Computer Ethics, Summer 2010

Week 6, Thursday (class 16), June 29
Corboy Law Room 323


Patents
    NTP prior art
    Bilski
Hacking
    TJX, credit cards
    Legal tools
    Citrin case
    Felony prosecutions



Reading original patent descriptions

You can look them up online. Follow uspto.gov -> patents -> patft (uspto.gov/patft). Or go directly to the search-by-patent-number page:
      http://patft.uspto.gov/netahtml/PTO/srchnum.htm


NTP v RIM



Look at patents


5436960 One of Campana's earliest patents. It contains the acknowledgement of RF links in prior-art email, though

6317592 Electronic mail system with RF communications to mobile processors This is the "newest" patent. Claim 150 (really paragraph 150) was singled out as having been infringed. (It is reproduced below.) (6 of 9 NTP v RIM claims)

6198783 System for wireless serial transmission of encoded information Modulation techniques

6067451 Electronic mail system with RF communications to mobile processors. See the Appendix, under Background Art, for prior art. Note that in Figure 3, some of the underlying telecom infrastructure is shown ("closest LATA switches"). The first non-prior-art diagram is Figure 8 (page 9). (2 of 9 NTP v RIM claims)

Diagrams, and some text pages in .bmp format, are at http://cs.luc.edu/pld/ethics/campana.

6272190 System for wireless transmission and receiving of information and method of operation thereof

4644351: Zabarsky patent, possible prior art. Note that this is cited in the '592 patent. Paging is also cited there as prior art, in the paragraph beginning, "FIG. 2 illustrates a diagram of a prior art network"

A communications system for carrying messages via a radio channel between one central site of a plurality of central sites and a plurality of two-way remote data units is disclosed. Each central site has a radio coverage area and each remote unit has a unique address and association with one of the central sites. When a message addressed to one of the remote units is received in a central site, a file of remote unit addresses is searched to find the location and central site association of the remote unit to which the message is addressed. If an address match is found indicating that the remote transceiver is in the coverage area of the message-receiving central site, the addressed message is stored and transmitted in that site. If an address match is found indicating that the remote transceiver is in another central site, the addressed message is conveyed to that site for transmission.

This would seem to cover delivering text to specific end-users; eg paging.



Here are two primary claims. The "patentese" is unfortunate and confusing, but the core claim in both cases is using RF links to transmit email.

claim 248 of patent 6067451

246. In a system comprising a communication system which transmits electronic mail containing information, with the electronic mail being inputted to the communication system from a plurality of processors, a RF system and an interface connecting the communication system to the RF system with the information contained in the electronic mail and an identification of a RF device in the RF system being transmitted from the interface to the RF system and broadcast by the RF system to an identified RF device, the identified RF device comprising:

a RF receiver, which receives the information when the identification of the device is detected in a broadcast by the RF system to the RF receiver; and

a memory, coupled to the RF receiver, which stores the information received by the RF receiver contained in the electronic mail inputted to the communication system.

247. The RF device in accordance with claim 246 further comprising:

a processor, coupled to the memory, which after the information has been outputted from the memory, processes the information.

248. The RF device in accordance with claim 247 further comprising:

at least one application program, executed by the processor, which processes the information.

Fig. 8 is the first non-prior-art figure. It is described under the "BEST MODE FOR CARRYING OUT THE INVENTION" heading.

Certainly Campana appears to be patenting the use of RF links in email.

claim 150 of patent 6317592

150. In a communication system comprising a wireless system which communication system transmits electronic mail inputted to the communication system from an originating device which executes electronic mail programming to originate the electronic mail, mobile processors which execute electronic mail programming to function as a destination of electronic mail, and a destination processor to which the electronic mail is transmitted from the originating device and after reception of the electronic mail by the destination processor, information contained in the electronic mail and an identification of a wireless device in the wireless system are transmitted by the wireless system to the wireless device and from the wireless device to one of the mobile processors, the wireless device and one mobile processor comprising:

a wireless receiver connected to the one mobile processor with the one mobile processor receiving the information contained in the electronic mail after the identification of the wireless device is detected by the wireless receiver in a broadcast by the wireless system.

Patent 5436960

FIG. 1 illustrates a block diagram of a typical electronic mail system 10 in commercial use such as by AT&T Corporation. The electronic mail system 10 is comprised of a plurality of single processors or groups of processors #1-#N with N being any number with each group having individual processors A-N with N being any number. The groups of processors #1-#N may be distributed at locations which are linked by the public switch telephone network 12. The individual processors may be portable personal computers with a modem which are linked to the public telephone switch network 12 through wired or RF communications as indicated by a dotted line. Groups of associated processors #1-#3 may have diverse configurations with the illustrated configurations only being representative of possible architectures of groups of associated processors. The groups of associated processors may be connected to a host or mainframe computer through various communication mechanisms such as direct telephone communications (#1), communications through a local area network (#2), or communications through a private automatic branch exchange (#3)...

This sure sounds to me like an acknowledgement that RF links by themselves are prior art.



Patent reexaminations (from http://en.wikipedia.org/wiki/NTP,_Inc.)

NTP has appealed most of the rejections to the Federal Circuit.

Final BPAI decisions for:

To look these up, start at http://portal.uspto.gov/external/portal/pair. Actual documents are under the "image file wrapper" tab. Don't forget "select new case" as appropriate!

In the '451 rejection, the patent examiner found that the "Perkins" prior art included all features of the NTP system, at least when the NTP system was "broadly construed". Also, NTP tried to argue that Perkins wasn't an "electronic mail system", by construing that term very narrowly.

See also page 114, regarding "obviousness". NTP made the following claims as to why their approach was an improvement:

  1. the RF receiver is detachable from the destination processor and operates to wirelessly receive the email messages while it is detached...
  2. the RF receiver includes its own memory to store the received email messages intended for the destination processor and does not require power from the destination processor to receive and store those messages.
  3. the RF receiver provides reception and review of email messages without need of the destination processor for which the email messages are intended.
Alas for NTP, "none of NTP's claims [being appealed] requires an RF receiver which receives email while it is detached...". In other words, NTP does not have a patent on the "detachability" feature they claimed was the central feature!

On page 125, the decision states,
Furthermore, satisfaction of a long-felt but unresolved need is not evidence of nonobviousness unless it is shown that widespread efforts of skilled workers having knowledge of the prior art had failed to find a solution to the problem.

That is consistent with the idea that what RIM really brought to the table was not innovation, but the willingness to invest in the considerable infrastructure needed to support something that many office workers would find useful. The open question was whether they would find it useful enough.

Judge Spencer, of the DC trial, did claim

"Furthermore, NTP offered irrefutable evidence of nonobviousness in the form of tremendous commercial success of the infringing Blackberry products, which indicated the satisfaction of 'long-felt' need."

But the BPAI doesn't buy the theory that meeting long-felt need is evidence of nonobviousness!




DataTreasury (datatreasury.com)

They have developed technology for storage of digital images of bank checks. They actually did develop the whole system, although again the inevitability issue arises here. They did not develop any of the actual root technology: scanners, or data security, or digital storage systems with enough capacity to hold images for negligible cost.

From their website:

The Corporation was founded in 1998 and was granted its first two Network architectural patents (5,910,988 and 6,032,137) in 1999 and 2000, respectively. The patents detail the important and revolutionary aspects of DataTreasury's systems for remote image capture, document imaging, centralized processing and electronic storage. Our innovations were particularly noted for enhanced security, fault tolerance and high reliability. These key elements form the underpinnings of DataTreasury's technology.

That said, it is clear that none of DataTreasury's ideas are revolutionary.

From politico.com/news/stories/0308/9202.html The company had benefited from a controversial 1998 court ruling that broadened the definition of a patent to include business processes.

The proposed (but never passed) patent-reform act of 2007 singled out this patent for congressional revocation.

It appears that DataTreasury is claiming a business-method patent on the use of electronic image scanning for check processing. They are looking for very significant licensing fees. Again, EVERY piece of the technology has been around from well before the patent (scanning, secure storage, ???)

The DataTreasury patent has been singled out by Congress for action, but it is not clear what will happen.



Patent reform:

Someone tried patenting a movie storyline a few years ago. This patent WAS rejected.


Patent Reform Act of 2007: H.R. 1908 and S. 1145 (did not pass)

Those in bold are the most significant.

It did not pass (yet). Here are some of the proposed changes in U.S. patent law:

Discuss: first-to-file: who benefits? how are small inventors affected? How are prior-art rules affected?

publish applications.

This has again been introduced in 2009; apparently the issues are the damages calculation, post-issuance reexamination proceedings, and defining inequitable conduct. At least the last provision has been removed from the 2009 bill. A good-faith defense for believing a patent was invalid is also included. Also included is a definition of prior art to include anything "available to the public"; publication no longer would have to occur.

[Note that NTP argued that RIM's conduct was held to be inequitable simply because NTP had sent them a letter outlining its patent claims, and RIM had disagreed.]


KSR v Teleflex, April 30, 2007

Some good patent news

This Supreme Court case altered the legal standard for disproving "non-obviousness" in favor of defendants. It is now slightly easier to challenge patents on this basis.

Teleflex had a patent on a pedal coupled to an electronic throttle control (basically cruise control). The question was whether that was "obvious".

The proper question to have asked was whether a pedal designer of ordinary skill, facing the wide range of needs created by developments in the field of endeavor, would have seen a benefit to upgrading [a prior art patent] with a sensor

That is, the designer need not have thought of it by themselves, and need not have been motivated to implement the change, but simply saw the benefit. The old "nonobviousness" standard often in effect required proving that a patent was "prior art". This test was known as the "teaching-suggestion-motivation" test. All three pieces had to be there. Another sentence from that decision:

[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.

Does that cover my obvious-in-context approach? Does that suggest that not clicking the mouse is obvious?

Teaching-suggestion-motivation test: too narrow

Would this have helped RIM? Probably.


Bilski case

Federal Circuit decision released October 30, 2008
Supreme Court decision released June 28, 2010 (decision here)

This was a very significant case, decided at the appellate level by an en banc sitting of the Federal Circuit. They proposed a "machine or transformation" test for patentability of abstract processes. The Supreme Court then heard the case, and while they did not uphold the "machine or transformation" test, they ruled that Bilski's invention was not patentable because it was too abstract. There had been widespread speculation that the Supreme Court would use the Bilski case to rein in business-method patents, or at least make the patentability rules a little clearer. They apparently did not do either.

Bilski patent: Claimed method of managing the risk of bad weather in commodities trading.

He submitted a patent application seeking exclusive rights to a method of using hedge contracts to reduce the risk that a commodity's wholesale price might change.

Again, the technique fails under both prior-art and obviousness standards. But those don't apply in the same way to business-method patents.

The patent was rejected by the Patent Board of Appeals. The Board, in rejecting the claim, asked the federal circuit court for assistance in determining patentability of non-technological method claims.

The federal circuit court did the following:

The court by its own action grants a hearing en banc. The parties are requested to file supplemental briefs that should address the following questions:

  1. Whether claim 1 of the 08/833,892 patent application claims patent-eligible subject matter under 35 U.S.C. §101? (the patent-eligibility rules)
  2. What standard should govern in determining whether a process is patent-eligible subject matter under section 101?
  3. Whether the claimed subject matter is not patent-eligible because it constitutes an abstract idea or mental process; when does a claim that contains both mental and physical steps create patent-eligible subject matter?
  4. Whether a method or process must result in a physical transformation of an article or be tied to a machine to be patent-eligible subject matter under section 101?
  5. Whether it is appropriate to reconsider State Street Bank & Trust Co. v. Signature Financial Group, Inc., 149 F.3d 1368 (Fed. Cir. 1998), and AT&T Corp. v. Excel Communications, Inc., 172 F.3d 1352 (Fed. Cir. 1999), in this case and, if so, whether those cases should be overruled in any respect?

The appellate court did affirm the need for a physical transformation. Their central doctrine is "Machine or Transformation". This would have been a problem for business patents, and perhaps software patents.

Note that their reasoning was taken straight from the few SCOTUS cases on record.

The following question arises whenever a patent is applied for on an abstract process: 

[Is the patent] tailored narrowly enough to encompass only a particular application of a fundamental principle rather than to pre-empt the principle itself?

Benson: NO
Diehr: YES (one of the prior SCOTUS cases)
Bilski: NO

This part of the Federal Circuit's reasoning may still stand.

Part of the Benson ruling: Transformation and reduction of an article 'to a different state or thing' is THE clue to the patentability of a process claim that does not include particular machines.

The Diehr patent was for making rubber, using a computer to control the process. It wins the "different state or thing" standard hands down.

They also DISMISS the "useful, concrete, or tangible result" test: that is NOT enough to establish patentability.

They also reject the "technological arts" test (see above) that was once-upon-a-time part of the method-patent rules. They agree that it is too hard to tell whether something involves the technological arts; however, unlike the USPTO, they end up ruling the OTHER WAY; that is, to reject MORE broadly than the TA test.

machine-or-transformation test: emphasize the OR.

We will, however, consider some of our past cases to gain insight into the transformation part of the test. A claimed process is patent-eligible if it transforms an article into a different state or thing. This transformation must be central to the purpose of the claimed process. But the main aspect of the transformation test that requires clarification here is what sorts of things constitute "articles" such that their transformation is sufficient to impart patent-eligibility under §101.

Tanning leather; curing rubber (Diehr case)

The raw materials of many information-age processes, however, are electronic signals and electronically-manipulated data. And some so-called business methods, such as that claimed in the present case, involve the manipulation of even more abstract constructs such as legal obligations, organizational relationships, and business risks. Which, if any, of these processes qualify as a transformation or reduction of an article into a different state or thing constituting patent-eligible subject matter?

Note that while the Bilski decision does not claim to reverse State Street (the case that led to business-method patents), most commentators seem to feel that it has that effect. It is less clear that Bilski means software patents no longer stand.

Applying the Machine-or-Transformation test to famous cases

RSA? material transformation in "real" terms The transformation is to a file. While it is electronic, it is decidedly material.

MP3? material transformation in "real" terms? An mp3 file isn't a physical thing, but it does have a certain "thingness". People think of them as things, and buy them as things. An mp3 file is material.

NTP? maybe no? The argument can be made that there is no "material thing" on the table here. Email messages are NOT it; the patent only addresses the delivery of email.

DataTreasury? It seems unlikely that DataTreasury's patents would stand up to this new test.

Pamela Samuelson, writing in the March 2010 CACM, believes the court is likely to stick close to the machine-or-transformation test, because they appeared during oral arguments to believe that some way is needed to disallow patenting of nontechnological processes. Justice Scalia asked whether horse-training techniques should be patentable, and techniques to "win friends and influence people". Justice Sotomayor asked whether speed-dating methods could be patentable, and Justice Breyer asked if a professor could patent an improved teaching method.

However, this did not quite happen. Here are a few quotes from the decision, written by Justice Kennedy:

Section 101 specifies four independent categories of inventions or discoveries that are patent eligible: “process[es],” “machin[es],” “manufactur[es],” and “composition[s] of matter.” “In choosing such expansive terms, . . . Congress plainly contemplated that the patent laws would be given wide scope”

This Court’s precedents provide three specific exceptions to §101’s broad principles: “laws of nature, physical phenomena, and abstract ideas.”

The machine-or-transformation test is not the sole test for patent eligibility under §101. The Court’s precedents establish that although that test may be a useful and important clue or investigative tool, it is not the sole test for deciding whether an invention is a patent-eligible “process” under §101. In holding to the contrary, the Federal Circuit violated two principles of statutory interpretation: Courts “ ‘should not read into the patent laws limitations and conditions which the legislature has not expressed,’ ” Diamond v. Diehr, 450 U. S. 175, 182, and, “[u]nless otherwise defined, ‘words will be interpreted as taking their ordinary, contemporary, common meaning,’ ”

Section 101 similarly precludes a reading of the term “process” that would categorically exclude business methods. The term “method” within §100(b)’s “process” definition, at least as a textual matter and before consulting other Patent Act limitations and this Court’s precedents, may include at least some methods of doing business.

Because petitioners’ patent application can be rejected under the Court’s precedents on the unpatentability of abstract ideas, the Court need not define further what constitutes a patentable “process,” beyond pointing to the definition of that term provided in §100(b) and looking to the guideposts in Benson, Flook, and Diehr. Nothing in today’s opinion should be read as endorsing the Federal Circuit’s past interpretations of §101. [that is, the Supreme Court is not endorsing the State Street Bank case -- pld]

The appeals court may have thought it needed to make the machine-or-transformation test exclusive precisely because its case law had not adequately identified less extreme means of restricting business method patents. In disapproving an exclusive machine-or-transformation test, this Court by no means desires to preclude the Federal Circuit’s development of other limiting criteria that further the Patent Act’s purposes and are not inconsistent with its text.


Return to Gottschalk v Benson (which Bilski v Kappos did apparently firmly uphold)

It is easy to interpret Bilski as reinforcing the Benson decision. But it's a lower-court ruling that in fact simply brings lower-court patent rules in line with Benson. It's up to the Supreme Court, however, to decide if Benson was in fact the right approach. The idea expressed in Benson that the algorithm was "too general" and might be used for anything seems in hindsight rather quaint; it is clear a few decades later that this is going to be the case with just about all software patents. For example RSA patented a method of encryption that could be used for anything: banking, personal matters, commerce, digital signatures, etc.



A brief history of hacking
Legal tools
Felony prosecutions
Zero-day exploits: cisco, MBTA
Trust and SSL
Jurisdiction
Trusting software
Voting
Linking

Hacking

To some of you, hacking is clearly wrong and there shouldn't even be a question here. If you're one of them, just pay attention to the legal-strategies-against-hackers part. However, is using a website in a manner contrary to the provider's intentions always hacking? A more serious case is logging on to a site, but not changing anything and in particular not committing theft.

Baase's "three phases of hacking"

1. Early years: "hacking" meant "clever programming"

2. ~1980-~1995:
    hacking as a term for break-in
    largely teenagers
    "trophy" hacking
    phone lines, BBSs, gov't systems
    lots of social engineering to get passwords
  
1994 Kevin Mitnick Christmas Day attack on UCSD (probably not carried out by Mitnick personally), launched from apollo.it.luc.edu. [!]
   
3. post-1995: hacking for money

early years / trophy
Phone phreaking: see Baase, p 256
Joe "The Whistler" Engressia was born blind in 1949, with perfect pitch. He discovered (apparently as a child) that, once a call was connected, if you sent a 2600 Hz tone down the line, the phone system would now let you dial a new call, while continuing to bill you for the old one. Typically the first call would be local and the second long-distance, thus allowing a long-distance call for the price (often zero) of a local call. Engressia could whistle the 2600 Hz tone.
       
According to the wikipedia article on John Draper, Engressia also discovered that the free whistle in "Cap'n Crunch" cereal could be modified to produce the tone; Engressia shared this with Draper who popularized it. Draper took the nickname "Cap'n Crunch".

As an adult, Engressia wanted to be known as "Joybubbles"; he died in August 2007.
       
Draper later developed the "blue box" that would generate the 2600 Hz trunk-line-idle tone and also other tones necessary for dialing.
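The phreaking exploit above worked because the 2600 Hz supervisory tone was in-band: the same audio channel carried both the conversation and the switch's control signalling, so anything a caller could whistle, the switch would obey. The defensive counterpart, which the carriers eventually deployed, is to watch customer audio for the supervisory tone and flag or filter it. The following is an added example (not from the lecture notes or from any telco's equipment) of such a detector: a Goertzel filter, the standard single-frequency detector used for DTMF decoding, run over constructed 8 kHz audio frames. The sample rate, frame length and threshold are assumptions chosen so the test tones fall exactly on filter bins.

```python
import math

FS = 8000          # assumed sample rate (telephony standard), Hz
FRAME = 400        # assumed frame length: 400 samples = 50 ms at 8 kHz
TRUNK_IDLE_HZ = 2600.0  # the supervisory tone described in the notes


def make_tone(components, fs=FS, n=FRAME):
    """Constructed audio: sum of (frequency_hz, amplitude) sinusoids, n samples at fs."""
    return [sum(a * math.sin(2 * math.pi * f * i / fs) for f, a in components)
            for i in range(n)]


def goertzel_magnitude(samples, fs, freq):
    """Estimate the amplitude of one frequency in a frame (Goertzel algorithm).

    Equivalent to computing the single DFT bin nearest `freq` and scaling it so a
    pure sinusoid of amplitude A reports roughly A. Cheap enough to run per line
    on a switch, which is why it was the detector of choice for tone signalling.
    """
    n = len(samples)
    k = round(n * freq / fs)             # nearest DFT bin
    w = 2 * math.pi * k / n
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return 2 * math.sqrt(max(power, 0.0)) / n


def tone_present(samples, fs=FS, freq=TRUNK_IDLE_HZ, threshold=0.2):
    """True when the target tone is present above an (assumed) amplitude threshold."""
    return goertzel_magnitude(samples, fs, freq) >= threshold


def scan_for_supervisory_tone(stream, fs=FS, frame=FRAME):
    """Split a customer audio stream into frames; return indices of frames carrying 2600 Hz.

    A switch would treat any such frame on a customer line as a signalling anomaly
    to log or filter, rather than as a legitimate trunk-idle indication.
    """
    flagged = []
    for idx in range(0, len(stream) - frame + 1, frame):
        if tone_present(stream[idx:idx + frame], fs):
            flagged.append(idx // frame)
    return flagged


# Constructed demo stream: 150 ms of "voice" (a 440 Hz tone), 100 ms of the
# 2600 Hz supervisory tone injected by the caller, then 50 ms of voice again.
DEMO_STREAM = (make_tone([(440, 0.8)], n=1200)
               + make_tone([(2600, 1.0)], n=800)
               + make_tone([(440, 0.8)], n=400))

if __name__ == "__main__":
    print("frames carrying 2600 Hz:", scan_for_supervisory_tone(DEMO_STREAM))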
       
How do we judge these people today? At the time, they were folk heroes. Everyone hated the Phone Company!
   
Is phone-phreaking like file sharing? Arguably, there's some public understanding now that phone phreaking is wrong. Will there later be a broad-based realization that file-sharing is wrong?
   
How wrong is what they did? Is there a role for exposing glitches in modern technology?
   
From Bruce Sterling's book The Hacker Crackdown: Law and Disorder on the Electronic Frontier, mit.edu/hacker:

What did it mean to break into a computer without permission and use its computational power, or look around inside its files without hurting anything? What were computer-intruding hackers, anyway -- how should society, and the law, best define their actions? Were they just browsers, harmless intellectual explorers? Were they voyeurs, snoops, invaders of privacy? Should they be sternly treated as potential agents of espionage, or perhaps as industrial spies? Or were they best defined as trespassers, a very common teenage misdemeanor? Was hacking theft of service? (After all, intruders were getting someone else's computer to carry out their orders, without permission and without paying). Was hacking fraud? Maybe it was best described as impersonation. The commonest mode of computer intrusion was (and is) to swipe or snoop somebody else's password, and then enter the computer in the guise of another person -- who is commonly stuck with the blame and the bills.


  
What about the Clifford Stoll "Cuckoo's Egg" case: tracking down an intruder at Berkeley & Livermore Labs; Markus Hess was a West German citizen allegedly working for the KGB. Hess was arrested and eventually convicted (1990). Berkeley culture at that time was generally to tolerate such incidents.

Robert Tappan Morris (RTM) released his Internet worm in 1988; this was the first large-scale internet exploit. Due to a software error, it propagated much more aggressively than had been intended, often consuming all the available CPU. It was based on two vulnerabilities: (1) a buffer overflow in the "finger" daemon, and (2) a feature [!] in many sendmail versions that would give anyone connecting to port 25 a root shell if they entered the secret password "wiz".

Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to gain fame for discovering a security vulnerability. There was no financial incentive.

The jury that convicted him spent several hours discussing Morris's argument that when a server listened on a port (eg an email server listening on port 25), anyone was implicitly authorized to send that port anything they wanted. That is, it is the server's responsibility to filter out bad data. While the jury eventually rejected this argument, they clearly took it very seriously.

Mitnick attack: how much of a problem was that, after all? There are reports that many Mitnick attacks were part of personal vendettas. (Most of these reports trace back to John Markoff's book on Mitnick; Markoff is widely believed to have at a minimum tried to put a slant on the facts that would drive book sales.)



Stage 3: even now, not all attacks are about money.

Baase, p 259:
"In 1998, the US Deputy defense secretary described a series of attacks on US military computers as 'the most organized and systematic attack the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried them out."
   
What about the London attack of about the same era on air-traffic control?

2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If you read the subject and opened the document, an MS-word macro launched the payload.

MS-word macros were (and are) an appallingly and obviously bad idea. Should people be punished for demonstrating this in such a public way? Was there a time when such a demonstration might have been legitimate?


Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by bragging about the attack pseudonymously on chatrooms. Alas for him, he'd previously used his pseudonym "mafiaboy" in posts that contained more-identifying information.

Conficker worm, April 1, 2009, apparently about creating a network of email 'bots.

Putting a dollar value on indirect attacks

This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?) was facing damage claims from one of the Baby Bell companies in excess of $100,000, when it was pointed out that the stolen document was in fact for sale for under $25.

Mark Abene (Phiber Optik) was imprisoned for a year. That was rather long for the actual charge. Mitnick himself spent nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry Childs in San Francisco, who is still in prison.



Calce, Abene & Mitnick all now work in computer security. Is this appropriate?

One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate?

If not, what could be done differently?



Modern phishing attacks (also DNS attacks)


Stealing credit-card numbers from stores. (Note: stores are not supposed to retain these at all. However, many do.)

Boeing attack, Baase p 262: how much should Boeing pay to make sure no files were changed?

TJX attack: Baase p 87 and p 271

The breakin was discovered in December 2006, but may have gone back to 2005.

40 million credit-card numbers were stolen! And 400,000 SSNs, and a large number of drivers-license numbers.

Hackers apparently cracked the obsolete WEP encryption on wi-fi networks to get in, using a "cantenna" from outside the building. Once in, they accessed and downloaded files. There are some reports that they eavesdropped on data streaming in from stores, but it seems likely that direct downloads of files were also involved.

Six suspects were eventually arrested. I believe they have all now been convicted; there's more information in the privacyrights.org page below (which also pegs the cost to TJX at $500-1,000 million).

For a case at CardSystems Solutions, see http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html. Here the leak was not due to wi-fi problems, but lack of compliance with standards was apparently involved. Schneier does a good job explaining the purely contractual security requirements involved, and potential outcomes. Schneier also points out

Every credit card company is terrified that people will reduce their credit card usage. They're worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They're worried about how their brands are perceived by the public.

The TJX and CardSystems attacks were intentional, not just data gone missing.

When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.


Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.

An emerging standard is Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org. Note that PCI DSS is not a law, but is "private regulation". Once upon a time, the most effective regulators of steam-powered ships were insurance companies [reference?]. This is similar, but MasterCard and Visa are not quite the same as insurers. From the FAQ above:

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

If you are a store, you can refuse to pay the fine. But then you will lose the ability to accept credit cards. This is extremely bad!

Visa's CISP program is described at http://www.visa.com/cisp.

The PCI standards do allow merchants to store the name and account-number data. However, this is strongly discouraged. Sites that keep this information are required by PCI to have it encrypted. CardSystems was keeping this data because they were having a higher-than-expected rate of problems with transactions, and they were trying to figure out why.

To some extent, PCI DSS compliance is an example of how ethical behavior is in your own long-term best interest.


Identity Theft

What is it? What can be done?

And WHO IS RESPONSIBLE??

The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".

Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.

This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.





Hacking and probing

Is it ok to be "testing their security"?
What if it's a government site?

Should you be allowed to run a security scanner against other sites?

What if the security in question is APPALLINGLY BAD?

What if you have some relationship to the other host?
 
Baase, p 270:
"The Defense Information Systems Agency estimated that there were 500,000 hacker attacks on Defense Department networks in 1996, that 65% of them were successful, and that the Dept detected fewer than 1%". But 1996 was a long long time ago.

Do we as citizens have an obligation to hack into our government's computers, to help demonstrate how insecure they are?

What about hacking into Loyola's computers? Are we obligated to do that? What about Loyola's wireless network?

Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly harmful to us?



Hacktivism


In 2006, Kevin Mitnick's sites were defaced by a group. There's some irony there.

Other Baase cases:
    several attacks against Chinese gov't sites, due to repressive policies
    pro-Zapatista groups defacing Mexican government sites
    US DoJ site changed to read "Department of Injustice"




Legal tools against hackers

Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.

Computer Fraud & Abuse Act of 1986: made it illegal to access computers without authorization (or to commit fraud, or to get passwords)

USA PATRIOT Act:
extends CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs.
   
Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.

In 2000 eBay won a case against Bidder's Edge, where the latter used search robots to get information on eBay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.

Later court cases have often required proof of actual harm, though. In 1998 [?], Ken Hamidi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminatory employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".

       After reviewing the decisions analyzing unauthorized electronic contact with computer systems as potential trespasses to chattels, we conclude that under California law the tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning. Such an electronic communication does not constitute an actionable trespass to personal property, i.e., the computer system, because it does not interfere with the possessor’s use or possession of, or any other legally protected interest in, the personal property itself. [emphasis added]

How do you prosecute when there is no attempt to damage anything?

Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?



International Airport Centers v Citrin

Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being directed at "hackers" who break in to computer systems. However, nothing in the act requires that a network breakin be involved, and it is clear that Congress understood internal breakins to be a threat as well.

Just when is internal access a violation of the CFAA? Internal access is what Terry Childs is accused of.

In the 2006 Citrin case, the defendant deleted files from his company-provided laptop before quitting his job and going to work for himself. From http://technology.findlaw.com/articles/01033/009953.html:

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract with the companies. Before returning the laptop to the companies, Citrin deleted all of the data in it, including not only the data he had collected [and had apparently never turned over to his employer -- pld], but also data that would have revealed to the companies improper conduct he had engaged in before he decided to quit. He caused this deletion using a secure-erasure program, such that it would be impossible to recover the deleted information.

His previous employer sued under the CFAA, noting that the latter contained a provision allowing suits against anyone who "intentionally causes damage without authorization to a protected computer". Citrin argued that he had authorization to use his company-provided laptop. The District Court agreed. The Seventh Circuit reversed, however, arguing in essence that once Citrin had decided to leave the company, and was not acting on the company's behalf, his authorization ended. Or (some guesswork here), Citrin's authorization was only for work done on behalf of his employer; work done against the interests of his employer was clearly not authorized.

Once again, the court looked at Citrin's actions in broad context, rather than in narrow technological terms.

Note that Citrin's specific act of deleting the files was pretty clearly an act that everybody involved understood as not what his employer wanted. This is not a grey-area case.

Compare this to the Terry Childs or Randall Schwartz cases, below. We don't have all the facts yet on Childs, but on a black-and-white scale these cases would seem at worst to be pale eggshell (that is, almost white). It seems very likely that Schwartz's intent was always to improve security at Intel; it seems equally likely that at least in the three modem-related charges against Childs there was absolutely no intent to undermine city security, or to act in any way contrary to what the city would have wanted if it had in fact any clue.


Felony prosecutions: Kutztown 13, Randall Schwartz, Terry Childs, Julie Amero

Kutztown 13
Students were issued 600 Apple iBooks in 2004.
The admin password was part of school address, taped to the back! The password was changed, but the new one was cracked too. Some of the students got admin privileges and:
                bypassed browser filtering
                installed chat/IM software, maybe others
                disabled monitoring software
The students were accused of monitoring teachers or staff, but that seems unlikely.

The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
       
The offenders were warned repeatedly. But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge was for felony computer trespass.

The school argued that the charges were filed because the students signed an "acceptable use" policy. But why should that make any difference in whether felony charges were pursued?
      
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
       



Randall Schwartz
    http://www.lightlink.com/spacenka/fors

Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking a file without authorization was declared to be THEFT.

Schwartz faced three counts:

  1. Installation of an email backdoor at Intel (he thought he had some kind of permission)
  2. Taking password file
  3. Taking individual passwords

These he did as a former sysadmin, now assigned to other duties, but still concerned about password security. All he did was to run the "crack" program to guess passwords. This involved copying the public /etc/passwd file, which at that time contained the encrypted passwords, and to this day contains the username-to-userid mapping used every time you run ls -l.
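The notes above describe two things that live in /etc/passwd: the uid-to-username table that ls -l consults, and (on 1990s systems) the encrypted passwords themselves, which is what made copying the world-readable file worth doing. As an added example (not from the lecture notes), the following parses passwd(5) lines, builds that uid map, and flags any account whose hash is still sitting in the world-readable file instead of /etc/shadow, or whose password field is empty; the sample file contents are constructed, not from a real system.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample (not a real system file): two shadowed accounts, one
# legacy entry still carrying a hash in field 2, and one empty password field.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:ab3Fk9eP1x2Qw:1001:1001:Old Account:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""

@dataclass
class PasswdEntry:
    name: str
    pw_field: str   # 'x' = hash lives in /etc/shadow; '*', '!' = locked account
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines of the form name:pw:uid:gid:gecos:home:shell."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def uid_map(entries: List[PasswdEntry]) -> Dict[int, str]:
    """The uid -> username mapping that 'ls -l' consults to print file owners."""
    return {e.uid: e.name for e in entries}

def exposed_accounts(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Flag accounts whose password field is neither shadowed nor locked.
    A hash left here is readable by every local user (the situation the notes
    describe for the 1990s); an empty field means no password at all."""
    findings = []
    for e in entries:
        if e.pw_field == "":
            findings.append((e.name, "empty password field"))
        elif e.pw_field not in ("x", "*", "!", "!!"):
            findings.append((e.name, "hash stored in passwd, not shadow"))
    return findings
```

To audit a live system, pass the contents of /etc/passwd to parse_passwd instead of SAMPLE_PASSWD; on a modern system exposed_accounts should return an empty list.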

The appeals court argued that although "authorization" wasn't spelled out in the law, Schwartz did things without authorization as narrowly interpreted. The appellate court also upheld the trial court's interpretation of "theft": taking anything without permission, even if the thing is essentially useless or if the taking is implicitly authorized.

The appellate court also seemed to believe that Schwartz might have been looking for flaws in order to take credit for finding them, and that such personal aggrandizement was inappropriate. But employees look for problems at work and try to fix them all the time, hoping to receive workplace recognition.



The Schwartz and Kutztown 13 cases have in common the idea that sometimes the law makes rather mundane things into felonies. For Schwartz, it is very clear that he had no "criminal" intent in the usual sense, although he did "intend" to do the actions he was charged with.