- Email: [email protected]
Free CSI report explores threats to secure electronic commerce
[LI[.- AUG
THE CONPUTER ~.AW AND SECURITY REPORT
timately to the computer itself, how to make the encryption algorithm (the ideas) functional. While copyright and First Amendment law were by no means coextensive and the analogy between the two should not be stretched too far, copyright law did lend support to the conclusion that source code was a means of original expression. Accordingly: "for the purposes of the First Amendment analysis this Court finds that source code is speech." Having concluded this, the Court then briefly reviewed the claims contested by the defendants as not entitling the plaintiff to relief. On the points in question, the Court ruled: • Since the 'Snuffle' source code as speech, the plaintiff's prior restraint claim was colourable. •
At this stage in the proceedings, the Court could not say the plaintiff's claim, that enforcement of some provisions of the Statute or regulations could significantly compromise the protected speech of third parties, was frivolous.
•
It could not be said that the plaintiff's allegations that a number of terms and provisions within the AECA and ITARwere impermissibly vague, in that they failed to give notice of the conduct they regulated and had a chilling on speech, was frivolous. Accordingly, the defendants' motion to dismiss was denied. APPEAL PENDING IN SHRINKW R A P LICENCE CASE Pro CD Inc. v Zeidenberg, No. 95-C067 (W.D.Wis. 4 January 1996) The Seventh Circuit Court of Appeals is shortly to hear argument in an appeal brought by the plaintiffs, Pro CD, over allegations that the defendants misappropriated data from Pro CD's CD-ROM directories and placed those CD's data on the Internet. A second charge alleges the unauthorized copying and use of the plaintiffs' copyrighted software in violation of a licence agreement governing the product. In January 1996, the District Court granted summary judgement for the defendants and denied Pro CD'Scross motion for partial summary judgement. The District
Court held that the defendants' copying and use of Pro CD's software was permissible, even though the undisputed facts established that copying the software for commercial uses was expressly prohibited by Pro CD.The District Court also held that Pro CD's licence agreement was unenforceable on the basis that, to be enforceable, the licence agreement had to be printed in full on the outside of the box. The District Court also dismissed Pro CD's state law claims, holding that they were pre-empted by the Federal copyright laws. The defendants will argue that the District Court's decision is factually and legally flawed and, in reaching its decision, it failed to follow established law, made new law and ignored critical undisputed facts. The plaintiffs claim that, if allowed to stand, the decision will invalidate virtually all legitimate restrictions on copying and use of computer software products and computerized databases. It is seeking a reversal of the decision. The defendant -- Appellees -- argue that the District Court correctly ruled that Appellees use of Pro CD's product did not infringe on Pro CD's copyright and its software. The defendants argue that the Supreme Court's decision in Feist Publication v Rural Telephone Service (499 US 340 (1990)) makes it clear beyond question that factual data in Pro CD's product cannot be copyrighted. The defendant - Appellees - also assert that they made no copies of the plaintiffs' software, except for their own personal use.They deny transferring, selling or making the program available to third parties, declaring that the only thing placed on the Internet was the unprotected data. The defendants also reject the plaintiffs assertions that use of its product was subject to a licence agreement.This assumed a binding licence. However, the District Court had found that the transaction involved in this case was a sale of goods within the meaning of the uniform commercial code (UCC). Applying the provisions of the UCC, the Court held that the proported licence was not binding on the defendants because the contract of the sale of software was completed at the time of purchase, and the terms of the licence were not known to the defendants at that time.
260
[1996] 12 CI.SR
The case has attracted widespread interest, which has included submission of statements from the Software Publishers Association and the BusinessSoftware Alliance. The case continues. FREE CSI REPORT EXPLORES THREATS TO SECURE ELECTRONIC COMMERCE The drive toward Internet commerce is unstoppable. But how serious are the security threats associated with it? And how effective are the proposed solutions? The Computer Security Institute's 'Special Report on Electronic Commerce Security: Treasure of Sierra Madres', offers a comprehensive look at the risk, threats and vulnerabilities of Internet-based transactions.Will the profits justify the risk? What lessons can be drawn from recent revelations, such as the vetting of Netscape, the robbing of Citibank, the ransacking of the Netcom and the Kocher 'timing attack'? This latest CSI Special Report contains answers from a broad range of experts, including Dr Gene Spafford of Computers, Operations, Audit, Security and Technology (COAST), Donn V. Parker of SRI International, Dan Farmer, author of SATAN, and Mack Hicks,Vice President of Bank of America. "The scent of riches wafting from cyberspace is overpowering", comments Richard Power, CSI Editor and author of the Report. "The risk of failing to go online is perceived as greater than the risk of failing to go online securely. But recent revelations about the vulnerabilities in Java and Netscape highlight how much still needs to be done." The 19 page study includes practical tools, such as electronic commerce, security checklists and sample electronic commerce policies. To obtain a free copy of CSl Special Report, E-mail your mailing address to: [email protected] or tel: +1 415 9052310 or fax: +1 415 9052218. Editor's Note:The Computer Security Institute (CSI) is the industry's leading international membership organization, specifically servicing the information security professional. Established in 1974, CSI has members worldwide, and provides a wide variety of information and education programmes to assist practi-
~UL ~ ALG
THE COMPUTER lAW AND SECURITY REPORT
tioners in protecting the information assets of corporations in governmental organizations.
PRIVACY IN THE EUROPEAN UNION The EU Data Protection Commissioners met recently in Manchester. During the two day conference they looked at some key issues such as the steps being taken to implement the recently approved EU Data Protection Directive in Member States; the inadequacy of protection when data is sent to some third countries; the proposed special draft Data Protection Directive for telecommunications systems; and cooperation between data protection authorities themselves and with other bodies such as the European Commission and the Council of Europe. It was obviously quite a packed agenda. In particular, Mrs France, the UK Data Protection Registrar, said after the conference that it is most important the data protection commissioners cooperate regarding the protection of privacy of information about individuals %specially in the world of the Internet where such information is readily sent round the globe". Three key decisions were made at that meeting: (a) the Commissioners called upon the European Commission, the Council of Ministers and the Member States to ensure that the data protection rules - already applied in Member States - should be honoured by the institutions of the Community. (b) to ask the Council of Ministers to set up a supervisory body to watch over the design of the new computer system for maintaining criminal intelligence files in the new European Police Office so that privacy protection issues would be taken into account during its development; and (c) the Commissioners agreed that they would work together on privacy enhancing technologies to promote techniques for reducing the extent
to which personally identifiable information is used in information systems - hopefully to develop pilot projects which the Commissioners could examine at their next annual meeting and which could be used as models to promote the adoption of such techniques in industry, commerce and public administration. Heather Rowe, Report Correspondent, Lovell White Durrant
REGULATION AND THE INFORMATION SUPERHIGHWAY It is believed that the European Commission is planning a proposal for a "transparency mechanism" in relation to the information superhighway. This would require Member States to notify any planned regulations which would affect the free flow of services on the information superhighway. The proposal will be made underArtide 59 of the EU Treaty regarding the freedom to provide services. This means that it would require co-decision with the European Parliament. It would be similar to the existing procedure under which Member States are obliged to notify any new regulations made on the grounds of public interest which might impede the free flow of goods. A date has not yet been given for adoption of a proposal by the Commission. Heather Rowe, Report Correspondent, Lovell White Durrant SIMPLER LEGISLATION FOR THE SINGLE M A R K E T Simpler and more effective EU legislation is the aim of the SLIM initiative (Simpler Legislation for the Internal Market), launched by the European Commission. SLIM responds to demands from Member States and industry for rapid action and concrete results, linked to the need to promote growth and employment in the EU. In the initial phase, SLIM teams, consisting of representatives of the Commission, Member States and those directly affected by the legislation - industry, small businesses and consumers - will look at plant legislation, the recognition of diplomas, technical rules for construction products, and intrastat - the system
261
[1996] 112 C[SR
for collecting data on intra-Community trade. The Commission plans to put the first proposals for simplification to the Internal Market Council in November 1996.
STATE AID, SMEs AND TECHNOLOGY Investment in transfers of technology will be eligible for the same favourable level of aid as tangible investment, under new guidelines for state aid to small and medium-sized enterprises (SMEs) agreed recently by the Commission. Aid for the acquisition of patent right, licences, know-how, or unpatented technical knowledge, will now be allowed at the same level as the tangible investment: 15% for small enterprises and 7.5% for medium-sized enterprises. Other changes to the guidelines, which were first adopted in 1992, take account of the new common definition of SMEs agreed by the Commission in February, and clarify the concept of tangible investment. While retaining the 50% threshold of aid to help SMEs with consultancy services and training, the rules specify that it cannot be used for on-going tax consultancy, legal or advertising services.
EC TELECOMS COUNCIL The Internet came under scrutiny recently when the Council reviewed the need for arrangements at EU or other level to deal with privacy, intellectual property and criminal activities. After discussion with their colleagues responsible for cultural affairs, ministers asked the Commission to prepare a study on this subject. Commissioner Martin Bangemann presented the Commission's communication on universal telecoms service. The Council is likely to approve a resolution on the paper at its next meeting. Ministers also discussed the Commission's proposed Directive on the development of the postal service, and Commissioner Bangemann updated the Council on the state of play of World Trade Organization necjotiations on telecoms.
THE FIGHT AGAINST FRAUD European tax payers must know that their money is well spent, according to Commissioner Anita Gradin. Presenting the
THE CONPUTER ~.AW AND SECURITY REPORT
timately to the computer itself, how to make the encryption algorithm (the ideas) functional. While copyright and First Amendment law were by no means coextensive and the analogy between the two should not be stretched too far, copyright law did lend support to the conclusion that source code was a means of original expression. Accordingly: "for the purposes of the First Amendment analysis this Court finds that source code is speech." Having concluded this, the Court then briefly reviewed the claims contested by the defendants as not entitling the plaintiff to relief. On the points in question, the Court ruled: • Since the 'Snuffle' source code as speech, the plaintiff's prior restraint claim was colourable. •
At this stage in the proceedings, the Court could not say the plaintiff's claim, that enforcement of some provisions of the Statute or regulations could significantly compromise the protected speech of third parties, was frivolous.
•
It could not be said that the plaintiff's allegations that a number of terms and provisions within the AECA and ITARwere impermissibly vague, in that they failed to give notice of the conduct they regulated and had a chilling on speech, was frivolous. Accordingly, the defendants' motion to dismiss was denied. APPEAL PENDING IN SHRINKW R A P LICENCE CASE Pro CD Inc. v Zeidenberg, No. 95-C067 (W.D.Wis. 4 January 1996) The Seventh Circuit Court of Appeals is shortly to hear argument in an appeal brought by the plaintiffs, Pro CD, over allegations that the defendants misappropriated data from Pro CD's CD-ROM directories and placed those CD's data on the Internet. A second charge alleges the unauthorized copying and use of the plaintiffs' copyrighted software in violation of a licence agreement governing the product. In January 1996, the District Court granted summary judgement for the defendants and denied Pro CD'Scross motion for partial summary judgement. The District
Court held that the defendants' copying and use of Pro CD's software was permissible, even though the undisputed facts established that copying the software for commercial uses was expressly prohibited by Pro CD.The District Court also held that Pro CD's licence agreement was unenforceable on the basis that, to be enforceable, the licence agreement had to be printed in full on the outside of the box. The District Court also dismissed Pro CD's state law claims, holding that they were pre-empted by the Federal copyright laws. The defendants will argue that the District Court's decision is factually and legally flawed and, in reaching its decision, it failed to follow established law, made new law and ignored critical undisputed facts. The plaintiffs claim that, if allowed to stand, the decision will invalidate virtually all legitimate restrictions on copying and use of computer software products and computerized databases. It is seeking a reversal of the decision. The defendant -- Appellees -- argue that the District Court correctly ruled that Appellees use of Pro CD's product did not infringe on Pro CD's copyright and its software. The defendants argue that the Supreme Court's decision in Feist Publication v Rural Telephone Service (499 US 340 (1990)) makes it clear beyond question that factual data in Pro CD's product cannot be copyrighted. The defendant - Appellees - also assert that they made no copies of the plaintiffs' software, except for their own personal use.They deny transferring, selling or making the program available to third parties, declaring that the only thing placed on the Internet was the unprotected data. The defendants also reject the plaintiffs assertions that use of its product was subject to a licence agreement.This assumed a binding licence. However, the District Court had found that the transaction involved in this case was a sale of goods within the meaning of the uniform commercial code (UCC). Applying the provisions of the UCC, the Court held that the proported licence was not binding on the defendants because the contract of the sale of software was completed at the time of purchase, and the terms of the licence were not known to the defendants at that time.
260
[1996] 12 CI.SR
The case has attracted widespread interest, which has included submission of statements from the Software Publishers Association and the BusinessSoftware Alliance. The case continues. FREE CSI REPORT EXPLORES THREATS TO SECURE ELECTRONIC COMMERCE The drive toward Internet commerce is unstoppable. But how serious are the security threats associated with it? And how effective are the proposed solutions? The Computer Security Institute's 'Special Report on Electronic Commerce Security: Treasure of Sierra Madres', offers a comprehensive look at the risk, threats and vulnerabilities of Internet-based transactions.Will the profits justify the risk? What lessons can be drawn from recent revelations, such as the vetting of Netscape, the robbing of Citibank, the ransacking of the Netcom and the Kocher 'timing attack'? This latest CSI Special Report contains answers from a broad range of experts, including Dr Gene Spafford of Computers, Operations, Audit, Security and Technology (COAST), Donn V. Parker of SRI International, Dan Farmer, author of SATAN, and Mack Hicks,Vice President of Bank of America. "The scent of riches wafting from cyberspace is overpowering", comments Richard Power, CSI Editor and author of the Report. "The risk of failing to go online is perceived as greater than the risk of failing to go online securely. But recent revelations about the vulnerabilities in Java and Netscape highlight how much still needs to be done." The 19 page study includes practical tools, such as electronic commerce, security checklists and sample electronic commerce policies. To obtain a free copy of CSl Special Report, E-mail your mailing address to: [email protected] or tel: +1 415 9052310 or fax: +1 415 9052218. Editor's Note:The Computer Security Institute (CSI) is the industry's leading international membership organization, specifically servicing the information security professional. Established in 1974, CSI has members worldwide, and provides a wide variety of information and education programmes to assist practi-
~UL ~ ALG
THE COMPUTER lAW AND SECURITY REPORT
tioners in protecting the information assets of corporations in governmental organizations.
PRIVACY IN THE EUROPEAN UNION The EU Data Protection Commissioners met recently in Manchester. During the two day conference they looked at some key issues such as the steps being taken to implement the recently approved EU Data Protection Directive in Member States; the inadequacy of protection when data is sent to some third countries; the proposed special draft Data Protection Directive for telecommunications systems; and cooperation between data protection authorities themselves and with other bodies such as the European Commission and the Council of Europe. It was obviously quite a packed agenda. In particular, Mrs France, the UK Data Protection Registrar, said after the conference that it is most important the data protection commissioners cooperate regarding the protection of privacy of information about individuals %specially in the world of the Internet where such information is readily sent round the globe". Three key decisions were made at that meeting: (a) the Commissioners called upon the European Commission, the Council of Ministers and the Member States to ensure that the data protection rules - already applied in Member States - should be honoured by the institutions of the Community. (b) to ask the Council of Ministers to set up a supervisory body to watch over the design of the new computer system for maintaining criminal intelligence files in the new European Police Office so that privacy protection issues would be taken into account during its development; and (c) the Commissioners agreed that they would work together on privacy enhancing technologies to promote techniques for reducing the extent
to which personally identifiable information is used in information systems - hopefully to develop pilot projects which the Commissioners could examine at their next annual meeting and which could be used as models to promote the adoption of such techniques in industry, commerce and public administration. Heather Rowe, Report Correspondent, Lovell White Durrant
REGULATION AND THE INFORMATION SUPERHIGHWAY It is believed that the European Commission is planning a proposal for a "transparency mechanism" in relation to the information superhighway. This would require Member States to notify any planned regulations which would affect the free flow of services on the information superhighway. The proposal will be made underArtide 59 of the EU Treaty regarding the freedom to provide services. This means that it would require co-decision with the European Parliament. It would be similar to the existing procedure under which Member States are obliged to notify any new regulations made on the grounds of public interest which might impede the free flow of goods. A date has not yet been given for adoption of a proposal by the Commission. Heather Rowe, Report Correspondent, Lovell White Durrant SIMPLER LEGISLATION FOR THE SINGLE M A R K E T Simpler and more effective EU legislation is the aim of the SLIM initiative (Simpler Legislation for the Internal Market), launched by the European Commission. SLIM responds to demands from Member States and industry for rapid action and concrete results, linked to the need to promote growth and employment in the EU. In the initial phase, SLIM teams, consisting of representatives of the Commission, Member States and those directly affected by the legislation - industry, small businesses and consumers - will look at plant legislation, the recognition of diplomas, technical rules for construction products, and intrastat - the system
261
[1996] 112 C[SR
for collecting data on intra-Community trade. The Commission plans to put the first proposals for simplification to the Internal Market Council in November 1996.
STATE AID, SMEs AND TECHNOLOGY Investment in transfers of technology will be eligible for the same favourable level of aid as tangible investment, under new guidelines for state aid to small and medium-sized enterprises (SMEs) agreed recently by the Commission. Aid for the acquisition of patent right, licences, know-how, or unpatented technical knowledge, will now be allowed at the same level as the tangible investment: 15% for small enterprises and 7.5% for medium-sized enterprises. Other changes to the guidelines, which were first adopted in 1992, take account of the new common definition of SMEs agreed by the Commission in February, and clarify the concept of tangible investment. While retaining the 50% threshold of aid to help SMEs with consultancy services and training, the rules specify that it cannot be used for on-going tax consultancy, legal or advertising services.
EC TELECOMS COUNCIL The Internet came under scrutiny recently when the Council reviewed the need for arrangements at EU or other level to deal with privacy, intellectual property and criminal activities. After discussion with their colleagues responsible for cultural affairs, ministers asked the Commission to prepare a study on this subject. Commissioner Martin Bangemann presented the Commission's communication on universal telecoms service. The Council is likely to approve a resolution on the paper at its next meeting. Ministers also discussed the Commission's proposed Directive on the development of the postal service, and Commissioner Bangemann updated the Council on the state of play of World Trade Organization necjotiations on telecoms.
THE FIGHT AGAINST FRAUD European tax payers must know that their money is well spent, according to Commissioner Anita Gradin. Presenting the