Computer Ethics, Spring 2012
CMUN 009; Mon 4:15-6:45, Week 12, Apr 16
Read
Baase Ch 5, §5.2, §5.3, §5.5, §5.6 on hacking and crime
Software Patents
i4i v Microsoft
NTP v RIM
Paul Graham
This would be a good time to take a quick look at the Paul Graham paper. Graham is both a venture capitalist and a software engineer (and a Lisp programmer!). One of his first points is the following:
One thing I do feel pretty certain of is that if you're against software patents, you're against patents in general. Gradually our machines consist more and more of software. Things that used to be done with levers and cams and gears are now done with loops and trees and closures. There's nothing special about physical embodiments of control systems that should make them patentable, and the software equivalent not.
Here are a few more, based largely on his experience as a venture capitalist. Patents, he feels, don't matter much to software startups, unlike physical-machine startups.
- Third paragraph (above) on being against software patents meaning you're against patents generally
- Amazon one-click patent
- Startups do not in fact get sued. They don't attract any attention until they're big enough to be acquired or to cross-license.
- Patents do play a role with being acquired; the suitor has to feel that it's cheaper to buy you than to build on their own.
- "So, are you guys hiring?" and the Viaweb project
- Patents: for an "armed truce" (cross-licensing) with other big guys, or as part of being acquired
- Patents play a small role in the software business.
- The Reveal startup in 2002. They made X-ray machines, not software.
- Design counts for more than invention, because design is what delivers the product.
- Why Microsoft won't sue linux out of business (MS probably won't, but Graham's reasoning here is perhaps wishful thinking).
Graham has three reasons why patents don't matter:
- Software is complicated; the real issue isn't the software but developing -- and designing -- it. However, this argument also works the other way; if you have an idea, then you are better off pursuing patent enforcement than development, because development is hard. But also note Graham's point that if a big company tries to copy a little company's patents, there will be a "thousand little things the big company will get wrong".
- Startups seldom compete head-to-head with big companies; they "change the paradigm". You don't go into the word-processing business; you invent Writely (now part of Google Apps?). And, "big companies are extremely good at denial". They will go to great lengths to pretend that you don't exist, to "keep you in their blind spot". Suing a startup would mean you realized they were dangerous. He cites IBM as an example; it would have been demeaning for them to sue microcomputer developers. Also, for Microsoft to sue web-app developers (or smartphone developers) would be to admit that Windows is fading.
- Hacker opinion is against big patent lawsuits. If you're a big high-tech company, you'll lose a lot of your best people if you're seen "doing evil". This might be true for Google; it's less clear at Microsoft (though the employees there do care about principles). It's probably not true at Eolas.
What do you think of these? How does the Eolas case fit in?
The argument is sometimes made that patents have real value for
startups, so that they can cross-license if accused of violating other
patents. Is this a legitimate argument in favor of patents?
And here's a student project from Stanford, dated 2000:
http://cse.stanford.edu/class/cs201/projects-99-00/software-patents
The authors are Carr, Gray, Watkins and Yang, and the patents they consider in depth are
- Amazon one-click shopping
- LZW compression and GIFs
- RSA public-key encryption
- Eolas hypermedia patent
MP3 patents and lawsuits
The MP3 idea was not obvious, and remains fairly complex. Alcatel-Lucent v Microsoft: Alcatel-Lucent won $1.5 billion in an infringement suit about mp3 decoders, Feb 22, 2007. MS countersued for other patents. The judge eventually set aside the damages, and the appellate court agreed. Aug 6, 2007: MS won new trial. MS is now suing A-L for other patents.
Check out mp3licensing.com (Thomson). Royalty rates: basic mp3 decoder: $0.75/unit.
MP3 was published in 1991. Did all US mp3 patents expire in 2011? Original holder: Thomson Consumer Electronics & Fraunhofer Institute. These still hold the "core" mp3 patents.
MP3 Patent claimants:
- Thomson
- Fraunhofer
- Sisvel / Audio MPEG
- Texas MP3 Technologies
- Alcatel-Lucent
To date, (some) patent holders have announced that no action will be taken against open-source decoders.
The mp3 compression algorithm is admittedly a deep idea. Part of it involves the use of wave decomposition to store the information more efficiently; part of it involves "psychoacoustics" to identify parts of a sound file that are "unhearable" and so can be deleted.
Note that patents are for the use of an idea in a specific context:
- prime factorization for the purpose of encryption
- xor for the purpose of redrawing the mouse
- digital scanning for the purpose of storing bank records (see below)
- RF links for the purpose of email [NTP v RIM; it's not clear this is the entire issue]
Patent problems
- submarine patents: you don't hear about them until too late!
- prior art: hard to find, hard to document, trivial ideas were never written down! This problem, at least, will go away with the passage of time.
- non-obviousness: difficult to contest.
- Many ideas go into one program!
- Technology evolves extremely rapidly.
- Violates settled expectations (important part of law!)
- What's patented seems to be more a matter of chance than anything else.
- ignorance is no defense: "submarine" patents
- entire process is secret: you can be making a good-faith effort to be noninfringing and get hit with a huge verdict.
- wilful: you had advance notice of infringing. Your belief that the patent was invalid may NOT be a defense, although it has been accepted as a defense in some cases. Damages automatically triple.
Europe
The EU Parliament voted in July 2005, 648-14, AGAINST the EPO (European Patent Office) directive.
March 17, 2009: European Patent Office has asked the EU's "Enlarged
Board of Appeal" to decide on the exclusion of software from
patentability. The EPO has long been pushing for software
patentability, and this is seen by some as an attempt to bypass the
European Parliament.
See http://lwn.net/Articles/324022
Also http://press.ffii.org/Press_releases/EPO_seeks_to_validate_software_patents_without_the_European_Parliament.
Also http://www.ffii.org/EPOReferral.
Note especially Q3, under Questions. Under some earlier rulings (T163/85 and T190/94), patentability required "a technical effect on a physical entity in the real world". However, other rules did not include this requirement.
European patent law is similar to the Diamond v Diehr standard:
machines that use software are patentable, but not software that stands
alone. However, in the US the Diehr standard evolved into software
patentability; in Europe software remains unpatentable as such.
Here's an article from FFII.org entitled, "Why are Software Patents so Trivial?", in which they suggest that this is a fundamental problem: http://eupat.ffii.org/analysis/frili.
Stakeholders
Who are the stakeholders in software patents?
Are we stakeholders? Compare pharmaceuticals.
http://www.pbs.org/cringely/pulpit/2005/pulpit_20050818_000863.html:
"Do you feel helped by patent reform?"
If the Eolas patent had succeeded earlier in the game, Firefox might
never have been started, and then Internet Explorer would still likely
lack tabs, plug-ins, and other core features.
WHY does the situation seem so different from pharmaceuticals?
Role of "patent trolls", or patent licensing firms ("troll" as in "the troll under the bridge, demanding tolls", not "trolling" as in fishing for "flames").
Note that the established-company-versus-established-company defense of a "patent bank" is useless here.
Patents and standards-setting
Company A participates in creation of a standard; they suggest solution S for a particular issue. After the standard is widely adopted, company A announces that they have patented S, and that they will license it for a significant fee.
N-Data patent on ethernet speed autonegotiation:
http://arstechnica.com/news.ars/post/20080123-ftc-defends-ethernet-forces-patent-troll-back-under-bridge.html
Barriers to entry
Patent Trolls: companies that have no assets but patent claims, and don't attempt to produce anything but simply collect.
Is this bad? Or are such companies just creating a market for
small inventors to sell their inventions?
I4i is not such a company; they did produce an XML-based product.
Patent and open source
The open-source community is a strong proponent of eliminating software patents.
Is the open-source community entitled to:
- an applet-aware browser?
- an mp3 player?
- a gif viewer?
- other ideas that are patented?
Is the open-source community entitled to the asterisk phone switch?
Does MS intend to destroy or hobble or marginalize linux through patents?
It is very well documented that the patent process can have a very
NEGATIVE impact on open-source development, and on generally
accepted software adoption.
So if the purpose of software patents is to aid technological process,
and it doesn't do that, are software patents a good idea?
What happens if the software in question is made available through a
site in Europe, which (as of now) doesn't have strong software-patent
laws? Should the site warn visitors from the US?
Is this at all like thepiratebay.org?
Patents: are the right ideas being patented? Or are patents being granted to trolls for peripheral ideas?
- xor: trolls?
- rsa: good
- spreadsheets: trolls?
- eolas: trolls?
between an invention and a business idea.
They have developed technology for storage of digital images of bank checks. They actually did develop the whole system, although again the inevitability issue arises here. They did not develop any of the actual root technology: scanners, or data security, or digital storage systems with enough capacity to hold images for negligible cost.
From their website:
The Corporation was founded in 1998 and was granted its first two Network architectural patents (5,910,988 and 6,032,137) in 1999 and 2000, respectively. The patents detail the important and revolutionary aspects of DataTreasury's systems for remote image capture, document imaging, centralized processing and electronic storage. Our innovations were particularly noted for enhanced security, fault tolerance and high reliability. These key elements form the underpinnings of DataTreasury's technology.
That said, it is clear that none of DataTreasury's ideas are revolutionary.
From politico.com/news/stories/0308/9202.html:
The company had benefited from a controversial 1998 court ruling that broadened the definition of a patent to include business processes.
The proposed (but never passed) patent-reform act of 2007 singled out
this patent for congressional revocation.
It appears that DataTreasury is claiming a business-method patent on the use of electronic image scanning for check processing. They are looking for very significant licensing fees. Again, every piece of the technology has been around from well before the patent (scanning, secure storage, ???)
Should a new (but straightforward) application of existing technology be patentable?
The DataTreasury patent has been singled out by Congress for action, but it is not clear what will happen.
Patent reform:
- PTO trying to learn more prior art
- Watchdog groups doing same
- Trivial prior art is harder and harder to patent, simply due to the passage of time and better documentation of trivial techniques
- Still problems with patented protocols (and business methods)
Someone tried patenting a movie storyline a few years ago. This patent WAS rejected.
Patent Reform Act of 2007: H.R. 1908 and S. 1145 (did not pass). This was the first [?] patent-reform act proposed.
Those in bold are the most significant.
This did not pass. Here are some of the proposed changes in U.S. patent law:
- 1.1 Switch from first-to-invent to first-to-file
- 1.2 Expand prior user rights, to compensate
- 1.3 Publish patent applications
- 1.3.5 Allow corporate filers (i.e. the inventor's employer)
- 1.4 Allow pre-issuance protests by third parties
- 1.5 Expand use of post-issuance reexamination and opposition proceedings
- 1.6 Eliminate the "best mode" requirement (obscure)
- 1.7 Modify the patent law doctrine of willful infringement. "Willful" is a serious problem, because it vastly increases the damages and is applied rather inconsistently.
- 1.8 Modify the patent law doctrine of inequitable conduct
- 1.9 Allow patent applications to be submitted by an assignee
- 1.10 Limit access to injunctions
- Damages: must be in proportion to incremental improvement over prior art
- Bars "tax planning" patents [!] See US Pat 5206803
- Bars DataTreasury from bank extortion
Discuss: first-to-file: who benefits? How are small inventors affected? How are prior-art rules affected?
This has again been introduced in 2009; apparently the issues are the damages calculation, post-issuance reexamination proceedings, and defining inequitable conduct. At least the last provision has been removed from the 2009 bill. A good-faith defense for believing a patent was invalid is also included. Also included is a definition of prior art to include anything "available to the public"; publication no longer would have to occur.
[Note that NTP argued that RIM's conduct was held to be inequitable simply because NTP had sent them a letter outlining its patent claims, and RIM had disagreed.]
In 2011, Congress passed the America Invents Act. This included the following features:
- switch from first-to-invent to first-to-file (though the
first-to-file inventor must be an original inventor, not someone who
got the idea from the real inventor and rushed to patent).
- prior art expanded to include any public use, or foreign offers for sale. The "publication" rule is thus relaxed.
- allows pre-patent-issuance filings by third parties, and also post-issuance review
- bars tax-planning patents
- small inventor ("micro-entity") fee reduction
- deny patent holders the right to appeal post-grant re-examination reversals to the District Courts.
The full impact of the law is not yet clear. There were no changes to
rules for willful infringement, inequitable conduct, access to
injunctions, or proportionate damages.
KSR v Teleflex, April 30, 2007
Some good patent news
This Supreme Court case altered the legal standard for disproving "non-obviousness" in favor of defendants. It is now slightly easier to challenge patents on this basis.
Teleflex had a patent on a pedal coupled to an electronic throttle control (basically cruise control). The question was whether that was "obvious".
The proper question to have asked was whether a pedal designer of ordinary skill, facing the wide range of needs created by developments in the field of endeavor, would have seen a benefit to upgrading [a prior art patent] with a sensor
not thought of it by themselves, and not motivated to implement the change, but simply saw the benefit. The old "nonobviousness" standard often in effect required proving that a patent was "prior art". This test was known as the "teaching-suggestion-motivation" test. All three pieces had to be there.
Another sentence from that decision:
[t]he combination of familiar elements according to known methods is likely to be obvious
when it does no more than yield predictable results.
Does that cover my obvious-in-context approach? Does that suggest
that not clicking the mouse is obvious?
Teaching-suggestion-motivation test: too narrow
Would this have helped RIM? Probably.
Bilski case
Federal Circuit decision released October 30, 2008
Supreme Court decision released June 28, 2010 (decision here)
This was a very significant case. It was decided at the appellate level by an en banc sitting of the Federal Circuit. They proposed a "machine or transformation" test for patentability of abstract processes. The Supreme Court then heard the case, and while they did not uphold the "machine or transformation" test, they ruled that Bilski's invention was not patentable because it was too abstract.
There had been widespread speculation that the Supreme Court would use
the Bilski case to rein in business-method patents, or at least make
the patentability rules a little clearer. They apparently did not do
either.
Bilski patent:
Claimed method of managing the risk of bad weather in commodities
trading.
He submitted a patent application seeking exclusive rights to a
method of using hedge contracts to reduce the risk that a commodity's
wholesale price might change.
Again, the technique fails under both prior-art and obviousness
standards.
But those don't apply in the same way to business-method patents.
The patent was rejected by the Patent Board of Appeals. The Board, in rejecting the claim, asked the federal circuit court for assistance in determining patentability of non-technological method claims.
The federal circuit court did the following:
The court by its own action grants a hearing en banc. The parties are requested to file supplemental briefs that should address the following questions:
- (1) Whether claim 1 of the 08/833,892 patent application claims patent-eligible subject matter under 35 U.S.C. §101? (the patent-eligibility rules)
- (2) What standard should govern in determining whether a process is patent-eligible subject matter under section 101?
- (3) Whether the claimed subject matter is not patent-eligible because it constitutes an abstract idea or mental process; when does a claim that contains both mental and physical steps create patent-eligible subject matter?
- (4) Whether a method or process must result in a physical transformation of an article or be tied to a machine to be patent-eligible subject matter under section 101?
- (5) Whether it is appropriate to reconsider State Street Bank & Trust Co. v. Signature Financial Group, Inc., 149 F.3d 1368 (Fed. Cir. 1998), and AT&T Corp. v. Excel Communications, Inc., 172 F.3d 1352 (Fed. Cir. 1999), in this case and, if so, whether those cases should be overruled in any respect?
The appellate court did affirm the need for a physical transformation. Their central doctrine is "Machine or Transformation". This would have been a problem for business patents, and perhaps software patents. Note that their reasoning was taken straight from the few SCOTUS cases on record.
The following question arises whenever a patent is applied for on an abstract process:
[Is the patent] tailored narrowly enough to encompass only a particular application of a fundamental principle rather than to pre-empt the principle itself?
- Benson: NO
- Diehr: YES (one of the prior SCOTUS cases)
- Bilski: NO
This part of the Federal Circuit's reasoning may still stand.
Part of the Benson ruling:
Transformation and reduction of an article 'to a different state or thing' is THE clue to the patentability of a process claim that does not include particular machines.
The Diehr patent was for making rubber, using a computer to control the process. It wins the "different state or thing" standard hands down.
The federal circuit dismissed the "useful, concrete, or tangible result" test: that is NOT enough to establish patentability. They also reject the "technological arts" test (see above) that was once-upon-a-time part of the method-patent rules. They agree that it is too hard to tell whether something involves the technological arts; however, unlike the USPTO, they end up ruling the OTHER WAY; that is, to reject MORE broadly than the TA test.
machine-or-transformation test: emphasize the OR.
We will, however, consider some of our past cases to gain insight into the transformation part of the test. A claimed process is patent-eligible if it transforms an article into a different state or thing. This transformation must be central to the purpose of the claimed process. But the main aspect of the transformation test that requires clarification here is what sorts of things constitute "articles" such that their transformation is sufficient to impart patent-eligibility under §101.
- tanning leather
- curing rubber (Diehr case)
The raw materials of many information-age processes, however, are electronic signals and electronically-manipulated data. And some so-called business methods, such as that claimed in the present case, involve the manipulation of even more abstract constructs such as legal obligations, organizational relationships, and business risks. Which, if any, of these processes qualify as a transformation or reduction of an article into a different state or thing constituting patent-eligible subject matter?
Note that while the Bilski decision does not claim to reverse State Street (the case that led to business-method patents), most commentators seem to feel that it has that effect. It is less clear that Bilski would have had a significant effect on software patents.
Applying the Machine-or-Transformation test to famous cases
- RSA? material transformation in "real" terms. The transformation is to a file. While it is electronic, it is decidedly material.
- MP3? material transformation in "real" terms? An mp3 file isn't a physical thing, but it does have a certain "thingness". People think of them as things, and buy them as things. An mp3 file is material.
- NTP? maybe no? The argument can be made that there is no "material thing" on the table here. Email messages are NOT it; the patent only addresses the delivery of email.
- DataTreasury? It seems unlikely that DataTreasury's patents would stand up to this new test.
Supreme Court
Pamela Samuelson, writing in the March 2010 CACM, noted that the Supreme Court appeared during oral arguments to believe that some
way was needed to disallow patenting of nontechnological processes.
Justice Scalia asked whether horse-training techniques should be
patentable, and techniques to "win friends and influence people".
Justice Sotomayor asked whether speed-dating methods could be
patentable, and Justice Breyer asked if a professor could patent an
improved teaching method.
However, this did not quite happen. Here are a few quotes from the decision, written by Justice Kennedy [emphasis by pld]:
Section 101 specifies four independent categories of inventions or discoveries that are patent eligible: “process[es],” “machin[es],” “manufactur[es],” and “composition[s] of matter.” “In choosing such expansive terms, . . . Congress plainly contemplated that the patent laws would be given wide scope”
This Court’s precedents provide three specific exceptions to §101’s broad principles: “laws of nature, physical phenomena, and abstract ideas.”
The machine-or-transformation test is not the sole test for patent eligibility under §101. The Court’s precedents establish that although that test may be a useful and important clue or investigative tool, it is not the sole test for deciding whether an invention is a patent-eligible “process” under §101. In holding to the contrary, the Federal Circuit violated two principles of statutory interpretation: Courts “ ‘should not read into the patent laws limitations and conditions which the legislature has not expressed,’ ” Diamond v. Diehr, 450 U. S. 175, 182, and, “[u]nless otherwise defined, ‘words will be interpreted as taking their ordinary, contemporary, common meaning,’ ”
Section 101 similarly precludes a reading of the term “process” that would categorically exclude business methods. The term “method” within §100(b)’s “process” definition, at least as a textual matter and before consulting other Patent Act limitations and this Court’s precedents, may include at least some methods of doing business.
Because petitioners’ patent application can be rejected under the Court’s precedents on the unpatentability of abstract ideas, the Court need not define further what constitutes a patentable “process,” beyond pointing to the definition of that term provided in §100(b) and looking to the guideposts in Benson, Flook, and Diehr. Nothing in today’s opinion should be read as endorsing the Federal Circuit’s past interpretations of §101. [that is, the Supreme Court is not endorsing the State Street Bank case -- pld]
The appeals court may have thought it needed to make the machine-or-transformation test exclusive precisely because its case law had not adequately identified less extreme means of restricting business method patents. In disapproving an exclusive machine-or-transformation test, this Court by no means desires to preclude the Federal Circuit’s development of other limiting criteria that further the Patent Act’s purposes and are not inconsistent with its text.
In other words: we can kick this patent out without resorting to a Machine or Transformation test, and while we probably think the MoT test is too restrictive, we're not going to say anything further.
Return to Gottschalk v Benson (which Bilski v Kappos did apparently firmly uphold)
It is easy to interpret Bilski as reinforcing the Benson decision. It is up to the Supreme Court, however, to decide if Benson was in fact the right approach. The idea expressed in Benson that the algorithm was "too general" and might be used for anything seems in hindsight rather quaint; it is clear a few decades later that this is going to be the case with perhaps the majority of software patents. For example RSA patented a method of encryption that could be used for anything: banking, personal matters, commerce, digital signatures, etc.
Mayo Labs v Prometheus Labs, Supreme Court, March 20, 2012
Prometheus Labs patented a way of measuring levels of thiopurine drugs to maintain a consistent dosage. The set of metabolites is measured, and from these varying levels an inference can be made as to the level of the original drug.
Mayo Labs used the patented idea without a license. Prometheus sued. The District Court found in favor of Mayo (more or less), but the Federal Circuit held that Prometheus's strategy was patentable, and, furthermore, even met the stronger "machine or transformation" test of patentability. The Federal Circuit's argument was that administration of the drug "transformed" the body, and that administering the blood test "transformed" the blood sample (my first reaction here is that it seems that similar logic could make anything fit the "machine or transformation" logic). Following Bilski, the Supreme Court remanded the Mayo v Prometheus case back to the Federal Circuit for reconsideration; while the Bilski decision was often seen as expanding the rule of patentability beyond the MoT test, what the Supreme Court apparently had in mind was that sometimes things could be patentable while not meeting the MoT test but other times perhaps things could meet the MoT test and yet not be patentable. The Federal Circuit ruled again that Prometheus's invention was patentable under the MoT test.
The Supreme Court ruled:
Because the laws of nature recited by Prometheus’ patent claims—the relationships between concentrations of certain metabolites in the blood and the likelihood that a thiopurine drug dosage will prove ineffective or cause harm—are not themselves patentable, the claimed processes are not patentable unless they have additional features that provide practical assurance that the processes are genuine applications of those laws rather than drafting efforts designed to monopolize the correlations.
What other patents that we've looked at might be construed as patenting abstract principles? The eolas patent? Any patent where a standard data structure is applied to a specific context?
Hacking
To some of you, hacking is clearly wrong and there shouldn't even be a question here. If you're one of them, just pay attention to the legal-strategies-against-hackers part. However, is using a website in a manner contrary to the provider's intentions always hacking? A more serious case is logging on to a site, but not changing anything and in particular not committing theft.
Baase's "three phases of hacking"
1. Early years: "hacking" meant "clever programming"
2. ~1980-~1995: hacking as a term for break-in
- largely teenagers
- "trophy" hacking
- phone lines, BBSs, gov't systems
- lots of social engineering to get passwords
- 1994 Kevin Mitnick Christmas Day attack on UCSD (probably not carried out by Mitnick personally), launched from apollo.it.luc.edu. [!]
3. post-1995: hacking for money
early years / trophy
Phone phreaking: see Baase, p 256
Joe "The Whistler" Engressia was born blind in 1949, with perfect pitch. He discovered (apparently as a child) that, once a call was connected, if you sent a 2600 Hz tone down the line, the phone system would now let you dial a new call, while continuing to bill you for the old one. Typically the first call would be local and the second long-distance, thus allowing a long-distance call for the price (often zero) of a local call. Engressia could whistle the 2600 Hz tone.
According to the wikipedia article on John Draper, Engressia also discovered that the free whistle in "Cap'n Crunch" cereal could be modified to produce the tone; Engressia shared this with Draper who popularized it. Draper took the nickname "Cap'n Crunch".
As an adult, Engressia wanted to be known as "Joybubbles"; he died in August 2007.
Draper later developed the "blue box" that would generate the 2600 Hz trunk-line-idle tone and also other tones necessary for dialing.
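An added example (not from the notes, and not any carrier's actual equipment) of why the 2600 Hz trick worked: a standard Goertzel tone detector cannot tell the network's own trunk-idle tone from a whistle arriving on the subscriber's side of the line, so a switch that carries supervision in the voice band flips to "idle" on a whistle, while a switch whose signalling is out of band ignores audio entirely. The two trunk models and the constructed sine-wave frames are simplifications assumed for illustration.

```python
import math

SAMPLE_RATE = 8000        # telephone-grade audio: 8000 samples per second
TRUNK_IDLE_HZ = 2600.0    # the single-frequency supervision tone described in the notes
FRAME = 400               # 50 ms analysis frames at 8 kHz (130 full cycles of 2600 Hz)


def tone(freq_hz, amplitude=0.5, n=FRAME, rate=SAMPLE_RATE):
    """Constructed test audio: one frame of a pure sine (stand-in for a whistle or for speech)."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate) for i in range(n)]


def goertzel_power(samples, target_hz, rate=SAMPLE_RATE):
    """Energy at one frequency via the Goertzel algorithm, normalised by N^2.

    This is the standard single-bin DFT that tone detectors use; for a pure sine
    of amplitude A sitting exactly on the bin it returns A^2 / 4.
    """
    n = len(samples)
    k = round(n * target_hz / rate)      # nearest DFT bin to the target frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev, s_prev2 = 0.0, 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n * n)


def mean_power(samples):
    """Average signal power of the frame (A^2 / 2 for a pure sine of amplitude A)."""
    return sum(x * x for x in samples) / len(samples)


def has_trunk_idle_tone(frame, min_power=1e-6, ratio=0.3):
    """True when most of the frame's energy sits at 2600 Hz.

    The detector has no idea where the tone came from: the network's own
    supervision equipment and a subscriber whistling into the handset look identical.
    """
    total = mean_power(frame)
    if total < min_power:                # silence: nothing to decide
        return False
    return goertzel_power(frame, TRUNK_IDLE_HZ) / total >= ratio


class InBandTrunk:
    """Simplified model (an assumption of this example) of the legacy design:
    supervision signalling shares the voice channel with the call audio."""

    def __init__(self):
        self.state = "busy"             # a call is up and being billed
        self.billed_call = 1            # billing stays on the first call throughout

    def process_audio(self, frame):
        # Any 2600 Hz energy in the voice path is taken as "trunk idle", so the
        # switch will accept a new dial while billing for call 1 continues.
        if has_trunk_idle_tone(frame):
            self.state = "idle"
        return self.state


class OutOfBandTrunk:
    """Simplified model of the fix the carriers eventually adopted: supervision
    travels on a separate signalling channel, so audio never changes call state."""

    def __init__(self):
        self.state = "busy"

    def process_audio(self, frame):
        return self.state               # audio is only audio

    def signal(self, message):          # only the network's signalling path gets here
        if message == "idle":
            self.state = "idle"
        return self.state


def subscriber_tone_alerts(frames):
    """Detection view: indices of frames where 2600 Hz appeared on the subscriber's leg.

    A monitor on the in-band system could at least log these, which is the only
    defence short of moving signalling out of band.
    """
    return [i for i, f in enumerate(frames) if has_trunk_idle_tone(f)]


def demo():
    speech = tone(1000.0)                # constructed stand-in for ordinary talking
    whistle = tone(TRUNK_IDLE_HZ)        # constructed stand-in for the 2600 Hz whistle
    inband, oob = InBandTrunk(), OutOfBandTrunk()
    return {
        "inband_after_speech": inband.process_audio(speech),    # "busy"
        "inband_after_whistle": inband.process_audio(whistle),  # "idle": free to dial again
        "oob_after_whistle": oob.process_audio(whistle),        # still "busy"
        "alerts": subscriber_tone_alerts([speech, whistle, speech]),  # [1]
    }


if __name__ == "__main__":
    print(demo())
```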
How do we judge these people today? At the time, they were folk heroes.
Everyone hated the Phone Company!
Is phone-phreaking like file sharing? Arguably, there's some public
understanding now that phone phreaking is wrong. Will there later be a
broad-based realization that file-sharing is wrong?
How wrong is what they did? Is
there a role for exposing glitches in modern technology?
From Bruce Sterling's book The Hacker Crackdown: Law and Disorder on the Electronic Frontier, mit.edu/hacker:
What did it mean to break into a computer without permission and use its computational power, or look around inside its files without hurting anything? What were computer-intruding hackers, anyway -- how should society, and the law, best define their actions? Were they just browsers, harmless intellectual explorers? Were they voyeurs, snoops, invaders of privacy? Should they be sternly treated as potential agents of espionage, or perhaps as industrial spies? Or were they best defined as trespassers, a very common teenage misdemeanor? Was hacking theft of service? (After all, intruders were getting someone else's computer to carry out their orders, without permission and without paying). Was hacking fraud? Maybe it was best described as impersonation. The commonest mode of computer intrusion was (and is) to swipe or snoop somebody else's password, and then enter the computer in the guise of another person -- who is commonly stuck with the blame and the bills.
What about the Clifford Stoll "Cuckoo's Egg" case: tracking down an intruder at Berkeley & Livermore Labs; Markus Hess was a West German citizen allegedly working for the KGB. Hess was arrested and eventually convicted (1990). Berkeley culture at that time was generally to tolerate such incidents.
Robert Tappan Morris (RTM) released his Internet worm in 1988; this was the first large-scale internet exploit. Due to a software error, it propagated much more aggressively than had been intended, often consuming all the available CPU. It was based on two vulnerabilities: (1) a buffer overflow in the "finger" daemon, and (2) a feature [!] in many sendmail versions that would give anyone connecting to port 25 a root shell if they entered the secret password "wiz".
Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to gain fame for discovering a security vulnerability. There was no financial incentive.
The jury that convicted him spent several hours discussing Morris's
argument that when a server listened on a port (eg an email server
listening on port 25), anyone was implicitly authorized to send that
port anything they wanted.
That is, it is the server's responsibility to filter out bad data.
While the jury eventually rejected this argument, they clearly took it
very seriously.
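Morris's defense, that a listening server is responsible for refusing bad input, is exactly what a bounded request reader provides; the finger daemon's overflow came from reading a client's line into a fixed buffer with no length check. The following C function is an added example, not part of these notes or of the original fingerd code; the 512-byte limit, the in-memory "wire" buffer standing in for the socket, and the sample requests are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of reading one request line from a client. */
enum read_status { READ_OK, READ_TOO_LONG, READ_BAD_CHAR, READ_NO_NEWLINE };

/* Longest request line the service accepts, NUL included.
 * Assumption for this example: 512 bytes, like a typical fixed buffer. */
#define MAX_REQUEST 512

/* Copy one newline-terminated request from `wire` (the client's bytes,
 * simulated here as an in-memory buffer of `len` bytes) into `out`.
 * An unbounded read into a fixed stack buffer is what the 1988 fingerd
 * overflow exploited; this reader never writes past `cap` bytes and
 * refuses, rather than silently truncating, anything that does not fit
 * or is not a printable ASCII username query. */
enum read_status read_request_line(const char *wire, size_t len,
                                   char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return READ_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)wire[i];
        if (c == '\n') {
            if (n > 0 && out[n - 1] == '\r')
                n--;                          /* tolerate CRLF line ends */
            out[n] = '\0';
            return READ_OK;
        }
        if (c != '\r' && (c < 0x20 || c > 0x7e))
            return READ_BAD_CHAR;             /* control byte or non-ASCII */
        if (n + 1 >= cap)
            return READ_TOO_LONG;             /* no room left before the NUL */
        out[n++] = (char)c;
    }
    return READ_NO_NEWLINE;                   /* client stopped mid-line */
}

int main(void)
{
    char buf[MAX_REQUEST];
    char big[700];                            /* constructed over-long request */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    printf("%d\n", read_request_line("guest\r\n", 7, buf, sizeof buf)); /* 0 */
    printf("%d\n", read_request_line(big, sizeof big, buf, sizeof buf)); /* 1 */
    return 0;
}
```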
Mitnick attack: how much of a problem was that, after all? There are reports that many Mitnick attacks were part of personal vendettas. (Most of these reports trace back to John Markoff's book on Mitnick; Markoff is widely believed to have at a minimum tried to put a slant on the facts that would drive book sales.)
Stage 3: even now, not all attacks are about money.
Baase, p 259:
"In 1998, the US Deputy defense secretary described a series of attacks on US military computers as 'the most organized and systematic attack the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried them out."
What about the London attack of about the same era on air-traffic control?
2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If you read the subject and opened the document, an MS-word macro launched the payload.
MS-word macros were (and are) an appallingly and obviously bad idea. Should people be punished for demonstrating this in such a public way? Was there a time when such a demonstration might have been legitimate?
Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce was discovered after bragging about the attack pseudonymously in chatrooms. Alas for him, he'd previously used his pseudonym "mafiaboy" in posts that contained more-identifying information.
Conficker worm, April 1, 2009, apparently about creating a network of email 'bots.
Putting a dollar value on indirect attacks
This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?) was facing damage claims from one of the Baby Bell companies in excess of $100,000, when it was pointed out that the stolen document was in fact for sale for under $25.
Mark Abene (Phiber Optik) was imprisoned for a year. That was rather long for the actual charge. Mitnick himself spent nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry Childs in San Francisco, who is still in prison.
Calce, Abene & Mitnick all now work in computer security. Is this appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate? If not, what could be done differently?
David Kernell hacked Sarah Palin's email account in 2008, at age 20. He served his 366-day sentence at the Midway Rehabilitation Center in Tennessee, and was allowed to continue at school. Was this an appropriate sentence?
Legal tools against hackers
Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.
Computer Fraud & Abuse Act of 1986: made it illegal to access computers without authorization (or to commit fraud, or to get passwords)
USA PATRIOT Act:
Extends the CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs. Even the cost of measures they should have already implemented before the attack.
Trespassing?
"Trespass to Chattels": maybe.
This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.
In 2000 eBay won a case against Bidder's Edge where the latter used search robots to get information on eBay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamidi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminatory employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-to-chattels claim; there had to be "actual or threatened interference".
After reviewing the decisions analyzing unauthorized electronic contact with computer systems as potential trespasses to chattels, we conclude that under California law the tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning. Such an electronic communication does not constitute an actionable trespass to personal property, i.e., the computer system, because it does not interfere with the possessor's use or possession of, or any other legally protected interest in, the personal property itself. [emphasis added]
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-to-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?
International Airport Centers v Citrin
Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being directed at "hackers" who break in to computer systems. However, nothing in the act requires that a network breakin be involved, and it is clear that Congress understood internal breakins to be a threat as well. The law itself dates from the era of large mainframes.
Just when is internal access a violation of the CFAA? Internal access is what Terry Childs is accused of.
In the 2006 Citrin case, the defendant deleted files from his company-provided laptop before quitting his job and going to work for himself. From http://technology.findlaw.com/articles/01033/009953.html:
Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract with the companies. Before returning the laptop to the companies, Citrin deleted all of the data in it, including not only the data he had collected [and had apparently never turned over to his employer -- pld], but also data that would have revealed to the companies improper conduct he had engaged in before he decided to quit. He caused this deletion using a secure-erasure program, such that it would be impossible to recover the deleted information.
His previous employer sued under the CFAA, noting that the latter contained a provision allowing suits against anyone who "intentionally causes damage without authorization to a protected computer". Citrin argued that he had authorization to use his company-provided laptop. The District Court agreed. The Seventh Circuit (which includes Illinois) reversed, however, arguing in essence that once Citrin had decided to leave the company, and was not acting on the company's behalf, his authorization ended. Or (some guesswork here), Citrin's authorization was only for work done on behalf of his employer; work done against the interests of his employer was clearly not authorized.
Note that Citrin's specific act of deleting the files was pretty clearly an act that everybody involved understood as not what his employer wanted. This is not a grey-area case in that regard. However, trade-secrecy laws might also apply, as might contract law if part of Citrin's employment contract spelled out the terms of use.
Compare this to the Terry Childs or Randall Schwartz cases, below. We don't have all the facts yet on Childs, but on a black-and-white scale these cases would seem at worst to be pale eggshell (that is, almost white). It seems very likely that Schwartz's intent was always to improve security at Intel; it seems equally likely that at least in the three modem-related charges against Childs there was absolutely no intent to undermine city security.
Once again, the court looked at Citrin's actions in broad context, rather than in narrow technological terms. However, it remains unclear whether the court properly understood the full implications. In the context of the Citrin case, the Seventh Circuit simply allowed a civil lawsuit based on the CFAA to go forward. But the CFAA also criminalizes exactly the same conduct that it allows as grounds for civil suits. Specifically, §1030 states:
(a) Whoever
(1) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains
(c) information from any protected computer [a computer "which is used in or affecting interstate or foreign commerce or communication"; ie any computer on the Internet -- pld]
(b) ... shall be punished as provided [below]
(c)(1)(A) ... imprisonment for not more than ten years [plus a fine].
I'm not sure if that's ten years total or ten years per offense.
There was no felony prosecution of Citrin, but consider the following unauthorized uses of a computer:
- Use of Google.com (even for searching) by a minor, prior to March 1, 2012 (when the Google ToS changed)
- Personal web browsing while at work, if the workplace prohibits such actions
- Creating a Facebook account under a pseudonym.
Should a person be subject to felony charges for any of the above?
US v Nosal
In an en banc decision handed down April 10, 2012 by the Ninth Circuit, the court ruled that someone who was authorized to access the data in question could not be charged under the CFAA simply because that access was contrary to the terms of the data owner (ie the employer). This is in more-or-less direct conflict with the Seventh Circuit's ruling in Citrin, suggesting that the Supreme Court is likely to take up this case at some point.
Nosal, like Citrin, had worked for a company (Korn/Ferry) and left to start his own business. Nosal did not take K/F data himself, but persuaded some former colleagues to send him the data. The colleagues were also charged.
Part of what is at stake is that the above phrase, "exceeds authorized access", is used in the rather general section (a)(1), but also in section (a)(4) dealing with fraud. Nosal was originally charged under §(a)(4), and other courts have ruled that fraud based on unauthorized access is indeed covered. However, the language in both sections is the same, and a general legal principle is that you should not interpret language differently simply because the context is different.
Judge Kozinski, in his decision, wrote:
[1] The CFAA defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who's authorized to access only certain data or files but accesses unauthorized data or files -- what is colloquially known as "hacking." For example, assume an employee is permitted to access only product information on the company's computer but accesses customer data: He would "exceed[ ] authorized access" if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.
Kozinski then argued that the second interpretation is much too broad:
[W]e hold that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires "penal laws . . . to be construed strictly."
Ultimately, Kozinski's argument would suggest that if a site or employer did not want you to have access to some data, they should take measures to be sure you cannot access it routinely.
See also Volokh's blog.