Cyber-security heating up on both sides of the Atlantic

In the US, another version of CISPA was reintroduced yesterday in the House of Representatives. The White House has also issued an executive order on the same topic. Similarly in Europe, the European Commission recently published two documents which articulate a strategy for cybersecurity – Cybersecurity Strategy of the European Union and the Proposed Directive on Network and Information Security. Info sharing programs to improve Internet security may be one of the most important global technology policy issues this year. We’re currently looking at these proposals to develop a view and understand if and how they may impact the Mozilla mission. If you would like to contribute to this effort, we welcome your participation.

Full post on the Mozilla privacy blog.

Windows EU Ballot Screen Technical Glitch

We’re encouraged by the European Commission’s efforts to ensure that users have meaningful browser choice in the Windows PC environment. The 2009 Commitments adopted by Microsoft were a foundational part of the remedy developed by the Commission to resolve Microsoft’s competition violations in EC countries. A key part of the remedy was Microsoft’s commitment to present the browser ballot screen to Windows users through vehicles like the Windows 7 Service Pack 1. Earlier this year, we learned that Microsoft failed to fully comply with the browser choice ballot screen obligation for nearly 15 months.

Most recently the EC sent a statement of objections to Microsoft for failing to include the browser-choice screen as promised. Our data suggests that the absence of the browser choice screen had the following impact:

  • Daily Firefox downloads decreased by 63% to a low of 20,000 just prior to the fix;
  • After the fix, Firefox downloads increased 150% to approximately 50,000 per day; and
  • Cumulatively 6 to 9 million Firefox browser downloads were lost during this period.

After accounting for the aggregate impact on all the browser vendors, it seems like this technical glitch decreased downloads and diminished the effectiveness of the remedy ordered in the 2009 Commitments.

Draft Framework for Policy Engagement – Why, When, and How

Over the past few years we’ve become more engaged in public policy issues driven by proposed legislative and regulatory actions that threaten core tenets of the open web. These threats are global in nature and manifest themselves in national legislative bodies, judicial venues, trade organizations, and international treaty setting bodies among others. After engaging in a number of policy issues such as SOPA, ACTA, DNT, jailbreaking, and further seeing a forecast of “more rain” we set out to craft a draft framework that could guide our approach on these issues.

The framework is not meant to be exhaustive nor be a detailed roadmap, but rather directional in nature. Hopefully it’s a level set and creates a common point of reference for our community. As time goes on, we’ll naturally iterate and develop the ideas further. At this point we want to test it, incorporate feedback, and see if the approach makes sense. Please add any comments to the governance thread here.

Some key assumptions that inform the framework are:
  • Tech policy can help or hurt the web
  • Key attributes of the open web need to be nurtured and protected
  • All tech policy issues are not the same
  • We can make a difference
  • The nature of the threat will dictate different kinds of responses
  • We remain a project that is primarily focused on building stuff
  • Don’t build what already exists

The framework reflects our current thinking and should answer key questions like:
  • What’s the goal? What are we trying to protect?
  • Can we make a difference?
  • Why do we get involved?
  • When do we get involved and when don’t we?
  • How do we engage?

If you want more color on some of these ideas, take a look at the presentations below where we have begun discussing the broader notions of threats to the open web.

* Open Forum Europe summit presentation by Mitchell Baker
* World Economic Forum presentation by Gary Kovacs
* FISL 2012 presentation “powerful v. empowered” by Harvey Anderson

FISL Talk “Powerful v. Empowered”

During the FISL12 conference last week, I had the opportunity to present a keynote entitled “Powerful v. Empowered – Threats to the Open Web.” The talk examines the threats, the drivers, and how we can make a difference. The prezo can be found here: FISL Prezo Final. The FISL community was pretty awesome. There’s something about their approach and perspective that had a delicate and thoughtful quality that was really impressive.

Preliminary Comments for Senate Commerce Committee Hearing on DNT

This Thursday, the US Senate Committee on Commerce, Science and Transportation is holding a hearing entitled “The Need for Privacy Protections: Is Self-Regulation Adequate?” Mozilla, along with several others, has been asked to comment at the hearing on the current state of: i) industry self-regulation; ii) Mozilla’s Do Not Track feature; and iii) the industry’s ability to provide consumers with adequate tools to protect their personal information online.

We’re planning to participate and provide comments based on our experience and perspective. We also posted the questions to governance for input.

In addition to core Mozilla messages about user choice, control, and transparency, the comments will include the following key points:

  • Industry self-regulation can work when it’s a multi-stakeholder process that reflects the views of all of the relevant parties involved in data transactions including users, developers, service providers, publishers, and the ad networks.
  • Non-voluntary regulatory measures are a last resort. They can introduce unintended consequences that can be harmful to a fragile web ecosystem. As a result we should be cautious in this regard and give voluntary industry efforts every chance to succeed before interceding with regulation.
  • The desire to predict and deliver content that appeals to users is a core driver behind efforts to collect and analyze data about us. This will only increase particularly with the inclusion of the mobile data graph. This is not inherently bad, and delivering content that users want, when they want it, is a good thing if it’s done transparently and in harmony with user intent.
  • Commerce is a vital and beneficial Internet activity. Enabling and maintaining economic ecosystems on the web is essential to a robust and healthy Internet. Commercial imperatives and user choice/control are not mutually exclusive. They can and must coexist through a combination of technical capabilities and user-centric business and data practices.
  • DNT requires cooperative efforts of service providers, ad networks, browsers, and other parts of the web ecosystem. We’re optimistic that the multi-stakeholder process ongoing at the W3C will result in a consensus on both the meaning of DNT and how websites should respond.
  • DNT is one method to give users a voice in how third parties collect, use, and track information about them. It’s not the only method, nor the be all and end all of the data and privacy relationship that exists between users and service providers.

We’re in the process of completing the comments now and will submit them in advance of the hearing on Wednesday.

Patent Matters – Don’t Hate the Player, Hate the Game

The recent acquisition of the Netscape/AOL patent portfolio reminded me that an update on Mozilla’s patent strategy is long overdue. This post is about what we’ve done and what we could/should do in the future.

As you may have seen, there’s been a lot of patent litigation activity lately. The Yahoo suit against Facebook is one of the most surprising – at least to me. And the US Supreme Court just recently weighed in to re-affirm a long held axiom of patent jurisprudence that laws of nature are not patentable subject matter, so the judiciary is getting more active as well.

What’s driving the increase of patent activity? There are numerous drivers in my view including increased competition in the mobile space, the desire for competitive advantage particularly if a company is struggling in the market, and demands for incremental license revenues. Invariably, patent portfolios become more attractive tools for revenue and market competition when a business is not doing well or threatened.

The traditional strategy has been for each company to develop the largest possible patent portfolio to act as a deterrent against potential plaintiffs. This is known as a defensive approach. Others make no such claim at all, and still others do a bit of both depending on the circumstances. For early stage companies and start-ups, patent rights may also be important. If the business fails in the market, IP rights may turn out to be the most valuable asset for investors.

I personally struggle with the effectiveness of “build a big patent pool” as a one size fits all approach. It may not work if you’re way behind in the game or even conflicted about software patents. Also, if done organically, it simply takes too long. In other settings it may however make perfect sense, especially with enough resources and sufficient inventive material that is relevant to your competitors. I got to do this for a few years in my first in-house counsel job working for Mitchell Baker long ago where I was tasked with creating the initial Netscape patent portfolio.

So far Mozilla has not adopted the traditional strategy. A while back we made an exception to file four patent applications on some novel digital audio and video compression codecs co-invented with a contributor at the time. We assigned those applications to xiph.org, a non-profit focused on open video and audio codecs. The assignment included a defensive patent provision which prevents the patent from being used offensively. One of those applications has been published for examination as part of the standard USPTO patent application process. We believe that these applications may help in standards settings so we could achieve a better open standard for audio codecs. For better or worse, in the standards bodies participants use their IP to influence the standards and without some leverage, you’re left only with moral and technical arguments. We’ll see if our theory plays out in the future.

We haven’t filed other applications yet, but I don’t think the past should necessarily dictate the future. I can imagine many places where inventive developments are occurring that have strategic value to the industry, and where we want those protocols, techniques, and designs to stay open and royalty-free to the extent they are essential parts of a robust web platform. Of course filing patent applications is one possible technique, but at those strategic intersections, I think we should entertain filing patent applications as one tool in our overall strategy.

In addition to patent filing strategies, there are other things we could do including:

  • Adopting techniques to constrain offensive use, like the Inventors Patent Assignment with defensive use terms proposed by Twitter today. (+1 for Ben and Amac at Twitter for this)
  • Building out a robust defensive publication program. IBM wrote the book on this, maybe it’s time to make source code publications work the same way.
  • Developing an ongoing working prior art system available for defendants. We worked on a version of this a few years back, but the urgent beat out the important and no progress has been made since then.
  • Pooling patents with other like minded groups into safe pro-web entities with defensive protections. The pools need to be relevant to competitive threats for this to have value in my view.
  • Creating other disincentives to the offensive use of patents (similar to the MPL defensive patent provision) but relevant to larger parts of the web.

Sometime mid-year, I’d like to have a broader discussion to brainstorm further and prioritize efforts. Nonetheless, I’m pretty confident that given the changing landscape and markets, we’ll need to play in this domain more significantly one way or the other.

Microsoft acquisition of Netscape/AOL patents

As reported in the news this week, Microsoft acquired some 800 patents from AOL for a billion dollars. A few people have asked what this means for Mozilla. At present, I don’t believe that the acquisition poses an immediate danger to Mozilla.

There are many possible motivations for the acquisition including reducing exposure, preventing others from obtaining the patents, increasing your portfolio size and quality, using them for cross-licensing, or even patent license programs. We’ll never know for sure, but viewing this acquisition in the broader context of the patent battle playing out across the tech sector, it makes sense for strategic reasons.

Certainly Google, Apple, and Microsoft are key competitors in this battle, and Google recently increased its portfolio size dramatically with the acquisition of 17,000 Motorola patents. Other players hold thousands of patents as well, topped out by IBM with 6,000+ new US patents in 2011 alone. Obtaining a huge chunk of patents and licenses in one move, saving time along the way, makes sense for broader reasons, and in this context it is hard to imagine it’s driven by anything related to Mozilla. Frankly, there are easier ways to influence the market without near the attention or the cost.

In this particular case, it would seem that the exposure is even lower because portions of the Mozilla code base are already licensed under some set of these patents. Early code contributions from Netscape to the Mozilla project came with patent licenses from Netscape/AOL via the Mozilla Public License. These licenses are still in play. For example, the first granted Netscape patent was for HTTPS as I recall. To the extent this is implemented in the Firefox browser or Thunderbird code bases by Netscape/AOL (and subsequently the Mozilla code base) patent grants would flow with the code under the MPL. The express MPL patent grant, which didn’t exist in other open source licenses at the time, finally sees its day.

Overall, while this acquisition is certainly surreal for many Mozilla folks that worked at Netscape including those who are inventors for some of the patents, I don’t view this as a threatening move in and of itself. Patent holders like Microsoft and Google are generally considered more predictable, subject to market and ecosystem pressures, and more often than not, targets of patent litigation themselves. That being said, Yahoo did sue Facebook, so conventional wisdom may no longer apply these days.

I believe the real threat is what ultimately happens with the patents. If Microsoft maintains ownership of the patents, on the margins, it is better than having them sold off piecemeal to non-practicing entities, often called IP trolls. If they end up in the wild, it’s not a good thing. We will need to watch this carefully.

It would be great to see Microsoft express its intentions in this regard or put some protections around the portfolio if it transfers the patents. This could alleviate many of the concerns raised by the transaction.

Comments supporting DMCA jailbreaking exemption

Every three years the US Copyright Office examines whether it will renew certain exemptions to the DMCA. In 2009 we submitted arguments supporting the EFF’s petition for the exemption of jailbreaking from the DMCA. The Copyright Office granted the exemption in 2010, which now expires at the end of 2012.

Although it seems a bit silly to have to do this every three years, we’re going to again file a brief supporting the exemption for jailbreaking, also known as “rooting.” EFF has more information here on the arguments and the process.

Based on feedback from developers around the Mozilla project, the brief will contend that rooting is important because it’s necessary to achieve competitive application performance on Android mobile platforms, to effectively debug applications, and for regression testing. In addition, it’s even more critical now as mobile devices surpass desktop, and Internet access increasingly comes from mobile platforms.

We plan to file our comments on Friday afternoon. If you have ideas or thoughts that could be incorporated in the brief, please let us know. Alternatively, you can file your own comments, or if your flavor is petitions go here.

SOPA – the Stop Online Piracy Act – Is It Really Dangerous?

Recently, the Stop Online Piracy Act, 112 HR 3261 (SOPA) was introduced as a bill in the US House of Representatives. This is the House companion to the Senate Protect-IP Act that drew considerable opposition from the tech and First Amendment quarters, so many of the issues remain the same. The intent of SOPA is to help combat online piracy. This is a laudable goal; however, the unintended consequences are scary for intermediaries, websites with user generated content, DNS providers, and those of us who rely on the Internet as a vibrant and rich communications network.

SOPA grants IP claimants a lot more power than they currently have to remove allegedly infringing content and expands the scope of people who may be liable by giving:

  • the Attorney General the power to compel companies that maintain DNS look-ups to change the tables, also known as domain name filtering. See analysis by Larry Downes.

The problem is that these are powerful remedies made available based upon unproven assertions and little due process. Imagine you’re a website operator: under SOPA you can get your PayPal payment processing services cut off merely because someone claimed there’s infringing content or apps on your site. Faced with that choice, it’s an easy decision: remove the content early and often just to be safe.

IP rights are certainly important and need to be respected on the Internet, and there is a very real piracy problem, but SOPA threatens an essential attribute of the Internet – its ability to easily share information without friction and permissions. This doesn’t mean that the Internet should be a lawless expanse void of law or consequences either. The challenge is that SOPA exposes intermediaries to undue financial and legal liability for content in a way that will undoubtedly chill the free flow of content and ideas embodied in both software and media. In addition, the language in the bill is ambiguous leaving it open to abuse by plaintiffs who have already demonstrated aggressive interpretations of the existing DMCA framework. This is why there is so much concern that SOPA represents a real and dangerous threat to the Internet.

Some describe this debate in polemic terms, as Hollywood vs. the Internet, where the Internet slowly becomes managed by dominant media interests. Others have focused on the deleterious impact on human rights. Perhaps Masterswitch writer Tim Wu would see this as part of a larger pattern of how open information ecosystems become closed over time. US House Representative Zoe Lofgren, representing voters in Silicon Valley, warns that this “would mean the end of the Internet as we know it.” It could also just be bad legislation.

If SOPA becomes law, few think it will actually solve the problem. For example, it seems clear that blocking domains is not an effective means to combat piracy because domains can be redirected so easily. A while back Homeland Security asked Mozilla to take down an add-on without a court order or a finding of liability. Under a SOPA regime, it appears the same incident would allow the putative plaintiffs to petition the Attorney General to issue an injunction compelling take-down based only on a specious claim of contributory infringement. Oddly SOPA makes one really appreciate the DMCA.

Many in the tech and policy communities are organizing to oppose SOPA. What’s most important is that Congress hears from everyone on this, whatever their view. Plus it’s Tuesday, November 8th (voting day), so let your voice be heard. If you want to let Congress know that you oppose the legislation, EFF and Public Knowledge have sites set up to easily send your message to Congress.

Additional links to the bill and other commentary can be found below.


Homeland Security Request to Take Down MafiaaFire Add-on

From time to time, we receive government requests for information, usually market information and occasionally subpoenas. Recently the US Department of Homeland Security contacted Mozilla and requested that we remove the MafiaaFire add-on. The ICE Homeland Security Investigations unit alleged that the add-on circumvented a seizure order DHS had obtained against a number of domain names. Mafiaafire, like several other similar add-ons already available through AMO, redirects the user from one domain name to another similar to a mail forwarding service. In this case, Mafiaafire redirects traffic from seized domains to other domains. Here the seized domain names allegedly were used to stream content protected by copyrights of professional sports franchises and other media concerns.

Our approach is to comply with valid court orders, warrants, and legal mandates, but in this case there was no such court order. Thus, to evaluate Homeland Security’s request, we asked them several questions similar to those below to understand the legal justification:

  • Have any courts determined that the Mafiaafire add-on is unlawful or illegal in any way? If so, on what basis? (Please provide any relevant rulings)
  • Is Mozilla legally obligated to disable the add-on or is this request based on other reasons? If other reasons, can you please specify.
  • Can you please provide a copy of the relevant seizure order upon which your request to Mozilla to take down the Mafiaafire add-on is based?

To date we’ve received no response from Homeland Security nor any court order.

One of the fundamental issues here is under what conditions do intermediaries accede to government requests that have a censorship effect and which may threaten the open Internet. Others have commented on these practices already. In this case, the underlying justification arises from content holders’ legitimate desire to combat piracy. The problem stems from the use of these government powers in service of private content holders when it can have unintended and harmful consequences. Long term, the challenge is to find better mechanisms that provide both real due process and transparency without infringing upon developer and user freedoms traditionally associated with the Internet. More to come.
