December 21, 2024

Archives for August 2005

Cisco Claims Its Product is a Trade Secret

I wrote Friday about the legal threats by Cisco and ISS against researcher Mike Lynn, relating to Lynn’s presentation at Black Hat about a Cisco security vulnerability. The complaint Cisco and ISS filed is now available online. Jennifer Granick, Lynn’s lawyer, has an interesting narrative of the case (part 1; part 2; part 3; part 4).

The complaint claims that Lynn wronged ISS, by giving a PowerPoint presentation that was copyrighted by ISS (because Lynn allegedly prepared it as a work for hire), and by violating the NDA he signed as a member of ISS’s board of directors. The complaint also claims that Lynn wronged Cisco by including snippets of its copyrighted software code in the presentation, and by presenting Cisco trade secrets that had been misappropriated.

The trade secret misappropriation claim is the most interesting one. Cisco’s argument goes as follows. The executable machine code that ships with Cisco routers is a trade secret of Cisco. Customers agree to a contract in which they promise not to disassemble the code. ISS agreed to that contract. Some unspecified person disassembled the code, in violation of the contract, to get information that was used in Lynn’s presentation. Lynn knew that the information was acquired by breach of contract and therefore was a misappropriated trade secret. Lynn disseminated the information anyway.

[Oddly, the complaint incorrectly refers to the executable machine code that ships on Cisco routers as Cisco’s “source code.” This false characterization looks deliberate – it is made repeatedly in the documents, and even occurs more than once in the two-page declaration signed by Cisco’s Vice President for Customer Support. Lawyers in a hurry might make this mistake in their papers, but it’s hard to come up with a charitable explanation for how this mischaracterization occurred twice in a very short statement under oath by the VP for Customer Support. Does he really not know the difference between machine code and source code? Does he not know which kind of code Cisco ships on its routers? Did he not recognize that the code in the presentation which he claims to have reviewed was not source code? Did he sign the declaration under oath without reading it carefully enough to catch such a simple error, which occurred twice in a document with less than one page of text? Or did he know about the error and sign anyway? He could easily have corrected the error himself by deleting or crossing out the word “source” before signing.]

Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)

It’s also pretty clear that the alleged harm to Cisco from Lynn’s action was not the kind of harm that trade secret law was meant to prevent. There is no real argument that the brief snippets of code in Lynn’s presentation (2MB PDF) would help Cisco’s competitors improve their products. The reason Cisco wanted to prevent Lynn’s presentation is that it wanted to keep truthful information about flaws in its products out of the hands of the public. Why should information about product flaws be considered a trade secret?

As I argued on Friday, ISS is in a difficult position. The complaint alleges that ISS agreed not to disassemble Cisco’s code. It does not assert that Lynn himself had agreed not to disasssemble the code, and it does not accuse Lynn of directly misappropriating the secrets. It only says that Lynn knew that they had been misappropriated. The complaint essentially accuses ISS of misappropriating the trade secrets. Which is interesting, considering that ISS was one of the parties that filed the complaint.

Jennifer Granick, Lynn’s lawyer, also had her doubts about the trade secret claim. It would have been interesting to see the claim litigated. Instead, Lynn, on Granick’s advice, decided prudently to settle the case. It’s one thing to talk about cases like this in the abstract; it’s another thing entirely to be in the legal meat-grinder yourself.

The only good news here is that Cisco seems to be getting what it deserves after the legal strongarming of Mike Lynn. Cisco’s efforts have only notified more people that its product has a serious security flaw, and that Cisco is afraid to allow independent evaluation of its products’ security.

Entertainment Industry Pretending to Have Won Grokster Case

Most independent analysts agree that the entertainment industry didn’t get what it wanted from the Supreme Court’s Grokster ruling. Things look grim for the Grokster defendants themselves; but what the industry really wanted from the Court was a ruling that a communication technologies that are widely used to infringe should not be allowed to exist, regardless of the behavior and intentions of the technologies’ creators. The Court rejected this theory.

Last week the Senate Commerce Committee held a hearing (a video stream is available) on the Grokster aftermath. This was a chance for witnesses representing various interests to put their official spin on the Grokster ruling. All of the witnesses praised the ruling and asked Congress to wait and see what develops, rather than legislating right away. But different witnesses put different spins on the ruling.

The entertainment industry line was presented by Mitch Bainwol of the RIAA, Fritz Attaway of the MPAA, and Gregory Kerber of Wurld Media (a music distribution service). Their strategy was essentially to pretend that the Court did give the industry what it wanted, and that P2P technologies were now presumptively illegal unless they had cut licensing deals with the industry. They didn’t argue this directly, but the message was clear. For example, they tried to draw a line between “legitimate” P2P technologies and others, where legitimacy was apparently achieved by signing a licensing deal with major recording or movie companies.

For example, in response to concerns from Mark Heesen of the National Venture Capital Association about venture capitalists’ fears of financial ruin from investing in even well-intentioned communication technology companies, Mr. Kerber said this:

It’s very clear how you get investment. The rules are there. We’re a P2P – we’re a real peer-to-peer – it’s centrally controlled, we can control that … we can respect the copyright holder’s wants during – through a contractual process.

And the way that investors realize that is when we go out and get deals with the record labels, movie studios; and … the venture capitalists do their due diligence, they call and they find out that … the content owner of these assets [says] yes, we will allow this to be transferred and distributed and sold … within – on the network.

So … it’s very, very clear. If you have a contract with a major label, indy label, movie studio, publisher, what they have said is, we will allow the content to be sold in this manner across our network. So I’m a little confused by – there’s an absolute clear path for an investor to understand what’s right and wrong in the process.

It’s a simple message. Investing in technologies that have been blessed by the entertainment industry: right; investing in other technologies: wrong.

But it’s not what the Court said. The Court rejected the proposition that P2P or other communication technologies can exist only at the pleasure of the entertainment industry.

Despite this, we can expect to hear more of this rhetoric of “legitimacy”. And when P2P technologies continue to exist and be popular, we can expect calls for legislation to control the scourge of “illegitimacy”.

WiFi Freeloading Now a Crime in U.K.

A British man has been fined and given a suspended prison sentence for connecting to a stranger’s WiFi access point without permission, according to a BBC story. There is no indication that he did anything improper while connected; all he did was to park his car in front of a stranger’s house and connect his laptop to the stranger’s open WiFi network. He was convicted of “dishonestly obtaining an electronic communications service”.

As the story notes, this case is quite different from previous WiFi-related convictions, in which people were convicted not of connecting to an open network but of committing other crimes, such as swiping financial information, once connected.

Most WiFi equipment operates in an open fashion by default, allowing anybody to connect. It’s well known that few people change their network settings. I used to find quite often that my laptop was connected accidentally to my neighbor’s WiFi network – failing to get a strong enough signal from my own (secured) network, the laptop would connect automatically to any open network it found.

Often the person who set up the network is happy to let strangers use it. Many businesses set up open access points to attract customers. Unfortunately, the technology offers no agreed-upon way for the network owner to say whether he welcomes connections. Taking steps to secure an access point is a clear statement that connections are not welcome; but many people worry that changing security settings will break their network, so the lack of security precautions doesn’t always indicate that the owner welcomes connections.

It would be nice if people used the SSID to indicate their preference. (Joe Gratz says he uses the SSID “PleaseUseSparingly”.) Changing the SSID is easy and is unlikely to break anything that is already working.

Another part of the BBC article is even scarier:

“There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that is wasn’t them that used the network for illegal purposes,” said NetSurity’s Mr Cracknell.

Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.

I doubt this is true. If it is, everybody who runs a WiFi network is at risk of a long jail sentence.