Outside The Box

Random thoughts about AutoCAD, ObjectARX, and the meaning of life.
All Original Content Copyright 2006 - 2008 Owen Wengerd, All Rights Reserved

2008-05-22
Vernor Decision Making a Splash
From the NewsFeed on my ADSK v ODA web site:
"The court today issued an order denying Autodesk's motion to dismiss the charges in the Vernor lawsuit. Normally such a denial is perfunctory and mundane, but in this ruling the court performs a breathtaking analysis of whether the AutoCAD software was a sale or a license, and reaches conclusions that, if not reversed, are certain to change the face of software sales in the USA. Technically, the scope of this order is limited to simply refusing to grant Autodesk's motion to dismiss the lawsuit, but the implications of the judge's analysis are almost stunning in their rejection of Autodesk's legal claims. I'm sure you will be hearing much more about this order in the coming weeks, as the entire software industry will certainly take notice of this case."


2007-12-10
Digital Signatures: Practical Guidelines
We use digital signatures every time we visit a secure web site. Visiting a secure web site involves an authentication process that includes verifying the identity of the server by ensuring that its digital certificate, or "server certificate", is signed by a trusted certificate authority. This verification process might involve verifying an entire chain of certificates from the actual server certificate up through one or more intermediate certificate authorities and ending with a trusted root certificate authority. This all takes place quickly and automatically before the web page is displayed in your web browser because the web browser includes built-in logic to do this work without any user interaction. More importantly, the web browser warns us when the server certificate is expired or invalid.

The biggest obstacle when using digital certificates in a CAD environment today is not creating them, but easily and automatically verifying them at the receiving end. Even in a completely digital distribution system where everybody works from the CAD model, the various software tools we use to view and work with the model do not handle digital signature verification automatically in a standardized way. As long as downstream consumers of CAD data cannot easily and automatically ensure the trustworthiness of digital data, they will continue to rely on handwritten signatures on paper.

A second obstacle to the use of digital signatures is the difficulty in accepting that digitally signed data is only trustworthy while it remains in digital format, and therefore the digital file is the "record" document. There is substantial social inertia that must be overcome before a digital document can gain the same amount of trust as a paper document. Engineers and architects must deal with the specter of previously hidden metadata in their CAD models becoming part of their signed document, thereby exposing them to new liabilities that don't exist with paper drawings. Construction supervisors must learn to refer to the CAD model instead of relying on hardcopy blueprints when resolving disputes or establishing responsibility for errors. Here I think it should be noted that the use of a digitally signed model does not preclude the creation of hardcopy blueprints. Those can be created and "wet stamped" separately at the same time the CAD model is signed digitally; or they can be created in the field for reference without any signature at all.

AutoCAD has supported digital signatures for several years, but the built-in functionality is limited to individual DWG files, lacks support for co-signing (more than one person signing), and forces the signed document to remain in the proprietary DWG format or lose its signature. These problems can be worked around by using third party tools, but doing so requires recipients to use the same tools.

Over the past few years, many government plan review bodies have amended laws and administrative rules to accommodate digital signatures as part of the plan review process. Without standardization, however, organizations still struggle to effect the necessary changes in their workflow. A lack of uniformity in terminology from one set of regulations to another adds to the confusion. If you are involved in amending or creating rules or regulations that enable the use of digital signatures, you should use generic and well defined terms of art in the regulations, but supplement these with practical guidelines that mention specific technologies, software tools, and file formats that will meet the legal requirements and that you are capable of working with.

If you are an architect, engineer, or CAD manager working to implement digital signatures into your firm's workflow, there are some concrete steps you can take to make the task easier. Start by segregating your distribution network into "digital-only" and "hardcopy" classes of downstream users. Begin the transition with the digital-only part of the network (perhaps only the plan reviewing authority, for example). Next, decide which file format to use for your digital "documents". Rather than signing CAD files, many companies start by signing 2D output files such as PDF, DWFx, or XPS. These files are essentially digital versions of the hardcopy documents, so they are more familiar to a wider audience and avoid some of the liability issues of exposing formerly hidden metadata that lives within the CAD model files.

You'll need to obtain a digital ID and establish internal policies for storing and accessing the digital ID so that only the owner of the digital ID ever has access to the private key. Windows includes a built-in certificate manager that you can use to view and manage your digital IDs. To start the certificate manager, run the certmgr.msc management console by entering its name in the Start -> Run command window. Your digital certificate will be installed in your personal certificates folder along with a link to the private key stored in the Windows secure key repository. Make a backup of the digital ID by exporting it to a password-protected PFX file. Once a backup is made, the private key should be marked as not exportable to further secure it.
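
The backup-then-lock-down procedure described above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes the PKI module cmdlets shipped with current Windows versions, and the thumbprint and backup path are placeholders.

```powershell
# Added example: back up a digital ID to a PFX, then make the store copy non-exportable.
# $Thumbprint and $PfxPath are placeholders, not values from the article.
$Thumbprint = '<THUMBPRINT-OF-YOUR-DIGITAL-ID>'
$PfxPath    = 'E:\backup\digital-id.pfx'    # assumed: removable media kept offline
$Store      = 'Cert:\CurrentUser\My'        # the "Personal" folder in certmgr.msc

# 1. Find the digital ID and check it before touching anything.
$cert = Get-Item -Path (Join-Path $Store $Thumbprint) -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'No private key is linked to this certificate.' }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

# 2. Export certificate and private key to a password-protected PFX.
$pw = Read-Host -Prompt 'Password for the PFX backup' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw -ErrorAction Stop | Out-Null

# 3. Prove the backup opens with that password and holds the same certificate.
$pfx = Get-PfxData -FilePath $PfxPath -Password $pw -ErrorAction Stop
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'Backup does not contain the expected certificate; store left unchanged.'
}

# 4. Replace the store copy. Import-PfxCertificate marks the key non-exportable
#    unless -Exportable is passed, so it is deliberately omitted here.
Remove-Item -Path $cert.PSPath -DeleteKey -ErrorAction Stop
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $Store -Password $pw -ErrorAction Stop | Out-Null

# 5. Confirm: a second export attempt must now fail.
$check = Get-Item -Path (Join-Path $Store $cert.Thumbprint) -ErrorAction Stop
$probe = Join-Path $env:TEMP 'export-probe.pfx'
$stillExportable = $true
try   { Export-PfxCertificate -Cert $check -FilePath $probe -Password $pw -ErrorAction Stop | Out-Null }
catch { $stillExportable = $false }
finally { Remove-Item -Path $probe -ErrorAction SilentlyContinue }
if ($stillExportable) { Write-Warning 'Private key is still exportable.' }
else { "Key for $($check.Subject) is non-exportable; backup is at $PfxPath" }
```

Step 3 runs before anything is deleted, so a bad export or mistyped password leaves the original digital ID in place.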

If you want to create digitally signed AutoCAD DWG files, you can use the digital signature feature of AutoCAD to sign a drawing file either while saving it or after it is saved. You should also consider subscribing to a commercial time service (see What time is it?) to ensure that your signatures are accompanied by a reliable time stamp in case your digital ID becomes compromised at some point in the future. Third party tools like CADVault for AutoCAD even make it possible for different people to sign different parts of the CAD model, but such advanced functionality is not needed in most cases.

If you use different CAD software that does not support digital signatures natively, or if you choose to sign only the secondary files produced by exporting your CAD model to a different format, then you will need to use either tools specific to that format or third party tools that work with files of any format. Adobe Acrobat (PDF) and Microsoft's free XPS Viewer both provide integrated digital signature tools that use the same digital IDs that you would use in AutoCAD, Internet Explorer, or Outlook/Windows Mail, and both applications are easy for recipients to obtain and use.

Another popular tool for managing digital IDs and signing files is an open source tool called GnuPG. GnuPG utilizes encryption and key storage standards called OpenPGP. OpenPGP is not compatible with the X.509 standard used by Windows and many other encryption tools; however, it is an attractive alternative when cost or closed source tools are a prohibitive barrier. There are many other digital signature resources available on the internet for those wanting more information, or needing specialized tools.

Unfortunately, no matter what software tools or file formats you use, today's CAD software and document viewers still do not provide the user experience that web browsers do when it comes to digital signatures. These problems can be overcome by end users, but ultimately they need to be addressed by the makers of the software tools we use. Software for handling digital data will need better user interfaces that allow users to easily specify which digital signatures should be trusted for which purposes, and provide requisite warnings when a document should not be trusted. I am confident that these improvements will come in the future, especially as more companies begin to use digital signatures in their workflow and demand for better digital signature support rises.

If you already use digital signatures with your CAD related documents, I would like to hear about it. Please leave a comment about your experiences, whether good or bad!


2007-06-21
What time is it?
AutoCAD 2004 introduced the ability to digitally sign drawing files when they are saved, but very few people use this feature. Even fewer use the time stamp feature that goes along with it. Time stamping a digital signature matters when you need to know not only *who* signed it, but also *when* they signed it.

For time stamping to be reliable and trustworthy, you need an independent (and trustworthy) third party to provide the time stamp, along with a verifiable receipt so that anyone can verify the authenticity of a claimed time stamp in the event of a future dispute.

Since the inception of the digital signature feature, AutoCAD has included three default time servers for this purpose. Unfortunately, none of the three are accessible any more. If you need to digitally sign drawing files with a time stamp, you'll have to modify this list of time servers.

The list of time servers is maintained in a file named timesrvr.txt in the AutoCAD installation folder. You can edit the file with notepad, and the format is obvious and straightforward when you view the file.

If you just want to play around with time stamps, try adding the following to the end of the file (you do not need to restart AutoCAD to see the new servers):
NIST A [Maryland] (time-a.nist.gov)
NIST B [Maryland] (time-b.nist.gov)

As of this writing, both of these NIST servers are available and working, but you get what you pay for. For officially incorporating time stamped digital signatures into your workflow, I recommend subscribing to a commercial time service with guaranteed uptime and a web-based time stamp verification console. I can't recommend one, because I have never used a commercial time service myself, but a good place to start is the list of public time servers maintained by NTP.org at http://support.ntp.org/bin/view/Servers/.


2007-03-02
This Just In: Microsoft Patents Photons
No, Microsoft didn't really try to patent photons, but check out the ironic twists described in this account of a recent US Supreme Court hearing. Here's a summary (exaggerated a bit for effect):
1. Microsoft argues that software is not patentable, therefore it is not guilty of patent infringement.
2. The US Government argues on Microsoft's behalf that software is patentable, but photons are not.


2007-01-14
AutoCAD drawing files: possession is 9/10 of the law?
The title sums up the puzzling conclusion in a recent 6th Circuit Court of Appeals ruling (CA6 Grusenmeyer Decision.pdf) in a decision about a copyright infringement claim filed by Cleveland architect Jeffrey Grusenmeyer.

Grusenmeyer had contracted to provide a "master plan" for Magnificat High School. The master plan was provided to Magnificat in hardcopy format, Magnificat paid the architect $15,000 as agreed in the contract, and the project was apparently concluded. Some time later, a Magnificat facility manager requested DWG files for "personal use". Grusenmeyer asserted at the time that he retained all rights to the DWG files but agreed to provide them on the condition they only be used internally and not be further distributed.

Fast forward to the eventual "request for proposal" for an anticipated new building at the school. Upon request, Magnificat provided the Grusenmeyer files to the defendants (a competing architectural firm), who then used portions of the files in their winning proposal. The defendants were aware that Grusenmeyer claimed copyrights to the files, but they used the files anyway. The appeals court notes that "[a]ccording to the individual DSC architects, such reliance on drawings of existing conditions is routine in the industry."

In affirming the district court's summary judgement in favor of the defendants, the appeals court noted that the contract between Grusenmeyer and his client (Magnificat High School) provided that Grusenmeyer would "provide a master plan for the implementation of the capital improvements program, including plans, renderings, and perspectives suitable for use in presentation and future reference during master plan implementation." They concluded that this "plain language" gave Magnificat permission to send the AutoCAD DWG files to Grusenmeyer's competitor.

The district court had previously ruled that Grusenmeyer's drawings were not sufficiently original to warrant copyright protection, but the appeals court did not address the copyrightability issue at all, dismissing the infringement claim out of hand with their opinion that Grusenmeyer had already given Magnificat carte blanche copyrights to the files vis a vis the quoted clause in their contract -- even though the files were never provided as part of the contract!

I think the court erred in determining that the DWG files were subject to the terms of the master plan contract (its incorrect interpretation of the contract notwithstanding), but what I find really surprising in the ruling is the appellate court's complete disregard of the plaintiff's claimed and federally registered copyrights.

The moral of the story
If you are providing electronic files, don't rely on copyright law alone to protect your intellectual property. This case reinforces the 3 C's for protecting AutoCAD DWG files: copyright, contract, and CADLock.

Update
William Patry (Senior Copyright Counsel, Google Inc.) writes about this case at The Patry Copyright Blog: Make Sure the Contract is Signed.


2006-12-12
Autodesk vs. ODA
The recently filed lawsuit has been a hot topic lately, and I've been following it along with everyone else. As a little side project, I decided to create a parallel blog dedicated to the ongoing battle between Autodesk and ODA. The new blog is at http://www.ADSKvODA.com.

The site is still a work in progress, but I hope you'll check it out, and offer suggestions for improvements. Click on the Lawsuit Tracker link to view all the court documents in the case, and subscribe to the site's feed to stay informed of new developments.
