White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'

from the say-what-now? dept

We’ve been among those critical of the White House for the administration’s dangerous policy of not revealing security vulnerabilities it discovers, as it seeks to exploit them. In trying to respond to some of the criticism about this policy, the White House has put out a blog post by White House Cybersecurity Coordinator Michael Daniel, in which he explains how the intelligence community determines whether to disclose a vulnerability… or hoard it for its own use. He lists out three potential reasons for not disclosing:

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

As Marcy Wheeler points out, withholding the release of such vulnerabilities for terrorism purposes is not new or surprising. Ditto for so-called cybersecurity (protecting against “hackers or other adversaries” looking to “exploit our networks”) What’s a bit of a surprise is the new inclusion of “intellectual property theft.” However, the NSA, DHS and various supporters have long used claims of China “stealing intellectual property” as an excuse to try to ratchet up surveillance powers. Rep. Mike Rogers, author of CISPA, used the “scary Chinese stealing our IP!” FUD card to push CISPA a few years ago. And former cybesecurity czar Richard Clarke has argued that China stealing intellectual property is a good reason for DHS to be able to spy on all internet traffic.

So, the fact that this argument is used as a sort of “cybersecurity” claim perhaps isn’t that surprising. However, it still seems like a massive logical leap to go from “well we need to protect corporate intelletual property from the Chinese” to arguing that’s a good reason for withholding the disclosure of key technical vulnerabilities that might put everyone at risk. Does anyone honestly believe that the US government should withhold details of a major technical vulnerability… just so it can catch some IP infringers?

And of course, by broadly allowing the NSA and others to fail to patch vulnerabilities, because they want to “prevent intellectual property theft,” it’s just opening up the whole system to be abused even more widely than before. Sure, they may mean “stopping Chinese hackers from swiping plans for a new fighter jet,” but vaguely denoting that it can withhold info on zero day vulnerabilities because of “pirates” seems wide open to abuse — especially given the way many in law enforcement and the administration seem to want to equate every day file sharers with “internet terrorists” or whatever.

Filed Under: cybersecurity, disclosure, intellectual property, michael daniel, nsa, surveillance, vulnerabilities, white house

Yelp Fights Back Against Carpet Cleaning Service That Sued Anonymous Critics For Defamation

from the good-for-yelp dept

We’ve seen plenty of lawsuits involving people upset about Yelp reviews, but here’s a fairly extreme case. Apparently, a DC-area carpet cleaning service named Hadeed Carpet Cleaning, which is somewhat infamous in the area for its “pervasive advertising” and direct mail coupons promising a $99 cleaning special, does not have the greatest reputation on Yelp. The key issue: apparently that $99 deal is often not honored. Also, there are multiple reviews of people getting a quote, dropping off a carpet, and then being told later if they want the carpet back they have to pay much more — with various excuses being offered as to why they’re charging more than the quote.

Hadeed then decided to sue seven anonymous reviewers for defamation. Here’s the oddity: Hadeed does not appear to be suing them over the contents of the bad review. In fact, the company doesn’t seem to dispute the various complaints about its pricing practices. Rather, it argues that it could not match these seven reviewers to actual customers within its database, and therefore, the reviewers are defaming them by misrepresenting that they were ever Hadeed customers. Hadeed appears to suggest that they reviews were really written by a competitor.

As we’ve discussed, many courts have adopted the so-called Dendrite rules for identifying anonymous speakers. The rules require giving the anonymous users a chance to respond and (more importantly) require the plaintiff to present enough evidence to prove there’s an actual case. However, the court in Virginia chose to not apply any such rules, but rather allowed a subpoena to Yelp ordering it to identify the posters. Yelp has refused, and the court ordered compliance, which Yelp again refused, leading to the court saying Yelp was in contempt.

Public Citizen has now filed a brief on behalf of Yelp with the appeals court, arguing both that the Virginia court had no jurisdiction over Yelp, a California company, and that Yelp was correct to ignore the order since the First Amendment (which protects anonymous speech) requires much more proof before an anonymous speaker can be revealed.

When pervasive advertisements from a local merchant feature prices that seem to be just too good to be true, they may, in fact, not be the price that the average consumer will pay. Dozens of consumers who have used pseudonyms to post about their experiences with appellee Hadeed Carpet Cleaning, Inc. (“Hadeed”) on the popular website www.yelp.com, maintained by appellant Yelp Inc. (“Yelp”), report that Hadeed routinely fails to honor the advertised discount prices. Hadeed’s responses to several consumers on Yelp suggest that it recognizes the problem; yet its complaint for defamation singles out the authors of seven reviews posted on Yelp that say the same thing as the other online detractors of Hadeed and its sister business, Hadeed Oriental Rug Cleaning. Based on that allegation, Hadeed invoked the court’s subpoena power to strip its pseudonymous critics of their First Amendment right to speak anonymously.

The main question on this appeal—an issue of first impression at the appellate level in Virginia—is whether the trial court applied the proper legal standard in overriding the anonymous speakers’ First Amendment rights. Courts elsewhere have recognized that, given the valuable role played by the First Amendment right to speak anonymously in encouraging ordinary people to express themselves fully, it is necessary to balance that right against a plaintiff’s right to seek redress for wrongful speech by adopting a standard requiring a plaintiff to do more than articulate a good faith belief that the speech “maybe tortious.” Before stripping the defendant of a First Amendment right, these courts take an early look at the merits of the plaintiff’s claim to determine whether a valid claim has been alleged and whether there is a prima facie evidentiary basis for that claim. In this appeal, Yelp urges Virginia to adopt the same approach, and to remand this case to give Hadeed an opportunity to pursue its subpoena by meeting the proper standard.

In the meantime, though, we have yet another case of a company suing over Yelp reviews — which just makes me wonder how they ever expect to get more customers. Any company that sues over online reviews someone makes is clearly a company not worth doing business with, since they might, potentially, sue you over any bad review you write online about them.

Filed Under: anonymity, carpet cleaning, defamation, dendrite, disclosure, privacy, reviews
Companies: hadeed carpet cleaning, yelp

Everyone's Up In Arms Over Instagram's Terms Of Service They Didn't Read In The First Place

from the this-again? dept

It never fails. No one actually reads the various terms of service for the different online services you use, but when someone finally does — out of boredom or (more likely) because the terms are changing (yet again!) — it’s not uncommon to see sudden mass outrage. It seems to flare up every few months. Last time around it was Pinterest and this time it’s Instagram, based on the claim that the company (now owned by Facebook) will have new terms that allow it to sell your photos to the highest bidder, for which you will get nothing. There is some outrage over that (selling my work!), but the thing that seems to be upsetting people the most is the fact that the company is reserving the right to have your images be used in advertisements. Here’s the part in the new terms:

Some or all of the Service may be supported by advertising revenue. To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you.

This has created quite a bit of general outrage, though I’d argue that most (though, not all) of it is misplaced. There are some extreme arguments on both sides — from Sam Biddle at Gizmodo telling everyone to “shut up” because they’re acting like a “little whiny baby” to David Meyer at ZDNet insisting this is a move too far, and is totally unacceptable. Others are pulling out the “it’s a business, what did you expect” line.

The most reasonable take I’ve seen so far comes from Kash Hill at Forbes, who goes through the new terms methodically, explaining what they mean. The whole “use in advertising” thing sounds basically like they’re going to integrate Instagram images into Facebook’s existing efforts for things like “Sponsored Stories.” If that doesn’t creep you out, then perhaps you shouldn’t be too worried about this new thing:

If this sounds familiar, it’s because it’s a page from the Facebook book. It sounds like Instagram is planning something along the lines of “Sponsored Stories.” So if you go into a business and gram your experience, the business can use the gram in ads, probably targeted at your friends to encourage them to do the same. The fact that Instagram grants itself the right to use metadata is significant — that means it knows the exact location where a photo was taken, making it easy for businesses to know a photo was taken inside one of their fine establishments. A big question here is whether these ad campaigns will be limited to Instagram’s (and Facebook’s) platforms or if they will migrate outside of the Instabook ecosystem.

Le’s be honest: Many of the photos on Instagram are perfect for this. A sample gram from my weekend: “Best bloody mary in D.C. At the Pig;” that’s a Pig ad waiting to happen. Actually it’s a Pig ad that already happened, but no one got paid for it. Most of us are already essentially packaging and advertising our experiences to our friends (as Joe Brown at Gizmodo makes clear); Instagram is wisely trying to make money off of it.

When pitched that way, it doesn’t sound nearly as bad. After all, if you were talking about how awesome the burgers at your favorite burger joint are, is it so crazy to think that the burger place might want to repeat your enthusiasm as part of their push to get more customers? Furthermore, even if the terms are worded poorly (it’s mostly boilerplate, and you’ll find somewhat similar terms in lots of places) if Instagram really went out and started selling your photos to appear in, say, a big magazine or TV ad, there would be significant public backlash over that, such that it’s probably in their own best interest not to do that without direct permission.

That said, there are a few questionable things in the terms that may lead to legal trouble. When they say: “You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such” they’re asking for a beatdown from the FTC (though, the current Facebook terms include an almost-identical item).

The thing that really surprises me in all of this is that Facebook/Instagram didn’t see this coming. Perhaps it’s because Facebook seems to do this kind of thing every few months — in which they change their terms or launch a new feature that has a surprising impact on some element of privacy — leading to mass complaints and outrage… which all gradually fade away. So maybe Facebook just figures to weather the storm — and, chances are, for all the people complaining, very few will actually leave Instagram.

Still, earlier this year, Tumblr finally realized that it makes sense to put up plain language terms of service that isn’t chock full of legalese (beyond what’s necessary) and which include straightforward explanations for what the different clauses mean and how they impact you. It seems like Facebook/Instagram could have cut off a significant amount of criticism of this move if they’d simply done that: better explain in plain language what they’re doing and why they’re doing it. Instead, just flipping the switch on new terms is bound to set off this kind of firestorm of anger.

Filed Under: advertising, disclosure, instagram, terms of service
Companies: facebook, instagram

Pfizer Can't Keep Its Viagra Patent Up In Canada

from the no-quid,-no-quo dept

Today, in a ruling from the Supreme Court of Canada, Pfizer lost its Canadian patent on Viagra as the result of a long-fought battle with rival pharmaceutical manufacturer Teva, which sought to make a generic version of the popular drug. Though the patent was not set to expire until 2014, Teva argued (and the Supreme Court agreed, though lower courts had rejected the argument) that it was in fact never valid in the first place, because it was written in such a way as to obscure the information that is required disclosure in a patent:

P holds Patent 2,163,446 for the use of a “compound of formula (I)” or a “salt thereof” as a medicament for the treatment of erectile dysfunction (“ED”). The patent’s specification ends with seven cascading claims for successively smaller ranges of compounds, with Claims 6 and 7 relating to a single compound each. Only sildenafil, the subject of Claim 7 and the active compound in Viagra, had been shown to be effective in treating ED at the time of the patent application. Although the patent includes the statement that “one of the especially preferred compounds induces penile erection in impotent males”, the patent application does not disclose that the compound that works is sildenafil, that it is found in Claim 7, or that the remaining compounds had not been found to be effective in treating ED.

…

The patent application did not satisfy the disclosure requirements set out in the Patent Act, R.S.C. 1985, c. P‑4 (“Act”). The patent system is based on a “bargain”: the inventor is granted exclusive rights in a new and useful invention for a limited period in exchange for disclosure of the invention so that society can benefit from this knowledge. Sufficiency of disclosure lies at the very heart of the patent system, so adequate disclosure in the specification is a precondition for the granting of a patent.

The ruling goes back to this all-important concept a few times: without disclosure, there can be no patent. It’s good to see the court making this a central point, because pharma companies are notorious for attempting to twist the patent system so they get virtually perpetual monopolies on their drugs, while still shrouding their research and manufacturing methods in as much secrecy as possible. In the US, Pfizer had a similar showdown with Teva over generic Viagra starting in 2010, in which Pfizer won using a second patent that didn’t cover the active compound in Viagra itself, but rather the marketing of it as an erectile dysfunction drug. Thus, even though the core patent on the drug expired this year, Pfizer will likely retain a monopoly on it until 2019. This is in stark contrast to the UK, where the patent on using the drug to treat ED was invalidated for obviousness way back in 2000—but Pfizer still dominates the market there thanks to related patents on manufacturing methods.

Basically, Pfizer uses any method it can think of to prevent its patents from ever expiring and benefiting the public the way patents are supposed to, including writing disclosures that obscure the necessary facts. The Supreme Court was having none of it—rather than letting Pfizer retroactively fix the disclosure, or coming up with any kind of partial remedy that allowed them to retain the patent, the ruling correctly states that patents must be a deal between two sides to function, and thus the patent is (and always has been) invalid:

Although s. 27 does not specify a remedy for insufficient disclosure, the quid pro quo underpinning the Act leads to the conclusion that deeming the patent invalid is the logical consequence of a failure to properly disclose the invention and how it works. If there is no quid — proper disclosure — then there can be no quo — exclusive monopoly rights.

…

There is no question that sildenafil’s utility had been demonstrated as of the time of filing of the patent application. This takes the invention out of the realm of sound prediction. As to the delay of 13 years between the filing of the patent and the challenge, the relevant question is whether the disclosure was sufficient as of the date of filing, so the delay is inconsequential.

This is a big victory for Teva and a major blow to Pfizer’s Viagra empire, which is slowly crumbling around the globe. It’s also likely to lead to even more illegal cross-border pharma sales, and even more of everyone’s favorite email spam advertising online Canadian pharmacies—but that’s another story.

Filed Under: canada, disclosure, patents, viagra
Companies: pfizer, teva

Research Shows: You Don't Need Patents To Disclose Information

from the people-figure-out-ways... dept

One of the things that we frequently hear in defense of patents (and to a lesser extent, copyrights) is that without that kind of protection, companies would never share information with one another about certain products, because it would be way too easy to simply copy the idea and run with it. The standard example is a case where an inventor or small company has an idea for a product, where they’d need a bigger company to manufacture it. We are told, without patents, how could the inventor possibly go to the manufacturer, without fear of completely losing the product. Similarly, in the drug business, where the key bit of information is the chemical formula, companies often insist that they absolutely need patents, or smaller companies won’t bother to share the details of their research with others who can help manufacture the product.

Jerry Brito’s Surprisingly Free podcast recently had a wonderful interview with Michael Burstein from Cardozo Law School, in which he talks about his recent research showing that a ton of information exchange occurs in the absence of intellectual property protection, and that inventors and companies figure out ways to protect themselves against someone just flat out copying their idea and running off with it. It’s an area of research that is quite fascinating, because in the past, I’d thought that the argument about information sharing actually was one of the more compelling arguments for patents. Now… I’m beginning to question that assumption as well. The key thing that Burstein realized, was that information isn’t quite as “clear cut” as people think it is, thus you can share some information without revealing all of the key points:

This article explains that, contrary to the conventional account of the disclosure paradox, information is not always nonexcludable and is not always a homogeneous asset. Instead, information is complex and multifaceted, subject to some inherent limitations but also manipulable by its holders. These characteristics give rise to a range of strategies for engaging in information exchange, of which intellectual property is only one. Information holders can use the characteristics of information itself as well as contractual and norms-based mechanisms and other legal or business strategies to achieve exchange. And examples drawn from fields as diverse and disparate as software and biotechnology show that entrepreneurs and inventors use these strategies alone or in combination to effectively link their ideas with capital and development skills, often without intellectual property playing a significant role in the transaction.

In other words, inventors and companies have already adapted to do this, even without relying on IP laws. Burstein argues that anyone relying on the claim that IP is needed to facilitate information exchange appears to be flat out wrong, based on his empirical research.

Intellectual property is therefore not necessary to promote robust markets for information and is, in fact, just as contingent and context-specific a solution to the paradox as the alternatives described here. At the very least, then, there is reason to doubt that commercialization theories founded upon information exchange provide a standalone justification for intellectual property. This article urges caution in policy interventions that seek to respond to the disclosure paradox and sets the stage for future empirical research to better understand the dynamics of information exchange strategies and the social welfare costs and benefits that may accompany them.

One example used in the report is how biotech firms share information without relying on intellectual property laws. They basically do a bit of a dance, in which they sign agreements and share bits of information with each other, which really seem to serve the purpose of testing whether each other is trustworthy. And, of course, because firms are involved in many, many transactions, there’s a reputational issue at play here: a company that simply copies an idea presented to it by another will quickly find itself shut out of future opportunities to work with innovative companies. These are issues that patent system defenders and policymakers seem to rarely consider.

In some ways, this actually reminds me of the posts we’ve done on cargo cults and copying. Too many people seem to assume that it’s easy to define and capture all of the information you need to copy someone else. If someone has a successful product, no problem, just make an exact replica of that product. But what we’ve seen over and over again is that there’s superficial information, which can be easily copied, but most of the time there is also substantial tacit information which is not easy for a copycat to figure out without working closely with the original producer. This can be information into what kind of positioning worked with customers (and what failed). It can be as simple as experience with a unique way to calibrate a machine. There are all sorts of “little things” that those with experience have, that simply is not easy to easily capture from the outside. Thus, no matter how much superficial information is shared, it’s not enough to make a really useful copy.

Filed Under: disclosure, surprisingly free

Juror Didn't Disclose MySpace Friendship With Defendant… Because It Was Just MySpace

from the talk-about-damning-myspace dept

Here’s a fun one. An appeals court in West Virginia has granted a new trial to a defendant because one of the jurors failed to disclose that she was a “friend” on MySpace with the defendant and had sent him a message during the trial. The message itself was mostly meaningless (“I can tell ya that God has a plan for you and your life…” etc. and even mentioned “Hey, I don’t know you very well”), but the juror never bothered to mention that she knew the defendant at all, let alone well enough to be a MySpace connection. When asked why, she answered:

I knew in my heart that I didn’t know him . . . I should have at least said that . . . he was on MySpace, which really [wasn’t] important, I didn’t think.

Ouch for MySpace. Either way, a new trial has been ordered, and yet again questions revolving around social media in the courtroom need to be tackled in court.

Filed Under: disclosure, friendship, jurors, social networking
Companies: myspace

Why Is Product Placement Okay On TV Without Disclosure?

from the questions... dept

We’re still wondering if the FTC is really going to go after blogs that don’t disclose financial relationships concerning products they’re pitching. So far, the only action the FTC has taken (publicly) has been to investigate retailer Ann Taylor for giving bloggers gift cards — an action for which it was given a pass. In that case, it was worth noting that the focus was on the company, not the bloggers involved. However, there are still many questions about how arbitrarily the rules will be applied. Danny Sullivan is pointing out that with so much undisclosed product placement on TV, shouldn’t that be a bigger concern than if a blogger mentions he or she got a free gift card before writing about a product? While I, like many people, tend to think disclosure is important for your own reputation, the ambiguity and subjectiveness of the FTC’s rules is worrying. While I don’t know for sure, my guess is that the FTC would say that most people already understand how TV product placement works, so they’re not too bothered by it. That, at least, was the explanation an FTC person gave when questions were raised about why the FTC doesn’t go after celebrities talking up products and services they were given for free… But it does seem kind of ridiculous that a celebrity is given more leeway not to disclose just because they’re famous.

Filed Under: disclosure, ftc, product placement

FTC Gives Ann Taylor A Pass In First 'Blog Disclosure' Investigation

from the disclose-everything dept

We expressed some serious concerns with the somewhat ambiguous FTC disclosure rules directed at blogs and new media that went into effect last year, and we’ve been waiting to see how the FTC enforces those rules. We found it odd that the FTC apparently felt that celebrities could be held to different standards. There have been some questions about different activities — for example, Viacom’s actions in trying to make authorized uploads look as if they were bootlegs certainly appears to run afoul of the rules. And, more recently, there were some concerns over the NY Times’ lack of disclosure concerning its relationship with Apple when reporting on the iPad.

However, back in February, some were wondering if retailer Ann Taylor’s offer of gift cards to bloggers who covered their new line of clothing violated the rules. Apparently, the FTC did take notice, and Michael Scott points us to the news that last month, the FTC decided to give Ann Taylor a one-time pass, though it did express some concerns about the program:

What strikes me as interesting here is that the FTC investigation focuses on the advertiser’s actions, rather than the bloggers’. That is, most of the concerns about the program were about whether the FTC would take action against bloggers. But, here, it was focused on the advertiser and its actions. That does make more sense, but does leave open a questionable loophole: if an advertiser tells a blogger to disclose some information and then the blogger does not do so… is the advertiser still liable? In this case, the FTC even mentions that one of the reasons it’s not taking action is because many (though not all) of the bloggers, who wrote about the event, disclosed the gift cards. But if they had not — even though Ann Taylor had told them to — then is Ann Taylor to blame?

Filed Under: advertising, blogs, disclosure, ftc
Companies: ann taylor, ftc

Software Patents Violate The Patent Bargain, Since There Is No Disclosure To Trade-Off

from the trade-away dept

It’s always fun talking to big time patent system supporters, because it’s easy to predict their arguments. After you point out all of the evidence that has shown absolutely no proof that patents increase innovation, the supporters always shift from “patents are necessary for innovation” to “patents are really about disclosure.” The argument here is that part of the “bargain” for getting a government granted monopoly over your invention is that you have to describe the invention, so that those who are skilled in the art can replicate it from your description. Of course, as patent attorneys and software engineers admit, that’s a myth. Patents are written these days to be incredibly broad, and really only understandable to other patent attorneys, rather than other engineers.

Reader brad points us to an interesting blog post by Lukas Mathis, who points out that, at least in the software world, disclosure is useless anyway, because any competent programmer can understand how to do something without needing to look at any patent:

This trade-off does not apply to many software patents. I only need to spend five minutes on Amazon’s site to figure out how one-click shopping works. There is nothing useful I can learn from reading the patent. Likewise, I only need to turn on an iPhone once to figure out how to unlock it. This means that Amazon or Apple don’t give up anything when they patent these ideas. There is no trade-off involved; the state grants these patents «for free», because nobody gains anything from the publication of these ideas. They are already public.

This is a really good point, and a great way of highlighting the ridiculousness of most software patents. The deal is supposed to be “we give you a monopoly, you tell us how to do this hard thing that we wouldn’t figure out otherwise.” But the latter half of the bargain isn’t done because it’s not necessary. And thus, those software patents are given away “for free,” without the other half of the bargain. That would, you might think, bring their entire validity into question.

Filed Under: disclosure, patents, software