Computer Ethics, Summer 2012

Corboy Law 602; Tuesdays & Thursdays, 6:00-9:00
Week 6, Class 11

Readings

Read Baase Chapter 5 on crime

Google sues Youtube-MP3.org

Google has finally announced a lawsuit against Youtube-MP3.org, one of the largest youtube-to-mp3 conversion sites. Earlier we had discussed vidtomp3.com in class. Google claims that what these sites do is a violation of the terms of service for both the site itself and the site's API.

Youtube-MP3's operators claim they do not use the Youtube API to extract the audio stream.

Youtube-MP3.org has been blocked from Youtube access.

More at http://torrentfreak.com/google-threatens-to-sue-huge-youtube-mp3-conversion-site-120619/.

MP3 patents and lawsuits

The MP3 idea was not obvious, and remains fairly complex. Alcatel-Lucent v Microsoft: Alcatel-Lucent won $1.5 billion in an infringement suit about mp3 decoders Feb 22, 2007

MS countersued for other patents

The judge eventually set aside the damages, and the appellate court agreed.

Aug 6, 2007: MS won new trial

MS is now suing A-L for other patents.

check out mp3licensing.com (Thompson) Royalty Rates: basic mp3 decoder: $0.75/unit

MP3 was published in 1991. Did all US mp3 patents expire in 2011? Original holder: Thompson Consumer Electronics & Fraunhofer Institute. These still hold the "core" mp3 patents.

MP3 Patent claimants:

Thompson
Fraunhofer
Sisvel / Audio MPEG
Texas MP3 Technologies
Alcatel-Lucent

To date, (some) patent holders have announced that no action will be taken against open-source decoders.

The mp3 compression algorithm is admittedly a deep idea. Part of it involves the use of wave decomposition to store the information more efficiently; part of it involves "psychoacoustics" to identify parts of a sound file that are "unhearable" and so can be deleted.

Note that patents are for the use of an idea in a specific context:

prime factorization for the purpose of encryption
xor for the purpose of redrawing the mouse
digital scanning for the purpose of storing bank records (see below)
RF links for the purpose of email [NTP v RIM; it's not clear this is the entire issue]

Alas for computing, the PTO has often accepted patents for the use of a very standard, well-known idea in a specific context.

Patent problems

submarine patents: you don't hear about them until too late!

prior art: hard to find, hard to document, trivial ideas were never written down! This problem, at least, will go away with the passage of time.

non-obviousness: difficult to contest.

Many ideas go into one program! Technology evolves extremely rapidly.

Violates settled expectations (important part of law!) What's patented seems to be more a matter of chance than anything else.

ignorance is no defense: "submarine" patents entire process is secret: you can be making good-faith effort to be noninfringing and get hit with a huge verdict.

wilful: you had advance notice of infringing. Your belief that the patent was invalid may NOT be a defense, although it has been accepted as a defense in some cases. Damages automatically triple.

Europe

EU Parliament voted in July 2005 648-14 AGAINST the EPO (European Patent Office) directive.

March 17, 2009: European Patent Office has asked the EU's "Enlarged Board of Appeal" to decide on the exclusion of software from patentability. The EPO has long been pushing for software patentability, and this is seen by some as an attempt to bypass the European Parliament.
See http://lwn.net/Articles/324022
Also http://press.ffii.org/Press_releases/EPO_seeks_to_validate_software_patents_without_the_European_Parliament.
Also http://www.ffii.org/EPOReferral. Note especially Q3, under Questions. Under some earlier rulings (T163/85 and T190/94), patentability required "a technical effect on a physical entity in the real world". However, other rules did not include this requirement.

European patent law is similar to the Diamond v Diehr standard: machines that use software are patentable, but not software that stands alone. However, in the US the Diehr standard evolved into software patentability; in Europe software remains unpatentable as such.

Here's an article from FFII.org entitled, "Why are Software Patents so Trivial?", in which they suggest that this is a fundamental problem: http://eupat.ffii.org/analysis/frili.

Stakeholders

Who are the stakeholders in software patents? Are we stakeholders? Compare pharmaceuticals. http://www.pbs.org/cringely/pulpit/2005/pulpit_20050818_000863.html: "Do you feel helped by patent reform?"

If the Eolas patent had succeeded earlier in the game, Firefox might never have been started, and then Internet Explorer would still likely lack tabs, plug-ins, and other core features.

WHY does the situation seem so different from pharmaceuticals?

Role of "patent trolls", or patent licensing firms
("troll" as in "the troll under the bridge, demanding tolls", not "trolling" as in fishing for "flames")

Note that the established-company-versus-established-company defense of a "patent bank" is useless here.

Patents and standards-setting

Company A participates in creation of a standard; they suggest solution S for a particular issue. After the standard is widely adopted, company A announces that they have patented S, and that they will license it for a significant fee.

N-Data patent on ethernet speed autonegotiation:

http://arstechnica.com/news.ars/post/20080123-ftc-defends-ethernet-forces-patent-troll-back-under-bridge.html

Barriers to entry

Patent Trolls: companies that have no assets but patent claims, and don't attempt to produce anything but simply collect. Is this bad? Or are such companies just creating a market for small inventors to sell their inventions?

I4i is not such a company; they did produce an XML-based product.

Patent and open source

The open-source community is a strong proponent of eliminating software patents.

Is the open-source community entitled to:

an applet-aware browser?
an mp3 player?
a gif viewer?
other ideas that are patented?

Is the open-source community entitled to the asterisk phone switch?

Does MS intend to destroy or hobble or marginalize linux through patents?

It is very well documented that the patent process can have a very NEGATIVE impact on open-source development, and on generally accepted software adoption.

So if the purpose of software patents is to aid technological process, and it doesn't do that, are software patents a good idea?

What happens if the software in question is made available through a site in Europe, which (as of now) doesn't have strong software-patent laws? Should the site warn visitors from the US?

Is this at all like thepiratebay.org?

Patents: are the right ideas being patented? Or are patents being granted to trolls for peripheral ideas?

xor:   trolls?
rsa:   good
spreadsheets:   trolls?
eolas:   trolls?

DataTreasury (datatreasury.com)

They have developed technology for storage of digital images of bank checks. They actually did develop the whole system, although again the inevitability issue arises here. They did not develop any of the actual root technology: scanners, or data security, or digital storage systems with enough capacity to hold images for negligible cost.

From their website:

The Corporation was founded in 1998 and was granted its first two Network architectural patents (5,910,988 and 6,032,137) in 1999 and 2000, respectively. The patents detail the important and revolutionary aspects of DataTreasury's systems for remote image capture, document imaging, centralized processing and electronic storage. Our innovations were particularly noted for enhanced security, fault tolerance and high reliability. These key elements form the underpinnings of DataTreasury's technology.

That said, it is clear that none of DataTreasury's ideas are revolutionary.

From politico.com/news/stories/0308/9202.html The company had benefited from a controversial 1998 court ruling that broadened the definition of a patent to include business processes.

The proposed (but never passed) patent-reform act of 2007 singled out this patent for congressional revocation.

It appears that DataTreasury is claiming a business-method patent on the use of electronic image scanning for check processing. They are looking for very significant licensing fees. Again, every piece of the technology has been around from well before the patent (scanning, secure storage, ???)

Should a new (but straightforward) application of existing technology be patentable?

The DataTreasury patent has been singled out by Congress for action, but it is not clear what will happen.

Patent reform:

PTO trying to learn more prior art
Watchdog groups doing same
Trivial prior art is harder and harder to patent, simply due to the passage of time and better documentation of trivial techniques
Still problems with patented protocols (and business methods)

Someone tried patenting a movie storyline a few years ago. This patent WAS rejected.

Patent Reform Act of 2007: H.R. 1908 and S. 1145 (did not pass). This was the first [?] patent-reform act proposed.

Those in bold are the most significant.

This did not pass. Here are some of the proposed changes in U.S. patent law

1.1 Switch from first-to-invent to first-to-file
1.2 Expand prior user rights, to compensate
1.3 Publish patent applications
1.3.5 Allow corporate filers (ie inventor's employer)
1.4 Allow pre-issuance protests by third parties
1.5 Expand use of post-issuance reexamination and opposition proceedings
1.6 Eliminate the "best mode" requirement (obscure)
1.7 Modify the patent law doctrine of willful infringement. "willful" is a serious problem, because it vastly increases the damages and is applied rather inconsistently.
1.8 Modify the patent law doctrine of inequitable conduct
1.9 Allow patent applications to be submitted by an assignee
1.10 Limit access to injunctions
Damages: must be in proportion to incremental improvement over prior art
Bars "tax planning" patents [!] See US Pat 5206803
Bars DataTreasury from bank extortion

Discuss: first-to-file: who benefits? how are small inventors affected? How are prior-art rules affected?

This has again been introduced in 2009; apparently the issues are the damages calculation, post-issuance reexamination proceedings, and defining inequitable conduct. At least the last provision has been removed from the 2009 bill. A good-faith defense for believing a patent was invalid is also included. Also included is a definition of prior art to include anything "available to the public"; publication no longer would have to occur.

[Note that NTP argued that RIM's conduct was held to be inequitable simply because NTP had sent them a letter outlining its patent claims, and RIM had disagreed.]

In 2011, Congress passed the America Invents Act. This included the following features:

switch from first-to-invent to first-to-file (though the first-to-file inventor must be an original inventor, not someone who got the idea from the real inventor and rushed to patent).
prior art expanded to include any public use, or foreign offers for sale. The "publication" rule is thus relaxed.
allows pre-patent-issuance filings by third parties, and also post-issuance review
bars tax-planning patents
small inventor ("micro-entity") fee reduction
deny patent holders the right to appeal post-grant re-examination reversals to the District Courts.

The full impact of the law is not yet clear. There were no changes to rules for willful infringement, inequitable conduct, access to injunctions, or proportionate damages.

KSR v Teleflex, Supreme Court, April 30, 2007

Some good patent news?

This Supreme Court case altered the legal standard for disproving "non-obviousness" in favor of defendants. It is now slightly easier to challenge patents on this basis.

Teleflex had a patent on a pedal coupled to an electronic throttle control (basically cruise control). The question was whether that was "obvious".

The proper question to have asked was whether a pedal designer of ordinary skill, facing the wide range of needs created by developments in the field of endeavor, would have seen a benefit to upgrading [a prior art patent] with a sensor

not thought of it by themselves, and not motivated to implement the change, but simply saw the benefit. The old "nonobviousness" standard often in effect required proving that a patent was "prior art". This test was known as the "teaching-suggestion-motivation" test. All three pieces had to be there. Another sentence from that decision:

[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.

Does that cover my obvious-in-context approach? Does that suggest that not clicking the mouse is obvious?

Teaching-suggestion-motivation test: too narrow

Would this have helped RIM? Probably.

Bilski case

Federal Circuit decision released October 30, 2008
Supreme Court decision released June 28, 2010 (decision here)

This was a very significant case. It was decided at the appellate level by an en banc sitting of the Federal Circuit. They proposed a "machine or transformation" test for patentability of abstract processes. The Supreme Court then heard the case, and while they did not uphold the "machine or transformation" test, they ruled that Bilski's invention was not patentable because it was too abstract. There had been widespread speculation that the Supreme Court would use the Bilski case to rein in business-method patents, or at least make the patentability rules a little clearer. They apparently did not do either.

Bilski patent: Claimed method of managing the risk of bad weather in commodities trading.

He submitted a patent application seeking exclusive rights to a method of using hedge contracts to reduce the risk that a commodity's wholesale price might change.

Again, the technique fails under both prior-art and obviousness standards. But those don't apply in the same way to business-method patents.

The patent was rejected by the Patent Board of Appeals. The Board, in rejecting the claim, asked the Federal Circuit court for assistance in determining patentability of non-technological method claims.

The federal circuit court did the following:

The court by its own action grants a hearing en banc. The parties are requested to file supplemental briefs that should address the following questions:

(1) Whether claim 1 of the 08/833,892 patent application claims patent-eligible subject matter under 35 U.S.C. §101? (the patent-eligibility rules)
(2) What standard should govern in determining whether a process is patent-eligible subject matter under section 101?
(3) Whether the claimed subject matter is not patent-eligible because it constitutes an abstract idea or mental process; when does a claim that contains both mental and physical steps create patent-eligible subject matter?
(4) Whether a method or process must result in a physical transformation of an article or be tied to a machine to be patent-eligible subject matter under section 101?
(5) Whether it is appropriate to reconsider State Street Bank & Trust Co. v. Signature Financial Group, Inc., 149 F.3d 1368 (Fed. Cir. 1998), and AT&T Corp. v. Excel Communications, Inc., 172 F.3d 1352 (Fed. Cir. 1999), in this case and, if so, whether those cases should be overruled in any respect?

The appellate court did affirm the need for a physical transformation. Their central doctrine is "Machine or Transformation". This would have been a problem for business patents, and perhaps software patents.

Note that their reasoning was taken straight from the few SCOTUS cases on record.

The following question arises whenever a patent is applied for on an abstract process:

[Is the patent] tailored narrowly enough to encompass only a particular application of a fundamental principle rather than to pre-empt the principle itself?

Benson: NO
Diehr: YES (one of the prior SCOTUS cases)
Bilski: NO

This part of the Federal Circuit's reasoning may still stand.

Part of the Benson ruling:

Transformation and reduction of an article 'to a different state or thing' is THE clue to the patentability of a process claim that does not include particular machines.

The Diehr patent was for making rubber, using a computer to control the process. It wins the "different state or thing" standard hands down.

The federal circuit dismissed the "useful, concrete, or tangible result" test: that is NOT enough to establish patentability.

They also reject the "technological arts" test (see above) that was once-upon-a-time part of the method-patent rules. They agree that it is too hard to tell whether something involves the technological arts; however, unlike the USPTO, they end up ruling the OTHER WAY; that is, to reject MORE broadly than the TA test.

machine-or-transformation test: emphasize the OR.

We will, however, consider some of our past cases to gain insight into the transformation part of the test. A claimed process is patent-eligible if it transforms an article into a different state or thing. This transformation must be central to the purpose of the claimed process. But the main aspect of the transformation test that requires clarification here is what sorts of things constitute "articles" such that their transformation is sufficient to impart patent-eligibility under §101.

Tanning leather curing rubber (Diehr case)

The raw materials of many information-age processes, however, are electronic signals and electronically-manipulated data. And some so-called business methods, such as that claimed in the present case, involve the manipulation of even more abstract constructs such as legal obligations, organizational relationships, and business risks. Which, if any, of these processes qualify as a transformation or reduction of an article into a different state or thing constituting patent-eligible subject matter?

Note that while the Bilski decision does not claim to reverse State Street (the case that led to business-method patents), most commentators seem to feel that it has that effect. It is less clear that Bilski would have had a significant effect on software patents.

Applying the Machine-or-Tranformation test to famous cases

RSA? material transformation in "real" terms The transformation is to a file. While it is electronic, it is decidedly material.

MP3? material transformation in "real" terms? An mp3 file isn't a physical thing, but it does have a certain "thingness". People think of them as things, and buy them as things. An mp3 file is material.

NTP? maybe no? The argument can be made that there is no "material thing" on the table here. Email messages are NOT it; the patent only addresses the delivery of email.

DataTreasury? It seems unlikely that DataTreasury's patents would stand up to this new test.

Supreme Court

Pamela Samuelson, writing in the March 2010 CACM, noted that the Supreme Court appeared during oral arguments to believe that some way was needed to disallow patenting of nontechnological processes. Justice Scalia asked whether horse-training techniques should be patentable, and techniques to "win friends and influence people". Justice Sotomayor asked whether speed-dating methods could be patentable, and Justice Breyer asked if a professor could patent an improved teaching method.

However, this did not quite happen. Here are a few quotes from the decision, written by Justice Kennedy [emphasis by pld]:

Section 101 specifies four independent categories of inventions or discoveries that are patent eligible: “process[es],” “machin[es],” “manufactur[es],” and “composition[s] of matter.” “In choosing such expansive terms, . . . Congress plainly contemplated that the patent laws would be given wide scope”

This Court’s precedents provide three specific exceptions to §101’s broad principles: “laws of nature, physical phenomena, and abstract ideas.”

The machine-or-transformation test is not the sole test for patent eligibility under §101. The Court’s precedents establish that although that test may be a useful and important clue or investigative tool, it is not the sole test for deciding whether an invention is a patent-eligible “process” under §101. In holding to the contrary, the Federal Circuit violated two principles of statutory interpretation: Courts “ ‘should not read into the patent laws limitations and conditions which the legislature has not expressed,’ ” Diamond v. Diehr, 450 U. S. 175, 182, and, “[u]nless otherwise defined, ‘words will be interpreted as taking their ordinary, contemporary, common meaning,’ ”

Section 101 similarly precludes a reading of the term “process” that would categorically exclude business methods. The term “method” within §100(b)’s “process” definition, at least as a textual matter and before other consulting other Patent Act limitations and this Court’s precedents, may include at least some methods of doing business.

Because petitioners’ patent application can be rejected under the Court’s precedents on the unpatentability of abstract ideas, the Court need not define further what constitutes a patentable “process,” beyond pointing to the definition of that term provided in §100(b) and looking to the guideposts in Benson, Flook, and Diehr. Nothing in today’s opinion should be read as endorsing the Federal Circuit’s past interpretations of §101. [that is, the Supreme Court is not endorsing the State Street Bank case -- pld]

The appeals court may have thought it needed to make the machine-or-transformation test exclusive precisely because its case law had not adequately identified less extreme means of restricting business method patents. In disapproving an exclusive machine-or-transformation test, this Court by no means desires to preclude the Federal Circuit’s development of other limiting criteria that further the Patent Act’s purposes and are not inconsistent with its text.

In other words,

We can kick this patent out without resorting to a Machine or Transformation test, and while we probably think the MoT test is too restrictive, we're not going to say anything further.

Return to Gottschalk v Benson (which Bilski v Kappos did apparently firmly uphold)

It is easy to interpret Bilski as reinforcing the Benson decision. It is up to the Supreme Court, however, to decide if Benson was in fact the right approach. The idea expressed in Benson that the algorithm was "too general" and might be used for anything seems in hindsight rather quaint; it is clear a few decades later that this is going to be the case with perhaps the majority of software patents. For example RSA patented a method of encryption that could be used for anything: banking, personal matters, commerce, digital signatures, etc.

Mayo Labs v Prometheus Labs, Supreme Court, March 20, 2012

Prometheus Labs patented a way of measuring levels of thiopurine drugs to maintain a consistent dosage. The set of metabolites is measured, and from these varying levels an inference can be made as to the level of the original drug.

Mayo Labs used the patented idea without a license. Prometheus sued. The District Court found in favor of Mayo (more or less), but the Federal Circuit held that Prometheus's strategy was patentable, and, furthermore, even met the stronger "machine or transformation" test of patentability. The Federal Circuit's argument was that administration of the drug "transformed" the body, and that administering the blood test "transformed" the blood sample (my first reaction here is that it seems that similar logic could make anything fit the "machine or transformation" logic, thus undermining the whole purpose of the MoT test as a limitation on patentability). Following Bilski back in 2008, the Supreme Court remanded the Mayo v Prometheus case back to the Federal Circuit for reconsideration; while the Bilski decision was often seen as expanding the rule of patentability beyond the MoT test, what the Supreme Court apparently had in mind was that sometimes things could be patentable while not meeting the MoT test but other times perhaps things could meet the MoT test and yet not be patentable. The Federal Circuit ruled again that Prometheus's invention was patentable under the MoT test.

The Supreme Court ruled in 2012

Because the laws of nature recited by Prometheus’ patent claims—the relationships between concentrations of certain metabolites in the blood and the likelihood that a thiopurine drug dosage will prove ineffective or cause harm—are not themselves patentable, the claimed processes are not patentable unless they have additional features that provide practical assurance that the processes are genuine applications of those laws rather than drafting efforts designed to monopolize the correlations.

What other patents that we've looked at might be construed as patenting abstract principles? The eolas patent? Any patent where as standard data structure is applied to a specific context?

The Prometheus patent was denied on the grounds that there was nothing substantial to the invention beyond a fundamental scientific principle (relating to a blood test for the effective levels of a drug). The patent is for the idea that by measuring two metabolites of the drug the effective level can be determined.

For software patents, in many cases the anti-patent argument is that a claimed invention is nothing more than a fundamental principle, applied in a specific context.

The Supreme Court also sent back to the Federal Circuit court for reconsideration, in light of the above case, the Association for Molecular Pathology v. Myriad Genetics case. Here, Myriad Genetics had been issued a patent on two human genes, BRCA1 and BRCA2. Patenting of human genes is controversial because, well, perhaps if you had one of those genes you would have to pay a royalty? (The answer is no, of course; the patent would be for the use of the gene in a particular in vitro manner.) The Supreme Court's position appears to be that a link between the above genes and breast cancer would be a scientific principle, not patentable, and testing for the genes does not introduce new innovation.

Hacking

To some of you, hacking is clearly wrong and there shouldn't even be a question here. If you're one of them, just pay attention to the legal-strategies-against-hackers part. However, is using a website in a manner contrary to the provider's intentions always hacking? A more serious case is logging on to a site, but not changing anything and in particular not committing theft.

Baase's "three phases of hacking"

1. Early years: "hacking" meant "clever programming"

2. ~1980-~1995:
    hacking as a term for break-in
    largely teenagers
    "trophy" hacking
    phone lines, BBSs, gov't systems
    lots of social engineering to get passwords

1994 Kevin Mitnick Christmas Day attack on UCSD (probably not carried out by Mitnick personally), launched from apollo.it.luc.edu. [!]

3. post-1995: hacking for money

early years / trophy
Phone phreaking: see Baase, p 256
Joe "The Whistler" Engressia was born blind in 1949, with perfect pitch. He discovered (apparently as a child) that, once a call was connected, if you sent a 2600 Hz tone down the line, the phone system would now let you dial a new call, while continuing to bill you for the old one. Typically the first call would be local and the second long-distance, thus allowing a long-distance call for the price (often zero) of a local call. Engressia could whistle the 2600 Hz tone.

According to the wikipedia article on John Draper, Engressia also discovered that the free whistle in "Cap'n Crunch" cereal could be modified to produce the tone; Engressia shared this with Draper who popularized it. Draper took the nickname "Cap'n Crunch".

As an adult, Engressia wanted to be known as "Joybubbles"; he died August 2007

Draper later developed the "blue box" that would generate the 2600 Hz trunk-line-idle tone and also other tones necessary for dialing.

How do we judge these people today? At the time, they were folk heroes. Everyone hated the Phone Company!

Is phone-phreaking like file sharing? Arguably, there's some public understanding now that phone phreaking is wrong. Will there later be a broad-based realization that file-sharing is wrong?

How wrong is what they did? Is there a role for exposing glitches in modern technology?

From Bruce Sterling's book The Hacker Crackdown: Law and Disorder on the Electronic Frontier, mit.edu/hacker:

What did it mean to break into a computer without permission and use its computational power, or look around inside its files without hurting anything? What were computer-intruding hackers, anyway -- how should society, and the law, best define their actions? Were they just browsers, harmless intellectual explorers? Were they voyeurs, snoops, invaders of privacy? Should they be sternly treated as potential agents of espionage, or perhaps as industrial spies? Or were they best defined as trespassers, a very common teenage misdemeanor? Was hacking theft of service? (After all, intruders were getting someone else's computer to carry out their orders, without permission and without paying). Was hacking fraud? Maybe it was best described as impersonation. The commonest mode of computer intrusion was (and is) to swipe or snoop somebody else's password, and then enter the computer in the guise of another person -- who is commonly stuck with the blame and the bills.

What about the Clifford Stoll "Cuckoo's Egg" case: tracking down an intruder at Berkeley & Livermore Labs; Markus Hess was a West German citizen allegedly working for the KGB. Hess was arrested and eventually convicted (1990). Berkeley culture at that time was generally to tolerate such incidents.

Robert Tappan Morris (RTM) released his Internet worm in 1988; this was the first large-scale internet exploit. Due to a software error, it propagated much more aggressively than had been intended, often consuming all the available CPU. It was based on two vulnerabilities: (1) a buffer overflow in the "finger" daemon, and (2) a feature [!] in many sendmail versions that would give anyone connecting to port 25 a root shell if they entered the secret password "wiz".

Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to gain fame for discovering a security vulnerability. There was no financial incentive.

The jury that convicted him spent several hours discussing Morris's argument that when a server listened on a port (eg an email server listening on port 25), anyone was implicitly authorized to send that port anything they wanted. That is, it is the server's responsibility to filter out bad data. While the jury eventually rejected this argument, they clearly took it very seriously.

Mitnick attack: how much of a problem was that, after all? There are reports that many Mitnick attacks were part of personal vendettas. (Most of these reports trace back to John Markoff's book on Mitnick; Markoff is widely believed to have at a minimum tried to put a slant on the facts that would drive book sales.)

Stage 3: even now, not all attacks are about money.

Baase, p 259:
"In 1998, the US Deputy defense secretary desribed a series of attacks on US military computers as 'the most organized and systematic attack the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried them out."

What about the London attack of about the same era on air-traffic control?

2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If you read the subject and opened the document, an MS-word macro launched the payload.

MS-word macros were (and are) an appallingly and obviously bad idea. Should people be punished for demonstrating this in such a public way? Was there a time when such a demonstration might have been legitimate?

Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by bragging about the attack pseudonymously on chatrooms. Alas for him, he'd previously used his pseudonym "mafiaboy" in posts that contained more-identifying information.

Conficker worm, April 1, 2009, apparently about creating a network of email 'bots.

Putting a dollar value on indirect attacks

This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?) was facing damage claims from one of the Baby Bell companies in excess of $100,000, when it was pointed out that the stolen document was in fact for sale for under $25.

Mark Abene (Phiber Optik) was imprisoned for a year. That was rather long for the actual charge. Mitnick himself spent nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry Childs in San Francisco, now finally out of prison.

Calce, Abene & Mitnick now both work in computer security. Is this appropriate?

One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate?

If not, what could be done differently?

David Kernell hacked Sarah Palin's email account in 2008, at age 20. He served his 366-day sentence at the Midway Rehabilitation Center in Tennessee, and was allowed to continue at school while in jail. Was this an appropriate sentence?

As of ~2012, most computer attacks are launched via web pages, although I still get lots of emailed virus payloads such as IRSnotice.pdf.exe or russianmodel.jpg.exe (under windows, the final ".exe" is not shown by default; why does Microsoft still do this?).

Ultimately, these attacks come down to javascript.

Legal tools against hackers

Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.

Computer Fraud & Abuse Act of 1986: made it illegal to access computers without authorization (or to commit fraud, or to get passwords)

USAP AT RIOT act:
Extends CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs. Even costs they should have already implemented.

Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.

In 2000 e-bay won a case against Bidder's Edge where the latter used search robots to get information on e-bay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.

Later court cases have often required proof of actual harm, though. In 1998 [?], Ken Hamidi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminating employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".

After reviewing the decisions analyzing unauthorized electronic contact with computer systems as potential trespasses to chattels, we conclude that under California law the tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning. Such an electronic communication does not constitute an actionable trespass to personal property, i.e., the computer system, because it does not interfere with the possessor’s use or possession of, or any other legally protected interest in, the personal property itself. [emphasis added]

How do you prosecute when there is no attempt to damage anything?

Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?

International Airport Centers v Citrin

Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being directed at "hackers" who break in to computer systems. However, nothing in the act requires that a network breakin be involved, and it is clear that Congress understood internal breakins to be a threat as well. The law itself dates from the era of large mainframes.

Just when is internal access a violation of the CFAA? Internal access is what Terry Childs is accused of.

In the 2006 Citrin case, the defendant deleted files from his company-provided laptop before quitting his job and going to work for himself. From http://technology.findlaw.com/articles/01033/009953.html:

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract with the companies. Before returning the laptop to the companies, Citrin deleted all of the data in it, including not only the data he had collected [and had apparently never turned over to his employer -- pld], but also data that would have revealed to the companies improper conduct he had engaged in before he decided to quit. He caused this deletion using a secure-erasure program, such that it would be impossible to recover the deleted information.

His previous employer sued under the CFAA, noting that the latter contained a provision allowing suits against anyone who "intentionally causes damage without authorization to a protected computer". Citrin argued that he had authorization to use his company-provided laptop. The District Court agreed. The Seventh Circuit (which includes Illinois) reversed, however, arguing in essence that once Citrin had decided to leave the company, and was not acting on the company's behalf, his authorization ended. Or (some guesswork here), Citrin's authorization was only for work done on behalf of his employer; work done against the interests of his employer was clearly not authorized.

Note that Citrin's specific act of deleting the files was pretty clearly an act that everybody involved understood as not what his employer wanted. This is not a grey-area case in that regard. However, trade-secrecy laws might also apply, as might contract law if part of Citrin's employment contract spelled out the terms of use.

Compare this to the Terry Childs or Randall Schwartz cases, below. We don't have all the facts yet on Childs, but on a black-and-white scale these cases would seem at worst to be pale eggshell (that is, almost white). It seems very likely that Schwartz's intent was always to improve security at Intel; it seems equally likely that at least in the three modem-related charges against Childs there was absolutely no intent to undermine city security.

Once again, the court looked at Citrin's actions in broad context, rather than in narrow technological terms. However, it remains unclear whether the court properly understood the full implications. In the context of the Citrin case, the Seventh Circuit simply allowed a civil lawsuit based on the CFAA to go forward. But the CFAA also criminalizes exactly the same conduct that it allows as grounds for civil suits. Specifically, §1030 states:

(a) Whoever

(1) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains

(c) information from any protected computer [a computer " which is used in or affecting interstate or foreign commerce or communication"; ie any computer on the Internet -- pld]

(b) ... shall be punished as provided [below]
(c) (1) (A) ... imprisonment for not more than ten years [plus a fine].

I'm not sure if that's ten years total or ten years per offense.

There was no felony prosecution of Citrin, but consider the following unauthorized uses of a computer:

Use of Google.com (even for searching) by a minor, prior to March 1, 2012 (when the Google ToS changed)
Personal web browsing while at work, if the workplace prohibits such actions
Creating a Facebook account under a pseudonym.

Should a person be subject to felony charges for any of the above?

US v Nosal

In an en banc decision handed down April 10, 2012 by the Ninth Circuit, the court ruled that someone who was authorized to access the data in question could not be charged under the CFAA simply because that access was contrary to the terms of the data owner (ie the employer). This is in more-or-less direct conflict with the Seventh Circuit's ruling in Citrin, suggesting that the Supreme Court is likely to take up this case at some point.

Nosal, like Citrin, had worked for a company (Korn/Ferry) and left to start his own business. Nosal did not take K/F data himself, but persuaded some former colleagues to send him the data. The colleagues were also charged.

Part of what is at stake is that the above phrase, "exceeds authorized access", is used in the rather general section (a)(1), but also in section (a)(4) dealing with fraud. Nosal was originally charged under §(a)(4), and other courts have ruled that fraud based on unauthorized access is indeed covered. However, the language in both sections is the same, and a general legal principle is that you should not interpret language differently simply because the context is different.

Judge Kosinski, in his decision, wrote

[1] The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[ ] authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

Kosinski then argued that the second interpretation is much too broad:

[W]e hold that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires “penal laws . . . to be construed strictly.”

Ultimately, Kosinski's argument would suggest that if a site or employer did not want you to have access to some data, they should take measures to be sure you cannot access it routinely.

See also Volokh's blog.

Attacks Involving Money

Modern phishing attacks (also DNS attacks)

Stealing credit-card numbers from stores. (Note: stores are not supposed to retain these at all. However, many do.)

Boeing attack, Baase p 262: how much should Boeing pay to make sure no files were changed?

TJX attack: Baase p 87 and p 271

The breakin was discovered in December 2006, but may have gone back to 2005.

40 million credit-card numbers were stolen! And 400,000 SSNs, and a large number of drivers-license numbers.

Hackers apparently cracked the obsolete WEP encryption on wi-fi networks to get in, using a "cantenna" from outside the building. Once in, they accessed and downloaded files. There are some reports that they eavesdropped on data streaming in from stores, but it seems likely thatdirect downloads of files was also involved.

Six suspects were eventually arrested. I believe they have all now been convicted; there's more information in the privacyrights.org page below (which also pegs the cost to TJX at $500-1,000 million). The attacks were apparently masterminded by Albert Gonzalez, one of the six: http://www.cio.com/article/500114/Alleged_Kingpin_of_Data_Heists_Was_a_Computer_Addict_Lawyer_Says. Gonzalez was sentenced to 20 years, though part of that was for other crimes.

For a case at CardSystems Solutions, see http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html. Here the leak was not due to wi-fi problems, but lack of compliance with standards was apparently involved. Schneier does a good job explaining the purely contractual security requirements involved, and potential outcomes. Schneier also points out

Every credit card company is terrified that people will reduce their credit card usage. They're worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They're worried about how their brands are perceived by the public.

The TJX and CardSystems attacks were intentional, not just data gone missing.

When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.

Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.

TJX attack and PCI DSS

An emerging standard is Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org. Note that PCI DSS is not a law, but is "private regulation". Once upon a time, the most effective regulators of steam-powered ships were insurance companies [reference?]. This is similar, but MasterCard and Visa are not quite the same as insurers. From the FAQ above:

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

If you are a store, you can refuse to pay the fine. But then you will lose the ability to accept credit cards. This is extremely bad!

Visa's CISP program is described at http://www.visa.com/cisp.

The PCI standards do allow merchants to store the name and account-number data. However, this is strongly discouraged. Sites that keep this information are required by PCI to have it encrypted. CardSystems was keeping this data because they were having a higher-than-expected rate of problems with transactions, and they were trying to figure out why.

To some extent, PCI DSS compliance is an example of how ethical behavior is in your own long-term best interest.

Identity Theft

what is it? What can be done?

And WHO IS RESPONSIBLE??

The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".

Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.

This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.