Flawed From the Start & Missing the Mark: Georgia's Proposed Anti-Drone Legislation

Bad state laws can have the same chilling effect on technology as bad federal laws.  In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) discusses the latest anti-drone law introduced here in the Georgia legislature and how one bill manages to kill innovation across several key Georgia industries. 

By Elizabeth Wharton 

Georgia’s newly proposed anti-drone legislation is an economic and research buzz kill.  The bill, HB 779, through poorly crafted provisions places unnecessary red tape for use of drones by the film industry and by cellular, telephone, and cable utility companies.  It also completely shuts down Georgia's aerospace defense industry research (and related funding) conducted by universities including Georgia Tech and all related manufacturing by companies such as Lockheed Martin.  Biting the industry hands that bring billions of dollars into Georgia’s economy seems a bold move for state legislators, particularly during an election year.    

Gaps between technology policy and technology practice at the federal level such as the Commerce Department’s proposed Wassenaar Arrangement rules, extend to the states as well.  With over 168 drone-related bills considered by 45 states in 2015 according to the National Conference of State Legislatures, 2016 is already off to a quick start.  California lawmakers want to require "tiny" drone license plates and for operators to leave their contact information behind after an "accident." In the latest policy disconnect, the devil went down to Georgia but had to leave his Star Wars X-Wing Fighter drone at home (it included a replica of a weapon), he faced jail time for his school-sponsored drone research project, and couldn't fly his other drones for fear of inadvertently capturing RF signals from a neighbor’s iPad.  When your legislative goal is to encourage economic development in the aerospace and technology industries and the end result has the exact opposite effect, this is a failure.

After spending four months of meetings and hearings on the "Use of Drones" in Georgia, members of a Georgia House Study Committee introduced House Bill 779.  The Committee's Final Report (copy available here) recommend that commercial uses of drones should not be "over regulated at the state level" and the state should "avoid passing legislation which might ….. cause the process to be more onerous and thus drive business to other states." Further, "Georgia's goal is to remain competitive and to allow for expansion of this industry…" 

Georgia's film industry generated a $6 billion impact on Georgia's economy in 2015, the aerospace industry had a total economic impact of $50.8 billion in 2013 accounting for 5.3% of the state's GDP.  Transportation logistics also plays a key part in Georgia's economy, Atlanta is home to the busiest passenger airport in the world and Savannah boasts the 4th largest and fastest growing container port in the U.S.  Georgia has heavily recruited telephone and cable service providers to roll out new products such as Google Fiber and Comcast's Ultra-Fast Internet within Georgia before doing so in other states. Several of the key service providers and experts in each of these industries testified or otherwise met with the members of the Study Committee that crafted HB 779, explaining their existing uses and the potential beneficial applications of unmanned aircraft systems. 

HB 779 provides that it will regulate the use of unmanned aircraft systems and the resulting captured images, prohibit operations in connection with hunting and fishing, and to prohibit the possession of, operation of, manufacturing of, and transportation of unmanned aircraft systems with a weapon attached.  

In its current form, HB 779 will halt or chill use of drones for film projects and safety inspections, shut down ongoing university research projects, and drive out manufacturing and shipping of aerospace drone equipment. 

Using words without understanding their application within the technology spells trouble.    

At the heart of the main provisions in HB 779 is its definition of "image." "Image" is broadly defined to include electromagnetic waves and "other conditions existing on or about real property in this state or an individual located on such property."  HB 779 would prohibit using an unmanned aircraft system "to capture an image of a private place or an individual in a private place," knowingly using an image in a manner prohibited by the statute, possessing an image known to have been captured in violation of the statute, and disclosing, distributing, or otherwise using an image known to have been captured in violation of the statute. 

This definition of "image" and resulting application within the statute becomes problematic in part within the context of how unmanned aircraft systems, cell phones, and all other "connected devices" function.  In each instance, the devices use some form of electromagnetic wave to communicate and connect.  These radio frequency (RF) signals are constantly being sent and received.  The resulting communication data is automatically transmitted and saved by the devices.  The Federal Communications Commission (FCC) deems the RF signals from the fitness tracker around my wrist or the signals sent from an individual’s pacemaker, for example, to be one and the same as the individual.  Here, the RF signal from my fitness tracker captured by an unmanned aircraft system flying overhead could expose the drone's operator to civil penalties when they sync and send the flight data.  Each captured signal (image) equates to a separate offense under the language of HB 779.

Georgia isn't the only state to trip over this concept, legislation passed in Florida, Texas, and other states also use a similar definition of "image." Cutting and pasting from other state’s legislation does not always equal good policy, here it perpetuates the use of inaccurate technology terminology. 

Adding Hurdles & Increasing Costs on Georgia's Film Industry and Technology-Related Utility Companies

In addition to missing the basic underlying technology mark, HB 779's definition of "image" and "private place" creates costly hurdles for film, cable utility companies, and telephone communication utility companies. HB 779 carves out liability protections for images captured in connection with specific projects but as with legislation passed in other states, exception lists always overlook a few.  The list of exemptions here includes law enforcement, electric or natural gas utility providers, fire-fighting operations, real estate sales and financing, and rescue operations. Noticeably absent, television or film production uses and inspection and maintenance operations by telephone, cable, or cell phone tower companies (all key industries in Georgia).

Use of unmanned aircraft systems outside of the exemption list requires the extra time and expense of tracking down every person and property owner whose image has been captured during the flight.  Without such consent, the image must be immediately deleted or face civil penalties.  The penalties accumulate per for each image, quickly adding up.  For example, a television crew or film company captures footage of a condominium high-rise. Each condo unit within the building is a separate parcel of real property.  Under HB 779, the company would have to contact every single condominium owner whose property could be clearly seen in film footage or risk civil penalties from the homeowners if they do not start all over and reshoot the footage without a clear picture of the building.  Cell phone tower operators and cable line operators would have to obtain permission from every property owner and person along their infrastructure lines or the areas surrounding their towers at that particular flight time prior to using for inspections and repairs. 

A weapon ban heard around the state, halting all research, manufacturing, and shipping throughout Georgia's aerospace defense industry.

Singlehandedly shutting down an entire (and growing) sector of the aerospace defense industry within the state should raise a few eyebrows, particularly for legislators who represent districts that count the research institutions, aviation manufacturers, or logistics hubs among their constituents or supporters.  Under HB 779, any sale, transportation, manufacturing, possession, or operation of unmanned aircraft systems that have been equipped with a "weapon" would constitute a felony, punishable by up to 3 years in prison and a fine of up to $100,000.  "Weapon" is defined to include a device or object that could cause or looks like it could cause or that is a replica of something that could cause serious bodily injury against a person.  Shipping a drone with a replica of a weapon (think the Star Wars themed X-Wing Fighter toy drones) or the perception that it could be a weapon on the drone is enough to trigger jail under HB 779.  The proposed ban contains zero exceptions and zero exemptions.  

Eight of the top 10 defense contractors in the country have operations within Georgia according to the Georgia Department of Economic Development.  Georgia universities and colleges including Georgia Institute of Technology and Middle Georgia State University receive research funding grants for the development and testing of defense-related projects.  The Port of Savannah is shipping hub, equipment arriving into the port is then transported through Georgia on its way to the final destination (civil or military).  Georgia Tech students use Fort Benning facilities for their drone research.   Moody Air Force Base in Valdosta, GA is home to several cutting-edge unmanned aircraft technology projects.  Contractors, students, and other civilian suppliers transporting unmanned aircraft systems to and from the military installations using Georgia roads, rail, or airways would be jailed and fined. Lockheed Martin would be grounded from manufacturing or shipping most of its unmanned aircraft systems in and through Georgia.  Not exactly the welcome mat that the Georgia Center of Innovation in Aerospace has been marketing.

Go back to the drawing board, Georgia (and quit copying from other state's bad legislation).

When legislation harms your state’s economic drivers and grounds Star Wars toys, then aerospace manufacturers, research institutions, electric and communications providers, transportation logistics companies, and Georgia voters take notice.  HB 779 cuts off the hand that provides 5.3% of Georgia’s GDP and slices the fingers from the other hand that represent the state’s main economic development priorities all in one fell swoop.  Go back to the drawing board Georgia, and this time don't copy off the flawed legislative papers from surrounding states.

Elizabeth is a business and policy attorney specializing in information security and unmanned systems.  While Elizabeth is an attorney, nothing in this post is intended as legal advice.  If you need legal advice, get your own lawyer.

Unwanted access

Weev's lawyers have filed their appeal. It's interesting, readable even for non-lawyers.

Part of the appeal is based on the obvious idea that public websites are, well, public. Just because some computer access isn't "wanted" doesn't necessarily mean that it's "unauthorized". Sure, physical trespass is a good analogy for private computers, but the analogy for public websites is that you've invited the guest into your home, but they ignore your hints they should leave, because you haven't explicitly told them so.

Take search engines as an example. They steal a website's content in order to profit by it. That's the definition of "search engine". Back when they were invented, they made people upset. They'd overload the server with their aggressiveness. They would make things available and public things that website owners didn't want to be so public. Somehow, zealous prosecutors avoided making felons out of search engineers, and they have become the social norm today -- even though these problems still persist.

The same is true of cyber-security research. I do unwanted things against websites all the time, such as my frequent testing of the Un.org website to see if it it's still vulnerable to SQL injection. Those guys hate me. Yet, my blogposts have improved the situation (they fix whatever I post a few days later, and now they've got a WAF in front. I really need to play with that WAF, but I'm lazy).

The reason I'm writing this blogpost is to solicit other examples of unwanted behavior -- things you do that you know is unwanted, but which you believe is "authorized". Or, things that you would do, but aren't sure if you'll be crossing a line. Please add them to the comments below, or send me a tweet @ErrataRob.

The debate over evil code

In the debate over “selling exploits” people haven’t defined what, precisely, an “exploit” is. The only definition is that they “know it when they see it”. In this post I’m going to describe something that isn’t clearly an exploit.

Back in 1998, I created one of the first “personal firewalls”, known as “BlackICE Defender”. We designed it to run on both Windows 95 and Windows NT. Win95 was the dead-end 16-bit operating that is no longer in use, WinNT is the progenitor of today’s Win7.

Hackers on a plane: who has jurisdiction? (legal)

Let's say a Canadian flies from New York to Tokyo on Korean Air and hacks the German tourist's computer seated in front of her while over the Pacific. Who's laws apply? (Canada, US, Japan, Korea, Germany?)

Apparently almost anybody's, including the French.

Firstly, there is Korea. While over "international waters", the registered country's law applies. Therefore, a 20 year old American can drink alcohol, because while the drinking age in America is 21, it's only 20 in Korea. The Korean's would get first stab at prosecuting

Secondly, there is the country of the victim. If the Koreans decline to prosecute this hacking case, then the Germans can, since it's the German tourist in our scenario who is the victim.

Thirdly, almost any country can under the principle of the "universal jurisdiction" against "international crimes". This means any country (such as the French, even though) can prosecute for a violation of international law like piracy or slave trading (but only as long as the Koreans decline to). This may or may not apply in this case, depending upon whether hacking is considered illegal by international law.

All this is only my guess based upon this article at FindLaw (h/t @KippiHax). The final admonition from that article is that international law is terribly complex and you need an expert to interpret this, so if you plan on hacking any German tourists over the Pacific, you should probably engage an attorney first.

Code as physical property: interpreting legal descissions

As reported by Wired, the programmer who stole code from Goldman-Sachs had his conviction overturned because "code is not physical property", implying that it's somehow above the law, that there is some sort of right to open source code. That's an incorrect interpretation of the decision. The conviction was overturned because of technicalities, while the laws may have been intended to cover to this theft of code, their wording is outdated and cannot be stretched to cover this incident.

The decision says:

the source code was not a "stolen" "good" within the meaning of the National Stolen Property Act (NSPA)

It clarifies later that the NSPA wording clearly means "physical good", and not intangible goods. It cites similar cases, such as bootleg recordings also being intangible goods not covered by the NSPA.

The ruling says that congress could easily amend the NSPA to include intangible goods. It's not that intangible goods are special and above the law, the issue is simply that the court doesn't find that the wording of the NSPA covers intangible goods.

The ruling likewise found that the crime didn't fall under the Economic Espionage Act (EEA) because the source code wasn't used for interstate or international commerce. The source code in question was for high-speed trading by Goldamn-Sachs, something that happened within the state of New York. Again, the court finds that while law makers might've intended to cover this theft of secrets, the fact that they specifically mention "interstate commerce" means that the law doesn't technically cover this incident.

People on Twitter are interpreting this as meaning that "code" is somehow above the law, that there is some natural right that code must be free and open. The ruling specifically tries to dispel this interpretation. It says only that the wording of existing laws doesn't cover this specific case, and that a minor change in wording would've covered it.

---

BTW, I'm not criticizing the above article. The article makes the same points I make. It's just that people can't read, and make assumptions without paying attention to the article itself.

Supreme Court Bilski Decision Watch - Coming Monday?

On Monday, the scales of justice will tip one way or the other in the Bilski business-method patent case. The Supreme Court is scheduled to wrap up its current term June 28th with only four outstanding decisions remaining. Barring an order for re-arguments in the case next term, the technology patent landscape may significantly shift with this decision. At stake are whether mental-process patents such as those currently held by technology companies, researchers, and other innovators are actually patentable. Since the State Street Bank case in 1998 removed the physical change or machine test in patents, a flood of patents have been issued for software, biomedical, and technology ideas. As discussed in my earlier blog post, upholding the lower court's decision to reinstate the physical change or machine test throws all existing and future technology patents into turmoil.



Keep your eyes on the Court's website for the latest decisions.

UPDATE: Apologies for the delay, here is the decision.


** I am an attorney with a firm in Atlanta, GA., contributing as a guest blogger on behalf of Errata Security. These are just my personal views and thoughts, not intended to reflect the views of anyone else nor intended to provide advice, legal or otherwise.

Law & Tech Geek Alert: Future of Software and Technology Patents in Supreme Court's Hands

by Elizabeth Wharton **

The future of thousands of technology patents is playing out in front of the Supreme Court today. At stake are patent protections, possible infringement lawsuits, and millions of dollars of profits to inventors. The Bilski case asks the Supreme Court to determine whether business-methods (those that are more of a mental-process as opposed to those tied to manufacturing or a tangible product) may be patented. Starting with the State Street Bank decision in 1998, the Federal Circuit recognized that software programs that transform data, but do not physically transform an article or create a machine, are patentable. Thousands of patents were issued to technology companies, researchers and innovators based on this decision.

When Bernard Bilski’s and Rand Warsaw’s patent application for a unique set of mathematical formulas to crunch numbers and manage risks associated with weather patterns and utilities was rejected 13 years ago, a landmark patent case was born. The patent office determined that their process dealt with solving a purely mathematical problem and rejected their application. Mr. Bilski and Mr. Warsaw fought for their patent all the way through the court system. In October 2008, the Federal Circuit upheld the patent office decision, reigning in their earlier State Street Bank decision, and determined that an application must meet a machine or transformation test in order to be patentable.

The Federal Circuit's Bilski decision marked a dramatic shift from the past ten plus years and sparked a controversy in the current technology innovation era - not only for software companies but also biomedical and technology companies. Over 67 amicus briefs were filed in connection with the Bilski case. Among those filing briefs in support of one side or the other in Bilski are the likes of computer and technology giants IBM, Novartis, Microsoft, Google, Symantec Corp., and others such as Bank of America and clothier L.L. Bean. At risk are software, technology, and biomedical patents held by such companies as IBM, Nortel, Medtronics, and many others. As pointed out by Judge Newman in her dissent, many technology innovations and inventions today are novel ways to approach data and information.

Narrowing technology patents to exclude processes that produce a “useful, concrete, and tangible result”, per the State Street Bank decision, will stifle technology innovation and product development. More and more users will listen to a presentation, take out the original and unique content, and ultimately circumvent the inventor. The inventor of this content will not have the patent protections for their unique solutions and ideas. Part of the inventor’s incentive in working to develop the solution has been stripped away.

The amicus briefs and legal arguments today are just the start of the Supreme Court’s review of the case. Legal geeks and technology geeks, along with thousands of patent holders, will be anxiously watching and waiting for the Supreme Court’s final decision in the months to come.

(For more in-depth discussions about this case and intellectual property law, I recommend the following websites - Law.com and IPwatchdog.com.)

** Reminder, these are just my thoughts and are not intended to provide advice, legal or otherwise. While I am a lawyer, I am not your lawyer.