The MP3 idea was not obvious, and remains fairly complex. Alcatel-Lucent v Microsoft: Alcatel-Lucent won $1.5 billion in an infringement suit about mp3 decoders (Feb 22, 2007).
MS countersued for other patents
The judge eventually set aside the damages, and the appellate court agreed.
Aug 6, 2007: MS won new trial
MS is now suing A-L for other patents.
check out mp3licensing.com (Thomson). Royalty rates: basic mp3 decoder: $0.75/unit
MP3 was published in 1991. Did all US mp3 patents expire in 2011? Original holders: Thomson Consumer Electronics & Fraunhofer Institute. These still hold the "core" mp3 patents.
MP3 Patent claimants:
The mp3 compression algorithm is admittedly a deep idea. Part of it involves the use of wave decomposition to store the information more efficiently; part of it involves "psychoacoustics" to identify parts of a sound file that are "unhearable" and so can be deleted.
Note that patents are for the use of an idea in a specific context:
Patent problems
submarine patents: you don't hear about them until too late!
prior art: hard to find, hard to document, trivial ideas were never written down! This problem, at least, will go away with the passage of time.
non-obviousness: difficult to contest.
Many ideas go into one program!
Technology evolves extremely rapidly.
Violates settled expectations (important part of law!) What's patented seems to be more a matter of chance than anything else.
ignorance is no defense: with "submarine" patents the entire process is secret: you can be making a good-faith effort to be noninfringing and get hit with a huge verdict.
wilful infringement: you had advance notice that you were infringing. Your belief that the patent was invalid may NOT be a defense, although it has been accepted as one in some cases. Damages automatically triple.
Who are the stakeholders in software patents?
Are we stakeholders? Compare pharmaceuticals.
http://www.pbs.org/cringely/pulpit/2005/pulpit_20050818_000863.html:
"Do you feel helped by patent reform?"
If the Eolas patent had succeeded earlier in the game, Firefox might never have been started, and then Internet Explorer would still likely lack tabs, plug-ins, and other core features.
WHY does the situation seem so different from pharmaceuticals?
Note that the established-company-versus-established-company defense of a "patent bank" is useless here.
Company A participates in creation of a standard; they suggest solution S for a particular issue. After the standard is widely adopted, company A announces that they have patented S, and that they will license it for a significant fee.
N-Data patent on ethernet speed autonegotiation:
Patent Trolls: companies that have no assets but patent claims, and don't attempt to produce anything but simply collect.
Is this bad? Or are such companies just creating a market for small inventors to sell their inventions?
I4i is not such a company; they did produce an XML-based product.
The open-source community is a strong proponent of eliminating software patents.
Is the open-source community entitled to the Asterisk phone switch?
Does MS intend to destroy or hobble or marginalize Linux through patents?
It is very well documented that the patent process can have a very NEGATIVE impact on open-source development, and on generally accepted software adoption.
So if the purpose of software patents is to aid technological progress, and it doesn't do that, are software patents a good idea?
What happens if the software in question is made available through a site in Europe, which (as of now) doesn't have strong software-patent laws? Should the site warn visitors from the US?
Is this at all like thepiratebay.org?
Patents: are the right ideas being patented? Or are patents being granted to trolls for peripheral ideas?
DataTreasury has developed technology for storage of digital images of bank checks. They actually did develop the whole system, although again the inevitability issue arises here. They did not develop any of the actual root technology: scanners, or data security, or digital storage systems with enough capacity to hold images for negligible cost.
From their website:
That said, it is clear that none of DataTreasury's ideas are revolutionary.
From politico.com/news/stories/0308/9202.html: The company had benefited from a controversial 1998 court ruling that broadened the definition of a patent to include business processes.
The proposed (but never passed) patent-reform act of 2007 singled out this patent for congressional revocation.
It appears that DataTreasury is claiming a business-method patent on the use of electronic image scanning for check processing. They are looking for very significant licensing fees. Again, every piece of the technology has been around from well before the patent (scanning, secure storage, ???)
Should a new (but straightforward) application of existing technology be patentable?
The DataTreasury patent has been singled out by Congress for action, but it is not clear what will happen.
Patent reform:
Patent Reform Act of 2007: H.R. 1908 and S. 1145 (did not pass). This was the first [?] patent-reform act proposed.
Those in bold are the most significant.
This did not pass. Here are some of the proposed changes in U.S. patent law
Discuss: first-to-file: who benefits? how are small inventors affected? How are prior-art rules affected?
This has again been introduced in 2009; apparently the issues are the damages calculation, post-issuance reexamination proceedings, and defining inequitable conduct. At least the last provision has been removed from the 2009 bill. A good-faith defense for believing a patent was invalid is also included. Also included is a definition of prior art to include anything "available to the public"; publication no longer would have to occur.
[Note that NTP argued that RIM's conduct was held to be inequitable simply because NTP had sent them a letter outlining its patent claims, and RIM had disagreed.]
In 2011, Congress passed the America Invents Act. This included the following features:
KSR v Teleflex, Supreme Court, April 30, 2007
Some good patent news?
This Supreme Court case altered the legal standard for disproving "non-obviousness" in favor of defendants. It is now slightly easier to challenge patents on this basis.
Teleflex had a patent on a pedal coupled to an electronic throttle control (basically cruise control). The question was whether that was "obvious".
The proper question to have asked was whether a pedal designer of ordinary skill, facing the wide range of needs created by developments in the field of endeavor, would have seen a benefit to upgrading [a prior art patent] with a sensor
not thought of it by themselves, and not motivated to implement the change, but simply saw the benefit. The old "nonobviousness" standard often in effect required proving that a patent was "prior art". This test was known as the "teaching-suggestion-motivation" test. All three pieces had to be there.
Another sentence from that decision:
Does that cover my obvious-in-context approach? Does that suggest that not clicking the mouse is obvious?
Teaching-suggestion-motivation test: too narrow
Would this have helped RIM? Probably.
Federal Circuit decision released October 30, 2008
Supreme Court decision released June 28, 2010 (decision here)
This was a very significant case. It was decided at the appellate level by an en banc sitting of the Federal Circuit. They proposed a "machine or transformation" test for patentability of abstract processes. The Supreme Court then heard the case, and while they did not uphold the "machine or transformation" test, they ruled that Bilski's invention was not patentable because it was too abstract. There had been widespread speculation that the Supreme Court would use the Bilski case to rein in business-method patents, or at least make the patentability rules a little clearer. They apparently did not do either.
Bilski patent: Claimed method of managing the risk of bad weather in commodities trading.
He submitted a patent application seeking exclusive rights to a method of using hedge contracts to reduce the risk that a commodity's wholesale price might change.
Again, the technique fails under both prior-art and obviousness standards. But those don't apply in the same way to business-method patents.
The patent was rejected by the Patent Board of Appeals. The Board, in rejecting the claim, asked the Federal Circuit court for assistance in determining patentability of non-technological method claims.
The federal circuit court did the following:
The court by its own action grants a hearing en banc. The parties are requested to file supplemental briefs that should address the following questions:
The appellate court did affirm the need for a physical transformation. Their central doctrine is "Machine or Transformation". This would have been a problem for business patents, and perhaps software patents.
Note that their reasoning was taken straight from the few SCOTUS cases on record.
The following question arises whenever a patent is applied for on an abstract process:
Benson: NO
Diehr: YES (one of the prior SCOTUS cases)
Bilski: NO
This part of the Federal Circuit's reasoning may still stand.
Part of the Benson ruling:
Transformation and reduction of an article 'to a different state or thing' is THE clue to the patentability of a process claim that does not include particular machines.
The Diehr patent was for making rubber, using a computer to control the process. It wins the "different state or thing" standard hands down.
The federal circuit dismissed the "useful, concrete, or tangible result" test: that is NOT enough to establish patentability.
They also reject the "technological arts" test (see above) that was once-upon-a-time part of the method-patent rules. They agree that it is too hard to tell whether something involves the technological arts; however, unlike the USPTO, they end up ruling the OTHER WAY; that is, to reject MORE broadly than the TA test.
machine-or-transformation test: emphasize the OR.
We will, however, consider some of our past cases to gain insight into the transformation part of the test. A claimed process is patent-eligible if it transforms an article into a different state or thing. This transformation must be central to the purpose of the claimed process. But the main aspect of the transformation test that requires clarification here is what sorts of things constitute "articles" such that their transformation is sufficient to impart patent-eligibility under §101.
Tanning leather, curing rubber (Diehr case)
The raw materials of many information-age processes, however, are electronic signals and electronically-manipulated data. And some so-called business methods, such as that claimed in the present case, involve the manipulation of even more abstract constructs such as legal obligations, organizational relationships, and business risks. Which, if any, of these processes qualify as a transformation or reduction of an article into a different state or thing constituting patent-eligible subject matter?
Note that while the Bilski decision does not claim to reverse State Street (the case that led to business-method patents), most commentators seem to feel that it has that effect. It is less clear that Bilski would have had a significant effect on software patents.
Applying the Machine-or-Transformation test to famous cases
RSA? Material transformation in "real" terms? The transformation is to a file. While it is electronic, it is decidedly material.
MP3? Material transformation in "real" terms? An mp3 file isn't a physical thing, but it does have a certain "thingness". People think of them as things, and buy them as things. An mp3 file is material.
NTP? maybe no? The argument can be made that there is no "material thing" on the table here. Email messages are NOT it; the patent only addresses the delivery of email.
DataTreasury? It seems unlikely that DataTreasury's patents would stand up to this new test.
To some of you, hacking is clearly wrong and there shouldn't even be a question here. If you're one of them, just pay attention to the legal-strategies-against-hackers part.
However, is using a website in a manner contrary to the provider's intentions always hacking? A more serious case is logging on to a site, but not changing anything and in particular not committing theft.
Baase's "three phases of hacking"
1. Early years: "hacking" meant "clever programming"
2. ~1980-~1995: hacking as a term for break-in
    largely teenagers
    "trophy" hacking
    phone lines, BBSs, gov't systems
    lots of social engineering to get passwords
    1994 Kevin Mitnick Christmas Day attack on UCSD (probably not carried out by Mitnick personally), launched from apollo.it.luc.edu. [!]
3. post-1995: hacking for money
early years / trophy
Phone phreaking: see Baase, p 256
Joe "The Whistler" Engressia was born blind in 1949, with perfect pitch. He discovered (apparently as a child) that, once a call was connected, if you sent a 2600 Hz tone down the line, the phone system would now let you dial a new call, while continuing to bill you for the old one. Typically the first call would be local and the second long-distance, thus allowing a long-distance call for the price (often zero) of a local call. Engressia could whistle the 2600 Hz tone.
According to the Wikipedia article on John Draper, Engressia also discovered that the free whistle in "Cap'n Crunch" cereal could be modified to produce the tone; Engressia shared this with Draper, who popularized it. Draper took the nickname "Cap'n Crunch".
As an adult, Engressia wanted to be known as "Joybubbles"; he died in August 2007.
Draper later developed the "blue box" that would generate the 2600 Hz trunk-line-idle tone and also other tones necessary for dialing.
How do we judge these people today? At the time, they were folk heroes.
Everyone hated the Phone Company!
Is phone-phreaking like file sharing? Arguably, there's some public understanding now that phone phreaking is wrong. Will there later be a broad-based realization that file-sharing is wrong?
How wrong is what they did? Is there a role for exposing glitches in modern technology?
From Bruce Sterling's book The Hacker Crackdown: Law and Disorder on the Electronic Frontier, mit.edu/hacker:
What did it mean to break into a computer without permission and use its computational power, or look around inside its files without hurting anything? What were computer-intruding hackers, anyway -- how should society, and the law, best define their actions? Were they just browsers, harmless intellectual explorers? Were they voyeurs, snoops, invaders of privacy? Should they be sternly treated as potential agents of espionage, or perhaps as industrial spies? Or were they best defined as trespassers, a very common teenage misdemeanor? Was hacking theft of service? (After all, intruders were getting someone else's computer to carry out their orders, without permission and without paying). Was hacking fraud? Maybe it was best described as impersonation. The commonest mode of computer intrusion was (and is) to swipe or snoop somebody else's password, and then enter the computer in the guise of another person -- who is commonly stuck with the blame and the bills.
What about the Clifford Stoll "Cuckoo's Egg" case: tracking down an intruder at Berkeley & Livermore Labs; Markus Hess was a West German citizen allegedly working for the KGB. Hess was arrested and eventually convicted (1990). Berkeley culture at that time was generally to tolerate such incidents.
Robert Tappan Morris (RTM) released his Internet worm in 1988; this was the first large-scale internet exploit. Due to a software error, it propagated much more aggressively than had been intended, often consuming all the available CPU. It was based on two vulnerabilities: (1) a buffer overflow in the "finger" daemon, and (2) a feature [!] in many sendmail versions that would give anyone connecting to port 25 a root shell if they entered the secret password "wiz".
Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to gain fame for discovering a security vulnerability. There was no financial incentive.
The jury that convicted him spent several hours discussing Morris's argument that when a server listened on a port (eg an email server listening on port 25), anyone was implicitly authorized to send that port anything they wanted. That is, it is the server's responsibility to filter out bad data. While the jury eventually rejected this argument, they clearly took it very seriously.
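The finger-daemon bug above and the "server's responsibility to filter out bad data" argument are two sides of the same coding problem. The following is an added example (not from these notes or from the worm's era code) showing the vulnerable shape beside a hardened request reader and a login-name filter; the buffer size REQ_MAX and the function names are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Request-line buffer size, assumed for this example. */
#define REQ_MAX 512

/*
 * The vulnerable shape the notes describe: a fixed-size stack buffer filled
 * by an unbounded read. gets() cannot know the size of `line`, so a request
 * longer than REQ_MAX-1 bytes overwrites the stack beyond it. For contrast
 * only (gets() was removed from C11):
 *     char line[REQ_MAX];
 *     gets(line);
 */

/*
 * Hardened replacement: copy one request line from `req` (standing in for
 * the bytes read from the socket) into `buf`, which holds `cap` bytes.
 * Stops at '\n' or end of input, strips a trailing '\r', always
 * NUL-terminates. Returns the bytes stored, or -1 when the line does not
 * fit, so the caller rejects the request instead of acting on a truncated one.
 */
int read_request_line(const char *req, char *buf, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    while (req[n] != '\0' && req[n] != '\n') {
        if (n + 1 >= cap) {          /* no room left for the terminator */
            buf[0] = '\0';
            return -1;
        }
        buf[n] = req[n];
        n++;
    }
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    buf[n] = '\0';
    return (int)n;
}

/*
 * The other half of "the server's responsibility to filter out bad data":
 * a finger request names a login, so accept only characters a login name
 * can contain. Returns 1 if acceptable, 0 otherwise.
 */
int valid_username(const char *name)
{
    size_t i;
    if (name[0] == '\0')
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

int main(void)
{
    char user[REQ_MAX];
    char too_long[REQ_MAX * 2];           /* constructed oversized request */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("normal request: %d bytes\n", read_request_line("rtm\r\n", user, sizeof user));
    printf("oversized request: %d\n", read_request_line(too_long, user, sizeof user));
    printf("valid_username(\"rtm\") = %d\n", valid_username("rtm"));
    return 0;
}
```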
Mitnick attack: how much of a problem was that, after all? There are
reports that many Mitnick attacks were part of personal vendettas.
(Most of these reports trace back to John Markoff's book on Mitnick;
Markoff is widely believed to have at a minimum tried to put a slant on
the facts that would drive book sales.)
Mark Abene (Phiber Optik) was imprisoned for a year. That was rather long for the actual charge. Mitnick himself spent nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry Childs in San Francisco, now finally out of prison.
Calce, Abene & Mitnick all now work in computer security. Is this appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate?
If not, what could be done differently?
Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.
Computer Fraud & Abuse Act of 1986: made it illegal to access computers without authorization (or to commit fraud, or to get passwords)
USA PATRIOT Act:
Extends the CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs. Even costs of measures they should have already implemented.
Trespassing?
"Trespass of Chattels": maybe.
This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.
In 2000 eBay won a case against Bidder's Edge where the latter used search robots to get information on eBay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamidi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminating employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?
Modern phishing attacks (also DNS attacks)
Stealing credit-card numbers from stores. (Note: stores are not supposed to retain these at all. However, many do.)
Boeing attack, Baase p 262: how much should Boeing pay to make sure no files were changed?
TJX attack: Baase p 87 and p 271
The breakin was discovered in December 2006, but may have gone back to 2005.
40 million credit-card numbers were stolen! And 400,000 SSNs, and a large number of drivers-license numbers.
Hackers apparently cracked the obsolete WEP encryption on wi-fi networks to get in, using a "cantenna" from outside the building. Once in, they accessed and downloaded files. There are some reports that they eavesdropped on data streaming in from stores, but it seems likely that direct downloads of files were also involved.
Six suspects were eventually arrested. I believe they have all now been convicted; there's more information in the privacyrights.org page below (which also pegs the cost to TJX at $500-1,000 million). The attacks were apparently masterminded by Albert Gonzalez, one of the six: http://www.cio.com/article/500114/Alleged_Kingpin_of_Data_Heists_Was_a_Computer_Addict_Lawyer_Says. Gonzalez was sentenced to 20 years, though part of that was for other crimes.
For a case at CardSystems Solutions, see http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html. Here the leak was not due to wi-fi problems, but lack of compliance with standards was apparently involved. Schneier does a good job explaining the purely contractual security requirements involved, and potential outcomes. Schneier also points out
The TJX and CardSystems attacks were intentional, not just data gone missing.
When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.
Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.
TJX attack and PCI DSS
An emerging standard is the Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org.
Note that PCI DSS is not a law, but is "private regulation". Once upon a time, the most effective regulators of steam-powered ships were insurance companies [reference?]. This is similar, but MasterCard and Visa are not quite the same as insurers. From the FAQ above:
It is important to be familiar with your merchant account agreement, which should outline your exposure.
If you are a store, you can refuse to pay the fine. But then you will lose the ability to accept credit cards. This is extremely bad!
Visa's CISP program is described at http://www.visa.com/cisp.
The PCI standards do allow merchants to store the name and account-number data. However, this is strongly discouraged. Sites that keep this information are required by PCI to have it encrypted.
CardSystems was keeping this data because they were having a higher-than-expected rate of problems with transactions, and they were trying to figure out why.
What is it? What can be done? And WHO IS RESPONSIBLE??
The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".
Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.
This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.