Special 301: The Politics of Listings

Gabriel J. Michael / gmichael at gwu dot edu

As I mentioned in a previous post, decisions about which countries get listed on each year’s Special 301 Report are highly politicized.

To begin with, and somewhat at odds with its statutory basis, Special 301 reports only selectively identify countries that “deny adequate and effective protection of intellectual property rights.” There are a large number of countries that very clearly do not offer adequate and effective protection, yet are never identified in Special 301 reports because USTR and industry stakeholders do not consider these countries politically or economically important enough to warrant mention.

In fact, by some measures, the mean level of IP protection in cited countries is actually higher than the mean level of IP protection in countries that do not appear on the list. For example, the following figure plots the mean Park-Ginarte index in cited and non-cited countries for the years 1990, 1995, 2000, and 2005 (the years the index is available).

[Figure: Special 301 and IP Protection]

No one can fault USTR for focusing its efforts on politically or economically important countries, but this means that listings should not necessarily be taken as indications of countries that have weak intellectual property rights, a point which I made in a previous post by noting that USTR has in the past placed the European Union on the Watch List.

Along the same lines, USTR placed Canada on the Priority Watch List every year from 2009 to 2012, alongside countries like India, Indonesia, Pakistan, and Russia. Israel has called USTR citations of the country “confusing” given the level of protection in Israel compared to most other Priority Watch List countries.

Clearly, what gets a country listed can vary tremendously. Often, though, deciding whether and where to place a country in the Special 301 report is driven primarily by political considerations rather than objective assessments of the level of IP protection in a country. Wikileaks cables demonstrate this quite clearly. Recall that in addition to input from stakeholders, USTR collects input from embassies around the world when preparing the Special 301 report. Among the quarter-million leaked Wikileaks cables, over 300 cables originating from more than 90 U.S. embassies and consulates deal primarily with Special 301. These cables are concentrated early in each year, since they tend to provide input to USTR prior to the April publication of the report, or alternatively provide reactions immediately following the publication of the report:

[Figure: Wikileaks Cables and Special 301]

The contents of these cables are telling. Embassies frequently recommend that countries’ Special 301 status be raised, lowered, or stay the same based on political considerations. In some cases, embassy staff mention how non-IP issues affect countries’ Special 301 status. Recommendations for listing make references to exerting “pressure” and concerns about maintaining the “credibility” of the process. In the following sections, I briefly discuss cables from Taiwan, Saudi Arabia, Bolivia, and Norway.

Taiwan

In a cable from the American Institute in Taiwan, dated December 13, 2004, the author argues that downgrading Taiwan from the Priority Watch List to the Watch List will have important “public relations” effects, and notes that although pharmaceutical data exclusivity is an outstanding IP issue, Special 301 will have no effect on the Taiwanese government’s position; thus, the author cautions against conditioning Taiwan’s Special 301 listing on this issue:

AIT/T [American Institute in Taiwan/Taipei] supports downgrading Taiwan from the Priority Watch List to the Watch List in the current out of cycle review. Doing so will reinforce Taiwan’s reorientation towards protecting intellectual property and provide a timely public relations victory for advocates of strong IPR protection within the government. Failure to move Taiwan from the PWL to the WL will devalue the 301 process in the eyes of Taiwan officials and will not lead to improved protection of intellectual property, including pharmaceutical data…

Taiwan’s Special 301 status will not significantly influence the government in its decision whether to lobby strongly for early passage of the DE [data exclusivity] bill…  The DOH [Department of Health] is not motivated by international perceptions of Taiwan’s intellectual property regime… Conditioning Taiwan’s 301 status on the passage of the DE bill by the date of the regular cycle review is unlikely to prove a successful strategy.

A second cable from Taiwan, dated January 12, 2009, reveals that unspecified members of a U.S. Trade Policy Review Group wanted to make Taiwan’s Special 301 listing contingent on other issues unrelated to intellectual property:

I am disappointed that factors unrelated to IPR protection have delayed completion of the review.  With the review poised for final interagency review, I would like to stress the critical importance of maintaining the integrity of the Special 301 IPR process.  Allowing issues unrelated to IPR to affect the Special 301 review would, in my view, threaten the efficacy of what has thus far proved our most potent means of advancing a major bilateral trade priority… In view of this reality, we must ensure that the Special 301 mechanism remains a viable tool for advancing our interests.  Linking 301 to unrelated issues, however important, risks  undermining our credibility while limiting our future options for achieving progress on this and other priorities.  I hope every member of the TPRG [Trade Policy Review Group] will put the decision on the pending out-of-cycle review within this broader context, and remove Taiwan now from the Special 301 Watch List.

Saudi Arabia

On January 6, 2009, the U.S. Embassy in Riyadh sent a cable reporting on discussions between embassy staff and an industry trade group. Each year, several trade groups provide detailed recommendations to USTR about where they believe countries should be placed in the Special 301 report. As this cable shows, even these recommendations can be finagled. The trade group was concerned that too severe a designation would backfire. As a result, the group discusses a quid pro quo: if the Saudi Arabian government engages in specified actions, the group will offer a less severe recommendation:

Although the International Intellectual Property Alliance (IIPA) is preparing to recommend that Saudi Arabia be placed on the Special 301 Priority Watchlist, representatives in Riyadh said they feel “handcuffed” into this  recommendation, and would prefer to recommend a more favorable rating… However, as the SAG [Saudi Arabian Government] has gained momentum and motivation to combat IPR violations in recent months, IIPA fears that a negative recommendation, while “required” under their methodology, will do more harm than good…

Butler said IIPA is looking for ways to positively reinforce SAG efforts while still maintaining its institutionalized standards.  To that end, he described to Econoff [the embassy’s economic section] an action plan that, in IIPA’s view, might result in a better ranking for Saudi Arabia.  According to Butler, if the SAG took action against street vendors and fully populated the website of ongoing cases maintained by the Ministry of Culture and Information (MOCI) (ref B), the IIPA would be prepared to offer a recommendation that Saudi Arabia remain on the Watchlist.

Bolivia

In this cable from April 30, 2007, the U.S. Embassy in La Paz recommends against placing Bolivia on the Priority Watch List because of the “damage” such an action might cause. The author notes that a more severe listing would not have any positive effect:

Piracy and counterfeiting are serious problems, existing intellectual property rights (IPR) legislation is weak, and enforcement is inadequate. Post believes prospects for improvement are slim, especially given the Morales’s administration’s inattention to IPR. Post does not recommend any stronger steps against Bolivia at this time, however, as such an action could encourage anti-American actions and damage ongoing efforts to educate the Bolivian public on IPR…

While the IPR situation in Bolivia merits continued standing on the Watch List, Post recommends against any stronger action at this time.  Placement of Bolivia on the Priority Watch List would have no positive practical result, and the effectiveness of any future IPR education and outreach would be damaged by Bolivian government outrage at a change in Special 301 status.  For these reasons, Post recommends no change to Bolivia’s Special 301 Watch List status.

Norway

In a cable from the U.S. Embassy in Oslo, dated March 17, 2009, the author makes references to discussions of “relabeling” IP deficiencies in Norway as market access issues. The author also notes that a Special 301 listing provides U.S. negotiators with “leverage,” and indicates that the loss of such leverage is a good reason to keep Norway listed:

Post understands that there is consideration of delisting Norway, relabeling the pharma situation as “market access issues” rather than deficiencies (Ref B).  Doing so would produce real, unintended negative consequences for the USG [U.S. government]…

We believe that the increased leverage we have seen with the GON [Government of  Norway] as a result of the listing will immediately disappear if Norway is delisted.  Quite simply, re-characterizing the listing as an issue affecting market access carries much less influence, and clout, and Norway will take it as a sign we no longer really care about the matter.

I’ve only touched on a few of the hundreds of cables dealing with Special 301, but by now it should be quite clear that designations are far from an objective, technical process. Rather, USTR and U.S. embassies around the world consider listing, removing, upgrading, and downgrading countries for a variety of political reasons: public relations, linkage to unrelated non-IP issues, bargaining leverage, concern about whether listings will be effective or backfire, etc. Even whether an IP issue is considered a “deficiency” or a “market access” issue is a political decision.

The other major point to take away from these cables is the significant influence that key stakeholders, like industry trade groups, have on both embassy recommendations and USTR decisions. Embassy staff regularly speak with representatives of the IIPA, MPAA, IFPI, PhRMA, and BSA. These trade groups do not represent the full spectrum of views about appropriate intellectual property policy; to the extent that they wield a disproportionate amount of influence on the Special 301 process, that process is necessarily biased.

This post is licensed CC BY-SA 4.0, and may be shared and reposted with attribution. Please include a link back to this page, which will contain the most up-to-date version.

Special 301: Replicating Riker (2012)

Gabriel J. Michael / gmichael at gwu dot edu

A previous post discussed Riker’s 2012 article, “Special 301 and Royalty Receipts from U.S. Trade Partners,” published in the International Trade Journal. I mentioned that I was trying to replicate his results. Apart from the problems I discussed before (choice of dependent variable, endogeneity, and limited data coverage), my attempt at replication uncovered additional problems.

First, the article incorrectly claims that Hong Kong was designated a Special 301 priority in every year between 2001 and 2007. In fact, Hong Kong has never been designated a Priority Foreign Country, has never appeared on the Priority Watch List, and has never been subject to Section 306 monitoring. Indeed, Hong Kong is only rarely mentioned in Special 301 reports throughout the years. It appeared on the Watch List in 1997 and 1998, and underwent an out-of-cycle review in 1999.

This error does affect the coefficient estimates in the article, although not significantly. On the other hand, it causes Riker to overstate his estimated dollar value impact of Special 301 designations by $650 million.

Riker uses three sources of data to construct his econometric models: GDP, BEA data on IP royalties, and Special 301 designations. GDP data is widely available from sources such as the World Bank and International Monetary Fund. Both sources yield comparable results. The article does not clearly indicate that the models used inflation adjusted data, but I assumed that they did, although using nominal GDP yields comparable results. The BEA data can be obtained online, although it required some piecing together to get all 33 countries over the time period used in the models. The BEA data appear to report nominal values, so I adjusted them for inflation, though as before, using nominal values yields comparable results. I already had a Special 301 dataset which I have used in other research. Apart from the Hong Kong error in Riker’s article (described above), my Special 301 dataset appears to match the one used in the article.

Riker’s article reports the results of three different models. Each model uses the year-over-year change in logged IP royalty receipts as the dependent variable. Models 1 and 2 use “priority designation” (defined as either being a Priority Foreign Country, being on the Priority Watch List, or being under Section 306 monitoring) as the key explanatory variable. Model 3 separates countries designated in every year from countries designated only in some years. All three models include year fixed effects, and Model 1 also includes country fixed effects. Based on F tests, Riker concludes Model 1 is the most appropriate. For reference, I have included the original regression results reported in the article:

[Table: Riker Regressions]

The following table presents the results of my regressions, which attempt to replicate the regressions in the article as closely as possible. As you can see, I use the same panel structure of 33 countries and 7 years, producing 231 observations. My estimates of the effects of changes in GDP were larger than in the article, but my estimates of the effects of priority designation closely match the article. Given the errors in the original dataset, updated GDP data, and differing implementations used by various statistical software packages, some discrepancies are expected. Overall, though, I was largely able to replicate Riker’s original findings:

[Table: Michael Replicated Regressions]

Beyond simply replicating these results, I also wanted to modify the models and see how these modifications affected the results. Importantly, Riker excludes Watch List designations, but does not explain why. Watch List designations might have a less pronounced effect than the more severe Priority Foreign Country and Priority Watch List designations, but if one believes that Special 301 is effective at all, there is little reason to draw the line at the Watch List. Thus, I wanted to include Watch List designations.

Furthermore, two years have elapsed since Riker’s article was published, so I have the benefit of additional data. I wanted to include additional years of data to see if Riker’s original results still held.

The following table presents three modifications of Riker’s original Model 1. In each case, the statistical significance of the Special 301 explanatory variable disappears. Model 1.1 retains the original 231 observation dataset, but redefines the designation variable to include Watch List designations. In doing so, the designation variable becomes insignificant—its effect is indistinguishable from zero. Model 1.2 retains Riker’s original Special 301 variable, but expands the dataset by six years (covering 2000-2012, rather than 2002-2008). Thus, Model 1.2 is identical to Model 1 in the previous two tables; the only difference is that it includes more data. As you can see, the Priority Designation variable is no longer significant. Model 1.3 uses the redefined designation variable of Model 1.1 in conjunction with the expanded dataset; again, the Special 301 variable is insignificant.

[Table: Michael Extended Regressions]

To summarize, while I was able to replicate Riker’s results, simply including additional years of data causes his findings of significance to disappear. Likewise, even in his original dataset and models, if Watch List designations are included, the findings of significance disappear.

Ultimately, these results lead me to conclude that Riker’s 2012 article is both theoretically and empirically flawed. It cannot support the conclusion that Special 301 designations are correlated with increased IP royalties from designated countries in subsequent years. Even if it did, this would be an inappropriate measure of Special 301’s effectiveness. In a future post, I plan to test Special 301’s effectiveness using a more appropriate measure: changes in an index of IP rights.

Special 301: Is it Effective?

Gabriel J. Michael / gmichael at gwu dot edu

My previous post discussed how Special 301’s enforcement mechanism has rarely been used, and is even less likely to be used in the future. But the frequency with which an enforcement mechanism is used is not a measure of effectiveness. We don’t measure the effectiveness of criminal justice systems by the number of people in jail (at least, we shouldn’t). Perhaps Special 301 is effective in accomplishing its goals even without resort to its enforcement mechanism.

What are Special 301’s goals? According to USTR’s discussion of its statutory mandate, there are two different motivating concerns: Special 301 must 1) identify countries “that deny adequate and effective protection of intellectual property rights,” and 2) identify countries that “deny fair and equitable market access to United States persons that rely upon intellectual property protection.”

These two goals are very different. A country with very high standards of protection for intellectual property might nonetheless be considered to deny market access to U.S. persons. For example, by any reasonably objective standard, the European Union offers very high levels of IP protection. Yet as recently as 2006, Special 301 listed the European Union on its watch list, citing “concerns” about the EU’s geographical indication (GI) regime. Given that GIs are a form of intellectual property, USTR essentially placed the EU on its watch list for offering too much IP—or, if you prefer, the wrong kind of IP. Interestingly, this is a tacit admission by the U.S. that at least some kinds of IP can act as trade barriers.

Special 301 reports tend to focus more on the first issue than the second; that is, countries are more often cited for their failure to offer U.S.-approved levels of IP protection rather than for market access issues. Furthermore, most of the academic literature on Special 301 tends to focus on the “adequate and effective protection” part. Thus, this is where I’ll focus my attention as well. That said, it would be worth trying to evaluate whether Special 301 is effective in improving market access at some point.

Obviously Special 301’s goal isn’t just to identify countries, but also to increase the level of protection these countries offer. As a result, it’s possible to evaluate the performance of Special 301 by measuring the degree to which cited countries’ IP protections increase.

Of course, it’s not quite that simple—one needs to control for other factors that might be responsible for increasing levels of IP protection. After all, the general level of IP protection around the world has been creeping upwards for a long time. In the graph below, I plot the Park-Ginarte index of patent rights (Ginarte & Park, 1997; Park, 2008) for all available countries and years, along with the mean world value (the black dots). Obviously patents aren’t the only IP at issue, but given the upward trend in copyright terms, accessions to the WIPO Internet Treaties, and implementation of TRIPS, it would be tough to argue that worldwide levels of copyright protection haven’t also been increasing in a similar fashion.

[Figure: Increasing Levels of IP Protection Worldwide]

Thus, in order to determine if Special 301 is effective, one would have to compare the increase in IP protection of cited countries against the increase in IP protection of non-cited countries while controlling for other factors associated with increasing IP protection, such as the level of economic development or whether a country has joined the WTO and implemented TRIPS.

A lot of the research on Special 301’s effectiveness uses single case studies and is rather dated, focusing on the early years of the process. I’ve only been able to identify one recent study that tries to take the approach I’ve outlined above: Riker (2012) published an article entitled “Special 301 and Royalty Receipts from U.S. Trade Partners” in the International Trade Journal. He concludes that “priority designations between 2001 and 2007 are associated with a cumulative $5.4 billion increase in annual U.S. royalty receipts.” Riker speaks of the “economic consequences” of Special 301 designations, implying that a causal relationship exists between designation and increases in U.S. IP royalties.

I’m working on trying to replicate his results, but there are a number of problems with the article. First is the selection of the dependent variable: Riker chooses to use BEA data on IP royalties received by the U.S. from other countries. However, the stated goal of Special 301 isn’t to increase the level of royalties received by the U.S., but to increase the level of IP protection foreign countries offer. Riker chooses to treat the level of IP protection as a latent variable, and rejects using the Park-Ginarte index since it is only available in five-year increments. This strikes me as odd; first, since the Park-Ginarte index is available for 1990, 1995, 2000, and 2005, one could test to see whether Special 301 designations have any effect on the measure in these years. Second, the Park-Ginarte index isn’t the only measure of IP protection with wide coverage. The World Economic Forum produces a measure of IP protection, currently available for the years 2006-2013. (Though to be fair, the WEF data probably wasn’t available when Riker was writing the paper). Third, the World Bank produces data on royalty receipts and payments with wider coverage than the BEA data; this data might capture increased royalties that flow to countries besides the U.S. as a result of Special 301 designations. After all, there’s no logical reason to expect the benefits of increased IP protection in foreign countries to accrue solely to the U.S.

In fact, using BEA’s royalty data as a dependent variable would probably be a far better choice for evaluating Special 301’s progress towards its other goal—increasing market access for U.S. persons. But Riker’s models don’t include any measure of market access.

The next big problem with Riker’s article is its relatively limited data coverage. Special 301 has been around since 1989, yet he examines only the period between 2001 and 2008. Furthermore, because of his choice of dependent variable, he is forced to limit his analysis to the 33 countries for which the BEA provides IP royalty receipt data. Of these 33 countries, only 14 were designated as Special 301 priorities. In contrast, by 2007, Special 301 had over its lifetime designated a total of 87 countries.

Part of the problem is that Riker limits what he counts as Special 301 “designations” to Priority Foreign Countries, Priority Watch List members, and countries undergoing Section 306 monitoring. There is no logical reason to exclude countries on the Watch List, yet Riker ignores these designations. Perhaps he assumes simple Watch List designations will not have any effect on royalties; if so, that assumption should have been tested, as the answer would have been illuminating. Still, between 2001 and 2007 (Riker’s range of Special 301 data) there were 30 countries that meet his criteria for designation, but his dependent variable only allows him to include less than half that number in the analysis. There is no way to know if his results would hold when extended beyond his minority of selected countries.

Finally, Riker assumes “that the Special 301 priority designations are exogenous determinants of U.S. royalty receipts from the prioritized countries.” That is, Riker assumes that there is no way priority designations could be affected by royalty receipts. This is an unjustified assumption. In fact, one could reasonably assume endogeneity here: priority designations might be focused on countries with increasing royalty receipts, since these are precisely the countries that matter most to USTR and private stakeholders.

To wrap up, the only large-N quantitative study assessing the effectiveness of Special 301 suffers from a less-than-ideal choice of dependent variable, very limited data, and implausible assumptions about how Special 301 works. It cannot be used to conclude that Special 301 is generally effective in increasing the level of IP protection in cited countries.

Contrary to Riker’s description of Special 301 designations as a “technical assessment,” Special 301 is a highly politicized process. As Flynn (2010) notes, most of the recommendations made by powerful private stakeholders find their way into the final report. My next post will address the politicization of Special 301; for now, it suffices to say that there is very strong evidence that Special 301 designations are anything but “technical assessments.”

Special 301: What’s the Point?

Gabriel J. Michael / gmichael at gwu dot edu

This year marks 25 years of Special 301 reports. Most readers are probably familiar with the annual process, in which the Office of the United States Trade Representative (USTR) spends about four months collecting input from embassies, soliciting comments from stakeholders, and holding hearings, culminating in the release of a report that places a number of countries on lists of various severity for perceived failures relating to intellectual property policy.

It’s an important event in the DC IP community. The big IP trade groups submit comments and testify in person, as do various consumer and advocacy groups. Sometimes embassy staff from foreign countries testify. In other words, a lot of effort goes into Special 301, both from the agency and from private groups.

In fact, the sheer size of the reports has been increasing over the years. The earliest reports were less than 10 pages, whereas recent reports have been longer than 50 pages. At the same time, however, the number of countries cited in the report peaked in 2000, and has generally declined since then.

This is interesting, since it seems to suggest that more effort (or at least more detail) is being put into the Special 301 process, but that the process is focusing on fewer countries.

[Figure: Special 301 Report Details]

At the same time, however, the primary enforcement mechanism of Special 301 has essentially disappeared over the past 20 years. In theory, when the U.S. designates a country as a priority foreign country (PFC, the most severe designation), this can lead to suspension of trade benefits and even imposition of tariffs as punishment. In practice, this has only rarely happened, and is even less likely to happen in the future.

Flynn (2010) notes that the U.S. revoked GSP benefits for Brazil in 1988, Thailand in 1989, and India in 1992, all due to disagreements over pharmaceutical patents. More recently, the U.S. suspended Ukraine’s GSP benefits in 2001, citing inadequate intellectual property protections. Critically, none of these countries were WTO members at the time of GSP revocation. The WTO did not exist prior to 1995, and Ukraine did not join until 2008. Thus, there is no instance in which a Special 301 designation as a priority foreign country has resulted in GSP revocation for a WTO member. The number of non-WTO members cited by Special 301 peaked in 2000 at 16, and has been declining since then. For example, the 2014 report lists just four non-WTO members: Algeria, Lebanon, Turkmenistan, and Uzbekistan. These are the only four countries that the U.S. could conceivably revoke GSP benefits from over IP issues, and none of them are (or ever have been) priority foreign countries.

Thus, unless the U.S. takes the unprecedented step of revoking the GSP benefits of a WTO member on the basis of a Special 301 designation, Special 301 has no real teeth. It is a process without an effective enforcement mechanism.

[Figure: Special 301 WTO Membership]

This leads me to two related questions. First, if Special 301 designations can’t really be enforced, what is the point of the process? Second, if Special 301 designations can’t really be enforced, why do both public and private actors devote significant, and even increasing, resources to the process? There are various theories floating around, but in my opinion they’re not entirely convincing. I’ll address some of them and offer my own take in a future post.

The University of Maryland Data Breach: Insights and Questions

Wow, that brings back memories!

Gabriel J. Michael / gmichael at gwu dot edu

Yesterday evening, the University of Maryland announced that it had suffered a data breach exposing personally identifiable information of approximately 309,079 individuals, including current and former students, current and former faculty and staff, administration, and affiliated personnel.

Specifically, the University is reporting that attackers were able to copy a database containing the full names, Social Security Numbers (SSNs), birth dates, and University ID numbers (UIDs) of everyone issued a university ID since 1998.

The University’s response so far has been reasonable. The breach is thought to have occurred early Tuesday morning, and the University began notifying the public Wednesday evening, less than 48 hours later. Outside investigators are being brought in to examine what exactly happened.

However, there remain several serious issues that must be addressed by the University within the coming days and weeks to ensure an adequate and appropriate response to this incident. As an alumnus with some knowledge of the University’s security practices in the past, here are my thoughts.

The University Must Immediately Address Related Security Issues

I attended the University of Maryland, College Park, between 2003 and 2007. This morning, I logged into the Testudo registrar system using my Student ID number (SID) and PIN. As the Testudo website helpfully notes, your “Student ID, in most cases, will be your Social Security Number” and “Your PIN is originally set to your six (6) digit birth date (e.g. mmddyy or 012585).”

In my case, both these statements were accurate, and I was able to log in and access the transcript request service using my SSN and birth date. I suspect this is the case for large numbers of alumni, if not current students. I vaguely remember changing this PIN while I attended the University, but even if I wanted to now, there is no obvious way to do so.

This means that the attackers (or more likely, anyone they have sold the data to) can currently request academic transcripts for any current or former student. Apart from the actual breach itself, this is almost certainly a separate FERPA violation. Unscrupulous individuals could use these transcripts in a variety of interesting ways.

If it has not already done so, the University should immediately begin monitoring the transcript request service and other related services that rely on the SID/PIN combination to prevent fraudulent access, and perhaps impose additional informational requirements before granting access to these services. The University should also advise affected individuals how they may change their PIN.
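One way to scope the exposure described above is to audit which accounts still use the SSN as the SID and still carry the default birth-date PIN, so they can be queued for a forced reset and extra verification. This is an added example, not the University's code: the record layout, the PBKDF2 storage format, and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Assumed storage format: PBKDF2-HMAC-SHA256 with a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def default_pin(birth_date: date) -> str:
    """The initial PIN as the registrar site describes it: birth date as mmddyy."""
    return birth_date.strftime("%m%d%y")


@dataclass
class Account:
    record_id: str   # opaque key, so findings never carry the SSN itself
    sid: str
    ssn: str
    birth_date: date
    pin_salt: bytes
    pin_hash: bytes


def audit(accounts):
    """Map record_id -> list of findings for accounts needing remediation."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.sid == acct.ssn:
            issues.append("sid_is_ssn")
        # Re-derive the default PIN under the account's own salt and compare
        # in constant time; a match means the PIN was never changed.
        candidate = hash_pin(default_pin(acct.birth_date), acct.pin_salt)
        if hmac.compare_digest(candidate, acct.pin_hash):
            issues.append("default_pin")
        if issues:
            findings[acct.record_id] = issues
    return findings


def make_account(record_id, sid, ssn, born, pin):
    # Deterministic salt keeps the demo reproducible; use os.urandom in practice.
    salt = hashlib.sha256(record_id.encode()).digest()[:16]
    return Account(record_id, sid, ssn, born, salt, hash_pin(pin, salt))


# Constructed sample records. The 000 area number is never issued as an SSN.
SAMPLE = [
    make_account("rec-001", "000000001", "000000001", date(1985, 1, 25), "012585"),
    make_account("rec-002", "000000002", "000000002", date(1984, 7, 4), "483920"),
    make_account("rec-003", "110234567", "000000003", date(1986, 12, 31), "918273"),
]

if __name__ == "__main__":
    for record_id, issues in audit(SAMPLE).items():
        print(record_id, ",".join(issues))
```

Accounts flagged with both findings are the ones a holder of the copied database could log into directly, so they are the first candidates for a forced PIN reset.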

One Year of Free Credit Monitoring is Inadequate

As part of its response, the University has committed to providing “one year of free credit monitoring” through an as-yet unspecified company to those affected. While better than nothing, this is inadequate. Unlike data breaches involving credit or debit card numbers, which can be reissued, this breach released SSNs, which are extremely difficult to change.

I was affected by the recent Target data breach, which exposed my credit card number to the attackers. However, my credit card company is issuing a new card with a new number, making the old card information useless. In contrast, the information obtained from the UMD data breach will remain valuable for decades to come. In fact, it will become even more valuable in a year when the free credit monitoring has expired.

The University Must Disclose the Technical Details of What Happened

So far, we know virtually nothing about the technical details of the attack. Given that the attack is still under investigation, this is understandable. However, when the investigation is complete, or at least when enough detail has been uncovered, the University must disclose the technical details of what exactly happened. There are several reasons why such disclosure is important.

First, it provides a valuable public service. If other organizations rely on similar security measures or software packages, they should have the opportunity to address the security flaws that affected the University. By not releasing details of the attack, the University would be ensuring that such attacks could be repeated in the future against other organizations.

Second, it allows us to verify University statements. The University is currently describing this incident as a “sophisticated computer security attack.” The Diamondback is calling it a “massive cyberattack.” The University’s Chief Information Officer is saying ‘The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected… in contrast with typical attacks,’ claiming “These people picked through several locks to get to this data.”

Perhaps these statements are true, but given my previous experience with UMD’s security practices (discussed below), I have my doubts. The Target breach was a relatively sophisticated attack. Without any technical details, we don’t know if the UMD breach was due to carelessness, negligence, an honest mistake, or whether appropriate measures were actually in place and were simply defeated.

Third, by releasing the technical details of the attack, the University will be forced to discuss how they have responded to the attack to prevent its recurrence. Knowledgeable members of the public can then assess the response to see if it is adequate. In the past, the University has responded to security problems with a rushed and inappropriate response, creating further problems down the road (discussed below).

Could the Breach Have Been Easily Avoided?

Without technical details, there is no way to answer this question with any certainty. However, my previous experience with security practices at UMD gives me pause.

I attended UMD between 2003 and 2007. Between at least 2003 and 2006 (and probably earlier), the University used students’ SSNs as their primary identifier. In order to get a transcript or interact with the registrar, you provided your SSN. If you lost your ID card, or forgot it when you went to the gym, a helpful student worker would ask, “What’s your soc?” (pronounced “sōsh”). Several times I remember having to write my SSN on the cover page of academic documents.

The SSN was also stored on the magnetic stripe of every student’s University ID card, although the number was not printed anywhere on the card.

This was a bad practice, and eventually the University began to transition from using SSNs to University ID numbers (UIDs). It also re-issued ID cards to the entire university population. This latter decision was at least in part prompted by the work of a group of students who were studying the University’s security and access protocols. I was informally involved with this group. For a detailed overview of their work (minus some redactions), read this paper.

Unfortunately, in its haste to remove SSNs from ID cards and despite being warned about the problems it could cause, the University made the poor decision to replace the SSN with the UID. This presented a problem, since the UID was publicly accessible for the entire student/faculty/staff population on an LDAP directory server. This meant that a malicious individual could look up the UID of any individual, and create an ID card that would allow them physical access to any location the individual could normally access.

The university eventually rectified this mistake, if I recall correctly, by re-encoding the recently re-issued ID cards with a meaningless identifying number that was not publicly accessible, as they should have done in the first place.

I could go into much more detail about the above, but it is mostly technical and not necessarily related to the data breach. Along the same lines, when students discovered that the University was storing location access information from their ID cards, and even using this information in police investigations, the University initially denied this was the case.

I hope UMD does better this time. Perhaps there have been significant changes in the past seven years. But I’ll note that the transition away from SSNs was approved back in 2005, and here we are, 9 years later, facing this breach.

Organizations Must Take Steps to Limit the Collection and Retention of Unnecessary Data

In closing, this incident highlights the danger of the collection and retention of unnecessary data. Note that I am not saying that this particular database should not have included the information it did. There are many valid reasons for the University to have a database with this kind of information; e.g., alumni from years past need to be able to access records, and the school needs a way of identifying that they are who they say they are. (Technically this can be accomplished without storing the actual SSN, but see the addendum below for why this approach might not work).

However, I think this kind of incident should lead us to think carefully before we assemble large databases of information that we do not necessarily need. For example, many states and localities are using license plate readers to collect location and timing information of cars. Very few police departments using this technology have developed rules or guidelines about who can access the data, how long it will be retained, for what purposes it can be used, and with what other organizations it can be shared. These are the sorts of things that should be thought about before collection begins, and not after a breach has occurred.

Addendum: One Facebook commenter asked why UMD couldn’t have simply used a hash function to avoid storing the SSN at all. Obviously it wouldn’t work for current students, since they need to issue W-2s, 1098-Ts and other tax documents, etc., that include the SSN, but why not for alumni?

There’s probably no good answer for why this wasn’t done, but there are probably many bad answers. E.g., there are probably reporting requirements to the state, IRS, law enforcement, etc. that might require the university to produce the SSNs of former students. Also, even if they did hash the SSNs, an attacker could easily brute force the relatively limited number of SSNs (9 digits, so 1 million combinations without considering rules which significantly reduce the search space) for each student unless the hashes had been salted, etc. Now maybe that problem could have been solved by encryption rather than hashing. But given that this database might have been structured in 1998 or even earlier, it’s possible no one was thinking along high security lines back then.
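The trade-off in the addendum can be checked as a design review test: given only what a copy of the database contains, can a stored SSN token be reproduced by walking candidate values? This is an added example, not code from the post or the University. It goes one step beyond the addendum by including a keyed hash (HMAC) whose key is held outside the database, a technique the post does not name; SHA-256, the token layouts, and all sample values are assumptions constructed here.

```python
import hashlib
import hmac

# Constructed values. The 000 area number is never issued as an SSN.
DEMO_SSN = "000012345"
DEMO_SALT = bytes.fromhex("a1b2c3d4e5f60718")  # stored in the same row as the hash
DEMO_KEY = bytes(range(32))                    # assumed to live outside the database


def unsalted(ssn: str) -> str:
    return hashlib.sha256(ssn.encode()).hexdigest()


def salted(ssn: str, salt: bytes) -> str:
    return hashlib.sha256(salt + ssn.encode()).hexdigest()


def keyed(ssn: str, key: bytes) -> str:
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def recover(stored: str, derive, candidates):
    """Return the candidate whose derived token equals `stored`, else None.

    `derive` models what a party holding only the database copy can compute.
    """
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), stored):
            return candidate
    return None


def verify(presented_ssn: str, stored: str, key: bytes) -> bool:
    """Legitimate check: the service holds the key and matches a presented SSN."""
    return hmac.compare_digest(keyed(presented_ssn, key), stored)


def assess():
    # A small slice of the nine-digit space is enough to show the property.
    space = [f"{n:09d}" for n in range(50_000)]
    return {
        # Everything needed to recompute the token is public.
        "unsalted": recover(unsalted(DEMO_SSN), unsalted, space),
        # The salt sits beside the hash, so one record can still be walked;
        # the salt only stops one precomputed table from serving every record.
        "salted_salt_in_db": recover(
            salted(DEMO_SSN, DEMO_SALT), lambda c: salted(c, DEMO_SALT), space
        ),
        # Without the key the derivation cannot be reproduced from the copy.
        "keyed_key_elsewhere": recover(
            keyed(DEMO_SSN, DEMO_KEY), lambda c: keyed(c, bytes(32)), space
        ),
    }


if __name__ == "__main__":
    for scheme, found in assess().items():
        print(f"{scheme}: {'recoverable' if found else 'not recoverable'}")
```

The keyed variant still supports the alumni lookup the post describes, because `verify` matches a presented SSN without the database ever holding the number; its protection depends entirely on the key not being stored alongside the data.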


Nicolas Rapold and Why the Public Domain Sucks

By now, most of you have probably read Nicolas Rapold’s New York Times piece on film and the public domain. Apart from demonstrating what seems to be an almost willful misunderstanding of how the public domain functions (e.g., there’s no mystery as to why Birth of a Nation is no longer under copyright), Rapold refers to the public domain as “purgatory” for film.

I don’t know why he didn’t simply call it “hell,” since purgatory implies that films will languish for a period of time before being restored to the holiness of copyright protection.

Yes, the article is bad. It places the blame for poor quality releases at the feet of the public domain, without noting that the alternative is not high quality releases, but nothing. It suggests that the low prices of “discount DVD bins” are somehow a bad thing. It notes but does not engage the fact that in some cases, were films still under copyright, their directors would choose to keep them locked away from us. It fails to point to research indicating that copyright protection actually decreases the availability of older works.

All that being said, as it is, the public domain sucks.

It’s old. The rule of thumb is that works made prior to 1923 are in the public domain. This rule is inaccurate in both directions, since unpublished works made prior to 1923 might still be under copyright, and many works made after 1923 are in the public domain for a variety of reasons, such as their owners not renewing the copyright or failing to observe formalities. But all those exceptions are too complicated for normal people, so the pre-1923 rule of thumb abounds in the United States.

Because it’s so old, it’s often hard to use, outdated, offensive, or simply inaccurate. For example, Wikipedia incorporates some content from the 1911 edition of the Encyclopædia Britannica, but has a long list of caveats for contributors relying on the work.

And it’s boring. American Dad did a good send-up of the public domain in an episode where Roger explains that he and his band “cover public domain songs… Camptown Races, Baa Baa Black Sheep” before playing a rock version of “London Bridge.” Later in the episode, the audience is thoroughly unimpressed with their rendition of “Blue Tail Fly/Jimmy Crack Corn” (note the crickets at the end of the clip).

While this is a somewhat facetious example, the point remains. Public domain works are often out of style and not attractive or interesting to modern audiences, in large part due to their age.

Of course, the reason the public domain is full of old and boring material is that copyrights have been repeatedly and retroactively extended, ensuring that virtually nothing of any substantial economic value falls out of copyright protection. This is a vicious circle: the longer copyrights are extended, the less relevant the public domain seems. The less relevant it seems, the more writers like Rapold can call it “purgatory” with a straight face. The more writers like Rapold call it “purgatory,” the easier it is for people to claim the public domain isn’t valuable. And the less perceived value the public domain holds, the easier it is to argue for longer copyrights.

The public domain could be awesome. Every year, James Boyle’s outfit at Duke celebrates Public Domain Day, showcasing what could have entered the public domain were it not for retroactive copyright extensions. And not everything has to age out of copyright to enter the public domain: projects like Musopen aim to create modern, copyright-free recordings of classical music, and many classic works of literature and art were never copyrighted to begin with.

But apart from the gems (distinguished by their rarity), the public domain is mostly not awesome. There’s been suspicion for years that copyrights will be extended yet again to prevent anything from entering the public domain (in 2019, works from 1923 will finally fall out of copyright). I suspect this won’t happen, in part because there’s more political resistance to copyright maximalism today than during the last copyright term extension, but also because nothing of economic value will be lost when century-old works lose copyright protection.

Maybe I’ll get taken to task by people pointing out that Shakespeare, Les Misérables, and the Bible are all in the public domain. Fair enough. But what about the vast majority of copyrighted works that don’t or won’t stand the test of time? What value do they add to the public domain when they enter it a century after their creation? Little to none. Their value is largely confined to a contemporaneous audience. By extending copyright protection beyond this period of value, we ensure that even when they do lose copyright protection, we gain nothing.

So congratulations to the copyright lobby. You’ve successfully eviscerated the public domain to the point that you no longer need to ask for copyright term extensions.


The US Does Not Have the Highest IP Protection in the World

We’re #1 in IP! But that doesn’t mean we have the “highest” protections.

Gabriel J. Michael / gmichael at gwu dot edu

The text of this post is licensed CC BY-SA 4.0, and may be shared and reposted with attribution. Please include a link back to this page, which will contain the most up-to-date version.

Public figures like to claim that the United States has the “highest” intellectual property (IP) protections in the world. For example, as Simon Lester over at Cato recently noted, in introducing the U.S. Department of Commerce’s Global Intellectual Property Center index, Senator Orrin Hatch claimed “The U.S. has the highest intellectual property rights standards in the world.”

Many other senators feel similarly. Back in 2011, 28 senators (including Hatch) wrote a letter to President Obama urging him “to preserve the highest standards of protection for intellectual property rights in the Trans-Pacific Partnership (TPP) Trade Agreement.”

Like many political claims, it’s not clear that these statements are even falsifiable. After all, what exactly does it mean to have the “highest” IP protections? How do we compare the “height” of IP protections across different areas like patents, copyrights, and trademarks?

But to the extent that such claims might be falsifiable, let’s take a look at the facts. It turns out that if you actually compare the “height” of various IP protections around the world, the U.S. frequently does not have the “highest” protections. In some cases, the U.S. doesn’t have any protections at all. Consider the following areas:

Copyright Terms

In the U.S., the normal copyright term for a natural person’s published work is the life of the author plus 70 years (terms are different for corporate works, unpublished works, etc., but let’s just consider the basic term).

  • Mexico’s comparable term is the life of the author plus 100 years. Note that this means in the ongoing Trans-Pacific Partnership negotiations, the United States is proposing a shorter copyright term than Mexico.
  • Côte d’Ivoire offers a term of life plus 99 years.
  • In Spain and Colombia, the basic term is the life of the author plus 80 years.
  • In Guatemala, Honduras, and Samoa, it’s life plus 75 years.

Data Exclusivity for Pharmaceutical Clinical Trial Data

Data exclusivity refers to intellectual property protection for the clinical trial data submitted by pharmaceutical firms to regulatory authorities in order to gain regulatory approval for drugs. Data exclusivity protection is separate from patent protection, and is generally automatic (i.e., it does not depend on novelty, etc.). Data exclusivity can create an effective monopoly for a drug in the absence of a patent, and even if a patent for a drug is invalidated. Data exclusivity is a sui generis form of intellectual property, first adopted in its current form in the U.S. in 1984. About 73 countries around the world offer U.S.-style data exclusivity.

  • Excluding biologics, the U.S. offers 5 years of data exclusivity.
  • In contrast, the European Union’s original data exclusivity law mandated a minimum of 6 years of protection. The current law mandates a minimum of 10 years.
  • Both Russia and China were obliged to offer 6 years of data exclusivity as part of their WTO accession agreements.
  • At one point, Guatemala offered 15 years of data exclusivity, although this was later rolled back.

Utility Models

Some U.S. readers may not even be aware that a significant number of countries around the world offer protection for utility models, a.k.a. “petty patents,” which are designed to protect incremental innovations, and thus have a lower threshold to obtain.

  • Over 60 countries offer protection for utility models, generally lasting from 7 to 10 years.
  • The U.S. does not offer any comparable protection (design patents are altogether different).

Surgical Patents

Many countries around the world do not allow surgical methods or procedures to be patented; alternatively, some countries allow such methods or procedures to be patented, but do not allow the patents to be enforced.

  • The U.S. takes the latter approach. In 1996, President Clinton signed an omnibus appropriations bill that included a rider prohibiting patent infringement suits against medical practitioners for potentially infringing medical or surgical procedures.
  • In contrast, Australia explicitly considered enacting a U.S.-style medical treatment defense to patent infringement, and rejected it.

Geographical Indications

This was Simon Lester’s example. Practically speaking, the United States offers roughly comparable protection to geographical indications in the form of collective and certification marks; specifically for wines, there are also American Viticultural Areas. However, the transatlantic dispute between the U.S. and the European Union is not so much over the failure of the U.S. to provide an adequate form of protection as it is over the failure of the U.S. to adequately protect European geographical indications.

  • While the EU-U.S. Wine Accord of 2006 resolved a number of long-standing issues, the EU had to accept the continued use of “semi-generic” names by U.S. winemakers. The most famous is of course Champagne, but other familiar names include Burgundy, Claret, Chablis, Port, and Sherry. U.S. winemakers must disclose the actual origin of the wine, but in practice this ends up looking like this:
[Image: J. Roget Brut American Champagne, California, USA]

In order to legally free-ride on centuries of French tradition, just include “American” in really small font. For good measure, add in accented characters and other French words.

  • It’s also worth noting that in Europe, and increasingly in other parts of the world, geographical indications protect far more than just wine, e.g., spirits, cheeses, meats, coffees, teas, honey, and crystal. I find it amusing that I can walk into a supermarket and buy “Greek yogurt” and “Swiss cheese” that contains not a single ingredient from those countries. The U.K. did not find this amusing, and last year banned Chobani from selling “Greek yogurt” in England and Wales. U.S. firm Chobani bizarrely claimed that “Greek yogurt” was not defined by a reference to its place of origin.

Moral Rights

Moral rights include the right of attribution and artistic integrity, inter alia, and are often perpetual and inalienable. Technically the U.S. offers some moral rights to some creators under the Visual Artists Rights Act, but the scope is far more limited than in many other countries. For example, the VARA does not apply to musical or literary works.

Traditional Knowledge

I’m not going to get into the details of a fairly complex topic, but suffice it to say that the U.S. has no interest in protecting traditional knowledge through intellectual property law, and opposes other countries’ attempts to do so in discussions at the World Intellectual Property Organization.

Here’s a map of what countries currently protect traditional knowledge via intellectual property law:

[Map: countries that protect traditional knowledge via intellectual property law]

Author’s data, collected mainly from WIPO Lex.

Fashion Design Protection

The U.S. has repeatedly failed to adopt fashion design protections similar to those offered in Europe.

Fair Use

Apart from shorter copyright and data exclusivity terms than many countries, the U.S.’s most egregious weakness in intellectual property protection is its broad fair use laws. Unlike the vast majority of countries in the world, which offer an exhaustive list of precisely defined limitations and exceptions to copyright, the U.S. fair use doctrine is so vague and abstract as to permit completely unforeseen uses of copyrighted works without requiring any license or permission from the copyright holder.

For example, such fair uses include time-shifting by reproducing entire video recordings, the digitization of entire printed works, and the copying of images and text to be used in search engine caches.

Best ≠ Highest

I know we’re Americans, but even for us bigger isn’t always better.

The implication of Hatch et al.’s statements, of course, is that not only does the U.S. have the “highest” intellectual property protection, it also has the best. That’s certainly what the Commerce Department believes.

But there’s a contradiction here: as I’ve shown above, the U.S. does not in fact have the “highest” intellectual property protection in many areas. Thus, if the U.S. does have the “best” IP protection in the world, this means that the best protection is not the highest protection.
