Roadmap for OSP’s Summer

Posted on 2013/05/19 by Dougernaut

This week begins my summer OSP series. Usually the articles will come out on Thursdays, but obviously if you’re using an RSS reader you’ll just get the articles when they come out. I’ve decided I can’t do an article per week during the semester, but I’m certain I can do an article a week during the summer.

Here are the article topics currently on the docket (in no particular order).

  1. Tax Consequences of Free Software (Part 1?)
  2. Copyright Chapter 9: Protection of Semiconductor Chip Products
  3. Secrecy vs. Privacy
  4. Patent Act Section 105: Inventions in Outer Space
  5. Does WordPress still have problems?
  6. Blogger has a “Cybersquatting” Problem
  7. Communities on G+ (or How Free Should You Be?)

By my count, there are 14 weeks left during the academic summer (including this week). That means I have 6 more potential article topics. Please let me know if you have topics for suggestions! You can find me on facebook, G+, twitter or status.net. You can also leave us a comment!

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

Posted in meta | Leave a comment

Cybercrime 11: Identity Theft

Posted on 2013/05/03 by Dougernaut

This is the last Cybercrime post…maybe ever. I’ve not really gotten any feedback on the previous posts other than the fact that April was a record-breaking month. I wrote a trademarks post in April too, so I don’t know if that provided any sort of bump. As I write this on May 2, we are on pace to almost double our record-breaking April, so maybe that’s something. The fall schedule was supposed to come out yesterday, but it still hasn’t come out. Once I pick classes for the fall, I’ll let everyone know what they can expect on the blog come fall. As for the summer, well, I have 8 drafts in the works, so I suspect I’ll get those out the door. I haven’t thought about a summer theme though. I am up for suggestions.

As to this final Cybercrime post for the semester, our reading actually covered stalking and harassment as well as identity theft. If anyone is interested in an article on those topics, please let me know. For now I am going to sum it up with stalking and harassment are bad, mmkay?

Today’s reading:
Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
Identity Theft Penalty Enhancement Act, 18 U.S.C. § 1028A
Fraud and Related Activity in Connection With Access Devices, 18 U.S.C. § 1029

Incidentally, identity theft is also bad; you know, if that wasn’t clear from the whole cybercrime motif. Even if some things that are crimes shouldn’t be, like say, violating a contract, they are still bad if you do them and get caught before the EFF and others can convince people to change the laws (and violating a contract is always going to be subject to civil penalties, so it’s just something you shouldn’t do). So, don’t steal people’s identities. I feel pretty confident with that advice, even though I am not a lawyer, but you know, consult an attorney if you have question.

Identity Theft and Assumption Deterrence Act

Sitting down to write this post, I realized that I had a lot less to say than usual. I thought, perhaps, I was just exhausted from finals (I am) and just couldn’t think of anything. However, in a moment of clarity, it occurred to me that we read no case law on the topic of identity theft. We focused exclusively on stalking and harassment. Because of that, there are no judges interpreting the statute in crazy ways. Crazy judges make for easy commentary.

Identity theft prevention and security generally I think are going to be reoccurring topics on OSP, so I think looking at the federal statute can provide important background information, even if this post is going to be on the dry side.

It turns out there are 1799 words (according to LibreOffice) in this section of Title 18, so obviously commenting on all of it would lead to a pretty long article. Since the definitions cover both 1028 and 1028A, I’ll reproduce the definitions here for your perusal.

(d) In this section and section 1028A

(1) the term “authentication feature” means any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature that either individually or in combination with another feature is used by the issuing authority on an identification document, document-making implement, or means of identification to determine if the document is counterfeit, altered, or otherwise falsified;

(2) the term “document-making implement” means any implement, impression, template, computer file, computer disc, electronic device, or computer hardware or software, that is specifically configured or primarily used for making an identification document, a false identification document, or another document-making implement;

(3) the term “identification document” means a document made or issued by or under the authority of the United States Government, a State, political subdivision of a State, a sponsoring entity of an event designated as a special event of national significance, a foreign government, political subdivision of a foreign government, an international governmental or an international quasi-governmental organization which, when completed with information concerning a particular individual, is of a type intended or commonly accepted for the purpose of identification of individuals;

(4) the term “false identification document” means a document of a type intended or commonly accepted for the purposes of identification of individuals that—

(A) is not issued by or under the authority of a governmental entity or was issued under the authority of a governmental entity but was subsequently altered for purposes of deceit; and

(B) appears to be issued by or under the authority of the United States Government, a State, a political subdivision of a State, a sponsoring entity of an event designated by the President as a special event of national significance, a foreign government, a political subdivision of a foreign government, or an international governmental or quasi-governmental organization;

(5) the term “false authentication feature” means an authentication feature that—

(A) is genuine in origin, but, without the authorization of the issuing authority, has been tampered with or altered for purposes of deceit;

(B) is genuine, but has been distributed, or is intended for distribution, without the authorization of the issuing authority and not in connection with a lawfully made identification document, document-making implement, or means of identification to which such authentication feature is intended to be affixed or embedded by the respective issuing authority; or

(C) appears to be genuine, but is not;

(6) the term “issuing authority”

(A) means any governmental entity or agency that is authorized to issue identification documents, means of identification, or authentication features; and

(B) includes the United States Government, a State, a political subdivision of a State, a sponsoring entity of an event designated by the President as a special event of national significance, a foreign government, a political subdivision of a foreign government, or an international government or quasi-governmental organization;

(7) the term “means of identification” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any—

(A) name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;

(B) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;

(C) unique electronic identification number, address, or routing code; or

(D) telecommunication identifying information or access device (as defined in section 1029 (e));

(8) the term “personal identification card” means an identification document issued by a State or local government solely for the purpose of identification;

(9) the term “produce” includes alter, authenticate, or assemble;

(10) the term “transfer” includes selecting an identification document, false identification document, or document-making implement and placing or directing the placement of such identification document, false identification document, or document-making implement on an online location where it is available to others;

(11) the term “State” includes any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession, or territory of the United States; and

(12) the term “traffic” means—

(A) to transport, transfer, or otherwise dispose of, to another, as consideration for anything of value; or

(B) to make or obtain control of with intent to so transport, transfer, or otherwise dispose of.

One thing I will note is that issuing authorities include other countries, so faking a French passport or something of that nature is going to be a crime.

That finally got me thinking…what if you want to make a movie that include made up individuals and the plot requires identification? According to (a)(1) it is a crime to

knowingly and without lawful authority produces an identification document, authentication feature, or a false identification document;

It’s possible that a First Amendment challenge might work, but this is definitely something on which I would need to do more research. If anyone is curious, let me know and maybe I can do the research this summer!

Identity Theft Penalty Enhancement Act

This shows up in Title 18 as “aggravated identity theft” and that may be more descriptive, as long as you know what “aggravated” means in the law. Basically, if you do bad stuff while impersonating someone else, there are enhanced penalties.

My only real thought about this is that I’d be curious how this interacts with the CFAA. Is sharing a Netflix password identity theft? It is certainly a violation of the Netflix TOS, and thus a violation of the CFAA.

Based on the definition of “means of identification” reproduced above, I suspect it is. Even if sharing a password doesn’t fall into the definitions of (C) and (D), which I suspect it might, the “including” language means that the specified means of identification are not the only possible means of communication.

And, if you do decide to share a password with someone, make sure it’s not a password you reuse for other services. This probably sounds like common sense, but a lot of people throw common sense out the window once they touch a computer.
Fraud and Related Activity in Connection With Access Devices

I always wonder about statutes like this. Fraud is fraud, right? The statute has been cited 8435 times according to Westlaw, so I guess there’s something in there. This statute goes through sub-section (h), so I can only cover a little bit of the act, but let’s see what we’ve got.

Those citations break down like this:

Cases: 1,829
Statutes: 8
Regulations: 5
Administrative Decisions & Guidance: 155
Secondary Sources: 540
Appellate Court Documents: 2,744
Trial Court Documents: 3,154

As it turns out, one of those cases is a SCOTUS case. That case primarily is about 18 U.S.C. § 3583, which brings up a good point. Whenever we discuss statutes on the blog, there may be other statutes that supersede in certain contexts. This is one of the problems with the US criminal code. We are discussing §3583. How is anyone expected to know that many provisions? I’ve been through two years of law school and I’ve barely touched the criminal code. Granted, that has largely been my choice. The school offers 12 criminal classes. Of course, there are other criminal classes out there that UNH doesn’t offer. For example, Vermont offers a course in wildlife crimes.

Of course, the numbers are a bit misleading. There are gaps, but Title 18 also goes up to §6005, so it’s not like §3583 is close to the end.

Obviously with so many cases and secondary sources, there is a lot to be said about fraud and cybercrime. However, I’m currently at 1850+ words, so it’s probably time for you to rest your eyes.

Now that I’m done with my planned Cybercrime series, I must decide how to spend the rest of my scheduled time studying for my Cybercrime final. I may decide to bring you more articles. I may decide to study for my tax final instead. Man, tax is a beast. I’ve already started an article on the tax consequences of free software, but we’ll see when I’m able to get that out.

 

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

Posted in Cybercrime, law | Tagged | Leave a comment

Cybercrime 10: Protection of Minors

Posted on 2013/05/02 by Dougernaut

This is a pretty hot-button topic. Free speech and children are two of the things people get most worked up about. If you put them on opposite teams, there is sure to be fireworks. While SCOTUS has put some limits on child protection laws due to the First Amendment, it is important to remember that the First Amendment is not without bounds. Defamation law is one example. Intellectual Property laws are another example. And, of course, you can’t yell “fire” in a movie theater.

My point is that pretty much everyone can agree that children should be protected in some fashion (they are human, after all) and pretty much everyone can agree that at the very least there should not be prior restraints on most speech. I encourage people to keep an open mind about the issue. As long as one side is screaming “baby killer!” and the other side is screaming “NAZI!” we aren’t going to get anywhere on this issue. I’m not suggesting by any stretch that my article holds any sort of magic solution. I mean that people should keep an open mind at all times, not just while reading the article.

Here was today’s assigned reading:

7. Protection of Minors
7.1. Federal Statutes
7.1.1. Sexual Exploitation and Other Abuse of Children, 18 U.S.C. §§ 2251, 2251A, 2252, 2252A, 2252B, 2256, 2257 & 2260
7.2. Case Law
7.2.1. Knowing Possession
7.2.1.1. U.S. v. Tucker, 305 F.3d 1193 (10th Cir. 2002)
7.2.1.2. Commonwealth v. Diodoro, 2006 PA Super 308 (Pa. Super. 2006)
7.2.1.3. State of New Hampshire v. Peter Clark (2008)
7.2.2. Individual Search v. State Action
7.2.2.1. U.S. v. Jarrett, 338 F.3d 339 (4th Cir. 2003)
7.2.2.2. New York v. Emerson, 766 N.Y.S.2d 482 (N.Y. Sup. 2003)

Since I brought up the First Amendment, I think the rest of the post we should probably talk about state action, since state action is a doctrine in the First Amendment as well. I know I do this a lot…start with a broad topic in the title and then narrow it down, but unless you want to read for 12 hours (3 hours of class time plus x3 out of class prep), I’m not going to be able to cover all of the material. I’ve also had other classes that occasionally come up on OSP (I actually started naming the classes that might apply and I realized that I was quickly making a list of every class I’ve had in two years of law school…so the point is, it’s complicated). I do, of course, remain open to suggestions on how best to convey knowledge on the blog.

Anyway…

At it’s core, the state action doctrine in both the 1st and 4th Amendment contexts is pretty simply: the 1st and 4th Amendments only protect you from the government. Other laws, such as trespassing, conversion, theft or any number of other causes of action, might protect you from a non-government actor.

The question becomes, essentially, when does a vigilante become a government actor? We often like to think of Batman as a vigilante, but I’m pretty sure the Bat-signal or Bat-phone turn Batman into a state actor. While the Wikipedia article on state actors is surprisingly short (and doesn’t even mention the 4th Amendment), it’s actually a huge topic and one we can’t cover fully in one article.

In neither of the cases we covered in class where state action was an issue did the judge actually find state action. While a sample set of only two, you might think perhaps that Batman could wiggle out of state action somehow. However, I think the only way that could happen would be if they didn’t use the Bat-signal or Bat-phone. If Batman were to do his thing and the Gotham police sorta just let it happen, then we might be talking. Of course, Batman has been doing his thing since 1939, so aside from the fact that he is pretty old (and I’m aware there are multiple continuities), at some point the reasoning in U.S. v. Jarrett, 338 F.3d 339 (4th Cir. 2003) (didn’t think I was gonna bring it back, did you?) would suggest that he would become a state actor.

Jarrett was a child pornographer. That was not in dispute in the case. What was in dispute was whether the government violated his 4th Amendment rights. The traditional remedy for a violation of the 4th Amendment right is the exclusion of evidence. A lot of people hate the exclusionary rule either because A) it allows criminals to go free (it certainly does) and/or B) the word “exclusion” doesn’t appear in the Constitution. However, it seems to me that the government breaking the law is a pretty clear violation of “due process” which just so happens to be guaranteed by the 5th Amendment. So, I agree with the courts (on the existence of the exclusionary rule). Mark your calendar.

Actually, I’m not entirely sure I disagree with the outcome of Jarrett. There’s really a timing issue. The illegal search (no one disputes it was an illegal search) happened before the government gave the Turkish cracker (the court disputes that the record suggests he is Turkish, but that’s the word on the street) the “wink and nod” on the go-ahead for more cracking. What is terribly distressing though is the 10th Circuit’s U.S. v Souza case, which the court cites as “holding that police are under no duty to discourage citizens from conducting searches of their own volition.” What the hell are you smoking? Apparently whatever you want, because the police are under no obligation to enforce the law. What kind of garbage is this? I mean, I guess as long as the searches are legal searches, then I have no problem with that statement, but the citation is being used to suggest that the government can recruit foreign cyber-criminals through wink and nod transactions.

U.S. v. Jarrett is a 4th Circuit case, which means it doesn’t apply everywhere, but it has been cited 187 times and only three times negatively according to Westlaw. It’s only 8 pages long with footnotes, printed out from Westlaw, so I encourage you all to read it. I’m now well over 1000 words, so it’s probably time to let you get on with your life. Thanks for reading!

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

Posted in Cybercrime, law | Tagged , , | Leave a comment

Cybercrime 9: Trade Secret Misappropriation and Other Stolen “Property”

Posted on 2013/05/02 by Dougernaut

Most of you will be glad to know that it was my professor and not me that first included the scare quotes around “property.” He’s an interesting guy. He is/was a Dead Head, but seems like a pro-plaintiff/pro-prosecutor kind of guy for the most part. I guess it’s possible to believe drugs should be legal but that intellectual property (IP) is important. I suspect though that most people that lean left (or libertarian) on drug issues lean similarly on IP issues. I’d be interested in hearing people’s thoughts on the matter.

Here is today’s relevant assigned reading:

5. Trade Secret Misappropriation and Other Stolen “Property”
Economic Espionage Act, 18 U.S.C. §§ 1831-39
National Stolen Property Act, 18 U.S.C. § 2314
Federal Wire Fraud Statute, 18 U.S.C. § 1343
U.S. v. Riggs, 739 F. Supp. 414 (N.D. Ill. 1990)
U.S. v. Schreier, 908 F.2d 645 (10th Cir. 1990)
U.S. v. Brown, 925 F.2d 1301 (10th Cir. 1991)
U.S. v. Martin, 228 F.3d 1 (1st Cir. 2000)

Aside from my wandering intro above, I’m going to try to stay super-focused on the trade secrets issue. It’s hard to talk about trade secrets (particularly in the software context) without also talking about patents, but I’m going to try to keep that for another day.

Of course, as soon as I say that, let me wander a bit…

It’s an interesting question whether case law or statute is easier to change and thus whether I should focus on the three statutes or the four cases for purposes of perpetuity. It’s true that the only thing standing between judges and changing the cases is stare decisis. However, for a variety of reasons, it seems to work. Cases are much more often distinguished than overruled. In fact, two cases that everyone seems to hate, Wickard v Filburn and Korematsu v. United States are still on the books, although Wickard may be a bad example, since at least as recently as 2005, the principles of Wickard were used to justify our increasingly ludicrous drug war.

On the other hand, Congress seems unable or unwilling to get anything done. Whether or not you’d want them to change those particular statutes is, of course, a matter up for debate.

The deciding factor for me to look at the statutes is that the cases only apply in the 10th and 1st circuits. While Riggs has been followed, it’s just a district court case. Since I know we have readers in the 9th Circuit (there are a total of 11 circuits, 13 depending on how you count) it doesn’t make a lot of sense to focus on the case law.

Economic Espionage Act, 18 U.S.C. §§ 1831-39

There are a variety of things in the EEA, which you can read about over at Wikipedia. Here I am only going to focus on 18 U.S.C. §§ 1831-39.

§ 1831. Economic Espionage
§ 1832. Theft of Trade Secrets
§ 1833. Exceptions to Prohibitions
§ 1834. Criminal Forfeiture
§ 1835. Orders to Preserve Confidentiality
§ 1836. Civil Proceedings to Enjoin Violations
§ 1837. Applicability to Conduct Outside the United States
§ 1838. Construction with Other Laws
§ 1839. Definitions

As you can see, we quickly get in to the procedural weeds and thus I want to focus even more closely on §§ 1831-33.

The key to this entire set of sections is the opening to 1831: “Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly….”

You can see why they are using the word espionage. At some level, it is not hyperbole. You have to wonder though, if someone steals code from Microsoft or Oracle and gives it to the public, is that really espionage? Most people would assume that if you post a trade secret publicly that it would help all governments not using FLOSS make their systems more secure.

Maybe, perhaps there is an exception for making stuff publicly available and not simply giving it to a foreign entity? No such luck. The exceptions are pretty sparse:

This chapter does not prohibit–
(1) any otherwise lawful activity conducted by a governmental entity of the United States, a State, or a political subdivision of a State; or
(2) the reporting of a suspected violation of law to any governmental entity of the United States, a State, or a political subdivision of a State, if such entity has lawful authority with respect to that violation.

Of course, posting the trade secrets would likely be a violation of the software agreement or an employment contract, which could very well be a violation of the CFAA, at which point you would end up in jail anyway. So, just yet another law to fix…

National Stolen Property Act, 18 U.S.C. § 2314

Interestingly, this provision was modified in the controversial National Defense Authorization Act. In order to find it in the text, you’ll need to search for “2314.” This particular provision of the NDAA seems innocuous enough. As a general rule, I don’t really like the veteran hero worship (I guess you’ll have to read the text to see why I said). It glorifies war too much. Of course, it is not the soldiers that decide whom we attack, when or with what force to do so. But, you didn’t come here for my views on war, I’m pretty sure.

So, trade secrets and wire fraud (below) would seem very obviously to fit in a Cybercrime course and on OSP, but stolen property? I’m a bit perplexed myself, but I think it is this:

Whoever, with unlawful or fraudulent intent, transports in interstate or foreign commerce, any tool, implement, or thing used or fitted to be used in falsely making, forging, altering, or counterfeiting any security or tax stamps, or any part thereof

You might look at that and think, “woah! that is broad,” but I don’t think it is as broad as it first appears. The key is the unlawful or fraudulent intent. As long as you don’t transport software or general computer hardware with the intent that it be used for making fraudulent securities or tax stamps, you should be good. Obviously, if someone accuses you of violating this provision, consult a lawyer.

Federal Wire Fraud Statute, 18 U.S.C. § 1343

Don’t be confused with what we discussed before, the Wiretap Act.

This is totally different:

Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation occurs in relation to, or involving any benefit authorized, transported, transmitted, transferred, disbursed, or paid in connection with, a presidentially declared major disaster or emergency (as those terms are defined in section 102 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122)), or affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

I guess the key take-away is: don’t mess with disaster areas! I don’t want to spend a lot of time on this, because I think it is pretty straight-forward. However, I note that at least one court has found a Constitutional limit on this provision.

 

Of course, all of these statutes have case law interpreting them, but I’m already at +1300 words, so I think it is time to let you go read another article and for me to start the 10th article in the Cybercrime series.

Looking at all of these provisions, you might be wondering about over-criminalization. If so, I encourage you to listen to this Federalist Society Podcast. I don’t tend to agree with a lot of the positions the Federalist Society takes (although, officially, they take no positions being a 501(c)(3)) but they do seem to present a reasonably balanced viewpoint. Since Republicans and Libertarians tend to disagree about things like drugs and war, it’s often not hard for the Fed Soc to present at least a couple of sides.

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

Posted in Cybercrime, law | Leave a comment

Cybercrime 8: DMCA Litigation Process

Posted on 2013/05/02 by Dougernaut

Per usual: IANAL/TINLA.

It’s finals time, which means I need to start thinking and synthesizing the Cybercrime material. You’ve already seen that with a bit of flurry of recent activity. That flurry actually lead to a record-breaking April for OSP in terms of site hits.

Today we are going to talk about copyright. There is a lot to say about copyright, and we’ve been discussing it some in the G+ Creative Commons Music Community. Additionally, Brian recently returned to the Music Manumit Lawcast with an article on copyright registration.

Since this is in the Cybercrime series though, today I specifically want to discuss copyright on the Internet. Due to the way the Internet works, Congress has had to cut out specific exceptions for Internet intermediaries. It is one of those specific defenses I will write briefly about in the rest of the post.

Generally speaking, we try to keep Open Source Playground understandable and relevant to the average technology enthusiast. However, today’s topic is admittedly a bit esoteric. The general topic of Internet intermediaries I don’t think is particularly esoteric and is an important concept for any startup Internet company to understand. Specifically, I am going to be focusing on how a plaintiff finds the appropriate defendant before filing a copyright suit.

Today’s topic is one a hope none of you ever need and more so than a lot of other topics, if an issue comes up, you need to speak with an attorney. It’s easy enough to get broad copyright principles from me or from Mike Masnick over at Tech Dirt, but once it’s time to go to court, you need to speak with a professional.

You might be thinking, “I don’t believe in copyright, I believe in sharing” and that’s great. We basically agree with you (if recipes aren’t copyrightable, it doesn’t make any sense for computer programs to be copyrightable, but nonetheless, they most certainly are). However, remember that the GPL is a copyright license. If individuals want to enforce the GPL, then they need to go through the normal copyright litigation procedures.

With that massive introduction to the topic out of the way, here’s Week 8′s reading:

I am primarily going to be focusing on Recording Industry Ass’n of America, Inc. v. Verizon Internet Services, Inc., 351 F.3d 1229 (D.C. Cir. 2003). First off, let me just note that the Verizon is the good guy in this case. Leave it to the RIAA to make Verizon out to be a good guy.

In this case, Verizon is attempting to protect its users (and, incidentally, their bottom line). It does so through the DMCA, or more specifically, 17 USC 512(h), which says:

(h) Subpoena To Identify Infringer.—

(1) Request.— A copyright owner or a person authorized to act on the owner’s behalf may request the clerk of any United States district court to issue a subpoena to a service provider for identification of an alleged infringer in accordance with this subsection.
(2) Contents of request.— The request may be made by filing with the clerk—

(A) a copy of a notification described in subsection (c)(3)(A);
(B) a proposed subpoena; and
(C) a sworn declaration to the effect that the purpose for which the subpoena is sought is to obtain the identity of an alleged infringer and that such information will only be used for the purpose of protecting rights under this title.
(3) Contents of subpoena.— The subpoena shall authorize and order the service provider receiving the notification and the subpoena to expeditiously disclose to the copyright owner or person authorized by the copyright owner information sufficient to identify the alleged infringer of the material described in the notification to the extent such information is available to the service provider.
(4) Basis for granting subpoena.— If the notification filed satisfies the provisions of subsection (c)(3)(A), the proposed subpoena is in proper form, and the accompanying declaration is properly executed, the clerk shall expeditiously issue and sign the proposed subpoena and return it to the requester for delivery to the service provider.
(5) Actions of service provider receiving subpoena.— Upon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a notification described in subsection (c)(3)(A), the service provider shall expeditiously disclose to the copyright owner or person authorized by the copyright owner the information required by the subpoena, notwithstanding any other provision of law and regardless of whether the service provider responds to the notification.
(6) Rules applicable to subpoena.— Unless otherwise provided by this section or by applicable rules of the court, the procedure for issuance and delivery of the subpoena, and the remedies for noncompliance with the subpoena, shall be governed to the greatest extent practicable by those provisions of the Federal Rules of Civil Procedure governing the issuance, service, and enforcement of a subpoena duces tecum.

The DMCA is oft-talked about in the tech press, and with good reason. Both the 512 series and the 12xx provisions have profound implications for copyright law in the US. However, this particular provision doesn’t get a lot of attention because it doesn’t criminalize anything and it doesn’t explicitly grant any exceptions. It is purely about process.

It turns out the provision is exceedingly important for privacy (and incidentally, for keeping ISPs from having to field subpoenas). The key provision here is 512(h)(4) which points to 512(c)(3)(A). Unfortunately for the RIAA, part of 512(c)(3)(A) says

(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

Since Verizon doesn’t store the material, it is impossible for them to locate it. Well, they might be able to sniff the location and then crack any password protection of the storage location, but that would violate the CFAA.

The case, as printed out through Westlaw is 8.5 pages, so it’s not particularly long. It is long enough though that I don’t think I can run through the entire opinion here. I do want to point out one thing before moving on though. As is the case with most (all?) statutes, the section is not clear without reading the definitions, which are listed in 17 USC 512(k). However, for this case, it does not matter what the definition of a service provider is because even if Verizon is a service provider based on the definition, they still cannot locate the material. I point this out just to leave you with the cautionary note that words in the law do not necessarily mean what they mean in normal speech. Additionally, the same words can mean different things in different statutes (and often do). If you want to figure out the law, ALWAYS read the applicable definitions.

If you would like to know more about the DMCA, you can check out the articles Brian and I wrote over at the Lawcast.

Of course, if you want to avoid the RIAA, ASCAP and the rest of the MAFIAA, just listen to, watch and support Creative Commons music and video.

As usual, if you have any thoughts on future coverage, please let me know. I could easily do case notes on each of the cases, if people would like that. I can also cover more current issues than we have been doing thus far.

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

Posted in Cybercrime, law | Tagged | Leave a comment

Anticybersquatting Consumer Protection Act – 15 U.S.C. § 1125(d)(1)

Posted on 2013/04/24 by Dougernaut

As always (though I should probably say it more): IANAL and TINLA!

Domain names, like many broad, introductory issues, are a topic not reasonably covered in a single blog post. My trademarks textbook uses 86 pages to cover the topic plus 38 pages in the yearly case supplement. Those pages do not even cover the new gTLDs, which we spent an entire day on in class. Even just the Anticybersquatting Consumer Protection Act (ACPA) takes up 26 pages of the standard text and 23 pages in the supplement, so we won’t be able to dig into a lot of detail. As always, let me know if you want to know more about domain registration and I can see what we can do.

Unfortunately, there does not appear to be an entry-level trademarks podcast on the web, like there is for copyright and other topics. The Music Manumit Lawcast will be looking to remedy that this summer, but until then you’ll need to rely on text and scattered podcasts around the web.

For now, I guess you can count this amount the text entries, at least as it relates to the ACPA.

Understanding the context of ACPA means understanding, at minimum, that the Uniform Domain-Name Dispute-Resolution Policy (UDRP) exists. The UDRP was created by Internet Corporation for Assigned Names and Numbers (ICANN) and administered by the World Intellectual Property Organization (WIPO). The “UDRP in the U.S. Courts” section in our book takes up 9 pages, so, again, it’s not a topic I can really address in full. I just want people to know when they are doing additional research that they will see domain resolutions not involving the ACPA.

The ACPA modified the Lanham Act, which is the US trademark act. Unlike patents and copyrights, states can have their own trademark law, so don’t get confused between the federal law and the state law. Because trademark lawyers like to confuse people (I can’t really think of any other reason), they generally refer to the Lanham Act sections by their Lanham Act # rather than their # in the U.S. Code. The Lanham Act resides in Title 15, which deals with Commerce and Trade. Specifically, it starts at 15 U.S.C. §1051. and goes to §1141n (don’t worry about the ‘n’. It’s not a typo). The ACPA refers to §1125(d)(1) or §43(d)(1) of the Lanham Act. This section, §43, is actually very important to the Lanham Act generally. It’s where the the causes of action are. If you don’t know what causes of action are, don’t worry about it. Just know that you are going to see §43 thrown around a lot when people are talking trademarks and that, by itself, does not mean there is a domain name involved.

So, the act name uses the word “cybersquatting” but the section in the Lanham uses the word “cyberpiracy.” Don’t ask me. Maybe they Republicans wanted “cyberpiracy” and the Democrats wanted “cybersquatting” so they compromised. Ultimately, it’s unimportant, just don’t be confused.

There are two sub-sections to §43, which are, almost shockingly, labeled (1) and (2). Sub-section (1) tells you what cybersquatting is (obviously important). Sub-section (2) allows for in rem jurisdiction. Unless you are a lawyer, you should never have to worry about jurisdiction, so don’t worry about it. I will say though that normally you need jurisdiction against a person. In rem jurisdiction, on the other hand, is jurisdiction against a thing, in this case, namely, the domain name.

I bet you know what is coming next…sub-section (1). Yeppers. Sub-section one has five sub-parts, (A)-(E). All five parts are important, the bulk of sub-section (1) resides in (A) and (B). I’ll let you read the text for yourself. I’ve said enough about where it is and how you can find it, I think. I do want to point out two things to you though, one in §43(d)(1)(A) and one in (B). In (A), I did a little digging and 220506 refers to the Olympic Committee. In (B), even though there are nine listed factors, those are not the only factors. If you read the starting language in (B)(i) this is clear, but not everyone is a careful reader, so I wanted to point it out.

So, that’s all I’ve got for you today. For a full treatment of the ACPA I’d get into the legislative history and the case law, but we are already up to 828 words, which is probably enough for one sitting. If you’d like to know more about the ACPA (and, incidentally, my personality), you can check out a draft my final exam from December 2011. I’m not sure why I didn’t finalize the document on GDocs. Sometimes GDocs has formatting issues, so maybe that was why. If anyone is curious about the final draft, I will see what I can do in getting it up.

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

Posted in Internet Regulation, law | Tagged , | Comments Off

Cybercrime 6: Let’s Talk About the Constitution Baby

Posted on 2013/04/20 by Dougernaut

Ok, maybe the Constitution isn’t as sexy as, well, sex. Still, we need to talk about it.

Back in Week 5, I did a short overview on the ECPA. I mentioned I would be doing a second week, but got no questions, in the two months since that post, so I’ll just chug along with what I want to talk about. Which, as it turns out, is the Constitution. The ECPA and the Constitution are intertwined because the ECPA, at some level, is Congress’ intent to express where they think the boundaries of the 4th Amendment should be. Congress can’t override SCOTUS when it comes to interpreting the Constitution, but still, all three branches have some responsibility to interpret the document. And, considering the words “searches” and “seizures” appear in the 4th Amendment, it shouldn’t be shocking we end up talking about it when discussing materials labeled as “search and seizure.”

Here’s the search and seizure reading:

Commonwealth v. Proetto, 771 A.2d 823 (Pa. Super. Ct. 2001)
U.S. v. Kennedy, 81 F. Supp. 2d 1103 (D. Kan. 2000)
U.S. v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001)

I’ll briefly discuss each case below.

Commonwealth v. Proetto, 771 A.2d 823 (Pa. Super. Ct. 2001)

This case says, among other things, that there is no expectation of privacy in email because people can forward them. Need I say more?

Probably not, but I’m going to anyway. I’d like to chalk this case up to a bad facts equal bad law scenario, but I don’t think I can due to the third-party doctrine. We can talk more about the third-party doctrine another day if people are interested in that.

Secondly, I’m not sure how to square this with things such as attorney-client privilege. I’m guessing the little notices on attorney emails aren’t the magic sauce but rather that attorney-client privilege is rooted in the 5th and 6th Amendments. In light of contract law that says you don’t have to know there is a contract in order to have formed a contract (which is ridiculous!) putting a privacy notice on your email is worth a shot. Remember, I am not a lawyer and this is not legal advice (and I don’t think it will work anyway…better than nothing though).

Anyway, in theory, the Katz test makes sense. The idea that the 4th Amendment protects people and not places makes total sense. However, the Katz test allows judges who presumably know nothing about technology make decisions regarding what people think about those technologies. No evidence is required to prove the public’s expectation. Perhaps survey evidence could work (it seems to work well enough in trademark law)
U.S. v. Kennedy, 81 F. Supp. 2d 1103 (D. Kan. 2000)

This is a child pornography case, which is a bit different from the solicitation involved in Proetto. I didn’t want to mention that in Proetto because most people don’t care what doctrine is used to put child-predators in jail. There are only but so many of these cases you can read before it emotionally wears on you and we’ve read a lot in this class. Just try to keep things in perspective as I discuss these cases on the blog. Even if you think these people are sickos, one day you could be wrongly accused. Public defenders do a great service. I’ll probably never be one of them, so I’m not a part of their “union,” but I say you should thank your local public defender the next time you get a chance. It’s a tough job to defend these people when you don’t necessarily know if they are guilty or innocent and public defenders don’t make much money. I know I’m getting all soap-boxy on you, but I guess that’s how I cope.

Moving on…
U.S. v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001)

Yes, that Scarfo (well, the younger one). This case demonstrates the idiocy of the law and/or the brilliance of law enforcement in compiling with the law. Unlike Proetto, this is definitely a demonstration of the principle that bad facts make bad law (which is apparently a misquote of Holmes, but we’re gonna stick with it).

THE BAD FACT: This dude was a crime boss.

THE BAD LAW: The F.B.I. can circumvent the clear intent of a statute.

If a court wants to get you, they will. It’s cynical, but it’s true. It’s truer in some parts of the law than others. For instance, trademark law is rife with “rat” cases. In criminal cases, it’s generally not the case though due, in part, to the rule of lenity. It also has to do with the traditional common law role of juries in criminal cases. I’ve said it before, but if anyone wants to understand the role of the jury you should check out Lysander Spooner’s “Essay on the Trial By Jury.”

 

We’ve got an entire post on protection of minors coming up, so if you want to know more, just be patient. I know we didn’t really get into the ECPA, but hopefully now you have some background to help you if you decide to go read the cases. If you’d like to know more about the ECPA, just let me know!

Posted in Cybercrime, ECPA, law | Tagged | Comments Off

Cybercrime 4: State Computer Crime Statutes

Posted on 2013/04/20 by Dougernaut

We’re back with actual content! I suppose there’s no better place to start than where I left off.

Reading for the week:

1.7. CFAA: Can a Third Party Be Liable?
1.7.1. Doe v. Dartmouth-Hitchcock Medical Center, 2001 WL 873063 (D.N.H. 2001)
1.7.2. SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005)
1.7.3. Charles Schwab & Co., Inc. v. Carter, 2005 WL 2369815 (N.D. Ill. 2005)
1.8. State Computer Crime Statutes
1.8.1. Chapter 15, Part III, §§ 15:18 to 15:25, State Cybercrime Legislation, Data Security and Privacy Law
1.8.2. New Hampshire
1.8.2.1. Revised Statutes Annotated (“RSA”) 638:16 Computer Crime; Definitions
1.8.2.2. RSA 638:17 Computer Related Offenses
1.8.2.3. RSA 638:18 Computer Crime Penalties
2.Sentencing (which humorously [I think] Anonymous took down)
2.1.1. SKIM: Federal Sentencing Guidelines
2.1.1.1. SKIM: § 1B1.1: Application Instructions
2.1.1.2. SKIM: § 1B1.3: Relevant Conduct
2.1.1.3. SKIM: § 2B1.1: Theft, Embezzlement
2.1.1.4. SKIM: § 2B2.3: Trespass
2.1.1.5. SKIM: § 2X1.1: Attempt, Solicitation, or Conspiracy
2.1.1.6. SKIM: § 3B1.3: Special Skill
2.1.1.7. SKIM: Chapter 5, Part A, Sentencing Table

Before I start talking about state computer crime laws, let me first say that the answer to the question posed in 1.7 above is a resounding yes, a third party can be liable. I’m not going to say anything more than that you have to be pretty stupid to think the government is going to let you hire a hitman and walk away unscathed. Obviously there are some cases that walk the line between “aiding and abetting” and “vicarious liability.” As always, this is not legal advice, but use your brain people.

On to state laws…

There was a time when it was thought criminal law was the province of the states*. Whether you date 1937, 1941, 1942 or 1964 as the time when the Feds squashed this idea doesn’t really matter. It’s been a long time. There have been some attempts to curb the Commerce Clause power, but without a Constitutional Amendment, I don’t see any going back. To a certain extent, this makes sense. No one can seriously argue there is not more interstate commerce in 2013 than there was in 1789, or even 1964.

But despite the essentially plenary power of the federal government, and high-profile cases that suggest the contrary, criminal law does primarily unfold at the state level. Part of this is tradition, part of this is resource allocation.

The purpose is not to talk about the why states cover criminal law, so much as to give a brief glimpse of the how, using New Hampshire as a case-study example. New Hampshire is in some ways more like a southern state than a New England state, but it also has a distinct New England feel. Thus, the case-study is more relevant to those states most like New Hampshire. Also, since I know we have California readers, let me say what you probably already know: California is different**.

 

RSA 638:16 Computer Crime; Definitions

I don’t know what to make of the note at NHRSA.org that states that this hasn’t been updated since 1985, especially since the bottom of the same page seems to indicate that revisions went into affect Jan 1, 2003. Regardless, there are some interesting things we can take from the definitions.

First, there is a definition of “access.” This is different from the CFAA, which in relevant part only defines “exceed authorized access” in 18 USC 1030(e)(6). The lack of a definition of access has caused some confusion among courts. I discussed this in greater detail in my Cybercrime Week 2 post, where I discussed a Kansas statute (you know, if you’re looking for state statutes other than New Hampshire).

There are 16 definitions, some of which are rather long, so I don’t think it is worth going through them in detail. If any New Hampshirites would like me to go more in depth, please let me know.

However, before we move on, I do want to deal with the 16th definition, which is that of property. This definition (and definitions like it) will once again be a topic of discussion when I address trade secrets. The term property, as it relates to New Hampshire computer crimes includes:

  • (a) Real property;

  • (b) Computers and computer networks;

  • (c) Financial instruments, computer data, computer programs, computer software and all other personal property regardless of whether they are:

    • (1) Tangible or intangible;

    • (2) In a format readable by humans or by a computer;

    • (3) In transit between computers or within a computer network or between any devices which comprise a computer; or

    • (4) Located on any paper or in any device on which it is stored by a computer or by a human; and

  • (d) Computer services.

The word “includes”, which is in the statute, has a specific legal meaning. The word “includes” is used instead of “means” when someone wants to leave a definition open-ended. Basically, property can mean things not listed. This is the opposite of the definition of access. Things that are similar to the definition of access should not be included as access (theoretically) because the word “means” is used in the access definition. You you take a look at the complete definition section, you will notice that “means” and “includes” are used in various definitions.

RSA 638:17 Computer Related Offenses

This provision defines six computer crimes.

  1. “unauthorized access”
  2. “theft of computer services”
  3. “interruption of computer services”
  4. “misuse of computer or computer network information”
  5. “destruction of computer equipment”
  6. “computer contamination”

Given the proper definitions and thresholds, these all seem pretty reasonable. Much of the kerfuffle about the CFAA is that the definition of unauthorized access can include a breach of contract. Yes, a breach of contract is technically unauthorized, but what sense does it make to criminalize what has for centuries been a private right of action? NONE.

In New Hampshire,

A person is guilty of the computer crime of unauthorized access to a computer or computer network when, knowing that the person is not authorized to do so, he or she knowingly accesses or causes to be accessed any computer or computer network without authorization.

So, it seems to me that if you know the terms of a contract, the violation of a contract (the “terms of service”) could be a crime. Nobody reads those things though, right? Unfortunately, in many cases, that does not seem to matter.

Before moving on, let me be slightly controversial and suggest that the CFAA probably doesn’t need much reform. What needs reform is contract law. Unfortunately, contract law is governed by the 50 states and the territories, so that means 50+ points of attack. Plus, the idea that there is a computer law that hasn’t been updated in ~30 years makes for a good sound bite. So, the CFAA it is, I guess, even if Congress may make it worse.

RSA 638:18 Computer Crime Penalties

This is where the rubber meets the road. Had Aaron Swartz not faced the amount of time in prison that he did, maybe things would have turned out differently (although, I have to admit I don’t understand all the details of the 6-month plea bargain. On the face of things, it seems like that would have been a better choice).

Here, the damage amounts are lower than the CFAA ($1500 < $5000). What this means is that the state laws can easily be more draconian than federal laws (you can imagine other ways in which they could be more draconian as well).

Past that, we are really going to have to start digging into classification of crimes and sentencing guidelines and for an introductory post of state computer crimes, that probably is not warranted. As always, if people would like me to did into sentencing a bit more please let me know. In general, if you’d like to know more about how you, on a personal level, can help stop some of this insanity, I encourage you to check out the “Essay on the Trial By Jury” by Lysander Spponer.

 

 

* incidentally, while I’m writing this article I’m also writing a paper on international intellectual property (specifically the TPP). Some argue there is a lack of sovereignty even at the nation level these days. I’m not going to get into that here, but suffice it to say I felt it was worth a mention. Stay tuned because I’ll be posting the paper here when it is finished.

** I don’t just mean from New Hampshire. I mean from the rest of the country. California is the only state that does not require an ABA-accredited law degree to practice law. California also has rules of Evidence that are codified differently from the federal rules. I’m sure there are other examples, but the point is California law is a world to itself.

 

Get in Touch

280.status.net: douglasawh
I’m on too many social networks to list them all!

Donate

Flattr
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.

 

Posted in Cybercrime, law | Tagged , , , | Comments Off

Looking Ahead

Posted on 2013/04/20 by Dougernaut

I didn’t want another “meta” post, but I was writing this in another post and it just didn’t seem like it made sense to keep it in that post.

Back before I decided to go monthly on the blog for March and April, I had really been thinking about what I can offer through these Cybercrime posts that the EFF doesn’t already offer. The EFF has 41 staff (all of whom I assume are full-time). On the other hand, OSP is two people (one of whom works full time elsewhere and the other of which, me, writes/records for 6 other publications and is a full-time student).

I think the answer might be in the numbers. Aside from all the great legal work EFF does, it also produces a lot of content. It is too much content for a busy person (like myself) to read (particularly with so many of us being cast away from Google Reader). On the Friday I was originally writing this article, for example, EFF produced no less than 5 articles. So, if you don’t have time to read everything the EFF comes out with, follow us and we’ll try to keep you up-to-date.

This, of course, brings up thoughts about what we’ll be doing this summer and next semester. Unfortunately, the UNH fall 2013 course listing is not going to be released until May 1st, so I can’t tell you exactly what is going to be happening next semester. Later this afternoon we are having a big NEF planning meeting, so after that I should know a little more about the summer. Right now it’s looking like there will be a weekly article during the summer. Stay tuned!

Posted in meta | Tagged , | Comments Off

Convention on Cybercrime Presentation

Posted on 2013/04/04 by Dougernaut

First, I’d like to apologize for skipping March. I made my statement about moving monthly early in our “winter break” and a few important things happened both during and after the break that made posting in March impractical. One of the things is that I have been working hard on is a Convention on Cybercrime Presentation, which you can see below.


You can also listen to me doing a run-through of the presentation.

I’d also like to say thanks to Mathew Selan (or perhaps Mathews Elan?) who was our very first Dreamhost donor. Please note that we’re working on our 501(c)(3) status. Until we get that worked out with the IRS, you can still donate to us, or flattr us, you just won’t get a tax deduction. Thanks again Mathew!

Posted in Cybercrime | Tagged , | Comments Off