See this article by Andrew Hinks.

The ruling from which both parties appealed is a mixture of jury verdict and judge’s decisions from the Northern District of California’s Federal District Court. The parties agreed in the district court case that the jury would decide on infringement and fair use, including whether the copying was “de minimus,” which would lead to a not guilty verdict on infringement. Meantime, the judge would decide on whether the API files were copyrightable, and if so, would go on to decide whether Google had an adequate equitable defense to infringement. The jury returned a verdict of infringement of the 37 Java packages and rangeCheck, but said that there was no infringement as to 8 decompiled security files that Google claimed made up the “core” of the Java operating system. The jury explained that it was necessary to use the 8 decompiled files verbatim, in order to access the Java language. The jury could not reach a verdict regarding fair use.

Once the jury had completed their findings, Oracle asked for a judgment as a matter of law (“JMOL”) which would throw out the defense of fair use since the jury hadn’t reached a verdict. Oracle asked, in addition, that the judge nullify the jury verdict on the 8 security files and find that Google’s use was infringing. Google asked for a JMOL on the rangeCheck files, which would basically nullify the verdict of infringement for that program. The judge ruled that the 8 security files were indeed infringed, since Google admitted copying them verbatim, and no reasonable jury could find that the copying was de minimus and therefore excused. The judge denied Google’s motion regarding rangeCheck.. In addition, the district court found that none the elements of the 37 API files were copyrightable, but rangeCheck and the 8 decompiled security files were copyrightable. The final verdict, in a nutshell, was that Google was guilty of infringement of the 8 decompiled security files, and rangeCheck, with no affirmative defenses.

On appeal, the Federal Court of Appeals decided that the district court was incorrect on several counts. First, the court ruled that the 37 API files were indeed copyrightable, and since the jury found infringement, Google was guilty of infringing the 37 API files, the 8 decompiled “core” files, and rangeCheck. However, since it was up to the jury to determine fair use, which was Google’s defense, that part of the case goes back to the district court for determination. The district court’s granting of Oracle’s JMOL that excluded fair use as a defense for the 8 decompiled files was upheld by the appeals court. Google’s request for JMOL to reject the jury’s verdict of infringement on rangeCheck was denied.

In other words, Google is guilty of infringement of 8 decompiled security files, and rangeCheck, and the 37 API files. Google has no available defense regarding the 8 security files it decompiled and copied verbatim. The case now goes back to the jury to decide whether Google has a defense against the infringement, such as fair use, which would result in a not guilty verdict.

The Court’s Reasoning for Finding Copyrightability

In order to determine whether a copyright is infringed, the first step is determining whether the copyright itself is valid. This can often be a difficult analysis when dealing with specific software functions such as APIs that are meant to be interoperable with a given software language. At the center of the court’s analysis was the question of whether or not the verbatim copying of Oracle’s code was necessary in order to access the functionality of the Java language and programming platform. The crux of the matter seemed to come down to whether or not the verbatim copying of Oracle’s code was necessary in order to access the functionality of Java. There were several additional considerations that the court looked at, which will be taken in turn.

Necessity

The district court concluded that “there is only one way to write” the declarations to interface with Java. If true, the use of identical declarations would not be copyrightable. However, except for three of the API packages, Google did not dispute the fact that it could have written its own API packages to access the Java language.

Oracle argued, and the appeals court agreed that the files in question consisted of two parts: 1) literal elements, as in 7000 lines of declarations in the source code, and 2) non-literal elements, being the structure, sequence, and organization of each of the 37 API packages. Infringement of the literal elements, according to the court, occurred through the verbatim copying of original expression. Non-literal, in this case would be paraphrased, or loosely paraphrased copying, rather than word for word. Oracle claimed copyright in both literal, and non-literal aspects. The appeals court analysis did not proceed to non-literal copying, since Google conceded that it copied the declarations verbatim. The court found that since the literal aspects were copied, the underlying code was then copyrightable.

Oracle’s Appeal

Oracle appealed from the district court decision that none of the elements of the 37 API files were copyrightable. Their argument was that the code was original, and as such met the standard for copyrightability. As issues of whether or not a work is copyrightable are reviewed “de novo” (reviewed ‘fresh,’ without any reliance on the previous ruling), the appeals court took a new look at the files, while noting as undisputed, two key premises of the previous decision:

1. Java is open and free for anyone to use (with appropriate licensing for commercial use)
2. Google could have written its own API packages using Java, but instead copied the declarations files and replicated the overall structure, sequence and organization of the 37 API packages.

While examining this issue, the court made note of a telling line in Judge Boudin’s concurring opinion in Lotus Dev. Corp. v. Borland Int’l, Inc., 47 F.3d 807: “Applying copyright law to computer programs is like assembling a jigsaw puzzle whose pieces do not quite fit.” The court acknowledged that examination of the jigsaw pieces was indeed a difficult task, but also concluded that the district court did not properly separate the concept of copyrightability and the concept of copyright infringement. The district court used factors that should have been examined solely in relation to infringement, in their analysis of copyrightability.

The appeals court found that the threshold for copyrightability is a “low bar” and in this light, the 37 API packages were indeed copyrightable. The requirement for a work to be “original” in order to be copyrightable is not difficult to reach. Originality, as defined in Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 358 (1991) is: “only that the work was independently created by the author (as opposed to copied from other works), and that it possesses at least some minimal degree of creativity.” Id. at 345.

Google’s argument was not based on the originality of the API pages, but instead argued that a work cannot be copyrightable if it is also functional. They cited Section 102(a) of the Copyright Act, claiming that this section takes away any designation of copyrightability if there are any functional components to the work. The appeals court disagreed, and cited the Congressional Record (H.R. Rep. No. 1476, 94th Cong., 2d Sess. 54) “Section 102(b) does not extinguish the protection accorded a particular expression of an idea merely because that expression is embodied in a method of operation.”

Google’s final argument revolved around the doctrines of merger and scenes a faire, both of which relate to the concept that as copyright can only apply in the expression of an idea rather than the idea itself, if a given idea can be expressed in only one, or a very limited number of ways, it can not then be copyrightable. The idea becomes as the idea becomes so intertwined with its expression that the two are “merged.” Google argued, in order to utilize Java, there are only very limited number of ways you can write the API in order to access Java’s functionality. While this is an argument that many Java programmers agree with, the appeals court disagreed that these doctrines should be considered in concluding whether or not a work is copyrightable as a threshold factor. They instead concluded that both merger and scenes a faire should only be considered to determine whether or not a work has been infringed, as expression of an idea that may only be expressed in a limited number of ways, was fair use and should be examined as a defense to copying, and not as dispositive of whether or not the expression could be copyrighted.

Functions, Parameters, Variables and Declarations

The argument by many Java programmers that there are very limited ways to express variables and functions in which to access the Java language through creating an API package is an agument worth examining. There is no doubt that using a standard set of variables and function calls is much easier for others to understand and further develop upon (which was the original point of the General Public License concept under which Java was originally released). The GPL concept is that the licensee can use the declarations and implementing code verbatim, in any way it wishes, so long as it “contributes back” the innovations to the public domain. This is called the “open source” license, and is free for use so long as the user returns any source code it creates to the community for continued usage. This model is not often appealing to companies that pay for development of a product for sale. Those companies have two options: the first, a Specification License, which allows a company to write its own implementation code and use the declarations and general organization of Oracle’s code. If Google had chosen to purchase a Specification License, there would have been no infringement question, as Google created its own implementation code and used Oracle’s declarations and general organization in a manner in which the license contemplated. The second option is a Commercial License whereby a company can use all of Oracle’s code, declarations, organization, implementation, etc. while keeping its own code secret.

Indeed, Google was in negotiations with Sun (predecessor to Oracle) to purchase a license for a derivative version of the Java platform for use on mobile devices, called Java Micro Edition. Google and Sun also discussed co-development, partnership, or other types of ventures under which they could co-produce a mobile operating system. The sticking point was that Google wanted all code to be proprietary rather than compatible with the Java virtual machine or other Java programs. For this reason, Sun did not grant Google a license to the packages. The court was no doubt influenced by the fact that Google had originally determined that they would need a license to use the API packages, and when denied, decompiled and used them verbatim.

The court found the 37 API packages to be indeed copyrightable, as they are expressive, and “could have been written and organized in any number of ways to achieve the same functions.” As Google admitted to copying the declarations verbatim, Google infringed Oracle’s copyright by definition. The remaining question is whether or not that infringement was “fair use” under either the Merger Doctrine, or other interoperability arguments.

Evaluation at the Time of Creation

An interesting discussion in the opinion, which could be seen as dicta concerns infringement analysis, which was not a question the appeals court was asked to decide. The court provided guidance regarding how the Merger Doctrine could still be used in order to evaluate claims of infringement. The district court had originally found that the Merger Doctrine applied to the 37 API files because “under Java, a programmer must use the identical declaration or method header lines to declare a method specifying the same functionality.” However, a key point that the lower court missed was when one analyzes whether the identical declarations must be used. In this case, as in many cases of interoperability and necessity of duplication, timing was everything.

Copyrightability and the scope of protectable activity (which is a key component of an infringement analysis), is evaluated at the time of creation, not at the time of infringement Apple Computer, Inc. v. Formula Int’l Inc., 725 F.2d 521, 524 (9th Cir. 1984.) (emphasis added). So, when Sun created Java, and the API packages, example questions to ask include whether it would have been possible, at the time Java was created, to call the package by another name, defined as such in the declarations? Would it have been possible to name the variables in another way? Would the functions have to be in any specific order? The district court, interestingly enough, had found that nothing in the rules of Java required the same groupings of function calls or declarations, found that there were many ways to express the code, yet still found that the API packages were not copyrightable. The appeals court made a point to mention that the “core” Java files, when Java was created, had greatly limited the expression of functions, classes, and variables, idea and expression may then have been merged, and the Merger Doctrine may apply. However, Google did not argue this, nor differentiate between the types of packages it was accused of infringing. Google did not build a factual record to support its argument that external factors that existed at the time of creation, mandated that the expression of the API packages were either common, or essential to the functionality of their implementation code. Had they done so, the court hinted that their findings may have been different, at least with regard to the core programs.

The appeals court states outright, quoting an amicus filed by the former Register of Copyrights of the United States, “[h]ad Google reverse engineered the programming packages to figure out the ideas and functionality of the original, and then created its own structure and its own literal Code, Oracle would have no remedy under copyright whatsoever.”

Expediency

The court’s findings could also have been swayed by findings of the district court that Google intended to capitalize on the familiarity that developers already had with the Java API packages they copied. The district court stated outright that “Google’s interest was in accelerating its development process by ‘leverag[ing] Java for its existing base of developers.”

What’s Next?

This is hardly the end of the story. Although the court found that the 37 Java API packages are copyrightable, and the jury at the district court level found infringement, the appeals court reversed the district court on copyrightability, and reinstated the jury’s verdict. Therefore Google is guilty of copyright infringement for the 37 Java API files.

However, the matter of whether Google has sufficient affirmative defenses, such as fair use, to dismiss the infringement as inapplicable, goes back to the district court jury to determine, as the previous jury deadlocked on the issue.

The court also held that the eight decompiled files that Google used were also infringed, as was rangeCheck. These findings also go back to the jury for analysis to determine whether there are any affirmative defenses.

According to forensics company Stroz Friedberg, 52% of senior leadership gave corporate America’s response to cyber threats a grade of C or lower. That hardly fosters optimism. The Washington Post reported that in 2013, federal agents informed over 3000 companies that their systems had been hacked. This included Target’s system, which was breached with millions of personal records exposed, which caused a dramatic loss of sales. April 3, 2014, the Heartbleed exploit was discovered. It is not known how much information was compromised. April 30, 2014, ex counterterrorism czar Richard Clarke warned that Russia may use cyber warfare against the US and Ukraine. May 19, the New York Times reported that 5 Chinese Army personnel had been indicted for hacking US systems. May 21, eBay was hacked, including its e-commerce pseudo-banking site PayPal The damage to consumers is still unknown. May 22, Bloomberg News reported that “UglyGorilla,” one of the 5 indicted Chinese, is claimed to have hacked into Westinghouse and US Steel.

These are merely the publicized exploits. Meantime, there are tens of thousands of attempts to break in, usually by “script kiddies,” or kids who collect malicious code on the Internet that they use to try to break into random systems. Usually, these attacks are not very sophisticated. My blog’s automatic blocking of people who try to get in too many times has been triggered thousands of times this year. More savvy attacks would easily have gotten in. Of course, they wouldn’t have found anything except my articles, for which I have backups.

But what about the small to midsized defense contractors, software/hardware developers with intellectual property secrets, customer lists, employee SSNs, pay records and direct deposit accounts? What if you’re a HIPAA Business Associate with Private Health Information (PHI)?

It is very important for all companies to have systematic procedures in place long before the intrusion or possible intrusion happens. A sample team for a small company might include your system administrator, chief technical officer, legal counsel and the CEO. You should have identified and contracted with a competent computer forensics company and outside counsel who are well versed in cybersecurity. All team members should be involved with writing your company’s plan and with doing table top simulations so they’re comfortable with the procedures.

So, what do you need a lawyer for? Shouldn’t the forensics company in combination with the company IT staff be more than capable of handling an investigation? Maybe. If the techs find that no data was compromised, that the intrusion alarm went off for nothing and all is well, then you really don’t need legal assistance. What happens, however, if you find that customer data, protected medical information, employee SSNs or other identifying information has been disclosed? What if you have data from several states? What if you have international data? Trade secret information or classified materials? Would you know where to begin, and whether the company could be civilly or criminally liable?

All companies that deal with protected data of any kind that may be vulnerable to cyber attack (which is any data on a network), should have competent cybersecurity counsel, either as in house or outside counsel (hopefully both if your investigation needs attorney/client privilege), assisting in the creation of a comprehensive response plan. The lawyer should work closely with the technical and operations staff, a forensics company, as well as C level executives to draft a workable, easily understandable plan. The plan should be kept up to date with appropriate names and contact information, and scenarios should be simulated against the plan with changes made as necessary.

Having a rehearsed plan immediately implemented can make the difference in the outcome of any cyber incident. Rapid identification, verification, and containment, followed by ensuring compliance in reporting or other requirements, appropriately involving law enforcement, and improving safeguards as well as response, may keep your company out of the news.

Barry Law Firm Celebrates Groundbreaking Fundable Campaign

Great Falls, VA: Mikki Barry, CEO of Barry Law Firm, PC, a technology-based enterprise, announces the ramp-up of the company’s “Fundable” campaign.” Thought to be the first crowd-funding effort for building a law firm, Barry is confident that its time has come. Barry seeks to leverage the power of technology as a funding source that will be friendlier to start-ups than traditional methods.

She states, “Technology is the basis of everything Barry Law Firm does. The idea of offering the technology community ‘first dibs’ on our services through a proven vehicle such as “Fundable, “ fits in perfectly with our identity in the legal industry.”

Barry Law Firm, whose tagline is “Does your lawyer speak tech?” wants to “walk the talk,” as Barry put it. “We know the Internet, we know technology. Why not use its emerging capabilities to increase our reach?”

The firm is offering discounted legal and consulting fees for backers, as well as Barry Law Firm T-shirts that carry the message “My Lawyer Speaks Tech”), in addition to fixed price package offerings for trademark registrations and government solicitation analysis. Backers of the “Fundable” campaign, for example, can save up to $250.00 for three hours of advice. “We want to offer real value to our backers,” Barry said. “With privacy and cybersecurity at the forefront of people’s minds due to recent events, companies need to examine their practices and compliance. We are happy to provide some incentive for them to do some preventative planning.”

The firm will use proceeds from the “Fundable” campaign for expansion. The promotional video now posted online lists current needs such as office space, marketing, increased staffing, and other considerations as Barry Law Firm “grows” the company. “We have lots of plans for non-traditional offerings,“ Barry said. “Look for more announcements soon!”

About Barry Law Firm, PC: Barry Law Firm is a technology firm located in Great Falls, Virginia, leveraging proven IT knowledge capital in practice areas such as government and commercial contracts, Internet security, privacy issues, data-breach, encryption, contractual compliance, policies and procedures, and soft intellectual property. For more details about the new “Fundable” campaign, please visit: (http://www.fundable.com/barry-law-firm-pc)

###

Why the U.S. Government Isn’t Really Relinquishing its Power over Internet Governance

However, this article, written by an Internet attorney and a “cyber investigator” is one of the reasons why the general public should avoid putting stock into any reports that deviate from the facts in front of us (although in this particular case, even the “facts” are not necessary factual).

The headline screams “The Deletion of Data is Often Key Evidence in Proving Facts of a Case.” Ok so far. But then, they focus on MA370’s Captain, Zaharie Ahmad Shah, and the fact that flight simulator data was deleted.

As you may recall, the media had jumped to the conclusion that the Captain must have had something to do with the disappearance of the aircraft, because he had a simulator in his home. Perhaps they should have asked some professional pilots whether they also had simulators in their homes. Without a doubt, I would prefer a pilot who flew simulations on her off time than a pilot who does not. Day in and day out, a pilot’s job is basically the same in modern aircraft. You take off, you lock in the auto pilot, and you monitor the instruments until you’re close to landing. Sometimes you even let the aircraft land itself. Most everything is routine. Every 6 months, pilots in the US undergo recurrent training, where they go into a simulator and practice emergency maneuvers and hope that they never have to use them.

The bottom line is that pilots who want to keep in practice flying instrument approaches, landing at airports that are too short, or too high, or experimenting with aircraft characteristics when overloaded, or losing an engine before take off, the best place to do that is the simulator. Simulators generally record data so you can critique yourself accordingly. So, when would you delete that data?

One of the most important tools in logic is Occam’s Razor which states, in essence, that the hypothesis that makes the fewest assumptions should be selected. While not an irrefutable prospect, it can possibly provide us a bit of guidance in the current situation. Rather than assume that Captain Shah was planning the unthinkable, including all of the assumptions that must be made in order for that scenario to be the correct one, why not instead start off with the premise that the data was deleted because the Captain was either embarrassed by his performance in the sim, or nailed it so perfectly that he found it too easy to repeat, and deleted the file. An even simpler scenario would occur if the drive he was using was full, and he wanted to save some space. Any of those possibilities make fewer assumptions than a pre-determined plot to doom the flight.

Articles such as this one, that try to marry two disparate fields of technical expertise, would do well to have an expert from each of the fields as a consultant. This same concept can be carried forward into legal advice. Find an attorney who understands both the law, and the core capabilities of your business. Doing that will save you from possibly incorrect or misleading assumptions such as the ones portrayed in the article.

It remains to be seen how these outages will affect a multinational governance system. Is there a fundamental difference between “the government” of a country, and entities controlled by the government that would likely become part of this multinational governance?

Turkey orders block of Twitter’s IP addresses

We’ve added a few new perks such as t-shirts along with discounted hourly time and discounted flat fee services. There’s still a bit of time in the run, so we’ll provide updates as things go along in the experiment.

Please have a look at the Fundable site here, and please feel free to comment. We’d love to hear your views.

Please also have a look at the video made for the campaign. Thanks!

One should always be very careful about what they post themselves to the Internet. Remember when teachers would tell you that misconduct would be recorded on your “permanent record?” The Internet has become that permanent record.

For those of us who were there in the “before time” when the Commerce Department was looking for a “NewCo” to run the “technical governance” of the Internet, we remember how the mandate for a single company with worldwide consensus was handed down by Ira Magaziner in what was called the White Paper. the IFWP (International Forum for the White Paper) was created in order to achieve consensus on the processes by which this consensus should materialize. Meetings were held world wide in order to engage as many international constituencies as possible. However, as consensus was finally achieved, back room deals between intellectual property interests (who are not covered in the concept of ‘technical governance’), registrar interests and other business interests (including the law firm that would make millions from NewCo) presented their own fait accompli, usurping the two year process with a submission to Commerce called ICANN. Interestingly enough, the White Paper called for only one draft set of bylaws to be produced from the IFWP process, and if there were more than one, the authors would be “locked in a room until they could achieve consensus on one draft.” Although three drafts were presented, (links provided along with collaborative information) one was chosen (without the benefit of a full procurement cycle), and of course it was the back room deal that excluded individuals, where the majority (later all) of the Board of Directors was appointed rather than elected by Internet users and other stakeholders.

This historical perspective adds some light to the current plans. ICANN has issues a press release with their take on the issues. Please note that during ICANN’s public meeting in Singapore from March 23-27, in person or remote participation is scheduled.

How the US Outsmarted Everyone by Giving Up the Internet