Guillaume Tena, a researcher also known as Guillermito, is now being tried on criminal copyright charges, and facing jail time, in France. He wrote an article analyzing an antivirus product called Viguard, and pointing out its flaws. The article is in French, and standard online translators seem to choke on it. My French is poor at best so I have only a general idea of what it says. But it sure looks like the kind of criticism a skeptical security researcher would write.
This is a standard legal-attack-on-security-researcher story. Company makes grand claims for its product; security researcher writes paper puncturing claims; company launches rhetorical and legal attack on researcher; researcher’s ideas get even wider attention but researcher himself is in danger. Everybody in the security research field knows these stories, and they do deter useful research, while further undermining researchers’ trust in unsupported vendor claims.
At least one thing is unusual about Tena’s legal case. Rather than being charged with violating some newfangled DMCA-like law, he is apparently being charged with old-fashioned copyright infringement (or the French equivalent) because his criticism incorporated some material that is supposedly derivative of the copyrighted Viguard software. Unlike some previous attacks on researchers, this one may not have been enabled by the recent expansion of copyright law. Instead, it would seem to be enabled by a combination of two factors: (1) Traditional copyright law allows such a case to be brought, even though Tena had not caused the kind of harm that copyright law is supposed to prevent; and this allowed (2) a decision by the authorities to single him out for prosecution because somebody was angry about what he wrote.
It’s bad enough that Tegam, the company that created Viguard, is going after Tena. Why is the French government participating? Here’s a hint: Tegam’s statement plays on French nationalism:
TEGAM International has for many years been the only French company to design, develop, market and provide support for antivirus and security software in France. It has chosen a global approach to security, not relying on signature updates [a method used by the most popular U.S. antivirus products].
In the software sector, everybody knows that some people would like to exert their technological domination, and as a result crush any attempt to create an alternative. As the battle goes on to try to preserve and strengthen research in France, TEGAM International defends its difference and the results of its own research.
We have the S.E.C. and Justice Department.
However, consider this…
According to the New York Times: Recently, a number of for-profit colleges have faced inquiries, lawsuits and other actions calling into question the way they inflate enrollment to mislead/increase the value of their parent company’s stock.
In the last year, the Career Education Corporation of Hoffman Estates, Ill., has faced lawsuits, from shareholders and students, contending that, among other things, its colleges have inflated enrollment numbers. The company acknowledged that it was under investigation by the Justice Department and the Securities and Exchange Commission.
In February 2004, F.B.I. agents raided 10 campuses run by ITT Educational Services of Carmel, Ind., looking for similar problems.
Kaplan is wholly own by the Washington Post Company. I provided the S.E.C., Department of Education, and federal courts information that appears to prove Kaplan inflated the Concord School of Law enrollment, telling investors that the “flagship” of its higher education division has as many as 600 to 1000 or more students.
Why didn’t the Justice Department and S.E.C. included Kaplan with their investigation?
Please see the Kstreetfriend original post/comment.
Soapy, just to clarify, I largely agree. The whole episode reminds me of Dr. Felten’s experiences with the RIAA challenge.
“Here…break this lock.”
“No, don’t you dare tell anyone you did! Drat!”
I was secretly hoping you would give this case a big more publicity outside the francophone blog community. Thank you. (I did my bit of reporting from the trial in English, but just having a small-scale blog isn’t enough.)
One small quibble, about your question “Why is the French government participating?” It baffles me a bit. It isn’t. Part of the complaint TEGAM filed (for slander/defamation) was dismissed outright, another part (for using an infringing copy) during the investigation. During the trial, TEGAM and their software was quite the laughing stock. Which doesn’t mean they won’t win, of course.
Given the unsatisfactory state of the law as it’s written, this doesn’t much look like a failure of the judicial system. And I don’t think Goverment pressure was applied.
The remaining bit, the infringing act itself, for which the prosecution has demanded a 4 month suspended sentence plus a hefty fine (in practice, the court won’t go beyond this), hinges on two points:
a) whether the status of his licence ownership (which is a bit hazy — could be interpreted either way) was enough for him to do with the software what he did
b) whether he was allowed to re-use some (very small) bits of the software in the demonstration code he published.
Part of the decision will depend on how well the judges have understood the technical matters.
And this case will test new French copyright law (imported from EU law) for the first time.
Alex, that’s a weird thing to say. Critizing and security reviews are part of makeing something secure.
Arresting/sueing anyone who points out that your security is rubbish, on the pretence that this somehow ensures your security, is a seriously stupid idea. If someone tells you your front door isn’t locked, you don’t call the police and try to get them arrested for attempted burglary. You thank the guy, and lock the door! Otherwise, you
a) piss off your would-be allies,
b) anyone who wants to rob you just walks in, and
c) no-one is going to feel sorry for you.
d) is obviously that you may well get done over again, since no-one is going to help work out what went wrong!
“Fair Use” is like “lawful authority” in the UK – they would rather you forgot (or were never told) that you had the right, because eventually it will disappear under layers of bad law, until the right really is lost forever…
Well, I guess he doesn’t have the freedom to tinker with that device because he doesn’t own it, does he?
French researcher charged with violating copyright laws
Ed Felten has an interesting post on his “Freedom To Tinker” weblog right now regarding a French researcher who’s has been charged with violating copyright laws for publishing the results of his research.
CNET News.com has the story, here, as well.