Wednesday, September 24, 2008

GikIII starts

The autumn equinox has past and a horde of geeks, quasi-lawyers and other wild animals have landed on the Oxford Internet Institute to spend two days talking and discussing the cutting-edge topics of law, technology, science fiction and alike that will be the discussion topics some years from now…yes, it is Gikii time. Once again, the coolest legal conference on earth is taking place and the participants and topics are as top-notch as ever…if you have one international conference to attend, this must be the one or risk keep tallking about yesterday news…you’ve been warned…

Monday, September 22, 2008

Blogger that posted ex-girlfriend’s porn photos jailed in Argentina

The Criminal Court N 1 of Bahia Blanca found a defendant guilty of attempted murder and criminal publication of pornographic images, for which sentenced him to five years in prison. The defendant took pornographic photos of his then girlfriend and published them on a blog in once the relation ended in November 2006. Then, in January 2007, the defendant rammed into the girls new boyfriend’s car when the girl was inside, forcing the car out of the road and to hit a lamppost. The three-judge panel found the defendant “criminally responsible for the divulgation of sexually explicit images” in addition to the attempted murder charges…

Sunday, September 21, 2008

Technology companies’ valuation, the credit crunch and keeping an eye on legal issues

There is an argument to be made that the “market value” of a company is some sort of fiction that transforms the whole stock-based valuation in a constant self-sustaining bubble. In the case of technology companies the situation is sometimes quite clear and easier to understand. If you take a company that has a market value of 128 billion dollars and gives a net profit of 4.83 billion dollars, forgetting the business that is buying and selling the stock, you would be crazy to spend such a huge amount of money to get 3.77% annual return. But the market value of the company represents the value that investors are willing to pay with the expectation that the value will increase (quite more than 3.77%) and sell it at a profit. And, as far as the company has a proper business model and some profits that allow it to expand and recruit the best talents, the market value is justified because other people will want to buy the stocks too and the original buyer will see the price of his/her stocks raising, so, while to use 128 billion dollars to buy Google and live out of its net profits would be crazy, to use several thousands, millions or billions to buy its stock is not crazy and it may even be advisable. It is easy to use the example of Google because it has a clear business model that deliver profits consistently and because has not given any reasons to investors to doubt about the future value of their stock, but the idea of the expectations-bubble applies to most technology companies and not all may have the same solidity. Sometimes their business model is good and solid and some even have products to sell and some “hardware” that make part of their valuation, but not paying proper attention to legal issues, even those looking small, may prove fatal.

The issue of the relation between companies’ valuation and legal issues refers to institutional investors, hedge funds and other financial-world wild-animals. Those investors normally use other-people’s money and, although there are big disclaimers telling to that “other-people” that the value of the investment may go either up or down, when it goes down pronouncedly the real owners of the money start to ask questions, and when the losses are substantial (big, huge), those owners are willing to (and normally do) go to court to recover some of the losses they have suffered, allegedly due to the lack of care of the investors. During credit crunches and stock markets meltdowns that type of lawsuits become far too common, which make institutional investors to run away from any stock belonging to a company that even smell of having a legal problem, not because that stock in particular would be the cause of the losses in the portfolio (the losses may be purely due to market conditions and unrelated to the stocks in the fund) but because once the losses have accrued the owners of the money would look for any potential pitfall to take the fund’s administrators to court. Accordingly, the impact that a legal issue may have on the valuation of a company does not relate to the monetary value of the damages that the company may have to pay in case of loosing a lawsuit, but it relates to investors shying away from it due to their need to be protected in case of lawsuits. Thus, in uncertain markets funds administrator give (or should give) as much importance to the analysis of the legal issues surrounding their investments as they give to the financial and economic ones, and become very conservative.

In that context, it seems surprising when big, prestigious and good companies rush products to the market creating the possibility of putting themselves in situations that, due to the particular characteristics of their market valuation and the current financial environment, can hurt them in a way that no product-launch delay could and, on top of that, to not take proper measures to ensure that, if a problem occurs, the situation can be controlled and isolated promptly.

From the past 16 August the new Blackberry Bold is available in UK. Having had Blackberry for a while and having the mobile provider that introduced it to the market, I got mine on August 17th (I did have the machine on the 16th but due to certain issues with the provider they were not able to register it until the 17th). The phone is probably the best thing in the market and for business users the phrase stands without the “probably”. So, it was obviously visible that I was excited of having one in my hands…until things started to happen. The fact that the phone freezes many times without reason and that it fails to check automatically for signal quite often (you are underground without signal and when you go over ground the phone does not check for signal, so you have no signal until you turn it off and on) and things like that are not relevant to this post, so I’ll concentrate into the problems with the battery. Few days after start using the phone, I noticed that the battery life was quite short, even without using it, but I did not worry much until one day while teaching I felt something really hot inside my suit’s internal pocket, which was my phone. I turned the phone off and after the class I turned it on again assuming that it was related to some application not closing properly. Next day, after a full night of charge my battery died near the end of the afternoon and it was warm most of the day. Finally, the following day, and again after a full night of charging, the battery was burning hot for the whole morning until it went flat at noon (four hours after disconnecting it from the charger). With the exception of Toyota or Rolls Royce, lemons do exist in any industry, so I did not worry much and tried to contact the people of Blackberry to see whether it was a known issue and there I had to surprises: the first was that all those issues were the ones perfectly identified in trials and that had delayed the launch; and the second was that I had no way to contact Blackberry directly. The next day I went to my mobile service provider and when I told what had happened, they very promptly replaced the faulty device. So, that should be the end of the story, but it brings us back to the valuation, the credit crunch and legal issues.

Leaving apart the issues with the performance of the phone itself, the battery issue is not a minor one. Batteries not only get discharged early, but they also catch fire and explode, so you would imagine that if you put a new product in the market you are going to make sure that things like that cannot happen and, also, to have in place some sort of early warning system and costumer service to avoid any serious consequence of a failure, which through the mechanism briefly described before can have a severe impact on the valuation and access to finance of your company…delaying a product could be costly but facing a lawsuit for product liability in times of the crunch can cost far far more, so companies that depend on expectation to keep their valuation steady, like most technological companies, in this uncertain times should pay more attention to the lawyers than the financiers and marketers to keep their finances healthy.

Monday, September 08, 2008

Caring about cybersecurity or preparing the ground for an I-Patriot Act?

Few months ago in a talk given at the Institution of Engineering and Technology (very cool place) organised here in London by the Society for Computers and Law, Professor Lessig recounted a conversation he had with former US Counter Terrorism Czar Richard Clarke, where Larry asked the question that many had in the US Government managed to conceptualize, design and draft a piece of legislation as vast and complex as the USA PATRIOT Act in such a short period of time (a month and 15 days after 9/11), and the answer was what many people had imagined: that the act was ready in some desk’s drawer at the US Department of Justice from long before, just waiting for the action that would justify its implementation and that the attacks of September 11 gave that justification. Following that, Larry asked whether there was an I-Patriot Act dealing with Internet issues also ready and waiting for an action that justified its implementation and the answer was yes. However, since such an action is unlikely to happen in the way that would create the outrage necessary for people giving up privacy, data protection, 1st and 4th amendment rights, it seems that once in a while there are news created to instil, slowly and by stealth, the same level of fear that would justify the creation of such a law. Today, while scouting through technology news I’ve found a piece that fits exactly that profile.
Most of what the article says is true, but the combination and inferences may represent a “little” of overstretching to create the sensation that the US is in clear and present danger (the test created by the US Supreme Court in Near v Minnesota to justify the suppression of certain 1st Amendment rights)…
The first thing that one needs to take into account when reading/analysing articles like that is that those interviewed and giving their expert opinions have a vested interest in the matter. Some own Internet security companies that would benefit from an expansion in Internet security budgets, others are Internet security researchers who have to compete for research funds or justify those that already have been received. Of course, that doesn’t imply that they are wrong or they have any bad intentions; it should just lead us to ask for the facts that back up their assertions and to not take opinions by their face value (even if they are probably right).
Once that issue has been properly understood, it is necessary to dissect the arguments put forward to separate the wheat from the chaff, since it is true that cyberterrorism can cause havoc in a way that no plane or combination of them can, but it is not true that because something has happened in Georgia the same would happen in the US and, even if it did, it is not true that those are the actions to fear.
The story begins referring to some distributed denial of service attacks and some defacing directed to some Georgia’s government websites, to quickly link that to the US and the catastrophic consequences that such actions would have in the US…well, yes, denial of service attacks (specially distributed denial of service attacks that involve spoofing and/or smurfing) can cause damage and are a huge annoyance, but they can be controlled by a series of measures that, in the case of the US government, are supposed to be already in place (for example, I pay few pounds per month for my hosting and the measures to neutralize/limit the impact of at DdoS are supposed to be already in place in the hosting company). So, not much of Die Hard VI scenario there…but cyberterrorism could be nasty and very. In the mentioned Die Hard IV you can find some solutions to protect the critical national infrastructure from a cyberattack, like having the need of physical presence to modify certain features of power plants and the likes. Here, once again, the solution is regulation and making compulsory that companies dealing with resources deemed to be critical comply with some cyberterrorism protection scheme and that, instead of using resources to see who is downloading whose song, ISPs are put in charge of monitoring the existence of good practices within their users. However, there is no measure that can be effective if those in charge of the operation of the systems are not properly trained. The case of the English hacker mentioned few days ago gave place to some jurisdiction talk, but it was also the child poster of IT ineptitude: according with his original declaration, he entered into NASA and military computers by creating a very simple bot that looked for passwords that had been left blank (yes, a blank, empty password in NASA and the military, which means that you only need to hit enter to be inside)…so, not much hope of having grannies to deal with IT security if those in charge of securing the most powerful country in the planet leave the passwords of their systems blank (the most basic form of security). But this takes us to the grannies…
One of the central issues in Internet security is that the Net will not be secure enough until most, if not all, computers are also secure, which, taking into account that there are many people without the necessary knowledge to keep a system secure, implies that :
1) the computers by default must run safe and secure software
2) the software mustbe properly updated
3) everyone must have proper antivirus software
4) the antivirus must be always up to date
The first issue hits the wall when we realize that most computers in the world run software that is not very secure and that, every time that software developers/producers have been tried to be held responsible for their bad code, courts have ruled that due to the complexity of software it is expected that they would have mistakes and bugs…
The second, third and fourth issues interlink with developments in IP rights, their enforcement and the lack of coherence by many (most) governments in that respect (specially in developed countries and particularly the US). It is no secret that in many countries most computers run on software that has been copied, most times by the vendor, without acquiring the corresponding licence from the software producer. It is also publicly known that in order to counteract that trend, software producers have restricted to almost zero the updates available for those running non-official software, which leave them with the vulnerabilities that those pieces of software have had since they were originally made and that are later been discovered along the use of them. It is from those computers not running properly updated software that most attacks are perpetrated, without the owner being aware of it. So, you would imagine that, in a situation where governments are willing to trample over their own citizens constitutional rights to protect it national security , they would also be willing to interfere with the profits of these very large corporations (which are having profits reaching the obscene anyway) and make sure that the whole planet is running up-to-date and safe software in order to guarantee the safety of its citizens. However, while contending that the security of the nation is so important that 1st and/or 4th amendment rights can be set apart when needed, the US government also keeps pressing for stronger IP protection and enforcement around the world, which allows those same companies that produce faulty/unsafe software to not update it when in presence of a copy not complying with their licences (which have prices representing in some cases a sum representing almost the annual median income of some developing countries' families).
The solution could be found in having a global security standard for software security while having a multi-tiered Intellectual Property regime, where the level of IP protection relates to the level of development of a country and thus allowing updates on non-official software in developing countries , so the cyberterrorists have less, or none, unprotected computers where to prey on. This option could look like too interventionist and could be seeing as proposing that the governments and not the market make decisions about companies profits, but if that is the case, so be it: if when things go wrong the losses of huge corporations have to be paid and shared by the societies through their governments in order to prevent alleged bigger damage, it is only fair that the profits are also decided and shared by the society through their governments, specially if we take into account that we are not talking about preventing some market meltdown (although in my college years' textbook said correction of past excesses) but the security of whole nations…

Saturday, September 06, 2008

The end of the world and the Large Hadron Collider lawsuits: protecting us all, technophobia, or something else

Next week the CERN’s Large Hadron Collider will be switched on and there are those who believe that the action will trigger a sequence of events leading to the end of the world…yeap, as you read it, the end of the world. The scientific explanation is quite difficult and we need to be aware that we are dealing with some of the most complex and theoretical discussions in the world of physics, but there are those that have thought that their concerns have certain scientific entity and that the switching on has to be stopped until they are properly addressed…and they have gone to court to try to stop it.

A brief, and probably not entirely correct, summary of the facts is that:

1) The Large Hadron Collider (LHC) is

a gigantic scientific instrument near Geneva, where it spans the border between Switzerland and France about 100 m underground. It is a particle accelerator used by physicists to study the smallest known particles – the fundamental building blocks of all things. It will revolutionise our understanding, from the minuscule world deep within atoms to the vastness of the Universe.

Two beams of subatomic particles called 'hadrons' – either protons or lead ions – will travel in opposite directions inside the circular accelerator, gaining energy with every lap. Physicists will use the LHC to recreate the conditions just after the Big Bang, by colliding the two beams head-on at very high energy. Teams of physicists from around the world will analyse the particles created in the collisions using special detectors in a number of experiments dedicated to the LHC.

2) Nobody knows for sure what is going to happen (off course there are several theories that are being tested)

3) One of the sub products could be small black holes (tiny, mini, minuscule)

4) after that, most scientists (by most here I mean almost everyone in the planet) believe that, if these black holes happen to exist, they would “disappear” due to a series of very complicated reasons or, if they stay, it would take them several billion years before they grow to “eat” the earth

5) A quite small number of scientists (allegedly 1 or 2 or the groups surrounding them), believes that this black holes would grow and fast, so they would end eating the earth in 50 months and, although the probability is not easily quantified, the gravity of the potential result deserves to put the experiment on hold until a proper discussion takes places within the scientific community

6) Their concerns where addressed by CERN and dismissed

7) Two lawsuits were initiated, one in the European Court of Human Rights and other in the US Federal District Court in Honolulu. The first sought an emergency injunction based on the experiment violating the right to life of European citizens and pose a threat to the rule of law, and the second tried to force the U.S. government to withdraw its participation in the experiment. It is important to note that the European Court of Human Rights rejected the request for the injunction but will hear the case (after the experiment has started) and that the US case is pending.

Are we here in front of yet another group of technophobes trying to stop science? Are most scientists of the planet wrong while a group of them (mainly from Germany and Austria) are right? Is this another battle of egos, like the one seen at the Fifth Solvay Conference in Brussels? At least here we know that in few days we may know who is right (and can actually solve some of the discussions held in Brussels in 1927).

The legal issues are probably more straightforward than those seeking injunctions would like. The first of them is, as always, a question of jurisdiction. It is probably self-evident that the US Federal District Court in Honolulu has no jurisdiction over the CERN, which is based in Switzerland, unless the scientific/lawyer that presented the lawsuit had claimed that a crime against humanity might be committed, what would kick in the universality nexus accepted for those types of crimes (although the theory may not have a lot of adepts in Washington lately). Unfortunately, that type of jurisdiction would need the crime to be committed first, so it could be used only after we are all been devoured by an always growing black hole. So, its best shot is to stop US government participation, which would transform it in a lawsuit so meaningless as to almost constitute an abuse of process. If what the lawsuit alleges is really true, the lack of participation of the US government would not stop the end of the world, and if the experiment cannot cause such scenario, the lawsuit has not merits and is, at best, a frivolous one.

The European one deserves more attention, not only for the alleged breach of the European Convention of Human Rights, but also because the Court accepted the suit. The Court clearly states that in order to lodge an application the applicant has to have been directly and personally victim of the alleged violation of one of the rights protected by the European Convention of Humans Rights and in the present case, leaving apart that the violation only exists in the realm of very theoretical physics, the rights of the applicant have not been violated yet. It is true that in exceptional cases the court would grant interim measures when there is a serious risk of physical harm, but in this case, since the interim measure has been rejected it is fair to imply that there is no case at all (if there is risk of physical harm the interim measure should have been approved, if not, since the violation to the right has not occurred, there is no case at all). Regarding the issue of jurisdiction, the Court has jurisdiction over violations to the ECHR committed by Council of Europe's member states and all CERN members are also members of the ECHR, but the jurisdiction over the CERN itself, needs to be properly asserted.

On the subject matter of the suit, it could be argued that the answer is not as esoteric as one may think. Even here in UK Human Rights legislation has not have good press and the European Court of Human Rights is seen here as been quite soft and pro-applicant, in order to persuade the Court that a violation of the Convention has occurred the applicant has to produce a large amount of evidence and it is normally understood that, due to the high standard of proof to be met, when the effects of an action are not straightforward or not yet understood by scientists, the circumstantial or theoretical evidence would normally not suffice to find a violation to the ECHR. Here we are dealing with a purely theoretical situation and one where most scientists of the planet disagree with the observations made by the applicant. So, why did the Court take the case while dismissing others where the violation seemed more straightforward (like the distubing Thiermann and Others v. Norway)? We may never know, but by dismissing the interim measure and accepting to have a full hearing later the judges seem to make clear that they belong to the large group of those related to law that think that technology is inherently evil or that they also believe that there is no case to be heard but they leave the door open just in case something goes really wrong (but they shouldn’t care much in that case because in that situation we will have no much time to blame them).

Some may argue that as most legal decisions this one also has to address the issue of proportionality, so you ponder the requested measure, with the probability of the damage to occur and the gravity of the damage. In that case, and taking into account that here the resulting damage would imply the end of the world (having infinite value), you may be inclined to think that regardless how low the probability of that to happen, any measure would be justified. The problem is that if in one side of the equation we have infinite the only way of not having a very large value as result is having 0 in the other, which would translate into that the experiment shouldn’t be carried out unless there is absolute certainty that the risk is 0 and, if that is the standard of proof, that experiment and many others would never exist (to the argument that this case is different because the existence of the world is at stake, one may easily answer that no medicine would exist either because, even highly improbable, there is no 100% certainty that a modified virus cannot mutate and start a humanity-wiping pandemic). Had the court accepted that being the risk so big the experiment should have been stopped regardless the probability of the damage occurring, it would have created the dangerous precedent that any time somebody wanted to stop something it would only have to claim the existence of the risk of a great damage, without reference to the certainty of the materialization of that risk.

In any case, next Wednesday the experiment will start and we will have many scientific answers and, probably, two lawsuits less to care about (the battle in the press and in Wikipedia between those pro and against LHC deserve other post)

Tuesday, September 02, 2008

New portal on cybercrime for Latin America

A new portal dealing with cybercrime was launched yesterday and its yesterday’s press release reads (own translation):

Today has been officially launched the portal, which has as principal mission to provide a practical and
useful tool with current and specialized information in the fields of law and
public policy tending to create and encourage a culture of information,
education and prevention in the fight against cybercrime in Latin America [yes,
sentences in Spanish are that long and have many ideas in them…].
Ciberdelincuencia. org is a non-for-profit portal partially financed through
donations from two non-for-profit organizations: the Internet Society (ISOC) and
the North American Consumer Project on Electronic Commercer (NACPEC), and other
private donations.

The portal is in Spanish and it represents an initiative that deserves to be praised and welcomed.