Computer Ethics, Summer 2011

It does seem that the i4i case was based largely on the presence in Word of the "XML Data Store":

XML Data Store

In Office 12, we've introduced a new feature to the formats that we're currently calling the XML data store, and the way it works is really simple. As you should all know by now, the new format consists of a ZIP file with a bunch of XML parts (files) inside. Up until now we've talked about all the parts that we in Office have defined to create our documents. You as a developer also have the ability to add your own parts though. You can take any XML file and put it inside the ZIP package. Then all you need to do is create a relationship from the main document part to your XML part, and the Office applications will roundtrip your XML with the file, which means:

Roundtripping your data: The ability to put your XML in the ZIP package means that you now have a place to store any data your solution may need. The data will travel with the document, but will always be stored as a separate XML part in the ZIP package. This means it's really easy to get to and modify without dealing with any of the application's data....

The i4i patent was for a complete separation of structure and content. What MS was doing is to have a separate XML file that defined part of the structure of the final document, much like a style sheet. While the finding for infringement isn't quite as preposterous as determining that inline XML was still a "data structure" in the sense of i4i's patent, there is nothing in the patent that suggests 

Look at an unzipped .docx file

TJX attack and PCI DSS

An emerging standard is Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org. Note that PCI DSS is not a law, but is "private regulation". Once upon a time, the most effective regulators of steam-powered ships were insurance companies [reference?]. This is similar, but MasterCard and Visa are not quite the same as insurers. From the FAQ above:

If you are a store, you can refuse to pay the fine. But then you will lose the ability to accept credit cards. This is extremely bad!

Visa's CISP program is described at http://www.visa.com/cisp.

The PCI standards do allow merchants to store the name and account-number data. However, this is strongly discouraged. Sites that keep this information are required by PCI to have it encrypted. CardSystems was keeping this data because they were having a higher-than-expected rate of problems with transactions, and they were trying to figure out why.

To some extent, PCI DSS compliance is an example of how ethical behavior is in your own long-term best interest.

Note that the MC/Visa requirements have been described as very onerous to small vendors, and MC/Visa provides little recourse once they cut you off. They appear to be easier to work with, however, than PayPal, which is notorious for terminating accounts with small vendors.

Identity Theft

what is it? What can be done?

And WHO IS RESPONSIBLE??

The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".

Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.

This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.

Hacking and probing

Is it ok to be "testing their security"?
What if it's a government site?

Should you be allowed to run a security scanner against other sites?

What if the security in question is APPALLINGLY BAD?

What if you have some relationship to the other host?
 
Baase, p 270:
"The Defense Information Systems Agency estimated that there were 500,000 hacker attacks on Defense Department networks in 1996, that 65% of them were successful, and that the Dept detected fewer than 1%". But 1996 was a long long time ago.

Do we as citizens have an obligation to hack into our government's computers, to help demonstrate how insecure they are?

What about hacking into Loyola's computers? Are we obligated to do that? What about Loyola's wireless network?

Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly harmful to us?

Hactivism

In 2006, Kevin Mitnick's sites were defaced by a group. There's some irony there.

Other Baase cases:
    several attacks against Chinese gov't sites, due to repressive policies
    pro-Zapatista groups defacing Mexican government sites
    US DoJ site changed to read "Department of Injustice"

Legal tools against hackers

Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.

Computer Fraud & Abuse Act of 1986: made it illegal to access computers without authorization (or to commit fraud, or to get passwords)

USAP AT RIOT act:
extends CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs.
   
Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.

In 2000 e-bay won a case against Bidder's Edge where the latter used search robots to get information on e-bay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.

Later court cases have often required proof of actual harm, though. In 1998 [?], Ken Hamadi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminating employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".

How do you prosecute when there is no attempt to damage anything?

Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?

International Airport Centers v Citrin

Felony prosecutions: Kutztown 13, Randall Schwartz, Terry Childs, Julie Amero

Kutztown 13
Students were issued 600 apple ibooks in 2004
The admin password was part of school address, taped to the back! The password was changed, but the new one was cracked too. Some of the students got admin privileges and:
                bypassed browser filtering
                installed chat/IM software, maybe others
                disabled monitoring software
The students were accused of monitoring teachers or staff, but that seems unlikely.

The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
       
The offenders were warned repeatedly. But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge was for felony computer trespass.

The school argued that the charges were filed because the students signed an "acceptable use" policy. But why should that make any difference in whether felony charges were pursued?
      
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
       

Randall Schwarz
    http://www.lightlink.com/spacenka/fors

Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking a file without authorization was declared to be THEFT.

Schwartz faced three counts:

1. Installation of an email backdoor at Intel (he thought he had some kind of permission)
2. Taking password file
3. Taking individual passwords

These he did as a former sysadmin, now assigned to other duties, but still concerned about password security. All he did was to run the "crack" program to guess passwords. This involved copying the public /etc/passwd file, which at that time contained the encrypted passwords, and to this day contains the username-to-userid mapping used every time you run ls -l.

The appeals court argued that although "authorization" wasn't spelled out in the law, Schwartz did things without authorization as narrowly interpreted. The appellate court also upheld the trial court's interpretation of "theft": taking anything without permission, even if the thing is essentially useless or if the taking is implicitly authorized.

The appellate court also seemed to believe that Schwartz might have been looking for flaws to take credit for them, and that such personal aggrandizement was inappropriate. But employees all the time look for problems at work and try to fix them, hoping to receive workplace recognition.

Schwartz and Kutztown 13 cases have in common the idea that sometimes the law makes rather mundane things into felonies. For Schwartz, it is very clear that he had no "criminal" intent in the usual sense, although he did "intend" to do the actions he was charged with.

Felony prosecutions: Kutztown 13, Randall Schwartz, Terry Childs, Julie Amero

Terry Childs

Childs was a Cisco-certified Internetwork Expert (CCIE) working for San Francisco; he was the only one with the router passwords for the city's fiberWAN network.

He was suspended for insubordination on July 9, 2008, apparently for refusing to turn over router passwords. There are GOOD reasons for limiting access to such passwords on a need-to-know basis, BUT refusing to turn them over might be going pretty far. Especially when this locks the owners of the system out.

However, there are some mitigating factors, including the fact that there was an open speakerphone call in progress at the time Childs was asked for the passwords. We do not know if Childs was given another chance to turn over the passwords, or told to turn them over privately to his immediate supervisor, or to create another account. There were allegations at the trial that Childs knew he was expected to turn over the passwords, after the confrontation, but did not do so. However, it seems plausible that if Childs had turned over the passwords at the initial conference, he might have been prosecuted for doing so.

At the trial, Childs claimed he was only asked (by his supervisors and by the police) for his username and password, not for access to the systems in question (which he could have granted by creating another account). Other accounts claim that Childs clearly knew what his supervisors wanted, and refused to give it to him.

Most accounts describe the July 9 meeting as a "confrontation", ultimately as much due to poor San Francisco management as Childs' behavior.

Note that the password in question was not a personal password, but rather an administrative password for a set of Cisco routers. The routers had been configured so as to be difficult to update without the password.

He was arrested by SF police on Saturday, July 12, 2008 on four counts of computer tampering. He was never granted bail, and he remained in prison through his April 27, 2010 conviction. (As of December 2010, he is still in prison.)

He refused to give the police valid passwords at his arrest (such refusal without having the opportunity to consult with a lawyer is protected by the 5th Amendment, although it is not clear whether he continued to refuse). He did give the passwords to then-mayor Gavin Newsom of SF, on July 21, 2008, while in prison.

It seems likely that Childs would have had opportunities to negotiate with his supervisors for the handover of the passwords between the July 9 confrontation and his arrest, though he was suspended.

At no point did Childs do anything to damage the network, and the network was never down at any time.

Childs had some past history: he committed a burglary at age 17 and spent 4 years in prison. This apparently has no bearing on the present case.

The city's main claim is that Childs was arrested because he placed the city systems in jeopardy. However:

1. Refusal to share passwords is complicated to see as a criminal act. After all, Childs could always quit. Or, for that matter, die.
   
2. The city knowingly created and encouraged the environment in which Childs was the only one with the passwords.
   
3. No working systems were ever at risk.

The biggest concern to computing professionals is that San Francisco then created a laundry list of criminal allegations against Childs that in fact are standard practices:

1. Childs knew several other people's passwords. (A list of 150 such was found in Child's house, and entered into evidence at his bail hearing without redacting the passwords themselves.)
   
2. He had network sniffers in place
   
3. He had "back-door" access to the routers, through several modems (three in the final criminal count). But these were pretty clearly for emergency access.
   
4. Routers were configured to resist password recovery (this is standard practice when the physical security of the device is in question).
   
5. Configurations were not written to flash memory (same as 4)
   
6. Childs' pager was sent a page by one of the routers (duh)
   

Childs seems to have been "security-conscious to the point of paranoia". But most good computer-security people are!

In opposing bail reduction for Childs, the city's attorneys wrote in July 2008:

The final four charges (pretty close to the original, but none of the tantalizing allegations of the bail-reduction motion making it in): one of "disrupting or denying computer services" (by not revealing the passwords) and three of "providing a means of accessing a computer, computer system, or computer network" (one for each of the three modems).

The latter three charges were finally dropped on August 21, 2009, over a year later. Bail remained at $5 million, even though the state's original argument against bail reduction was based on the three dropped charges and the idea that the "unauthorized" modems might mean that Childs had other backdoors into the city network. Also, San Francisco had plenty of time to tighten up security. It is possible that the three dropped "unauthorized modem" charges were dropped because of the impossibility of proving that they were in fact unauthorized, though that is to some extent exactly the defense's point.

Childs is charged with "disrupting or denying computer services". However,

• He did not disrupt any computer services
• He did eventually reveal the correct password
• He could have been charged under the same law had he revealed the password when first asked, given the full circumstances surrounding that confrontation.
  

Note that in the first "disrupting or denying computer services" charge, no computer services were actually disrupted. The only thing denied was the password.

He did configure the network in a manner that made it difficult for coworkers to reconfiguring it. Was this about prudence, or job security? He apparently did not face day-to-day clear lines of authority; he definitely was not asked to make the master passwords available to supervisors until the Dispute.

There are no charges (as filed in February 2009) of network tampering; these appeared in court documents in July and August 2008 but were dropped. ("Network tampering" appears to have been replaced by the three modem charges.)

The modems were all apparently legitimate: the first was to dial Childs' pager if there was a problem (through the What's Up Gold monitoring package), the second was to allow immediate dialin access to some SF networks (not apparently the FiberWAN), and in addition was apparently installed before Childs was hired, and the third was to provide an alternative communications paths to emergency services across the San Andreas fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to be documented anywhere in any filings to date.

The questions were, first, did the defendant know he caused a disruption or a denial of computer service. It was rather easy for us to answer, "Yes there was a denial of service." And that service was the ability to administer the routers and switches of the FiberWAN.

Is refusing to turn over a password really a denial of service? It seems more like a denial of potential service.

That was the first aspect of it, the second aspect was the denial to an authorized user. And for us that's what we really had to spend the most time on, defining who an authorized user was. Because that wasn't one of the definitions given to us.

Julie Amero case

zero-day exploits
Should they be tolerated? Encouraged?

1. Sometimes vendors ignore exploit reports without the publicity.
   
2. Sometimes users really need a script to tell them if they are vulnerable; such a script is typically tantamount to an exploit
3. Sometimes announcing a flaw gives crackers all they need to exploit it; withholding details merely gives false security.

Consensus seems to be that zero-day exploits are a bad idea, that one has some responsibility to let vendors know about an exploit so a patch can be developed.

Patch Tuesday is now followed by Exploit Wednesday.

Cisco 2005 case involving Michael Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html

MBTA Card

Hacking

What legal responses are appropriate?
Should we criminalize having hacking tools?
What about magnetic-stripe readers? RFID readers?
Pringles cans (for use as cantennas)?
DVD players that bypass the region code?
What about c compilers?

Note that it is in fact already illegal to possess certain things that can have illegal uses, such as automotive dent pullers (used to pull cylinders out of locks) and tools that look like they might be lock picks.

Pirate Bay verdict

Trust

With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Why we trust online sites:

• we check out companies (at least some of us do)
• lack of bad experiences
• belief bad things won't happen to us
• credit card limited liability
  

   
Overall, it seems that lack of bad past experience has the most to do with why we trust. (Also, it doesn't appear to take much experience for many people to feel comfortable with something.)

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What about forming new friends on facebook? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????

Some foreign governments have apparently expressed the concern that Windows must have some sort of back-door access mechanism accessible to the CIA.

Trusting software: how do we do this? What responsibility do vendors have?

    is there an obligation for software to work on our behalf?
    a "fiduciary obligation"?
   
    Trusting your email software; trusting your browser

See http://stopbadware.org

   
What about DRM? What about Windows?

Most is spyware or viruses or some inappropriate "control" software (eg Sony's, discussed Week 13)

stopbadware.org definition
   1.  If the application acts deceptively or irreversibly.
   2. If the application engages in potentially objectionable behavior without:

• First, prominently disclosing to the user that it will engage in such behavior, in clear and non-technical language, and
• Then, obtaining the user’s affirmative consent to that aspect of the application.

See also stopbadware.org/home/guidelines

Also see http://stopbadware.org/home/alerts:
    RealPlayer had been here (Spr 2008?) (still in stopbadware.org/home/alertsarchive)

KaZaa had been here in (Spr 2008?)

Spyware Striker Pro (Spring 2009)
        (ironically, this is NOT "fake" spyware-removal software!)

  
Trust

With all the concern about online theft, why do we trust online merchants at all? For that matter, why do we trust people we've met on facebook, etc?

Technological issues & trust: can we at least trust that we're talking to the person we think we're talking to?

Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the person). Otherwise you can get a bad key, write to them using it, and be victim of a man-in-the-middle attack.

(public key crypto: each person has a public key and a private key. If someone encrypts a message to you with your public key, you can decrypt it with your private key. Similarly, if you encrypt something with your private key, anyone can decrypt it with your public key, and in the process verify that it was encrypted with your private key. That last bit means that the message can act as your DIGITAL SIGNITURE.)

How can we be able to TRUST our keys?

Alice needs Bob's key.

1. She can meet Bob at a key-signing party. Bob can give her his key hash.
2. She can ask Chuck. Chuck says Bob's online keyhash is legit.
3. She can decide NOT to trust Chuck, at least about Bob, and ask Dora instead. Dora has never met Bob, but got Bob's keyhash from Ernie, who has.
4. She can ask someone who has a large group of signed verifications of keys. Three of them are signed verifications of Bob's key.

SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name

Any pair of entities can negotiate a session key:

• each gets others public key
• each chooses some bits at random, encrypts with others' public key
• exchange these; other side decrypts
• now pick one key, or xor them, or concatenate them, or whatever.

You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg exchanging encrypted bits and then exchanging special keys to decrypt them)

BUT: how do you know you're not about to give your credit card to a bad guy with whom you've just created a session key?

What does this have to do with TRUST?

Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?

Edit => Preferences => Advanced => Encryption => View Certs

Of course, one of the real reasons we trust online commerce -- that we have relatively few bad experiences -- is related to all this encryption in that it makes it much harder for bad guys to eavesdrop. (The most likely location for bad guys, btw, is either in your house or on your local cable loop.)

Note this is powerless against phishing attacks
Although the new Extended Valuation SSL Certs might. Might.

Back to why we trust online vendors:

• we check out companies (at least some of us do)
• lack of bad experiences
• belief bad things won't happen to us
• credit card limited liability (not applicable to debit cards!)
• ???

   
Overall, it seems that lack of bad past experience has the most to do with why we trust. This seems to be the case with face-to-face and brick-and-mortar relationships just as much as with online situations.

What about personal sites? (Not necessarily dating, but those too.) How do we form online friendships (eg at discussion sites)? What makes us think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????

Trusting software part 2: how do we do this? What responsibility do vendors have?


We've seen that people form trust relationships based on a fairly limited set of positive experiences (though a limited set of negatives, as well). Sometimes it seems that software has a lot to live up to, in that we trust it because we don't see bad experiences, but it is so easy for software to take advantage of us.

• collecting personal information
• Sony "rootkit" cd driver (below)
  

   
Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed the email?

The images issue has been around for almost a decade; many email vendors (and many freemail providers) have been reluctant to support image-blocking until ~2006 or later. (There may be legitimate reasons for that: it may be perceived as a hard-to-understand option.)

Browsers: browsers do all sorts of identification of themselves when they connect. Some of that is important; some is questionable. Most browsers do not leak "private" information, though they do leak the browser and OS you are using. Furthermore, this is hard to change!

Try http://www.jms1.net/ie.shtml, with internet explorer. (Actually, go to jms1.net, and you get redirected to the linked site if you're using IE. At one point there was a page on the site that would simply make IE die.)

IE's entire ActiveX security model is broken; ActiveX is an approach to security where you trust any signed software. Java, on the other hand, trusts any source, but runs the software in a "sandbox" where it (hopefully) can't damage your machine.

What about cookies?

Many browser PLUGINS do leak some degree of private information. When you register a plugin, you connect some personal information to that plugin. Also, some plugins contact the mothership at regular intervals.

See http://spywareremove.com/remove-BrowserPlugins

SEVERAL media players (plugin or otherwise) may do some checking of licenses or with the mothership before allowing play. Perhaps most players from media companies behave this way.


What about compatibility lock-in?

To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
    locks you out of lots of things.
    Trusted side: can't be reached by debuggers or viruses
    Problem: machine now is autonomous; vendor has complete control. Do you trust your vendor?
    Software updates, file compatibility,

From Windows Internals by Russinovich & Salomon:  

In the Windows security model, any process running with a token containing the debug privilege (such as an administrator’s account) can request any access right that it desires to any other process running on the machine...

This logical behavior (which helps ensure that administrators will always have full control of the running code on the system) clashes with the system behavior for digital rights management requirements imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media. To support reliable and protected playback of such content, Windows uses protected processes. These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request.

Will all software vendors eventually request that their applications be protected? It would sure put a damper on reverse-engineering!

SONY case has the rights of users front and center.
Sony's 2005 "XCP" copy-protection scheme : it installed a private CD driver AND a hidden "r00tkit" (so named by Mark Russinovich, then of sysinternals.com) that conceals itself and hides some registry keys.

Is this legit?

How does it compare with Palladium (secure-computing platform)?

Users do click on a license agreement. Were they sufficiently warned? (The software was apparently installed before the EULA came up; and in any event clearly the EULA did not explain just what was going on.)

Note from Mark Russinovich, via wikipedia:

    
There is now a virus/worm out that takes advantage of the sony kit.

Sony issued an uninstall utility that didn't actually uninstall the software, but did make it visible. However, users had to supply an email address, which by Sony's privacy policy was eligible for spamming.

This or a later removal kit allegedly ADDED a bad ActiveX control.

Jurisdiction online

jurisdictional issues: where did the sale take place? This one is very important for e-commerce. Here are some legal theories that have been applied (eg in the LICRA/Yahoo case):

• the "affects" test: the court decides that the remote action affects its own local citizens. A passive website would count here.
  
• the "affects intentionally" test: the court decides that the source intended to have an effect on its local citizens
• the "targeting" test: the court feels that the action was actually directed at its local citizens, with some level of intent.
• the "primarily affects" test: the court decides that the action's primary effect is on its local citizens
• the plaintiff test: the affected party (buyer or the one defamed, for example) lives in the local jurisdiction
• purposeful availment: by choosing to engage in local commerce, the remote entity "purposefully avails" itself of the legal system of the local country.
• contract: the remote site has a contract with parties in the local jurisdiction

The following are the traditional three rules for a US court deciding iti has "personal jurisdiction" in a lawsuit:

1. Purposeful availment: did defendant receive any benefit from the laws of the jurisdiction? If you're in South Dakota and you sell to someone in California, the laws of California would protect you if the buyer tried to cheat you. Generally, this is held to be the case even if you require payment upfront in all cases. The doctrine of purposeful availment means that, in exchange here for the benefits to you of California's laws, you submit to California's jurisdiction.
   
2. Where the act was done.
3. Whether the defendant has a reasonable expectation of being subject to that jurisdiction.

eHarmony lawsuits, for alleged discrimination against homosexuals

eHarmony is headquartered in California.

New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007

How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?

sales

trademarks
libel/defamation
criminal law

laws governing sales: seller can sue in his home state/country
    This is more or less universal.
   

laws governing trademarks

Trademark scope
        The Blue Note Cafe was located in NYC
        The Blue Note, St Louis (actually Columbia, MO) was a club, sued for trademark infringement by Blue Note New York because they had a web site.
        The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
The case was brought in federal district court, which decided there was a lack of jurisdiction. Before that, however, note that the Missouri club began using the name in 1980, and the NYC club did not register the trademark until 1985. Note that, generally speaking, in this sort of situation the Missouri club retains the right to continue to use the name locally, while non-local use is reserved to the federal trademark-holder.

The district court did look at the "long-arm statute" of the "forum state", that is, New York. The New York law provides that

The State-court interpretation of this was that the act had to be committed in New York State, and the federal court deferred to this interpretation.

Another part of the NY state law did provide for jurisdiction when the other party was outside the state. However, the law also

The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.

Blue Note St Louis had a mostly passive web site, although they did advertise tickets online, to performances at the club itself. These tickets had to be picked up at the Missouri box office; they were never mailed. Does this matter? Does it matter that the tickets were technically not sold over the internet, but instead you had to call a phone number?

This case was decided on jurisdictional grounds: NY State did not have jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.

This was a reasonable decision, but notice that it sure doesn't offer many guarantees that your website won't infringe on a trademark far far away.
              
Domain names

zippo v zippo, 1997

See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
    zippo lighters v zippo.com
    trademark infringement filed under PA state law, but filed in federal district court.
    PA "long arm" statute
   
zippo.com was a news service. They had email customers in PA, and two ISP customers.
    (1) the defendant must have sufficient "minimum contacts" with the forum state,
    (2) the claim asserted against the defendant must arise out of those contacts, and
    (3) the exercise of jurisdiction must be reasonable.
   

     
Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction

Note the gray area between a completely passive website, just an "electronic billboard", and “the knowing and repeated transmission of computer files over the Internet”. Usually the latter means subscriber-specific information.

What about google.com? Should Illinois courts have jurisdiction?

Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").

Suppose your bank makes an error. Where do you sue them? What if their only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank. SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB online. Some money disappeared. Soma lost their lawsuit in Utah, because the court ruled that the fact that SCB had a website accessible in Utah did not give the State of Utah personal jurisdiction. [Michael Shamos]

NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions about whether US patent law extends to other countries.

Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's minor son ordered beer, and it was delivered to him despite rules that required an adult signature. Butler sued BAA under an Alabama law that makes it illegal to sell alcohol to minors. In this case, Butler lost her bid to get Alabama jurisdiction, though the case was transferred by the Alabama court to Illinois.

Cybersquatting (omit?)

This is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.

See http://www.networksolutions.com/legal/dispute-policy.jsp

    Uniform Domain Name Dispute Resolution Policy -- ICANN

Also AntiCybersquatting Consumer Protection Act.

Some form of bad faith is usually necessary. But not always, if the effect is to resemble a famous trademark and if you have good lawyers. Sometimes the only "bad faith" or "intent to profit" is the offer of the domain holder to settle the case by selling the domain to the plaintiff.

All this is really about trademarks, not about jurisdiction. But the "flat" namespace of the web makes all trademark disputes national, or even global.


vw.net: virtual works
    http://www.news.com/2100-1023-238287.html
   
Peculiarity: vw.net, a one-man company with James Anderson as principle, offered to sell the name to volkswagen in 1998, and threatened to auction the name off if volkswagen did not buy. This triggers a presumption of domain-name squatting.
   

   
See http://vwx.com. Oops, I guess not; that site is now for sale. At one point, it was about Anderson's side of the case.
   
A possibly important point was that virtual works never used the abbreviation "vw" except in the domain name.
   
They (vw.net) lost.

Is this about cybersquatting? Or is it about the (lack of) rights of the Little Guy to use their trademark in good faith?

american.com: formerly owned by cisco, now a private 'zine (the airline is aa.com)

gateway 2000 v gateway.com
    gateway.com was a computer consulting firm, run by Alan Clegg. There was absolutely no evidence that Clegg foresaw that in the year 2000 the name gateway2000.com would become obsolete, and reserved gateway.com in anticipation of a domain sale.
   
yahoo.com v yahooka.com [which see]
    Case was actually never filed
   

state-law libel and jurisdiction (omitted Fall 2010)

A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del. April 23, 1998), found that Delaware's long arm statute did NOT reach the defendant, who posted allegedly libelous and slanderous false statements about the plaintiff on his Internet site. The statute provided for jurisdiction over tortious activity outside of Delaware ONLY if defendant regularly conducted business in the state. The court found that access in Delaware to defendant's Internet posting did not constitute sufficient contact to support the exercise of personal jurisdiction.
     
This case was decided on JURISDICTIONAL grounds: Delaware did not have jurisdiction

Laws governing libel:

Truth is a defense, but can be expensive to prove. If you say something false about a public figure, they have to prove actual malice. If you say something false about anyone else, all they have to prove is that you were negligent.

We've seen Batzel v Cremers.

Cremers lost on the jurisdiction issue.

But what if the legal climate in the Netherlands was different for libel lawsuits? What if in the Netherlands the burden of proof lay with the plaintiff to prove something false, and Cremers was sued in a jurisdiction (eg England, which still has pro-plaintiff libel laws) where the burden of proof lay with the defendant?

Jurisdiction and criminal cases

International crime

Shrink-wrap and click-wrap licenses (omitted Fall 2010)

• limitations of liability for use of the product
• limitations of liability for data
• service may be terminated at any time (subject to refund if you're paying)
  
• restrictions on resale of data

• Adobe had sold the software, not licensed it, and therefore the terms of the license did not apply
• SoftMan did not run any of the software, and so the EULAs did not come up, and so did not apply

Amazon unbox movie license, version 0.2

Licenses and Jurisdiction

What about linking? (omitted Fall 2010)

 
 Is a link to a defamatory site a form of defamation?  (It probably depends on the context)
 
 Is a link to "illegal" software forbidden?
 2600 case: Universal v Reimerdes:
from wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes)
In particular the Second Circuit ruled that linking on the Internet happened so fast that it could be restrained in ways that might not be constitutional for traditional media.
Also, apparently the defendants more or less admitted that they were providing links to deCSS for the purpose of making illegal DVD copies. Things might have been different had they linked for the purpose of research.

While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Is this a legal number?

Part of the issue with linking is that it can provide easy access to "forbidden" content such as circumvention software (deCSS) or copyrighted content (eg providing movie .torrents). For that part, providing the URL in "unlinked" form is probably also subject to regulation. 

But the other part is conventional "deep links". These can be used to view a given page out of context, or to view a given page in a border provided by another page, or to avoid advertising. Should these kinds of links be subject to prohibition?

Is linking to a site a form of using that site without authorization? Possibly leading to a claim of trespass-of-chattels?
 
What about linking to other sites:
     bandwidth
     trademark
     avoidance of advertising
    
     cussedness/control
    
 search engines do this CONSTANTLY.
    
For a while this was a serious issue, but it seems to be dying out. Lots of sites still have bizarre linking policies, though.

http://dontlink.com; alas, active site work stopped in 2002.

But see: http://www.americanexpress.com/shared/copyright/webrules.html, item 9, "Linked Internet Sites". Actually, this link is down as of Dec 2009, but it still appears on the americanexpress.com page!!

Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)

Rules 1-8 are entirely reasonable.

Antitrust (omitted Fall 2010)

Once upon a time, long long ago, in a previous century (1998), Microsoft was hauled into federal court on antitrust charges. The original issue was probably that in 1995 Netscape released a better browser, and then a year later Internet Explorer was bundled in with Windows. Microsoft, in fact, insisted that IE be the only browser on new machines, if a vendor wanted a bulk windows license (individual windows licenses were and are prohibitively expensive. (MS also famously insisted that to get a bulk license, you had to at least pay for Windows for all the machines you sold, even if some of them were to be sold with a non-Windows OS (what would that have been? Pre-gnome linux?).)

During the trial, MicroSoft submitted a video of a computer allegedly underfunctioning because IE had been removed. Alas for MS, the video -- presented as representing a single session -- had been spliced.

From wikipedia:

MS's strategy was universally seen as a frontal assault on Netscape, because MS apparently had the idea that it was important to achieve dominance in the "browser" market.

But if you're giving it away free, there is no market.

Once upon a time, some people at MS might have had some notion that, after Netscape was broke, they could resume charging for IE. That is the sort of behavior that antitrust law is intended to prohibit. But a more likely idea was that, if MS controlled the browser market, they would somehow "control" a crucial part of e-commerce. And, to be sure, controlling the browser would mean that they could introduce new server features and be able to guarantee that the browsers out there would support that feature.

As it turned out, controlling the browser market brought about as much control of e-commerce as controlling the cash-register paper-tape market would have brought control over traditional brick-and-mortar commerce.

MS famously lost their case, at the District Court level. For several years they had to make it possible to remove IE from windows, either by owners or resellers. This was also more or less the death knell for MS's plan to "integrate" the browser with the desktop, ie, to build IE into the desktop.

Did this make any sense?

A browser is now seen as the reason people buy computers. It needs to come with the computer, if for no other reason that you can't download anything without one. How would I install Firefox, for example, if I couldn't use IE once to download it? Would I order a CD by mail?

By 2001, the US DoJ was no longer asking for MS to separate its OS and Application divisions (ie breaking up the company). Instead, they asked for more mundane restrictions, such as fairer licensing terms.

MS is at it again, but this time not from a position of strength. They may have recently tried to get the Wall Street Journal to remove their news content from google, in exchange for payment. This is an attempt to get people to have a reason to use bing, the new MS search engine.

Does anyone use bing?

Here's a couple articles:

• http://www.businessinsider.com/microsoft-should-pay-up-for-exclusive-access-to-the-journal-2009-11
• http://industry.bnet.com/media/10005274/murdoch-and-microsoft-talk-about-ganging-up-on-google

More seriously, is this a case of antitrust? Or is this a case of exclusive content licensing?

One issue is that google's use of the WSJ is considered to be fair use. But google makes a heck of a lot of money by indexing this content, from advertising. The estimate in the articles above is that it's in the range of $10-15 million/year. This is sort of like the youtube lawsuits, where the media companies really want a piece of the advertising market that youtube gets for displaying "their" videos.

The MS antitrust case should probably be compared to the ATT and IBM antitrust cases. By the time the 1969 IBM case was dropped by the feds, after thirteen years, it no longer mattered. IBM no longer held market dominance. The ATT case led to the breakup of ATT into the main ATT, now no longer in the local phone business, and the "seven RBOCs". One of the RBOCs, SBC, has since acquired most of the others, and the parent ATT itself (and has taken on the ATT name). (I think the other separate RBOC is Qwest, formerly US West).

This is probably as good as any a place to bring up Network Neutrality. The idea there is whether ISPs should be allowed to throttle content from content providers that don't pay bribes. Is that antitrust? Or is it all about The Free Market?

A few other issues

• Employment and empowerment: Do computers take jobs away? Do they make jobs more stressful? Do they reduce worker privacy to an unacceptable or inappropriate degree?
  
• Effects of computing and blogging on the political process: does it help democracy or diminish it? The "diminish" theory comes in part from the idea that parties can now target individual hot-button issues for most voters, and that the wealth of political information on the internet is so vast that only "insiders" and professionals can comprehend it.
• Computers and risk. What is the probability of software failure? Under traditional mechanical analysis, it is either 0.0 or 1.0; it either doesn't fail, or it does. As the latter value implies complete failure every time, it was generally assumed to be 0.0. Can more plausible statistical models of failure be developed? If you understand the failure mode, why don't you just fix the software? Anyway, how do we analyze software risk? In cars? In air-traffic control systems?
• Star wars: aka The Strategic Defense Initiative. This was to be a software-engineering project of such magnitude that it was inaccessible to traditional methods. It was also untestable, as the only meaningful test would be all-out nuclear war.
• Given all that, software is much more reliable than it used to be. How do we adjust to that?
  
• Professional ethics: what are programmers called upon to do? Network admins? Database managers?
• How do we evaluate technology in the schools? What about the Kutztown 13? Do computers make kids better writers? Does mathematica make students better at math?
•