Software-Based Claims Attack Strategies

Under Italian law, hiring a software house to produce an industrial application may expose a non-IT-savvy company to civil and criminal action filed by the software house itself and/or by the other software house that has been called in to replace the one that initially did the job. This is the consequence of a lazy attitude towards a properly written agreement and a deep ignorance of the intricacies of the software development world.

Here is a fairly usual scenario: a tile manufacturer needs software to control the temperature of the ovens used to finish the products. It asks a software house to write the application, securing in the agreement that “all the intellectual/industrial property belongs to the company”. By doing this the company feels on the safe side and believes it is shielded from whatever problem may arise.

But.

The agreement didn’t clarify the exact way the IP must be transferred, so the software house delivers the software on a LICENSING basis and not as a full-ownership transfer. Once the agreement has been signed, the company doesn’t read the subsequent papers at all and thus, de facto, the agreement has been amended, possibly unbeknownst to the company’s legal department.

Let’s say, now, that the business relationship with the software house breaks down and the company finds another partner, giving them access to the source code written by the previous developer. The company sees no problem in doing so, since it believes it “owns” the software, so the new developer just starts working on the code.

But.

The company failed to identify the code supplied by the original developer (for instance, by adding disclaimers or comments both in the source and in the executable version), thus infringing the moral IP rights that, under the Italian Copyright Act, belong to the author and cannot be sold or otherwise transferred.

So the software’s author steps in, claiming that the company has violated his rights because it allowed a third party to access and use LICENSED code. And when the company tries to blame the new developer, he counters the move by accusing the company of infringing the Criminal Corporate Liability Act (Legislative Decree 231/2001) because of the lack of prior identification of the supplied source code as being authored by a third party.

Lesson learned: under Italian law a proper software development agreement should at least contain:

– a precise identification of the source code that has been released, with a duty, on the software house’s side, to mark and duly comment the software,

– a clear statement about the IP ownership transfer to the company,

– a clear exclusion of any further change or amendment including the impossibility of turning the agreement from a full-transfer into a license,

– a clear provision that, whatever the legal status of the software, the company is entitled to be given the source code,

– a clear clause that grants the company, whatever the legal status of the software, the right to allow third parties to access and modify the source code.

Furthermore, since agreements of this kind, once signed, rarely come back to the legal department’s desk, it is fundamental to train the technical and financial departments involved in the subsequent steps to carefully scrutinize papers and communications, so as to avoid any “muddying” of the original stipulation.

A final note: when a third party is hired to work on the software, it should be made clear that the software, while owned by the company, still bears the original author’s moral rights, with all the legal consequences.


My Answers to the House of Lords EU Committee about the Right To Be Forgotten

A LinkedIn post by Luciano Floridi announces a British House of Lords EU Committee hearing about the Google Spain ECJ decision and the right to be forgotten. Here are my two cents (sorry, this isn’t going to be a short post):

Q. Do you agree with the Court’s ruling that Google (and other search engines) can be classed as data controllers?

A. NO. Search engine activity as such doesn’t handle personal data under Directive 95/46/EC. The collection and organization of the retrieved data are the automatic output of a search algorithm. The issue arises when the retrieved data are used for purposes other than merely providing search results, i.e. to identify a natural person and build his/her profile. To give an example: Duckduckgo.com and, before it, Cuil are search engines that collect no user data, so it is not possible to include them in the legal “data controller” definition.

Q. The question put by the Spanish court to the Court of Justice referred to the data subject wishing to have information “consigned to oblivion”. Isn’t the true position that information removed from websites will always continue to exist, but will simply not be so easily accessible?

A. Yes. And the fact is that information that is still available remains accessible by alternative means (word of mouth, newsgroups, social networks, etc.). The point is that we are lured into thinking there is nothing on the Internet outside Google, but this is simply not true. Google is used because it is quick and effective, but when proper information is needed nobody relies upon a search engine; they try to connect with an expert on the matter instead.

Q. The Court has ruled that the data subject’s fundamental right to privacy “as a rule” overrides the right to receive information, but that this will not be the case if there is a public interest in “the role played by the data subject in public life”. Do you agree with this order of priorities? Can it in practice be implemented?

A. It is a legal mistake to build the right to be forgotten on the EU Data Protection Directive. The right to privacy is set forth by the European Convention on Human Rights, whereas data protection is a principle set forth in an EU Directive. Thus data protection is a subordinate and particular right that doesn’t necessarily imply privacy issues. The EU Data Protection Directive, indeed, runs contrary to the right to be forgotten because it sets a precise legal duty to handle personal data so that they are readily available, up to date and exact. This is contradictory with the idea of being forgotten, because a messy way of handling personal data (i.e. unreliable information) would be the best protection for an individual, whose personal whereabouts wouldn’t be easily found.

Q. Do you think it is in practice possible for Google to comply with the Court’s ruling?

A. Yes, but the decision is wrong and Google shouldn’t be forced to comply. The balance between individual rights and public needs can only be assessed by a Court, and we can’t bear the risk of letting a private company decide what we should and shouldn’t find. The Google Spain ECJ decision shifts the burden of protecting the public interest onto a private company’s shoulders. To put it short: the ECJ ruling gave Google the legal power to rewrite history.

Q. What do you consider to be a ‘reasonable time’ for companies to put in place an acceptable response to the CJEU’s ruling?

A. I don’t think a general answer is possible. There are issues to be considered, such as the number of users’ claims, the kind of legal issues involved in every single claim, the impact on the technical infrastructure and so on, that make giving a figure a roll of the dice.

Q. The proposed new EU Data Protection Regulation would give data subjects an even stronger ‘right to be forgotten’. Do you think the UK Government are right to oppose this?

A. Again, data protection doesn’t equal the right to privacy. The upcoming EU regulation shouldn’t deal with the right to be forgotten, because it is an out-of-scope issue that should be handled within the EU Convention of Human Rights framework.

Q. How do you think an acceptable balance can be achieved at EU level between the public’s right to know, and the right to privacy?

A. By reaffirming and hardening the principle that online (as offline) the main legal liability lies with the natural person who performs an action. In the specific case, if a fact is true and reported in a proper way there is no reason to erase it. Following the contrary opinion, today we wouldn’t know anything about Lucius Catilina’s attempted coup, because his heirs might legitimately ask, after about 2,000 years, that their ancestor be let rest in peace.

Italian Data Protection Act As Censorship Tool

The news of the day is that the lawyers of an indicted Italian politician will ask the Italian Data Protection Authority to block the publication of a video covertly made by a journalist, portraying this indicted politician while serving his sentence in an elder-care facility (as a substitute for a 4-month jail term).

While it is (still) not known whether the request will actually be filed, the news is a confirmation that the Data Protection Act is now seen as an effective tool to remove “unpleasant” information from the public sources in the name of “privacy protection”.

It will be interesting to see whether, in this case, the Italian Data Protection Authority will follow the censorious attitude shown back in 2006 in the case of a TV show that exposed several Italian MPs as drug users.

It really doesn’t matter whether, in this case, the Data Protection Authority blocks the video or not. The point is that by confusing “privacy” with “data protection” and giving room to a devious interpretation of the “right to be let alone”, as in the Google Spain case, in the long term we are making the work of future historians impossible and, in the short term, we are favouring the chance for the powers-that-be to finally get back their dark, quiet obscurity where anything can happen, hidden from public scrutiny.

In the name of “privacy”.

Aperture’s EOL And The Consequence Of Living in a Golden Cage

Apple discreetly manages software lifecycles to push users into buying its new, expensive hardware.

Recent news is that Apple is going to dump Aperture, its professional photo management app, while announcing the availability of a “photo” application in the next iteration of OS X. True, Apple is not going to drop support for it on the new OS versions, but for how long? This uncertainty will force people either to stay stuck on older machines or to move to Adobe Lightroom, the (currently only) competitor. In either case this will cost Aperture’s user base money and time.

Aperture is only the latest Apple-made piece of software to meet this or a similar fate. The latest version of Final Cut Pro X, as well as Pages, Numbers and Keynote, just to name a few, only work with the current OS X version, Mavericks.

True, compared to the consequences of Microsoft dropping XP, Apple’s choice looks like a trivial issue, but in the long term it is not: by managing the lifecycle of its applications and their backward compatibility, Apple is able to force its users into buying new, expensive hardware. Furthermore, for those who choose not to upgrade, old versions of the software might no longer be permanently available through the App Store and cannot be downloaded locally. So why should a professional user enter this uncertain (or, on the contrary, safe-but-costly) world?

This is the consequence of living in a Golden Cage: stay comfortable as long as you can afford it. And when (“when”, not “if”) you no longer can, just get lost and give room to the next, wealthy-at-the-moment occupier of your place in the Golden Cage.

Why Do We Blog (or Tweet, or Whatever…)?

Secure your presence online, get traffic to your website or social network profile, target potential customers and talk about them so you can be noticed and, hopefully, hired… The Internet is full of (often) contradictory advice on how to exploit communication tools to increase business and get new clients.

Of course there is nothing wrong in using marketing techniques like these, especially when complying with the McCann-Erickson motto: “Truth Well Told”. Nevertheless, I find it unfair to use this “Trojan Horse” approach: pretending to be nice, or talking about some specific issues, just because of the chance of being spotted and hired.

When, together with Stefano Chiccarelli, I wrote Spaghetti Hacker I couldn’t even foresee its success: 10,000 copies sold back in the late nineties, when the Internet wasn’t so widely available, and without the support of a PR agent. We got media coverage, conference invitations and, yes, a fair share of business. And the tide, after almost twenty years, is still high, since we (Stefano and I) both still meet people praising the book.

Well, we didn’t write the book because we were following a marketing strategy or to get onto somebody else’s radar. We just felt we had something to say about a topic we care about, and that was, and still is, largely unknown: the Italian hacker culture. In other words, Spaghetti Hacker was a sincere, straight-to-the-point message to whoever was interested in understanding what was going on in the then newborn Italian Internet.

So, where’s the point of this post?

Answer: sincerity and transparency. If you blog/tweet/post for marketing purposes, please do not pretend to have been born on July 4th.