Password Disclosure:

News.com reports:

A popular computer security Web site was abruptly yanked offline this week by MySpace.com and GoDaddy, the world's largest domain name registrar, raising questions about free speech and Internet governance.

MySpace demanded that GoDaddy pull the plug on Seclists.org, which hosts some 250,000 pages of mailing list archives and other resources, because a list of thousands of MySpace usernames and passwords was archived on the site....

In a move that Seclists.org owner Fyodor Vaskovich said happened with no prior notice, the company [GoDaddy] deleted his domain name--causing his site to be effectively unreachable for about seven hours on Wednesday until he found out what was happening and removed the password list.

"They didn't tell me why they removed the site," Vaskovich, creator of the popular Nmap security auditing utility, said in a phone interview. "At a very minimum, we should get warning." ...

For her part, GoDaddy general counsel Christine Jones defended the abrupt deletion, saying: "We tried to contact the registrant, but they were not available at the time. To protect the MySpace users from potentially having private information revealed, we removed the site." ...

Jones and Vaskovich, however, tell substantially different versions of exactly what happened.... Vaskovich provided CNET News.com with a log of correspondence from GoDaddy that corroborates his version of the story.... GoDaddy did not immediately respond to follow-up questions....

"Some people might feel safer with a registrar that's a little more pro-customer," [Miami lawprof Michael] Froomkin said.

There's certainly an important customer service question here; but I should also note that there's an interesting underlying First Amendment question that could have arisen in another context. Several states expressly outlaw the disclosure of computer passwords, even if the disclosure is done without the intention of helping criminals (and here it seems that Vaskovich didn't intend to help criminals, though when he learned of the post he probably realized that it may have the effect of helping some criminals):

Ark. Code § 5-41-206(a). A person commits computer password disclosure [generally a misdemeanor] if the person purposely and without authorization discloses a number, code, password, or other means of access to a computer or computer network that is subsequently used to access a computer or computer network.

Ga. Code § 16-9-93(e). Any person who discloses a number, code, password, or other means of access to a computer or computer network knowing that such disclosure is without authority and which results in damages (including the fair market value of any services used and victim expenditure) to the owner of the computer or computer network in excess of $500.00 shall be guilty of the [misdemeanor] crime of computer password disclosure [and shall be civilly liable to injured parties].

Kan. Stat. § 21-3755(c)(1). Computer password disclosure [a misdemeanor] is the unauthorized and intentional disclosure of a number, code, password or other means of access to a computer or computer network.

Minn. Stat. 609.8913. A person is guilty of a gross misdemeanor if the person knows or has reason to know that by facilitating access to a computer security system the person is aiding another who intends to commit a crime and in fact commits a crime. For purposes of this section, "facilitating access" includes the intentional disclosure of a computer password, identifying code, personal information number, or other confidential information about a computer security system which provides a person with the means or opportunity for the commission of a crime.

Miss. Code § 97-45-5 (1). An offense against computer users [a misdemeanor] is the intentional ... (b) Use or disclosure to another, without consent, of the numbers, codes, passwords or other means of access to a computer, a computer system, a computer network or computer services.

Penn. Cons. Stat. § 7611(a). A person commits the offense of unlawful use of a computer if he ... (3) intentionally or knowingly and without authorization gives or publishes a password, identifying code, personal identification number or other confidential information about a computer, computer system, computer network, computer database, World Wide Web site or telecommunication device.

S.D. Codified Laws § 43-43B-1. A person is guilty of unlawful use of a computer system, software, or data if the person ... (3) Knowingly ... uses or discloses to another, or attempts to use or disclose to another, the numbers, codes, passwords, or other means of access to a computer system without the consent of the owner....

W. Va. Code § 61-3C-10. Any person who knowingly, willfully and without authorization discloses a password, identifying code, personal identification number or other confidential information about a computer security system to another person shall be guilty of a misdemeanor ....

If one of the states had jurisdiction over Seclists.org, and Vaskovich had kept the password list on the computer even after he knew it was there, would he be guilty under the relevant statute? Would the First Amendment protect his continued retention of the data on his computer? (I tend to think that the First Amendment would not protect this, for reasons discussed in Crime-Facilitating Speech, 57 Stanford Law Review 1095 (2005), but courts have not yet confronted the question.)

Thanks to BNA's Internet Law News for the pointer.