Date: Fri, 26 Jul 91 16:34:22 EDT
From: Jerry Leichter
Subject: File 8--re: Bill Vajk's latest comments

I found Bill Vajk's comments in Cu Digest, #3.26 somewhat depressing. Here's a bright guy, willing to take the time to, for example, wade through legal texts, who still seems unable to separate what he WANTS the law to say, so as to get the RIGHT outcome in some PARTICULAR case, from what it either DOES say or SHOULD say as a matter of good social policy.

Let's look at the matter of copyrights and publication first.

>I was unable to discover the exact requirements currently mandated for
>deposit of software in order to support a copyright.

First we need to get the language right. I know of no legal significance to the term "support" with respect to a copyright. In order to sue for copyright infringement (and ONLY in that case is such action REQUIRED), you must first register the copyright with the Copyright Office. The Office has regulations governing mandatory deposit for registration (37 C.F.R. Chapter II, Sections 202.19 - 202.21). The regulations, as published in 1978, contain exceptions, including (Section 202.19(c)(5)) "computer programs [and other things, like databases] ... published ... only in the form of machine-readable copies ... from which the work could not ordinarily be visually perceived except with the aid of a machine...."

In October 1989, the Copyright Office issued final regulations governing machine-readable copies. These regulations eliminated the exception of 202.19(c)(5), authorizing the Office to demand deposit. Note, however, that the demand is not automatic. Normally, the Copyright Office only issues demands for material the Library of Congress tells it it wants. Appendix B to Part 202 includes a statement that the current policy of the Copyright Office and the Library of Congress is to demand the deposit only of materials in PC-DOS, MS-DOS or "other compatible formats such as Xenix [?]", or Macintosh formats.

So, deposit MAY be required. But WHAT must be deposited? If the October 1989 regulations follow the proposed regulations issued for comment in September 1986 - which I believe is the case - then deposit of computer programs for which trade secret protection is also claimed, which have been published only in machine-readable form, can take one of four forms: The first and last 25 pages (or equivalent) of source code, with no more than half the material blacked out; the complete first and last 10 pages of source code; the first and last 25 pages of object code, containing at least 10 consecutive pages with nothing blacked out; or, for programs of less than 25 pages, the whole thing with no more than half blacked out. In addition, it is possible to petition for exceptions or suggest alternative forms of deposit.

It's worth noting that, even if a full deposit were required, the deposited information, while a matter of public record, is NOT really fully public: It can be examined at the Copyright Office but may not be removed or copied.

It's also worth noting that there is a completely separate deposit requirement for the Library of Congress, mandated under a different part of the law (Section 407 of the 1976 Copyright Act). This applies only to published material, and there are a variety of exceptions. As I noted before, failure to deposit under this regulation has no effect on copyright, although it may subject you to fines.

>The Rose indictment calls the source code "confidential and
>proprietary." It is confidential in an AT&T security employee's dream,
>and that's about the extent.

AT&T provides copies of this software only under strict licenses. It goes after violators, and they've done so for years. (Consider the Lyons book case.) While copies have "leaked", copies of the Unix sources are by no means freely available. I think AT&T could make a strong case for the claim that the sources remain "confidential and proprietary".

>Leichter suggests that AT&T could claim to have never published the
>source code. This would be true if sale or offer to sell were a
>requirement. 17 USC addresses these issues with the term "vend"
>instead of "sell." The source code we're talking about has been
>published all right, and is in no way entitled to a "trade secret"
>status.

Nonsense. It's been licensed on a restricted basis. (Hardly anyone sells software - you lose control of it too easily. No one I know of sells sources.)

Two kinds of words occur in legal documents: "Terms of art" (technical terms that have taken on specific legal meanings) and normal English words. In copyright law, "publication" has essentially its normal English meaning. Black's Law Dictionary, for example, defines it as "The act of making public a book, writing, map, chart, etc.; that is, offering or communicating it to the public for sale or distribution of copies."

("Publication" used to be a very significant event because it terminated the common-law copyright that protected unpublished works, and started the clock running on statutory copyright protections. The 1976 Copyright Revision Act abolished common law copyrights, and the enabling registration under the Berne treaty revised this area yet again, so the old concept is long dead. Curiously, "publication" IS a term of art in another context: For a will to be valid, it must be "published". However, in this case, "publication" is accomplished by showing it to two (three?) witnesses, whose signature is proof of such publication. "Publication" can also become an issue in tort law: To sue for libel, you have to show the material as "published". Again, there is a special meaning.)

Given the way AT&T licenses its source code, it is clear that they don't intend to publish it.
In fact, later in the same issue of CuD, Craig Neidorf even includes a copy of AT&T's notice:

     Copyright (c) 1984 AT&T
     All Rights Reserved

     * THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF AT&T *
     * The copyright notice above does not evidence any    *
     * actual or intended publication of such source code. *

AT&T is hardly alone in taking this route to protecting its sources: It's a commonly-recognized technique, recommended by practitioners in the field. I don't know if this has been tested in court, but keep in mind that the judges who decide on the issue will come from the same basic legal community that recommends the technique today. Mr. Vajk, who thinks he knows better, will not be asked for his opinion.

Even in the unlikely case that a court threw out this method of protection, I'll give you excellent odds that legislation would be introduced in Congress within a very short time to restore it: The computer business is just too important to this country, and too much of the competitive advantage of American companies stems from software protected under these terms. Congress won't care a whit about the Len Roses of this world, but they WILL act if they can be convinced that the Japanese or the Koreans or whoever are about to walk in and copy all this important American software, and that no one will be able to stop them.

>Leichter defends the errors made by law enforcement, stipulating that
>they have to learn how to deal with computer crime. Agreed, in
>principle, but not in detail. The problems I am addressing have to do
>with the general approach law enforcement seems to be taking to
>solving all crime these days. The Constitution hasn't changed
>recently.

I suggest Mr. Vajk learn a little history. He might try, for example, to talk to a Japanese-American citizen who spent time in American internment camps in World War II. Or to a woman who needed an abortion before Roe v. Wade. (Actually, he may soon be able to find many women to talk to on that issue.)

>Essentially the same rules have applied to investigations. What does
>an officer have to learn about computer criminality in order to keep
>him from kicking in two doors because some law abiding individual
>tried to get into a bbs that was no longer a bbs? What does he have
>to be taught in order to have the patience necessary to simply wait
>for the guy to get home from work, and ask a few questions?

The reasoning here is typical of Mr. Vajk's approach: He KNOWS that the individual involved was law-abiding, so he reasons backwards to find that the police acted unreasonably. He takes the approach to an extreme in later responses to Gene Spafford, in which he demands, in effect, that "innocent until proven guilty" should mean that we, as individuals, should not even describe as guilty someone whom we witnessed committing a crime - until a jury finds him so.

It may come as a shock to Mr. Vajk, but "innocent until proven guilty" has a fairly limited meaning in the legal system: It means that the burden is on the prosecution to prove the accused guilty, not on the accused to prove himself innocent. The accused only has to show "reasonable doubt" that the charges are true. "Innocent until proven guilty" does NOT mean that those charged with a crime are entitled to all the rights of those not charged. Unless they can put up bail, these "innocents" will sit in jail. If they are charged with certain crimes, or if a judge thinks they are likely to flee - he does NOT need proof, much less proof beyond a reasonable doubt! - bail isn't even available. The accused's dignity is of little importance to the law: When arrested, he will be led out in handcuffs in front of family, friends, and waiting TV cameras. There's nothing at all new about this; the availability of mass media has certainly encouraged political grandstanding, of course, but I'm not at all sure that more of this goes on today than in the past.

Anyhow, let's get back to the case at hand and look at it from the side of the police. They receive a report from a doctor's office saying that someone is trying to break into their system. So, as a start we have a complaint from a high-status individual. Beyond that, if someone IS trying to break in, there is potential for serious harm: Beyond the issues of privacy, ANY unauthorized access to medical records has at least the potential to lead to incorrect diagnosis and treatment, possibly causing someone grave harm. So this is certainly worth investigating.

Anyhow, relying on the doctors, who the police assume know more about their system than the police do, the police assume someone IS trying to break in. They check the phone records and find one or two suspects. The evidence available is sufficient to convince a judge to issue a search warrant.

Now, you can already object and say "why not talk to the suspects first". For a very simple reason: If they are, in fact, guilty you'll likely find out nothing of value from them, but you'll tip your hand and perhaps give them the chance to destroy evidence, something that can be done very quickly on a computer. No, much safer to get the search warrant first; that's exactly what search warrants are supposed to be for.

Finally, the police show up at the suspect's house and find no one there. The search warrant authorizes them to gain access to the house and search it. It includes the authority to break in if necessary; and policy probably says that a warrant should normally be executed as quickly as possible. Why? I can think of at least two reasons: Waiting may lead to someone being warned that the police have been around (and consider how quickly evidence on a computer could be destroyed by a simple phone call while the police wait patiently outside); and, besides, posting an officer to wait for the return of the suspect is expensive.
Police departments are perpetually under-manned, and if you phrase the question as "is the guy's front door more important than the taxpayer's money, not to mention the protection a cop doing something more useful than baby-sitting a front door could provide", you may see things a bit differently.

Does that mean that I think the action of the police was correct in this instance? With 20-20 hindsight, it's easy to see that they too quickly came to the conclusion that a crime was taking place. That's a direct result of lack of training and experience with the computing world. I hope they've learned from this experience; I'd bet they have. Given the realities of day-to-day law enforcement, I think they acted reasonably given the limited time, data, and resources available to them. I wish it could have come out differently, and I sympathize with the computer owners who got so unlucky, but this is not a perfect world and mistakes can and do happen.

>We are seeing some of the fallout from our permissiveness regarding
>RICO.

Actually, I don't really disagree with you here. What the police did in this case is NOTHING compared to what Federal prosecutors under Rudolph Giuliani did in various insider-trading cases. The publicity almost got Giuliani elected mayor of New York; now, most of the cases are collapsing in the courts.

>These issues have nothing to do with computer criminality as opposed
>to using sensible investigative techniques. Are we in an age where
>we've been subjected to so many shoot-em-up cops versus the bad guys
>TV shows that people here on usenet, among the best educated, most
>sensible souls in the US, can accept kicking in doors and summary
>confiscation of personal property as a valid and reasonable outcome
>from calling the wrong phone number a few times?

I don't accept it as a reasonable outcome; I accept that this is not a perfect world, that law enforcement personnel must work under conditions of limited training, information, resources, and time, and under pressure from the public to "do something" about crime. Errors happen. Sometimes the system is too rough; sometimes it's too lenient. (Don't believe that? Try reading Cuckoo's Egg.) If you know of a way to improve it, given the real world - not some ideal world in which everyone is reasonable and honest - please, let's hear about it.

------------------------------