© 2008 Online Security
How to Analyze Whether Your Online Conduct or Code is Illegal
Forum | Posted: 04/23/2002
There is one thing that most serious Internet users can agree upon: Internet law and its application to online activity is a total mess. Those who operate websites or poke around the fringes of network security are liable under laws they have never heard of, in jurisdictions they can't locate on a map, and for criminal penalties one normally associates with violent crime. How did we get to this point?
One reason is that Congress passed a series of new Internet-era laws meant to bring commercial, social and criminal order to the Internet. However, prosecutors and civil plaintiffs have been testing the limits of the new laws to see how far and wide they can be applied. To make matters worse, courts have reached different conclusions about the scope and application of the same laws. The result is that depending on which jurisdiction you live in, the particular time frame a perceived wrong is committed, and the direction of the political winds, you may or may not be liable for certain crimes or civil actions. Helpful, eh?
After spending a lot of time over the past several years reading Slashdot, message boards and network security tutorials, it has become apparent that there is an incredible amount of understandable confusion about Internet law, specifically copyright and criminal law. For example, there are many who think that it is okay to download a Blink 182 MP3 on a peer-to-peer network because they are merely "swapping" the songs without a commercial purpose. Others think that as long as they don't cause any damage, it is okay to access and explore root levels on third party servers. Another common misconception is that any device that breaks a password or encryption violates the DMCA. Others argue that port scanning is an illegal act, while others think it is safe to link to any program.
This article will attempt to explain a system to follow when assessing the illegality of your online and code-related acts. Hopefully the legal framework guide will allow you to categorize your activity so you have a better idea of at least which law might be applicable. The following article should be useful to website operators, software programmers, network security professionals and curious hackers/crackers. This article will primarily concern itself with criminal liability, although a person harmed by the criminal conduct can also usually bring civil actions.
I. The Legal Analysis Charts:
In an attempt to clarify the overall structure of criminal and civil online liability, Chart "A" will be used as a foundation to explore the various liability branches. Essentially, there are two major bodies of law that you should be familiar with:
1. copyright and 2. computer access.
And there are two major roles that determine which law should be applied:
1. the person who commits a crime because of his actions, and 2. the person who commits a crime because he writes, links, hosts or possesses certain banned code. From there, depending upon the Act that is committed, different subsections of each body of law will be triggered. The chart should simplify an otherwise confusing body of law.
A. The Act:
The "Act" refers to a person's actions that could point them down a particular legal path. If you look at the chart, the "Act" is the act of infringing on someone's copyright (explained later...) and the criminal and civil provisions of the copyright act will control. The "Act" of accessing a computer falls into two types:
1. accessing a protected computer without authorization (outsider), and 2. exceeding one's authorized access (insider).
B. Tools and Code:
In the Tools and Code section, the crime is committed because of the writing, linking, hosting or possessing of code. The difference between "Tools" and "Act" can be illustrated by looking at a situation where a burglar is walking down a street with a crowbar. Crowbars are legal because they are used to repair flat car tires. However, when the burglar uses the crowbar to force open a door, he has committed an "Act" of burglary, and the use of the "tool" now is illegal because it was used in a crime. Another example would be the child pornographer. The Act of molesting a minor is illegal. If one takes pictures of nude kids at the beach, there isn't necessarily any "molestation" if the children were not aware of it. However, the creation, distribution and possession of the pictures are illegal.
If you look at Chart "B," you will see several relationships to the code that could place you in a different legal status. For example, "Code" is the liability that faces the person who writes the code. "Hosted" means the liability for placing the code on your server for 3rd party downloads. Most of the time, it is irrelevant if the code is accessible to the public or is restricted to certain users. "Link to" refers to the liability for linking to the code on the "Hosted" server. And finally, "Download" relates to the liability for a person who downloads the code and possesses the code.
A good example of the interrelation of these parties is the distribution of child pornography. The person who creates the "code" for the image is guilty for producing a lascivious photo of an undressed minor. The person who hosts the image is liable for possession and distribution. The person who provides links to the image may be guilty of distribution. And the person who downloads the image is likely to be guilty of possession and receiving.
When analyzing the liability of computer code, you must combine both charts to effectively understand potential crimes. When looking at chart A, you can see that computer code can target copyright material (Function: Copyright) or issue commands to a computer (Function: Commands). It is what the code ultimately does that determines the status. Code that, for example, allows playback of audio files is normally within the authorized protected uses of the copyrighted material (Duplicator). However, the code that is used to play back encrypted audio files by breaking the access control measures (ACM) is likely going to violate the DMCA (Defeats Access Control Measures). All of this will be explained in detail later.
It must be stressed here that in the "Tools & Code Issues" section, the criminal issue is writing the code, linking to the code, hosting the code and downloading and possessing the code. Under the "Act" section, the criminal issue is using the code to infringe on someone's copyright or access a computer. Those activities are clearly illegal acts under the Copyright Act and the Computer Fraud and Abuse Act.
The misunderstanding usually results from confusing these important distinctions. For example, if one uses the SubSeven backdoor code to access a computer without authorization, although a tool was used, the criminal act is the access of the computer, not the writing, linking, hosting or downloading of the code. Maybe writing the code, for example, is illegal (which I do not believe it is), but that is different from the criminal act of accessing a protected computer. This is an important distinction because it gets to the heart of the legality of code that is written and hosted on websites.
II. The Legal Analysis Chart:
A. Act: Copyright Issues:
The first thing that a web site operator who is hosting the program, or the software developer who is writing the code, must determine is what the code is intended to do. There are two major categories: copyright law and criminal law. Essentially, if the code involves doing something with someone's copyrighted material, the code probably involves copyright protections. If the code involves commands that involve the operating system, in the broadest sense, of a personal computer or server, then the code might involve criminal law. Strangely, it is certain "copyright code" that criminalizes the mere possession, and "command code" depends on the Act and/or the intent itself. There have been several congressional attempts to criminalize the possession of certain command code, or malicious code. However, as of early 2002, there are too many legitimate uses of most malicious code to ban it. There are also 1st Amendment Free Speech protections that are beyond the scope of this discussion. Suffice it to say that while law enforcement would like to ban the creation and possession of certain code such as destructive worms with only malicious payloads (a good idea), there are significant structural and procedural impediments to such bans.
If you are not interested in some of the finer points of copyright law, then you can skip the below section and begin again at Relevant Copyright Issues.
1. What is a copyright?
Under the 1976 Copyright Act, an author is protected as soon as a work, which is an expression of an original idea, is recorded in some concrete way. With computer code, this is likely when it is saved to the hard drive or floppy drive. Computer code, both object and source code, is protected as "literary works." The copyright owner has the exclusive right to make copies of the work, and anyone who reproduces the work without authorization from the author is subject to an infringement suit. The copyright owner also controls derivative works, such as plays, and other adaptations of the basic work. The owner also has the right to control the display and performance of the work. The owner of the copyright controls the work for 70 years after the death of the author.
Although the copyright owner does not have to register the work with the US Copyright Office, there are certain statutory damage benefits you are entitled to because the registration of the copyright clears away any arguments that the infringer didn't realize the expression was already protected. So basically, when someone expresses an original idea in some fixed form, he can control who copies, distributes and performs the work, and can sue anyone who uses the copyright in an unauthorized manner. Of course, the infringer can raise certain defenses, such as that he used the work in a protected "fair use" manner.
Digital forms of copyrighted works have created special problems for copyright owners, because with very little effort, nearly exact duplicates can be made of the work and distributed in infinite amounts. As the Internet made widespread and simultaneous infringement more feasible, it became less feasible to bring infringement actions against those who, for example, traded protected MP3s on peer-to-peer networks.
Several copyright owner groups lobbied Congress not only to increase the penalties on those who infringe their copyrights, but also to add a new layer of protection that allowed the owners to wrap their protected content in new technology that would control the access to the protected work. The copyright owner groups argued that if only the Act of infringement, like copying, was illegal, the only way that owners could protect their work would be to sue the ultimate infringers, in multiple jurisdictions. In addition, some countries don't even have enforceable copyright laws or procedures. For example, without protecting the access to the work, copyright owners would have to sue potentially millions of people who downloaded and traded MP3s or e-books.
However, if they wrapped their work under a lock and key, and sold the keys to the work, then they would be able to control, in theory, their copyrights. Unfortunately, it would only take one person to crack the lock, and the content would be freed of its access and copy constraints, which led them back to ground zero. However, if they could make the Act of breaking into the locked content illegal, and even include the creation and possession of the tools used to crack the locks, they would have complete legal recourse to control the content. Congress answered their call and wrote the Digital Millennium Copyright Act ("DMCA") in 1998.
2. Criminal copyright:
Normally, copyright infringement actions are brought by the copyright owner who is defending his rights against an infringer. However, there are occasions when the US government will bring a criminal copyright "action" against an infringer. This is similar to the government prosecuting someone for stealing personal property.
a. Felony Copyright Infringement:
Under the Copyright Act, criminal copyright infringement can either be a misdemeanor or a felony. There are four essential elements to a charge of felony copyright infringement. The government must demonstrate that:
1. A copyright exists
2. It was infringed by the defendant by reproduction or distribution of the copyrighted work
3. The defendant acted willfully and
4. The defendant infringed at least 10 copies of one or more copyrighted works with a total retail value of more than $2,500 within a 180-day period.
5. And, if proven that the defendant acted "for purposes of commercial advantage or private financial gain," then the statutory maximum prison sentence can rise to 5 years.
b. Misdemeanor Copyright Infringement:
Misdemeanor copyright infringement, for which the maximum penalty is one year in prison and a fine of $100,000, is very similar to felony infringement, except that felony copyright infringement is committed only where the infringement is by reproduction or distribution.
1. A copyright exists
2. It was infringed by the defendant
3. The defendant acted willfully and
4. The infringement was done EITHER (a) for purposes of commercial advantage or private financial gain OR (b) by reproduction or distribution of one or more copyrighted works with a total retail value of more than $1,000 within a 180-day period.
The burden on the prosecution is much lighter in misdemeanor charges because they don't have to prove widespread infringement.
The first element in criminal copyright infringement is that there be a "copyright." Civil and criminal infringement actions may be brought only by owners of works that have been registered with the Register of Copyrights. However, several courts have held that technical irregularities in the registration process will not invalidate an otherwise proper registration.
Once the existence of a copyright has been established, then the government must prove that the defendant infringed on the copyright. The copyright code states that "[a]nyone who violates any of the exclusive rights of the copyright owner as provided by 17 USC Secs. 106-121, . . . is an infringer of the copyright." On the Internet, most infringement actions are brought for unauthorized copying or distribution, which are also the only infringing acts that can be a felony. The Act of copying does not have to be a copy of a stolen work, but can also be an unauthorized copy of a work that the infringer legally possessed.
There are two narrow exceptions permitted under copyright law for software: the "archival" exception and the "essential step" exception. According to the Justice Department's Guidebook for Prosecuting Criminal Copyright Infringement, "the 'archival' exception permits a lawful owner to make one backup software copy against the risk of destruction of the original by disk failure, system crash, or other mechanical or electrical failure. See 17 USC Sec. 117(a)(2). The "essential step" exception permits a person who lawfully owns one copy of the software to load the program into a computer for use, thus creating a second copy, without infringing the copyright. See 17 USC Sec. 117(a)(1). When there is no actual evidence that the defendant copied the work, then the prosecution may use circumstantial evidence to prove that (1) the defendant had access to the copyrighted work and (2) that defendant's work is substantially similar to the copyrighted material.
After the prosecution has established that there was a valid copyright, and that it was infringed by the defendant, then it must be proven that the defendant did so willfully. Congress did not include a definition of willful, and the courts have been divided. However, there have been several actions that have been shown to constitute willfulness. First, there is evidence that the defendant was aware of other people who were prosecuted for similar types of infringement. Evidence that the defendant was informed, or admitted, that his acts were illegal can also show willfulness. For example, interviews, website postings and e-mailed comments to clients have been used to show that the defendant was aware of the potential illegality of his acts. That is why it is so important to pull potentially infringing material from a website once you have been put on notice.
The last element of 1 or more copies is fairly straightforward. Congress wanted to set a higher number of copies for felony infringement so that casual copiers and distributors wouldn't be sucked into draconian punishments. But they also wanted to ensure that there was at least a misdemeanor criminal penalty for making even one copy. For felony convictions, the prosecution must also show that the retail value of the infringed goods was at least $2,500.
One of the most misunderstood aspects of copyright infringement is that the infringer does not have to make a profit to be penalized. Many people think that it is legal to make copies of your material and share them with friends, whether it is software, MP3s, or images. However, merely the willful copying of the work without a profit motive is still infringing.
Posting copyrighted material on a website for others to download without authorization is a severe form of infringement, and well-funded copyright owners will likely press charges, and seek civil damages. In order to establish felony copyright infringement, the prosecution still has to show that 10 unauthorized copies were made within a 180-day period, and that the loss was over $2,500. That can be difficult if a website, for example, only has 3 unauthorized programs stored on the server. They would have to access the server logs to determine whether 10 downloads were recorded. Recently, some courts have held that to show distribution, "it is not necessary to prove that others actually copied or used the work, only that the defendant knowingly made it available to the public."
The government must also link the defendant to the infringing website and show that he had some form of knowing control over the contents of the website. This can be a significant hurdle for the prosecution if the domain information is bogus. They must then seek the server logs, ISP logs, etc. to make a circumstantial case of control by the defendant.
3. Relevant Copyright Issues:
a. Warnings and Disclaimers:
Many websites use disclaimers to help shield them from criminal copyright liability by arguing that it is the visitors who violated the established policy of the website. For example, one well-known cracking site has a policy that reads:
So current site webmaster or organization hosting this site takes no responsibility for the way you will use information from this site. If you`re a member of any anti-piracy or related group or organization you cannot enter this site and view any of site contents. If you enter this site and do not agree with current terms you can not provide any treatment of our hosting ISPs, organization or any persons storing this site information because your actions will be estimated as violation code no. 431.322.12 of the Internet Privacy Act from 1995.
The Justice Department handbook states:
"Although such disclaimers could conceivably be evidence of the operator's good faith, in many cases they can actually be helpful evidence of the defendant's awareness of the law, and thus be used to establishing willfulness."
b. Liability for Serial Number and Cracking Programs:
As of early 2002, there have been very few legal cases where the court determined the legal status of "cracking" software. One such case was Wilcom Pty. Ltd. v. Endless Visions, 128 F.Supp.2d 1027 (E.D.Mich.,1998). The plaintiff sold commercial software that used a "dongle," or a security device, to control various levels of access to the software, depending on the version of the software that the user purchased. The defendants sold "dongle cracker" patches over the Internet to people who wanted to bypass the security controls, which would allow complete access to the software's features. Essentially, a "patch is nearly an exact copy of the main file of the computer program that contains the part of the code that interacts with the security device... The custom patches sold by the defendants [were] nearly an exact copy of the code with a small segment of the code altered. Altering the code allow[ed] the program to run without a security device. When the customer replace[d] the plaintiff's program with the defendant's patch, the program operates normally, without a security device." The patched program was then able to run, duplicate and distribute unauthorized copies of copyrighted programs without a security device.
The court held that the defendant was liable for copyright infringement because he copied the program code without authorization to create the patch, and the underlying patch code was nearly identical to the original program, which circumstantially proved that he infringed on the plaintiff's code. The court also alluded that the use of the patch program infringes on the owner's right to control distribution and use of the software. Also, since the person using the patch did not have authorization to access certain parts of the program, any copies made on the hard drive could also infringe on his rights.
A quote from a cracking tutorial states a very common perception: "So cracking is modifying your programs, and making them work they way you want them to. U can get a free demo program, crack it, and use it. BUT!!!! I repeat, if you crack a program, and start selling the cracked version or even offering it for free, it is a crime!"
While he is correct in saying that selling or offering for free the cracked version of the software is a crime, he is wrong with the demo software. If you follow the logic of the court, and apply the copyright act in the same way that US Attorneys have been instructed as discussed above, then you will understand, hopefully, that cracking a demo program is taking more control of the program than the license gives, which is infringement. If the license says "You are granted the right to use this program for 30 days, and after which time you must purchase a license," by cracking the program you are infringing on one of the express reservations placed in the license. Period.
c. Reverse Engineering and Software Licenses:
Copyright law provides for some very limited fair uses of reverse engineering. For example, the DMCA actually allows lawfully acquired software to be reverse engineered to make the software interoperable between operating systems. Mostly, however, the US is a very hostile place for the necessary procedure of reverse engineering.
Recently the courts have enforced the anti-reverse engineering license provisions. Mattel recently sued two non-US residents who reverse-engineered the CyberPatrol Web filtering program and created a tool that revealed the access control password and displayed a list of the blocked sites. The court held that the reverse engineering was illegal because it was prohibited by the software's shrink-wrap license. Mattel also was allowed to issue e-mail subpoenas against mirror sites that posted the software.
On a side note, this case is far more interesting because the defendants signed over the rights they had to "cphack", which was the program used to defeat CyberPatrol. However, cphack was developed under a GNU General Public License, which is an open-source license that permits anyone who receives a copy to modify and distribute it as they wish. What ownership interest did Mattel actually acquire to control the downstream uses of the program under a GNU license? But that issue is beyond the scope of this article.
4. Copyright Issues - Facilitator:
On Chart A, you will see that a "facilitator" can be found on the "Copyright Issues" and "Function: Copyright" branches. A facilitator is an entity that "facilitates" the communication between two networked computers. The difference between the two branches is whether the person is facilitating communication, or is providing the "software" to facilitate the communication. In this article, facilitators will primarily refer to Internet Service Providers ("ISP") and Peer to Peer ("P2P") network "operators."
With an ISP, a client accesses the Internet through the ISP's servers, and the ISP provides some form of IP addresses to its client so it can communicate with other networked computers and servers. A P2P network ultimately involves two end-users, or remote peers, in direct TCP/IP contact with each other where they download and upload between each other.
The DMCA has several specific safe harbor provisions for ISPs that limit their liability for the acts of third parties who are communicating on the Internet. Most of the high profile litigation today involves the status of the P2P facilitators. There are several different P2P architectures that determine how the peers are to contact and search each other's directories. Napster required peers to log on through its servers and inform Napster of the MP3 files they are willing to share with other Napster users. Freenet, on the other hand, is a highly decentralized network that operates with "nodes" that spread the content around the network. There is no central database that a court can shut down as a contributory infringer. In the middle are P2P networks like Gnutella and FastTrack. FastTrack uses a small peer-to-peer network of supernodes, each of which in turn functions as a miniature central server for hundreds of other users. As in Napster and Gnutella, file transfers in the FastTrack system are purely peer-to-peer, and involve neither the central server nor any supernode.
a. The Act: Contributory and Vicarious Infringement - P2P
It is important to continue to maintain the distinction between Acts and Tools. In this section, we are looking at the criminal and civil liability of how an entity "uses" the tool, not the creation of the tool itself. FastTrack, for example, developed the network architecture for their P2P system and licensed the technology to several companies, like Grokster, KaZaA and Music City, who have developed programs to access the FastTrack network. This involves both the creation of software, and an "Act" that uses the software. In other words, they go beyond merely developing, linking, or hosting the code. They are involved in facilitating what goes on in the network because they are in the business of putting two or more peers together who are likely to share copyrighted material. It is that involvement that would subject them to charges of contributory copyright infringement.
In the Napster trial, Judge Patel held that liability for contributory infringement attaches to "one who, with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another . . . [L]iability exists if the defendant engages in personal conduct that encourages or assists the infringement." Copyright owners would argue that KaZaA, for example, would be liable for contributory infringement because they have knowledge of infringing activity on the network because they have made admissions in writing and statements to several copyright owner organizations.
The plaintiff has to prove the knowledge, and defendants should be very careful about attempts to negotiate license agreements, receiving notice from the copyright holders that their activity is infringing, issuing statements, and interviews with the press. The plaintiff also has to prove a "material contribution" to the infringing Act. FastTrack, for example, licenses the access software, controls the communication encryption, and provides a dynamic list of supernode IP addresses. The plaintiffs would argue that this is a material act that contributes to the infringement.
The plaintiff would also try to allege vicarious copyright infringement, which the Napster trial noted applies when the defendant "has the right and ability to supervise the infringing activity and also has a direct financial interest in such activities." The court is going to look at the level of control the defendant has over the system, such as whether it can filter infringing material, eliminate users who infringe, and limit certain file characteristics, such as file bitrates. The court would also look at any revenue generated directly (from banner ads, etc.), or indirectly (goodwill value, high traffic volume).
b. The Act: Contributory and Vicarious Infringement - ISP
In the Napster trial, Napster attempted, unsuccessfully, to hide behind the DMCA's ISP safe harbor provisions. Essentially, the ISP safe harbor allows intermediaries to step out of the way in a fight between copyright owners and infringers if they follow certain procedures. Congress was concerned that the Internet would cease to function if ISPs could be held liable for copyright infringement for transitory or hosted copies located on their servers. Section 512 of Title 17 provides the details for the notification, take down and reinstatement provisions.
B. The Act: Access a Protected Computer
The other serious Internet crime "Act" is accessing a protected computer without authorization or exceeding authorized access. The primary cybercrime statute is generally referred to as the Computer Fraud and Abuse Act ("CFAA"), located at 18 USC Sec. 1030(a). There are 7 subsections to the CFAA. The first five subsections prohibit certain actions when one accesses a protected computer without authorization, or exceeds his authorized access. Those certain "actions" are accessing government or private information, committing fraud, and most seriously, causing damage with varying degrees of intent.
However, it is important to note the distinction between the "Act" of hacking or cracking, and the creation, linking, hosting and possession of hacking tools. Sometimes, they are one and the same. For example, Robert Morris released the world's first known Internet worm after he wrote some malicious code that brought down several university computers. He wrote the code, and caused the damage by "causing the transmission of code." However, he was only prosecuted for the "Act" of releasing the code, not writing it.
1. The Act: Combined Copyright and "Cracking" Crimes
It is possible to be prosecuted for both a CFAA and a copyright crime. It all depends on the status of the target and what type of information was obtained. The CFAA punishes the unauthorized access to information, as well as damage, to a protected computer. However, what if the information is copyrighted material or protected trade secrets? For example, if one were to access a protected computer and download any material that contains an original expression, such as written documents, MP3s, images, computer code, etc., he could be liable for copyright infringement as well as Section 1030(a).
For the criminal count, if there is no evidence he damaged the computer, but accessed and downloaded the information, the court would look to see if he merely obtained the information for his own use (misdemeanor 1030(a)(2)), obtained the information for commercial purposes or private financial gain (felony 1030(a)(2)), or accessed the computer with the intent to defraud and obtained anything of value (felony 1030(a)(4)). For the copyright count, the court would look to see if the defendant downloaded at least 10 copies of one or more copyrighted works with a total retail value of more than $2,500 "for purposes of commercial advantage or private financial gain."
An interesting side note is the holding in US v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), where a politically active IRS employee accessed the IRS tax return database to look at the returns of political enemies. There is no evidence that he did anything more than view the information on the monitor. He supposedly did not print out the information, nor pass the information on to political allies. However, at trial he was convicted of various wire fraud crimes and computer fraud (Sec. 1030(a)(4)), which requires the knowledge and intent to defraud, as well as “obtaining anything of value.” The appellate court held that the prosecution did not prove he obtained anything of value.
The court concluded that:
“his searches of taxpayer return information did not satisfy the statutory requirement that he obtain "anything of value." The value of information is relative to one's needs and objectives; here, the government had to show that the information was valuable to Czubinski in light of a fraudulent scheme. The government failed, however, to prove that Czubinski intended anything more than to satisfy idle curiosity.
“The plain language of section 1030(a)(4) emphasizes that more than mere unauthorized use is required: the "thing obtained" may not merely be the unauthorized use. It is the showing of some additional end -- to which the unauthorized access is a means -- which is lacking here. The evidence did not show that Czubinski's end was anything more than to satisfy his curiosity by viewing information about friends, acquaintances, and political rivals. No evidence suggests that he printed out, recorded, or used the information he browsed. No rational jury could conclude beyond a reasonable doubt that Czubinski intended to use or disclose that information, and merely viewing information cannot be deemed the same as obtaining something of value for the purposes of this statute.”
II. Tools and Code Issues:
As explained above, there are two substantive analytical areas that must be considered separately in order to determine the legality of acts and tools on the Internet. The Tools and Code analysis involves two steps to determine the legal status of the defendant: Chart A and Chart B.
A. Tools - Function Copyright: The Legal Liability of Writing, Hosting and Linking to Copyright Tools
In Chart A, there are three possible areas of copyright that might get Chart B parties (writer, linker, hoster or possessor of code) into trouble: Access Control Measures, Duplicators, and Facilitators.
1. Tools - Function Copyright - Defeats Access Control Measures:
The Anti-circumvention subsection of the DMCA is one of the most controversial copyright issues. The anti-DMCA campaign has even made regular headlines in local papers: Dmitry Sklyarov, Shawn Reimerdes, 2600, Professor Edward Felten, Jon Johansen, the teen DeCSS hacker, etc. The anti-circumvention controversy can be explained with a simple example. Imagine you own a book that is copyrighted. If someone who legally bought the book brings it down to Kinkos and copies it, he is guilty of copyright infringement because he copied the book without your permission.
Now assume you place the book in a lock box and require people to use a key to access their book, but don’t allow them to remove the book from the box because you are afraid people will copy it. Remember that the person owns the book, but is now restricted in how he can use it. Now say the person wants to pick the lock on the box to access the work to make an illegal copy of the book, which would still constitute infringement. Your rights are protected.
But what if you could make the Act of picking the lock illegal? Not only that, but what if you could outlaw not only the use of the lockpicking set, but the manufacture and distribution of the lockpicking set? What if he wanted to read an excerpt of the book to his class but couldn’t because the box made it practically impossible? In other words, the crime has been expanded from the “Act” to the “Tools and Code” section of Chart A.
Some would say that it is the right of the copyright owner to absolutely control all uses of the book. But copyright law is a delicate compromise that grants a limited monopoly for certain fair public uses of the book. The DMCA has essentially granted content owners absolute control over their content, control that exceeds the original intent of the Constitution. As Lawrence Lessig says, never before in history since the founding of the printing press by Gutenberg have content owners had such absolute control over their content. The DMCA has banned both the Act of circumventing an access control measure that protects the digital content and the manufacture of the tools used to circumvent.
Perhaps someday the DMCA will be held unconstitutional. The Sklyarov/Elcomsoft case appears headed for the High Court unless there is an earlier settlement. Nevertheless, as long as the DMCA is valid law, code writers, linkers, hosters, and users must be very careful about tripping over its prickly provisions.
In Universal v. Reimerdes, the court essentially held that any code that is primarily used to circumvent an access control measure cannot be written, hosted or linked to on a website. Reimerdes originally hosted a program called DeCSS on 2600.com, until he was enjoined from hosting it. He then created links to DeCSS on mirror sites outside US jurisdiction as an Act of civil disobedience. The trial and appellate courts in New York held that he could not link to the programs because such links also constituted infringement, in that he trafficked in the contraband.
Specifically, writing the code can trigger Sec. 1201(a)(2) of the DMCA that bans the “manufacture … [of] any technology … that is primarily designed … for the purpose of circumventing a technological measure that effectively controls access to a work protected.” Hosting the code may trigger the part of Sec. 1201(a)(2) that states that “No person shall … offer to the public … any technology … that is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected.”
Finally, the person who downloads the contraband software is not likely to be prosecuted for possessing the software, unlike the child pornography example above. Rather, Section 1201(a)(1)(A) bans the Act of the downloader using the program to circumvent a protective measure. Essentially, it is almost an Act of infringement because the person is accessing protected material. So it isn’t the tool that gets him in trouble, but rather his actions. If you look at Chart B, you’ll see that the Act of violating Section 1201(a)(1)(A) falls under the Copyright Infringement Act because it wasn’t the use or creation of the tool that is penalized.
How do you know if you are involved with code that might violate the DMCA’s anti-circumvention provisions? One way is to read the statute and try to make sense of the legalese. However, it is a notoriously poorly written statute. Here are a few definitions that might be helpful. To “circumvent a technological measure means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” So what is a technological measure? The statute states that a “technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”
Looking at Chart A, Access Control Measure circumvention is the only area in which you can be strictly liable for creating code, linking to it, and hosting it. Specifically, you may not manufacture, import, offer to the public, provide, or otherwise traffic in the “offensive code.” However, the law does not appear to proscribe the possession of the code.
It must be stated that there are several uses that are protected under Section 1201. The most relevant to the networking community are the exclusions for reverse engineering and encryption research. Section 1201(f)(1) states that you can create tools to defeat access control measures if it is for the “sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs.” Also, Section 1201(g) states that certain encryption research is permissible to “develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research.”
The bottom line is that if you do not fall within one of the above Section 1201 exceptions, as of early 2002, you should not develop, link to, or host any code that “is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under [the Copyright Act].” If you receive a notice that you are hosting or linking to a Section 1201 device, it is wise to comply with the notice if you are in a US jurisdiction or are subject to US jurisdiction. (See my article Write Code, Go to Jail). If you are beyond the reach of US jurisdiction, take note of how and why the Russian software developer Elcomsoft is facing serious criminal charges in a US courtroom. If you are located in the European Union, keep an eye out for changes. The European Copyright Directive (“EUCD”) states that member nations must enact some form of anti-circumvention agreement. Article 6 of the EUCD states that “Member States shall provide adequate legal protection against the circumvention of any effective technological measures, which the person concerned carries out in the knowledge, or with reasonable grounds to know, that he or she is pursuing that objective.” “Technological measures” means “any technology, device or component that, in the normal course of its operation, is designed to prevent or restrict acts, in respect of works or other subject-matter, which are not authorised by the rightholder of any copyright.” So if you are in Europe, a DMCA-like law could be coming to a courtroom near you. It will also make cross-border enforcement of anti-circumvention laws easier, allowing local prosecution for acts “committed” in a foreign jurisdiction or extradition to the foreign jurisdiction.
2. Tools - Function Copyright - Duplicator Tools
Duplicator code is code that makes digital copies of copyrighted material. CD Rippers and other audio utilities duplicate copyrighted and other digital media with nearly 100% perfect reproduction. This is one of the areas where it is the Act of infringing that is penalized, not the tools used to infringe, because there are so many non-infringing uses of the programs. For example, in the Sony Betamax case of 1994, Sony was found not guilty of copyright infringement, because even though a video tape recorder could be used for infringing purposes, it also has legal purposes and the court found that Sony should not be held liable for any form of infringement.
As David Boies argued in the Napster trial, "If you make something that has unlawful and lawful uses, you don't want to ban it. The courts have a strong reluctance to interfere in a new technology."
Duplicators should be legal to create, host, link and possess. However, that does not mean that you can use the tools to make copies of copyrighted material and share them on a peer-to-peer network. That would be distributing copyrighted material without authorization. Judge Patel held that Napster users were guilty of direct copyright infringement.
3. Tools - Function Copyright - Facilitator Tools
As discussed above, a facilitator is one who facilitates the communication between parties who may be infringing on another’s copyrights. The “Act” of facilitating can bring contributory or vicarious infringement actions against the ISP or P2P entity. The “Tools” used to facilitate are most likely legal because the copyright laws require some level of active involvement with the underlying copyright infringement going on by others. Merely writing software, with nothing more, is not an Act of infringement. The bottom line is that the courts are going to look to the level of control the facilitator maintains over the swapping of copyrighted material.
The lesson for P2P coders is to write P2P programs that remove any level of centralized control over the network. The more centralized ability that is maintained, such as the ability to filter content or users, the greater the likelihood of contributory or vicarious infringement. The concept is that “control” moves the defendant from the Tools and Code category to the Act category on Chart A. It is ironic, and very short-sighted, that the recording industry, for example, is pursuing legal strategies that are going to chase P2P users to networks that are completely autonomous. The strategy will also scare legitimate P2P networks from even attempting to negotiate licensing agreements because the copyright owners will use that as evidence of the “knowledge” element for contributory infringement.
B. Tools - Function Commands: The Legal Liability of Writing, Hosting and Linking to Malicious Code:
The area of legal liability for writing, hosting and linking to malicious code is potentially a very uncertain area of law. Currently, in the US malicious code is legal until an Act pushes it up to the “Act” section of Chart A. However, there have been those in law enforcement and Congress who advocate making the creation and trafficking in strictly malicious code a punishable offense.
The criminality of malicious code is often confusing in the minds of attorneys and professionals alike. When one speaks of criminality for authoring an Internet worm, it is the Act of launching the code, rather than the development of the code, that is criminal. For example, there is a law review article entitled “Prosecuting Computer Virus Authors: The Need for an Adequate and Immediate International Solution.” However, the author assumes that Authors and those who launch the code are one and the same. This is an important distinction because if merely writing the program were illegal, then linking and hosting the program would also likely be illegal. The author, Kelly Cesare, even admits in the article that in “the United States, merely writing a piece of malicious code is not a crime without the necessary intent to access an unauthorized computer.”
A simple government definition of “malicious code,” or “malcode,” is “software that is capable of performing an unauthorized function on an information system.” One should begin the legal analysis by identifying the legal category malcode falls into: copyright or command code? Although some worms can extract and disseminate protected material from the victim’s computer, for now we’ll assume the malcode carries a destructive payload that launches a series of commands without the authorization of the victim. This would fall under the criminal code of 18 USC Sec. 1030(a). There are two elements to the main anti-hacking subsection of Sec. 1030(a)(5)(A), which requires both the Act of knowingly causing the code to be sent, and that there be an intent to harm the computer. All of the anti-cybercrime subsections require the defendant to “access” a protected computer.
1. Tools - Function Commands - Malcode:
As you can see from the two prongs of the anti-hacking law, the defendant has to send the code to the victim’s computer, as well as intend to harm the victim’s computer. However, a person who merely writes the code might not have any criminal liability because he has not “sent” the code to anyone’s computer with the intent of harming someone. If he posted the code up on the Internet for others to download, he has still not “accessed” any computers to trigger Sec. 1030(a). Nearly every criminal case involving malcode writers focuses on the access and damage caused by the writer’s actions, not the creation of the tool used to cause the damage.
Unfortunately, the lines between the commands a programmer writes and the commands that cause a computer to react are becoming blurred. It is possible for code to cross over the line from “Tools and Code” to “Act” when the code itself exceeds its authorized access on a computer where it is installed. This is an important concept for programmers to understand. For example, in contract law, computer “agents” that are pre-programmed to accept and reject automated offers are binding on the owner of the computer because the party programmed the agent with instructions and parameters, just as it would do with an employee. It is unclear when a programmer can become liable for the actions of his code after he posts the code on the network.
For example, in Starrett v. Real Networks, the plaintiffs were arguing that RealNetworks, owner of the popular media player Real Player, violated Sec. 1030(a)(2) because their program gathered information on the user’s computer that exceeded authorization by the user. Specifically, the plaintiffs claimed RealNetworks intentionally placed cookies on Plaintiffs' computers, that the cookies allegedly allowed Defendant to retrieve data from Plaintiffs' computers, and that Defendant retrieved the data for the purpose of monitoring Plaintiffs' web activity. However, in order to bring a civil action under this criminal code, the plaintiff must suffer “damage.” The court held that damages are defined as losses “aggregating at least $5,000 in value during any 1-year period to one or more individuals,” or as harm that impairs a medical treatment, causes physical injury to a person, or threatens public safety. The case was essentially dropped because the plaintiffs could not prove those charges under a civil action.
Congress reacted to a wave of Section 1030 civil lawsuits against software manufacturers by enacting the USA Patriot Act in late 2002. Congress created a safe harbor for “the negligent design or manufacture of computer hardware, computer software, or firmware.” This appears to shield software developers from Section 1030 civil suits if they negligently cause harm to a computer or obtain unauthorized information. Generally, a person could be negligent for the development of software if he fails to be aware of a substantial and unjustifiable risk, and such failure constitutes a substantial deviation from the standard of care that a reasonable software developer would exercise under the circumstances.
This does not protect developers who purposefully (intentionally), knowingly or recklessly design software to access unauthorized information. The statute must specify the mental component of a criminal offense. The CFAA offenses all require “specific intent” to access the computer, but with different levels of intent to damage a computer under Section 1030(a)(5). So for example, Section 1030(a)(5)(A) requires the defendant to intentionally access the computer, and it is a felony when anyone intentionally damages a computer. However, only unauthorized persons commit a felony when they recklessly damage a computer, which is when one consciously disregards a substantial or unjustifiable risk and the disregard constitutes a gross deviation from the standard of care. And finally, an unauthorized person can commit a misdemeanor when he causes negligent damage.
What does all this mean to software developers and people who link to or host code that may be perceived to damage a computer or access a computer and obtain information without authorization or exceeding its reasonable authorization?
One issue of concern is whether the courts will find that coding a program to instruct a computer to damage itself or reveal unauthorized information is an “Act.” Also, will the courts hold that malicious code with no other reasonable legitimate use can be considered contraband and therefore a form of knowing or reckless behavior?
a. European Liability for Writing, Hosting or Possessing “Cracking” Code:
In Europe, the final version of Article 6 in the European Treaty on Cybercrime contains a clause that makes it a crime to create, possess or acquire any computer program designed to crack or disrupt systems illegally. Article 6 criminalizes the “production, sale, … import, distribution or otherwise making available of … a device, including a computer program, designed or adapted primarily for the purpose” of accessing, intercepting, or interfering with computers “without right.” Basically, under Chart B, the Council of Europe has banned writing the code, linking to the code, and hosting the code. But the Treaty also goes further than even the DMCA by banning the “possession” of the illegal code. Article 6(b) bans the “possession of an item” (a device, including a computer program, “designed or adapted primarily for the purpose” of accessing, intercepting, or interfering with computers “without right”) as long as the defendant has the intent that the program be used to access, intercept or interfere without right.
So, if you were to apply Chart A in a country that had already implemented Article 6 into its national criminal code, then Malcode, Gray Zone and perhaps White Zone Tools and Commands would be illegal.
But if you are in the US, should you be concerned? The Treaty on Cybercrime is an open treaty that any nation can sign. In fact, the US government was a party to the drafting of the treaty to ensure that the US national security interests, as well as code harmonization, were advanced.
Essentially, Article 6 can be summarized as follows:
States shall make it a crime when a person, intentionally and without right, produces, sells, imports, distributes or otherwise makes available a program, whose primary purpose is to access or interfere with a computer.
Also, states shall make it a crime when a person possesses such a program with the intent that it be used for the purposes of committing the cybercrimes.
But it is okay if the program is produced, sold, imported, distributed or made available when the purpose is not to commit a cybercrime offence, such as for the authorised testing or protection of a computer system.
The distinction between the illegal and legal development of programs that can, for example, “access” a computer revolves around the “intent” - the intent to write or distribute the harmful code. Essentially, the programs are illegal, unless you can show that the purpose was not to commit a cybercrime offense. But try to apply the law in a real situation. Suppose a developer was going to write a program that tests network systems for vulnerabilities. Penetration testing is a critical function in securing networks from unauthorized access. But how is the programmer to know how the program is going to be used in the wrong hands? By applying the law, the programmer intentionally made the program, and its primary purpose is to access a computer. Assume someone takes the program and uses it to find the same vulnerabilities in a network and access the network “without right.” How is the court going to get inside the head of the programmer to determine if, at the time he made the program, its purpose was not to commit a cybercrime offense? What if someone merely provides a hyperlink to a contraband program? Hyperlinks do not have a purpose. Supposedly, the hyperlink is okay if its purpose is not to commit a cybercrime offense, but the hyperlink is illegal when its purpose is to commit a cybercrime.
I point this out in detail because the Department of Justice has expressed support for Article 6 and, presumably, has lobbied for a similar ban on production, sale, distribution and possession of “cybercrime” code. In a July 10, 2001 “Frequently Asked Questions About the European Cybercrime Treaty” article, the Justice Department (“DOJ”) cites its support for Article 6 and dismisses the concern over the application of the tool ban.
Nothing in the draft Convention suggests that states should criminalize the legitimate use of network security and diagnostic tools. On the contrary, Article 6 obligates parties to criminalize the trafficking and possession of “hacker” tools only where such conduct is (i) intentional, (ii) "without right", and (iii) done with the intent to commit an offense of the type described in Articles 2-5 of the Convention. Because of the criminal intent element, fears that such laws would criminalize legitimate computer security, research, or education practices are unfounded.
Essentially, the DOJ is saying that linking to hacking tools is criminal only when the link is intentional, without right and done with the intent to commit an offense. They would have to show that there was a criminal intent behind the link or the development of the program. In US v. Reimerdes, the prosecution argued that Reimerdes had a criminal intent for linking to the banned DeCSS because he advocated civil disobedience. If Article 6 were enacted, as the US government wants, then websites would be restrained from exercising their disapproval of the law when they provide links to programs they feel have legitimate uses.
But the DOJ’s reading of the Cybercrime Treaty is highly misleading. The DOJ states that trafficking in the “cybercrime code” is illegal only if it is “done with the intent to commit an offense.” This implies that the person must use the code with the intent to commit a crime. However, the Cybercrime Treaty states that it is a crime to distribute or write the code with intent that it be used for the purpose of committing any of the offences. The difference could be huge. Under Article 6, it is a crime to write or distribute code that can be used to commit a cybercrime, as opposed to intending to commit the crime yourself.
For example, suppose you had a network security website with links to programs that could be “cybercrime” tools. The court would probably look at the “context” in which the link was provided to determine if there was any intent that the code be used in a specific manner. There is a huge chance that it would suppress criticism of the law because wise website owners would be chilled out of expressing such statements in order to provide the code in a neutral environment.
The government seems to be confusing the important distinction outlined in Chart A, that there are crimes for taking a tool and using it to commit a crime, and there is the DMCA crime for creating and linking to banned circumvention code. If Article 6 were enacted in the form that the DOJ wants, then another entire classification of code would be criminalized in Chart A, and all of the parties in Chart B would be subject to criminal prosecution.
b. Application of Drug Paraphernalia Bans to Malcode and Hacking Code Bans:
A good analogy to the banning of malcode and hacking code could be the federal government’s ban on drug paraphernalia. Section 863 of Title 21 makes it illegal for anyone to sell, transport or import/export “drug paraphernalia,” which is defined as a “product … which is primarily intended or designed for use in manufacturing, … concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introducing into the human body a controlled substance, possession of which is unlawful under this subchapter.” Most “hacking” code and drug paraphernalia are similar in that both can have legitimate uses. As with lockpicking sets and crowbars, the intent to commit a crime should determine whether the possession is a crime. In Posters ’N’ Things, Ltd. v. US, the US Supreme Court held that “items, including bongs, cocaine freebase kits, and certain kinds of pipes, have no other use besides contrived ones (such as use of a bong as a flower vase). Items that meet the "designed for use" standard constitute drug paraphernalia irrespective of the knowledge or intent of one who sells or transports them.” In other words, the court held that products “designed for use” and "primarily intended . . . for use" could be criminalized, regardless of the intent of the seller. The high court also held that if the law required the prosecution to prove that the seller himself was aware that the items were used for drugs, then sellers could just pretend the items were for tobacco and get around the law. The court was determined to prevent this. The court held that if the statute “required a purpose that the items be used with illegal drugs, individuals could avoid liability for selling bongs and cocaine freebase kits simply by establishing that they lacked the "conscious object" that the items be used with illegal drugs.”
I raise the issue of drug paraphernalia to emphasize that the US Supreme Court has upheld a law that criminalizes the sale of items that could have other uses, regardless of the intent to use in a criminal manner. When Congress can do that for bongs, one can imagine how easy it would be to try to ban malicious code, and perhaps “hacking” programs.
Overall, it would be a very bad development for the courts to start deciding which programs are valuable network security programs and which are malicious code. As with other dangerous instruments (guns, crowbars, dynamite, etc.), the law looks to the “Act” that makes the possession and use unlawful. Similarly, the law should punish the illegal “Act” or “Use” of the code, not the code itself. Others might argue that guns, crowbars and dynamite have legitimate other uses and malicious code is only meant to damage computers with no legitimate other use. They would also argue that guns and dynamite are regulated, whereas malicious code cannot be regulated, so the mere possession or development of such code should be criminalized. So far, law enforcement has been overwhelmed with pursuing the perpetrators of cybercrimes and has not begun to deal with the problems of trying to squeeze malicious code writers into the CFAA box.
c. Alternative Criminal Theories - Accomplice Liability and Malicious Mischief:
An ambitious prosecutor might try to charge a malcode writer as an accomplice to a Sec. 1030(a)(5)(A) crime. Under most accomplice liability crimes, an accomplice is one who, with the intent that the crime be committed, aids, counsels or encourages the principal actor before the commission of the crime. In other words, the prosecutor would argue that the malcode author aided the worm or virus sender by creating the program that caused the damage, and because the code only carries a harmful payload, he had the requisite intent to aid in the commission of the crime. However, the level of intent required by the courts under accomplice liability is often higher than the type argued by the prosecution. Most courts hold that mere knowledge that a crime would result from the use of the program is insufficient for accomplice liability.
Another potential crime that a virus writer could be charged with is “malicious mischief.” Under most statutes, malicious mischief consists of malicious intent that damage or destruction to property is intended or contemplated by the defendant. Depending upon the nature of the code, and public statements made by the author, this would be a difficult crime to assert.
The prosecution could also try to bring charges of criminal negligence against a malcode writer. Essentially, a person owes a reasonable duty of care to act as an ordinary, prudent and reasonable person would to foreseeable victims. It could be argued that writing malcode is not a reasonable activity, and damage to a victim’s computer is foreseeable. If he writes such a program, he has breached his duty of care to act reasonably and could be liable if the damage caused to the victim was a direct result of his program. In criminal negligence, the code writer must have taken a very unreasonable risk in light of the usefulness of his conduct, his knowledge of the facts that such programs can spread rapidly and the extent of harm that can be caused by his program.