crime


The House Judiciary Committee is considering a bill (.pdf) to amend the Computer Fraud and Abuse Act, 18 USC 1030. I’ve redlined the current statute (.doc) to show how the law would look should this bill pass, and inserted comments where relevant.

I’ve heard that the bill is intended to fix what’s come to be known as “The Lori Drew Problem“: criminalizing terms of service violations. By my analysis, it does the opposite. The text could clear the way for such prosecutions while introducing new legal uncertainties, expanding the scope of the CFAA and greatly increasing penalties, without resolving the underlying problem, which is that the phrase “exceeds authorized access” — as well as the new phrase “in excess of authorization” in the bill — are subject to conflicting interpretations.

The bill also dramatically increases penalties while introducing new ambiguous language that muddies rather that clarifies the reach of this expansive law in other areas as well. For the reasons set forth in the comments to my attached redline, this legislation needs to be scrapped.

This legislative push comes just a few days following the Ninth Circuit’s opinion in United States v. Nosal. There, the Court sitting en banc reversed the panel decision and held that violations of an employer’s computer use restrictions are not penalized under the statute, because “exceeds authorized access” doesn’t mean merely violating a policy, it means obtaining data you are not allowed to see. While a very welcome decision, this creates a Circuit split with the Fifth, Seventh and Eleventh Circuits. We don’t yet know whether the government will petition for, or the Supreme Court will grant cert in Nosal. What we do know is that if Congress wants to resolve the ambiguity, the current bill will only make matters worse.

The recent Department of Justice decision to indict Megaupload for copyright infringement and related offenses raises some very thorny questions from a criminal law perspective.  A few preliminaries: I’m responsible for the musings below, but I thank Robert Weisberg of Stanford Law School for taking the time to talk through the issues and giving me pointers to some relevant cases. Also, an indictment contains unproven allegations, and the facts may well turn out to be different, or to imply different things in full context.

DMCA SAFE HARBOR: BELIEVE IT AND IT WILL BECOME REAL: As a matter of criminal law, the discussion of whether Megaupload did what it needed to do to qualify for the DMCA Safe Harbor misses the point. Did they register an agent? Did they have a repeat infringer policy? These are all interesting CIVIL questions. But from a criminal law perspective, the important question is did Defendants BELIEVE they were covered by the Safe Harbor? This is because criminal infringement requires a showing of willfulness.  The view of the majority of Federal Courts is that “willfulness” means a desire to violate a known legal duty, not merely the will to make copies.

In other words, for criminal liability, it doesn’t really matter whether the service qualifies, so long as Defendants believed it qualified. If so, they were not intentionally violating a known legal duty, and so their conduct would not satisfy the willfulness element of the offense. For criminal liability after the DMCA safe harbor, as in horseshoes, close may be good enough.

SECONDARY COPYRIGHT LIABILITY AND CRIMINAL LAW:

The heart of this case is whether and when an enterprise can be held criminally liable for the conduct of its users. (For example, both copyright infringement claims (Counts 4 and 5) identify aiding and abetting as a basis for the charge.)

Aiding and abetting is something like the civil liability inducement theory the U.S. Supreme Court created in the 2005 Grokster case.  Experts opine that the indictment makes out a pretty good inducement case against Megaupload. But the first question from a defense perspective has to be “Can the Grokster theory of CIVIL liability even be the basis for CRIMINAL copyright claims?” This has never been decided by any Court.

However, the pending Second Circuit case of Puerto 80 Projects v. USA (“Rojadirecta“), raises the issue squarely. There, the plaintiff is challenging the ICE seizure of its Rojadirecta domain names based on an allegation of criminal copyright infringement. For background on the case, and on the ICE domain seizures, check out Techdirt’s coverage.

Rojadirecta’s lawyers at Durie Tangri have challenged the U.S. Government’s assertion that criminal liability arises from linking to infringing content. The lawyers argue that judge-made secondary infringement liability theories, including Grokster style inducement, cannot be the basis for a criminal copyright violation because the criminal copyright statute doesn’t mention secondary liability. Congress considered and rejected statutes that would have created such liability, in COICA and PROTECT IP. In sum, due process doesn’t allow incarceration under a civil legal theory that the Supreme Court dreamed up in 2005. The issues yet to be decided in Rojadirecta apply to the Megaupload case as well.

AGREEMENT + CIVIL VIOLATION = PRISON?: Count 2 is a conspiracy to commit copyright infringement claim, and references unknown parties as members of the conspiracy. Conspiracy entails an agreement to commit an offense and an overt act in furtherance of that agreement.  The act in furtherance need not itself be illegal, but there must be an agreement to do an illegal act. The list of overt acts show that the object of the conspiracy was infringement by Mega users. If Defendants agreed with each other to induce others to infringe, and Rojadirecta’s lawyers are correct that inducement is not a crime, there’s a conspiracy only to violate a CIVIL law. If the idea is that Mega conspired with its users to infringe, those users may or may not have been criminally infringing copyright. They were located all over the world, and may or may not have acted willfully, i.e. intended to violate U.S. law. Again, the government would basically have alleged an agreement to violate a U.S. CIVIL law, including by many people who are not subject to U.S. rules.

Is it a federal crime to conspire to induce others to violate a U.S. civil law?

The answer to that is an obvious “no”. The conspiracy statute itself makes clear that the object of the conspiracy must be an offense or fraud against the United States, in other words, a federal crime. 18 U.S.C. 371. It is true that Oliver North and John Poindexter were prosecuted for conspiracy to violate Boland Amendment, which prohibited Defense Department spending on the Nicaraguan Contras, but was not itself a crime. And there is a 1979 case (U.S. v. Ruffin, 613 F.2d 408 (2nd cir. 1979), where the defendant was convicted of conspiracy when he convinced an unwitting person to divert federal funds to the defendant’s personal benefit. But both cases constituted fraud involving U.S.taxpayer dollars, which is also a basis for conspiracy liability. Civil violations simply are not.

For these reasons, prosecuting this case against Mega, especially if Defendants get good criminal lawyers who also understand copyright law, is going to be an uphill battle for the government.

A few other points. Some direct infringement convictions look easy, but COUNT 4 IS WEIRDLY INCOMPLETE: I agree with the copyright law experts interviewed by Ars Technica that the most damning allegations in the indictment are the claims of direct infringement, particularly for the prerelease movies. Interestingly, the indictment identifies four films that the defendants supposedly distributed before release: The Green Hornet, Thor, Bad Teacher, Twilight–Breaking Dawn Part 1. But Count 4 only charges one such act of prerelease infringement, the movie Taken.  What about the other films? Why were those not also charged?  

Finally, this case is extremely interesting from a JURISDICTIONAL standpoint. One of the very first issue to be litigated will be extradition to the United States. Does the United States have jurisdiction over anyone who uses a hosting provider in the Eastern District of Virginia? What about over any company that uses PayPal? That’s a very broad claim of power, and I expect it will be vigorously contested.

Isn’t it great that when your car, or phone, or laptop gets lost or stolen, you can use modern technology to find your stuff and get it back? One might think only paranoid Luddites or the thieves themselves would oppose such an innovation. But the joy of a ubiquitous communications/tracking network is tempered by the threat to privacy — and potential liability — for enlisting SkyNet to peer into our cars, purses and bedrooms.

Part One: The Wiretap Act and Find My Computer

Last month, in Clements-Jeffrey v. Springfield, a quirky case involving sex and a stolen laptop, a U.S. District Court judge in Ohio ruled that a laptop-tracking company could be liable for intercepting sexually explicit communications in an effort to identify thieves who stole the computer one plaintiff was using to communicate with the other. …

For more, click here

EFF filed a brief today in U.S. v. Lowson, again arguing that public websites can not decide who is and is not a criminal.

For why you should care about what happens to a bunch of Wiseguys cutting the virtual line for ticket purchases, check out my blog post.

New Research Suggests That Governments May Fake SSL Certificates | Electronic Frontier Foundation.

Prepaid Providers Seek to Put Locks On Your Phone and Their Hands In Your Pocket.

The awesome Ars Technica picks up my deeplink about an important new Ninth Circuit case interpreting the Computer Fraud and Abuse Act.

Are employees who use their workplace computers contrary to the interests of their employers criminals under the Computer Fraud and Abuse Act? Yesterday, the Ninth Circuit Court of Appeals said disloyal keyboarding is not a crime in LVRC Holdings v. Brekka.

Click through for more.

I’m blogging again, starting with this post on EFF Deeplinks about the September 2008 amendments to the Computer Fraud and Abuse Act.

Here’s the upshot:

The amendments broaden the already extensive reach of the law, and fail to clarify the most vexing question about the statute, the definition of “unauthorized access”. However, they do shed some light on the issue of what constitutes the necessary element of “damage”, showing that several cases holding that mere unauthorized viewing of data is sufficient for a CFAA claim were wrongly decided. As a result, the new amendments may give internet innovators, researchers and speakers some arguments that could keep search engines, vulnerability reporting and other legitimate uses of computer systems legal.

Click through for more CFAA wonking out.

My recent post on the EFF blog talks about the difficulty that web security researchers have doing their work, in light of the Computer Fraud and Abuse Act and similar state statutes. While pen testers and other hired security guns can get written authorization to do security audits, members of the public have little leeway to explore the ways a website works or breaks, even when that vulnerability means that customer data is exposed to fraudsters. Read the post –Computer Crime Laws Chill Discovery of Customer Privacy Threats | Electronic Frontier Foundation– for more about the issue.

In yesterday’s Circuit Court column “Free the Spam King” I take on the question of whether criminal prosecutions will stop spam, or are even fair. This one has engendered a lot of hate mail. It seems the only thing people hate more than child porn is spam.

Next Page »