Using Patents To Prevent Researchers From Pointing Out Security Holes In Your Technology

from the a-new-low dept

Someone who prefers to remain anonymous writes: "We've seen people use bogus DMCA claims to shut up speech they don't like. Now, it turns out that if you demonstrate security vulnerabilities, you may have to deal with the threat of a patent lawsuit as well. IOActive, a security firm based in Seattle, built a hand-held device capable of reading and cloning the prox cards used for building access in many companies. They demo'd the device at the RSA Conference and were going to give an in-depth talk at Black Hat in DC. HID Global, who makes the cards, found out about it and sent them a letter claiming that the cloning device infringes on HID patents. Faced with the threat of a patent infringement lawsuit, IOActive pulled the presentation." Jennifer Granick, over at Wired News, does a good job highlighting the ridiculous consequences of an action like this: "Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. The use of patent law to prevent vulnerability discovery and discussion is bitter irony, because a fundamental purpose of patent law is disclosure." Yet another example of the patent system doing exactly the reverse of what it's supposed to do.


Reader Comments

  1.  
    nedu, Feb 28th, 2007 @ 11:21am

    ACLU to present instead

    Nicole Ozer, Technology and Civil Liberties Policy Director for the ACLU of Northern California will be presenting at BlackHat in place of the IOActive researchers.

    Her presentation is at 1:45pm, Wednesday. It will be followed by a press conference.

     


  2.  
    misanthropic humanist, Feb 28th, 2007 @ 11:58am

    so what's the story?

    Okay. Let's break this down and get to the issues.

    If a company holds a patent on a device it can bring a lawsuit to prevent another company from selling a substantially similar device. That's it.
    To infringe you have to have a commercial interest. If Bob's Sausage Factory has a patent on "pork sizzlers" then I can't set up shop selling pork sizzlers. However, there's nothing Bob can do to stop me making my own pork sizzlers for my private BBQ party, even if I use the exact same technique and recipe. There must be a commercial activity to infringe.

    Now, IOActive made a proof of concept device. It may well "infringe" on some patents of HID Global (I fail to see how at this point, but let's admit that assumption), but there is absolutely jack that HID can do about it until IOA bring the device to a commercial market.

    Merely exhibiting it at a non-profit conference means nothing, it is private use. They already exhibited it at RSA and should have continued to exhibit it at the next one in DC.

    But:

    "Faced with the threat of a patent infringement lawsuit, IOActive pulled the presentation."

    They made a cowardly mistake. Unless they were producing this device commercially HID haven't got a leg to stand on. HID can posture and threaten and bawl and scream like a little bitch throwing her toys around the nursery but there's nothing that they can do to stop IOA from exhibiting the device and publicly discussing its operational details. Patents are not tools to protect trade secrets.

    So IOA screwed up by getting frightened and caving in to mafioso style threats. That's all the story says. There is no point of law or principle to debate here. Perhaps IOA should grow some balls.

     


  3.  
    casey kochmer, Feb 28th, 2007 @ 12:19pm

    Legal notice you are in trouble now

    Sorry I have a patent regarding using blogs to report news about bad security practices.

    Please desist from this practice now.

    ------------------------------------

    Seriously this isn't about law, or what's right

    It's all about what you can get away with and who you can pay to help you achieve it,

    Law is never about what's right, it's just about how society retains control. In America that just happens to be primarily tied to the power behind the flow of money.

    If we want to change it, then it starts in the way we each personally act and what we tolerate (Or if you want to use the existing system: then in this case what we pay for).


    Be free, practice your own law...

     


  4.  
    Casper, Feb 28th, 2007 @ 12:27pm

    It's all a matter of limits. In my opinion, you should not be able to patent anything you do not have a prototype of. There is no way some random company should be allowed to patent a "molecular transporting device", for example, and sit back and wait for someone to make a technological breakthrough, then sue them.

    Whatever happened to people having to have something to protect with a patent? Now we are not protecting anything with patents, we are just limiting the market with them. They were never intended to prevent two products from doing the same thing, but rather to prevent one company from copying another directly.

     


  5.  
    Anonymous Coward, Feb 28th, 2007 @ 12:47pm

    Today, HID Global has made a statement, where they claim:

    HID Global did not threaten IOActive or Chris Paget, [...]

    Under no circumstance has HID asked IOActive or Mr. Paget to cancel their presentation.

    But, the letter they sent a week ago is not consistent with their story today:

    HID Global
    9292 Jeronimo Road
    Irvine CA 92618-1905 USA

    February 21, 2001

    [Redacted]

    Re: HID GLOBAL CORPORATION's Intellectual Property

    Dear [Redacted]

    Please be advised that HID Global Corporation RFID reader and card technology are protected by United States Patent no. 5,041,826 and 5,166,67.

    It has come to our attention that you and IOActive have published, on the internet, and likely elsewhere, information regarding a “spoofer” which purportedly “clones” HID cards. Based on our understanding of how your “spoofer” works, we believe your conduct may subject you to liability for inducing and/or contributory infringement under 34 U.S.S. § 271(b) and (c).

    We understand from reviewing IOActive's Web page that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention in Washington, D.C. on February 28, 2007. We believe such presentation will subject you to further liability for infringement of HID's intellectual property.

    We urge you to refrain from publishing any further information regarding the improper use of HID's intellectual property and hereby demand that you refrain from publishing any information at any public forum, including the upcoming Black Hat convention, that violates HID's intellectual property or induces others to do so.

    It is unfortunate that I have had to contact you in this way. First impressions of your company through your Web site would have us believe that you have good intentions as honest brokers intent on providing independent, professional security systems counseling and audit services in a fast-changing data driven world. It is a business we understand and wholeheartedly support.

    We're disappointed that you did not seek our comments before conducting your public cloning demonstration. If you had contacted us first, you would have discovered that both our cards and readers are not only protected under the law, but that HID's products are in use in thousands of secure, reliable access control systems worldwide today, and where cloning is simply not a credible threat — for example, the simple use of two-factor authentication can solve this perceived threat immediately — and some of our installed systems have this additional security feature, where there is a requirement.

    Indeed, for a company purporting to be interested in promoting the service and awareness of security as independent consultants, you have demonstrated your lack of knowledge of the physical access control industry, and, perhaps, the law. We feel that you have done a great disservice to yourselves and your clients, in addition to damaging HID's reputation.

    Please contact me as soon as possible so that we can resolve this issue in a timely and cordial manner. We look forward to your response.

    Very truly yours,

    [Redacted]

     


  6.  
    DMM, Feb 28th, 2007 @ 12:54pm

    Re: so what's the story?

    Talk about someone with a little bit of knowledge being dangerous! Do everyone a favor and stop handing out legal misinformation. About the only thing you got right is that IOA made a cowardly mistake, assuming the original story and Mike got all the facts correct.

    On the face of things, this appears to be a pure and simple case of abuse of the patent system, which was never intended to have any application on speech or the dissemination of information.

    Mike, I am surprised at your sensationalism, although maybe I shouldn't be. I know you are a vocal opponent to the current patent system, but this is not the patent system doing anything. Rather it is some corporate head employing attorneys to abuse the patent system.

     


  7.  
    misanthropic humanist, Feb 28th, 2007 @ 1:17pm

    Re: Re: so what's the story?

    Are you talking to me DMM? If not I apologise, but if you are let me inform you that what I have stated above is absolutely correct from a British / European standpoint. If you disagree then kindly state where your difference of opinion lies as clearly as you can providing references if you feel it demonstrates your case better, otherwise your post amounts to nothing more than you pulling funny faces at me.

    However your second phrase I would agree with. It is not merely a broken patent system that is damaging society and industry, it is a combination of

    1) A broken patent system

    2) A runaway broken legal system that rewards aggressive rather than defensive stances.

    3) Widespread mental problems with people in positions of high pressure responsibility who "shoot first and think later" and are too quick to behave in an abusive manner.

    I detect a little of that in your reply, you are on the back foot from the outset and far too quick to criticise without any substance other than your emotional response.

     


  8.  
    Grimace, Feb 28th, 2007 @ 1:47pm

    Re: Re: Re: so what's the story?

    Mis Hum - From the relevant (U.S.) patent perspective, you are not accurate. Infringement is codified at 35 usc 271, which states, in part: whoever without authority makes, uses, offers to sell, or sells any patented invention, within the United States, or imports into the United States any patented invention during the term of the patent therefor, infringes the patent

    Note that selling is different from using, and that they are both infringing. So, in the US, there is no requirement that there be an economic interest for an act to be infringing.

     


  9.  
    misanthropic humanist, Feb 28th, 2007 @ 1:48pm

    Re: Legal notice you are in trouble now

    I'm quite intrigued by your comment Casey, with which I heartily agree. There is no point of law at debate here, only issues of human antagonistic behaviour, aggression and capitulation.

    But I disagree that "Law is never about what's right, it's just about how society retains control." That may be true in minds of many in the United States right now because your legal system and government have been hijacked. And I salute those of you who have the balls to challenge that and take it back by whatever means you see fit. That is the American spirit at its finest. But ideally it is about both these things. It's fine for educated and balanced people to "practice their own law". In most cases they will arrive at a lifestance greatly superior to the prescriptive standards deemed by a society which must necessarily balance all kinds of behaviour with the greatest possible permissiveness.

    However, not everyone is capable of that self regulation and (real) laws exist to enshrine some form of normative ethics, much as religion "believes" it can. Before you can act as a patriot and upstanding citizen by breaking and changing objectively bad laws you must admit to recognising good laws and the rule of law generally, even when you do not personally agree with them. Otherwise you are just anti-social and selfish.

    The difference is simply a practical one. When enough people do not recognise an erroneous law it is de facto void. For example when the state tries to interfere with the sexual behaviour of its citizens. Homosexuality was once "illegal" in England (yes I appreciate the irony), but it was a non-law from the outset because fully 20% of the judges and politicians also like a bit of uphill gardening.

    Actually 20-25% is probably a very useful figure in this respect. If you don't have the support of 1/4 of your population no law is ever going to prosper no matter how much state sanctioned violence and terrorism you apply to the people.

     


  10.  
    DMM, Feb 28th, 2007 @ 1:54pm

    Re: Re: Re: so what's the story?

    Yes, misanthropic humanist, I was talking to you. Unfortunately, you did not make it clear that you were talking about the patent system from the British/EP point of view. Mike's summary was written about events happening in the U.S., a conference in Washington DC (implicating U.S. patent law), and referenced the DMCA, a U.S. law. From all this, it is a bit of a non sequitur and a source of confusion for you to jump into a discussion of British/EP law without so much as informing the rest of us where you're headed.

     


  11.  
    misanthropic humanist, Feb 28th, 2007 @ 2:04pm

    Re: Re: Re: Re: so what's the story?

    Thank you Grimace. That's very interesting. It may even be the case that similar wording has or still is in use in some European domains, but it is never ever enforced to that letter of the law here.

    I can see now why so many believe that patent law should not merely be reformed but absolutely abolished.

    As it stands the above definition is an encumbrance on *ALL* human behaviour whether commercial or not. As such it is abhorrent and unworthy of recognition.

    What you quote also changes the facts of this case. In the USA the HID Global company are not abusing the civil law system by threatening the researchers, they are quite within their rights as given by law to stifle legitimate research by others.

    The only question then is whether we are prepared to stand for this as citizens who desire progress and promotion of the arts and sciences.

    As a businessman, entrepreneur and inventor my position is that I am not prepared to accept the advantages granted to me by such a draconian unfair system against the damage that it does to my fellow members of society. Only a dysfunctionally selfish person could hold that position.

     


  12.  
    erinol0, Feb 28th, 2007 @ 2:18pm

    Re: so what's the story?

    I understand why you say cowardly (and in principle I agree), but there is the cost to consider as well. As I understand it, the cost of defending yourself alone can destroy a company financially.

     


  13.  
    misanthropic humanist, Feb 28th, 2007 @ 2:20pm

    Re: Re: Re: Re: so what's the story?

    Yes DM, 'tis a little off base of me to be still assuming (I made an assumption) that we still share a large body of common law between Europe and the USA. Since 9.11.2001 it's most unfortunate that your country and ours are diverging in our notions of what makes a good society.

    As I say above in the post responding to Grimace, this knowledge changes my view on what is at stake here. It is no longer an "abuse" of patent law to impede other people's research. Your patent law grants the power to do that.

    Do you find this acceptable as a citizen of the USA? I would not.

    Perhaps you have faith in your democratic process to correct this problem. From where I stand I am far more pessimistic and believe that the way forward for scientists, artists and industrialists in the US is to engage in wholesale civil disobedience and simply make it clear that you do not recognise such laws as a precursor to forcing reform or abolition.

     


  14.  
    casey kochmer, Feb 28th, 2007 @ 3:23pm

    Reasons of Law

    misanthropic humanist: Thanks

    However, I do stand by the statement: law is a tool for society to exert control of the general population by a smaller group of people holding the power.

    Now, a truth is that it isn't the most efficient way to exert control. Your point supports my point. If we as point don't support a stupid law, it's nullified.

    In England and Europe with an accumulation of a thousand years of laws, your country has had a decent amount of practice at ignoring hundreds of silly laws, still on the books, that have no modern practical application. However, those laws at the time of creation were created to guide and control human reaction within the society itself. To help establish a baseline of conduct ... to work alongside the non-written rules passed on through the ever changing practices of social etiquette. To also stop people who "cross the line" of behavior. The law will always tolerate a certain level of lawbreaking... many laws exist only to punish the more extreme offenders.

    However, I look at this from a Taoist point of view. Pay attention to the laws which show respect to my nature, and stand against the ones which are bullshit and that directly impact me.

    The fact of the matter, lots of money is at stake here with the emergence of rapidly changing technology. Money is power, and people are simply being "dicks" to get that money and power. Since they can run rings around the court system, they will do so, and continue to abuse the system to gain more power and money: since it works as a tactic.

    Of course misuse is happening, and right now these actions are shaping the rules of social conduct for the future. Using lawyers and expensive court cases are a great way for those with the most amount of money to retain and steal control of as much as they can grab.

    Look at how Disney rewrote US copyright laws to protect and extend their cash flow.

    This process is going to continue until enough people take the time to actively resist this. Something most people are unwilling to do, since it's easy to be comfortable and go with the flow right now.

    So unless people get off their arse...which also means losing many comforts of the established system also... not much of this behavior will change no matter how much "we scream" at this is bullshit...

    so it goes..

    It's not frustrating, rather it's just basic human behavior. The problem is many of us in the Technology Field can see how these firms and people in power are raping the system for profit. However, the "common man" doesn't see this, after all it doesn't directly impact them other than to increase cost of service here and there currently...

    oh well. no easy solutions,

    So I only suggest to people to be themselves. It seems the most efficient solution if enough people feel the same way, then things will change.


    peace in your journey

     


  15.  
    ScytheNoire, Mar 1st, 2007 @ 3:01am

    I will patent...

    I am going to patent stupidity, and then anyone who does something stupid, i.e. against logical evidence, I will sue for a ton of money. Soon, stupidity shall be wiped out, and I will own the entire world.

    Or we can just start shooting stupid illogical people and make the world a better place, one dead idiot at a time.

     


