
A cautionary tale for software engineers/programmers

Started by zuludelta, August 06, 2008, 01:33:03 PM

zuludelta

Here's an interesting news story that I got wind of courtesy of Steven Grant's Permanent Damage column.

Read the full article here.

Summary of the article for those of you who can't be bothered to click the link:

US Air Force Sgt. Mark Davenport found his unit's database management software to be inefficient. Denied a request for further training in computer programming, Davenport proceeded to study on his own time, eventually gaining the skills necessary to write his own software. Davenport then started beta testing his database software with his own unit, and his superiors were so impressed with his work and his initiative that he was recommended for promotion. His superiors also demanded the source code for his database application.

Davenport, however, had sold the distribution rights to the program to software publisher Blueport. Now you'd think that the military brass would do a sensible thing like negotiate a licensing deal with Blueport so they can use the software on the Air Force's computers. But no. Instead, they hire a company to crack Davenport's program and bypass the timed expiration code he wrote into the beta version of the software.

Blueport sues the Air Force for copyright infringement but apparently, the federal government can only be sued if it chooses to be liable because of sovereign immunity. End result: Davenport and Blueport don't get paid for their software, and the Air Force gets to keep using pirated software.

A pretty clear-cut case of the authorities saying "do as we say, not do as we do."

BlueBard

He made two mistakes.

Number one, he was a government employee.  Not only that, but he was an enlisted member of one of the Armed Services.  So basically, the guy was government property.  You might not see a law phrased in just that way, but believe me, that's how the military looks at it.  It could be questioned as to whether he was "on his own time" even if his activities never got anywhere near a military base or a military operation.

I'm not saying that's reasonable or legal, mind you.  Just giving my opinion as to what certain persons in high places might think of it.

Next mistake.  He beta tested his software on government property, with government equipment, using government data.  Big, big mistake.  He used government resources in his development work, which would tend to give certain persons a sense of entitlement.  Furthermore, he'd deployed his software within his unit, possibly causing the unit to be dependent on the software.  That impacts operational readiness.  You'd better believe that the military would get rid of the timed expiration if they thought it would bring their operations to a screeching halt, and if that's true I wouldn't blame them a bit.  (Probably not, but I don't know the particulars.)

Frankly, they probably could have ordered him to provide the source code (as a member of the military he's required to obey any lawful order, as expressed by the UCMJ) and prosecuted him under military discipline if he'd failed to do so.  Whether it was a lawful order would have been highly debatable, but that would have been determined in a military court.  He's probably lucky that he didn't land in a military brig and/or dishonorably discharged.

I'm not saying that's right.  They really should have compensated him.  But I imagine they felt that he'd been compensated with a promotion.

Had he been a government (non-military) contractor... or even a government bureaucrat... he most likely wouldn't have had that outcome.  He'd have been treated differently and the demarcation between his government work and his civilian life would have been less fuzzy.  Being a member of the military doing 'military' work, he was hosed.

Oh, he'll probably eventually come out ahead.  The USAF may 'own' this version of his software, but they can't expect to get any support for it nor will they be automatically entitled to any future revision.  No other company will be able to sell the software without running afoul of copyright law or the DMCA.  Blueport will probably eventually get their license fees.

Panther_Gunn

Thoughts from a recently retired Air Force enlistee:

BB hit quite a few things on the head, but I'd like to redirect/address a couple.

Let's start with the program itself.  The article states that it was a manpower database.  That infers that he worked in the Manpower section somewhere.  The denial of his request for training was a no-brainer.  There is no reason whatsoever for any of the career fields that work in Personnel to have Government-funded computer programming training.  What *should* have happened at this point would have been to forward on the request for a new program to the AF's own programmers, or at the very least a request to the Network Center for the purchase of a better commercially available product.  That latter request could also have been channeled to the AF's programmers as a cost-effective solution (depending on if they were using off-the-shelf software or a proprietary system).

Teaching himself how to create a database on his own time & equipment was very commendable.  The minute he introduced it to a Government system, he lost any rights to it that he had, and quite likely violated at least one (or more) regulation.  (software is not to be loaded onto any Govt machine by anyone other than Computer Maintenance or Network Control Center personnel (or an authorized contractor), and every computer user is required to be instructed that before being given access, reminded of it on a yearly basis (recurring training), and sign a statement that they understand and agree with this)

According to the article, for his efforts, he was "recommended for an immediate promotion".  That statement holds about as much weight as a trash bag made out of wet single-ply tissue paper.  What actually happened could have ranged from "Joe, Sgt Davenport's program is pretty good.  Tell his supervisor to recommend him for promotion.", to him getting top marks on his next performance report, with the next-to-meaningless statement "Recommend for immediate promotion!", "Promote now!", "Promote ahead of peers." or somesuch.  It's meaningless, because as long as you haven't screwed up, and they think you're ready to move on, you get that kind of bullet on your report every year.  The only way that statement from the article would have meant anything at all was if they actually submitted a paperwork STEP (Stripes Through Exceptional Performance) package to immediately promote him.  And even those don't always get approved.  From the article, it's hard to tell which actually happened, so it's hard to count it for anything.

Also, according to the article, he only sold his code to the civilian company *after* he was instructed to turn over the code to the AF.  That act alone could have been chargeable under the UCMJ, if they really wanted to.  Also, if they wanted to, the Govt could render the sale of the code null & void, since technically he didn't own it exclusively anymore.

What he *should* have done was to beta a very simplistic version on-base, and then develop it further on his own, changing the source code enough to be relevant, adding all the bells & whistles, and *then* sold that version.  He also should have consulted with the Legal office before doing anything on the Government system, which would have given him a heads up to the muddy waters he was heading into.

I wish the article had stated which base this happened at, since the political climate of the base (yes, they do have them, but it's never talked about) could have been a factor.  I also wish it had stated what his *exact* rank was, instead of just "sergeant", since that covers the entire NCO corps, 5 different ranks.  Knowing what rank he was would also help with a guesstimate on how long he'd been in, and whether he should have known better or not.  In the end, he's out of luck, but due to various bits of paper he's signed during his career, he really doesn't have a leg to stand on.

Disclaimer:  I have not worked in any part of Personnel, nor the Legal office, but I *did* spend the last 12 years as Computer Maintenance, at times attached to the NCC.  Statements about other sections are in-depth generalizations gleaned from 22 years of general experience with the military and dealings with those offices.

zuludelta

Neat points PG and BlueBard. I've served with the military myself (spent my late teens assigned to the 1302nd Community Defense Group - Philippine Army, back when military service was still compulsory) so the quirks of working within an armed forces' own unique brand of bureaucracy aren't entirely alien to me (it took over a year for my unit transfer to push through!).

But I think the bigger picture here, and what I think is more newsworthy, is the fact that the US federal government is immune to lawsuits filed under the DMCA statute. Davenport and Blueport may not have a legal leg to stand on for all practical purposes due to how the courts may interpret what part of the program is rightfully theirs and what portion of it the Air Force is entitled to use for its own purposes, but the lawsuit didn't even get that far. They basically threw the case out because the federal government has immunity for being prosecuted for violating copyright laws. Now, I'm no lawyer nor do I profess to know anything about US law beyond what a layman would know, but the outcome of the case leads me to think that any office attached to the US federal government can violate copyright law and not be held liable for it. Like say, if the Department of the Treasury wanted to install multiple copies of Windows on its computers without purchasing a license, they can do so at will and without fear of any legal consequences.

I'd be very interested to hear/read opinions from forum members who are more familiar with the law and how it works in this regard. It just seems like such a gigantic loophole. 

BWPS

Not that I wasn't aware of the fact prior, but it's always a real treat to be reminded that everything I learn in college is on the internet for free.

I wish I could just give them the government's money and they could give me the damn degree provided I promise to look everything up on the internet (which I do most of the time anyway).

stumpy

Interesting topic, zd. However, I think things may be a little more subtle than they seem. The government gets sued fairly often, despite sovereign immunity. It's true that it essentially allows itself to be sued, but it isn't exactly true that whether sovereign immunity is invoked is independent of the merits of the case. In other words, the fact that Davenport and Blueport didn't have a leg to stand on may well have influenced the decision for the government to play the sovereign immunity card. If the litigants had had a stronger case, the tort may well have been allowed.

That's a long-winded way of saying that I wouldn't read this case to imply the government has a more broad ability to pirate software or ignore DMCA provisions.

BTW, I should add that 1) I'm not a legal expert and 2) I haven't read through nearly all of the DMCA, which may well have explicit special provisions for how cases of government copyright infringement are handled. It wouldn't exactly be the first case of the government (or parts of it) having exemptions from laws that apply to others...

zuludelta

Quote from: stumpy on August 07, 2008, 02:57:02 PM
In other words, the fact that Davenport and Blueport didn't have a leg to stand on may well have influenced the decision for the government to play the sovereign immunity card. If the litigants had had a stronger case, the tort may well have been allowed.

Hmmm. I would have thought it would be the opposite case... if Davenport and Blueport had a weak case against the USAF, then the courts wouldn't have to resort to invoking sovereign immunity, they could just let the litigants' case collapse under its own weaknesses.

Then again, invoking sovereign immunity could have saved the court's time and effort in overseeing a lawsuit that would inevitably get thrown out anyway.

Uncle Yuan

Quote from: zuludelta on August 07, 2008, 03:06:42 PM
Quote from: stumpy on August 07, 2008, 02:57:02 PM
In other words, the fact that Davenport and Blueport didn't have a leg to stand on may well have influenced the decision for the government to play the sovereign immunity card. If the litigants had had a stronger case, the tort may well have been allowed.

Hmmm. I would have thought it would be the opposite case... if Davenport and Blueport had a weak case against the USAF, then the courts wouldn't have to resort to invoking sovereign immunity, they could just let the litigants' case collapse under its own weaknesses.

Then again, invoking sovereign immunity could have saved the court's time and effort in overseeing a lawsuit that would inevitably get thrown out anyway.

If this guy had worked for a private company, developed a software application using company data and company resources, and implemented it on the company system, that product would almost certainly belong to the company.  (The exception would be if he had a very, very unusual intellectual property contract with the company.)  I don't see why the USAF would be exempt from an industry standard in this regard - i.e. this guy would have no case.

zuludelta

Quote from: stumpy on August 07, 2008, 02:57:02 PM
It wouldn't exactly be the first case of the government (or parts of it) having exemptions from laws that apply to others...

I'm sure the dangers of having a governing body being exempt from the same laws that it enforces aren't lost on you, stumpy ("Who watches the Watchmen?" sounds like a pretty appropriate question to ask here). What has me wondering is why there hasn't been a bigger outcry regarding this case, especially given how the prosecution of DMCA violations committed by private citizens has been ramped up in recent years.

Quote from: Uncle Yuan on August 07, 2008, 05:41:09 PM
If this guy had worked for a private company, developed a software application using company data and company resources, and implemented it on the company system, that product would almost certainly belong to the company.  (The exception would be if he had a very, very unusual intellectual property contract with the company.)  I don't see why the USAF would be exempt from an industry standard in this regard - i.e. this guy would have no case.

Davenport developed the bulk application at home using his own equipment on his own time (although his eventually installing and testing the application on a government-owned system makes the case of ownership more nebulous, as Panther_Gunn mentioned in his post). 

But Davenport and Blueport don't even have to prove that the USAF infringed on any of their copyrights. The simple act of circumventing an access control (such as the timed expiration code Davenport wrote into his program) on a copyrighted digital work is already considered a criminal act under the DMCA (at least as far as I understand it).

Again, the bigger issue (at least to me) isn't the validity of Davenport and Blueport's claims to the software. It's the federal government's apparent ability, when convenient, to claim sovereign immunity in cases of alleged DMCA violations perpetrated by branches and offices of the government.

GogglesPizanno

Quote
What has me wondering is why there hasn't been a bigger outcry regarding this case, especially given how the prosecution of DMCA violations committed by private citizens has been ramped up in recent years.

I've been asking myself this question for the last 7 years multiple times a day. It's pretty much par for the course these days. Given all the other "outcryable" things going on, this kind of story easily can get lost in the shuffle.

As a sidenote, a LOT of companies have policies that you agree to (whether you are aware of it or not) when hired that any software or intellectual property conceived or designed while at said job is the property of the company. I've had several friends that have programmed applications on the side and had to be really careful that all work, etc... was done off the clock on their own time, on their own equipment etc.. And they were very careful to document all this. The minute an idea crosses into the employer's realm, they often will try and claim it as theirs. This can sometimes be as silly as telling a co-worker in the lunch room an idea for something and suddenly the company will try and claim intellectual ownership because the idea was conceived and discussed at work (I know someone this has happened to).

zuludelta

Quote from: GogglesPizanno on August 07, 2008, 06:13:57 PM
I've had several friends that have programmed applications on the side and had to be really careful that all work, etc... was done off the clock on their own time, on their own equipment etc.. And they were very careful to document all this. The minute an idea crosses into the employer's realm, they often will try and claim it as theirs. This can sometimes be as silly as telling a co-worker in the lunch room an idea for something and suddenly the company will try and claim intellectual ownership because the idea was conceived and discussed at work (I know someone this has happened to).

Yeah, I've heard numerous horror stories about employers claiming entitlement and ownership for their employees' privately-developed projects, particularly in the software industry (where the lines between office and home are blurry, what with thumb drives, networking, and remote file hosting complicating matters). The simple solution of course is to make your home "work sterile" and don't cross-contaminate your PC with personal and work files.

stumpy

Quote from: zuludelta on August 07, 2008, 06:01:07 PM
[...]What has me wondering is why there hasn't been a bigger outcry regarding this case, especially given how the prosecution of DMCA violations committed by private citizens has been ramped up in recent years.

[...]

Again, the bigger issue (at least to me) isn't the validity of Davenport and Blueport's claims to the software. It's the federal government's apparent ability, when convenient, to claim sovereign immunity in cases of alleged DMCA violations perpetrated by branches and offices of the government.

Both of those are reasons why the circumstances of this case are relevant. There isn't much outcry against exercising sovereign immunity when it looks like the case had no chance, but it looks like an injustice for the government to claim sovereign immunity when there is a credible case against it. The ins and outs of the DMCA are opaque to me, but I have to assume that it isn't criminal to circumvent the copy protection of your own software, which would be, I assume, the government's position.


I tend to agree that sovereign immunity is a very abusable thing and it's full of fairly tortured logic. (E.g. the federal government can sue a state (which also has SI) in federal court instead of the state's court because it would be a conflict of interest for the state court. How it isn't a conflict of interest for the federal court is something of an odd sock.)

But, I'm still not sure this is an indication that the federal government has blanket immunity from software copyright cases. Most software is sold to the government under a contract and Tucker dismisses sovereign immunity for the government when it is a party to a contract. (Otherwise, almost no one would do business with the government.) So, if the government buys 20 licenses for Freedom Force, but then starts pirating them, it can be sued. In this case, I don't know that Davenport had any explicit or even implied contract with the government. He may have put the software on their machines without their agreeing to any sort of deal with him.

And, it's worth bearing in mind that the specific exception to copyright law that the government is claiming here is that a government employee can't use his position to get the government to use his software and then later claim a copyright violation.

(To be sure, I find that exception somewhat specious. If the government has modified software in violation of the DMCA, it shouldn't matter how they came by the software, as long as they know it's a violation to modify it. Though, once again, in this case, while I still think the exception is silly, the claim that there is even a violation of the DMCA is nonetheless weak because Davenport and Blueport face so much difficulty in establishing they are the legitimate Digital Millennium Copyright holders.)


Also, there is a distinction between torts and criminal cases that may be relevant here. While various provisions waive sovereign immunity to allow one to sue the government for damages, you can't charge it with a crime. I assume that's why the court noted the DMCA is directed at individuals. If this were a case directed at some specific person or persons in the USAF, then maybe DMCA would apply more directly.


Anyway, I certainly can't defend the government here, but I can see why the issue is too cloudy to raise much of a general outcry.

zuludelta

Neat points.

I have to admit, I'm fairly out of my depth here... my understanding of the Federal Tort Claims Act (which I believe is the provision that allows a private citizen to file a claim against the US government in defiance of sovereign immunity) is very limited at best... although what you've posted so far seems to be in line with what I think might have happened: Davenport and Blueport attempted to file a DMCA violation suit against the USAF, invoking the Federal Tort Claims Act to allow them to file a tort against the government despite its sovereign immunity, a judge goes over the suit particulars and rules that Davenport and Blueport aren't entitled to the Claims Act's provisions in this case (the burden of proof lies with the plaintiffs, I believe, to prove that the government might be culpable for wrongdoing). Therefore, sovereign immunity still applies, and the case doesn't go forward. 

Quote from: stumpy on August 07, 2008, 07:01:41 PM
But, I'm still not sure this is an indication that the federal government has blanket immunity from software copyright cases.

Hmmm... I think the federal government does have blanket immunity from software copyright cases. It's just that plaintiffs can still be allowed to call the government into liability despite sovereign immunity by invoking the Federal Tort Claims Act. A judge presides over whether the plaintiff is entitled to tort law, though.

stumpy

Quote from: zuludelta on August 07, 2008, 07:21:56 PM
Hmmm... I think the federal government does have blanket immunity from software copyright cases. It's just that plaintiffs can still be allowed to call the government into liability despite sovereign immunity by invoking the Federal Tort Claims Act. A judge presides over whether the plaintiff is entitled to tort law, though.

It seems to me that, effectively, that means the government doesn't have blanket immunity from software copyright cases. Blanket immunity (to me) would imply that the ability to file a tort is usually not allowed. But, what we're seeing here is an example of a disallowed tort in a very unusual circumstance.

I mean, if the policy were to regularly deny legal remedy for government piracy, then government departments would start just pirating all their software, which they would have a huge incentive to do since software is a pretty substantial part of their computing budgets (usually more than the hardware). The usual rule for government abuses is that if someone can't be fired for it or if it doesn't cost the department money, expect it to happen regularly. I don't know for sure, but since I haven't heard much about widespread software piracy by the government, my assumption is that the government generally has to buy its software and allows itself to be subject to civil liability if it copies it illegally.