LWN.net Weekly Edition for April 17, 2008 [LWN.net]

Turnitin and fair use

April 16, 2008

By Pamela Jones, Editor of Groklaw

The McLean, Va. High School students whose copyright infringement lawsuit against iParadigms, LLC and its Turnitin plagiarism-detection software system was dismissed on summary judgment on March 11 have filed a notice of appeal [PDF] to the Fourth Circuit Court of Appeals. That was likely a surprise to iParadigms, whose CEO John Barrie confidently predicted that hell would freeze over before the students would appeal. Yet, appeal they have. So this story isn't over yet.

District Court Judge Claude Hilton's Opinion [PDF] ruled that Turnitin's use was highly transformative and hence fair use; that is one of the issues that will be appealed, as Robert Vanderhye, the attorney representing the students pro bono, explained to me in an email interview:

What the judge held, and what we are appealing, are (1) if a minor clicks on to the Turnitin.com website he/she is bound by the conditions of the "Agreement" even if it denies the student the ability to enforce his/her copyright, and (2) as a matter of law the Turnitin use is transformative so that it is fair use instead of copyright infringement.

With respect to the first, we submit that the Court misinterpreted Virginia law, and did not apply the controlling Virginia cases that we cited.

With respect to the second there clearly are facts in dispute. Among the facts in dispute are a) does the Turnitin system work to deter plagiarism, or does it actually encourage plagiarism since it is so easily avoided by anyone who really wants to plagiarize; b) is the Turnitin system so insecure that students papers can easily be recovered by a hacker so as to easily allow theft of the students' works, or for a criminal to use information contained in student works against them; and c) how can the Turnitin use be transformative when they will send a student's work verbatim to someone outside the student's school system without the student's permission, or even knowledge. Also, with respect to the second point, Turnitin violates the FERPA since student names, schools, and personal information are usually on the student works; since it violates FERPA as a matter of law the Turnitin system is against the public interest, and therefore there can be no fair use.

He mentions that there are facts in dispute because a court is only supposed to grant summary judgment if the pleadings and supporting documents, when viewed in the light most favorable to the non-moving party, show that there is no genuine issue as to any material fact. Fed. R. Civ. P. 56(c).

The major issues being appealed then are: Was it error to dismiss this lawsuit on summary judgment? Can minors lose copyright rights, because of clicking "I agree" to an agreement that their schools compelled them to agree to? What about the privacy issues under the Family Educational Rights and Privacy Act (FERPA)? But the key question is, Is this fair use?

iParadigms' point of view, one that the lower court agreed with, is that a lot of high schools and universities use this software and rely on it. They find plagiarism goes down significantly. Turnitin isn't using the creative parts of the papers for commercial gain, the judge said; it's a system of integrity checking. And that's a transformative use.

Similarities between Google Books and Turnitin:

The computer does the copying, not humans.
Both archive complete copies of the works.
Neither gets the works directly from the copyright holder.
Both claim the use is transformative.

Differences:

The students are minors.
There are arguably privacy issues with Turnitin.
The student papers are unpublished works.
The conceivable market harm is distinguishable.
There is no way students can opt out. Any author can opt out of Google Books.
Turnitin represents itself as a system for protecting copyrights.

For that matter, so is Google Books, in that it's a kind of digital card catalogue, letting us know where to find books with information we want. In Perfect 10, Inc. v. Google, Inc. (the thumbnail photo case, hence another works-in-a-computer-database fact pattern) the court found that, too, was transformative and hence fair use. Judge Hilton notes this finding in his order on page 13. The photos had one purpose originally, the court found, but putting them into a database was something not originally intended, and the search engine "provides a social benefit by incorporating an original work into a new work, namely, an electronic reference tool." The purpose is limited and the works are used only for comparative purposes that provide a social benefit. He does mention the exception to that, however, in that if there is a request to see the work a student's paper allegedly seems to have plagiarized, a teacher can obtain that work to evaluate. Hence the appeal over archiving by students who don't want their works used that way.

If the students have issues about having to use the system, they should take it up with the schools, the judge ruled, because that is who is giving Turnitin authority to do what they are doing with these student papers, and he thought the schools had the right. As for fair use, Judge Hilton found that this was a transformative use, and he quoted a definition of transformative from a case, Harper & Row Publishers, Inc. v. Nation Enterprises, to mean that it "adds something new, with a further purpose or different character". If use is transformative, he wrote, it's "strong evidence" that the use is fair use.

iParadigms has on its website a legal opinion [PDF] it commissioned from Foley & Lardner. Fair use is a bit hard to pin down. Even the legal opinion notes that fair use is very much dependent on the facts of each situation:

Determining whether a copyright exists in a particular work or is infringed by a particular use of the work is difficult. The analysis is so fact-specific that relatively minor variations between the facts of superficially similar cases often lead to diametrically different conclusions.

To grasp the students' point of view, imagine if a company decided to offer a service to check for infringed code, so it collected all the world's proprietary software it could get its hands on, without permission from the original authors. Say it got copies from the world's libraries. And there was no way to opt out.

Now, imagine that if the software thought it found a match, you could request to see the proprietary code that it was thought to infringe. Do you think the proprietary software companies or the authors of that code would view that as a transformative fair use?

The crux of the students' issue, then, is the archiving. They don't want their papers to remain in the system, even if they must submit them for originality review. It bothers them that iParadigms archives the students' manuscripts and then uses them for profit, while they, the students, lose control over their own work without getting any compensation. The students have their own website, Don'tTurnItIn.com, and they have some additional court filings available there.

A lot of commentary so far has cited Judge Hilton's ruling, because of its fair use arguments, viewing the opinion as perhaps being helpful to Google in the litigation brought against it by the Author's Guild and others regarding Google Books, and I'm sure you can see why. But there are significant differences too.

Some have argued that copyright law is out of date in a digital world, the Internet being nothing but one huge copying machine. Computers copy, and so some suggest it would be more logical and less damaging to penalize wrongful distribution, not copying. In that sense, the judge's ruling was quite progressive. Indeed, it's hard to read his opinion without concluding that to Judge Hilton, copying by a computer isn't a problem, so long as human eyes are not involved, the use is transformative, and there is no distribution for profit or any market harm.

In iParadigm's Counterclaims [PDF], there were several other causes of action, trying to mold the facts into a claim of "trespass to chattels" and even claims of violations of the Computer Fraud and Abuse Act, as well as Virginia's Computer Crimes Act. Those are serious allegations. On the first, the assertion was that the plaintiffs allegedly used nyms like 'Rube Goldberg' and 'Perpetual Motion' to improperly file papers in the Turnitin system without authorization.

The court dismissed those counterclaims, pointing out that you have to prove actual damages and, in the case of trespass to chattels, some impairment of quality or condition or use. It's a bit hard to come up with a dollar figure for how harmed one is by someone's use of a nym. As for filing the papers without authority, where's the financial harm, the court asked?

Trespass to chattels in meat space is like someone taking your car for a joy ride, getting into a fender bender, and then bringing the car back without fixing the fender or even filling the gas tank back up. Not only is the car damaged, but you didn't have use of it while it was out being driven around, and so you couldn't drive it to the airport yourself as you intended and missed your job interview. And it's your car, your personal property, which is what chattel means.

Like many other legal concepts, it has been applied to digital world, as if physical property and intellectual property are identical, and in some ways, it fits. AOL was an early trailblazer in using trespass to chattels successfully against spammers, arguing that the sheer volume of emails interfered with their being able to use their own system as intended to service their real customers properly (here's one example).

iParadigms also claimed that the terms of their Usage Policy provided for indemnification to iParadigm arising out of any use of the Turnitin website. It also has a user agreement that you are confronted with and must click "I Agree" to in order to submit papers to Turnitin. The judge made a distinction between the user agreement and the Usage Policy, however, noting that there was no "I Agree" to the Usage Policy or any evidence that the students saw it, and it was not referenced or incorporated into the user agreement. So he decided that while the students were bound by what they said "I Agree" to, they never agreed to the Usage Policy. But the appeal asks whether these minors ever gave a legally binding assent, since their "I Agree" was really "My School Says I Have to Agree". In some respects, this EULA issue may be as interesting to track as the fair use questions.

Comments (21 posted)

ELC: Trends in embedded Linux

By Jake Edge
April 16, 2008

Henry Kingman, editor of LinuxDevices, opened the Embedded Linux Conference with a look at the trends in embedded development since he started covering the subject in 1999. Based largely on the annual surveys run by LinuxDevices, his keynote speech highlighted the growth of Linux as an embedded operating system as well as where it is headed in the next few years.

The conference, which started April 15 in Mountain View, California, gathers around 175 embedded developers for three days of talks on a wide variety of embedded topics. Sponsored by the Consumer Electronics Linux Forum (CELF), the conference has become the premier technical conference for the ever-growing embedded Linux community. Each day has a keynote, with kernel hacker Andrew Morton and CELF architecture group chair (and conference organizer) Tim Bird rounding those out, followed by a half-dozen presentations slots, with three parallel presentations.

Bird introduced Kingman as one of the main providers of news about embedded Linux, relating that LinuxDevices and LWN.net are his "two main sources of information" about the community. Bird marveled at the body of work that Kingman has amassed: "this guy is prolific". He also reminisced a bit about the early days of embedded Linux, starting with his days at Lineo to his current work at Sony:

It was hard to get people to pay attention to Linux, now Sony is putting Linux into almost everything.

Kingman acknowledged Bird's introduction, but said that he didn't know "if that makes me an expert in the forest, or lost in the trees". He looked back to a 1999 San Francisco Bay Linux Users Group meeting with Linus Torvalds as the featured speaker. Kingman said that Torvalds wanted Linux to be a desktop operating system but that he saw the embedded space as the big growth area.

Later that year, Kingman attended the first LinuxWorld conference where he saw some folks from Transmeta talking about squashfs and cramfs. An article he wrote about those filesystems was published by Rick Lehrbaum, founder of LinuxDevices. That was the first of more than 3000 articles Kingman has since written for LinuxDevices.

Kingman then presented the results of the most recent LinuxDevices reader survey. The survey gathers information about what LinuxDevices readers are doing or planning with regard to embedded Linux development. It has been run for eight years, providing some interesting information on changes in the readers' attitudes over the years.

Usage of Linux in embedded development projects crossed a threshold this year, with more than 50% of the 812 respondents saying that they are currently using it. Usage of Linux has been growing year over year, but didn't cross the halfway mark until 2008. More than 61% believed their company would be using Linux within the next two years.

The ARM family of processors has continued its growth with 30% of the readers using it, while 25% are using x86 variants. ARM overtook x86 three years ago; that trend looks to be continuing with respondents seeing 31% ARM versus 23% x86 over the next two years. Kingman said that he thinks Intel is trying to reverse that trend because spending on consumer devices is predicted to "outstrip IT spending".

There were a couple of questions asking where respondents obtain the version of Linux they use in their products. Ubuntu has a somewhat surprising share at 8%. For a relatively new distribution that is not specifically targeted at that market, it stands out, as does its predicted growth to 10% over the next two years. Kernel.org at 16% and Debian at 14% are the leading sources, with uClinux tied with Ubuntu and MontaVista and Fedora at 6% each.

Unsurprisingly, per-unit royalties were not popular with two-thirds of respondents being unwilling to pay those, but 60% were willing to pay for development and support of embedded Linux, so it is not just the free-beer aspect that is drawing companies to Linux. Most (45%) get their sources as a free download from a community site like kernel.org or handhelds.org, with 18% getting them bundled with their hardware. Only 11% said that cost was the greatest influence on their choice.

Legal threats are still on the minds of some, with copyright or patent concerns being considered a significant threat to roughly half of the respondents. SCO has fallen off the radar, with only 2.5% thinking that it is still a threat. "None of the above" was the big winner, presumably meaning that there are no significant threats, at 40%.

Kingman finished with a request of the embedded community to let him know what things should be covered in more depth and any additional areas they wish to see covered. He is looking for input on what the community wants to talk about: "we want to be your website."

Comments (6 posted)

Notes from the Collaboration Summit

By Jonathan Corbet
April 11, 2008

Your editor has certainly attended no shortage of Linux-related conferences. Many of those are developer conferences, which are invariably interesting events. Others are oriented around marketing or outreach, with rather more variable results. The Linux Foundation's Collaboration Summit, which ran from April 8 to 10, is unique, though, in that it attracts representatives from throughout the Linux ecosystem. Developers are not in short supply (though it seemed like there were fewer than last year), but those developers spend three days talking with corporate executives, industry analysts, and, crucially, a number of high-profile users. This mixture of people creates a very different dynamic which supports a whole range of interesting conversations.

One of the first events was the kernel developers' panel, moderated by your (normally rather immoderate) editor. Panelists James Bottomley, Matt Domsch, Dave Jones, Christoph Lameter, Ted Ts'o, Arjan van de Ven, and Chris Wright discussed a variety of topics ranging from kernel quality (getting better), code review, development process participation, hardware support, and more. Your editor was not able to take notes from the panel; perhaps the best report which has come up so far can be found in this InformationWeek article by Charles Babcock.

IDC analyst Al Gillen spent half an hour going through a bunch of chart-heavy slides on the future of Linux in the marketplace. Overall, things look good, in that a market worth $20 billion in 2007 is expected to go up to $50 billion in 2011. There were lots of associated details which have been reported elsewhere. One interesting aspect was watching how the analyst trade copes with "non-paid" Linux deployments - which, according to Mr. Gillen, is 43% of the total. There was talk about how "monetizing" these deployments is a challenge for those looking to make money in the Linux marketplace. He expressed surprise at just how many companies are confident in their ability to support Linux deployments on their own. But he also talked about just how important that non-paid base is for the support of the entire ecosystem. Non-paid deployments may be a "challenge" to those who would prefer to be paid, but their absence would be a rather larger challenge.

There was an echo of this insight when Red Hat CTO Brian Stevens talked. One of Red Hat's goals, he says, is to give customers the immense value that goes with a "zero cost to exit" offering. There is no RHEL lock-in. To that end, he says, the folks at CentOS have done Red Hat a great favor. Brian also talked about the difference between the old "selling the distribution" business model, which gave Red Hat an incentive to put lots of shiny new things into each release, and the current model, which puts the focus on continuity instead. Since Red Hat's customers have already paid for the next release, Red Hat doesn't need to add lots of cool new features to encourage them all to upgrade.

He then spent the rest of his talk on the various cool new features the company is working on, including messaging, realtime support, and more.

Marten Mickos, once CEO of MySQL and now a vice president at Sun Microsystems, gave a talk which was intended to make listeners feel good about Sun and its plans for free software. It bothers him, he says, when people ask whether MySQL will remain committed to Linux; it strikes him as a demonstration of uncertainty about the future of Linux in general. That uncertainty is unnecessary; Linux's future is strong, regardless of what MySQL does. But MySQL (and Sun) do remain committed to Linux as a platform; the era of monolithic computing platforms is over, and companies have to support customers who will make their own choices at each level in the stack. So LAMP as an "architecture of participation" will remain supported by Sun well into the future.

An industry panel on "the state of Linux" was a useful view into how some large companies see the platform. They are all seeing growth in Linux; Bdale Garbee (representing HP) noted that Linux is "showing up in everything" that customers are planning. IBM's Dan Frye said that Linux is ready for any kind of workload. Oracle's Wim Coekaerts did note, though, that Oracle's revenue from Linux, at a mere $2 billion, is "still lagging."

There was a fair amount of discussion on how to work with the development community; NetApp's Brian Pawlowski asserted that "money helps." By that, he means employing developers to work within the community and advance the platform. Bdale noted that HP tries to work "in" the community, not "with" it. Dan Frye echoed that thought, saying that it's important to have people with credibility in the community and to allow them to work inside the community for long periods of time. Motorola's Christy Wyatt, instead, worried that her company still doesn't have the necessary wisdom to work effectively with the development community; Linux and the mobile industry, she says, are still relatively new to each other.

Wim related a story from the first kernel summit wherein an Oracle representative presented a laundry list of desired features. That is, he says, not the right way to do things; the community tends not to react well to wishlists with no development effort behind them. Oracle now has a Linux development team which is entirely separate from the normal product teams; among other things, it has a blanket approval to contribute the code it develops, avoiding the lengthy and tiresome internal legal review process. The company has also adopted a policy of making projects open from the beginning, getting much-needed review early in the process.

Other participants noted that working with a company's legal department can often be the hardest part of community participation. Dan suggested bringing in the legal department at the beginning of a project and keeping them around; sticking with a single counsel who can slowly be educated in free software ways is also important. Bdale said that we were likely to need "legal domain experts" for some time yet, but that the situation is getting better; most lawyers now have at least some understanding of how free software licensing works. A couple of panelists discussed the legal headaches that come with mixing components with different licenses; they would certainly like to see fewer licenses going into the future.

The final session from the first day covered the state of mobile Linux. It was about the only contentious panel on a day where the majority of the sessions were mostly educational in nature. One area of disagreement was over security models. Some platforms (such as ACCESS) work with a fine-grained set of privileges, while Google's Android uses sandboxing and controlled access to resources determined by asking the user. The fine-grained approach is seen by some as an ideal way for carriers to lock down handsets and exert firm control over what handset owners can do - not the desired outcome. On the other hand, asking users is seen as insecure; it's not usually too hard to get users to agree to almost anything.

Perhaps the lowest moment in this panel came when Google's Eric Chu was asked about participation with the community as opposed to developing everything as a private fork. He replied that the Android code was open, it sits in a repository somewhere. But there will be no effort to engage with (for example) the kernel community and merge this code until it is "done." That approach runs against what others had been saying since the kernel panel that morning: one must get code out there as early as possible. When the Android developers finally decide that their code is ready, they are likely to have a nasty surprise when they try to merge it into the kernel and are told that much of it is unsuitable by design. Google came off looking somewhat bad here, but the truth of the matter is that most of the (many) mobile Linux projects are operating in similar ways. Getting these projects to really work with the communities whose code they are using is, as with many embedded applications, a challenge. One can hope that the suggestions given to these projects at the summit will be taken to heart.

That sort of communication is what makes this event worthwhile; it is often hard for this particular mixture of people to come together in other contexts. The Collaboration Summit was heavy on conversation in general, often to great effect. One well-known developer commented to your editor that the Summit had the biggest disparity between the official content and the "hallway track" that he had ever seen. The hallway track was good, with, hopefully, lots of good things to come from it in the coming months.

Comments (6 posted)

Page editor: Jonathan Corbet

Security

GCC and pointer overflows

By Jonathan Corbet
April 16, 2008

On April 4, CERT put out a scary advisory about the GNU Compiler Collection (GCC). This advisory raises some interesting issues on when such advisories are appropriate, what programmers must do to write secure code, and whether compilers should perform optimizations which could open up security holes in poorly-written code.

In summary, the advisory states:

Some versions of gcc may silently discard certain checks for overflow. Applications compiled with these versions of gcc may be vulnerable to buffer overflows. [...]

Application developers and vendors of large codebases that cannot be audited for use of the defective length checks are urged to avoiding [sic] the use of gcc versions 4.2 and later.

This advisory has disappointed a number of GCC developers, who feel that their project has been singled out in an unfair way. But the core issue is one that C programmers should be aware of, so a closer look is called for.

To understand this issue, consider the following code fragment:

    char buffer[BUFLEN];
    char *buffer_end = buffer + BUFLEN;

    /* ... */
    unsigned int len;

    if (buffer + len >= buffer_end)
	die_a_gory_death("len is out of range\n");

Here, the programmer is trying to ensure that len (which might come from an untrusted source) fits within the range of buffer. There is a problem, though, in that if len is very large, the addition could cause an overflow, yielding a pointer value which is less than buffer. So a more diligent programmer might check for that case by changing the code to read:

    if (buffer + len >= buffer_end || buffer + len < buffer)
	loud_screaming_panic("len is out of range\n");

This code should catch all cases; ensuring that len is within range. There is only one little problem: recent versions of GCC will optimize out the second test (returning the if statement to the first form shown above), making overflows possible again. So any code which relies upon this kind of test may, in fact, become vulnerable to a buffer overflow attack.

This behavior is allowed by the C standard, which states that, in a correct program, pointer addition will not yield a pointer value outside of the same object. So the compiler can assume that the test for overflow is always false and may thus be eliminated from the expression. It turns out that GCC is not alone in taking advantage of this fact: some research by GCC developers turned up other compilers (including PathScale, xlC, LLVM, TI Code Composer Studio, and Microsoft Visual C++ 2005) which perform the same optimization. So it seems that the GCC developers have a legitimate reason to be upset: CERT would appear to be telling people to avoid their compiler in favor of others - which do exactly the same thing.

The right solution to the problem, of course, is to write code which complies with the C standard. In this case, rather than doing pointer comparisons, the programmer should simply write something like:

    if (len >= BUFLEN)
        launch_photon_torpedoes("buffer overflow attempt thwarted\n");

There can be no doubt, though, that incorrectly-written code exists. So the addition of this optimization to GCC 4.2 may cause that bad code to open up a vulnerability which was not there before. Given that, one might question whether the optimization is worth it. In response to a statement (from CERT) that, in the interest of security, overflow tests should not be optimized away, Florian Weimer said:

I don't think this is reasonable. If you use GCC and its C frontend, you want performance, not security. After all, the real issue is not the missing comparison instruction, but the fact that this might lead to subsequent unwanted code execution. There are C implementations that run more or less unmodified C code in an environment which can detect such misuse, but they come at a performance cost few are willing to pay.

Joe Buck added:

Furthermore, there are a number of competitors to GCC. These competitors do not advertise better security than GCC. Instead they claim better performance (though such claims should be taken with a grain of salt). To achieve high performance, it is necessary to take advantage of all of the opportunities for optimization that the C language standard permits.

It is clear that the GCC developers see their incentives as strongly pushing toward more aggressive optimization. That kind of optimization often must assume that programs are written correctly; otherwise the compiler is unable to remove code which, in a correctly-written (standard-compliant) program, is unnecessary. So the removal of pointer overflow checks seems unlikely to go away, though it appears that some new warnings will be added to alert programmers to potentially buggy code. The compiler may not stop programmers from shooting themselves in the foot, but it can often warn them that it is about to happen.

Comments (61 posted)

New vulnerabilities

am-utils: insecure temporary file creation

Package(s):

am-utils

CVE #(s):

CVE-2008-1078

Created:

April 11, 2008

Updated:

January 7, 2009

Description:

From the Gentoo advisory: am-utils creates temporary files insecurely allowing local users to overwrite arbitrary files via a symlink attack.

Alerts:

Fedora	FEDORA-2008-10755	2008-12-07
Gentoo	200804-09	2008-04-10

LWN.net Weekly Edition for April 17, 2008

am-utils: insecure temporary file creation

libpng: denial of service

opera: multiple vulnerabilities

python: integer signedness error

rsync: integer overflow

squid: insufficient bounds checking

Events: April 24, 2008 to June 23, 2008