Don’t look at escaped Microsoft code — smart legal advice

Linux Journal has some good advice for anyone involved with Open Source software development.

As a reminder to our readers, we are repeating the same advice we published in 2000, the last time Microsoft’s source code was compromised. Don’t look at it or you could contaminate yourself legally.

The Wall Street Journal reported today [October 27, 2000 — Ed.] that Microsoft and the FBI are investigating an intrusion in which unknown attackers had access to Microsoft source code for three months. Although nothing purporting to be Microsoft source code copied in the intrusion has surfaced yet, any such code poses a legal risk to people who read it and to any free software project that accepts contributions from those people.

“Anybody who wishes to be involved in free software should have nothing to do with anything claiming to be Microsoft source code released without license or in any informal way,” said Eben Moglen, general counsel of the Free Software Foundation and professor of law and legal history at Columbia University. Microsoft, he said, would be in a position to seek damages from anyone trafficking in misappropriated trade secrets, which can include merely reading the Microsoft code and then contributing to a free project.

If offered any code that implements Microsoft-like APIs, or uses Microsoft’s file formats or protocols, the FSF will go beyond its normal legal paperwork to make sure that the contributor has not had contact with Microsoft’s proprietary information. “We would certainly take additional measures to prove the absence of any relationship between developers and Microsoft’s trade secrets,” Moglen said.

Free software developers are already careful to keep themselves insulated from any contact with proprietary information. Jeremy Allison, one of the lead developers on the Samba project, said that his response to one anonymous offer of Windows NT source code was, “You’re offering to end my career. Thanks but no thanks.” And the Samba team, he said, will refuse to work with anyone who has seen Microsoft’s proprietary code. “Anything we do has to be completely legal,” he said. “There are plenty of people who can work on it who haven’t seen Microsoft source code.” His advice to anyone planning to write free software in the future is, “Stay away from [proprietary Microsoft source code] at all costs.”

The Microsoft code leak — a legal perspective

Groklaw asked a well-known US academic lawyer (Dennis S. Karjala, Jack E. Brown Professor of Law, College of Law, ASU) to comment on the legal implications of the Wincode leak. Here’s what he wrote:

“Media reports say that portions of Microsoft’s source code for Windows have leaked and found their way onto the internet. Is this now an opportunity for would-be cloners of Windows to find out how it really works and make their own, let us assume noninfringing, operating systems that are Windows compatible? Or would any such attempt be a violation of Microsoft’s copyright or trade secret rights, subjecting such a competitor to suffer the legal wrath of Microsoft’s litigation teams?

Without knowing more of the facts, the answer could be, “Both.” To the extent that source code is now being widely distributed over the internet, horn book trade secret law would say that Microsoft has lost its trade secret rights (although it may have a claim for damages against the leaker). The code is simply not a secret any longer, notwithstanding Microsoft’s best efforts (let us assume) to keep it so.

Copyright, however, poses a different problem. Every transfer of the code on the internet, and indeed every use of a computer to look at the code, involves making a technical “copy.” Courts have fairly uniformly held that such technical copying – made necessary by digital technology – infringes Microsoft’s exclusive right to reproduce the work in question (here, the Windows source code, a literary work). Absent fair use, anyone who causes his or her computer to put the code onto the screen (or to print out the whole version) is subject to all of the draconian remedies of copyright.

On the other hand, it is still not yet an infringement of copyright simply to read an infringing copy of a work (unless perhaps you break through a technological measure designed to control access to it, which would invoke the DMCA). If someone, without any involvement by you, prints out a copy of the source code and sends it to you, or if you just happen to find such a copy lying around somewhere, reading that copy does not infringe any Microsoft copyrights. (Conceivably, if someone has independently called the document to the computer screen and you happen by and read it after it has been stored in RAM, you are equally in the clear.)

Depending on how far the distribution goes, it seems to me likely that both of these scenarios will take place. Whether Microsoft will go after the infringing ones, especially after infringing hard copies become widely available for noninfringing study, is difficult to predict. But this is in any event unlikely to stop development by others working from illegally made copies that they had no part in making. If that is the case, this event may actually lead to a lessening of Microsoft’s strong grip on the PC operating system market.”

More copyright thuggery

“According to an article in the Irish Times (registration required) the Joyce estate has informed the Irish government that it intends to sue for copyright infringement if there are any public readings of Joyce’s works during the festival commemorating the 100th anniversary of Bloomsday this June.

James Joyce died in 1941 and the copyright in his work expired in 1991. Then the EU extended terms to life+70 years, and the work went back into copyright in July 1995. The estate has been very active in enforcing their copyright, suing regularly. While some of their actions have been aimed at issues such as protecting the memory of Joyce’s daughter Lucia from scrutiny, other suits have been against non-commercial uses of the works by fans. As such, they seem solely concerned with the financial health of the estate [admittedly one of their roles] having no concern for nurturing the greater cultural legacy of Joyce.

The Irish Times notes that ‘In 1998, the Joyce estate objected to readings of Ulysses live over the Internet, which was facilitated by Ireland.com. The case was settled out of court.’ Now the estate has issued a letter to the Irish government warning that all use must be cleared with the estate – which means that there can be no public reading during the festival, and a planned production of Joyce’s Exiles by the Abbey theatre must be cancelled.

Public readings do not displace commercialised use of Joyce’s work, so the estate does not lose income from their occurrence. Of course, the estate is technically within its ‘rights’ (though this does indicate reasons for reforming European copyright law) but such vigorous enforcement is unnecessary and distasteful.

Thanks to funferal for the link.

Shock, Horror!!! Writers secretly review their own books! And give them Five Stars!

Whatever next! A security glitch on the Amazon.ca site revealed the names of the ‘anonymous’ reviewers who post those helpful reviews of books. And guess what? Some of those anonymous reviews were posted by authors of the books being praised. I ask you!!! The phoney outrage of the mainstream media about this is wonderful to behold.

Thinks… I should have thought of doing that when my book came out. Rats! Another golden opportunity missed. No wonder I haven’t got on in life. Sigh….

Courage online

BBC Online technology correspondent Ivan Noble was diagnosed as having a malignant brain tumour last August. Since then he’s been writing an online diary about it. He will have an operation next week, but nobody (he says) expects him to beat this rap. Like many readers, I am moved by his undemonstrative courage. My Sue had it too.

Light at the end of the spam tunnel?

One of the reasons spam has become so ubiquitous is an intrinsic flaw in Simple Mail Transfer Protocol (SMTP) — the Internet protocol that handles the sending of mail. Basically, SMTP doesn’t concern itself with authenticating the sender of an email message. This is because it was designed by a community of researchers who trusted one another. But this flaw is what is mainly exploited by spammers, who spoof senders’ addresses to fool SMTP. I’ve long wondered why the Internet community hasn’t decided to close the loophole. Now, it appears that things are happening. An eWeek article reports that:

“A grass-roots movement to improve the SMTP protocol that governs e-mail traffic is gaining acceptance, and its lead developer hopes to get fast-track approval by the Internet Engineering Task Force to make the emerging framework a standard. The developing framework, known as Sender Policy Framework (SPF), would prevent the spoofing of e-mail addresses and hijacking of SMTP servers, common tactics used by spammers to remain anonymous to the millions of addresses to which they send unsolicited e-mail. The group behind SPF, known as SMTP+SPF, published its Internet draft Wednesday, the first step on the road to IETF approval, according to Meng Weng Wong, who’s spearheading the effort. Wong, the CTO of e-mail forwarding service Pobox.com, plans to attend the 59th IETF Meeting, which starts Feb. 29 in Seoul, South Korea, to make his case for the IETF to form a working group to study SPF. But Wong said he’s hoping for more than that. He wants the IETF to adopt the SPF framework, bypassing the workgroup stage.”

Hooray!
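To make the sender check concrete, here is an added example (not from the original post or the SPF project) of how a receiving server can compare the connecting IP address with the policy published by the domain in the envelope sender, using the `v=spf1` record syntax. The domains, addresses, the `SAMPLE_POLICIES` dict standing in for DNS and the `check_spf` name are all constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample policies. In SPF the sending domain's owner publishes this
# text in DNS; here a dict stands in for the lookup so the example runs offline.
SAMPLE_POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, policies=SAMPLE_POLICIES):
    """Evaluate the sender domain's policy against the connecting IP.

    Supports only the ip4, ip6 and all mechanisms. Anything else (a, mx,
    include, redirect=...) needs further DNS lookups and yields "unsupported".
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = policies.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":  # matches every sender, so it ends evaluation
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed address in the policy
        if network.version == ip.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran out of mechanisms without a match


if __name__ == "__main__":
    # Constructed SMTP envelopes: (connecting IP, MAIL FROM address)
    for ip, sender in [("192.0.2.25", "alice@example.com"),
                       ("203.0.113.9", "alice@example.com")]:
        print(ip, sender, check_spf(ip, sender))
```

A `fail` result for the second envelope is what lets the receiver reject mail that claims an `example.com` sender but arrives from a host the domain never authorized.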

Tim Berners-Lee wrote a lovely essay a while back explaining why it is anti-social (and dangerous for the network) to exploit a particular protocol to gain a commercial advantage.

Conor Gearty on Hutton

My friend Conor Gearty has a terrific 5000-word piece in the London Review of Books on the Hutton report. Excerpt:

“On his best behaviour, Scarlett made a final seizure of control by Number 10 unnecessary, constructing a document that pleased his political masters, and which required some further tinkering rather than a radical overhaul. The replacement of ‘could’ with ‘capable of being used’ and other concessions of this sort made at Campbell’s request have credibly underpinned the allegation of ‘sexing up’. But the whole document was in its conception, structure and language a ‘sexing up’ of intelligence: all Campbell was alleged to have been doing was ‘sexing up’ the already ‘sexed up’, like offering Viagra to a sex maniac. Right from the start, the intelligence community (a spooky term in every sense) should have had nothing to do with the idea of a dossier intended for public consumption. Instead they were drawn into the Campbell world of spinnery and sleight-of-hand, where even they – arch-spinners and sleighters-of-hand – couldn’t cope.”

Pamela Jones on IP mania

Interesting Wired interview with Pamela Jones, founder of Groklaw, about the Linux/SCO row and other matters. Quote: “With time I expect that as tech savvy-ness increases in the judiciary, and it will, someone will notice that software is just math, creativity and math, and patenting 1 + 1 = 2 will eventually set us up to where only the owners of that and similar patents can write software. Meanwhile the rest of the world will move ahead in development, while the United States is stuck in the mud because no one can write 1 + 1 = 2 without crossing somebody’s palm with silver.”

(Some) Windows code escapes into the wild

According to a BBC report, some of the source code for Windows 2000 and NT has been leaked onto the Net. Wonder how it happened — and whether it’s a byproduct of Microsoft’s “shared-source” initiative.

More… From CNET: “The 203MB file contains code from Microsoft’s enterprise operating system, but the code was clearly incomplete, said Dragos Ruiu, a security consultant and the organizer of the CanSecWest security conference, who has examined the file listing.

“It was on the peer-to-peer networks and IRC (Internet relay chat) today,” Ruiu said. “Everybody has got it; it’s widespread now.”

The 203MB file expands to just under 660MB, he said, noting that the final code size almost perfectly matches the capacity of a typical CD-ROM. The entire source code, he said, is believed to be about 40GB, meaning that the file circulating Thursday is only a fraction of the full code base.

“It looks real,” he said. “You can’t build Windows, however. It’s just a bunch of chunks of the operating system.”