November 25, 2024

Microsoft Ruling Released Early

Ted Bridis at the Associated Press reports that Friday’s rulings on the Microsoft case were put on the Court’s website at 2:40 PM, about two hours before their official release. As in the Intentia/Reuters incident, the documents were put on the website in a guessable location, but without any links to them.

Slashdot published the news about the rulings’ availability at 3:30 PM, still about an hour before they were to be released. At this point, even the DOJ and Microsoft had not seen the rulings. The markets were still open at this point, and the trading price of Microsoft stock predictably went up.

Fritz's Hit List #29

Today on Fritz’s Hit List: logic analyzers.

These devices, which are standard equipment in electronics laboratories, record electrical signals in digital form, so they qualify for regulation as “digital media devices” under the Hollings CBDTPA. If the CBDTPA passes, any newly manufactured logic analyzers will have to incorporate government-approved copy restriction technology.

Fight piracy – regulate laboratory equipment!

[Thanks to John Zulauf for suggesting this item.]

Microsoft Decisions Tomorrow

Judge Kollar-Kotelly has announced that she will release her decisions in the Microsoft antitrust case tomorrow at 4:30 Eastern time.

Intentia vs. Reuters: A (Slightly) Contrarian View

The recent dispute between Intentia and Reuters has gotten lots of online attention, most of it scornful of Intentia’s position. I think Intentia is wrong, but it’s a closer call than most online commentators seem to think.

Here’s the factual background, as far as I can tell: Intentia, a Swedish company, prepared its earnings report, and put that report on its web site, at a “hidden” URL to which there were no links anywhere. A Reuters reporter guessed the URL, accessed the earnings report, and published a story about it, all before Intentia intended for the information to be released. Now Intentia is suing Reuters in Swedish court, charging that Reuters accessed Intentia’s computers illegally and without authorization.

As a non-Swede and non-lawyer, I won’t opine on what Swedish law says about this. Anyway, the more interesting question is what the law should say about this case. Or to put it another way, how should we draw the line between proper and improper access to a computer system?

Most people seem to feel that what Reuters did was legitimate. That’s my gut feeling too. But it’s not as easy as you might expect to explain why.

One common argument is that because Intentia put the file in a place where it was easily accessed, Intentia should have known that people would access it there, so Reuters cannot be faulted for doing so. This has intuitive appeal, but I don’t think it’s right to argue entirely from technical capabilities. That is, the mere fact that Reuters knew how to access the file cannot be enough to show that the access was proper.

Consider a hypothetical in which Intentia puts the file on its site, protected by a password. Is it proper for Reuters to guess the password and access the file? I don’t think so. I’m not comfortable with a rule that would legalize arbitrary file access via password-guessing.

Now from a technical standpoint, there is little difference between using a secret URL and using a secret password. Both rely on the user typing a secret text string; both send that string across an unencrypted HTTP connection; and both provide the requested file only if the string has been entered correctly. Both provide the same level of security. So if password guessing is improper, then why isn’t URL guessing improper?

The answer, I think, is that using a password sends different signals about Intentia’s intentions than using a URL. If a system challenges you to enter a password, it’s clear that the system’s owner is not authorizing you to continue. But if you just type a URL into a browser and the system supplies you with a file, the owner’s intentions are not clear. If, in fact, the URL was something obvious like “3rd_quarter_earnings.pdf,” then a reasonable person might have concluded that Intentia meant it to be accessed by the public.

Ultimately, this depends on the law recognizing social norms about the Net: that accessible files are by default meant to be accessed; that people use a password if they want to restrict access; and that the lack of a password mechanism is taken to imply that public access is allowed.
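
The comparison drawn above, sketched as an added example (not code from the original post or from Intentia’s site): in both schemes the server-side check is one string comparison over plain HTTP, and the only difference is the 401 challenge that tells the visitor access is restricted. The paths, the password and the `handle` function are constructed for illustration.

```python
import base64
import hmac

# Constructed sample values; none come from the original post.
SECRET_PATH = "/reports/3rd_quarter_earnings.pdf"   # unlinked "hidden" URL
PROTECTED_PATH = "/protected/earnings.pdf"          # password-protected URL
PASSWORD = "3rd_quarter_earnings"                   # a secret of equal strength
REPORT = b"%PDF-1.4 constructed sample report"


def secret_matches(supplied: str, expected: str) -> bool:
    """The whole access check in both schemes: one string comparison."""
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle(path: str, headers: dict) -> tuple:
    """Return (status, response_headers, body) for a plain-HTTP GET."""
    # Scheme 1: secret URL. A wrong guess looks like any missing page,
    # so the server never tells the visitor that access is restricted.
    if path != PROTECTED_PATH:
        if secret_matches(path, SECRET_PATH):
            return 200, {}, REPORT
        return 404, {}, b"Not Found"

    # Scheme 2: password via HTTP Basic auth. The credential is only
    # base64-encoded, so it crosses the wire as readable as the URL does.
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:
            decoded = ""
        _user, _, supplied = decoded.partition(":")
        if secret_matches(supplied, PASSWORD):
            return 200, {}, REPORT
    # Missing or wrong password: an explicit challenge stating that the
    # owner has not authorized the visitor to continue.
    challenge = {"WWW-Authenticate": 'Basic realm="embargoed"'}
    return 401, challenge, b"Unauthorized"


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```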

Fritz's Real Hit List

Seth Finkelstein suggests that I should reexamine my “Fritz’s Hit List” feature in light of the “leeway” concept. Seth says, in effect, that it is possible, or at least it might be possible, to redefine the scope of the Hollings CBDTPA so that it covers “what 99.9% of the population uses for business or entertainment,” while not covering the items on Fritz’s Hit List.

I started Fritz’s Hit List to illustrate the extreme overbreadth of the Hollings CBDTPA. This can’t be fixed by making minor adjustments to the bill, or by relying on leeway to cover a few exceptional cases. The bill’s scope is far, far too broad. That’s the real point of Fritz’s Hit List.

This raises the obvious question of whether the bill can be fixed. Is it possible to redefine “digital media device” so that it is broad enough to cover the things it “needs” to cover, yet narrow enough to leave out dolls, dictaphones, and dog toys?

That’s harder than it sounds. I don’t know how to write such a definition. I haven’t seen anybody else offer a good definition either. The CBDTPA’s authors gave us a definition that is pretty far off.

So here is my challenge to the advocates of the Hollings CBDTPA: When you respond to Fritz’s Hit List, don’t just say, “That isn’t what we meant.” Tell us – specifically – what you did mean.