March 27, 2015

The Dangers of the New Trade Secrets Acts

First, I want to state how thrilled I am to be joining the great group here at CITP. Every CITP scholar that I’ve gotten to know over the past several years has become a friend and influenced my work in areas ranging from voting machine code access to international lawmaking processes. I’m delighted to be a part of CITP’s dynamic team and environment and look forward to an exciting year. Now, on to business.

Congress is actively considering legislative responses to increased foreign cyber-espionage, driven by the perception that theft is increasing both in scale and in severity. Two bills – the “Defend Trade Secrets Act of 2014” (“DTSA”) and the “Trade Secrets Protection Act of 2014” (“TSPA”) – are the latest attempts at legislating in this area. The bills both create a new private cause of action under the Economic Espionage Act (“EEA”) for theft of commercially-valuable secret information.

Currently, trade secret misappropriation is a federal crime under the EEA, but trade secret owners can seek civil remedies only in state courts, under state laws. The theory underlying the Acts is that a private cause of action under the EEA will be an effective weapon against foreign cyber-espionage. Current law, so the argument goes, is ineffective in combating cyber-espionage.

Unfortunately, the bi-partisan sponsors of the Acts have gotten this one wrong. In reality, the Acts will create or exacerbate many existing legal problems, yet solve none. As such, Sharon Sandeen and I authored the linked letter in opposition to the sponsors of the Acts and Congress, which has been signed by 31 United States legal academics. While acknowledging that the United States needs to increase protection against cyber-espionage, we assert that, in sum, the Acts should be rejected for five primary reasons:

Takedown 2.0: The Trouble with Broad TROs Targeting Non-Party Online Intermediaries

On August 14, a federal district court in Oregon issued an ex parte temporary restraining order (TRO) in a civil copyright infringement case, ABS-CBN v. Ashby. The defendants in the case are accused of operating several “pirate websites” that infringe the plaintiffs’ copyrights in broadcast television programs. In addition to ordering the defendants to stop engaging in infringing conduct, the court ordered unspecified “Internet search engines, Web hosts, domain-name registrars, and domain name registries or their administrators [to] cease facilitating access to any or all domain names and websites through which Defendants engage in the [infringement] of Plaintiffs’ copyrighted works.” The court ordered the domain name registrars that had originally registered the defendants’ domain names to transfer the registrations for the pendency of the litigation to a new registrar chosen by the plaintiffs. It then ordered the new, as-yet-unidentified registrar to divert traffic from the defendants’ sites to a location displaying legal documents from the case. None of the online intermediaries targeted by the order is a named party in the case, and none was represented in court before the TRO issued.

A little over a week before the Oregon court issued its TRO, a federal district court in California issued a TRO in another “pirate website” case involving sites streaming and distributing pre-release copies of “The Expendables 3.” The California court’s order to stop providing services to the defendants was directed broadly to “persons and entities providing any services to or in connection with the domain names <limetorrents.com>, <billionuploads.com>, <hulkfile.eu>, <played.to>, <swankshare.com> and/or <dotsemper.com> or the websites to which any of those domain names resolve.” In addition to domain name registrars and hosting services, the California court’s order swept in “[a]ll banks, savings and loan associations, payment processors or other financial institutions, payment providers, third party processors and advertising service providers of Defendants.” Again, none of the online intermediaries targeted in the order is a named party in the case and none was represented in court before the TRO issued.

The reach of these orders is breathtaking, particularly in light of the non-party status of the targeted intermediaries.

Airport Scanners: How Privacy Risk Leads to Security Risk

Debates about privacy and security tend to assume that the two are in opposition, so that improving privacy tends to degrade security, and vice versa. But often the two go hand in hand so that privacy enhances security. A good example comes from the airport scanner study I wrote about yesterday.

Researchers Show Flaws in Airport Scanner

Today at the Usenix Security Symposium a group of researchers from UC San Diego and the University of Michigan will present a paper demonstrating flaws in a full-body scanning machine that was used at many U.S. airports. In this post I’ll summarize their findings and discuss the security and policy implications.

The End of a Brief Era: Recent Appellate Decisions in “Copyright Troll” Litigation

The onslaught of “copyright troll” litigation began only a few years ago, with lawsuits implicating hundreds or even thousands of “John Doe” defendants, who were identified by IP addresses with timestamps corresponding to alleged uses of BitTorrent services to share and download video content without authorization. Recently, federal appellate opinions confirmed growing consensus in district courts concerning this type of litigation.

Princeton likely to rescind grade deflation policy

A Princeton faculty committee recommended yesterday that the university rescind its ten-year-old grading guideline that advises faculty to assign grades in the A range to at most 35% of students. The committee issued a report explaining its rationale. The recommendation will probably be accepted and implemented.

It’s a good report, and I agree with its recommendation. Princeton would be better off without its grading quota.

Criminal Copyright Sanctions as a U.S. Export

The copyright industries’ mantra that “digital is different” has driven an aggressive, global expansion in criminal sanctions for copyright infringement over the last two decades. Historically speaking, criminal penalties for copyright infringement under U.S. law date from the turn of the 20th century, which means that for over a hundred years (from 1790 to 1897), copyright infringement was exclusively a civil cause of action. From 1897 to 1976, there were criminal penalties, but only misdemeanor ones. In 1976, felony penalties were introduced, but only for repeat offenders. Following enactment of the 1976 Copyright Act, the pace of amendments expanding criminal liability greatly accelerated—a trend that more or less coincided with the PC revolution. In 1982, felony penalties were extended to some first-time offenses, but not for all types of copyrighted works. In 1992, felony penalties were extended to all types of works. In 1997, as the commercial Internet was beginning its exponential growth, the No Electronic Theft (NET) Act eliminated a longstanding requirement of commercial motive for criminal liability, making some infringements criminally actionable even if they are undertaken without any expectation of financial gain. Under the NET Act, a willful infringer acting without any commercial motive faces up to three years in prison for reproducing or distributing as few as 10 unauthorized copies of a copyrighted work.

As criminal penalties have ballooned domestically, they have also been expanding internationally. The international expansion in criminal copyright liability has occurred in part (and increasingly) through the vehicle of plurilateral and bilateral trade agreements. The United States uses its negotiating leverage in the trade policy arena to pressure trading partners, particularly less powerful ones, to incorporate strict IP norms into their domestic law.

The hidden perils of cookie syncing

[Steven Englehardt is a first-year Ph.D. student in the computer security group at Princeton. In this post he talks about the implications of a recent study that we published in collaboration with researchers at KU Leuven, Belgium. — Arvind Narayanan]

Online tracking is becoming more sophisticated and thus increasingly difficult to block. Modern browsers expose many surfaces that enable users to be uniquely identified, including Flash cookies and browser fingerprints. In a new paper that will appear at ACM CCS, we present the first large-scale study of three advanced tracking mechanisms — canvas fingerprinting, evercookies, and cookie syncing. We developed novel measurement techniques and found that these tracking mechanisms are used on a large number of sites. Our findings on canvas fingerprinting, in particular, have been in the news (ProPublica, BBC, EFF).

In this blog post I’ll focus on a different part of our paper that looked at cookie syncing, the process by which two different trackers link the IDs they’ve given to the same user. The most common use of cookie syncing is to enable real-time bidding between several entities in an ad auction. It allows the bidder and the ad network to refer to the user by the same ID so that the bidder can place bids on a particular user in current and future auctions. Cookie syncing raises subtle yet serious privacy concerns, but due to the technical complexity of explaining it, didn’t receive much press coverage. In this post I’ll explain cookie syncing and why it’s worrisome — even more so than canvas fingerprinting.