Slashdot Mirror

An anonymous reader writes "The Electronic Privacy Information Center (EPIC) today filed a complaint with the Federal Trade Commission, asking the agency to investigate the recent changes made by Facebook to the privacy settings of Facebook users. The complaint discusses the sharing of user information with third-party developers and the new, widely-opposed 'Everyone' setting, which allows certain user information, such as name, profile picture, and friends lists, to be publicly available. EPIC also urges the FTC to compel Facebook to restore privacy safeguards. The complaint was signed by nine privacy and consumer organizations."

snydeq writes "The Electronic Privacy Information Center filed a 15-page complaint asking the FTC to force Google to stop offering online services that collect data until the presence of adequate privacy safeguards is verified. The EPIC also wants Google to disclose all data loss or breach incidents, citing several incidents where data held by Google was at risk, the most recent of which occurred earlier this month with its Google Docs. The EPIC complaint [PDF] also listed other security flaws in Gmail and Google Desktop, a desktop indexing program, and urged Google to donate $5 million to a public fund that will support research into technologies such as encryption, data anonymization and mobile location privacy." EPIC has raised privacy concerns about Google before, and about Windows XP as well.

bfwebster writes "According to a local news article from last week, Kentucky state lawmaker Tim Couch wants to ban anonymous posting on the internet in order to 'cut down on online bullying', which he says has been 'a particular problem in eastern Kentucky.' His bill would require posters to register with their real names and e-mail addresses under threat of fines. Looks like another battle in the right for anonymous free speech."

Magnifico writes "USAToday is reporting on the National Security Agency's goal to create a database of every call ever made inside the USA. Aided by the cooperation of US telecom corporations, AT&T, Verizon and BellSouth, the NSA has been secretly collecting phone call records of tens of millions of Americans; the vast majority of whom aren't suspected of any crime. Only Qwest refused to give the NSA information because they were uneasy about giving information to the government without the proper warrants. The usefulness of the NSA's domestic phone call database as a counterterrorism tool is unclear."

Jamie adds: Traditionally, the devices which record dialed phone numbers are called pen registers, and trap-and-trace devices. The ECPA provided some legal privacy protection. It was controversial when Section 214 of the Patriot Act amended 50 USC 1842 to allow the FBI to record this information with minimal oversight. The Department of Justice has been required for some time to report to Congress the number of pen registers and trap-and-traces, though in recent years [PDF, see question 10] it declared that information classified.

If anyone has information about how the NSA, as opposed to the FBI, has been involved in domestic phone number collection, please post links in the discussion.

In related news, the National Security Agency has closed down an inquiry into the so-called "Terrorist Surveillance Program," a separate program from this one, by refusing to grant security clearance to the lawyers in the Department of Justice. The NSA and the DoJ are both established under the executive.

LogError writes "Two weeks ago, Department of Treasury received a D-minus grade in the Federal Computer Security Report Card for 2005, down from a D-plus grade in 2004. The majority of Treasury systems are those belonging to IRS. The government-wide computer-security grade for 2005 was D-plus, while Homeland Security and Defense both received an F. Grades are based on reports submitted to Congress by the agencies; the reports are required under the Federal Information Security Management Act of 2002.8 The scores are meant to reflect whether departments meet federally mandated security standards."

An anonymous reader writes "...All 123 pages of it. Public comment period runs thorough February 27th, so if you're thinking of joining the latest class of jet-setters, better get your opinions in now. The FAA mentions the possibility of incorporating the "no-fly" list of the TSA into security requirements for space travel."

Noksagt writes "The Washington Post is reporting that recently discovered documents indicate serious intelligence violations by the FBI. This comes just months after the U.S. House voted to extend the Patriot Act, EPIC (the Electronic Privacy Information Center) has obtained documents through the Freedom of Information Act of thirteen cases of possible misconduct in intelligence investigations. The case numbering suggests that there were at least 153 investigations of misconduct at the FBI in 2003 alone."

Noksagt writes "The Washington Post is reporting that recently discovered documents indicate serious intelligence violations by the FBI. This comes just months after the U.S. House voted to extend the Patriot Act, EPIC (the Electronic Privacy Information Center) has obtained documents through the Freedom of Information Act of thirteen cases of possible misconduct in intelligence investigations. The case numbering suggests that there were at least 153 investigations of misconduct at the FBI in 2003 alone."

smooth wombat writes "Do Not Call. Those words are music to millions of Americans who have signed up for the list so they're not bothered by telemarketers. Not content to let things as they are telemarketers are now lobbying the FCC to have state laws which regulate the practice overturned. In April an ad-hoc group of firms ranging from the Direct Marketing Association to the National Children's Cancer Society filed a joint petition asking the FCC to declare that it has 'exclusive jurisdiction over interstate telemarketing calls.' The issue revolves around some states whose Do Not Call laws are more strict than Federal law and which prohibit telemarketers from calling anyone on a Do Not Call, regardless of an existing business relationship." Update: 07/21 18:42 GMT by Z : Official EPIC page, with contact info and background.

Chris Hoofnagle writes "EPIC has released ten privacy resolutions for the New Year. In addition to losing weight next year, lose all those data brokers who are after your bits."

Chris Hoofnagle writes "EPIC has released ten privacy resolutions for the New Year. In addition to losing weight next year, lose all those data brokers who are after your bits."

NW writes "According to FOIA documents obtained by EPIC new Postal Service self-service postage machines take portrait-style photographs of customers and retain them for 30 days." IBM is the contractor behind the kiosks. Note that the kiosk is supposed to not complete the transaction if it determines the photograph has been compromised, so simply covering the camera is unlikely to work. As the cost of cameras and digital storage approaches zero, is it inevitable that every machine you interact with will take your photograph and store it?

andyring writes "In a move that will undoubtedly make many /. readers jump for joy (although perhaps not myself), Attorney General John Ashcroft announced he will resign, according to multiple news sources. While many here dislike him, others have more favorable opinions of him. He became the point man on the USA Patriot Act, which typically ignites harsh opinions on both sides of the aisle." Reader cnsc1rtr , referring to the AP's version of the story, writes "He gave Bush a five-page, handwritten letter in which he stated, 'The objective of securing the safety of Americans from crime and terror has been achieved.'"

octaene writes "The Electronic Privacy Information Center (EPIC) has applied for an emergency court order (pdf) requiring the FBI to release information about the Terrorist Screening Database and its role in Secure Flight, the government's proposed passenger prescreening system. Secure Flight will compare passenger records against information in the database, which will include expanded 'Selectee' and 'No-Fly' lists. EPIC argued that information about the database must be made available prior to the October 25 deadline for public comments on the Transportation Security Administration's plans for testing Secure Flight."

octaene writes "The Electronic Privacy Information Center (EPIC) has applied for an emergency court order (pdf) requiring the FBI to release information about the Terrorist Screening Database and its role in Secure Flight, the government's proposed passenger prescreening system. Secure Flight will compare passenger records against information in the database, which will include expanded 'Selectee' and 'No-Fly' lists. EPIC argued that information about the database must be made available prior to the October 25 deadline for public comments on the Transportation Security Administration's plans for testing Secure Flight."

SECURITY GURU writes "Security Focus has posted a story about The Federal Communications Commission (FCC) launching a public comment period on its plan to compel Internet broadband and VoIP providers to open their networks up to easy surveillance by law enforcement agencies. The 1994 Communications Assistance for Law Enforcement Act (CALEA), a federal law that mandates surveillance backdoors in U.S. telephone networks, is what would allow the FBI to start listening in on Internet communications. The EFF, ACLU, and the Electronic Privacy Information Center all opposed the plan, and an ACLU letter-drive generated hundreds of mailings from citizens against what the group called 'the New Ashcroft Internet Snooping Request.' If you have a comment on why you don't want the governemnt reading your email please post it here. All comments are due by November 8th."

linuxwrangler writes "Officials at the National Transportation Safety Board are recommending the government require data recorders in all passenger vehicles. David Sobel of EPIC says his group has privacy concerns - especially when drivers are unaware of the presence of the devices. Auto black-boxes have been covered here before."

An anonymous reader writes "The Telephone Consumer Protection Act prohibits junk faxes without first obtaining consent of the recipient but EPIC is reporting a bill is being proposed by congressman Fred Upton (R-Mich.) to allow junk faxes that are now prohibited and to undo new rules that go into effect January 2005 that would have further tightened the junk fax ban. In keeping with congressional truth in naming rules, this bill that will allow more junk faxes is understandably titled 'The Junk Fax Elimination Act of 2004.' There will be a hearing Tuesday in the Telecommunications and Internet subcommittee. I'll be faxing my concerns and opposition to this bill to Mr. Upton and the Committee several times today."

An anonymous reader writes "The Telephone Consumer Protection Act prohibits junk faxes without first obtaining consent of the recipient but EPIC is reporting a bill is being proposed by congressman Fred Upton (R-Mich.) to allow junk faxes that are now prohibited and to undo new rules that go into effect January 2005 that would have further tightened the junk fax ban. In keeping with congressional truth in naming rules, this bill that will allow more junk faxes is understandably titled 'The Junk Fax Elimination Act of 2004.' There will be a hearing Tuesday in the Telecommunications and Internet subcommittee. I'll be faxing my concerns and opposition to this bill to Mr. Upton and the Committee several times today."

Pemdas writes "On March 22nd, the U.S. Supreme Court is slated to hear a case involving an arrest for lack of producing ID on the demand of a police officer. Dudley Hiibel was parked off the road, and was asked 11 times to show ID to the police officer, who gave the justification of 'investigating an investigation.' Finally, he was arrested, and eventually convicted of delaying a police officer,' and fined $250. The incident occurred in Humboldt County, Nevada; Mr. Hiibel's side of the story includes a good section on Terry stops, and has a video of the incident for download. The parallels to the previously covered Gilmore v. Ashcroft case are striking, and the ruling will be an interesting precedent on the issue of requiring ID's. The ACLU, EPIC, and EFF, among others, have filed Amicus briefs in the case."

scubacuda writes "Could casinos be the next Gillette or Wal-Mart? New Scientist and others report that casinos could soon start using RFID tags to spot counterfeits and thefts, and also to monitor the behaviour of gamblers. Embedded RFID tags should make the chips much harder to counterfeit, and placing tag readers at staff exits could cut down on theft by employees. (With companies like Infosys helping clients identify and plan pilot RFID projects, we'll no doubt be seeing more and more companies dabbling in this area. Those interested in reading objections to RFID use should check out the position paper issued by CASPIAN, EPIC, Privacy Rights Clearinghouse, Junkbusters, ACLU, Meyda Online, EFF, and PrivacyActivism.)"

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."

Privacy Digest writes "Out-Law.com, UK - Global privacy report is the most comprehensive ever . The Electronic Privacy Information Center and Privacy International on Friday released their sixth annual Privacy and Human Rights survey which claims to be the most comprehensive survey on privacy and data protection ever published. The report reviews the state of privacy in over fifty-five countries around the world. Key topics include Total Information Awareness, the public response to the U.S.A.-Patriot Act, traveller profiling, biometric identification, and other new technologies of surveillance. Privacy and Human Rights 2003: An International Survey of Privacy Laws and Developments is available free online or it can be purchased from the EPIC Bookstore."

Privacy Digest writes "Out-Law.com, UK - Global privacy report is the most comprehensive ever . The Electronic Privacy Information Center and Privacy International on Friday released their sixth annual Privacy and Human Rights survey which claims to be the most comprehensive survey on privacy and data protection ever published. The report reviews the state of privacy in over fifty-five countries around the world. Key topics include Total Information Awareness, the public response to the U.S.A.-Patriot Act, traveller profiling, biometric identification, and other new technologies of surveillance. Privacy and Human Rights 2003: An International Survey of Privacy Laws and Developments is available free online or it can be purchased from the EPIC Bookstore."

Chris Hoofnagle writes "The Dept. of Housing and Urban Development is proposing a massive system of tracking for homeless people and others who are served by shelters and care centers. The system will track people by their SSN, and will collect health (HIV, pregnancy) and mental information. Secret Service and national security agents can gain access to the database by just asking for it! EPIC has released a fact sheet on HMIS, and the public can comment on the guidelines until September 22, 2003, but no electronic comments are being accepted."

Chris Hoofnagle writes "CNN reports that companies who heavily use telemarketing are planning to counterattack consumers with a barrage of spam and junk mail in October, when the new do-not-call registry goes into effect. Slashdotters should be aware that, as well as anti-spam email software, there are tools to avoid junk snail-mail, such as Junkbusters' free Declare, Private Citizen's excellent service and the Postal Service's Prohibitory Order service, which is described at the EPIC privacy page."

NumberField writes "According to an article by Steven Levy posted on MSNBC, Jay Walker of PriceLine fame is talking about a system he calls US HomeGuard. His plan is to hire large numbers of unsophisticated users to monitor Internet-connected security cameras looking for suspicious activity. Although many security details (i.e., DOS attacks, cryptography, privacy) need to be handled carefully, it's a weird enough idea that it might actually work..."

submicron writes "The Electronic Privacy Information Center or EPIC announced today a Privacy Threat Index patterned after the Office of Homeland Security's Homeland Security Threat Index. This Privacy Threat Index is intended to track the growing threat to personal privacy and present it in an easy-to-understand index. EPIC assesses the current threat level as Yellow based on events over the past year. These factors include expanded use of the Foreign Intelligence Surveilance Act, the decision of the FBI to relax the legally mandated accuracy requirement for the National Crime Information Center (NIPC) and increased funding for surveillance systems including immigration control and video surveillance."

submicron writes "The Electronic Privacy Information Center or EPIC announced today a Privacy Threat Index patterned after the Office of Homeland Security's Homeland Security Threat Index. This Privacy Threat Index is intended to track the growing threat to personal privacy and present it in an easy-to-understand index. EPIC assesses the current threat level as Yellow based on events over the past year. These factors include expanded use of the Foreign Intelligence Surveilance Act, the decision of the FBI to relax the legally mandated accuracy requirement for the National Crime Information Center (NIPC) and increased funding for surveillance systems including immigration control and video surveillance."

de la mettrie writes "The EU Commission has agreed in principle to make airlines provide U.S. Homeland Security with detailed passenger data for flights to the USA. Things Uncle Sam would like to know about passengers include their itinerary, their credit card number and whether or not they asked for a meal without pork. The data are supposed to help prevent terror attacks and are to be 'handled appropriately'." The U.S. is collecting the data for a massive passenger database, intended to increase passenger profiling.

TCPALaw writes "A huge decision in privacy law was handed down today by the NH Supreme Court in the Amy Boyer case. Amy was stalked and killed by a man who got her personal information, including SSN, from an on-line information broker. Privacy groups such as EPIC have argued that access to sensitive personal information should carry with it liability for misuse, and can constitute a tort. The NH Supreme Court agreed. Now perhaps you can sue the spyware companies."

scubacuda writes "The NY Times reports (free registration) that immigrations officials are putting in place a sophisticated new identification system that uses ID cards encrypted with digital photos, signatures, biographical information and fingerprints that have been issued by the State Department and the Immigration and Naturalization Service by the millions over the last five years. "With more information systems, there are more opportunities for abuse," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which is pushing the government to release more information on its biometric plans."

scubacuda writes "The NY Times reports (free registration) that immigrations officials are putting in place a sophisticated new identification system that uses ID cards encrypted with digital photos, signatures, biographical information and fingerprints that have been issued by the State Department and the Immigration and Naturalization Service by the millions over the last five years. "With more information systems, there are more opportunities for abuse," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which is pushing the government to release more information on its biometric plans."

Buck Mulligan writes "The Center for Public Integrity reports that it has obtained a copy of PATRIOT II -- a huge law enforcement power grab that is intended to build on the USA PATRIOT Act. It's called the 'Domestic Security Enhancement Act.' CPI says it would increase domestic intelligence gathering and surveillance while reducing judicial review and public access to information. For more on the first PATRIOT Act, see the EPIC page."

Some excellent questions got asked. And these answers, from Larry Rosen, an attorney who works heavily on open source licensing matters, ought to give you a bit of insight into what the Microsoft "final judgement" means in the context of open source development and the software marketplace in general.

How do consumers benefit?
No, really! by Enry

Both Bill Gates and John Ashcroft talked about how the decision benefits consumers. But there's nothing really in the decision that changes the way MSFT does business. I can't call IBM and get a discount on a system without Windows installed, if I load XP onto a machine, MSFT can take it over and install software without my permission, and the APIs can be buried in MSDN, forcing OSS software developers to not only subscribe to MSDN, but also follow whatever licensing MSDN forces on users.

For the most part, this is MSFT business as usual.

Where, in this decision, do the consumers benefit? If you could put yourself in CKK's shoes, what would you say?

Larry:

I would have expected Bill Gates and John Ashcroft to say how happy they are with the decision. That fact alone doesn't help me interpret its effects.

I'm also pretty confident that there will soon be important Microsoft business practice changes to solve the problems you suggested, at least partly as a result of this decision but more importantly as a result of inevitable market forces.

The court decision discourages Microsoft from using its market power to coerce OEMs and distributors into exclusive marketing arrangements. That may encourage companies to offer computers without an operating system installed, or with Linux installed. Let's make sure that distributors friendly to open source offer these options, and let's help prove, by offering competitive open source software solutions to customers, that there's a healthy market for such systems. We know from this court decision that distributors need no longer fear retaliatory licensing practices from Microsoft. Now all we need to do is compete on quality and value.

Microsoft's XP software installation and upgrade model seems to be a dud in the marketplace too. The more Microsoft does nasty things like that to its customers, the more those customers turn to Linux and open source. So I don't see that as being a problem that the antitrust judge had to deal with.

As for your point about APIs, that to me is the most interesting part of the court's decision. The judge found it necessary to define an area in which Microsoft must disclose its APIs. While not as broad a definition as most of us would have liked, it does require Microsoft to disclose a lot more than it ever has before. We must be vigilant to prevent Microsoft's movement of APIs from one operating system level to another simply to hide them from us.

You ask, "Where, in this decision, do consumers benefit?" That's hard to see at the moment. Antitrust law does not deal with a static game in which one party says "check mate" at the last move. It merely attempts to prevent certain behaviors that distort the game as it is played. In answering this and other Slashdot questions, I want to look for ways that the court helped to prevent game distortions. I don't want to grouse about the fact that we didn't get everything we wanted, but instead to identify new opportunities in this court decision for the open source community to play this game against Microsoft successfully as an equal.

On Palladium
by forged

With Microsoft pretty much doing what they want [bbc.co.uk] these days, do you have fear that their Palladium project could be a real threat to Linux and other free-software projects, if MS try to force it upon their installed base? What will be the best way to fight Palladium?

Larry:

Great question, but fortunately it wasn't in my charter to answer it.

I can tell you that the court's decision in the remedy phase of the Microsoft antitrust trial said absolutely nothing about Palladium. I doubt it was anywhere in the judge's mind at the time. And I don't see a clear connection between the two issues.

Your real question, I guess, is hidden in your leading comment, that Microsoft is "pretty much doing what they want these days." After this antitrust decision, they're going to be watched intensely for evidence of anticompetitive behavior. I don't think they're going to be doing only what they want, at least for a few years.

There are plenty of interesting comments on Palladium. I just did a quick Google search and found this page at EPIC. Why don't you ask one of the people at EPIC whether they see the antitrust decision as making a difference to the "trusted computing" technology?

Copyright != Antitrust
by HaeMaker

I have heard in various other cases that if a copyright holder uses his copyright to commit antitrust, they lose the ability to defend their copyright.

Clearly, Microsoft has been found guilty of using its copyright on Windows 95 to kill Netscape.

Is is possible for a pirate to successfully defend himself by claiming Microsoft has lost its copyright? (I assume this applies to only that software specifically mentioned in the case. Not all software produced by Microsoft)

Larry:

Copyright law and antitrust law both deal with monopolies. In copyright law, the monopoly is sanctioned -- encouraged -- as a reward for creativity. In antitrust law, the monopoly is restrained to prevent unfair advantage in anticompetitive ways. So as the questioner rightly points out, there may be ways in which these two laws will have contradictory effect.

It is important to remember that the antitrust law doesn't directly prevent a company from gaining a monopoly by legal means. It is the *use* of that monopoly power to gain unfair advantage over competitors that is prevented. A company can't, for example, use its monopoly in one business area to gain a monopoly in another business area. It can't use a monopoly in water softening systems to force its customers to buy the company's own salt. It can't use its monopoly to prevent competitors from selling their products through independent distributors. It can't sell products at a loss to force competitors out of business.

A copyright owner has a legal monopoly. Antitrust law doesn't trump it. The only thing the antitrust law can do is address a situation in which that legal monopoly is used in an anticompetitive manner by a monopolist.

Ordinarily a company would have the right to publish, or not to publish, its copyrightable subject matter, or to license it under any terms it wanted including confidentiality provisions or withholding the right to create derivative works. Almost every proprietary software vendor uses licenses with such provisions. But Microsoft used that power to lock competitors out from the lucrative "middleware" business. (What the court meant by "middleware" is a potential later topic.) Other companies could not create certain types of applications because Microsoft kept secret some of its copyrightable code in Windows. Even though Windows and those other applications were potentially different business areas, Microsoft tied them together (e.g., used its copyrightable and trade secret materials) in ways that enhanced its monopoly. That was a violation of the antitrust law.

So the court fashioned several remedies to prevent that unfair business tactic by Microsoft.

The court requires Microsoft "to disclose certain APIs, along with related technical information, which 'Microsoft Middleware' utilizes to interoperate with the Windows platform." It also mandates the "disclosure and licensing of protocols used by clients running on Microsoft's Windows operating system to interoperate with Microsoft servers." Executive Summary, pp. 14-15.

At the same time, the court refused to require the disclosures of Microsoft's intellectual property that describes Windows' internal interfaces:

"Over-broad disclosure, such as that proposed by Plaintiffs, must also be avoided because it will likely enable wholesale copying or cloning of Windows without violating Microsoft's intellectual property rights. The cloning of Microsoft's technology carries the potential to hinder some aspects of competition and discourage innovation. As antitrust law does not exist for the protection of competitors, but for the protection of competition, the Court does not regard this end as a legitimate one."

So that's why the court balanced copyright with antitrust.

The court also ordered Microsoft to license its intellectual property for APIs on "reasonable" and "non-discriminatory" terms. Having just lived through a W3C effort to define those words for patent licenses, I expect this part of the court's decree will provide full-time employment to more than a few lawyers. :-)

Valid Business Model
by Mr. Smoove

In the settlement it talks about MS having to disclose information only to companies with a sound business model that meats critera set out by MS. Where does OSS fall? Can MS say OSS is not up to its standards and therefore not release the code?

Additionally what effect will MS's right to charge have on OSS? Can MS only charge for developers to see the code or are they entitled to charge royalties for the implementation of the code? (Can you legally reverse engineer a software having seen the code?)

Larry:

My editor assured me that I would have to answer ten questions, and this one query alone includes five. I'm almost more than half-way done!

The court never once mentioned open source software in its decision. That is not remarkable because judges -- especially district court judges -- are always reluctant to make an issue broader than the case before it. The court was asked to determine a remedy for Microsoft's monopolistic practices. This decision, with all its flaws, does that in a comprehensive way. This means that the court's provisions regarding the disclosure of APIs, the availability of "reasonable and non-discriminatory" licenses from Microsoft, that company's licensing practices with OEMs, and so on, apply equally to competition from open source software as for proprietary software.

To be perfectly clear about this point: Open source software is the most effective competition to Microsoft and they know it. They will not be able to discriminate against our software in monopolistic ways. The court retains the right to step in for the next five (or up to seven!) years if Microsoft doesn't cooperate. We'll be watching.

No, Microsoft can't discriminate against us if they say we're "not up to their standards." That's hogwash any way you look at it! The court did, however, set a one-million-copy-per-year threshold for certain obligations, so that Microsoft isn't forced to "redesign its product to accommodate a particular piece of software with extremely limited use." I'm not sure how this will play out in practice, but I think it is likely to affect smaller proprietary vendors rather than us. After all, we can give away one million copies of open source software to willing customers much easier than a proprietary vendor can sell them.

As I said, Microsoft can charge "reasonable" and "non-discriminatory" royalties. In law school we always used to joke that the word "reasonable" in a statute was a full-employment opportunity for at least two lawyers. Judge Colleen Kollar-Kotelly will be keeping her eyes on that too for at least the next five years. Here's the vague words she used in her decree:

"The Court will prohibit Microsoft from imposing unreasonable or discriminatory license terms, but will permit Microsoft to require a reasonable royalty for the licenses necessary to exercise the rights guaranteed by the final judgment." (Executive Summary pp. 15-16.)

One representative from Microsoft personally reassured me several times over the past few year that her company does not intend to charge high royalties for licenses to patents. Perhaps that also means that her company won't attempt to stifle competition by charging higher royalties than the open source community can afford.

Finally, I'm confused by your question "Can you legally reverse engineer a software having seen the code?" If you've seen the code, why do you need to reverse engineer it? I'll assume you mean, having seen the API documentation, can you reverse engineer Microsoft's code to see how they implemented the API? No! Reverse engineering may be done only if Microsoft allows it in their licenses. Consult a lawyer before you reverse engineer something.

You may have meant one other thing: Under Microsoft's Shared Source licenses you may look at their code. But beware of the conditions under which they show it to you. That software can contaminate you and put your own open source software at risk if you -- even inadvertently -- copy their code. This has nothing to do with the antitrust topic so I'll say no more about that here.

Can Microsoft Pull a "Fast One"?
by viperjsw

What is being put into place to insure that Microsoft actually hands over real code? I mean really. We've got legal consul that doesn't know jack about code trying to, possibly, enforce somehting that they know nothing to little about. Microsoft could hand over out of date code, partial code, bugged code, and any number of other variables on the "truth" and legal guys would be none the wiser.

Larry:

I resent this. Most of the lawyers I meet in open source circles know a lot more than "jack" about code. Some of us even wrote lots of code in prior careers. We're just frustrated engineers who wanted to make our parents proud by going to law school.

We have to count on talented experts in the software field to be able to prove that Microsoft is doing any of the things you described. Keep your eyes open for any signs of cheating.

I've handled lots of civil litigation in which a defendant's misrepresentations come out, and then the defendant lost. The discovery rules give us lots of ways to prove bad faith.

The court appointed an "enforcement committee" to protect the plaintiffs' interests. Here's what that committee has the power to do:

"The remedy adopted by the Court will provide Plaintiffs, acting only after consultation with their enforcement committee, reasonable access to Microsoft's source code, books, ledgers, accounts, correspondence, memoranda, and other correspondence, access to Microsoft employees for interview, and the right to request and receive written reports from Microsoft on any matter contained in the Court's remedial decree. Plaintiffs will, of course, be bound to limit any use of information obtained through these means for the purpose of ensuring Microsoft's compliance with the remedial decree, or as otherwise required by law. Similarly, should information and documents provided to Plaintiffs be subject to disclosure to a third party, Microsoft will not be deprived of the opportunity to claim protection pursuant to Federal Rule of Civil Procedure 26(c)(7)." (Executive Summary, p. 17.)

That's pretty strong. Imagine what life would have been like if we'd had that power all along....

APIs
by mrkurt

Just how much of their remaining undisclosed APIs does Microsoft have to make public? I found the judge's references to this issue quite confusing; in one place she said that MS would have to reveal all of its "communications" protocols; in another she ruled that MS wouldn't have to reveal anything that pertained to such topics as "encryption" or "digital rights management". Isn't it possible for MS to claim that existing or future new APIs for Windows would fall into the latter category, and thus allow them to keep much of it in the dark? My followup question is: what mechanism did the judge set up for determining whether an API should be public or not?

Larry:

Judge Kollar-Kotelly's ruling in the Microsoft antitrust trial was not good news but neither was it a doomsday ruling. Microsoft had already been found liable for monopolistic practices, and the court was just deciding the remedy phase for those plaintiffs who hadn't settled along with the Justice Department quite a while ago.

It is interesting to me to see how such cases are won and lost. Microsoft controlled the definitions that the court accepted and by doing so it won this battle over its future. The court said clearly that the definitions were of paramount importance:

"Integral to understanding the two remedies proposed in this case is a preliminary understanding of the manner in which the two remedies treat middleware." (Executive Summary, p. 5)

The court found that Microsoft's definition of middleware was more consonant with the treatment of the term during the liability phase of the trial.

Middleware is software that resides in the middle between the operating system and something else. "It relies on the interfaces provided by the underlying operating system while simultaneously exposing its own APIs to developers." If defined broadly, such middleware would include almost any software product. If defined narrowly, it would encompass software that provides the functionality of Internet browsers, email client software, networked audio/video client software, and instant messaging software.

The court decided to accept Microsoft's narrow definition of middleware.

Microsoft now has the obligation to expose operating system APIs that are necessary to implement middleware as that term is defined by the court. To avoid confusion, the court specifically required disclosure of APIs for network and server-based applications. The court specifically excluded from disclosure APIs for interactive television software, handheld devices, and Web services.

It seems that, if you can get a court to accept your definitions of terms, you can watch your opponent's proposed remedies disappear in the wind.

The open source community should make sure that Microsoft publishes all the APIs it is required to by this decision. We want to provide valuable open source software that can compete, on Microsoft's own platform and on Linux computers, against all of Microsoft's middleware products.

So experts in open source software should read the court's definitions of middleware carefully, and understand each of the exceptions to the disclosure requirements precisely. I could spend a lifetime analyzing hypotheticals about "communications" protocols, or about "encryption" or "digital rights management." Or I could wait until an important real issue arises. Guess which alternative Judge Kollar-Kotelly chose?

Microsoft is going to have to tread very carefully in this area. If they refuse to disclose certain APIs that their customers, distributors, OEMs and competitors want to have disclosed, they will have to have an intelligent reason. The judge will be listening, and so will we.

Sua Sponte?
by fava

What about the sua sponte provision.

"Jurisdiction is retained by this Court over this action such that the Court may act sua sponte to issue further orders or directions, including but not limited to orders or directions relating to the construction or carrying out of this Final Judgment, the enforcement of compliance therewith, the modification thereof, and the punishment of any violation thereof. Jurisdiction is retained by this Court over this action and the parties thereto for the purpose of enabling the parties to this action to apply to this Court at any time for further orders and directions as may be necessary or appropriate to carry out or construe this Final Judgment, to modify or terminate any of its provisions, to enforce compliance, and to punish violations of its provisions."

It sounds a very open ended authority that grants the judge broad powers over all aspects of the settlement.

Can the judge use this provision to broaden the scope of the agreement or to force Microsoft to use a particular intrepretation of some clause, for example the security exemption or the viability clause?

Or am I just a geek grasping for straws?

Larry:

What's wrong with being a geek grasping for straws?

That's exactly the straw this geek grasped at when I first read the court's decision.

Was the judge's ruling based on the case....
by wowbagger

Many folks are whipping themselves into a frenzy blaming the judge for this decision - but a judge can only (and SHOULD only) judge the case they're brought.

Do you feel the judge was judging within the context of the case she was brought (in other words, that the DOJ fell down on the job of bringing the appeal), or do you feel that the judge's decision was in error based on the case that was brought to her?

Larry:

I am sure that Judge Kollar-Kotelly did not ask for the privilege of handling this case. Yet her decision -- agree or disagree -- demonstrated careful reasoning, an appreciation of computer software beyond that of the typical lawyer or judge, and a good understanding of the limitations of her role.

Here's how she got the case:

"On appeal, the United States Court of Appeals for the District of Columbia Circuit deferred to Judge Jackson's factual findings, altered his findings of liability-affirming in part and reversing in part, and vacated the remedy decree. The appellate court affirmed only limited violations based on 2 of the Sherman Act for illegal monopoly maintenance; all other grounds were reversed. Soon thereafter, the case was randomly reassigned to this Court for the imposition of a remedy." (Executive Summary, p. 3.)

Here's how errors are corrected in such situations. The plaintiffs may appeal this decision. Assuming that the appeals court upholds the district court's decision, the plaintiffs can then appeal to the U.S. Supreme Court. That Court may elect not to hear the appeal. Or it can turn this into an important case to be argued by the best lawyers we can find.

At none of those appeals steps will any court care what Larry Rosen feels.

From a Different Point of View
by Bilbo

Most Slashdot readers are, of course, looking at this decision from a strong technical point of view. It is clear that this decision is going to hurt our favorite technology, and is a bad thing for the Technology sector. We tend to draw parallels from other technology cases, such as the breakup of AT&T, and the outcome of that case.

My question however, is, if you look at this decision from a Business perspective, how does it fall? Is this decision in line with existing case law when it comes to dealing with individuals and corporations who have come to exercise huge amounts of power over their various sectors of the economy? Was this decision made with the intent of strengthening the overall business climate of the US, especially given the current state of the world economy? Will it make perfect sense to the average CEO?

Larry:

You're looking at this decision from the right perspective. Antitrust law deals with business practices, not technology. But this case was brought because of a technology monopoly, so the court fashioned a remedy that it felt addressed the business of technology in which Microsoft's monopolistic practices were most obvious.

The previous court found that Microsoft abused its monopoly power to gain new (related) monopolies and to strengthen its market dominance. When that happens, the court must fashion a remedy. Here's how Judge Kollar-Kotelly, at pages 3-4 of her Executive Summary, described the law of antitrust remedies:

1. Since the appeals court already reduced the scope of Microsoft's liability, that higher court ordered the district court to "determine the propriety of a specific remedy for the *limited* ground of liability we have upheld."

2. Microsoft had not been found to have acquired its monopoly unfairly, but merely to have maintained it by illegal means. Therefore, "rather than termination of the monopoly, the proper objective of the remedy in this case is termination of the exclusionary acts and practices related thereto which served to illegally maintain the monopoly."

3. The goal of antitrust remedies is not to punish a past transgression, nor merely to end specific illegal practices. A remedy should "effectively pry open to competition a market that has been closed by [a] defendant['s] illegal restraints." Equitable relief in an antitrust case, the court wrote,

"should not 'embody harsh measures when less severe ones will do,' nor should it adopt overly regulatory requirements which involve the judiciary in the intricacies of business management. In crafting a remedy specific to the violations, the Court 'is not limited to prohibition of the proven means by which the evil was accomplished, but may range broadly through practices connected with acts actually found to be illegal."

4. Finally, the plaintiffs did not request a structural remedy of dissolution ("a break-up of Microsoft") and instead proposed a remedy which focuses on regulating Microsoft's behavior.

Within those constraints, the district court could range rather widely in crafting specific remedies in this case. That remedy must be tailored to fit the situation before it.

The plaintiffs in this case obviously felt that the court did not go far enough in fashioning a remedy. They may appeal. But we've got a remedy that we're all -- including Microsoft -- going to have to live with at least for now.

You ask whether this decision was made "with the intent of strengthening the overall business climate of the US, especially given the current state of the world economy?" I gather from Judge Kollar-Kotelly's written decision that this wasn't one of the considerations for her. Will it accomplish that goal anyway? Perhaps it will be a modest step forward if we're diligent in our efforts to ensure compliance by Microsoft in every way that is important to us.

Finally, you ask whether the decision will "make perfect sense to the average CEO?" There are no average CEOs. Just like in Garson Keillor's hometown of Lake Wobegon, everyone in such positions is above average. But I can bet you that CEOs of software companies are reading this decision with great interest.

The real question for me: microsoft laptop tax
by sanermind

Does the wording on non-discriminatory licensing to OEMS mean that I will finally be able to purchase most laptops without having to pay a microsoft tax for software I delete as soon as I get it?

Larry:

I sure hope so. The court's decision doesn't require distributors or OEMs to offer that option, but it does prevent Microsoft from entering into exclusive contracts that force distributors or OEM's to impose a "laptop tax."

Mephie writes "News.com is reporting that, in response to letters the RIAA sent to universities warning about P2P file sharing, the Eletronic Privacy Information Center (EPIC) is sending letters to universities warning against cracking down on file swapping. EPIC calls attempts to do so "fundamentally incompatable with the mission" of "foster[ing] critical thinking.""

Mephie writes "News.com is reporting that, in response to letters the RIAA sent to universities warning about P2P file sharing, the Eletronic Privacy Information Center (EPIC) is sending letters to universities warning against cracking down on file swapping. EPIC calls attempts to do so "fundamentally incompatable with the mission" of "foster[ing] critical thinking.""

gabec writes "'Initial rollout of what may eventually become the world's largest silicon repository of personal data could be less than 90 days away....The Computer Assisted Passenger Prescreening System II (CAPPS II) is designed to scan multiple public and private databases for information on individuals traveling into and out of the United States. The system will feed the results to an analysis application that mathematically ranks travelers' potential as security threats.' It will happen by the end of the year, if nothing is done to stop it: And here are some articles on this."

mdecerbo writes "The Boston Globe is reporting that next year's Intel processors will include hardware support for Microsoft's "Palladium" DRM system. There are chilling privacy implications. AMD, here I come."

There will be a number of stories out shortly (here's an early one) noting that Microsoft has settled with the FTC over privacy complaints relating to Microsoft Passport. Short summary: Microsoft made lots of false representations about the security of Passport, and collected more information than it disclosed in its privacy policy, and now must be penalized in the usual Microsoft fashion - they must promise not to do it again. The FTC's settlement page has the complaint and settlement documents. We've covered this extensively - All Your Bits Are Belong to Us, EPIC's complaints about the integration of Windows XP and Passport, Microsoft Defends Passport, EPIC pushing state attorneys general to act against Passport, etc. In fact EPIC has an entire page devoted to Passport. The FTC settlement requires two main things: that Microsoft adopt basic security practices (what were they doing before?), and that Microsoft be audited by a third-party to assure compliance - perhaps it will be TrustE, since Passport's privacy policy remains approved by TrustE.

scubacuda writes "According to Wired, Stanton McCandlish, the Internet's "first full-time activist" (and previous employee of Electronic Frontier Foundation), is retiring. McCandlish is famous for using the comp.org.eff.talk newsgroup and EFFector mailing list to spread the word about the threat of the notorious Clipper Chip (Clipper Chip glossary here) and started the wildly popular "blue ribbon" free-speech campaign."

An Anonymous Coward writes: "The FBI apparently used Carivore in an attempt to collect information on Osama bin Laden't network. Unfortunately they screwed up and collected information on "non-covered targets" (*ahem*, isn't this the sort of thing we weren't supposed to worry about...). Then the FBI tech was "so upset" that he destroyed ALL of the collected email, not only the information that was not covered by the warrant. Here is the SF Gate Story and EPIC's press release."

securitas writes "The NYTimes tells us Senator Trent Lott forced the Senate Commerce Committee to adjourn this morning as it was on the verge of adopting an online privacy bill requiring ISPs and commercial Web sites to get customers' permission before they could disclose important personal information. That would include financial, medical, ethnic, religious and political information along with Social Security data and sexual orientation. I urge Trent Lott's constituents to make your voices heard on this. Same goes for readers whose senators serve on the Senate Commerce Committee." Salon and EPIC have written about Hollings' bill.

ebonkyre writes "According to this article, federal Judge Florence-Marie Cooper has stayed the order which would require SONICBlue to begin recording users viewing habits and reporting them to the MPAA, et al. It has been stayed until June 3rd, at which time the court is to review SB's motion to throw out the order entirely." EPIC has filed a brief supporting Sonicblue's position. EPIC's argument (starting on page 5 of the PDF) neatly summarizes why this order should never have been given.

Last week we noted that Senator Hollings had introduced a privacy bill and that there were likely to be more introduced. Now Salon has a piece critical of Hollings' bill. EPIC wrote about it as well, and they seem to think it's not too bad, all things considered. Read Hollings' bill yourself and decide who's right. Also of note is a bill introduced in the House that would require all Federal agencies to prepare privacy impact statements (the ACLU has a summary) akin to the environmental impact statements now required for actions adversely affecting the environment. Seems like a good idea to me.

tekneeq writes "According to this article on Yahoo, the FCC will require all US wireline, cellular, and broadband PCS carriers to provide law enforcement with surveillance capabilities by June 30th. Carriers will have to supply a multitude of information upon request, such as numbers dialed after a call is connected, call forwarding signals, and signals pertaining to voice mail services." Although it's hard to tell from the Reuters story, this is a continuation of a lawsuit filed against CALEA a few years ago. Read on for more.

This is a complex issue that we don't cover very often, so it requires some background. CALEA is the Communications Assistance for Law Enforcement Act. EPIC has a set of pages about CALEA, a law enacted in 1994 to require telephone companies to build "tap-ability" into their communications equipment. This is voice traffic, not data - don't get this confused with Carnivore, the FBI's tool for slurping down internet traffic. At the time, carriers were transitioning from analog networks to digital ones, and there was some concern that the new digital network would not permit the FBI to listen in easily. Due to the possible expenses incurred by the telephone companies in implementing this, Congress greased the skids with a $500,000,000 (yes, that's half a billion dollars) grant to the companies. Congress granted the FCC the power to decide exactly how to implement this, and the FCC asked for comments. The FBI suggested that the rules should make sure lots of information was available to the FBI, the civil liberties groups suggested that the rules should make sure little information (or at least no more than was available in the old analog system) was available to the FBI, and the phone companies suggested that the rules be inexpensive.

Let's go back in time a moment to look at the old, analog way of doing things. In a nutshell, there are two different ways to conduct a government search on someone's telephone calls: you can search to see who was calling who, or you can search to get the actual content of a telephone call. The first type of search is called a pen register or trap and trace. The pen register is the list of phone numbers you've called. Trap and trace gets the numbers of people who call you. These were (at one time) literal devices which would be physically attached to your phone line. Both of these have been seen by the courts and Congress as much less private (after all, you're "giving" the information to the phone company with every call) than the actual content of your calls, which can only be obtained with a wiretap. Under the old rules, getting pen register or trap and trace information requires only a simple warrant, issued by any judge. Under the law, the judge does not even have the discretion to refuse to issue the order! Nor should you get the impression that this is solely the FBI. Many states allow similar telecommunications searches, and in fact state law enforcement does the bulk of them.

The open question was, with many new digital phone services becoming available, what information would be obtainable with the (non-refusable) pen register or trap and trace-type order, and what would require a real search warrant where a judge is supposed to exercise his discretion in deciding whether to grant it or not? That is, in what cases would "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." be applied, and in what cases would the government be allowed to simply take the information without meeting those requirements?

Eventually the FCC released its interpretation of what the phone companies should do to implement CALEA. The FCC required several things that were "new" and expanded law enforcement's surveillance abilities. One requirement was that all the digits you dial after the call is put through be recorded and provided. So if you dial your bank to transfer funds to checking, or dial your voicemail to retrieve it, or send a message to someone's pager, your bank account number and PIN, your voicemail password, whatever you sent to the pager - all that can be retrieved without a search warrant by any law enforcement official. The FCC also required that if you were using a cell phone, that your physical location be provided as well. They required that if more than two people were on the line, complete information about who joined or dropped out of the conference call be made available. Similarly, data about call waiting or call forwarding was to be provided if these were used. And finally, if you were using VOIP, the government could get all the headers of all your packets sent during the call.

Cue the lawsuits. Civil liberties groups were concerned that the rules were too broad, the FBI was happy (the FCC had given them all they could want), and the telephone companies were concerned that the changes would be too expensive. The civil liberties groups and the telecom industry filed suits to force the FCC to revise its order.

In the case at hand, the telecom industry sued, claiming various things but attempting, in general, to reduce the cost of compliance. The lawsuit was partially successful. The court rejected certain aspects of the FCC's order, and accepted the cell-location and packet-headers parts. The reason for rejecting the other parts was basically that the FCC did not justify itself sufficiently - there are various requirements, created by previous courts, that when an agency creates rules like this that will have the force of law, that they do so in a reasonable and justified manner. The court felt that the stricken requirements did not meet this standard, and chucked the ball back into the FCC's court.

Fast-forward to today. The FCC has reinstated all of the four requirements that were stricken by the courts, and this time it took pains to justify itself. That's what the Reuters article linked above is talking about, and you can read the order yourself in text or in PDF.

There are other lawsuits filed against CALEA that have not yet concluded. Rulings in those may be expected this summer.

As a sidenote, a great many other laws have passed since then expanding other surveillance activities. Under them, the government can now record your internet-browsing activities in much the same way as they can can trace your phone calls - without judicial supervision. If you haven't already, you might wish to read more about the PATRIOT Act.

BuckMulligan writes "Attention, Citizens! The deadline for filing comments against the telenuisance industry is Friday at 5 PM. You can send comments via e-mail to TSR@FTC.GOV. Also, EPIC has a guide to telemarketing and suggestions for comments online. It's important to note that the FTC regulations won't apply to banks and telephone companies that telemarket. However, these rules could be extended to those industries. This is also a lesson that state privacy legislation is better because state do-not-call lists apply to all telemarketers--even banks and common carriers." My state has a statewide do-not-call registry and although it has a list of exemptions a mile wide - charities, anyone you've done business with, etc. - getting on that list has cut out most of the telemarketing calls we used to get. Very nice. Update: 03/28 17:57 GMT by M : EPIC informs me that the deadline has been extended to April 15. Taxes and telemarketing, two great things that go great togeth... well, nevermind.

technogamy writes: "CNN is reporting on the industry's take on P3P, the W3C's Platform for Privacy Preferences.According to the article, the W3C is expected by April to formally adopt P3P -- of course, as many of you are aware, Microsoft's IE6 already includes an implementation of the client side of P3P. 'Because Microsoft's browser checks for P3P, sites risk getting flagged if they don't adopt it.' P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...! (See also EPIC's critique of P3P.)"

Default.cfg writes: "In response to news reports that the Metropolitan Police Department (MPD) had constructed an extensive surveillance camera network in Washington, D.C., EPIC has filed a series of Freedom of Information Act (FOIA) requests to learn more about the system. The system allows police to monitor surveillance cameras from around the city in a central office called the 'Synchronized Operations Command Center' (SOCC)." Read on below for more information, including some interesting links. " The system was assembled and activated with no public dialogue or debate. Since its activation, the camera network has been used to monitor individuals engaged in legitimate First Amendment activities, including the participants in the World Bank and International Monetary Fund protests in April 2000. Basic questions regarding the system -- such as the cost of the system and issues of access to data, data retention, and data sharing -- remain unknown.

EPIC's request seeks information about the cameras, the policies on their use, and future plans for expansion of the network. The request was directed to the MPD and federal agencies that have access to the SOCC for monitoring. The MPD has plans to link even more cameras to the system, including cameras from private stores in Washington's Georgetown neighborhood.

Rep. Connie Morella (R-MD) has expressed objections to the monitoring network as well. Rep. Morella chairs a House Government Reform subcommittee that has oversight on DC policy, and has called for hearings on the issue.

On February 26, the MPD announced that it had turned off twelve cameras that monitored buildings in and around the National Mall. The cameras were deactivated with the close of the Olympic Games in Salt Lake City, Utah and the end of the terror alert announced last month by Attorney General John Ashcroft; however, the cameras could be reactivated at any time.

EPIC Press Release on DC Surveillance Cameras: http://www.epic.org/open_gov/FOIA/dccameraspr.html

EPIC Face Recognition Page: http://www.epic.org/privacy/facerecognition/

Privacy International Video Surveillance Page: http://www.privacyinternational.org/issues/cctv/in dex.html"

Default.cfg writes: "In response to news reports that the Metropolitan Police Department (MPD) had constructed an extensive surveillance camera network in Washington, D.C., EPIC has filed a series of Freedom of Information Act (FOIA) requests to learn more about the system. The system allows police to monitor surveillance cameras from around the city in a central office called the 'Synchronized Operations Command Center' (SOCC)." Read on below for more information, including some interesting links. " The system was assembled and activated with no public dialogue or debate. Since its activation, the camera network has been used to monitor individuals engaged in legitimate First Amendment activities, including the participants in the World Bank and International Monetary Fund protests in April 2000. Basic questions regarding the system -- such as the cost of the system and issues of access to data, data retention, and data sharing -- remain unknown.

EPIC's request seeks information about the cameras, the policies on their use, and future plans for expansion of the network. The request was directed to the MPD and federal agencies that have access to the SOCC for monitoring. The MPD has plans to link even more cameras to the system, including cameras from private stores in Washington's Georgetown neighborhood.

Rep. Connie Morella (R-MD) has expressed objections to the monitoring network as well. Rep. Morella chairs a House Government Reform subcommittee that has oversight on DC policy, and has called for hearings on the issue.

On February 26, the MPD announced that it had turned off twelve cameras that monitored buildings in and around the National Mall. The cameras were deactivated with the close of the Olympic Games in Salt Lake City, Utah and the end of the terror alert announced last month by Attorney General John Ashcroft; however, the cameras could be reactivated at any time.

EPIC Press Release on DC Surveillance Cameras: http://www.epic.org/open_gov/FOIA/dccameraspr.html

EPIC Face Recognition Page: http://www.epic.org/privacy/facerecognition/

Privacy International Video Surveillance Page: http://www.privacyinternational.org/issues/cctv/in dex.html"