"How E-Voting Threatens Democracy" (Wired News, 3/29/04) reports on Bev Harris' discovery of 40,000 Diebold emails including source code and live vote data from California. The political and legal drama caused by her subsequent disclosures of the content is having continuing impacts as we approach elections.
Thanks to beSpacific: "Commentary on the Growing Concern With E-Voting Technology" (3/29/04)
Universities facing issues of unauthorized file sharing may find value in a new report, "University Policies and Practices Addressing Improper Peer-to-Peer File Sharing," issued by the Education Task Force of the Joint Committee of the Higher Education and Entertainment Communities of the American Council on Education.
Intended to be "illustrative, not prescriptive," it includes examples of institutional responses to various P2P and copyright issues. The Committee was formed in December 2002 to work collaboratively to address the problem of unauthorized file sharing. An August 2003 paper on the legal aspects of P2P file sharing, "Background Discussion of Copyright Law and Potential Liability for Students Engaged in P2P File Sharing on University Networks," is available on the American Council on Education web site in PDF form.
Thanks to: The Chronicle: Daily news: 03/30/2004 -- 04 (subscription required).
Seton Hall Law School Institute of Law, Science & Technology hosts a symposium on Peer-to-Peer networking and the law, scheduled for April 16, 2004. The registration fee is nominal, and students will be admitted free.
Thanks to Seton Hall Prof. David W. Opderbeck, Associate Director of the Institute.
M.I.T. has released CADDIE.net software for free downloading. Created by the Intelligent Engineering Systems Laboratory (IESL) using Microsoft Web technology to enhance education processes for professors, students and administrators, it is described at the illustrative site CADDIE.NET Team Server Portal:
"Developed to be highly scalable across institutions and countries, it can support an unlimited number of courses and students. The CADDIE Collaborative Architectures for a Distributed Instructional Environment is designed to take advantage of the wide range of collaboration technology available on today's highly scalable Web Platforms, including messenger, voice over IP and real time and streaming video."
MIT's OpenCourseWare project currently provides free educational materials online for some 500 courses from 33 academic disciplines and all five of MIT's schools.
Athabasca University in Alberta, Canada offers free online access to its collection of "individual practitioners' views of the principal pedagogical and course management opportunities and challenges raised by the move to an online environment" (quoting from the Preface). The online education methods they developed were a necessary response to a fiscal crisis in the 1990s. The methods resulted in a dramatic improvement in the quality and quantity of the University's offerings. They now share as a gift the benefit of their faculty's experience.
From the Introduction: "This book is written by authors from a single university — Athabasca University — which has branded itself “Canada’s Open University.” As an open university, we are pleased to be the first such institution to provide a text such as this one as an open and free gift to others. The book is published under a Creative Commons license (see http://creativecommons.org) to allow for free use by all, yet the copyright is retained by the University (see the copyright page for license details)."
Thanks to the Legal University Weblog for this discovery.
Legal Aid University, the online campus of the Legal Services Training Consortium of New England, provides access to educational and professional development resources supporting the work of the national civil legal aid community. Their new weblog provides resources for distance learning for lawyers and includes "Notes & Thoughts from Tufts Director of Academic Technology" (3/9/04) from the author's lunch with Tufts' David Kahle.
James Grimmelmann comments in LawMeme - Great Ideas Dept.: Open Source Insurance about news that Open Source Risk Management may counsel companies about managing the risk of being sued by SCO. Below are some comments I added to his posting.
James, I took a look at OSRM's site, and thought about your comment that it would not be likely to have sufficient capital to respond if many SCO suits came in at once.
OSRM, from all I can see on their site, does not hold itself out as an insurer or even an insurance broker. Rather, it is a provider of fee-based risk management, consulting and training. Such companies take a fee from the ultimate customer in order to independently evaluate and advise regarding the management of risk, but do not sell or provide insurance coverage. I know of no real capital requirements to operate as a risk manager.
A risk manager may advise their clients about available insurance and introduce them to licensed brokers representing companies that offer such. A risk manager may advise a client to self-insure, or join with others similarly situated to form a risk pool, perhaps set up an offshore captive insurer owned by the pool members to which the risk may be transferred. They might even administer such a pool, acting as a third party administrator or "TPA". State regulation of TPAs varies.
If actual insurance were to be available, it would have to come from an actual insurer, which would need to have capital and/or reinsurance. I did not find anything on the OSRM site that indicated that any particular insurer was offering this type of coverage. That does not surprise me, because coverage like this is quite unusual, and there are very few players in the market.
This sort of coverage is *not* likely to be offered by a standard, licensed insurer with offices and agents in the prospective insured's state. It's the sort of non-standard coverage that would typically come from a "surplus lines" insurer licensed out-of-state or outside of the U.S. Most folks are familiar with the unusual types of insurance written by Lloyds of London, whose underwriters are an example of a S/L carrier. There are many others less well known, some that are subsidiaries of famous companies.
S/L carriers are not licensed or regulated by states (other than the state where they may be domiciled) so that buyers need to do due diligence. Risk managers are useful in that due diligence, because they are (usually) not compensated by the insurers with which the risk may eventually get placed.
Purchase of S/L coverage is typically through a specially licensed surplus lines broker, an insurance intermediary that takes a commission from the insurance company for the service of arranging insurance coverage for particular insureds with an insurer not licensed in the insured's state.
You've put your finger on the main challenge for any underwriter thinking about putting out a line on this type of risk ... lack of distribution of the potential hazard. If SCO starts a suit campaign, and only one or two insurers cover the whole waterfront, they will be hit hard.
Such can be handled much like "retroactive" coverage ... which is sometimes purchased *after* a disaster. In essence, the insured, who has already been sued or expects to be sued because of some known event, pays a premium that the insurer figures will cover the costs of defense, indemnity, its administrative costs and a margin for profit. The transaction may be beneficial to both parties because the insured can take a business expense deduction in the year the premium is paid (rather than over the ensuing years of defense and ultimate payout).
Unlike the insured, the insurer *is* allowed to deduct its actuarially justifiable reserve for all that anticipated expense and indemnification, in the year the premium is paid. If the likely main pay-out is several years away, the insurer may also be able to generate investment income on the premium paid by the insured over the years of defense. So, there are tax advantages for the customer in placing the risk into an insurer.
Either way, the coverage is likely to be expensive, if available at all. The more likely the coming lawsuits, the more expensive it will be. In some cases, the premium will equal the limits of coverage, so that it may be somewhat like a banking transaction. Under IRS rules, there must be sufficient transfer of risk to the insurer for the premium to be deductible, however.
One may ask: "but isn't the real value of such a policy in the insurer's coverage of defense expenses?" Good question. Many surplus lines policies provide that defense is "within the limits," so that payouts for defense costs reduce the remaining limit for indemnity. If one has a million dollar limit, and the insurer pays out $750k to defend, there may only be $250k left for any indemnity or settlement. Careful analysis of the policy language by an expert may reveal similar limitations.
Surplus lines coverage prices are also volatile, because they are not regulated. So, if a flurry of lawsuits hits the cover, the renewal may be *dramatically* more expensive. And, if the management of the insurer changes and decides it no longer has an appetite for that type of risk, the coverage may get prohibitively expensive or simply unavailable. It is not unusual to find that there are no other sources of the coverage at such times.
Insurers sometimes fail and become insolvent. In the US, all insurance insolvencies are handled under state insurance insolvency law, not federal bankruptcy law. Also, except in one or two states, surplus lines insurers are *not* covered by insurance guaranty funds, which act in a way like FDIC or FSLIC to pay some claims of insolvent insurance companies. Purchasers of insurance from a surplus lines carrier that becomes insolvent may have little recourse except to wait for their share in the insolvency proceeding in the insurer's home jurisdiction. If the insurer is domiciled in a jurisdiction outside the U.S., the insolvency laws may be less favorable to creditors (policyholders) than is the case in the U.S.
Even in the U.S., insurance insolvencies often take decades to liquidate, if the principal liabilities are disputed "long-tail" claims and the principal assets are reinsurance policies with reinsurers that are financially strained, insolvent or just plain stubborn. Reinsurers may be particularly stubborn about paying claims of insolvent insurance companies, because they cannot produce future business for the reinsurer.
When caveat emptor is the word of the day, independent advice is most valuable, so that a good risk manager may be worth the investment.
Douglas Simpson, J.D. "Unintended Consequences" at DougSimpson.com
Sloppy work by an inexperienced system administrator exposed every sensitive Senate Judiciary Committee file created since August 2001, according to Calpundit's analysis of the Pickle Report. Authors of comments to his post disagree on whether or not the exploitation that resulted was criminal; most agree it was predictable given the lack of basic security precautions. Calpundit: Memogate
One might ask what has changed since the revelations, and how many other governmental networks are run with a similar level of security.
Thanks to Ernie the Attorney "Oops! - my computer system accidentally gave the enemy a look at my information"
Although Homeland Security asked for special analysis and monitoring of the new worm that uses P2P technology to surreptitiously network infected computers and then use them for malicious attacks or spamming, many security authorities rate its threat level as low ... for now, says the Times. Malicious Computer Worm Detected (New York Times 3/18/04)
MATRIX (Multistate Anti-Terrorism Information Exchange) describes itself as "a pilot effort to increase and enhance the exchange of sensitive terrorism and other criminal activity information between local, state, and federal law enforcement agencies." Created by a private company for the state of Florida after 9/11, it had 16 states participating at one time, but most have since withdrawn. Privacy is one concern, according to a 3/15/04 article in the New York Times. Privacy Fears Erode Support for a Network to Fight Crime
Supporters of MATRIX had expected that the number of participating states would increase, but the number has instead shrunk to five as of last week. Among those expressing concern over privacy and seeking more information about the workings of the system are the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC), says the Times.
See MATRIX's FAQ.
See also ACLU's 3/11/04 feature on MATRIX, including links to FOIA requests and documents received in response.
Senate Republicans and Democrats signed a letter to Atty. Gen. Ashcroft, calling for criminal investigation of allegedly improper disclosure of Senate Judiciary Committee files by a former staffer. It called for the appointment of a "professional prosecutor who is free from all conflicts and appearances of conflict -- or, if appropriate, a special counsel -- who has full investigatory, charging and reporting authority."
The letter cited Patrick Fitzgerald, the U.S. attorney now investigating the leak of the identity of CIA operative Valerie Plame, as an example of the sort of counsel needed. Signed by Judiciary Committee Democrats Charles E. Schumer (N.Y.), Richard J. Durbin (Ill.) and Edward M. Kennedy (Mass.) as well as Republicans Lindsey O. Graham (S.C.), Saxby Chambliss (Ga.) and Mike DeWine (Ohio), the letter is online courtesy of TalkingPoints.com.
More in the Washington Post: "Senate Panel Agrees to Seek Federal Probe: GOP Aides' Accessing of Democratic Files at Issue," Washington Post March 12, 2004, p. A21 (free registration required). In that article, lawyers for Manuel Miranda are quoted as calling "remarkably negligent and biased" the recently released report by the Senate Sergeant-at-Arms William Pickle that identified Mr. Miranda in connection with allegations of inappropriate access to confidential computer files.
See also: Unintended Consequences: Senate Judiciary Computergate: Criminal?
And "Pickle Report Names Staff in Judiciary Files Scandal" (Unintended Consequences March 6, 2004)
In "Hack the Vote," VF probes the partisan politics, murky accountability and lurking felons inside the e-voting systems industry and the government procurement decisions regarding it. As author Michael Shnayerson prefaces it, "this is a story of good intentions gone awry, of Congress bamboozled into thinking the machines were ready when they weren't, of county and state election officials softened over lavish dinners into endorsing one kind of machine over another, with some later induced to take jobs at voting machine companies. And like most American stories it's about money -- big money, $3.9 billion, showered on the states to buy the machines, and buy them fast." Vanity Fair, April 2004, p.158.
The article provides an overview of the rogues' gallery of the players in government and in the private sector (including the convicted felons) who have been close to several surprising political upsets in states using the new D.R.E.s -- direct recording electronic voting systems. It provides some sympathetic background on the role of Bev Harris, to whom the Diebold email archive was leaked, and her new book "Black Box Voting: Ballot Tampering in the 21st Century" (Talon 2003). BlackboxVoting.org
A perennial favorite of sophisticated readers for its rich writing and photography, and its eclectic journalism of "people, personalities and power," Vanity Fair announced in its inaugural issue (1860) that it "looketh upon all politics as vanity, and will, therefore, persistently intermeddle therewith." Vanity Fair, 1860, p. 13
Vanity Fair content is not available online. Subscribers received the April issue this week -- it's the one with Keira Knightley (Bend it Like Beckham and Pirates of the Caribbean) on the cover. Other articles include "MacBush," a satire of the Bush presidency as a Shakespearean tragic drama; "The Laptop Brigade," about webloggers' infusion of "passion and independence" into journalism; Dominick Dunne's diary on the Martha Stewart trial; and Marie Brenner's investigation of forced marriages of Islamic girls in France, "Daughters of France, Daughters of Allah."
See also "Bev Harris on E-Voting and DMCA" (Unintended Consequences, Feb. 24, 2004)
The Senate Judiciary Committee named two Senate staffers in a report on the unauthorized use of its computer system. Both were in the office of Republican Senator Orrin Hatch. The report, in two parts here and here, documents the results of the investigation by Senate Sergeant-at-Arms William Pickle. Sen. Patrick Leahy called for a criminal investigation.
The report found that the staffers' computers held some 4,670 unauthorized files, most of them Democratic strategy documents. The leaked memos had been publicly posted to the Internet by the conservative Coalition for a Fair Judiciary and at this writing were accessible here.
Senator Patrick Leahy, ranking Democrat on the Judiciary Committee, called for a criminal investigation by the Department of Justice in a March 4 statement. In it, Sen. Leahy said, in part:
Sen. Orrin Hatch (R-UT), Judiciary Committee chair, said that "I am mortified that this improper, unethical and simply unacceptable breach of confidential files occurred," according to the New York Times. "There is no excuse that can justify these improper actions."
According to Jurist's Paper Chase on March 5, an unredacted version of the report was released to the press and identified the two individuals whose names were redacted from the official version intended for publication.
CNN quoted one of the two staffers, Manuel Miranda, earlier this year as saying he was not concerned about a criminal probe. "I am worried about absolutely nothing, and at least if it were to go to a criminal investigation, it would go to the hands of adults," he told CNN. Miranda resigned from the staff of Senate Majority Leader Bill Frist, (R-TN), when the story about the documents first broke, and CNN quoted him as saying that he violated no laws and that the documents in question were neither confidential nor classified.
Downstream republishers of cracked secrets take limited comfort from the 2/27/04 decision for Andrew Bunner by the Court of Appeal in California. Limited to a ruling on a preliminary injunction, the opinion finds "little question" that the sharing of DeCSS "is unethical and that it probably violates other laws." But an injunction against information no longer secret "can be justified only on a rationale of punishment and deterrence * * * ordinarily inappropriate in trade secret actions."
The opinion invites further research and analysis around its apparent limitations:
On February 27, 2004, a California appeals court ruled that an injunction against Andrew Bunner's publication of DeCSS constituted an improper prior restraint. The decision was in large part based upon the finding that the encryption algorithm affected by DeCSS had lost its "trade secret" status due to extensive publication of DeCSS over the Internet to "a worldwide audience ready and waiting to download and repost it." Electronic Frontier Foundation has the Court of Appeals decision in PDF.
Bunner was sued under California's Uniform Trade Secrets Act ("UTSA"), (Civ. Code §3426 et seq.) which protects information that is valuable because it is unknown to others. The Court decided only the propriety of an injunction against Bunner's disclosure of the information, not the propriety of other forms of deterrent sanctions.
The Court of Appeals found the element of secrecy important for two reasons, in both of which a temporal element was important:
According to the Court, the record showed that Bunner was a downstream discloser of information that had already passed into public knowledge. The Court quoted July discussions on Slashdot about interest in cracking CSS as evidence of "a worldwide audience ready and waiting to download and repost" DeCSS when it first appeared on October 6, 1999. By November 1999, DVD CCA had spotted and noticed 66 websites hosting either DeCSS or links to it, and Wired magazine had written that DeCSS was on the Net. See "DVD Piracy: It Can Be Done" (Wired November 1, 1999)
Bunner does not shield the original cracker.
None of these facts would apply to the original cracker. The Court noted the common theory that Jon Johansen, a Norwegian resident, cracked the CSS code by means of reverse engineering and was the original source of the DeCSS code. Had "DVD Jon" not shared DeCSS, it would not have become public knowledge.
In December, a Norwegian appeals court affirmed the acquittal of Jon Johansen on criminal charges of breaking the CSS copy protection on DVDs he bought. The charges were brought by the Norwegian Economic Crime Unit (ØKOKRIM) under Norwegian Criminal Code 145(2), upon the complaint of DVDCCA and the Motion Picture Association of America (MPAA). The Norwegian court ruled that his action was legal under Norwegian law. An earlier acquittal had been appealed by the government. See "Legal victory for 'DVD hacker'," BBC News 12/22/03, and "'DVD-Jon' Defeats Hollywood: Consumer Rights Upheld in Norway," IP Justice.
Questions for further study:
The case of Russian programmer Dmitri Sklyarov is illustrative. While in Russia, Sklyarov allegedly programmed a bypass of Adobe's technical protection measures ("TPM"). While in the United States at a DEF CON conference speaking about the resulting software, Sklyarov was arrested and charged with a criminal violation of the DMCA, based upon a complaint by Adobe. The Justice Department later dropped charges against Sklyarov, allegedly in return for his testimony against his employer ElcomSoft (a software company based in Moscow) on a similar charge. At a jury trial in December 2002, ElcomSoft was acquitted. Post-verdict interviews with the jury indicated that they found that the ElcomSoft code was probably illegal, but that the DMCA was sufficiently confusing that they were not convinced that ElcomSoft's Russian managers knew that sharing the code they wrote was criminal.
The Bunner Court was careful to distinguish a case cited by the plaintiff, Underwater Storage, Inc. v. United States Rubber Co., 371 F.2d 950 (D.C. Cir. 1966). In that case, a Navy contractor took trade secrets and republished them as its own know-how. The Underwater Storage Court rejected the argument that subsequent publication insulated the defendant from liability for misappropriation, saying: "Once the secret is out, the rest of the world may well have a right to copy it at will; but this should not protect the misappropriator or his privies." 371 F.2d at 955.
Questions for further study:
Bunner does not shield sharing in a closed community.
In the Bunner case, the enthusiasm and anticipation of the global programmer community for a CSS decoder, together with the culture of free code sharing, meant that wherever the threshold between "public knowledge" and "still secret" lay, it was quickly crossed. The Bunner Court did not attempt to define that threshold. Doing so will be more pertinent in a case in which the information was held more closely.
The Court noted that this case "does not fit neatly into classic business or commercial law concepts." Typically in trade secret cases, a competitor wrongfully takes trade secrets to exploit them, and has no interest in sharing the advantage with others (except perhaps for a sufficiently valuable consideration). Had DeCSS been held more closely and shared only among a controlled circle of users, it may never have reached the level of public disclosure that sacrificed its status as a trade secret.
Consider, hypothetically, a secret resale or exchange of code exploiting a trade secret, or confidential data wrongfully obtained. Such might be distributed through a controlled access "darknet" or among a limited number of conspirators -- none of which put it on the open Net. Would such breach the "public knowledge" threshold?
As holders of intellectual property rights and security organizations become more aggressive in monitoring and enforcing casual sharing of protected content, they may tend to drive "warez" swappers and users underground, into closed, "virtually gated" online communities. Entry to such communities may require exchange of valuable consideration, either in the form of cash, copyrighted code or secret data. The exclusivity and secrecy of such private networks may itself disqualify them from the protection of the Bunner decision's logic. Such networks may also be usefully analyzed under state, federal and international laws regarding conspiracy and racketeering.
Bunner does not shield against liability under other laws.
The Court's decision made clear that it was limited to the propriety of an injunction under the UTSA, and that the disclosure of the DeCSS code "is unethical and that it probably violates other laws. But what is in the public domain cannot be removed by action of the states under the guise of trade secret protection." Citing Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 at 481 (1974).
The DVD CCA did not bring claims under the DMCA, and there was no indication of complaints under the California law criminalizing theft of trade secrets (California Penal Code §499c) or the Economic Crime Act (California Penal Code §1203.33), which has been interpreted to cover theft of trade secrets valued over $50,000. People v. Farell, 48 P.2d 1155 (Cal. 2002). The narrow scope of the Court's decision leaves open the possibility of civil or criminal prosecution of original and "midstream" distributors of the DeCSS code under those statutes or others like them in force either inside or outside of the United States.
Copyfight has links to a variety of commentators on the decision: Copyfight: the Politics of IP
Due to the volume of comment spam, I have turned off comments on this posting. Trackbacks are welcome, as are private comments via email.
Chair Tom Davis of Virginia opened with the statement:
Henry Waxman of California added more context:
"Today we are exploring another aspect of computer security: how worms and viruses spread rapidly across the Internet, finding unprotected computers. We also will learn how millions of people are using wireless networks, many unaware that their computers are vulnerable to attack. Business, governments, and individual home users are at risk for computer invasion. Efforts must be taken by all users to make the Internet more
Thanks to beSpacific for this link. beSpacific: Impact of E-Mail Security Issues on Gov't, Corporations and Home Users
A House Fact Sheet on HR 3159, the "Government Network Security Act of 2003" (passed the House in Fall 2003).