jp morgan – Techdirt
Stories about: "jp morgan"
Stupid Patent Of The Month: JP Morgan Patents Interapp Permissions
from the do-patent-agents-not-have-smartphones? dept
We have often criticized the Patent Office for issuing broad software patents that cover obvious processes. Instead of promoting innovation in software, the patent system places landmines for developers who wish to use basic and fundamental tools. This month’s stupid patent, which covers user permissions for mobile applications, is a classic example.
On August 29, 2017, the Patent Office issued U.S. Patent No. 9,747,468 (the ‘468 patent) to JP Morgan Chase Bank, titled “System and Method for Communication Among Mobile Applications.” The patent covers the simple idea of a user giving a mobile application permission to communicate with another application. This idea was obvious when JP Morgan applied for the patent in June 2013. Even worse, it had already been implemented by numerous mobile applications. The Patent Office handed out a broad software monopoly while ignoring both common sense and the real world.
The full text of Claim 1 of the ‘468 patent is as follows:
A method for a first mobile application and a second mobile application on a mobile device to share information, comprising:
the first mobile application executed by a computer processor on a mobile device determining that the second mobile application is present on the mobile device;
receiving, from a user, permission for the first mobile application to access data from the second mobile application;
the first mobile application executed by the computer processor requesting data from the second mobile application; and
the first mobile application receiving the requested data from the second mobile application.
That’s it. The claim simply covers having an app check to see if another app is on the phone, getting the user’s permission to access data from the second app, then accessing that data.
The ‘468 patent goes out of its way to make clear that this supposed invention can be practiced on any kind of mobile device. The specification helpfully explains that “the invention or portions of the system of the invention may be in the form of a ‘processing machine,’ such as a general purpose computer, for example.” The patent also emphasizes that the invention can be practiced on any kind of mobile operating system and using applications written in any programming language.
How was such a broad and obvious idea allowed to be patented? As we have explained many times before, the Patent Office seems to operate in an alternate universe where the only evidence of the state of the art in software is found in patents. Indeed, the examiner considered only patents and patent applications when reviewing JP Morgan’s application. It’s no wonder the office gets it so wrong.
What would the examiner have found if he had looked beyond patents? It’s true that in mid-2013, when the application was originally filed, mobile systems generally asked for permissions up front when installing applications rather than interposing more fine-grained requests. But having more specific requests was a straightforward security and user-interface decision, not an invention. Structures for inter-app communication and permissions had been discussed for years (such as here, here, and here). No person working in application development in 2013 would have looked at Claim 1 of the ‘468 patent and thought it was non-obvious to a person of ordinary skill.
JP Morgan’s “invention” was not just obvious, it had been implemented in practice. At least some mobile applications already followed the basic system claimed by the ‘468 patent. In early 2012, after Apple was criticized for allowing apps to access contact data on the iPhone, some apps began requesting user permission before accessing that data. Similarly, Twitter asked for user permission as early as 2011, including on “feature phones”, before allowing other apps access to its data. Since it didn’t consider any real world software, the Patent Office missed these examples.
The Patent Office does a terrible job reviewing software patent applications. Meanwhile, some in the patent lobby are pushing to make it even easier to get broad and abstract software patents. We need real reform that reduces the flood of bad software patents that fuels patent trolling.
Reposted from EFF’s Stupid Patent of the Month series.
Filed Under: obviousness, patents, permissions, prior art, stupid patent of the month, uspto
Companies: jp morgan
FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks
from the dangerous-ideas dept
It’s no secret that some in the computer security world like the idea of being able to “hack back” against online attacks. The simplest form of this idea is that if you’re a company under a denial-of-service attack, should you be able to “hack” a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such “hack backs” because, among other things, CISPA would grant immunity to companies “for decisions made based on cyber threat information.” Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.
A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:
In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.
The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act) (which is why some want immunity for hack backs). But, it’s a bad idea not just because it likely breaks the law, but because it’s stupid and dangerous. First, accurately determining who is behind a hack is quite difficult — as we’re seeing lately with all the recent skepticism about the FBI’s claim that North Korea was responsible for the Sony Hack. Launching a counterattack against the wrong party can have serious consequences — even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.
On top of that, the article notes, the hack back attempt could make the situation even worse:
Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.
And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.
Finally, think through the obvious consequences of this. If you’re a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm — then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.
Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through — and lawmakers prevent it from being protected by law.
Filed Under: cybersecurity, fbi, hack back, hackback, vigilantes
Companies: jp morgan
Politicians Cynically Using JP Morgan Hack To Try To Pass Laws To Diminish Your Privacy
from the you're-doing-it-wrong dept
So, as you probably heard last week, JP Morgan revealed more details of how it had been hacked, noting that the number of households impacted shot up to 76 million, thus impacting a pretty large percentage of Americans. The hack involved getting access to customer names, addresses, phone numbers and emails. It doesn’t appear to have gotten anything else, but that’s plenty of information to run some sophisticated phishing attacks that could lead to some serious problems. It’s expected that the fallout from this could be quite long lasting.
Almost immediately, politicians leapt into action… but not in any good way. They’re cynically using this as an excuse to push questionable cybersecurity legislation. Specifically, Senator Angus King used it to push CISA, a bill that actually undermines privacy, rather than protect it, by giving companies incentives to share info more freely, opening up greater opportunities for leaks and breaches. CISA gives those companies a blanket get-out-of-jail-free card by taking away any liability in sharing such info.
What no one explains is how something like CISA would actually have helped stop the JP Morgan hack. That’s because it wouldn’t have helped. Congressional supporters of cybersecurity legislation keep playing the “something must be done!” card, without ever bothering to explain how the something (CISA) will actually help. They just make vague promises that by somehow letting companies share info without liability, we’ll magically all be better protected. Given the recent revelations about how government has regularly abused access to information, it’s hard to accept the “just trust us” explanation for why companies should just hand over more information.
Even worse is that King went for the FUD-based “cyber Pearl Harbor” claim — one that’s been trotted out regularly, usually by intelligence community folks who just want access to your data, when the reality is that even James Clapper has admitted that there’s little real chance of such a thing happening. But that doesn’t stop King:
“Congress must work to pass legislation that will improve our capabilities and protect us against more attacks like these,” King added. “The next Pearl Harbor will be cyber, and shame on us if we’re not prepared for it.”
Okay, sure. Shame on us if we’re not prepared, but how will this law help us prepare for it? This is a question that no one in Congress seems willing to answer. They just insist we have to “do something.”
King wasn’t the only one:
Sen. Ed Markey called the hack “yet another example of how Americans’ most sensitive personal information is in danger.”
“It is time to pass legislation to protect Americans against these massive data breaches,” he added.
Rep. Yvette Clarke tweeted that the U.S. “must keep up on cybersecurity.”
Right, but again, how will the proposed law actually help? The problem is that no one answers because the truth is that it’s unlikely to actually help keep companies and your data secure, though it might just make it easier for the intelligence community to get their hands on your data.
Filed Under: angus king, cisa, congress, cybersecurity, hacking, privacy
Companies: jp morgan
Bloomberg Reporters Had Full Access To Customer Usage Logs, Including Help Transcript Logs
from the privacy-policy dept
This one is fairly incredible. Bloomberg LP’s main business is selling ridiculously expensive terminals to Wall Street/financial folks for tracking market information. While I understood why they were able to succeed early on, I’ve been shocked that the internet hasn’t seriously disrupted their business over the past decade or so. However, the company also has a pretty big journalism business as well (even owning Business Week, which it bought for pennies a few years ago). Now it’s coming out that the journalists at Bloomberg had all sorts of access to how customers use the terminals.
Until recently, all Bloomberg employees could access information about when and how terminals were used by any customer. But after complaints by Goldman Sachs and JP Morgan, Bloomberg says its 2,000 or so journalists no longer have access to that information, though other staff still do. Bloomberg has more than 15,000 employees.
The banks were concerned that Bloomberg News was keeping tabs on terminal usage in order to aid its reporting. JP Morgan specifically cited coverage of the bank’s disastrous derivatives trading, known as the “London Whale,” which Bloomberg was the first to reveal.
Incredibly, the reporters also had access to “help” transcripts of any customer and could call them at will, which apparently some of them did for fun.
Several former Bloomberg employees say colleagues would look up chat transcripts of famous customers, like Alan Greenspan, for amusement on slow workdays. The transcripts were typically mundane and hardly incriminating, but who wouldn’t enjoy watching a former US Treasury secretary struggle to use a computer? And, in theory, the substance of someone’s query to customer service could reveal specific information that he’s interested in, tipping off a reporter to a story.
These are the kinds of things that small companies sometimes screw up with poor controls over information. But a massive company like Bloomberg — especially when it deals with critical financial information — you would think would have much tighter controls on information. I’d be curious if this violates whatever privacy policies Bloomberg has with its customers. At the very least, it should make Bloomberg customers pretty damn skeptical of continuing to use their terminals. Seems like a huge opportunity for competitors with better controls to step in.
Filed Under: bloomberg terminals, controls, information, journalism, privacy, reporters
Companies: bloomberg, goldman sachs, jp morgan
Store Payment Info In Your Online Store? Watch Out For Patent Infringement Lawsuits
from the pay-now dept
Bill Squier alerts us to the news that a bunch of companies have been sued for daring to store consumer payment information and allow either stored value payments or one-click payments on their site. The article linked here focuses on Apple as a defendant, and notes 14 other companies were sued as well, but in researching this, I found that Joe Mullin actually wrote about another batch of companies (20 of them) that were sued back in April. The earlier lawsuit included Google, Wal-Mart, Bank of America, Capital One, JP Morgan Chase, Mastercard, Visa, Vivendi, Disney and Western Union among others. The more recent lawsuit has (as mentioned) Apple, Best Buy, Amazon, American Express, Barnes & Noble, Citigroup and eBay among others. So… basically any online e-commerce site, credit card company or big bank.
As for the patents in question, they’re all a variation on a “method and apparatus for conducting electronic commerce transactions using electronic tokens.” The specific patents are 7,376,621, 7,249,099, 7,328,189 and 7,177,838. Reading through the claims, this seems like an incredibly typical online system for storing payment info and seeing if the person can actually pay. Since the patent system defenders among our readers get quite upset whenever I say something seems “obvious” to me, let’s flip this around. Can anyone explain how these concepts were not obvious at the time of filing?
Not surprisingly, the cases have been filed in Marshall, Texas… and as Joe Mullin figured out, the guy who is running “Actus” is a lawyer known for representing some infamous patent hoarding companies. He also discovered that the lawyer representing Actus in these lawsuits appears to share an office (or at least the same address) with the son (who is also a patent attorney) of the judge handling the case. At some point, do people start questioning whether or not there’s a conflict of interest there?
Filed Under: patents, payment
Companies: actus, amazon, american express, apple, bank of america, barnes & noble, best buy, capital one, citigroup, disney, ebay, google, jp morgan, mastercard, visa, vivendi, wal-mart, western union
JP Morgan Buys Bear Stearns For Pennies On The Dollar; What's It Mean For Tech?
from the bubble-bursting-or-economic-collapse? dept
While not strictly a technology story, JPMorgan’s buyout of Bear Stearns on Sunday is worth looking at in the larger context of the tech industry. As you hopefully know by now, JPMorgan picked up Bear Stearns for $2/share, a total of $236 million, which is (quite literally) pennies on the dollar for a firm that not so long ago was valued at $170/share and on Friday alone had tumbled from about $55/share to $30/share. On Friday, of course, the Fed stepped in to keep Bear Stearns alive (through JPMorgan) and the weekend was spent trying to figure out options before the Asian markets could open late Sunday night (US time). There will be plenty of Monday-morning quarterbacking on this deal (so it’s fitting that it all played out on a Sunday), but the discussions about the impact on the tech world have been mixed if anything. It would be great to get the perspective of some readers on how this is likely to play out for tech companies (both big and small). While many may be somewhat isolated from a meltdown on Wall Street, there certainly are some important indirect connections. From what I’ve seen, it doesn’t seem like there will be much short-term impact, but the longer-term issues could be worth watching out for.
Filed Under: bailouts, failures, financial services, panic, wall street
Companies: bear stearns, jp morgan