Everyone, take a deep breath: it seems we’ve had a moment of sanity in the patent wars. Last week, a jury invalidated the dangerous Eolas patents, which their owner claimed covered, well, essentially the whole Internet. The patents were originally granted for an invention that helped doctors to view images of embryos over the early Web. A few years later, smelling quick cash, their owner insisted that they had a veto right on any mechanism used to embed an object in a web document. Really? The patents were obvious—now in 2012, and back in 1994, when the first one was filed. Thankfully, a jury realized that and did what should have happened years ago: it invalidated these dangerous patents.
That's the good news. The bad news: it came after the patents already caused plenty of damage. Companies large and small have taken licenses from Eolas rather than pay millions to fight in court. Many, such as Tim Berners-Lee (who testified during trial), warned about the dangers of the Eolas patents:
The existence of the patent and associated licensing demands compels many developers of Web browsers, Web pages, and many other important components of the Web to deviate from the fundamental technical standards that enable the Web to function as a coherent system.
We couldn't agree more, but let's go a step further. What the Eolas patents make clear is that the system isn’t working. We’ve been saying it for years, yet both Congress and the courts have failed to fix the problem. In the now infamous Bilski case, the Supreme Court gave the green light to business method patents, and, consequently, to software patents. But the patent system, which is largely a one-size-fits-all program, simply stops making sense when we start to talk about software.
Software Patents Should be an Oxymoron
In order to understand why software patents don’t make sense, you have to understand a little bit about the patent system. The Constitution gives Congress the power
To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.
This single sentence represents an important bargain: when someone invents a novel invention, the government grants him a 20-year monopoly to exploit that invention. At the end of those 20 years, the inventor dedicates that invention to society, allowing others to practice it and build upon it. Traditionally, this monopoly was intended to provide an important incentive, especially where, as with pharmaceuticals, companies have to build factories and laboratories, hire workers, and endure rounds of testing at the FDA before they can sell a drug.
Software often does not require that kind of investment—often all you need is a coder and a computer. Even complex programs don't require 20 years of exclusivity to recoup their investment. We’ve also seen time and again that software developers don’t need patent incentives to create new and great programs. Take, for example, companies like Google and Twitter; neither relied on software patents to grow its early business.
It’s also clear that 20 years is too long to protect software inventions. Many who obtain patents—those who may feel obligated to appease venture capitalists or who get patents for defensive purposes, for example—quickly learn that technology moves so quickly that it’s often been replaced or vastly improved upon by the time the patent is granted. And it’s expensive to get an application through the patent office—costs and fees for “complex software” can range well into the $10,000s! So what do you think happens when a company spends all that money getting a patent and then finds out its product is no longer popular? Enter the patent troll, who buys the antiquated patent and starts suing (more on that below).
Further, software is fundamentally situated as a building block technology. You write some code, and then I improve upon it (the open source folks already have this figured out). But if your code is covered by a 20-year patent, I can’t even test my improvements until that patent expires.
Software Patents Only Benefit Lawyers, Not Inventors
Software patents are nearly five times as likely to be litigated as other patents. In fact, lawsuits surrounding software patents have more than tripled since 1999. What does that mean? It means that if you do business in America, and it involves any even arguably patented software, you'd better have a serious legal budget. Take, for instance, Spotify, the popular music streaming service that came to the States in late 2011. A few weeks after it launched—boom!—Spotify is facing a patent lawsuit (the kind of suit that will easily cost each side millions of dollars). Not only is this bad for U.S. businesses, but it drives innovators out of the country, which is bad for all of us, not least of all because it sends jobs abroad. Increasingly, patents serve as a dangerous tax on innovation in America, especially when it comes to software. And domestically this means that instead of helping grow R & D or engineering departments at software companies, software patents increasingly help grow legal departments.
Software Patents Harm Innovation
So what do you do if you’re a small inventor, working in your free time on coding new software, and all of a sudden you’re threatened with a patent suit? Unfortunately, time and again, we hear of folks closing up shop. When part-time inventors without financial backing, or tinkerers in their free time, stop inventing the next Facebook or tomorrow’s Twitter, we’re all worse off. And right now, that’s the threat software patents pose.
Now, back to Eolas. What would have happened if the jury went the other way? Virtually every website that allows embedded objects, such as images or video, for example, (in other words, nearly every website) would have to pay up. Sadly, this is the norm and not the exception. The jury in this case got the information it needed, but not every defendant can afford to fight, much less inspire Sir Berners-Lee to testify. Dangerous, overbroad software patents have become a tax on innovation that cannot stand. Software patents are harming innovation and our economy. It’s time to rethink our policies.
EFF is committed to defending innovation and fixing the problems with software patents in the long-term. That's why we'll soon be launching our new campaign around software patents, Patent Fail: In Defense of Innovation. Stay tuned.
Update (2012-02-17): After some investigation and facts that came to light as a result of a parallel experiment by researcher Nadia Heninger at UC San Diego and collaborators at the University of Michigan, it seems the scope of the problem with respect to keys associated with X.509 certificates is limited primarily to certificates that exist for embedded devices such as routers, firewalls, and VPN devices. The small number of vulnerable, valid CA-signed certificates have already been identified and the relevant parties have been notified. Nadia's excellent blog post provides a good overview of the situation right now. We are working with her on disclosure and to provide people with tools to audit against these types of vulnerabilities via the Decentralized SSL Observatory.
Using previously published and new data from EFF's SSL Observatory project, a team of researchers led by Arjen Lenstra at EPFL conducted an audit of the public keys used to protect HTTPS. Lenstra's team has discovered tens of thousands of keys that offer effectively no security due to weak random number generation algorithms.
The consequences of these vulnerabilities are extremely serious. In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server. Secondly, unless servers were configured to use perfect forward secrecy, sophisticated attackers could extract passwords and data from stored copies of previous encrypted sessions. Thirdly, attackers could use man-in-the-middle or server impersonation attacks to inject malicious data into encrypted sessions. Given the seriousness of these problems, EFF will be working around the clock with the EPFL group to warn the operators of servers that are affected by this vulnerability, and encourage them to switch to new keys as soon as possible.
While we have observed and warned about vulnerabilities due to insufficient randomness in the past, Lenstra's group was able to discover more subtle RNG bugs by searching not only for keys that were unexpectedly shared by multiple certificates, but for prime factors that were unexpectedly shared by multiple publicly visible public keys. This application of the 2,400-year-old Euclidean algorithm turned out to produce spectacular results.
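The shared-factor audit described above, as an added example (not code from EFF or the research teams): the gcd of two RSA moduli that share a prime exposes that prime, so an operator can screen a fleet's public keys for it. Instead of comparing every pair, this sketch uses a product/remainder tree, which is a choice made for the example and not something the page states; the device labels and toy moduli are constructed from small Mersenne primes.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all values."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    """For each n_i, return gcd(n_i, product of all the other moduli)."""
    tree = product_tree(moduli)
    rems = tree.pop()                      # [P], P = product of every modulus
    while tree:
        level = tree.pop()
        # Push P down the tree, reducing modulo n^2 at each node.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n^2) // n equals (P / n) mod n, so one gcd per key is enough.
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]

def audit_moduli(keys):
    """keys: {label: modulus}. Returns {label: {peer_label: finding}} for weak keys."""
    labels = list(keys)
    moduli = [keys[label] for label in labels]
    flagged = [(label, n) for label, n, g in zip(labels, moduli, batch_gcd(moduli))
               if g != 1]
    report = {}
    # A batch gcd equal to n itself means a duplicate modulus, or both primes
    # shared with different peers. Pairwise gcd over the (small) flagged set
    # tells these apart and names the peers.
    for label, n in flagged:
        peers = {}
        for other, m in flagged:
            if other == label:
                continue
            g = gcd(n, m)
            if n == m:
                peers[other] = "identical modulus"
            elif g > 1:
                peers[other] = f"shared {g.bit_length()}-bit factor"
        report[label] = peers
    return report

def mersenne(k):
    return 2 ** k - 1                      # prime for the exponents used below

# Constructed sample inventory: toy moduli, far too small for real use.
SAMPLE_KEYS = {
    "router-a": mersenne(61) * mersenne(89),
    "router-b": mersenne(61) * mersenne(107),   # shares a prime with router-a
    "vpn-c": mersenne(89) * mersenne(127),      # shares the other prime of router-a
    "web-d": mersenne(31) * mersenne(19),       # no shared factor
    "fw-e": mersenne(61) * mersenne(107),       # same modulus as router-b
}

if __name__ == "__main__":
    for label, peers in audit_moduli(SAMPLE_KEYS).items():
        print(label, peers)
```

Any key this flags should be regenerated on a system with a properly seeded random number generator, since the shared factor is visible to anyone holding the same set of public keys.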
In addition to TLS, the transport layer security mechanism underlying HTTPS, other types of public keys were investigated that did not use EFF's Observatory data set, most notably PGP. The cryptosystems that underlay the full set of public keys in the study included RSA (which is the most common class of cryptosystem behind TLS), ElGamal (which is the most common class of cryptosystem behind PGP), and several others in smaller quantities. Within each cryptosystem, various key strengths were also observed and investigated, for instance RSA 2048 bit as well as RSA 1024 bit keys. Beyond shared prime factors, there were other problems discovered with the keys, which all appear to stem from insufficient randomness in generating the keys. The most prominently affected keys were RSA 1024 bit moduli. This class of keys was deemed by the researchers to be only 99.8% secure, meaning that 2 out of every 1000 of these RSA public keys are insecure. Our first priority is handling this large set of tens of thousands of keys, though the problem is not limited to this set, or even to just HTTPS implementations.
We are very alarmed by this development. In addition to notifying website operators, Certificate Authorities, and browser vendors, we also hope that the full set of RNG bugs that are causing these problems can be quickly found and patched. Ensuring a secure and robust public key infrastructure is vital to the security and privacy of individuals and organizations everywhere.
On February 15, a verdict will be handed down that determines whether or not the Tunisian Internet Agency (ATI) will need to censor pornography on the Internet. Last May, after receiving--and unsuccessfully attempting to block--an order to censor such websites, the ATI appealed the decision citing, among other things, a lack of financial resources. As a result, the case was sent to the Court of Cassation, Tunisia’s highest court.
All Tunisians have a reason to be concerned: Under the rule of Ben Ali, it wasn’t just obscene content that was unavailable to citizens, but political opposition websites, information on human rights, even YouTube.
As a result, Tunisian digital rights activists are wary of letting the government force the ATI to re-install the tools that allowed such overreaching censorship (which in the Ben Ali era were made by American company SmartFilter, owned by Intel). For others--such as the activist community that was active in fighting censorship during the Ben Ali era--it’s a matter of principle. Or as Moez Chakchouk, CEO of the ATI, has argued: “It's not a matter of pornography or not, it's a matter of whether we have censorship or not in Tunisia.”
Indeed, though the current target may be pornography, installing a tool like SmartFilter would enable the ATI to block other categories of websites. And while Chakchouk has spoken out against the idea of any government-mandated censorship outside of the legal process, he is also concerned that putting the tools of censorship in place could easily allow the government to expand its reach.
EFF reiterates our support for Chakchouk and the Tunisian Internet Agency. Tomorrow's decision will not only affect the free speech of Tunisians, but could have broader implications for the region as well. We call on the Court of Cassation to uphold the right of free expression in their decision.
Update: The hearing has concluded and the verdict will be read out on April 30th.
The trial of Chiranuch Premchaiporn, director of one of Thailand’s most popular alternative news sites, who was arrested in October 2010, continues on Tuesday, 14 February, following a 5-month recess. Jiew, as she is more commonly known, was charged with Lèse Majesté and intermediary liability under Thailand’s 2007 Computer Crime Act when comments left on an article published on her site Prachatai were deemed to be defamatory against Thai royalty. She faces a combined sentence of 82 years for these two alleged crimes. Her trial first began in February 2011, was suspended until September, and was again put on hold until this week.
Jiew has been an outspoken proponent for free expression online for many years. We conducted an interview with her about how things unfolded shortly after her arrest. EFF will be following the proceedings closely. We stand with Freedom Against Censorship Thailand (FACT) in condemning Jiew’s arrest and demand that Thai authorities immediately drop all charges against her.
For more updates and to sign a petition to Thailand's National Human Rights Commission, visit FACT's website.
2011 was by many accounts ‘the year of the protester.’ From Tunisia to Oakland, activists took to the streets—and to social networks—to express themselves and their grievances. But while many were successful in using online tools in their activism, others faced grave consequences.
So far, 2012 hasn’t been any easier. Less than six weeks into the year, EFF has already documented nine cases of bloggers under fire: in Oman and South Korea; Bahrain and China; Thailand; Iran; Vietnam; and Ethiopia. And just this week, two more Iranian bloggers were arrested, a Saudi citizen was forced to flee his country after receiving death threats for content he’d posted on Twitter, and both an Indonesian and a Moroccan were detained for posts made on Facebook. These additional cases mean that so far in 2012, fourteen netizens have been threatened for content posted online...and those are just the ones we know about.
This is a trend that shows no signs of abating. To that end, we are working with Global Voices Online’s Threatened Voices project to help shed light on the threats faced by netizens around the world. We have created a new landing page to track instances of bloggers and other Internet users being threatened, arrested, harassed, or otherwise harmed. We will also continue our efforts to report new cases, working with other organizations and individuals around the world, to ensure that those individuals’ voices and stories are heard.
This week has seen a marked increase in the blocking and filtering of certain kinds of Internet traffic in Iran. The Iranian government has not openly acknowledged these new measures, but they are widely thought to be preliminary steps towards a nation-wide Halal Internet that would cut off a majority of citizens from the global web and replace it with one that would effectively block all foreign sites and only allow state-controlled content to be accessed within Iran.
Starting February 7th, Internet users in Iran began reporting that they were having difficulty reaching certain websites outside of the country using HTTPS, the secure, encrypted version of the HTTP protocol used to transfer the data you see in your web browser. Many websites, including banks, many Google services, Twitter, Facebook, and Microsoft Hotmail, employ HTTPS to protect their users’ private data from eavesdropping and government surveillance. Some services, such as Gmail, use HTTPS across the board by default, but others such as Facebook, require users to choose “HTTPS by default” as a privacy setting in their profile.
This has led some Iranians to suggest turning off HTTPS encryption in order to get access to the services they use every day. Iran Media Research quotes two allegedly Iranian users who say:
“To access Google search without needing to use a VPN, [you] can sign out from your [Gmail] account. With this method Google is available”.
“Those users who have disabled Gmail’s SSL [HTTPS] can use it without any problems.”
This is dangerous advice that can expose Iranian users to government surveillance of their email and other private data. Iran has a long history of Internet surveillance, including deep packet inspection of Internet traffic. Bloggers and activists face the possibility of intimidation, arrest, and torture. Now that the Iranian government has put up these barriers to safe, secure, private communication, it is more important than ever that Iranian Internet users take steps to protect themselves from government surveillance.
These steps include using proxies, VPS, or Tor to circumvent government censorship. Tor reports that the majority of Tor users in Iran are still able to use the service to access websites that are blocked within Iran, but they are working on solutions assuming that the government will eventually expand their censorship program to block all HTTPS connections outside of the country.
Hamza Kashgari is under threat. The blogger and journalist fled to Malaysia from Saudi Arabia on February 8 after tweets he wrote about the Prophet Mohammed provoked clerics to demand he be tried for apostasy and members of the public to call for his murder. After arriving in Malaysia on his way to a third country, however, he was arrested by security officials at Kuala Lumpur airport, according to a report from Human Rights Watch. Kashgari is currently under threat of extradition to Saudi Arabia. The Guardian has reported Malaysian sources as stating that the request for extradition came from Interpol, a charge that Interpol denies.
Kashgari was a columnist for Jeddah-based daily Al Bilad until last week when, following public outrage over the tweets, Saudi Minister of Culture and Information Abdul Aziz Khoja gave orders that Kashgari "not write in any Saudi paper or magazine." Ironically, Khoja also tweeted the order. Although Kashgari retracted his statements, deleted his Twitter account, and apologized for the comments, threats to his life continued unabated, with his home address posted online and a monetary reward offered to his killers.
As a member of the United Nations Human Rights Council, the Malaysian government has committed to upholding the highest standards of human rights. Extraditing Mr. Kashgari to Saudi Arabia will undoubtedly result in his death and therefore constitutes a serious violation of Malaysia’s commitments to the international community. Though Kashgari's ideas may offend some of his fellow citizens, they are protected speech under Article 19 of the Universal Declaration of Human Rights.
EFF urges the government of Malaysia to release Hamza Kashgari immediately and ensure that his extradition to Saudi Arabia is prevented.
EFF is pleased to announce that our legal director and general counsel, Cindy Cohn, will be honored as a champion of the First Amendment by the Society of Professional Journalists, Northern California Chapter.
Cindy is one of a dozen recipients of this year’s James Madison Award honoring local journalists, organizations, and others who fight for access to government information and promote the public’s right to know. SPJ singled out Cindy’s litigation and oversight of First Amendment and open government cases, like the NSA spying on Americans’ communications.
Cindy and the other award winners will be honored March 15 at the City Club of San Francisco. Congratulations Cindy!