Ethics Week 13

Paper 3 (on main web page)
Felonies
Pirate Bay verdict, and ensuing crankiness
CFAA and the Citrin decision
Trust and SSL
Jurisdiction
Software trust
Voting
Linking


Legal tools against hackers

Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.

In 2000 e-bay won a case against Bidder's Edge where the latter used search robots to get information on e-bay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.

Later court cases have often required proof of actual harm, though. In 1998 [?], Ken Hamadi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminating employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Courts reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".

How do you prosecute when there is no attempt to damage anything?

Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dicate binding terms of use for publicly viewable pages (ie pages where a login is not required)?

Felony prosecutions: Kutztown 13, Randall Schwartz, Terry Childs

Kutztown 13
Students were issued 600 apple ibooks in 2004
The admin password was part of school address, taped to the back! The password was changed, but the new one was cracked too. Some of the students got admin privileges and:
                bypassed browser filtering
                installed chat/IM software, maybe others
                disabled monitoring software
The students were accused of monitoring teachers or staff, but that seems unlikely.

The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
       
The offenders were warned repeatedly. But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge was for felony computer trespass.

The school argued that the charges were filed because the students signed an "acceptable use" policy. But why should that make any difference in whether felonly charges were pursued?
      
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
       


randall schwarz
    http://www.lightlink.com/spacenka/fors

Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking a file without authorization was declared to be THEFT.

Schwartz faced three counts:

  1. Installation of an email backdoor at Intel (he thought he had some kind of permission)
  2. Taking password file
  3. Taking individual passwords

These he did as a former sysadmin, now assigned to other duties, but still concerned about password security. All he did was to run the "crack" program to guess passwords. This involved copying the public /etc/passwd file, which at that time contained the encrypted passwords, and to this day contains the username-to-userid mapping used every time you run ls -l.

The appeals court argued that although "authorization" wasn't spelled out in the law, Schwartz did things without authorization as narrowly interpreted. The appellate court also upheld the trial court's interpretation of "theft": taking anything without permission, even if the thing is essentially useless or if the taking is implicitly authorized.

The appellate court also seemed to believe that Schwartz might have been looking for flaws to take credit for them, and that such personal aggrandizement was inappropriate. But employees all the time look for problems at work and try to fix them, hoping to receive workplace recognition.


Schwartz and Kutztown 13 cases have in common the idea that sometimes the law makes rather mundane things into felonies. For Schwartz, it is very clear that he had no "criminal" intent in the usual sense, although he did "intend" to do the actions he was charged with.

Terry Childs

Childs was a Cisco-certified Internetwork engineer (CCIE) working for San Francisco; he was the only one with the router passwords for the city's fiberWAN network.

He was suspended for insubordination on July 9, 2008, apparently for refusing to turn over router passwords. There are GOOD reasons for limiting access to such passwords on a need-to-know basis, BUT refusing to turn them over might be going pretty far. (However, there are some mitigating factors, including the fact that there was an open speakerphone call in progress at the time Childs was asked for the passwords). There is reasonable basis for believing that dismissal is the only resort an employer should have when dealing with an uncooperative employee.

Childs did nothing to damage the network, and the network was never down at any time.

 He was arrested by SF police on Saturday, July 12, 2008 on four counts of computer tampering. He is still [April 2009]in prison. He refused to give the police valid passwords at his arrest (such refusal is protected by the 5th Amendment). He did give the passwords to the mayor of SF, on July 21, 2008, while in prisoin.

Childs had some past history: he committed a burglary at age 17 and spent 4 years in prison. This apparently has no bearing on the present case.

The city's main claim is that Childs was arrested because he placed the city systems in jeapordy. However:

  1. Refusal to share passwords is hard to see as a criminal act. After all, Childs could always quit.
  2. The city knowingly created and encouraged the environment in which Childs was the only one with the passwords.
  3. No working systems were ever at risk.

The biggest concern to computing professionals is that San Francisco then created a laundry list of criminal allegations against Childs that in fact are standard practices:

  1. Childs knew several other people's passwords. (A list of 150 such was found in Child's house, and entered into evidence at his bail hearing without redacting the passwords themselves.)
  2. He had network sniffers in place
  3. He had "back-door" access to the routers, through several modems (three in the final criminal count). But these were pretty clearly for emergency access.
  4. Routers were configured to resist password recovery (this is standard practice when the physical security of the device is in question).
  5. Configurations were not written to flash memory (same as 4)
  6. Childs' pager was sent a page by one of the routers (duh)

Childs seems to have been "security-conscious to the point of paranoia". But most good computer-security people are!

In opposing bail reduction for Childs, the city's attorneys wrote in July 2008:

In the training room locked by the Defendant, they discovered two modems that allowed access to the City's network from unauthorized locations. A further analysis of the network by Principle Security Consultant Anthony Maupin determined that the Defendant had configured multiple Cisco network devices with a command that erases all configurations and data in the event somone tried to recover the password. Further, the Defendant had created his own private network that bypassed all City monitoring and security systems. He had programs that monitored and detected any intrusions and notified the Defendant if others were monitoring or trying to access his information. The Defendant had implemented his own email server and had multiple remote access systems, some which [sic] were hidden in locked storage cabinets and connected to modems. This permitted the Defendant to access the City's network infrastructure undetected. An additional modem was discovered in a locked cabinet near his cubicle that was connected to a phone line and had access to the network.

... There are over 1100 different devices, routers, switches, modems, etc, scattered throughout the  city's offices that the Defendant may have configured and even locked with his own passwords.  ... there is a serious threat to the City's network system if the Defendant was out of custody without the City having full control over all the 1100 devices as the Defendant may have access any of these devices [sic].

The final four charges (pretty close to the original, but none of the tantalizing allegations of the bail-reduction motion making it in): one of "disrupting or denying computer services" (by not revealing the passwords) and three of "providing a means of accessing a computer, computer system, or computer network" (one for each of the three modems).

The latter three charges were finally dropped on August 21, 2009, over a year later; as of this writing Childs is still in prison. Bail is still set at $5 million, even though the state's original argument against bail reduction was based on the three dropped charges and the idea that the "unauthorized" modems might mean that Childs had other backdoors into the city network. Also, San Francisco has had a year to tighten up security.

Childs is charged with "disrupting or denying computer services". However,

Note that in the first "disrupting or denying computer services" charge, no computer services were actually disrupted. The only thing denied was the password.

He did configure the network in a manner that made it difficult for coworkers to reconfiguring it. Was this about prudence, or job security? He apparently did not face day-to-day clear lines of authority; he definitely was not asked to make the master passwords available to supervisors until the Dispute.

There are no charges (as filed in February 2009) of network tampering; these appeared in court documents in July and August 2008 but were dropped. ("Network tampering" appears to have been replaced by the three modem charges.)

The modems were all apparently legitimate: the first was to dial Childs' pager if there was a problem (through the What's Up Gold monitoring package), the second was to allow immediate dialin access to some SF networks (not apparently the FiberWAN), and in addition was apparently installed before Childs was hired, and the third was to provide an alternative communications paths to emergency services across the San Andreas fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to be documented anywhere in any filings to date.

It is indeed possible that Childs decided not to have configurations written to flash memory for "job security"; ie so that, if there was a problem, he would be irreplaceable. Alternatively, it could have been because Childs was having conflicts with management and wanted them to know they couldn't work without him. There is no hard evidence, though, of this.

Childs has been in jail since July 2008. Bail is $5 million. There remains no clear-cut charge that makes sense technically. The formal allegations against Childs do not spell out any specific evidence of intent to disrupt the network (though they do not have to).

One possible reason Childs has been denied bail is the fact that a search of his residence just before his arrest turned up some 9mm ammunition, and Childs had in 1985 been convicted of a felony: armed robbery (with a knife). Possession of ammunition by a convicted felon is illegal in California (and many other states). Also, the fact that Childs had $10,000 in cash in his house was interpreted by the police as evidence that he was a flight risk. Finally, Childs lied to his supervisors when he said he had no past felony convictions, and lied again on the day of his management confrontation when he said his fiberWAN password no longer worked. Both of these are perhaps understandable, and in principle they shouldn't matter, but one doesn't know.

The most plausible charge against Childs is the allegation that he configured the routers not to store their configurations, and that this was done in order that if the network crashed, only he could ressurect it. (Failure to release a critical password to those who are not trained to appreciate it and possibly not authorized to have it is not exactly a plausible charge here.) From the arrest-warrant affidavit of police officer James Ramsay:

Mr Maupin [the city's security consultant] was also able to determine and validate that Mr Childs had, in fact, intentionally configured multiple Cisco network devices with a command that erases all configuration and data in the event that someone tries to restore administrative access or tries to perform disaster recovery. This command was created for military applications that require the deployment of network devices in areas that may have the possibility of hostile forces that could get physical access to network devices.

Officer Ramsay also was the one to tell Childs initially that failure to divulge the passwords was "a denial of service as defined under Penal Code violation Section 502(c)(5)". This claim remains farfetched, at face value, given the lack of clear authority within DTIS, although it might apply if Childs had withheld the password with malicious intent.

Note that the quoted line "this command was created for military applications ..." is both misleading and a bit of a stretch. It seems likelier that the command was suggested for military applications, but even if it was created for that, so was GPS.

As for the configuration-to-erase claim, Childs' attorneys claimed in his bail-reduction motion that one of his colleagues, Carl Sian, intentionally kept (as for study) computer viruses, and later spread one to Childs (possibly accidentally). Somewhat later, Childs' supervisor Herb Tong made some technically inappropriate changes to the fiberWAN system. In light of those events, Childs may very well have felt that the "hardened" configuration of the routers was appropriate.

The case documents are back online at http://www.infoworld.com/d/data-management/terry-childs-case-in-its-own-words-928.


zero-day exploits
    Should they be tolerated? Encouraged?

  1. Sometimes vendors ignore exploit reports without the publicity.
  2. Sometimes users really need a script to tell them if they are vulnerable; such a script is typically tantamount to an exploit
  3. Sometimes announcing a flaw gives crackers all they need to exploit it; withholding details merely gives false security.


Consensus seems to be that zero-day exploits are still a bad idea; that one has some responsibility to let vendors know about an exploit so a patch can be developed.

Patch Tuesday is now followed by Exploit Wednesday.

Cisco 2005 case involving Michael Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html

Cisco threatened legal action to stop the [July 2005 Black Hat] conference's organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco's Internet routers, which dominate the market.

Cisco called the disclosure "premature" and claimed Lynn had "illegally obtained" the information by reverse-engineering. Lynn acknowledged that he had disassembled some Cisco code, based on an announced Cisco patch, but found an additional problem that could allow an outsider to take over the router. Note that a patch had already been released by Cisco, but many customers had not installed it because Cisco had not indicated it was important.

Lynn demoed his findings to Cisco in June 2005. Initially there had been talk about a joint security presentation, but these broke down. The Black Hat conference was in late July 2005.

At the 2006 Black Hat conference, Cisco was a sponsor. Lynn was invited to the party the company sponsored.


MBTA Card

In 2008, three MIT students, Russell Ryan, Zack Anderson, and Alessandro Chiesa, developed Anatomy of a Subway Hack (see http://cs.luc.edu/pld/ethics/charlie_defcon.pdf (especially pages 5, 8, 11/12, 24ff, 41, 49, and 51)). One of the methods of attack was to take advantage of a vulnerability in the Mifare Classic RFID chip used by the MBTA's "Charlie Card". They intended to present their findings at the 2008 Defcon.

US District Judge George O'Toole granted a 10-day preliminary restraining order against the group, but then let it expire without granting the five-month injunction requested by the MBTA. The MBTA's legal argument was that the paper violated the Computer Fraud and Abuse Act, but the problem is that the CFAA normally applies to worms and viruses themselves, and not to publishing information about them.

Much of the information in the report is highly embarrassing to the MBTA, such as the photographs of gates left unlocked. Should they be allowed to block that?

The MIT group apparently asked their professor, Ron Rivest (the R of RSA), to give the MBTA an advance heads-up, but it apparently did not happen immediately as Rivest was traveling at the time, and in any event would have amounted to just a week or so. The MBTA was eventually informed, and quickly pushed for an FBI investigation.

The MIT group's RFID hack was based on the work of Gans, Hoepman, and Garcia in finding flaws in the Mifare Classic chipset; see http://cs.luc.edu/pld/ethics/mifare-classic.pdf. This is a serious academic paper, as you can tell by the font. Their work is based on earlier work by Nohl and Plötz, which they cite. On page 4 of my copy the authors state

We would like to stress that we notified NXP of our findings before publishing our results. Moreover, we gave them the opportunity to discuss with us how to publish our results without damaging their (and their customers) immediate interests. They did not take advantage of this offer.

Note also that the attack is somewhat theoretical, but it does allow them to eavesdrop on the encrypted card-to-reader communications, and to read all of data-block 0 stored on the card (and other blocks, if the data is partially known).

Nohl has said, "It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure".


Hacking

What legal responses are appropriate?
Should we criminalize having hacking tools?
What about c compilers?

Identity Theft

what is it? What can be done?

And WHO IS RESPONSIBLE??

The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".

Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.

This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.

Trust

With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Why we trust online sites:

   
Overall, it seems that lack of bad past experience has the most to do with why we trust.

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What about forming new friends on facebook? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????


Trusting software: how do we do this? What responsibility do vendors have?

    is there an obligation for software to work on our behalf?
    a "fiduciary obligation"?
   
    Trusting your email software; trusting your browser

See http://stopbadware.org

Badware is software that fundamentally disregards a user’s choice regarding how his or her computer will be used. You may have heard of some types of badware, such as spyware, malware, or deceptive adware. Common examples of badware include free screensavers that surreptitiously generate advertisements, malicious web browser toolbars that take your browser to different pages than the ones you expect, or keylogger programs that can transmit your personal data to malicious parties. [stopbadware.org/home/badware]

   
What about DRM? What about Windows?

Most is spyware or viruses or some inappropriate "control" software (eg Sony's, discussed Week 13)

stopbadware.org definition
   1.  If the application acts deceptively or irreversibly.
   2. If the application engages in potentially objectionable behavior without:


See also stopbadware.org/home/guidelines

Also see http://stopbadware.org/home/alerts:
    RealPlayer had been here (Spr 2008?) (still in stopbadware.org/home/alertsarchive)

We find that RealPlayer 10.5 is badware because it fails to accurately and completely disclose the fact that it installs advertising software on the user's computer. We additionally find that RealPlayer 11 is badware because it does not disclose the fact that it installs Rhapsody Player Engine software, and fails to remove this software when RealPlayer is uninstalled.

KaZaa had been here in (Spr 2008?)

We find that Kazaa is badware because it misleadingly advertises itself as spywarefree, does not completely remove all components during the uninstall process, interferes with computer use, and makes undisclosed modifications to other software.

Spyware Striker Pro (Spring 2009)
        (ironically, this is NOT "fake" spyware-removal software!)


Trusting information


Do you trust wikipedia? Why or why not?

Are you familiar with citizendium.org? Why or why not? It was created to be a more trustworthy version of wikipedia. Do we need it?

Pirate Bay verdict

See http://thepiratebay.org. Yes, it's still up, though as of November 2009 the pirate-ship logo has been replaced.

The four accused Pirates were convicted in Swedish court of having "assisted in making copyrighted files accessible". As in the United States, the standard for providing criminal assistance is relatively modest. And, on the face of it, the Pirates provided considerable assistance to file-sharers. The trickiest part is intent, and here the pirate logo is, well, strongly suggestive of intent. And the rest of the movies-want-to-be-free manifesto on the site is even more so.

Each defendant was fined ~$US 800,000, and sentenced to a year in jail. (Though Swedish prisons are relatively comfortable.) Of the four defendants, three are broke and wouldn't pay even if they could.

Why do so many commentators point out that the pirate bay doesn't actually host any of the content itself?

See:
http://torrentfreak.com/the-pirate-bay-trial-the-verdict-090417 (a few hours after the announcement)
http://news.cnet.com/8301-1023_3-10224201-93.html (a few days of reflection later)

Swedish Pirate Party doubles in size after the verdict -- Wired
What are these people thinking? I mean that seriously.

See also: http://oneswarm.cs.washington.edu. But note that, once you limit your file-sharing to within a trusted community, the pool is likely to be vastly smaller.


International Airport Centers v Citrin

Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being directed at "hackers" who break in to computer systems. However, nothing in the act requires that a network breakin be involved, and it is clear that Congress understood internal breakins to be a threat as well.

Just when is internal access a violation of the CFAA? Internal access is what Terry Childs is accused of.

In the 2006 Citrin case, the defendant deleted files from his laptop before going to work for himself. From http://technology.findlaw.com/articles/01033/009953.html:

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract with the companies. Before returning the laptop to the companies, Citrin deleted all of the data in it, including not only the data he had collected [and had apparently never turned over to his employer -- pld], but also data that would have revealed to the companies improper conduct he had engaged in before he decided to quit. He caused this deletion using a secure-erasure program, such that it would be impossible to recover the deleted information.

His previous employer sued under the CFAA, noting that the latter contained a provision allowing suits against anyone who "intentionally causes damage without authorization to a protected computer". Citrin argued that he had authorization to use his company-provided laptop. The District Court agreed. The Seventh Circuit reversed, however, arguing in essence that once Citrin had decided to leave the company, and was not acting on the company's behalf, his authorization ended. Or (some guesswork here), Citrin's authorization was only for work done on behalf of his employer; work done against the interests of his employer was clearly not authorized.

Once again, the court looked at Citrin's actions in broad context, rather than in narrow technological terms.

Note that Citrin's specific act of deleting the files was pretty clearly an act that everybody involved understood as not what his employer wanted. This is not a grey-area case.

Compare this to the Terry Childs or Randall Schwartz cases. We don't have all the facts yet on Childs, but on a black-and-white scale these cases would seem at worst to be pale eggshell (that is, almost white). It seems very likely that Schwartz's intent was always to improve security at Intel; it seems equally likely that at least in the three modem-related charges against Childs there was absolutely no intent to undermine city security, or to act in any way contrary to what the city would have wanted if it had in fact any clue.


  
Trust

With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Technological issues & trust: can we at least trust that we're talking to the person we think we're talking to?

Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the person). Otherwise you can get a bad key, write to them using it, and be victim of a man-in-the-middle attack.

(public key crypto: each person has a public key and a private key. If someone encrypts a message to you with your public key, you can decrypt it with your private key. Similarly, if you encrypt something with your private key, anyone can decrypt it with your public key, and in the process verify that it was encrypted with your private key. That last bit means that the message can act as your DIGITAL SIGNITURE.)

How can we be able to TRUST our keys?

Alice needs Bob's key.

  1. She can meet Bob at a key-signing party. Bob can give her his key hash.
  2. She can ask Chuck. Chuck says Bob's online keyhash is legit.
  3. She can decide NOT to trust Chuck, at least about Bob, and ask Dora instead. Dora has never met Bob, but got Bob's keyhash from Ernie, who has.
  4. She can ask someone who has a large group of signed verifications of keys. Three of them are signed verifications of Bob's key.


SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name

Any pair of entities can negotiate a session key:

You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg exchanging encrypted bits and then exchanging special keys to decrypt them)

BUT: how do you know you're not about to give your credit card to a bad guy with whom you've just created a session key?

Ask landsend.com for their SSL certificate. Receive it. It includes digital signatures by well-known Certificate Authorities, or CAs. It also includes DNS name.
       
CHECK it by using known public key from one of the CAs. These keys are preinstalled in your browser.
This prevents man-in-the-middle attacks, but won't help if router or DNS is hacked

their SSL server uses public-key encryption to sign something with the current date/time; replay isn't feasible either.


What does this have to do with TRUST?

Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?

Edit => Preferences => Advanced => Encryption => View Certs


Note this is powerless against phishing attacks
Although the new Extended Valuation SSL Certs might. Might.


Back to why we trust online vendors:

   
Overall, it seems that lack of bad past experience has the most to do with why we trust. This seems to be the case with face-to-face and brick-and-mortar relationships just as much as with online situations.

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????


Jurisdiction online

jurisdictional issues: where did the sale take place? This one is very important for e-commerce.

Traditional three rules for lawsuit jurisdiction:

  1. Purposeful availment: did defendant receive any benefit from the laws of the jurisdiction? If you're in South Dakota and you sell to someone in California, the laws of California would protect you if the buyer tried to cheat you. Generally, this is held to be the case even if you require payment upfront in all cases. The doctrine of purposeful availment means that, in exchange here for the benefits to you of California's laws, you submit to California's jurisdiction.
  2. Where the act was done.
  3. Whether the defendant has a reasonable expectation of being subject to that jurisdiction.


eHarmony lawsuits, for alleged discrimination against homosexuals

eHarmony is headquartered in California

New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007

How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?

Would it have mattered if eHarmony was a free service?

sales

trademarks
libel/defamation
criminal law


laws governing sales: seller can sue in his home state/country
    This is more or less universal.
   

laws governing trademarks

Trademark scope
        The Blue Note Cafe was located in NYC
        The Blue Note, St Louis (actually Columbia, MO) was a club, sued for trademark infringement by Blue Note New York because they had a web site.
        The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
The case was brought in federal district court, which decided there was a lack of jurisdiction. Before that, however, note that the Missouri club began using the name in 1980, and the NYC club did not register the trademark until 1985. Note that, generally speaking, in this sort of situation the Missouri club retains the right to continue to use the name locally, while non-local use is reserved to the federal trademark-holder.

The district court did look at the "long-arm statute" of the "forum state", that is, New York. The New York law provides that

a New York court may exercise personal jurisdiction over a non-domiciliary who "in person or though an agent" commits a tortious act within the state.

The State-court interpretation of this was that the act had to be committed in New York State, and the federal court deferred to this interpretation.

Another part of the NY state law did provide for jurisdiction when the other party was outside the state. However, the law also

... restricted the exercise of jurisdiction under sub-paragraph (a)(3) to persons who expect or should reasonably expect the tortious act to have consequences in the state and in addition derive substantial revenue from interstate commerce

The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.

Blue Note St Louis had a mostly passive web site, although they did advertise tickets online, to performances at the club itself. These tickets had to be picked up at the Missouri box office; they were never mailed. Does this matter? Does it matter that the tickets were technically not sold over the internet, but instead you had to call a phone number?

This case was decided on jurisdictional grounds: NY State did not have jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.

This was a reasonable decision, but notice that it sure doesn't offer many guarantees that your website won't infringe on a trademark far far away.
              
Domain names

zippo v zippo, 1997

See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
    zippo lighters v zippo.com
    trademark infringement filed under PA state law, but filed in federal district court.
    PA "long arm" statute
   
zippo.com was a news service. They had email customers in PA, and two ISP customers.
    (1) the defendant must have sufficient "minimum contacts" with the forum state,
    (2) the claim asserted against the defendant must arise out of those contacts, and
    (3) the exercise of jurisdiction must be reasonable.
   

We find Dot Com's efforts to characterize its conduct as falling short of purposeful availment of doing business in Pennsylvania wholly unpersuasive. At oral argument, Defendant repeatedly characterized its actions as merely "operating a Web site" or "advertising." Dot Com also cites to a number of cases from this Circuit which, it claims, stand for the proposition that merely advertising in a forum, without more, is not a sufficient minimal contact. [FN7] This argument is misplaced. Dot Com has done more than advertise on the Internet in Pennsylvania. Defendant has sold passwords to approximately 3,000 subscribers in Pennsylvania and entered into seven contracts with Internet access providers to furnish its services to their customers in Pennsylvania. [emphasis added]

     
Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction


Note the gray area between a completely passive website, just an "electronic billboard", and “the knowing and repeated transmission of computer files over the Internet”. Usually the latter means subscriber-specific information.

What about google.com? Should Illinois courts have jurisdiction?

Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").


Suppose your bank makes an error. Where do you sue them? What if their only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank. SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB online. Some money disappeared. Soma lost their lawsuit in Utah, because the court ruled that the fact that SCB had a website accessible in Utah did not give the State of Utah personal jurisdiction. [Michael Shamos]

NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions about whether US patent law extends to other countries.

Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's minor son ordered beer, and it was delivered to him despite rules that required an adult signature. Butler sued BAA under an Alabama law that makes it illegal to sell alcohol to minors. In this case, Butler lost her bid to get Alabama jurisdiction, though the case was transferred by the Alabama court to Illinois.

Deciding that the sale of beer by Illinois defendants to an Alabama minor on the Internet occurred in Illinois, the federal court held that a single sale was insufficient minimum contacts to establish personal jurisdiction over the defendants in Alabama.



Cybersquatting:

This is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.

See http://www.networksolutions.com/legal/dispute-policy.jsp

    Uniform Domain Name Dispute Resolution Policy -- ICANN

4(b). Evidence of Registration and Use in Bad Faith. For the purposes of Paragraph 4(a)(iii), the following circumstances, in particular but without limitation, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:

(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant's mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location.



========

Also AntiCybersquatting Consumer Protection Act.

Some form of bad faith is usually necessary. But not always, if the effect is to resemble a famous trademark and if you have good lawyers. Sometimes the only "bad faith" or "intent to profit" is the offer of the domain holder to settle the case by selling the domain to the plaintiff.

All this is really about trademarks, not about jurisdiction. But the "flat" namespace of the web makes all trademark disputes national, or even global.


vw.net: virtual works
    http://www.news.com/2100-1023-238287.html
   
Peculiarity: vw.net, a one-man company with James Anderson as principle, offered to sell the name to volkswagen in 1998, and threatened to auction the name off if volkswagen did not buy. This triggers a presumption of domain-name squatting.
   

"A federal appeals court in Virginia [2001] affirmed a lower court's ruling that online service provider Virtual Works Inc. violated the 1999 Anticybersquatting Consumer Protection Act when it registered the domain vw.net with the intent to sell it to Volkswagen of America."

   

"Grimes' [Anderson's early partner] deposition reveals that when registering vw.net, he and Anderson specifically acknowledged that vw.net might be confused with Volkswagen by some Internet users," Wilkinson wrote. "They nevertheless decided to register the address for their own use, but left open the possibility of one day selling the site to Volkswagen 'for a lot of money'."

   
See http://vwx.com. Oops, I guess not; that site is now for sale. At one point, it was about Anderson's side of the case.
   
A possibly important point was that virtual works never used the abbreviation "vw" except in the domain name.
   
They (vw.net) lost.

Is this about cybersquatting? Or is it about the (lack of) rights of the Little Guy to use their trademark in good faith?


american.com: formerly owned by cisco, now a private 'zine (the airline is aa.com)

gateway 2000 v gateway.com
    gateway.com was a computer consulting firm, run by Alan Clegg. There was absolutely no evidence that Clegg foresaw that in the year 2000 the name gateway2000.com would become obsolete, and reserved gateway.com in anticipation of a domain sale.
   
yahoo.com v yahooka.com [which see]
    Case was actually never filed
   


state-law libel and jurisdiction

A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del. April 23, 1998), found that Delaware's long arm statute did NOT reach the defendant, who posted allegedly libelous and slanderous false statements about the plaintiff on his Internet site. The statute provided for jurisdiction over tortious activity outside of Delaware ONLY if defendant regularly conducted business in the state. The court found that access in Delaware to defendant's Internet posting did not constitute sufficient contact to support the exercise of personal jurisdiction.
     
This case was decided on JURISDICTIONAL grounds: Delaware did not have jurisdiction

Laws governing libel:

Truth is a defense, but can be expensive to prove. If you say something false about a public figure, they have to prove actual malice. If you say something false about anyone else, all they have to prove is that you were negligent.

We've seen Batzel v Cremers.

Cremers lost on the jurisdiction issue.

But what if the legal climate in the Netherlands was different for libel lawsuits? What if in the Netherlands the burden of proof lay with the plaintiff to prove something false, and Cremers was sued in a jurisdiction (eg England, which still has pro-plaintiff libel laws) where the burden of proof lay with the defendant?


Trusting software: how do we do this? What responsibility do vendors have?


We've seen that people form trust relationships based on a fairly limited set of positive experiences (though a limited set of negatives, as well). Sometimes it seems that software has a lot to live up to, in that we trust it because we don't see bad experiences, but it is so easy for software to take advantage of us.

   
Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed the email?

The images issue has been around for almost a decade; many email vendors (and many freemail providers) have been reluctant to support image-blocking until ~2006 or later. (There may be legitimate reasons for that: it may be perceived as a hard-to-understand option.)

Browsers: browsers do all sorts of identification of themselves when they connect. Some of that is important; some is questionable. Most browsers do not leak "private" information, though they do leak the browser and OS you are using. Furthermore, this is hard to change!

Try http://www.jms1.net/ie.shtml, with internet explorer. (Actually, go to jms1.net, and you get redirected to the linked site if you're using IE. At one point there was a page on the site that would simply make IE die.)

IE's entire ActiveX security model is broken; ActiveX is an approach to security where you trust any signed software. Java, on the other hand, trusts any source, but runs the software in a "sandbox" where it (hopefully) can't damage your machine.


What about cookies?

Many browser PLUGINS do leak some degree of private information. When you register a plugin, you connect some personal information to that plugin. Also, some plugins contact the mothership at regular intervals.

See spywareremove.com/remove-BrowserPlugins

SEVERAL media players (plugin or otherwise) may do some checking of licenses or with mothership before allowing play. Perhaps most players from media companies behave this way.


What about compatibility lock-in?


To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
    locks you out of lots of things.
    Trusted side: can't be reached by debuggers or viruses
    Problem: machine now is autonomous; vendor has complete control. Do you trust your vendor?
    Software updates, file compatibility,
   


SONY case has the rights of users front and center.
Sony's 2005 copy-protection scheme : that installs a private CD driver AND a hidden "r00tkit" (so named by Mark Russinovitch, then of sysinternals.com) that conceals itself and hides some registry keys.

Is this legit?

How does it compare with Palladium (secure-computing platform)?

Users do click on a license agreement. Were they sufficiently warned?
(Software was apparently installed before the EULA came up; and in any event clearly the EULA did not explain just what was going on.)

Note from Mark Russinovich, via wikipedia:

He also mentioned that the XCP software installed silently before the EULA appeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions. Several comments to the entry recommended a lawsuit against Sony BMG.

    
There is now a virus/worm out that takes advantage of the sony kit.

Sony issued an uninstall utility that didn't actually uninstall the software, but did make it visible. However, users had to supply an email address, which by Sony's privacy policy was eligible for spamming.

This or a later removal kit allegedly ADDED a bad ActiveX control.


While we're on the subject of Sony, there was a recent report (in print, which I can't find now) that a significant breakin at US Government sites was precipitated by flaws in the LimeWire file-sharing package. As in, under some circumstances LimeWire would share everything.


Trusting voting machines

If we trust our phones and calculators, why on earth shouldn't we trust voting machines?

Because nobody will gain from secretly having our phones and calculators give incorrect results. We would find out almost immediately, after all.

(And there are now phone viruses)

     
Look at the video at http://itpolicy.princeton.edu/voting/videos.html
Question to think about and for discussion: 
 
    Who are we trusting when we use these machines in an election?
    How is this trust different with paper ballots?
    Why did they make the video (versus just writing a paper)?
 
Notes: just booting with a clean memory card does NOT necessarily clear the machine! The bootloader in flash memory may have been corrupted. The machine loads a new bootloader from every card with a file fboot.nb0
 
Seals (which Diebold recommends) are often ignored, and if not then breaking them constitutes an effective DoS attack.  
 


What about linking?
 
 Is a link to a defamatory site a form of defamation?
 (It probably depends on the context)
 
 Is a link to "illegal" software forbidden?
 2600 case: Universal v Reimerdes:
from wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes)
In particular the Second Circuit ruled that linking on the Internet happened so fast that it could be restrained in ways that might not be constitutional for traditional media.
Also, apparently the defendants more or less admitted that they were providing links to deCSS for the purpose of making illegal DVD copies. Things might have been different had they linked for the purpose of research.

While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Is this a legal number?

Part of the issue with linking is that it can provide easy access to "forbidden" content such as circumvention software (deCSS) or copyrighted content (eg providing movie .torrents). For that part, providing the URL in "unlinked" form is probably also subject to regulation. 

But the other part is conventional "deep links". These can be used to view a given page out of context, or to view a given page in a border provided by another page, or to avoid advertising. Should these kinds of links be subject to prohibition?

Is linking to a site a form of using that site without authorization? Possibly leading to a claim of trespass-of-chattels?
 
What about linking to other sites:
     bandwidth
     trademark
     avoidance of advertising
    
     cussedness/control
    
 search engines do this CONSTANTLY.
    
For a while this was a serious issue, but it seems to be flaming out. Lots of sites still have bizarre linking policies, though.

http://dontlink.com; alas, active site work stopped in 2002.


But see: http://www.americanexpress.com/shared/copyright/webrules.html, item 9, "Linked Internet Sites"

Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)

Linking to Symantec's Web Site

Symantec permits anyone to link to Symantec's web site subject to the linker's compliance with the following terms and conditions:
A site that links to Symantec's web site:

  1. May link to, but not replicate, content contained in Symantec's site;
  2. Must not create a border environment or browser around content contained in Symantec's site;
  3. Must not present misleading or false information about Symantec's services or products;
  4. Must not misrepresent Symantec's relationship with the linker;
  5. Must not imply that Symantec is endorsing or sponsoring the linker or the linker's services or products;
  6. Must not use Symantec's logos or trade dress without prior written permission from Symantec;
  7. Must not contain content that could be construed as obscene, libelous, defamatory, pornographic, or inappropriate for all ages;
  8. Must not contain materials that would violate any laws;
  9. Must agree that the link may be removed at any time upon Symantec's request pursuant to Symantec's reserved rights to rescind its consent to allow the link.

Rules 1-8 are entirely reasonable.

A few other issues