Computer Ethics, Summer 2012
Corboy Law 602; Tuesdays & Thursdays, 6:00-9:00
Week 6, Class 12
How has the internet affected communication?
Personal
- cheap telephony
- cell phones
- skype
Are there any drawbacks here? Baase identified the following in Chapter
1 as associated with cell phones:
- greater risk-taking
- talking and texting while driving
- loss of solitude
- pervasive cameras
Workplace
- better ways of staying in touch
- better collaboration tools
Are there any drawbacks here? Offshoring? 24/7 work schedules?
Media
- we can google for anything
- There is lots of online news
- grassroots organizations can create their own online news
- most major media outlets have online versions
- wireless makes it even more pervasive
What about drawbacks here? Some possible examples:
- People can now get their information only from like-minded
people.
- What has happened to journalism in the last ten years? Has it
gotten stronger?
Hacking and probing
Is it ok to be "testing their security"?
What if it's a government site?
Should you be allowed to run a security scanner against other sites?
What if the security in question is APPALLINGLY BAD?
What if you have some
relationship to the other host?
Baase, p 270:
"The Defense Information Systems Agency estimated that there were
500,000 hacker attacks on Defense Department networks in 1996, that 65%
of them were successful, and
that the Dept detected fewer than 1%". But 1996 was a long long time
ago.
Do we as citizens have an obligation
to hack into our government's computers, to help demonstrate how
insecure they are?
Actually, the US government has gotten a lot tighter in the past decade,
and somewhere I have a list of IP addresses which, if you portscan, will
get your ISP contacted and may get some US marshals invited to your house.
What about hacking into Loyola's computers? Are we obligated to do that? What about
Loyola's wireless network?
Ok, once upon a time there might have been some notion of an
obligation to inform "friendly" sites that there were problems with
their security, but unsolicited probing is pretty much a bad idea
today.
What is our obligation to prevent
intrusions at other sites that are not likely to be directly harmful to
us?
Hacktivism
In 2006, Kevin Mitnick's sites were defaced by a group. There's some
irony there.
Other Baase cases:
- several attacks against Chinese government sites, due to
repressive policies
- pro-Zapatista groups defacing Mexican government sites
- US DoJ site changed to read "Department of Injustice"
Maybe the most famous example right now is the Anonymous group. See the wikipedia
list at http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous.
Most
of the attacks have some connection with some form of authoritarian
governmental crackdown, though some of the crackdowns are "only"
against copyright infringement. Occasionally an attack is to harass a
particularly conservative group, as seen from a relatively juvenile
perspective
(see the entry in the above wikipedia timeline for "No
Cussing Club").
Most of the attacks are based on distributed denial-of-service
methods.
More serious entries:
- Iranian election protests
- Zimbabwe
- Support of Wikileaks
- Arab Spring support
- Westboro Baptist Church
- Operation Malaysia
- Operation DarkNet (arguably an attack against internet privacy!)
- Occupy Wall Street
- Operation Nigeria
- Operation Russia
Operations more focused on censorship might include
- Operations Didgeridie and Titstorm (about Australian internet
censorship)
- Operation Sony (in response to Sony's lawsuits against George
Hotz)
- Cox DNS server attacks
Can these sorts of activities be justified? What about hacking Sony
over rights to use the Playstation 3 as users see fit?
Zero-Day Exploits
Should they be tolerated? Encouraged?
- Sometimes vendors ignore exploit reports without the publicity.
- Sometimes users really need a script to tell them if they are
vulnerable; such a script is typically tantamount to an exploit
- Sometimes announcing a flaw gives crackers all they need to
exploit it; withholding details merely gives false security.
Consensus seems to be that zero-day
exploits are a bad idea,
that
one has some responsibility to let vendors know about an exploit so a
patch can be developed. Though there is also a fairly significant
consensus (perhaps not quite as universal) that if the vendor doesn't
respond you have to do something public.
Microsoft's Patch Tuesday has long been followed by Exploit Wednesday.
Cisco 2005 case involving Michael
Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
Cisco threatened legal action to stop
the [July 2005 Black Hat] conference's organizers from
allowing a 24-year-old researcher for a rival tech firm to discuss how
he says hackers could seize control of Cisco's Internet routers, which
dominate the market.
Cisco called the disclosure "premature" and claimed Lynn had "illegally
obtained" the information by reverse-engineering. Lynn acknowledged
that he had disassembled some Cisco code, based on an announced Cisco
patch, but found an additional problem that could allow an outsider to
take over the router. Note that a patch had already been released by
Cisco, but many customers had not installed it because Cisco had not
indicated it was important.
Lynn allegedly demoed his findings to Cisco in June 2005. Initially
there had
been talk about a joint security presentation, but these broke down.
Or never started; this is not clear. The Black Hat conference was in
late July 2005.
Lynn pretty much did give his
presentation at Black Hat 2005, somewhat unofficially.
The Cisco lawsuit apparently ended with Lynn agreeing not to discuss the
vulnerability further, an agreement that still stands today. An
injunction against such discussion was apparently filed in Federal
District Court.
Cisco has never offered an explanation for why they were so upset. It
is safe to assume, however, that the threat was
serious, and that someone within Cisco dropped the ball earlier. Their
official objection was that Lynn violated the EULA by decompiling the
code; generally speaking, as an objection this makes no sense.
At the 2006 Black Hat conference, Cisco was a sponsor. Lynn was
apparently invited to the party the company sponsored, although even
today his relationship with Cisco is frosty.
Schneier also has a 2001 essay on full disclosure (with advance notice
to the vendor) at http://www.schneier.com/crypto-gram-0111.html.
MBTA Card
In 2008, three MIT students, Russell Ryan, Zack Anderson, and
Alessandro Chiesa, developed Anatomy
of a Subway Hack (see http://cs.luc.edu/pld/ethics/charlie_defcon.pdf
(especially pages 5, 8, 11/12, 24ff, 41, 49, and 51)). One of the
methods of attack was to take advantage of a vulnerability in the
Mifare Classic RFID chip used by the MBTA's "Charlie Card". They
intended to present their findings at the 2008 Defcon.
US District Judge George O'Toole granted a 10-day preliminary
restraining order against the group, but then let it expire without
granting the five-month injunction requested by the MBTA. The MBTA's
legal argument was that the paper violated the Computer Fraud and Abuse
Act, but the problem is that the CFAA normally applies to worms and
viruses themselves, and not
to publishing information about them.
Much of the information in the report is highly embarrassing to the
MBTA, such as the photographs of gates left unlocked. Should they be
allowed to block that?
The MIT group apparently asked their professor, Ron Rivest (the R of
RSA), to give the MBTA an advance heads-up, but it apparently did not
happen immediately as Rivest was traveling at the time, and in any
event would have amounted to just a week or so. The MBTA was eventually
informed, and quickly pushed for an FBI investigation.
The MIT group's RFID hack was based on the work of Gans, Hoepman, and
Garcia in finding flaws in the Mifare Classic chipset; see http://cs.luc.edu/pld/ethics/mifare-classic.pdf.
This is a serious academic paper, as you can tell by the font. Their
work is based on earlier work by Nohl and Plötz, which they cite. On
page 4 of my copy the authors state
We would like to stress that we
notified NXP of our findings before publishing our results. Moreover,
we gave them the opportunity to discuss with us how to publish our
results without damaging their (and their customers) immediate
interests. They did not take advantage of this offer.
Note also that the attack is somewhat theoretical, but it does allow
them to eavesdrop on the encrypted card-to-reader communications, and
to read all of data-block 0 stored on the card (and other blocks, if
the data is partially known).
Nohl has said, "It has been known for years that magnetic stripe cards
can easily be
tampered with and MBTA should not have relied on the obscurity of their
data-format as a security measure".
Hacking Summary
What legal responses are appropriate?
Should we criminalize having hacking tools?
What about magnetic-stripe readers? RFID readers?
What about Pringles cans (for use as cantennas)?
What about DVD players that bypass the region code?
What about C compilers?
What about jailbroken phones or other "sealed" devices?
Note that it is in fact already de
facto
illegal (in the sense that police will arrest you if they find out, and
you belong to a Suspicious Group) to possess certain things that
can have illegal uses, such as automotive dent pullers (used to pull
cylinders out of locks) and tools that look like they might be lock
picks.
Felony prosecutions: Kutztown 13,
Randal Schwartz, Terry Childs, Julie Amero
Kutztown 13
Students were issued 600 Apple iBooks in 2004. The admin password was
part of the school's address, taped to the back! The password was
changed, but the new one was cracked too. Some of the students got admin
privileges and:
- bypassed browser filtering
- installed chat/IM software, maybe others
- disabled monitoring software
The students were accused of
monitoring teachers or staff, but that seems unlikely.
The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
The offenders were warned repeatedly.
But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge
was for felony computer trespass.
The school argued that the charges were filed because the students
signed an "acceptable use"
policy. But why should that make any difference in whether felony
charges were pursued?
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
Randal Schwartz
http://www.lightlink.com/spacenka/fors
Oregon made it a felony to do
anything unauthorized, even if
harm was not shown (or did not exist). Here is the text of part of the
law; note the lack of mention of harm:
(4) Any person who knowingly and
without authorization uses, accesses or attempts to access any
computer, computer system, computer network, or any computer software,
program, documentation or data contained in such computer, computer
system or computer network, commits computer crime.
Also, taking a file without authorization was declared to be theft.
The problem is that, in the real world, authorization is often rather
indirect. If you're doing something for the benefit of your employer,
and your employer does not object, would that always be considered
"authorized"?
Schwartz was a contract employee at Intel. He faced three counts:
- Installation of an email backdoor at Intel (he thought he had
some kind of permission)
- Taking password file
- Taking individual passwords
It seems clear, both at the time and in retrospect, that Schwartz not
only never had any intent to cause any harm at Intel, but that in fact
his intent had been to prevent harm at Intel, by continuing to monitor
for weak passwords. This turned out not to matter.
The activities listed in the second and third counts above he had
begun doing while assigned to be a sysadmin at Intel. He was later
assigned to other duties, but was still concerned about password
security, and did not think his replacement shared this concern. So he
continued to run the
"crack" program to guess passwords. This involved copying the public
/etc/passwd file, which at that time contained the encrypted passwords,
and to this day contains the username-to-userid mapping used every time
you run ls -l. His actions
have been described by Wikipedia as "penetration testing", but this is
a bit of a misnomer as he didn't penetrate the systems involved at all.
When weak passwords were discovered, he would notify the user.
Intel strongly pushed for his prosecution. There is no evidence,
however, that before Schwartz's arrest Intel was in any way dissatisfied
with his job performance. Intel's Mark Morrissey insisted that "Randal
did not have permission for this activity," which was doubtless true
narrowly construed, but Schwartz had file-access permission to read the
encrypted passwords and general Intel permission to run work-related
programs. In Morrissey's report, it appears that Intel security people
"found" evidence of Schwartz's cracking, but Schwartz himself had never
made any attempt to conceal it.
During Schwartz's trial, it turned out that Intel VP Ed Masi had also
violated the Oregon Computer Law. He was not prosecuted.
The appeals court held that although "authorization" wasn't spelled
out
in the law, Schwartz did things without authorization as narrowly
interpreted. The appellate court also upheld the trial court's
interpretation of "theft": taking anything without permission, even if
the thing is essentially useless or if the taking is implicitly
authorized.
The appellate court also seemed to believe that Schwartz might have
been looking for flaws to take credit for them, and that such personal
aggrandizement was inappropriate. But employees all the time
look for problems at work and try to fix them, hoping to receive
workplace recognition. In many other contexts, employees who make the
extra effort to "look for flaws" are considered exemplary.
The Schwartz and Kutztown 13 cases have in common the idea that sometimes
the law makes rather mundane things into felonies. For Schwartz, it is
very clear that he had no "criminal" intent in the usual sense,
although he did "intend" to do the actions he was charged with.
What
do you do if you are a system administrator, or a database
administrator, and your nontechnical supervisor wants the root
password? And you don't think they are technically competent to have
it? The case of Terry Childs addresses this.
Terry Childs
The Schwartz, Childs and Amero cases have in common that the behavior
involved is something some people might find well within the range of
the acceptable, while others might find it seriously criminal. These
aren't like banking-industry cases; none of the defendants was trying to
push the envelope in terms of what they could "get away with". All three
felt they were "just doing their jobs".
Julie Amero case
On October 19, 2004, Amero was a substitute teacher (7th grade) at
Kelly Middle School, Connecticut. At some point early in the school
day, the teacher's desk computer started displaying an unstoppable
stream of pornographic web pages. Clicking the close button on one
simply brought up others. This is by now a well-known javascript
vulnerability.
Amero had been explicitly told never
to disturb anything in the classroom,
and in particular not to turn the computer off. So she didn't. She had
apparently no idea how to turn off just the monitor. She spent much of
her day at her desk, trying to fix the problem by closing windows. She
did not attempt to tape something over the monitor, or cover the
monitor with something, or turn the monitor face down.
Someone apparently decided that she was actively surfing porn. Within
two days, she was told she couldn't substitute at that school; she was
arrested shortly thereafter.
Amero had complained to other teachers later that day. Why she didn't
demand that something be done during the lunch hour is not clear. Why
she didn't tape something over the screen is not clear. Amero claimed
that two kids used the computer before the start of class, at a
hairstyles site, but others claimed that could not have happened
because it was not allowed.
It later turned out that the school's content-filter subscription had
lapsed, and so the filter was out of date. Also, the computer had
several viruses or "spyware" programs installed. In retrospect, some
sort of javascript attack seems to have been the proximate cause.
In January 2007, she was convicted of impairing the morals of a child.
This was despite computer-forensic evidence that a hairstyles site
triggered a scripting attack that led to the Russian porn sites.
The prosecutor's closing arguments hinged on the idea that some of the
links in question had "turned red", thus "proving" that they had been
clicked on (i.e., deliberately by Amero) rather than having been
activated via scripting. This is false at several levels: link colors
for followed links can be any color at the discretion of the page, and
if a page has been opened via a script, links to it are
indistinguishable from links that were clicked on.
In June 2007 Amero was granted a new trial, and in November 2008 she
pleaded guilty to a misdemeanor disorderly conduct charge and forfeited
her teaching credentials.
Amero's failure to regard the computer problem as an emergency probably
contributed to her situation.
I discussed her case with a School of Education class once, and the
participants were unanimous in declaring that Amero was incredibly
dense, at best, and should not be in the classroom.
Trust
With all the concern about online theft, why do we trust online
merchants at all? For that matter, why do we trust people we've met on
facebook, etc?
Why we trust online sites:
- we check out companies (at least some of us do)
- lack of bad experiences
- belief bad things won't happen to us
- credit card limited liability
Overall, it seems that lack of bad past
experience has the most to do with why we trust. (Also, it doesn't
appear to take much experience for many people to feel comfortable with
something.)
What about personal sites? (Not necessarily dating, but those too.) How
do we form online friendships (eg at discussion sites)? What about
forming new friends on facebook? What makes us
think people aren't completely deceiving us? What about in face-to-face settings? Is that any
different????
Some foreign governments have apparently expressed the concern that
Windows must have some sort
of back-door access mechanism accessible to the CIA.
Trusting software:
how do we do this? What responsibility do vendors have?
is there an obligation for software to work
on our behalf?
is there a "fiduciary obligation"?
How much can you count on trusting your email
software, or trusting your browser?
The organization Stopbadware.org
is devoted to identifying (and defining) "badware" on your computer.
Here's an earlier definition:
Badware is software that fundamentally
disregards a user’s choice regarding how his or her computer will be
used. You may have heard of some types of badware, such as spyware,
malware, or deceptive adware. Common examples of badware include free
screensavers that surreptitiously generate advertisements, malicious
web browser toolbars that take your browser to different pages than the
ones you expect, or keylogger programs that can transmit your personal
data to malicious parties. [stopbadware.org/home/badware]
What about DRM? What about Windows?
Recently, however, Stopbadware has shifted its emphasis from locally
installed software to javascript malware included on websites; in fact,
they largely serve as a clearinghouse for bad sites.
The biggest problem stopbadware.org has is figuring out what qualifies.
You'd think this would be easy.
Most is spyware or viruses or some inappropriate "control" software (eg
Sony's "rootkit", below)
An older stopbadware.org definition
1. If the application acts deceptively or
irreversibly.
2. If the application engages in potentially objectionable
behavior without:
- First, prominently disclosing to the user that it will engage in
such behavior, in clear and non-technical language, and
- Then, obtaining the user’s affirmative consent to that aspect of
the application.
Here is their current list, from http://stopbadware.org/guidelines/software,
of things software must not
do:
- Software must be installed or executed on a computer only
with the informed, affirmative consent of the user or administrator.
- Software must inform the user or administrator prior to
engaging in potentially unwanted behavior.
- Software must not use deceptive behavior or language to
influence decisions by the user or administrator.
- Software must provide the ability for the application and
all of its functionality to be removed in a reasonable manner and
without undue interference.
Also see http://stopbadware.org/home/alerts:
RealPlayer had been here (Spr 2008?) (still in stopbadware.org/home/alertsarchive)
We find that RealPlayer 10.5 is badware
because it fails to accurately
and completely disclose the fact that it installs advertising software
on the user's computer. We additionally find that RealPlayer 11 is
badware because it does not disclose the fact that it installs Rhapsody
Player Engine software, and fails to remove this software when
RealPlayer is uninstalled.
KaZaa had been here (Spring 2008?)
We find that Kazaa is badware because
it misleadingly advertises itself as spywarefree, does not completely
remove all components during the uninstall process, interferes with
computer use, and makes undisclosed modifications to other software.
Spyware Striker Pro (Spring 2009)
(ironically, this is NOT "fake"
spyware-removal software!)
Trusting Merchants
Technological issues & trust: can we at least trust that we're
talking to the person we think
we're talking to?
Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the
person). Otherwise you can get a bad key, write to them using it, and
be victim of a man-in-the-middle attack.
(public key crypto: each person has a public key and a private key. If
someone encrypts a message to you with your public key, you can decrypt
it with your private key. Similarly, if you encrypt something with your
private key, anyone can decrypt it with your public key, and in the process verify that it was
encrypted with your private key. That last bit means that the
message can act as your DIGITAL SIGNATURE.)
How can we TRUST our keys?
Alice needs Bob's key.
- She can meet Bob at a key-signing party. Bob can give her his key
hash.
- She can ask Chuck. Chuck says Bob's online keyhash is legit.
- She can decide NOT to trust Chuck, at least about Bob, and ask
Dora instead. Dora has never met Bob, but got Bob's keyhash from Ernie,
who has.
- She can ask someone who has a large group of signed verifications
of keys. Three of them are signed verifications of Bob's key.
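The four ways Alice can come to accept Bob's key, above, as an added example (not from the notes or from any PGP implementation): a simplified web-of-trust model in which a key is valid if Alice verified it herself, if a fully trusted introducer with a valid key signed it, or if enough marginally trusted introducers did. The names and the threshold of two marginal signers are assumptions.

```python
from typing import Dict, Set

# Trust levels Alice may assign to someone as an introducer (how much she
# believes that person checks a key before signing it).
FULL, MARGINAL, NONE = "full", "marginal", "none"


class KeyRing:
    """Alice's view of the web of trust (constructed model, not GnuPG's algorithm)."""

    def __init__(self, owner, marginals_needed=2):
        self.owner = owner
        self.marginals_needed = marginals_needed   # how many marginal introducers suffice
        self.verified: Set[str] = set()            # keys Alice checked herself (key-signing party)
        self.trust: Dict[str, str] = {}            # name -> introducer trust level
        self.signatures: Dict[str, Set[str]] = {}  # subject -> set of signers vouching for the key

    def verify_in_person(self, who):
        self.verified.add(who)

    def set_trust(self, who, level):
        self.trust[who] = level

    def add_signature(self, signer, subject):
        self.signatures.setdefault(subject, set()).add(signer)

    def is_valid(self, subject, _visiting=frozenset()):
        """Does Alice have enough evidence that `subject`'s key really belongs to them?"""
        if subject == self.owner or subject in self.verified:
            return True
        if subject in _visiting:            # cycle guard: signatures that loop prove nothing
            return False
        visiting = _visiting | {subject}
        marginal_votes = 0
        for signer in self.signatures.get(subject, ()):
            level = self.trust.get(signer, NONE)
            # A signature only counts if the signer is trusted as an introducer AND
            # the signer's own key is valid (otherwise anyone could forge the signature).
            if level == NONE or not self.is_valid(signer, visiting):
                continue
            if level == FULL:
                return True
            marginal_votes += 1
        return marginal_votes >= self.marginals_needed


def scenarios():
    """The four routes from the notes, each run on a fresh key ring."""
    results = {}

    # 1. Key-signing party: Alice compared Bob's key hash with Bob himself.
    ring = KeyRing("Alice")
    ring.verify_in_person("Bob")
    results["party"] = ring.is_valid("Bob")

    # 2. Ask Chuck: Alice verified Chuck's key and trusts him fully as an introducer.
    ring = KeyRing("Alice")
    ring.verify_in_person("Chuck")
    ring.set_trust("Chuck", FULL)
    ring.add_signature("Chuck", "Bob")
    results["via_chuck"] = ring.is_valid("Bob")

    # 3. Alice does NOT trust Chuck; Dora vouches for Ernie, who actually met Bob.
    ring = KeyRing("Alice")
    ring.verify_in_person("Chuck")
    ring.set_trust("Chuck", NONE)
    ring.add_signature("Chuck", "Bob")        # ignored: Chuck is not a trusted introducer
    ring.verify_in_person("Dora")
    ring.set_trust("Dora", FULL)
    ring.set_trust("Ernie", FULL)             # Alice trusts Ernie's judgement but never checked his key...
    ring.add_signature("Dora", "Ernie")       # ...Dora's signature is what makes Ernie's key valid
    ring.add_signature("Ernie", "Bob")
    results["via_dora_and_ernie"] = ring.is_valid("Bob")

    # 4. Key server: three marginally trusted people each signed Bob's key.
    ring = KeyRing("Alice", marginals_needed=2)
    for name in ("Frank", "Gina", "Hal"):
        ring.verify_in_person(name)
        ring.set_trust(name, MARGINAL)
        ring.add_signature(name, "Bob")
    results["three_marginal"] = ring.is_valid("Bob")
    ring.signatures["Bob"] = {"Frank"}        # a single marginal signer is not enough
    results["one_marginal"] = ring.is_valid("Bob")
    return results


if __name__ == "__main__":
    for route, ok in scenarios().items():
        print(f"{route:20s} -> {'valid' if ok else 'NOT valid'}")
```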
SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name
Any pair of entities can negotiate a session key:
- each gets the other's public key
- each chooses some bits at random and encrypts them with the other's
public key
- exchange these; the other side decrypts
- now pick one key, or xor them, or concatenate them, or whatever.
You're guaranteed a random key provided
the other side does not see
your bits before choosing theirs. There are protocols to
enforce that
(eg exchanging encrypted bits and then exchanging special keys to
decrypt them)
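The ordering problem just described, as an added example (not from the notes): in the bare exchange, whoever sends second can pick their bits to force any key they like; committing to the bits before either side reveals prevents this. The commitment here is a hash of a nonce plus the bits, a swapped-in technique standing in for the "encrypt, then hand over the decryption key" approach mentioned above; the public-key encryption of each contribution (which hides the bits from eavesdroppers) is left out so the code shows only the ordering guarantee.

```python
import hashlib
import secrets

KEY_BYTES = 16


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def naive_exchange(alice_bits, bob_choose):
    """The bare protocol: Alice sends her bits first; Bob picks his AFTER seeing them.

    bob_choose is Bob's strategy as a function of Alice's bits. If he waits, he can
    make the combined key anything he likes, so it is no longer random from
    Alice's point of view."""
    bob_bits = bob_choose(alice_bits)
    return xor_bytes(alice_bits, bob_bits)


def commit(contribution):
    """Publish H(nonce || contribution); keep the nonce secret until the reveal.

    The nonce stops the other side from brute-forcing short contributions, and
    SHA-256 makes it infeasible to find a second opening for the same digest."""
    nonce = secrets.token_bytes(KEY_BYTES)
    return hashlib.sha256(nonce + contribution).digest(), nonce


def opens(commitment, nonce, contribution):
    return hashlib.sha256(nonce + contribution).digest() == commitment


def commit_then_reveal(alice_bits, bob_bits, bob_target=None):
    """Both sides commit before either reveals. Returns (alice_key, bob_key);
    a side that rejects the other's opening gets None instead of a key."""
    # Round 1: exchange commitments (neither side has seen any bits yet).
    c_alice, n_alice = commit(alice_bits)
    c_bob, n_bob = commit(bob_bits)
    # Round 2: Alice opens first, so Bob now knows her bits...
    if bob_target is not None:
        # ...and tries to force the final key to bob_target by "choosing" now.
        bob_reveal = xor_bytes(alice_bits, bob_target)
    else:
        bob_reveal = bob_bits
    # Each side checks the other's opening against the commitment it already holds.
    alice_key = xor_bytes(alice_bits, bob_reveal) if opens(c_bob, n_bob, bob_reveal) else None
    bob_key = xor_bytes(alice_bits, bob_reveal) if opens(c_alice, n_alice, alice_bits) else None
    return alice_key, bob_key


if __name__ == "__main__":
    a = secrets.token_bytes(KEY_BYTES)
    b = secrets.token_bytes(KEY_BYTES)
    all_zero = bytes(KEY_BYTES)
    # Bob waits and steers the key to all zeros:
    print("naive, Bob waits   :", naive_exchange(a, lambda theirs: xor_bytes(theirs, all_zero)).hex())
    print("committed, honest  :", commit_then_reveal(a, b)[0].hex())
    print("committed, cheating:", commit_then_reveal(a, b, bob_target=all_zero)[0])
```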
BUT: how do you know you're not about to give your credit card to a bad
guy with whom you've just created a session key?
Ask landsend.com for their SSL certificate. Receive it. It includes
digital signatures by well-known Certificate Authorities, or CAs. It
also includes the DNS name.
CHECK it by using the known public key of one of the CAs. These keys are
preinstalled in your browser.
This prevents man-in-the-middle attacks, but won't help if the router or
DNS is hacked.
Their SSL server also uses public-key encryption to sign something with
the current date/time, so replay isn't feasible either.
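The certificate check described above, as an added example (not from the notes, and not how any real browser or TLS library does it): a toy CA signs a (DNS name, public key) binding, the "browser" verifies it against a preinstalled CA key and checks the name, and the server proves freshness by signing the current time. Textbook RSA with small primes stands in for real signatures, the CA and site names are constructed, and the client-chosen nonce in the freshness step is an assumption the notes do not mention.

```python
import hashlib
import json

MAX_SKEW = 300  # seconds a signed timestamp may differ from the client's clock


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes. Toy sizes: for illustration only, not secure."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)  # (public, private)


def _digest(n, data):
    # Hash first, then reduce into the modulus range (real schemes pad instead).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    d, n = private_key
    return pow(_digest(n, data), d, n)


def verify(public_key, data, signature):
    e, n = public_key
    return pow(signature, e, n) == _digest(n, data)


def encode(obj):
    # Canonical bytes so signer and verifier hash exactly the same thing.
    return json.dumps(obj, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, dns_name, subject_public):
    """The CA binds a DNS name to a public key and signs that binding."""
    body = {"dns": dns_name, "issuer": ca_name, "pubkey": list(subject_public)}
    return {"body": body, "sig": sign(ca_private, encode(body))}


def check_certificate(cert, expected_dns, trust_store):
    """Browser side. trust_store maps preinstalled CA names to their public keys."""
    body = cert["body"]
    ca_public = trust_store.get(body["issuer"])
    if ca_public is None:
        return "unknown CA"            # signed by nobody the browser knows
    if not verify(ca_public, encode(body), cert["sig"]):
        return "bad CA signature"      # body altered after the CA signed it
    if body["dns"] != expected_dns:
        return "name mismatch"         # genuine cert, but for some other site
    return "ok"


def prove_freshness(server_private, client_nonce, now):
    """Server signs the client's nonce together with its own clock reading."""
    msg = {"nonce": client_nonce, "time": now}
    return {"msg": msg, "sig": sign(server_private, encode(msg))}


def check_freshness(proof, server_public, client_nonce, now):
    """Client side: the key from the certificate must have signed THIS exchange, recently."""
    msg = proof["msg"]
    if not verify(server_public, encode(msg), proof["sig"]):
        return "bad server signature"
    if msg["nonce"] != client_nonce:
        return "nonce mismatch"        # captured from some other session
    if abs(now - msg["time"]) > MAX_SKEW:
        return "stale"                 # replay of an old but genuine exchange
    return "ok"


if __name__ == "__main__":
    ca_public, ca_private = rsa_keypair(1000003, 1000033)     # toy "well-known CA"
    srv_public, srv_private = rsa_keypair(999983, 1000037)    # toy landsend.com key
    browser_store = {"ToyCA": ca_public}                       # "preinstalled" CA key
    cert = issue_certificate("ToyCA", ca_private, "landsend.com", srv_public)
    print("right site :", check_certificate(cert, "landsend.com", browser_store))
    print("wrong site :", check_certificate(cert, "example.com", browser_store))
    proof = prove_freshness(srv_private, "nonce-1", 1000)
    print("fresh      :", check_freshness(proof, srv_public, "nonce-1", 1010))
    print("replayed   :", check_freshness(proof, srv_public, "nonce-1", 5000))
```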
What does this have to do with TRUST?
Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?
Edit => Preferences => Advanced => Encryption => View Certs
Of course, one of the real
reasons we trust online commerce -- that we have relatively few bad
experiences -- is
related to all this encryption in that it makes it much harder for bad
guys to eavesdrop. (The most likely location for bad guys, btw, is
either in your house or on your local cable loop.)
Note this is powerless against phishing attacks. Although the new
Extended Validation SSL Certs might help. Might.
Back to why we trust online vendors:
- we check out companies (at least some of us do)
- lack of bad experiences
- belief bad things won't happen to us
- credit card limited liability (not applicable to debit cards!)
- ???
Overall, it seems that lack of bad past experience has the most to do
with why we trust. This seems to be
the case with face-to-face and brick-and-mortar relationships just as
much as with online situations.
Trusting software part 2:
how do we do this? What responsibility do vendors have?
We've seen that people form trust relationships based on a fairly
limited set of positive experiences (though a limited set of negatives,
as well). Sometimes it seems that software has a lot to live up to, in
that we trust it because we don't see
bad experiences, but it is so easy for software to take advantage of us.
- collecting personal information
- Sony "rootkit" cd driver (below)
Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed
the email?
The images issue has been around for almost a decade; many email
vendors (and many freemail providers) have been reluctant to support
image-blocking until ~2006 or later. (There may be legitimate reasons
for that: it may be perceived as a
hard-to-understand option.)
Browsers: browsers do all sorts of identification of themselves
when
they connect. Some of that is important; some is questionable. Most
browsers do not leak "private" information, though they do leak the
browser and OS you are using. Furthermore, this is hard to change!
Try http://www.jms1.net/ie.shtml,
with internet explorer. (Actually, go to jms1.net,
and you get
redirected to the linked site if you're using IE. At one point there
was a page on the site that would simply make IE die.)
IE's entire ActiveX security model arguably is broken; ActiveX is an
approach to security where you trust any signed software.
Java, on the other hand, trusts any source, but runs the
software in a "sandbox" where it (hopefully) can't damage your machine.
Note that, in the real world, Java controls are rarely used; instead,
websites run Javascript
on your machine. While Javascript has some of the sandbox features of
Java, it can still have a very negative effect on your browser.
What about plugins?
Many browser plugins do leak
some degree of private information. When you register a plugin, you
connect some personal information to that plugin. Also, some plugins
contact the mothership at regular intervals.
See http://spywareremove.com/remove-BrowserPlugins
SEVERAL media players (plugin or otherwise) may do some checking of
licenses or with the mothership before allowing play. Perhaps most
players
from media companies behave this way.
What about compatibility lock-in?
To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
locks you out of lots of things.
Trusted side: can't be reached by debuggers or
viruses
Problem: machine now is autonomous; vendor has
complete control. Do you trust your vendor?
Software updates, file compatibility,
From Windows Internals by Russinovich & Solomon:
In the Windows security model, any
process running with a token containing the debug privilege (such as an
administrator’s account) can request any access right that it desires
to any other process running on the machine...
This logical behavior (which helps ensure
that administrators will always have full control of the running code
on the system) clashes with the system behavior for digital rights
management requirements imposed by
the media industry
on computer operating systems that need to support playback of
advanced, high-quality digital content such as BluRay and HD-DVD media.
To support reliable and protected playback of such content, Windows
uses protected processes.
These processes exist alongside normal Windows processes, but they add
significant constraints to the access rights that other processes on
the system (even when running with administrative privileges) can
request.
Protected processes can be created by
any application; however, the operating system will only allow a
process to be protected if the image file has been digitally signed
with a special Windows Media Certificate. The Protected Media Path
(PMP) in Windows Vista makes use of protected processes to provide
protection for high-value media, and developers of applications such as
DVD players can make use of protected processes by using the Media
Foundation API.
Will all software vendors eventually request that their applications
be protected? It would sure put a damper on reverse-engineering!
SONY case has the rights of users front and center.
Sony's 2005 "XCP" copy-protection scheme : it installed a private CD
driver
AND a hidden "r00tkit" (so named by Mark Russinovich, then of
sysinternals.com) that conceals itself and hides some registry
keys.
Is this legit?
How does it compare with Palladium (secure-computing platform)?
Users do click on a license
agreement. Were they sufficiently warned? (The software was apparently
installed before the EULA
came up; and in any event clearly the EULA did not explain just what
was going on.)
Note from Mark Russinovich, via wikipedia:
He also mentioned that the XCP software
installed silently before the EULA appeared, that the EULA does not
mention the XCP software, and that there was no uninstaller, all of
which are illegal in various ways in various jurisdictions. Several
comments to the entry recommended a lawsuit against Sony BMG.
There is now a virus/worm out that takes advantage of the sony kit.
Sony issued an uninstall utility that didn't actually uninstall the
software, but did make it visible. However, users had to supply an
email address, which by Sony's privacy policy was eligible for spamming.
This or a later removal kit allegedly ADDED a bad ActiveX control.
While we're on the subject of Sony, there was a report a while back (in
print, which I can't find now) that a significant breakin at US
Government sites was precipitated by flaws in the LimeWire file-sharing
package. As in, under some circumstances LimeWire would share everything.
Trusting voting machines
If we trust our phones and calculators, why on earth shouldn't we trust
voting machines?
Because nobody will gain from
secretly having our phones and calculators give incorrect results. We
would find out almost immediately, after all.
(And there are many phone
viruses.)
In 2006, Ariel J Feldman, Alex Halderman and Edward Felten examined a
particular model of the Diebold voting machine. They found serious
flaws.
Look at the video here.
Question to think about and for discussion:
- Who are we trusting when we use these machines in an
election?
- How is this trust different with paper ballots?
- Why did they make the video (versus just writing a
paper)?
- Why did most voting officials insist there was no serious problem?
Notes: just booting with a clean memory card does NOT necessarily clear
the machine! The bootloader in flash memory may have been corrupted. The
machine loads a new bootloader from every card that carries a file named
fboot.nb0.
Seals (which Diebold recommends) are often ignored, and if they are not,
breaking them constitutes an effective DoS attack.
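To make the note concrete, here is an added Python model (not Diebold's code and not part of these notes) of a loader that accepts any fboot.nb0 from a card, beside a hardened loader that accepts only images whose SHA-256 digest is on a pinned allowlist; the firmware images and card contents are constructed stand-ins.

```python
# Added example: a model of the boot behaviour described in the notes above.
# Names, images and card contents are constructed stand-ins, not real firmware.
import hashlib

BOOTLOADER_FILE = "fboot.nb0"   # the file name the notes say triggers a reflash


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class FlashMachine:
    """Device whose bootloader lives in flash and persists across power cycles."""

    def __init__(self, factory_image):
        self.flash = factory_image      # current bootloader image in flash
        self.log = []                   # what an auditor would want to see

    def boot(self, card):
        """Unverified behaviour from the notes: any card carrying fboot.nb0
        overwrites the bootloader in flash, no questions asked."""
        image = card.get(BOOTLOADER_FILE)
        if image is not None:
            self.flash = image
            self.log.append("flashed unverified image %s" % sha256_hex(image)[:12])
        return self.flash


class VerifyingMachine(FlashMachine):
    """Hardened variant: an image is accepted only if its SHA-256 digest is on
    an allowlist pinned in the device. In practice that list (or the public
    key used instead of it) must itself live in immutable storage."""

    def __init__(self, factory_image, trusted_digests):
        super().__init__(factory_image)
        self.trusted = frozenset(trusted_digests)

    def boot(self, card):
        image = card.get(BOOTLOADER_FILE)
        if image is not None:
            digest = sha256_hex(image)
            if digest in self.trusted:
                self.flash = image
                self.log.append("flashed verified image %s" % digest[:12])
            else:
                # Fail closed: keep the current loader and record the attempt.
                self.log.append("REJECTED unrecognized image %s" % digest[:12])
        return self.flash


# Constructed stand-ins for real firmware images and card contents.
FACTORY_IMAGE = b"factory bootloader v1 (constructed)"
TAMPERED_IMAGE = b"tampered bootloader (constructed)"
CLEAN_CARD = {"election.db": b"ballot definitions"}      # no fboot.nb0 at all
TAMPERED_CARD = {BOOTLOADER_FILE: TAMPERED_IMAGE}
RECOVERY_CARD = {BOOTLOADER_FILE: FACTORY_IMAGE}


def unverified_scenario():
    """Returns the loader in flash after a tampered card, after a later
    'clean' card, and after an explicit recovery card, for the unverified machine."""
    m = FlashMachine(FACTORY_IMAGE)
    after_tamper = m.boot(TAMPERED_CARD)
    after_clean = m.boot(CLEAN_CARD)        # a clean card changes nothing
    after_recovery = m.boot(RECOVERY_CARD)  # only a reflash restores the loader
    return after_tamper, after_clean, after_recovery


def verified_scenario():
    """Same card sequence against the hardened machine: returns (flash, log)."""
    m = VerifyingMachine(FACTORY_IMAGE, [sha256_hex(FACTORY_IMAGE)])
    m.boot(TAMPERED_CARD)
    m.boot(CLEAN_CARD)
    return m.flash, m.log


if __name__ == "__main__":
    print(unverified_scenario())
    print(verified_scenario())
```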
Remember that there were a batch of internal Diebold memos and
sourcecode leaked, which Diebold aggressively tried to have taken down.
In 2004, Online Policy Group won its case against Diebold, establishing
that distribution of the documents does not infringe on Diebold's
copyrights.
Jurisdiction online
jurisdictional issues: where did the sale take place? This one is very
important for e-commerce. Here are some legal theories that have been
applied (eg in the LICRA/Yahoo case):
- the "affects" test: the court decides that the remote action
affects its own local citizens. A passive website would count here.
- the "affects intentionally" test: the court decides that the
source intended to have an
effect on its local citizens
- the "targeting" test: the court feels that the action was
actually directed at its
local citizens, with some level of intent.
- the "primarily affects" test: the court decides that the action's
primary effect is on its
local citizens
- the plaintiff test: the affected party (buyer or the one defamed,
for example) lives in the local jurisdiction
- purposeful availment: by choosing to engage in local commerce,
the remote entity "purposefully avails" itself of the legal system of
the local country.
- contract: the remote site has a contract with parties in the
local jurisdiction
The following are the traditional three rules for a US court deciding
it has "personal jurisdiction" in a lawsuit:
- Purposeful availment: did
defendant receive any benefit from the laws of the jurisdiction? If
you're in South Dakota and you sell to someone in California, the laws
of California would protect you if the buyer tried to cheat you.
Generally, this is held to be the case even if you require payment
upfront in all cases. The doctrine of purposeful availment means that,
in exchange here for the benefits to you of California's laws, you
submit to California's jurisdiction.
- Where the act was done.
- Whether the defendant has a reasonable expectation of being
subject to that jurisdiction.
eHarmony lawsuits, for alleged discrimination against homosexuals
eHarmony is headquartered in California.
New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007
How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?
Would it have mattered if eHarmony was a free service?
Could eHarmony simply have agreed not to do business in NJ and CA?
What if residents of Newark (or Princeton) simply gave NYC addresses?
- sales
- trademarks
- libel/defamation
- criminal law
laws governing sales: the seller can sue in his home state. This is
more or less universal.
But in consumer disputes, it is usually the buyer
with the grievance. Should the buyer always be allowed to sue in his or
her home state? This subjects the seller to a potential maze of legal
regulations.
laws governing trademarks
Trademark scope
The Blue Note Cafe was located in NYC. The Blue Note, St Louis (actually
Columbia, MO) was a club, sued for trademark infringement by Blue Note
New York because they had a web site.
The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996).
The case was brought in federal district court, which decided there was
a lack of jurisdiction. Before that, however, note that the Missouri
club began using the name in 1980, and the NYC club did not register
the trademark until 1985. Note that, generally
speaking, in this sort of situation the Missouri club retains
the right to continue to use the name locally,
while non-local use is reserved to the federal trademark-holder.
The district court did look at the "long-arm statute" of the "forum
state", that is, New York. The New York law provides that a New York
court may exercise personal jurisdiction over a non-domiciliary who "in
person or through an agent" commits a tortious act within the state.
The State-court interpretation of this was that the act had to be
committed in New York State, and the federal court deferred to this
interpretation.
Another part of the NY state law did provide for jurisdiction when
the other party was outside the state. However, the law also
... restricted the exercise of
jurisdiction under sub-paragraph (a)(3)
to persons who expect or should reasonably expect the tortious act to
have consequences in the state and in addition derive substantial
revenue from interstate commerce
The second circuit decided that Blue Note Missouri did not derive revenue from interstate
commerce. End of case.
Blue Note St Louis had a mostly passive web site, although they did
advertise tickets online, to performances at the club itself. These
tickets had to be picked up at the
Missouri box office; they were never mailed. Does this matter? Does it matter
that the tickets were technically not sold over the internet, but
instead you had to call a phone number?
This case was decided on jurisdictional
grounds: NY State did not have
jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.
This was a reasonable decision, but notice that it sure doesn't
offer many guarantees that your website won't infringe on a trademark
far far away.
Domain names
Zippo v Zippo, 1997
See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
zippo lighters v zippo.com
trademark infringement was an issue under Pennsylvania state law, but the lawsuit was filed in federal
district court.
PA "long arm" statute
zippo.com was a news service. They had email customers in PA, and two
ISP customers.
(1) the defendant must have sufficient "minimum
contacts" with the forum state,
(2) the claim asserted against the defendant must
arise out of those contacts, and
(3) the exercise of jurisdiction must be reasonable.
We find Dot Com's efforts to
characterize its conduct as falling short of purposeful availment of
doing business in Pennsylvania wholly unpersuasive. At oral argument,
Defendant repeatedly characterized its actions as merely "operating a
Web site" or "advertising." Dot Com also cites to a number of cases
from this Circuit which, it claims, stand for the proposition that
merely advertising in a forum, without more, is not a sufficient
minimal contact. [FN7] This argument
is misplaced. Dot Com has done more than advertise on the
Internet in Pennsylvania. Defendant
has sold passwords to approximately 3,000 subscribers in Pennsylvania
and entered into seven contracts with Internet access providers to
furnish its services to their customers in Pennsylvania.
[emphasis added]
The decision addressed the jurisdictional issue, plus others:
Pennsylvania did have jurisdiction.
Note the gray area between a completely passive website, just an
"electronic billboard", and “the knowing and repeated transmission of
computer files over the Internet”. Usually the latter means
subscriber-specific information.
But also consider whether zippo.com should expect to be hauled into
court in every jurisdiction in which it has a customer, even for complaints unrelated to that
customer. In this case, as the issue was the use of the
trademarked name "Zippo", the jurisdiction based on other customers might be
reasonable.
The Zippo court developed the following three-part strategy for
assessing long-arm internet jurisdiction:
- The defendant actively does business in the state, eg accepting
orders from state residents, and this business goes beyond internet
contact (eg the shipping of physical goods).
- intermediate: the defendant does business in the state, but the
activity is conducted over the internet.
- The defendant's activity in the state is more-or-less limited to
passive viewing. While orders may be accepted on the site, it would be
clear that sales were not intended to those in the state.
The problem with this example is that nobody really knows what Case 2 should include.
What about google.com? Should Illinois courts have jurisdiction over
issues involving google.com search? What about google+?
Internationally, we already looked at LICRA v Yahoo, filed in France
(and won by LICRA) for Yahoo's selling of Nazi memorabilia on its
auction site in the US. Yahoo had initially agreed to comply with the
French order, and then later changed its mind, and filed suit in the US
asking that the US court declare that the French court did not have
jurisdiction. That case ended in a draw (specifically, in a declaration
that the case was not "ripe").
Suppose your bank makes an error. Where do you sue them? What if their
only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank.
SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB
online. Some money disappeared. Soma lost their lawsuit in Utah,
because the court ruled that the fact that SCB had a website accessible
in Utah did not give the State of Utah personal jurisdiction.
[Michael Shamos]
NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions
about whether US patent law extends to other countries.
Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's
minor son ordered beer, and it was delivered to him despite rules that
required an adult signature. Butler sued BAA under an Alabama law that
makes it illegal to sell alcohol to minors. In this case, Butler lost
her bid to get Alabama jurisdiction, though the case was transferred by
the Alabama court to Illinois.
Deciding that the sale of beer by
Illinois defendants to an Alabama minor on the Internet occurred in
Illinois, the federal court held that a single sale was insufficient
minimum contacts to establish
personal jurisdiction
over the defendants in Alabama.
Cybersquatting
This is somewhat related to trademark disputes, but an essential
component is the claim that one party doesn't really want the trademark, but just
wants to "extort" money from the other side.
See http://www.networksolutions.com/legal/dispute-policy.jsp
Uniform Domain Name Dispute Resolution Policy --
ICANN
4(b). Evidence of Registration and Use
in Bad Faith. For the purposes of Paragraph 4(a)(iii), the following
circumstances, in particular but without limitation, if found by the
Panel to be present, shall be evidence of the registration and use of a
domain name in bad faith:
(i) circumstances indicating that you have registered or you have
acquired the domain name primarily for the purpose of selling, renting,
or otherwise transferring the domain name registration to the
complainant who is the owner of the trademark or service mark or to a
competitor of that complainant, for valuable consideration in excess of
your documented out-of-pocket costs directly related to the domain
name; or
(ii) you have registered the domain name in order to prevent the owner
of the trademark or service mark from reflecting the mark in a
corresponding domain name, provided that you have engaged in a pattern
of such conduct; or
(iii) you have registered the domain name primarily for the purpose of
disrupting the business of a competitor; or
(iv) by using the domain name, you have intentionally attempted to
attract, for commercial gain, Internet users to your web site or other
on-line location, by creating a likelihood of confusion with the
complainant's mark as to the source, sponsorship, affiliation, or
endorsement of your web site or location or of a product or service on
your web site or location.
Also AntiCybersquatting Consumer Protection Act.
Some form of bad faith is usually necessary. But not always, if the
effect is to resemble a famous trademark and if you have good lawyers.
Sometimes the only "bad faith" or "intent to profit" is the offer of
the domain holder to settle the case by selling the domain to the
plaintiff.
All this is really about trademarks, not about jurisdiction. But the
"flat" namespace of the web makes all trademark disputes national, or
even global.
vw.net: virtual works
http://www.news.com/2100-1023-238287.html
Peculiarity: vw.net, a one-man company with James Anderson as
principal, offered to sell the name to Volkswagen in 1998, and
threatened to auction the name off if Volkswagen did not buy. This
triggers a presumption of domain-name squatting.
"A federal appeals court in Virginia
[2001] affirmed a lower court's ruling that online service provider
Virtual Works Inc. violated the 1999 Anticybersquatting Consumer
Protection Act when it registered the domain vw.net with the intent to
sell it to Volkswagen of America."
"Grimes' [Anderson's early partner]
deposition reveals that when registering vw.net, he and Anderson
specifically acknowledged that vw.net might be confused with Volkswagen
by some Internet users," Wilkinson wrote. "They nevertheless decided to
register the address for their own use, but left open the possibility
of one day selling the site to Volkswagen 'for a lot of money'."
See http://vwx.com. Oops, I guess not;
that site is now for sale. At one point, it was about Anderson's side
of the case.
A possibly important point was that virtual works never used the
abbreviation "vw" except in the domain name.
They (vw.net) lost.
Is this about cybersquatting? Or is it about the (lack of) rights of
the Little Guy to use their trademark in good faith?
american.com: formerly owned by
cisco, later a private 'zine (the airline is aa.com), and now a more
serious magazine The American
gateway 2000 v gateway.com
gateway.com was a computer consulting firm, run by
Alan Clegg. There was absolutely no evidence that Clegg foresaw that in
the year 2000 the name gateway2000.com would become obsolete, and
reserved gateway.com in anticipation of a domain sale.
yahoo.com v yahooka.com [which see]
Case was actually never filed
state-law libel and
jurisdiction
A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del.
April 23, 1998), found that Delaware's long arm statute did NOT reach
the defendant, who posted allegedly libelous and slanderous false
statements about the plaintiff on his Internet site. The statute
provided for jurisdiction over tortious activity outside of Delaware
ONLY if defendant regularly conducted business in the state. The court
found that access in Delaware to defendant's Internet posting did not
constitute sufficient contact to support the exercise of personal
jurisdiction.
This case was decided on JURISDICTIONAL grounds: Delaware did not have jurisdiction
Laws governing libel:
Truth is a defense, but can be expensive to prove. If you say something
false about a public figure, they have to prove actual malice. If you
say something false about anyone else, all they have to prove is that
you were negligent.
We've seen Batzel v Cremers.
Cremers lost on the
jurisdiction issue. Should he have?
Furthermore, what if the legal climate in the Netherlands was different
for
libel lawsuits? What if in the Netherlands the burden of proof lay with
the plaintiff to prove something false, and Cremers was sued in a
jurisdiction (eg England, which still has pro-plaintiff libel laws)
where the burden of proof lay with the defendant?
Jurisdiction and criminal cases
The 6th amendment to the constitution requires that
In all criminal prosecutions, the
accused shall enjoy the right to a
speedy and public trial, by an impartial jury of the state and district
wherein the crime shall have been committed
But what state and district are involved if you do something allegedly
illegal online?
Venue is extremely important
if "community standards" are at stake. Even if they are not, an
inconvenient venue can be chosen by prosecutors to harass you or make
your defense more expensive; alternatively, a venue can be selected
where longer sentences are handed down or juries are less tolerant of
social differences.
If you are selling something
illegal, the feds may prosecute you in any state in which the material
could be purchased. The Reagan administration did just that when
attempting to crack down on pornography in the 1980's, often filing
parallel lawsuits all over the country.
However, if you are just a buyer,
the legal principle is still muddled. Just where were you in cyberspace
when you were sitting in your living room buying tax-planning software?
Delaware? California?
See Baase, §5.5.2.
International crime
Remember the case of Yahoo selling Nazi memorabilia in California, and
being convicted of that by a French court?
In 2006 the US signed the so-called "cybercrime treaty", to encourage
international cooperation in prosecuting computer crime. However, in an
important area the treaty completely lacked
the usual
"dual-criminality" provision, that the action in question must be a
crime in both nations for the
treaty to apply. The consequence is that US ISPs may be required to
assist in foreign-government investigations of events that are not
illegal under US law, even when the events occurred within the US.
Foreign governments may ask for electronic seizures and searches (eg of
email records), and ISPs must cooperate promptly or face charges.
The treaty also not only permits but requires
the FBI to engage in warrantless wiretapping of Americans if a foreign
government claims that the wiretap is necessary for a cybercrime
investigation.
In Baase §5.5.3, she speculates that the US may have agreed to this
no-dual-criminality wording in order to be able to extend the reach of
its own laws overseas.
British citizen and CEO of BETonSPORTS.com (no longer online) David Carruthers
was arrested in Dallas in July 2006 when changing planes, because in
the US online betting is illegal. He was sentenced on January 8, 2010
to 33 months in prison; apparently this does not include the 3 years already
served under house arrest.
He conducted all his BETonSPORTS business while in England, and was
just passing through the US when arrested. He was charged because some
of BETonSPORTS's customers were allegedly US citizens.
Facing a potential 20-year sentence, he finally agreed to plead guilty
in April 2009.
Carruthers is a major advocate of regulated internet gambling.
What else could have been done? The real issue with internet gambling
is that it so frequently involves gambling on credit.
(This would not be the case if customers sent in money in advance, but
that greatly complicates use of the sites by impulse gamblers.)
Shrink-wrap and click-wrap licenses
The first name made sense; software was wrapped in "shrink-wrap" and
was returnable unless you opened it and thus "accepted" the license.
The click-wrap form is by back-formation.
Nobody knows how binding these are, though courts regularly uphold
click-based "terms of service". However, this is most common in
situations where you have to create an account, not for otherwise-public web pages.
Click-wrap software licenses remain a grey area.
Courts are in principle in pretty general agreement that a vendor can
require contract terms. Where they differ is in items such as how
explicit the contract has to be, and whether there are any requirements
that are not enforceable. You can pretty much address the first issue
with an explicit "I agree" button and a way to view the terms.
A major case in this area was ProCD v Zeidenberg (begun 1995).
Zeidenberg purchased a database of phone book information from ProCD,
at the "consumer" price. He then put the database online, in effect
reselling it for a lower price. The Supreme Court had ruled in Feist
that databases are not copyrightable, so Zeidenberg was in the clear in
that regard. However, the software that came with the package (and the
written manual) stated that "the [telephone] listings contained within
this product are subject to a License Agreement". The license spelled
out specific terms for the use of the data; one requirement was a
no-resale rule. However, there was no "I Agree" button.
The district court found in Zeidenberg's favor (granting him summary
judgement), but the Seventh Circuit reversed in 1996. The Seventh
Circuit also found that licensing terms preempt copyright. (A big part
of Zeidenberg's argument was that copyright law preempted the license.)
Many click/shrink licenses forbid reverse engineering, generally not
defined in the license but often (though not always) understood to mean
disassembly of the executable. Is this enforceable? In Sega v Accolade
(1993) and Sony v Connectix (2000), the Ninth Circuit has allowed
disassembly if it is the only way to figure out how to create
interoperating products.
In recent years, courts have generally looked with favor on click-wrap
agreements that have an "I Agree" button, because this makes the user
take some active step to agree with the terms. What happens if a user
clicks by mistake is not clear, yet this happens fairly often in the
online world.
However, usually the sorts of terms that the courts have upheld are
relatively traditional:
- limitations of liability for use of the product
- limitations of liability for data
- service may be terminated at any time (subject to refund if
you're paying)
- restrictions on resale of data
If there were limitations on the use
of the data, they would be more questionable. What if the MS Office
EULA required that users submit to MS any articles written with Word
that were critical of MS? At one point the MS .NET EULA had that sort
of requirement: technical articles written about .NET had to be
submitted to MS before publication. MS eventually dropped that
requirement, replacing it with this one
(or maybe this one).
(Note that the new version still has elaborate rules.)
Note that if you make a physical product, you cannot waive liability in
many states.
The 1999 UCITA proposal (an upgrade to the Uniform Commercial Code
titled the Uniform Computer Information Transactions Act) made
shrink-click licenses binding. However, UCITA then went nowhere.
It's probably a good thing UCITA went nowhere. UCITA required that
software vendors be 100% liable for any flaws in their software, unless liability was disclaimed in
a shrink-wrap license. In effect, large software vendors would have no
liability (though they would
have to state that, up front). A more serious issue was that
open-source developers, who don't use shrink-wrap licenses and don't
require that you agree to any license (read the GPL!) would be 100%
liable! That would be a problem.
Here's an example from the Vista Home Basic (and Home Premium) EULA. Is
this a legitimate, enforceable requirement, or is it anticompetitive?
4. USE WITH
VIRTUALIZATION TECHNOLOGIES. You may not
use the software installed on the licensed device within a virtual (or
otherwise emulated) hardware system.
(By the way, note that if you install the appropriate version of Vista
on a VM, the EULA states
6. USE WITH
VIRTUALIZATION TECHNOLOGIES. You may use
the software installed on the licensed device within a virtual (or
otherwise emulated) hardware system on the licensed device. If you do
so, you may not play or access content or use applications protected by
any Microsoft digital, information or enterprise rights management
technology or other Microsoft rights management services or use
BitLocker. We advise against playing or accessing content or using
applications protected by other digital, information or enterprise
rights management technology or other rights management services or
using full volume disk drive encryption.
Note that exactly what constitutes "virtualization" is not as clear as
it might seem to be.
In the case SoftMan
Products v Adobe Systems,
there was an interesting twist to all this. SoftMan bought Adobe
software "collections" and resold the individual CDs. Adobe sued for
violating their copyrights and their license. The court held that
- Adobe had sold the
software, not licensed it,
and therefore the terms of the license did not apply
- SoftMan did not run any of the software, and so the EULAs did not
come up, and so did not apply
This did not end the case, but Adobe was not granted summary judgement.
I do not know if they pursued the case further.
Amazon unbox movie license, version 0.2
Here's a quote
from Cory Doctorow, around 2007.
For example, if you buy a downloadable movie from Amazon Unbox,
you agree
to let them install spyware on your computer, delete any file they
don't like on your hard-drive, and cancel your viewing privileges for
any reason. Of course, it goes without saying that Amazon reserves the
right to modify the agreement at any time.
The most interesting restriction (to me) was that you can only view
Amazon Unbox movies at home.
Not at someone else's home, or at work, or on the road, or in a hotel.
Amazon has since improved this license.
Licenses and Jurisdiction
Generally, if you have a license, your jurisdiction applies. However,
the license may require otherwise. What happens, though, if your
jurisdiction does not allow the license to specify the jurisdiction?
What about linking?
Is a link to a defamatory site a form of defamation? (It
probably depends on the context)
Is a link to "illegal" software forbidden?
2600 case: Universal v Reimerdes:
from wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes)
In particular the Second Circuit ruled that linking on the Internet
happened so fast that it could be restrained in ways that might not be
constitutional for traditional media.
Also, apparently the defendants more or less admitted that they were
providing links to deCSS for the
purpose of making illegal DVD copies. Things might have been
different had they linked for the
purpose of research.
While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63
56 88 C0. Is this a legal number?
Part of the issue with linking is that it can provide easy access to
"forbidden" content such as circumvention software (deCSS) or
copyrighted content (eg providing movie .torrents). For that part,
providing the URL in "unlinked" form is probably also subject to
regulation.
But the other part is conventional "deep links". These can be used
to view a given page out of context, or to view a given page in a
border provided by another page, or to avoid advertising. Should these
kinds of links be subject to prohibition?
Is linking to a site a form of using that site without authorization?
Possibly leading to a claim of trespass to chattels?
What about linking to other sites? Here are some issues the other site might have:
- viewers of your site use some of their bandwidth
- their trademarks might be visible on your site
- your viewers might avoid their advertising
- they may just be mean and/or controlling
Search engines do this kind of linking and framing constantly.
For a while this was a serious issue, but it seems to be dying out.
Lots of sites still have bizarre linking policies, though.
http://dontlink.com; alas, active
site work stopped in 2002.
But see: http://www.americanexpress.com/shared/copyright/webrules.html,
item 9, "Linked Internet Sites". Actually, this link is down as of Dec
2009, but it still appears on the
americanexpress.com page!!
Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)
Linking to Symantec's Web Site
Symantec permits anyone to link to Symantec's web site subject to the
linker's compliance with the following terms and conditions:
A site that links to Symantec's web site:
- May link to, but not replicate, content contained in Symantec's
site;
- Must not create a border environment or browser around content
contained in Symantec's site;
- Must not present misleading or false information about Symantec's
services or products;
- Must not misrepresent Symantec's relationship with the linker;
- Must not imply that Symantec is endorsing or sponsoring the
linker or the linker's services or products;
- Must not use Symantec's logos or trade dress without prior
written permission from Symantec;
- Must not contain content that could be construed as obscene,
libelous, defamatory, pornographic, or inappropriate for all ages;
- Must not contain materials that would violate any laws;
- Must agree that the link may be
removed at any time upon Symantec's
request pursuant to Symantec's reserved rights to rescind its
consent
to allow the link.
Rules 1-8 are entirely reasonable.
Antitrust (omit?)
Once upon a time, long long ago, in a previous century (1998), Microsoft
was hauled into federal court on antitrust charges. The original issue
was probably that in 1995 Netscape released a better browser, and then
a year later Internet Explorer was bundled in with Windows. Microsoft,
in fact, insisted that IE be the only browser on new machines, if a
vendor wanted a bulk Windows license (individual Windows licenses were
and are prohibitively expensive). (MS also famously insisted that to get
a bulk license, you had to at least pay for Windows for all the machines
you sold, even if some of them were to be sold with a non-Windows OS
(what would that have been? Pre-gnome Linux?).)
During the trial, Microsoft submitted a video of a computer allegedly
underfunctioning because IE had been removed. Alas for MS, the video --
presented as representing a single session -- had been spliced.
From wikipedia:
When the judge ordered Microsoft to
offer a version of Windows which
did not include Internet Explorer, Microsoft responded that the company
would offer manufacturers a choice: one version of Windows that was
obsolete, or another that did not work properly. The judge asked, "It
seemed absolutely clear to you that I entered an order that required
that you distribute a product that would not work?" David D. Cole,
a Microsoft vice president, replied, "In plain English, yes. We
followed that order. It wasn't my place to consider the consequences of
that."
MS's strategy was universally seen as a frontal assault on Netscape,
because MS apparently had the idea that it was important to achieve
dominance in the "browser" market.
But if you're giving it away free, there is no market.
Once upon a time, some people at MS might
have had some notion that, after Netscape was broke, they could resume
charging for IE. That is the sort of behavior that antitrust law is
intended to prohibit. But a more likely idea was that, if MS controlled
the browser market, they would somehow "control" a crucial part of
e-commerce. And, to be sure, controlling the browser would mean that
they could introduce new server
features and be able to guarantee that the browsers out there would
support that feature.
As it turned out, controlling the browser market brought about as
much control of e-commerce as controlling the cash-register paper-tape
market would have brought control over traditional brick-and-mortar
commerce.
MS famously lost their case, at the District Court level. For
several years they had to make it possible to remove IE from windows,
either by owners or resellers. This was also more or less the death
knell for MS's plan to "integrate" the browser with the desktop, ie, to
build IE into the desktop.
Did this make any sense?
A browser is now seen as the
reason people buy computers. It needs to come with the computer, if for
no other reason that you can't download anything without one. How would
I install Firefox, for example, if I couldn't use IE once to download it? Would I order
a CD by mail?
By 2001, the US DoJ was no longer asking for MS to separate its OS
and Application divisions (ie breaking up the company). Instead, they
asked for more mundane restrictions, such as fairer licensing terms.
MS is at it again, but this time not from a position of strength.
They may have recently tried to get the Wall Street Journal to remove
their news content from Google, in exchange for payment. This is an
attempt to give people a reason to use Bing, the new MS search
engine.
Does anyone use Bing?
Here are a couple of articles:
More seriously, is this a case of antitrust?
Or is this a case of exclusive content licensing?
One issue is that Google's use of the WSJ is considered to be fair
use. But Google makes a heck of a lot of money by indexing this
content, from advertising. The estimate in the articles above is that
it's in the range of $10-15 million/year. This is sort of like the
YouTube lawsuits, where the media companies really want a piece of the
advertising market that YouTube gets for displaying "their" videos.
The MS antitrust case should probably be compared to the AT&T and IBM
antitrust cases. By the time the 1969 IBM case was dropped by the feds,
after thirteen years, it no
longer mattered: IBM no longer held market dominance. The AT&T case led
to the breakup of AT&T into the main AT&T, now no longer in the local
phone business, and the "seven RBOCs". One of the RBOCs, SBC, has since
acquired most of the others, and the parent AT&T itself (and has taken
on the AT&T name). (I think the other separate RBOC is Qwest, formerly
US West).
This is probably as good a place as any to bring up Network
Neutrality. The question there is whether ISPs should be allowed to
throttle content from content providers that don't pay bribes. Is that
antitrust? Or is it all about The Free Market?
A few other issues
- Employment and empowerment: Do computers take jobs away? Do they
make jobs more stressful? Do they reduce worker privacy to an
unacceptable or inappropriate degree?
- Effects of computing and blogging on the political process: does
it help democracy or diminish it? The "diminish" theory comes in part
from the idea that parties can now target individual hot-button issues
for most voters, and that the wealth of political information on the
internet is so vast that only "insiders" and professionals can
comprehend it.
- Computers and risk. What is the probability of software failure?
Under traditional mechanical analysis, it is either 0.0 or 1.0; it
either doesn't fail, or it does. As the latter value implies complete
failure every time, it was generally assumed to be 0.0. Can more
plausible statistical models of failure be developed? If you understand
the failure mode, why don't you just fix the software? Anyway, how do
we analyze software risk? In cars? In air-traffic control systems?
- Star wars: aka The Strategic Defense Initiative. This was to be a
software-engineering project of such magnitude that it was inaccessible
to traditional methods. It was also untestable, as the only meaningful
test would be all-out nuclear war.
- Given all that, software is much more reliable than it used to
be. How do we adjust to that?
- Professional ethics: what are programmers called upon to do?
Network admins? Database managers?
- How do we evaluate technology in the schools? What about the
Kutztown 13? Do computers make kids better writers? Does Mathematica
make students better at math?
- Once upon a time, people of all political persuasions all watched
the same 6:00 News. Now you can easily find an internet site that
caters to your perspective, especially if you're a "wingnut". Does this
mean that the Body Politic is fractured?
- Facebook and similar sites generally ban pornography. But
sometimes there are things that get swept up in this crusade that
perhaps should not. For example, Facebook routinely removes pictures of
breastfeeding. Is that appropriate?