Monday morning's voicemail included a courtesy call from FTC Complaint Counsel Geoffrey Oliver, letting me know that the Federal Trade Commission had just issued its ruling in the penalty phase of its prosecution of memory technology company Rambus, Inc. (the reason for the call is that I had previously filed pro bono amicus curiae – or "friend of the court" – briefs with the Commission during both the trial and the penalty phases). The full Board of Commissioners had earlier found, on appeal from a holding in favor of Rambus by an FTC Administrative Law Judge in 2004, that Rambus had illegally created a monopoly in certain technology by abusing the JEDEC standard setting process in the early 1990s.
That opinion was handed down last summer, together with the announcement by the Commissioners that they would hold further hearings with FTC Complaint Counsel and Rambus, and would welcome industry input, before determining what penalties would be appropriate to levy against Rambus on account of its conduct. Several industry groups filed amicus briefs as well, urging the Commissioners to impose stiff penalties. My own brief urged the FTC to include a punitive element, in order to emphasize that abuse of the standard setting process would result in dire results. Most obviously, such an element would be to bar Rambus from charging any royalties at all from those that wished to implement the standard at issue.
For Rambus, the stakes were high, and would go beyond the direct economic impact of whatever the FTC would impose, due to the multiple private cases that are ongoing between Rambus and various semiconductor companies that have refused to pay royalties to Rambus. These royalties relate to patents that the FTC has held were illegally hidden by Rambus from its fellow working group members in JEDEC who created the SDRAM standard at issue. At least one judge has delayed further action in one of these cases, in order to learn what penalty the FTC would conclude would be appropriate under the circumstances.
Most of the attention this week relating to open document standards is focused on what responses ISO/IEC JTC 1 will have received before the February 5 deadline for submission of "contradictions" involving the Microsoft OOXML formats. I just posted this entry on that score, reporting that a total of nineteen national bodies have filed contradictions, complaints or other comments as part of the contradictions process.
But while this global drama has been playing out, I've learned that a third US state is considering requiring use of open document formats by government agencies (Massachusetts and Minnesota are the other two to date). That state is Texas, where a bill has been introduced to require that only "open document formats" should be permitted. The bill is designated SB 446, and was filed on February 5 (the full text is reproduced at the end of this blog entry).
How does the Texas bill define an open document format? As stated in the bill, such a format would need to be based upon Extensible Markup Language, would need to have been previously approved, and would be required to meet the following criteria:
Last week I reported that the United States body reviewing OOXML had decided to take a conservative approach to defining what "contradiction" should mean under the ISO/IEC process. Since then, a few stories have appeared indicating that Great Britain and Malaysia would each identify at least one contradiction in their response. The actual results would only become known after the deadline had passed on February 5.
In that first blog entry, I concluded that Microsoft had won the first point in the contest over whether its document format would become a global standard or not. With the deadline past, who would be found to have won the next?
Well, the results are in, and an unprecedented nineteen* countries have responded during the contradictions phase - most or all lodging formal contradictions with Joint Technical Committee 1 (JTC), the ISO/IEC body that is managing the Fast Track process under which OOXML (now Ecma 376) has been submitted. This may not only be the largest number of countries that have ever submitted contradictions in the ISO/IEC process, but nineteen responses is greater than the total number of national bodies that often bother to vote on a proposed standard at all.
[*Update: make that twenty]
When it is recalled that any national body responding would first have had to wade through the entire 6,039 pages of the specification itself, and then compose, debate and approve its response in only 30 days, this result is nothing less than astonishing. Truly, I think that this demonstrates the degree to which the world has come to appreciate the importance of ensuring the long-term accessibility of its historical record, as well as the inadvisability of entrusting that heritage to a single vendor or software program.
The countries that chose to respond on this expedited schedule are as follows:
Australia
Canada
Czech Republic
Denmark
Finland
France
Germany
Hungary
India
Italy [later added]
Japan
Kenya
Malaysia
Netherlands
New Zealand
Norway
Romania
Singapore
Sweden
UK
In all (to quote Monty Python once again), "Rather a lot, actually."
Three and a half years after 9/11, I remain astonished at how few of the comparatively easy and essential defensive tasks we've accomplished, in comparison to the vastly expensive (and often unsuccessful) initiatives that we have mounted. One shining example is the failure to create and deploy a suite of effective first responder standards to enable those whose peak performance would be most essential in the case of a new disaster to even communicate effectively with each other. Another is to put in place the necessary technical, procedural and regulatory controls needed to protect sensitive personal information.
I have two consortium clients dedicated to information security, and both have found it necessary to issue statements recently to highlight gaps in our cyber defenses. The first was a terse statement issued on January 18 by PCI Security Standards Council, LLC, an organization formed by the major credit card payment brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to create and administer global security standards up and down the credit card payment chain. The statement was occasioned by news of the latest in an ongoing series of breaches of consumer financial records, in this case involving millions of customer records maintained by retailer Target Corporation.
A story that aired on the NBC evening news recently highlighted an even more appalling situation – focusing on county and other governments that had placed records on their Websites that included the social security numbers, names and birth dates of individuals. These sites, of course, provide a gold mine for identity theft.
And then there is a press release issued two days ago by the Cybersecurity Industry Alliance (CSIA), whose top-level membership includes all of the major anti-virus and other security vendors. It's sober reading.
As those who are following Microsoft's OOXML formats through the standardization process will know, those formats (now officially known as Ecma 376, following the favorable adoption vote in Ecma on December 7 of last year) are now in the "contradiction" phase in JTC 1 at ISO/IEC. Or, so it would seem, they are in the "so, what is a contradiction, anyway?" phase.
Microsoft has won the first point in this match (on which more below), as national bodies around the world wrestle with this question. But first, some context on what's going on, and why it matters.
The question of what a "contradiction" may be under the ISO/IEC rules is of more than passing interest. On the most basic level, the question is legitimate, since ISO/IEC apparently do not supply a precise definition, even though one out of the six months in the ISO/IEC Fast Track process is allocated to the submission of contradictions by the 60-odd Principal and Observer members of these global standards organizations that are entitled to respond during this phase.
How does a national body submit what one must first define? And why should ISO/IEC ask its members to submit contradictions until ISO/IEC has taken the trouble to define what they are? Or perhaps ISO/IEC in fact have provided adequate guidance, and the battle between ODF and OOXML has simply escalated to the point where anything and everything will be taken to the barricades, regardless?
The answer to that last question, it appears, is "yes - regardless."
With the full specification in that state, the PDF formats will once and for all abandon the rather confusing, schizophrenic existence that they have maintained to date. Over time, more and more (but not all) of the specification had …
It's been an unusually active week in the contest between already ISO-adopted ODF and OOXML, as the latter moves through the first step of the ISO adoption process. More specifically, Ecma submitted OOXML to the ISO/IEC Joint Technical Committee 1 (JTC1) on January 5, starting the clock on the traditional one-month "contradictions" period that begins the "fast track" process in the JTC1. However, OOXML is no traditional specification, weighing in at over 6,000 pages. During this phase, eligible JTC1 members can note ways in which the proposed standard overlaps other standards, fails to incorporate available ISO standards, or otherwise does not meet ISO rules (a second, five-month period will begin on February 5, during which technical and other objections may be raised).
With OOXML formally launched within the JTC1, both sides have pulled out all the stops to influence the national bodies eligible to participate, as well as the public at large. Here's a chronology of the principal events of just the last seven days, and how they fit into the overall scheme of things:
I'm pleased to share some news that I expect you'll be reading about in lots of other places today: Open Source Development Labs (OSDL) and the Free Standards Group (FSG) signed an agreement yesterday providing for the two groups to combine forces to form a new organization – The Linux Foundation. The result of this consolidation will be to dedicate the resources of the combined membership to "accelerate the growth of Linux by providing a comprehensive set of services to compete effectively with closed platforms." You can read the press release here, as well as a detailed article by Steve Lohr of the New York Times here (the article will appear in Monday's print edition of the NYT).
Jim Zemlin, currently the Executive Director of FSG, will lead the new organization, which will include as members every major company in the Linux industry, including Fujitsu, Hitachi, HP, IBM, Intel, NEC, Novell, Oracle and Red Hat, as well as many community groups, universities and industry end users. The necessary member votes are currently being taken by OSDL and FSG, and the transaction is expected to be finalized on or about February 2, 2007. (Disclosure: I am a director of, and my firm is legal counsel to, FSG.)
Starting with the somewhat silly, OOXML does not conform to ISO 8601:2004 “Representation of Dates and Times.” Instead, OOXML section 3.17.4.1, “Date Representation,” on page 3305, requires that implementations replicate a Microsoft bug that dictates that 1900 is a …
Three news clips I posted yesterday highlight the disorderly, but ultimately productive, way in which products and standards evolve in tandem during times of innovation.
The first clip is a press release announcing the completion of a new USB connector design standard. A really small connector design. How small? That large object to the left of the connector in this picture looks like a flat camera battery to me. The reason for creating the new standard is that mobile devices are getting smaller at the same time that more and more features (camera, video, music, wireless, etc.) are being crammed inside a single mobile device.
The second article provides an update on a delayed wireless USB standard that would eliminate the need for a connector at all. And the third announces the completion of a new WiFi-compatible standard to make mobile security as easy to set up as the push of a button – whether you are accessing data wirelessly or physically, using a USB connector. As the standard is extended, other wireless standards (like Near Field Communications – a very short range standard) will be supported as well.
You can expect that the devices you buy in the next year or two will use one, two or even all three of these standards. Or you might see completely different connection and data-transfer standards in use, all chosen from what might be called a "swarm" of overlapping standards that are continuously being developed around mobile devices. Logically, you might wonder whether this is a good thing, or simply yet another case of too many standards being created to do the same job.
In this case, I think it's the former rather than the latter. Let's see if evolution in the physical world provides an example of why this would be so.