Changes are coming for US Copyright – Should Developers Even Care?

June 19, 2019 3013 Views Christy Hofffman

I recently had the opportunity to sit down with Sebastian Holst, PreEmptive’s Chief Strategy Officer, to talk about his most recent trip to Capitol Hill where the topic of the day was copyright protection for small businesses – and for development shops in particular.

Q1: You’ve just returned from another one of your trips to Washington DC. What was the occasion?

I was part of a Congressional Briefing Panel along with Robert Kasunic, Director of Registration Policy and Practice, U.S. Copyright Office and Keith Kupferschmid, President and Chief Executive Officer, Copyright Alliance. The Briefing was organized by ACT | The App Association in cooperation with The Intellectual Property Promotion and Piracy Prevention Caucus.

Briefings are like "mini-lectures" for Congressional leadership and their staff.

I know that’s a mouthful – basically Congressional Briefings are an effective way to communicate with policymakers. They’re like a mini-lecture on a specific topic – this one focused on two related topics; simplifying Copyright Office processes to hopefully increase registration and, the topic that was most interesting to me personally, discussing the implications for developers of a Bill recently introduced into both the House and the Senate, The CASE Act of 2019. It would create a kind of “small claims court” for copyright infringement claims.

Q2: Why would a Copyright Small Claims Court be important for developers?

Today, infringement claims are only heard in Federal Court. It’s a complex, expensive and lengthy process. The CASE Act promises “an alternative dispute resolution program for copyright small claims” that would not require a lawyer or a physical court appearance. …but today it’s just a Bill.

Q3: You’ve been making trips like this since I’ve been at PreEmptive. How did you get involved?

Well, even before I joined PreEmptive – who obviously have a stake in protecting developers’ Intellectual Property – I had been immersed in Digital Asset Management and related standards – even sitting on the W3C Advisory Committee when XML 1.0 was being hammered out in the late 90’s. I’ve been focusing on structured content – its uses and value – for decades.

But in terms of actual engagement – and even some influence – over US legislative and regulatory policy – all credit has to go to ACT. They were the organizers of this week’s briefing – but I’ve been working with them for over a decade now – and their work on behalf of their 5,000+ members – all US development shops – has been amazing to watch. If you represent a US company developing software, get in touch with ACT. They can offer a variety of ways that you can get involved – there’s no set amount of time commitment required and no fees. It’s always a win-win deal – participate when and where it makes sense.

Q4: ACT sounds like a great resource. What are some other concrete examples of ACT events or activities?

Every person and company will be a little different I suppose.

Working at PreEmptive is kind of a unique situation. Not only are we a development company ourselves, our thousands of clients and many many thousands of users are also all developers who – based on the simple fact that they use our app protection software – also care about these same issues. We are, like any company, always focused on our clients’ needs and wants – and so we track issues around risk management, IP protection, and compliance as part of our core business. Our users span industries and jurisdictions and so we have a unique view into the state of app protection in general and IP protection in particular.

As CSO – understanding these trends is actually in my job description and so, in this way, I’m able to serve as a very unofficial voice of a much larger development community.

The most interesting example of this was when I testified before the House Judiciary Committee's Subcommittee on Intellectual Property – this was an on the record testimony in front of elected officials. The entire thing was, to be honest, just a very cool experience.

Swearing in and Congressional testimony on Copyright in the "age of apps."

One activity available to every ACT member is the ACT Fly-In. I’ve attended probably ten of these – they consist of a day of training and then a series of briefings with Senate and House staff (and sometimes the Representatives or Senators themselves) on timely issues. It’s a crash course in US civics as well as important tech issues of the day.

Q5: Any closing thoughts you’d like to share?

Just stay tuned – we (PreEmptive) will be putting together updates and even training as The CASE Act comes up for a vote. No matter what the political climate, protecting Intellectual Property is always popular with all parties (a close second to children). This Bill has bipartisan support and will almost certainly be passed in the not too distant future. We plan to help with outreach to make it as easy as possible to layer US Copyright Protection practices on top of the actual app security technology and practices that we license. In the end, we see this as a part of our core mission – to help secure our clients’ work – and in particular – the VALUE our clients create.

The Secret to Effective In-App Protection

Gartner calls In-App Protection “crucial” in their July 2019 Market Guide for In-App Protection In-App Protection. The guide’s summary advises security and risk management leaders to “take due care in protecting their application clients” in order to avoid “security failure.”

This raises the question – what constitutes “due care?” Obviously, no development organization looks to recklessly expose their applications or sensitive data to attack or compromise. On the other hand, over-engineered (or poorly engineered) security controls can quickly lead to excessive development costs, performance and quality issues, and, ultimately, unacceptable user experiences. While terms and terminology may vary, there is broad consensus on how to best define “due care” for any given application/user scenario.

If you don’t follow application security closely, you might think of application obfuscation and symbol renaming as being synonymous – and with good reason. Many platforms and languages, like .NET, Java, and JavaScript have popular obfuscators that do little else--our own Dotfuscator Community Edition for .NET and ProGuard for Java are good examples. However, obfuscation is far more than symbol renaming – and in-app protection is far more than obfuscation. Much of this expansion has been driven by new security requirements, shifting attack vectors, the rise of mobile and IoT computing and, lastly, the growing recognition inside regulations and legislation of the exposure that can result from inadequately protected software.

PreEmptive has partnered with Microsoft for 16 years and we’ve been involved with .NET since before version 1.0 shipped. From that perspective, it’s hard for us to pinpoint a time where the energy and enthusiasm in the .NET community has been higher than it is now. Over the past few years, Microsoft has put together the annual .NET Conf, completely online with viewers, participants, and local events all over the world. The event is virtual and streamed live over three days.

The big news at this year's .NET Conf was the launch of .NET Core 3, the next step in the continued evolution of .NET. .NET Core 3 is a huge effort, with many moving parts, and Microsoft announced many related releases to support it. Highlights for us included:

Search for lockpicking and you’ll see that there’s no shortage of suppliers ready to serve locksmiths and hobbyists, each community having a perfectly legitimate need. Is there any reason to believe that burglars don’t shop the same sites?

Hackers are developers and they have a long history of enthusiastically embracing and adapting development (and DevOps) innovations to speed their work, extend their reach, and ship software – the only difference is that they’re more likely to use those development tools and platforms on YOUR software rather than on their own. Static code analysis tools, debuggers, and even public bug tracking databases are all go-to hacker resources.

Can you tell the difference? Exception or the norm?

Of course, everyone is “for security” in principle. The hard question that each organization has to answer for themselves is “how much is enough?” Over-engineering is (by definition) excessive, and over-engineering application security can, in fact, be devastating as overly-complex algorithms, architectures and processes can compromise user experience, degrade performance and slow development velocity. On the other hand, punishment is swift for organizations that cut corners and do not effectively secure their applications, their data and, most importantly their users and business stakeholders. Finding and maintaining that balance can be time consuming and, because you can never be sure you’ve gotten it exactly right, it can also be a thankless job.

Changes are coming for US Copyright – Should Developers Even Care?

Q1: You’ve just returned from another one of your trips to Washington DC. What was the occasion?

Q2: Why would a Copyright Small Claims Court be important for developers?

Q3: You’ve been making trips like this since I’ve been at PreEmptive. How did you get involved?

Q4: ACT sounds like a great resource. What are some other concrete examples of ACT events or activities?

Q5: Any closing thoughts you’d like to share?

The Secret to Effective In-App Protection

Symbol Renaming: App Security’s Maginot Line?

Highlights from .NET Conf 2019

Tools don’t hack apps, hackers do: Securing Android apps against Frida

Trusted Computing: Panacea or Magical Thinking?

Can you tell the difference? Exception or the norm?

Latest Blog Posts

The Secret to Effective In-App Protection

Symbol Renaming: App Security’s Maginot Line?

Highlights from .NET Conf 2019

Tools don’t hack apps, hackers do: Securing Android apps against Frida

Trusted Computing: Panacea or Magical Thinking?

Twitter