As of March 1, 2009, The MTTLR Blog is migrating to http://www.mttlrblog.org. All new updates will be posted at the new location.

Thursday, November 27, 2008

Be Thankful For Less Spam, But Probably Not For Long – Link roundup on activities of questionable legality online

by: Michael Schultz, Associate Editor, MTTLR

You (or your IT staff) may have been thankful to find that spam traffic has been a bit lighter in the last few weeks, after the recent shutdown of a major spam hub that, by some estimates, was responsible for as much as 75 percent of the world’s junk mail. You might have expected the company facilitating all of that spam – not to mention illegally gathered credit card information and child pornography – would have chosen to operate from the relative obscurity of an offshore hosting service. Instead, McColo Corporation set up shop in San Jose, California in a “top-level modern [...] IT center.” To be clear, McColo is merely the “virtual host” for those that are actually sending the spam; something akin to a landlord of an apartment building in which most, if not all, of the apartments are being used for illegal activity.

In an interesting twist, it wasn’t U.S. authorities that shut down the hub – instead the companies that provided internet connection for McColo decided to cut ties. This leaves open the possibility of McColo finding another internet provider – or the individual sites being hosted by McColo to disperse, making them harder to track and shut down. In fact, only two weeks after the shutdown, spam levels are reported to already be back to two-thirds of their previous levels.

Brian Krebs of the Washington Post, who is credited with the initial investigation and breaking the story, writes that “Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online. These include SecureWorks, FireEye and ThreatExpert.” According to Mr. Krebs, “[what is] unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.”

So what is the law (and what should it be?) in this murky, seedy area of the internet? Below is a roundup of various links that may help to address that question:

FBI wants widespread monitoring of 'illegal' Internet activity
Illegal Internet Activity a Growing Concern for Enterprise Organizations
Using the Law to Address Illegal Activity on the Internet
Employer responsibility to report illegal activities established by Court
FBI Internet Crime Complaint Center


Sunday, November 23, 2008

Google Book Search Settlement - What Will Google Deliver?

by Lauren Strandbergh, MTTLR Associate Editor

Image The Search by Robert S.. Used under a Creative Commons BY-NC-SA 2.0 license.
On October 28, 2008, Google reached a settlement with The Authors Guild and the Association of American Publishers (AAP) after two years of negotiations.1 The agreement would resolve the class-action lawsuit brought by the Authors Guild and book authors against Google, in addition to another lawsuit brought by five publishing companies as representatives of the AAP’s membership.2 Although Judge John Sprizzo has given preliminary approval, the settlement is still subject to final court approval following a June hearing, which "will determine whether the agreement is fair, reasonable, and adequate." 3

According to Google, the agreement would provide increased access to out-of-print books, additional ways to purchase copyrighted books online, institutional subscriptions, free access from public and university libraries in the United States, and compensation and improved control to authors and publishers.4 This last would be made possible by the Book Rights Registry, a new development that is one of the more important aspects of the settlement.5

Under the settlement agreement, Google would pay $125 million to be used to create the Book Rights Registry, cover legal fees, and resolve existing claims.6 The independent, non-profit Book Rights Registry would distribute “payments earned from online access provided by Google and, prospectively, from similar programs that may be established by other providers” and “locate rightsholders, collect and maintain accurate rightsholder information, and provide a way for rightsholders to request inclusion in or exclusion from the project.”7

The new Registry would be similar to the American Society of Composers, Authors and Publishers (ASCAP), which monitors and compensates individuals in the music industry.8 As one blogger put it in a somewhat sarcastic post, Google and the Registry are bringing “the Dewey Decimal System into the digital age.”9 The Registry will keep track of books and inserts, as well as the respective authors, publishers, and other rightsholders.10

The Registry will do much more than serve as an information depository, though; it will also be responsible for contracts and payments. The settlement provides for a board of directors with equal representation of the author sub-class and publisher sub-class.11 A majority of the directors, including at least one from each sub-class, is required for the Board to act.12 This will presumably help to protect both the authors’ and publishers’ rights in their dealings with Google, and possibly other providers somewhere down the line.

Google and the Registry will determine the subscription prices.13 This basically amounts to Google proposing prices, and the Registry board approving or denying, thus acting as a check on Google.14 The settlement claims that Google and the Registry will attempt to base subscription prices on two factors: “the realization of revenue at market rates for each Book and license on behalf of Rightsholders” and “the realization of broad access to the Books by the public, including institutions of higher education.”15 These are worthy guidelines if followed. Ideally, the first goal (and the cost of corporate profit) will not make the second impossible. The legal databases provided by LexisNexis and Westlaw are examples of digital libraries that are unavailable to the masses due to high cost.

Rather than litigating the fair use question at issue in these lawsuits, Google settled for a large sum of money. This means that the legal standard is no better understood, and the price for using this material is high—$125 million in this case. Microsoft already bowed out of the competition for creating a searchable library database last spring.16 This could make it far more difficult for others interested in creating digital libraries or databases to acquire rights to the media, perhaps harming some of the smaller scale enterprises that have recently been appearing on library websites.17

What does all of this mean for the average Google user? Whether or not this settlement and the new Book Rights Registry will make a real positive difference for individuals and libraries across the country is somewhat uncertain. Search capabilities will definitely increase, which is Google’s main goal behind this expensive effort. But will people have access to content as they would at a library, or will the Google Books site simply become a mammoth bookstore, crowding out Amazon and other on-line retailers? The settlement only provides for public libraries to have one terminal where users may, one at a time, view out-of-print books and print them, for a per-page fee of course.18 This does not appear to be an exceptionally user friendly model.

Whether or not institutions will subscribe to this database and individuals purchase books will depend on multiple factors. Two of the most important may be price and ease of use. Even if an institution purchases a subscription or an individual buys a particular book, they are still restricted to printing or viewing the book on the website.19 This is rather limiting and may make sense only when discussing out-of-print materials. Hopefully Google will use some of the creativity they frequently display, and work with the Authors Guild and the AAP to engineer a system that will be accessible to everyone.

1 Press Release, Google, Authors, Publishers, and Google Reach Landmark Settlement (Oct. 28, 2008).
2 Id.
3 Erica Sadun, Google copyright deal moves forward, Ars Technica, Nov. 19, 2008.
4 Press Release, supra note 1.
5 Id.
6 Id.
7 Id.
8 Reyhan Harmanci, Google, book trade groups settle lawsuits, S.F. Chron., Oct. 29, 2008.
9 Elie Mystal, Thank God For Good Lawyers: Google Destroys Libraries, Not The Law, Above The Law, Oct. 29, 2008.
10 Authors Guild, Inc. v. Google Inc, No. 05-CV-8136, at 65 (S.D.N.Y. Oct. 28, 2008) (hereafter “Settlement Agreement”), available at http://books.google.com/booksrightsholders/.
11 Id.
12 Id.
13 Id. at 42.
14 Id. at 44. The registry is allowed to propose adjustments to Google. Id. at 45.
15 Id. at 42.
16 Miguel Helft, Microsoft Will Shut Down Book Search Program, N.Y. Times, May 24, 2008.
17 Many Michigan libraries are a part of the Michigan Library Consortium, provided through OverDrive digital media services, which allows card-holders to download eBooks and Audio books to personal computers for a limited amount of time. It is similar to a standard library in that there are limited “copies” of each book available at one time and a patron must wait on a list for the next available copy if all are “checked out.” Michigan Library Consortium Home Page.
18 Settlement Agreement, supra note 10, at 60.
19 Id. at 47-48.


Friday, November 21, 2008

Dilemmas in Electronic Voting: An Example from the Garden State

by Ryan Walden, MTTLR Associate Editor

Image I Voted? by Kenn Wilson. Used under a Creative Commons BY-NC 2.0 license.
Today’s voters are more likely than ever to read online blogs for political news and views, use candidate websites to examine their stances on the issues, and then make donations to their favored candidates online. Today’s voters are also more likely to cast their vote using an electronic voting machine, but not all consider that a welcome change. Just ask the plaintiffs in a New Jersey case challenging the use of electronic voting machines.

Last month, Andrew Appel, a computer science professor at Princeton, released a report of findings on the security of the Sequoia AVC Advantage voting machines (executive summary | pdf report). This report was submitted to the New Jersey Superior Court in support of the plaintiffs in Gusciora v. Corzine, a lawsuit alleging that the use of the AVC Advantage voting machines violates the state constitution’s guarantee to count every vote due to the possibility of fraud. The report finds that the machines, used in 18 of New Jersey’s 21 counties, can be hacked in as little as seven minutes by installing a new program into the computer to change vote totals. Appel demonstrates how the machines can be hacked in this (90 minute) video.

To combat possible fraud, Appel recommends voter verified paper trails, which would entail “an individual paper record of each vote cast, seen and verified by the voter at the time the vote is cast, collected in a ballot box so that it can be recounted by hand if necessary.” Voter verified paper trails are not a new idea – proposed legislation from Congressman Rush Holt (also of New Jersey) would mandate voter verified paper trails in federal elections. Even with voter verified paper trails, there must be a way to properly audit paper records to ensure no misconduct has occurred. The Brennan Center for Justice at NYU School of Law has released a report (pdf file) with recommendations for such audit mechanisms.

For their part, Sequoia Voting Systems, which makes the AVC Advantage voting machines, has rebutted the Appel report with a report of its own (pdf report | press release). Sequoia argues that the study was not conducted under real world settings, where detection of tampering is very likely. Sequoia also argues that the AVC Advantage machines were evaluated under “inappropriate standards” - noting that the Appel report’s assertion that the machines “must be correct in all circumstances” is an impossible standard to meet for any sort of voting system.

Ultimately, the arguments on both sides prompt the question: If we can’t have 100% accuracy, what level of inaccuracy is permissible? Sequoia is certainly right that no system will be correct in all circumstances, but if the Appel report is correct with regards to the sheer ease of changing votes, then that is not a sufficient rebuttal. Technology makes voting and counting votes easier, but it may also make voter fraud easier. Do the benefits outweigh the costs? A New York Times article notes that two-thirds of voters in the recent election were anticipated to vote by paper, with some states, including Florida, having switched back from electronic voting machines. Virginia and Maryland will switch back to paper ballots for the 2010 election. As for New Jersey? In light of this controversy, at least one Garden State political blogger suggests a decidedly un-21st century method of voting: through the U.S. Mail with an absentee ballot.


Saturday, November 15, 2008

Terminating Early Termination Fees

by: Brian Savage, Associate Editor, MTTLR

Two former Qwest customers have filed a putative class action lawsuit against Qwest seeking to end termination fees for broadband Internet subscribers. This is one of the first challenges to broadband service termination fees. Both former customers were charged 200 dollars when they canceled their broadband service. One customer, Rory Durkin, intended to cancel service but decided to continue paying for monthly broadband service when he learned of the termination fee - even though he did not have a working computer.

The other customer, Robin Vernon, allegedly called to cancel service, was told on the phone by a Qwest customer service representative that there was no fee to cancel, but later received a bill for a 200 dollar early termination fee (ETF). When Vernon demanded to see a contract, Qwest informed her that the contract was made orally on the telephone by Mrs. Vernon's husband and that neither a written copy of a contract nor a recording of the telephone conversation was available. Shortly thereafter, she started receiving calls from a collection agency.

Qwest markets its broadband services as requiring a two-year commitment, but customers do not agree to this in a contract. Customers typically order the broadband service over the telephone. After a customer becomes a subscriber, Qwest mails the new customer a "Subscriber Agreement" that is not signed by Qwest or the customer. The Subscriber Agreement states "IF YOU ORDER SERVICE WITH A TERM COMMITMENT, YOU AGREE TO MAINTAIN THAT SERVICE FOR THE ENTIRE TERM COMMITMENT PERIOD." The Subscriber Agreement, however, does not mention an ETF and the only term of service mentioned is a month-to-month commitment.

The complaint alleges that the ETF is an unlawful penalty under common law contract principles because "(a) it is wholly disproportionate to the harm, if any, that early cancellation may cause Qwest; (b) it is not based on a bona fide reasonable estimate of the damages, if any, that Qwest incurs from an early cancellation; and (c) the actual damage, if any, Qwest may suffer as a result of early termination is not difficult to ascertain." The complaint also asserts an unjust enrichment claim and other state law claims.

So, what is the likelihood of success in this action and what could this mean for you as a broadband subscriber? Other recent challenges to termination fees in a cellular phone context suggest that if this action against Qwest is successful, customers will likely be able to choose monthly plans without ETFs.

Verizon Wireless agreed to a 21 million dollar settlement in a California class action suit regarding ETFs and now offers plans with month-to-month commitments. Customers can still choose to pay a lower price for the phone and enter into a long-term contract, or the customer can choose to pay full price for the phone without a long-term contract and its accompanying ETF. A California judge also ordered Sprint Communications to pay back 18 million to customers who had paid ETFs. Many phone companies (Sprint, AT&T) are now adjusting their plans by either offering prorated termination fees, so that customers pay less if they cancel later in their agreement, or offering monthly plans like Verizon.

The plaintiffs' successes in the cell phone cases suggest that the broadband case will be successful as well. Cell phone carriers, because they offer cheaper handsets when customers enter into a long-term contract, can argue that the ETF is appropriate since customers keep their phones after cancelling service. The argument for overturning broadband termination fees is arguably stronger because former broadband customers do not keep anything from the company. The end of broadband termination fees, therefore, may be near.

Allowing customers to cancel their service at any time without an ETF and to switch providers may allow for smaller companies with competitively priced plans to more easily build a customer base and compete with the larger companies. This could result in lower prices for everyone.


Monday, November 10, 2008

The PRO-IP Act

by Holly Lance, MTTLR Associate Editor

It may be time to quit that nasty BitTorrent habit. On October 13th, President Bush signed into law the PRO-IP Act (Prioritizing Resources and Organization for Intellectual Property Act of 2008), which greatly increases the power of the federal government to protect copyright and trademark owners.
Some of the big changes coming down the pipe:
  1. A court can take away your computer if you download illegally - §102 of the Act specifies that during a civil action, a Court may order the impoundment of all copyrighted material and the means by which the material can be reproduced, as well as all documentation regarding the creation, sale, or receipt of these materials.
  2. Counterfeiters could pay up to $2 million in damages - §103 raises the range of statutory damages available considerably, with the new maximum fine being $2 million, doubling the current $1 million max.
  3. Harsher criminal penalties for infringement - §205 punishes infringers with jail time (up to life) if someone is seriously injured or dies as a result of the trafficking of counterfeit goods or services.
  4. There will be an “IP Czar” - §301 creates the position of an Intellectual Property Enforcement Coordinator (appointed by the President and confirmed by the Senate), who will be in charge of an interagency intellectual property enforcement committee and will help facilitate coordination between agencies.

The law originated in the House last December (introduced by Rep. John Conyers (D-MI)), and passed in the House by a very large margin in May. A similar bill was introduced in the Senate by Senator Patrick Leahy (D-VT), and passed in the Senate unanimously and the House by a large margin (90.3% by both Democrats and Republicans). While many criticize the PRO-IP Act as harsh, the version that Bush signed has actually been toned down considerably, as previous proposals included much higher statutory damages, creation of a new federal agency, and giving authority to the DOJ to sue on behalf of copyright holders.

Image Pirate Mona by Kim P. Used under a Creative Commons BY-NC-SA 2.0 license.
As expected, the RIAA and MPAA are quite pleased with the new law. The National Association of Manufacturers is happy too, and President John Engler calls the PRO-IP Act “a shining example of a bicameral, bipartisan effort to advance legislation to protect our consumers, jobs and businesses from intellectual-property piracy and counterfeiting.” Copyright infringement and counterfeiting are serious problems, and this Act represents a major step by the government in protecting IP owners. The RIAA and MPAA have been particularly concerned about P2P networks for several years, and if this Act is strongly enforced, it will give owners more tools for suing infringers and provide more federal oversight. In a tough economy like this, the Act can serve to bolster U.S. businesses, which lose $200-$250 billion and 750,000 jobs annually due to infringement and counterfeiting (or maybe not).

Not everyone is happy about the PRO-IP Act. Public interest groups like the Electronic Frontier Foundation and Public Knowledge criticize the Act, saying that it “amplifies copyright without protecting innovators or technology users” and “adds more imbalance to a copyright law that favors large media companies.” These groups are worried that the Act is unnecessary, will curtail legitimate fair use, and will impose fines and seizures that are much too severe. Even the DOJ expressed its concern about the creation of an “IP Czar” and felt that such an enforcer would undermine the DOJ's independence.

It is hard to say at this point what will become of the PRO-IP Act. Obviously a lot will depend on who is to become the first “IP Czar”, which will likely be decided by the next president. Obama’s campaign plan already included the creation of a “Chief Technology Officer”. This Business Week article speculates that possible candidates for the position include Vint Cerf, Steve Ballmer, Jeffrey Bezos, and Ed Felten, while the Wall Street Journal shows that some believe Google Chief Executive Eric Schmidt wants the job. One factor that may influence the decision is Obama’s recent battle against major copyright holder NBC, which took down a popular YouTube video mocking a McCain victory. His official stance is that there is a “need to update and reform our copyright and patent systems to promote civic discourse, innovation and investment, while ensuring that intellectual property owners are fairly treated.” John McCain also seems to have a personal sympathy for fair use of copyright materials, as evidenced by this letter from his campaign to YouTube, which bemoans the “overreaching copyright claims” that have “silenc[ed] political speech” and wants to give campaigns special treatment. Ironically, the letter is dated October 13, 2008, the same day that Bush signed the Act. McCain also openly “supports efforts to crack down on piracy, both on the Internet and off.” While it seems like Obama may be more friendly to reform, keep in mind that it was Democrats who initiated the bills in both the House and the Senate. Obama will likely present a more “fair use”-friendly “IP Czar”, but the real question may be if he or she can get past the Senate.


Friday, November 7, 2008

Reproducing the Presidential Debates: Should Fair Use Govern?

by Dororthy Eshelman, MTTLR Associate Editor


Millions of viewers tuned in to watch the presidential and vice-presidential candidates debate pressing issues before heading to the polls earlier this week.1 A growing number of Americans, however, get their political information from online sources and search YouTube, political blogs and other non-traditional sources for debate coverage. In this most recent election, but even more so in those to come, the issue of who has what rights to use, remix, and distribute that content has been and will be an essential concern of participatory democracy.

Some networks have sought to encourage political participation and voter awareness by making their debate footage freely available to the public despite potential copyright violations.2 But not all networks chose to make their debate footage available for widespread dissemination. Fox News was heavily criticized when it sent cease and desist notices to candidates using debate clips from the Fox-sponsored Republican primary events.3 Senator McCain, in particular, faced the brunt of Fox’s wrath when he aired a television ad entitled “Tied Up” that was approximately 30 seconds in length, most of which came from a Fox debate, as evidenced by the Fox logo clearly visible in the lower corner of the screen.4 Although Fox News claimed exclusive rights to the footage, Senator McCain argued that his use of the clip was within his fair use rights to his own statements during the debate.5 Since the issue was not litigated, but still is of primary importance for later debates, this post will discuss whether the “fair use” exception can be invoked to justify using both small and substantial portions of the debate in later reproductions.

Is Reproducing Copyrighted Debate Footage a "Fair Use"?

When confronted with legal action, Senator McCain argued that his use of the 30 second clip of Fox News footage constituted a fair use of copyrighted material as provided for in 17 U.S.C. §107. This section of the Copyright Act details the fair use limitations on exclusive copyrights, as determined by an analysis of four factors:
“(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market for or value of the copyrighted work.”6

The fair use exception represents a balance between the copyright owner’s exclusive rights and the public’s interest in the wide availability of information that affects “areas of universal concern.”7

Where, as here, the “purpose and character of the use” is primarily political in nature, courts are inclined to classify it as a fair use. Important first amendment implications cannot guarantee a fair use defense, but “when an act of copying occurs in the course of a political, social or moral debate, the public interest in free expression is one factor favoring a finding of fair use.”8 Likewise, because the original work is political and made for the benefit of the public, the second prong also counsels in favor of fair use.9

Although the contested McCain advertisement used just a small portion of the Fox debate footage and so it would likely have no problems with the third and fourth prongs of the fair use guidelines, individuals that post more substantial portions of a debate may run afoul of those factors, as well. When the 11th Circuit evaluated whether the fair use defense allowed the duplication of entire news stories (albeit for commercial sale), the court concluded that the substantiality of the copied segment and the commercial purpose of the copy nullified the defense even though the news station did not “actively market copies of the news programs” for its own profit.10 Posting substantial portions of the copyrighted debates may be problematic if based only upon the fair use exception to the exclusive rights of the broadcasting networks.

The Public Domain as an Alternative to Fair Use

Because of the legal uncertainty over whether fair use protects candidates and the public when posting debate footage, a number of online activists across the political spectrum (including Professor Lessig of Stanford Law, Craig Newmark, founder of Craigslist and Jimmy Wales, founder of Wikipedia) are calling for networks to release their footage to the public domain.11 According to this bi-partisan group, the presidential debates are held for the benefit of the public, and so “the right to speak about the debates ought to be ‘owned’ by the public.”12 Since the candidates themselves largely control the terms under which they debate, Professor Lessig believes that they should take a more direct stand on the issue and insist that the networks release the debate footage.13 Although networks certainly have an interest in maintaining their copyrights to political debates, perhaps Professor Lessig is correct in his observation that “[c]opyright, in my view, is essential and important, in some places. This isn't one."14

1 Steve Gorman, Palin-Biden Debate Sets TV Ratings Record, Reuters, Oct. 3, 2008.
2 See Detailed Usage Guidelines, msnbc.com. (“After the live debate has concluded, non-NBC media and individuals, including blogs and Internet media, may make unlimited use of the debate and excerpts, with appropriate credit to MSNBC, for the purpose of analyzing, reporting on, or commenting on the debate.”). See also CNN: No restrictions on presidential debate footage, cnn.com, May 5, 2007.
3 Jon Stokes, Fox News Faces Wrath from Right and Left over Debate Footage Stance, arstechnica.com, Nov. 1, 2007.
4 Tied Up (John McCain 2008, 2007).
5 Jim Rutenberg, Fox Orders Halt to McCain Ad, The New York Times Politics Blog (Caucus) (Oct. 25, 2007).
6 17 U.S.C. § 107 (2000).
7 Meeropol v. Nizer, 560 F.2d 1061, 1068 (2d Cir. 1977).
8 Hustler Magazine, Inc. v. Moral Majority, Inc., 606 F. Supp. 1526, 1536 (C.D. Cal. 1985).
9 Keep Thomson Governor Comm. v. Citizens for Gallen Comm., 457 F. Supp. 957, 961 (D.N.H. 1978).
10 Pacific & Southern Co. v. Duncan, 744 F.2d 1490, 1496 (11th Cir. 1984).
11 Julian Sanchez, Bipartisan Coalition: Debate Footage Must be Public Domain, arstechnica.com, Sept. 26, 2008.
12 Letter from Open Debate Coalition to Senator McCain and Senator Obama.
13 Id.
14 Andrew Malcom, Diverse Web Coalition asks McCain, Obama to Alter Debates, Los Angeles Times Blogs (Top of the Ticket), Sept. 25, 2008.


Wednesday, November 5, 2008

Palin Email Hack - Time to Update and Expand the Computer Fraud and Abuse Act?

by: Sherri Nazarian, Associate Editor, MTTLR

Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act - Part one argues that the CFAA should not be expanded to address the problem of online bullying. Part two (this post) looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA's provisions.

Image Security by David Goehring. Used under a Creative Commons BY 2.0 license.
It has been over two decades since David Lightman, a scrawny Seattle high school boy, stole our hearts when he almost started World War III by hacking into the North American Aerospace Defense computer system in the 1983 movie Wargames. David Kernell, a modern day hacker who allegedly broke into Sarah Palin’s personal Yahoo e-mail account, certainly generated the same amount of attention, but he may not have elicited the same emotions.

The hacker impersonated Palin and used three pieces of readily available personal information in order to change the account’s password and get access to her e-mails. Palin’s e-mail contents, including some personal family pictures, went online overnight and in the process raised not only questions about internet security and personal privacy on the web, but also about whether Palin was deliberately attempting to hide public records by using a personal e-mail account to conduct state business.

This high-profile incident suggests it may be time to revisit the available legal tools to prosecute cyber crimes. The primary statute used to incriminate hackers is the Computer Fraud and Abuse Act (CFAA)—originally enacted in 1984. The statute makes it illegal for a person to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] … information from any protected computer ….” However, the statute does not make it easy for a prosecutor to charge Palin’s hacker with a felony, unless other conditions are met. Former Justice Department computer crime Prosecutor Mark Rasch anticipates that the hacker could be charged with as little as a misdemeanor and face “little, if any, jail time.” The statute calls for a felony charge if, inter alia, the value of the information the hacker obtains exceeds $5000, or if the hacking was “committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” It is not clear that Palin’s hacker falls under any of these categories.

According to computer experts, Palin’s hacker used a domestic proxy server in order to transmit the images to websites, which led to his arrest. One of the bigger problems stemming from advances in internet technology is the difficulty in tracking down hackers who leave little or no trace behind. One such dilemma results when a hacker cleverly uses a proxy server located in a foreign country, where the United States potentially has no jurisdiction (or means via a treaty) to subpoena the log entry. More domestic and international protection remains a salient need of our society.

Even though Palin’s e-mail hacking incident is no inauguration of World War III, it is a wake-up call to officials—who hopefully have checked their e-mail security by now—and legislators in charge of amending the laws. Today’s fast-paced technological society and the borderless world of the internet make us aware of the need for more protection against cyber criminals through broader statutes with provisions that cover not just hackers, but facilitators as well. The possibility of cyber crimes pushing countries into ratifying treaties like the Convention on Cybercrime is, to say the least, a rational expectation.


Tuesday, November 4, 2008

Taking Down a Bully, But Taking the Computer Fraud and Abuse Act Too Far?

by: Teresa Lin, Associate Editor, MTTLR

Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act - Part one (this post) argues that the CFAA should not be expanded to address the problem of online bullying. Part two looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA's provisions.

Image: "Instant Messaging" by Eric Bartholomew. Used under a Creative Commons BY 2.0 license.

Bullies. They’re an unattractive staple of childhood. Most of us have either been one, encountered one, or observed one in action. But, alas, gone are the good old days of schoolyard bullies, where our homes were still places of refuge from schoolyard threats and teases. A new era of bullying has arrived – cyberbullying.

If you’re reading this blog, then you might have already heard of the MySpace suicide case often used in awareness campaigns against cyberbullying. For those that haven’t, here’s a quick recap:

In November of 2007, Lori Drew was accused of helping her minor daughter create a fake MySpace account to lure, ridicule, and taunt her daughter’s ex-friend and neighbor, Megan Meier. Megan, at age 13, committed suicide as a result of the online bullying. While Missouri prosecutors were unable to find anything on the books to charge Lori Drew for criminal wrongdoing relating to Megan’s death, federal prosecutors in Los Angeles did. This May, Drew was indicted by a grand jury in Los Angeles for conspiracy to commit a federal crime under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. While the trial was scheduled to begin on October 7th, it has not proceeded, and Drew’s defense attorney believes that the trial might be pushed further into December.

For a more thorough account of the story, see this New Yorker article, or follow the case on the Wall Street Journal Law Blog.

The question now is whether District Court Judge Wu should dismiss Drew’s indictments under the CFAA. And if so, what then for the morally reprehensible behavior of Lori Drew, an adult who instigated and heightened a game of child’s play that led to a young girl’s suicide?

Let’s begin by examining the textual problems with charging Drew under § 1030(a)(2)(C). This subsection of the statute makes it a federal crime for anyone to intentionally access a computer without, or in excess of, authorization to obtain information from a protected computer, if the conduct involved an interstate or foreign communication. The Congressional intent of this statute was not to give federal jurisdiction over all circumstances in which someone unlawfully obtains information via a computer or the internet. Rather, subsection 1030(a)(2)(C) was amended in 1996 with the intent to use the CFAA to “protect against the interstate or foreign theft of information by computer.” The purpose of this subsection is clear: the CFAA is meant to punish those who ‘steal’ information (whether tangible or intangible) through computers. What interstate theft was involved in the MySpace suicide? Even if we’re wildly assuming that juicy teen gossip can be considered an intangible good that the Drews ‘stole’ from Megan, where is the interstate connection? All the parties involved in this case resided in Missouri during the entire episode. The only interstate medium remotely applicable is MySpace. MySpace, a subsidiary of Fox Interactive Media, and its servers are in Beverly Hills, California. But the communications exchanged were still between people within Missouri.

Furthermore, the statute has been historically applied to mostly internet hacking cases; if the prosecution is allowed to continue under the CFAA, it’s a daunting expansion of the federal government’s jurisdiction into uncharted and unintended territories. When Drew and her daughter registered the MySpace account under a fake identity, Drew agreed to the website’s terms of service (TOS). (MySpace updated their TOS in February 2008; this linked version may be different from the one Drew and her daughter agreed to in 2007.) The TOS required Drew to register the account based on truthful and accurate information, to refrain from promoting false or misleading information, and to refrain from using MySpace to harass, abuse, or harm other people. The prosecution claimed that Drew and her daughter conspired to violate MySpace’s TOS when they set up their hoax account based on a fraudulent identity to use it for tortious actions against Megan Meier. Thus, according to the indictment, they violated provisions of the CFAA by intentionally accessing a computer without and in excess of authorization to obtain information from Megan over the internet.

Lawmakers and lawyers alike may feel their hair rise to hear the CFAA applied so broadly. What would it mean for users for the federal government to be able to broadly apply the CFAA to all users who register accounts under false information? For security purposes, I purposely register all my accounts under different dates of birth so that my personal information is not readily available on the web. Of course, the government won’t prosecute everyone that commits fraudulent registrations, right? But if not, how does the government decide who should be prosecuted, and will they be allowed to exercise such discriminatory selection? Allowing the prosecution to continue under the CFAA statute clearly raises issues related to social networking generally. It might not hurt to start reviewing some of the TOS you may have agreed to already, such as for Facebook, Twitter, Habbo, Friendster, or Orkut.

Justice Oliver Wendell Holmes said it best in his dissent in Northern Securities Co. v. United States: hard cases make bad law. What happened to Megan was a hard case – a life prematurely thrown away due to an immature prank by an adult. This awful tragedy draws on our innate social emotions to want to connect a law that can severely punish Lori Drew for her actions. But, as loud as society is screaming for justice, expanding the CFAA to such an extent is clearly bad law.

For those unsatisfied with the conclusions drawn above, here’s a tidbit to console if Drew avoids legal prosecution. While the court battles the legal dilemma of how to prosecute Lori Drew, if at all, the blogging community has been alive with their own sort of virtual vigilante justice. In mid-November of 2007, when the story exploded over national television, video clips from CNN and Fox News, and even the original Suburban Journals article that first ran the story, all refrained from revealing the identity of Lori Drew to the public out of concern for her minor daughter. Repulsed by Drew’s action, the internet community was not so kind. By November 17, 2007, bloggers broadcast and posted Lori Drew’s name, police report, personal address, business information, phone number, and her husband’s employment information. Drew, who owned an advertising business, was rumored to have closed down her business and relocated due to her notoriety. Drew is sure to be haunted by her actions for a very long time. But is this form of virtual vigilante justice satisfying? Is it commendable or condemnable? The lines between the vigilante response and the original abuses grow increasingly unclear.

Though virtual vigilantism is a debatable sort of justice, the community at large has been taking a more definite form of justice – legislation. A number of states have either proposed or already enacted legislation that prohibits cyberbullying. See examples from New York, California, Illinois, and Missouri. Congress has also gotten involved, drafting a bill to make cyberbullying a federal crime, also known as the Megan Meier Cyberbullying Prevention Act.
