Changes are coming for US Copyright – Should Developers Even Care?

June 19, 2019 443 Views Christy Hofffman

I recently had the opportunity to sit down with Sebastian Holst, PreEmptive’s Chief Strategy Officer, to talk about his most recent trip to Capitol Hill where the topic of the day was copyright protection for small businesses – and for development shops in particular.

Q1: You’ve just returned from another one of your trips to Washington DC. What was the occasion?

I was part of a Congressional Briefing Panel along with Robert Kasunic, Director of Registration Policy and Practice, U.S. Copyright Office and Keith Kupferschmid, President and Chief Executive Officer, Copyright Alliance. The Briefing was organized by ACT | The App Association in cooperation with The Intellectual Property Promotion and Piracy Prevention Caucus.

Briefings are like "mini-lectures" for Congressional leadership and their staff.

I know that’s a mouthful – basically Congressional Briefings are an effective way to communicate with policymakers. They’re like a mini-lecture on a specific topic – this one focused on two related topics; simplifying Copyright Office processes to hopefully increase registration and, the topic that was most interesting to me personally, discussing the implications for developers of a Bill recently introduced into both the House and the Senate, The CASE Act of 2019. It would create a kind of “small claims court” for copyright infringement claims.

Q2: Why would a Copyright Small Claims Court be important for developers?

Today, infringement claims are only heard in Federal Court. It’s a complex, expensive and lengthy process. The CASE Act promises “an alternative dispute resolution program for copyright small claims” that would not require a lawyer or a physical court appearance. …but today it’s just a Bill.

Q3: You’ve been making trips like this since I’ve been at PreEmptive. How did you get involved?

Well, even before I joined PreEmptive – who obviously have a stake in protecting developers’ Intellectual Property – I had been immersed in Digital Asset Management and related standards – even sitting on the W3C Advisory Committee when XML 1.0 was being hammered out in the late 90’s. I’ve been focusing on structured content – its uses and value – for decades.

But in terms of actual engagement – and even some influence – over US legislative and regulatory policy – all credit has to go to ACT. They were the organizers of this week’s briefing – but I’ve been working with them for over a decade now – and their work on behalf of their 5,000+ members – all US development shops – has been amazing to watch. If you represent a US company developing software, get in touch with ACT. They can offer a variety of ways that you can get involved – there’s no set amount of time commitment required and no fees. It’s always a win-win deal – participate when and where it makes sense.

Q4: ACT sounds like a great resource. What are some other concrete examples of ACT events or activities?

Every person and company will be a little different I suppose.

Working at PreEmptive is kind of a unique situation. Not only are we a development company ourselves, our thousands of clients and many many thousands of users are also all developers who – based on the simple fact that they use our app protection software – also care about these same issues. We are, like any company, always focused on our clients’ needs and wants – and so we track issues around risk management, IP protection, and compliance as part of our core business. Our users span industries and jurisdictions and so we have a unique view into the state of app protection in general and IP protection in particular.

As CSO – understanding these trends is actually in my job description and so, in this way, I’m able to serve as a very unofficial voice of a much larger development community.

The most interesting example of this was when I testified before the House Judiciary Committee's Subcommittee on Intellectual Property – this was an on the record testimony in front of elected officials. The entire thing was, to be honest, just a very cool experience.

Swearing in and Congressional testimony on Copyright in the "age of apps."

One activity available to every ACT member is the ACT Fly-In. I’ve attended probably ten of these – they consist of a day of training and then a series of briefings with Senate and House staff (and sometimes the Representatives or Senators themselves) on timely issues. It’s a crash course in US civics as well as important tech issues of the day.

Q5: Any closing thoughts you’d like to share?

Just stay tuned – we (PreEmptive) will be putting together updates and even training as The CASE Act comes up for a vote. No matter what the political climate, protecting Intellectual Property is always popular with all parties (a close second to children). This Bill has bipartisan support and will almost certainly be passed in the not too distant future. We plan to help with outreach to make it as easy as possible to layer US Copyright Protection practices on top of the actual app security technology and practices that we license. In the end, we see this as a part of our core mission – to help secure our clients’ work – and in particular – the VALUE our clients create.

Latest NIST publication reinforces Developer Obligations (and liability)

On June 11, NIST released Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework. While a solid piece of work in its own right, this document is noteworthy because it stands as one more proof point - in an already long list of proof points, that development processes, the developers themselves, and the organizations they belong to, ALL share some degree of responsibility (liability) for:

Untrusted Environments, Valuable Apps? Put the Protection in the App.

IT environments are evolving. Disappearing are the days of in-house, fixed-endpoint, limited access server stacks — replaced instead by a combination of private and public cloud solutions, mobile applications and IoT devices.

As noted by research firm IDC, public cloud spending now outpaces all other IT infrastructure with a growth rate topping 10 percent year-over-year, while Statista reports that users downloaded more than 178 billion apps in 2017 alone — and are on track to break 250 billion over the next few years.

What does this mean for organizations? That application environments are quickly moving beyond the purview of in-house IT, exposing both apps and network services to steadily growing risk. It creates a paradox: Companies can’t deny the benefits of third-party environments and application partnerships, but also can’t ignore the threat of app and data compromise or reverse-engineering and tampering.

In a recent developer survey, Xamarin.Android developers were 50% less likely to have included rooted device detection or anti-tamper prevention as their Java Android peers were. Yet, both sets of apps are being deployed through the same marketplaces onto the same devices and are governed by the same regulations (PCI, GDPR, HIPAA to name just a few that expect these kinds of controls).

Why are more Xamarin.Android apps going unprotected?

The life of a security architect is rarely simple. Assessing, defending and improving corporate networks requires thorough knowledge of industry best practices designed to secure critical data, combined with real-world understanding of hacker tricks and tactics meant to undermine this purpose.

As noted by the InfoSec Institute, this is an in-demand job that often comes with high expectations, odd hours and the need for constant professional evolution to stay ahead of cybercriminal threats. Complicating matters is the breakneck pace of technological advancement. The rapid rise of cloud deployments, mobile applications and IoT devices can make even best-laid security strategies seem like flies in amber — hopelessly out-of-date and effectively immobile.

Here’s a look at what’s really bugging security architects — and how they can break the mold of static security to combat emerging threats.