Organic SEO Blog


Friday, August 30, 2013

Spectrum Health employees fired over Facebook picture

Story originally appeared on WZZM 13.

GRAND RAPIDS (WZZM) -- Several employees at Spectrum Health have been terminated over a picture posted on Facebook.

A source tells WZZM 13 News that an off-duty employee was in the emergency room when he saw an attractive female. He took a picture of her back side and posted it on Facebook. His message read, "I like what I like." The woman was not identified and her face could not be seen.

Danielle Leek teaches social media at Grand Valley State University. She says people have to be careful about what they post, even if the person isn't named. "Even though that might seem irrelevant to us, it can still be identifying to other people, especially to audiences on social media."

The employee who posted the picture was fired and so was everyone that liked it.

On Thursday, Spectrum would only say that it "Took appropriate action."

Spectrum wouldn't provide WZZM 13 with a copy of its social media policies, but we found it online. There were several guidelines, including upholding Spectrum's standards. The policy says that any violations of these standards could result in disciplinary action up to, and including, termination. It goes on to say that it's unacceptable to use images that are offensive or in poor taste. Employees also have to comply with HIPAA regulations. That's the Health Insurance Portability and Accountability Act that protects patient information.

The Spectrum source tells WZZM that it was another employee who notified administrators about the posting.

Leek says it's a lesson for all; when it comes to social media, be careful what you say and always err on the side of caution.

Those who were fired include a registrar, a physician's assistant, and an emergency room doctor. Not all were direct employees of Spectrum; some worked for a company that provided employees to the hospital.

Thursday, August 29, 2013

USE OF ONLINE DATA IN THE BIG DATA ERA: LEGAL ISSUES RAISED BY THE USE OF WEB CRAWLING AND SCRAPING TOOLS FOR ANALYTICS PURPOSES

Story originally appeared on Bloomberg News.

In 2010, Pete Warden, a software engineer living in Colorado, developed a software program to “crawl” publicly accessible Facebook pages and “scrape” (i.e., collect) information relating to Facebook’s members. Within hours of deploying his software, the application had visited approximately 500 million pages and collected information related to approximately 220 million Facebook users – including users’ names, location information, friends and interests. Using this dataset, which Mr. Warden offered to release in anonymized form for research purposes, he created a graphical analysis of the regional and relationship patterns among Facebook’s members. The cost of this exercise: about $100. The results: more than 500,000 visits to Mr. Warden’s website, national media coverage, and cease-and-desist warnings from Facebook, which perceived Mr. Warden’s collection of data from its webpages as a violation of its terms of use prohibiting automated access to the website without the company’s permission. Ultimately, in order to avoid a potential legal dispute, Mr. Warden abandoned his plan to release the information he collected, and agreed to delete all copies of the dataset.1 Summing up his experience, he later quipped, “Big data? Cheap. Lawyers? Not so much.”2

AUTOMATED WEB CONTENT GATHERERS

The use of web crawlers, scrapers and other automated tools for gathering online content has long been a feature of the Internet (to the extent “long” can be used to describe the history of the Internet). For example, search engines use web crawling “bots” or “spiders” to continuously visit billions of webpages to create relevant and accurate search results, and the Internet Archive – a non-profit digital library that archives historical versions of publicly accessible webpages – has since 1996 used web crawling tools to create a historical record of the Internet comprising 10 quadrillion bytes of data. Others have used similar tools to offer services that compete with or complement the offerings of the scraped websites – including uses of these tools to aggregate news content, and to monitor and facilitate purchases of airline and concert tickets (with or without the permission or involvement of the scraped website). As Mr. Warden’s experience suggests, the use of these tools pits the interests of website owners in protecting, controlling and profiting from the content they provide against the interests of others who seek to gather and use that content for other purposes (be they harmful, helpful or irrelevant to the website owner). Not surprisingly, the use of these tools has spurred litigation under a variety of theories, including copyright infringement, breach of contract (e.g., website terms of use), “hot news” misappropriation, trespass to chattels, and criminal statutes prohibiting unauthorized access to a computer system or website.

With the advent of Big Data – the increasingly widespread practice of using advanced data analytics to identify trends and patterns in extremely large datasets collected from a variety of sources – the potential applications for scraped data, and the benefits associated with analysis of that data, have increased exponentially. Whereas past cases involving unauthorized web crawling and scraping often involved simple copying and republication of website content in direct competition with the scraped website, the growing use of advanced data analytics is giving rise to instances where the connection between the data analytics service and the scraped website is attenuated and not directly competitive. Nevertheless, the online content of websites that may be scraped is among such businesses’ most valuable data, and great lengths are understandably taken to protect such content.

Given both the tremendous value and Big Data-driven demand for Internet-based information, and the relative ease by which such information can be compiled using automated data collection tools such as that deployed by Mr. Warden, it is likely that future cases relating to web crawling and scraping will focus on the legal issues raised by automated data gathering for analytics purposes – and what theories a website owner may exercise to protect any factual data so collected and what theories a data collector may use to justify such collection. Few courts, however, have directly addressed the legal issues raised by Big Data or the collection of data for related purposes, leaving uncertain the legal environment faced by website owners wishing to protect the data on their websites, and those who would gather such data for analytics purposes. Without taking sides – and while recognizing that the legal landscape relating to the Internet is constantly evolving, with previously challenged technologies such as search engines now recognized as nearly per se legitimate while others such as peer-to-peer networks have continually been subject to scrutiny – this article seeks to outline the legal issues such parties may face. In doing so, this article will consider the legal theories that have been applied in prior cases relating to the use of web crawling and scraping tools in other contexts, and will identify issues relating to whether claims under these theories are likely to succeed in connection with disputes relating to automated data collection for Big Data and analytics purposes.

LEGAL THEORIES RELATED TO AUTOMATED ONLINE DATA COLLECTION

A. COPYRIGHT INFRINGEMENT.

The Copyright Act protects original expressions that are fixed in a tangible medium, including mediums such as computer memory or a web server.3 These protections extend not only to original expressions such as images contained on a website, but also the underlying code that enables the display of any content on the website – including facts displayed on a website that are not otherwise entitled to copyright protection. Accordingly, because web crawling and scraping tools generally index information on a targeted webpage regardless of whether the tool seeks to obtain copyrighted content or unprotected facts4, courts have recognized claims for copyright infringement in connection with the use of web crawling and scraping tools.5

Because some courts have recognized that such activities may infringe a website owner’s copyrights, the focus in such cases is generally on whether the web crawling or scraping at issue is a fair use of the copyrighted content. For example, in Kelly v. Arriba Soft Corp., the defendant search engine conceded that its display of low-resolution “thumbnail” copies of high-resolution photographs constituted reproduction of those photographs, but argued that such display was a transformative, fair use of the copied photographs. The Ninth Circuit agreed – holding that the search engine’s display of low-resolution photographs to facilitate the general public’s access to information on the Internet was highly transformative of, and did not provide a substitute for, the plaintiff’s high-resolution photographs whose purpose was primarily artistic.6 Notably, the fact that such use was for a commercial purpose did not bar the court’s finding that the search engine made a fair use of plaintiff’s copyrighted photograph.7 In contrast, in Associated Press v. Meltwater Holdings U.S., Inc., the court found that an online news aggregator that provided its subscribers with nearly 500-character excerpts of copyrighted articles scraped from the websites of the Associated Press’s licensees did not engage in a fair use of those articles.
The court distinguished the news aggregator’s services from those at issue in Kelly on the grounds that the news aggregator did not facilitate the general public’s access to information on the Internet, but instead only provided word-for-word excerpts of the copied articles to the aggregator’s paying customers without transforming that content in any way.8 The court further held that the aggregator’s use of that content to generate analytics relating to the online news sources it covered, while potentially transformative in and of itself, did not render the aggregator’s excerpting transformative insofar as the analytics and excerpting were separate and distinct services.9

While even incidental reproduction of copyrighted webpage material may give rise to copyright liability, courts have also recognized that such reproduction may constitute a fair use of the protected content. For example, in Ticketmaster Corp. v. Tickets.com, Inc., the defendant argued that the momentary copying of Ticketmaster’s webpages by its spiders for the purpose of extracting factual information concerning concert times, ticket prices, and venues that defendant then posted to its website constituted a fair use. The court agreed. In so finding, the court emphasized that the copying was momentary, the effect on the market value of the copyrighted material was “nil”, and that the “amount and substantiality” of the material used was negligible insofar as defendant did not reproduce the copyrighted material on its webpage. Further, the court observed that the central purpose of the Copyright Act – i.e., “to secure a fair return for an author’s creative labor and to stimulate artistic creativity for the general good” – would not be served by restricting defendant from momentarily copying Ticketmaster’s webpages for the purpose of obtaining non-protected, factual information.10

In addition to the fair use defense, courts have also considered whether a plaintiff’s copyright claims are subject to implied license or estoppel defenses based on its failure to deploy the “robots.txt” protocol to deter unwanted web crawling or scraping. The robots.txt protocol is an industry-standard programming language that a website may deploy to instruct cooperating web crawlers generally, or certain web crawlers specifically, to voluntarily refrain from accessing all or part of the website.11 In Parker v. Yahoo, Inc., the court held that the plaintiff’s failure to deploy the protocol granted Yahoo an implied license to create cache copies of his website where plaintiff was aware that Yahoo – which has a policy of not creating cache copies of websites that deploy the protocol – would do so in the absence of the protocol.12 Conversely, in Meltwater, the court rejected the defendants’ implied license and estoppel defenses based on the Associated Press’s purported failure to require its licensees to deploy the protocol. The court distinguished Parker on several grounds, including that the defendants reserved the right to ignore the protocol if deployed. The court further emphasized that the defendants’ arguments, if accepted, would shift the burden of preventing infringement to the copyright owner, and threatened the “openness of the Internet” by forcing copyright owners to choose between deploying the protocol and deterring all web crawlers (including search engines which may help users locate the website), and refraining from doing so and losing the right to prevent unauthorized use of its protected content.13

With respect to future cases involving use of scraped content for analytics purposes, courts are likely to follow a similar analysis driven by the facts of the specific case. Issues regarding whether the copying is momentary, whether the information extracted is factual, the effect on the market value of the copyrighted material, and the amount and substantiality of the material used are likely to be key issues in these cases. Courts are further likely to focus on whether the object of the Copyright Act – “to secure a fair return for an author’s creative labor and to stimulate artistic creativity for the general good” – would be served by prohibiting the challenged conduct. Courts are also likely to consider, in the context of defenses to copyright claims, the specific circumstances relating to a website’s deployment of the robots.txt protocol, including whether the defendant has a practice or policy of complying with the protocol if deployed.

B. BREACH OF CONTRACT.

Most commercial websites contain terms of use that provide that access and/or use of the website is premised on the user’s agreement to such terms.14 A claim sometimes made in cases regarding web crawling or scraping is that the defendant violated the terms of use by crawling and scraping content. While these cases have explored somewhat novel uses of technology, they often turn on fundamental issues of contract15 – including whether the targeted website’s terms of use are enforceable as against the defendant, whether the conduct complained of violates those terms, and whether any such violation causes any compensable damages. These cases suggest that use of such tools to gather data may give rise to a claim for breach of contract, while also demonstrating the potential hurdles to prevailing on such claims. These issues are discussed in turn.

1. ENFORCEABILITY OF WEBSITE TERMS OF USE.

As is the general rule with any contract, a website’s terms of use will generally be deemed enforceable if mutually agreed to by the parties. In determining whether such mutual agreement exists, courts look to whether the terms of use constitute a “clickwrap” agreement – which typically requires that a visitor indicate her agreement by clicking an “I accept” icon before accessing the website – or a “browsewrap” agreement – pursuant to which the user is provided with notice of the website’s terms of use, and informed that use of the website constitutes agreement to those terms.16 Clickwrap agreements, because they require a user to formally indicate his knowledge and awareness of the terms of use, are generally found enforceable.17 Browsewrap agreements have also generally been found enforceable where the defendant has actual knowledge of the terms of use or constructive knowledge of such terms.18 Actual knowledge is sometimes demonstrated by evidence that a defendant was advised of its violations of the terms of use via a cease-and-desist letter from plaintiff.19 Constructive knowledge is sometimes found where a website’s terms of use are prominently or conspicuously displayed on the website, such as where a hyperlink to those terms is underlined and set forth in distinctively colored text.20

Regardless of whether a website’s terms of use are clickwrap or browsewrap, the defendant’s failure to read those terms is generally found irrelevant to the enforceability of its terms.21 One court disregarded arguments that awareness of a website’s terms of use could not be imputed to a party who accessed that website using a web crawling or scraping tool that is unable to detect, let alone agree to, such terms.22 Similarly, one court imputed knowledge of a website’s terms of use to a defendant who had repeatedly accessed that website using such tools.23 Nevertheless, these cases are, again, intensely factually driven, and courts have also declined to enforce terms of use where a plaintiff has failed to sufficiently establish that the defendant knew or should have known of those terms (e.g., because the terms are inconspicuous), even where the defendant repeatedly accessed a website using web crawling and scraping tools.24

Issues regarding enforceability of contract are likely to continue to be an issue addressed by courts in this area, with content providers citing clickwrap agreements and actual knowledge of terms, and those using crawling and scraping tools arguing a lack of mutual assent to such terms.

2. TERMS OF USE THAT MAY PROHIBIT AUTOMATED DATA COLLECTION.

The terms of use for websites frequently include clauses prohibiting access or use of the website by web crawlers, scrapers or other robots, including for purposes of data collection. Courts have recognized causes of action for breaches of contract based on the use of web crawling or scraping tools in violation of such provisions.25

Also common are terms of use that limit visitors to personal and/or non-commercial use of a website. For example, in Southwest Airlines Co. v. BoardFirst, LLC, the plaintiff airline alleged that the defendant violated its terms of use restricting access to Southwest’s website for “personal, non-commercial purposes” by offering a commercial service that helped Southwest’s customers take advantage of the company’s “open” seating policy and check-in process to obtain priority seating in the front of the plane. The court granted Southwest’s motion for summary judgment on its breach of contract claim, finding that the defendant’s conduct directly contravened Southwest’s prohibition on commercial uses of Southwest’s website.26

Cases addressing the purported violations of these terms tend to hinge on the precise language of the contractual provisions at issue, and the scope of the agreement between the parties that can be ascertained from that language. Thus, for example, in Southwest, the court rejected defendant’s argument that Southwest’s terms of use were too ambiguous to be enforced against defendant where those terms specifically prohibited use of the website “for the purpose of checking [c]ustomers in online or attempting to obtain for them a boarding pass in any certain boarding group.” Defendant’s services, which helped Southwest’s customers obtain priority seating, fell “within the heart of this proscription.”27 In contrast, in TrueBeginnings, LLC v. Spark Network Servs., Inc., the court found that the defendant did not violate the terms of service of plaintiff’s dating website – which limited use of the “website and related services” to a visitor’s “sole, personal use” – by visiting the website to obtain evidence for use in a patent infringement action against plaintiff. In so holding, the court analyzed the entirety of plaintiff’s terms of use, including those prohibiting use of web crawlers or spiders to gather data from the website, to determine that they related to use of the website’s dating services. Defendant’s use of the website to gather evidence for use in a patent lawsuit did not involve unauthorized uses of the dating services, and thus did not breach plaintiff’s terms of use.28

Terms of use designed to prevent reproduction of website content also raise issues regarding whether such claims are preempted by copyright claims. Courts have generally declined to find claims for enforcement of such terms to be preempted by the Copyright Act, reasoning that terms of use restricting the manner by which a website can be accessed or used go beyond the protections provided under the Copyright Act. For example, in Internet Archive v. Shell, the Internet Archive sought dismissal on preemption grounds of the plaintiff’s claim for breach of contract relating to Internet Archive’s crawling and indexing of plaintiff’s website in violation of terms of use that prohibited any copying of plaintiff’s website for a “commercial or financial purpose.” The court rejected Internet Archive’s preemption argument, finding that Internet Archive’s alleged agreement to refrain from use of the material on plaintiff’s website “for commercial or financial purposes … lie[s] well beyond the protections [the website owner] receives through the Copyright Act”29 (which, as discussed, allows for limited use of copyrighted content, even for a commercial purpose, if sufficiently transformative or unlikely to provide a substitute for the copyrighted work). The court reached this conclusion despite the fact that the Internet Archive is a non-profit entity – apparently on the basis of disputed allegations that Internet Archive’s copying of the content at issue allowed it to “acquir[e] … grant awards, donations, … and the expectation of acquiring additional intellectual property.”30

These cases suggest that future contractual disputes relating to web crawling or scraping for analytics purposes based on terms of use violations will likely focus on the proscriptions on automated data collection that are set forth in those terms of use.

3. DAMAGES RELATING TO UNAUTHORIZED DATA COLLECTION.

The cases discussed above establish that website terms of use may be enforced against any party who accesses or uses a website in violation of those terms, and that, if sufficiently clear and unambiguous, those terms may prohibit any automated data collection from the website. However, a breach of contract claim also requires a showing of damages. To date, few of the cases involving breaches of contract relating to website terms of use have been decided on the merits. As a result, the issue of damages in such cases has received scant attention in reported case law. Those cases that have addressed the damages issue acknowledge the challenges and showing required to establish damages relating to violations of website terms of use.

For example, in Southwest Airlines, the court granted summary judgment to Southwest on its breach of contract claim based on its finding that Southwest sufficiently demonstrated that defendant’s services allowed Southwest customers to avoid the online check-in process, thereby decreasing web traffic to Southwest’s website. By decreasing that traffic, the defendant deprived Southwest of valuable selling and advertising opportunities, and also interfered with Southwest’s brand-building opportunities. Nonetheless, while Southwest established that it suffered some form of harm from the defendant’s breach of the terms of use, the court declined to award any damages – finding that calculation of damages was “impossible.” Though it declined to award any damages, the court granted a permanent injunction in connection with Southwest’s breach of contract claim.31

Indeed, because damages relating to violations of website terms of use may in some circumstances be difficult if not impossible to quantify, some courts have looked to liquidated damages provisions as an estimate of such damages. In Myspace, Inc. v. The Globe.com, MySpace alleged that the defendant used an automated script to send spam e-mails from various MySpace accounts established by defendant in violation of MySpace’s terms of service providing that “MySpace is for … personal use … only and may not be used in connection with any commercial endeavors,” and which prohibited “any automated use of the system” or “transmission of … spam[].” MySpace’s terms also provided that users agreed to pay $50 for each item of spam sent in violation of MySpace’s terms as “a[n] … estimation of such harm.” The court granted MySpace’s motion for summary judgment on its breach of contract claim, and found that – because MySpace’s actual damages from defendant’s conduct were impracticable or extremely difficult to determine – liquidated damages of $50 per spam message was a reasonable measure of damages.32

The issue of damages is, of course, an intensely factual determination, but it should be noted that this issue is likely to play a key role in these cases in the future – with content owners trying to either quantify actual damages or establish the applicability of liquidated damages provisions, and those who use crawling and scraping tools arguing the impossibility of establishing such amounts. Based on the difficulty in establishing damages, content owners may also seek injunctive relief in such cases.

C. COMPUTER FRAUD AND ABUSE ACT.

Courts have also considered whether web crawling or scraping in breach of a website’s terms of service constitutes a violation of the Computer Fraud and Abuse Act (“CFAA”), which prohibits access to a computer, website, server or database either “without authorization” or in a way that “exceeds authorized access” of the computer.33 While these terms have been variously defined, in essence, a person who accesses a computer “without authorization” does so without any permission at all, while a person “exceeds authorized access” where she “has permission to access the computer, but accesses information on the computer that the person is not entitled to access.”34 So long as a computer is publicly accessible, and not protected by password or other security measures, courts have declined to find any access of the website to be “without authorization.”35 Conversely, a CFAA claim may lie where a computer or website is protected from unauthorized access, either by technical measures or even explicit warnings in a cease-and-desist letter.36

Courts are split, however, as to whether access of a website in a manner prohibited by its terms of use “exceeds authorized access” of the website in violation of the CFAA. For example, in an early case on this topic, a federal court in Virginia granted summary judgment on AOL’s CFAA claim based on the defendant’s admission that it harvested email addresses from AOL’s website in violation of its terms of use.37 Several years later, in 2003, the Court of Appeals for the First Circuit seemingly agreed with this theory by stating in dicta that “[a] lack of authorization could be established by an explicit statement on a website restricting access.”38

These decisions, however, have been greeted with skepticism by later courts and commentators.39 For example, in 2012, the Ninth Circuit held in an en banc decision captioned U.S. v. Nosal that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions,” but rather concerns “hacking—the circumvention of technological access barriers.”40 In reaching this decision, the Ninth Circuit emphasized the legislative history of the CFAA, noting that it was enacted in 1984 “primarily to address the growing problem of computer hacking.”41 The court further discussed the absurd results that would follow from criminalizing violations of website terms of use – e.g., on dating websites that purport to require honest self-descriptions, describing “yourself as ‘tall, dark and handsome,’ when you’re actually short and homely, will earn you a handsome orange jumpsuit” – and moreover, would allow for ever-shifting grounds for criminal liability as website terms of use are subject to change at any time, in any way, at the website owner’s complete discretion. Thus, “behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.”42

While the current trend appears to be to reject broad theories that allow terms of use violations to be used as a basis to establish criminal liability under the CFAA (or analogous state statutes), this is still an unresolved area in most circuits – and one that will likely further be argued in crawling and scraping cases.

D. HOT NEWS MISAPPROPRIATION.

In addition to asserting copyright claims based on incidental reproduction of copyrighted webpage material, numerous plaintiffs have asserted claims for hot news misappropriation relating to scraping of purely factual information. “Hot news” misappropriation – once a claim that existed under the federal common law, but which now exists only under the laws of five states43 – provides a cause of action where a party reproduces factual, time-sensitive information that was gathered at the effort and expense of another party, and thereby deprives the gathering party of the commercial value of that information. Thus, for example, in Int’l News Serv. v. Associated Press, the Supreme Court in 1918 recognized a claim under federal common law for hot news misappropriation in connection with a wire service’s re-publication of breaking news gathered by the Associated Press, which thereby deprived the Associated Press of the news value of its reporting.44 The court justified its decision as protecting the “quasi-property” rights of profit seeking entrepreneurs who gathered time-sensitive information from those who would free-ride on the efforts of those entrepreneurs.45

Since hot news misappropriation generally concerns factual information rather than content that is subject to copyright protection, it is generally found not to be preempted by the Copyright Act.46 However, courts have recognized hot news misappropriation as an extremely narrow claim that survives preemption only in very narrow circumstances that mirror the circumstances in Int’l News Serv. For example, in Barclays Capital Inc. v. Theflyonthewall.com, Inc., financial services firms alleged claims for copyright infringement and hot news misappropriation against a news aggregation website that reported on investment recommendations issued by the firms to their clients who paid to receive those recommendations before they became generally known to the investment community. On appeal from a denial of the defendant’s motion to dismiss the hot news claim, the court found that plaintiff’s claim was preempted by the Copyright Act. In so finding, the court emphasized that the plaintiffs’ claim lacked an “indispensable element of an INS ‘hot news’ claim,” i.e., “free-riding by a defendant on a plaintiff’s product, enabling the defendant to produce a directly competitive product for less money because it has lower costs.”47 Rather, though the defendant’s conduct potentially threatened plaintiffs’ businesses, the defendant was actually breaking news generated by the plaintiffs’ recommendations (and attributing the recommendations to plaintiffs), rather than merely repackaging news that had been reported by plaintiffs.48

The Barclays case suggests the difficulty of stating a valid hot news misappropriation claim against a party engaged in automated data collection for purposes of data analytics. In many factual scenarios, scraping of information would not appear to qualify as “free-riding” within the meaning of INS so long as the scraper did not attempt to pass the information off as his own without attribution to the content provider. Indeed, many factual circumstances would appear similar to the recommendations at issue in Barclays, where the information is only valuable because it was attributed to the source. The fact that data analytics often involves the use of information to create entirely new insights (including in combination with information from other sources) suggests further difficulties in establishing the requisite “free-riding,” which under Barclays involves demonstrating that the underlying information was used to produce a directly competitive product.

E. TRESPASS TO CHATTELS.

Courts have also recognized, in certain narrow circumstances, that unauthorized use of web crawling or scraping tools can give rise to a trespass to chattels claim, which “lies where an intentional interference with the possession of personal property has proximately caused injury.”49 For example, in eBay, Inc. v. Bidder’s Edge, Inc., eBay brought a trespass to chattels claim against the defendant, an online auction aggregation service that scraped auction information from eBay’s website using spiders that accessed the website approximately 100,000 times per day in violation of eBay’s terms of service and in defiance of cease-and-desist demands from eBay. eBay also moved to preliminarily enjoin the defendant from accessing its website. In granting that motion, and finding that eBay was likely to prevail on its trespass to chattels claim, the court relied on the fact that defendant’s spiders consumed a portion – albeit very small – of eBay’s server and server capacity, and thereby “deprived eBay of the ability to use that portion of its personal property for its own purposes.”50

In contrast, where tangible interference is absent, or is no more than theoretical or de minimis, courts have declined to recognize claims for trespass to chattels relating to the use of web crawling or scraping tools. For example, in Tickets.com, the court granted summary judgment dismissing Ticketmaster’s trespass to chattels claim because Ticketmaster failed to present any evidence that its competitor’s scraping of its website either caused physical harm to Ticketmaster’s servers or otherwise impeded Ticketmaster’s use or utility of its servers. In so holding, the court criticized the decision of the eBay court, and required a showing of “some tangible interference with the use or operation of the computer being invaded by the spider.”51 Later courts have generally agreed with the holding in Tickets.com.52

To the extent that Tickets.com presents the prevailing statement of law, and evidence of a tangible interference with a computer or server is necessary to state a claim for trespass to chattels based on unauthorized web crawling or scraping, courts are likely in the future to focus on evidence of tangible interference with systems.53

CONCLUSION

As indicated above, the legal landscape relating to web crawling and scraping is still taking shape—particularly insofar as few courts have considered claims based on crawling or scraping for analytics purposes. Further, because most cases involving the use of web crawling and scraping tools in other contexts have been highly fact specific, it is difficult to identify bright line rules for determining when use of such tools for analytics purposes is likely to give rise to liability. Nonetheless, the cases discussed above suggest a number of issues that should be considered both by website owners and by those who seek to perform analytics using data gathered from web-based sources.

These issues include (1) the language of the terms of use or service, and whether such terms address access to the website through automated means, use of any data collected through such means, and use of the website for anything other than the user’s personal, non-commercial use; (2) the enforceability of the terms of use, for example, whether they are presented to the user through a clickwrap mechanism that requires the user to indicate his or her assent to those terms as opposed to a browsewrap agreement, or on a terms of use page that can be reached through a conspicuous link on every other page on the website and which indicates that any use of the website is subject to the user’s agreement to those terms; (3) use of technological tools to deter unwanted crawling or scraping, including but not limited to the robots.txt protocols; (4) whether the website owner will license or authorize uses of content; (5) whether access to the website is protected such that a claim under the CFAA or California Penal Code Section 502 may be alleged; and (6) the extent to which the website content is protected by copyright.

Ultimately, while the claims and theories that may be advanced in connection with the use of web crawling and scraping tools for analytics purposes have yet to be deeply explored by courts, this is likely a temporary state of affairs. Rather, given the increasing number and availability of tools for aggregation and analysis of content in the Big Data era, courts will ultimately be required to address these complicated issues.

Google phone exec quits for Chinese upstart Xiaomi

Story originally appeared on USA Today.

Hugo Barra, a top member of Google's smartphone team, is leaving the U.S. technology company for upstart Chinese phone maker Xiaomi.

Barra, vice president of product management for Google's Android phone operating system, will head up the Chinese company's international business development as vice president of Xiaomi Global, he announced on his Google+ page.

Xiaomi currently sells few phones outside of China, but has quickly carved out an impressive share of the world's largest cell phone market, surpassing Apple in sales in the last quarter and, with its Mi 2S model, taking the title of top selling phone away from Samsung Electronics's Galaxy S4 in the first half of the year.

Part of the attraction is that Xiaomi's phones are usually priced at less than half the level of the leading global models, but the company actively involves customers in its design process through social media to keep up with their changing tastes.

Barra has been with Google for over 5 years and joins a group of Chinese Google, Microsoft and Motorola veterans in guiding Xiaomi's expansion. While Chinese phone makers lag well behind Samsung and its South Korean peers in the U.S. market, Huawei, ZTE, Lenovo and others have already fared far better overseas than Japanese rivals other than Sony.

Xiaomi, whose investors include Singapore sovereign wealth fund Temasek, last week completed a new round of fundraising that valued the company at $10 billion according to Lei Jun, its chief executive. The company has made its mark through sales via social networking sites but this month began also selling phones through China Mobile, the company with the most mobile subscribers in the world and which has been wooed by Apple.

"Xiaomi looks a bit like Apple but is really more like Amazon with some elements of Google," Lei told Reuters earlier this month. "The mobile phone is only the carrier," he said, indicating the company's aim is to sell mobile Internet services.

Wednesday, August 28, 2013

Governments sought info on 38,000 Facebook users

Story originally appeared on USA Today.

SAN FRANCISCO — Governments in 74 countries sought information on more than 38,000 Facebook users in the first half of 2013, and the social-networking giant complied with most of those requests.

Half of them came from the USA, Facebook said Tuesday in its first report on the breadth of data inquiries it receives from government agents. As with other companies, it is initially hard to tell much from Facebook's data, and how information on individuals was parsed.

The report comes on the heels of allegations by former intelligence contractor Edward Snowden that nearly every major Internet company — including Facebook, Google and Microsoft — routinely forks over troves of data on potentially millions of people to national intelligence agencies.

Facebook has more than 1 billion users worldwide.

U.S. authorities were by far the most active in mining Facebook, seeking information on 20,000 to 21,000 users between January and June — or more than 100 users a day — according to Facebook.

Facebook said it cooperated on about 80% of those requests.

In the previous six-month period, U.S. officials sought data on 18,000 to 19,000 Facebook users.

'N.Y. Times' blames hackers in latest website crash

Story originally appeared on USA Today.

The New York Times website was hacked Tuesday, the latest in a series of high-profile attacks on media websites.

It is the second failure of the Times' site in two weeks. It went dark on Aug. 14 due to what the publication said then was an internal problem, not the result of hacking.

The Times said Tuesday the website first crashed at about 3 p.m. ET following an online attack on the company's domain name registrar, Melbourne IT.

Marc Frons, chief information officer for The New York Times Co., issued a statement that the outage was "the result of a malicious external attack" and advised employees to "be careful when sending e-mail communications until this situation is resolved," according to a story that appeared on the newspaper's website.

Frons also said the attack was carried out by the Syrian Electronic Army "or someone trying very hard to be them." The SEA, a group of hackers who support Syrian President Bashar Assad, have organized and carried out online attacks on prominent websites in recent months.

Matt Johansen, head of the Threat Research Center at WhiteHat Security, tweeted Tuesday that he was sent to an SEA domain when he tried to go to the Times' website.

Twitter said Tuesday its website also was affected by a similar attack, but it didn't refer to SEA.

Later in the day, a Twitter account that seemingly belongs to SEA showed an image that indicates SEA also attacked Twitter's domain.

The Times said its site was restored shortly after the initial crash, but the hackers quickly disrupted it again. Trying to call up the website rendered varying experiences for readers in different places.

For many, the site was completely down. Others reported that typing the website's Internet protocol address — a numbered address — loaded a stripped-down version of the site, with links to stories that didn't work. Some found that the IP address led to a version that was similar but not identical to the main site, again with links that didn't work.

Gunter Ollmann, chief technology officer of Internet security firm IOActive, said the site was functional at his office in Atlanta. "The fact that I can see the site but you can't could mean" it could be a regionally limited attack, he said.

Ollmann added that the regionally varying results could also stem from the Times restoring servers located in different locations.

The Times turned to Twitter to tweet news updates.

Media websites are becoming increasingly complex and vulnerable as they integrate more software and content from partners, including third-party vendors, "widget" developers and advertising networks.

But corporate websites' Domain Name System (DNS), which assigns the site's domain names and indexes them on designated servers, remains particularly vulnerable to hacker attacks, Ollmann said. "It's a very complex equation," he said, adding, "there are soft points."

Twitter also said its trouble stemmed from its DNS provider, which "experienced an issue" that resulted in users having trouble viewing images and photos Tuesday. The attack on the unnamed vendor resulted in the outage of a Twitter domain used for images, twimg.com. Twitter did not confirm that SEA was involved. "No Twitter user information was affected by this incident," it said.

A day after the Times' Aug. 14 crash, the SEA also took down the websites of The Washington Post, CNN and Time. The companies said SEA hacked the Internet service of Outbrain, a content recommendation company whose software widget is embedded in their websites.

Such attacks underscore the vulnerability of electronic links and communication that now underpin much of the information flow in the U.S. But targeting media sites brings more attention for hackers, Ollmann said. "If the website of GE or The New York Times went down, which is going to generate more attention?"

The Wall Street Journal, a competitor of the Times, reacted quickly to the news of the outage. The newspaper, which requires subscribers to pay a monthly fee to access its articles, tweeted Tuesday that it is temporarily removing its pay wall for all readers.

The Times allows readers to read several articles for free each month, but requires a subscription for full access to its site.

Women at Google Looking Past the Glass Ceiling

Story originally appeared on the New York Times.

MOUNTAIN VIEW, CALIF. — When Isabelle Olsson, the lead industrial designer for Google Glass, arrived at Diane von Furstenberg’s New York studio to fit models for the new device, she wasn’t concerned about how the models would look strutting along the runway wearing tiny screens and computers on their faces.

Instead, she was nervous about color.

The current palette for the frames of Glass, the Internet-connected eyewear, is limited: cotton (white), tangerine (orange), sky (blue) and two shades of gray. Although wearing a pop of turquoise or coral on your face might fly in Silicon Valley, Ms. Olsson worried they would clash on the runway.

But when she entered the studio days before Fashion Week last fall, she saw coral crepe tunics and flowing turquoise pants. The styles, which Ms. von Furstenberg described as “rebel princess,” just happened to be the same palette as Glass, despite being conceived long before the designer discovered the gadget.

A week later, one model matched a tangerine Glass to the orange architectural squiggle on a jumpsuit, and another paired a sky Glass to a turquoise slouchy tank and bag. When Ms. von Furstenberg took her call at the end, she wore tangerine. On her arm was Sergey Brin, Google’s co-founder, in sky.

“I love color, so I knew it was important, but not the extent to which it is about the emotional connection,” said Ms. Olsson, who trained in Sweden and whose job interview at Google, in which she did not know the secret project she would be working on, included questions like, “Do you like yellow?”

Ms. Olsson, 30, is one of a group of women charged by the company with turning Glass into the next It accessory. If high fashion and high tech are worlds apart, the women of Google Glass are like explorers, trying to connect the two.

They are also pushing another boundary, as senior women in tech, where men still outnumber women three to one. The disparity is even more extreme among engineers. Yet at Glass, women are leading hardware and business efforts for one of Google’s biggest-ever product gambles.

Along with Ms. Olsson, the team includes Jean Wang, 33, a hardware engineer in charge of Glass features like optics and acoustics, and Kelly Liang, 39, the director of business development, who oversees partnerships with app developers and others.

In an interview over a luau-style lunch at the company headquarters here, the three said they do not give much thought to their status as women in tech.

Ms. Liang came from investment banking, where she said she became comfortable being the only person not in cuff links. Ms. Wang said that when she pursued her doctorate in electrical engineering, there were five men for every woman in her courses.

“I’ve been inert to seeing myself as a woman versus a man,” she said. “I see my colleagues as my colleagues, regardless of gender.”

“That being said,” she added, “I think there’s a lot more to do to encourage women in the technical space.”

The three said they are conscious of bringing a woman’s perspective, as it were, to their work on Glass, whether it’s trying it on people with long hair and feminine facial structure or thinking about the apps women would like to see (thus the partnership Ms. Liang struck with Elle for an app that delivers street-style photos and fashion news).

There are the young women who tell Ms. Olsson after they see her speak about Glass that they want to become industrial designers or mechanical engineers, too, and the women with disposable income who ask where they can buy the product, which Google has said would be available more broadly to consumers next year (the cost has not yet been announced, though early testers paid $1,500).

“Most of the people who stop me on the street are women,” Ms. Olsson said. “Women have a different reaction than when they see some dude wearing it. It makes a difference seeing it on me.”

That is one of the reasons that, when a Tumblr blog titled White Men Wearing Google Glass (including one in the shower) made the rounds on the Internet, the women of Google Glass collectively cringed.

“It frustrates me because it’s not representative,” Ms. Olsson said.

Still, the blog highlighted not just technology’s gender problem, but also Google Glass’s style problem. While flaunting the newest gadget may be the epitome of style for people in the tech industry, something that could be so radically paradigm-changing is a harder sell for a set more accustomed to the double G’s of Gucci.

“We absolutely have to consider style and fashion, because once you put something on your body, it becomes part of your expression of who you are,” said Jennifer Darmour of Artefact, a technology design firm. “For the broader mainstream, I think Google Glass is devoid of style.”

Still, the fashion world is intrigued by something that is both a new potential shopping pathway and an accessory in its own right.

Ms. von Furstenberg said she decided to include Glass in her show after running into Mr. Brin, a friend, in Sun Valley, Idaho. He was “wearing these odd glasses,” she said, and when she tried them on, “I was floored.”

Accessories, Ms. von Furstenberg said, “tell someone that extra bit about you, and I think to wear Glass is to show that you are engaged, you are current, you are open to new things.”

Vogue has dedicated 12 pages in its September issue to a futuristic spread featuring models wearing Glass, sleek hair and minimalist designs, like an oversize amethyst Stella McCartney coat, in a rusted steel house in Texas resembling an alien spaceship.

“For me, the trend of the season was color and the attitude was the future,” said Tonne Goodman, Vogue’s fashion director, who oversaw the feature. She said Glass lent “a fantastic dimension to it.”

And Miu Miu’s new Rasoir sunglasses bear a resemblance to Glass, with their frame across the top of the eyes that cuts away below. A spokeswoman declined to comment on whether Miuccia Prada was inspired by Glass, but the sunglasses have sold out twice in the Bay Area.

As wearable technology moves beyond research labs, other tech and fashion companies are also experimenting with how to turn devices into accessories.

Apple hired Paul Deneve, the former chief executive of the Yves Saint Laurent Group, to work on “special projects,” widely believed to be wearable computing like a smart watch. The designer Rebecca Minkoff made a hot pink studded clutch that opens to reveal Bluetooth-connected speakers. A new clutch called Everpurse wirelessly charges smartphones tucked inside.

Ms. Liang acknowledged that Glass does not yet suit everyone, but said the fashion industry’s embrace of it has made a difference.

“All of a sudden it wasn’t just an electronics device,” she said of Ms. von Furstenberg’s show. “It was a fundamental shift in the way consumers and partners looked at Glass, as a fashion accessory that could be beautiful.”

She hinted that more styles and apps are coming that would make Glass attractive to a wider audience, like frames in different styles and ones that could clip onto prescription lenses. Ms. Olsson recently revealed a prototype with a hipster tortoise frame.

The new devices are a far cry from the original prototypes created by the Glass engineers. They took a cellphone’s motherboard, a battery and a Pico projector and taped it all to a pair of white plastic frames printed with a 3-D printer.

Then they had to make it look good, but still function.

“Usually you get design briefs, and they’re documents and requirements and schedules,” Ms. Olsson said. “But this brief was short and sweet: it was ‘comfortable and beautiful.’ Which was terrifying.”

One of the biggest problems was that device components are made for rectangular boxes — computers and phones — and not for wearable gadgets.

Ms. Olsson and Ms. Wang kept pushing the engineers to shrink things. One day they took the camera, shaved off a few centimeters and reattached it, finding it still worked.

Ms. Liang and Ms. Olsson traveled to Asia for inspiration, like a teacup with glaze around the edge that led to a black border on Glass.

“I die for Japanese design and architecture,” Ms. Olsson said. “Sometimes when we’re struggling with something, I say, ‘Make it more Japanese’ — clean and considered and balanced but still bold and edgy.”

That also describes how she incorporates Glass into her look. She favors tangerine (“I’m very pale so I don’t mind a pop of color”) to go with her red hair, minidresses, slouchy Givenchy bag and signature robin’s egg blue fingernails.

Ms. Wang wears charcoal (“It works well with different clothing”), and Ms. Liang, who says Glass is most useful while driving her children in her minivan, likes cotton.

It matches the mother-of-pearl Rolex her husband gave her for an anniversary: a watch she wears only for sentimental reasons now, she said, because Glass, seen out of the corner of her eye, is already telling her the time.

Microsoft says CEO Ballmer to retire in 12 months

Story originally appeared on the Detroit News.

New York — Microsoft CEO Steve Ballmer, who took over the helm of the world’s largest software company from founder Bill Gates, will retire within the next 12 months.

Microsoft Corp. did not name a successor. The company said it is forming a search committee, which will include Gates, and Ballmer will stay on until a replacement is found.

“There is never a perfect time for this type of transition, but now is the right time,” Ballmer said in a statement released by the Redmond, Wash., company.

After the news broke, Microsoft’s stock shot up as much as 9 percent shortly after the markets opened. The shares came within two dollars of their 52-week high.

Microsoft has struggled in the Ballmer era. When he took the helm in January 2000, Microsoft’s market value stood at more than $601 billion. Today, the company is worth less than half that amount, at nearly $270 billion.

The CEO’s announcement comes less than two months after the company unveiled a sweeping reorganization of its business in an attempt to reignite competition with faster-moving rivals such as Apple and Google.

Among Ballmer’s biggest mistakes, detractors say, were his initial dismissals of emerging threats from Google and Apple. He consistently pooh-poohed Google as a one-trick company during its early years and in 2007 declared: “No chance that the iPhone is going to get any significant market share.”

Google quickly made important inroads in Internet video, online maps, email and mobile computing and contributed to the damage that the iPhone and iPad have done to Microsoft and its partners in the PC market.

Microsoft, along with other companies that thrived in the era of personal computers, is scrambling to transform its business as people increasingly come to rely on smartphones and tablets.

Although it derives some three-quarters of its revenue from sales of software and services to businesses large and small, Microsoft has failed to capture the imagination of consumers who have become more enamored with mobile gadgets than PCs. Response to the newest version of its flagship Windows operating system, Windows 8, has been lukewarm.

In his statement, Ballmer noted that the company is moving in a new direction and needs a CEO that will be there for the longer term.

Microsoft, he added, “has all its best days ahead.”

Ballmer, 57, met Microsoft founder Bill Gates in 1973 while they were living down a dormitory hall from each other at Harvard University. He joined Microsoft in 1980 to bring some business discipline and salesmanship to a company that had just landed a contract to supply an operating system for a personal computer that IBM would release in 1981.

Ballmer, a zealous executive prone to arm-waving and hollering, did the job so well that he would become Gates’ sounding board and succeed him as CEO in 2000. He has worked at Microsoft for 33 years, matching the tenure of Gates, who left the company in 2008.

“It’s a tad surprising, but every other business head has been rotated out,” said BGC Financial analyst Colin Gillis. “They swapped out all their segment heads over the past few years. The only one they haven’t changed is the CEO.”

Ballmer, a Detroit native, returned to his home state in June to open Microsoft’s first-ever full-service Michigan store inside Troy’s Somerset Collection. Ballmer helped set a party-like atmosphere at the grand opening, and at one point picked a child out of the crowd and gave him a ticket for a new Xbox One.

Though investors cheered the news on Friday, Gillis cautioned that it could be a “tough 12 months” for the company.

The obvious successor — former Windows head Steven Sinofsky — got booted by Ballmer, he said.

Sinofsky left the company shortly after the launch of Windows 8 last year.

Veteran executive Julie Larson-Green, the head of Microsoft’s devices and studios engineering group, has been floated as a potential successor. She was promoted to her most recent position in July, after being tapped in November to lead all Windows software and hardware engineering.

Although the company said Friday that it will consider both internal and external candidates, some analysts are betting that the company’s next leader will come from outside.

Walter Pritchard, an analyst with Citi Investment Research, said Microsoft’s expected focus on external candidates will make it tough to predict who will become the next CEO and what direction they will take it in. He added that the search will likely take a significant amount of time, potentially the entire 12 months Ballmer has said he will stay.

When Ballmer joined Microsoft in 1980, it was populated with geeky programmers, led by Gates and the other founder, Paul Allen. Ballmer had already held a product management job at Procter & Gamble and was attending Stanford University’s graduate school of business when Gates convinced him to move to the Seattle area to whip Microsoft into shape.

Ballmer dropped out of Stanford, but only after Gates agreed to give him an 8.75 percent stake in a then-tiny startup that still hadn’t even incorporated as a company. It turned out to be one of the world’s greatest business partnerships. By late 2012, Ballmer had accumulated an estimated fortune of nearly $16 billion from his initial Microsoft stake and additional stock options he later received.

He also was instrumental in growing Microsoft from a company that had fewer than 40 employees and $12 million in annual revenue when he came aboard. In 2012, Microsoft had 94,000 employees and $74 billion in annual revenue.

When he took to the stage to extol Microsoft, Ballmer often acted more like a crazed cheerleader than the chief executive of an influential company. In one presentation that eventually became a viral sensation on the Internet, Ballmer bounded across the stage, jumping up and down while yelping and imploring the audience to stand up, before breathlessly proclaiming, “I LOVE THIS COMPANY!”

But Microsoft enjoyed its greatest success with Gates at the helm and Ballmer as his sidekick.

Gates turned over the reins to Ballmer in January 2000 in a surprise move, because Ballmer had been considered more of a numbers and sales specialist, not a technology specialist.

The CEO change came just a few weeks after Microsoft’s stock hit a record high of nearly $60, on a split-adjusted basis. While Ballmer was CEO, Microsoft’s stock performed poorly, slashing billions from the company’s market value.

Part of the downfall stemmed from the bursting of a technology bubble that helped inflate Microsoft’s stock just before Ballmer took over.

But Microsoft also has fallen out of favor because many investors had concluded Microsoft was more interested in protecting its Windows franchise than coming up with new ideas and products to enter promising new markets on the Web and mobile devices. It didn’t help that Ballmer seemed to initially underestimate the threats posed by a resurgent Apple Inc. and Internet search leader Google Inc.

By the time Ballmer took Google more seriously and began pouring money into trying to build a better Internet search engine, Microsoft already was hopelessly behind. The company’s online division lost billions of dollars without putting a serious dent into Google’s dominance of the field.

Google’s rise riled the quick-tempered Ballmer, especially when key Microsoft engineers began defecting to the then-smaller company. After one Microsoft employee met with Ballmer in November 2004 to tell him he was leaving to join Google, Ballmer threw a chair across his office, according to a sworn declaration filed in a lawsuit. Ballmer then launched into an obscenity-laced tirade in which he vowed to “kill” Google.

By 2012, the iPhone was generating more revenue than Microsoft was as an entire company and giving people less reason to replace their PCs. Again, Ballmer had to scramble in an attempt to adapt and ordered a dramatic makeover of Windows so it could run on mobile devices, as well. The new system, Windows 8, borrowed many of its ideas from the software that ran the iPhone, just as Microsoft had copied some of the concepts for its early versions of Windows from Apple’s Macintosh.

The iPhone’s immense popularity helped Apple overtake Microsoft as the world’s most valuable company while Ballmer was CEO.

In midday trading, Microsoft shares rose $1.88, or 6 percent, to $34.27. Over the past 52 weeks, the company’s shares have traded between $26.26 and $36.43.

Friday, August 23, 2013

Nasdaq outage resembles hacker attacks

Story originally appeared on USA Today.

SEATTLE — Officials for the moment say they cannot pinpoint anything malicious about the extraordinary outage of the Nasdaq stock exchange earlier today.

But the incident had all the earmarks of the three waves of denial-of-service attacks that have bedeviled U.S. financial institutions, including stock brokerages, since last September.

An Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — has claimed credit for orchestrating sophisticated attacks that have overwhelmed the expensive security systems U.S. banks have put into place to keep their online banking services up and secure.

"My first thought is that it is a denial-of-service attack, but I'm not sure," says Gartner banking security analyst Avivah Litan. "It's a very attractive target. It's very visible, and that's what these Iranian state attacks are all about, making a political statement by disrupting a visible website."

More recently, a copycat group of profit-minded hackers has conducted denial-of-service attacks against certain U.S. banks as a smoke screen to divert attention while they execute an Ocean's 11-style wire transfer fraud.

Litan earlier this month blogged about that caper. These bad guys, she says, set into motion sophisticated denial-of-service attacks that overwhelmed pretty sturdy bank network security. While tech staff labored manually to get the banks' websites back into service, the crooks scrambled behind the scenes to extract funds from a bank employee's privileged account, which they had gained access to.

Instead of getting into one customer account at a time, the criminals used the employee's account to control the master payment switch for wire transfers, and moved as much money as they could from as many accounts as possible for as long as possible, Litan reports.

"Considerable financial damage has resulted from these attacks," says Litan.

However, Litan says those copycats would have a considerably harder time trying to extract funds from a stock exchange, where funds move about in a highly complex process understood only by stock market tech gurus.

It's more plausible that the Iranian ideological hackers would be behind a disruption of Nasdaq, like the three-hour outage that began shortly after noon, Eastern time, Litan reasons.

The first wave of denial-of-service attacks attributed to the Cyber Fighters of Izz ad-Din al-Qassam began last September and lasted about six weeks. Knocked offline for various periods of time were Wells Fargo, U.S. Bank, Bank of America, JPMorgan Chase & Co. and PNC Bank.

The second wave commenced in December and lasted seven weeks, knocking out mid-tier banks and credit unions.

And a third wave of high-powered denial-of-service attacks commenced in March targeting credit card companies and financial brokerages.

"I don't have any inside knowledge, but I think this one (Nasdaq) is political, as well," Litan says.

Nasdaq has been hit by hackers before. In 2011, the FBI disclosed that they discovered suspicious files lurking in a server supporting Nasdaq's Directors Desk, a cloud-based collaboration service for company board members and senior executives.

Hackers often embed such files to snoop for valuable data, in this case possibly to gain information to make trades using insider knowledge.

Nasdaq at the time issued a statement saying "there is no evidence that any Directors Desk customer information was accessed or acquired by hackers."

However, it typically takes weeks to months for forensics experts to unravel where expert hackers have roamed in a breached network.

Security experts also note that brokerage Goldman Sachs reported a startling Internet-related glitch on Tuesday.

The giant brokerage house reported a system programming error that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase & Co., Johnson & Johnson and Kellogg Co., according to Reuters.

The timing of today's Nasdaq outage -- occurring within 48 hours of the Goldman Sachs glitch -- strikes Roel Schouwenberg, senior researcher at Kaspersky Lab, as peculiar.

"It's definitely possible that either cybercriminals or hacktivists were responsible for either of these incidents," Schouwenberg says. "So that means it could either be an operation which is financially motivated or an operation which is aimed at sabotage. However, this is speculation. These could all just be glitches of sorts, but the timing is definitely strange."

Sean Sullivan, a security adviser at F-Secure, concurs.

"Well, so far this week there's been a computer error that caused Goldman Sachs to sell options for a dollar, and now this," Sullivan observes. "It really, really makes me wonder about the undisclosed details surrounding the Nasdaq forum hack."

Tuesday, August 20, 2013

Facebook CEO Zuckerberg's profile hacked

Story originally appeared on USA Today.

SAN FRANCISCO -- Facebook CEO Mark Zuckerberg, whose company prides itself on benevolent hackathons, has been the target of a hacker.

A Palestinian man posted a message on Zuckerberg's page last week after he said repeated attempts were made to report the security hole on the social-networking site.

"First, sorry for breaking your privacy and post(ing) to your wall, I (had) no other choice to make after all the reports I sent to (the) Facebook team," Khalil Shreateh wrote on Zuckerberg's wall.

Shreateh is a self-described unemployed security researcher. Shreateh posted a series of email exchanges he said were between him and Facebook's security team.

The Palestinian researcher said he discovered a security hole allowing him to post to any member's page.

Facebook's security team, which awards cash to so-called white hat hackers that report flaws, said the reports from Shreateh were unclear amid the hundreds of daily reports it receives.

"Had he included the video initially, we would have caught this much more quickly," wrote Matt Jones, a member of Facebook's security team, on YCombinator's Hacker News.

Facebook is located in Menlo Park, Calif., on an office park whose street is named Hacker Way. The company posted a hacker manifesto of sorts in its preliminary prospectus outlining its company.

Facebook fixed the flaw on Thursday.

Monday, August 19, 2013

Does Google have a case of Microsoft Fever?

Story originally appeared on USA Today.

SAN FRANCISCO — Recent changes made by Google to its Gmail application remind me of something Microsoft did more than a decade ago, just before the software giant began to suffer its long slowdown in growth.

The e-mail product updates suggest the search giant's overwhelming success in dominating its markets has spawned a corporate disease that ultimately may harm Google more than any rival can.

The affliction — let's call it Microsoft Fever — is a patronizing belief that Google now knows what its users want better than those users themselves and can solve any user problem — real or imagined — by throwing more features at them.

Yet the history of consumer software reveals that when product engineers run amok, interface design suffers, leaving users often alienated by updates they never asked for, and which make a program harder to use.

I can still remember the first time I vowed to stop using all Microsoft software — just as soon as I could make a living without it.

It occurred at the turn of the last century, when Microsoft dumped on users of its PC operating system what is arguably the most unloved animated character in the history of office software.

I'm referring of course to the too-cute digital paper clip (alternately known as "Bob" or "Clippy") which first popped up on Microsoft Office desktops in 1997, a time when the company's revenue and stock price were both soaring.

Clippy, as we'll call it, used to waft over the text on my screen like Casper the Friendly Ghost — bringing along innocuous advice designed to be helpful but which in reality was almost always annoying and unwelcome.

Even though the feature was supposed to be a support tool, Clippy was far more distracting than anything else.

The engineers who designed it presumably assumed that they knew more about what I wanted to do with the software than I did, even though I was the one using it.

They didn't, and I wasn't the only user who felt that way, which is why Clippy was sent to its rightful demise after being included as a standard feature in Office versions from 1997 until 2003 (or 2004 for the Macintosh version).

The fact that Clippy lasted even six years foretold much that was wrong at Microsoft.

Just three years after Clippy's retirement, Microsoft rolled out a sweeping update of its operating system that CEO Steve Ballmer once touted as the company's most innovative product since Windows 95.

Yet the new version of the OS, dubbed Vista, was both bulky and unstable, slowing down PCs so much that Microsoft began letting customers swap it out for free within a year.

Because media companies aren't exactly on the leading edge of technological change, it took me years to rid my livelihood of Microsoft software. By the time I did, however, the company's revenue growth had withered significantly.

As with the appearance of Clippy, the recent Gmail updates have me looking — for the first time — for an alternative to the program, which I've used exclusively for work for almost five years.

Google's decision to sort my mail into three buckets, called "primary," "social" and "promotions" has been a hassle, for several reasons.

To share just one example, if I want to see which of my columns has garnered me more followers on Twitter — a key consideration in my trade — I now have to go looking for that data on a different screen from the one I'm usually using.

Likewise with the way that Google keeps trying to guide me over to its own social network, dubbed Google+, when I'm logging into Gmail from my smartphone.

It seems pretty clear Google made the changes to promote Google+ and give its own ads and coupon offers an advantage of placement over those sent to my inbox from other companies.

That doesn't bother me, because we live in a capitalist system and Google exists to make a profit and not be evil, as its founders once naively asserted in their IPO registration document.

No, my biggest beef with these updates is that Google didn't get my permission before significantly changing the first screen I see at the start of every workday.

Instead, one day I logged on and, instead of seeing my familiar inbox, I saw a screen that had across its top a series of tabs that divided up my e-mail in a way that Google thought was best.

That paternalistic (or cavalier) attitude toward users — similar to when Google collected data from private WiFi networks for its Street View product — seems not only slightly evil but also off the mark.

As with Microsoft's paper clip, the changes to Gmail have annoyed more than just one cranky tech journalist.

A growing list of Google's e-mail marketing partners, ranging from Gap to Groupon to Delta Airlines, have begun sending their customers detailed instructions on how to move e-mails back into their primary inboxes — where they're more likely to see them.

I've made the same changes, but the fact that I have to spend extra time undoing what Google has done is why I'm now looking for another program to use every day.

Dominant tech companies don't fade away overnight. Rather, they and their products persist for decades — long after they stop being helpful and innovative.

But dominance leads to arrogance, which can cause companies to forget to put their users first.

After seeing what Google has done to Gmail, I strongly suspect that within the Googleplex are floating the first spores of Microsoft Fever, the same disease that spawned Clippy and presaged the end of the software giant's glory days.

Hacking assaults on media sites intensify

Story originally appeared on USA Today.

SEATTLE — Middle Eastern hackers infiltrated a popular Internet news delivery service, giving them possible access to some of the largest U.S. news sites on Thursday.

An online group called The Syrian Electronic Army, representing supporters of Syrian President Bashar al-Assad, hacked the Internet service of Outbrain, a content recommendation company whose software "widget" is embedded in the websites of several major publications.

As a result, the websites operated by three Outbrain clients — The Washington Post, Time and CNN — contained messages that referred to the SEA.

USA TODAY is also an Outbrain client, but its site was not affected.

That development — combined with the hack of the Twitter accounts of several New York Post reporters on Tuesday and the website outage of The New York Times on Wednesday — is being viewed by some security experts as evidence that major U.S. news outlets have now emerged as prime targets for nation-state adversaries of the U.S.

The New York Times attributed its outage to a server problem.

"It's starting to look like there's an organized campaign targeting major U.S. media outlets," says Tom Kellermann, Trend Micro's vice president of cybersecurity. "It's not clear whether their end game is to target reporters' sources or to use the news sites as watering holes (to infect patrons.)"

In a statement, Emilio Garcia-Ruiz, managing editor of The Washington Post, confirmed that "some articles on our website were re-directed to the Syrian Electronic Army's site for a period of about 30 minutes" Thursday morning.

Garcia-Ruiz pointed out a tweet by SEA that claimed it used Outbrain as a vehicle for the attack. "We have taken defensive measures and removed the offending module," Garcia-Ruiz wrote. "At this time, we believe there are no other issues affecting the site."

A few days ago, Post newsroom employees were targets of a phishing attack allegedly carried out by the Syrian Electronic Army, Garcia-Ruiz said. "The attack resulted in one staff writer's personal account being used to send out a Syrian Electronic Army message," he said.

CNN also confirmed Thursday that an Outbrain headline widget used by its international website, CNNi.com, ran headlines referring to SEA. The widget was subsequently removed. Its main website, CNN.com, was not affected, the company said.

"The security of a vendor plug-in that appeared on CNNi.com was briefly compromised today. The issue was quickly identified and (the) plug-in disabled," said CNN spokesman Matt Dornic.

In a statement, Time Inc. said "content provided by Outbrain that appeared on some of our sites was impacted by the hacking activity at Outbrain. We're no longer running that content."

Outbrain issued this statement: "We are aware that Outbrain was hacked earlier today. In an effort to protect our publishers and readers, we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it's safe to turn it back on securely. We are working hard to prevent future attacks of this nature."

Gunter Ollmann, chief technology officer at computer security firm IOActive, observes that as websites continue to embed content streams from third parties and other affiliates, "this type of hack can taint many of the more secure and popular sites on the Internet."

Starting last fall, U.S. financial institutions have been hit by three waves of massive denial-of-service attacks, shutting down their consumer websites for extended periods, despite heavy investments in security technology. An Islamic group claimed responsibility. Experts say that those outages may have helped cover large-scale hijacking of funds from online accounts.

"Now we're seeing our geopolitical adversaries moving on to wage a campaign against major U.S. media outlets," says Kellermann. "The U.S. military cannot protect private corporations from these types of attacks. So targeting media is a cultural vulnerability being exploited by the enemies of the U.S. The irony is that we believe in freedom of speech. Our enemies are showing they can control that."

Embedding software from partner vendors is a common practice for media websites. That innovation poses potential dangers for U.S. media companies, as it exposes a vast security weakness intrinsic to the loose-knit trust relationships on which online promotions and advertising have been built.

Third-party partnerships to promote content and direct advertising to specific audiences support the multibillion-dollar online advertising industry. This Internet-enabled collaborative effort to match your Web-surfing habits to things you might buy is wide open to the spreading of malicious coding, experts say.

"From a hacker's perspective, this represents a (form of) soft attack for compromising high value and prestige websites — and we can expect them to be targeted with increased vigor over the next few years," Ollmann said.

The SEA clearly took pains to analyze the supply chain partners of the media giants. And with a bit more digging, anyone can discover which of the thousands of smaller ad networks and third-party affiliates, such as Outbrain, are looped in.

"You can go through and see which are the most vulnerable and which ones have the highest presence on the most news media sites," says Darien Kindlund, manager of threat intelligence at network security firm FireEye. "If I were a large media organization, I'd want to review all of the trust relationships I have with ad partners and make sure none of them are vulnerable in the same way as Outbrain."

Washington Post Site Hacked by Syrian Group

Story originally appeared on New York Times.

Visitors to some articles on The Washington Post’s Web site Thursday morning were being redirected to the site of the Syrian Electronic Army, a hacker collective that supports the Syrian president, Bashar al-Assad.

The Post said on Thursday afternoon the episode was over and under control. “We have taken defensive measures and removed the offending module,” Emilio Garcia-Ruiz, The Post’s managing editor, wrote in an editor’s note on the site. “At this time, we believe there are no other issues affecting the Post site.”

The paper reported that the Syrian collective had said in a Twitter post that it had also attacked Time magazine and CNN, suggesting it had tried to carry out a coordinated attack on American news outlets.

Mr. Assad has faced intense media scrutiny for the government’s role in the long, bloody civil war taking place in Syria, but the collective did not make it clear whether it targeted The Post because it was displeased with its coverage. An article in the newspaper indicated that it was mostly foreign coverage affected by the breach.

In the editor’s note, Mr. Garcia-Ruiz said the Syrian Electronic Army had said in a tweet that it gained access to the site by hacking one of its business partners called Outbrain. A third-party content recommendation service, Outbrain works by embedding a widget on Web sites filled with sponsored links. Time and CNN also use the service.

A spokeswoman for Time, Jane Lehman, said the company’s sites were not hacked and the security was not compromised. “The content on some of our sites provided by Outbrain was impacted by the hacking activity at Outbrain,” she said.

CNN also said its sites were not directly penetrated. “The security of a vendor plug-in that appeared on CNNi.com was briefly compromised today,” it said in a statement. “The issue was quickly identified and plug-in disabled.”

According to The Atlantic Wire, which also employs Outbrain, the recommendation service sent a statement to its business partners saying in part: “This morning, the Outbrain service was attacked, and as a result, we have taken the service down temporarily as a precautionary measure.”

Mr. Garcia-Ruiz’s post provided this background on the security breach: “A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our Web site were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain.”

On Wednesday, The New York Times’s site was down for several hours. The Times cited technical problems and said there was no indication the site was hacked.

Monday, August 05, 2013

Japan sends talking robot into space as part of program to help lonely people

Story originally appeared on PC World.

Kirobo, a talking robot that also recognizes faces, was launched Sunday on a cargo transfer vehicle and will reach the International Space Station in six days.

The robot is part of a program that aims to use such devices to provide companionship to people living alone, including the elderly.

Kirobo boarded the Kounotori 4 cargo transfer vehicle launched from the Japan Aerospace Exploration Agency's Tanegashima Space Center atop an H-IIB launch vehicle on Sunday morning, the Kibo Robot Project, which counts Toyota and Robo Garage as two of the project partners, said on its website.

The black and white robot, with red boots, is a little over 13 inches (34 centimeters) tall, and combines speech, voice and face recognition and other communications functions. Its first task will be to communicate with Koichi Wakata, a Japanese astronaut who joins the robot in November, according to reports. Backup crew member Mirata, who stays back in Japan, has similar capabilities.

"The Kibo robot has a special mission: To help solve the problems brought about by a society that has become more individualized and less communicative," the project wrote on its website.

Japanese-speaking Kirobo will spend 18 months on the ISS, talking to Wakata.

The project earlier asked people to suggest names for both the robots, and got 2,452 entries from 1,226 people.