Archive | Cyberspace Law

Brady Campaign Lawsuit Against Armslist Dismissed

The decision is Vesely v. Armslist, LLC (N.D. Ill. July 29, 2013) (thanks to the Media Law Resource Center for the pointer). Here’s the Brady Campaign’s theory:

On April 13, 2011, Jitka Vesel, a 36-year-old immigrant from the Czech Republic was shot and killed by Demetry Smirnov, a Russian immigrant residing in Canada who had met Jitka online a few years earlier. Smirnov stalked her to her workplace parking lot where he shot her 11-12 times with a .40-caliber handgun….

The complaint alleges that [Smirnov] illegally purchased from a private seller whom he located through, an online gun auction site owned by defendant Armslist, LLC. The complaint alleges that the website’s design facilitates illegal gun sales to unlawful gun buyers with no background checks and no questions asked, and encourages and enables users to evade laws that allow private sellers to sell firearms only to residents of their own state by enticing prospective buyers to search for and find gun sellers throughout all 50 states….

I argued when the lawsuit was filed that it was preempted by 47 U.S.C. § 230, which generally bars lawsuits against Web sites for material posted by their users. I still think that’s so, but the court didn’t reach that theory, because it concluded that the lawsuit was unfounded under Illinois tort law. A key excerpt (paragraph break added):

To determine whether a duty exists, in light of public policy, the Court considers four factors: “(1) the reasonable foreseeability of the injury; (2) the likelihood of the injury; (3) the magnitude of the burden of guarding against the injury; and (4) the consequences of placing that burden on the defendant.” City of Chi. v. Beretta U.S.A. Corp., 821 N.E. 2d 1099, 1125 (Ill. 2004) (citing Bajwa v. Metro. Life Ins. Co., 804 N.E.2d


I Should Not Have Opined About Facebook’s TOS and its Relationship to the CFAA

Some commenters on Stewart Baker’s, Orin Kerr’s, and my own recent posts on the Obama 2012 campaign’s possible violation of the Computer Fraud and Abuse Act argue that, even if the CFAA does criminalize use of websites in violation of their terms of service, the Obama campaign did not in fact violate Facebook’s TOS, as argued by cyberlaw expert Michael Vatis. The point at issue, as I now understand it, is that FB may have different terms of access for apps as opposed to individuals, and that the Obama campaign’s intervention may have been limited to the former.

The main point of my post was not to argue this issue, but to note that even if the Obama campaign did violate the CFAA, the violation 1) did not determine the outcome of the election, and 2) should not be prosecuted. At the same time, I did say in an update that I thought Vatis’ analysis was correct, and I did implicitly endorse his conclusions elsewhere in the post. At this point, I’m not sure whether Vatis is right or whether his critics in the VC commentariat are. But I do know enough to say that there is a serious debate here, and that I should not have opined on it given my own lack of relevant knowledge. I’m not a cyberlaw specialist. And – although I use Facebook extensively – I don’t pay much attention to its TOS because I don’t think it’s likely to pose a problem for any of my uses of the site. My initial judgment was based on deference to Vatis’ expertise, combined with the fact that he is a former Clinton administration official and not likely to err on this subject out of hostility to Obama. Deference to expert opinion is often [...]


What (Legally) Happens to Our Social Media Accounts When We Die?

Not all legal scholarship is irrelevant twaddle; some of it addresses emerging legal questions that will indeed require answers in the real world. This student Comment, “What Happens to Our Facebook Accounts When We Die?: Probate Versus Policy and the Fate of Social-Media Assets Postmortem,” by Kristina Sherry, appears in the December 2012 Pepperdine Law Review (40 Pepp. L. Rev. 185 (2012)). Given how much commerce now takes place through social media – Facebook, LinkedIn, Twitter, etc. – the legal questions are not just about dear old Mom or Dad and their photos of the grandkids (though those personal accounts also raise issues). Here is the abstract (HT @GregoryMcNeal, via … Twitter):

More than 580,000 Facebook users in the U.S. will die this year, raising numerous legal questions as to the disposition of their Facebook pages and similar “digital assets” left in a state of legal limbo.  While access to and ownership of decedents’ email accounts has been philosophized for nearly a decade, this Comment focuses on the additional legal uncertainties posed by “digital death” in the more amorphous realm of “social media.” Part II explores the implications of digital death by conceptualizing digital assets and surveying the underlying legal principles of contractual policies, probate, property, and privacy concerns. Part III surveys current law surrounding digital death, emphasizing a 2010 Oklahoma statute granting executors and administrators power over decedents’ “social networking” accounts. Parts III and IV consider what the current state of the law means for individuals facing death (i.e. everyone) as social media interacts with both (1) probate law and (2) social-media services’ policies as reflected in their terms of service. Part V explores how the law and proposed solutions may address the salient policy goals of honoring decedents’ postmortem wishes while meanwhile respecting privacy; preserving digital assets; and


The Hacker Protection Act of 2012

The latest draft cybersecurity bill contains information sharing provisions that were heavily negotiated between the Obama administration and privacy groups. This effort at compromise has yielded the usual ambiguous praise from privacy groups. The Electronic Frontier Foundation pronounced itself “pleased” but then complained that the measure still “contains broad language around the ability for companies to use security as a reason to partake in ‘nearly unlimited’ data monitoring of users.”

In fact, the privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity.  And it may actually impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.

It’s worth remembering why the information sharing provisions are necessary. The reason is that, with the support of privacy groups in years past, Congress prohibited many companies from sharing customer information with the government in the absence of a subpoena. Congress also authorized states to adopt “two-party consent” restrictions on interception of communications. In an age of widespread network intrusions, both of these laws have the effect of protecting hackers and spies.

How so? Controlling spearphishing requires that incoming packets be monitored for malware; and that in turn means intercepting the communications. Since it’s unlikely the attacker who is sending malware will consent to such monitoring, this monitoring creates legal risks in two-party consent states. Similarly, unless private companies can tell the government in real time which of their customers are sending malware, the government cannot protect itself. All of the bills pending in Congress override these poorly conceived and overbroad privacy provisions.

Privacy groups don’t like to be reminded that privacy laws they supported are now protecting bad guys, so it’s no surprise that they aren’t comfortable with the new [...]


Viacom v Youtube Decision – Not as Bad as All That

The Second Circuit has finally released its long-awaited decision in the appeal of the Viacom v. Youtube lawsuit, about which I’ve blogged a great deal [starting here, here, here, and here]  over the past couple of years.  Viacom “won” — in that they got the reversal of the district court’s comprehensive judgment in YouTube’s favor — but notwithstanding the considerable hand-wringing already underway about how terrible a result this is, I’m here to tell you:  It ain’t so bad.  In fact, I think it’s a pretty sensible opinion that clarifies the law surrounding service provider immunity in some very helpful ways and, most importantly, does no significant damage at all to the underlying immunity principles that have been so profoundly important for the development of the Net over the past decade.

Here are some of the key points.   [my emphasis throughout] [My apologies if you’re unfamiliar with the basic layout of the case — see the above links for the basic background]

1. “[A] finding of safe harbor application necessarily protects a defendant from all affirmative claims for monetary relief.”

That’s good — Viacom and allies had argued that the 512 immunities don’t cover any claims for contributory infringement, vicarious infringement, or inducement of infringement. It was an odd theory, and the court shoots it down, correctly, in no uncertain terms.

2. “[T]he ‘right and ability to control’ infringing activity under § 512(c)(1)(B) requires something more than the ability to remove or block access to materials posted on a service provider’s website.”

That’s good, too.  The statute says a service provider is not immune from claims if it has the “right and ability to control” the infringing conduct (and derives a “financial benefit” from the infringements).  Viacom advanced a plausible argument that, because YouTube (and [...]


Viewpoint Discrimination in K-12 School Library Filtering

As I’ve said before, the Supreme Court has never decided whether K-12 schools may remove books from school libraries based on their viewpoints, or may filter out Web sites based on their viewpoints. The Court’s cases dealing with this question, Board of Ed. v. Pico and U.S. v. American Library Ass’n were badly splintered and provided basically no majority on the subject.

Pico, for instance, split 4-4 on the book removal issue, with the deciding vote (Justice White) expressing no opinion and sending the case down for more factfinding. (“The plurality seems compelled to go further and issue a dissertation on the extent to which the First Amendment limits the discretion of the school board to remove books from the school library. I see no necessity for doing so at this point. When findings of fact and conclusions of law are made by the District Court, that may end the case.”) Likewise, ALA yielded no useful conclusion.

This makes yesterday’s Parents, Families & Friends of Lesbians & Gays, Inc. (PFLAG) v. Camdenton R-III School Dist. (C.D. Mo. Jan. 15, 2012) especially interesting: The court issued a preliminary injunction against a school district’s use of a filter that apparently generally filtered out pro-homosexuality sites — including ones that weren’t sexually explicit — but not anti-homosexuality sites. (“URL Blacklist systematically allows access to websites expressing a negative viewpoint toward LGBT individuals by categorizing them as ‘religion’, but filters out positive viewpoints toward LGBT issues by categorizing them as ‘sexuality’.”) The court held that government’s continued use of this filter, especially given the availability of other filters that did better both at blocking outright porn and at not blocking commentary on homosexuality, was likely viewpoint discriminatory and therefore unconstitutional, which led it to issue a preliminary injunction. The standard for issuing [...]


Testifying on Cybersecurity Legislation

The Senate’s big cybersecurity bill has finally surfaced officially, and the hearing will be tomorrow at 2:30 DC time in front of the Homeland Security and Government Affairs Committee. After Sen. Rockefeller and Sec. Napolitano, I’ll be part of a panel that includes Gov. Tom Ridge, Scott Charney of Microsoft, and Jim Lewis of the Center for Strategic and International Studies.

Here’s the first few pages of my prepared testimony. The rest is up on Skating on Stilts, for those who just have to see my take on how to draft cybersecurity emergency authorities.

Mr. Chairman, Ranking Member Collins, members of the committee, it is an honor to testify before you on such a vitally important topic. I have been concerned with cybersecurity for two decades, both in my private practice and in my public service career, as general counsel to the National Security Agency and, later, to the Robb-Silberman commission that assessed U.S. intelligence capabilities on weapons of mass destruction, and, more recently, as assistant secretary for policy at the Department of Homeland Security. In those two decades, security holes in computer networks have evolved from occasionally interesting intelligence opportunities into a full-fledged counterintelligence crisis. Today, network insecurity is not just an intelligence concern. It could easily cause the United States to lose its next serious military confrontation.

Moore’s Outlaws: The Exponential Growth of the Cybersecurity Threat

Our vulnerabilities, and their consequences, are growing at an exponential rate. We’ve all heard of Moore’s Law. What we face today, though, are Moore’s outlaws: criminals and spies whose ability to penetrate networks and to cause damage is increasing exponentially thanks to the growing complexity, vulnerability, and ubiquity of insecure networks. If we don’t do something, and soon, we will suffer network failures that dramatically change our lives and futures, [...]


Court of Appeals Approves Prosecution of Man for Reading Estranged Wife’s E-Mail Without Her Authorization

I blogged about the case a year ago, and now there’s an appellate court decision in it, People v. Walker (Mich. Ct. App. Dec. 27, 2011). An excerpt:

[T]he charge against defendant arises from his alleged unauthorized access to the password-protected email account of his estranged wife, Clara Elizabeth Walker, from July 2009 through August 2009. At the preliminary exam, Clara testified that she filed for divorce from defendant on June 5, 2009, and that defendant had been served with the divorce papers by July 2009. Clara and defendant continued to live in the same home through August 2009. During this time period, Clara had a personal email account through Gmail and another email account through Yahoo. Clara never shared her passwords for these email accounts with defendant, nor did she ever give defendant permission to access those accounts….

Clara testified that she used a computer that defendant bought her for her use. Defendant set up the computer for her, but Clara set up the Gmail and Yahoo accounts herself. Although Clara had previously written passwords in an address book, she has not used the address book for passwords in many years and never provided defendant with those passwords. Clara testified that she had never written a pass code for defendant on a sticky note, and that she allowed defendant to use her computer only when it needed a repair. Defendant had two computers of his own at home, and Clara did not know the passwords for defendant’s computers….

[D]efendant argues that the circuit court erred in denying his motion to quash the charge alleging unauthorized access of a computer, MCL 752.795….

[T]here was evidence that defendant acted without authorization when he accessed his estranged wife’s Gmail account. Defendant’s wife testified that her Gmail account was a personal


Will Jeff Bezos Bring Feudal Security to the Net?

The Kindle Fire is a remarkable innovation in the Apple mold:  taking a bunch of components that are pretty well known and combining them into a powerful new experience.  But unlike Apple, Amazon’s integrating vision isn’t visual design or even user delight.  Instead it’s far more ambitious — a new vision of the entire Internet ecosystem.

OK, let me try that again without the Valley babble. The Kindle Fire forks Android into an Amazon-designed and Amazon-controlled operating system. So far, no surprises. Amazon owns and subsidizes the hardware, too, so it can design features that integrate operating system and processor tightly. Again, nothing that Apple can’t do. But then comes the clever, almost-new idea: Fire uses its own browser, called Silk, which is designed to work with Amazon’s massive cloud computer. So instead of downloading web pages one after the other and opening them on your computer, Amazon’s cloud stores and even opens them, sending you the end result. This allows speedier downloads for a couple of reasons: Caching of popular pages (or even parts of pages) avoids download delays when the original source is overloaded; and Amazon’s cloud can handle even the most processor-intense pages instantaneously, far faster than your wheezing desktop machine. In short, your Internet experience on the Fire ought to be lightning quick.

There’s another advantage to this new vision of what might be called the Bezosnet. The Bezosnet ought to be a lot more secure. One way that hackers compromise your machine is by getting you to go to malware infected sites. Just visiting the site triggers routines that take over the visitor’s computer. But if the routine runs, not on a visitor’s computer but in a virtual environment at Amazon’s data center, the attacker’s code isn’t likely to work.

In fact, it looks to [...]


“Not Much Good Takes Place at Slumber Parties for High School Kids, and This Case Proves the Point”

So begins T.V. v. Smith-Green Community School Corp. (N.D. Ind. Aug. 10), which (1) holds that a high school violated plaintiffs’ First Amendment rights when it suspended them from the volleyball team because they had posted a raunchy video of themselves on the Internet, and (2) holds that the school’s code of conduct allowing suspensions for “act[ing] in a manner in school or out of school that brings discredit or dishonor upon yourself or your school” is unconstitutionally vague and overbroad. (Both holdings, I think, are correct, given the Court’s precedents; I briefly explain my thinking at the end of the post.) Here are the relevant facts about the speech involved:

[D]uring the summer of 2009, T.V. and M.K. were both entering the 10th grade at Churubusco High School, a public high school of approximately 400 students. Both T.V. and M.K. were members of the high school’s volleyball team, an extracurricular activity, and M.K. was also a member of the cheerleading squad, also an extracurricular activity, as well as the show choir, which is a cocurricular activity. [Obligatory Glee reference.-EV] Cocurricular activities provide for academic credit but also involve activities that take place outside the normal school day.

Try-outs for the volleyball team for the coming year would occur in July. A couple of weeks prior to the tryouts, T.V., M.K. and a number of their friends had sleepovers at M.K.’s house. Prior to the first sleepover, the girls bought phallic-shaped rainbow colored lollipops. During the first sleepover, the girls took a number of photographs of themselves sucking on the lollipops. In one, three girls are pictured and M.K. added the caption “Wanna suck on my cock.” In another photograph, a fully-clothed M.K. is sucking on one lollipop while another lollipop is positioned between her legs and a fully-clothed


Federalist Society Symposium on Cybersecurity

Last week, the Federalist Society hosted a symposium on cybersecurity that you can watch here (morning panel, focused on national security issues), here (lunch address), and here (afternoon panel, focused on business and criminal law issues).

Two VC bloggers participated in the symposium. Stewart Baker gave the lunchtime keynote address, which you can watch here:

I gave a few comments criticizing the Obama Administration’s proposals to expand the Computer Fraud and Abuse Act, which you can watch here:



E-Mail Accounts, The Warrant Requirement, and the Territorial Limits of Court Orders

My friend Jennifer Granick points me to an interesting new case, Hubbard v. Myspace (S.D.N.Y. June 1, 2011), that touches on a fascinating Fourth Amendment question: What are the territorial limits of search warrants for Fourth Amendment purposes? To be clear, the Hubbard case itself involved a statutory challenge, not a constitutional one. The plaintiff sued MySpace for complying in California with a state warrant issued in Georgia that was faxed to MySpace in California on the ground that the Stored Communications Act, 18 U.S.C. 2703, did not allow MySpace to comply with the out-of-state warrant. As a statutory claim, the argument was pretty clearly incorrect. But at the end of his opinion (p.11) Judge Kaplan touches on a really interesting issue: What about the Fourth Amendment?

Specifically, the interesting issue is this: If the Fourth Amendment imposes a warrant requirement on government access to an e-mail account, which I think it does and the Sixth Circuit has expressly so held, is the warrant requirement satisfied by an out-of-state warrant from a jurisdiction far away with no authority to actually compel compliance with the warrant? Or is the warrant requirement only satisfied by a warrant issued locally, or at least in the same state or federal district? This issue generally doesn’t come up in traditional physical investigations because the police will get a local warrant to physically search a local location, and arrests generally don’t require warrants. But warrants for e-mail accounts are unusual: The police obtain the warrant and fax it to the ISP, and the Stored Communications Act contemplates out of state warrants. ISPs usually don’t have to comply with out of state warrants, as they are out of state and not binding on them: But the question I’m interested in here is, does the out [...]


Applying the Rules of Evidence Related to Authentication to Online Sources

Evidence law has special rules that require someone who wants to introduce a document to first introduce “foundation” evidence that shows the document was indeed written by the person who supposedly wrote it; this is called “authentication.” Griffin v. State, decided by Maryland’s highest court on April 28, has an interesting discussion of how those rules play out with regard to online sources. The case itself involved the authentication of a MySpace Web page, but the discussion can apply to many other online sources as well.

Note that this is a different matter than deciding the reliability of an online source, or the admissibility in other respects of an online source (e.g., whether the source contains inadmissible hearsay). It is also a different matter than deciding the factual authenticity of the source given a dispute about the foundation evidence (e.g., if A denies that he wrote a Web page, but B testifies that he had heard A say he did write the Web page). The question is simply what factual foundation — however disputed that factual foundation might be — has to be presented before the document can even be introduced into evidence. It would then be up to the jury to resolve any factual disputes related to that foundation evidence.

Here’s the court’s discussion of some ways that a Web page such as a Myspace page can be authenticated in the legal sense, so that the site’s contents can be introduced as evidence:

The first, and perhaps most obvious method would be to ask the purported creator if she indeed created the profile and also if she added the posting in question, i.e. “[t]estimony of a witness with knowledge that the offered evidence is what it is claimed to be.” The second option may be to search the computer


Forwarding a Sentence-Long Message from a Listserv = Copyright Infringement?

So argued Kenneth M. Stern, a California lawyer; no dice, said the district court in Stern v. Does (C.D. Cal., decided Feb. 10, 2011 but just now made available on Westlaw). No dice, said the court, concluding that the message lacked the modicum of creativity required for copyright protection — because it was so short and dictated by functional considerations — and that the copying was a fair use. Both conclusions seem right to me, though the fair use conclusion is especially clear, given the utter lack of any likely effect on the value of plaintiff’s work.

In fact, the court said that the plaintiff’s claims were frivolous enough to warrant requiring plaintiff to pay attorneys’ fees — a remedy that the Copyright Act allows. (The court concluded that the defendants’ request for fees was insufficiently specific to support an immediate award, but allowed the defendants to refile their request.) The plaintiff is appealing.

Here’s an excerpt from the case, though if you’re interested in the court’s reasoning you should read the whole thing:

Plaintiff is an attorney. In September 2006, Plaintiff retained the forensic accounting firm White, Zuckerman, Warsavsky, Luna, Wolf & Hunt L.L.P. (“White Zuckerman”) to perform a mathematical calculation on behalf of one of his clients. In March 2007, after receiving a bill from White Zuckerman for this work, Plaintiff became concerned that the billed hours were excessive and that White Zuckerman had been churning his client’s file.


Is Israel Behind the Stuxnet Cyberattack on Iran?

I’m going to leave it to Co-Conspirator Stewart and other cybersecurity legal experts to discuss the legal issues, but regarding the recent Stuxnet worm that Iran reports infected its computers and, we are told, particularly its nuclear program, the New York Times says:

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.
