iVirus: Proof of Popularity

So another virus was detected recently that is targeting iPhone users that have jailbroken their phones without changing the default SSH password (see article).  Back in the good old days, Mac users would go: “100,000 viruses for Microsoft, 2 for Mac.”  Now, the numbers are more like: “100,000 viruses for Microsoft, 2 for Mac, and 3 for jailbroken iPhones.”  Look out Microsoft, Apple is catching up!  Well, not quite yet (at least not yet on the virus popularity scale).  But, the fact that there are viruses being written for the iPhone is evidence that the iPhone is getting more popular as there is a relationship between widespread adoption and virus activity.  It goes hand in hand with another rule of thumb: the more widespread use a computer device enjoys, the less secure it is.

So, to all you iPhone users out there who have jailbroken your phone – change your SSH password!

Google’s Not the Only Online Book Deal

The academics have been working on digitizing their book collections with Google’s help.  (See Article here)  I suspect that, in spite of the fact that Google is ahead of the pack in total books digitized today, there may be a fair number of other groups that get together to digitize collections down the road, and as new books are written and published, most will be available electronically anyway.

In spite of the Copyright Office’s current objections to the original Google book deal, my bet is that the market in the future will push changes in how copyright ownership is managed, or perhaps streamline the management of these interests (for example, by requiring a statutory fee for access payable to the copyright owner).

Are You Smarter than Your Computer?

The answer appears to still be yes (even if you sometimes don’t feel that way) – see article here.  The folks at IBM have been working on simulating part of a cat’s brain with their supercomputer, and it takes a whole lot of processors to do that – almost 145,000 altogether.

“Sentient” computers are not expected soon, and the simulation that IBM put on did not result in the massive supercomputer licking itself or chasing mice, but these kinds of advances will likely lead to more sophisticated infrastructure management systems for air traffic control, weather forecasting, traffic management, and perhaps information security systems.  We take for granted the number of computer systems that surround us today.  For example, your car probably has well over 12 processors that handle a number of tasks for you, from monitoring your tire pressure to helping you get from point A to point B.  Traffic lights, power grids, newer street signs and billboards – many of these are managed by increasingly sophisticated information systems.

And there is more to come, if Mr. Moore has anything to say about it.

Psystar’s Star Dims a Bit

Psystar and Apple have been in a tech law tango based on Apple’s allegations that Psystar violated the end user licensing agreement when it started releasing the OS X operating system on non-Apple manufactured clone computers.  The federal court ruled in favor of Apple on its claims on a motion for summary judgment.  (See article here)  (You can find a copy of the judge’s decision here)

The Court’s decision to grant summary judgment for Apple is primarily based on Apple’s copyright infringement claims against Psystar.  The Court addresses the exclusive reproduction, distribution, and preparation of derivative work rights under the Copyright Act that are exclusive to Apple.  Apple alleged that Psystar, by taking a copy of OS X, modifying it so that it would boot on a non-Apple made computer, and selling that modified work to the public, had violated Apple’s copyright in OS X.  The Court examines the possibility of a section 117 defense under the Copyright Act, which does grant the owner of a copy of a copyrighted work a limited right to make an additional copy or adaptation of the work.  17 U.S.C. § 117(a).  There are two possibilities under section 117: a copy of the work is made as an “essential step” in using the computer program, or the copy is made for archival purposes.

The Court held that Psystar had essentially waived this defense by not timely raising it.  In any case, Psystar had been making a lot more than a single copy of OS X when it cloned its modified copy of the operating system and installed it on computers that Psystar offered for sale to the public.  The language in section 117 is more geared toward those of us consumers who might make a backup copy of our OS X disk, or back up the operating system to our Time Machines in the event of a failure of our prized MacBooks.

The Court briefly addresses section 107, fair use, noting only that Psystar doesn’t attempt to justify its use as a “fair use” under section 107.  Most likely, that Psystar offered a copy of OS X for sale with its computers without paying the “customary” licensing price to Apple would have doomed such a defense anyway under the first element of this test.

Psystar then raised the first sale doctrine as a defense, under section 109.  Under this section, I have the right to resell a copyrighted work I have purchased to the general public, without responsibility to the copyright owner (for example, to resell at a set price).  So, if I were to buy a legitimate copy of Snow Leopard for $100, and offer it on ebay for $50, I have that right under section 109.  The Court found that Psystar was not doing this at all in modifying OS X and then selling this modified copy on computers to which it was installed.  Section 109 does not really help Psystar.

The Court next addressed whether Psystar was creating a derivative work of OS X, by modifying certain operating system files so that OS X would load onto a non-Apple manufactured computer.  Psystar tries to assert that because it did not modify the kernel of OS X, only the bootloader file and certain kernel extensions (disabling Apple extensions and adding its own extensions for the software to run on non-Apple hardware), it had not created a derivative work.  Again, the Court sides with Apple.  Even the modification of such humble files is the preparation of a derivative work, which was unauthorized under the Copyright Act.

Psystar also alleged that Apple was misusing its copyright.  This doctrine addresses a copyright holder who attempts to leverage his limited copyright monopoly to control areas outside of the monopoly.  For example, if I write blog software, and license it under an agreement that requires that you never write blog software, I am misusing my copyright in the work.  I don’t have the right to prevent you from writing a competing software package.

Psystar is arguing that Apple is unfairly limiting where its operating system can be installed, which is perhaps anti-competitive.  Unlike Windows, which can run on a broad range of hardware that Microsoft does not manufacture, Apple limits OS X to Apple-made hardware.  Psystar is essentially arguing that Apple should do what Microsoft does with its operating system, to allow for competition.  The Court sided with Apple on this argument as well, reasoning that Apple was only trying to control the subject matter of its copyright – the software itself.  I don’t think the Court was persuaded that Apple must license its software as others have in the market.  Apple may also have a legitimate reason for controlling the hardware on which the software is operated, given the drivers mess that is created with most Microsoft operating system releases.  Older versions of Linux also struggled with this problem, in spite of the many volunteer developers who write drivers for the Linux system in its many flavors.

iPhone Virus – Aiiiiieeeeeeeeeeee!!!!

Yahoo reported today that a virus that infects jailbroken iPhones has been released into the wild.  (See story here)  Apparently the worm will change your phone’s wallpaper.  In order to be infected, you must be running SSH and have left the default password on the service.  I’d expect more of these kinds of viruses as smart phones get smarter and more distributed.
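Both of the iPhone worm items above come down to the same two weak SSH settings: password logins left on (with the default password never changed) and root allowed to log in directly.  The script below is an added example, not code from the original post, that audits an OpenSSH sshd_config for those settings; the two config texts it contains are constructed samples, not taken from any real phone, and the permissive fallbacks it assumes for absent directives (PasswordAuthentication and PermitRootLogin treated as “yes”) reflect the OpenSSH releases of that era.

```python
"""Audit an OpenSSH sshd_config for the settings that let a default-password
worm log in: password authentication and direct root login.
Added example; the sample configs are constructed, not from a real device."""
import re
import sys

# Fallback values assumed when a directive is absent.  Older OpenSSH releases
# defaulted both PasswordAuthentication and PermitRootLogin to "yes"; newer
# ones default PermitRootLogin to "prohibit-password".  Assumption for this audit.
ASSUMED_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {directive_in_lowercase: value} for the global section.
    Like sshd, the first occurrence of a directive wins; comments and blank
    lines are ignored; parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().strip('"')
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the
    three checks pass."""
    s = {**ASSUMED_DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if s["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: a default or guessable "
                        "password is all a worm needs to log in")
    if s["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly "
                        "(with a password, if passwords are enabled)")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication disabled: no stronger "
                        "alternative to passwords is available")
    return findings


# Constructed sample: the state a freshly jailbroken phone is described as being in.
WEAK_CONFIG = """# constructed sample, not from a real phone
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: password logins off, keys only, no direct root password login.
HARDENED_CONFIG = """# constructed sample
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication = no   # "=" form is accepted by sshd too
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    # Usage: python audit_sshd.py /etc/ssh/sshd_config  (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit_sshd_config(text) or ["no findings"]:
        print("-", finding)
```

Changing the password, as the post says, closes the hole the worm used; the hardened sample goes one step further by turning password logins off entirely, so that a default password becomes irrelevant.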

Apple Moves to iTouch for in-Store Checkout

Wired reported today that Apple’s stores will be moving to use the iTouch for roving checkout instead of the existing Windows CE-based devices in use today.  I linked to this story in part for the entertaining Wired reader comments, particularly those from the partisans of Apple and Windows who continue the division between the companies.  Besides the entertainment value, this circumstance identifies two interesting themes: first, Apple and Microsoft have worked together and continue to innovate within the same, larger technology market (and neither is the consistent leader of the other as a result), and second, Apple gave the Windows CE devices a valiant try and elected to improve the process based on staff input (which is what healthy companies should do, even if it means using the competition’s products to do it).

As to the former, Apple was not the first to have stores where people could come to buy their technology products.  Gateway (remember them?) had stores throughout the U.S. in its heyday to sell its brand of personal computers.  Gateway ultimately went under and was replaced by other vendors like Dell and HP (who notably do not have in-person stores).  Apple added a twist to their stores, by also providing a walk-in help desk (the “genius bar” staffed by your kids who know way more than you about computers), and later, by implementing roaming check out staff with wireless credit card terminals.  And, if you have ever been to the Apple store in New York City, they also have some cool architecture (a glass building with most of the store underground, utilizing the natural light from the outside to expand the space downstairs).


This year, Microsoft started its own line of stores, having recruited former Apple staff to open them.  Microsoft originally licensed Apple’s initial graphical user interface for its own Windows 1.0, and then later expanded and changed the interface over the last 25 years into the interface we have today in Windows 7.   On the other hand, Microsoft has led (because of enormous market pressure) in improving the security of its operating systems.  Apple still does not have the kinds of business enterprise products that Microsoft has developed over the years, like SQL Server and Exchange.  And one might argue that Microsoft’s Office Suite is still the better product compared to the tools that Apple has developed, like Numbers (though I do use and like Apple’s Keynote for presentations, but PowerPoint has been around for far longer).

As to the performance improvement issue, I think Apple is right on to try something out (they have been using these Windows CE devices for over a year at their Towson store), and then see how they can improve them.  My observation of these in the store was that they did need to be rebooted regularly and could be unreliable – especially when Apple first released the iPhone 3G.  Whether Apple employees would hate on these just because they weren’t Apple (as one commentator on the Wired story suggested) is anyone’s guess.  My opinion is that the employees had to use them every day, and were in the best position to say if they worked or not.  Good for Apple to actually ask for input rather than just make a management decision at a conference table.

Windows 7 Upgrade from XP

My dad emailed me over the weekend and asked if I would help with upgrading their PC to Windows 7.  Being the family geek squad, I of course obliged.  My parents are late-adopters of computers.  I am proud to say, however, that they both use email, and they also use software on their computer to keep track of their finances.  In recent months they even began using a digital camera and downloading their photos to their PC.  Unfortunately, they have also fallen victim to a number of virus infections in recent months, in spite of the anti-virus software and their own best efforts to keep their PC working properly.

Being an adventurous techie, I thought I might learn something about the upgrade to Windows 7 and help them out.  There is no direct upgrade path for Windows XP users to Windows 7.  I guess Microsoft was punishing users who refused to self-flagellate with Vista; Vista has engendered plenty of complaints from users of all sorts since it was released by Microsoft, and I doubt my parents would have been happy using it either.  Windows 7, however, does appear to be an improvement on Vista, and seems to be at least as reliable as XP.

Without a direct upgrade, your only real option is to install Windows 7 fresh on the PC, after backing up your data, and then reinstall your applications.  So, be sure you have all the original disks and license keys for the software you need before you start.

Windows 7 also no longer includes Outlook Express (which my parents were using for email), so my dad bought a copy of Outlook 2007.  I’ve never been a big fan of Outlook Express, and my guess is that an email virus was the source of their problems with the PC this year.  Outlook is a more complete application, though it is still susceptible to viruses in email, so we also re-installed the latest version of McAfee to the new computer.

Their PC has but 512 MB of RAM, which was way less than what Vista required to run properly, but is ok for Windows 7.  I may buy them some more RAM to help speed things up a bit, but my guess is that they will not notice much of a difference when just using Outlook or Internet Explorer.

We did run into a problem initially with the proper video driver loading for their Dell Dimension 3000 (for which there are no Windows 7 drivers available from Dell).  However, I was able to get it to use the XP drivers and the display worked properly.  The initial reboot also returned us to a black screen with the mouse cursor and nothing more; however, on the third reboot, the system did boot properly into Windows without a long wait.  My guess is that the initial install was still configuring when we thought we had arrived at the BSOD.  Other users have reported some upgrade problems with the Windows 7 installation, but ours went relatively smoothly.  (See Yahoo Article here)

The printer, however, would not print when I left 5 1/2 hours after starting this odyssey.  My guess is that an updated driver is required for it.  All in all, however, things went relatively smoothly, which is unusual for these kinds of upgrades.  We’ll see if I get any desperate calls for help this week!

Seeing Red

The Federal Trade Commission (FTC) promulgated regulations to help reduce consumer identity theft back in 2007, with implementation of these rules for “creditors” and national banks to begin in 2008 (and then 2009, now November 1, 2009 for certain kinds of creditors).  (See the Red Flags Rule here)

Identity theft is a real problem for people of all sorts (approximately 10 million people fall victim to this kind of fraud at a loss of around $50 billion each year).  As a result, the FTC has interpreted the term “creditor” more broadly than the kinds of businesses we tend to think of, like credit card companies.  (See FTC FAQ)  According to the FTC, a creditor includes anyone that provides a service now and accepts payment later.  Lawyers routinely do that, as do health care providers, department stores with lay-away plans, and other service professionals (except maybe your mechanic who won’t give you your car until you pay for the service).  Because of the broad application of the rule by the FTC, the lawyers decided to sue the FTC to force an interpretation of the Red Flags Rule to exclude, you guessed it, lawyers.  (See the ABA Release here)

As a practical matter, federal courts generally will defer to administrative agency interpretations of their own regulations under the Chevron doctrine.  Every so often, courts will overturn an administrative agency’s interpretation, but the odds are low.  (See Massachusetts v. E.P.A., 549 U.S. 497 (2007)).  The ABA’s odds of getting a decision in its favor are probably about average, and in any case a win for the ABA won’t help other kinds of professionals that accept payments from customers over time.  And for lawyers, as no decision is expected before the latest compliance deadline of November 1, 2009, we find ourselves all in the same boat of needing to comply with the Rules.

Section 681.2 requires that covered organizations (a) identify accounts periodically that may be covered accounts within the rules, (b) develop a program for identifying accounts that “is designed to detect, prevent, and mitigate identity theft,” and (c) administer the program by seeking Board approval of the policy, training staff, and monitoring the program over time to ensure that it is overseen properly.   16 C.F.R. § 681.2(c)-(e).  The program must be in writing, and must be reasonable in relation to the size of the organization implementing it.

The Appendix to section 681 provides some guidelines for covered organizations in formulating their Red Flags Program.

The Red Flag Rules also require that creditors establish a written policy that outlines how the organization will comply with the rules.  For health care providers looking for a sample policy for compliance, the AMA has published one on its web site here.  The FTC has also published a document for creditors who are probably at low risk for identity theft here, which may likely include many solo and small law firms.

Once you have appropriately assessed your risks and written a plan, the plan must be approved by the ownership of your organization.  For solo and small firm attorneys who are already chief cook and bottle washer, that means you.  Larger corporations that have a board of directors will need to take board action to approve and be involved in the organization’s compliance with its program.

The guidelines emphasize that a creditor should exercise reasonable care to protect its covered consumer accounts from theft or unauthorized access.  Implicitly, this means that a covered organization should have appropriate data security systems in place that protect the organization’s data from loss, unauthorized access, or theft.  Health care providers should already be compliant, as they have been required to comply with the HIPAA security regulations since 2003.  These regulations require regular technical risk assessments, mitigation plans, access control mechanisms, and data backup plans (among other requirements in the rules – See 45 C.F.R. § 164 et seq.).

Lawyers, however, may not have had the pleasure of complying with these rules (unless of course you are a business associate to a covered entity and are now, under the ARRA, required to fully comply with the HIPAA security regulations next year that already apply to covered entities).  For example, if an attorney accepts payments for services through a web site, the attorney should evaluate the risk of identity theft from the site and take appropriate steps to mitigate those risks, such as ensuring she is using a current SSL certificate to encrypt communications with the client, not storing credit card numbers in a database that can be accessed from the internet, and appropriately maintaining the server that houses the web site to ensure it is patched for known security risks and has appropriate anti-virus software.
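The first of the mitigations above, “ensuring she is using a current SSL certificate,” is the one that quietly lapses: certificates expire, and a client-facing payment page with an expired or mismatched certificate trains clients to click through warnings.  The script below is an added example, not part of the original post, that checks a server certificate’s validity window and hostname coverage.  The certificate dict it ships with is constructed in the shape Python’s `ssl` module returns from `getpeercert()`; the hostname, dates and 30-day warning threshold are assumptions for the example.

```python
"""Check a TLS certificate's validity period and hostname coverage.
Added example; SAMPLE_CERT is constructed, not a real certificate."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed dict in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "billing.example-firm.test"),),),
    "subjectAltName": (("DNS", "billing.example-firm.test"),
                       ("DNS", "www.example-firm.test")),
    "notBefore": "Nov  1 00:00:00 2009 GMT",
    "notAfter": "Nov  1 00:00:00 2010 GMT",
}


def cert_status(cert, now, warn_days=30):
    """Return (status, days_left) for a getpeercert()-style dict, where
    status is 'not_yet_valid', 'expired', 'expiring' or 'ok'.
    warn_days (assumed 30) is how far ahead a renewal warning is raised."""
    now_s = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now_s) / 86400
    if now_s < not_before:
        return "not_yet_valid", days_left
    if now_s >= not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def status_on(cert, year, month, day):
    """Convenience wrapper: evaluate cert_status at midnight UTC on a date."""
    return cert_status(cert, datetime(year, month, day, tzinfo=timezone.utc))


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry, either
    exactly or by a leftmost-label wildcard such as *.example-firm.test.
    Only SANs are consulted; modern clients ignore the subject CN."""
    hostname = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == hostname:
            return True
        if (name.startswith("*.") and hostname.count(".") == name.count(".")
                and hostname.endswith(name[1:])):
            return True
    return False


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: perform a TLS handshake with full chain and hostname
    verification and return the peer certificate dict.  Needs network access,
    so it is only called from the command line below, never by the tests."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py billing.example-firm.test  (defaults to the sample)
    host = sys.argv[1] if len(sys.argv) > 1 else "billing.example-firm.test"
    cert = fetch_peer_cert(host) if len(sys.argv) > 1 else SAMPLE_CERT
    status, days = cert_status(cert, datetime.now(timezone.utc))
    print(f"{host}: {status}, {days:.1f} days left, "
          f"hostname {'ok' if hostname_matches(cert, host) else 'MISMATCH'}")
```

Run against a sample that was current in late 2009, the check reports “ok” in the spring of 2010 and “expiring” two weeks before the November 2010 expiry, which is the point to renew rather than the morning the warnings start.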

From there, staff will need to be trained on identifying that a consumer’s identity has been stolen, and to take appropriate actions to protect the consumer from further loss.  The FTC form also indicates that outside agencies such as a billing agency may also need to be trained (or you need to verify that that organization has its own acceptable policy for complying with the rules).  After that, the program requires an internal annual report on activities, and updating the program to address evolving threats to consumer identities.  Now that wasn’t so bad, was it?

The Quest for Meaningful Use

Section 4101 of the American Recovery and Reinvestment Act creates an incentives program for Medicare providers (and a penalty program after 2015 with regards to reimbursement) for EHR adopters.  See this article from June 2009 on “meaningful use.”  See also an earlier blog post on ARRA incentives here.

One of the provisions for receiving incentive payments is that the provider can demonstrate “meaningful use” of the EHR system.  The section also requires that this meaningful use occur on a certified EHR system.  The term “meaningful use” is not defined by the statute, except as follows: “(i) Meaningful Use of Certified EHR technology – The eligible professional demonstrates to the satisfaction of the Secretary, in accordance with subparagraph (C)(i), that during such period the professional is using certified EHR technology in a meaningful manner, which shall include the use of electronic prescribing as determined to be appropriate by the Secretary.”

The phrase is not defined by the statute, but presumably will be defined by the promulgation of a regulation by the Secretary of Health and Human Services.  The thinking today is that meaningful use would be defined by the achievement of certain milestones over time by providers using EHRs.  Initially, the focus would be on actually putting data into the system.  With time, the definition would expand to being able to look at the data over time and evaluate it for trends.  And eventually, providers would be required to have an actual impact on patient health outcomes.  There is likely to be a similar movement within the private insurance world for providers, as in a “pay for improved outcomes” model, moving beyond just reducing the number of times someone comes to the doctor’s office (the old, HMO model of quality).

In more practical terms, a provider that wanted to demonstrate meaningful use would need to buy some software, take it out of the box, and actually use it to put some kind of data into it.  Most likely, a more sophisticated system purchaser would give some thought to how that data would be organized within the computer system, with the goal of being able to get it back out again on demand.  In the paper health record world, this is comparable to having a paper note to document the visit, and a separate flowsheet that is maintained to track certain kinds of lab results over time.  The flowsheet is the manually created output which ultimately can be used to evaluate patient outcomes to treatment.  For example, an HIV patient is routinely checked for his or her HIV viral load.  A lower number (or an undetectable viral load count) is better than a higher one.  HIV care providers also keep track of the number of CD4 cells in a given blood sample: a higher CD4 count is better than a lower one.  Over time, these two values are related to each other, and also predict if a patient is doing better or worse with the disease.

An observant provider would educate the patient about these lab results and their implications for health, and demonstrate how close adherence to the schedule for taking HIV medications helps improve the patient’s health over time.  An HIV provider would also be watching for unexpected changes in these values to determine if the patient should be evaluated for resistance of the disease to the current regimen.  HIV is an expensive and high risk disease to manage; but it only gets more expensive if the patient’s condition is not managed appropriately (with lengthy hospital stays, complications and other health issues).  In addition, a patient’s quality of life goes down the tubes with the progression of the illness; usually the side effects of the medications to treat the illness are the lesser evil.

An EHR can help to improve the efficiency of this quality and management process for providers.  A well-designed and implemented system will place relevant lab values onto an electronic flowsheet which can be charted and analyzed over time, avoiding the time spent updating the paper forms and reducing errors in data entry.  In addition, an EHR can present multiple views of the data depending on the patient’s health condition, and can help manage care to accepted standards by reminding providers of tests or actions that are due (such as annual pap smears, 10 year tetanus boosters, quarterly viral load testing, STD screenings, etc.)  EHRs can also cut down on duplicate tests being ordered (at least within a practice that uses the system) if a patient is seen by more than one provider over time, as all have access to the same information in the same format.
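The flowsheet, the “unexpected change” watch on viral load, and the reminders for tests that are due, as described in the last three paragraphs, are small enough to show in code.  The script below is an added example, not from the original post or any EHR product: the flowsheet rows are constructed, not real patient data; the recurrence intervals are assumptions taken from the post’s own examples (quarterly viral load and CD4, annual pap smear, 10-year tetanus booster); and the 200 copies/mL threshold for calling a viral load “detectable again” is an assumed value for the example.

```python
"""Electronic flowsheet with a viral-load rebound alert and due-test reminders.
Added example; all patient values are constructed."""
from datetime import date

# Constructed flowsheet rows: (visit date, test, value).  Viral load 0 = undetectable.
FLOWSHEET = [
    (date(2008, 6, 1), "tetanus_booster", 1),
    (date(2009, 1, 10), "viral_load", 45000),
    (date(2009, 1, 10), "cd4", 210),
    (date(2009, 4, 12), "viral_load", 0),
    (date(2009, 4, 12), "cd4", 320),
    (date(2009, 7, 15), "viral_load", 0),
    (date(2009, 7, 15), "cd4", 410),
    (date(2009, 10, 20), "viral_load", 12000),
    (date(2009, 10, 20), "cd4", 300),
]

# Assumed recurrence intervals in days, from the post's examples.
SCHEDULE = {"viral_load": 90, "cd4": 90, "pap_smear": 365, "tetanus_booster": 3650}


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def series(flowsheet, test):
    """The dated values for one test, oldest first (the flowsheet column)."""
    return sorted((d, v) for d, t, v in flowsheet if t == test)


def overdue_tests(flowsheet, today, schedule=SCHEDULE):
    """Tests that have never been done or whose last result is older than
    the scheduled interval, as of 'today'.  Sorted list of test names."""
    today = _as_date(today)
    overdue = []
    for test, interval_days in schedule.items():
        s = series(flowsheet, test)
        if not s or (today - s[-1][0]).days > interval_days:
            overdue.append(test)
    return sorted(overdue)


def viral_load_rebounds(flowsheet, threshold=200):
    """Visit dates (ISO strings) at which a previously suppressed viral load
    (<= threshold) became detectable again (> threshold): the unexpected change
    that prompts a resistance work-up.  A falling load is not flagged."""
    s = series(flowsheet, "viral_load")
    return [d.isoformat() for (_, prev), (d, cur) in zip(s, s[1:])
            if prev <= threshold < cur]


def trend(flowsheet, test):
    """Direction of the most recent change for charting: 'up', 'down' or 'flat'."""
    s = series(flowsheet, test)
    if len(s) < 2:
        return "flat"
    prev, cur = s[-2][1], s[-1][1]
    return "up" if cur > prev else "down" if cur < prev else "flat"


if __name__ == "__main__":
    today = date(2009, 12, 1)
    for test in ("viral_load", "cd4"):
        print(test, [(d.isoformat(), v) for d, v in series(FLOWSHEET, test)], trend(FLOWSHEET, test))
    print("rebounds:", viral_load_rebounds(FLOWSHEET))
    print("due as of", today, ":", overdue_tests(FLOWSHEET, today))
```

In the constructed data the October visit shows the viral load rising from undetectable to 12,000 while the CD4 count falls, which is exactly the pattern the flowsheet exists to make visible; the same data also shows why the reminder logic matters, since the pap smear has never been recorded and would be missed without it.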

While not yet fully defined, meaningful use will likely lead our nation to more defined care standards, with incentives (and potentially penalties) for better outcomes.  But a word of caution – patients ultimately have to make decisions about their own health.  Not everyone is convinced that having a BMI over 30 is bad enough to warrant exercising an hour every day and cutting calorie intake by 25-50%.  Or consider smoking, which leads to a fair amount of bad health outcomes over time, yet how many Americans still smoke?  Penalizing physicians for the stupid choices that patients make is not fair, even though the health outcomes for these patients will be worse than if the patient had listened to their physician.  Expect the definition for meaningful use to be published soon, but also expect changes over time, particularly on standards for health outcomes.

Facebook and Twitter: Implications for Your Business?

Technology presents us with new opportunities and challenges on a regular basis.  Social networks and other “web 2.0” applications are starting to make inroads into the mainstream of the internet (ask how many of your iPhone-using friends have apps for one or both of these to measure the reality of the hype).  As a result, staff at your business are bringing their internet usage habits into the workplace.  Prospective customers are looking for you through these tools.  And business owners may want to consider the implications for their organizations.

IT departments at most organizations have struggled with having an effective internet usage policy for staff with internet access.  The difficulty has been in balancing the security of the network from viruses and other security threats against the need of users to access internet resources for business purposes.  The rise of google as a synonym for searching the web has increased the overall utilization of the internet as a business research tool.  Trying to keep inappropriate content from appearing in search results poses a real challenge for IT departments.

In addition, with the advent of more sophisticated attacks from web sites, IT departments have struggled to block phishing and other infectious sites and patch their organization’s computers to be resistant to attacks from the internet.  Facebook and twitter have both been used by malicious users to launch attacks on users of these sites (either by writing malicious applications and publishing them on facebook, or by posting malicious links in twitter postings).  The unfortunate knee-jerk reaction of most IT departments is to simply block these sites at the corporate firewall, preventing staff from having any access to these internet resources.

The typical rationale has been that these are not work-related sites, and staff are just wasting time using them on the clock, therefore, shutting down access to them at work is perfectly reasonable.  But, that rationale may no longer work as the web 2.0 world begins to take shape.  For one thing, more businesses are establishing fan pages on facebook in order to advertise their services and provide information to their customers.  Innovative businesses also may develop applications for facebook that are both popular and help to advertise the services offered by the organization.  Businesses also use twitter to keep customers in the loop on activities and events of the company, or monitor twitter to evaluate how its own advertising campaign may be progressing in reaching certain demographics.

Web 2.0 technologies are becoming more pervasive on the internet, which also increases the minimum skill sets of staff working for organizations that use web technologies to reach customers.  Blocking these technologies from the corporate network may result in a less-skilled workforce.  And, ultimately, according to Gartner, such efforts are futile and bound to fail because of the pervasive nature of these technologies.  (See CNET article)

It would seem that liberalization of internet use policies at companies, then, is an inevitable result.  And with that increased access comes new responsibilities for staff and businesses.   A landlord sued a former tenant for defamation earlier this year as a result of some tweets by the tenant about mold in her apartment.  (See article here)  Twitter itself is a rather informal medium for posting information online – similar to having an instant message chat in the chat rooms of yesteryear (which seem so quaint today).  And because it streams posts real time, you may say something that you later regret.  Imagine, for example, that your business allows access to twitter, and one of your employees angrily posts a series of defamatory tweets about a competitor or vendor.  Your organization may be slapped with a lawsuit if that competitor is monitoring twitter for tweets mentioning it by name.

Facebook represents similar challenges for organizations, especially where employees may blur the line between their social lives and work lives by forming, for example, groups on facebook of other employees.  Suppose a group of employees creates a group for only certain kinds of employees from your organization, and intentionally excludes others (perhaps on the basis of gender or age).  Is your organization discriminating against the excluded group?  Does your organization have liability for the acts of your employees in forming the exclusive group?

The web can also present a trade secret leak for those of you that have proprietary information or processes that are used by your business to generate revenue.  Social media also present challenges for protecting intellectual property, and avoiding infringement claims by others (tarnishment of famous marks on twitter – I’m sure a case is brewing as I type this story).

These questions are unanswered.  And I don’t offer these hypotheticals to scare your organization into shutting down the internet connection at the office.  My point is to encourage your organization to think about your policies related to internet usage and what constitutes acceptable use of the internet during normal work hours.  Establishing an effective policy, and consistently enforcing that policy with your staff goes a long way to managing your exposure to a law suit.  Controlling the internet at the organization’s firewall is unlikely to be a sufficient risk management tool.

There are a number of starting points for a good internet usage policy for organizations.  Here are some principles to consider when drafting yours:

  1. Empower staff to be responsible for their internet usage.
  2. Disrespectful communication is not acceptable, whatever the medium of communication.
  3. Do not download and install software from the internet that is not approved by your IT staff.
  4. Use the internet for professional reasons.
  5. Be mindful that staff representations online reflect on the reputation of their employer.
  6. There are real-world consequences for staff that abuse access to the internet.

If your organization uses facebook or twitter today to market itself, reinforce with your staff that organizational posts should be approved prior to posting on the web.  The immediacy of these services should be resisted by staff in order to ensure a consistent and accurate message is communicated to the outside world.