Good morning, ladies and gentlemen. Can you guys hear me there in the back? Okay. Hi. These lights are really bright. So, um, especially for 10 in the morning. So, um, my name is Jennifer Granick, and I'm the Executive Director of the Center for Internet and Society at Stanford Law School. And I teach a couple of classes there. I teach a cyber law clinic and a computer crime seminar. And today I'm going to talk, I think what I'd like to do is talk, um, really briefly about, and I'm looking at my slides, and I'm like, these are my blackout slides. What I think I'm going to do is talk, um, kind of briefly about my topic today, which is, um, how intellectual property law is posing obstacles for computer security research and disclosure. And what I want to do is, um, given our amount of time that we have today, is kind of try to move through it pretty quickly and then try to leave a lot of times for a lot of time for question and answers, which I'll take questions during the talk. So, if you have questions, just raise your hand and we can go that way. Um, and my strategy for today is to use, um, two case studies in order to illustrate these issues. And I'm going to talk about the case of Cisco and ISS versus Mike Lynn, which happened at Black Hat two years ago, which I was personally involved in, and the case of HID's, um, uh, dispute with IOActive over their RFID card spoofer, and that happened at Black Hat Federal, um, earlier this year. So, lots of great law comes out of Black Hat, which is really cool. Um, but I, I just want to sort of preface this by saying that I'm particularly, um, happy to be talking about this now and here because, um, this, these topics that I'm talking about today are in a chapter of an O'Reilly book that's coming out, um, in August called Security Power Tools. And, um, it is the first thing I've ever written that's been in a big book format, so I'm excited about that. 
And secondly, because I am leaving my job at Stanford at the end of August, and I'm going to work at the Electronic Frontier Foundation to do more... Yeah, I feel, I feel pretty much exactly the same way. And, uh, I'm going to do more Fourth Amendment, more Security Law, and more, um, to more, like, technology privacy surveillance stuff there. So I'm really looking forward to that. So, uh, um, you know, I have my contact information, my new place at the end of these slides, and if you guys want a new card, you can, uh, come and get them. And I have a few of those as well. Okay, so, without further ado. Uh, so, as I mentioned, we'll talk about this case. These are some URLs you can go to look at for some more information about it. Um, and for people who aren't familiar with the case at all, who knows about this case? Okay, who doesn't know? Okay, just a few people, so I'll be brief. Basically, what happened is, um, Mike found some vulnerabilities in Cisco routers, and he wanted to report at what those were, report what those were at the Black Hat Conference, and, um, his employer at Cisco objected to, uh, his doing it in the way that he was planning on doing it, and so they, um, told him not to. He quit his job, gave the talk anyway, and then they filed a lawsuit against him. I represented him in that lawsuit, um, and then later on the FBI showed up, and it was, you know, kind of a, a lot of a mess, and it interfered with gambling, and it was, took a lot of work, and you can read my story all about it, um, on my blog, and, and Wired at these particular URLs. It's a, you know, I think still a somewhat amusing story. But, um, the complaint claimed these intellectual property, um, torts had been committed. That there was copyright infringement and misappropriation of trade secrets, and breach of contract, and I'm going to talk briefly about the case. You'll see they all kind of weave together into this legal morass. 
Okay, in the second case I'm going to talk about, um, here's some stuff about it. Um, this did not end up in a lawsuit. Later on, HID disclaimed that they were really trying to stop the talk or anything, but the letter that they had sent to IOActive suggested that they thought that, um, that IOActive was misusing their patent, um, their patents in these, uh, RFID card readers by creating something that read and spoofed RFID cards. They said, well, we have a patent in for that technology. You're also reading and spoofing RFID cards, so we think you might be in, uh, violating our patents. Okay, so I'm going to not cover all of these things in, you know, great detail because you can see that it's rather complicated, but I want to kind of go through and give you guys a sense of what the basics are about copyright infringement and reverse engineering, how fair use plays into that, and then the complexities of that in light of, um, contract law and licensing and, and EULAs and terms of service. And I should say that, you know, at the end of this talk, my goal isn't for you guys to be able to, like, necessarily know for sure that what you're doing is either, like, okay, and you're going to be fine or not okay, but to give you some kind of idea of the landscape so that when you're doing something, if you think, well, you know, you might notice, like, huh, this kind of implicates some of the stuff that Jennifer was talking about, um, the other day, so maybe I should ask for further information, because it is a really rather complicated area of the law. Um, there were some simple parts about Mike Lynn's case. One of them was that the companies claimed copyright infringement, because they said that his slides that he was going to show at the conference were copyright infringement, because he had made those while he was still at his employer ISS, and, uh, those slides belong to ISS. So this allows me to talk a little bit about copyright infringement and what it's about. 
Um, it protects original works, right? It protects any sort of original expression. It doesn't protect facts and ideas. So, you know, um, it covers software, it covers books and music and writing and drawings and all sorts of stuff, um, but it has to be this original expression. Now the standard for originality is pretty low, you know, I mean, it doesn't have to be like a genius work of art, kind of Einstein only would have known how to do it, but it's got to be something, and so, you know, when thinking about what his slides might have looked like, if, you know, if you look at my slides, uh, you know, you guys can steal them, because I don't think it's copyright infringement. You know, there's not a lot of originality here. It's really just sort of in the, you know, these are sort of facts. Maybe you say, well, the way I arranged it or something like that is original, but it's a very weak, kind of weak on the scale of things that are copyright protected. I didn't see the ISS slides, but I wasn't super concerned about that. Um, I was more concerned about what are they saying are the copyright rights with regards to code and what did, what, what if anything did Mike do that might be problematic there. So now the thing about copyright is it's supposed to be this balance between the, uh, creator who gets paid for their original work and the public who has a right of access to these things that are being sold in the marketplace. And the way they balance this out or try to balance this out is that the owner gets to retain certain rights with the exclusive rights of the owner. I've listed those in bullet point three. While the public gets some rights of access and also has the fair use right, as well as some statutory rights. 
One of the statutory rights that's really important I think for, um, for software people is the, uh, right in section 117, which basically says if you legitimately own a copy of a program, you can change it in order to make sure it keeps working for you. You know, you don't have to like, uh, you don't have to just be stuck with it and the format it came in, you can make some changes to it. So that's a, you know, useful one because it, you know, you're, you're basically gives you a certain kind of freedom to tinker with the software that you legitimately own as long as you don't, um, you know, violate the other rights or sell it or later or that sort of thing. Um, and then you have some rights to reverse engineer it. Because reverse engineering is generally considered to be fair use. So let me explain just a little bit about, I've put the four factors for the fair use test up here. And there's two things I really want you to, to get out of this. One is that the way we talk about fair use in the law is that we, fair use is a defense, not a right even though I said it was a right. That's sort of wishful thinking on my part. Um, the truth is it's a defense. And so what's the difference? Okay. And we sort of kind of got down into dealing with this at the Black Hat conference. So I'll sort of use the example that a guy there used. If it's a defense, it basically means if you are accused of copyright infringing, you can then come back and say, hey, I wasn't infringing because I, it was fair use. And that's a legitimate defense. What it doesn't mean is that you have the right to do it and no one can stop you from doing it. Okay. So is that distinction clear? It doesn't, it's not like, if I do something like that makes it so that you can't copy it at all, and you can't make any fair use of it, then if it was a right, you could say, well, you're not allowed to do that because I have the right to use it. But if it's a defense, you don't have a right to do it. 
It's only if you then do somehow violate the copyright, you can say, well, I shouldn't be in trouble for having done that. The second thing I want you to get out of this is that this is like your multi-part four-factor test, and the factors are weighed kind of differently. The last factor is, you know, given the most weight because as I said, a big part of copyright is about making sure the owner gets paid. But there's a good and a bad thing about having a law like this. The good thing about having a law like this with a four-factor test is it's flexible. And we need flexibility because, you know, there's all sorts of different creative works that come up. There's lots of stuff that comes up in software engineering that nobody thought about necessarily when the fair use, you know, when courts created fair use and when it was codified into statute. So it's nice to have something that's very flexible and can sort of change meaning over time, because you don't have too rigid a rule that doesn't work, you know, that doesn't work in whole categories of cases. The downside is nobody knows what the hell fair use is, right? Because it is this flexible, fungible test and it kind of ends up being in the eyes of the beholder or whatever the judge thinks. So there's a lot of uncertainty in the question of fair use. Okay, so let's talk specifically about reverse engineering. There are many cases, and I'm not going to go through them right now, because I do want to be relatively quick, that say that reverse engineering is a fair use, specifically because copyright doesn't protect functionality or facts or ideas, it only protects originality and original expression. And the cases say basically if you need to make copies as part of your reverse engineering in order to understand the way that a program works, that's totally cool. 
What you can't do and what will not save you about reverse engineering is if you end up taking copyrighted code and using it in your final product, because there you're still making copies and you're using them and distributing them and taking advantage of that when you sell your whatever is the thing that you're creating, whether it's a patch or a competing product or a compatible product or whatever it is. The other thing is that there are a number of cases that suggest that if you come into possession of the software you're reverse engineering illegitimately, either your initial copy is infringing or something like that, then you're kind of in trouble. Well, that's sort of an interesting thing. Here, we'll get to that in a second. That's sort of an interesting thing because some companies try really hard not to sell their products to people who are competitors. And some companies, when they do sell their products to people who are competitors or to the public generally, do so with an end user license agreement. And the end user license agreement often says stuff like you're only going to use the software for these kinds of purposes, sometimes it says you can't reverse engineer it, sometimes it says you can't do benchmarking with it, sometimes it says you can't criticize or comment on the program without express written permission by the owner. So one question that the case law still kind of leaves open with reverse engineering is, well, what if I haven't, what if I buy the software secondhand or what if I have the EULA but I disregard it and I reverse engineer anyway, what does that mean for my ability to raise a fair use defense later on? And the thing that's really, I want to sort of stress this also as well, the thing that's interesting about this is, you know, in the law you can do something wrong but then the question is, well, what happens to me next, right? 
So it's the same thing in real life, you know, you did something wrong but are you going to get the slap on the wrist or how much trouble are you going to get in and then you can kind of make some sort of calculation. Well, one thing about this section of the EULAs with the right to reverse engineer or the ability to raise that defense, if you have if the law says that these EULAs take away the defense of fair use and you can't have fair use defenses, then what that ends up meaning is that when you're accused of copyright infringement one of your defenses is gone and the reason why that's particularly bad is because copyright infringement has statutory damages associated with it. That means that they don't measure necessarily exactly what you did and how much harm you did by the infringement. So I made one copy and, you know, the copy was worth $10 so it's no big deal, it's just $10. There's a statutory thing that says, oh, well, you're going to owe this many thousands of dollars and more if your infringement was willful and some, under some circumstances copyright infringement is even criminal. So you get this very severe sentence if the result of breaking the EULA is that your right to raise the fair use defense is gone. On the other hand, we could look at the EULA more as just like a regular contract and if you violate a contract, well, the contract remedies are very different. People in business know that people break contracts all the time and it's totally okay. There's no moral opprobrium associated with breaking contracts. There's no punitive damages associated with breaking contracts, no statutory damages. It's basically, you know, if I do a deal with you and I later think I can get a better deal with somebody else, all you're entitled to is to be paid the profit that you expected to make on the deal. I pay you off, I do my deal with person B and, you know, if that's what's economically efficient for me, that's what I do and everything's fine. No big deal. 
Quite a bit different from having a result of it taking away your fair use rights, okay? So that's an important thing to think about here. Maybe you're still doing something wrong like, oh, you broke the EULA but, you know, what does that really mean? Okay. Yeah. So when you're using copyrighted code in the final product, how much of that code gets you in trouble and how much of that code is fair use? So this is a pretty common question and, you know, a lot of times in industry they'll have some kind of bright line rule to try to get rid of the subtleties of the fair use test and they'll say you can use 20 notes or you can use five lines or something like that. Well, that's all wrong under the law actually. None of those rules are really actually true. This four factor test is the test, okay? And this is very fact specific. So you're going to look at why you used it, whether you made money off of it, how creative was the part that you used, how much you used as comparison to the whole amount of code overall and whether your use of this had an effect on the potential market for that piece of software. And this market factor, as I said, is the most important one and it's one of the most complicated and interesting ones as well. So, because, you know, you can have a lot of different types of effects on the market for something. It could be, I think the one that this test is getting at, which is that your thing, which maybe is infringing supplants or takes the very place of this exact thing, or it can be that you hurt the market for it in some other kind of way. So in one of the big reverse engineering cases, it's a video game case. A lot of these reverse engineering cases are video game cases. It's very sort of innovative and competitive market. And in this case, it's Sony versus Connectix. Basically, Connectix wanted to make an emulator so that you could play Sony PlayStation games on your computer. 
And they made copies of the Sony BIOS in order to make their emulator. And Sony said, hey, this is not fair use. You're making copies and you're affecting the potential market for our works because we sell, our idea is that people are going to buy the PlayStation box and buy the games and that these things go together. And your emulator is taking the place of your emulators eating into our profits because who's going to buy the PlayStation box if they can, you know, play it on the emulator. And I think the court made the right decision in that case and the court said, that's not the kind of market harm we're talking about. We're not talking about something that helps consumers have choice or that unties one product from other products, goods and services. We're talking about something that's like basically taking the exact same market sector or the exact same market niche and replacing that. So it's a complicated test in a lot of ways. The market factor is the most important and that one's particularly complicated. We've seen other cases that kind of, you know, sort of dance around this and trying to define what's interfering properly with making sure that something's not anti-competitive or that customers still having aftermarket choices and what's interfering with the real market for the original work is kind of a subtle thing. So there's no bright line rule I can give you as a short way, the short answer. That's the long answer. The short answer, which is true for most of the legal questions is, it depends. So if you guys are having questions and you're like, I wonder what the answer is to that, I'm going to give you like nine out of ten odds, it depends. Okay. So for Mike, I think his use of the code snippets were pretty much classically fair use, especially because of the reason he was using them, right? Using them in a product afterwards, you can do it. 
I'm not saying it's not fair use, but it's not the classic kind of heart of fair use type of stuff that we think about, which is criticism and commentary and that kind of thing. So he had this, you know, very, very core central fair use type of reason for using the code, which is, you know, to critique. Okay. This is a summary of what I believe I've conveyed to you. Now, I just want to point out something I say. Limits are copyright law, contract law, DMCA. There's probably other limits. I just want to make a distinction between what I'm calling copyright law and what I'm calling the DMCA on this slide. We had some questions about the DMCA when I gave this talk at Black Hat. I just want to make it clear. So DMCA stands for Digital Millennium Copyright Act. It is part of the copyright law. But the way I'm using it here is to specifically refer to one section of the DMCA, which is the anti-circumvention provisions. And the anti-circumvention provisions are, let's see if I have them here, are a particular part of the law that some people have called like a quasi copyright or a para copyright for the owners. It basically prohibits you from cracking a technological protection measure, which you can think of as being digital rights management or something like that that controls access to a copyrighted work or trafficking in some tool that does the same. Now I've done presentations on this in the past. It's a very complicated statute. It has a couple of complicated exceptions, which are rather narrow in it. But a lot of times when you hear lawyers talk about the DMCA, they're either talking about DMCA anti-circumvention or another provision of the DMCA, which is the safe harbor provisions or notice and takedown, which is how ISPs and other kinds of intermediaries can protect themselves from getting dragged into copyright fights between posters and people who post stuff and owners and stuff. So I want to say that DMCA matters here. 
I don't necessarily consider it part of like the heart of copyright law, like, you know, sort of fair use, reverse engineering, even though it does impact reverse engineering and it impacts fair use rather substantially because it's this whole different kind of weird statutory scheme that doesn't necessarily have anything whatsoever to do with copying. It has to, you know, if you notice the way I phrase the first part, it's about something that controls not copying, but controls access to a copyrighted work and gives a copyright owner a rather broad set of rights kind of outside of the traditional exclusive rights of the copyright owner. Do you have a question? I don't know much about that particular, oh yeah, I'm sorry. He's asking about the TEACH Act, which he's saying it has some particular provisions about fair use for educational purposes, and I don't know much or anything really about that specific act and how it overlaps or interplays with this. You know, as another statute, it's going to be read, you know, they're going to have to be read in conjunction, but I don't know anything about that. I may be able to get you the, I see some people in here who might already know the answer to that. So I'll be able to get you an answer to that by the end of the talk. Yeah. Yeah, so his question is with DRM, which can last forever, isn't that kind of contrary to copyright law, which inherently has to have some kind of limited time, even if that limit is long after all of us are dead and gone. And I think the answer, well I rephrased, but I think the answer to that is clearly yes, and this is one of the real concerns that people have librarians and public interest people and free speech advocates and creators have about DRM, which is that you know, it's perpetual and technically copyright is not. So what, you know, what are you supposed to do once copyright ends? Do you have any right to crack DRM? 
And if you're not able to crack DRM because you're just like kind of a normal person who doesn't know how to do that kind of stuff, are you just SOL or what are you supposed to do? So it's one of the real problems with the DMCA. Definitely. Okay, I'll take one more question here in the front. Good question. So what I'm saying here is that while, what I mean to have these two read together, what I'm saying here is while the DMCA anti-circumvention provisions have been successfully used to threaten security researchers in the past, none of these cases have actually gone to decision by a judge. Where a judge has said this is an appropriate proper use of the DMCA. In every case, one or the other of the parties has blinked and they have backed down. So no court has ever said yes, you're right, this security researcher. There's rampant numbers of cases where this has happened. The Ed Felten SDMI situation, SnoSoft and their Hewlett-Packard work, Blackboard and the Interzone presenters. So there's just a lot of examples, but these were all things that were kind of pre-litigation and didn't end up getting settled. So thank you for asking that question because it does clarify my slide. Yes, of course. Okay, so the question was about California anti-SLAPP law and the intersection with whether researchers can use that law in order to help themselves. Okay, so California has a law that says that if I get, let's say it's me, I'm getting sued. I'm getting sued for something and what I'm getting sued for is connected to my right to free speech or petition or talking about something that's in the public interest. If I'm sued, I'm allowed to make a motion that says, in a very early stage of the litigation, prediscovery before I've spent too much money and stuff, that says, okay, plaintiff, prove that you've got some likelihood of prevailing on the merits before you drag me through court and make me spend all this money. 
It's California's way of trying to protect people from suits that are intended to squelch criticism or other sorts of First Amendment activities. Other states have these statutes. New York has one. I know some other states have them too. None are really as broad as the one that we have in California. We have a nice healthy anti-SLAPP statute in California and if you win, you get attorney's fees which of course the attorneys really like. And people like it too, but they don't have to pay the attorneys then because the other side pays the attorneys. So it kind of gets to the question of whether, you know, whether let's say you were going to publish a researcher and you were going to publish something or you do publish something. Let's say they sued Mike Lynn in California. He published his Cisco stuff and the question is, well, could he bring an anti-SLAPP motion? And I think the subtext of that question is, is it free speech, what he did? So is code speech? Let's say he put out his findings in code or his PowerPoint or whatever. Well, the law has pretty much settled that code is speech. It is a way that people who can read code communicate with each other. It expresses some sorts of ideas and learning and knowledge. And so, you know, we pushed, as the civil liberties people, we pushed pretty hard for courts to recognize that code was expressive, recognize that code was speech at very early stages of the game. And the reason we did that was we really did it in like 96 and around that time when we were having the encryption wars. And we wanted to say, you know, let people publish their encryption algorithms because encryption algorithms are speech. It's part of university research and all of that stuff. Well, the flip side of that coin of code being speech is that it's expressive. And if it's expressive, then it's protected by copyright also. So yes, it's speech, but yes, it's also copyright protected. 
So in some ways you're allowed to make it, but in other ways, once somebody's made that code, other people are restricted from the ways in which they use it. And so it is protected, but protection doesn't necessarily mean, as with everything and the law, that it's absolute. Like you can just write whatever code you want and do whatever you want with it and there's no ramifications. There are limits to it. One of the limits is that they look at code, they know it's speech, but it's also functional. And so it's not, you know, sort of analogous to other things which are actions but which have a communicative aspect to it, like let's say burning the flag. Okay, so there are some ways in which they can regulate that. They can say no burning things, right? And there's some ways in which they can't regulate things. They can't say no burning the flag in order to express your distaste for the country's policies, because that's getting at the speech part, but the more general rule is okay. So we've seen a lot of cases where there have been First Amendment challenges to regulations on speech. For example, challenges to the DMCA anti-circumvention provisions. We've said, hey, you know, we're distributing code that tells how to decrypt DVDs. This is First Amendment speech. And the courts have said, yeah, you know, the First Amendment plays in, but the prohibition is general. And you can have general prohibitions that impact speech as long as they're not targeting the communicative part of the message, it's okay. Other limitations to what is a freedom to distribute your code might also be aiding and abetting law, like if I do it with the knowledge that the person to whom I'm giving it is going to use it for a crime, that's bad. Conspiracy law, if I give it to somebody with an agreement that they're going to use it to commit a crime and my giving the code over is part of my helping that conspiracy come to fruition. 
So, you know, there are definitely limitations to that, but these are limitations that just to round out the question in the context of anti-SLAPP, the plaintiff, once I show that it's about speech, the plaintiff has to show these things, you know, don't apply and that they have a valid case. Okay, does that make sense? We're covering so much stuff, this is great. Okay, let me go back. Okay, let's talk about trade secret. So trade secrets are another sort of type of intellectual property, although they're very different in a lot of ways. Basically it's something that's valuable because it's not generally known. So what kind of thing is this? You know, what was the trade secret supposedly for, what was the trade secret supposedly for Mike Lynn? Well, you know, one question is, do they think that the trade secret is the fact that there are limitations or vulnerabilities in the Cisco code? You know, and I have actually had people tell me, lawyers on the other side, tell me that they believe that the fact that their code doesn't work right is the trade secret. You know, you can see why it makes sense. This is the problem with these laws. You know, it's like, well, are products worth more because people don't know that it's insecure and so, you know, that's our trade secret. And then this has been successfully used. I mean, I've represented people who haven't wanted to fight over this sort of argument before. And in 2003, door access company Blackboard was able to use the trade secret law to get an injunction against two researchers and stop them from presenting their research at the Interzone conference in Atlanta. So, you know, it's not, it's sort of ridiculous. And hopefully what we're going to see is that judges will kind of get this more than they have in the past and they'll understand more because you can see if we had that same rule with cars. 
You know, sorry, Ralph Nader, you can't tell people that if you rear end the Gremlin, it's going to blow up because then nobody will buy Gremlins and that would be terrible. So, you know, what's the secret? Well, sometimes source code is secret, right? And you guys, maybe a lot of you know, you get source code and you're allowed to work on it, but you're not allowed to disclose it because you're under NDA. And what's NDA? It's another kind of contract, right? So this is a situation where a contract can kind of make something secret. And it makes a lot of sense that a contract would make something secret when it's an NDA because you're an employee, you come to the company, you negotiate the thing and you know, you're getting money in order for working on the case and it's all well and good. Well, what about other kinds of contracts like EULAs or Terms of Service or that kind of thing? Can those kinds of contracts keep the members of the public who aren't employees or anything like that? Can that kind of put you under a sort of de facto NDA so that you're kind of covered by the trade secret law even though they're distributing code out into the wild? And this was one of the issues in Mike's case. You know, Cisco sells their binary with the long with you can get it. It's out there on the routers. If he decompiles it and finds something, if the NDA says you're not supposed to decompile or you're not supposed to reveal, rather not the NDA, if the EULA says that, then it's somehow implicated or somehow does trade secret law come into play. Yes, question back there. Okay, so his question is if you come across something and it would be negligent not to reveal it or to continue to distribute the product in that way, what effect does that have on the EULA or the NDA? And that's a great question. It's a complicated one because there's no answer. So there's the other answer. The other answer in the law is we don't know. So you have two, okay, and you can choose. 
It's like, it depends. I shouldn't have said nine out of ten. It should be like seven out of ten. It depends. And then, you know, three, the other three is like, we don't know. So in this one, we kind of don't know what the answer is because trade secret law, you know, in copyright law, we have this whole like whether you think it works well or not, we have this accommodation for public access. It's fair use. Criticism is allowed, blah, blah, blah. Well, we don't have that in trade secret. You know, I'm showing you the slide on misappropriation and it doesn't say it's okay to violate this law if you're doing so for the public good. Then we had a fellow at Stanford last year, David Levine who wrote a paper about this and about the way that trade secret law was kind of interacting with public goods and public infrastructure and, you know, that there wasn't any kind of exception. The Cisco routers are one thing. It's not just like a flaw. It's a flaw in like the routers that are the backbone of the Internet. It's pretty serious. But another really serious one is with eVoting, okay? So you have these eVoting machines. It's proprietary code. People want to know if they can look at the code and determine whether these machines do what they say they do and if they're robust and, you know, if they're secure enough. We know nothing's secure. But if they're secure enough and they say, no, sorry, that's our proprietary trade secret code, we're going to not let you look at it. Then what Levine argues in his article is that, you know, as more of these things become kind of intertwined with like our security or our economic safety or our democracy, there's got to be some point at which the trade secret law yields and allows public right of access so that we can make sure that you're not going to get in trouble for, you know, you're not going to get in trouble for talking about it. 
Now, just to kind of take it into, take a step back into the way it is now, you know, it's sort of a comparison is we still do have these laws apply to people who are whistleblowers for important stuff, you know, and we have, you know there are situations where laws are enforced or could be enforced against people who are simply reporting the wrongdoing of others and that's why we have specific whistleblower protection statutes that maybe work in kind of narrow areas but don't necessarily apply overall so that if you work at AT&T and you know that the NSA has a secret room into which they're funneling all of our communications and you take the internal AT&T trade secret documents or classified government documents and you give them to a civil rights group or to a reporter, there's not even now in the law something that necessarily says that that's okay even though that might be in the public interest. Same thing for those of you who've seen The Insider or Silkwood or, you know, any of these whistleblower type movies, you know, we don't necessarily have that kind of protection now and there may be reasons why in the computer context it's different, you know, than it is in these other situations or it may be that overall we've just kind of stomached a kind of unhealthy amount of you know, an unhealthy amount of chilling on this sort of whistleblowing or, you know, kind of scrutiny of stuff that matters to the public. So we're going to have to see but this is a problem that is, I think, slightly endemic to security researchers but not entirely novel. Okay. So you can see here that it says that, oh here, what misappropriation of the trade secret is, it says reverse engineering or independent derivation alone are not improper means. That's great. But what is "alone", and this is the California statute, which is rather broad, what does "alone" mean? What if there's a EULA?
What if there's the terms of service and it's not just "alone" but you didn't just reverse engineer but you did it somehow in violation of the EULA, does that somehow, you know, implicate your trade, you know, bring trade secret law to bear on you? Okay. So here's kind of a summary of my point about this. What can, what does a EULA or NDA really do? What effect does it really have? Some cases on EULA enforceability, there's a few more that are really interesting. I wrote a column about it which was out on Wednesday on Wired News so you can look at that for more information about the fascinating issue of EULAs. And the thing I would say about EULAs is it's a little bit similar, the issue is a little bit similar to the question the gentleman over here asked about the DMCA and DRM measures and the limits in copyright. It's like here we have this copyright law that, you know, allegedly Congress and judges have sort of balanced for us and then you've got DRM which is just imposed by the copyright owner, it's like take it or leave it, it's whatever they want and it doesn't necessarily take into account any of this public rights of access. It was very similar with these EULAs. Here we have trade secret law and there's like some exceptions and, you know, there's judge-made law about how, you know, it's supposed to work and what if the EULA overrides everything and, you know, you don't get to negotiate these EULAs, it's just, here's your EULA, take it or leave it, this is the rule, this is what the vendor wants, now you're stuck with it. So, you know, we really have this kind of conflict between the public creation of laws and then kind of a private ordering or a private control of what you actually can do enforced either through technology, like DRM, or through contract.
So, you know, this is one of the reasons why this is such an exciting and interesting area of the law and also one of the reasons why we have no idea what's going on and you know, we're all totally clueless. Okay, so I'm going to talk very briefly about patent infringement, this is something I know almost nothing about but I want to just talk a little bit about the HID claims with regards to the RFID spoofer, you know, basically the top is what patent infringement is, thank you. And then the bottom it says, well, you know, I think that there's some like, just like I thought there's some theoretical sense to some of the other ridiculous arguments that vendors and companies have made, it makes some theoretical sense because if you have a monopoly over how RFID readers work, okay, because note that patent infringement is very different from copyright, it does control inventions and it does control and regulate ideas, then you know, if you create a reader that works in basically the same way then theoretically kind of make some sense that maybe you're infringing the patents. So, the good thing about patent infringement in terms of what people, you know, in terms of access is there's not statutory damages, there's only actual damages, so, you know, you're not facing this huge number that's completely disconnected from reality if you do end up infringing patent. And that can be less of a chilling effect on people than it might otherwise be. But this thing cuts both ways. So, this is a website that was brought to my attention a couple months ago but it doesn't exist anymore, so I didn't have the I couldn't get the, I couldn't get the, I looked at it on the Google cache, so hopefully this is close to what the most modern version of it was. But basically this was a website organized by some people who wanted to kind of, I guess, in a way sort of stick it to the man over this patent law stuff. 
And basically what they were saying is, yeah, we're going to do security research, we're going to find flaws in security, we're going to create patches and fixes, and we're going to patent them. And if you want to fix these flaws, you're going to pay us a patent license and we're going to, you know, make money that way and if you don't, we're going to enforce our IP rights. So, you know, as I said, at Black Hat, it's like some part of me is like really amused by this. And then things like yeah, yeah, show them how stupid it is, man. But, you know, some part of me show, it's really like this is why, you know, you can't, this is why having intellectual property law in this field is really counterproductive for computer security. You know, you can't have, when you have something important like this, you have these like really strong private interests that are primarily finance motivated, you can really end up in a kind of IP war where nobody really benefits very much at all. Okay. So, there's my thing of vulnerability reporting, here is my current information, here's my, oh, I didn't put that in there. Well, I thought I had changed this one. Anyway, I'll have cards and I'll tell you my new phone number. I don't know exactly what it is. But you can email me or Google it and you'll see. It's the main EFF number and then I think my extension is 134. So, for those of you who are writing it down, I have eight more minutes. So, I'm going to take questions and while you guys raise your hands for questions, Joe, do you want to come up and answer that TEACH Act question for me? Thanks. So, this is Joe Gratz. He's from Keker & Van Nest and I met Joe when he was our summer intern many, many years ago at Stanford and he's my copyright expert for the day. So, I'm going to let him answer whoever asked the TEACH Act question over here. Okay. Thanks. Hi. I'm Joe. So, that was a totally cool TEACH Act question.
The TEACH Act is this obscure part of copyright law that lets you do distance learning. And unfortunately, the answer to the question I think is it doesn't have any bearing on the DMCA at all. So, what the TEACH Act lets you do is make performances and ephemeral copies of, like, literary works and stuff for distance education. But one thing it doesn't necessarily let you do is circumvent copy protections in order to make those performances. So, we can talk about that more but that's the short general answer. Thank you. Sure. Yeah. He's going to be my second brain for the hard copyright questions I don't know any of the answers to. Okay. Other questions? Anybody in the back who hasn't got a chance? Okay. Yeah. Sir. So, he says it doesn't seem like the public good defense is getting any traction. What about, like, a private good nuisance or sort of a you-harmed-me kind of thing? And you mean by putting out insecure software or by distributing vulnerabilities that other people use to attack or something like that? Oh, like, I need to fix my router because you're causing a nuisance by distributing this crappy non-functioning item. So, this has been a big topic in this area for a long time is what kind of civil liability could there be to kind of encourage vendors to do better or to discourage researchers from reporting for people who feel like that's something that they want to do. And while there's been more movement on the discouraging of researchers than there has been on the holding vendors liable, there hasn't really been that much in the that's actually reached a court decision. And I guess I feel sort of two ways about that because on the one hand you know, I do think that like manufacturers of other products they have a responsibility to their customers to put out a product that is safe and secure.
You know, it's sort of like we expect that in all the other realms of commerce, but for some reason, you know, it's sort of not done here and you know, they have all these disclaimers and disclaimer of warranties and you know, that sort of thing and like how can these work? How can you really do business this way? It's kind of bad. And it would definitely incentivize give, you know, incentivize making things more secure. So, you know, a lot of times sometimes things aren't secure because it's hard to secure things and sometimes things aren't secure because it's cheaper for them to just ship it to you and let you deal. You carry the cost. They're in the best positions to fix it but you carry the cost. So, wireless routers are a perfect example of this. The wireless router, they ship them insecure. They don't like have a default with a password on it. And the reason why they don't do that is because A, if you get hacked, it's your problem not theirs. And B, if they put the security on it, it's much harder for normal people to install it in their houses and then they get more calls to customer service and those customer service calls are really expensive. So, you know, that's the calculation there. What do they care? So, you know, you're like well, they're in the best position to secure it. Why not put the burden on them? That's what economic theory in the law says. Say that the legal responsibility falls on the person who can, you know, is in the best position to fix it. But on the other hand, when I think about the way that software is made, I mean, one person can be responsible for a really great program that a lot of people use. Or it could be open source and like a community or a collective of people could have done it. 
And I'm a lot more uncomfortable with people who are producing software kind of not for profit or who are producing it under kind of a different economic business model or something like that being held liable for mistakes in the you know, being held liable for mistakes in the program. One of the things that you know, we generally kind of fight for in our field is this idea that it's this idea that you know, innovation is harmed by having too many legal rules right up front. And this was something we argued with the encryption debates. It's something we argued with the copyright software, like peer-to-peer you know, in Napster and Grokster we said like, let peer-to-peer flourish, let's see what it brings. Sure, there's some copyright infringement that it brings now, but let's see what happens. That actually turned out to be totally right because what did peer-to-peer bring us, it brought us VoIP, which is awesome. And you know, has nothing to do with copyright infringement. Phone companies hate it, but people love it. So, you know, that we were right about peer-to-peer. This is a valuable technology. Let's see what happens. And not let the fact that the early adopters are almost always criminally associated stop us from seeing how technology can innovate. And so, you know, I personally, it's a great question, but like I personally am just of two minds, you know, of about the liability issue. I'm going to take that person's question in the back and then that's it. Yeah, that's a great question. Thank you. So he's asking about the effective sort of the international aspect of it and whether what we're going to see because of the kinds of rules we have here is that we're going to kind of have like a brain drain, I think is what they call it. And people will move out of the country to do their research elsewhere as they have. 
Well, I can tell you that the DMCA anti-circumvention provisions have caused a lot of researchers from other countries to not want to come to the United States and present their research. So there's been a little bit of a boycott associated with that particular law. And there are some things that companies do for which they don't want to do any of the development in the United States because they don't want to be subject to United States law. But we are, as the United States, we're really making a big push to homogenize our laws with other laws internationally. We have the European Cybercrime Treaty, which the United States is a signatory to, and other kinds of rules where we're trying to kind of make it so that certain things are pretty universal. The DMCA is under the WIPO Treaty and other countries that are signatories also have a DMCA. They don't necessarily have it written in the same kind of very broad manner that we have with a lot of prohibitions. There's other ways you could write it and also be in compliance with that treaty. So I don't know exactly what's going to happen. In some ways I think these laws are kind of bad, but in some ways I think we're still sort of in good shape. I mean, you guys are here, it's a really robust industry. There's a lot more money and compensation for researchers than there used to be, which is great. It incentivizes a lot of good work. And we do have the First Amendment here, which a lot of places don't have. So I'm not sure that we're actually at the point where you guys all need to move to Canada or anything like that. I think we're still kind of trying to figure out and see how we can make it work. So don't update your passport just yet. Okay, it's 10:50. I need to stop. I think I'm going into another room over here for questions and answers. So if you have other questions and stuff, please come in there and thank you very much for coming, especially so early. Thank you.