TechnoLlama

What’s up with software copyright? Contrasting Oracle v Google and SAS v WPL

Andres — Fri, 25 May 2012 15:29:39 +0000

For something which has the unequivocal weight of the law behind it, software copyright has had a rather bumpy history in the courts. Once we get past the obvious facts of law, namely that copyright protects source code, the application of such protection has been more difficult. The reason for this is simple: while source code is clearly protected by copyright, infringement involving code plagiarism rarely happens. Similarly, the copying of a full program is also a matter of clear copyright infringement. The law however has been struggling with non-literal copying, for example, the adoption of functionality, manuals, interfaces, computer languages, and the like. This is where the interesting legal questions are being asked and litigated, and in the last few weeks we had two very important cases decided on some of these issues in both sides of the Atlantic.

The first case is SAS v WPL decided by the European Court of Justice (a case we have discussed at length previously). SAS is a business software giant that relies heavily on proprietary control over its own programming language called Base SAS, and also by providing services and know-how. While users are allowed to program using this language to fit their own needs, SAS keeps a tight leash on the know-how elements of the equation, particularly access to the Base SAS components and training materials. World Programming Limited (WPL) is a UK software company which saw an opening in the market, it created an SAS clone (knows as WPS) which would be able to run programs coded using Base SAS and the SAS components. It also produced manuals and other supporting materials in order to train users. SAS sued WPL in England for copyright infringement, and the case was referred to the ECJ. The question at the heart of the litigation was very interesting, does SAS have a copyright claim over its programming language and training materials? In short, the answer is no.The ECJ stuck closely to the advice by the Advocate General and left the door open to wider interoperability in the software environment.

The ECJ has decided that SAS did not have copyright claim over the underlying functionality of a computer program, the programming language it is written in, nor the data format of the interface files. Moreover, the Court analysed whether any legitimate user of some piece of software has the right to “study or test the functioning of a computer program in order to determine the ideas and principles which underlie any element of the program.” The answer here was positive, as the court considered that any legitimate user “should not be prevented from performing acts necessary to observe, study or test the functioning of the program, provided that these acts do not infringe the copyright in that program.” The Court states:

“ Consequently, the owner of the copyright in a computer program may not prevent, by relying on the licensing agreement, the person who has obtained that licence from determining the ideas and principles which underlie all the elements of that program in the case where that person carries out acts which that licence permits him to perform and the acts of loading and running necessary for the use of the computer program, and on condition that that person does not infringe the exclusive rights of the owner in that program.”

While there have been some criticisms against the decision because it seems to be awkwardly drafted, in my humble opinion this truly is a landmark case with regards to software functionality and interoperability. The ECJ has enshrined those principles, and I for one believe that this is a good thing.

Now contrast that with the widely publicised case of Oracle v Google (a very good FAQ about the case here). Oracle sued Google in August 2010 alleging copyright and patent infringement of Oracle’s Java by the Android mobile operating system. A jury in San Francisco decided in favour of Google in the patent case, striking a mighty blow against software patents in the process. However, everyone agrees that the really interesting part of the case was almost a sidetrack to the main patent argument, and it was whether Oracle could claim copyright over the structure of its application programming interfaces (APIs). When designing Android, Google was careful not to use Java’s interfaces in order to avoid having to pay licence fees to Oracle. It then created its own mobile APIs based on existing open source software. While these had the similar functionality to Java, they did not use Java’s code. Oracle argued that Google was infringing copyright because its interfaces were too similar to its own.

This question is really important because APIs are at the heart of the modern software development, they are the building blocks that allow devices to interact with other services and applications, and at the basic level, they allow mobile operating systems to exist. So, if a company could prove that it has copyright protection over the basic structure of its APIs, then it would force competitors to license its own offering. The judge in the case did not have to decide this question outright, but he had to instruct the jury on the matter of whether Oracle’s APIs were protected by copyright. Judge William Alsup instructed the jury that they should assume that the APIs were subject to copyright, and that he would decide fully after the verdict. As the jury struck down the patent claim, it is now up to the judge to decide on the copyright question fully.

Here is where the comparison to the SAS case is relevant, and let us hope that someone will point Judge Alsup towards that decision for inspiration. Oracle continues to claim that the very functional aspect of its APIs is protected by copyright, which is a very similar argument to that put forward by SAS. It has always been my contention that functionality should never be a part of copyright, this is an area best protected by patents. If Google produced its own API based on other code, then one has to ask if programming something which fulfils the same functions as another software infringes copyright. The answer to this question usually has been a resounding negative.

From a purely selfish perspective, I have to admit that as the proud owner of an Android phone, I want Google to win. Anything that will make a Galaxy S3 more expensive to purchase must be discouraged.

Should jailed convicts have access to social media?

Andres — Tue, 15 May 2012 15:16:15 +0000

If you live in Costa Rica, the answer to the question appears to be ‘No’. La Nacion newspaper reports today that Facebook has decided to close the accounts of 19 convicts, who had maintained a presence in the social network despite being in jail. FB took this decision prompted by a direct request from the Costa Rican Ministry of Justice, which objected to the presence of these pages after earlier news reports had highlighted the practice of jailbird social media usage.

This news report highlights an interesting question of modern times. Should jailed convicts have their access to sites like Facebook removed when they lose their freedom? If so, what is the legal basis for such practice? Digging a little bit, I was very surprised to find that the case seems to be based on completely shaky legal foundations.

The report in La Nacion is not clear, but apparently Facebook removed the offending pages alleging that they violated their terms of use. I have scoured through FB’s infamous policies before, so I was very surprised to read that this was the case, so I had another look. There are a few clauses that might apply to specific cases, for example:

“We do our best to keep Facebook safe, but we cannot guarantee it. We need your help to do that, which includes the following commitments:[...]
6. You will not bully, intimidate, or harass any user.[...]
7. You will not post content that: is hateful, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.[...]
10. You will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.”

All of these are very specific issues. There were some profiles where the convicts were posing in menacing fashion, or in which they were showing knives and drug paraphernalia. There was also some discussion of smuggling items into jail. These specific cases may have fallen under some of the above prohibitions, but I have seen much worse. Then there is this other section:

“We respect other people’s rights, and expect you to do the same.
1. You will not post content or take any action on Facebook that infringes or violates someone else’s rights or otherwise violates the law.”

This is more specific. If posting to FB from jail is against the law in Costa Rica, then clearly they can remove the content. So, is it illegal to use social media from jail? Interestingly, I was not able to find a single piece of legislation that deals specifically with this issue. The main regulation about what convicts can and cannot do is a statutory instrument in the shape of the 1993 Executive Decree N° 22139-J on the rights and duties of prisoners. This clearly states that those deprived of freedom have full use of their constitutional rights, except those incompatible with their captivity. Art 6 of the decree reads:

“All prisoners or detainees shall have the same individual, social and economic rights that all citizens of the Republic hold, except those which are inconsistent with imprisonment itself. Also enjoy the guarantees to be derived from their stay in the prison system.”

Similarly, Art 12 allows prisoners a limited right to communicate to the exterior world “by mail, pay phones installed in the center, and receive regular visits”. I have to concede that there may be a more recent norm that I have missed, but at least in light of the above, there is nothing that specifically prohibits communication through social media sites. Perhaps there is a specific ban on cellular phones, which are the preferred device of choice to connect to FB, but I could not find it. Moreover, as stated in this blog, access to the Internet has been declared as a fundamental right by the Constitutional Court of Costa Rica, so any ban on communicating online would violate that principle.

So let’s assume that connecting to social media sites from jail is not illegal in Costa Rica. What is left? Facebook has a devastatingly broad Termination clause in its Terms of Use:

“If you violate the letter or spirit of this Statement, or otherwise create risk or possible legal exposure for us, we can stop providing all or part of Facebook to you. We will notify you by email or at the next time you attempt to access your account.”

Notice that the mere act of creating a “risk or possible legal exposure” for Facebook can be enough to have one’s account removed. In this case, the mere fact that there was a complaint from a small Central American government was enough to have the accounts removed, as it could be construed as the a possible legal risk for FB.

In short it seems like the removal could just be justified legally, but from what I have read this is not straightforward. I am more concerned that a media storm was started by newspapers in Costa Rica that were appalled at what they saw as a flaunting of the prison regime.

Expect this question to come up more and more in the future.

Creative Commons statement to the Committee on IP and Development at WIPO

Andres — Fri, 11 May 2012 10:24:58 +0000

Yours Truly is in Geneva at the 9th session of the Committee on IP and Development at WIPO (all current and previous statements here). Here is our comment on the Agenda Item CDIP/9/INF/2: Scenarios and Possible Options Concerning Recommendations 1c, 1f and 2a of the Scoping Study on Copyright and Related Rights and the Public Domain. The Study by Prof Dussolier can be located here for reference. The recommendations that we are talking about are:

“1(c) The voluntary relinquishment of copyright in works and dedication to the public domain should be recognised as a legitimate exercise of authorship and copyright exclusivity, to the extent permitted by national laws (possibly excluding any abandonment of moral rights) and upon the condition of a formally expressed, informed and free consent of the author. Further research could certainly be carried out on that point. [...]

1(f) International endeavours should be devoted to developing technical or informational tools to identify the contents of the public domain, particularly as far as the duration of copyright is concerned. Such tools can be data collections on works, databases of public domain works, or public domain calculators. International cross-operation and cross-referencing of such tools is of particular importance. [...]

2(a) The availability of the public domain should be enhanced, notably through cooperation with cultural heritage institutions and UNESCO (through its work on the preservation of intangible cultural heritage).”

Creative Commons statement to the CDIP on the Public Domain

Thank you Mr Chairman, we would like to congratulate you on your election to preside this Committee.

In his keynote presentation to the Global INET Conference here in Geneva just a couple of weeks ago, Dr Francis Gurry described intellectual property as a balancing mechanism for all of the often competing rights and equities that occur in and around the creation of innovation. Creative Commons strongly believes in this balance of rights, and strives to offer technical and legal tools to make that balance possible. We also believe that an integral part of that balance has to be the protection and promotion of the Public Domain. The public domain enriches the global cultural and intellectual environment; it allows the reproduction and reuse of countless classics that are often modernized and reintroduced to new audiences and new generations. One could almost say that they are remixed.

It is with that in mind that we welcome the Secretariat’s inclusion on this session of the Scenarios and Possible Options Concerning Recommendations 1c, 1f and 2a of The Scoping Study on Copyright and Related Rights and The Public Domain, and commend the author of The Scoping Study, Prof. Severine Dusollier. We encourage the adoption of all three recommendations, but we would like to complement the information contained in the document with regards to recommendations 1c and 1f.

With regards to Recommendation 1c, and as the document CDIP/9/INF/2 accurately describes, Creative Commons offers CC0, a universal tool that allows users to voluntarily relinquish all copyright, database and related rights to the fullest extent allowed by law. CC0 is a tool that was conceived and created out of both necessity and demand. Dedicating works to the public domain is difficult if not impossible for those wanting to contribute, voluntarily and of their own free will, their works for public use before applicable copyright or database protection terms expire. Few if any jurisdictions have a process for doing so easily and reliably. Laws vary from jurisdiction to jurisdiction as to what rights are automatically granted and how and when they expire or may be voluntarily relinquished. We understand the inherent difficulties with dealing with this issue in a comprehensive manner given the different approaches to copyright seen from Common and Civil legal traditions. Moreover, our conversations with copyright holders over CC’s 10 years in existence revealed that for some rights holders, there is a desire to signal clearly and unequivocally that their work may be used without reference to restrictions that the holder no longer wishes to retain for any number of reasons. This demand, coupled with the complex and lack of harmonized copyright frameworks, resulted in the creation of CC0. CC0 has been leveraged by numerous important rights holders, including the Dutch Government, the British Library, and the Personal Genome Project, and is part of the legal framework for important projects such as Europeana. For these reasons, we second the Secretariat’s recommendation to conduct a study on copyright relinquishment, and we also encourage this Committee to continue this important avenue.

With regards to Recommendation 1f, we once again welcome the Secretariat’s specific mention of the practices and tools available through Creative Commons. The possibility of marking copyright works with license metadata can tell search engines what is available for reuse, and under which conditions. We applaud all of the national and regional practices cited in the Secretariat’s document, and agree that these efforts must continue. Specifically, we encourage member states and regional bodies to continue to attempt to make public registry data more widely available. We would like to see a more proactive role by WIPO in the international arena. Among other promising avenues, WIPO could host some tools to facilitate the sharing of public registry information on their website, such as an aggregated database of existing registries

Concluding, Creative Commons thoroughly supports efforts that will enhance the ability of rightsholders to voluntarily relinquish copyright thereby enriching the public domain, and of the public to access and use the public domain as copyright law full intends.

Thank you.

US judge finds that IP addresses cannot be used to identify infringers

Andres — Thu, 10 May 2012 09:33:15 +0000

Magistrate Judge Gary Brown has produced an interesting document in the United States District Court for the Eastern District of New York involving four lawsuits regarding so-called copyright trolls, porn producers who sue lots of users based on IP address evidence. The ruling states:

“The complaints assert that the defendants – identified only by IP address – were the individuals who downloaded the subject “work” and participated in the BitTorrent swarm. However, the assumption that the person who pays for Internet access at a given location is the same individual who allegedly downloaded a single sexually explicit film is tenuous, and one that has grown more so over time. An IP address provides only the location at which one of any number of computer devices may be deployed, much like a telephone number can be used for any number of telephones. […]

Thus, it is no more likely that the subscriber to an IP address carried out a particular computer function – here the purported illegal downloading of a single pornographic film – than to say an individual who pays the telephone bill made a specific telephone call.

Indeed, due to the increasingly popularity of wireless routers, it much less likely. While a decade ago, home wireless networks were nearly non-existent, 61% of US homes now have wireless access.5 Several of the ISPs at issue in this case provide a complimentary wireless router as part of Internet service. As a result, a single IP address usually supports multiple computer devices – which unlike traditional telephones can be operated simultaneously by different individuals. […] Different family members, or even visitors, could have performed the alleged downloads. Unless the wireless router has been appropriately secured (and in some cases, even if it has been secured), neighbors or passersby could access the Internet using the IP address assigned to a particular subscriber and download the plaintiff’s film.”

How refreshing to read a technically accurate and astute legal decision. More please!

Chronicle of a Block Foretold: UK ISPs ordered to block Pirate Bay

Andres — Wed, 02 May 2012 16:16:59 +0000

The High Court of England and Wales has ruled that UK internet service providers must start taking steps to technically block access from their customers to The Pirate Bay (Virgin Media has already started). Arnold J has delivered a short copyright order in Dramatico Entertainment Ltd & Ors v British Sky Broadcasting Ltd & Ors [2012] EWHC 1152 (Ch) (decision regarding infringement here). The ruling should come as no surprise to anyone following recent High Court decisions regarding copyright infringement, and the blocking is the result of a concerted campaign by copyright industry interests in the UK.

For such an important and newsworthy ruling, there is very little meat in the actual wording of the decision. This is because most of the legal framework that sustains the order was undertaken in previous cases, namely in blocking access to the Newzbin2 last year in 20th Century Fox v BT (decision here and order here); and to a lesser extent in Golden Eye v Telefónica. Interestingly, Arnold J cites, but in my opinion does not follow, the ECJ case of Scarlet v SABAM.

The legal question at the heart of this case is rather simple: does a judge have the power to order intermediaries to exercise technical blocking of specific websites where copyright infringement is taking place? Arnold J already gave a positive answer to that question in Newzbin2. In that case, he was asked to rule that the site was being used for copyright infringement, and if that was the case, to order UK ISPs to block access to that site by technical means. He was clearly impressed with the existence of filtering technology already in place in the UK (namely BT’s Cleanfeed), and therefore argued that the inclusion of a site dedicated to copyright infringement would be feasible, efficient, and would constitute a proportional response.

So, in this ruling, all that is required is for a judge to be convinced that a site is being used mostly for copyright infringement, and an order to block it can be issued. Arnold J explains:

“Section 97A of the 1988 Act empowers the High Court “to grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright”. I have already held that both users and the operators of TPB infringe copyright. In order for this Court to have jurisdiction to make the orders sought by the Claimants, three further matters must be established. First, that the Defendants are “service providers” within the meaning of section 97A. Secondly, that users and/or the operators of TPB use the Defendants’ services to infringe copyright. Thirdly, that the Defendants have actual knowledge of this.”

I was however, surprised at how little consideration is given to the matter of copyright infringement in The Pirate Bay. The reason for this is that the defendants in this case are UK internet service providers, and as such, they are really not interested in defending TPB. Arnold J seems content to simply restate that TPB (and its users) infringe copyright:

“As to the second matter, I am satisfied that both users and the operators of TPB use the Defendants’ services to infringe for similar reasons to those which I gave in 20CFox v BT at [99]-[113]. In this connection, I note that the evidence of Mr Sehested (as to which, see the First Judgment at [41]-[42]) was that, out of 3,299,337 instances where an IP address for a device connected to the internet and making available sound recordings from a list of 15,000 titles using an internet service provided by one of the Defendants had been identified, 970,529 instances related to Virgin, 386,268 to TalkTalk, 596,872 to Sky, 439,181 to Everything Everywhere and 6,363 to O2. (Mr Sehested explains that his company monitored instances relating to O2 for a much shorter period than the other Defendants, which explains the lower total.)”

In the decision in which TPB and its users were declared to be infringing, there was no need to serve TPB with a notice because even the courts in Sweden were unable to reach them:

“The operators of TPB have not been joined as defendants to this claim, nor has it been served upon them. They did not appear at the hearing, nor have they been represented. Nor has any user been joined, served, appeared or been represented. It might be asked why it would be appropriate for this Court to determine the preliminary issues in their absence. Counsel for the Claimants gave four answers to that question, the first three of which I agree with [...] it would be impracticable, or at least disproportionate, to require joinder or service of the operators or users of TPB. TPB was set up and originally operated by four Swedish individuals (Fredrik Neij, Gottfrid Svartholm Warg, Peter Sunde Kolmisoppi and Carl Lundström) who were convicted of criminal offences of aiding and abetting copyright infringement by the Swedish courts. It appears that, while their (unsuccessful) appeals against conviction were pending, they left the jurisdiction of the Swedish courts. While Warg is said to be in Cambodia, it is unclear where the others are. Furthermore, they have claimed that TPB is now operated by a Seychelles company called Reservella Ltd, although this is disputed. In subsequent civil proceedings brought by a number of record companies in Sweden against Warg, Neij and Sunde, the court has thus far been unable to serve the proceedings on the defendants. There is no reason to believe that any attempt to serve English proceedings on them would be any more successful. “

Fair enough, so we must consider TPB properly dealt with as infringers. Where I think that the ruling truly misses the trick is with regards to the technical aspects of the order. Arnold J seems to gloss over the fact that the order will be easily circumvented. He simply comments:

“One point is nevertheless worthy of mention. Mr Walsh’s report (as to which, see the First Judgment at [19]) drew attention to one particular method by which BT’s Cleanfeed system (as to which, see 20C Fox v BT at [70]-[73]), the use of which was required by the order I made in 20C Fox v BT, could be circumvented (as to which, see 20C Fox v BT at [192]-[198]). As Mr Walsh explained, it is straightforward to prevent that method of circumvention by using IP address blocking. IP address blocking is generally only appropriate where the relevant website’s IP address is not shared with anyone else. If it is shared, the result is likely to be overblocking (see 20C Fox v BT (No 2) at [6]). In the present case, however, TPB’s IP address is not shared. Thus IP address blocking is appropriate. Accordingly, the Defendants have agreed to orders which require IP address blocking, although the specific technical means to be employed varies from Defendant to Defendant.”

I have little comment to make to the actual legalities of the ruling. Any strict reading of the letter of the law would produce a similar result. Copyright enforcement mechanisms allow for the implementation of injunctions and court orders that will try to prevent further infringement from taking place. Blocking access to an infringing site is the logical next step in the legal fight against piracy. My comment about this ruling is that it will not work to achieve its stated goal, namely to reduce copyright infringement online. Blocking does not work. Blocking has never worked.

Buried in the middle of the huge Newzbin2 ruling, there is a little jewel that exemplifies the problems with any sort of blocking decision:

“It is not disputed that technical means of avoiding detection are available, for those knowledgeable and skilful enough to employ them. However, the central difficulty of this argument is that it rests upon assumptions about human behaviour. Experts can seek to establish a profile of those who engage in P2P file sharing, and their various reasons for doing so, and may then attempt to predict how these users may be likely to respond if confronted with the kind of regime that the DEA enacts. In theory, some may cease or substantially curtail their unlawful activities, substituting or not, for example, lawful downloading of music; others may simply seek other means to continue their unlawful activities, using whatever technical means are open. The final outcome is uncertain because it is notoriously difficult accurately to predict human behaviour…”
As it happens, the Studios’ evidence is that when a similar kind of order was made by an Italian court blocking access to the Pirate Bay, use of the site appears to have been markedly reduced. It is fair to observe that, as BT’s evidence points out, diverted traffic may not have been picked up by the monitoring results relied on; but there is no hard evidence of a substantial quantity of diverted traffic.”

What can you do against such blatant disregard of technical realities, or in front of an ossified system that fails to learn from past mistakes? We are living in an evidence-free legal environment that seems to take copyright enforcement as an act of faith. They hope to be able to curb piracy although it is difficult to predict human behaviour. The problem is that it really is not that difficult to predict what people will do. We have had more than a decade of experience, which these people continue to ignore.

Presented with a block, those knowledgeable enough will simply bypass it. The truth is that bypassing the order will become quite easy through technical means, TPB has issued instructions on how to circumvent blocks from other ISPs, which include signing up to OpenDNS, or to get people to sign up to a VPN service. Those not knowledgeable enough, will simply migrate to one of the hundreds of other services that do exactly the same thing as the Pirate Bay does. Then we are back to the game of whack-a-mole.

But perhaps the saddest part of the ruling is that it should serve as a reminder of the utter failure in the “War on Piracy”. I am sure that the irony that people will cough up money to buy a VPN service in order to infringe copyright works will be completely lost on the industry. These people should be paying the industry for their works, not some obscure VPN service. They just make it too damn difficult.

I do not consider myself a pirate, I spend thousands on content; I buy DVDs, Blu-ray discs, music CDs, books, magazines. You name it. But lately, I keep losing patience with the content industries, as they seem to make it incredibly difficult for people like me to continue operating on the right side of the law. The ridiculous region restrictions on DVDs and Blu-rays mean that as a traveller who has lived in two incompatible regions and purchases content from a third I require 3 different players to be able to reproduce my content. Moreover, I cannot get the legally purchased digital copies of my content from the iTunes store because these are “not available in my country”. I tell you what, movie industry, do you know what is available in my country and has no restrictions? Pirated copies! Yes, as The Oatmeal eloquently explained recently, it is often easier to infringe than not.

So, I predict that this will be the judgement that launched a thousand VPNs, and the content industry will only have itself to blame.

CISPA is a threat to the world

Andres — Sat, 28 Apr 2012 13:41:36 +0000

The United States Cyber Intelligence Sharing and Protection Act (CISPA) has passed in the US House of Representatives despite vocal online opposition, and the surprising threat of veto from the White House. H.R. 3523 drew criticism because it is purported to be a threat to privacy as it encourages Internet services to share user information with government agencies (full final text here).

While online groups were very vocal against CISPA, they failed to reach the same level of opposition as they did with SOPA and PIPA. It is possible that privacy is just not as sexy a subject as copyright infringement. It is possible that CISPA’s proponents were much more aware of the way in which the Internet defeated the previous two bills, and how it is on the verge of giving ACTA the killing blow. But perhaps the reason why the bill passed is because nowadays users assume that they have no online privacy anyway. It does feel like Big Brother is constantly watching us, so what damage could one more piece of legislation do?

In previous articles related to US legislative efforts, we have commented that laws passed in the United States have a lot of relevance for the rest of the world because of that country’s importance in the Web’s architecture. This assessment is also proved historically; consider the DMCA’s notice and take-down regime, which has become a de facto international standard, but there is also the fact that it has had considerable extra-territorial effects knocking down content in countries where the law was not supposed to have effect.

So, is CISPA a threat abroad as well? Does the pontiff subscribe to the Roman Catholic theology? Do members of the ursine species perform bodily functions in heavily-wooded areas?

From the start the Bill was advertised with an unhealthy dose of jingoism, its proponents sold it as a way to defend against foreign cyber-threats. While not mentioned specifically, the Act talks mostly about US intelligence agencies sharing information with private parties (with adequate security clearance) and viceversa. Checks and balances are supposedly placed on the use of that information and how it is to be stored and handled by the US government. The heavy implication here is that these threats come from abroad, or that is how the proponents sold it to the tech industry and to the media. The reality is that the final ACT is horrendously vague, and seems to create a private intelligence apparatus. My greatest concern about CISPA is that it will create surveillance sub-departments in technology companies, just like there are DMCA compliance offices everywhere.

CISPA becomes truly worrying in Sec. 1104.(b)(1), which cites the private entities that will be subject to the law. These are “cybersecurity providers” and “self-protected entities”. The definitions for these are too vague, to say the least. A cybersecurity provider is “a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.” In other words, this covers anyone who manufactures anything which can be used to secure information online, including certificate authorities and other similar security intermediaries. The clear threat here is that these intermediaries will have to snoop on their users and report back to the US federal government. Interestingly, I think that the definition clearly covers VPN and proxy providers! Similarly, a self-protected entity is “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” In other words, any company with antivirus software and a firewall is subject to the law. Nice piece of legislative jiggery. So, what are the responsibilities of these service providers? The Act states:

“(1) IN GENERAL-
`(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes–
`(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
`(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
`(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes–
`(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
`(ii) share such cyber threat information with any other entity, including the Federal Government.”

This is truly terrifying. The vagueness in the definition of terms seems to be on purpose to cover all internet intermediaries, from the big to the small. Another worrying aspect is that CISPA spends more time reassuring businesses that all proprietary information is to be maintained as such, and that the data shared will not be used by another private entity to gain a competitive commercial advantage, than it does ensuring user privacy. Furthermore, CISPA creates a blanket exemption from liability for privacy breaches sanctioned by the Act. It reads:

“`(4) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith–
`(A) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
`(B) for decisions made based on cyber threat information identified, obtained, or shared under this section.”

For the above, read “If you spy for us, we won’t sue you”.

If you think that CISPA won’t affect us in the rest of the world, you better think again. As stated above, the US has such a prominent central role in the Web’s architecture that chances are you are already covered by the legislation. Think of the purposeful vagueness in the cited sections. The obvious implication is that if you use an American certificate authority, you will be subject to the law. Similarly, if you use a US-based or hosted antivirus, firewall, VPN, or proxy service , you should consider all of your traffic insecure. In my opinion, CISPA is clearly intended to bring into the fold the anonymising industry based in the US. But what worries me is that the law, as drafted, includes every other service provider, from search engines to social networks, from World of Warcraft to Instagram. If the law passes through the entire legislative process, we are all subject to it.

The solution is simple. The rest of the world needs to continue moving away from the incredible push towards the application of US supra-national jurisdiction that we have experienced in the last few years. Just vote with our feet and start using services that are not subject to such controls. That is, at least, until our governments buckle under the pressure and adopt similar compliance legislation and treaties.

But every cloud has a silver lining… at least your fire gun sales records are exempt from scrutiny!

Passwords and cybersecurity

Andres — Wed, 25 Apr 2012 15:10:34 +0000

The above xkcd cartoon should be required viewing for every IT professional making decisions about cybersecurity. We are now constantly faced with services that ask us to change passwords all the time, and these must meet certain requirements. The password must have a cap, a number, and increasingly, a special character such as !$&# (it looks like I’m swearing!)

I would not be surprised if the number of written passwords in yellow sticky notes by the side of a laptop are on the increase. If you have a couple of minutes of idle time, type “password sticky note” into Google Image, you won’t be disappointed.

Having said that, I can see the argument for standardised requirements for stronger passwords though. Left to their own devices, most people will use 12345 as their password, or simply use “password” as a password.

In the end, the weakest link in cybersecurity is the carbon-based organism sitting behind the keyboard.

ETA: More on stupid password policies.

Text of the Costa Rican ruling declaring Internet as a fundamental right

Andres — Mon, 23 Apr 2012 16:50:43 +0000

One of the most frequent questions I receive is with regards to the 2010 ruling by the Costa Rican Constitutional Court (Sala IV) declaring access to the Internet as a fundamental right. The Costa Rican online jurisprudence system is considerably clunky and difficult to navigate, and most of the requests for information come from non-Spanish speakers, so I have decided to include the full text of the decision as a Google Document. The relevant part of the decision in my opinion, is as follows (translation mine):

“FUNDAMENTAL RIGHTS ABUSED. On this last point, it must be said that progress in the last twenty years in information and communication technology (ICT) has revolutionized human social environment. Without a doubt, it can be argued that these technologies have impacted the way humans communicate, facilitating the connection between people and institutions worldwide and eliminating the barriers of space and time. At this time, access to these technologies becomes a basic instrument to facilitate the exercise of fundamental rights and democratic participation (e-democracy) and social control, education, freedom of expression and thought, access to information and public services online, the right to interact with government electronically and administrative transparency, among others. Moreover, others have affirmed the fundamental right that covers the access to these technologies, in particular the right of access to the Internet or World Wide Web. In this regard, the Constitutional Council of France, in Case No. 2009-580 DC of 10 June 2009, declared Internet access as a basic right, when detached directly from Article 11 of the Declaration Rights of Man and Citizen of 1789. [...] In this context of the information or knowledge society, it is imposed on public authorities for the benefit of the governed to promote and ensure in universal form, access to these new technologies. Based on the foregoing, the Constitutional Court concludes that the verified delay in opening the telecommunications market has not only violated the right enshrined in Article 41 of the Constitution, but also has affected the exercise and enjoyment of other fundamental rights such as freedom of choice of consumers as enshrined in Article 46, last paragraph, the constitutional right of access to new information technologies, the right to equality and the eradication of the digital divide (info-exclusion) -Article 33 of the Constitution- the right to access the internet through the interface that the user or consumer chooses, and free enterprise and trade.”

And here is the entire ruling in Spanish (available directly from Google Docs here, or in PDF format here):

Enjoy!

Assassin’s Creed maker sued for copyright infringement

Andres — Fri, 20 Apr 2012 20:28:59 +0000

"I wonder if I can find a lawyer around here"

A science fiction author has sued games company Ubisoft for copyright infringement in its wildly popular game series Assassin’s Creed. The plaintiff, one Mr John L Beiswenger, is asking for either $1,050,000.00 USD for infringement, or up to $5 million USD for wilful infringement of his novel Link.

It would be fair to say that Link is not a runaway publishing success, or that it seems to have set the literary world alight. The book’s synopsis in Amazon (one has to guess written by the author) reads:

“Contrary to the beliefs of Nobel Laureate Dr. Francis Crick and most modern day scientists, but in alignment with the religious beliefs of billions of human beings on earth, the soul is alive and well and active in our daily lives. Contrary also to the beliefs of most neuroscientists, it is the soul, not the brain, which is designed to remember.
This story principally takes place in the facilities of Search International, Inc., a product research firm near Madison, Wisconsin. They call their work “product research,” because the engineers, medical professionals and scientific staff are specifically focused on the development of new products for client manufacturers.
Commercialization of new technologies was the company’s only objective until an unusual accident occurred; an accident which led management and the biotechnology research staff known as the Biochip Team into a discovery beyond their imaginations, a discovery which could well be considered the most important to mankind for all time.
The truly astonishing hypothesis, developed by Search International, suggests that at the functional center of the nucleus of every cell is an atemporal Particle of zero mass and infinite capacity for memory a biological singularity. The same Particle is a component of every cell in the body. It is the “fabric of the soul.”

Ugh. If the introduction is anything to go by, the book does not look promising. Not my cup of tea to say the least. According to the complaint, the main plot in Link is that scientists have discovered a way to access genetic memories from a subject using a memory device called, you guessed it, Link. It allows people to witness historical events, but as far as I could tell from the excerpts included in the complaint, it does not allow the person to participate. The plaintiff argues that Assassin’s Creed is too similar to the plot of Link for it to be a coincidence.

For those unfamiliar with the Assassin’s Creed franchise, it is a game in which the protagonist, who is a descended from a line of assassins, is forced to use a device called the Animus, which allows him to awake genetic memories from one of his ancestors. The plot revolves around using those memories to uncover a series of artefacts called Pieces of Eden. During the gameplay, you switch from the present to the past, and you have direct input in finding the pieces. Mr. Beiswenger claims that there are too many elements in Assassin’s Creed similar to his novel. The complaint states:

“42. The Assassin’s Creed video game introduces the Animus device and process; the characters describe the Animus as a device and process that allows the user to access, recall, relive, and reexperience ancestral memories stored in the DNA in vivid detail.
43. A major plotline of Assassin’s Creed is based on the access of ancestral memories via the Animus.
44. Another major plotline is the introduction of Abstergo Industries and the Templars verses the Assassins in a good vs. evil theme.
45. In the Assassin’s Creed video game, characters access ancestral memories of historically accurate persons, events and times.
46. In the Assassin’s Creed video game, characters encounter biblical and spiritual plotlines such as Gods, Adam and Eve and Pieces of Eden.
47. In the Assassin’s Creed video game, characters frequently use the words “genetic memories,” “ancestors,” “link,” “synchronize,” and “assassins,” and variations thereof, when describing the Animus device and process.”

Even if we grant those plot similarities (and they seem quite thin to say the least), does the plaintiff have a case? I would almost state with certainty that he does not, according to well-established US case law in this area. In Nichols v. Universal Pictures, the 2nd Circuit Court of Appeals was asked to look at the similarity between a play and a motion picture, both featuring Irish youth marrying Jewish counterparts without the agreement of their respective families, both resulting in comedic situations. The judges in that instance found that while copyright does protect characters and plots, the copying must be substantive, and stock elements and tropes are not protected. The idea is not protected, it is the expression of the idea.

I have played the game, but not read the novel (and do not intend to), so I can only give an uninformed opinion. From the excerpts in the complaint, and from the plot elements discussed, there is just not enough similarity to warrant copyright infringement. Characters are a very important element in Assassin’s Creed, and there no similarity whatsoever in that respect. Moreover, character development is perhaps one of the most important elements of the game, the gameplay rests entirely on the character’s ability to uncover the plot and find the artefacts. This is not even hinted at in Link from what I’ve read.

Now excuse me, I will go and dust-off my copy of the game and kill me some medieval guards.

In defence of NonCommercial clauses

Andres — Wed, 18 Apr 2012 14:26:40 +0000

Does NC lock down content?

Creative Commons has released the first draft of the 4.0 version of its licences for public comment, and while there is much to discuss about it, I will be doing it in a later post. The following words are prompted by something that I have noticed arising from the public discussion taking place in one of the mailing lists dedicated to the topic, and it is something also that continually bothers me in most public discussion of open licensing in general. It seems to me that a significant number of those who participate in these discussions are opposed to the very existence of NonCommercial clauses in Creative Commons licences, and another good number dislike it, but endure its existence. All throughout long threads dedicated to the NC element, the attacks on NonCommercial clauses are relentless.

The cause for this vocal opposition stems from a combination of factors. Firstly, a lot of participants in those discussions come from the Free Software movement, where NC clauses are considered anathema to the development environment; anything that is considered NonFree is incompatible with the GPL, which is the standard for Free Software. Secondly, in 2006 Benjamin Mako Hill and Erik Möller created the influential Definition of Free Cultural Works (DFCW), which states clearly that NC clauses are not Free (in the freedom sense, not the free beer one). The DFCW was adopted by the Wikimedia Foundation, and therefore the dislike of NC within the open community was cemented.

Given the volume of opposition to NC, I would like to make a small defence of those clauses. I am not interested in attacking those who prefer to use Free licences only, I agree with most of the arguments in favour of free works, and I have nothing against that position. I do however disagree strongly with the utter demonisation of NC. I have to admit that I have always used NC licences, so I can talk from experience.

The first thing to note is the continuing popularity of NC clauses. If you were to read any random discussion on CC-Licenses or any similar list, you would assume that there is only a small minority of users who prefer NC licences, but in most CC licence metrics and statistics that I have read over the years, NC elements continue to be very popular by any measure. Historically, it seems like the NC clause is present in around 60% of works licensed with CC (if not more).

: Data from 100 million Flickr images (2009).

Why the popularity? I have been presenting about Creative Commons since 2004 to all sorts of audiences around the world. When preaching to the converted (free software advocates, developers, and CC communities), it is clear that NC is not favoured. However, when presenting to the general public, most people dig the NC clause. I have been pleasantly surprised by the willingness of people to share their work, but they are not happy at the prospect of some nameless corporation coming to take their work and profit from it. It is very human to rebel against the prospect of future unfairness, and this seems to drive the popularity of NC clauses. In my experience, it is easier to sell CC to wider audiences with the NC clause.

My personal experience with NC clauses has been very positive. Since 2007, all SCRIPTed articles have been using BY-NC-ND Scotland licence, and in 14 issues since only one person has asked to change the licence to remove the NC element. This blog has always been published with an NC licence, and while it is not intended to gain any money, it has allowed me to get some profits here and there. For example, all the blog’s content is offered through a commercial syndication service that sells content to Amazon, Thompson, Lexis and other aggregators, which gives me about $50 USD per year. I won’t make a living from this, but it is nice to be able to afford a good bottle of whiskey from time to time from money obtained through these pages. Similarly, I just sold an article to a large Canadian textbook publisher for a small fee. Were I not using an NC licence, it is possible that I would not have been able to get money in both instances. To me being able to get that money from time to time is more of a psychological incentive to continue writing.

More importantly, the NC element allowed me to sell the idea of releasing a book under Creative Commons to a UK academic publisher, who had never done it before. In the end they were happy to maintain control of all commercial uses, and to allow NonCommercial uses of the work. They were worried that if they did not have the NC clause, a competitor could simply reprint the book in its entirety and slap a ShareAlike licence to it.

Here is a list of some of the most common arguments that I have read throughout the years against NC, with my comments:

NC should be destroyed and cast into the fiery chasm from whence it came. Thankfully this is a minority opinion that deserves little comment, it is given by the likes of those who believe that everyone should be forced to install Linux tomorrow.
NC elements pollute the commons because they create incompatible works that cannot be mixed. This seems to be the strongest argument against NC, and it would be fair if one assumes that the objective is to create a large pool of works where everything should be remixed. I do not believe this to be the case, as cultural works are very different to software. In my opinion, it is more important to enable sharing, and compatibility is a desired secondary goal.
NC clauses are complicated, and therefore difficult to enforce. Funnily enough, in most cases where CC has been enforced in court, the NC element was present, and the courts had no problem applying the NC clause (examples here and here).
Creative Commons should strive to diminish its importance by renaming it, offering fewer options, or even demoting it in the licence chooser. This is an interesting idea, but again assumes that it is wrong to want to use an NC licence. I do no think this to be the case.
It is unfair for you to profit from your work, and not allow others to do the same. I have seen variations of this from time to time, I have no real response to it because the thought behind it seems to be alien to me. I find it fair that I should profit from my work.
People who use NC do not know any better and should be educated into the right way of doing things. This a surprisingly popular view, yet I find it highly patronising and insulting to say the least. There is a non-negligible number of people who are quite aware of the reason why they use NC.
People who use NC are not really into Free Culture. Ah, the No True Scotsman fallacy!
People who use NC are evil, bad, or in the pocket of Apple and/0r Microsoft. Have you taken your frog pills today?

In the end, the best argument that I have in favour of the existence of NC clauses is freedom itself. It seems fundamentally wrong to propose freedom as the highest principle in the open licensing ecology, only to begrudge those who choose to exercise their freedom in ways that those who have defined it narrowly disapprove of. Freedom comes from recognising that there are various reasons why people make licensing decisions, and that those may be different from your own.

But do not take my word about all of this. Will you consider the advice of one Richard M. Stallman? Surprisingly (at least for me), he has agreed that non-free elements are not so problematic in non-technical fields. In an email exchange he explains:

“I think that is the right definition of “free”, but I don’t think that non-functional works must be free. It is enough for them to be sharable. It is nice if other works are free, but not ethically imperative in my view.”

He then explains that art and software are different:

“If you use something to do jobs in your life, you must be free to change it today, and then distribute your changed version today in case others need what you need. Art contributes something different to society. You appreciate it. Modifying art can be a further contribution to art, but it is not crucial to be able to do that today. If you had to wait [...] for the copyright to expire, that would be ok.”

To stress this point, RMS published yesterday an article in The Guardian under an Attribution NonDerivatives licence, which I may add, does not meet the requirements of the Freedom Defined site.