The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 34

Thursday 2 March 1989

Contents

o German hackers breaking into LOS ALAMOS, NASA,...
Claus Kalle via Mabry Tyson
o The Gumbel Machine Becomes a Candid Camera
PGN
o (Un)fairness in European s/w protection
Herman J. Woltring
o Info on RISKS (comp.risks)

German hackers breaking into LOS ALAMOS, NASA, ...

Mabry Tyson <TYSON@Warbucks.AI.SRI.COM>
Thu, 2 Mar 89 14:55 PST
    Date: Thu, 2 Mar 89 10:44 PST
    From: A0061%DK0RRZK0.BITNET@cunyvm.cuny.edu
    To: INFO-NETS@Think.COM
    Subject: hackergerman hackers breaking into LOS ALAMOS, NASA, ...

    Three hours ago, a famous German TV-magazine revealed maybe one of the
    greatest scandals of espionage in computer networks:
    They talk about some (three?) German hackers (West Germany) breaking
    into several secret data networks (LOS ALAMOS, NASA, some military database,
    (Japanese) war industry, and many others...) in the interests of the KGB,
    USSR. They got money (sums about 50000-100000$ are mentioned) and even drugs,
    all from the KGB, the head of the political TV-magazine said.
    Read more about it in tomorrow's newspaper....

    Many greetings from Cologne ..                    ^    ^
                                                     | |  | |
    Claus Kalle                                      | |  | |
    Cologne University, Regional Computing Center   /   \/   \
                                                    |   ||   |
    BITNET: A0061@DK0RRZK0                          |   \/   |
    ARPA  : A0061%DK0RRZK0.BITNET@WISCVM.WISC.EDU   /        \
    Letter: Regionales Rechenzentrum der Uni Koeln  |  The   |
            Robert-Koch-Str. 10                     | Koeln  |
            D-5000 Koeln 41                         | Cathe- |
            West Germany                            |  dral  |


The Gumbel Machine Becomes a Candid Camera

Peter Neumann <neumann@csl.sri.com>
Thu, 2 Mar 1989 14:52:50 PST

For those of you who did not notice, NBC's TODAY show Executive Producer
Marty Ryan asked Bryant Gumbel for a candid evaluation of the show's on- and
off-camera staff, which he wrote on-line.  Recently the private report was
``apparently stolen out of Gumbel's computer file and then given by an NBC
employee to a reporter for Newsday.''  There were lots of red faces.
(Source: San Francisco Chronicle article by Jay Sharbutt of the LA Times, 1
March 1989, p. E1.)


(Un)fairness in European s/w protection

<WWTMHJW@HEITUE5.BITNET>
Tue, 28 Feb 89 13:22 N

     A DRAFT PROPOSAL ON SOFTWARE PROTECTION FOR THE EUROPEAN COMMUNITY

A few weeks ago, the Council of the European Communities in Brussels/Belgium
published a draft "Proposal for a Council Directive on the Legal Protection of
Computer Programs" [COM(88)816 (not final)], written by Lord Cockfield M.P. in
agreement with Mr Narjes and Mr Sutherland.  Until January 1989, Lord Cockfield
(pronounced as "cowfield") was Council Commissioner for the Internal Market in
the Community.  As the document seems to challenge various copyright/author's
right doctrines in the Member States of the Community, it is likely to elicit
considerable debate.

From a Risks and Anglo-American law point of view, the draft evokes a number
of questions to be discussed below.  These concern (a) the Anglo-Saxon Law
concept of "Fair Dealing" which is more restricted than its "Fair Use" coun-
terpart under section 107 of the US Copyright Act (for example, wholesale
copying for classroom use is not allowed), (b) copyright/"author's right" in
the case of commissioned works or works created by virtue of employment, and
(c) the scope of protectability in the form/contents or expression/idea
dichotomy under classical copyright which is largely responsible for the
software "look and feel" controversy in the USA.

(a) Fair Dealing

The draft proposes that "computer programs" (also to include source code and
documentation from which the program could be written) should be treated like
any other literary work under the Berne and Universal Copyright Conventions,
including the standard exemptions for literary works under national legislation
in the Member States.  This definition goes much further than the 1977 defini-
tion of the World Intellectual Property Organization (WIPO) in Geneva which is
responsible for administrating the Berne Copyright Convention (the BCC recog-
nizes moral rights and does not require copyright claim formalities on a work).
In 1985, a joint WIPO/UNESCO meeting on Software Protection refused to include
source code in the definition of "computer programs".

The most important states of the European Community are Western Germany, France,
and Great Britain.  Following copyright law revisions in France (1985), Western
Germany (1985), and Great Britain (1988), copyright exemptions are quite differ-
ent between these countries.  In Germany, unauthorized copying for scientific
purposes is standard for literary works (not too much, though), but "programs
for data processing" cannot be copied without authorization.  In France, all
USE and copying of "software" (including documentation) is controlled, except
for the making of a single back-up copy.  In Great Britain, the classical "Fair
Dealing" exemption for research and private study, review, criticism, and news
reporting was maintained last year for commercial research, despite "immense
pressure from monopolistic concerns that wish to restrict information" (E.
Nicholson M.P., debate on the Copyright, Designs and Patents Bill, 19 May 1988);
the same has recently happened in Canada.  In both countries, computer programs
are to be treated like any other literary work.

It may be that the 1985 German and French law revisions were largely motivated
by a desire within the software industry to use copyright law for creating
trade-secret protection for the pure information or know-how underlying a
software package.  If decompilation (a form of research through analysis or
reverse-engineering) is outlawed, know-how is protected against retrieval from
a software package, but independent invention of such know-how and its use for
creating another software package remain free.  In the European Commission's
"Green Paper on Copyright and the Challenge of Technology" published in June
1988, reference was made to a general agreement within the information industry
that "independent invention (...) and reverse engineering" should be allowed
lest competition would be stultified, and Lord Cockfield's draft proposal seems
to ignore the latter part of this citation.

On p. 26 of the draft, reference is made to "(...) the Anglo-Saxon law concept
of 'Fair Dealing' by which reproduction of insubstantial parts of literary
works is permitted under certain circumstances".  In this wording, the differ-
ences between German, French, and British law seem insubstantial, since proper
research, review, criticism etc. of a computer program will usually require
substantial if not complete copying.  In the case of object code, this would
involve decompilation which under copyright law doctrine is a form of copying/
reproduction.  In the case of original or decompiled source code, this would
involve listing, compilation, and running which are also (interpreted as)
legally relevant forms of copying/reproduction.

However, Lord Cockfield's suggestion is incomplete, as the Anglo-Saxon law
concept of "Fair Dealing" is not confined to insubstantial copying of a work
(whether a book, paper, computer program, or other literary work).  Thus, there
are considerable differences between major Member States within the Community,
with an equal competition opportunity between Silicon Valley (California) and
Silicon Glen (Scotland): under Anglo-American Law, continental-european soft-
ware may be investigated while Anglo-American software cannot currently be
investigated in France and Western Germany unless authorized by the copyright
holder.  This, of course, constitutes a distinctive competitive advantage
outside the European continent.

I believe that copying of a complete work, such as a computer program, may be
necessary for fair dealing to apply if done for one of the statutory purposes,
i.e., for research or private study, review, criticism, or news reporting.  In
the words of Barry Torno's "Fair Dealing -- The Need for Conceptual Clarity on
the Road to Copyright Revision" (Consumer and Corporate Affairs Canada 1981,
ISBN 0-662-11746-8, pp. 32 seq.):

   "It might very well be the case that, upon proper application of fair dealing
   considerations, there will be very few situations in which a finding of fair
   dealing will prevail where an entire work has been taken.  However, to pre-
   clude such a possibility AB INITIO is to fetter the dynamic nature of fair
   dealing unnecessarily.

   In what is widely regarded as one of the most incisive Commonwealth explo-
   rations of fair dealing, Lord Justice Megaw of the British Court of Appeal
   stated in the 1971 case of Hubbard et al. v. Vosper et al. (1972, 2 Q.B. 84):

   'It is then said that the passages which have been taken from these various
   works ... are so substantial, quantitatively so great in relation to the
   respective works from which the citations are taken, that they fall outside
   the scope of 'fair dealing'.  To my mind, the question of substantiality is
   a question of degree.  IT MAY WELL BE THAT IT DOES NOT PREVENT THE QUOTATION
   OF A WORK FROM BEING WITHIN THE FAIR DEALING SUBSECTION EVEN THOUGH THE QUO-
   TATION MAY BE OF EVERY SINGLE WORD OF THE WORK ...' "

On 9 Feb 1972, the Appeal Committee of the British House of Lords dismissed a
petition for leave to appeal against this verdict.  Note that 'fair dealing'
does not in a statutory way distinguish between various forms of reproduction
such as quoting, listing, or translating; this has been left to case law.
Furthermore, computer programs were hardly discussed by Torno.

In "Copyright and the Computer" (Consumer and Corporate Affairs Canada 1982,
ISBN 0-662-11748-4), John Palmer and Raymond Resendes from the University of
Western Ontario wrote on p. 126:

   "Allowing fair dealing provisions for computer software seems questionable.
   On the one hand, there should be no objection to allowing researchers for
   PRIVATE (and personal) study and review once the software has been developed
   and marketed.  On the other hand, the loss of a single sale of the software
   could result in the loss of revenue to the developer of thousands of dollars.
   If fair dealing provisions are allowed for computer software, they should be
   limited specifically to personal study and research concerning the SOFTWARE
   ITSELF, and they should NOT include study and research which uses the soft-
   ware for the study and research of other questions."

In my mind, the latter would not necessarily apply always, as in the case of
software published in the academic literature or via non-commercial electronic
mail libraries (e.g., NETLIB@RESEARCH.ATT.COM, cf. the paper by Dongarra &
Grosse in the May 1987 issue of the Communications of the ACM).  Especially
numerical software is widely available for non-commercial use, and this aspect
seems to have been overlooked by most writers on software protection, even
though such software is not necessarily in the public domain.

A Canadian Library of Parliament report (Monique He'bert, "Copyright Act
Reform", ISBN 0-660-12598-6, 1987, p. 5) states:

   "(E)ven when substantial reproduction has occurred, users may be exonerated
   if they come within one of the statutory defenses.  The most important of
   these is the 'fair dealing' provision which excuses 'any fair dealing with
   any work for the purposes of private study, research, criticism, review, or
   newspaper summary'."

Wrapping up these quotations in a software context, I think that copying of
a complete work such as a computer program may be necessary for FAIR dealing
to hold; only in this way, a researcher, reviewer, or criticist may be able
to "tell the truth, the whole truth, and nothing but the truth".  This applies
to profitable situations, where the underlying but unprotected ideas (trade
secrets?) of a computer program are to be found and used for creating a differ-
ent, and hopefully better computer program.  Under the US "Fair Use" doctrine,
this is perfectly lawful, industrial practice; cf. the "clean room" procedure,
where one team analyses a competitor's package, while a second, clean team
writes a new package from the first team's specifications.  For a hardware
product under, e.g., patent law or semiconductor topography protection law,
research is perfectly legitimate, and there is no reason why this should be
outlawed for software, especially since hardware and software can often be
interchanged.

Similar arguments hold for the non-profit situation, as when claims about
the quality of a commercial software package in the academic or commercial
literature are to be verified by scientists or consumer organisations, or when
a software package is suspected of endangering human life, health, or property;
this latter aspect was addressed in Risks Digest Vol. 8, No. 5 of 11 Jan 1989
with respect to the Therac-25 radiation therapy machine malfunction.

While the Universal Copyright Convention requires a Copyright notice to be
included in a work for copyright protection to hold, such a formality is not
required under the Berne Copyright Convention recently ratified by the USA
which is currently the world's leading software producer.  By consequence,
various "fair" forms of copying are currently under threat of being outlawed
even if no copyright claim is provided on a work.

Of course, copying for unfair purposes should be prevented, both in a profit-
able and non-profitable context.  For example, a number of recent, federal US
verdicts that the US Copyright Act should yield to the 11th Amendment are reason
for serious concern:  see "An Open Letter on Piracy", Software Magazine 8(3),
March 1988, republished in ACM's Computers & Society 18(3), July 1988.  Under
the 11th Amendment's grant of sovereign immunity to states, civil suits for
copyright damages against state instrumentalities (e.g., state universities!)
will be lost before trial.

(b) Work for hire

Under the Anglo-American "work for hire" rule, copyright law usually gives all
exploitation rights to the employer, and sometimes even to the commissioner of
a copyrightable work; moral rights have been excluded for computer programs in
the United Kingdom, and they have been limited in France.  In Germany, however,
moral rights have been maintained in full, and case law has given an implicit
right of use to the employer or commissioner.  Such use may involve sales to
third parties if this is the (implied) consequence of the contract.  Lord Cock-
field has proposed that all rights on software created under employment or
commission should revert to the employer or commissioner (unless parties agree
otherwise), and this will undoubtedly cause considerable disagreement in most
Member States of the Community, at least for commissioned software.

Under the continental-european doctrine of "author's rights", certain moral
rights (paternity, divulgation, integrity) are inalienable from the natural
author(s) who create a work, and it is largely this aspect which underlies the
debate within the European Community (moral rights were a strong issue in the
USA in the debate around the Berne Convention Ratification Bill).  From a Risks
point of view, I would think that author's rights and author's duties should be
seen in conjunction.  With the commercial pressure that deadlines are met in
software projects (cf. the Risks Digest issue quoted above), an employed or
commissioned author should, in my view, be able to invoke his moral rights in
order to offset any pressure from employer or commissioner to deliver on time.
While Lord Cockfield mentioned the right of paternity (i.e., the right to be
named as the author of a work), it is too simple to leave responsibility for
the quality of a work, closely related to the moral rights of divulgation and
integrity, with the entity that delivers a software-related product to a cus-
tomer.  If an employed or commissioned author has good reason to believe that
his work has been insufficiently tested, his "droit de divulgation" should be
used to prevent premature delivery to unsuspecting customers.  Personal lia-
bility for a defective software package should complement this moral right as
a moral obligation.

(c) Ideas or contents v. form or expression under Copyright

Traditionally, copyright protects merely the expression or form of a work, not
the "naked ideas", contents, or pure information in the work.  The borderline
is a difficult one, as exemplified by Lord Cockfield's proposal on algorithms
and on accessibility of interfaces which, for scientific progress and
compatibility between different manufacturers' products to be possible, should
be free to anyone:

   Chapter 1, Article 1, "Object of Protection",
   ...
   3. Protection in accordance with this Directive shall apply to the expression
   in any form of a computer program but shall not extend to the ideas, prin-
   ciples, logic, algorithms or programming languages underlying the program.
   Where the specification of interfaces constitutes ideas and principles which
   underlie the program, those ideas and principles are not copyrightable
   subject matter.


I hope that this posting on the Risks Digest (and perhaps on other lists) will
elicit a debate that could be fed back to the European Commission.  I look for-
ward to such reactions.


Herman J. Woltring 
