Reader technofear was the first of a few of you to send over variations on the story that Lily Allen is allegedly suing Apple to force the company to help her figure out who hacked into her laptop. At least that's about all I can figure out from the various press reports. I've read about a dozen at this point, and all of them are incredibly vague. There's a hacked laptop. There's a request to Apple, which was refused, and then there was a "lawsuit." While I'm not sure how UK law works on this topic, if it were in the US, it sounds more like a situation where she's seeking someone's IP address, and is filing for a subpoena (or something like it) to compel Apple to reveal certain information which may identify who was involved. That's not quite "suing Apple," but again, the details are vague. It's also not clear what "hacked her laptop" means... or why Apple would have the details. Is there anyone out there who has actual details beyond the absolutely awful press reports?
We've been covering the ridiculous lawsuit that Facebook has been pursuing against Power.com for a while now, specifically worrying that, if Facebook prevailed, violating an online terms of service while accessing your own data could make you a criminal. That outcome seemed ridiculous, but the way Facebook read federal computer fraud statutes, it was possible. Thankfully, the court has shot down that argument.
But it's not all good news. In the same ruling, the court did say that Power.com (an aggregator of data from various social networks) still may have violated computer hacking laws by changing its IP address. That's because Facebook had blocked Power.com's old IP address to try to block the site from accessing user account data. As the EFF explains:
In other words, it may be a crime to circumvent technological barriers imposed by a website, even if those measures are taken only to enforce the terms of service through code. There's nothing inherently wrong or unlawful about avoiding IP address blocking, and there are valid reasons why someone might choose to do so, including to sidestep anticompetitive behavior by other Internet services. As long as an end user is authorized to access a computer and the way she chooses doesn't cause harm, she should be able to access the computer any way she likes without committing a crime.
Of course, given the way the DMCA handles circumvention for copyright (circumvention isn't legal even when the underlying use is legal), perhaps there's some precedent for this kind of ridiculous, totally counter-intuitive outcome.
There have been an awful lot of similar stories lately, and it is really quite troubling just how much the Computer Fraud and Abuse Act (CFAA) is being abused to turn actions like not reading a website's terms of service into a criminal offense. We had just recently discussed how this was playing out in a lawsuit involving Facebook and Power.com, but it's showing up elsewhere as well. In fact, the judge in the Facebook/Power.com case apparently based the decision on an earlier case involving Ticketmaster and a ticket reseller that used automated means to order tickets it could then resell.
In a similar case, it appears that there has been a criminal indictment of the company Wiseguy Tickets, which similarly automated ticket purchases from Ticketmaster's website. This isn't to say that ticket scalpers and resellers who buy up all the tickets aren't a problem, but should they be criminally liable because they violate a website's terms of service? The EFF and some others have now filed an amicus brief in the case, suggesting that this is a ridiculous outcome. No one should be criminally liable for not obeying the terms of service on a website. If that's the case, it's easy to make anyone a criminal. I could just quickly put up a terms of service that says something as ridiculous as "you must be 8 feet tall to read this website." And, if you're not, you've then violated the terms, and are guilty of criminal hacking under the CFAA -- which could potentially result in jail time. That makes no sense, and the EFF is hoping the judge recognizes this:
"Under the government's theory, anyone who disregards -- or doesn't read -- the terms of service on any website could face computer crime charges," said EFF Civil Liberties Director Jennifer Granick. "That gives Ticketmaster and other online services extraordinary power over their users: the power to decide what is criminal behavior and what is not. Price comparison services, social network aggregators, and users who skim a few years off their ages could all be criminals if the government prevails."
We've been following the rather bizarre and dangerous lawsuit filed by Facebook against Power.com, an online service that tries to let users aggregate various social networking activity into a single service. All Power.com does is let a willing user have Power.com's tools log into Facebook and reuse/reformat the data within its own framework. From a user's perspective, this could be quite useful. From Facebook's perspective, this is both a violation of copyright law and a violation of computer hacking laws. Why? Because Facebook says so. That is, it says so in its terms of service, and it's arguing that in ignoring the terms of service, Power.com is criminally hacking.
The EFF has filed a new amici brief in the case pointing out the logical problems with this argument. It's saying that if a user chooses to access his or her own data that is stored in Facebook, using a tool of his or her own choice... that user can be exposed to criminal liability, just because it violates some random term in Facebook's terms of service. That clearly seems to go way beyond the purpose of anti-computer hacking laws:
This is not an esoteric business issue, because the legal theories Facebook is pushing forward would make it a crime not to comply with terms of service. People have already faced criminal charges for violating a site's terms of use policy. For example, in United States v. Lori Drew, a woman was charged with violating the federal computer crime law for creating a false profile that was used to communicate inappropriately with a teenager who eventually committed suicide. EFF filed an amicus brief in that case arguing that terms of service do not define criminal behavior, and the charges were eventually dismissed. We also defended Boston College computer science student Riccardo Calixte, whose computers, cellphone and iPod were seized by local police who claimed that he violated criminal law by giving a fake name on his Yahoo account profile. A justice of the Massachusetts Supreme Judicial Court ordered police to return the property after finding there was no probable cause to search the room in the first place.
Using criminal law to enforce private website operators' terms of use puts immense coercive power behind measures that may be contrary to the interests of consumers and the public. EFF believes that users have the right to choose how they access their own data, and that services like Power's give users more options. So long as the add-on service does not access off-limits information and is not harmful to server functionality, authorized users who choose add-on technologies like Power's commit no crime. Frighteningly, under Facebook's theory, millions of Californians who disregard or don't read terms of service on the websites they visit would risk criminal liability.
We were recently tipped off to a case in the federal courts that raises all sorts of legal issues about some questionable interpretations of the law -- many of which we've discussed here recently. It involves a Utah company, named Public Engines, suing a competitor, named Report See. Public Engines, it appears, contracts with various police departments around the country to get crime data from them, and then puts that data online in various formats. Its main business tends to be working with law enforcement and providing them software and services around that data. But it also presents the data publicly on the site CrimeReports.com. Apparently, law enforcement agencies pay Public Engines to provide data to the site. Public Engines claims it does work on that data, to "de-identify" it and make it appear in a more user-friendly format. As the company notes, it does not add any editorial on the site and does not include any advertising or seek any additional business from users. The service is basically provided totally free of all that -- but the company makes money from the law enforcement agencies, who pay to take part and to use Public Engines' software.
Along comes Report See. It operates a similar site, called SpotCrime.com. However, its business model is different. It seeks to get the data for free -- combing various other sources and working out deals with law enforcement itself. Its business model is to sell advertising on the site, as well as to work out partnerships with different media properties, who wish to use the data SpotCrime has collected.
You can probably see where this is headed. Report See, not surprisingly, found the publicly available CrimeReports site to be a treasure trove of good data, and began scraping it to include in SpotCrime. Public Engines took issue with this and demanded Report See stop. Apparently, the company initially agreed to do so, but then soon began scraping the site again. From there a technical one-upmanship battle appears to have ensued. Public Engines kept trying to block the SpotCrime scraper, and Report See kept adapting its scraper. Also, somewhere along the way, Report See started going to the same law enforcement groups that Public Engines worked with, asking for access to the same data, and pointing out that, as public records, the data should be available under various public records access laws.
And, now, we get to the lawsuit. Public Engines pretty much tries to throw everything at Report See, some of which seems pretty questionable. The one thing that surprised me, actually, was that Public Engines didn't toss in a copyright claim. Thankfully, it seems to have realized that would have gone way too far. But its other arguments are still pretty problematic.
First, Public Engines pulls out a Computer Fraud and Abuse Act claim. This is the anti-hacking law that we recently discussed, as many lawsuits (and a few judges) have tried to stretch it way beyond its intended purpose. The CFAA is supposed to deal with actual malicious hacking -- that is, breaking into a computer system that has been secured. This is a public website we're talking about here. Claiming a CFAA violation is silly and an attempt to extend the law well beyond what it was intended to cover. Allowing CFAA claims on public websites is really problematic.
Second, Public Engines says there's a breach of contract. But, you might point out, Report See and Public Engines have no contract. Indeed. But Public Engines claims that the terms of service on its website represent a valid contract. Again, it seems like Public Engines is stretching the law to claim that a contract has been made here. Even though it notes there's a link to the terms on every page, it never made Report See agree to the contract, and even so there are still some questions about whether or not any "clickthrough" agreement is really binding.
Third, Public Engines pulls out a Utah statute on "anti-cyberterrorism." No, I'm not kidding. Apparently, Public Engines is claiming that by accessing the website without authorization (see the two points above) and then "obtaining CrimeReports.com's intellectual property" in a way that "led to a material diminution in the value of Public Engines' intellectual property," Report See is violating this anti-cyberterrorism law. My question: what intellectual property? Remember, Public Engines knew better than to include a copyright claim. And that's because it holds no copyright on the data. So what intellectual property has actually been obtained here? Public Engines skips over that.
Fourth, Public Engines pulls out a Lanham Act false advertising claim. Again, this appears to be a stretch of the law's purpose. The point of this law is to stop someone from advertising a product as being from Coca-Cola, when it's really Bob's soda. That's to avoid harm to the consumers (remember, the Lanham Act is really about consumer protection) who bought Bob's soda thinking it's Coca-Cola. But here, there's no "confusion" or issue where consumers are likely to be tricked in a damaging way. The data is the same. There's no harm done. The "data" is not "owned" by Public Engines or CrimeReports. It's factual data.
Given all of these points, you could have guessed that the next claim from Public Engines was (you guessed it!) our favorite insanity and recently back-from-the-dead legal craze: hot news, which is showing up in all sorts of lawsuits these days, and is an incredibly troubling restriction on free speech and freedom of the press. Remember, Public Engines knows that it has no copyright claim on this data. It's factual data from public agencies about crime. It would have an incredible chilling effect to suggest that such data is covered by the hot news doctrine.
Public Engines still isn't done yet. Its sixth claim is for "interference with a contract," because of Report See's attempts to go to police agencies directly. This, again, seems silly and beyond the scope of the law. It's perfectly normal and basic competition to approach customers of competitors and to try to get deals yourself. That's how business works. Claiming that no one else can try to get this data from law enforcement agencies is ridiculous.
Honestly, the only legal claim that I thought the company might have that made any sense at all was the claim that Report See had promised to stop scraping its site, and then changed its mind. But even that might be a tough sell. Of course, we've seen judges make all sorts of crazy rulings on nearly every one of the issues above, and given that it's a local court (Public Engines filed it in its home court), who knows what might happen. But if the court buys any of these arguments it could set really bad and chilling precedents.
Now, you may ask, what should Public Engines be doing in this situation, since it clearly is going through a lot of effort to collect and format this data. That's all true, but it can still compete pretty easily against Report See. If you compare CrimeReports to SpotCrime, you'll quickly realize that CrimeReports is much nicer and much more user-friendly. It's also not weighed down with annoying advertisements everywhere. Anyone who is interested in using such a tool would almost certainly gravitate to CrimeReports over time. It's just a better site, and since it apparently gets the data first, you'd figure it's also more up-to-date.
In other words, CrimeReports should be able to compete effectively in the marketplace. It's disappointing that rather than doing so, it broke out the lawyers.
Separately, this is now the second case we've seen in just the past few weeks that has tried to combine both a hot news claim and a CFAA claim -- and in both cases, these were attempts to stretch the doctrines and the law well beyond intended purposes. It would be nice if the courts quickly realized what's happening and fixed things (either that or Congress came in and got rid of hot news and clearly limited the CFAA -- but don't expect that to happen).
In the end, though, this really does come down to a simple question. Just because one company went through the trouble of collecting factual data from public agencies, can it stop others from using it? The US has, on purpose, rejected any sort of "sweat of the brow" concept for protecting intellectual property. It does not, for the most part, recognize "database rights" for this reason. Public Engines is basically trying to replicate a database right by misusing a variety of other laws and doctrines. If we're serious about protecting First Amendment rights, it would be good to see the courts smack down such attempts to stretch the law.
A few years ago, the story broke about how TJX, the corporate parent of a series of retail stores, including TJ Maxx and Marshalls, had suffered a huge data breach, after some hackers had accessed its computer network via an insecure wireless connection at one of the stores. A year and a half later, we wrote about the arrests of some of those involved. The following year, we wrote about another hack, at Heartland Payment Systems, that had the potential to surpass the TJX hack as "the largest ever" in terms of the number of records accessed. It later came to light that both hacks were actually done by the same guys, supposedly led by Albert Gonzalez, a hacker who was actually on the government payroll at the time (after turning informant upon being caught a few years earlier standing in front of an ATM with a handful of fake ATM cards).
Back in March, Gonzalez received a twenty year sentence for the crime -- the longest sentence for a "hacking"-related crime in the US. Others involved in the deal have been sentenced to shorter terms recently as well. Now, Danielle Alvarez, from the Miami New Times, points us to an article written by the paper that details the story behind the hacking, and the folks involved -- including the news that one suspect ended up killing himself after hearing of Gonzalez's arrest (which I hadn't seen elsewhere in following this story -- Update: a few people have pointed to this story that Wired had last year, which I had not seen before). It's a long story, but reads like something that will get turned into a movie at some point. Of course, the story plays down the security flaws at the companies, like TJX, which sent unencrypted credit card data over its network (a point Gonzalez's legal team tried to make in properly calculating how much "damage" he did). Still, it's a fascinating story about a group of young hackers, who wanted to "get rich or die trying," and how at least one of them succeeded at the latter.
Remember a few months ago when a disgruntled ex-employee from a car dealer was able to log in to the dealer's computer system and remotely disable over 100 cars? And, of course, there have been concerns over the ability to use systems like OnStar to remotely disable cars as well, with concerns about what would happen if malicious hackers were able to get their hands on the controls. Now, to add to those concerns, some researchers are reporting that modern day car computing is vulnerable to malicious hacks that could put drivers in danger.
The scientists say that they were able to remotely control braking and other functions, and that the car industry was running the risk of repeating the security mistakes of the PC industry....
The researchers, financed by the National Science Foundation, tested two versions of a late-model car in both laboratory and field settings. They did not identify the maker or the brand of the car, but said they believed they were representative of the computer network control systems that have proliferated in most cars today.
The researchers asked what could happen if a hacker could gain access to the network of a car, said Tadayoshi Kohno, a University of Washington computer scientist. He said the research teams were able to demonstrate their ability to circumvent a wide variety of systems critical to the safety of drivers and passengers.
They also demonstrated what they described as "composite attacks" that showed their ability to insert malicious software and then erase any evidence of tampering after a crash.
The researchers were able to activate dozens of functions and almost all of them while the car was in motion.
Happy driving, everyone...
To be fair, the researchers admit that they did not look at what kinds of "defense" the car might have to block such attacks, but they do point out that those developing car computing systems probably don't have as much experience or concern in the security realm. For the most part, this sounds like it's not a problem that anyone's going to face in the short-term. If anything, I'm guessing we'll have a lot more moral panic stories about what will happen before any reports of something bad actually happening. However, at some point, it seems likely that these sorts of stories will pass over from the hypothetical into the real world, and at that point, I'll be looking for a car that runs on open source software.
In the last year, there's been a sudden resurgence in interest in the concept of "hot news," a doctrine that most people thought was dead and buried, which allowed a judicially-created form of intellectual property on factual information that was deemed to be "hot news." There's no statute that covers this. Just a court decision. And that was a century or so ago. But... the concept started showing back up in court recently, and in March a ruling came down, blocking a website from reporting on news for two hours, using this doctrine. With that on the books, other "hot news" lawsuits were quickly filed.
However, one such recent lawsuit seems to stretch the concept of hot news so far that you can only sit back and admire the audacity of including it in the lawsuit, while fearing the results should a court actually buy it. Thomas O'Toole has the details of what is likely to be a very interesting lawsuit for a few different reasons, beyond just the hot news claim (but we'll get to those other issues, so read on...).
The case apparently involves an employee at Goldman Sachs (or potentially multiple employees) who got the username and password of another account holder on a database put together by a company called Ipreo Networks, called "Bigdough." Bigdough is apparently a database of contact info on 80,000 financial industry people. The Goldman Sachs employee(s) logged in with someone else's username/password and downloaded a bunch of information.
This sort of thing happens all of the time. People share logins all of the time. Doing so is basically a terms of service violation, but here the company has broken out the big guns. Yes, it's claiming that the contact info in its database represents "hot news," and Goldman accessing it is a violation of the "hot news" doctrine. Think about that for a second. Contact information. "Hot news?" And, of course, the whole purpose of the "hot news" doctrine is about another publisher republishing the information -- something that Goldman Sachs didn't do here at all. The whole "hot news" claim here seems to stretch the (already questionable) concept way past the breaking point. Hopefully that part gets tossed quickly. Otherwise, imagine what else will suddenly be called "hot news."
But that's not all that's interesting in this case. As O'Toole notes in his report, there are two other interesting legal questions, having to do with the use of someone else's login. First, there's the question of whether or not Goldman Sachs is liable here, even if the actions are just that of a rogue employee (or group of employees). O'Toole points out that the legal standard to get GS on the hook here is pretty damn high. The second question, of course, is whether or not just using a login that someone shared with you is a violation of the Computer Fraud and Abuse Act (CFAA). We recently discussed how there are also a growing series of cases trying to stretch the CFAA to make all sorts of activities classified as "unauthorized access." CFAA was really designed as an anti-hacking law -- which was about people really breaking in to a computer system. If someone simply shares their login credentials with you, does that really count as criminal hacking? If that's the case, an awful lot of people may be guilty of doing so.
So, this should be a fun one to follow. Three separate interesting legal questions, and in all three cases, Ipreo appears to be trying to stretch the law beyond its intentions, so hopefully the court recognizes this. If you want to see the full filing, it's below:
We noted recently that the courts (and plaintiffs in lawsuits) have been stretching computer hacking laws in dangerous ways. The laws that were clearly intended to cover situations of malicious hackers breaking into a computer system they have no right to be in are being twisted around, such that contractual language is being used to make all sorts of access "unauthorized" under the terms of the law. For example, we noted a case where using an employer's computer to access information for personal use... could be seen as "unauthorized access" and, thus, criminal computer hacking.
Last year, we wrote about a bizarre lawsuit where Facebook sued Power.com, a website that tried to aggregate various social networks into a single interface. That could be pretty useful. Facebook didn't like it and sued. But just because Facebook doesn't like something, it doesn't make it illegal. What if users want to access Facebook that way? Facebook tossed out a variety of legal theories, including the idea that this was criminal hacking, because it was unauthorized access. How is it unauthorized? Well, here Facebook got creative. It has, hidden within its terms of service, a note that accessing Facebook through "automatic means" is forbidden. Facebook says that Power.com's aggregator is "automatic means" (which seems questionable), and thus accessing Facebook via Power.com is no longer authorized. Since the access is not authorized, then it's... unauthorized access, aka hacking, and a crime under California's computer crime statute.
"California's computer crime law is aimed at penalizing computer trespassers," said EFF Civil Liberties Director Jennifer Granick. "Users who choose to give their usernames and passwords to aggregators like Power Ventures are not trespassing. Under Facebook's theory, millions of Californians who disregard or don't read terms of service on the websites they visit could face criminal liability. Also, any Internet company could use this argument as a hammer to prevent its users from easily leaving the service as well as to shut down innovators and competitors."
Even the simple use of the automatic login feature of most browsers would constitute a violation under Facebook's theory, since those services are "automatic means" for logging in. But the risk for users is even broader. If any violation of terms of use is criminal, users who shave a few years off their age in their profile, claim to be single when they are married, or change jobs or addresses without updating Facebook right away would also have violated the criminal law.
Michael Scott points us to a very interesting analysis of how two different appeals courts have very different interpretations of our federal anti-hacking law. The Computer Fraud and Abuse Act was passed by Congress to create criminal sanctions for malicious computer hacking. The problem, of course, is that whenever you have politicians passing laws about technology, they may be a bit vague. So, the way hacking was defined was effectively to say that the perpetrator accessed info "without authorization" or (more troubling) that the activity "exceeds authorized access." Now, it's pretty obvious what's meant by this. If you're breaking into parts of a computer system where you don't belong for nefarious purposes, you're probably violating this law.
But that's not how all courts are interpreting it. The article notes that the Seventh Circuit, in International Airport Centers, LLC v. Citrin, found that an employee violated this law by deleting information on his laptop (which would have presented evidence of a breach of contract by the guy), after he had resigned. Obviously, that's a totally different situation than what the CFAA was intended to cover, but the court found that once he quit, he was no longer authorized to use the laptop, and doing so was effectively hacking. That seems like an extreme stretch of the law. But at least some other courts are following suit:
For example, in a case in the U. S. District Court for the Eastern District of Missouri, the district court relied upon the Citrin decision and held that, even if employees were authorized to access their employer's computer records, they cannot use such authorization (and, hence, their access can become "unauthorized"), if they use the information for their own interests.... The court concluded that the employer sufficiently alleged that the employees "acted without authorization when they obtained [the employer's] information for their personal use and in contravention of their fiduciary duty to their employer."
Yes, you read that right. If you use your employer's computer simply to access the company's data for your personal use, you may be guilty of computer hacking. That's quite clearly not what the law was intended to cover.
Thankfully, the Ninth Circuit (which all too often comes out with weird decisions) seems to have gotten this one right:
In declining to adopt the Seventh Circuit's interpretation of "without authorization," the court held that a "person uses a computer 'without authorization'... [only] [1] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or [2] when the employer has rescinded to access the computer and the defendant uses the computer anyway."... The Ninth Circuit declined to hold that the "defendant's authorization to obtain information stored in a company computer is 'exceeded' if the defendant breaches a state law duty of loyalty to an employer" because no such language was found in the CFAA.... The Ninth Circuit noted that because the CFAA was "primarily a criminal statute," and because there was ambiguity as to the meaning of the phrase "without authorization," it would construe any ambiguity against the government....
Obviously, I agree that this is the proper interpretation of the law -- and stretching the definition of criminal hacking "without authorization" to things like accessing personal information on an employer's computer is dangerous. Of course, with the split rulings, it's likely that eventually this will get to the Supreme Court to sort out, and hopefully they get it right. Or, in the meantime, Congress could clarify the law -- but chances are they'd just make it worse.