RISKS-LIST: RISKS-FORUM Digest  Thursday 2 March 1989  Volume 8 : Issue 34

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  German hackers breaking into LOS ALAMOS, NASA,...(Claus Kalle via Mabry Tyson)
  The Gumbel Machine Becomes a Candid Camera (PGN)
  (Un)fairness in European s/w protection (Herman J. Woltring)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Thu, 2 Mar 89 14:55 PST
From: TYSON@Warbucks.AI.SRI.COM (Mabry Tyson)
Subject: German hackers breaking into LOS ALAMOS, NASA, ...

Date: Thu, 2 Mar 89 10:44 PST
From: A0061%DK0RRZK0.BITNET@cunyvm.cuny.edu
To: INFO-NETS@Think.COM
Subject: hackergerman hackers breaking into LOS ALAMOS, NASA, ...

Three hours ago, a famous German TV-magazine revealed maybe one of the greatest scandals of espionage in computer networks: They talk about some (three?) German hackers (West Germany) breaking into several secret data networks (LOS ALAMOS, NASA, some military database, (Japanese) war industry, and many others...) in the interests of the KGB, USSR. They got money (sums about 50000-100000$ are mentioned) and even drugs, all from the KGB, the head of the politic TV-magazine told.

Read more about it in tomorrow's newspaper....

Many greetings from Cologne ..
Claus Kalle
Cologne University, Regional Computing Center
BITNET: A0061@DK0RRZK0
ARPA  : A0061%DK0RRZK0.BITNET@WISCVM.WISC.EDU
Letter: Regionales Rechenzentrum der Uni Koeln
        Robert-Koch-Str. 10
        D-5000 Koeln 41
        West Germany

------------------------------

Date: Thu, 2 Mar 1989 14:52:50 PST
From: Peter Neumann
Subject: The Gumbel Machine Becomes a Candid Camera

For those of you who did not notice, NBC's TODAY show Executive Producer Marty Ryan asked Bryant Gumbel for a candid evaluation of the show's on- and off-camera staff, which he wrote on-line. Recently the private report was ``apparently stolen out of Gumbel's computer file and then given by an NBC employee to a reporter for Newsday.'' There were lots of red faces. (Source: San Francisco Chronicle article by Jay Sharbutt of the LA Times, 1 March 1989, p. E1.)

------------------------------

Date: Tue, 28 Feb 89 13:22 N
From:
Subject: (Un)fairness in European s/w protection

A DRAFT PROPOSAL ON SOFTWARE PROTECTION FOR THE EUROPEAN COMMUNITY

A few weeks ago, the Council of the European Communities in Brussels/Belgium published a draft "Proposal for a Council Directive on the Legal Protection of Computer Programs" [COM(88)816 (not final)], written by Lord Cockfield M.P. in agreement with Mr Narjes and Mr Sutherland. Until January 1989, Lord Cockfield (pronounced as "cowfield") was Council Commissioner for the Internal Market in the Community. As the document seems to challenge various copyright/author's right doctrines in the Member States of the Community, it is likely to elicit considerable debate.

From a Risks and Anglo-American law point of view, the draft evokes a number of questions to be discussed below.
These concern (a) the Anglo-Saxon Law concept of "Fair Dealing" which is more restricted than its "Fair Use" counterpart under section 107 of the US Copyright Act (for example, wholesale copying for classroom use is not allowed), (b) copyright/"author's right" in the case of commissioned works or works created by virtue of employment, and (c) the scope of protectability in the form/contents or expression/idea dichotomy under classical copyright which is largely responsible for the software "look and feel" controversy in the USA.

(a) Fair Dealing

The draft proposes that "computer programs" (also to include source code and documentation from which the program could be written) should be treated like any other literary work under the Berne and Universal Copyright Conventions, including the standard exemptions for literary works under national legislation in the Member States. This definition goes much further than the 1977 definition of the World Intellectual Property Organization (WIPO) in Geneva which is responsible for administrating the Berne Copyright Convention (the BCC recognizes moral rights and does not require copyright claim formalities on a work). In 1985, a joint WIPO/UNESCO meeting on Software Protection refused to include source code in the definition of "computer programs".

The most important states of the European Community are Western Germany, France, and Great Britain. Following copyright law revisions in France (1985), Western Germany (1985), and Great Britain (1988), copyright exemptions are quite different between these countries. In Germany, unauthorized copying for scientific purposes is standard for literary works (not too much, though), but "programs for data processing" cannot be copied without authorization. In France, all USE and copying of "software" (including documentation) is controlled, except for the making of a single back-up copy.
In Great Britain, the classical "Fair Dealing" exemption for research and private study, review, criticism, and news reporting was maintained last year for commercial research, despite "immense pressure from monopolistic concerns that wish to restrict information" (E. Nicholson M.P., debate on the Copyright, Designs and Patents Bill, 19 May 1988); the same has recently happened in Canada. In both countries, computer programs are to be treated like any other literary work.

It may be that the 1985 German and French law revisions were largely motivated by a desire within the software industry to use copyright law for creating trade-secret protection for the pure information or know-how underlying a software package. If decompilation (a form of research through analysis or reverse-engineering) is outlawed, know-how is protected against retrieval from a software package, but independent invention of such know-how and its use for creating another software package remain free. In the European Commission's "Green Paper on Copyright and the Challenge of Technology" published in June 1988, reference was made to a general agreement within the information industry that "independent invention (...) and reverse engineering" should be allowed lest competition would be stultified, and Lord Cockfield's draft proposal seems to ignore the latter part of this citation.

On p. 26 of the draft, reference is made to "(...) the Anglo-Saxon law concept of 'Fair Dealing' by which reproduction of insubstantial parts of literary works is permitted under certain circumstances". In this wording, the differences between German, French, and British law seem insubstantial, since proper research, review, criticism etc. of a computer program will usually require substantial if not complete copying. In the case of object code, this would involve decompilation which under copyright law doctrine is a form of copying/reproduction.
In the case of original or decompiled source code, this would involve listing, compilation, and running which are also (interpreted as) legally relevant forms of copying/reproduction. However, Lord Cockfield's suggestion is incomplete, as the Anglo-Saxon law concept of "Fair Dealing" is not confined to insubstantial copying of a work (whether a book, paper, computer program, or other literary work).

Thus, there are considerable differences between major Member States within the Community, with an equal competition opportunity between Silicon Valley (California) and Silicon Glen (Scotland): under Anglo-American Law, continental-european software may be investigated while Anglo-American software cannot currently be investigated in France and Western Germany unless authorized by the copyright holder. This, of course, constitutes a distinctive competitive advantage outside the European continent.

I believe that copying of a complete work, such as a computer program, may be necessary for fair dealing to apply if done for one of the statutory purposes, i.e., for research or private study, review, criticism, or news reporting. In the words of Barry Torno's "Fair Dealing -- The Need for Conceptual Clarity on the Road to Copyright Revision" (Consumer and Corporate Affairs Canada 1981, ISBN 0-662-11746-8, pp. 32 seq.):

"It might very well be the case that, upon proper application of fair dealing considerations, there will be very few situations in which a finding of fair dealing will prevail where an entire work has been taken. However, to preclude such a possibility AB INITIO is to fetter the dynamic nature of fair dealing unnecessarily.

In what is widely regarded as one of the most incisive Commonwealth explorations of fair dealing, Lord Justice Megaw of the British Court of Appeal stated in the 1971 case of Hubbard et al. v. Vosper et al. (1972, 2 Q.B. 84):

'It is then said that the passages which have been taken from these various works ...
are so substantial, quantitatively so great in relation to the respective works from which the citations are taken, that they fall outside the scope of 'fair dealing'. To my mind, the question of substantiality is a question of degree. IT MAY WELL BE THAT IT DOES NOT PREVENT THE QUOTATION OF A WORK FROM BEING WITHIN THE FAIR DEALING SUBSECTION EVEN THOUGH THE QUOTATION MAY BE OF EVERY SINGLE WORD OF THE WORK ...' "

On 9 Feb 1972, the Appeal Committee of the British House of Lords dismissed a petition for leave to appeal against this verdict.

Note that 'fair dealing' does not in a statutory way distinguish between various forms of reproduction such as quoting, listing, or translating; this has been left to case law. Furthermore, computer programs were hardly discussed by Torno. In "Copyright and the Computer" (Consumer and Corporate Affairs Canada 1982, ISBN 0-662-11748-4), John Palmer and Raymond Resendes from the University of Western Ontario wrote on p. 126:

"Allowing fair dealing provisions for computer software seems questionable. On the one hand, there should be no objection to allowing researchers for PRIVATE (and personal) study and review once the software has been developed and marketed. On the other hand, the loss of a single sale of the software could result in the loss of revenue to the developer of thousands of dollars. If fair dealing provisions are allowed for computer software, they should be limited specifically to personal study and research concerning the SOFTWARE ITSELF, and they should NOT include study and research which uses the software for the study and research of other questions."

In my mind, the latter would not necessarily apply always, as in the case of software published in the academic literature or via non-commercial electronic mail libraries (e.g., NETLIB@RESEARCH.ATT.COM, cf. the paper by Dongarra & Grosse in the May 1987 issue of the Communications of the ACM).
Especially numerical software is widely available for non-commercial use, and this aspect seems to have been overlooked by most writers on software protection, even though such software is not necessarily in the public domain.

A Canadian Library of Parliament report (Monique Hébert, "Copyright Act Reform", ISBN 0-660-12598-6, 1987, p. 5) states:

"(E)ven when substantial reproduction has occurred, users may be exonerated if they come within one of the statutory defenses. The most important of these is the 'fair dealing' provision which excuses 'any fair dealing with any work for the purposes of private study, research, criticism, review, or newspaper summary'."

Wrapping up these quotations in a software context, I think that copying of a complete work such as a computer program may be necessary for FAIR dealing to hold; only in this way, a researcher, reviewer, or criticist may be able to "tell the truth, the whole truth, and nothing but the truth". This applies to profitable situations, where the underlying but unprotected ideas (trade secrets?) of a computer program are to be found and used for creating a different, and hopefully better computer program. Under the US "Fair Use" doctrine, this is perfectly lawful, industrial practice; cf. the "clean room" procedure, where one team analyses a competitor's package, while a second, clean team writes a new package from the first team's specifications. For a hardware product under, e.g., patent law or semiconductor topography protection law, research is perfectly legitimate, and there is no reason why this should be outlawed for software, especially since hardware and software can often be interchanged.
Similar arguments hold for the non-profit situation, as when claims about the quality of a commercial software package in the academic or commercial literature are to be verified by scientists or consumer organisations, or when a software package is suspected of endangering human life, health, or property; this latter aspect was addressed in Risks Digest Vol. 8, No. 5 of 11 Jan 1989 with respect to the Therac-25 radiation therapy machine malfunction.

While the Universal Copyright Convention requires a Copyright notice to be included in a work for copyright protection to hold, such a formality is not required under the Berne Copyright Convention recently ratified by the USA, which is currently the world's leading software producer. By consequence, various "fair" forms of copying are currently under threat of being outlawed even if no copyright claim is provided on a work.

Of course, copying for unfair purposes should be prevented, both in a profitable and non-profitable context. For example, a number of recent, federal US verdicts that the US Copyright Act should yield to the 11th Amendment are reason for serious concern: see "An Open Letter on Piracy", Software Magazine 8(3), March 1988, republished in ACM's Computers & Society 18(3), July 1988. Under the 11th Amendment's grant of sovereign immunity to states, civil suits for copyright damages against state instrumentalities (e.g., state universities!) will be lost before trial.

(b) Work for hire

Under the Anglo-American "work for hire" rule, copyright law usually gives all exploitation rights to the employer, and sometimes even to the commissioner of a copyrightable work; moral rights have been excluded for computer programs in the United Kingdom, and they have been limited in France. In Germany, however, moral rights have been maintained in full, and case law has given an implicit right of use to the employer or commissioner.
Such use may involve sales to third parties if this is the (implied) consequence of the contract. Lord Cockfield has proposed that all rights on software created under employment or commission should revert to the employer or commissioner (unless parties agree otherwise), and this will undoubtedly cause considerable disagreement in most Member States of the Community, at least for commissioned software.

Under the continental-european doctrine of "author's rights", certain moral rights (paternity, divulgation, integrity) are inalienable from the natural author(s) who create a work, and it is largely this aspect which underlies the debate within the European Community (moral rights were a strong issue in the USA in the debate around the Berne Convention Ratification Bill).

From a Risks point of view, I would think that author's rights and author's duties should be seen in conjunction. With the commercial pressure that deadlines are met in software projects (cf. the Risks Digest issue quoted above), an employed or commissioned author should, in my view, be able to invoke his moral rights in order to offset any pressure from employer or commissioner to deliver on time. While Lord Cockfield mentioned the right of paternity (i.e., the right to be named as the author of a work), it is too simple to leave responsibility for the quality of a work, closely related to the moral rights of divulgation and integrity, with the entity that delivers a software-related product to a customer. If an employed or commissioned author has good reason to believe that his work has been insufficiently tested, his "droit de divulgation" should be used to prevent premature delivery to unsuspecting customers. Personal liability for a defective software package should complement this moral right as a moral obligation.

(c) Ideas or contents v. form or expression under Copyright

Traditionally, copyright protects merely the expression or form of a work, not the "naked ideas", contents, or pure information in the work. The borderline is a difficult one, as exemplified by Lord Cockfield's proposal on algorithms and on accessibility of interfaces which, for scientific progress and compatibility between different manufacturers' products to be possible, should be free to anyone:

Chapter 1, Article 1, "Object of Protection", ...

3. Protection in accordance with this Directive shall apply to the expression in any form of a computer program but shall not extend to the ideas, principles, logic, algorithms or programming languages underlying the program. Where the specification of interfaces constitutes ideas and principles which underlie the program, those ideas and principles are not copyrightable subject matter.

I hope that this posting on the Risks Digest (and perhaps on other lists) will elicit a debate that could be fed back to the European Commission. I look forward to such reactions.

Herman J. Woltring
Brussellaan 29, NL-5628 TB EINDHOVEN, The Netherlands, Tel. INT+31.40.480869

Member, Study-Committee on Software and Semiconductor Topography Protection, Netherlands Association for Computers and Law

Research Associate in Biomedical and Health Technology, Eindhoven University of Technology, The Netherlands

(On leave from the Software Engineering Department, Philips Medical Systems, Best near Eindhoven, The Netherlands)

------------------------------

End of RISKS-FORUM Digest 8.34
************************