Wednesday, May 20, 2020

Software patent debate

From Wikipedia, the free encyclopedia
The software patent debate is the argument about the extent to which, as a matter of public policy, it should be possible to patent software and computer-implemented inventions. Policy debate on software patents has been active for years. Opponents of software patents have gained more visibility, with fewer resources, over the years than their pro-patent counterparts. Arguments and critiques have focused mostly on the economic consequences of software patents.

One aspect of the debate has focused on the proposed European Union directive on the patentability of computer-implemented inventions, also known as the "CII Directive" or the "Software Patent Directive," which was ultimately rejected by the EU Parliament in July 2005.

Arguments for patentability

There are several arguments commonly given in defense of software patents or defense of the patentability of computer-implemented inventions.

Public disclosure

  • Through public disclosure, patents encourage the open sharing of information and additional transparency about legal exposure.
  • Through public disclosure, patents encourage the transfer of mechanical technology, which may apply more broadly.

Economic benefit

  • Software patents resulting from the production of patentable ideas can increase the valuation of small companies.
  • Software patents increase the return on investment made, which includes government funded research.

Encouragement of innovation

  • The ability to patent new software developed as a result of research encourages investment in software-related research by increasing the potential return of investment of said research.

Copyright limitations

Patents protect functionality. Copyright on the other hand only protects expression. Substantial modification to an original work, even if it performs the same function, would not be prevented by copyright. To prove copyright infringement also requires the additional hurdle of proving copying, which is not necessary for patent infringement.

Copyright law protects unique expressions, while patent law protects inventions, which in the case of software, are algorithms; copyright cannot protect a novel means of accomplishing a function, merely the syntax of one such means.

This means that patents incentivize projects that are unique and innovative in functionality rather than simply form. Copyrights, in turn, only incentivize uniqueness in form.

Protection for small companies

Software patents can afford smaller companies market protection by preventing larger companies from stealing work done by a smaller organization, leveraging their greater resources to go to market before the smaller company can.

Hardware patents analogy

Hardware and software are sometimes interchangeable. If people can patent hardware, then ideas describing software implemented by that hardware should also be patentable.

Arguments against patentability

Opponents of software patents argue that:

Software is math

A program is the transcription of an algorithm in a programming language. Since every (Turing-complete) programming language implements Church's lambda calculus by virtue of the Church-Turing thesis, a program is thus the transcription of a mathematical function. Math is not patentable. Therefore, neither is software.

Software encourages patent thickets

A patent thicket is a dense web of patents that companies must decipher to develop new technology. There are various types of patent thickets such as when a single innovation is protected by multiple patent holders or when a product is covered by numerous patents. The consequences of patent thickets are increased difficulty of innovation, complex cross-licensing relations between companies, and discouragement of newcomers from entering the software industry.

Hinders research and development

  • Some scientific studies and expert reviews have concluded that patent systems paradoxically hinder technological progress and allow monopolies and powerful companies to exclude others from industrial science in a manner that is irreconcilable with anti-trust laws.
  • Gary Becker, Nobel Prize–winning economist, argues, "Their exclusion from the patent system would discourage some software innovations, but the saving from litigation costs over disputed patent rights would more than compensate the economy for that cost."

Hinders innovation

  • The Electronic Frontier Foundation published the Defend Innovation whitepaper after doing two and a half years of research on software patents. They concluded that many overbroad software patents are being awarded, which is actually stifling innovation.
  • Interoperability is thought to promote innovation, and patent systems have the potential to block the development of such technologies.
  • There has been a lack of empirical evidence to suggest that patents have any positive effect on innovation, and furthermore, the system primarily “encourage[s] failing monopolists to inhibit competition by blocking innovation.”

Cost and loss of R&D funds

  • Should a software developer hire a patent attorney to perform a clearance search and provide a clearance opinion, there is no guarantee that the search could be complete. Different patents and published patent applications may use different words to describe the same concepts and thus patents that cover different aspects of the invention may not show up in a search. The cost of a clearance search may not prove cost effective to businesses with smaller budgets or individual inventors.
  • For the U.S. the economic benefit is dubious. A study in 2008 found that American public companies’ total profits from patents (excluding pharmaceuticals) in 1999 were about $4 billion, but that the associated litigation costs were $14 billion.
  • Software developers and hardware manufacturers may be forced to pay license fees for standards that are covered by patents (the so-called essential patents). Some examples are H.264, MP3 and GIF (that uses the patented LZW compression algorithm) and JPEG for graphics.

Copyright

  • It is argued that traditional copyright has provided sufficient protection to facilitate massive investment in software development.
  • Copyright is the right of an author(s) to prevent others from copying their creative work without a license. Thus the author of a particular piece of software can sue someone that copies that software without a license. Copyright protection is given automatically and immediately without the need to register the copyright with a government, although registration does strengthen protection. Copyrighted material can also be kept secret.

Software is different

  • Software programs are different from other electromechanical devices because they are designed solely in terms of their function. The inventor of a typical electromechanical device must design new physical features to qualify for a patent. On the other hand, a software developer need only design new functions to create a working embodiment of the program.
  • Software is a component of a machine. The computer’s hardware is generic; it performs functions that are common to all of the software that is capable of being executed on the computer. Each software program that is capable of executing on the computer is a component of the computer.
  • Computers "design" and build the structure of executable software. Thus, software developers do not design the executable software's physical structure because they merely provide the functional terms.

Trivial patents

  • Anecdotal evidence suggests that some software patents cover either trivial inventions or inventions that would have been obvious to persons of ordinary skill in the art at the time the invention was made.
  • Patent examiners rarely have a comprehensive knowledge of the specific technologies disclosed in the patent applications they examine. This is in large part due to the enormous number of micro-niches in the software field and the relatively limited number of examiners. So, patents are sometimes allowed on inventions that appear to be trivial extensions of existing technologies.

Open source disadvantage

  • The free and open source software community, and many companies that use and contribute to open source, oppose software patents because they can impede or prohibit the distribution of free software. They contend that patents threaten to undermine FLOSS, regardless of innovations produced by FLOSS collaborations.

Software patents' usefulness as an information source is limited

  • Some patent disclosures in the software field are not readable to some programmers; as a result, patents are rarely used as a source of technical information by software developers.[25]

Long patent pendencies

  • In the software industry, product lifecycles churn rapidly; a product can run through its entire lifecycle and become outdated during the time it takes a patent filed on the invention underlying it to issue.
  • According to the United States Patent and Trademark Office’s official statistics for 2015, the average pendency for patent applications categorized under “Computer Architecture, Software, and Information Security” was approximately two and a half years, exceeding the pendencies of all other patent categories.
  • The average total pendency of European technology patents in 2015 was approximately two and a half years. Technology patents in China, Korea, Japan, and Europe had first action pendencies of approximately one year compared to those in the United States, with first action pendencies of under two years. Europe and the United States have the longest total pendencies of around 26 months, while China, Korea, and Japan have shorter total pendencies from 15 to 21 months.

Patent trolls

  • Software companies are becoming patent hoarders, spending billions of dollars on accumulating patents and even more on litigation and settlements, resources that could be better put to use in creating new and innovative software advances. Too many patents are given out, making it difficult for developers to create new software due to the possibility of accidental infringement. Engineers say it impedes their creativity.
  • In 2016 IBM earned 8,088 U.S. patents, thus earning the most grants from the U.S. Patent Office for the 24th year in a row. They bested their closest tech rival by more than 2,500 patents. Behemoths like IBM, Google, and Oracle gather as many patents as they can in the fields considered 'hot', such as Artificial Intelligence, to limit the innovation potential of smaller firms. Patent claims were part of the Oracle America, Inc. v. Google, Inc. case, where Oracle claimed that Google's implementation of Java within Android violated Oracle's copyright and patents. Duke Computer Science Professor Owen Astrachan was involved in the case.
  • Not only large companies are patent hoarders. NPEs (Non-Practising Entities) are businesses that assert patents through litigation to achieve revenues from alleged infringers without practising or commercialising the technology covered by the patents they hold. NPEs are very effective in their litigation. Damages awards for NPEs have been almost 3 times greater than those for practicing entities over the last 5 years.

Disproportionately harms startups

  • Patent assertion entities (patent trolls) disproportionately affect startups, which are important for job creation and innovation. Companies with less than $100M annual revenue represent two-thirds of unique defendants in troll suits. A large percentage of startups reported that being sued by trolls resulted in significant operational impact.

U.S. Supreme Court decisions

Several Supreme Court decisions since 2000, as well as the Federal Circuit and district court decisions interpreting and implementing them, have dramatically impacted the status of software patents in the United States. They have particularly affected many thousands of business-method patents that issued as a result of Federal Circuit decisions in the 1990s. The two principal Supreme Court decisions were Bilski v. Kappos and Alice v. CLS Bank, the latter of which confirmed the applicability of the earlier decision Mayo v. Prometheus to computer-related inventions in which a computer was used to implement an abstract principle or preexisting business practice. (These cases are the subject of separate Wikipedia articles, which discuss the background and rulings in these cases in more detail, and supply authorities supporting the generalizations about those cases that follow. Additional detail is found in the Wikipedia article Software patents under United States patent law, along with supporting citations not repeated in this summary of those articles.)

Bilski case

The Bilski case involved a patent application on methods for hedging against commodity price fluctuations, which the PTO had rejected. The Federal Circuit, in In re Bilski, upheld the PTO's rejection on the grounds that the claims failed the machine-or-transformation test, which the court held should be used as the sole test of patent eligibility. The court did not hold that all business methods are patent ineligible, though a minority of the judges would have ruled that business methods are not properly the subject of patents. 

The Supreme Court affirmed the judgment of ineligibility, in Bilski v. Kappos, but on more general, and less articulated in detail, grounds of undue abstractness. It rejected the Federal Circuit's elevation of the machine-or-transformation test as the sole test of patent eligibility, saying that rather it was simply a "useful clue." The 5-4 majority refused to hold that all business methods were incapable of being patented, but four justices would have established such a rule. A concurring opinion pointed out that the Court was unanimous, however, as to many issues in the Bilski case, including a rejection of the Federal Circuit's late 1990s State Street Bank decision, which allowed patents on any advance, technical or nontechnical (and in that case a numerical financial calculation of stock price changes) that produces a "useful, concrete and tangible result."

The Supreme Court's Bilski decision was criticized because of its lack of detailed guidance on how to determine whether a claim was directed to an abstract idea. Nonetheless, it provided some clarification and affirmed the Federal Circuit's taking a new direction in its software-related patent cases.

Mayo case

In Mayo v. Prometheus, the Supreme Court invalidated a patent on a diagnostic method, because it non-inventively implemented a natural principle; the Court drew on cases involving computer software and other abstract ideas. In this case, the Court was much more detailed in describing how to recognize a patent-ineligible claim to an abstract idea. The Mayo methodology has come to dominate patent-eligibility law. It revived the approach of the Flook and Neilson cases, which is to treat the underlying principle, idea, or algorithm on which the claimed patent is based as if it were part of the prior art and to make patent eligibility turn on whether the implementation of it is inventive. This led to the "two-step" Alice test described next.

Alice case

At the time the Mayo case was decided, there was some uncertainty over whether it applied only to natural principles (laws of nature) or more generally to patent eligibility of all abstract ideas and general principles, including those involved in software patents. The Alice decision confirmed that the test was general. The Alice case involved patents on electronic methods and computer programs for financial-trading systems on which trades between two parties who are to exchange payment are settled by a third party in ways that reduce the risk that one party performs while the other does not. The patents cover what amounts to a computerized escrow arrangement. 

The Court held that Mayo explained how to address the problem of determining whether a patent claimed an unpatentable abstract idea or instead a potentially patentable practical implementation of an idea. This requires using a "two-step" analysis.

In the first step, the court must determine whether the patent claim under examination contains an abstract idea, such as an algorithm, method of computation, or other general principle. If not, the claim is potentially patentable, subject to the other requirements of the patent code. If the answer is affirmative, the court must proceed to the next step.

In the second step of the analysis, the court must determine whether the patent adds to the idea "something extra" that embodies an "inventive concept." If there is no addition of an inventive element to the underlying abstract idea, the court finds the patent invalid under section 101. This means that the implementation of the idea must not be conventional or obvious to qualify for a patent. Ordinary and customary use of a general-purpose digital computer is insufficient; the Court said, "merely requiring generic computer implementation fails to transform [an] abstract idea into a patent-eligible invention."

The ruling continued with these points:
  • A mere instruction to implement an abstract idea on a computer "cannot impart patent eligibility."
  • "[T]he mere recitation of a generic computer cannot transform a patent-ineligible abstract idea into a patent-eligible invention."
  • "Stating an abstract idea 'while adding the words "apply it"' is not enough for patent eligibility."
  • "Nor is limiting the use of an abstract idea to a particular technological environment."
The Alice decision met a mixed reception, but profoundly affected U.S. patent law. In its wake, as explained in the Wikipedia article on the case, courts invalidated vast numbers of so-called software and business-method patents (the overwhelming majority of those the United States Court of Appeals for the Federal Circuit considered) and the number of such patents issued has drastically fallen. The Alice decision has been widely criticized for its failure to specify in detail the boundaries of patent eligibility, but it has also been defended because its unanimity tends to stabilize decisional law in the field.

Subsequent developments

After Alice, the Federal Circuit and district courts invalidated large numbers of business-method and software patents based on those courts' interpretations of Alice. Federal Circuit Judge William Bryson summed this up in these terms:
In short, such patents, although frequently dressed up in the argot of invention, simply describe a problem, announce purely functional steps that purport to solve the problem, and recite standard computer operations to perform some of those steps. The principal flaw in these patents is that they do not contain an “inventive concept” that solves practical problems and ensures that the patent is directed to something “significantly more than” the ineligible abstract idea itself. [Citing Alice and Mayo.] As such, they represent little more than functional descriptions of objectives, rather than inventive solutions. In addition, because they describe the claimed methods in functional terms, they preempt any subsequent specific solutions to the problem at issue. [Citing Alice and Mayo.] It is for those reasons that the Supreme Court has characterized such patents as claiming “abstract ideas” and has held that they are not directed to patentable subject matter. 

IT law

From Wikipedia, the free encyclopedia
 
Information technology law (also called "cyberlaw") concerns the law of information technology, including computing and the internet. It is related to legal informatics, and governs the digital dissemination of both (digitalized) information and software, information security and electronic commerce aspects, and it has been described as "paper laws" for a "paperless environment". It raises specific issues of intellectual property in computing and online, contract law, privacy, freedom of expression, and jurisdiction.

History

The regulation of information technology, through computing and the internet, evolved out of the development of the first publicly funded networks, such as ARPANET and NSFNET in the United States or JANET in the United Kingdom.

Areas of law

IT law does not constitute a separate area of law; rather, it encompasses aspects of contract, intellectual property, privacy and data protection laws. Intellectual property is an important component of IT law, including copyright, rules on fair use, and special rules on copy protection for digital media, and circumvention of such schemes. The area of software patents is controversial, and still evolving in Europe and elsewhere.

The related topics of software licenses, end user license agreements, free software licenses and open-source licenses can involve discussion of product liability, professional liability of individual developers, warranties, contract law, trade secrets and intellectual property.

In various countries, areas of the computing and communication industries are regulated – often strictly – by governmental bodies.

There are rules on the uses to which computers and computer networks may be put; in particular, there are rules on unauthorized access, data privacy and spamming. There are also limits on the use of encryption and of equipment which may be used to defeat copy protection schemes. The export of hardware and software between certain states within the United States is also controlled.

There are laws governing trade on the Internet, taxation, consumer protection, and advertising. 

There are laws on censorship versus freedom of expression, rules on public access to government information, and individual access to information held on them by private bodies. There are laws on what data must be retained for law enforcement, and what may not be gathered or retained, for privacy reasons.

In certain circumstances and jurisdictions, computer communications may be used in evidence, and to establish contracts. New methods of tapping and surveillance made possible by computers have wildly differing rules on how they may be used by law enforcement bodies and as evidence in court.

Computerized voting technology, from polling machines to internet and mobile-phone voting, raises a host of legal issues.

Some states limit access to the Internet, by law as well as by technical means.

Jurisdiction

Issues of jurisdiction and sovereignty have quickly come to the fore in the era of the Internet.

Jurisdiction is an aspect of state sovereignty and it refers to judicial, legislative and administrative competence. Although jurisdiction is an aspect of sovereignty, it is not coextensive with it. The laws of a nation may have extraterritorial impact extending the jurisdiction beyond the sovereign and territorial limits of that nation. This is particularly problematic as the medium of the Internet does not explicitly recognize sovereignty and territorial limitations. There is no uniform, international jurisdictional law of universal application, and such questions are generally a matter of conflict of laws, particularly private international law. An example would be where the contents of a web site are legal in one country and illegal in another. In the absence of a uniform jurisdictional code, legal practitioners are generally left with a conflict of law issue.

Another major problem of cyberlaw lies in whether to treat the Internet as if it were physical space (and thus subject to a given jurisdiction's laws) or to act as if the Internet is a world unto itself (and therefore free of such restraints). Those who favor the latter view often feel that government should leave the Internet community to self-regulate. John Perry Barlow, for example, has addressed the governments of the world and stated, "Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different". A more balanced alternative is the Declaration of Cybersecession: "Human beings possess a mind, which they are absolutely free to inhabit with no legal constraints. Human civilization is developing its own (collective) mind. All we want is to be free to inhabit it with no legal constraints. Since you make sure we cannot harm you, you have no ethical right to intrude our lives. So stop intruding!" Other scholars argue for more of a compromise between the two notions, such as Lawrence Lessig's argument that "The problem for law is to work out how the norms of the two communities are to apply given that the subject to whom they apply may be in both places at once" (Lessig, Code 190).

With the internationalism of the Internet, jurisdiction is a much more tricky area than before, and courts in different countries have taken various views on whether they have jurisdiction over items published on the Internet, or business agreements entered into over the Internet. This can cover areas from contract law, trading standards and tax, through rules on unauthorized access, data privacy and spamming to more political areas such as freedom of speech, censorship, libel or sedition.

Certainly, the frontier idea that the law does not apply in "Cyberspace" is not true. In fact, conflicting laws from different jurisdictions may apply, simultaneously, to the same event. The Internet does not tend to make geographical and jurisdictional boundaries clear, but Internet users remain in physical jurisdictions and are subject to laws independent of their presence on the Internet. As such, a single transaction may involve the laws of at least three jurisdictions:
  1. the laws of the state/nation in which the user resides,
  2. the laws of the state/nation that apply where the server hosting the transaction is located, and
  3. the laws of the state/nation which apply to the person or business with whom the transaction takes place.
So a user in one of the United States conducting a transaction with another user in Britain through a server in Canada could theoretically be subject to the laws of all three countries as they relate to the transaction at hand.

In practical terms, a user of the Internet is subject to the laws of the state or nation within which he or she goes online. Thus, in the U.S., Jake Baker faced criminal charges for his e-conduct, and numerous users of peer-to-peer file-sharing software were subject to civil lawsuits for copyright infringement. This system runs into conflicts, however, when these suits are international in nature. Simply put, legal conduct in one nation may be decidedly illegal in another. In fact, even different standards concerning the burden of proof in a civil case can cause jurisdictional problems. For example, an American celebrity, claiming to be insulted by an online American magazine, faces a difficult task of winning a lawsuit against that magazine for libel. But if the celebrity has ties, economic or otherwise, to England, he or she can sue for libel in the English court system, where the burden of proof for establishing defamation may make the case more favorable to the plaintiff.

Internet governance is a live issue in international fora such as the International Telecommunication Union (ITU), and the role of the current US-based co-ordinating body, the Internet Corporation for Assigned Names and Numbers (ICANN) was discussed in the UN-sponsored World Summit on the Information Society (WSIS) in December 2003.

Internet law

The law that regulates the Internet must be considered in the context of the geographic scope of the Internet and political borders that are crossed in the process of sending data around the globe. The unique global structure of the Internet raises not only jurisdictional issues, that is, the authority to make and enforce laws affecting the Internet, but also questions concerning the nature of the laws themselves.

In their essay "Law and Borders – The Rise of Law in Cyberspace", David R. Johnson and David G. Post argue that it became necessary for the Internet to govern itself and that, instead of obeying the laws of a particular country, "Internet citizens" will obey the laws of electronic entities like service providers. Instead of identifying as a physical person, Internet citizens will be known by their usernames or email addresses (or, more recently, by their Facebook accounts). Over time, suggestions that the Internet can be self-regulated as being its own trans-national "nation" are being supplanted by a multitude of external and internal regulators and forces, both governmental and private, at many different levels. The nature of Internet law remains a legal paradigm shift, very much in the process of development.

Leaving aside the most obvious examples of governmental content monitoring and internet censorship in nations like China, Saudi Arabia, and Iran, there are four primary forces or modes of regulation of the Internet derived from a socioeconomic theory referred to as Pathetic dot theory by Lawrence Lessig in his book, Code and Other Laws of Cyberspace:
  1. Law: What Lessig calls "Standard East Coast Code", from laws enacted by government in Washington D.C. This is the most self-evident of the four modes of regulation. As the numerous United States statutes, codes, regulations, and evolving case law make clear, many actions on the Internet are already subject to conventional laws, both with regard to transactions conducted on the Internet and content posted. Areas like gambling, child pornography, and fraud are regulated in very similar ways online as off-line. While one of the most controversial and unclear areas of evolving laws is the determination of what forum has subject matter jurisdiction over activity (economic and other) conducted on the internet, particularly as cross border transactions affect local jurisdictions, it is certainly clear that substantial portions of internet activity are subject to traditional regulation, and that conduct that is unlawful off-line is presumptively unlawful online, and subject to traditional enforcement of similar laws and regulations.
  2. Architecture: What Lessig calls "West Coast Code", from the programming code of the Silicon Valley. These mechanisms concern the parameters of how information can and cannot be transmitted across the Internet. Everything from internet filtering software (which searches for keywords or specific URLs and blocks them before they can even appear on the computer requesting them), to encryption programs, to the very basic architecture of TCP/IP protocols and user interfaces falls within this category of mainly private regulation. It is arguable that all other modes of internet regulation either rely on, or are significantly affected by, West Coast Code.
  3. Norms: As in all other modes of social interaction, conduct is regulated by social norms and conventions in significant ways. While certain activities or kinds of conduct online may not be specifically prohibited by the code architecture of the Internet, or expressly prohibited by traditional governmental law, nevertheless these activities or conduct are regulated by the standards of the community in which the activity takes place, in this case internet "users". Just as certain patterns of conduct will cause an individual to be ostracized from our real world society, so too certain actions will be censored or self-regulated by the norms of whatever community one chooses to associate with on the internet.
  4. Markets: Closely allied with regulation by social norms, markets also regulate certain patterns of conduct on the Internet. While economic markets will have limited influence over non-commercial portions of the Internet, the Internet also creates a virtual marketplace for information, and such information affects everything from the comparative valuation of services to the traditional valuation of stocks. In addition, the increase in popularity of the Internet as a means for transacting all forms of commercial activity, and as a forum for advertisement, has brought the laws of supply and demand to cyberspace. Market forces of supply and demand also affect connectivity to the Internet, the cost of bandwidth, and the availability of software to facilitate the creation, posting, and use of internet content.
These forces or regulators of the Internet do not act independently of each other. For example, governmental laws may be influenced by greater societal norms, and markets affected by the nature and quality of the code that operates a particular system.

Net neutrality

Another major area of interest is net neutrality, which affects the regulation of the infrastructure of the Internet. Though not obvious to most Internet users, every packet of data sent and received by every user on the Internet passes through routers and transmission infrastructure owned by a collection of private and public entities, including telecommunications companies, universities, and governments. This is turning into one of the most critical aspects of cyber law and has immediate jurisdictional implications, as laws in force in one jurisdiction have the potential to have dramatic effects in other jurisdictions when host servers or telecommunications companies are affected. Very recently, the Netherlands became the first country in Europe and the second in the world, after Chile, to pass a law relating to it. In the U.S., on 12 March 2015, the FCC released the specific details of its new net neutrality rule, and on 13 April 2015, the FCC published the final rule on its new regulations.

Free speech on the Internet

Article 19 of the Universal Declaration of Human Rights calls for the protection of free expression in all media. This includes rights such as the freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

In comparison to traditional print-based media, the accessibility and relative anonymity of cyber space has torn down traditional barriers between an individual and his or her ability to publish. Any person with an internet connection has the potential to reach an audience of millions. These complexities have taken many forms, three notable examples being the Jake Baker incident, in which the limits of obscene Internet postings were at issue, the controversial distribution of the DeCSS code, and Gutnick v Dow Jones, in which libel laws were considered in the context of online publishing. The last example was particularly significant because it epitomized the complexities inherent to applying one country's laws (nation-specific by definition) to the internet (international by nature). In 2003, Jonathan Zittrain considered this issue in his paper, "Be Careful What You Ask For: Reconciling a Global Internet and Local Law".

In the UK the case of Keith-Smith v Williams confirmed that existing libel laws applied to internet discussions.

In terms of the tort liability of ISPs and hosts of internet forums, Section 230(c) of the Communications Decency Act may provide immunity in the United States.

Internet censorship

In many countries, speech through cyberspace has proven to be another means of communication which has been regulated by the government. The "Open Net Initiative", whose mission statement is "to investigate and challenge state filtration and surveillance practices" to "...generate a credible picture of these practices," has released numerous reports documenting the filtration of internet-speech in various countries. While China has thus far proven to be the most rigorous in its attempts to filter unwanted parts of the internet from its citizens, many other countries – including Singapore, Iran, Saudi Arabia, and Tunisia – have engaged in similar practices of Internet censorship. In one of the most vivid examples of information control, the Chinese government for a short time transparently forwarded requests to the Google search engine to its own, state-controlled search engines.

These examples of filtration bring to light many underlying questions concerning the freedom of speech. For example, does the government have a legitimate role in limiting access to information? And if so, what forms of regulation are acceptable? For example, some argue that the blocking of "blogspot" and other websites in India failed to reconcile the conflicting interests of speech and expression on the one hand and legitimate government concerns on the other hand.

The creation of privacy in U.S. Internet law

Warren and Brandeis

At the close of the 19th century, concerns about privacy captivated the general public, and led to the 1890 publication of Samuel Warren and Louis Brandeis's article "The Right to Privacy". The vitality of this article can be seen today, when examining the USSC decision of Kyllo v. United States, 533 U.S. 27 (2001), where it is cited by the majority, those in concurrence, and even those in dissent.

The motivation of both authors to write such an article is heavily debated amongst scholars; however, two developments during this time give some insight into the reasons behind it. First, the sensationalistic press and the concurrent rise and use of "yellow journalism" to promote the sale of newspapers in the time following the Civil War brought privacy to the forefront of the public eye. The other reason that brought privacy to the forefront of public concern was the technological development of "instant photography". This article set the stage for all privacy legislation to follow during the 20th and 21st centuries.

Reasonable Expectation of Privacy Test and emerging technology

In 1967, the United States Supreme Court decision in Katz v United States, 389 U.S. 347 (1967) established what is known as the Reasonable Expectation of Privacy Test to determine the applicability of the Fourth Amendment in a given situation. The test was not noted by the majority, but instead it was articulated by the concurring opinion of Justice Harlan. Under this test, 1) a person must exhibit an "actual (subjective) expectation of privacy" and 2) "the expectation [must] be one that society is prepared to recognize as 'reasonable'".

Privacy Act of 1974

Inspired by the Watergate scandal, the United States Congress enacted the Privacy Act of 1974 just four months after the resignation of then President Richard Nixon. In passing this Act, Congress found that "the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies" and that "the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information".

Foreign Intelligence Surveillance Act of 1978

Codified at 50 U.S.C. §§ 1801-1811, this act establishes standards and procedures for use of electronic surveillance to collect "foreign intelligence" within the United States. §1804(a)(7)(B). FISA overrides the Electronic Communications Privacy Act during investigations when foreign intelligence is "a significant purpose" of said investigation. 50 U.S.C. § 1804(a)(7)(B) and §1823(a)(7)(B). Another interesting result of FISA is the creation of the Foreign Intelligence Surveillance Court (FISC). All FISA orders are reviewed by this special court of federal district judges. The FISC meets in secret, with all proceedings usually also withheld from both the public eye and the targets of the desired surveillance.

(1986) Electronic Communication Privacy Act

The ECPA represents an effort by the United States Congress to modernize federal wiretap law. The ECPA amended Title III and included two new acts in response to developing computer technology and communication networks. Thus the ECPA, in the domestic venue, is divided into three parts: 1) Wiretap Act, 2) Stored Communications Act, and 3) The Pen Register Act.
  • Types of Communication
    • Wire Communication: Any communication containing the human voice that travels at some point across a wired medium such as radio, satellite or cable.
    • Oral Communication:
    • Electronic Communication
  1. The Wiretap Act: For Information see Wiretap Act
  2. The Stored Communications Act: For information see Stored Communications Act
  3. The Pen Register Act: For information see Pen Register Act

(1994) Driver's Privacy Protection Act

The DPPA was passed in response to states selling motor vehicle records to private industry. These records contained personal information such as name, address, phone number, SSN, medical information, height, weight, gender, eye color, photograph and date of birth. In 1994, Congress passed the Driver's Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721-2725, to cease this activity.

For more information see: Driver's Privacy Protection Act

(1999) Gramm-Leach-Bliley Act

This act authorizes widespread sharing of personal information by financial institutions such as banks, insurers, and investment companies. The GLBA permits sharing of personal information between companies joined together or affiliated as well as those companies unaffiliated. To protect privacy, the act requires a variety of agencies such as the SEC, FTC, etc. to establish "appropriate standards for the financial institutions subject to their jurisdiction" to "insure security and confidentiality of customer records and information" and "protect against unauthorized access" to this information. 15 U.S.C. § 6801

(2002) Homeland Security Act

Passed by Congress in 2002, the Homeland Security Act, 6 U.S.C. § 222, consolidated 22 federal agencies into what is commonly known today as the Department of Homeland Security (DHS). The HSA also created a Privacy Office under the DoHS. The Secretary of Homeland Security must "appoint a senior official to assume primary responsibility for privacy policy." This privacy official's responsibilities include but are not limited to: ensuring compliance with the Privacy Act of 1974, evaluating "legislative and regulatory proposals involving the collection, use, and disclosure of personal information by the Federal Government", while also preparing an annual report to Congress.
For more information see: Homeland Security Act

(2004) Intelligence Reform and Terrorism Prevention Act

This Act mandates that intelligence be "provided in its most shareable form" and that the heads of intelligence agencies and federal departments "promote a culture of information sharing." The IRTPA also sought to establish protection of privacy and civil liberties by setting up a five-member Privacy and Civil Liberties Oversight Board. This Board offers advice to both the President of the United States and the entire executive branch of the Federal Government concerning its actions to ensure that the branch's information sharing policies are adequately protecting privacy and civil liberties.
For more information see: Intelligence Reform and Terrorism Prevention Act

Legal enactments – examples

United Kingdom

The Computer Misuse Act 1990 enacted by the United Kingdom on 29 June 1990, and which came into force on 29 August 1990, is an example of one of the earliest such legal enactments. This Act was enacted with an express purpose of making "provision for securing computer material against unauthorized access or modification." Certain major provisions of the Computer Misuse Act 1990 relate to:
  • "unauthorized access to computer materials",
  • "unauthorized access with intent to commit or facilitate the commission of further offences", and
  • "unauthorized modification of computer material."
The impact of the Computer Misuse Act 1990 has been limited and, with the Council of Europe's adoption of its Convention on Cyber-Crime, it has been indicated that amending legislation would be introduced in parliamentary session 2004–05 in order to rectify possible gaps in its coverage, which are many.

The CMA 1990 has many weaknesses; the most notable is its inability to cater for, or provide suitable protection against, a host of high tech attacks/crimes which have become more prevalent in the last decade. Certain attacks such as DDOS and botnet attacks cannot be effectively brought to justice under the CMA. This act has been under review for a number of years. Computer crimes such as electronic theft are usually prosecuted in the UK under the legislation that caters for traditional theft (Theft Act 1968) because the CMA is so ineffective.

India

An example of information technology law is India's Information Technology Act, 2000, which was substantially amended in 2008. The IT Act, 2000 came into force on 17 October 2000. This Act applies to the whole of India, and its provisions also apply to any offence or contravention committed even outside the territorial jurisdiction of the Republic of India, by any person irrespective of his nationality. In order to attract provisions of this Act, such an offence or contravention should involve a computer, computer system, or computer network located in India. The IT Act 2000 provides an extraterritorial applicability to its provisions by virtue of section 1(2) read with section 75. This Act has 90 sections.

India's Information Technology Act 2000 has tried to assimilate legal principles available in several such laws (relating to information technology) enacted earlier in several other countries, as also various guidelines pertaining to information technology law. The Act gives legal validity to electronic contracts and recognition to electronic signatures. This is modern legislation which makes acts like hacking, data theft, spreading of viruses, identity theft, defamation (sending offensive messages), pornography, child pornography, and cyber terrorism criminal offences. The Act is supplemented by a number of rules, which include rules for cyber cafes, electronic service delivery, data security, and blocking of websites. It also has rules for observance of due diligence by internet intermediaries (ISPs, network service providers, cyber cafes, etc.). Any person affected by data theft, hacking, or spreading of viruses can apply for compensation from the Adjudicator appointed under Section 46 as well as file a criminal complaint. Appeal from the adjudicator lies to TDSAT.

Notable cases

Section 66
  • In February 2001, in one of the first cases, the Delhi police arrested two men running a web-hosting company. The company had shut down a website over non-payment of dues. The owner of the site had claimed that he had already paid and complained to the police. The Delhi police had charged the men for hacking under Section 66 of the IT Act and breach of trust under Section 408 of the Indian Penal Code. The two men had to spend 6 days in Tihar jail waiting for bail. Bhavin Turakhia, chief executive officer of directi.com, a webhosting firm said that this interpretation of the law would be problematic for web-hosting companies.
Section 66A Removed
  • In September 2010, a freelance cartoonist Aseem Trivedi was arrested under Section 66A of the IT Act, Section 2 of Prevention of Insults to National Honour Act, 1971 and for sedition under the Section 124 of the Indian Penal Code. His cartoons depicting widespread corruption in India were considered offensive.
  • On 12 April 2012, a Chemistry professor from Jadavpur University, Ambikesh Mahapatra, was arrested for sharing a cartoon of West Bengal Chief Minister Mamata Banerjee and then Railway Minister Mukul Roy. The email was sent from the email address of a housing society. Subrata Sengupta, the secretary of the housing society, was also arrested. They were charged under Section 66A and B of the IT Act, for defamation under Sections 500, for obscene gesture to a woman under Section 509, and abetting a crime under Section 114 of the Indian Penal Code.
  • On 30 October 2012, a Puducherry businessman Ravi Srinivasan was arrested under Section 66A. He had sent a tweet accusing Karti Chidambaram, son of then Finance Minister P. Chidambaram, of corruption. Karti Chidambaram had complained to the police.
  • On 19 November 2012, a 21-year-old girl was arrested from Palghar for posting a message on Facebook criticising the shutdown in Mumbai for the funeral of Bal Thackeray. Another 20-year-old girl was arrested for "liking" the post. They were initially charged under Section 295A of the Indian Penal Code (hurting religious sentiments) and Section 66A of the IT Act. Later, Section 295A was replaced by Section 505(2) (promoting enmity between classes). A group of Shiv Sena workers vandalised a hospital run by the uncle of one of the girls. On 31 January 2013, a local court dropped all charges against the girls.
  • On 18 March 2015, a teenaged boy was arrested from Bareilly, Uttar Pradesh, for making a post on Facebook insulting politician Azam Khan. The post allegedly contained hate speech against a community and was falsely attributed to Azam Khan by the boy. He was charged under Section 66A of the IT Act, and Sections 153A (promoting enmity between different religions), 504 (intentional insult with intent to provoke breach of peace) and 505 (public mischief) of Indian Penal Code. After the Section 66A was repealed on 24 March, the state government said that they would continue the prosecution under the remaining charges.
Digital evidence collection and cyber forensics remain at a very nascent stage in India with few experts and less than adequate infrastructure. In recent cases, Indian Judiciary has recognized that tampering with digital evidence is very easy.

Other

Many Asian and Middle Eastern nations use any number of combinations of code-based regulation (one of Lessig's four methods of net regulation) to block material that their governments have deemed inappropriate for their citizens to view. PRC, Saudi Arabia and Iran are three examples of nations that have achieved high degrees of success in regulating their citizens' access to the Internet.

Electronic signature laws

Information technology law

  1. Florida Electronic Security Act
  2. Illinois Electronic Commerce Security Act
  3. Texas Penal Code – Computer Crimes Statute
  4. Maine Criminal Code – Computer Crimes
  5. Singapore Electronic Transactions Act
  6. Malaysia Computer Crimes Act
  7. Malaysia Digital Signature Act
  8. UNCITRAL Model Law on Electronic Commerce
  9. Information Technology Act 2000 of India
  10. Thailand Computer Crimes Act B.E.2550

Information Technology Guidelines

  1. ABA Digital Signature Guidelines
  2. United States Office of Management and Budget

Enforcement agencies

The Information Technology Laws of various countries, and / or their criminal laws generally stipulate enforcement agencies, entrusted with the task of enforcing the legal provisions and requirements.

United States Federal Agencies

Many United States federal agencies oversee the use of information technology. Their regulations are promulgated in the Code of Federal Regulations of the United States.

Over 25 U.S. federal agencies have regulations concerning the use of digital and electronic signatures.

India

A live example of such an enforcement agency is Cyber Crime Police Station, Bangalore, India's first exclusive Cyber Crime enforcement agency.

Quotations

  • "In Cyberspace, the First Amendment is a local ordinance."
    John Perry Barlow, quoted by Mitchell Kapor in the foreword to The Big Dummy's Guide to the Internet
  • "National borders aren't even speed bumps on the information superhighway."
    — Tim May, signature, from 1996

Information privacy

From Wikipedia, the free encyclopedia
 
Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Data privacy is challenging since it attempts to use data while protecting an individual's privacy preferences and personally identifiable information. The fields of computer security, data security, and information security all design and use software, hardware, and human resources to address this issue.

Information types

Various types of personal information often come under privacy concerns.

Cable television

This describes the ability to control what information one reveals about oneself over cable television, and who can access that information. For example, third parties can track IP TV programs someone has watched at any given time. "The addition of any information in a broadcasting stream is not required for an audience rating survey, additional devices are not requested to be installed in the houses of viewers or listeners, and without the necessity of their cooperations, audience ratings can be automatically performed in real-time."

Educational

In the United Kingdom in 2012, the Education Secretary Michael Gove described the National Pupil Database as a "rich dataset" whose value could be "maximised" by making it more openly accessible, including to private companies. Kelly Fiveash of The Register said that this could mean "a child's school life including exam results, attendance, teacher assessments and even characteristics" could be available, with third-party organizations being responsible for anonymizing any publications themselves, rather than the data being anonymized by the government before being handed over. An example of a data request that Gove indicated had been rejected in the past, but might be possible under an improved version of privacy regulations, was for "analysis on sexual exploitation".

Financial

Information about a person's financial transactions, including the amount of assets, positions held in stocks or funds, outstanding debts, and purchases can be sensitive. If criminals gain access to information such as a person's accounts or credit card numbers, that person could become the victim of fraud or identity theft. Information about a person's purchases can reveal a great deal about that person's history, such as places he/she has visited, whom he/she has contacted, products he/she has used, his/her activities and habits, or medications he/she has used. In some cases, corporations may use this information to target individuals with marketing customized towards those individuals' personal preferences, which that person may or may not approve of.

Internet

The ability to control the information one reveals about oneself over the internet, and who can access that information, has become a growing concern. These concerns include whether email can be stored or read by third parties without consent, or whether third parties can continue to track the websites that someone visited. Another concern is if websites one visited can collect, store, and possibly share personally identifiable information about users.

The advent of various search engines and the use of data mining created a capability for data about individuals to be collected and combined from a wide variety of sources very easily. The FTC has provided a set of guidelines that represent widely accepted concepts concerning fair information practices in an electronic marketplace called the Fair Information Practice Principles.

To avoid giving away too much personal information, emails should be encrypted. Browsing of web pages as well as other online activities should be done without leaving traces via "anonymizers" or, in case those are not trusted, via open-source distributed anonymizers, so-called mix nets, such as I2P or Tor – The Onion Router. VPNs (Virtual Private Networks) are another "anonymizer" that can be used to give someone more protection while online. This includes obfuscating and encrypting web traffic so that other groups cannot see or mine it.

Email isn't the only internet content with privacy concerns. In an age where increasing amounts of information are online, social networking sites pose additional privacy challenges. People may be tagged in photos or have valuable information exposed about themselves either by choice or unexpectedly by others. Data about location can also be accidentally published, for example, when someone posts a picture with a store as a background. Caution should be exercised when posting information online, since social networks vary in what they allow users to make private and what remains publicly accessible. Without strong security settings in place and careful attention to what remains public, a person can be profiled by searching for and collecting disparate pieces of information, in the worst case leading to cyberstalking or reputation damage.

Locational

As location tracking capabilities of mobile devices are advancing (location-based services), problems related to user privacy arise. Location data is among the most sensitive data currently being collected. A list of potentially sensitive professional and personal information that could be inferred about an individual knowing only his mobility trace was published recently by the Electronic Frontier Foundation. These include the movements of a competitor sales force, attendance of a particular church or an individual's presence in a motel, or at an abortion clinic. A recent MIT study by de Montjoye et al. showed that four spatio-temporal points, approximate places and times, are enough to uniquely identify 95% of 1.5 million people in a mobility database. The study further shows that these constraints hold even when the resolution of the dataset is low. Therefore, even coarse or blurred datasets provide little anonymity.
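The measurement behind that claim can be reproduced in miniature by a data custodian before releasing a mobility dataset. The following is an added example, not code from the cited study: it estimates unicity (the share of users singled out by p known points) on constructed random traces, and the function names, the integer cell ids and the coarsening by integer division are all assumptions made for illustration.

```python
"""Unicity of mobility traces on a constructed dataset (added example)."""
import random
from collections import defaultdict


def build_traces(n_users=300, n_cells=40, n_hours=48, points_per_user=12, seed=7):
    """Constructed sample data: user id -> set of (cell_id, hour) observations."""
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        pts = set()
        while len(pts) < points_per_user:
            pts.add((rng.randrange(n_cells), rng.randrange(n_hours)))
        traces[uid] = frozenset(pts)
    return traces


def coarsen(traces, cell_factor, hour_factor):
    """Lower the resolution: merge neighbouring cell ids and hours into buckets.

    Assumption: consecutive cell ids are neighbouring areas, so integer
    division stands in for spatial aggregation.
    """
    return {
        user: frozenset((c // cell_factor, h // hour_factor) for c, h in pts)
        for user, pts in traces.items()
    }


def unicity(traces, p, seed=1):
    """Fraction of users for whom p points of their own trace match nobody else.

    For every user, the known points are the first p entries of a fixed
    per-user shuffle, so the points known at p are a subset of those known
    at p + 1 and the result cannot decrease as p grows.
    """
    if p < 1:
        raise ValueError("p must be at least 1")
    if not traces:
        return 0.0

    # Inverted index: observation -> users whose trace contains it.
    index = defaultdict(set)
    for user, pts in traces.items():
        for pt in pts:
            index[pt].add(user)

    rng = random.Random(seed)
    unique = 0
    for user in sorted(traces):
        order = sorted(traces[user])
        rng.shuffle(order)
        known = order[:p]          # what an outside observer is assumed to know
        if not known:
            continue
        candidates = set.intersection(*(index[pt] for pt in known))
        if candidates == {user}:   # only the user's own trace fits
            unique += 1
    return unique / len(traces)


if __name__ == "__main__":
    raw = build_traces()
    coarse = coarsen(raw, cell_factor=4, hour_factor=4)
    print("p  raw    coarse(4x4)")
    for p in (1, 2, 3, 4):
        print(f"{p}  {unicity(raw, p):.2f}   {unicity(coarse, p):.2f}")
```

Running the script prints unicity for the raw and the coarsened traces side by side, which shows how much anonymity a given level of blurring buys on this particular dataset.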

Medical

People may not wish for their medical records to be revealed to others. This may be because they have concern that it might affect their insurance coverage or employment. Or, it may be because they would not wish for others to know about any medical or psychological conditions or treatments that would bring embarrassment upon themselves. Revealing medical data could also reveal other details about one's personal life. There are three major categories of medical privacy: informational (the degree of control over personal information), physical (the degree of physical inaccessibility to others), and psychological (the extent to which the doctor respects patients’ cultural beliefs, inner thoughts, values, feelings, and religious practices and allows them to make personal decisions). Physicians and psychiatrists in many cultures and countries have standards for doctor–patient relationships, which include maintaining confidentiality. In some cases, the physician–patient privilege is legally protected. These practices are in place to protect the dignity of patients, and to ensure that patients feel free to reveal complete and accurate information required for them to receive the correct treatment. To view the United States' laws on governing privacy of private health information, see HIPAA and the HITECH Act. The Australian law is the Privacy Act 1988 Australia as well as state-based health records legislation.

Political

Political privacy has been a concern since voting systems emerged in ancient times. The secret ballot is the simplest and most widespread measure to ensure that political views are not known to anyone other than the voters themselves—it is nearly universal in modern democracy, and considered to be a basic right of citizenship. In fact, even where other rights of privacy do not exist, this type of privacy very often does. Unfortunately, there are several forms of voting fraud or privacy violations possible with the use of digital voting machines.

Legality

The legal protection of the right to privacy in general – and of data privacy in particular – varies greatly around the world.

Laws and regulations related to Privacy and Data Protection are constantly changing, so it is seen as important to keep abreast of any changes in the law and to continually reassess compliance with data privacy and security regulations. Within academia, Institutional Review Boards function to assure that adequate measures are taken to ensure both the privacy and confidentiality of human subjects in research.

Privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored, used, and finally destroyed or deleted – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Informed consent mechanisms including dynamic consent are important in communicating to data subjects the different uses of their personally identifiable information. Data privacy issues may arise in response to information from a wide range of sources, such as:

Protection of privacy in information systems

As heterogeneous information systems with differing privacy rules are interconnected and information is shared, policy appliances will be required to reconcile, enforce, and monitor an increasing amount of privacy policy rules (and laws). There are two categories of technology to address privacy protection in commercial IT systems: communication and enforcement.
Policy communication
  • P3P – The Platform for Privacy Preferences. P3P is a standard for communicating privacy practices and comparing them to the preferences of individuals.
Policy enforcement
  • XACML – The Extensible Access Control Markup Language together with its Privacy Profile is a standard for expressing privacy policies in a machine-readable language which a software system can use to enforce the policy in enterprise IT systems.
  • EPAL – The Enterprise Privacy Authorization Language is very similar to XACML, but is not yet a standard.
  • WS-Privacy - "Web Service Privacy" will be a specification for communicating privacy policy in web services. For example, it may specify how privacy policy information can be embedded in the SOAP envelope of a web service message.
Protecting privacy on the internet
On the internet many users give away a lot of information about themselves: unencrypted e-mails can be read by the administrators of an e-mail server, if the connection is not encrypted (no HTTPS), and also the internet service provider and other parties sniffing the network traffic of that connection are able to know the contents. The same applies to any kind of traffic generated on the Internet, including web browsing, instant messaging, and others. In order not to give away too much personal information, e-mails can be encrypted and browsing of webpages as well as other online activities can be done traceless via anonymizers, or by open source distributed anonymizers, so-called mix networks. Well known open-source mix nets include I2P – The Anonymous Network and Tor.
Improving privacy through individualization
Computer privacy can be improved through individualization. Currently security messages are designed for the "average user", i.e. the same message for everyone. Researchers have posited that individualized messages and security "nudges", crafted based on users' individual differences and personality traits, can be used for further improvements for each person's compliance with computer security and privacy.

United States Safe Harbor program and passenger name record issues

The United States Department of Commerce created the International Safe Harbor Privacy Principles certification program in response to the 1995 Directive on Data Protection (Directive 95/46/EC) of the European Commission. Directive 95/46/EC declares in Chapter IV Article 25 that personal data may only be transferred from the countries in the European Economic Area to countries which provide adequate privacy protection. Historically, establishing adequacy required the creation of national laws broadly equivalent to those implemented by Directive 95/46/EC. Although there are exceptions to this blanket prohibition – for example where the disclosure to a country outside the EEA is made with the consent of the relevant individual (Article 26(1)(a)) – they are limited in practical scope. As a result, Article 25 created a legal risk to organisations which transfer personal data from Europe to the United States.

The program regulates the exchange of passenger name record information between the EU and the US. According to the EU directive, personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.

The European Commission has set up the "Working party on the Protection of Individuals with regard to the Processing of Personal Data," commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.

The Working Party negotiated with U.S. representatives about the protection of personal data; the Safe Harbor Principles were the result. Notwithstanding that approval, the self-assessment approach of the Safe Harbor remains controversial with a number of European privacy regulators and commentators.

The Safe Harbor program addresses this issue in the following way: rather than a blanket law imposed on all organisations in the United States, a voluntary program is enforced by the Federal Trade Commission. U.S. organisations which register with this program, having self-assessed their compliance with a number of standards, are "deemed adequate" for the purposes of Article 25. Personal information can be sent to such organisations from the EEA without the sender being in breach of Article 25 or its EU national equivalents. The Safe Harbor was approved as providing adequate protection for personal data, for the purposes of Article 25(6), by the European Commission on 26 July 2000.

Under the Safe Harbor, adoptee organisations need to carefully consider their compliance with the onward transfer obligations, where personal data originating in the EU is transferred to the US Safe Harbor, and then onward to a third country. The alternative compliance approach of "binding corporate rules", recommended by many EU privacy regulators, resolves this issue. In addition, any dispute arising in relation to the transfer of HR data to the US Safe Harbor must be heard by a panel of EU privacy regulators.

In July 2007, a new, controversial Passenger Name Record agreement between the US and the EU was made. A short time afterwards, the Bush administration exempted the Department of Homeland Security, the Arrival and Departure Information System (ADIS) and the Automated Target System from the 1974 Privacy Act.

In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the US bilateral policy concerning PNR. The US had signed in February 2008 a memorandum of understanding (MOU) with the Czech Republic in exchange for a visa waiver scheme, without first consulting Brussels. The tensions between Washington and Brussels are mainly caused by a lesser level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Other countries approached for bilateral MOUs included the United Kingdom, Estonia, Germany and Greece.

Online machine learning

From Wikipedia, the free encyclopedia https://en.wikipedia.org/wiki/Online_machine_learning In computer sci...