Sunday, December 28, 2014

Non disclosure agreements (NDAs) for IT Projects.

An NDA can be defined as a contract in which two parties agree to share information for a stated purpose while restricting access to that information by third parties. It acts as a means of ensuring that a firm's intellectual property rights (IPR) are protected.


This allows a client to secure any IPRs and also to prevent excessive exposure which could affect any future patent applications. It also serves to clarify who owns the copyright. Instances where an NDA should be considered are:
- where new blue-skies project work is outsourced
- transfer of data into the cloud
- working within an existing system to add additional services.
In the latter case, all aspects of the ETL cycle would be under investigation, which involves the non-client party gaining considerable insight into the client's business. Hence some form of agreement is required.

What should the NDA cover? Both the code itself and the sources of the data, as well as the transformed information. One area which can be negotiated, however, is the re-use of meta-material: the processes and scripts which were used during the project, i.e. whether these devolve entirely to the client or can be freely implemented in other projects.

Audits provide a means of ensuring that NDA procedures are being adhered to. Elements of an audit might include inspection of specific documentation or visits by vetted client personnel to observe procedures. However, if the terms of the audit are too broad, with the client overseeing all elements of the other party's work, this would act as a delay on the project. Hence some measure of balance is required.

The issue of penalties should also be considered. These would come into effect if the terms were breached. It is not uncommon (as mentioned in Cloud Computing by Millard) for clients to seek unlimited liability for such breaches, which for the other party is very much a show-stopper. In passing, while there are elements of similarity, the NDA is not a non-compete agreement, the latter having to engage with elements of employment law.

Thus NDAs are at best a means of providing a supporting framework, so long as they do not devolve into a strait-jacket that sabotages the work of the parties.


Sunday, December 21, 2014

The Sony cyberattack and the Legal options, in war and peace.

A series of recent news reports indicate that the Sony corporation in the US has been subject to a cyberattack. The result was the compromise of the corporation's internal systems, with the disclosure of both intellectual property material and private personal data relating to employees, in the form of movie scripts and emails. As one apparent motive for the attack was a Sony film, "The Interview", which denigrated the North Korean regime, that state is currently thought to be the prime suspect.

From a legal perspective, what actions can the various stakeholders pursue, in the context of how such international cyberattacks should be dealt with? These can be placed in the context of earlier attacks and the frameworks subsequently created to pursue legal or other socio-political responses.

In 2007 the Baltic state of Estonia was targeted by a series of cyberattacks, mostly on public sites. As it was believed to be related to moves by the Estonian government that were purported to be anti-Russian, this neighbouring country was thought to be the main culprit. While a link to the Russian government was never proved, traces of the cyberattack were connected to known pro-Russian sites. The actual damage was done by targeting infrastructure websites with defacement and DDoS, which essentially made them unusable. The impact was major because Estonia had pursued the digitization of essential services, so the result was the seizing up of state utilities.

In the wake of this the Tallinn Manual was crafted as a rule book for meeting future attacks. In parallel, as Estonia was a member of NATO, it was declared that any such cyberattack on a member state would be regarded as an attack on all. The response was to be proportionate, but kinetic weaponry was not specifically ruled out.


The differences between this and the Sony attack are that a private company was the target and that the incident, while seemingly well planned, did not extend over the same length of time. In light of this, what are the US government's options under Tallinn Manual rule 11: ‘[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’?


First, was this an act of armed conflict or war? While Sony is a private company, the militarization of North Korean society would imply that any such attack would have the backing of its armed forces. Given the economic damage caused by the attack (loss of confidence in Sony and its cancellation of the film "The Interview"), this breaches the prohibition on the use of force in Article 2(4) of the United Nations Charter.
Second, even if that were so, then unlike physical-world attacks, the identity of the perpetrators of a cyberattack may be cloaked and difficult to trace. For instance, the authors of the Stuxnet attack have never been definitively identified, only suggested.

So, to sum up the author Roscini's position, the response has to be proportionate to the damage. While the private nature of this incident precludes an armed state response, in different circumstances with different actors such a response can never be ruled out.

Further Reading
- Who Controls the Internet? by Tim Wu
- Cyber Operations and the Use of Force in International Law by Marco Roscini

Sunday, December 14, 2014

DDoS and the law.

A distributed denial of service (DDoS) is where a computer cannot function correctly due to an intentional act which incapacitates the channels (ports, in IT parlance) on which the computer depends to communicate with the outside world. The mens rea and the actus reus are thus summed up. A DDoS usually comprises a number of infected computers (a botnet) acting in concert against the target, thereby overwhelming any attempt to block individual IP addresses. A physical-world analogy would be being unable to leave one's house because someone is using a tennis ball machine to fire items at the doors and windows, trapping the occupant and preventing anyone else from entering. This would be illegal in the analogue world, so how is it dealt with in the digital one, and why does it occur?


The good news is that a DDoS is unlikely to be targeted at a single user. There are other, easier ways to target an individual, and the real IT issues (mis-blocked ports, firewall settings etc.) are more likely to be the problem. However, to paraphrase the Sutton rule on illicit money, commercial enterprises are vulnerable to this type of attack. Not only is there a need under normal circumstances to be in operation 24/7, but in seasonal sales periods such as Christmas there is additional pressure to respond to any outage. If a business is unable to respond to user requests, then that sales opportunity is likely gone. Thus even where there is no associated damage or corruption of data, as could occur in a virus or Trojan based attack, the loss of goodwill and customers could cripple a business. So what are the means of dealing with this under law and enforcement?

The police have some measure of discretion in the enforcement of legal matters. There would be a difference between a minor matter affecting only one person and, at the other extreme, a serious issue affecting a group. However, while the police have become more tech-savvy with an increasing online presence (Anderson's "The Internet Police"), given the potentially global nature of any DDoS attack they are unlikely to be of immediate assistance during an attack. Thus an IT department which has planned and drilled for such an outage is a key requirement for handling these attacks.

Once the immediate DDoS is over, what are the legal avenues to explore? In statute, due to the evolving nature of IT, the various acts which deal with computer crime are written as broadly as possible so as not to become obsolete, with the common law filling any lacunae. Thus, as the key effect of a DDoS is to deny the user proper use of his computer, a Criminal Damage Act which covers actually impairing, threatening to impair, or controlling items which damage property would be relevant. There may be more specific actions found in the UK's Computer Misuse Act, under sections mentioning degradation of the target's PC functionality. All of these come under the remit of the steps required to be taken under the Council of Europe's Cybercrime Convention. Thus section 5 provides a push to enact relevant laws which can deal with DDoS:
"Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data."


An example of a court case involving DDoS would be the UK's DPP v Lennon. Here the defendant was convicted for email-bombing (a type of DDoS attack) his former employees, blocking their IT system. Finally, any extortion element could be pursued in civil or criminal actions.



Sunday, December 7, 2014

A Saga of Copyright : Authors Guild, et al.v. Google.

A saga can commonly be held to be a long tale involving many parties interacting within a complex environment, seeking to overcome both their own flaws and outside forces. A classic example would be the Eddas of Iceland. While not as long-running or (as yet) as bloody, there is a similarity with the Icelandic sagas in the multitude of legal pleadings of the parties before a judge and the search for justice and fairness in the dispute which has embroiled Google Books, and which continues as per the latest ruling in Authors Guild, et al. v. Google.

The background to this is that Google has positioned itself as the premier search engine company in the global economy (see "How Google Tests Software" by Whittaker for an interesting insight into how this is achieved). The company's mission can be captured in the desire to make the world's information searchable. As a large part of this heritage of information exists outside the digital format, in paper-based books, in 2004 Google began to convert the physical to the binary by scanning in books. This, however, was done without the copyright owners' permission (leaving aside books in the public domain or without known authors), and in 2005 the US-based Authors Guild brought a copyright infringement suit, with Google's defence being that of "fair use".

This term originates from the US case of Folsom v Marsh (1841), whose facts revolved around a book about one of the American rebel leaders, a George Washington, and the correctness of being able to quote sections of that book. Four main elements for allowing such quotes were enumerated:
1. the purpose of the quotes and whether they were of a commercial nature
2. the original work and whether it was copyrighted
3. the percentage of the work quoted
4. how this might affect the commercial aspect of the work

The saga initially looked to have a fairly benign ending with an agreement between the parties, but this was rejected on the grounds of unfairness. The excellent IPKitten site has commented that, whichever side is the victor, it will mark a key ruling on how "fair use" is to be viewed in terms of transformation (from physical to digital) of copyrighted material.

In the European context, how the moral rights of the author might be affected, given the less than perfect technology that underlies scanning, could also be an issue. Either way, Google Books, like any good saga, will likely continue to provide years more topics of interest.