Barry Law Firm: Does your lawyer speak tech?

Google v. Privacy – Round 2

Posted on September 08, 2014

Remember back in January, when I cautioned about what happens when we give our privacy away, especially by putting all of our eggs in one basket? It seems that the warnings are becoming a bit more real today.

See this article by Andrew Hinks.

Oracle v. Google – Copyrightability of APIs

Posted on June 07, 2014

On May 9, the US Court of Appeals for the Federal Circuit handed down its ruling on the appeal (and cross-appeal) of Oracle v. Google, a very interesting case that could have wide impact on the use of “application programming interfaces” or APIs. At issue are 37 Java packages, 8 specialized Java security packages, and a routine called “rangeCheck.” Oracle claims that Google infringed on its copyrights in the packages and rangeCheck by using them in the Android operating system without a license. Google admits copying eight of the files verbatim, and admits that it copied the declarations sections of the other 37 Java packages, but contends that it is not guilty of infringement because it has an affirmative defense under the “Fair Use Doctrine.”

The ruling from which both parties appealed is a mixture of jury verdict and judge’s decisions from the Northern District of California’s Federal District Court. The parties agreed in the district court case that the jury would decide on infringement and fair use, including whether the copying was “de minimis,” which would lead to a not guilty verdict on infringement. Meantime, the judge would decide whether the API files were copyrightable, and if so, would go on to decide whether Google had an adequate equitable defense to infringement. The jury returned a verdict of infringement of the 37 Java packages and rangeCheck, but said that there was no infringement as to the 8 decompiled security files that Google claimed made up the “core” of the Java operating system. The jury explained that it was necessary to use the 8 decompiled files verbatim in order to access the Java language. The jury could not reach a verdict regarding fair use.

Once the jury had completed its findings, Oracle asked for a judgment as a matter of law (“JMOL”) which would throw out the defense of fair use, since the jury hadn’t reached a verdict. Oracle asked, in addition, that the judge nullify the jury verdict on the 8 security files and find that Google’s use was infringing. Google asked for a JMOL on the rangeCheck files, which would basically nullify the verdict of infringement for that program. The judge ruled that the 8 security files were indeed infringed, since Google admitted copying them verbatim, and no reasonable jury could find that the copying was de minimis and therefore excused. The judge denied Google’s motion regarding rangeCheck. In addition, the district court found that none of the elements of the 37 API files were copyrightable, but that rangeCheck and the 8 decompiled security files were copyrightable. The final verdict, in a nutshell, was that Google was guilty of infringement of the 8 decompiled security files and rangeCheck, with no affirmative defenses.

On appeal, the Federal Court of Appeals decided that the district court was incorrect on several counts. First, the court ruled that the 37 API files were indeed copyrightable, and since the jury found infringement, Google was guilty of infringing the 37 API files, the 8 decompiled “core” files, and rangeCheck. However, since it was up to the jury to determine fair use, which was Google’s defense, that part of the case goes back to the district court for determination. The district court’s granting of Oracle’s JMOL that excluded fair use as a defense for the 8 decompiled files was upheld by the appeals court. Google’s request for JMOL to reject the jury’s verdict of infringement on rangeCheck was denied.

In other words, Google is guilty of infringement of 8 decompiled security files, and rangeCheck, and the 37 API files. Google has no available defense regarding the 8 security files it decompiled and copied verbatim. The case now goes back to the jury to decide whether Google has a defense against the infringement, such as fair use, which would result in a not guilty verdict.

The Court’s Reasoning for Finding Copyrightability

In order to determine whether a copyright is infringed, the first step is determining whether the copyright itself is valid. This can often be a difficult analysis when dealing with specific software functions such as APIs that are meant to be interoperable with a given software language. At the center of the court’s analysis, and the crux of the matter, was the question of whether or not the verbatim copying of Oracle’s code was necessary in order to access the functionality of the Java language and programming platform. There were several additional considerations that the court looked at, which will be taken in turn.

Necessity

The district court concluded that “there is only one way to write” the declarations to interface with Java. If true, the use of identical declarations would not be copyrightable. However, except for three of the API packages, Google did not dispute the fact that it could have written its own API packages to access the Java language.

Oracle argued, and the appeals court agreed, that the files in question consisted of two parts: 1) literal elements, as in 7000 lines of declarations in the source code, and 2) non-literal elements, being the structure, sequence, and organization of each of the 37 API packages. Infringement of the literal elements, according to the court, occurred through the verbatim copying of original expression. Non-literal copying, in this case, would be paraphrased or loosely paraphrased copying, rather than word for word. Oracle claimed copyright in both literal and non-literal aspects. The appeals court’s analysis did not proceed to non-literal copying, since Google conceded that it copied the declarations verbatim. The court found that since the literal aspects were copied, the underlying code was then copyrightable.

Oracle’s Appeal

Oracle appealed from the district court decision that none of the elements of the 37 API files were copyrightable. Its argument was that the code was original, and as such met the standard for copyrightability. As issues of whether or not a work is copyrightable are reviewed “de novo” (reviewed ‘fresh,’ without any reliance on the previous ruling), the appeals court took a new look at the files, while noting as undisputed two key premises of the previous decision:

1. Java is open and free for anyone to use (with appropriate licensing for commercial use)
2. Google could have written its own API packages using Java, but instead copied the declarations files and replicated the overall structure, sequence and organization of the 37 API packages.

While examining this issue, the court made note of a telling line in Judge Boudin’s concurring opinion in Lotus Dev. Corp. v. Borland Int’l, Inc., 47 F.3d 807: “Applying copyright law to computer programs is like assembling a jigsaw puzzle whose pieces do not quite fit.” The court acknowledged that examination of the jigsaw pieces was indeed a difficult task, but also concluded that the district court did not properly separate the concept of copyrightability and the concept of copyright infringement. The district court used factors that should have been examined solely in relation to infringement, in their analysis of copyrightability.

The appeals court found that the threshold for copyrightability is a “low bar” and in this light, the 37 API packages were indeed copyrightable. The requirement for a work to be “original” in order to be copyrightable is not difficult to reach. Originality, as defined in Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 358 (1991) is: “only that the work was independently created by the author (as opposed to copied from other works), and that it possesses at least some minimal degree of creativity.” Id. at 345.

Google’s argument was not based on the originality of the API packages; instead it argued that a work cannot be copyrightable if it is also functional. Google cited Section 102(a) of the Copyright Act, claiming that this section takes away any designation of copyrightability if there are any functional components to the work. The appeals court disagreed, and cited the Congressional Record (H.R. Rep. No. 1476, 94th Cong., 2d Sess. 54): “Section 102(b) does not extinguish the protection accorded a particular expression of an idea merely because that expression is embodied in a method of operation.”

Google’s final argument revolved around the doctrines of merger and scenes a faire, both of which relate to the concept that, as copyright can only apply to the expression of an idea rather than the idea itself, if a given idea can be expressed in only one, or a very limited number of, ways, it cannot then be copyrightable. The idea becomes so intertwined with its expression that the two are “merged.” Google argued that, in order to utilize Java, there are only a very limited number of ways you can write the API in order to access Java’s functionality. While this is an argument that many Java programmers agree with, the appeals court disagreed that these doctrines should be considered as a threshold factor in concluding whether or not a work is copyrightable. It instead concluded that both merger and scenes a faire should only be considered to determine whether or not a work has been infringed: expression of an idea that may only be expressed in a limited number of ways goes to fair use, and should be examined as a defense to copying, not as dispositive of whether or not the expression could be copyrighted.

Functions, Parameters, Variables and Declarations

The argument by many Java programmers that there are very limited ways to express the variables and functions through which to access the Java language when creating an API package is an argument worth examining. There is no doubt that using a standard set of variables and function calls is much easier for others to understand and further develop upon (which was the original point of the General Public License concept under which Java was originally released). The GPL concept is that the licensee can use the declarations and implementing code verbatim, in any way it wishes, so long as it “contributes back” the innovations to the public domain. This is called the “open source” license, and is free for use so long as the user returns any source code it creates to the community for continued usage. This model is not often appealing to companies that pay for development of a product for sale. Those companies have two options. The first is a Specification License, which allows a company to write its own implementation code and use the declarations and general organization of Oracle’s code. If Google had chosen to purchase a Specification License, there would have been no infringement question, as Google created its own implementation code and used Oracle’s declarations and general organization in a manner the license contemplated. The second option is a Commercial License, whereby a company can use all of Oracle’s code, declarations, organization, implementation, etc. while keeping its own code secret.

Indeed, Google was in negotiations with Sun (predecessor to Oracle) to purchase a license for a derivative version of the Java platform for use on mobile devices, called Java Micro Edition. Google and Sun also discussed co-development, partnership, or other types of ventures under which they could co-produce a mobile operating system. The sticking point was that Google wanted all code to be proprietary rather than compatible with the Java virtual machine or other Java programs. For this reason, Sun did not grant Google a license to the packages. The court was no doubt influenced by the fact that Google had originally determined that they would need a license to use the API packages, and when denied, decompiled and used them verbatim.

The court found the 37 API packages to be indeed copyrightable, as they are expressive, and “could have been written and organized in any number of ways to achieve the same functions.” As Google admitted to copying the declarations verbatim, Google infringed Oracle’s copyright by definition. The remaining question is whether or not that infringement was “fair use” under either the Merger Doctrine, or other interoperability arguments.

Evaluation at the Time of Creation

An interesting discussion in the opinion, which could be seen as dicta, concerns infringement analysis, which was not a question the appeals court was asked to decide. The court provided guidance regarding how the Merger Doctrine could still be used to evaluate claims of infringement. The district court had originally found that the Merger Doctrine applied to the 37 API files because “under Java, a programmer must use the identical declaration or method header lines to declare a method specifying the same functionality.” However, a key point that the lower court missed was the point in time at which one analyzes whether the identical declarations must be used. In this case, as in many cases of interoperability and necessity of duplication, timing was everything.

Copyrightability and the scope of protectable activity (which is a key component of an infringement analysis) are evaluated at the time of creation, not at the time of infringement. Apple Computer, Inc. v. Formula Int’l Inc., 725 F.2d 521, 524 (9th Cir. 1984) (emphasis added). So, when Sun created Java and the API packages, example questions to ask include: would it have been possible, at the time Java was created, to call the package by another name, defined as such in the declarations? Would it have been possible to name the variables in another way? Would the functions have to be in any specific order? The district court, interestingly enough, had found that nothing in the rules of Java required the same groupings of function calls or declarations, and found that there were many ways to express the code, yet still found that the API packages were not copyrightable. The appeals court made a point of mentioning that if the “core” Java files, when Java was created, had greatly limited the expression of functions, classes, and variables, idea and expression may then have been merged, and the Merger Doctrine may apply. However, Google did not argue this, nor differentiate between the types of packages it was accused of infringing. Google did not build a factual record to support its argument that external factors that existed at the time of creation mandated that the expression of the API packages was either common, or essential to the functionality of its implementation code. Had it done so, the court hinted that its findings may have been different, at least with regard to the core programs.

The appeals court states outright, quoting an amicus filed by the former Register of Copyrights of the United States, “[h]ad Google reverse engineered the programming packages to figure out the ideas and functionality of the original, and then created its own structure and its own literal Code, Oracle would have no remedy under copyright whatsoever.”

Expediency

The court’s findings could also have been swayed by findings of the district court that Google intended to capitalize on the familiarity that developers already had with the Java API packages they copied. The district court stated outright that “Google’s interest was in accelerating its development process by ‘leverag[ing] Java for its existing base of developers.’”

What’s Next?

This is hardly the end of the story. The appeals court found that the 37 Java API packages are copyrightable, reversed the district court on copyrightability, and reinstated the jury’s verdict of infringement at the district court level. Therefore Google is guilty of copyright infringement for the 37 Java API files.

However, the matter of whether Google has sufficient affirmative defenses, such as fair use, to dismiss the infringement as inapplicable, goes back to the district court jury to determine, as the previous jury deadlocked on the issue.

The court also held that the eight decompiled files that Google used were also infringed, as was rangeCheck. These findings also go back to the jury for analysis to determine whether there are any affirmative defenses.

It’s Not a Question of “If”

Posted on May 22, 2014

Do you have a plan for data breach? Just about every company, large or small, will eventually be caught up in a data breach scenario, whether real or assumed. Do you know what you’ll do?

According to forensics company Stroz Friedberg, 52% of senior leadership gave corporate America’s response to cyber threats a grade of C or lower. That hardly fosters optimism. The Washington Post reported that in 2013, federal agents informed over 3000 companies that their systems had been hacked. This included Target’s system, which was breached with millions of personal records exposed, causing a dramatic loss of sales. On April 3, 2014, the Heartbleed vulnerability was discovered. It is not known how much information was compromised. On April 30, 2014, ex-counterterrorism czar Richard Clarke warned that Russia may use cyber warfare against the US and Ukraine. On May 19, the New York Times reported that 5 Chinese Army personnel had been indicted for hacking US systems. On May 21, eBay was hacked, including its e-commerce pseudo-banking site PayPal. The damage to consumers is still unknown. On May 22, Bloomberg News reported that “UglyGorilla,” one of the 5 indicted Chinese, is claimed to have hacked into Westinghouse and US Steel.

These are merely the publicized exploits. Meantime, there are tens of thousands of attempts to break in, usually by “script kiddies,” or kids who collect malicious code on the Internet that they use to try to break into random systems. Usually, these attacks are not very sophisticated. My blog’s automatic blocking of people who try to get in too many times has been triggered thousands of times this year. More savvy attacks would easily have gotten in. Of course, they wouldn’t have found anything except my articles, for which I have backups.

But what about the small to midsized defense contractors, and the software/hardware developers with intellectual property secrets, customer lists, employee SSNs, pay records and direct deposit accounts? What if you’re a HIPAA Business Associate holding Protected Health Information (PHI)?

It is very important for all companies to have systematic procedures in place long before the intrusion or possible intrusion happens. A sample team for a small company might include your system administrator, chief technical officer, legal counsel and the CEO. You should have identified and contracted with a competent computer forensics company and outside counsel who are well versed in cybersecurity. All team members should be involved in writing your company’s plan and in doing tabletop simulations so they’re comfortable with the procedures.

So, what do you need a lawyer for? Shouldn’t the forensics company in combination with the company IT staff be more than capable of handling an investigation? Maybe. If the techs find that no data was compromised, that the intrusion alarm went off for nothing and all is well, then you really don’t need legal assistance. What happens, however, if you find that customer data, protected medical information, employee SSNs or other identifying information has been disclosed? What if you have data from several states? What if you have international data? Trade secret information or classified materials? Would you know where to begin, and whether the company could be civilly or criminally liable?

All companies that deal with protected data of any kind that may be vulnerable to cyber attack (which is any data on a network) should have competent cybersecurity counsel, either in-house or outside counsel (hopefully both, if your investigation needs attorney/client privilege), assisting in the creation of a comprehensive response plan. The lawyer should work closely with the technical and operations staff, a forensics company, and C-level executives to draft a workable, easily understandable plan. The plan should be kept up to date with appropriate names and contact information, and scenarios should be simulated against the plan with changes made as necessary.

Having a rehearsed plan immediately implemented can make the difference in the outcome of any cyber incident. Rapid identification, verification, and containment, followed by ensuring compliance in reporting or other requirements, appropriately involving law enforcement, and improving safeguards as well as response, may keep your company out of the news.

Crowdfunding a Law Firm?

Posted on March 26, 2014

Mikki Barry FOR IMMEDIATE RELEASE 03/26/2014
Barry Law Firm, PC
m.barry@barrylawfirmpc.com

Barry Law Firm Celebrates Groundbreaking Fundable Campaign

Great Falls, VA: Mikki Barry, CEO of Barry Law Firm, PC, a technology-based enterprise, announces the ramp-up of the company’s “Fundable” campaign. Thought to be the first crowd-funding effort for building a law firm, Barry is confident that its time has come. Barry seeks to leverage the power of technology as a funding source that will be friendlier to start-ups than traditional methods.

She states, “Technology is the basis of everything Barry Law Firm does. The idea of offering the technology community ‘first dibs’ on our services through a proven vehicle such as ‘Fundable’ fits in perfectly with our identity in the legal industry.”

Barry Law Firm, whose tagline is “Does your lawyer speak tech?” wants to “walk the talk,” as Barry put it. “We know the Internet, we know technology. Why not use its emerging capabilities to increase our reach?”

The firm is offering discounted legal and consulting fees for backers, as well as Barry Law Firm T-shirts that carry the message “My Lawyer Speaks Tech,” in addition to fixed price package offerings for trademark registrations and government solicitation analysis. Backers of the “Fundable” campaign, for example, can save up to $250.00 for three hours of advice. “We want to offer real value to our backers,” Barry said. “With privacy and cybersecurity at the forefront of people’s minds due to recent events, companies need to examine their practices and compliance. We are happy to provide some incentive for them to do some preventative planning.”

The firm will use proceeds from the “Fundable” campaign for expansion. The promotional video now posted online lists current needs such as office space, marketing, increased staffing, and other considerations as Barry Law Firm “grows” the company. “We have lots of plans for non-traditional offerings,” Barry said. “Look for more announcements soon!”

About Barry Law Firm, PC: Barry Law Firm is a technology firm located in Great Falls, Virginia, leveraging proven IT knowledge capital in practice areas such as government and commercial contracts, Internet security, privacy issues, data-breach, encryption, contractual compliance, policies and procedures, and soft intellectual property. For more details about the new “Fundable” campaign, please visit: (http://www.fundable.com/barry-law-firm-pc)

###


Michael Geist on US Control of the DNS

Posted on March 26, 2014

An interesting view on the subject from Michael Geist, a noted Canadian Intellectual Property attorney with views I am usually aligned with. Geist brings up some 800-pound gorilla topics, such as jurisdiction over dot com, dot net and dot org domain names, and the ICANN GAC (Governmental Advisory Committee), made up of governments to allow them to opine on Internet governance matters. Some may even go so far as to claim that the GAC is the backseat driver, often determining ICANN policy.

Why the U.S. Government Isn’t Really Relinquishing its Power over Internet Governance

Deleted Data in MA370 Mystery

Posted on March 25, 2014

I normally don’t comment on speculation regarding plane crashes. As an Air Traffic Control friend once told me, the cause of every aviation accident is the same – Gravity. Given the number of surprises that come along with crash investigations, speculation is fraught with uncertainty, and should be met with skepticism.

However, this article, written by an Internet attorney and a “cyber investigator,” is one of the reasons why the general public should avoid putting stock in any reports that deviate from the facts in front of us (although in this particular case, even the “facts” are not necessarily factual).

The headline screams “The Deletion of Data is Often Key Evidence in Proving Facts of a Case.” OK so far. But then, they focus on MA370’s Captain, Zaharie Ahmad Shah, and the fact that flight simulator data was deleted.

As you may recall, the media had jumped to the conclusion that the Captain must have had something to do with the disappearance of the aircraft, because he had a simulator in his home. Perhaps they should have asked some professional pilots whether they also had simulators in their homes. Without a doubt, I would prefer a pilot who flew simulations on her off time than a pilot who does not. Day in and day out, a pilot’s job is basically the same in modern aircraft. You take off, you lock in the auto pilot, and you monitor the instruments until you’re close to landing. Sometimes you even let the aircraft land itself. Most everything is routine. Every 6 months, pilots in the US undergo recurrent training, where they go into a simulator and practice emergency maneuvers and hope that they never have to use them.

The bottom line is that for pilots who want to keep in practice flying instrument approaches, landing at airports that are too short or too high, experimenting with aircraft characteristics when overloaded, or losing an engine before take off, the best place to do that is the simulator. Simulators generally record data so you can critique yourself accordingly. So, when would you delete that data?

One of the most important tools in logic is Occam’s Razor which states, in essence, that the hypothesis that makes the fewest assumptions should be selected. While not an irrefutable prospect, it can possibly provide us a bit of guidance in the current situation. Rather than assume that Captain Shah was planning the unthinkable, including all of the assumptions that must be made in order for that scenario to be the correct one, why not instead start off with the premise that the data was deleted because the Captain was either embarrassed by his performance in the sim, or nailed it so perfectly that he found it too easy to repeat, and deleted the file. An even simpler scenario would occur if the drive he was using was full, and he wanted to save some space. Any of those possibilities make fewer assumptions than a pre-determined plot to doom the flight.

Articles such as this one, that try to marry two disparate fields of technical expertise, would do well to have an expert from each of the fields as a consultant. This same concept can be carried forward into legal advice. Find an attorney who understands both the law, and the core capabilities of your business. Doing that will save you from possibly incorrect or misleading assumptions such as the ones portrayed in the article.

Multinational Stakeholders and Political Unrest

Posted on March 24, 2014

It will be interesting to see what happens to Internet access after the US Department of Commerce’s plan to relinquish control of the Domain Name System. As we have seen time and time again, one of the first things that a threatened government does when faced with significant opposition is turn off means of communication. When an individual government had control of cellular service, television and other news media, and imposed curfews so individuals had difficulty organizing, the Internet was still available through various social networking platforms. However, as more nations develop central control over “their” DNS, outages develop.

It remains to be seen how these outages will affect a multinational governance system. Is there a fundamental difference between “the government” of a country, and entities controlled by the government that would likely become part of this multinational governance?

Turkey orders block of Twitter’s IP addresses

Barry Law Firm on Fundable

Posted on March 24, 2014

The time has come for expansion of Barry Law Firm, so as an experiment in the use of crowd funding for more “traditional” endeavors such as law practices, we’ve chosen Fundable to see whether the concept is feasible. Thus far, it doesn’t look terribly promising. However, we’re not ready to call it a day just yet.

We’ve added a few new perks such as t-shirts along with discounted hourly time and discounted flat fee services. There’s still a bit of time in the run, so we’ll provide updates as things go along in the experiment.

Please have a look at the Fundable site here, and please feel free to comment. We’d love to hear your views.

Please also have a look at the video made for the campaign. Thanks!

Today’s Word to the Wise

Posted on March 21, 2014

Ok, maybe it’s a few words, but please take heed.

One should always be very careful about what they post themselves to the Internet. Remember when teachers would tell you that misconduct would be recorded on your “permanent record?” The Internet has become that permanent record.

Internet “Give Away?”

Posted on March 18, 2014

Interesting story in Defense One this morning; however, some important issues should be brought out. First, ICANN is currently running on a sole-source, zero-dollar procurement that was not properly competed. This may be why the latest move is seen as a “giveaway,” as the US has asserted control over the DNS function. It could be argued that ICANN itself is quasi-governmental, as it has taken direction from the US government regarding which top level domains (TLDs) appear in the root system. Secondly, and most importantly, ICANN has never allowed Internet users an individual say in governance, claiming they are already represented by other constituencies that often don’t have users’ best interests in mind.

For those of us who were there in the “before time,” when the Commerce Department was looking for a “NewCo” to run the “technical governance” of the Internet, we remember how the mandate for a single company with worldwide consensus was handed down by Ira Magaziner in what was called the White Paper. The IFWP (International Forum for the White Paper) was created in order to achieve consensus on the processes by which this consensus should materialize. Meetings were held worldwide in order to engage as many international constituencies as possible. However, as consensus was finally achieved, back room deals between intellectual property interests (who are not covered in the concept of ‘technical governance’), registrar interests and other business interests (including the law firm that would make millions from NewCo) presented their own fait accompli, usurping the two year process with a submission to Commerce called ICANN. Interestingly enough, the White Paper called for only one draft set of bylaws to be produced from the IFWP process, and if there were more than one, the authors would be “locked in a room until they could achieve consensus on one draft.” Although three drafts were presented (links provided along with collaborative information), one was chosen (without the benefit of a full procurement cycle), and of course it was the back room deal that excluded individuals, where the majority (later all) of the Board of Directors was appointed rather than elected by Internet users and other stakeholders.

This historical perspective sheds some light on the current plans. ICANN has issued a press release with its take on the issues. Please note that during ICANN’s public meeting in Singapore from March 23-27, in-person or remote participation is scheduled.

How the US Outsmarted Everyone by Giving Up the Internet

NSA Spying on Americans is Ok, but CIA Spying on Torture Records is Not?

Posted on March 12, 2014

So what do you think? Dianne Feinstein, a Democratic senator from California and normally a CIA supporter, called the CIA’s breaking into a secure database of interrogation records concerning torture allegations under the Bush Administration “a defining moment for the oversight of our intelligence community.”

In June of 2013, Senator Feinstein said that Edward Snowden was guilty of treason. Last month, she said that the NSA’s bulk collection of billions of American phone calls safeguarded the nation without trampling on civil liberties.

So what do you think? Are these two views as disparate as they look at first glance?

Whistleblower Protection Extended by the Supreme Court

Posted on March 11, 2014

Last week, the Supreme Court made clear that the whistleblower protections of the Sarbanes-Oxley Act of 2002 apply not only to employees of public companies, but also to contractors and subcontractors of those companies. They stated that Congress intended for workers in a position to see, understand and report improper dealings to have the means to report without retribution. Given that there is no bright line between a contractor and a vendor, there could well be further litigation to shore up the definitions so that businesses can be clear on where SOX does and does not apply. The dissent, by Justice Sotomayor, while not addressing this issue, did point out that she was concerned with the reach of the majority opinion, saying in part, “Congress did not envision a system in which employees of other private businesses – such as cleaning and construction company workers who have little interaction with investor-related activities and who are ill suited to assist in detecting fraud against shareholders – would fall within §1514A. Nor, needless to say, did it envision §1514A applying to the household employees of millions of individuals who happen to work for public companies – housekeepers, gardeners, and babysitters who are also poorly positioned to prevent fraud against public company investors.”

This is a dramatic expansion of Sarbanes-Oxley to include millions more employees than previously thought. Contractors should begin training as soon as possible to ensure that they remain compliant with this ruling.

PDF of the Supreme Court Ruling

Protection From Liability for Cybersecurity Failures. What do you think?

Posted on March 10, 2014

In a controversial move, Congress is debating H.R. 3696, the “National Cybersecurity and Critical Infrastructure Protection Act of 2013” (NCCIP Act). Among its verbiage and protections, the bill would use the liability protections of the SAFETY Act to shield cybersecurity providers from certain types of liability in the event of cyber attacks.

Some of the protections include:

• Elimination of punitive damages
• Limitation of liability to the cybersecurity provider’s insurance coverage
• Federal jurisdiction only for claims
• Reduction in liability compensation by deduction of insurance or government benefits

So what do the technical folks think about this idea? Are cyber attacks so sophisticated that special protection from liability for data theft is needed? Or is this an excuse for sloppy security practices, or for selling flawed products or procedures?

What do you think?

H.R. 3696 – NCCIP Act

Mommy, Can I Jailbreak the Coffee Maker?

Posted on March 04, 2014

Keurig, creator of the leading single-cup coffee brewer technology, the K-Cup, is fitting its new machines with its own version of DRM (Digital Rights Management). The company announced that only “approved and licensed” K-Cups would work in the new machines, presumably meaning your choices of Morning Joe will be limited to those manufacturers who provide a revenue stream to Keurig. Rather annoyed by the idea that I can’t do what I wish with something I have purchased, I wrote to Keurig asking them to reconsider their flawed idea.


I received a timely, but worthless response:

“Dear Michaela,

Thank you for contacting us. The Keurig® 2.0 brewing system features advanced functionality that has been developed in response to consumer feedback. Both current Keurig brewer owners and non-owners told us the brewer functionality they wanted most was the ability to brew both a single serving and a pot of coffee from one system with Keurig speed, convenience and brand choice. Our next generation Keurig 2.0 brewers will do just that, utilizing the now over 250 available varieties as well as future partnerships to offer the perfect cup or pot of coffee for any occasion.

To ensure the Keurig 2.0 system delivers on the promise of excellent quality beverages, produced simply and consistently, the system uses interactive technology. This means that the brewer will be able to recognize the type of Keurig pack that has been inserted, whether a single-serve or a carafe pack, and therefore guarantee the perfect beverage every time.

We certainly appreciate your feedback and I will be sure to forward your comments along to the appropriate departments. If you have any further questions regarding our products, please feel free to contact us at 866-901-BREW (2739). Representatives are available seven days a week from 7am to midnight, EST.

Sincerely,

Nicole Mailloux
Keurig At Home Customer Service
www.keurig.com
1 866 901 BREW (2739)”

In other words: we know what’s best for you, regardless of the fact that third-party refills are between 5 and 25% cheaper than Keurig’s fare. People have also been using reusable pods. However, this new plan would ensure that you won’t be using a Keurig for that cup of Jamaican Blue Mountain.

Not to be locked out of the market, Treehouse Foods has filed a lawsuit (pdf) against Keurig, alleging violations of state antitrust and unfair competition statutes, violations of the Sherman Antitrust Act, and common law violations through monopolizing the market. They mention that, oh by the way, Green Mountain (Keurig’s parent) had patents on K-Cups, but those expired in 2012, opening a market that Keurig is now attempting to put back in its bottle (or K-Cup).

Keep your eyes on this lawsuit. Next might be a car that only accepts one manufacturer’s tires, laptops whose hard drives reformat if you try to use third-party cases, or music you can only play on one type of machine. Oops. Guess they already did that one…

Ever Been Burned by a Credit Report?

Posted on February 13, 2014

Up until now, an individual consumer about whom inaccurate or derogatory information was being reported by a “consumer reporting agency” has had very little recourse. Unless you could show actual damages, you did not have the legal standing to sue. Without standing, you couldn’t even get through the courtroom door to make your case.

However, last week the Ninth Circuit Court of Appeals changed the playing field, holding that the allegation of an “injury in fact,” i.e. the violation of a statutory right, is enough to get you through the courthouse door.

Spokeo, Inc. operates a website that provides individual contact data, wealth level, occupation, and other personal information for a fee. Thomas Robins alleged that false information about him was being provided by Spokeo, despite Robins contacting them and telling them that the information was indeed false. The District Court rejected the suit, saying that Robins had not shown any actual or imminent harm. The Ninth Circuit reversed the decision based on the allegation that Spokeo had violated Robins’ rights under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681.

While it is still unknown whether Robins will win the suit, or win any monetary damages, credit reporting companies are now on notice that consumers can bring individual causes of action to remedy inaccurate information.

An Excellent Example Of Press Sensationalism

Posted on February 07, 2014

While it is clear that the technically savvy amongst us would scoff at the story NBC News presented regarding computer hacking at the Sochi Olympics, the uninitiated might be convinced that Russia is a haven of Internet evils. The reality is that clicking on suspect web links, downloading unknown files, failing to use a firewall or malware prevention software, or doing any of a myriad of other things we’ve all been warned about, will likely result in your computer being compromised regardless of where in the world you happen to be.

As a purely anecdotal example, I receive close to 200 scam, phishing, and/or malware spam emails every day right here in the US. Does that make the US a haven for hackers? While one could debate the need for preventative measures at the ISP level to shut down bulk emailing, the fact is that unscrupulous individuals are not limited to any one venue, and spoofed headers mean that the threats could come from across the street or across the Pacific.

As with any attempts at reporting on technical issues by the mainstream press, it is advisable to check your sources carefully prior to believing what you see, hear or read. Although I suppose that these days, that is true of any reporting.

NBC News Confuses the World About Cybersecurity

European Privacy Rules In the News – Cookie Policies

Posted on January 30, 2014

The EU is trying to add some teeth to its data privacy policies, sending a clear message to the United States to get our act together if we want to maintain access to data stored in the EU, or data regarding EU citizens. It’s certainly a trend worth following:

EU Cookie Rule Fine

EU getting “serious” on data protection

Google Vs. Privacy

Posted on January 16, 2014

Watching the various entanglements between Google and privacy has been quite the lesson in privacy “what ifs.” Back in September, Google argued in a class action brought against it in the Northern District of California that Gmail users have no reasonable expectation of privacy when using Gmail. The Plaintiffs’ argument was that Google had violated the Federal Wiretap Act as amended by the Electronic Communications Privacy Act, as well as various state wiretap statutes, by scanning emails in order to peddle goods and services relating to their contents. Google’s interesting interpretation of “automated processing” of emails is that users give implied consent by virtue of knowing that the emails are processed from user to recipient by electronic means. However, when most of us consider automated processing of emails, we think of the method by which headers are analyzed in order to assure delivery to the appropriate recipient, not an analysis and compilation of the contents of the emails themselves. Google made a motion to dismiss the suit based on these arguments, which was denied by the court. The eagerly awaited suit will go forward.

The latest clash between Google and privacy interests revolves around its interception of unencrypted Wifi data as it collected information and shot photos for the Street View feature in Google Maps. In September 2013 (a very busy month for privacy issues), the 9th Circuit rejected Google’s argument that people who did not take affirmative action to encrypt their wireless networks should have no expectation of privacy over the data. This is similar to arguing that interception of cellular data is not a violation of the Wireless Communication Voice and Data Privacy Act unless the parties to the call use an encrypted service. The court didn’t buy that, and neither did the 9th Circuit Court of Appeals. Google was unsuccessful at differentiating Wifi from radio transmissions.

So what does this mean for privacy? There are no hard and fast rules regarding a company’s privacy policy, or the circumstances under which a company can decide to make drastic changes to it, to the detriment of its customers. Google has stated outright that its customers should not expect privacy in their email, nor in their unencrypted Wifi traffic. However, these aren’t the only privacy issues we should be concerned with. This week Google purchased Nest, a home automation company, for 3.2 million dollars. Nest’s CEO Tony Fadell reports directly to Larry Page, meaning that Google has big plans for Nest products. Looking at this from the single angle of home automation data being used to advertise products to users doesn’t seem too alarming. However, a different picture begins to emerge if you consider all of the different pieces Google now owns or controls. Google+ is now so tightly integrated with Gmail and other services that it is appearing in places that were never envisioned by its users. Google Buzz broadcast your most frequent contacts to the public. Google took reviews that people had written for products and services and placed them in advertisements. Email is harvested for data mining. Google can cross-match Nest data on where you live and when you are home with unencrypted Wifi broadcasts. It can gather your energy usage data and sell it to power companies. Nest’s smoke detector system can collect data on smoke, fire, CO leakage, etc. and report it to your insurance company, or to a central repository where insurance companies can determine whether you are a “risk” or not. It could conceivably determine whether you are a smoker or not and report it to health insurance companies, or sell it to cigarette companies.

It’s also not inconceivable that law enforcement could secretly subpoena the data from your email, Wifi, whether you are home or not, search engine information, Google+ posts you’ve made (whether limited to friends or not), ads you’ve clicked through, whether or not you’re attempting to extend your life (presumably providing medical data to their division, Calico), DNA data from Google investment 23andMe, etc., presenting us with an even greater privacy dilemma than the NSA tapping into our communications. Nor would it be inconceivable for Google to purchase insurance companies and determine your premiums by consolidating all of the information it has collected.

In the “Pre-Snowden” age of privacy protection, it might have been easier to brush off the implications of a mega conglomerate obtaining enough information about an individual to enhance or destroy their lives. We no longer have that luxury. Unless consumers keep themselves informed, choose products and services based at least in part on privacy implications, and let their elected officials know where they stand regarding privacy, the lines between public and private data will continue to blur in potentially dangerous ways.

Heightened Compliance Necessary For Affiliates

Posted on January 13, 2014

The ruling has come down in a case that many have been watching with trepidation, and it’s not good news for companies that are affiliated with an indicted parent. In a nutshell, all affiliate companies may be suspended indefinitely upon the indictment of a parent. It is not necessary to show any wrongdoing on the part of the affiliate; it is enough that the parent was indicted. This decision, in Agility Defense and Government Services, Inc. v. U.S. Dept. of Defense, 2013 WL 6850891 (11th Cir. Dec 31, 2013), overturned a lower court decision holding that without independent legal proceedings against the particular affiliate, it was improper to continue the indefinite suspension of that affiliate. This means that an affiliate suspended due to a parent’s indictment has recourse only so far as the agency’s due process rules allow. The agency has the authority, under FAR 9.403, to suspend affiliates if it chooses to do so, provided the affiliate receives notice and has the opportunity to contest the action.

The take-away from this decision is that affiliates, or their counsel, should inquire early and often regarding the compliance of all companies they are affiliated with.

Contributory Cybersquatting?

Posted on January 07, 2014

I was a domain name attorney before domain names were cool. Back in the very early days of the World Wide Web, companies began noticing this thing called the Internet, and learned that they could have their very own “web presence” in what was to them a new frontier. To people who had been using the Internet for communication for decades prior, a domain name was simply a clever word used to point to an IP (Internet Protocol) address, to keep from having to type numbers like 123.45.67.8. The system that matched the words to the numbered addresses was called the Domain Name System (DNS). When some corporations found that the names they wanted to use were already taken, they coined the term “cybersquatter” to insinuate that the previous registrant of the domain name was illegally taking the corporation’s “property,” i.e. their domain name of choice.

While there were indeed some entrepreneurs who bought up names such as McDonalds.com or xerox.com for the sole purpose of trying to sell these names to the named companies at high premiums, there were also individuals and small businesses that bought names like rugrats.com (a site about its owner’s career as a nursery school teacher) or peta.org (People Eating Tasty Animals), neither of which could be mistaken for a TV cartoon show or the animal rights group, respectively. Both of these registrants, and hundreds more who had registered generic words for websites that in no way infringed on trademarks or were otherwise confusing to consumers, were labelled “cybersquatters,” and the name was bandied about by those wishing to use the legal system to achieve transfer of the names to themselves. Laws were passed, pushed largely by companies who did not wish to go through lengthy trademark infringement suits to procure domain names they felt were rightfully theirs. ICANN, the body tasked with international technical governance of the Internet, created a policy whereby if a party was using a domain name to infringe a trademark and using it in bad faith, an expedited process could occur in which the “cybersquatter” was required to transfer the name or otherwise stop using it. (How this could be the purview of a technical governance body is beyond me, however, as there is no technical reason for domain names in the first place. They are not a matter of technical policy, as typing in the IP address would do the same thing at a technical level. That argument did not go over well with those who coveted specific domain names, and they demanded that ICANN extend its authority to this policy area.)

Enter the latest legal theory: contributory cybersquatting. Petroliam Nasional Berhad, owner of the Petronas Towers, got the novel idea that if someone purchasing a domain name afoul of the prevailing law or custom could be a cybersquatter, then the registrar that sold the domain name could be called a contributory cybersquatter. This theory would wreak havoc on every registry of domain names, shifting the burden of policing intellectual property from the proper owner or licensee to domain name registries and registrars. This seems to be a common tactic, as major content providers attempted to do the same to YouTube, Google, and others, and continue to do so to this day.

In this case, the legal theory of contributory cybersquatting, creative as it may have been, failed, as a panel of the Ninth Circuit Court of Appeals unanimously held for GoDaddy regarding its registration of petronastower.com and petronastowers.com. See the published decision here.

International Travel and Sensitive Information

Posted on January 02, 2014

While policies haven’t changed, a recent ruling by the US District Court for the Eastern District of New York underscores the fact that sensitive company information on employee laptops can be copied and held by the DHS at border crossings. The ACLU, on behalf of an individual as well as the National Association of Criminal Defense Lawyers and the National Press Photographers Association, requested a declaratory judgment that searches and seizures without reasonable suspicion are in violation of the First and Fourth Amendments. The court denied the request, allowing these activities to continue without articulated suspicion. Of specific note to business travelers carrying time-sensitive information, DHS may hold the electronics for as long as it likes, as no regulatory time limits are imposed on officers.

Also of note, attorney/client privilege does not exclude information from search, although “special handling procedures” are employed by the Customs and Border Patrol, with other directives under which ICE officers operate. Variations of these special procedures are employed for medical records and business confidential information, although there is no specific recourse for improper disclosure of that information. The directives cite the Trade Secrets Act and the Privacy Act, but the court provided no examination of how and where the Acts apply.

The court’s conclusion is that declaratory relief is not appropriate because “it is unlikely that a member of the association plaintiffs will have his electronic device searched at the border, and it is far less likely that a comprehensive forensic search would occur without reasonable suspicion.” The court noted that the devices of lawyers and journalists had been singled out for special protection.

The judge used colorful language in dismissing the idea that a reasonable suspicion standard be employed: “Plaintiffs must be drinking the Kool-Aid if they think that a reasonable suspicion threshold of this kind will enable them to ‘guarantee’ confidentiality to their sources…”

Perhaps the “take-away” from the opinion was stated by the judge on page 23 of his opinion: “…it would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas.”

The full opinion is located at https://www.aclu.org/sites/default/files/assets/abidor_decision.pdf