply 14). But now Anthropic seeks to take the shortcut Anthropic just said cannot be taken. Again, the Supreme Court tasks us with looking past the “subjective intent of the user” to the objective use made of each copy. Warhol, 598 U.S. at 544–45 (emphasis added). Put another way, what a copyist says or thinks or feels matters only to the extent it shows what a copyist in fact does with the work. Indeed, the same copy can be used one way, then another, each with a different result. Id. at 533. Here, what Anthropic said about its acquisitions at the time — that they were made to “build[ ] a research library” while avoiding a “huge legal/practice/business slog” — are relevant in this regard. And, Anthropic’s actual use of these pirated copies was to create its central library of texts that, like any university or corporate library, stored the works’ well-organized facts, analyses, and expressive examples for various contingent uses, one being training. (5).
Third, Anthropic argues that Texaco — the case involving copies used in a central library, copies used in desk libraries, and copies used in the laboratory — is inapposite. Anthropic argues that the disputed copies in Texaco were never used in the laboratory but instead in personal desk libraries for a use “identical to the original purpose and use” of the central library copies, and so not for a transformative use (Reply 8 (summarizing 60 F.3d at 922–23)). By contrast, says Anthropic, here it did use copies in the laboratory to train LLMs — a very transformative use. But this is a fast glide over thin ice. Like Texaco, Anthropic possessed copies it did not put into use in the laboratory and it kept those copies in a central library even after its transformative use had been completed. But, unlike Texaco, which bought those copies, Anthropic never paid for the central library copies stolen off the internet. Texaco also shows why Anthropic is wrong to suppose that so long as you create an exciting end product, every “back-end step, invisible to the public,” is excused (Br. 10).
Notably, this is not a case where source copies were unavailable for separate purchase or loan. See, e.g., NXIVM Corp. v. Ross Inst., 364 F.3d 471, 475–76, 478–79 (2d Cir. 2004) (using selections of training manual — otherwise available only to cult’s trainees subject to NDAs — to expose cult in critical review); Time Inc. v. Bernard Geis Assocs., 293 F. Supp. 130, 135–36, 138, 146 (S.D.N.Y. 1968) (Judge Inzer Bass Wyatt) (making charcoal drawings of photographs taken of originals otherwise not on sale or loan out to illustrate a history book). (6).
Nor were the copies made only incidentally and necessarily from pirated copies. See, e.g., Perfect 10, 508 F.3d at 1164 n.8 (copies of images that had been pirated by third-party websites were used to index those same websites while indexing the entire web). Here, piracy was the point: To build a central library that one could have paid for, just as Anthropic later did, but without paying for it.
Nor were the initial copies made immediately transformed into a significantly altered form. In Perfect 10, images were copied by the search engine in thumbnail form only and deployed immediately into the transformative use of identifying the full-sized images and the pages from which they came. 508 F.3d at 1160, 1165, 1167. And, in Kelly v. Arriba Software Corp., images were copied at full size and then into thumbnails for immediate use in building a search engine, after which the full-sized copies were immediately deleted. 336 F.3d 811, 815 (9th Cir. 2003). Not here. The full-text copies of books were downloaded and maintained “forever.”
Nor does the initial copying here even resemble the full-text copying in the Google Books cases. There, libraries of authorized copies already had been assembled, and all copies therefrom were made for direct employment in a one-to-one further fair use — whether the transformative use of pointing to the works themselves, the use of providing the works in formats for print-disabled patrons, or the use of insuring against going out of print, getting lost, and becoming otherwise unavailable. HathiTrust, 755 F.3d at 97, 101, 103; Google, 804 F.3d at 206, 216–18, 228 (further distinguishing search and snippet uses, which “test[ed] the boundaries of fair use”). Not so here concerning the pirated copies. No authorized copies existed from which Anthropic made its first copies. No full-text copy therefrom was put immediately into use training LLMs. Not every copy was even necessary nor used for training LLMs. No initial copy was ever deleted, even if never used or no longer used. (7)
The university libraries and Google went to exceedingly great lengths to ensure that all copies were secured against unauthorized uses — both through technical measures and through legal agreements among all participants. Not so here. The library copies lacked internal controls limiting access and use.
Nor do the decisions on intermediate copying require anything less than the analysis applied here. Anthropic argues that our court of appeals in Sega Enterprises Ltd. v. Accolade, Inc. looked only at the “ultimate use” and “did not analyze a series of atomized acts of ‘infringement’ distinct from that overall purpose” (Reply 3). To the contrary, the appeals court examined the initial, intermediate, and ultimate copies used by the copyist. The court explained that the copyist initially purchased commercially available copies of game cartridges and then made further copies necessarily and “solely in order to discover the functional requirements for compatibility.” 977 F.2d 1510, 1522 (9th Cir. 1992). Thus, it reached only one result because on those facts there was only one “overall purpose” for the unauthorized copies. Indeed, the court reaffirmed prior caselaw holding that “intermediate copying of [a work] may infringe the exclusive rights granted to the copyright owner in [S]ection 106 of the Copyright Act regardless of whether the end product of the copying also infringes those rights.” Id. at 1518–19 (reaffirming Walker v. Univ. Books, 602 F.2d 859, 864 (9th Cir. 1979)).
Similarly, in Sony Computer Entertainment, Inc. v. Connectix Corp., our appeals court applied the same law to similarly focused conduct. Another copyist allegedly had purchased an authorized copy and then made further copies solely and necessarily to reverse-engineer compatibility requirements. 203 F.3d 596, 601, 602–03 (9th Cir. 2000).
Both Sega and Sony avoided imposing an “artificial hurdle” to fair use by generously construing the intermediate copying necessary to the fair use. As one example, Sega stated that an engineer should be permitted to reboot her computer while undertaking to reverseengineer software loaded onto it — even if doing so creates another digital copy of the software and is not strictly necessary to reverse-engineering. Id. at 605. But neither Sega nor Sony fathomed gifting an “artificial head start” to a fair user, either, by treating even the initial copy as an intermediate one.
And, yes, some courts have “not inquire[d]” into intermediate or initial copying at all (Reply 2 (citing Campbell as not inquiring into surplus copies in the studio)). But if a “close reading of those cases [ ] reveals that in none of them was the legality of the [initial or] intermediate copying at issue,” then it was not raised and not necessarily decided. Sega, 977 F.2d at 1519; see Webster v. Fall, 266 U.S. 507, 511 (1925). It was expressly decided elsewhere: Our analysis must attend to different uses of different copies, and even to different uses of the same copies. Warhol, 598 U.S. at 533.
Finally, Anthropic argues that even if the initial copies served a different use than the intermediate and ultimate copies, it was not a use for which Anthropic necessarily would have needed to pay Authors for a copy. In theory, argues Anthropic, it could have done as Google did in Google Books — find an existing reference library willing to loan its copies for free as source copies. Or, in theory, it could have done as Anthropic did later — go buy used copies without having to pay Authors at all. See 17 U.S.C. § 109(a). But Anthropic did not do those things — instead it stole the works for its central library by downloading them from pirated libraries.
In sum, the first factor points against fair use for the central library copies made from pirated sources — and no damages from pirating copies could be undone by later paying for copies of the same works.
\
(5) Our court of appeals has not yet reappraised how bad faith (or good faith) figures in fair use after Warhol. Its prior appraisal applied the Supreme Court’s statement that “[f]air use presupposes good faith and fair dealing,” Harper & Row, 471 U.S. at 562 (cleaned up). See Perfect 10, 508 F.3d at1164 n.8. Since then, the Supreme Court has renewed its “skepticism about whether bad faith has any role.” Oracle, 593 U.S. at 32–33 (reiterating doubts of Campbell, 510 U.S. at 585 n.18). And, recently, the Supreme Court has held squarely that it is not the “subjective intent” of a copyist that counts, but the “objective . . . use” of the copy. Warhol, 598 U.S. at 544– 45. This order applies this most recent analysis. Miller v. Gammie, 335 F.3d 889, 900 (9th Cir. 2003) (en banc).
(6) Anthropic repeats the misleading characterization of the copyright holder in Oracle that the initial copies were there purloined (Reply 5). Not so. “All agree[d] that Google was and remain[ed] free to use the Java language itself. All agree[d] that Google’s virtual machine [wa]s free of any copyright issues. All agree[d] that the six-thousand-plus method implementations by Google [we]re free of copyright issues. The copyright issue, rather,” was the use of Java for purposes of creating competing software having the same familiar, functional schema. Oracle Am., Inc. v. Google Inc., 872 F. Supp. 2d 974, 978 (N.D. Cal. 2012), aff’d and rev’d in part, 750 F.3d 1339 (Fed. Cir. 2014).
(7) Training LLMs was not a use where perpetually maintaining a library copy was intrinsic to the proffered fair use (e.g., for a plagiarism-checker service). Nor is this an instance where retaining at least one copy was authorized by contract with the copyright owners (e.g., by agreement to express terms upon submission to a plagiarism-checker service, notwithstanding proposed terms scrawled on a paper prior to submission). A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 635–36 & n.5, 645 n.8 (4th Cir. 2009), aff’g in relevant parts 544 F. Supp. 2d 473, 480 (E.D. Va. 2008) (Judge Claude Hilton). Anthropic mischaracterizes this case.
:::tip Continue reading HERE.
:::
:::info About HackerNoon Legal PDF Series: We bring you the most important technical and insightful public domain court case filings.
\ This court case retrieved on June 25, 2025, from storage.courtlistener.com, is part of the public domain. The court-created documents are works of the federal government, and under copyright law, are automatically placed in the public domain and may be shared without legal restriction.
:::
\
2025-07-02 16:00:03
III. Systematization Methodology
VIII. Concluding Remarks and References
Appendix B. Anonymity and Confidentiality
Appendix D. A TCSC-Based Voting Protocol
\
A variety of different keys are used in the life cycle of TCSC. For simplicity, we use Intel SGX as the instance. We classify these keys into two types, namely, service keys (top half) and SGX internal keys (bottom half).
\
\ SGX internal keys. The MEE key is generated at boot, and is placed in special registers, and destroyed at system reset. The MEE key is used for memory encryption and decryption, which plays a crucial role in protecting the confidentiality and integrity of enclaves. At the same time, different enclaves in the same TEE platform share one function key, such as the report key and the attestation key [88].
Anonymity refers to the privacy that relates to real entities, especially for users’ identities. In a blockchain system, anonymity indicates that users’ transaction activities will not expose any personal information about them. Alternatively, an attack cannot obtain the correct links between real users and their corresponding account/address that sends the transaction [98]. Bitcoin and Ethereum only provide a very early version of anonymity, using the pseudonym-based address mechanism to protect identities. However, this cannot guarantee anonymity because attackers can effortlessly map virtual addresses to physical entities through the relationship analysis.
\ Confidentiality in a blockchain system mainly refers to the privacy of data and contents recorded on-chain [99], [9]. Classic blockchain systems expose all transactions (includes amount information, addresses, amount, etc.) plainly where anyone can read and access. Sensitive information might unconsciously be leaked to malicious analyzers. For instance, ERC20 tokens in the Ethereum system do not provide confidentiality, since anyone can observe every amount’s balance. Adversaries can keep tracing the accounts that have a huge amount of tokens and launch attacks such as using the phishing website or cheating through offline activities.
\
:::info Authors:
(1) Rujia Li, Southern University of Science and Technology, China, University of Birmingham, United Kingdom and this author contributed equally to this work;
(2) Qin Wang, CSIRO Data61, Australia and this author contributed equally to this work;
(3) Qi Wang, Southern University of Science and Technology, China;
(4) David Galindo, University of Birmingham, United Kingdom;
(5) Mark Ryan, University of Birmingham, United Kingdom.
:::
:::info This paper is available on arxiv under CC BY 4.0 DEED license.
:::
\
2025-07-02 15:00:37
:::tip ANDREA BARTZ, CHARLES GRAEBER, and KIRK WALLACE JOHNSON v. ANTHROPIC PBC, retrieved on June 25, 2025, is part of HackerNoon’s Legal PDF Series. You can jump to any part in this filing here. This is part 5 of 10.
:::
Recall that Anthropic purchased millions of print books for its central library and pirated millions of digital books for its central library, too. It used specific sets and subsets of books for training specific LLMs. And, it then retained all the copies in its central library for other uses that might arise even after deciding it would not use them to train any LLM (at all or ever again). Anthropic seems to believe that because some of the works it copied were sometimes used in training LLMs, Anthropic was entitled to take for free all the works in the world and keep them forever with no further accounting. There is no carveout, however, from the Copyright Act for AI companies.
Because the legal issues differ between the library copies Anthropic purchased and pirated, this order takes them in turn.
Anthropic purchased millions of print copies to “build a research library” (Opp. Exh. 22 at 145, 148). It destroyed each print copy while replacing it with a digital copy for use in its library (not for sharing nor sale outside the company). As to these copies, Authors do not complain that Anthropic failed to pay to acquire a library copy. Authors only complain that Anthropic changed each copy’s format from print to digital (see Opp. 15, 25 & n.14). On the facts here, that format change itself added no new copies, eased storage and enabled searchability, and was not done for purposes trenching upon the copyright owner’s rightful interests — it was transformative.
Anthropic purchased its print copies fair and square. With each purchase came entitlement for Anthropic to “dispose[ ]” each copy as it saw fit. 17 U.S.C. § 109(a). So, Anthropic was entitled to keep the copies in its central library for all the ordinary uses. Yes, Anthropic changed the format of these library copies from print to digital — giving rise to the issue here.
All agree on the facts of the format change. Anthropic “destructively scan[ned]” the print copies to create the digital ones. Anthropic or its vendors stripped the bindings from the print books, cut the pages to workable dimensions, and scanned those pages — discarding each print copy while creating a digital one in its place. The digital copy was then housed in the “research library” or “generalized data area” in place of the print copy (Opp. Exh. 22 at 145– 46, 193–94). Authors do not allege and our record does not show that Anthropic provided its converted digital copies of print books to anyone outside Anthropic.
The parties disagree about the legal consequences of the format change. Was scanning the print copies to create digital replacements transformative? Anthropic argues it was because it was reasonably necessary to training LLMs. Authors argue it was a distinguishable step requiring independent justification.
Here, for reasons narrower than Anthropic offers, the mere format change was a fair use.
Storage and searchability are not creative properties of the copyrighted work itself but physical properties of the frame around the work or informational properties about the work. See Texaco, 802 F. Supp. at 14 (physical), aff’d, 60 F.3d at 919; Google, 804 F.3d at 225 (informational); Sony Corp. of Am. v. Universal City Studios, Inc. (“Sony Betamax”), 464 U.S. 417, 447 (1984) (rightful interests). In Texaco, the court reasoned that if a purchased scientific journal article had been copied “onto microfilm to conserve space, this might [have been] a persuasive transformative use.” 802 F. Supp. at 14 (Judge Pierre Leval), aff’d, 60 F.3d at 919 (reducing “bulk[ ]” “might suffice to tilt the first fair use factor in favor of Texaco if these purposes were dominant“). In Google Books, the court reasoned that a print-to-digital change to expose information about the work was transformative. Google, 804 F.3d at 225 (Judge Pierre Leval). And, in Sony Betamax, the Supreme Court held that making a recording of a television show in order to instead watch it at a later time was copying but did not usurp any rightful interest of the copyright owner. 464 U.S. at 447, 455. Important to the Supreme Court’s reasoning was the expectation that most such copiers would not distribute the permanent copies of the work. Finally, in A&M Records, Inc. v. Napster, Inc., our court of appeals recognized the reasoning just explained, and therefore rejected by contrast a digitization effort that was touted as space-shifting but in fact resulted in the multiplication of copies shared with outsiders through a file-sharing service. 239 F.3d 1004, 1019 (9th Cir. 2001), aff’g in this part 114 F. Supp. 2d 896, 912–13, 915–16 (N.D. Cal. 2000) (Judge Marilyn Hall Patel) (citing Sony Betamax and Texaco).
Here, every purchased print copy was copied in order to save storage space and to enable searchability as a digital copy. The print original was destroyed. One replaced the other. And, there is no evidence that the new, digital copy was shown, shared, or sold outside the company. This use was even more clearly transformative than those in Texaco, Google, and Sony Betamax (where the number of copies went up by at least one), and, of course, more transformative than those uses rejected in Napster (where the number went up by “millions” of copies shared for free with others).
Yes, Anthropic is a commercial outfit. And, this order takes for granted that Anthropic in fact benefited from the print-to-digital format change — or it would not have gone to all the trouble. But the crux of the first fair use factor’s concern for “commercial” use is in protecting the copyright owners and their entitlements to exploit their copyright as they see fit (or not). See, e.g., Harper & Row, Publishers, Inc. v. Nation Enters., 471 U.S. 539, 562 (1985). That the accused is a commercial entity is indicative, not dispositive. That the accused stands to benefit is likewise indicative. But what matters most is whether the format change exploits anything the Copyright Act reserves to the copyright owner. Anthropic already had purchased permanent library copies (print ones). It did not create new copies to share or sell outside.
Yes, Authors also might have wished to charge Anthropic more for digital than for print copies. And, this order takes for granted that Authors could have succeeded if Anthropic had been barred from the format change. “But the Constitution’s language [in Clause 8] nowhere suggests that [the copyright owner’s] limited exclusive right should include a right to divide markets or a concomitant right to charge different purchasers different prices for the same book, [merely] say to increase or to maximize gain.” See Kirtsaeng v. John Wiley & Sons, Inc., 568 U.S. 519, 552 (2013); see also U.S. CONST. art. I., § 8, cl. 8. Nor does the Copyright Act itself. Section 106 sets out exclusive rights that fair uses under Section 107 abridge. Section 106(1) reserves to the copyright owner the right to make reproductions. But on our facts we face the unusual situation where one copy entirely replaced the another. And, Section 106(2) reserves to the copyright owner the right to make derivative works that add or subtract creative material — as occurs in a “translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, [or] condensation” of a book, 17 U.S.C. § 101 (definitions). For some “other modification[ ]” of a book to constitute a “derivative work,” it must itself “represent an original work of authorship.” Ibid. But on our facts the format was changed but no content was added or subtracted. See Mirage Editions, Inc. v. Albuquerque A.R.T. Co., 856 F.2d 1341, 1342, 1343– 44 (9th Cir. 1988) (yes where elements added to create new decorative ceramic) (4).
Section 106(3) further reserves to the copyright owner the right to distribute copies. But again, the replacement copy here was kept in the central library, not distributed. Cf. Fox News Network, LLC v. TVEyes, Inc., 883 F.3d 169, 176–78 (2d Cir. 2018) (enabling searching for “information about the material” can be transformative use, even if some distribution results); Lewis Galoob Toys, Inc. v. Nintendo of Am., Inc., 964 F.2d 965, 968, 971 (9th Cir. 1992) (using nifty converter to “merely enhance[ ]” audiovisual displays emitted from purchased videogame cartridge was fair use of those displays partly because no surplus copies of cartridge or displays were ever created).
As a result, Anthropic’s format-change from print library copies to digital library copies was transformative under fair use factor one. Anthropic was entitled to retain a copy of these works in a print format. It retained them instead in a digital format, easing storage and searchability. And, the further copies made therefrom for purposes of training LLMs were themselves transformative for that further reason, as above.
To be clear, this print-to-digital conversion involved a different and narrower form of transformative use than the broader one advanced by Anthropic. Anthropic argues that the central library use was part and parcel of the LLM training use and therefore transformative. This order disagrees. However, this order holds that the mere conversion of a print book to a digital file to save space and enable searchability was transformative for that reason alone. Therefore, the digital copy should be treated just as if the purchased print copy had been placed in the central library.
In sum, the first fair use factor favors fair use for the digital library copies converted from purchased print library copies — but these do not excuse the pirated library copies.
\
(4) Even if print-to-digital format change did infringe the right to prepare derivative works, Authors have conceded that “Plaintiffs’ infringement claims are predicated on Anthropic’s unauthorized reproduction (17 U.S.C. § 106(1)); Plaintiffs are not alleging infringement by Anthropic of any right to prepare derivative works (id. at § 106(2))” (Dkt. No. 203 at 2 (citations original)). Whether this concession had consequence for copies tokenized and used for training or “compressed” into the trained LLMs is not reached by this order because Anthropic does not rely on Authors’ concession and those copies were here used transformatively.
:::tip Continue reading HERE.
:::
:::info About HackerNoon Legal PDF Series: We bring you the most important technical and insightful public domain court case filings.
\ This court case retrieved on June 25, 2025, from storage.courtlistener.com, is part of the public domain. The court-created documents are works of the federal government, and under copyright law, are automatically placed in the public domain and may be shared without legal restriction.
:::
\
2025-07-02 15:00:32
III. Systematization Methodology
VIII. Concluding Remarks and References
Appendix B. Anonymity and Confidentiality
Appendix D. A TCSC-Based Voting Protocol
\
This section compares layer-one and layer-two solutions, and discusses the hardware’s options and impacts.
\ A. L1 and L2 Comparison
\ Which solution is more secure? Even if we have built clear security metrics based on threat models and give concise security analyses in the context of layered architectures, it is still inadequate for answering this question: Which solution is more secure, layer-one solution or layer-two solution? This is because system security is a multidimensional topic, and measuring all security aspects is impractical. The security flaws may happen in any phase in a system [87]. Despite some projects performing well in our evaluation, we cannot roughly say that they are more secure. As hybrid technologies, both layer-one and layer-two systems have unsatisfactory security vulnerabilities in existing systems, and they must be carefully treated when applying them to real applications. Frankly speaking, there is a long road to achieving such a practically secure and confidential system. Our aim is not to argue which solution is more secure. Instead, we focus on helping developers and communities to establish a security measurement and avoid potential pitfalls in designing TCSC.
\ Which solution is more efficient? The layer-one solutions require the contract to be confidentially executed in a distributed TEE network, which is time-consuming and hard to scale out. In contrast, layer-two systems only upload final calculated results from offline TEEs to online blockchains. Local TEE hosts can execute complicated computations with high scalability and short execution time. Assuming that the on-chain processing time remains stable, the overall performance gets improved by enabling parallel off-chain executions. Thus, from the view of performance and scalability, the layer-two solution is our recommendation.
\ Which solution is more adoptable? From the aforementioned discussion, we can observe that the layer-one and layertwo solutions fit different scenarios. The layer-one solution is more adoptable in consortium blockchain systems, while the layer-two solution well fits the existing public blockchain systems. Layer-one systems require each blockchain node to equip a TEE, which is difficult to be fulfilled in a public blockchain while already in use. In a consortium blockchain, the nodes are controllable and manageable, and the committee can require each node to equip a TEE when joining the network. On the flip side, the layer-two solution does not change the original blockchain trust assumption. Instead, it creates an independent layer for executing the smart contract, and thus allows developers to seamlessly integrate the TEE into existing public blockchains without significant modifications.
\ B. Hardware-anchored TEE Options
\ Securing smart contracts with TEEs is challenging because we have to assume a strong attacker model, in which the attacker has physical possession of the hardware running the smart contract and can interfere with it in powerful ways. This part discusses the security impact of choosing different TEE architectures. In particular, we select Intel SGX [88], Arm TrustZone [89] and dedicated chip [90] as examples.
\ Intel SGX is a system allowing one to set up protected enclaves running on an Intel processor. Such enclaves are protected from malware running outside the enclave, including in the operating system. Enclaves can attest their software and computations using a signing key ultimately certified by Intel. Intel SGX has been marketed for desktop machines and servers alike; Microsoft Azure [91] is a commercial cloud offering that allows cloud customers to set up SGX enclaves in the cloud. Many attacks on SGX have been published in the eight years since its release. They may be categorised as side-channel attacks [92], fault attacks [93], [94] and software attacks [95]. While some of these attacks can be solved by improvements of SGX, it is unclear that it will ever be possible to have a completely secure version, because the attack surface is large, in the case of smart contracts, one has to assume that attackers have physical possession of the hardware.
\ ARM TrustZone [89] is a technology widely used in mobile phones to protect secrets, such as secrets used in banking apps. Its ubiquity makes it an attractive option. However, it has been attacked even more than Intel SGX, and doesn’t offer a suitable attestation framework. Future hardware-anchored security products from ARM may address this problem.
\ Dedicated chips such as the Open Titan [90] family of chips offer a better solution. Open Titan is an open-source design inspired by Google Titan, a chip used on Google servers and in Google mobile phones. The fact that the smart contract runs on a dedicated chip not shared with attacker code means that the attack surface is much smaller. Attestation frameworks exist for such chips, and the attestation keys can be rooted in a manufacturer’s certificate. The kind of attacks mentioned for SGX become much harder to mount. Nevertheless, even dedicated chips may succumb to a dedicated and resourceful attacker. Researchers have succeeded in mounting attacks based on power side-channels and electromagnetic (EM) radiation side channels. Defences against such attacks include masking, which consists of randomly splitting every sensitive intermediate variable into multiple shares. Even if the adversary is able to learn a share of the secret via side-channel, it would need all of them in order to recover the secret. Fault attacks such as EM and voltage glitching are also possible, but again, there are known defences [96] at both a software and hardware level. Software defences include making secret-dependent computations twice (in general n times) and then comparing results before producing any output. Countermeasures in hardware involve having internal voltage monitoring circuitry, which makes sure that the input voltage remains within a safe operation range and resets the device otherwise.
\
:::info Authors:
(1) Rujia Li, Southern University of Science and Technology, China, University of Birmingham, United Kingdom and this author contributed equally to this work;
(2) Qin Wang, CSIRO Data61, Australia and this author contributed equally to this work;
(3) Qi Wang, Southern University of Science and Technology, China;
(4) David Galindo, University of Birmingham, United Kingdom;
(5) Mark Ryan, University of Birmingham, United Kingdom.
:::
:::info This paper is available on arxiv under CC BY 4.0 DEED license.
:::
\