Bilski: The Landmark Decision That Wasn't

In the highly anticipated decision, Bilski v. Kappos, the Supreme Court affirmed the rejection of a specific business method patent, but left the door wide open on the validity of thousands of similar patents.  In what has become typical for decisions under the Roberts Court, the majority opinion was narrowly defined.  The court ruled only on the specifics of the case while failing to provide much guidance for similar patents. 

Watching the case intently were both sides of the patent divide. Of course, large sectors of the economy depend on patent rights for growth and innovation, and many feel that more patent rights further innovation. However, there exists a large segment of the business community, including many in the tech industry, who were hoping the court would take this opportunity to put an end to controversial business method patents (and software patents) by applying the "machine or transformation" test adopted by the Federal Circuit.  The test requires any patent to either: 1) be tied to a particular machine devised to carry out a process in a non-conventional, non-trivial way, or 2) transform an article from one thing or state to another.  Abstract ideas like business methods would not satisfy the test. 

At issue in Bilski was a rejected business method patent for a system to hedge on energy prices using weather projections. And while the court rejected this particular patent, it went out of its way to state that it was a narrowly defined decision, and that the machine or transformation test is only a "useful and important clue," but should not be the sole test. Many justices on the court expressed doubt about the validity of business method patents, but a majority of them were not ready to categorically exclude them from patentability. The result is that thousands of business method patents and software patents remain valid, but future litigation will be needed to determine which ones. So the lesson as always: nobody really wins except the lawyers.

.XXX Top Level Domain: Will Porn Revolutionize Domains?

Yesterday I wrote about the new domain .CO and the likelihood of success. The .Co Internet S.A.S. (cointernet.co), through its new Top Level Domain .CO, is attempting to provide a potential answer for the shrinking number of available domain names. With today’s announcement that ICANN has given its initial approval of the .XXX TLD, it is interesting to ponder what effects this might have on the structure of how we view and access the internet.

It is no surprise that there is an unbelievable amount of porn-related traffic on the internet. In fact, according to Bevan Sabo's post “Top 4 Ways Porn Has Advanced the Internet,” porn has played a large role in the advancement of internet technology. The consumer desire for porn not only increased the popularity of the internet, but was also the stimulus for many technological advances. So why would Top Level Domains (.com, .org, and now .xxx) be any different? With new domain name availability on .XXX, there is a chance the porn industry might be the first industry to gain some traction in creating a popular and useful new Top Level Domain (TLD). As with the .CO, the marketing and launch plans of this new .XXX world could play a major factor in how the domain is perceived and visited. If the implementation of .XXX is done poorly then the TLD will be a joke, but if it's done with legitimacy then it might start and build some steam for a "divided internet".

If this new .XXX TLD does gain traction, then other TLDs such as .CO could have their place in a newly market-segmented internet. However, if history has anything to say about the subject, we know it’s not an easy feat to garner public attention to these TLDs. How many times have you used the .museum for anything? What about .aero for some website in the air-transport industry? What about .mobi or .tel for communications companies or .travel for the travel industry? Porn's .XXX TLD will need to do something none of these industries could do – get anyone to type something other than .COM.

If the .XXX TLD is successful, the .COM might take on a catchall TLD role, while other domains might help organize … well, everything. If these divisions occur, instead of just blindly typing in .COM after everything, we might start to think twice. Additionally, if the new domains gain popularity there might be a need for a domain specific search engine or other domain limiting technology.

In the alternative, will the .XXX be a vehicle for limiting free speech? This is not the first time the issue of the .XXX TLD has been visited by ICANN. In May of 2006, the Guardian reported that the ICANN board voted down the creation of the proposed .XXX TLD. Arguments from both sides have valid points and bring up great issues. Will “porn” be forced to the .XXX? Will it then be restricted to persons over 18? Who will enforce that? Would it be constitutional? Only time will tell, but it might be something to keep your eye on.  


Is the .CO Domain Name the New Black? ...err Rather The New .COM

Unless you’ve visited Godaddy.com, NetworkSolutions.com, or some other domain registrar, you might not have heard about the new .co domain about to open to the general public on July 20th. .Co Internet S.A.S. (cointernet.co), made up of Neustar, Inc. and Arcelandia S.A., obtained a license from Colombia to distribute their .co domain worldwide. Demand for the new domain is high. Twitter announced a new service that provides short links with t.co, TechCrunch for its Disrupt conference incorporated a Disrupt.co domain name, and the domain name e.co was purchased in an auction for $81,000. Domain Name Wire provides a great history and summary of the .co topic in their post, the .Co domain Is Coming and in Where to get the best price for .Co Sunrise and Landrush,


Contract Provisions That Should Be Considered In A Cloud Computing Arrangement

This is actually Chapter 4 in a rambling dissertation on why the "Cloud" is what it is.

In previous posts (see here, here and here), we have chronicled the evolution of the “Cloud”, Software as a Service and various permutations thereof and labels therefor. So, now that we think we know how we got here, what do we do now? If you are considering the procurement of cloud services and if you have the negotiating clout to request changes to the vendor’s standard contract, you need to consider some additional things to request.

In addition to the general considerations such as price, term, etc., the following are additional considerations to be discussed with the vendor and possibly included in the governing agreement:
1. In most cases, the vendor owns or licenses the software and the customer owns the data. The customer should always have the right to access and move its data, even in an alleged default situation. This is particularly true if the customer is in a regulated industry.
2. What happens if the vendor goes out of business, declares bankruptcy or is acquired? What happens if the acquirer is one of your competitors? The customer should have an exit strategy and the agreement should be compatible with such strategy.
3. How much responsibility or liability will the vendor assume if the systems are unavailable or if your data is lost? What are the backup procedures, business continuity plans and disaster recovery arrangements? Most vendors’ heads would explode if you requested that they be responsible for the value of your lost data but what are the procedures to recover the data, to back it up and protect it and who pays for that?
4. What kind of investment will the vendor make in software upgrades, enhancements and development? A company for which I once worked pledged 5% of its outsourcing revenue to software development and maintenance. Most companies won’t commit to a specified amount or percentage but a purchaser should review their plans and should have some input, through user groups or otherwise, into the direction of software development.
5. What will you use to determine if the software is functioning in the manner that you expected? What are the warranties surrounding such? Most software providers will warrant that the software will perform in accordance with its documentation but you should request that the basics of any functionality found in sales proposals, demos, RFPs or other material used to sell you on the software be part of the warranty.
6. A purchaser should consider whether the vendor routinely conducts a SAS 70 audit and makes the results available.
7. Since the purchaser has less control over the software used in a SaaS situation than in any on-site situation, a reputable vendor should be willing to provide an intellectual property indemnification that will pay for a legal defense (usually the biggest exposure for a user) and should provide an alternative if use of the subject system is enjoined or interrupted in any manner.
8. The escrow of source code, executables and other information necessary to carry on the processing if the vendor goes out of business or becomes unavailable should be considered. In most cases, this makes the user feel better but because of the long lead times involved, may be of marginal benefit.
9. Performance metrics, also called service level agreements (SLA), should be negotiated. Matters that are important to the user should be identified and reflected in the SLAs.
10. The foregoing are fairly standard components of most outsourcing contracts (which the delivery of cloud based software is, even if it is referred to as a software agreement). Perhaps the biggest divergence by Cloud based solutions from standard outsourcing situations is the question of security, the location of the data and the compliance of the system with Gramm Leach Bliley, HIPAA, Sarbanes Oxley and international data transfer restrictions. If the user is a financial institution or subject to HIPAA then the problem becomes particularly acute and addressing those issues in a manner that the benefit of Cloud computing can be realized by regulated entities is a difficult process.

Now that we've looked at the Cloud from both sides now, it may be the Cloud's illusions we recall and that we really don't know the Cloud at all.  Or it may be just that we are out of cheesy cloud references.

 

 

Does Connecting on LinkedIn Violate Noncompete Agreements?

There's an interesting lawsuit out of the federal district court in Minnesota that could have major ramifications on how employees under restrictive covenants use social media sites like Facebook and LinkedIn.  The plaintiff, TEKsystems, Inc., is a company that recruits IT personnel and places them in various companies throughout the country.  Brelyn Hammernick, a defendant, worked as a recruiter for TEKsystems before leaving to go work with Horizontal Integration, Inc.

Hammernick signed a noncompete agreement with TEKsystems which stated that for 18 months after leaving Hammernick could not directly or indirectly "approach, contact, solicit, or induce any individual or corporation" that is a client, regular employee, or contract employee. While at Horizontal Integration, Hammernick allegedly "connected" with at least 16 TEKsystems employees through the business and professional networking site LinkedIn. Furthermore, according to the complaint, Hammernick wrote the following LinkedIn message to a TEKsystems employee:

Tom:

Hey! Let me know if you are still looking for opportunities!  I would love to have come visit my new office and hear about some of the stuff we are working on!

Let me know your thoughts!

Brelyn

All of this raises the novel question of whether merely "connecting" with someone on LinkedIn or "friending" someone on Facebook could constitute contact or solicitation.  With the increasing popularity of social networking sites, companies should modify their employee agreements to more specifically deal with these issues.  The need for specificity in the agreements is especially important since noncompetes are notoriously hard to enforce.  In fact, they are generally illegal in California outside of a couple of exceptions. 

Very Little "Glee" in Copyright

The season finale of Glee was last week and my girlfriend relives the episode on Hulu about every other night (I am just an innocent bystander “forced to watch”). If you haven’t seen it, Glee is a show about a ragtag group of kids who come together defying all odds (and social barriers) to compete in state glee club competitions. Although the principal of the school constantly threatens to close down the club because of budget cuts (and this is an issue in every episode), the term Copyright License never enters the equation. Rightly so, as copyright issues never seem to bring the same audience as issues about teen pregnancy and high school relationships. However, as an IP attorney I can’t help but think about what consequences this tiny Ohio school would face if the catalogue of songs used in the show were performed by an actual school.

A wonderful blog post on this issue was written by Christina Mulligan, in Copyright: The Elephant In The Middle of the Glee Club. She wrote,

“In one recent episode, the AV Club helps cheerleading coach Sue Sylvester film a near-exact copy of Madonna’s Vogue music video (the real-life fine for copying Madonna’s original? up to $150,000). Just a few episodes later, a video of Sue dancing to Olivia Newton-John’s 1981 hit Physical is posted online (damages for recording the entirety of Physical on Sue’s camcorder: up to $300,000). And let’s not forget the glee club’s many mash-ups — songs created by mixing together two other musical pieces. Each mash-up is a “preparation of a derivative work” of the original two songs’ compositions – an action for which there is no compulsory license available, meaning (in plain English) that if the Glee kids were a real group of teenagers, they could not feasibly ask for — or hope to get — the copyright permissions they would need to make their songs, and their actions, legal under copyright law. Punishment for making each mash-up? Up to another $150,000 — times two.”

These issues could sometimes be resolved by a license agreement, such as a license acquired from the American Society of Composers, Authors and Publishers (ASCAP). ASCAP is a company servicing creators of copyrightable works (songs, lyrics, compositions, etc.) by licensing out the works of these artists to the rest of us. A publisher of work, such as a school glee club, would approach ASCAP to obtain a license to perform or play music from the ASCAP library of collected works. ASCAP is one of the largest licensing houses in the country and licenses the rights to thousands of songs. However, there are several rights one can license when trying to use or perform a song, such as Adaptation, Recording, Reproduction, and Public Performance rights. These rights can be licensed individually or all together. According to Peter Jansson of Janssongs in an interview by The G-Man in the “More Music for Your Money – The Cold Hard Facts about License,” rights for certain songs can range from “anywhere between $1.00 and $250,000 (U.S.) for each one.”

So a word to the wise, if there are any other Will Schuesters out there, you might want to check your playlist and school copyright license before trying to replicate any Madonna songs.

Federal Judge Says Maybe the Does Should Go.

The US Copyright Group is a group formed by a law firm in Leesburg, Virginia, which according to their website, is designed to "Save Cinema" from the evils of illegal downloading. We have mentioned them before in relation to their attempts to involve the internet service providers. They have filed many lawsuits, primarily in the DC Federal District Court, against multiple defendants, mostly described as "John Does" since they have not as yet definitively identified the defendants. In a couple of the suits involving the movies The Steam Experiment and Far Cry, they have provided for 2,000 and 4,577 defendant Does, respectively. They propose to obtain the identities of the alleged infringers through discovery in the suits by getting the "infringers' identities through ISP subpoenas", again according to their website. They advertise that they do all of this on a contingent fee basis.

Although it has not been specifically determined yet, it is unlikely that all of the alleged defendants live in the DC area, so it would be very difficult for each defendant to appear and defend and conversely, it would be very difficult for each defendant to be sued individually in the area where they live.  You can see why the US Copyright Group has tried to join all defendants in a single case. 

The Rules of Civil Procedure for the DC Court state that defendants can be joined in a single suit if the actions giving rise to the suit arose from the "...same transaction, occurrence or series of transactions or occurrences..." and "...a question of law or fact common to all the defendants will arise in the case...".

The two cases mentioned above have found their way onto the docket of Judge Rosemary Collyer and she has decided to rule on the issue of joinder of all the defendants.  She has given the plaintiffs until June 21 to show cause why all but one defendant in each case should not be dismissed due to misjoinder.  This could result in the dismissal of 1,999 Does in one case and 4,576 Does in the other.  Hence the bad rhyme in the title of this post.

A couple of public interest groups, including the ACLU, have filed amici curiae briefs on the side of the defendants.  The ruling by the judge in this case will have major ramifications on the nature of these types of cases going forward. 

Incidentally, The Steam Experiment's plot line is "A deranged scientist locks 6 people in a steam room and threatens to turn up the heat if the local paper doesn't publish his story about global warming" and Far Cry is based on a video game.  This is not a commentary on the value of the thing allegedly stolen.

Tweeting in the Courtroom: Ex-Governor Edition

The federal corruption trial of Ex-Governor of Illinois Rod Blagojevich is set to start this week, but the judge first had to order Blagojevich not to use Twitter from inside the courtroom. The shameless, flamboyant Blagojevich had stated earlier that he planned to "live-tweet" the trial during the proceedings, but the judge was having none of it.

The judge told him that he is still free to tweet and talk to the media all he wants outside the courtroom, but with the warning that everything he says can be used against him in the trial.  No word yet on whether Blago will try to update his Facebook status or "check-in" on Foursquare in the courtroom.  Stay tuned. 

 

Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco


ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Answer:  Not yet. Right now, our program is only deployed on an enterprise basis.
 

Viruses, Malware and Spyware, Oh my!

The recent McAfee debacle, which we detailed here, has once again brought into focus the problems inherent with protecting a computer or computer network from code designed to have a non-optimum effect on such computer or network.
Since the early 1970s, when a virus called Creeper was created and introduced into ARPANET, the precursor to the internet, anti-virus software and other means of combating viruses have been created. The code to combat Creeper was called Reaper and so, the dance began.
Viruses are probably better referred to generically as malicious code, which includes a broad range of things including attack scripts, viruses, worms, Trojan horses, backdoors, malicious active content, malware, adware, spyware and many other names.
Malicious code is designed to do a variety of things, including crippling or disrupting computer operations, stealing information, perpetrating pranks and allowing unauthorized intrusions.
As soon as viruses started creating havoc, people started looking for a way to combat them. Shortly thereafter, other people (particularly those who depended on some other people for computer resources or storage) began to question such people’s response to the virus problem. Then, lawyers got involved (there’s always a silver lining) and suits were brought alleging that not enough was done to protect the computer resources against invasion, whether to steal information, create havoc, generally be a pain in the hard drive or a combination of all.
Although the law is still developing in this area, it is plain that the application of commonly applied negligence principles will require at least a reasonable amount of protection against intrusion and malicious code.
There are two basic approaches to combating such threats and they are generally referred to as “blacklisting” and “whitelisting”. Blacklisting is the most commonly used method and it involves developing a huge database of virus signatures, checking each transmission to and from a computer for such signatures, and routinely scanning the storage areas of such computers for evidence of malicious code. The database needs to be continually updated, and entirely new strains of viruses must be recognized and negated after they are released into the wild.
Whitelisting takes the approach of initially scanning drives for their contents and then not allowing anything else to run on that computer unless it is specifically approved. This method does not depend on scanning after the initial scan and does not have to be updated. New virus strains are of no concern as they may reside on the computer but will not be allowed to execute.
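
The difference between the two approaches can be seen in a small model, added here as an example (it is not code from CoreTrace or from any antivirus product). Both lists are modelled as sets of SHA-256 digests, which is an assumption, since the post does not say how either kind of product identifies a program; every file name and file content below is constructed.

```python
import hashlib


def digest(content: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes (assumed identification scheme)."""
    return hashlib.sha256(content).hexdigest()


class Blacklist:
    """Default-allow: refuse only programs whose digest is a known signature."""

    def __init__(self, known_bad):
        self.signatures = {digest(c) for c in known_bad}

    def may_execute(self, content: bytes) -> bool:
        return digest(content) not in self.signatures


class Whitelist:
    """Default-deny: allow only programs inventoried at install or approved later."""

    def __init__(self, disk_at_install):
        # The initial scan approves everything already on the drive,
        # including anything malicious that was there before the scan.
        self.approved = {digest(c) for c in disk_at_install.values()}

    def approve(self, content: bytes) -> None:
        """Administrator explicitly authorizes a new program."""
        self.approved.add(digest(content))

    def may_execute(self, content: bytes) -> bool:
        return digest(content) in self.approved


# --- Constructed sample data -------------------------------------------------
EDITOR = b"constructed: legitimate text editor v1"
DROPPER = b"constructed: malware already on disk before the inventory"
KNOWN_WORM = b"constructed: worm the signature vendor has already catalogued"

DISK_AT_INSTALL = {"editor.exe": EDITOR, "old_dropper.exe": DROPPER}
KNOWN_BAD = [KNOWN_WORM]

# Programs that someone tries to launch after installation.
LAUNCHES = {
    "editor.exe": EDITOR,
    "known_worm.exe": KNOWN_WORM,
    "new_strain.exe": b"constructed: new strain with no signature yet",
    "editor_tampered.exe": EDITOR + b" + injected code",
    "old_dropper.exe": DROPPER,
    "approved_update.exe": b"constructed: update the administrator approved",
}


def run_demo():
    """Return {name: (blacklist_allows, whitelist_allows)} for every launch."""
    blacklist = Blacklist(KNOWN_BAD)
    whitelist = Whitelist(DISK_AT_INSTALL)
    whitelist.approve(LAUNCHES["approved_update.exe"])
    return {
        name: (blacklist.may_execute(c), whitelist.may_execute(c))
        for name, c in LAUNCHES.items()
    }


if __name__ == "__main__":
    for name, (bl, wl) in run_demo().items():
        print(f"{name:22} blacklist={'run' if bl else 'BLOCK':5} "
              f"whitelist={'run' if wl else 'BLOCK'}")
```

The new strain and the tampered editor both run under the blacklist and are blocked by the whitelist, while the dropper that was present at inventory time is allowed by both, which is why the drive needs to be clean before the initial scan.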
You can expect that the issue will arise in some case as to whether one method is better than the other and if the other method is available, was it negligence not to employ such method?
In a subsequent edition, we will post an interview with CoreTrace, a local company that markets the “whitelisting” approach.