I Was Wrong. SCOTUS Denies Cert In Google v. Oracle.

Although certainly less high profile than Obergefell v. Hodges and King v. Burwell (gay marriage and Obamacare, ICYMI while vacationing on Mars), Google, Inc. v. Oracle America, Inc. has some weighty implications in the open source and programming communities.  We had mentioned it several times in this little blog (see here and here and here) and had gone out on a limb and predicted that SCOTUS would grant certiorari.  Boy, did I miss that one.  The Supremes up and decided not to hear the case.  There's a good chance I will go none for fifteen in my Nostradamus imitation.

What effect does the denial of cert have?  It leaves the Federal Circuit's ruling in place: the declaring code and the structure, sequence and organization of the Java API packages are subject to copyright.  Google still has a fair use argument, and that goes back to the lower court.  In the interim, reimplementing someone else's interfaces is fraught with the possibility of infringement, which is in contrast to the formerly prevailing view (at least in the programming community) that APIs were not subject to such protection.

As always, this is not completely over.  Stay tuned.

TechCrunch Disrupt NY: Our Good Friends Bitfusion.io Compete On Tuesday.

 TechCrunch Disrupt NY starts today.  Part of their program is providing emerging technologies an  opportunity to preach the gospel of their ideas (and perhaps win some money).  Our friends at Bitfusion.io get the podium on Tuesday afternoon to demonstrate how they will bring "super computing to the masses".  Good luck, Subbu, Mazhar and Maciej!

Now The Bitcoin Technology Is Going To Revolutionize The Securities Trading Industry, Just Like It Didn't Revolutionize The Currency Industry.

Everybody's second favorite "Big O", Overstock.com (the owner of the world's shortest domain name: O.co), has ventured into the hitherto untraveled wilderness of "cryptosecurities".  Last week, Overstock, led by its visionary chairman, Patrick Byrne, filed an application for a shelf registration with the SEC for an as yet undescribed offering of securities (like common stock) that would completely bypass any formal exchange (NYSE, NASDAQ, AMEX) in the sale, transfer and documentation of such equities.

Mr. Byrne proposes to use the technology behind the "cryptocurrencies" (e.g. Bitcoin) to accomplish this.  As everyone knows, such technology is referred to as a "blockchain", a distributed, peer to peer ledger.  When a transaction is initiated, such as a message that "X sells Y shares of Overstock cryptosecurities to Z", the transaction is broadcast to a network of computers running the blockchain software.  Each computer maintains its own copy of the ownership ledger and, when it receives such a message, checks it against that ledger to determine whether the seller actually owns the securities being sold.  If the transaction checks out, it is relayed to the other computers in the network and eventually bundled into a block; once that block is accepted, every computer adds it to its copy of the ledger.  In the Bitcoin world, a new block of transactions is found about every 10 minutes, and each block contains the hash of the block before it, providing a "chain" back to the very first block.  Hence, "blockchain".  Each block also has a difficulty target and a "nonce" (a number used once).  A block is only accepted if its cryptographic hash (a one-way fingerprint, not encryption; nothing in the ledger is hidden) falls below the target, and the only way to find a nonce that makes the hash do so is to try nonce after nonce until one works, which takes a great amount of computation.  Checking someone else's answer, on the other hand, takes a single hash.  Rewriting an old block would mean redoing that work for it and for every block after it, which is why the possibility of the ledger being hacked or accidentally duplicated is considered extremely remote.  But you all knew this already.

Finding the nonce is called "mining" in the Bitcoin world, and the finder is rewarded with newly created Bitcoins (plus any fees attached to the transactions in the block), credited to the finder's address.  As can be imagined, this requires a great deal of compute power, and there is some discussion of whether the cost of the electricity exceeds the reward earned for using that compute power.
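The two paragraphs above describe two separate checks: the ledger check (does the seller own what is being sold?) and the proof of work (does this block's hash beat the difficulty target?).  The following is an added example, written for this post and not Overstock's or Bitcoin's code, that does both on a toy chain.  The difficulty target is a plain integer rather than Bitcoin's compact "bits" encoding, the ledger and the share transfers are constructed for the example, and transactions are simple dictionaries rather than signed scripts; all of those are assumptions made for illustration.

```python
import copy
import hashlib
import json

# Difficulty target: the double-SHA-256 block hash, read as an integer, must be
# below this value.  Bitcoin packs the target into a compact "bits" field; a
# plain integer is an assumption made here for illustration.  2**244 demands 12
# leading zero bits, so mining takes about 4,096 tries on average.
TARGET = 2 ** 244

# Constructed starting ledger: who owns how many shares before any transfer.
GENESIS_LEDGER = {"issuer": 100}


def block_hash(prev_hash, transactions, nonce):
    """Deterministic serialisation followed by double SHA-256, as Bitcoin does."""
    payload = json.dumps(
        {"prev": prev_hash, "tx": transactions, "nonce": nonce},
        sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()


def tx_valid(ledger, tx):
    """The seller must currently hold at least the number of shares transferred."""
    return tx["shares"] > 0 and ledger.get(tx["from"], 0) >= tx["shares"]


def apply_tx(ledger, tx):
    ledger[tx["from"]] -= tx["shares"]
    ledger[tx["to"]] = ledger.get(tx["to"], 0) + tx["shares"]


def mine(prev_hash, transactions, target=TARGET):
    """Brute-force the nonce until the hash falls below the target.
    Returns (nonce, hash, attempts); the only way to find it is to try."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, transactions, nonce)
        if int(h, 16) < target:
            return nonce, h, nonce + 1
        nonce += 1


def build_chain(tx_batches, target=TARGET):
    """Validate each batch against the running ledger, then mine it onto the chain."""
    ledger, chain, prev = dict(GENESIS_LEDGER), [], "0" * 64
    for txs in tx_batches:
        for tx in txs:
            if not tx_valid(ledger, tx):
                raise ValueError("rejected: %r" % (tx,))
            apply_tx(ledger, tx)
        nonce, h, _ = mine(prev, txs, target)
        chain.append({"prev": prev, "tx": copy.deepcopy(txs), "nonce": nonce, "hash": h})
        prev = h
    return chain


def valid_chain(chain, target=TARGET):
    """Cheap verification: one hash per block plus a replay of every transfer.
    Finding a nonce is expensive; checking one is a single hash."""
    ledger, prev = dict(GENESIS_LEDGER), "0" * 64
    for blk in chain:
        if blk["prev"] != prev:
            return False
        h = block_hash(blk["prev"], blk["tx"], blk["nonce"])
        if h != blk["hash"] or int(h, 16) >= target:
            return False
        for tx in blk["tx"]:
            if not tx_valid(ledger, tx):
                return False
            apply_tx(ledger, tx)
        prev = h
    return True


# Constructed sample batches: two blocks of share transfers.
SAMPLE_BATCHES = [
    [{"from": "issuer", "to": "X", "shares": 10}],
    [{"from": "X", "to": "Z", "shares": 4}, {"from": "issuer", "to": "Q", "shares": 2}],
]


def tamper_demo(target=TARGET):
    """Edit an already-mined block: its stored hash no longer matches, and the
    next block's prev pointer is now wrong too, so the chain fails verification."""
    chain = build_chain(SAMPLE_BATCHES, target)
    before = valid_chain(chain, target)
    chain[0]["tx"][0]["shares"] = 1000
    after = valid_chain(chain, target)
    return before, after


if __name__ == "__main__":
    print(tamper_demo())
```

The asymmetry is the whole point: `mine` loops thousands of times, `valid_chain` hashes each block once.  Note also that the tampered transfer fails twice over, once because the hash no longer matches and once because the issuer never held 1,000 shares; a real network checks both.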

Obvious problems with cryptosecurities (acknowledged by Mr. Byrne) include the opposition of the established exchanges to their business model, resistance to change by the SEC, the fear of the unknown in the securities world (like the present scheme worked so well for Mr. Madoff's clients) and how the members of the network would be paid.  Settling transactions only every 10 minutes or so may be too slow for the present environment and may not work for that reason.

Therefore, in this imagined brave new world of libertarian stock trading, the billions of dollars in fees now paid to the exchanges, stock brokers, the on-line trading sites and the people working the pits in the NYSE and the commodity exchanges could be threatened.  How much howling do you think will come from them about the possibility of fraud and the potential for abuse that this brings?  It's a good thing they can point to the absence of these things in the present environment.

However, when you consider the potential for completely anonymous, on-line trading in credit default swap derivatives in a marijuana growing consortium using Bitcoins for payment, what could possibly go wrong?


Google Wants SCOTUS To Call "No Copyright" On APIs. 77 Computer Mavens Agree.

 This is another update on a previous post.  We have written several times about the seesaw battle between Google and Oracle relating to the single issue of whether interfaces ("APIs") can be protected by copyright.  Oracle won the last round, which held that "Yes, Indeedy.  Copyrights are just peachy for interfaces.  However, we don't know whether the use is 'fair use'."  Yeah, I'm paraphrasing a bit but that's the gist.

Google has applied to the Supreme Court of the U.S. for a writ of certiorari.  If the Court grants such a writ, it merely means they will hear the case, not how they will rule.  The Electronic Frontier Foundation has filed an amicus curiae brief supporting the application for the writ and indicating how it is their position that it would be disastrous if the present ruling were to remain in effect.  Seventy-seven computer scientists, engineers and pioneers signed on to the amici brief.   Pay no attention to the fact that over 20% of the 77 are presently a Google "employee, consultant and/or director".  That may not have affected their position at all.

In any event, perhaps the Supremes will get around to this after they have decided whether a typo can cause several million people to go without health insurance or whether you can marry someone configured just like you.  Stay tuned.

Interfaces ("APIs") Are Subject To Copyright. No, They're Not! Are Too! Courts Continue To Muddy Up The Water.

There are a mere 37 Java API packages (their declaring code and their structure, sequence and organization) that are the subject of this face off between the tech titans, Oracle and Google.  We have followed this case since its inception and you can review the history here, here and here.

In the latest installment, Oracle appealed a lower court ruling that held that application programming interfaces ("APIs") were not subject to copyright.  We thought that the issue might be settled.  Not so fast, my friend.  A three judge panel in the United States Court of Appeals for the Federal Circuit has reversed and held that such APIs are indeed subject to copyright protection and the only question is whether Google's use is allowed under the "fair use" exception.  The panel remanded the case to the lower court for a determination of the possibility of such fair use.

After reading the very detailed opinion, the main facts to be gleaned are that there were roughly 7,000 lines of declaring code involved, there were 37 different API packages and the opinion is 69 pages in length.  There is much good discussion regarding the application of copyright law to interfaces and the fair use doctrine.  You should read it.  The law the court cites is extensive but some quibble with the application of such law.  Given past performance, the odds are even that the result will change on appeal.

Following The "Silk Road". Where Exactly Was That Supposed To Go?

Originally, the Silk Road was a series of routes over which commerce traveled in Asia beginning over 2,000 years ago.  Silk, gold, technology, religion and diseases (e.g. bubonic plague) were carried and exchanged over the Silk Road.

Fast forward to the present day and the Silk Road was, until recently, a website reachable only as a hidden service over Tor (The Onion Router), an anonymity network (and a bundled browser) designed to hide where your traffic comes from and where it is going.  Silk Road was the brainchild of fellow Austinite and former neighbor Ross Ulbricht.  Ross was a 2002 graduate of West Lake High, a school that I pass every day coming to work.  His Facebook page is still up and he seems like a pretty cool guy.  We even have a mutual Facebook friend.

However, when I visited Silk Road before the feds closed it in September and arrested Ross on Oct. 2nd of this year, I found that you could purchase most any kind of drug I had ever heard of and many that I hadn't.  Since I have a background in Pharmacy, that's a wide range of stuff.  Cocaine, Ecstasy, black tar heroin and 'shrooms were in abundance.  Apparently, you could also arrange murder for hire, and Ross is accused of doing just that against one of his Silk Road users who supposedly threatened to expose everybody unless certain conditions were met.

The medium of exchange on Silk Road was Bitcoin, our favorite virtual currency.  When Ross was arrested, the FBI seized over $3,000,000 in Bitcoins belonging to Silk Road customers.  They were also trying to get an estimated 600,000 Bitcoins from Ross' personal Bitcoin wallet.  That's about five percent of all the Bitcoins presently in existence.

All in all, a very sordid story, including the allegation that Ross went by the pseudonym of the "Dread Pirate Roberts", which comes from my favorite movie "The Princess Bride".

So how does a twenty-something, suburban, white bread guy go from wake boarding on Lake Austin to being one of the biggest drug dealers (or at least the facilitator) in the world?

Apparently Ross is brilliant (degree in physics at the Univ. of Texas, graduate work at Penn State), a libertarian fan of Ron Paul and idealistic and naive.  On his Facebook page he wrote an essay on "Thoughts On Freedom".  On his LinkedIn page, he described an idealized version of Silk Road, when he wrote:   "Now, my goals have shifted. I want to use economic theory as a means to abolish the use of coercion and aggression amongst mankind. Just as slavery has been abolished most everywhere, I believe violence, coercion and all forms of force by one person over another can come to an end. The most widespread and systemic use of force is amongst institutions and governments, so this is my current point of effort. The best way to change a government is to change the minds of the governed, however. To that end, I am creating an economic simulation to give people a first-hand experience of what it would be like to live in a world without the systemic use of force."

He apparently viewed Silk Road as beneficial because it was a place where people could obtain illegal drugs without the concomitant hazard of having to deal directly with a drug dealer.  Regardless of your view on drugs and their use, it would seem to be preferable if people didn't have to risk their life to obtain them.

In the end, despite his brilliance and perhaps because of his naivete, he got sloppy and used his real name and address in obtaining fake passports and made other mistakes that enabled his arrest.  This could have been a family member of any of us (assuming any of us has anybody that smart in our gene pool) and we would have been simultaneously amazed at  his drive, ambition and success and aghast at what he has wrought.

Hey, Bro! Can You Spare A Bitcoin? Digital Currency For The Homeless And Unemployed.

We have discussed bitcoins several times before, see here and here, for example.  We exulted in the fact that the Winklevoss twins of Facebook fame are starting a bitcoin investment vehicle.  We also talked about how the regulators were taking a bigger interest in how bitcoins were used or abused.

Now a Wired article shows how the unemployed and homeless are using sites such as Bitcoin Get, Bitcoin Tapper and Coinbase to get paid bitcoins for watching videos and tapping an icon, each a technique for driving traffic on the internet.  The Wired article then quotes some of the homeless as preferring bitcoins because it is much harder to steal (at least from them) and they can convert it to money or prepaid cards using their computers or smart phones.  Now, I can hear conservative heads exploding all over at the thought of homeless, unemployed people with computers and smart phones particularly if they are getting food stamps or other assistance.  Be that as it may, engaging in this activity provides them some small bit of assistance to help feed them.  That can't be all that evil.

Some day, you may be approached (or approach somebody) on the street and asked for a handout.  They then offer the address of their bitcoin wallet and you send them some from your smartphone.  Panhandling in the digital age.

A Copyright Claim Is Only As Good As Its Weakest (Hyper)Link.

It has long been assumed by the legal literati that the mere sending of a link in an e-mail or the embedding of a link in a blog post, which link directed the user to a copyrighted work of someone other than the linker, did not constitute direct infringement of the copyrighted work.  However, there was very little actual case law on the subject.  Last month, the federal district court for the Southern District of New York stated unequivocally that: "As a matter of law, sending an email containing a hyperlink to a site facilitating the sale of a copyrighted work does not itself constitute copyright infringement."

In Pearson Education, Inc. et al v. Ishayev and Leykina, the plaintiffs were publishing companies that sold educational material and manuals for which the plaintiffs owned the copyright.  Apparently, one of the defendants uploaded such material to a cloud server controlled by the defendants.  Both defendants would then advertise the sale of the material.  When someone bought the material, the defendants would either e-mail the purchaser a zip file with the material in it or would e-mail the purchaser a hyperlink to the file on the server, which would allow the purchaser to download the file.

The defendants filed a motion for summary judgment on several of the counts, including the allegation that the act of sending a link to a copyrighted work that allowed the receiver to illegally access the material constituted infringement.

Although most of the other stuff that the defendants did obviously was an infringement (e.g. sending the works in a zip file), the court held that merely sending a hyperlink did not amount to infringement. 

The court likened a hyperlink to the "...digital equivalent of giving the recipient driving directions to another website on the Internet. A hyperlink does not itself contain any substantive content; in that important sense, a hyperlink differs from a zip file. Because hyperlinks do not themselves contain the copyrighted or protected derivative works, forwarding them does not infringe on any of a copyright owner's five exclusive rights..."

However, the court said that the result could be different if, in addition to sending the hyperlink, the defendant had actually uploaded the copyrighted material to the cloud server himself.  Since the court found that there was no evidence that would allow a jury to find that one of the defendants had uploaded the material, the court granted summary judgment to that defendant on that limited issue.

Whew!  So, every one of my blog posts is safe to that extent.  We won't discuss issues relating to some of the pictures.

Zappos Gets Zapped. Browsewrap Agreements Are Collateral Damage.

You know Zappos.  That's where you ordered those 5 inch stiletto clear heeled stripper shoes.  And some of you women bought from there too.  Zappos is a part of Amazon and a year or so ago, Zappos suffered a really bad security breach.  Exposed something like 24 million customers' information.  Well, as almost always happens when something like this occurs, our legal comrades descended in droves and many lawsuits ensued (I guess that's a pun).  These were consolidated in a court in Nevada and procedural motions were filed. 

Zappos claimed that class actions were not justified because Zappos' terms of use agreement specified that all claims by customers had to be settled by arbitration.  The result would have been that each individual customer would be required to have his or her claim settled by a separate arbitration and presumably actually appear at the arbitration rather than be represented in a class.  So, instead of one lawsuit with 24 million plaintiffs in a class, it would have required 24 million individual arbitrations with one claimant in each.  This would have been good for the tourism industry in Nevada but not good for the individual claimants (or their class representing attorneys).

Zappos' terms of use agreement stated that by using the web site, the users consented to the terms of the user agreement, which contained the aforementioned arbitration requirement.  While a link to the terms of use was included on each page, it was in the same font and same color as the rest of the page and nothing compelled the user to look at the terms of use nor take any action that indicated assent to the terms of use.  In addition, Zappos reserved the right to amend the terms of use at any time.

Zappos' terms of use agreement is what has been referred to as a "browse wrap" agreement, as opposed to a "click through" or "clickwrap" agreement.  We discussed the differences between a clickwrap agreement (which requires some evidence of assent, such as clicking a box) and a browse wrap agreement in a prior post.  We indicated that some courts have upheld browse wrap agreements and that the trend might be toward their acceptability, but this court says "Not so fast".  The Nevada court held that a requirement to arbitrate is strictly a contractual matter and therefore, to compel the plaintiffs to arbitrate would require a binding agreement between Zappos and the plaintiff.  The court failed to find such a creature in this situation.  They found: "...we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use.  The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use.  No reasonable user would have reason to click on the Terms of Use...".  The court also found that because Zappos reserved the right to unilaterally change the Terms of Use, the contract Zappos sought to enforce was "illusory" and therefore unenforceable.

It is possible that if the issue was not the requirement for 24 million folks to arbitrate in Nevada and something less impactful, like whether you could return your stripper heels, the result might have been different.  However, the fact remains that this case makes the enforcement of such browse wrap agreements tenuous and therefore, we should all review our policy regarding how we get people to agree to our terms of use.  It could become very important.

Massachusetts Imposes Sales and Use Tax On Computer and Software Services. Check Your Agreements With Your Massachusetts Customers.

Recently, Massachusetts amended its sales and use tax laws to include a tax on services relating to computer and software services.  In an act entitled "An Act Relative to Transportation Finance" (you might understand why it could be missed if all you were looking at was the title), effective July 31, 2013, a 6.25% sales and use tax is imposed on "computer system design services and the modification, integration, enhancement, installation or configuration of standardized software".

Computer system design services is defined as "the planning, consulting or designing of computer systems that integrate computer hardware, software or communication technologies and are provided by a vendor or a third party" and the tax is imposed on any company "sourcing" such services in Massachusetts.  There is a hierarchical set of rules for determining where the sourcing occurs for tax purposes, so some opportunity exists for reducing the tax by planning where the actual services take place.  There remain several undefined areas, such as where the services take place in a hosting or cloud computing environment, or whether the tax applies to services such as staff augmentation.

However, it is plain that the tax applies to taxable services supplied under contracts that were in existence before the act became effective, as long as the services are performed and billed for after July 31, 2013.

Therefore, if you have such contracts for the delivery of such services to an entity with a connection to Massachusetts, you should review your agreements and see if you need to begin collecting and remitting this tax.  Also, you should have your agreements reviewed to see if the tax impact can be reduced by thoughtful construction.

If You Use Bitcoin To Buy the "War Games" Home Computer, You Will Be Cool and From the Future.

Bear with me a little here.  All of this will supposedly come together.

First, when War Games came out in the 80s, a lot of us nerds coveted the home computer set up that Matthew Broderick used to almost start thermonuclear war but which was really only good for playing tic tac toe.  Much like the computers we now use at work for solitaire and FaceBook.  If you want to, you can now purchase the actual computer used in that movie.  The guy that helped design it for the movie still owns it and is considering auctioning it.  The asking price is expected to be somewhere north of $25,000.  If you purchase it, that will make you the coolest dork on the block.

However, if you want to really be cool and cutting edge, you could purchase the War Games stuff with Bitcoin, which has been called the currency of the future or a hacker's wet dream.  What is bitcoin, you ask?  That's a very good question.

Bitcoins are the world's most current currency.  This currency sprang from a design paper published in 2008 and open source software released shortly after by an anonymous source.  The source called itself Satoshi Nakamoto, which is presumed by most to be a pseudonym.  Bitcoins are a digital currency and have the backing of no government and no assets.  Because of the issuance schedule built into the software, there can never be more than 21 million bitcoins issued (unless someone changes the code, but when has that ever happened?).

Bitcoins can be used to buy services if the provider will accept them.  You can also purchase bitcoins with standard money.  The value of a bitcoin can fluctuate fairly dramatically and no entity regulates its trading.  The value of a bitcoin as this is being typed is $93.88 USD according to Mt. Gox, a website that trades bitcoins.  The only other way to get bitcoins is to "mine" them.  This method is beyond the scope of this post (and frankly, beyond the capacity of the author to understand) but is principally carried on by people with high end computers that devote a great deal of their time and effort to the mining and essentially make it impossible for mere humans to actively participate in this.

You can buy a lot of stuff with bitcoins on the internet but you can't use it to buy a beer at most of your local bars.  There is a lot of suspicion that bitcoins are being used to purchase illegal items at sites like Atlantis and Silk Road (not that I know anything about that).  There is also a fair amount of money laundering that goes on with bitcoins.  The DEA just seized bitcoins for the first time and the State of California is investigating whether the Bitcoin Foundation is a financial institution within the definition of California laws.  Apparently, bitcoins are getting prominent enough to start attracting the attention of regulators and law enforcement.

So, if you wanted to purchase the War Games computer set up and your winning bid at the auction was $30,000, you would need approximately 320 bitcoins to complete the transaction.  Actually, I would really like to see that happen.  If one of you can pull this off, please let me know.

Updates and Breaking News on Gene Patents, PHI in the Cloud, Class Actions on ClickWraps and SEC Disclosures On Cybersecurity.

Some recent developments in the great, wide world of technology include:

(i)  The Supremes, in a unanimous decision (what?) ruled that naturally occurring genes could not be the subject of patent protection.  However, if you can create a gene artificially, you might still qualify.  Therefore, the creative force described in the Hebrew bible missed his or her chance when, on the sixth day, he or she created all those man genes.  Further, the one year bar and the first to file things have cluttered up the claim.  Also, since man was supposedly created in the image of the creator, there's that pesky prior art issue.  See Assn. for Molecular Pathology v. Myriad Genetics, Inc.

(ii)  The recently released rules under HIPAA provide that entities that store protected health information ("PHI") for a covered entity are business associates even if the storage provider does not routinely access the information.  [See 45 CFR Parts 160 and 164 IV(3)]  On the other hand, a data transmission organization (such as the U.S. Postal Service or an internet service provider) that serves as a mere conduit is not a business associate even if it does access the information occasionally in order to provide the service.  So, cloud providers that store PHI must sign a business associate agreement.  It is not clear how long one must hold on to a piece of information to be a storer as opposed to a transferor, or whether storing the information only in encrypted form, without holding the key, would serve to exclude the storage provider from the definition of a business associate.

(iii)  In a recent decision by the Seventh Circuit in Harris v. comScore, Inc., the court allowed the certification of a class to stand.  The class was composed of people who had downloaded comScore's software, which gathered information on the user's activities and sent the information back to comScore's servers.  One of the basic allegations of the plaintiff class was that comScore's clickwrap license was ineffective.  We have discussed this before in this post.  The court did not make factual findings as to any issues, as this was only a class certification hearing, and comScore may have legitimate individual defenses to many of the allegations.  However, comScore will have to deal with this in the context of a class action.

(iv)  The Securities and Exchange Commission has guidance in place regarding a publicly traded company's obligation to disclose its cybersecurity risks and controls, and is now considering increasing the stringency of those rules.  A recent Willis study of Fortune 500 companies finds that a substantial percentage of reporting companies fail (in Willis' opinion) to adequately disclose such company's exposure to cybersecurity issues and the impact on the company if an event occurs.  Look for this to increase in importance as the supposed cybersecurity wars increase in intensity.

eFax Scam - Look For This In Your Inbox.

From time to time we try to alert you to scams.  This morning I received an e-mail that looked like this:

Fax Message [Caller-ID: 310-293-1860]

You have received a 2 pages fax at 2013-05-17 10:09:12 .


* The reference number for this fax is min1_did71-9694455268-1026725108-89.


View this fax using your PDF reader.


Click here to view this message


Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home Contact Login

Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

This is a phishing expedition.  See here and here.  Since we use an online faxing service here at the firm, and this looks really real, I was ready to click on the link.  In addition, eFax is a legitimate faxing service.  Thankfully, our friends at McAfee warned me off of this.  Apparently, going to the link would load malware or a virus on your system.  The usual tell in this kind of message is that the link's visible text (or the brand it invokes) does not match where the link actually goes; hover over the link, or look at the raw message, before clicking anything.  Be careful.
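The check described above (does the link go where it claims to?) can be automated.  What follows is an added example written for this post, not McAfee's or eFax's code.  The HTML message body is constructed for the example (the original was only quoted as text, and the real link target is not shown on this page), the destinations in it are documentation addresses, and the list of domains the eFax brand is expected to link to is an assumption; the registrable-domain helper deliberately takes the last two labels, which is a simplification of what the Public Suffix List would give you.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a genuine eFax notification would be expected to link to.
EXPECTED_DOMAINS = {"efax.com", "j2.com"}

# Matches something that looks like a host name in the visible link text.
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IP_RE = re.compile(r"^[\d.]+$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification: last two labels.  Production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, expected=EXPECTED_DOMAINS):
    """Return [(visible_text, href, [reasons])] for links that do not go where they claim."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, relative and anchor links are out of scope here
        reasons = []
        if IP_RE.match(host):
            reasons.append("bare IP address %s" % host)
        elif registrable_domain(host) not in expected:
            reasons.append("off-brand domain %s" % registrable_domain(host))
        shown = URL_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("text says %s but link goes to %s" % (shown.group(1), host))
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample body modelled on the message quoted above; the link targets
# are invented (documentation ranges and example.net), not the real lure.
SAMPLE_EMAIL_HTML = """
<p>Fax Message [Caller-ID: 310-293-1860]</p>
<p>You have received a 2 pages fax.</p>
<p><a href="http://203.0.113.45/fax/view.php?id=9694455268">Click here to view this message</a></p>
<p>Please visit <a href="http://efax-support.example.net/help">www.eFax.com/en/efax/twa/page/help</a>
if you have any questions.</p>
<p><a href="https://www.efax.com/">Home</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print("%-40s -> %s\n    %s" % (text, href, "; ".join(reasons)))
```

Two of the three links get flagged: the "Click here" link points at a bare IP address, and the "www.eFax.com/..." link displays one host while going to another.  The "Home" link to efax.com passes, which is exactly why brand look-alike messages mix genuine links in with the bad one.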

We Are In The Midst Of a Hot Cyberwar, Make No Mistake About It. Iran Fires The Latest Salvo (That We Know Of).

In December of last year, several banks' (Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC) websites were inundated by DDoS (distributed denial of service) attacks.  DDoS attacks generally do not seek to penetrate the sites or to obtain information or steal anything but try to overwhelm the capacity of the website to respond to the traffic directed toward it.  The attacks in December were launched by an entity that had access to large numbers of well-connected computers, such as compromised servers in data centers, and exceeded the capabilities usually found in your standard run of the mill hackers.

Today, the New York Times ran an article that lays the attacks at the doorstep of Iran.  An independent hacker group called Izz ad-Din al-Qassam Cyber Fighters has tried to take credit for the attack, saying it was retaliation for the anti-Muslim movie that prompted riots throughout the Muslim world and which was involved in the Benghazi consulate attack.  Izz ad-Din al-Qassam called it Operation Ababil, referring to Allah sending birds to drop bricks on elephants sent by the King of Yemen to Mecca.  However, U.S. officials think it is the work of Iran and is in retaliation for economic sanctions and the release by the U.S. and/or Israel of the Stuxnet, Flame and DuQu malware. 

Whatever it is, the DDoS attacks spewed 70 gigabits per second at the sites, which included a new wrinkle involving floods of requests for encrypted (HTTPS) connections, which are more expensive for a server to answer than plain ones, and which adversely affected the sites' performance.  The attacks used a readily available malware toolkit called itsoknoproblembro.
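The paragraphs above describe the attack from the outside.  From the inside, the first question for whoever is on call is whether the load is one abusive source or many small ones, because the per-address rate limit that stops the first does nothing against the second, and "distributed" is the whole point of a DDoS.  The following is an added example, written for this post and not taken from any of the banks or from the toolkit named above, that runs a sliding-window counter over web-server access logs in Common Log Format, both per source and in aggregate.  The log lines are constructed for the example from documentation address ranges, and the thresholds are assumptions; in practice you would set them from your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, request, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _ = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, int(status)


def sliding_peaks(lines, window_s=10):
    """Largest number of requests seen in any window_s-second window, per source
    and across all sources.  Lines are assumed to be in time order, as written."""
    per_ip, per_ip_peak = defaultdict(deque), {}
    everything, global_peak = deque(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec[0], rec[1]
        for q in (per_ip[ip], everything):
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:
                q.popleft()
        per_ip_peak[ip] = max(per_ip_peak.get(ip, 0), len(per_ip[ip]))
        global_peak = max(global_peak, len(everything))
    return per_ip_peak, global_peak


def flag_floods(lines, window_s=10, per_ip_limit=20, global_limit=50):
    """Report sources above the per-address limit and whether the aggregate
    rate alone exceeds what the site is known to handle (assumed thresholds)."""
    per_ip_peak, global_peak = sliding_peaks(lines, window_s)
    noisy = {ip: n for ip, n in per_ip_peak.items() if n > per_ip_limit}
    return {"noisy_sources": noisy, "global_peak": global_peak,
            "global_flood": global_peak > global_limit}


def _line(ip, when):
    return '%s - - [%s] "GET /login HTTP/1.1" 200 512' % (
        ip, when.strftime("%d/%b/%Y:%H:%M:%S %z"))


BASE = datetime(2012, 12, 12, 9, 0, 0, tzinfo=timezone.utc)


def sample_single_source_flood():
    """Constructed log: one normal visitor, then one address sending 10 requests a second."""
    lines = [_line("192.0.2.10", BASE + timedelta(seconds=10 * i)) for i in range(5)]
    lines += [_line("198.51.100.7", BASE + timedelta(seconds=100 + i / 10)) for i in range(60)]
    return lines


def sample_distributed_flood():
    """Constructed log: 30 addresses, each sending only 3 requests, all inside 3 seconds.
    No single source trips the per-address limit; only the aggregate count does."""
    return [_line("203.0.113.%d" % n, BASE + timedelta(seconds=sec))
            for sec in range(3) for n in range(1, 31)]


if __name__ == "__main__":
    print(flag_floods(sample_single_source_flood()))
    print(flag_floods(sample_distributed_flood()))
```

The second sample is the one that matters: every address stays under the per-address limit, so an address-based block list reports nothing, and only the aggregate window shows the flood.  Real mitigation then moves upstream (to the provider or a scrubbing service), because by the time the requests reach the web server the bandwidth has already been consumed.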

It is certain that the attacks that we have heard of are only the tip of the malware iceberg and it is probably as certain that these attacks and counterattacks will continue to escalate.  Warriors on the front lines of these wars will be keyboard commandos and may someday sport the malware marksman ribbon on their dress uniforms.  This is war.

Having An Open WiFi Does Not Ipso Facto Make You Liable For Negligent Infringement.

Here's the scenario:  You have an open WiFi (i.e. no password required), someone (maybe you, maybe not) uses that IP address to download a copyrighted work, someone (probably a copyright troll) sends a subpoena to your internet service provider and finds that this happened, and you receive a letter from a copyright troll attorney that says in basic terms:  "You are a horrible person.  A copyright protected work was illegally downloaded using your IP address.  It was entitled something that included "hot", "wet" and a bodily orifice in the title.  You should be ashamed and if you pay me $3,000 now, it will all go away and your wife/girlfriend/scout troop/sunday school class will never know.  Otherwise, we can sue you for negligence because your WiFi was not protected and we don't even have to prove you did the download."

Maybe this comes as a huge surprise to you, maybe it doesn't.  However, will the negligence claim fly and allow the trolls to tag you with liability even if they can't prove you actually did it?  A couple of courts have said no.  Last week the U.S. District Court for the Northern District of California, in a case styled AF Holdings LLC v. John Doe and Josh Hatfield, held that the mere inaction of not protecting your WiFi was not negligence because the defendant did not owe a duty to the plaintiff to take an affirmative action to protect the plaintiff's intellectual property.  In addition, the court held that this was still a copyright case and the state law of negligence was preempted by the federal copyright statute.  And to further make a point, the court found immunity for the defendant under Section 230 of the Communications Decency Act.

So, it seems to be the trending opinion that you aren't strictly liable for contributory infringement for just leaving your WiFi open.  Seems right to me.

Anonymity On The Internet. What a Concept!

You will recall that we have discussed a few cases regarding anonymity on the internet.  In one, which involved a potential securities scam, the court removed the anonymity from some people that were involved in the alleged scheme. 

In another, the court allowed the anonymity of some detractors of The Art of Living Foundation to continue for a while.  After publishing the post, we received a call from the attorney for The Art of Living Foundation, who indicated that he thought our post was more even handed than some regarding this subject, but he would like to send us a letter from the president of The Art of Living Foundation explaining their position.  We were amenable to that and a copy of that letter follows.  We reproduce it without comment nor endorsement.  When we asked about the progress of the case, the attorney indicated that he felt the judge would rule in a manner that would allow them to obtain the identity of their detractors in the near future.  Any updates from any of the participants would be appreciated.


The "Safe Harbor" Provisions of the DMCA Become Safer and More Harbory.

Two recent decisions have provided context for the DMCA's "safe harbor" provisions and have given an expansive reading to such provisions.

In the Ninth Circuit Court of Appeals, the decision in a case called UMG v. Veoh (even though there are dozens of parties) has affirmed a district court's decision that a video sharing site (Veoh) qualified for the safe harbor provisions and therefore was not liable for copyright infringement.  This case was decided on December 20, 2011.

In the Southern District of New York, summary judgment was entered for Photobucket.com and the Kodak Imaging Network against Sheila Wolk, an artist that claimed that Photobucket was liable because several of her works had appeared on Photobucket.  See here for examples on the day this post was written.  The case is styled Wolk v. Photobucket and was decided on December 21, 2011.

In UMG v. Veoh, the defendant Veoh operates a service that allows people to share video content over the internet.  The service is free and Veoh makes its money through related advertising.

The Digital Millennium Copyright Act ("DMCA") allows "service providers" "safe harbor protection" if the service provider: (i) does not have actual knowledge that the material on the system is infringing; (ii) is not aware of facts or circumstances from which infringing activities are apparent; (iii) upon obtaining actual knowledge acts expeditiously to remove or disable access to such infringing material; or (iv) does not receive a financial benefit in cases where the service provider has the right and ability to control such activity.

Veoh employed the standard methods of having its customers agree not to upload any infringing material, and the customers give Veoh a license to use and display such material.  When a video is uploaded, the software resident at Veoh's site automatically (i.e. without human intervention) breaks the video into 256-kilobyte chunks that facilitate streaming and converts the video into Flash 7 format.  If the customer is a "Pro" user, the software further converts the files to Flash 8 and MPEG-4 formats.  The software also extracts metadata to aid in the search function for the videos.  No Veoh employees review videos before they are posted.

However, Veoh uses “hash filtering” software. When Veoh is aware of an infringing video and disables access to it, the hash filtering software automatically disables access to any identical video and prohibits any subsequently submitted duplicates. Veoh also used another filtering system that compares audio on a video to a database of copyright content and if it finds a match, the video never becomes available for viewing. After obtaining this software, Veoh applied it to their catalog of previously uploaded videos and as a result, removed more than 60,000 videos, including some that supposedly infringed on UMG’s copyrights. Despite the precautions, UMG and Veoh agree that some UMG copyrighted material is on Veoh’s site. The parties also agree that UMG never gave Veoh notice of any infringing material before UMG filed this suit.
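As an added illustration, not Veoh's own software (the opinion does not describe its internals), the Python below shows how an exact-match hash filter of the kind described above behaves once a video is disabled on notice, including its inherent limit: it catches only byte-identical copies, which is the gap a content-aware filter such as the audio comparison covers. The class, function names and sample "videos" are constructed for the example.

```python
"""Added example, not Veoh's own software (the opinion does not describe its
internals): an exact-match content-hash filter of the kind the court credited.
Once a video is disabled on notice, its digest is blocklisted, any identical
copy already in the catalogue is disabled too, and identical later uploads
are refused. Names and the sample 'videos' are constructed for illustration."""
import hashlib

CHUNK_SIZE = 256 * 1024  # the 256 KB chunk size the opinion mentions


def content_digest(data: bytes) -> str:
    """SHA-256 of the whole file, fed in 256 KB chunks so a real upload
    can be hashed as it streams in rather than buffered in full."""
    h = hashlib.sha256()
    for offset in range(0, len(data), CHUNK_SIZE):
        h.update(data[offset:offset + CHUNK_SIZE])
    return h.hexdigest()


class HashFilter:
    """Blocklist keyed on the digest of disabled content."""

    def __init__(self) -> None:
        self.blocked: set[str] = set()          # digests of disabled videos
        self.catalogue: dict[str, str] = {}     # video id -> digest

    def upload(self, video_id: str, data: bytes) -> bool:
        """Accept an upload unless it is byte-identical to a disabled video."""
        digest = content_digest(data)
        if digest in self.blocked:
            return False
        self.catalogue[video_id] = digest
        return True

    def disable(self, video_id: str) -> list[str]:
        """Disable one video on notice, then sweep the existing catalogue for
        identical copies (the opinion describes Veoh running such a sweep over
        its back catalogue). Returns the ids removed, the notified one first."""
        digest = self.catalogue.pop(video_id)
        self.blocked.add(digest)
        removed = [video_id]
        for other_id, other_digest in list(self.catalogue.items()):
            if other_digest == digest:
                del self.catalogue[other_id]
                removed.append(other_id)
        return removed


def demo() -> tuple:
    """Walk through notice, sweep, blocked re-upload, and the filter's limit."""
    f = HashFilter()
    clip = b"\x00\x01" * 300_000   # constructed ~600 KB stand-in for a video
    f.upload("v1", clip)
    f.upload("v2", clip)           # duplicate already sitting in the catalogue
    f.upload("v3", b"something else entirely")
    removed = f.disable("v1")      # a takedown notice arrives for v1
    reupload_ok = f.upload("v4", clip)  # byte-identical re-upload: refused
    # A copy that differs by even one byte has a different digest, so an
    # exact-match filter does not catch it; that gap is what a content-aware
    # filter such as the audio comparison described above is for.
    altered_ok = f.upload("v5", clip + b"\x00")
    return removed, reupload_ok, altered_ok, sorted(f.catalogue)


if __name__ == "__main__":
    print(demo())  # (['v1', 'v2'], False, True, ['v3', 'v5'])
```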

Veoh asserted as an affirmative defense that it was entitled to protection under the safe harbor provisions of the DMCA. UMG alleged that Veoh was not entitled to such safe harbor because its activities were not “infringement of copyright by reason of the storage [of material] at the direction of a user”, that Veoh had actual knowledge of infringing acts or was “aware of facts or circumstances from which infringing activity [wa]s apparent”, and that Veoh “receive[d] a financial benefit directly attributable to … infringing activity” that it had the right and ability to control.

The court disagreed with UMG on all three issues.

UMG had asserted that the language required that the infringing conduct be limited to storage and that Veoh’s facilitation of access to the material went beyond “storage”. The court said the statute language was “by reason of storage” and that the language was clearly designed to cover more than “mere electronic storage lockers”. The court reasoned that if Congress had intended the safe harbor to extend only to web hosts, it would not have included the language “by reason of storage”.

The court followed a line of other cases holding that a defendant’s having been notified of some infringing activities does not put it on notice of other infringing activities. It was undisputed that Veoh removed all material for which it was put on notice and that it could identify from such notices, even though UMG itself had not provided any such notices.

The court further stated that the “right and ability to control” requires control over specific infringing activity that the provider knows about. “A service provider’s general right and ability to remove materials from its services is, alone, insufficient. Of course, a service provider cannot willfully bury its head in the sand to avoid obtaining such specific knowledge.” The court found that Veoh had not acted in such manner.

In the Wolk v. Photobucket case, Ms. Wolk is an artist that depends on her paintings and sculptures as her sole source of income. She alleges that Photobucket facilitates the infringing of her copyrights and is not entitled to the protections of the safe harbor.

In its analysis, the court found that Photobucket met the definition of a service provider because the court believed that the definition of service provider includes a “broad set of Internet activities”. Photobucket also had a policy that allowed copyright holders to submit a takedown notice, had made that policy available on its website and had acted to remove infringing material when given notice. It also found that Photobucket met the other requirements for safe harbor and dismissed Ms. Wolk’s pro se complaint.

Both of these cases allowed immunity for activities that go substantially beyond the mere storage of materials. Decisions of this type, which most likely accurately apply the legislative intent of the DMCA, would probably come down differently under the recently proposed SOPA legislation.

This will not be the last we’ve heard of these issues.


Who Owns Your Social Media Account? You Or Your Employer?

Here's the situation:  You establish a Twitter, Facebook, LinkedIn, etc. account while you are employed and use the account to tweet, post, blog, etc. about your employer.  Then your employer falls out of love with you and you are no longer employed.  Who owns your followers on Twitter or your Facebook or LinkedIn account?  That's a really good question and one that the courts are dealing with right now.

Rich Sanchez was an anchor on CNN and has a Twitter account with the handle: "richsanchezcnn".  Rich was rendered unemployed because of some ill advised statements he made.  So, does CNN own the account or was Rich popular with the Twitter followers because of his good looks and sex appeal or because he was on CNN?  Should he have to change his handle?  This was settled out of sight, so we don't know what happened there.

On another front, a company called PhoneDog LLC filed a suit against former employee Noah Kravitz.  Noah tweeted while an employee of PhoneDog under the name "PhoneDog_Noah" but then changed it to "noahkravitz" after the break up.  PhoneDog alleges that Noah's 17,000 followers are worth $2.50 each per month for 8 months and is asking for a $340,000 judgment against our friend Noah.  PhoneDog has, for the moment, survived a motion for summary judgment, with the judge finding enough question of fact about "trade secrets" in the account to let the case go on for a little longer.

Then there's the strange case of Dr. Linda Eagle, who was one of the original founders of Sawabeh Information Services.  As is the case sometimes, all the founders were fired, and Sawabeh alleges that it owns Dr. Eagle's LinkedIn account and that she has somehow "misappropriated" her own account.  As you know, most LinkedIn accounts (as was Dr. Eagle's) are in the employee's name alone and refer to the company in the employment history and in the connections established.

We have explored the issues of who owns clients of an LLC and whether a toxic ex-spouse might have some rights in a patent in a community property state, but this is an area of the law that is developing.

In most instances, this is probably not a huge issue but employers who want to have control over these accounts (and the wisdom of this should be evaluated thoroughly), should provide guidelines in the social media section of their employment rules.  If stated clearly, there seems to be no reason why the employer would not be entitled to control and ownership of such accounts if they fall into the parameters set out in such policy.  Otherwise, it's pretty gray.

In Cyberspace, No One Can Hear You Scream, But They Can Get Your Identity.

The Securities and Exchange Commission thought that a particular individual was engaged in a "pump and dump" scheme, which is where bloggers, commentators, anonymous "experts" or others tout a small cap stock on line in forums, chat rooms, etc., often with false or deceptive material, and then, when the price gets a bump as a result, the persons doing the touting sell the stock for a profit.

The SEC wanted the identity of the person behind jeffreyhooke@gmail.com and subpoenaed Google to get the information.  Google notified the person and the person (using the clever pseudonym "John Doe") moved to quash the subpoena.  The lower court denied the motion to quash and Mr. Doe appealed. 

The Court found that Mr. Doe had made a prima facie showing that his First Amendment right of free speech was implicated and therefore, the burden shifts to the government to show: (i) the information sought was rationally related to a compelling governmental interest and (ii) the disclosure requirements are the least restrictive means of obtaining the desired information.  The Court found that the government's interest in disclosure (being ancillary to a fraud investigation) trumped Mr. Doe's private interest in anonymity and that the information requested was the least restrictive means available.

Mr. Doe argued that the standard in Anonymous Online Speakers should be applied here instead of the Brock standard.  The Court held that in Anonymous Online Speakers, there was no government interest at issue (i.e. it was between private parties) as there was in Brock and therefore the Brock standard should be applied, i.e. the government did not have to present evidence sufficient to overcome a summary judgment.

The Court overruled the motion to quash and John Doe is anonymous no more.


Move Over Stuxnet, Here Comes DuQu - Son of Stuxnet, Stuxnet 2.0 or Demon Spawn?

The latest addition to the family of badass malware is DuQu.  DuQu was born sometime in the near recent past but only became obvious to the world on September 1, 2011 when the Laboratory of Cryptography and System Security (CrySyS) notified the world of its birth. 

If the proud parents were to issue a birth announcement it would read something like:

"The Stuxnet family is proud to announce its latest variant, DuQu, named after its propensity to create files with DQ as a prefix.  Born: Sometime lately.  Weight: Heavy.  Breadth: Remains to be seen.  The bouncing baby malware shares a good portion of its mother's (Stuxnet) source code.  Its father is undetermined but likely is a good looking roving nation state with sabotage or corporate espionage on its mind, like Mossad or the CIA, who are also related to Stuxnet, so birth anomalies are possible.  DuQu shares its likely father's fondness for stealth and trickery."

Most experts like Symantec would agree with the announcement's statement on DuQu's lineage but Dell's SecureWorks doesn't necessarily buy it.

Stuxnet has been used to infect the Iranian nuclear program by causing the centrifuges used to purify uranium to exceed their design spinning speed and destroy themselves.  DuQu seems to extract information and send it to an unknown site.  Although not proven, this blog along with others has surmised that the sophistication of Stuxnet, the targets and the amount of programming resources required point to the involvement of a group of people more technically advanced and well funded than the average virus creator.  We also chronicled Stuxnet's move from being merely menacing to becoming a military weapon.

Antivirus groups are moving to address the issues, Microsoft says it will address the zero day defect that DuQu exploits when it gets around to it but proposes an emergency fix in the meantime, and the "whitelisting" folks like CoreTrace say that they've been ahead of this all along.

As this new arrival grows and spreads, the real purpose and the damage it may do can be assessed but if malware continues to be more sophisticated than some of the applications we regularly use, problems will abound.

Update: The Acquisition That Keeps On Giving. SAP Agrees To Pay Criminal Fine of $20 million For TomorrowNow's Transgressions.

In 2005, SAP acquired TomorrowNow, a company designed to provide third party maintenance for Oracle software.  Unfortunately, TomorrowNow chose to reduce its operating costs by pirating a bunch of Oracle software and then using it in its business.

Oracle found that to be somewhat offensive and sued TomorrowNow and SAP and originally obtained a judgment against them for $1.3 billion.  We recently noted that a judge had reduced this amount to a mere $272 million.

During the civil trial, federal prosecutors listened and then filed criminal charges against TomorrowNow.  TomorrowNow is basically defunct and has fewer than ten employees, and no individuals were named in the indictment.  This was done as part of a plea bargain, and SAP worked out a deal where it would pay a $20 million fine for TomorrowNow, even though SAP was not named in the indictment either.  One would have to assume that some individual actually performed the criminal act of stealing the software, although in this case, it appears that Mitt Romney is correct in that: "Corporations are people, my friend."  At least for plea bargains.

Court Reduces Oracle's Judgment Against SAP From $1.3 Billion (With a B) to $272 Million (With a M).

Once upon a time, SAP purchased a company called TomorrowNow.  TomorrowNow apparently downloaded Oracle software thousands of times in an effort to get the software cheaply (free) and obtain some of Oracle's customers.  Oracle sued, and SAP did not contest the fact of the downloads but alleged that the damages to Oracle should be equal to the profits that Oracle would have realized from the pirated software.  The Court allowed the jury to find damages based on a "hypothetical license" that would have existed between Oracle and SAP if Oracle had allowed SAP to use the software in question.  This allowed the jury to find damages in the amount of $1.3 billion, the largest copyright infringement verdict in history.  However, today, in the U.S. District Court for the Northern District of California, the judge found that there was no evidence that Oracle would have ever granted such a license and that damages must be based on evidence and not speculation or guesswork.  The judge then said that the judgment could be reduced to $272 million and if the parties could agree on that, then it would be settled.  If they do not agree, then a new trial will be ordered.

It's an interesting world when a $272 million verdict is considered a victory for the defense.

Zediva's Cord Is Too Long. Court Considerably Shortens It.

You know our friends at Zediva, the entrepreneurs that used DVD players in a data center and DVDs they had bought to rent the DVDs and the players to individuals and stream movies over the internet to subscribers.  We chronicled their launch and subsequent encounter with the legal system here and here.  Zediva had thought their arrangement would be legally equivalent to renting a DVD and player to an individual in their home, a situation that is legally acceptable.  They reasoned that the only difference was a little longer cord, i.e. the distance through the cloud from Santa Ana, California to the respective user.

The Federal District Court, Central Division, of California recently disagreed.  In a decision that has been roundly criticized by some and lauded by others (no surprise there), the Court granted a preliminary injunction, which effectively shut down the Zediva enterprise.  Their website now shows the following:

The Court reasoned that the Zediva service constituted a public performance and that the method of providing the movies constituted a transmission, both violations of the exclusive rights of a copyright holder.  Consequently, the Court found that the plaintiff had shown a likelihood of success on the merits, a requisite of the granting of an injunction.  Another requisite is the showing of irreparable injury.  The Court solved this by reasoning that the provision of the movies by the unlicensed provider deprived plaintiff of its ability to control the use and transmission of their copyrighted works and deprived the plaintiff of revenue (the crux of the matter).  The Court also decided in a rather conclusory manner that the balance of hardships weighs sharply in favor of the plaintiffs and the public interest is best served by the issuance of the injunction.

The Court seemed to think that some kind of physical act on the part of the user, such as recording on a DVR or physically inserting the DVD in a player owned by the user on the user's premises, was required to remove the transaction from the "public performance" and transmission arenas.  Zediva maintained that this was a distinction without a difference.

This area of the law continues to evolve, although more slowly than the technology driving it.  Although it looks like it probably will not happen, it would be helpful if Zediva were to proceed to trial on this so that we could get a more complete consideration of all the issues and some judicial instruction in this cloudy area (pun intended).

New Top Level Domain Name Scheme Approved By ICANN

You will recall that we mentioned in February that the Internet Corporation for Assigned Names and Numbers (ICANN) was proposing opening up the top level domain game to everybody.  ICANN has now approved that move by a vote in Singapore on June 20.  Applications for positions as new top level domain registrars will be accepted for a three month period beginning on January 12, 2012.

So, anyone with $185,000 and an infrastructure for doing registration acceptable to ICANN can get their own top level domain registration business.  As we mentioned before, this will greatly expand the present .com, .edu, .net scheme to anything you could imagine and that ICANN will approve.  This could include names relating to common interests (.badminton, .skiing or .coins), society segments (.democrats, .gay or .baptist), individual company or brand names (.ford, .ibm or .dell), professions (.doc, .law or .cpa) or anything else that can be envisioned and approved.

Get your applications ready.

Our Long National Nightmare Is Over. Facebook/Winklevoss Lawsuit Comes To An End.

This blog has been in sort of a TMZish mode regarding the unfolding drama of the Winklevoss twins vs. Zuckerberg.  See here, here and here.  Apparently the era of easy blog posts is coming to an end as the twins have announced through a filing that they will not pursue an appeal to the U.S. Supreme Court.


Hear All That Screaming and Gnashing Of Teeth? It's World IPv6 Day!

OMG!  It's already World IPv6 Day and you forgot to buy gifts.  What are you doing to celebrate?  Who has the day off?

Forget About Stomping On Public Unions, Wisconsin Is Now Stomping On Automatic Renewals In Contracts.

I'm pretty sure that activists didn't occupy the State Capitol building in response to this bill, but it could have some ramifications for companies that enlist language that purports to let contracts automatically renew, unless one of the parties takes some affirmative action.

There is a pretty common provision in a lot of contracts, including those that provide for technology consulting and services that goes something like this:

"This Agreement has a one year initial term, beginning on the Effective Date ("Initial Term"). The Agreement will automatically renew on each anniversary of the Effective Date for subsequent one year terms (each a "Renewal Term") unless either party gives written notice to the other at least thirty (30) days prior to the expiration of the Initial Term or the Renewal Term that the Agreement will terminate at the end of the present term."

Nothing sinister here.  It is designed to take some administrative work out of renewals and vendors like them because of the inertia that induces customers to not think about nor terminate an agreement.

The Wisconsin legislature, having solved all of the harder problems, turned its attention to agreements like this in the present session.

They have decreed that after May 1, 2011, agreements between businesses to lease equipment or provide business services (supposedly technology services would qualify) cannot have an enforceable automatic renewal clause unless adequate notice was given and the customer's initials appeared in a certain place on the contract.

There are several exceptions to this of course.  Lobbyists are good at their jobs.  However, anybody that does business in Wisconsin and leases equipment or provides services should look at this statute and determine if they would profit from adjusting their forms.  There is also a provision that provides for a right of private action for failure to comply.  The amount of recovery provided for in an individual contract is relatively minor and repair is simple but one could envision class actions under this statute that would be a real nuisance.

And just when you thought it was safe to go back into Wisconsin.

The Rapture or World IPv6 Day, Which One Is Likely To Cause More People To Disappear?

Well, the Rapture came and went and apparently everyone I know is a dirty, rotten sinner.  Now, we get another chance to be elevated into something greater than ourselves.  You will recall that we warned you that the Internet ran out of numbers a month or so ago and it had about as much impact as last Saturday's event.

Now, the Internet Society is tempting fate by calling for a World IPv6 day on June 8, 2011.  We are less likely to see billboards and covered cars extolling this day than we did for the Rapture and we certainly will see less media coverage although this touches far more people than 144,000.

On June 8, several hundred websites and a few large companies will provide their content in IPv6 compatible mode to remind people of the coming apocalypse when all websites and devices with IPv4 numbers try to switch over.  Talk about your Armageddons!  Just wait until the internet and cell phones don't work.  At that point, not even one of the major deities could save us.

To determine your browser's ability to be screwed up by this change over, you can go here to check now.  To prepare for IPv6 day and the return of Y2K, please fasten your seat belt and return your browser to its full uptight and locked position.  Your pilot has been advised of some choppy air ahead.

(To be clear, this is this Blog's lame attempt at sarcasm.  We believe the IPv6 changeover is beneficial and necessary.  Really, we do.)

Cookies, COPPA and Contracts

Alliteration abounds.  Reports today concern the EU Directive on the use of cookies, a settlement with a Disney subsidiary for violation of COPPA (Children's Online Privacy Act of 1998) and why paying attention to the construction and organization in the drafting of a contract can be extremely important.

1.  The European Union has issued a directive that will go into effect on May 26 of this year that basically reverses the way cookies are handled.  In the past the regulations required that the user be advised of the way that cookies are used and be given the opportunity to opt out of receiving them.  The new regulations require the same advising but require "consent" before cookies can be placed.  This is the so-called "opt in" provision.  The regulations recognize that enforcement of this will be a phased in approach with the most intrusive cookies getting the most attention.  The Information Commissioner's Office has issued advice about how to deal with this.  If your website attracts significant traffic in the European Union, you would be well advised to read the ICO's advice and plan accordingly.

2. COPPA has requirements about what information can be collected from children online and what use can be made of such information.  The Federal Trade Commission accused Playdom, an online game provider, of violating COPPA by collecting information from children without parental consent and by violating its own stated privacy policy.  Playdom is a subsidiary of the Disney company.  The FTC filed a complaint against Playdom that resulted in a consent decree, which among other things, required a $3,000,000 civil penalty.   This is the largest penalty yet assessed for such a violation.

3.  The placement (or misplacement) of a single word recently made a $1,000,000 difference in a Maryland case.  In Weichert Co. of Maryland, Inc. v. Faust, an ex-employee of a real estate firm was sued for violating her obligation of loyalty and the non-solicitation clause of her employment agreement.  The Court found that she violated the obligation of loyalty but not the non-solicitation clause.  Her contract had an attorneys' fee provision where the prevailing party is entitled to its fees.  The real estate firm prevailed on the breach of the duty of loyalty but the employee prevailed on the issue about non-solicitation.  The attorneys' fee provision was included in the non-solicitation clause and gave fees to the party that prevailed "hereunder".  Since the "hereunder" was in the particular clause, the Court reasoned that it applied only to that clause and not the contract or the relationship as a whole.  Hence, the employee was entitled to her attorneys' fees, which were approximately $1,000,000, even though she had "prevailed" on only half of the issues.  In the lessons learned department for us attorneys, if you intend to make a provision apply to the contract as a whole and not just a specific clause, move the provision into a section of its own or make it very clear that it is applicable to the whole contract.

The Social Network II - The Facebook Legal Saga Continues.

We've all seen the movie.  Mark Zuckerberg versus the Winklevoss twins.  Uber-nerd versus uber-jocks.  Outsider versus the privileged and connected.  In the balance rests the right to violate the privacy of virtually everybody in the "civilized" world.

The movie shows some of the discovery proceedings in the lawsuit filed by the Winklevosses in Massachusetts alleging that Zuckerberg stole the Facebook idea.  Zuckerberg filed a countersuit in California (typical Facebook ploy, see here) against the twins and ConnectU, alleging that ConnectU had hacked into Facebook and stolen information and attempted to steal Facebook users by spamming them.  The California court dismissed the action against the Winklevosses, finding that there was no personal jurisdiction over them.  The Court then ordered the parties to mediate to attempt to find a settlement to all their issues.

Then things start to get stranger.  With billions of dollars at stake, the parties mediate for one day, reach a settlement and document it with one and a third pages of handwritten notes with the title: "Term Sheet and Settlement Agreement".  This Agreement envisions the transfer of ConnectU to Facebook in exchange for cash and an interest in Facebook.  Facebook lawyers then present 130 pages of documents to flesh out the Agreement (merely 100 times the volume of the Agreement).  The deal then comes off the tracks for a number of reasons, including the Winklevosses asserting that the value of the Facebook stock is less than they were led to believe.  Facebook files a motion to enforce the Agreement.  The twins allege that the Agreement is not enforceable because it lacks material terms and was procured by fraud.  The Court finds the Agreement enforceable and the Winklevosses appeal.

The Ninth Circuit, in a decision released yesterday, upheld the enforcement of the Settlement Agreement.  The Winklevosses had alleged that the Agreement violated Rule 10b-5 of the Securities Act and as such was void.  The Ninth Circuit rejected this argument and found: "The Winklevosses are sophisticated parties who were locked in a contentious struggle over ownership rights in one of the world's fastest-growing companies. They engaged in discovery, which gave them access to a good deal of information about their opponents. They brought half-a-dozen lawyers to the mediation. Howard Winklevoss—father of Cameron and Tyler, former accounting professor at Wharton School of Business and an expert in valuation—also participated."

The Court also held: "The Winklevosses are not the first parties bested by a competitor who then seek to gain through litigation what they were unable to achieve in the marketplace. And the courts might have obliged, had the Winklevosses not settled their dispute and signed a release of all claims against Facebook. With the help of a team of lawyers and a financial advisor, they made a deal that appears quite favorable in light of recent market activity. See Geoffrey A. Fowler & Liz Rappaport, Facebook Deal Raises $1 Billion, Wall St. J., Jan. 22, 2011, at B4 (reporting that investors valued Facebook at $50 billion —3.33 times the value the Winklevosses claim they thought Facebook's shares were worth at the mediation). For whatever reason, they now want to back out. Like the district court, we see no basis for allowing them to do so. At some point, litigation must come to an end. That point has now been reached." (Emphasis added)

So, the poor Winklevoss twins are stuck with a deal that is only worth millions and not billions.  In the lessons learned department, we are struck by the fact that you probably couldn't turn around in the mediation room without tripping on a lawyer or a financial advisor and yet, they ended up with slightly over a page long, hand written document.  That either means you don't need lawyers at all or you really need them to do their job. 

Maybe we'll find the answer in the next sequel, "Social Network III, The Legal Grievance Phase".


Update On the Epsilon E-Mail Hack.

Last week we discussed the very large, very disruptive loss by Epsilon of a number of e-mail addresses and the identities of the companies with whom the e-mail owners did business. 

InfoWorld Tech Watch reports that it appears that the hack relied on the gullibility of Epsilon employees.  So, there was no midnight rappelling from the ceiling through banks of laser beam alarms like you see in the movies, but merely a "social engineering" attack using e-mails targeting Epsilon employees that contained some personal information about the employee and made them think it was from a personal acquaintance. 

The messages included links (bad idea to click links in a message) that took them to a site that downloaded one malware program that disabled the antivirus software, one that logged keystrokes and one that gave hackers remote access to the infected machines.  It also turns out that Epsilon was warned about such attacks several months ago.

In the "lessons learned" department or, more appropriately, the "lessons we should already have known" department, it would be prudent for a company with large amounts of customer data (everybody online?) to train their employees not to respond to personal e-mails at work, to recognize the telltale signs of a social engineering attack and not to click on links in a message whose origin they do not know.

This is not hard to teach but apparently compliance is difficult.  This lesson will get expensive for Epsilon.

Well, That Didn't Take Long. Movie Studios Sue Zediva.

It seems like only last week (actually, it was) that we first talked about the Zediva launch, which lets you view a video streamed from the cloud, played from a DVD that you rent on a DVD player that you also rent.  Of course, you never see or possess either, given that they reside somewhere in a data center leased by Zediva.

Wasting no time, several movie studios have sued Zediva.  The complaint can be found here.  The Motion Picture Association of America detailed their members' position in a press release.

As expected, the plaintiffs allege copyright infringement, specifically, the exclusive right of the copyright holder to publicly perform their movies.

Interesting times, these.

Massive E-Mail Hack. Phishing Season To Begin Early This Year.

On April Fools' Day, Epsilon (one of the largest on-line marketing firms) announced through a terse press release that their "...clients' customer data were exposed by an unauthorized entry..." but that the information obtained had been limited to names and e-mail addresses.  Unfortunately, it was not an April Fools joke.

Some of Epsilon's customers include Citigroup, JP Morgan Chase, Brookstone, Kroger, College Board, Walgreens, TiVo, Capital One, HSN Inc., Visa, Kraft, LL Bean, Best Buy and Verizon.

So, what you need to look out for and alert your clients about is the possibility of increased "phishing" attacks.  We have all had e-mails purporting to be from some bank or other entity and requesting us to go to some website (configured to look like the real entity's website) and enter information and  possibly pick up spyware or viruses.  Since most phishing attacks are just random broadcasts, the fact that these intruders have specific names, e-mail addresses and links to specific entities with whom the targets do business leads to a more pointed attack, which is referred to as "spear phishing".  Because of the more targeted approach, the success rate is likely to be higher.

How do you protect yourself?  PC World has some good advice.  As the PC World article states, the best way to avoid this is never to go to a website from an unknown e-mail link and never to provide any sensitive information such as a password, PIN, etc.  Common sense instructions, but please tell your grandma about this.

Zediva Tries To Beat Netflix To The DVDs By Invoking Same Doctrine That Will Make It More Expensive For Netflix.

The many avid readers of this blog will no doubt remember our in-depth discussion of the "first sale" doctrine as it relates to the inability of Netflix to rely on such doctrine for the streaming of videos, since there is no "sale" involved.  We surmised that this would increase costs because Netflix would have to license the videos from the copyright holders rather than just buy the DVD and rent it out.

Now, another service is trying to sidestep the issue and offer streaming DVD videos in a time frame well in advance of when Netflix can offer the video.  Zediva went from beta to production last week and is offering streaming videos as soon as the DVD is available for purchase.  Zediva's legal reasoning on this (we believe) is that they are buying the DVDs, physically taking delivery of the DVDs and actually playing them on a DVD player somewhere in their data center.  The particular DVD and the player on which it is playing are leased to the subscriber for four hours, during which no other subscriber can access either that DVD or that player.  The technology employed by Zediva allows that DVD and player to stream the video over the internet to the subscriber's device.  So, according to Zediva, it is like renting the DVD and player, and the player just has a really long cord (with the cord serving as a metaphor for the cloud).  Surely, says Zediva, that must be allowed under the "first sale" doctrine.   If DVD copyright holders take umbrage at this arrangement, they might say that the "first sale" doctrine requires physical transfer of the medium and "Don't call me Shirley".  (gratuitous Leslie Nielsen homage)

The rollout of this bears watching.  Zediva's website today says it is down while they get more capacity.  Recently, another company thought they fit into an exception of the Copyright Act. ivi TV was retransmitting television broadcasts and claimed they were a virtual "cable company" and therefore entitled to transact their business under Sec. 111 of the Copyright Act, although they didn't get retransmission consent nor qualify as a cable company under the Communications Act.  The US Court for the Southern District of New York granted a preliminary injunction that ceased their operation until further adjudication.

As new technology challenges the present state of the law, we close this post as we almost always do.  Stay tuned.

Stanfield Hiserodt To Present Discussion On Cloud Computing At RISE Tomorrow.

We will be leading a discussion on "Ten Things You Should Know About Cloud Computing Agreements" at Austin RISE Week 2011 tomorrow at 4:00 pm at the PeopleFund offices at 207 Chalmers Avenue in Austin.  If you need something to do during that awkward time between afternoon coffee break and happy hour, come on out and share it with us.

Updates: Stuxnet, Bilski, COICA, Arcade Fire (HTML5)

Updates on a few of our earlier posts:


S.E.O = Sinister Enhancement Option?

SEO is, of course, the acronym for Search Engine Optimization.  It's the practice of creating web sites, links, references and other mysterious arcana to enhance the chances that a particular web site will appear on the first page of results whenever you do a search (e.g. Google, Yahoo, Bing).  It is a well respected practice and something most everybody does.  The largest search engine, Google, has a trade secret algorithm that determines how such searches are ordered.

Google has a vested interest in appearing to present the search results in a rational order.  If it appeared that the system was materially flawed or gamed, then less importance would be placed on a search by Google and they might lose market share.  For that reason, they have a set of rules by which SEO purveyors are supposed to abide.  To violate these rules is to risk having Google take steps to cause your web site to appear lower in the Google results.

This brings us to the interesting case of J.C. Penney.  The New York Times reported on Saturday that during the recent holiday season, the rankings for searches for a number of things that J.C. Penney carries (e.g. dresses, bedding, area rugs, furniture, skinny jeans) routinely returned a number one ranking.   This raised the question as to whether this would have occurred without significant manipulation of the Google algorithm.  Turns out, probably not. 

J.C. Penney apparently engaged SearchDex, an SEO firm based in Dallas.  SearchDex supposedly used suspect methods, including placing links on unrelated, obscure, underused or dormant websites that pointed back to the J.C. Penney site.  Effective, definitely.  Ethical, a matter of opinion.

SearchDex lists its ethical standards on its website and also lists its response to the Google standards for SEO activities.  According to the New York Times article cited above, Google believes that SearchDex and J.C. Penney have violated the Google standards.  However, none of this appears to violate any laws and J.C. Penney has filed the obligatory "We Didn't Do Nothing" response.

One of the methods is to use services like TNX, which purports to raise website traffic by placing paid links on other sites that redirect the search to the target site.  The redirecting sites agree to allow the links in exchange for payment based on the number of redirects.

So, with sponsored links, Google AdWords, Google Places, TNX and really creative SEO operators, who's to know whether the searches are credible?  And, I would like to sign up somewhere to get our name on the first page of the listings.  Oh, wait, we are (today)!  (Search "Austin Technology Attorneys")

The Internet Runs Out of Numbers. No Big Deal.

A couple of days ago, the Internet ran out of numbers.  How is that possible, you say?  Aren't numbers infinite? 

The numbers referred to are the internet protocol addresses (IP addresses) that are assigned to every device connected to the internet.  Each device has its unique number and the number is what allows the devices attached to the internet to talk to each other.  We humans deal in domain names like www.austintechnologylawblog.com but the computers convert these names into numbers that look like this:  This numbering convention is called IPv4 and was developed in the early days of the internet and has been adequate until now.  IPv4 has a finite capacity of just over 4 billion addresses. 

IP addresses are administered by a non-profit entity known as ICANN (The Internet Corporation for Assigned Names and Numbers), which allocates the numbers among 5 Regional Internet Registries (RIRs).  What the exhaustion of numbers really means is that all available numbers have been allocated to the RIRs for further distribution and none remain in the ICANN central pool.  The RIRs will continue to distribute such numbers, but even the end of that is in sight.

What happens now?  Complete shutdown, anarchy, the end of the Egyptian uprising and the demise of sexting?  Nope, luckily the folks looking after this have anticipated this (like Y2K) and have established IPv6, a new and improved IP address protocol.  IPv6 addresses are written in hexadecimal and have a 128-bit address space, which provides for 340 undecillion addresses.  Suffice it to say, that's a lot and should last into the foreseeable future.

IPv6 addresses will contain colons and will look something like this: 2001:0db8::53.  When you see two colons together, it means that the segments between them contain only zeros.  In the example above, as given by ICANN, it really means: 2001:0db8:0000:0000:0000:0000:0000:0053.

So, no need to panic just yet.  Supposedly, most existing devices we use today are compatible with IPv6.  Internet service providers will initiate the rollout of the new numbers when needed and (supposedly) users will not have to take any real actions.  That remains to be seen, but as of now, we've still got numbers.


Digital Crannies. Six Places Data Hides That Most People Don't Know Exist.

As we have stated before, from time to time, we like to improve the content of this blog by getting input from subject matter experts in relevant fields.

Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin based Flashback Data.  Will graced the pages of this blog before with this post.

We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.

Here is what Will said:

Digital Crannies.

Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!

Here are 6 random things on the menu you may find interesting:

Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.

Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tend to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.

Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:

wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all. company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded. company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home. not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you

Internet History
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!

Recent Documents
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).

Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)


Fifth Circuit Holds That Grant of Access to Licensee's Attorneys Breaches License Agreement

Licensors licensed database technology to Licensee to allow Licensee to prepare residential mortgage loan documents.  The license agreement explicitly allowed access to the technology by "Originating Lenders" and Licensee's general counsel, an outside law firm.  Licensee granted access to another law firm to prepare loan packages for Licensee.

Licensors claimed that the license agreement expressly prohibited any use of the licensed technology that was not specifically authorized and nothing in the license agreement gave explicit authority for access by the loan package preparing law firm.  The Licensee said that nothing in the license agreement prohibited such access when it was done exclusively for the benefit of and on behalf of the Licensee.

A lower court had relied on Geoscan, Inc. of Texas v. Geotrace Technologies, Inc., 226 F.3d 387 (5th Cir. 2000) and Hogan Systems, Inc. v. Cybresource International, Inc., 158 F.3d 319 (5th Cir. 1998) for the proposition that the use of a licensed property by a third party solely on behalf of and for the benefit of the licensee is not a transfer or sublicense of that property.

The Fifth Circuit reversed and said it disagreed with the district court that the Geoscan and Hogan decisions allowed a court to look past the actual language of a licensing agreement and absolve a licensee who grants third party access merely because that access is on behalf of, and inures to the benefit of the licensee.

The Fifth Circuit added that the agreement in the subject case did not contain a provision that generally permits the Licensee to grant third party access and in fact, expressly prohibited it except for the two express exceptions set out above.  "Because the licensing agreement in this case withholds rights not expressly given, Geoscan and Hogan Systems are of limited relevance, and we therefore decline to interpret the agreement to allow general third-party access on behalf of and for the benefit of (Licensee)."  Compliance Source, Inc., et al v. Greenpoint Mortgage, Docket No. 09-10726, Decided October 18, 2010, at page 13.

Licensors concerned about third party access (almost all of them) should review the language in this case and compare with their relevant documents. 

Senile Musings of the World's Oldest Baby Boomer Lawyer- How Technology Has Changed The Practice of Law.

Indulge me for a moment.  Today is my birthday.  I'm old.  I've been practicing law for a long time (parts of five decades).  I'm slightly nostalgic on this, the occasion of my becoming a ward of the state.  This blog talks generally about technology and the law.  This post will address technology in the law.

I know that most of you assume that the internet has existed forever.  At least since the nineties, which is forever for a lot of you.  Let me describe the technology of law when I first burst on the scene in the 70s: Lawyers dictating to secretaries (no one knew what an administrative assistant was) sitting at the end of the desk while the lawyer paced and talked, secretaries taking the dictation in shorthand on steno pads, secretaries typing on manual typewriters with carbon paper making one copy on onion skin paper, other lawyers dictating on Dictaphones (machines about the size of an old VCR with a circular magnetic tape), which was then given to a secretary for transcribing.  No lawyer would have deigned to do his or her own typing even if they could.

Then the advancements started coming in torrents (at least one or two every three or four years):

  • Electric typewriters, first with an arm and a head for each character and then followed by a rotating ball with all characters (Selectric typewriters)
  • Self correcting electric typewriters (mistakes were corrected not by erasing and retyping but by backing up and typing the incorrect character(s) again, which pounded a white material into the prior indentation.  This didn't do anything for the underlying copy, which still had to be manually corrected)
  • Copiers - big, clunky, expensive, slow moving machines
  • Fax machines - one line for the whole firm and it was used only on special occasions
  • Hand held dictation equipment, first with full sized cassette tapes and then later with mini-cassettes 
  • Mag-card "word processors" - the first "computerized" advance in office technology.  Machines about the size of small refrigerators, which had magnetic media (in the shape of old IBM punch cards) on which you put standard documents with blanks in the text for names, addresses, etc.  These large machines were attached to Selectric typewriters that would operate until it found one of these blanks indicated by a "stop code" at which point the typewriter would stop and the operator would enter the optional text manually.  These machines were hot and noisy and had to be enclosed in a room with sound absorbing material and were run overnight because of the long production time for large documents and the fact that there were only a few machines for the entire firm.
  • The advent of personal computers moved rudimentary word processing to the administrative assistants' desktops, and Word Perfect ruled the legal world; only special Word Perfect gurus knew how to use the "codes".
  • Legal research by computer was introduced by Lexis-Nexis.  One large terminal tucked way back in the library with an exorbitant per minute search rate and a per line print rate with a printer as part of the terminal.
  • Desktops, then laptops with Microsoft Word and Westlaw and the internet and mobile phones evolving into pocket held computers, Microsoft 365, Google voice, Google docs, Twitter, LinkedIn, Avvo, social media, the cloud, etc., etc. and the torrent really has begun.

However, the more things change, the more they stay the same.  Even though technology has changed the face of law practice, the same basics remain: Lawyer competence, client contact and trust and good, old fashioned integrity still count.  Maybe now more than ever.

Thanks for indulging me.  I look forward to many more advances over the next five decades.

Stuxnet - Military Malware?

We hate to say we told you so (actually, we revel in it), but we surmised early on (without any real information) that the Stuxnet virus was the result of a nation state's activity to impact the Iranian nuclear development.  Now it appears that we were probably correct.  Stuxnet set back the Iranian nuclear program by several years by causing the centrifuges to rotate in excess of their capacity.  It has been hailed as being as effective as a military strike but in spite of being more sophisticated than any previous malware, it was messy in that it didn't really cover its tracks like some other malware. 

Kinda like a military strike.

SXSWi Panel Picks: ATLB Selections (so far)

South by Southwest Interactive is just around the corner, coming March 11-15, 2011, and now it's time for the selection process to begin. For those of you who aren't familiar with the process, check this out to get up to speed. There are three groups that vote on what panels will participate in the 2011 SXSWi: public (30%), SXSWi staff (30%), and advisory board (40%). There is a feeling here at ATLB that it's our duty to assist in crafting this year's event. I mean, it's for the public, so why shouldn't we have a loud voice? This blog goes out to several different groups that have interest in a variety of things, so in order to provide a broad range of issues here are a couple that seem relevant to our readers: Bootstrapping, Entrepreneurism and Monetization, Funding, Web Apps, and our personal favorite, Licensing, Fair Use and Copyright. Please check out these categories and see if a subject of interest pops up.

Additionally, there are a few individual panels this year that we'd like to suggest:


Apps vs. Mobile Web: Which to reach consumers?

Copyright Criminals

Download Illegally, It's the Right Thing to Do

Social Network Users' Bill of Rights: You Decide

Legal Frontiers In Social Networks, Blogs and Beyond

I.P. Fearlessly: Copyright, Contracts, and Clients


I'm sure there are many more that would do a great job of bringing value to next year's event, but these were the ones that caught our eye on the first go-around. It would be a good idea to get on Twitter and find some other good Austin tech sources to get a feel for some other good panels.

Enjoy the weekend!

More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks; when such a stick is attached to a computer, the malware executes automatically without any further action by the user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the way Windows handles shortcut link files.

Microsoft has issued a workaround that essentially turns off the shortcut function and changes the shortcut icons' appearance on the screen.

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert, and there are reports that Stuxnet or variants are “in the wild” and could be delivered by means other than USB sticks, such as via networks and remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.

This attack seems to be much more targeted and much more sophisticated than most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.

Contract Provisions That Should Be Considered In A Cloud Computing Arrangement

This is actually Chapter 4 in a rambling dissertation on why the "Cloud" is what it is.

In previous posts (see here, here and here), we have chronicled the evolution of the “Cloud”, Software as a Service and various permutations thereof and labels therefor. So, now that we think we know how we got here, what do we do now? If you are considering the procurement of cloud services and if you have the negotiating clout to request changes to the vendor’s standard contract, you need to consider some additional things to request.

In addition to the general considerations such as price, term, etc., the following are additional considerations to be discussed with the vendor and possibly included in the governing agreement:
1. In most cases, the vendor owns or licenses the software and the customer owns the data. The customer should always have the right to access and move its data, even in an alleged default situation. This is particularly true if the customer is in a regulated industry.
2. What happens if the vendor goes out of business, declares bankruptcy or is acquired? What happens if the acquirer is one of your competitors? The customer should have an exit strategy and the agreement should be compatible with such strategy.
3. How much responsibility or liability will the vendor assume if the systems are unavailable or if your data is lost? What are the backup procedures, business continuity plans and disaster recovery arrangements? Most vendors’ heads would explode if you requested that they be responsible for the value of your lost data but what are the procedures to recover the data, to back it up and protect it and who pays for that?
4. What kind of investment will the vendor make in software upgrades, enhancements and development? A company for which I once worked pledged 5% of its outsourcing revenue to software development and maintenance. Most companies won’t commit to a specified amount or percentage but a purchaser should review their plans and should have some input, through user groups or otherwise, into the direction of software development.
5. What will you use to determine if the software is functioning in the manner that you expected? What are the warranties surrounding such? Most software providers will warrant that the software will perform in accordance with its documentation but you should request that the basics of any functionality found in sales proposals, demos, RFPs or other material used to sell you on the software be part of the warranty.
6. A purchaser should consider whether the vendor routinely conducts a SAS 70 audit and makes the results available. A Type II report, which tests whether the controls operated over a period rather than merely describing them at a point in time, is the more useful one, and the purchaser should confirm that the controls examined actually cover the services being bought.
7. Since the purchaser has less control over the software used in a SaaS situation than in any on-site situation, a reputable vendor should be willing to provide an intellectual property indemnification that will pay for a legal defense (usually the biggest exposure for a user) and should provide an alternative if use of the subject system is enjoined or interrupted in any manner.
8. The escrow of source code, executables and other information necessary to carry on the processing if the vendor goes out of business or becomes unavailable should be considered. In most cases, this makes the user feel better but because of the long lead times involved, may be of marginal benefit.
9. Performance metrics, also called service level agreements (SLA) should be negotiated. Matters that are important to the user should be identified and reflected in the SLAs.
10. The foregoing are fairly standard components of most outsourcing contracts (which is what a cloud-based software agreement is, even when it is labeled a software agreement). Perhaps the biggest divergence of cloud-based solutions from standard outsourcing situations is security: where the data is located, who can reach it, and whether the system complies with Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley and international data transfer restrictions. If the user is a financial institution or is subject to HIPAA, the problem becomes particularly acute, and addressing those issues in a manner that lets regulated entities realize the benefits of cloud computing is a difficult process.

Now that we've looked at the Cloud from both sides now, it may be the Cloud's illusions we recall and that we really don't know the Cloud at all.  Or it may be just that we are out of cheesy cloud references.



Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin-based company called CoreTrace that features the whitelisting approach. When we asked, they were kind enough to provide us access to one of their subject matter experts.

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco

ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that good antivirus software should be run before Bouncer is installed, or Bouncer should be installed on new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer-protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much of a computer’s resources does the CoreTrace system use, and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive, but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real-time basis, must necessarily contain millions of virus signatures, and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Greg:  Not yet. Right now, our program is only deployed on an enterprise basis.
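The mechanism Greg describes (inventory the executables at install time, approve each by content hash, let the administrator pre-authorize a publisher, and do one lookup when a program launches) fits in a few dozen lines. The script below is an added example for this post and is not CoreTrace's or Bouncer's code. The file names, the publisher "Acme Corp" and its signing key are constructed for the demo, and an HMAC over the file stands in for the public-key code-signing verification a real product would perform. It also shows the caveat from the interview: a binary that was already on disk at baseline is approved along with everything else.

```python
"""Toy application allowlist ("whitelist") enforcer.

Added example, not CoreTrace's code. Models the behaviour described in the
interview: inventory the executables present at install time and approve
each one by content hash; thereafter allow a binary to launch only if its
hash is already on the list, or if it carries a valid signature from a
publisher the administrator pre-authorised. Real products verify
public-key code-signing certificates; here an HMAC over the file stands
in for that signature so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field


def sha256_file(path):
    """Content hash of a binary: the identity the allowlist is keyed on."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sign(publisher_key, path):
    """Publisher side: detached signature over the binary (HMAC stand-in)."""
    with open(path, "rb") as fh:
        return hmac.new(publisher_key, fh.read(), hashlib.sha256).digest()


@dataclass
class Allowlist:
    hashes: set = field(default_factory=set)
    publisher_keys: dict = field(default_factory=dict)

    def baseline(self, directory):
        """Install-time inventory: approve every file found, as-is.
        Caveat from the interview: anything already present, including an
        existing infection, is approved along with everything else.
        """
        approved = 0
        for root, _dirs, files in os.walk(directory):
            for name in files:
                self.hashes.add(sha256_file(os.path.join(root, name)))
                approved += 1
        return approved

    def authorize_publisher(self, name, key):
        """Pre-authorise a publisher so its future, signed releases run."""
        self.publisher_keys[name] = key

    def is_allowed(self, path, signature=None):
        """Launch-time check: one hash, one set lookup, then a signature check."""
        if sha256_file(path) in self.hashes:
            return True
        if signature is None:
            return False
        return any(hmac.compare_digest(sign(key, path), signature)
                   for key in self.publisher_keys.values())


def _write(directory, name, content):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def demo():
    """Constructed scenario: baseline two files, then attempt five launches.
    Returns (number of files approved at baseline, {label: allowed?})."""
    with tempfile.TemporaryDirectory() as d:
        editor = _write(d, "editor.exe", b"MZ editor 1.0")
        # Constructed: an infection that was already on disk before install.
        worm = _write(d, "oldworm.exe", b"MZ pre-existing infection")
        al = Allowlist()
        approved = al.baseline(d)

        acme_key = b"acme-signing-key (constructed)"
        al.authorize_publisher("Acme Corp", acme_key)

        update = _write(d, "acme_update.exe", b"MZ acme update 2.0")
        dropper = _write(d, "zero_day.exe", b"MZ never seen before")
        results = {
            "editor": al.is_allowed(editor),                      # baselined
            "oldworm": al.is_allowed(worm),                       # baselined too
            "acme_update": al.is_allowed(update, sign(acme_key, update)),
            "zero_day": al.is_allowed(dropper),                   # no entry, no sig
            "zero_day_forged": al.is_allowed(dropper, b"\x00" * 32),
        }
    return approved, results


if __name__ == "__main__":
    count, outcome = demo()
    print(f"{count} files approved at baseline")
    for label, allowed in outcome.items():
        print(f"{label:16s} {'ALLOW' if allowed else 'BLOCK'}")
```

Two things worth noticing when you run it: `oldworm.exe` is allowed because the baseline trusts whatever it finds, which is exactly why the interview says to clean the machine first; and the never-seen `zero_day.exe` is blocked without any signature database, which is the whitelisting argument in one line.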

Microsoft sues SalesForce.com for Patent Infringement


Ina Fried of CNET reported this week that Microsoft filed a patent infringement case against Salesforce.com. Salesforce.com is, among other things, a customer relationship management (CRM) software company that delivers its product through the cloud. Microsoft is no stranger to patent lawsuits; in fact, it was just ordered to pay $200 million to VirnetX in a patent infringement suit over VPN technology. The peculiar thing about the suit against Salesforce.com is that Microsoft is the one doing the suing. Microsoft has filed only four suits against competitors. Most infringement disputes involving Microsoft end up in some type of license agreement with the alleged infringer (see HTC), under which Microsoft collects damages and then licenses its technology to the competitor. This case, however, appears to carry more uncertainty.


It is no secret that Microsoft is one of the more established players in the IT world. However, Microsoft, along with everyone else, has been losing ground to Google. Microsoft and Google are competitors in e-mail (Gmail/Hotmail), browsers (Chrome/IE), search engines (Bing/Google), electronic documents (Office/Google Docs), and soon in operating systems (Windows/Chrome OS). Microsoft is attempting to chase Google into the cloud computing realm, as evidenced by the direction Office 2010 and other products are trending. The lawsuit against Salesforce.com might be just another way to gain ground. One of the benefits of being in the game as long as Microsoft has is ownership of some of the foundational technology we all use today. Take a look at the subject matter referenced in these patents:


- 7,251,653: Method and system for mapping between logical data and physical data
- 5,742,768: System and method for providing and displaying a web page having an embedded menu
- 5,644,737: Method and system for stacking toolbars in a computer display
- 6,263,352: Automated web site creation using template driven generation of active server page applications
- 6,542,164: Timing and velocity control for displaying graphical information
- 6,281,879: Timing and velocity control for displaying graphical information (the '164 patent above looks to be a continuation of this one)
- 5,845,077: Method and system for identifying and obtaining computer software from a remote computer
- 5,941,947: System and method for controlling access to data entities in a computer network


All of these patents touch on pieces of cloud-delivered software. That is no surprise, since Salesforce.com is run from the cloud, but it does raise the question of what Microsoft will do next. Will it pursue other companies that arguably infringe these broad patents? Is it trying to get some enforcement value out of its patents before the Supreme Court returns an opinion in In re Bilski? Or is it just trying to get another license agreement?

Google's Chrome OS to Finally Launch on Acer Netbooks

Google's much anticipated operating system, Chrome OS, will finally be revealed at the Computex Taipei show early next month.  Reportedly, Acer will launch netbooks equipped with Chrome OS.  Via venturebeat.com:

It’s still unclear how Chrome OS-equipped netbooks will coexist with those running Google’s Android mobile operating system. We’ve known that Android netbooks would begin popping up this year since early 2009, and even Acer announced its intention to sell them.

This comes one day after Verizon CEO, Lowell McAdam, announced they were working with Google to create an Android-based tablet to rival Apple's iPad.

Update:  Acer has now denied the reports that they will be introducing netbooks running Chrome OS at Computex so we will have to wait a little longer to see the operating system in action.  In the meantime, here are some screenshots of what it might look like.


ASP, Software as a Service, Cloud Computing or Whatever the Kids Are Calling It These Days. Part III of a Trip Down Memory Lane

In a previous post, we chronicled the evolution of the provision of computing resources from the days of gigantic, room filling behemoths requiring chilling towers and close proximity to the users to the emerging concept of “cloud” computing where the computing resources are “somewhere out there” in the undefined, amorphous thing called the “cloud”.
In this post, we will discuss the evolution of the provision and use of software from floppy drive, hard drive based software to the cloud applications of today.
Once again, please forgive the trip down memory lane. At the advent of my legal career, the use of computers in anything other than a giant research lab was only a gleam in somebody’s eye. In my law office, documents were created on manual typewriters with carbon paper and onion skin. Lawyers dictated into a machine the size of a small refrigerator or to a stenographer who took it down in shorthand and transcribed it. It's true. 

Look it up on the interwebs. This is how it really happened. Electric typewriters with automatic correction capabilities (tamping a white, chalky substance into the indentation made by the incorrect character) were a big breakthrough. Then we stepped into the new age. We obtained two “magcard” word processors that truly were the size of refrigerators and made so much noise that they had to be housed in a separate room lined with insulating material. The “software” was hard wired and resident on the machines, and the documents were recorded on a magnetic card the size of the older data entry cards. These cards were read by the machine, which activated an electric typewriter that pounded out the document until a “stop code” was reached, whereupon an operator inserted the appropriate words in the blank. We were cutting edge.
At some point in my career, I was fortunate to obtain a job in-house with an outsourcing and software company, although I had neither experience nor knowledge of any such things. This company managed data centers (primarily for banks) and produced software (again primarily for banks) for giant, honking mainframes. Desktop computers were still the exception rather than the rule. In fact, my company had a “desktop czar” that had to approve all purchases for desktops (even in a “technology” company!). The software was generally written in COBOL and the computing resources were generally in the same room or building as the user and ordinarily owned by the company employing the users. The company I worked for changed that paradigm somewhat by entering into agreements whereby they purchased the computer equipment from the customer, hired the customer’s data processing personnel, operated the data center in place on the customer’s premises and installed my company’s proprietary software in the data center over the course of the contract term. My company also did some remote facilities management where they owned the data center off site from the customer and provided remote processing through dedicated lines. In all cases, the customer could touch, feel and taste the computing resources if desired.
Fast forward to the Internet age and then fast forward again to the age where massive amounts of computer resources are looking for users as opposed to the reverse. 

Continue Reading...

Cloud Computing - Part 2.0 - Evolution (or just intelligent design?)


The first part of this entry was published on March 11 here.  The saga continues. 

In the 1980s, for large data processing users, the cord ran from a workstation to a mainframe or AS/400, which was often in the same room or in close proximity. The cord was whole, undivided and dedicated. Nothing would interfere with the communication between the workstation and the processor unless the cord was cut or the commands from the station caused the processor to work harder. Most of the computing assets were owned and maintained by the users, and programming and maintenance staffs were huge.
The next step was removing the processor from the general vicinity of the workstation. The processor could be in the next building or the next county or state but was still connected by a dedicated cord (e.g. a dedicated T1 phone line or equivalent).
At some point in this process, it became advantageous for some users to not own the computing resources and “outsourcing” or “facilities management” came into vogue. With these delivery models, a party other than the user owned and controlled some part of the computing environment. However, both parties together owned and/or controlled the entirety of the environment with the exception of the lines leased from the phone company. Some companies even used the satellite transmission of data so the connecting “cord” traveled from the user to a satellite, down to the processing site and then in reverse.
Along with these changes, the processing environment became more diverse. Instead of connecting with one machine or one logical partition within the machine, data may be processed on numerous machines and stored on others and may be moved from one machine to another as needed by the processor and to optimize computing efficiency. At this point, the user could not directly identify the specific machine upon which its data resided or was processed, although the user generally knew the location of the data center or centers and could, if necessary, walk in the door and see and touch the machines where the data was processed and stored.
Cue the Internet.

Continue Reading...

Will Microsoft Survive the Cloud Revolution?


For over three decades, Microsoft has been arguably the most important and pervasive company in our day to day lives. But could the “Decade of Cloud Computing” end that reign? There is a very good article over at ZDnet.com examining that subject.  

"Under these conditions, how can we expect a company like Microsoft to welcome with open arms a Tsunami named Cloud Computing which will sweep away three quarters of its earnings and market valuation?" 

Microsoft is obviously too big to go away over night, but it will be interesting to see how it adapts to the changing industry over the next decade.


Cloud Computing: Game Changer or Next Buzz Word

“Cloud” computing has garnered a lot of attention lately. Not as much as the iPad, but sufficient buzz to warrant the examination of this phenomenon and to determine what impact, if any, it has on the legal landscape, i.e. is this sufficiently different to require new legal approaches and what aspects of agreements relating to cloud computing should be examined carefully with this delivery model?

Over the next few weeks in this blog, we will examine how we got to this point, how cloud computing differs from previous delivery models and how it is similar. We will look at the evolution of computing and the evolution of legal concepts to address such evolution and we will try to determine what changes in contract language and deal structure need to occur to address issues unique to cloud computing.

Continue Reading...