Archive for the ‘Cyberspace Law’ Category

Not all legal scholarship is irrelevant twaddle; some of it addresses emerging legal questions that will indeed require answers in the real world.  This student Comment, “What Happens to Our Facebook Accounts When We Die?: Probate Versus Policy and the Fate of Social-Media Assets Postmortem,” by Kristina Sherry, appears in the December 2012 Pepperdine Law Review (40 Pepp. L. Rev. 185 (2012)).  Given how much commerce now takes place through social media – Facebook, LinkedIn, Twitter, etc. – the legal questions are not just about dear old Mom or Dad and their photos of the grandkids (though those personal accounts also raise issues).  Here is the abstract (HT @GregoryMcNeal, via ... Twitter):

More than 580,000 Facebook users in the U.S. will die this year, raising numerous legal questions as to the disposition of their Facebook pages and similar “digital assets” left in a state of legal limbo.  While access to and ownership of decedents’ email accounts has been philosophized for nearly a decade, this Comment focuses on the additional legal uncertainties posed by “digital death” in the more amorphous realm of “social media.” Part II explores the implications of digital death by conceptualizing digital assets and surveying the underlying legal principles of contractual policies, probate, property, and privacy concerns. Part III surveys current law surrounding digital death, emphasizing a 2010 Oklahoma statute granting executors and administrators power over decedents’ “social networking” accounts. Parts III and IV consider what the current state of the law means for individuals facing death (i.e. everyone) as social media interacts with both (1) probate law and (2) social-media services’ policies as reflected in their terms of service. Part V explores how the law and proposed solutions may address the salient policy goals of honoring decedents’ postmortem wishes while meanwhile respecting privacy; preserving digital assets; and minimizing probate, litigation and other paperwork-type hassles. Ultimately this Comment suggests while state or even federal legislation may call attention to the importance of digital estate planning, a better solution likely lies between the two extremes of the probate-versus-policy power struggle, and that social-media services themselves may be in the better position to quell the perfect storm of legal uncertainty that looms.

The latest draft cybersecurity bill contains information sharing provisions that were heavily negotiated between the Obama administration and privacy groups. This effort at compromise has yielded the usual ambiguous praise from privacy groups. The Electronic Frontier Foundation pronounced itself “pleased” but then complained that the measure still “contains broad language around the ability for companies to use security as a reason to partake in ‘nearly unlimited’ data monitoring of users.”

In fact, the privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity.  And it may actually impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.

It’s worth remembering why the information sharing provisions are necessary. The reason is that, with the support of privacy groups in years past, Congress prohibited many companies from sharing customer information with the government in the absence of a subpoena. Congress also authorized states to adopt “two-party consent” restrictions on interception of communications. In an age of widespread network intrusions, both of these laws have the effect of protecting hackers and spies.

How so? Controlling spearphishing requires that incoming packets be monitored for malware; and that in turn means intercepting the communications. Since it’s unlikely the attacker who is sending malware will consent to such monitoring, this monitoring creates legal risks in two-party consent states. Similarly, unless private companies can tell the government in real time which of their customers are sending malware, the government cannot protect itself. All of the bills pending in Congress override these poorly conceived and overbroad privacy provisions.

Privacy groups don’t like to be reminded that privacy laws they supported are now protecting bad guys, so it’s no surprise that they aren’t comfortable with the new bills. I suspect they’d rather have no bill at all than admit that the old privacy laws contributed to the fix we’re in. 

If that was their goal, they’ve just about managed to achieve it. They’ve made information sharing so complex that it’s nearly impossible to do. Indeed, there’s a real risk that the new provisions will end up creating new limitations on information sharing, new liabilities for security officers, and new legal protections for the people breaking into our networks.

To see how, let’s take a simple example. A company, US Petroleum, asks its ISP to monitor incoming messages for malware. A week later, the ISP tells US Petroleum that it has detected malware that it attributes to the People’s Liberation Army. In fact, because it exchanges information with other companies and the government, it can name the unit and perhaps even the individuals who launched the attack; it further assesses based on those sources that the intrusion was aimed at helping Chinese state oil companies outbid US Petroleum on crucial offshore tracts.

US Petroleum decides not to take this lying down. It prepares a press release denouncing the PLA’s intrusions and asks its lawyers whether it can sue its bid-stealing Chinese competitor. Then its lawyers reread the information sharing provisions of the 2012 cybersecurity bill. Sections 701 and 702 both say that private companies who obtain threat indicators of this sort under the law must “make reasonable efforts to safeguard … information that can be used to identify specific persons from unauthorized access or acquisition.” And section 702 further says that a private entity may not disclose threat indicators to a private entity that is “reasonably likely to violate” the elaborate restrictions imposed on the use of threat indicators.

On its face, then, the new law prohibits US Petroleum from using the information it obtained from its ISP to name and shame the attacker. After all, publicly releasing the attacker’s name is not a “reasonable effort to safeguard” the attacker’s identity, and public disclosure of the data by definition supplies the information to parties who will not abide by the law’s restrictions on handling such information.

In short, the new provisions demanded by the privacy groups could just as easily be called the “Hacker Protection Act of 2012.”

The price of eliminating two unfortunate laws that protect hackers, it turns out, is a new and far more elaborate scheme for regulating how private entities handle and publicize attacks on their system — a scheme that also protects hackers.

To add to the irony, the new law creates special first amendment protections for critical infrastructure companies at the same time that it imposes sweeping, direct and burdensome restrictions on the first amendment rights of US Petroleum.

The one saving grace is that the new legislation only regulates information obtained “under” the legislation. Under section 707(a), information obtained lawfully in some other way is not supposed to be regulated. But this is a dubious protection for US Petroleum, which cannot be sure it didn’t obtain the information that way. After all, it’s quite possible that some of the ISP’s monitoring occurred in a two-party consent state; if so, that information was likely obtained “under” section 702. Or the ISP may have picked up clues about the attacker’s identity “under” section 701(b) by participating in an exchange of information with the government. Uncertainty about the source of such information means that the protection the new law gives to attackers may actually be wider than existing law.

That’s true not just because the definition of protected “threat indicator” is quite broad but also because the new law is so affirmative and sweeping in laying down rules for handling such information. While the legislation doesn’t in so many words give the PLA a cause of action against US Petroleum for its planned press release, anyone reading the law could reasonably fear that a court would say, “Congress clearly prohibited certain actions, and we cannot presume that it meant its rules to be ignored without penalty. Therefore, we will allow lawsuits to enforce the rules that Congress set.”

To counter this inclination, US Petroleum cannot point to a single law expressly allowing it to gather information on its network, or to authorize monitoring by its ISP (in fact, in a two-party consent state, that authorization itself may create liability), or to speak openly about the attack. All the company can say in its defense is that no law prohibited it from speaking out before the new bill passed. A prudent lawyer might conclude that, in lawsuits as in life, nothing rarely beats something.

The new privacy provisions, in short, make the task of sharing information to defeat hackers harder than it is today. In place of two bad privacy laws – one of which only restricts the flow of data to the government – the new bill creates an entire regime of restrictions on private handling of private data, a regime whose scope is indeterminable but whose deterrent effect on information sharing will be great.

The privacy groups that demanded this as the price for correcting their old errors have outdone themselves.

The Second Circuit has finally released its long-awaited decision in the appeal of the Viacom v. Youtube lawsuit, about which I’ve blogged a great deal [starting here, here, here, and here]  over the past couple of years.  Viacom “won” — in that they got the reversal of the district court’s comprehensive judgment in YouTube’s favor — but notwithstanding the considerable hand-wringing already underway about how terrible a result this is, I’m here to tell you:  It ain’t so bad.  In fact, I think it’s a pretty sensible opinion that clarifies the law surrounding service provider immunity in some very helpful ways and, most importantly, does no significant damage at all to the underlying immunity principles that have been so profoundly important for the development of the Net over the past decade.

Here are some of the key points.   [my emphasis throughout] [My apologies if you're unfamiliar with the basic layout of the case -- see the above links for the basic background]

1. “[A] finding of safe harbor application necessarily protects a defendant from all affirmative claims for monetary relief.”

That’s good — Viacom and allies had argued that the 512 immunities don’t cover any claims for contributory infringement, vicarious infringement, or inducement of infringement.  It was an odd theory, and the court shoots it down, correctly, in no uncertain terms.

2.  “[T]he ‘right and ability to control’ infringing activity under § 512(c)(1)(B) requires something more than the ability to remove or block access to materials posted on a service provider’s website.”

That’s good, too.  The statute says a service provider is not immune from claims if it has the “right and ability to control” the infringing conduct (and derives a “financial benefit” from the infringements).  Viacom advanced a plausible argument that, because YouTube (and virtually all content-hosting sites, including the Volokh conspiracy) can throw people off the site if they violate the terms of service, or because they have the technical capability to delete individual postings, that that constitutes a “right and ability to control” the infringements.  This interpretation would have gutted the 512 protections and, again, the court strikes it down.

3.  The court makes it clear that “the basic operation of § 512(c) requires knowledge or awareness of specific infringing activity.”

This is a really important holding, and a really good one.  The battle over service provider copyright infringement liability (including this lawsuit) has always been focused on one central question:  Given that everyone with a brain in his/her head knows that there’s infringing material out there, who has the duty to uncover it?  And when does that duty arise?

Ever since the Napster decision back in 2001 (another decision that most people, incorrectly, viewed as a big win for the content providers), courts have consistently held:  the burden is squarely on the copyright holders, not the service providers.  If copyright holders identify specific infringing files (and give the service provider notice of where those files are located), the service provider “retains safe-harbor protection if it ‘acts expeditiously to remove, or disable access to, the material.’ ”   But the service provider – even if it has “generalized knowledge” that there’s infringing content on its site — need not take any affirmative steps to find that material and remove it without notice from the copyright holders.

The court reaffirms this in no uncertain terms.

“[A service] provider that gains knowledge or awareness of infringing activity retains safe-harbor protection if it ‘acts expeditiously to remove, or disable access to, the material.’  Thus, the nature of the removal obligation itself contemplates knowledge or awareness of specific infringing material, because expeditious removal is possible only if the service provider knows with particularity which items to remove.”

This is a strong affirmation of what I regard as the key component to the whole 512 safe-harbor:  the “knowledge” that disqualifies a service provider from the safe-harbor is knowledge that file X, residing on the service at specific location Y, is infringing; and the service provider has no duty to monitor to find those files.  (“DMCA safe harbor protection cannot be conditioned on affirmative monitoring by a service provider.”)

So what did Viacom get out of all this?  The court reverses and remands for the district court to consider 2 things:  First, taking Viacom’s factual allegations as true (because the district court had granted summary judgment for YouTube), there’s evidence in the record that YouTube had, at least with respect to some specifically identified postings, “actual knowledge” that those were infringing.  And second, the court articulates a “willful blindness” exception to the safe-harbor:  if YouTube’s lack of “actual knowledge” of “specific infringing files” was due to their own acts of “willful blindness” — a “deliberate effort to avoid [obtaining] guilty knowledge” — they can’t assert the immunity.

We’ll see how that last one plays out.  The devil, as always, is in the details.  An overly-expansive definition of what constitutes “willful blindness” could lead to trouble – but I am pretty optimistic that courts will be able to define it in such a way that it disqualifies only truly egregious conduct (and that service providers will, as a consequence, be less likely to engage in egregious conduct) while placing a high enough bar in the way of those trying to prove the egregiousness of the conduct that it only gets the really bad actors and leaves the vast majority of service providers unaffected.

As I’ve said before, the Supreme Court has never decided whether K-12 schools may remove books from school libraries based on their viewpoints, or may filter out Web sites based on their viewpoints. The Court’s cases dealing with this question, Board of Ed. v. Pico and U.S. v. American Library Ass’n were badly splintered and provided basically no majority on the subject.

Pico, for instance, split 4-4 on the book removal issue, with the deciding vote (Justice White) expressing no opinion and sending the case down for more factfinding. (“The plurality seems compelled to go further and issue a dissertation on the extent to which the First Amendment limits the discretion of the school board to remove books from the school library. I see no necessity for doing so at this point. When findings of fact and conclusions of law are made by the District Court, that may end the case.”) Likewise, ALA yielded no useful conclusion.

This makes yesterday’s Parents, Families & Friends of Lesbians & Gays, Inc. (PFLAG) v. Camdenton R-III School Dist. (C.D. Mo. Jan. 15, 2012) especially interesting: The court issued a preliminary injunction against a school district’s use of a filter that apparently generally filtered out pro-homosexuality sites — including ones that weren’t sexually explicit — but not anti-homosexuality sites. (“URL Blacklist systematically allows access to websites expressing a negative viewpoint toward LGBT individuals by categorizing them as ‘religion’, but filters out positive viewpoints toward LGBT issues by categorizing them as ‘sexuality’.”) The court held that the government’s continued use of this filter, especially given the availability of other filters that did better both at blocking outright porn and at not blocking commentary on homosexuality, was likely viewpoint discriminatory and therefore unconstitutional, which led it to issue a preliminary injunction. The standard for issuing such an injunction was (in part) that plaintiffs showed “a ‘fair chance’ that [their claim] will succeed on the merits”; but the court’s reasoning suggests that the court is even more persuaded on the merits than that.

This might prove to be the correct result, but the court’s reasoning strikes me as conclusory. Here, as best I can tell, is the heart of the court’s analysis:

Camdenton’s internet access system in its library is neither a traditional nor a designated public forum. United States v. Am. Library Ass’n (“ALA”), 539 U.S. 194, 205 (2003) (plurality opinion) (internal quotes omitted). It is a nonpublic for[um]. “Control over access to a nonpublic forum can be based on subject matter and speaker identity so long as the distinctions drawn are reasonable in light of the purpose served by the forum and viewpoint neutral.” Cornelius v. NAACP Legal Defense & Ed. Fund, Inc., 473 U.S. 788, 806 (1985). But “the government violates the First Amendment when it denies access to a speaker solely to suppress the point of view he espouses on an otherwise includible subject.” Id.

Yet the statement that the system “is a nonpublic forum” is unsupported. School-provided Internet access indeed isn’t a traditional or designated public forum, but that just means that it’s either a nonpublic forum or not a forum at all. This last category, described in Arkansas Educ. Television Comm’n v. Forbes, involves situations where the government chooses to use its property to present speech that it likes and not speech that it dislikes. A government-run public television station, for instance, may air anti-racism programs but not pro-racism programs without violating the First Amendment; a school-provided bulletin board can display messages the school favors but not ones the school opposes; the government may accept for park display monuments that celebrate some things but not others.

Now the scope of this not-a-forum-at-all doctrine is not clear, and it might be that when it comes to government provision of access to a vast range of others’ material, in a situation where few people would see the government as endorsing all that material, the “nonpublic forum” category — with its prohibition on viewpoint discrimination — is more fitting than a “not a forum at all” category. But that conclusion has to be supported; as best I can tell, the district court instead just asserts it.

The district court does cite to Pratt v. Indep. School Dist. No. 831 (8th Cir. 1982), which held unconstitutional the exclusion of material even from a school curriculum — given this, exclusion of material from library access would be even more clearly unconstitutional. But Pratt (which strikes me as very badly wrong) seems to me not to survive Hazelwood School Dist. v. Kuhlmeier (1988), which held that the government had very broad control over school curriculum. That control (controversially, though I think correctly) was held to include control over a student newspaper produced as part of a journalism class. Even more clearly, it would include control over what movies are shown as part of the school curriculum, the issue in Pratt. So while Hazelwood doesn’t dispose of the library filtering question, since it’s not clear whether it should be treated as a “curriculum” matter, Hazelwood does mean that Pratt is no longer a viable precedent.

Finally, one twist: According to the court in PFLAG, the school denied that it was engaged in viewpoint discrimination, and thus didn’t argue that the viewpoint discrimination was justifiable. “Camdenton has repeatedly said that its goal is not to protect its students from websites expressing a positive view toward LGBT individuals, or that such websites interfere with the requirements of appropriate discipline. Rather, Camdenton has argued that its internet-filter system does not discriminate based on viewpoint.” So perhaps the case could be decided just on that ground — but the court’s reasoning, as I understand it, goes further and says that all viewpoint discrimination in library filtering is presumptively unconstitutional, whether or not it is a deliberate and substantively defended decision on the school’s part. The case thus strikes me as an interesting and important decision, though vulnerable on the grounds I mentioned.

The Senate’s big cybersecurity bill has finally surfaced officially, and the hearing will be tomorrow at 2:30 DC time in front of the Homeland Security and Government Affairs Committee. After Sen. Rockefeller and Sec. Napolitano, I’ll be part of a panel that includes Gov. Tom Ridge, Scott Charney of Microsoft, and Jim Lewis of the Center for Strategic and International Studies.

Here’s the first few pages of my prepared testimony. The rest is up on Skating on Stilts, for those who just have to see my take on how to draft cybersecurity emergency authorities.

Mr. Chairman, Ranking Member Collins, members of the committee, it is an honor to testify before you on such a vitally important topic. I have been concerned with cybersecurity for two decades, both in my private practice and in my public service career, as general counsel to the National Security Agency and, later, to the Robb-Silberman commission that assessed U.S. intelligence capabilities on weapons of mass destruction, and, more recently, as assistant secretary for policy at the Department of Homeland Security. In those two decades, security holes in computer networks have evolved from occasionally interesting intelligence opportunities into a full-fledged counterintelligence crisis. Today, network insecurity is not just an intelligence concern. It could easily cause the United States to lose its next serious military confrontation.

Moore’s Outlaws: The Exponential Growth of the Cybersecurity Threat

Our vulnerabilities, and their consequences, are growing at an exponential rate. We’ve all heard of Moore’s Law. What we face today, though, are Moore’s outlaws: criminals and spies whose ability to penetrate networks and to cause damage is increasing exponentially thanks to the growing complexity, vulnerability, and ubiquity of insecure networks. If we don’t do something, and soon, we will suffer network failures that dramatically change our lives and futures, both as individuals and as a nation.

It doesn’t take a high security clearance or great technical expertise to understand this threat. It follows from two or three simple facts.

Fact One. Breaking into computer networks to steal secrets has never been easier, despite all the security measures we encounter on those networks.

Why do I say that? Simple. In recent months, we have learned that some of the most security-conscious institutions on the planet have been compromised. HBGary, RSA, Verisign, and DigiNotar are all in the network security business; they understand how to protect secrets online — if anyone does. But RSA was electronically attacked and its most important business secrets, the keys to its security business, were stolen. HBGary lost control of its CEO’s email correspondence to a group of online vigilantes, and its CEO lost his job as a result. DigiNotar, a Dutch entity that issues online credentials, was compromised by a hacker working with Iranian security forces. Six weeks after the breach became public, DigiNotar was out of business. I think it’s fair to say that these security-conscious companies would have done whatever they could to prevent these disclosures, but they failed. They were unable to secure their networks.

Actually, the same is true for governments. The Defense Department used to say that attacks on its systems had never penetrated the classified networks. Now it has disclosed that this is no longer true. Defense contractors have also been compromised, and with them, the designs for our most recent weapons systems.

That is the first fact: No network, no matter how important its secrets and no matter how security conscious its owner, can be seen as secure in today’s world. Attackers have an excellent chance of breaking in and stealing secrets. And here is the second:

Fact Two. Once the attackers are in, they don’t have to stop at stealing secrets. They can cause severe physical damage just by manipulating the digital systems they have compromised.

When I was at DHS, we demonstrated that hackers could cause a large generator to self-destruct, just by sending the generator commands over the network. More recently, the Stuxnet malware is believed to have crippled Iran’s uranium enrichment efforts for months, simply by infecting the computerized industrial control system responsible for Iran’s centrifuges. That was good news for people who think that Iran’s nuclear program is dangerous. But Stuxnet was also a proof of concept, showing that network flaws can be used to cause massive damage to any machinery that relies on computerized industrial controls.

And what machinery runs on such controls? Pretty much everything necessary to sustain our society: refineries, pipelines, electric power, water, and sewage systems. Worse, the industrial control systems that run these necessities are not really designed with cybersecurity in mind. In fact, there is reason to believe that Windows networks running on the Internet are much more secure than industrial control systems. At a minimum, we can say with confidence that industrial control systems are no better protected than the systems that failed at RSA, Verisign, HBGary, and DigiNotar.

Cyberweapons pose a real threat to the United States. Those two facts lead to a third, common-sense conclusion: Any nation that feels the need to prepare for a military confrontation with the United States has already begun developing cyberweapons. Cyberweapons are especially potent against the United States. That’s because they are deniable; figuring out who has launched a cyberattack will be very difficult, making our other military assets less useful in deterring attacks. Cyberweapons are also asymmetric; they cause more harm in developed nations than in less advanced societies. And perhaps most importantly, such weapons can overturn the American war experience of the last sixty years – that conflicts will be fought far away, at a time and place of our choosing. Any nation expecting a conflict with the American military would be enthusiastic about developing a weapon that can cause massive civilian suffering on our home front before a single shot has been fired on the battle lines.

Now that such a weapon is within their reach, the impact could be unprecedented. We have no experience with losing large parts of our power, refinery, water and sewage systems all at once. The closest we’ve come was New Orleans after Katrina. And there, everyone knew beforehand that the disaster was coming. Preparations had been made, and most people left the city well in advance. They went to places where the infrastructure still worked, while organized military and civilian relief efforts rapidly moved in to help those who remained. Even so, the breakdown in order and the human suffering was extreme.

Thanks to growing cyber insecurity, all Americans now live in a digital New Orleans, with Katrina just offshore. And not one Katrina, but many. Computer exploits that we once thought were the work of large nations such as Russia or China now seem to be within the capability of countries like Iran and North Korea. If I am right that computer insecurity continues to grow worse each year, then the sophistication needed to launch a cyberattack will continue to decline, and soon such attacks will be within the capability of criminal gangs and online vigilantes like Anonymous.

Disaster is not inevitable. We can head this threat off if we treat it seriously. We may have years before suffering an attack of this kind. We do not have decades. We must begin now to protect our critical infrastructure from attack. And so far, we have done little.

...

Another source of resistance comes from advocates who claim that this bill is somehow similar to the Stop Online Piracy Act, or SOPA. If the bill reaches the floor, they threaten, it will meet the same fate as SOPA.

Well, to paraphrase Sen. Bentsen in the 1988 vice-presidential debate, I knew SOPA, I opposed SOPA, and Mr. Chairman, this bill is no SOPA.

I took a very early stand against SOPA, and I’m proud to have played a role in forcing its reconsideration. SOPA was a bad idea because it would have given a little help to one industry while making everyone who uses the Internet much less secure. That criticism of SOPA struck a chord with Americans because we all use the Internet with a nagging fear that our security is at risk. That security concern was at the heart of the early opposition to SOPA. This bill, in a real sense, is the opposite of SOPA. It addresses the entirely justified security concerns of ordinary users.

There is another reason not to heed the advocates who oppose this title. They’re the guys who got us into this fix.

...

I blogged about the case a year ago, and now there’s an appellate court decision in it, People v. Walker (Mich. Ct. App. Dec. 27, 2011). An excerpt:

[T]he charge against defendant arises from his alleged unauthorized access to the password-protected email account of his estranged wife, Clara Elizabeth Walker, from July 2009 through August 2009. At the preliminary exam, Clara testified that she filed for divorce from defendant on June 5, 2009, and that defendant had been served with the divorce papers by July 2009. Clara and defendant continued to live in the same home through August 2009. During this time period, Clara had a personal email account through Gmail and another email account through Yahoo. Clara never shared her passwords for these email accounts with defendant, nor did she ever give defendant permission to access those accounts....

Clara testified that she used a computer that defendant bought her for her use. Defendant set up the computer for her, but Clara set up the Gmail and Yahoo accounts herself. Although Clara had previously written passwords in an address book, she has not used the address book for passwords in many years and never provided defendant with those passwords. Clara testified that she had never written a pass code for defendant on a sticky note, and that she allowed defendant to use her computer only when it needed a repair. Defendant had two computers of his own at home, and Clara did not know the passwords for defendant’s computers....

[D]efendant argues that the circuit court erred in denying his motion to quash the charge alleging unauthorized access of a computer, MCL 752.795....

[T]here was evidence that defendant acted without authorization when he accessed his estranged wife’s Gmail account. Defendant’s wife testified that her Gmail account was a personal account and that she never shared her passwords for the account with defendant or granted him permission to access the account. Further, she allowed defendant to use her computer only when it needed a repair. Defendant admitted to the police that he accessed his wife’s Gmail account by guessing her password. These facts support a reasonable inference that defendant lacked authorization for his access of his wife’s Gmail account....

[Moreover,] the prosecutor presented evidence that defendant acquired, altered, damaged, deleted, or destroyed property or otherwise used the service of a computer program, computer, computer system, or computer network. Defendant used the services of Gmail when he gained access to his estranged wife’s account, viewed her emails, and printed them to distribute to a third party. Further, by viewing, printing, and distributing the emails, defendant acquired his wife’s property, i.e., her password-protected emails containing restricted personal information or other tangible or intangible items of value....

Contrary to defendant’s argument, nothing in the statutory text suggests that spouses, estranged spouses, or parties to a divorce proceeding are immune from prosecution under the act.

The case can therefore proceed to trial. Thanks to Michael Smith for the pointer.

The Kindle Fire is a remarkable innovation in the Apple mold:  taking a bunch of components that are pretty well known and combining them into a powerful new experience.  But unlike Apple, Amazon’s integrating vision isn’t visual design or even user delight.  Instead it’s far more ambitious — a new vision of the entire Internet ecosystem.

OK, let me try that again without the Valley babble.  The Kindle Fire forks Android into an Amazon-designed and Amazon–controlled operating system.  So far, no surprises. Amazon owns and subsidizes the hardware, too, so it can design features that integrate operating system and processor tightly.  Again, nothing that Apple can’t do.  But then comes the clever, almost-new idea:  Fire uses its own browser, called Silk, which is designed to work with Amazon’s massive cloud computer. So instead of downloading web pages one after the other and opening them on your computer, Amazon’s cloud stores and even opens them, sending you the end result.  This allows speedier downloads for a couple of reasons:  Caching of popular pages (or even parts of pages) avoids download delays when the original source is overloaded; and Amazon’s cloud can handle even the most processor-intense pages instantaneously, far faster than your wheezing desktop machine.  In short, your Internet experience on the Fire ought to be lightning quick.

There’s another advantage to this new vision of what might be called the Bezosnet.  The Bezosnet ought to be a lot more secure.  One way that hackers compromise your machine is by getting you to go to malware infected sites.  Just visiting the site triggers routines that take over the visitor’s computer.  But if the routine runs, not on a visitor’s computer but in a virtual environment at Amazon’s data center, the attacker’s code isn’t likely to work.

In fact, it looks to me as though Amazon has a remarkable security opportunity here.  It controls the Fire hardware, the Fire operating system, and the Fire user’s internet connection. If a Fire tablet joins a botnet, Amazon will know immediately. It can quarantine the tablet and alert the owner.  Indeed, it can go further, performing diagnostics to figure out and remedy the security flaw the botnet exploited. If a Fire tablet starts sending beacons or massive encrypted data files to a Chinese controller site, Amazon can spot the pattern and alert the user or even block the transmissions.  No one else, not even Apple, maybe not even DoD, will have the same ability to drive security into all parts of the Internet ecosystem.
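The post speculates that a provider who sees all of a tablet’s traffic could spot beaconing and bulk exfiltration patterns. As an added illustration (not code from the post, and not anything Amazon ships), here is a small Python detector that runs two of those checks over constructed per-device flow records: it flags a destination that a device contacts at near-metronomic intervals, and a destination that receives an unusually large outbound volume. The device ids, hostnames, byte counts and the thresholds (`min_events`, `max_cv`, `threshold_bytes`) are all assumptions chosen for the sample data.

```python
"""Added example: flagging beacon-like periodic connections and bulk
outbound transfers in constructed per-device flow records.

All device ids, hostnames, sizes and thresholds below are constructed or
assumed for illustration; nothing here is Amazon's own tooling."""
from collections import defaultdict
from statistics import mean, pstdev


def _constructed_flows():
    """Build sample outbound flows: (timestamp_s, device_id, dest_host, bytes_out)."""
    flows = []
    # fire-A phones home roughly every 60 s with a tiny payload (beacon-like).
    t = 1000
    for jitter in (0, 1, -1, 0, 1, 0, -1, 1, 0, 0, -1, 1):
        t += 60 + jitter
        flows.append((t, "fire-A", "c2.example.invalid", 300))
    # fire-B browses normally: irregular gaps, modest page-sized transfers.
    t = 1000
    for gap in (3, 40, 7, 190, 2, 55, 12, 600, 9, 30):
        t += gap
        flows.append((t, "fire-B", "news.example.invalid", 2000))
    # fire-C pushes one large file (50 MB) to a single destination.
    flows.append((5000, "fire-C", "drop.example.invalid", 50_000_000))
    return sorted(flows)


SAMPLE_FLOWS = _constructed_flows()


def group_flows(flows):
    """Group flows by (device, destination) -> sorted list of (timestamp, bytes)."""
    groups = defaultdict(list)
    for ts, device, host, nbytes in flows:
        groups[(device, host)].append((ts, nbytes))
    for key in groups:
        groups[key].sort()
    return groups


def interval_cv(timestamps):
    """Coefficient of variation of inter-event gaps; near 0 means metronomic.

    Returns None when there are too few gaps to judge regularity."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(flows, min_events=8, max_cv=0.15):
    """Return (device, host, mean_interval_s) for near-periodic connection series."""
    hits = []
    for (device, host), events in group_flows(flows).items():
        if len(events) < min_events:
            continue
        ts = [t for t, _ in events]
        cv = interval_cv(ts)
        if cv is not None and cv <= max_cv:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            hits.append((device, host, round(mean(gaps), 1)))
    return sorted(hits)


def find_bulk_uploads(flows, threshold_bytes=10_000_000):
    """Return (device, host, total_bytes) where outbound volume meets the threshold."""
    hits = []
    for (device, host), events in group_flows(flows).items():
        total = sum(n for _, n in events)
        if total >= threshold_bytes:
            hits.append((device, host, total))
    return sorted(hits)


if __name__ == "__main__":
    for device, host, period in find_beacons(SAMPLE_FLOWS):
        print(f"beacon-like: {device} -> {host} every ~{period}s")
    for device, host, total in find_bulk_uploads(SAMPLE_FLOWS):
        print(f"bulk upload: {device} -> {host} {total} bytes")
```

The regularity test uses the coefficient of variation of the gaps between connections, so a device that is merely chatty (fire-B) is not flagged while one that checks in on a fixed schedule (fire-A) is; the byte-volume test is independent and catches the single large transfer from fire-C. Real deployments would tune the thresholds against a baseline and suppress known-good schedulers such as update checks.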

If Amazon exploits its security opportunity, this could be transformative for users. To take one example, most people are, or should be, wary about Internet financial transactions.  Small businesses that do electronic funds transfers are at enormous risk today.  Like consumers, their machines are easily compromised, but unlike consumers, their losses to hackers are not underwritten by the banks.  That’s costing them easily hundreds of millions of dollars a year. As small businesses come to appreciate the risk, Amazon has a chance to persuade them that a dirt-cheap Amazon Fire tablet is the only safe way to access their funds.

Competitively, that could put Amazon squarely in the stream of high-value Internet transactions.  Maybe it becomes a bank.  Maybe it forces Mastercard and Visa to give it a discount because fraud on Amazon-mediated transactions is lower. Maybe it takes on Google’s relationship with advertisers, since now Amazon has insight into information advertisers really want:  what are consumers actually buying and how much are they paying? Maybe it kills the prospects of ISPs and telcos hoping to transcend dumb pipe status and exploit their direct connection to consumers; that connection won’t be much use if Amazon controls and can encrypt the entire stream of communication.

For consumers, the Fire opens up a prospect of feudal security on the Internet.  We already know that we can’t protect our own machines from attack. For all the talk of insecurity in the cloud, it’s almost certainly more secure than the decentralized system we have now. To take one example, I have a lot more faith in Google’s ability to protect my gmail account than in the ability of my system administrator to do the same for my corporate account.  And I have more faith in Amazon’s ability to spot malware infested websites than in my ability to do the same, even with help from Google and antivirus software. Yes, you’re putting all your eggs in one basket, but you’re also hiring someone to guard that basket while you get on with life. Sooner or later, to get security, it looks as though we’re all going to have to pick a liege lord and shelter under his castle walls. And now Amazon has a chance to build the first string of forts and castles across the most desirable territory.

Of course, where there’s feudalism, there’s droit de seigneur. The price for security will be, probably must be, a loss of privacy, anonymity, and control to Amazon.  Right now, Amazon’s terms of service provide some contractual anonymity to users, but as a technical matter Amazon has total visibility into everything that happens on a Fire tablet.  That visibility is very likely necessary for security, and it is damn sure valuable for commercial purposes.  So it’s hard to imagine that it won’t be used for both purposes.

I can hear the privacy Luddites cranking up their outrage machinery now.  As usual, they’ll be a day late.  But they’ll also be a dollar short, at least if I’m right that the alternative to sheltering under Amazon’s walls is living out on the plains alone, at the mercy of marauders. No one will thank the data protection authority that saves us from Amazon by pushing us into the arms of the Russian Business Network. What the authorities can do is police Amazon’s terms of service and perhaps hold Amazon to any promises of security with tough new liability rules.  But, like Regulation Z, which declares that credit card fraud can’t cost US consumers more than $50, a rule imposing liability on Amazon for Internet security breaches could turn out to be an enormous market advantage (not to mention a tough barrier to entry for imitators).

All in all, then, the Fire Tablet is potentially a very big deal.  Too bad I’m too cheap to buy one.

(As always when I get into the details of security technology, I do so with considerable humility about my grasp of, well, actual technical details. This is technology poetry, not prose, and a first draft of the poetry at that. I welcome technical corrections.)

So begins T.V. v. Smith-Green Community School Corp. (N.D. Ind. Aug. 10), which (1) holds that a high school violated plaintiffs’ First Amendment rights when it suspended them from the volleyball team because they had posted a raunchy video of themselves on the Internet, and (2) holds that the school’s code of conduct allowing suspensions for “act[ing] in a manner in school or out of school that brings discredit or dishonor upon yourself or your school” is unconstitutionally vague and overbroad. (Both holdings, I think, are correct, given the Court’s precedents; I briefly explain my thinking at the end of the post.) Here are the relevant facts about the speech involved:

[D]uring the summer of 2009, T.V. and M.K. were both entering the 10th grade at Churubusco High School, a public high school of approximately 400 students. Both T.V. and M.K. were members of the high school’s volleyball team, an extracurricular activity, and M.K. was also a member of the cheerleading squad, also an extracurricular activity, as well as the show choir, which is a cocurricular activity. [Obligatory Glee reference.-EV] Cocurricular activities provide for academic credit but also involve activities that take place outside the normal school day.

Try-outs for the volleyball team for the coming year would occur in July. A couple of weeks prior to the tryouts, T.V., M.K. and a number of their friends had sleepovers at M.K.’s house. Prior to the first sleepover, the girls bought phallic-shaped rainbow colored lollipops. During the first sleepover, the girls took a number of photographs of themselves sucking on the lollipops. In one, three girls are pictured and M.K. added the caption “Wanna suck on my cock.” In another photograph, a fully-clothed M.K. is sucking on one lollipop while another lollipop is positioned between her legs and a fully-clothed T.V. is pretending to suck on it.

During another sleepover, T.V. took a picture of M.K. and another girl pretending to kiss each other. At a final slumber party, more pictures were taken with M.K. wearing lingerie and the other girls in pajamas. One of these pictures shows M.K. standing talking on the phone while another girl holds one of her legs up in the air, with T.V. holding a toy trident as if protruding from her crotch and pointing between M.K.’s legs. In another, T.V. is shown bent over with M.K. poking the trident between her buttocks. A third picture shows T.V. positioned behind another kneeling girl as if engaging in anal sex. In another picture, M.K. poses with money stuck into her lingerie — stripper-style.

T.V. posted most of the pictures on her MySpace or Facebook accounts, where they were accessible to persons she had granted “Friend” status. Some of the photos involving the lollipops were also posted on Photo Bucket, where a password is necessary for viewing. None of the images identify the girls as students at Churubusco High School. Neither T.V. nor M.K. ever brought the images to school either in digital or any other format. In their depositions, both T.V. and M.K. characterized what they did as “just joking around” and disclaimed that the images conveyed any scientific, literary or artistic value or message, but testified that the photos were taken and were shared on the internet because the girls thought what they had done was funny and “wanted to share with [their] friends how funny it was.”

The school got wind of this, and suspended the girls “from extracurricular and cocurricular activities for a calendar year,” though the punishment was later reduced to a six-game suspension for T.V., and a suspension from “five games and a show choir performance” for M.K. The girls sued, claiming the suspension violated the First Amendment. Here’s what the court held:

Continue reading ‘“Not Much Good Takes Place at Slumber Parties for High School Kids, and This Case Proves the Point”’ »

Last week, the Federalist Society hosted a symposium on cybersecurity that you can watch here (morning panel, focused on national security issues), here (lunch address), and here (afternoon panel, focused on business and criminal law issues).

Two VC bloggers participated in the symposium. Stewart Baker gave the lunchtime keynote address, which you can watch here:

I gave a few comments criticizing the Obama Administration’s proposals to expand the Computer Fraud and Abuse Act, which you can watch here:

My friend Jennifer Granick points me to an interesting new case, Hubbard v. Myspace (S.D.N.Y. June 1, 2011), that touches on a fascinating Fourth Amendment question: What are the territorial limits of search warrants for Fourth Amendment purposes? To be clear, the Hubbard case itself involved a statutory challenge, not a constitutional one. The plaintiff sued MySpace for complying in California with a state warrant issued in Georgia that was faxed to MySpace in California, on the ground that the Stored Communications Act, 18 U.S.C. 2703, did not allow MySpace to comply with the out-of-state warrant. As a statutory claim, the argument was pretty clearly incorrect. But at the end of his opinion (p.11) Judge Kaplan touches on a really interesting issue: What about the Fourth Amendment?

Specifically, the interesting issue is this: If the Fourth Amendment imposes a warrant requirement on government access to an e-mail account, which I think it does and the Sixth Circuit has expressly so held, is the warrant requirement satisfied by an out-of-state warrant from a jurisdiction far away with no authority to actually compel compliance with the warrant? Or is the warrant requirement only satisfied by a warrant issued locally, or at least in the same state or federal district? This issue generally doesn’t come up in traditional physical investigations because the police will get a local warrant to physically search a local location, and arrests generally don’t require warrants. But warrants for e-mail accounts are unusual: The police obtain the warrant and fax it to the ISP, and the Stored Communications Act contemplates out-of-state warrants. ISPs usually don’t have to comply with out-of-state warrants, as those warrants are out of state and not binding on them. But the question I’m interested in here is: does the out-of-state warrant satisfy the warrant requirement?

I would think the best answer is that the warrant requirement does not have a territorial limit: For Fourth Amendment purposes, the warrant requirement is satisfied so long as a neutral and detached magistrate somewhere has found probable cause, established particularity, and signed the warrant authorizing the disclosure. I think that for a few reasons. First, the Eighth Circuit has expressly approved of the constitutionality of an out-of-state e-mail warrant in one case, United States v. Bach, which involved a Minnesota state warrant for an e-mail account that was faxed to Yahoo in California. Although Bach did not discuss the extraterritorial nature of the warrant, the approval of the facts of that case hints that the extraterritorial nature of the warrant doesn’t matter. Second, I think the territorial limits on courts’ power to issue warrants are at least arguably the kind of statutory limit on state power that the Supreme Court has said is irrelevant to Fourth Amendment reasonableness in Virginia v. Moore, 128 S.Ct. 1598 (2008). Third, cases from the wiretapping context have held that judges in one district can authorize intercepts in other districts. See, e.g., United States v. Ramirez, 112 F.3d 849 (7th Cir. 1997) (Posner, J.).

Finally, if warrants do have territorial limits for purposes of the warrant clause, we need a theory for what those limits are, and figuring that out is actually kind of tricky. For example, imagine the rule is that the warrant requirement is satisfied only if the issuing judge’s power to issue warrants includes that physical location under the statutory warrant rules. That would mean that whether the warrant requirement is satisfied is only a matter of legislative grace, which seems arbitrary: Fiddling with the statutes would change the constitutionality of the search. Alternatively, you might try to argue that the territoriality is state by state, such that each magistrate has some implicit power to issue warrants in the state that authorizes the judge’s commission (or perhaps nationwide in the case of federal warrants). That’s a theory, but I don’t think it has much in the way of a constitutional basis. So putting the pieces together, I would say that the Fourth Amendment warrant requirement is satisfied by a warrant being issued somewhere, independently of whether it was issued in a particular state or district.

Evidence law has special rules that require someone who wants to introduce a document to first introduce “foundation” evidence that shows the document was indeed written by the person who supposedly wrote it; this is called “authentication.” Griffin v. State, decided by Maryland’s highest court on April 28, has an interesting discussion of how those rules play out with regard to online sources. The case itself involved the authentication of a MySpace Web page, but the discussion can apply to many other online sources as well.

Note that this is a different matter than deciding the reliability of an online source, or the admissibility in other respects of an online source (e.g., whether the source contains inadmissible hearsay). It is also a different matter than deciding the factual authenticity of the source given a dispute about the foundation evidence (e.g., if A denies that he wrote a Web page, but B testifies that he had heard A say he did write the Web page). The question is simply what factual foundation — however disputed that factual foundation might be — has to be presented before the document can even be introduced into evidence. It would then be up to the jury to resolve any factual disputes related to that foundation evidence.

Here’s the court’s discussion of some ways that a Web page such as a MySpace page can be authenticated in the legal sense, so that the site’s contents can be introduced as evidence:

The first, and perhaps most obvious method would be to ask the purported creator if she indeed created the profile and also if she added the posting in question, i.e. “[t]estimony of a witness with knowledge that the offered evidence is what it is claimed to be.” The second option may be to search the computer of the person who allegedly created the profile and posting and examine the computer’s internet history and hard drive to determine whether that computer was used to originate the social networking profile and posting in question.... A third method may be to obtain information directly from the social networking website that links the establishment of the profile to the person who allegedly created it and also links the posting sought to be introduced to the person who initiated it....

Simply observing that the page contains a good deal of personally identifying information about the ostensible author is not enough. “[T]he picture of Ms. Barber, coupled with her birth date and location, were not sufficient ‘distinctive characteristics’ on a MySpace profile to authenticate its printout, given the prospect that someone other than Ms. Barber could have not only created the site, but also posted the ‘snitches get stitches’ comment. The potential for abuse and manipulation of a social networking site by someone other than its purported creator and/or user leads to our conclusion that a printout of an image from such a site requires a greater degree of authentication than merely identifying the date of birth of the creator and her visage in a photograph on the site in order to reflect that Ms. Barber was its creator and the author of the ‘snitches get stitches’ language.”

So argued Kenneth M. Stern, a California lawyer; no dice, said the district court in Stern v. Does (C.D. Cal., decided Feb. 10, 2011 but just now made available on Westlaw). No dice, said the court, concluding that the message lacked the modicum of creativity required for copyright protection — because it was so short and dictated by functional considerations — and that the copying was a fair use. Both conclusions seem right to me, though the fair use conclusion is especially clear, given the utter lack of any likely effect on the value of plaintiff’s work.

In fact, the court said that the plaintiff’s claims were frivolous enough to warrant requiring plaintiff to pay attorneys’ fees — a remedy that the Copyright Act allows. (The court concluded that the defendants’ request for fees was insufficiently specific to support an immediate award, but allowed the defendants to refile their request.) The plaintiff is appealing.

Here’s an excerpt from the case, though if you’re interested in the court’s reasoning you should read the whole thing:

Plaintiff is an attorney. In September 2006, Plaintiff retained the forensic accounting firm White, Zuckerman, Warsavsky, Luna, Wolf & Hunt L.L.P. (“White Zuckerman”) to perform a mathematical calculation on behalf of one of his clients. In March 2007, after receiving a bill from White Zuckerman for this work, Plaintiff became concerned that the billed hours were excessive and that White Zuckerman had been churning his client’s file.

Continue reading ‘Forwarding a Sentence-Long Message from a Listserv = Copyright Infringement?’ »

I’m going to leave it to Co-Conspirator Stewart and other cybersecurity legal experts to discuss the legal issues, but regarding the recent Stuxnet worm that Iran reports infected its computers and, we are told, particularly its nuclear program, the New York Times says

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

Kill Calder v. Jones!

It sounds like a good Civ Pro 101 (or, perhaps, Cyberlaw 101) exam hypothetical:

“Your client, Scott Roberts, a Virginia resident, purchased a Pontiac engine block from Kauffman Racing Equipment, L.L.C., an Ohio-based company that builds automotive equipment and sells it to the public. Roberts purchased the engine block after viewing it on Kauffman’s website. Roberts did not travel to Ohio; indeed, he has never been to that State. After Roberts received the engine, he found it defective, but after various exchanges of communications between Roberts and Kauffman, Kauffman refused to refund Roberts’ purchase price. Roberts then began a campaign of posting comments criticizing Kauffman on several websites related to automotive equipment. Kauffman alleges that these comments constitute defamation and intentional interference with contracts and business relationships. Question: Based on these facts alone, and assuming no other contacts between Roberts and the state of Ohio, can an Ohio state court exercise personal jurisdiction over Roberts?”

It’s not a hypothetical, but a real case, and the Ohio Supreme Court answered in the affirmative, relying on my 3rd-least-favorite Supreme Court case of all time, Calder v. Jones. In Calder, the Court allowed a California court to exercise personal jurisdiction over the authors of an article that a California resident, Shirley Jones, alleged to be defamatory. The authors of the article lived in Florida, and had no contacts with the State of California other than (a) the “knowledge” that Ms. Jones lived in California (and that therefore the “harm” would be felt in California) and (b) the distribution of the allegedly defamatory comments in California.

It’s absurd. A doctrine that allows a finding that you have had the requisite “minimum contacts” with New Mexico sufficient to satisfy the Due Process Clause simply on the grounds that you have said nasty things – even defamatory things – about someone whom you happen to know lives in New Mexico has always struck me as profoundly odd and misguided, and it has given lower courts fits over the years. Among other peculiarities, basing the inquiry on what the defendant does or does not know brings you into a hopeless swamp of uncertainty; it’s fair to haul me into a New Mexico court if I know that the mail order place where I buy my guitar strings is located in New Mexico, but not if I don’t know that? And that makes sense because . . .?

It would be nice to take Calder out of its misery once and for all. The folks over at Mayer Brown, with the Yale Supreme Court clinic, are (more or less) trying to do that; they have submitted a petition for certiorari in the Roberts v. Kauffman case. The petition’s a nice piece of work – if any of you happen to be studying these issues for that Civ Pro 101 or Cyberlaw exam, you could do a lot worse than reading it over for a very clear statement of what the law in this area looks like. I’m not enough of a Court-watcher to know whether the Court would, if it grants cert, do the sensible thing and overrule (or at least narrow into non-existence) the Calder doctrine – the prospect of the Court hearing the case and re-affirming (or even, heaven forbid, strengthening) the doctrine does, I admit, make me a little nervous (though maybe someone who knows the predilections of our Justices better than I do can reassure me on that score).

So holds Amazon.com v. Lay (W.D. Wash., decided yesterday):

Amazon pursues summary judgment as to its First Amendment claim that the DOR’s request for all information related to Amazon’s sales to North Carolina residents violates the First Amendment. The Court agrees and GRANTS the motion.

The First Amendment protects a buyer from having the expressive content of her purchase of books, music, and audiovisual materials disclosed to the government. Citizens are entitled to receive information and ideas through books, films, and other expressive materials anonymously. In the context of distribution of handbills, the Supreme Court held that anonymity “exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular.” McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 357 (1995); Talley v. California, 362 U.S. 60, 64 (1960) (protecting anonymity in handing out campaign literature). The fear of government tracking and censoring one’s reading, listening, and viewing choices chills the exercise of First Amendment rights. In a concurring opinion, Justice Douglas highlighted the deleterious effect of governmental meddling in the reading habits of its citizens: “Some will fear to read what is unpopular, what the powers-that-be dislike. When the light of publicity may reach any student, any teacher, inquiry will be discouraged.” United States v. Rumely, 345 U.S. 41, 57-58 (1953) (Douglas, J., concurring).

Continue reading ‘North Carolina Department of Revenue’s Demand for Amazon Customer Records Violates the First Amendment’ »