UK firm accused of bullying small businesses with CSP patent infringement letters backtracks

3 years ago 265
BOOK THIS SPACE FOR AD
ARTICLE AD

John Leyden 25 August 2021 at 16:10 UTC

Datawing disavows CSP nonce legal offensive

UK firm Datawing has backtracked after sending letters alleging patent infringement

A UK firm has backtracked after sending letters alleging patent infringement to a set of small businesses who had enabled the CSP nonces web security feature.

Content Security Policy (CSP) in general is a technology geared towards mitigating cross-site scripting (XSS) attacks.

CSP nonces offer an extension to the technology, introduced five years ago with CSP version 2, and supported by the Nginx web server and Cloudflare Workers, among others.

Patent trolling?

UK firm Datawing claims that the technology is covered by US and UK patents it holds.

The UK patent had lapsed but was renewed in May 2021 just weeks before Datawing sent out a legal nastygram to small UK-based companies, a small subset of the organizations that it claims were violating its patent.

Websites turning on security features in the browser are being informed of alleged patent infringement and told they ought to license Datawing’s Scriptlock product, software designed to prevent the unauthorised execution of JavaScript.

A copy of the contentious letter can be found here.

Catch up on the latest security-related legal news

The legal offensive was spotted by prominent UK security researcher Scott Helme, who questioned the applicability of the patent to a broadly used web security technology. Helme did not receive a letter himself but does run a website, Report URI, that users CSP nonces.

Helme slammed Datawing as acting like a patent troll in a detailed blog post on the topic.

The security researcher told The Daily Swig that Datawing had set about targeting “smaller organizations that are likely to be intimidated by these letters and pay the license fee”.

Meanwhile the Public Interest Patent Law Institute offered support to organizations that had received letters from Datawing, a move that greatly reduced its prospects of extracting a licensing fee from letter recipients.

Datawing takes fright

In the face of this opposition, Datawing decided to abandon its licensing campaign, admitting that its letters were “ill advised” and apologizing for any upset it had caused.

William Coppock, managing director of Datawing, told The Daily Swig: "In short I was ill advised, and the letters were a complete error in judgement.

“I’m truly sorry to have caused upset over this. I’ll be writing to the 25 companies concerned to apologise for the upset caused.”

Datawing bristles at criticism that its letters were threatening.

Coppock concluded: “I did not intend for my letters to be interpreted as a threat. The intention was only to explain the situation in an open and neutral manner and ask for support.”

The Daily Swig also approached the Public Interest Patent Law Institute for comment. We'll update this story as and when more information comes to hand.

READ Citrix quietly restores vulnerability credits to Positive Technologies researchers after Russian infosec firm’s erasure

Read Entire Article