Archive for the ‘Computer Crime Law’ Category

I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:

Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.

I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership …..

Continue reading ‘Thoughts on the Oral Arguments in United States v. Nosal’ »

I recently read Popular Mechanics’ riveting article reconstructing the last minutes of Air France 447, which in 2009 disappeared without explanation over the Atlantic between Rio and Paris. Using the cockpit transcript, the article reveals that the pilots essentially flew a fully functioning passenger jet into the sea. Why?  It appears that a temporary loss of flight speed data and then the disconnection of autopilot systems panicked a copilot into lifting the nose of the plane.  He then more or less kept the stick pulled all the way back as the plane lost forward speed and plunged into the ocean, paying no attention to dozens of blared stall warnings. Here’s a bit of the transcript and Popular Mechanics’ commentary:

02:10:55 (Robert) Putain!
Damn it!
Another of the pitot tubes begins to function once more. The cockpit’s avionics are now all functioning normally. The flight crew has all the information that they need to fly safely, and all the systems are fully functional. The problems that occur from this point forward are entirely due to human error.
02:11:03 (Bonin) Je suis en TOGA, hein?
I’m in TOGA, huh?
Bonin’s statement here offers a crucial window onto his reasoning. TOGA is an acronym for Take Off, Go Around. When a plane is taking off or aborting a landing—”going around”—it must gain both speed and altitude as efficiently as possible. At this critical phase of flight, pilots are trained to increase engine speed to the TOGA level and raise the nose to a certain pitch angle.
Clearly, here Bonin is trying to achieve the same effect: He wants to increase speed and to climb away from danger. But he is not at sea level; he is in the far thinner air of 37,500 feet. The engines generate less thrust here, and the wings generate less lift. Raising the nose to a certain angle of pitch does not result in the same angle of climb, but far less. Indeed, it can—and will—result in a descent.
While Bonin’s behavior is irrational, it is not inexplicable. Intense psychological stress tends to shut down the part of the brain responsible for innovative, creative thought. Instead, we tend to revert to the familiar and the well-rehearsed. Though pilots are required to practice hand-flying their aircraft during all phases of flight as part of recurrent training, in their daily routine they do most of their hand-flying at low altitude—while taking off, landing, and maneuvering. It’s not surprising, then, that amid the frightening disorientation of the thunderstorm, Bonin reverted to flying the plane as if it had been close to the ground, even though this response was totally ill-suited to the situation.

The article offers a final observation on what things were like in that cockpit, minutes from the crash:

Over the decades, airliners have been built with increasingly automated flight-control functions. These have the potential to remove a great deal of uncertainty and danger from aviation. But they also remove important information from the attention of the flight crew. While the airplane’s avionics track crucial parameters such as location, speed, and heading, the human beings can pay attention to something else. But when trouble suddenly springs up and the computer decides that it can no longer cope—on a dark night, perhaps, in turbulence, far from land—the humans might find themselves with a very incomplete notion of what’s going on. They’ll wonder: What instruments are reliable, and which can’t be trusted? What’s the most pressing threat? What’s going on? Unfortunately, the vast majority of pilots will have little experience in finding the answers.

That all sounds right.  But like everything else these days, it made me think about cyberwar.  Some of the most effective tactics used by our adversaries have a social engineering component.  That is, they know how humans react to certain situations and take advantage of that reaction to gain control of our computers.  They know we’re likely to open messages and click on links sent by superiors in our organization. They know we will accept friend requests from people who are already connected to a lot of our friends.  Stuxnet took advantage of social engineering of a sort by making sure that the systems reported normal activity to the humans in the control center while sending abnormal requests to the machines.  The humans believed what their controls told them.

What does this have to do with the crash of AF447?  The reaction of the AF447 pilots was tragically human.  Once we lose faith in computer systems, especially in an emergency, all of us are likely to ask, “What instruments are reliable, and which can’t be trusted? What’s the most pressing threat? What’s going on?” And if we have only minutes to make a decision, we’re likely to lock on a fragment of our training and keep trying it. The evidence that we’re failing disastrously just makes us pull harder on the stick.

So:  Why can’t that reaction be engineered? Put another way, could a hacker have caused the AF447 crash, not by directly overriding the pilots but by manipulating their very human reactions? I should stress that I don’t believe a hacker did that.  Quite the reverse. I’m asking whether future cyberattacks will try to manipulate the human beings behind the computers.

On reflection, the answer is obvious.  All of war is an effort to manipulate the opponent into a different, defeated frame of mind. But the logical conclusions are pretty troubling. Even as we begin to deploy automated defenses against remote sabotage, attackers will turn to social engineering to defeat them. Once again, this gives the offense far more options than the defense.

Thus, imagine that we decide to improve our cyberdefenses by redesigning critical military or civilian systems so that computers alone cannot cause catastrophic missteps. That’s good, but it simply challenges the attacker to find a way to influence not just the computers but also the humans – to panic the humans into a catastrophic misstep. Even if the attacker can’t fly our planes into the sea, maybe he can get our pilots to do it for him. Even if he can’t cross the air gap to bring down our nuclear plants, he might be able to fake an emergency in the operations center that leads to the same outcome.

As AF447 shows, the key to such an attack is to create doubts about what is true in a situation where decisions must be made in minutes.  Then, as AF447 shows, humans revert to muscle memory and to training, which in some cases can lead rather predictably to disaster.

We’re already seeing rudimentary social engineering in cyberattacks.  We need to get ready for something a lot more sophisticated.

Law.com has reprinted this helpful story on the Ninth Circuit en banc arguments to be held later this week in United States v. Nosal.

In a recently-filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting “access” and “authorization” in the context of the CFAA. The CFAA’s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass as follows:

[Whether a written access restriction can be enforced by trespass law is a] fact-dependent conclusion drawn from the totality of the circumstances, and “it may be manifested by action or inaction and need not be communicated to the actor.” [Restatement (Second) Torts § 892(1) (1979).] see id. § 892 cmt. c. Accordingly, courts sometimes find that a written or posted access restriction has been overridden or lifted.

This common-law principle takes several forms. One is the doctrine of apparent or implied consent; another is estoppel or waiver. Courts are suspicious of posted access restrictions that by their terms apply to everyone but that in fact have been selectively enforced “against some members of the public as opposed to others”; when the signals conflict, courts may find a posted restriction ineffective. Winn, The Guilty Eye, 62 Bus. Law. at 1424. Similarly, a property owner who knowingly acquiesces in a person’s course of access may waive the right to call it a trespass. See id.; see also 75 Am. Jur. 2d, Trespass § 67 (estoppel defense). When an owner has “actual knowledge” of repeated trespasses, the owner’s “habitual acquiescence … may constitute a license for persons to enter the land, if the tolerance is so pronounced as to be tantamount to permission.” 75 Am. Jur. 2d, Trespass § 73. Community custom is especially relevant in determining apparent consent. See Restatement (Second) Torts § 892 cmt. d; cf. McKee v. Gratz, 260 U.S. 127, 136 (1922) (“A license may be implied from the habits of the country.”). Above all, commonsense and reasonableness are the guides, as they are with all totality-of-the-circumstances inquiries.

Like other established doctrines of the common law of trespass, the reasonable approach to judging posted access restrictions applies to the CFAA. And it easily answers Nosal’s policy concerns. If, as Nosal posits, it is well known that millions of employees and Internet users actually violate posted restrictions on computer and information access every day, chances are good that those restrictions are not bona fide.

I considered this argument when I was writing my Cybercrime’s Scope article in 2003, but I concluded that it’s not persuasive. The problem is that the principles of interpreting common law torts are pretty different from the principles of interpreting criminal law statutes. The CFAA is a criminal statute: Although Congress later added some civil remedies to it, the statute is primarily a criminal statute and its basic prohibitions need to be interpreted accordingly. So while it’s true that the CFAA harnesses the basic concept of a trespass, I don’t see a good reason to adopt the details of the trespass tort when interpreting the CFAA.

The void for vagueness doctrine demonstrates the problem. The scope of common law tort liability is not subject to vagueness challenges. As a result, the scope of common law tort liability can be quite unclear. That’s fine in the tort context: It’s not a big deal if a person who may be trespassing isn’t entirely sure if the posted notice is enforceable. But the void for vagueness doctrine requires at least some degree of clarity in the criminal context. Hinging criminal liability on whether the violated term of service is one that is violated as a “habit[] of the country” and for which there is “habitual acquiescence” is just too unclear. No one really knows how that would be applied.

The difference between trespass onto physical land and access into a computer is a significant part of the problem. In the case of a physical trespass, we can get a sense of social norms by observing what notices are enforced. We know where we are on physical land, and can only be in one place at a time. We visually observe enforcement, and we visually observe if notices are ignored. But it’s hard to obtain knowledge as to how seriously a particular computer provider takes each provision in the Terms of Service. Users can’t generally know which Terms are meant to be taken seriously and which aren’t. Plus, a computer user might be accessing several different computers at the same time. Users don’t have obvious ways of determining which of the dozens or even hundreds of written restrictions that might apply to them at any given time are really intended to be taken seriously. How does a computer user know which terms are violated as a “habit of the country”?

Continue reading ‘The Trespass Tort Versus the CFAA: A Response to the Oracle Amicus Brief in Nosal’ »

Many readers know that I am the author of a law school casebook on computer crime law: Computer Crime Law, published by West, now in its second edition.

I’m pleased to announce the publication of another casebook on computer crime law, Thomas K. Clancy’s Cyber Crime and Digital Evidence: Materials and Cases, published by Lexis-Nexis. Professor Clancy teaches at the University of Mississippi Law School (no, not that Tom Clancy), where he is the Director of the “National Center for Justice and the Rule of Law” — a center that among other things has a Cyber Crime initiative largely focused on state and local law enforcement and judicial training.

By my count, Professor Clancy’s book will become the third computer crime law casebook, although only the second that is updated regularly.  In 2003, Carolina Academic Press published David Loundy’s casebook, Computer Crime, Information Warfare, & Economic Espionage, although I believe it has not been updated since its initial publication.

Tomorrow morning at 10am, I will be testifying before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security about the need to narrow the Computer Fraud and Abuse Act. I have submitted my written testimony, and it is available here. It begins:

The current version of the Computer Fraud and Abuse Act (CFAA) poses a threat to the civil liberties of the millions of Americans who use computers and the Internet. As interpreted by the Justice Department, many if not most computer users violate the CFAA on a regular basis. Any of them could face arrest and criminal prosecution.

In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime. Any cybersecurity legislation that this Congress passes should reject the extraordinarily broad interpretations endorsed by the United States Department of Justice.

In my testimony, I want to explain why the CFAA presents a significant threat to civil liberties. I want to then offer two narrow and simple ways to amend the CFAA to respond to these problems. I will conclude by responding to arguments I anticipate the Justice Department officials might make in defense of the current statute.

The three other witnesses appearing at the hearing will be James Baker, the Associate Deputy Attorney General; my old friend and colleague Richard Downing, a Deputy Chief of the Computer Crime and Intellectual Property Section at DOJ; and Michael Chertoff, the former Secretary of Homeland Security. For those interested in attending, the hearing will be at 10 am in Room 2141 of the Rayburn House Office Building.

How to Find A Computer Crime Lawyer

As a specialist in computer crime law, I am occasionally asked how to find a good defense lawyer in a computer crime case. If you’re a defendant who has been charged in a computer crime case, or you know someone who has been so charged, how do you pick a lawyer? I get this question often enough that I figured I would blog it, in part because I suspect people googling around for a computer crime lawyer might stumble across the post in their search.

The problem with finding a good defense lawyer for a computer crime case is that most defense lawyers are generalists. Defense lawyers often have solo practices, or work in small firms, and they take a very wide range of cases. They specialize in defending individuals against criminal charges, not in particular types of crimes. As a result, it is very hard to find a criminal defense lawyer with genuine expertise and experience in litigating computer crime cases — someone who can handle the statutory issues, knows how to handle expert witnesses, can raise needed Fourth Amendment challenges, and the like. Jennifer Granick comes to mind as one, but there are few others. (Some defense lawyers have websites proclaiming themselves as expert computer crime lawyers, but I would be skeptical about those claims.)

As a result, I think the best path for many defendants is just to hire a good defense lawyer with a good reputation, regardless of expertise in computer issues, and then to consider supplementing that lawyer by discussing the case with a subject-matter expert who can flag some of the issues in the case that a generalist would likely miss. I’ve served as such a subject-matter expert before, and I think it has worked out pretty well. The basic idea is to have an expert look over the case and spot issues and provide strategic advice, even though they are not hired as the primary lawyer in the case. Depending on the case, you may be able to find experts who will provide that advice pro bono; in other cases, you might have to pay them for a few hours’ worth of consulting work. But my sense is that this sort of combination of generalist doing most of the work and an outside expert providing strategic advice is pretty effective.

Cool.

I’ve just finished a longish piece on cyberwar and the role of lawyers, published in Foreign Policy magazine.  Here’s how it begins:

Lawyers don’t win wars. But can they lose one?

We’re likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they’ve left the military unable to fight or even plan for a war in cyberspace.

And here’s the part that inspired the title of this post:

By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers’ homes, wives, and children.

In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country’s strategic position in 1932, showed a candor no recent American leader has dared to match. “There is no power on Earth that can protect [British citizens] from being bombed,” he said. “The bomber will always get through…. The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”

The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces “shall in no event, and under no circumstances, undertake the bombardment from the air of civilian populations or of unfortified cities.”

Roosevelt had a pretty good legal case. The 1899 Hague conventions on the laws of war, adopted just two years after the Wright brothers’ first flight, declared that in bombardments, “all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes.” The League of Nations had also declared that in air war, “the intentional bombing of civilian populations is illegal.”

But FDR didn’t rely just on law. He asked for a public pledge that would bind all sides in the new war — and, remarkably, he got it. The horror at aerial bombardment of civilians ran so deep in that era that Britain, France, Germany, and Poland all agreed to FDR’s bargain, before nightfall on Sept. 1, 1939.

Nearly a year later, with the Battle of Britain raging in the air, the Luftwaffe was still threatening to discipline any pilot who bombed civilian targets. The deal had held. FDR’s accomplishment began to look like a great victory for the international law of war — exactly what the lawyers and diplomats now dealing with cyberwar hope to achieve.

But that’s not how this story ends.

Kashmir Hill writes at her Forbes blog on the good news from yesterday’s Senate Judiciary Committee hearing markup of amendments to the Computer Fraud and Abuse Act: No, Faking Your Name On Facebook Will Not Be A Felony.

Legal scholar Orin Kerr wrote an alarming op-ed in the Wall Street Journal yesterday, warning people that “faking your name on Facebook could be a felony” when the law is changed. But a lot changed since yesterday morning. An amendment was added to the bill during a Senate Judiciary Committee hearing Thursday morning, so that people who violate websites’ terms of service are not considered felons.

Senators Al Franken and Chuck Grassley proposed new language for the bill (thanks in part to Kerr’s urging) to exempt those guilty only of TOS violations. Franken, in urging his fellow senators to adopt the amendment, said that without it, the following people would be felons: “A father who uses his son’s Facebook password to log into his Facebook account to check his messages and photos” (ed. note: Creepy and invasive but not criminal); “a 17 year-old who claims she is 18 in order to sell her knitted scarves on Etsy,” and “a struggling business owner who secretly creates a Yelp account to give his restaurants favorable reviews” (ed. note: Again, uncool and deceptive, but not felony behavior).

The Committee then added an amendment to the bill that specifies that felony-level unauthorized access not “include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill will now move forward to be considered by the Senate.

The amendment is here. It would amend the definition of “exceeds authorized access” in the CFAA, to the following, with the new language in bold:

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

I think this is a very good fix, and would be a very important addition to the CFAA. As I read this, the language says that mere breach of a contract or warning such as a Terms of Service cannot be the basis for liability in three instances: with websites, ISPs, and non-government employers. So the government could still prosecute government employees who misused sensitive government databases, such as by accessing tax or social security databases for personal or nefarious reasons. On the other hand, the Government could not prosecute private sector employees for breaching private sector employer computer use restrictions (as they’re trying to do in United States v. Nosal, still pending in the Ninth Circuit) and they could not prosecute Internet users for Terms of Service violations (as they tried to do in United States v. Drew). The language isn’t exactly perfect, as there are some minor definitional questions. But this is really a very strong effort, and I’m just delighted that the Judiciary Committee passed this.

Of course, the fact that it’s out of Committee doesn’t mean it has passed into law. DOJ may target this provision along the way, and there are still a number of hurdles to pass. But this is a very promising step.

Poisoning the Hamburger Helper

The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag.  But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act.

Again.

In fact, for the eleventh time since it was adopted in the 1980s.  We’ve seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated.  But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”

Justice’s latest proposals fit squarely into this mold.  Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years.  It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes.  It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.

Well, you might ask, why not get tough with hackers?  Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security.  That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them.  Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.

Take a look at the website where Justice maintains a representative list of its most significant prosecutions.  What’s striking is how few prosecutions it has to brag about – less than 50 – and how few of those (maybe half) represent cases in which we actually caught the kind of remote hackers we’re most threatened by. I’m willing to bet that there is no other federal criminal law that has been amended so often in prosecutors’ favor with so few successful prosecutions to show for it.

The latest amendments are more of the same:  Shooting in the dark with a bigger gun. As protections against cyberattack, these amendments are useless.  They are added to the administration’s package mainly to give it the appearance of heft.

They are the legislative equivalent of Hamburger Helper.

Actually, they’re worse than that.  The RICO provision is far more dangerous than it first appears. To explain, I’ll need to repeat some of what Orin Kerr has been saying for years, so if you’re already familiar with that, you can skip the next ten paragraphs.

***

As I’ve said, the remarkable growth in cyberattacks over the last quarter century has enabled Justice to turn the CFAA into what may be the most prosecutor-friendly criminal statute on the books.  What does “prosecutor-friendly” mean in practice?  That any competent prosecutor can find a way to indict and convict anyone who does anything Really Bad with a computer.

With the CFAA, that’s mission accomplished:  The law imposes harsh criminal penalties on anyone who accesses a protected computer “without” or “in excess of” authorization.  The definition of a “protected computer” has been expanded until it covers any computer used in interstate or foreign communication, which in the Internet age is, well, every computer. As a practical matter, then, you can be indicted any time you do something on a computer that isn’t authorized. That term isn’t defined, but you can bet that if you do something Really Bad with a computer, it will turn out to be unauthorized.

Take Lori Drew, an overprotective, nasty mother who created a fake teenage-boy identity on MySpace in an effort to humiliate her daughter’s teenaged frenemy.  The scheme worked so well that the teen killed herself.  There’s no doubt that Lori Drew’s behavior was Really Bad, and it involved computers, so federal prosecutors decided it must violate the CFAA. And, mirabile dictu, it did.  By using a fake identity, Drew had violated MySpace’s terms of service, which meant that she had accessed a MySpace computer “in excess of” authorization. Drew was convicted, although in the end, with Orin Kerr’s help, the guilty verdict was overturned.

This kind of prosecutorial overreach is an inherent risk of the CFAA, given its reliance on the slippery concept of authorization.  As some civil liberties groups recently pointed out, the CFAA at its heart makes it a federal crime to violate a private contract, even a contract of adhesion like a social network’s terms of use:

If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation).  However, if an employee emails that document, there may be a CFAA violation.  If a person assumes a fictitious identity at a party, there is no federal crime.  Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation.

I don’t want to be too hard on the drafters of the CFAA;  they faced a tough drafting problem.  Hackers cause terrible harm, but the things they do aren’t all that different from the things legitimate users do.  Legitimate users open files, modify code, install programs, and send data to remote sites.  So do hackers.  We know the difference between the two, but it’s not easy to express that difference without falling back on the notion that the good guys are authorized to do those things and the bad guys aren’t.

I think this means that any statute that criminalizes hacking is likely to be either too broad or not broad enough.  Congress chose broad language to make sure that hackers couldn’t get off on a technicality, but in the process it gave Justice enormous prosecutorial discretion. Justice Department official James Baker gave a persuasive defense of the “authorization” test in last week’s testimony.  But the Department’s misuse of its broad discretion in the Lori Drew case suggests a need for greater accountability and discipline within the Department.  Requiring that the head of the Criminal Division sign off on all such cases — and take the blame if they turn out badly — may be a more workable solution than taking away the prosecutors’ discretion by changing the law.

Remarkably, though, that isn’t even the worst problem created by the CFAA.  The law also creates a private cause of action, handing a big legal weapon to everyone from the RIAA to the Church of Scientology.  And private parties aren’t exactly showing a lot of restraint.  According to the Center for Democracy and Technology, at least one company has brought a CFAA counterclaim in a pregnancy discrimination case, seeking damages under the Act because its employee acted in excess of authorization on the corporate network.  What did she do?  She violated a corporate proscription on “excessive Internet use.”  Equally abusive is a case that Orin Kerr has pointed out – Sony’s threat to sue PS3 hackers because they used their own computers in violation of Sony’s licensing restrictions.

Maybe back in the 1980s, Congress thought that creating a civil action would unleash the plaintiff’s bar on real hackers.  If so, Congress was deluded.

Civil CFAA lawsuits have proliferated but by and large they aren’t being filed against people who hack into systems.  Instead, they’re being brought by corporations against employees thought to have downloaded too much information from the corporate network before quitting.  They’re being brought by websites to keep competitors from using “scraper” software to collect their pricing data. Maybe those are bad things.  If so, they’re probably already torts under state law, and it’s hard to see why the cases should be in federal court.  And if they aren’t torts under state law, well, it’s even harder to see why they should be in federal court.  It’s the law of unintended consequences run amok.

***

OK, that’s the Gospel According to Orin Kerr. Now back to the latest proposal from Justice.

Justice wants to make the CFAA one of the federal crimes that qualify as “racketeering activity” under the Racketeer Influenced and Corrupt Organizations Act, or RICO.  This would add RICO prosecutions to the long list of get-tough measures that Justice rarely uses against actual hackers because, well, because it can’t catch most actual hackers.

But that doesn’t mean the amendment would have no effect.  Because, like the CFAA, RICO creates a private cause of action against RICO violators.  Actually it’s not just a private cause of action.  It’s a bonanza. Plaintiffs can recover treble damages plus attorney’s fees by bringing suit against “racketeers.” And what do you know, just like CFAA civil suits, it turns out that most RICO civil suits have been brought against ordinary businessmen, “rather than against the archetypal, intimidating mobster,” according to the Supreme Court.

The Supreme Court and Congress have struggled for decades to curb abuses of civil RICO.  Now, almost casually, the Justice Department proposes to open another can of RICO liability for unintended defendants.

How would that happen?  First, treble damages under civil RICO can be claimed by any person “injured in his business or property by reason of” a RICO violation.  18 U.S.C. § 1964(c).  A violation of RICO occurs, inter alia, when a “person employed by or associated with any enterprise engaged in” interstate or foreign commerce participates, “directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity.”  (Sorry for the dense language; it may help to parse the language by thinking of a mobster who acquires partial ownership of a legitimate “enterprise” through threats of violence. He would be squarely covered by the provision, as long as he committed a pattern of racketeering activity — that is, more than one predicate crime.  But the words will sweep in far more conduct than classic mobster tactics, especially if Justice gets its way and violating the CFAA becomes a predicate offense.)

Pulling these elements together, let’s look at what the Justice Department’s proposal would mean for some of the unnecessary federal litigation now being brought under the CFAA.  We can start with the employer lawsuits against departing employees.  Employers who want to turn their CFAA claims into much more potent RICO claims would have to show that the departing employee committed two CFAA violations, which should be easy, since every unauthorized download is a new offense.  And, they’d have to show that they were injured in their business by reason of the racketeering; this they can do by showing the same damages that supported the CFAA case.  In short, on a quick look, the Justice Department seems to have created a massive incentive for companies to sue departing employees, and perhaps the companies they join, as racketeers.  Anyone who has a plausible CFAA case today will have a plausible RICO case once Justice gets its amendment.

Okay, another one: How about CDT’s favorite case – the pregnant worker accused of a CFAA violation because of excessive Internet use?  Well, she probably violated the rule on Internet use more than once, which makes for a pattern of racketeering, and she’s employed by an enterprise, in whose affairs she participated by misusing its computers.  The enterprise has been injured, too, by virtue of not getting her full attention at work.  What do you know? She sounds like a racketeer too!  It would be malpractice not to hit her with a counterclaim for treble damages and attorneys’ fees.

(At this point, you may be wondering why the Obama administration, of all administrations, wants to give employers even heavier litigation weapons to use against their employees. Beats me.  Maybe it has something to do with trial lawyers.  Maybe it’s just prosecutorial myopia.  James Baker’s testimony doesn’t even acknowledge the issue.)

OK, let’s try a harder problem.  You’re a copyright holder — Jon Stewart, say — and you’d like faster takedowns and more respect from YouTube.  Posting copyrighted material on YouTube is a violation of law and can lead to termination of your YouTube account.  The Lori Drew case tells us that the people who post clips in violation of that policy are using YouTube’s computers “in excess of authorization.” That’s a CFAA violation.  Do it twice and it becomes a pattern of racketeering, at least if Justice gets its way.  Now, the people doing the posting aren’t employees of YouTube, but they are “associated with” the YouTube enterprise, and they are participating indirectly in the conduct of YouTube’s affairs by virtue of their shocking CFAA violations.  What’s more, the Daily Show can claim injury in its business because it has lost viewers and ad revenue.  Presto!  Another racketeer takes the fall.  Maybe they’ll name YouTube’s parent, Google, as a co-conspirator just to keep it on its toes.

Oh, and what about you, dear reader?  Have you ever violated the terms of service on a website?  Hell, have you ever read them?  C’mon, I’ve seen the comments on my privacy and TSA posts. Are you sure yours didn’t violate the site’s proscription on “abusive or denigrating comments”?  Cause if you did it twice, that’s a predicate, and VC is an interstate enterprise that you are associated with and in whose affairs you are participating by virtue of your appalling violations of the terms of use and thus of the CFAA.  Best of all, VC has what strikes me as a pretty upscale readership.  Treble damages and attorney’s fees would go a long way toward finally monetizing my blogging habit.

(Had you going there, huh?  Actually, as far as I know, VC doesn’t have any terms of use for commenters, so fire away. You’re safe.)

I’m not a RICO lawyer, thank God, so maybe I’m oversimplifying what it takes to make out a civil RICO suit.  But, what the hell, the lawyers representing departing or pregnant employees aren’t RICO lawyers either.  If the claim against them is plausible on its face, they will face overwhelming pressure to settle, quite possibly by abandoning good claims, especially if their next employer is dragged in as a co-conspirator.  Ditto for the YouTube uploaders.

And in exchange for all this uncertainty and injustice, what benefit can we expect in fighting actual criminals?  About as much as we’ve gotten from the CFAA’s private right of action, which is nothing, and from RICO’s private right of action, which is less than nothing.

This is Hamburger Helper with a dose of cyanide.

Rat poison

UPDATE: Clarified with a reference to Google’s ownership of YouTube

Photo credits:

http://www.flickr.com/photos/arkangl/with/4709166389/

http://www.flickr.com/photos/like_the_grand_canyon/3853938360/lightbox/

I’m trying to identify the law schools that offer courses in Computer Crime Law — a course which may also be called “Cybercrime,” “Cybercrime Law,” or “Internet Crime Law.” It can be either a seminar or a full class, but I am looking for courses that are focused on the criminal law aspects of Internet/computer/cyber law rather than survey courses in computer law that dabble in some criminal-law issues. To start somewhere, I looked at the Top 10 schools according to the latest U.S. News. Of those ten, I identified seven schools that offer the course:

Harvard
Stanford
Columbia
Chicago
Penn
Berkeley
Virginia

I also know that Yale once offered the course, when now-Acting Solicitor General Neal Katyal taught it as a visiting professor a few years ago, but I don’t know if it has been offered since. As far as I can tell from their websites, neither NYU nor Michigan offers the course.

Here’s the question for which I need your help: What other law schools offer the course, either regularly or semi-regularly? I can think of a few examples off the top of my head based on professors I know who teach it — such as Colorado, North Carolina, Georgetown, Dayton, Widener, and of course, GW — but I really need help identifying other schools that offer it. If you took such a class, or you know it is offered at your school, please post a comment or send me an e-mail (okerr at law.gwu.edu). Thanks!

P.S. Some readers may remember that I asked this question a few years ago, but my sense is that many course offerings have changed since then.

What is a “Computer”?

Certainly a cell phone counts, the Eighth Circuit correctly concludes, at least when it comes to the definition of “computer” in 18 U.S.C. 1030(e)(1) of the Computer Fraud and Abuse Act.   Hat tip: FourthAmendment.com

Last week, the Eleventh Circuit decided an important case, United States v. Rodriguez, on the computer crime statute known as the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The decision by Judge Pryor touches on the same issue that was in play in the Lori Drew case: When does violating express conditions on computer use constitute a crime? The court’s conclusion seems right on its specific facts, but I worry that it will be construed as adopting a very broad theory that would be quite troubling. So I want to introduce the legal issue, then talk about the Rodriguez case, and then return to the legal issue and talk about how it might apply going forward.

I. The Prohibition on Unauthorized Access

First, some context. Federal law makes it a crime to “exceed authorized access” to a “protected computer” and thereby obtain “information.” 18 U.S.C. 1030(a)(2)(C). Essentially everything on the planet Earth that contains a microchip is a “protected computer”; any data at all counts as “information”; and merely reading information counts as “obtaining” it. As a result, whenever you’re using a computer, the line between computer use that is legal and computer use that can have you arrested and thrown in jail hinges almost entirely on what makes computer use “exceed authorized access.”

The phrase “exceed authorized access” is a defined phrase, but unfortunately the definition is circular. According to 18 U.S.C. 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” That’s not a very helpful definition, if you think about it. Entitlement and authorization mean the same thing. As a result, the definition just says that you exceed authorized access when you have authorization but then you, well, exceed it, by doing something you’re not authorized to do. Gee, thanks. The missing aspect of the definition is what principle governs authorization (or entitlement, if you prefer). Is it just the computer owner’s say so? Does it require the computer owner to put up some sort of password gate that limits authorization? How do you know what you’re entitled to do for purposes of the criminal law?

This is a really hard question, I think. To see why it’s hard, consider the following eight scenarios. Specifically, consider which of the people in these scenarios “exceeded authorized access” to a computer in violation of federal law:

1) A government employee who has access to a sensitive national security database that he is only permitted to use for official reasons instead uses the database in order to collect private data and sell it to the Chinese government.
2) A Social Security Administration employee who has access to a Social Security database that he is only permitted to use for official reasons instead uses the database just to check out private information on friends and others for purely personal reasons.
3) An associate of a consulting company who is told that he can only access his employer’s computer files for work-related reasons instead looks through the employer’s files because he is thinking of leaving to start a competitor business and is looking for ideas of future clients and services.
4) A city employee who is told that he can only access the city’s computer for work-related reasons instead spends five minutes a day surfing the Internet for pornography.
5) A mother who signs up for a MySpace account that the Terms of Service condition on being entirely truthful in setting up a profile instead lies on the profile and uses the MySpace account anyway.
6) A law student who is forbidden by law school policy to access the law school network during class decides to do so anyway to check his e-mail during a particularly boring lecture.
7) The New York Times reports that there is a website set up at www.dontvisitthiswebsite.com that has some incredible pictures posted. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. A reader of the Times wants to see the pictures anyway and visits the website from his home Internet connection.
8) The Volokh Conspiracy announces a new rule that you are only allowed to visit the blog if your goal in doing so is to further libertarianism. Someone visits the blog to post comments criticizing libertarianism.

So which of these eight scenarios violate the federal criminal law prohibiting exceeding authorized access to a computer? In my experience, almost everyone says that the first scenario does. Most say that the second does, too. Scenarios #3, #4, and #5 draw a mixed reaction. Finally, most people think #6 isn’t a crime, and pretty much everyone agrees it would be utterly ridiculous for #7 or #8 to be a crime.

The problem is that the statute doesn’t provide an obvious way to get to these intuitive results. The intuitive results are based on intuitions of harm. We instinctively think that harmful things should be a crime, while entirely innocuous things shouldn’t be. But the prohibition on unauthorized access does not include a harm element. The statute prohibits exceeding authorized access in the model of a trespass statute, not exceeding authorized access in a way that is likely to cause a lot of harm. (Harm matters to get to the felony provisions, but not the misdemeanor provisions.) All eight scenarios listed above are variations on the same basic theme: In each case, the person was told by the owner/operator of the computer that they were not permitted to use the computer in that way or for that reason — but they did so anyway. All of which raises a profoundly important question: What principle governs when the announced restrictions on using a computer trigger criminal liability?

II. United States v. Rodriguez

The new case, United States v. Rodriguez, involved Scenario #2. Rodriguez was a Social Security Administration employee who used the SSA computers for purely personal reasons. The opinion explains:

From 1995 to 2009, Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions of the general public about social security benefits over the telephone. As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.

The Administration established a policy that prohibits an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases. From 2006 to 2008, Rodriguez refused to sign the acknowledgment forms. He asked a supervisor rhetorically, “Why give the government rope to hang me?” To monitor access and prevent unauthorized use, the Administration issued unique personal identification numbers and passwords to each TeleService employee and reviewed usage of the databases.

Continue reading ‘Eleventh Circuit Holds That It is a Federal Crime For an Employee To Use His Employer’s Computer For “Non Business Reasons” After Receiving Clear Instruction From Employer Not to Do So’ »

From the Detroit Free Press:

Oakland County prosecutors, relying on a Michigan statute typically used to prosecute crimes such as identity theft or stealing trade secrets, have charged Leon Walker, 33, with a felony after he logged onto a laptop in the home he shared with his wife, Clara Walker.

Using her password, he accessed her Gmail account and learned she was having an affair. He now is facing a Feb. 7 trial. She filed for divorce, which was finalized earlier this month.

Legal experts say it’s the first time the statute has been used in a domestic case, and it might be hard to prove….

Frederick Lane, a Vermont attorney and nationally recognized expert who has published five books on electronic privacy[, said that t]he fact that the two still were living together, and that Leon Walker had routine access to the computer, may help him …..

“I would guess there is enough gray area to suggest that she could not have an absolute expectation of privacy,” he said.

The Michigan statute provides, in relevant part,

A person shall not intentionally and without authorization or by exceeding valid authorization … [a]ccess or cause access to be made to a computer program, computer, computer system, or computer network to acquire, alter, damage, delete, or destroy property or otherwise use the service of a computer program, computer, computer system, or computer network.

In principle, it’s just as illegal for a husband to access his wife’s e-mail without permission as it is for him to access someone else’s e-mail without permission. The question is whether the wife had expressly or implicitly authorized the husband to access her e-mail. If she hadn’t, then I suspect the husband’s behavior would violate the statute, because it involves access to Google’s computers in a way that exceeds the husband’s authorization — we are all allowed to access Google’s computers through our Gmail accounts, through Google searches, and so on, but not through the Gmail account of another person without that person’s authorization. That result might not be completely obvious from the statutory text, partly because the statute speaks in terms of unauthorized access to computers (likely because it was enacted in 1979), and not unauthorized access to data; things would be clearer if the statute specifically barred access to data on a computer without the authorization of the person who is properly considered the owner of the data. But as I understand it, statutes such as the Michigan one have generally been read to cover such unauthorized access to others’ e-mails on third-party computers.

I’m going to leave it to Co-Conspirator Stewart and other cybersecurity legal experts to discuss the legal issues, but regarding the recent Stuxnet worm that Iran reports infected its computers and, we are told, particularly its nuclear program, the New York Times says

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

The final version of my latest article, Ex Ante Regulation of Computer Search and Seizure, 96 Va. L. Rev. 1241 (2010), has now been posted on the Virginia Law Review‘s website.

The case is Facebook, Inc. v. Power Ventures, Inc., 2010 WL 3291750 (N.D. Cal 2010) (Ware, J.), handed down July 20. It’s largely a replay of the legal issues raised by the Lori Drew case but under the California computer crime statute, Cal. Penal Code Sec. 502. In the case, Facebook sued a company (Power Ventures) for having accessed Facebook in ways that are prohibited by Facebook’s Terms of Use. Facebook argued that the Terms of Use violation violated the state statute, which punishes one who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network.” The Electronic Frontier Foundation filed an amicus brief arguing that the court had to construe the state statute narrowly to exclude TOU violations under the void for vagueness doctrine. The District Court agreed, and held that the statute is violated only when some sort of technical barrier is breached. The court’s analysis after the jump:

Continue reading ‘District Court Adopts “Technical Barriers” Approach to California Computer Crime Law’ »

Jack Goldsmith on Cyber War

This week’s The New Republic features a cover story by Harvard Law School’s Jack Goldsmith on cyberwar.  (June 24, 2010.)  It’s a long, serious review essay, using Richard A. Clarke and Robert K. Knake’s new book, Cyber War, as the hook.  But Jack goes well beyond a book review into the rapidly expanding literature on the subject – expanding across technical computer science and engineering, software, security, strategic, and legal lines.  It is terrifically well written and intelligent, and I strongly recommend it (full disclosure: I haven’t read the book under review) – whether you know the field or are looking to get an overview of it.  One thing is clear: it is not going away.

Years ago I decided my inner geek comparative advantage was in robotics, but I read this essay with particular attention to its discussion of complexity of systems, and just how hard it is to get a handle on cyber systems, and their diffuse, distributed natures:

Many factors make computer systems vulnerable, but the most fundamental factor is their extraordinary complexity. Most computers connected to the Internet are general-purpose machines designed to perform multiple tasks. The operating-system software that manages these tasks–as well as the computer’s relationship to the user–typically has tens of millions, and sometimes more than one hundred million, lines of operating instructions, or code. It is practically impossible to identify and to analyze all the different ways these lines of code can interact or might fail to operate as expected. And when the operating-system software interfaces with computer processors, various software applications, Web browsers, and the endless and endlessly complex pieces of hardware and software that constitute the computer and telecommunications networks that make up the Internet, the potential for unforeseen mistakes or failures becomes unfathomably large.

The complexity of computer systems often leads to accidental mistakes or failures. We have all suffered computer crashes, and sometimes these crashes cause serious problems. Last year the Internet in Germany and Sweden went down for several hours due to errors in the domain name system that identifies computers on the Internet. In January of this year, a software problem in the Pentagon’s global positioning system network prevented the Air Force from locking onto satellite signals on which they depend for many tasks. The accident on the Washington Metro last summer, which killed nine people and injured dozens, was probably caused by a malfunction in the computer system that controls train movements. Three years ago, six stealth F-22 Raptor jets on their maiden flights were barely able to return to base when their onboard computers crashed.

The same complexity that leads to such malfunctions also creates vulnerabilities that human agents can use to make computer systems operate in unintended ways. Such cyber threats come in two forms. A cyber attack is an act that alters, degrades, or destroys adversary computer systems or the information in or transiting through those systems. Cyber attacks are disruptive activities. Examples include the manipulation of a computer system to take over an electricity grid, or to block military communications, or to scramble or erase banking data. Cyber exploitations, by contrast, involve no disruption, but merely monitoring and related espionage on computer systems, as well as the copying of data that is on those systems. Examples include the theft of credit card information, trade secrets, health records, or weapons software, and the interception of vital business, military, and intelligence communications.

This drew my attention in part because of my interest in complexity and complex systems interacting with one another in another part of my work – finance and financial regulation.  Duke’s Steve Schwarcz and I are doing a book on financial regulation reform, and our approach – in a field currently getting saturated with books on this very topic – is to offer pragmatic, basic heuristics, rules of thumb, really, for how financial regulation needs to be designed.  Not some super deep conceptualization, but something much more practical.

The same pragmatic assessment applies to diagnosing What Went Wrong, so to speak, in financial regulation.  We have settled on the three homely, but still useful, categories of complexity, complacency, and conflicts (cupidity we take for granted).  They’re useful because they’re homely.  Complexity hides conflicts that undermine basic duties of loyalty, and breeds complacency that undermines basic duties of care, and they feed back into the development of more complexity.  They stoke each other.

Professor Schwarcz has a Washington University Law Review paper on the issue of regulating complexity in finance and financial regulation, from which we are drawing for the book.  I recommend it, partly for those interested in financial regulation issues and complexity – but I also recommend it as a way of thinking comparatively about complexity in other settings that cross-weave technological and legal-regulatory divides.

Defense attorney and blogger Rick Horowitz has posted an extended two-part response to my new law review article, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stan. L. Rev. 1005 (2010). His posts are here:

1. Orin Kerr’s Fourth Amendment & The Internet: Foundations

2. What’s Wrong With Orin Kerr’s Technology Neutrality

Horowitz’s major objection to my approach is that he opposes “technology neutrality” as a basic principle of applying the Fourth Amendment to the Internet. As I explain in my article, the basic goal of technology neutrality is to develop Fourth Amendment principles that roughly replicate the function of the Fourth Amendment offline in the online environment. Put simply, the Fourth Amendment should do for cyberspace what it does for realspace.

Horowitz disagrees. In his view, the Supreme Court has gotten the Fourth Amendment horribly wrong in realspace: Its protections are not nearly as strong as they should be, reflecting decades’ worth of constitutional mistakes. He argues that the goal of applying the Fourth Amendment should be to be true to the real Fourth Amendment, which (as best I can tell) he sees as imposing a warrant requirement for essentially every step the government takes, a position he sees rooted in the Fourth Amendment’s textual protection of the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, [which] shall not be violated.” Horowitz writes:

Ultimately, the problem with keeping the Constitution — and thus the Fourth Amendment — alive today is not to extend some near-dead version of it to what is believed to be another new and necessary arena of governmental intrusion into the lives of the citizens whose liberties it was formed to protect, but to recognize that the damn thing is barely holding onto life as it is, and to revitalize it.

Kerr’s suggested approach fails to recognize this. Kerr’s constitutional amnesia assumes there is nothing wrong with the destruction of the Fourth Amendment — in fact, he does not even recognize it has been destroyed. Instead, he ratifies its wounds and suggests furthering the damage by extending its lack of protection to a new arena.

In response, I think Horowitz’s argument is less about applying the Fourth Amendment to the Internet than it is about the different question of applying the Fourth Amendment in the initial case of the physical world. As a result, I’m not sure my article and his response are necessarily in conflict.

That may sound weird at first. Certainly, if you read Horowitz’s posts, it sounds like his views conflict with those in my article. But my article is really about the conceptual problem of translating privacy rules developed for physical space to a communications network. The key issue is how you make the physical-space-to-communications-network conversion. I’m really not that concerned in this article with what the particular rules are that are being translated. If you want to change those rules, I could change a few pages of the article just to adjust. The article would otherwise be the same.

At bottom, I think Horowitz and I are interested in two very different questions. I’m interested in developing a theory of applying the Fourth Amendment in response to changing technology, and then applying that theory to the new case of the Internet. In contrast, Horowitz is interested in using the unanswered question of how the Fourth Amendment applies to the Internet to establish a sort of beachhead for how he thinks the Fourth Amendment should be applied. Given those two very different goals, it’s not surprising that we look at the issues so differently.

It appears that an Apple employee with a top-secret next-generation iPhone prototype lost the phone at a bar.

The folks at Gizmodo paid $5,000 to get the phone from the guy who recovered it. They then disassembled the phone to see what made it tick before contacting Apple to have Apple request the return of the phone (and thereby confirm that the phone is indeed an iPhone prototype).

The result is a major news story, with tons of people going to the Gizmodo site to see what the new iPhone will look like and what features it has, long before Apple is ready to make that information public.

It’s exam season at law schools around the country, so for today’s exam, analyze whether this stunt violated the federal Economic Espionage Act, 18 U.S.C. 1832; the Computer Fraud and Abuse Act, 18 U.S.C. 1030, or California’s computer crime statute, Penal Code Section 502.

I’m pleased to say that the final version of my latest law review article is now online: Applying the Fourth Amendment to the Internet: A General Approach, 62 Stan. L. Rev. 1005 (2010). The abstract:

This Article offers a general framework for applying the Fourth Amendment to the Internet. It assumes that courts will seek a technology-neutral translation of Fourth Amendment principles from physical space to cyberspace, and it considers what new distinctions in the online setting can reflect the function of Fourth Amendment protections designed for the physical world. It reaches two major conclusions. First, the traditional physical distinction between inside and outside should be replaced with the online distinction between content and non-content information. Second, courts should require a search warrant that is particularized to individuals rather than Internet accounts to collect the contents of protected Internet communications. These two principles point the way to a technology-neutral translation of the Fourth Amendment from physical space to cyberspace.

I wrote about the dispute on Wednesday. I commented at the time:

This is big news, and not just because it was mentioned on the Drudge Report. DOJ and some of the ISPs have been disagreeing about this issue quietly for years. What makes this case unusual is that the two sides have decided to litigate it in open court. Assuming the parties are litigating this for keeps, it should at least work its way up to the Tenth Circuit. Further, the decision might very well create a split or invalidate a federal statute in a way that prompts Supreme Court review. So stay tuned: This is an important case to watch.

Scratch that. Today DOJ pulled the plug on its motion to compel, ending the dispute rather than litigating it. Rats! This issue has been a major question mark for at least a dozen years, and it’s high time the courts provided a definitive answer to it. Anyway, I hope the ISPs will continue to challenge the issue and that we’ll get a definitive ruling eventually. (C’mon, DOJ, what are ya, chicken? ;-))

There’s an important e-mail privacy dispute brewing in Colorado: DOJ and Yahoo are clashing in court over the ground that the Ninth Circuit covered in its very weird opinion in Theofel v. Farey-Jones (2004), namely whether the federal privacy law known as the Stored Communications Act allows the government to compel opened e-mail from an ISP with less process than a probable cause warrant. You can find Declan McCullagh’s news report here, and the briefs here.

This is big news, and not just because it was mentioned on the Drudge Report. DOJ and some of the ISPs have been disagreeing about this issue quietly for years. What makes this case unusual is that the two sides have decided to litigate it in open court. Assuming the parties are litigating this for keeps, it should at least work its way up to the Tenth Circuit. Further, the decision might very well create a split or invalidate a federal statute in a way that prompts Supreme Court review. So stay tuned: This is an important case to watch.

My own view on the law here is a bit nuanced. On one hand, I think Theofel was wrong as a matter of statutory construction. The statute does in fact allow DOJ to compel the opened e-mail with less than a warrant, for reasons explored in this article. On the other hand, I think that it will usually violate the Fourth Amendment to compel e-mail with less than a warrant, so the statute that allows this is unconstitutional, for reasons explored in this article. (The final version of the article, out in a week or two, has a more detailed analysis of the unconstitutionality of this aspect of the statute than did the draft of it.) So I think DOJ is right as a matter of statutory interpretation, but Yahoo is right about the Constitution.

“Yes,” says Judge Maurice Paul in United States v. Durdley, 2010 WL 916107 (N.D. Fla. 2010), handed down on March 11. I haven’t seen any cases quite like this, but I tend to think the decision is wrong. In this post, I wanted to explain the decision and then say why I find its reasoning rather unpersuasive.

Durdley was an emergency paramedic for the local county who was at work using a shared computer. When he was done using the shared computer, he forgot to take away the thumb drive he had attached to one of the computer’s USB ports. Later on, a captain of the paramedic team named Johnson was using the computer and saw the thumb drive attached. Johnson decided to see what was on the thumb drive, so he double-clicked on the “my computer” icon, double-clicked on the thumb drive icon to see the list of files, and then double-clicked on some files to see what they contained. Johnson found child pornography files on the thumb drive, leading to charges against Durdley.

The district court held that attaching the thumb drive to the USB port of a shared computer waived a reasonable expectation of privacy in the contents:

In the instant case it is undisputed that Durdley inadvertently shared his files with all the users of the public computer. Durdley’s files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files (such as Windows Explorer and the My Computer icon). Johnson encountered the files without employing any special means or intruding into any area which Durdley could reasonably expect to remain private once he left the drive attached to the common-use computer. The Court concludes, therefore, that Mr. Durdley had no . . . reasonable expectation of privacy in the contents of the thumb drive once he attached it to the common-use computer[.]

The Court was persuaded by the analogy between Durdley’s case and United States v. King, 509 F.3d 1338, 1341-42 (11th Cir. 2007), in which King placed a file into his “shared drive” on a laptop that was connected to the network of a military base used by thousands of people. Another user of the network was looking for music files on the network and saw the file on King’s shared drive. The file turned out to be child pornography, leading to charges against King. The Eleventh Circuit ruled that King did not have a reasonable expectation of privacy in the files he had placed in his shared drive connected to the network:

It is undisputed that King’s files were “shared” over the entire base network, and that everyone on the network had access to all of his files and could observe them in exactly the same manner as the computer specialist did. As the district court observed, rather than analyzing the military official’s actions as a search of King’s personal computer in his private dorm room, it is more accurate to say that the authorities conducted a search of the military network, and King’s computer files were a part of that network. King’s files were exposed to thousands of individuals with network access, and the military authorities encountered the files without employing any special means or intruding into any area which King could reasonably expect would remain private. The contents of his computer’s hard drive were akin to items stored in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public.

In Durdley, the district court ruled that Durdley’s case was just like King:

King accidentally allowed others to have access to his files. Instead of leaving a thumb drive accidentally plugged in to a physical computer tower, King left a folder accidentally “plugged in” to a computer network, by failing to turn off sharing for that folder.

In the instant case it is undisputed that Durdley inadvertently shared his files with all the users of the public computer. Durdley’s files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files (such as Windows Explorer and the My Computer icon). Johnson encountered the files without employing any special means or intruding into any area which Durdley could reasonably expect to remain private once he left the drive attached to the common-use computer. The Court concludes, therefore, that Mr. Durdley had no more reasonable expectation of privacy in the contents of the thumb drive once he attached it to the common-use computer than the defendant in King did in his drive once he attached it to the airbase network.

I tend to think that King is right and Durdley is wrong. The operating principle here is that effectively exposing information to the public, based on prevailing social norms, eliminates any Fourth Amendment reasonable expectation of privacy in that information. I can see that in King. When you put a file in a place that is understood to make it shared with others, and you connect to a network with thousands of other users, you are effectively exposing that file to the public.

But I think that’s different from leaving a thumb drive in the USB port of a shared computer in two critical ways. First, it seems that the only person who could access the files on the thumb drive was the one other person who happened to sit down to use that particular computer. It’s hard to see exposure to one person as the same as exposure to the public. And I don’t think there were any facts in the record as to how often the shared computers were used, either.

Second, I think the social norm is that when you see a private person’s thumb drive on a shared-use computer, it’s understood that you’re invading that person’s privacy if you start clicking around to see what the files are. It’s kind of like someone leaving their luggage in the waiting room of a bus station. If the owner leaves the luggage behind for some reason, no one would see that as a waiver of privacy rights in the luggage or an invitation to unzip the luggage and look around.

To be clear, it usually won’t violate the Fourth Amendment for another government employee to click through a government employee’s thumb drive connected to a shared work computer. If the search is a reasonable work-related search, no warrant is required under O’Connor v. Ortega. But that’s a separate question, of whether the search is reasonable or unreasonable. In contrast, the court here ruled that Johnson’s double-clicking on the thumb drive files wasn’t a search at all.

UPDATE: It occurs to me that the answer in this case may hinge on whether you see this case as involving a private sector workplace or a public sector workplace. If it’s a private sector workplace, the operating Fourth Amendment principle is the one I stated: effectively exposing information to the public, based on prevailing social norms, eliminates any Fourth Amendment reasonable expectation of privacy in that information. On the other hand, if you see the case as a government workplace search case, then the operating Fourth Amendment principle is different: As I explained here, in that setting, sharing the space with another government employee eliminates Fourth Amendment protection in that information. In that case, I think it would be fair to say that connecting the thumb drive to the shared computer does share the space. This post treated the case as a private workplace case because the opinion treats it that way, but I think that question may make all the difference in the right answer.