Category Archives: Other IP

Intellectual Property Under Attack by Secret Chinese Military Unit

Does this sound like a Michael Crichton novel?  We can only hope.  Several news agencies are reporting on a study released by Mandiant, an American computer security firm, that has traced huge volumes of hacking activity to a building in a rundown neighborhood of Shanghai believed to be under the control of a Chinese military unit identified as the “Comment Crew” or “Shanghai Group.”


What are they after?  In addition to orchestrating attacks against high-level US and Canadian government interests, they are increasingly targeting the intellectual property of companies involved in critical infrastructure such as the electrical power grid, gas lines, and waterworks.  Other industries targeted include information technology, aerospace, military contractors, satellite and telecommunications, financial services, and even legal services.  The group is reportedly draining terabytes of data from these sources.


The study details the efforts of the Comment Crew in hacking Coca-Cola during its acquisition of a large Chinese company, presumably in an effort to uncover negotiation strategies and other information critical to the deal.  The attack was traced to a “spear-phishing” email sent to a Coca-Cola executive.  The email appeared to be from a friend and included a link that initiated the download of malicious code.  The executive clicked on the link.


The group is also believed responsible for a similar attack on RSA, the computer security company owned by EMC, a large technology company. RSA is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors, and many major companies.


Scary stuff indeed!  Cyberwarfare, or government-sponsored cyberattacks, is not new, and there have been many high-profile incidents in the news.  According to former US national security advisor Richard Clarke, Israel used cyberwarfare to make its planes invisible to the Syrian air command system during a 2007 bombing raid carried out against a nuclear facility under construction in Syria.  The US and Israel are believed to be responsible for the attack on an Iranian uranium enrichment facility that supposedly destroyed several pieces of key equipment using a highly sophisticated computer virus.  The Chinese are also believed to have gained access to key elements of the F-35 advanced fighter jet when they hacked into the computer systems of BAE Systems, a British defense contractor.


In an attempt to head off more of these types of attacks, the Obama administration last week issued a cybersecurity executive order designed to promote security through a joint government and industry self-monitoring program.  The order puts into place key elements of the cybersecurity legislation that was defeated last term by a Republican filibuster and was opposed by key groups like the US Chamber of Commerce for fear that it would place undue regulatory burdens on business.


Government-sponsored cyberattacks on business are a relatively new phenomenon and seriously escalate the risks of business-to-business dealings.  I suspect we only know the tip of the iceberg when it comes to hacking, and the protection of key business intellectual assets should be at the forefront of all business dealings.  It would appear that you cannot really be too cautious these days.


Protecting Intellectual Property Through Cybersecurity: Does an asymmetric threat call for a centralized solution?

It may be generally understood that globalization has resulted, at least in part, in an increase in the dissemination and popularization of technology, information and finance. Smart phones, social media networks, open source technologies, and crowd sourcing (whether for ideas or funding) are some examples of this trend.  But when it comes to protecting your intellectual property and privacy in this sphere (e.g., cybersecurity), all that glitters is not gold.  This proliferation aids state and non-state actors to level the playing field against a target by working as a multiplier for an individual or group’s ability to wreak havoc.

Whether you are a shoe retailer (e.g., Zappos.com) or a cybersecurity firm (e.g., HBGary), computer hackers may now directly target and disrupt your business operations with relative ease.  See, e.g., Cyber Attacks on IP: A Civil Response.  And unfortunately, these threats are not isolated incidents.  McAfee® recently published a white paper that analyzed “Project Blitzkrieg,” a plan hatched by vorVzakone (Russian for “thief in law”) in which he has urged the “underground to join him in attacking 30 US banks.”

These attacks are not driven merely by anarchists or crime syndicates.  For instance, Bloomberg, among others, reported this last summer that a group codenamed “Byzantine Candor” by the U.S. intelligence community, which links it to China’s People’s Liberation Army (i.e., the national military), was behind the hacking of the president of the European Union Council, Halliburton Co. and the Washington D.C. law firm of Wiley Rein LLP.  In that report, Bloomberg quoted Shawn Henry, former executive assistant director of the Federal Bureau of Investigation (FBI) in charge of the agency’s cyber division, as saying: “What the general public hears about — stolen credit card numbers, somebody hacked LinkedIn — that’s the tip of the iceberg, the unclassified stuff. I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.” Indeed, last month The New York Times reported that Kaspersky Lab (a Russian cybersecurity firm) had announced that “it had identified a sophisticated cyberespionage campaign that has been in operation since 2007,” which targeted “a range of governmental and diplomatic organizations, mostly in Eastern Europe and Central Asia, but also in Western Europe and North America.” The investigation into this campaign showed that “the attackers engineered their malware to steal files that have been encrypted with a classified software, called Acid Cryptofiler, that is used by several countries in the European Union and NATO to encrypt classified information.” However, the New York Times further reported that Kaspersky Lab “said that the digital clues suggested that the perpetrators were Russian-speaking, but that the campaign did not appear to be the work of a nation state.”

These threats are not only real, but traditional security measures are wholly inadequate.  In its 2013 Technology, Media & Telecommunications Predictions, Deloitte recognized that passwords alone are not enough, predicting “that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT department, will be vulnerable to hacking.”  Deloitte thus predicts that “[i]nadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of companies compromised by attacks.”  In support of its predictions, Deloitte noted that “[i]n a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts.”  Further, Deloitte noted that “[a] dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can breach any eight-character password in 5.5 hours.”  This relatively small amount of time will only get shorter as technology continues to improve and tactics leveraging multiple persons and/or pieces of hardware (i.e., “crowd-hacking”) are employed.

Can Schools Seize Ownership of Students’ Copyrights?

The Washington Post reports that Prince George’s County Board of Education has proposed asserting ownership over student copyrights. The draft policy states:

Works created by employees and/or students specifically for use by the Prince George’s County Public Schools or a specific school or department within PGCPS, are properties of the Board of Education even if created on the employee’s or student’s time and with use of their materials.

Further, works created during school/work hours, with the use of school system materials, and within the scope of an employee’s position or student’s classroom work assignment(s) are the properties of the Board of Education.

Examples of works which the Board hereby takes ownership are:

1. PGCPS Website

2. Individual School Website

3. Curriculum documents

4. Instructional materials for use in PGCPS or a specific school

5. Software and platforms developed for use by PGCPS, a specific school and/or the Board

6. Other works created for classroom use and instruction

The issue of Board ownership over its employees’ copyrightable works is well-settled. Board ownership over student-created work is less settled.

The Board is a governmental actor, and therefore subject to the Constitution. In a draft outline, co-blogger Professor Cotter explains that the Fifth Amendment’s Takings Clause probably entitles a property owner to “just compensation” when their property—including intellectual property—is appropriated by the government. The Board’s proposal contemplates a condemnation-like power: “…the Board…hereby takes ownership.” Even if the Board has eminent domain or condemnation power under state or local law, its policy may still be ineffective at transferring ownership from student creators to the Board.

Federal law trumps conflicting state and local law. And 17 U.S.C. § 204 sharply limits how copyright ownership may be transferred:

A transfer of copyright ownership, other than by operation of law, is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or such owner’s duly authorized agent.

Some courts and commentators view the phrase “by operation of law” as referring to transfers of copyrights that are limited in number, and depend upon the owner’s express or implied consent. See Taylor Corp. v. Four Seasons Greetings, LLC, 403 F.3d 958, 963 (8th Cir. 2005).

It is unclear from the Board’s draft policy whether they expect students to consent to the Board’s assertions of ownership, or whether the Board is considering a policy to provide “just compensation” to students whose copyrights are taken by the Board.

The Suicide of Aaron Swartz: An Appropriate Platform For CFAA Reform?

The January 11, 2013 suicide of internet activist Aaron Swartz has sparked a debate about the proper scope and application of the criminal provisions of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.

Two days after his death, The New York Times reported that Aaron’s “family said in part: ‘Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. attorney’s office and at M.I.T. contributed to his death.’”  Similarly, The Rolling Stone reported  on January 23 that “Swartz’s friends and family have said they believe he was driven to his death by a justice system that hounded him needlessly over an alleged crime with no real victims,” and “Swartz’s tragic death has already begun forcing lawmakers to start rethinking our draconian computer laws. And House Oversight Committee Chairman Darrell Issa (R-California) even promised an investigation of the Justice Department prosecutors who did their best to send a young Internet pioneer to prison.”

Yet, George Washington University Law School’s Professor Orin S. Kerr of The Volokh Conspiracy has committed to writing a two-part post as an apology for the prosecution of Aaron.  Part 1 of Professor Kerr’s post summarizes the criminal charges against Aaron, describes the alleged criminal conduct and explains that:  “Aaron Swartz decided to ‘liberate’ the entire JSTOR database[, much of which is copyrighted, according to the indictment.] He wanted everyone to have access to all of the journals in the database, so he came up with a plan to gain access to the database and copy it so he could make it publicly available to everyone via filesharing networks.”  Professor Kerr tentatively concludes: “I think the charges against Swartz were based on a fair reading of the law. None of the charges involved aggressive readings of the law or any apparent prosecutorial overreach. All of the charges were based on established caselaw. Indeed, once the decision to charge the case had been made, the charges brought here were pretty much what any good federal prosecutor would have charged.”

Stanford Law School’s Professor Jennifer Granick disagrees, and she chastises Professor Kerr for lumping Aaron’s alleged conduct of “circumventing code-based restrictions” in with the crime of “using someone else’s password, which is the quintessential access without authorization” proscribed by the CFAA because, as Professor Granick explained, “[u]sing another person’s password gets you access to their files.  Circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download.”  Professor Granick, like Professor Kerr, has written a two-part blog post, entitled Towards Learning from Losing Aaron Swartz.

The outcry surrounding Aaron’s suicide is understandable.  As JSTOR recognizes: “He was a truly gifted person who made important contributions to the development of the internet and the web from which we all benefit.”  Yet a reform of the CFAA should be based on desired, rational outcomes, not a grief reaction to the tragic loss of Aaron Swartz.

Accordingly, any proposal for immediate reform should be received with equally immediate skepticism.  To illustrate, Forbes has reported that “an ‘Aaron’s Law’ that’s already been proposed to make those reforms may need serious tweaking if it’s going to prevent the next overzealous hacker crackdown.”  More specifically, Forbes quotes Tor Ekeland, the attorney for convicted hacker Andrew Auernheimer (a/k/a Weev), who recognizes that “[t]he [CFAA] is a prosecutor’s wet dream and a defendant’s nightmare,” and that “[a]mending the definition of unauthorized access to exclude [terms of service] violations is just putting a band aid on a gaping, gushing wound.”

Professor Granick proposes that we learn from losing Aaron.  I agree. But the lessons from the loss of such genius should be infinitely more thoughtful and intricate than some myopic fix of the CFAA.

“I know it when I see it.”

Federal trademark law prohibits the registration of a mark that includes “immoral, deceptive, or scandalous matter.” 15 U.S.C. § 1052(a). Today in In re Fox, the Federal Circuit affirmed a scandalous-based rejection under § 1052(a), effectively holding that one of these things is not like the other:

[Image: suckers]

“Cock Sucker” is scandalous, according to the Federal Circuit,

Supreme Court to resolve reverse-payment legality

The United States Supreme Court announced Friday that it has agreed to review the issue of reverse patent settlements in drug cases in Federal Trade Commission v. Watson Pharmaceuticals, Inc.  The Federal Trade Commission has been angling for nearly a decade to get this issue before the Supreme Court over concerns about the anticompetitive nature of these settlements. The actual question presented is pretty straightforward:

Whether reverse-payment agreements are per se lawful unless the underlying patent litigation was a sham or the patent was obtained by fraud, or instead are presumptively anticompetitive and unlawful.

The facts of these cases are troubling to many people.  The present case involves AndroGel – a testosterone gel product under patent until 2020.  A generic drug manufacturer filed documents indicating it planned to challenge the AndroGel patents by entering the market with a generic product.  The patent owner initiated patent infringement litigation to stop the generic, which was settled pursuant to a profit-sharing arrangement that included an agreement to keep generic versions of AndroGel off the market until 2015 in exchange for a considerable amount of money paid by the patent owner.  The patent owner was essentially paying to keep the generic off the market.

The FTC filed a complaint alleging the settlement violated antitrust law.  The district court dismissed the complaint stating that the FTC failed to state an antitrust claim.  The Eleventh Circuit affirmed the district court stating the general rule that absent sham patent litigation or fraud in obtaining the patent, a reverse payment settlement is immune from antitrust attack so long as its anticompetitive effects fall within the scope of the exclusionary potential of the patent.

In other words, as long as the infringement claim, and the patent it is based on, are not a sham, the settlements do not constitute an antitrust violation.  These settlements are controversial because the patent owner is paying the generic drug manufacturer (and alleged infringer) to keep a cheaper version of the drug off the market, allowing the patent owner to enjoy a longer period of exclusivity and therefore higher profits, without the patent owner proving its case or proving the validity of the patent.  The FTC’s position is that litigation that allows both litigants to benefit at the expense of the general public amounts to a conspiracy against the general public.

The Supreme Court is likely to take a strong look at these issues as they set directly into conflict intellectual property law, which is based on the idea of a monopoly, and antitrust law which abhors a monopoly.

Protect Your IP: Hashing Your Passwords

The legal system provides civil litigation as a means for vindicating IP rights that have been violated. But the best protection may lie in avoiding problems at the outset. Preventative self-help, you could call it.

[Image caption: What you're looking at is not actually a database.]

Passwords are a first line of defense for protecting intangibles—whether trade secrets, copyrighted materials or pre-patent information. Recently there’s been a spate of stories about password security breaches: LinkedIn, Yahoo Voices, others. Even well-known computer security companies, like RSA, are vulnerable to data breaches.

So it’s worth asking, how are passwords protected in the computers that store them?
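The question above, and the Deloitte figures quoted earlier on this page (the 10,000 most common passwords opening 98.1 percent of accounts; eight-character passwords cracked in hours), both come down to how a site stores the password it is given. The following is an added example, not code from the blog post or from any of the companies it names: it stores each password as a salted, deliberately slow derived key (PBKDF2-HMAC-SHA256 from Python's standard library), verifies a login attempt by re-deriving from the stored parameters, and refuses passwords that are short or on a small common-password list. The iteration count, the record format and the common-password list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the post): a deployment would tune the
# iteration count to its own hardware budget, or use Argon2/bcrypt/scrypt.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

# Constructed stand-in for the "most common passwords" list a sign-up form
# should reject outright; a real list would hold thousands of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "football"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$key_hex.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot serve for all of them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and iteration count and compare.

    The comparison is constant-time so a mismatch is not revealed early.
    Malformed or foreign records are rejected rather than raising.
    """
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key.hex(), key_hex)


def acceptable_password(password: str, min_length: int = 12) -> bool:
    """Screen a new password before it is ever hashed: length and common-list."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    # Constructed sample input.
    chosen = "correct horse battery staple"
    if acceptable_password(chosen):
        stored = hash_password(chosen)          # this is what the database keeps
        print(stored)
        print(verify_password(chosen, stored))   # True
        print(verify_password("Tr0ub4dor&3", stored))  # False
```

The record stores its own salt and iteration count, so the iteration count can be raised later for new or re-hashed passwords without invalidating old records; the verifier always reads the parameters from the record it is checking.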
