RISKS-LIST: Risks-Forum Digest Friday 23 April 2021 Volume 32 : Issue 61
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.61>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Two people killed in fiery Tesla crash with no one driving (Sundry sources)
Israel appears to confirm it carried out cyberattack on Iran nuclear
facility (The Guardian)
Blackout in China's Xinjiang region caused almost half of the bitcoin
network to go offline for 48 hours (Twitter via geoff goodfellow)
U.S. Unveils 100-day Plan to Avoid "Going Dark" (Henry Baker)
Data Integrity (Dan Geer)
They Hacked McDonald's Ice Cream Machines -- and Started a Cold War (WiReD)
U.S. and Japan to invest $4.5bn in next-gen 6G race with China (Nikkei Asia)
Jaguar Land Rover to suspend output due to chip shortage (BBC News)
Bitcoin Plunges in Biggest Intraday Drop Since February (Bloomberg)
IBM Clarifies Stance On Developers Working On Open-Source Projects In
Off-Hours (Phoronix)
Grey-hat "security research," Linux, and U of Minnesota (Rob Slade)
A growing problem of 'deepfake geography': How AI falsifies satellite images
(Techxplore.com)
In bot we trust: People put more faith in computers than other humans
(StudyFinds)
The Incredible Rise of North Korea's Hacking Army (The New Yorker)
$40,000 Swindle Puts Spotlight on Literary Prize Scams (NYTimes)
Processes changing for redacting documents (Chesterfield County VA)
Victory for Fair Use: The Supreme Court Reverses the Federal Circuit in
Oracle v. Google (Michael Barclay)
What's Really in Your Water? (Scientific American)
Water Safety That Uses Your Mussels (nowiknow via Gabe Goldberg)
Stealthy Dopant-Level Hardware Trojans (IACR paper via Rob Slade)
The Postal Service is running a 'covert operations program' that monitors
Americans' social media posts (Yahoo! item via Lauren Weinstein)
The Pandemic Proved That Our Toilets Are Crap (WiReD)
Space Junk Removal Is Not Going Smoothly (Scientific American)
Re: We tested the first state's vaccine passport: Here's what to expect
(John Levine)
Re: Miss'taken assumptions lead to plane incident (David Lesher)
Election Systems, Security, and the Future (Rebecca Mercuri)
Infosec Ethics -- VSS, 4 May 2021 (Rob Slade)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 18 Apr 2021 09:19:13 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Two people killed in fiery Tesla crash with no one driving
(Sundry sources)
*Authorities said it took four hours to extinguish the fire*
Authorities in Texas say two people were killed when a Tesla with no one in
the driver's seat crashed into a tree and burst into flames, Houston
television station KPRC 2 reported.
<https://www.click2houston.com/news/local/2021/04/18/2-men-dead-after-fiery-tesla-crash-in-spring-officials-say/>
The cause of the crash, which happened at about 9PM local time in Spring,
Texas (near Houston), is under investigation. According to KHOU
<https://www.khou.com/article/news/local/tesla-spring-crash-fire/285-c28a4993-5b5f-43f4-a924-e39638390647>
in Houston, first responders had to use 30,000 gallons of water over four
hours to put out the fire, as the Tesla's battery kept reigniting.
Authorities tried to contact Tesla for advice on putting out the fire; it's
not clear whether they received any response.
Two men dead after fiery crash in Tesla Model S.
``[Investigators] are 100-percent certain that no one was in the driver seat
driving that vehicle at the time of impact,'' Harris County Precinct 4
Constable Mark Herman said. ``They are positive.'' #KHOU11
<https://twitter.com/hashtag/KHOU11?src=hash&ref_src=twsrc%5Etfw>
https://t.co/q57qfIXT4f pic.twitter.com/eQMwpSMLt2 <https://t.co/eQMwpSMLt2>
-- Matt Dougherty (@MattKHOU) April 18, 2021
<https://twitter.com/MattKHOU/status/1383821809053683721?ref_src=twsrc%5Etfw>
Preliminary reports suggest the car was traveling at a high rate of speed
and failed to make a turn, then drove off the road into a tree. One of the
men killed was in the front passenger seat of the car, the other was in the back seat, according to KHOU. Harris County Precinct 4 Constable Mark
Herman told KPRC that ``no one was driving'' the fully-electric 2019 Tesla at the time of the crash. It's not yet clear whether the car had its Autopilot driver assist system activated. [...]
https://www.theverge.com/2021/4/18/22390612/two-people-killed-fiery-tesla-crash-no-driver
[Also noted by Matthew Kruk. PGN]
------------------------------
Date: Mon, 12 Apr 2021 09:03:50 +0900
From: Dave Farber <farber@gmail.com>
Subject: Israel appears to confirm it carried out cyberattack on Iran
nuclear facility (The Guardian)
https://www.theguardian.com/world/2021/apr/11/israel-appears-confirm-cyberattack-iran-nuclear-facility
https://about.rogers.com/news-ideas/a-message-from-jorge-fernandes-chief-technology-officer-at-rogers/
------------------------------
Date: Sun, 18 Apr 2021 10:37:29 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Blackout in China's Xinjiang region caused almost half of the
bitcoin network to go offline for 48 hours
https://twitter.com/GoldTelegraph_/status/1383823066166226947
------------------------------
Date: Tue, 20 Apr 2021 21:48:55 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: U.S. Unveils 100-day Plan to Avoid "Going Dark"
Perhaps end2end encryption might help?
Just a suggestion... ;-) ;-)
Michael Riley and Jamie Tarabay, Bloomberg, 20 Apr 2021
U.S. Unveils Plan to Protect Power Grid From Foreign Hackers
https://www.bloomberg.com/news/articles/2021-04-20/u-s-unveils-plan-to-protect-power-grid-from-foreign-hackers
The White House unveiled on Tuesday a 100-day plan intended to protect the
U.S. power grid from cyber-attacks, mainly by creating a stronger
relationship between U.S. national security agencies and the mostly private utilities that run the electrical system.
The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber-defenses.
The nation's power system is both highly vulnerable to hacking and a target
for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power.
"The United States faces a well-documented and increasing cyber-threat from malicious actors seeking to disrupt the electricity Americans rely on to
power our homes and businesses," Secretary of Energy Jennifer Granholm said.
Although the plan is billed as a 100-day sprint -- which includes a series
of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that
run the country's power systems, known as industrial control systems.
The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the
Biden administration's focus on cybersecurity. "Given the sophisticated and constantly changing threats posed by adversaries, America's electric
companies remain focused on securing the industrial control systems that operate the North American energy grid," said EEI president Tom Kuhn.
While an early draft had proposed helping small utilities and rural co-ops
pay for the new monitoring, the final version is more vague about whether
the money will come from the federal government or be passed to customers in the form of higher utility bills. Large utilities often have sophisticated security teams and pay for cutting edge monitoring technology, but it's
unclear how enthusiastically smaller utilities will take on the cost of additional security.
The government will take suggestions from utilities within 21 days about
ways to incentivize participation in the voluntary effort, according to
details of the plan described by a person familiar with it.
The final plan also drops the draft's proposal for enhancing supply chain security for grid components by calling for a list of recommended equipment vendors. Now, the administration plans to ask utilities for suggestions for improvement.
Experts say initiatives to enhance the security of the U.S. electrical grid
are years behind better-known efforts to shield data centers and corporate systems. At the same time, hackers from Russia, China, Iran and North Korea
are launching increasingly aggressive attacks on U.S. power companies,
hoping to install malware that could leave cities and towns in the dark.
Under the new plan, owners and operators of electricity networks are now expected to "enhance their detection, mitigation and forensic capabilities," according to the Department of Energy statement. They would also need to
share information with the federal government if something happens to their systems. Priority sites will need to identify and report their technology capabilities, gaps and requirements within 45 days of the launch.
CISA, the Cybersecurity and Infrastructure Security Agency, will establish a team of government and agency representatives to coordinate analysis between the government and private sector.
"The safety and security of the American people depend on the resilience of
our nation's critical infrastructure," said acting CISA director Brandon
Wales, in a statement. The partnership would "prove a valuable pilot as we continue our work to secure industrial control systems across all sectors."
-- With assistance by Shaun Courtney, and Josh Saul
------------------------------
Date: Thu, 22 Apr 2021 10:41:14 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Data Integrity (Dan Geer)
"Business decision makers no longer have to deal with information along a
previously believed continuum of certitude; *Through a Glass Darkly*, but
rather can see clearly the demarcations where information is useful and
not useful.
The rapid digitalization of business processes has caused a greater need
for accurate data as there are no longer humans further upstream in the
process to keep the low-quality data from infecting the automated business
decision process. Now is the time to align the ordinal scales of
jurisprudence and accounting with each other and with like-minded ordinal
scales for business processes. We offer a first cut at that necessary
advance; we hope that it is sufficient to purpose and self-explanatory,
and will allow this advancement in technology to open new markets with
innovative products."
https://securityledger.com/2021/04/can-blockchain-solve-datas-integrity-problem/
[Thanks to Paul F. Roberts. PGN]
------------------------------
Date: Fri, 23 Apr 2021 00:44:50 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: They Hacked McDonald's Ice Cream Machines -- and Started a Cold
War (WiReD)
Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines -- and how the fast-food giant froze them out.
https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-makers-started-cold-war/?utm_source=pocket-newtab
Right to repair, revisited -- at McDonald's.
------------------------------
Date: Mon, 19 Apr 2021 13:30:16 +0900
From: Dave Farber <farber@keio.jp>
Subject: U.S. and Japan to invest $4.5bn in next-gen 6G race with China
(Nikkei Asia)
TOKYO/WASHINGTON -- U.S. President Joe Biden and Japanese Prime Minister Yoshihide Suga have agreed to jointly invest $4.5 billion for the
development of next-generation communication known as 6G, or "beyond 5G."
The two countries will invest in research, development, testing, and
deployment of secure networks and advanced information and communications
technology, according to a fact sheet released after the two leaders met in
Washington on Friday
<https://asia.nikkei.com/Politics/International-relations/Biden-and-Suga-refer-to-peace-and-stability-of-Taiwan-Strait-in-statement>.
"The United States has committed $2.5 billion to this effort, and Japan has
committed $2 billion," it said
<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/16/fact-sheet-u-s-japan-competitiveness-and-resilience-core-partnership/>.
The call for "secure and open" 5G networks, including advancing Open Radio Access Networks (Open-RAN), reflects the leaders' intent of creating an alternative to a China-led communications network.
Open-RAN is an open-source platform where network operators can mix and
match hardware from different vendors, without having to own entire systems
of antennas and base stations.
As of now, Chinese companies such as Huawei Technologies and ZTE hold a
roughly 40% share of base stations. European players Ericsson and Nokia, as well as South Korea's Samsung Electronics are the other heavyweights,
together accounting for a 90% market share. American and Japanese
enterprises lag behind.
In terms of 5G patents, U.S. leader Qualcomm owns roughly 10% -- on par with Huawei -- but Japan's top player NTT Docomo only has about 6%.
The Chinese leadership under President Xi Jinping gained confidence after catching up with advanced countries in the 5G development race. Now it is determined to repeat the success in sixth-generation technology. The new five-year plan adopted at the National People's Congress, China's
parliament, in March also included the development of 6G.
Japanese government officials lament the country's late start in the 5G
race. "Even if we had better technology, we couldn't win the race to win
market share," one official said.
To avoid the same mistake, Tokyo is determined to play on the international field from the get-go in 6G. With a goal to elevate Japan's share of patents
to 10%, a joint industry-government-academia organization was set up late
last year.
Japan believes that global standards setting will be crucial to the
development of next-gen communications, and therefore sees cooperation with
the U.S. to help in this regard.
One of the goals stated in the fact sheet is to extend the U.S.-Japan cooperation on communications to "third-countries" to promote secure connectivity. Adding partners to the U.S.-Japan led initiative should help
in the competition with China to set global standards.
The fact sheet also advocated cooperation on sensitive supply chains,
including semiconductors. Here the response in the Japanese industry is divided.
One official at a chipmaker welcomed the announcement, saying that if the governments prepare subsidies to strengthen supply chains in like-minded countries, it could bring down the cost to establish facilities inside
Japan.
But an official at a chip-manufacturing equipment maker said, "if the
U.S. expands sanctions on China, it will be difficult to grow our business
in China," which is a major market for Japanese equipment makers.
Yuichi Koshiba, managing director and partner at Boston Consulting Group in Tokyo, said extensive government intervention in the chip market would have
a negative effect on the industry. "Governments should not try to control global supply chains to fit their own country's interests," he said.
------------------------------
Date: Thu, 22 Apr 2021 13:33:40 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Jaguar Land Rover to suspend output due to chip shortage (BBC News)
Jaguar Land Rover (JLR) is shutting its two main car factories temporarily
due to a shortage of computer chips.
The difficulties at Britain's biggest carmaker echo similar problems at
other manufacturers, including Ford, who have been hit by a global shortage
of chips.
JLR said there would be a "limited period" of closure at its Halewood and Castle Bromwich sites from Monday.
A mixture of strong demand and Covid shutdowns at chipmakers has also hit phone, TV and video games companies.
Tata-owned JLR said in a statement: "We have adjusted production schedules
for certain vehicles which means that our Castle Bromwich and Halewood manufacturing plants will be operating a limited period of non-production
from Monday 26th April.
"We are working closely with affected suppliers to resolve the issues and minimise the impact on customer orders wherever possible." Production at a third factory, at Solihull, will continue.
https://www.bbc.com/news/business-56841946
------------------------------
Date: Sun, 18 Apr 2021 17:39:32 +0900
From: David Farber <farber@keio.jp>
Subject: Bitcoin Plunges in Biggest Intraday Drop Since February (Bloomberg)
Shamim Adam and Emily Barrett, Bloomberg, 18 Apr 2021
Bitcoin sinks as much as 15% days after hitting record
Bitcoin Plunges in Biggest Intraday Drop Since February
https://www.bloomberg.com/news/articles/2021-04-18/bitcoin-falls-as-much-as-15-biggest-intraday-drop-since-feb
------------------------------
Date: Fri, 23 Apr 2021 15:48:57 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: IBM Clarifies Stance On Developers Working On Open-Source
Projects In Off-Hours (Phoronix)
Earlier this week was a surprising Linux kernel networking commit that
removed an IBM engineer as one of the driver maintainers for the IBM Power SR-IOV Virtual NIC driver. Seemingly at issue with this VNIC driver work was the developer using his personal email address in working on the driver in
his off-hours. IBM has now clarified their stance on such work.
The VNIC maintainer updating patch yielded much attention for carrying the following quoted message, "As an IBM employee, you are not allowed to use
your gmail account to work in any way on VNIC. You are not allowed to use
your personal email account as a "hobby". You are an IBM employee 100% of
the time. Please remove yourself completely from the maintainers file. I
grant you a 1 time exception on contributions to VNIC to make this change."
IBM has now reached out to Phoronix to provide further comment. They shared that contrary to the Git commit, "IBM promotes and encourages engagement in
the Linux open source community regardless whether an IBM email ID or a personal email ID is used."
When asked about this specific situation that portrays the direct opposite
of their communication, Todd Moore, VP Open Technology at IBM explained: "We respect our developer's need to be individuals, and their open source code contributed under a personal ID represents them and their resume. This was a one off disagreement that should not have gone public as there are internal guidelines to resolve it. Often our contributors will have a personal GitHub
ID and an IBM GitHub ID. We use tooling to track contributions under both
IDs to ensure everyone gets credit towards our recognition program. We value and encourage contribution whether it be code, code reviews, documentation, issue triage, or advocacy as part of their careers or their own time."
https://www.phoronix.com/scan.php?page=news_item&px=IBM-Open-Source-Leisure-Work
Someone speculated: ``Interesting ... I believe that there is more to this
than meets the eye as the IBM employee changed his eMail from IBM to Gmail
just three days before receiving this reprimand. Very likely some kind of disagreement between his employee and his idiot manager. This appears to be
an open source project that is owned/sponsored by IBM (all contributors have
an IBM eMail address) and working on this project (IBM Power network driver) was a part of his job.''
Idiot managers are always a risk.
------------------------------
Date: Thu, 22 Apr 2021 11:51:51 -0700
From: Rob Slade <rslade@gmail.com>
Subject: Grey-hat "security research," Linux, and U of Minnesota
This is a big and messy fight, with a lot of points to make about how we should, and shouldn't, conduct security.
A particular program in the University of Minnesota Department of Computer Science and Engineering is run by professor Kangjie Lu. At least two
students from this program, apparently with the knowledge of the professor, have been submitting what they refer to as "hypocrite commits" to the core Linux repository. (In other words, some form of malware, at least in terms
of the code not being what it purports to be.)
This type of thing is not exactly new. We know of, and use, red team
attacks, and pen tests of various types. No less a luminary than Fred Cohen initially thought that teaching students to write viruses could be
beneficial (although he later changed his mind when he found that the
students weren't learning all that much about security from the exercise).
The University of Calgary had a virus writing program at one time (with somewhat less control).
But this attempt, while addressing a slightly different aspect of the
concept behind "Reflections on Trusting Trust" and supply chains, seems to
have both fewer controls, and potentially much greater consequences (as well
as a pretty massive disregard for the work of the Linux volunteers *and*
users all over the world). The students involved seem to have offered some half-hearted apologies over the issue.
For more details:
https://nakedsecurity.sophos.com/2021/04/22/linux-team-in-public-bust-up-over-fake-patches-to-introduce-bugs/
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
The next VanTUG Security Series meeting (details of series:
https://community.isc2.org/t5/C/V/m-p/42919 , meeting link for 4 May 2021,
7 pm [PDT] meeting: https://is.gd/dA1c3O ) is on the topic of "Infosec
Ethics," so this issue is a bit of a gift, and will be used as one of the
main "case studies" for discussion.
------------------------------
Date: Thu, 22 Apr 2021 11:45:40 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: A growing problem of 'deepfake geography': How AI falsifies
satellite images (Techxplore.com)
https://techxplore.com/news/2021-04-problem-deepfake-geography-ai-falsifies.html
"But with the prevalence of geographic information systems, Google Earth and other satellite imaging systems, location spoofing involves far greater sophistication, researchers say, and carries with it more risks. In 2019,
the director of the National Geospatial Intelligence Agency, the
organization charged with supplying maps and analyzing satellite images for
the U.S. Department of Defense, implied that AI-manipulated satellite images can be a severe national security threat."
Risk: Map source corroboration and authentication.
------------------------------
Date: Sat, 17 Apr 2021 08:07:14 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: In bot we trust: People put more faith in computers than other
humans (StudyFinds)
Do you find yourself reaching for the calculator, even for the *really*
simple math problems? There's a lot of concern these days that technology,
like artificial intelligence, is too smart for its own good. Despite fear
over how intrusive these algorithms are becoming, a new study finds people
are actually more willing to trust a computer than their fellow man.
Researchers at the University of Georgia say this is especially true when people find tasks too challenging to handle alone. However, it's not just
the ``heavy lifting'' humans are running to computers for help with. From choosing the next song in the playlist to finding better fitting pants, algorithms are making more and more of the *daily decisions in people's
lives* -- whether they realize it or not.
<https://www.studyfinds.org/no-way-to-control-super-artificial-intelligence-ai/>
``Algorithms are able to do a huge number of tasks, and the number of tasks
that they are able to do is expanding practically every day,'' says Eric
Bogert, a Ph.D. student in the Terry College of Business Department of
Management Information Systems, in a *university release*
<https://news.uga.edu/people-may-trust-computers-more-than-humans/>. ``It
seems like there's a bias towards leaning more heavily on algorithms as a
task gets harder and that effect is stronger than the bias towards relying
on advice from other people.''
Letting the computer do the work
Researchers evaluated the responses of 1,500 individuals tasked with
counting the people in a series of photographs. The team also supplied participants with suggestions on how to do this, generated either by other people or computer algorithms. [...]
https://www.studyfinds.org/people-trust-computers-over-humans/
------------------------------
Date: Tue, 20 Apr 2021 10:41:00 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: The Incredible Rise of North Korea's Hacking Army (The New Yorker)
https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army?currentPage=all
The country's cyberforces have raked in billions of dollars for the regime
by pulling off schemes ranging from ATM heists to cryptocurrency thefts.
Can they be stopped?
------------------------------
Date: Sun, 18 Apr 2021 13:56:50 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: $40,000 Swindle Puts Spotlight on Literary Prize Scams (NYTimes)
The organizers of at least five British awards received emails asking them
to transfer prize money to a PayPal account. One of them paid out.
https://www.nytimes.com/2021/04/16/books/phishing-book-prizes.html
------------------------------
Date: Tue, 20 Apr 2021 11:52:47 -0400
From: Joe Finnegan <joe@finneganfunnyfarm.net>
Subject: Processes changing for redacting documents (Chesterfield County VA)
Yesterday's note from the Superintendent of Chesterfield County, Virginia, Public Schools.
Redaction, again.
Begin forwarded message:
- - - - - - - - - - -
From: Chesterfield County Public Schools <ccpsinfo@ccpsnet.net>
Subject: Processes changing for redacting documents
Date: April 19, 2021 at 12:05:22 EDT
CCPS UPDATE: Dear Team Chesterfield families,
We recently learned of a defect in a redacted document that allowed one
citizen to access what was thought to be blacked-out student and staff
names. We share concerns that approximately 575 students and 400 staff names were made accessible as a result of an inadvertent software application
error that allowed a citizen to see the student names that were underneath
the redaction.
After being made aware that the names of COVID-positive students and staff members listed in a contact-tracing spreadsheet required by the Virginia Department of Health could be accessed, we immediately began to investigate
the concern. The citizen who received the defective document said they immediately destroyed it after recognizing the defect and notified the
school division.
Other redacted public records provided in compliance with Virginia Freedom
of Information Act, the state’s open records law, are being reviewed. We are in the process of reaching out to the U.S. Department of Education's Student Privacy Policy Office for additional guidance. We will be in contact with affected families as appropriate.
We are sorry that this technical error occurred, and already have taken appropriate steps to change our practice on how information is redacted
moving forward.
Superintendent, Chesterfield County Public Schools
[Redact Redux? But not a Red Act? PGN]
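A practitioner's check for this class of defect, as an added example that is not part of the CCPS notice and not the software it mentions: the code builds a tiny single-page PDF containing two constructed names, "redacts" it first by painting black boxes over them (visual-only redaction, which leaves the text operators in the file) and then by actually removing the strings, and scans the raw bytes of each result for any sensitive string that survived, decompressing Flate-encoded streams first so that compression does not mask the leak. The file format (PDF), the names and the box coordinates are assumptions made for the demonstration; the notice does not say which format or tool was involved.

```python
"""Constructed demonstration of visual-only versus real redaction.

Builds a tiny PDF containing made-up names, "redacts" it two ways, and then
inspects the raw file for sensitive text that a viewer would not display.
Illustrative example only; not the software involved in the CCPS notice.
"""
import re
import zlib

# Constructed sample names, not data from any real document.
SENSITIVE_NAMES = ["Alice Example", "Bob Sample"]

# Page content stream: two lines of text drawn with the page font /F1.
PAGE_TEXT = (
    b"BT /F1 12 Tf 20 60 Td (Student: Alice Example) Tj "
    b"0 -20 Td (Staff: Bob Sample) Tj ET"
)


def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Assemble a minimal, well-formed single-page PDF around one content stream."""
    if compress:
        stream_bytes = zlib.compress(content)
        stream_dict = b"<< /Length %d /Filter /FlateDecode >>" % len(stream_bytes)
    else:
        stream_bytes = content
        stream_dict = b"<< /Length %d >>" % len(stream_bytes)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        stream_dict + b"\nstream\n" + stream_bytes + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def overlay_redact(content: bytes) -> bytes:
    """The defective approach: paint black boxes over both lines of text.
    The text operators stay in the stream, so anything that reads the file
    (copy-paste, text extraction, a script) still sees the names."""
    boxes = b" 0 g 20 58 260 14 re f 20 38 260 14 re f"  # assumed coordinates
    return content + boxes


def remove_redact(content: bytes, names) -> bytes:
    """The correct approach: take the strings out of the content itself."""
    for name in names:
        content = content.replace(name.encode(), b"[REDACTED]")
    return content


# Stream objects whose dictionary has no nested dictionaries and a direct
# /Length value; that covers ordinary content streams (indirect /Length
# references and object streams are out of scope for this example).
_STREAM_START_RE = re.compile(rb"<<([^<]*?)>>\s*stream\r?\n")
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def searchable_bytes(pdf: bytes) -> bytes:
    """The raw file plus the decoded form of every Flate-compressed stream,
    so that compression cannot hide text from a byte-level search."""
    pieces = [pdf]
    for match in _STREAM_START_RE.finditer(pdf):
        length = _LENGTH_RE.search(match.group(1))
        if b"/FlateDecode" not in match.group(1) or length is None:
            continue
        data = pdf[match.end():match.end() + int(length.group(1))]
        try:
            pieces.append(zlib.decompress(data))
        except zlib.error:
            pass  # not a plain Flate stream; the raw bytes are still searched
    return b"\n".join(pieces)


def residual_names(pdf: bytes, names) -> list:
    """Sensitive strings that survive in the file, whatever it looks like rendered."""
    haystack = searchable_bytes(pdf)
    return [name for name in names if name.encode() in haystack]


if __name__ == "__main__":
    for label, content in [
        ("overlay only", overlay_redact(PAGE_TEXT)),
        ("text removed", remove_redact(PAGE_TEXT, SENSITIVE_NAMES)),
    ]:
        pdf = build_pdf(content, compress=True)
        print(f"{label}: residual names = {residual_names(pdf, SENSITIVE_NAMES)}")
```

The check runs on the artifact as it will be delivered, not on what a viewer shows: the overlay version renders with the names hidden but reports both names as residual, while the version with the text removed reports none. A real document also carries metadata, annotations, attachments and object streams, so a production check has to cover those locations too; the principle is the same.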
------------------------------
Date: April 11, 2021 19:50:50 JST
From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: Victory for Fair Use: The Supreme Court Reverses the Federal
Circuit in Oracle v. Google (Michael Barclay)
[via Dave Farber]
Michael Barclay, EFF, 5 Apr 2021
https://www.eff.org/deeplinks/2021/04/victory-fair-use-supreme-court-reverses-federal-circuit-oracle-v-google
In a win for innovation, the U.S. Supreme Court has held that Google's use
of certain Java Application Programming Interfaces (APIs) is a lawful fair
use. In doing so, the Court reversed the previous rulings by the Federal Circuit and recognized that copyright only promotes innovation and
creativity when it provides breathing room for those who are building on
what has come before.
This decision gives more legal certainty to software developers' common practice of using, re-using, and re-implementing software interfaces written
by others, a custom that underlies most of the Internet and personal
computing technologies we use every day.
To briefly summarize over ten years of litigation: Oracle claims a copyright
on the Java APIs -- essentially names and formats for calling computer functions -- and claims that Google infringed that copyright by using (reimplementing) certain Java APIs in the Android OS. When it created
Android, Google wrote its own set of basic functions similar to Java (its
own implementing code). But in order to allow developers to write their own programs for Android, Google used certain specifications of the Java APIs (sometimes called the ``declaring code'').
APIs provide a common language that lets programs talk to each other. They
also let programmers operate with a familiar interface, even on a
competitive platform. It would strike at the heart of innovation and collaboration to declare them copyrightable.
EFF filed numerous amicus briefs in this case explaining why the APIs should not be copyrightable and why, in any event, it is not infringement to use
them in the way Google did. As we've explained before, the two Federal
Circuit opinions are a disaster for innovation in computer software. Its
first decision -- that APIs are entitled to copyright protection -- ran contrary to the views of most other courts and the long-held expectations of computer scientists. Indeed, excluding APIs from copyright protection was essential to the development of modern computers and the Internet.
Then the second decision made things worse. The Federal Circuit's first
opinion had at least held that a jury should decide whether Google's use of
the Java APIs was fair, and in fact a jury did just that. But Oracle
appealed again, and in 2018 the same three Federal Circuit judges reversed
the jury's verdict and held that Google had not engaged in fair use as a
matter of law.
Fortunately, the Supreme Court agreed to review the case. In a 6-2 decision, Justice Breyer explained why Google's use of the Java APIs was a fair use as
a matter of law. First, the Court discussed some basic principles of the
fair use doctrine, writing that fair use ``permits courts to avoid rigid application of the copyright statute when, on occasion, it would stifle the very creativity which that law is designed to foster.''
Furthermore, the court stated:
Fair use ``can play an important role in determining the lawful scope of a computer program copyright . . . It can help to distinguish among
technologies. It can distinguish between expressive and functional features
of computer code where those features are mixed. It can focus on the
legitimate need to provide incentives to produce copyrighted material while examining the extent to which yet further protection creates unrelated or illegitimate harms in other markets or to the development of other
products.''
In doing so, the decision underlined the real purpose of copyright: to incentivize innovation and creativity. When copyright does the opposite,
fair use provides an important safety valve.
Justice Breyer then turned to the specific fair use statutory
factors. Appropriately for a functional software copyright case, he first discussed the nature of the copyrighted work. The Java APIs are a ``user interface'' that allow users (here the developers of Android applications)
to ``manipulate and control'' task-performing computer programs. The Court observed that the declaring code of the Java APIs differs from other kinds
[continued in next message]