Maintain Cybersecurity Spending

A recent article in Politico warned that cybersecurity could be a casualty of a sequester ax. The problem is that, without a change in course, the federal budget is headed for a uniform across-the-board reduction, and that would include the multiple programs that carry out our nation’s responsibilities for protecting federal networks, staving off foreign cyber attacks and researching new technologies. As Politico put it: “Many of those initiatives would be hit hard by deep cuts beginning in 2013 unless Congress pushes back the target date for its legally mandated cuts, exempts some categories of spending or does away entirely with its fallback, deficit-reduction plans.”

And then the news hit that the White House itself had been the target of a cyber attack. Fortunately, this time, no classified systems were compromised and no data was extracted.  This time.

It is not often that events illustrate so vividly the risks to the nation in continuing an unacceptable compromise policy.  No one really wants a sequester, and no one really wants the consequences that would flow from one. Policymakers need to do what it takes to avoid it.

But failing that, the Administration should find a way to prioritize cyber security spending.  Congress did not agree on all aspects of the stalled cybersecurity legislation, but they did agree that more Federal funding for cyber security programs and research was an urgent national priority. Sequester planning should maintain that priority.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Do Not Track: Time for DAA to Move Forward

It is increasingly likely that the W3C process for Do Not Track will reach an impasse. In a recent note to Federal Trade Commission Chairman Jon Leibowitz, several consumer groups described their sense that the process is deadlocked, and asked the Chairman to intervene. FTC officials are usually at the discussions, which are set to resume in Amsterdam this week, but in his letter to Congress last week Chairman Leibowitz made it clear that it is the private sector group, not the government, that will adopt any Do Not Track standard. Even with more direct FTC intervention, however, it is unlikely that parties will act contrary to their perceived fundamental interests.

The key disagreement is over what the Do Not Track flag means and what actions users can expect from websites and service providers if they turn it on. Without a common understanding of this, the Do Not Track standard is incompletely specified, and provides less than comprehensive guidance for browser providers, websites and their service providers, and the general public.

If the W3C cannot reach a common understanding, perhaps the industry can.  The Digital Advertising Alliance has been looking at this issue for some time.  Indeed, back in February it indicated to the White House that it was going to address it:

“…the DAA intends to begin work immediately with browser providers to develop the consistent language across browsers regarding the browser based header signal uniform consumer choice mechanism that is simple to use and in a clear manner that describes to consumers the effect of exercising such choice.”

Mozilla proposed an easy-to-understand, focused definition of Do Not Track back at the beginning of 2011: “Tracking is the accumulation and use of a profile by advertising networks through invisible or subtle noting of which sites an individual visits, and the use of the profile data to customize advertisements displayed.” Or, more succinctly, DNT means “a way for people to opt-out of online behavioral advertising (OBA).”

These definitions make sense.  They focus on the issue that appears to be of most concern to the public and policymakers: cross-site tracking for the purpose of advertising profiling and targeting.  We need to give consumers another mechanism to say no to OBA if they wish.  Of course, the DAA definition should incorporate the current W3C consensus that DNT “on” imposes no obligation on first parties, except that first parties may not help third parties circumvent DNT.

Other uses of tracking should be permitted. For example, a website should be able to do standard analytics, such as keeping track of where its visitors come from and where they go, as well as market research, product debugging and improvements, and investigating possible fraud, intellectual property violations or security risks.

DAA is doing great work on OBA. Its AdChoices program already gives consumers a cookie-based mechanism to opt out of OBA.  With DNT, DAA can do the industry and the public a service by bridging the browser DNT flag with the existing AdChoices program.

Customers should be told clearly that they can decline online behavioral advertising and how to do it.  DAA is in a unique position to move forward and break the logjam that is threatening to derail the promising initiative that is DNT.



The European Cloud Computing Strategy: A Promising Step

Today, the European Commission announced the release of its long-awaited cloud strategy in a communication entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission clearly recognizes cloud computing’s capacity to allow people, businesses and governments to rent services and data storage far more cheaply than buying new equipment and software. Indeed, combined with the emergence of big data analytics, cloud computing represents a sea-change in the business and technical opportunities for the information technology industry and its myriad customers, business and consumer, large and small. The Commission’s strategy report is a major step forward by policymakers in coming to grips with the policy thinking needed to foster this new development and to deal with its many challenges in Europe and around the world.

SIIA particularly welcomes the Commission’s focus on the use of cloud computing in government. The Commission’s encouragement of the use of cloud computing is the counterpart of the US government’s Cloud First approach.

Unfortunately, some parts of the Commission’s communication go in a direction SIIA warned against in its report to policymakers last year. In places, the communication treats cloud computing as a discrete entity that is potentially subject to specific government regulation. In reality, cloud computing is a variety of evolving business and technical developments that share only a rough similarity. NIST has described three different service models for cloud computing (Software as a Service, Platform as a Service, and Infrastructure as a Service) and four different deployment models (private, community, public and hybrid). There is also the enormous difference between consumer uses of cloud computing and its business uses, and within the latter, still further important differences between uses by large organizations and by small and medium-sized businesses. Cloud computing is used in industries ranging from financial services to energy to telecommunications.

The European Commission’s cloud strategy document recognizes this issue, noting that cloud computing has a “range of defining features (which make a general definition elusive)…” Despite this, it goes on to propose a series of government regulations that can be effectively implemented only if there is a reasonably precise legal definition of cloud computing.

Privacy rules, security rules, intellectual property, and consumer protection rules apply when cloud computing is used, but there is no need for special privacy, security, intellectual property or consumer protection rules that apply just to cloud computing. Generalized rules, indeed, globally interoperable rules, are best suited to the global, borderless nature of cloud computing.

Some of the specific suggestions in the report are good in themselves. This is the case, for example, with the idea that security guidelines should be developed that take into account the special characteristics of cloud computing. But again, there is no need for European regulations that mandate specific security requirements just for cloud computing. Security standards should be market-driven and global, not just European, in character.

Another concern is the possible development of privacy rules just for the cloud. The Commission and the Parliament are working on a new data protection regulation that would apply across the board, but the cloud strategy suggests the development of alternative or competing privacy rules just for cloud computing.

The Commission also seems to be interested in mandating specific consumer protections such as data portability, interoperability and reversibility in standardized service level agreements. But it is a leap to jump from a concern for consumer protection to the conclusion that specific European consumer protection rules need to be incorporated into standardized terms of service. Industry groups, not European-wide regulators, are best situated to fill any perceived need for optional model contracts.

SIIA welcomes the Commission’s strategy and intends to engage in the process of working with the Commission to see that the benefits of cloud computing are fully realized in the European single market and throughout the world.



SIIA Weighs in on China’s Trade Practices at Issue at USTR

Today, SIIA filed the comments with the United States Information Technology Office (USITO) in the annual review of China’s compliance with its accession commitments to the World Trade Organization (WTO). The review is held by the United States Trade Representative (USTR).

The comments cover a broad range of concerns on the part of the US tech industry aimed at improving trade and investment in China, including China’s indigenous innovation policies, intellectual property rights, market access and technical barriers to trade, national treatment, communications services and commercial Internet regulations.

The annual USTR review provides USITO and its members an effective means to recognize areas where progress has been made, to raise issues of concern and suggest approaches to resolve areas of disagreement with China’s government over implementation of its WTO agreements.

USITO is the leading independent non-governmental policy organization focused on the technology industry in China. USITO acts as the joint office in China of several U.S.-based trade associations representing the high-tech industry, including SIIA, the Information Technology Industry Council, the Semiconductor Industry Association, TechAmerica and the Telecommunications Industry Association.

I will be testifying on behalf of SIIA and USITO at the USTR’s hearing on these issues on October 3, along with Jimmy Goodrich, Director of Global Policy at the Information Technology Industry Council (ITI), and Brian C. Toohey, President & CEO of the Semiconductor Industry Association (SIA).



China’s Utility Model Patent System: A Perfect Storm for Patent Trolls

In testimony at today’s House Subcommittee on Intellectual Property hearing on international intellectual property enforcement, Victoria Espinel, the US Intellectual Property Enforcement Coordinator, made reference to “unexamined utility model patents” as a problem in the Chinese patent system.

Chairman Bob Goodlatte also raised the issue in his opening statement, noting that it is “problematic” when “a country grants many low-quality or ‘junk’ patents to local companies, so that they can sue American companies and get rich quick. Many of these are utility model patents that go through minimal review and lack real inventiveness.”

It is good news that the Administration and the Congress are focusing on this. A recent Washington Post story highlights the problem. It looks as if China is about to recreate the patent troll problem we are struggling with here in the United States. The Post story puts the problem this way: “Small companies that take on bigger firms in questionable patent cases have become known here as ‘patent cockroaches,’ a play off the U.S. term ‘patent trolls,’ used to describe companies that make money primarily by hoarding flimsy patents and suing others.”

A recent report from Thomson Reuters describes how this lesser-known part of China’s patent system works. It is intended to apply to incremental improvements that change the shape or structure of an object. It is typically used for electronic or communication devices, but software-implemented inventions have also been issued as utility model patents.

The problem is that it is too easy, cheap and quick to get these patents. As a result, they are often of low quality. Despite this, they carry with them the same arsenal of remedies as higher-quality invention patents do, including substantial fines and even injunctions.

The threshold of inventiveness is lower for utility model patents. As compared to prior art, an invention patent has “prominent substantive features and represents a notable progress,” while a utility model patent merely has “substantive features and represents progress.” As a result, it is more difficult to invalidate a questionable utility model patent. And there is no mandatory examination upon filing an infringement action.

Utility models are issued without substantive examination, typically in under 6 months (3 months is the target). Utility models are 20% cheaper than invention patents to obtain.

Because of these attractive features, utility model patents are growing quickly. Most of these are owned by Chinese individuals.

A few problematic cases have already surfaced. Several years ago, the French company Schneider lost a utility model suit in China, costing them a $23 million settlement. A patent infringement case involving a utility model was filed against Apple on July 30, 2012 by Mr. Lee of Taipei in Zhenjiang Intermediate People’s Court. The case involves FaceTime.

The situation is ripe for abuse. Since 2008, well-known non-practicing entities have begun to establish a presence in China. It is only a matter of time before the patent troll problem bursts out there, and by then it will be too late to prevent the damage these.

We know the extent of the problem here. A recent study by Boston University faculty members James Bessen and Michael Meurer suggests that the economic loss from patent trolls reached $29 billion in 2011. We don’t need to recreate this problem in the world’s second largest economy. The time is now to begin consultations with industry and other governments to investigate remedies to this potential problem.



Google in the Middle

A U.S. ambassador is killed in a consulate in Libya, along with three other Americans. Anti-US riots spread throughout the Middle East.  At the heart of the unrest is a short anti-Islamic video posted on YouTube.

What should YouTube’s parent company, Google, do? It cannot review videos before the fact, because there are too many of them, and because its system of user-generated content is designed to allow a broader range of expression than the old broadcaster/newspaper model of strict editorial control.

But Google has an elaborate system of review after the fact. After its review of the anti-Islamic video, it made a judgment that the video “is clearly within our guidelines and so will stay on YouTube.  However, given the very difficult situation in Libya and Egypt we have temporarily restricted access in both countries.”

YouTube blocked access in other countries, such as India and Indonesia, because it is localized in those countries and received a valid court order or official government notification that the video violated local law. Other countries, including apparently Afghanistan, blocked access to all of YouTube pending the removal of the video.

The U.S. government asked Google to review its decision to keep the video up, but Google repeated its judgment that the video was within its community guidelines.

The issues here are complex and muddied. Jonathan Zittrain got it right when he dismissed those who think this is a “no-brainer.” What is clear is that Google is in the middle. It has a responsibility to act in the face of this complex mixture of speech that is offensive to some, and yet appears not to violate its community guidelines.

So Google did the right thing by acting. In our system it is their decision, and that’s the way it should be. It has stepped up to its responsibility by crafting a balanced, reasonable response to this challenging situation.



Do Not Track is at a Crossroad

The New York Times weekend piece on Do Not Track revived the debate on what the industry should do when users’ online privacy choices are made for them. Our view is that the choice should be left to the user, and not imposed by any platform or service provider. Last week, Google announced that it would make available this user-controlled feature in its Chrome browsers by the end of the year.

In June, Microsoft disrupted the industry discussions about how to provide a workable mechanism to empower users to make choices about online privacy and personalization. It announced that it would turn on the Do Not Track (DNT for short) signal in Internet Explorer 10 by default. Mozilla, the maker of the competing browser, Firefox, was critical. SIIA objected. Advertisers announced that this decision ran counter to an agreement struck between the industry and the White House around opt-out as a genuine consumer choice.

Last week, Apache revealed that it will disable the DNT signals coming from Internet Explorer 10. Roy Fielding, an author of the DNT standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10.

The message is that a unilateral action forced on users by one industry player is not a sustainable solution. We as an industry have to do it together, or not at all. If websites powered by Apache do not accept the IE10 DNT signal, it simply won’t reach critical mass. Consumers, misled by industry announcements and superficial stories from the trade press, might think their browsers are giving them privacy over personalization–but the reality will be very different.

The danger is that the collaborative effort that has been building toward real privacy protection collapses. As Peter Bright said in Ars Technica in August, “…there’s a very real prospect that the Do Not Track header will be both widely used, and widely ignored. In this situation, it would be difficult to describe it as anything other than a failure.”

Do Not Track is at a crossroad. Now it is up to the industry to create a simple, easy-to-use, consumer-activated Do Not Track system that all parties can respect.

