No doubt you, like me, were a bit surprised and maybe even disgusted to see SCO accusing IBM, in SCO's Memorandum in Opposition to IBM's Motion for Partial Summary Judgment on its Counterclaim for Copyright Infringement (Eighth Counterclaim), of "hacking" their website, under the Computer Fraud and Abuse Act, no less, when all IBM did was download Linux, GPL'd software SCO has made available to the public for years at no cost, from SCO's website, some of which software IBM wrote itself, during an IBM investigation into SCO's infringement of IBM's copyrights.
Is anything too low for SCO, I asked myself?
And my next question was, Is this going to fly? What happens now? How bad could it get? Why would SCO do this? In litigation, nausea at the loathsome tactics of others is useless. You have to answer everything successfully. So, despite my feeling that SCO should be ashamed of itself for even raising the issue, what about that statute?
I have never done criminal law, so I was totally in the dark. I therefore decided it made sense to ask Webster Knight, because he's an attorney who does criminal law, if he'd explain the Computer Fraud and Abuse Act to me. This is both a civil and a criminal statute, so Webster explained the statute from the criminal aspect. And we have some references to help us understand. A later article by another attorney will talk about the statute's use in civil litigation.
His initial opinion, based only on facts that are currently available, is that it has no prosecutorial merit as a criminal offense, as a felony. For that matter, no criminal action has been brought to date that we've heard about. Webster doesn't believe there ever will be either, for reasons you'll see as we go along. SCO didn't ask to add a new cause of action for hacking under this statute either. All SCO did so far was tell the judge that the evidence of SCO's infringement that IBM found and presented to the court shouldn't be considered because IBM allegedly has "unclean hands" for finding it the way they did.
Unclean hands is an affirmative defense, meaning if someone accuses you of something, if you can show the accuser has unclean hands by virtue of doing something unethical related to the claim, then the complaint can be dismissed or the accuser denied judgment. So, SCO isn't asking that IBM be arrested and plopped in jail for years as punishment. They are using an affirmative defense to try to escape being found guilty of infringing IBM's copyright.
You can read the Declaration of Kathleen Bennett, presented in support of IBM's Redacted Memorandum in Support of IBM's Motion for Partial Summary Judgment on Counterclaim for Copyright Infringement (8th Counterclaim), to refresh your memory on IBM's downloading of the files in question. Here is the pertinent section:
"10. Also under my direction, our team of programmers compared the IBM Copyrighted Works to code we found available for download on SCO's website. On January 9, 2004, I observed while a member of my team accessed via the Internet the following four SCO web pages, and downloaded code from these web pages:
(3) http://linuxupdate.sco.com/scolinux/update/RPMS.scolinux; and
"11. The code posted and made available for download via the Internet from SCO's website included verbatim copies of files from the IBM Copyrighted Works appearing at Exhibits 5.1 through 20.1 of the accompanying Sorenson Declaration. The files from SCO's website that are verbatim copies of files within the IBM Copyrighted Works comprise approximately 783,000 lines of code, and appear at Exhibits 5.3 through 20.3 of the Sorenson Declaration.
"12. My team and I accessed SCO's website from the Internet, using a standard computer and web browser. Any person with access to the Internet, a standard web browser and a personal computer or laptop could access SCO's website and download Linux code, just as my team and I did. No special expertise would be necessary.
"13. On August 4, 2004, my team again visited the SCO web pages listed in Paragraph 10, and confirmed that all of the code attached as Exhibits 5.3 through 20.3 of the Sorenson Declaration was still available for download from SCO's website."
In this account, the files seem to have been freely available. Of course, no one but IBM can know what they saw on the screen on the dates in question or what steps they took, but from the description, it sounds like anyone and their mom could access the files and download them. No special skills needed. She doesn't specify if they downloaded only IBM's code or other code as well. She doesn't indicate there was any password or any other access prevention mechanism.
Out of this, here is what SCO morphed it into, in its Memorandum in Opposition to IBM's 8th Counterclaim re copyright infringement:
"B. IBM's Unauthorized Access Into SCO's Website
"Another well-established basis for the application of the doctrine in the context of the Copyright Act arises when the claimant has obtained evidence by improper means.6
"SCO provided its customers who purchased SCO Server 4.O with a password to enter at a log-in screen so that only they could access source code via the internet. Sontag Decl. ¶17-19. After news of a bug in the website's security system was reported on internet websites, IBM exploited the bug to bypass SCO's security system, hack into SCO's computers, and download the very files IBM has now attached to its motion. Id. ¶¶20-27.
"The Computer Fraud and Abuse Act, 18 U.S.C. §1030(a)(2)(C), makes it a felony for any person to access another person's computer, via the internet or otherwise, unless authorized to do so. See, e.g., Creative Computing v. GetLoaded.com, LLC, 386 F.3d 930 (9th Cir. 2004); I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info Sys., Inc., 307 F. Supp. 2d 521, 523-24, 526 (S.D.N.Y. 2004) (citing cases); AOL, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444, 450 (E.D. Va. 1998). By improperly obtaining the evidence assertedly in support of its counterclaim and instant motion, IBM comes to the Court with unclean hands. . . .
6 "See, e.g., Fleming v. Miles, 181 F. Supp. 2d 1143, 1154 (D. Or. 2001) (holding copyright registrant who denied existence of competing registration in his registration application could not recover damages for alleged infringement by competing registrant);Russ Berrie & Co. v. Jerry Elsner Co., 482 F. Supp. 980, 987-88 (S.D.N.Y. 1980) (declining to enforce copyright because the owner's knowing failure to disclose material facts in registration applications constituted 'reason for holding the registration invalid and thus incapable of supporting an infringement action, or denying enforcement'); Rixon, Inc. v. Racal-Milgo, Inc., 551 F. Supp. 163, 171 (D. Del. 1982) ('Unclean hands in the procurement of a patent from the Patent and Trademark Office or in prior enforcement action, for example, may render the patent unenforceable.'); see also Nimmer, supra, §13.09[B] (the doctrine applies where the claimant 'obtained information as to the nature of defendant's work through unfair means'); see also Gemveto Jewelry Co., Inc. v. Lambert Bros., Inc. , S42 F. Supp. 933, 939 (S.D.N.Y. 1982)."
As you can see, the two accounts don't match at all. I don't think their description of the statute, 18 U.S.C. §1030(a)(2)(C), is accurate, from what I've had explained to me, because their wording ("§1030(a)(2)(C), makes it a felony for any person to access another person's computer, via the internet or otherwise, unless authorized to do so") stops without mentioning the remaining elements needed to reach the status of a felony, perhaps because from what we currently know, IBM seems not to have matched those elements. Where, for example, is there a $5,000 loss to SCO?
What really doesn't match in my eyes is the alleged offense -- in its worst possible light, from SCO's description -- and what the Department of Justice says were the kinds of situations the law, as amended (it originally applied only to government computers), was designed to address. Because this is such a long section, I have made it colored text, so you don't get confused about where it begins and ends:
Subsection (a)(2) is, in the truest sense, a provision designed to protect the confidentiality of computer data. As was noted in 1986 by the Senate Judiciary Committee,[t]he premise of 18 U.S.C. 1030(a)(2) will remain the protection, for privacy reasons, of computerized credit records and computerized information relating to customers' relationships with financial institutions. . . . Because the premise of this subsection is privacy protection, the Committee wishes to make clear that 'obtaining information' in this context includes mere observation of the data.S. Rep. No. 99-432 at 6.
With the continued evolution of the National Information Infrastructure (NII), however, Congress has come to recognize that not only financial records and credit information warrant federal protection. As noted in the commentary to the Draft Principles, "with the NII, the assumption is that large amounts of sensitive information will be on line, and can be accessed, perhaps without authority, by a large number of network users." 59 Fed. Reg. at 27207. Moreover, "the NII will only achieve its full potential if individual privacy is properly protected." Id. Therefore, the new subsection 1030(a)(2) is designed to insure that it is punishable to misuse computers to obtain government information and, where appropriate, information held by the private sector. Moreover, the provision has been restructured so that different paragraphs protect different types of information, thus allowing easy additions or modifications to offenses if events require.
Certainly not all computer misuse warrants federal criminal sanctions. The problem is that no litmus test can accurately segregate important from unimportant information, and any legislation may therefore be under- or over-inclusive. For example, a frequent test for determining the appropriateness of federal jurisdiction--a monetary amount--does not work well when protecting information. The theft from a computer of a judge's draft opinion in a sensitive case or the copying of medical records might not meet such a monetary threshold, but clearly such information should be protected. Therefore, the act of taking all of this kind of information is now criminalized. Even so, it is important to remember that the elements of the offense include not just taking the information, but abusing one's computer authorization to do so.
The need to protect information is highlighted by recent studies indicating that people are increasingly misusing computers to obtain information. In 1993, the General Accounting Office (GAO) presented testimony before the House Government Operations Committee, Subcommittee on Information, Justice, Agriculture, and Transportation, on the abuse of National Crime Information Center (NCIC) information. The testimony stated that, following an investigation, GAO determined that (1) NCIC information is valuable, (2) such information has been misused by "insiders" (individuals with authorized access), (3) this misuse included selling NCIC information to outsiders and determining whether friends and relatives had criminal records, and (4) incentives for misuse outweighed potential penalties. Statement of Laurie E. Ekstrand, July 28, 1993, p. 6 [hereinafter "Ekstrand Statement"]. The GAO found that some of this misuse jeopardized the safety of citizens and potentially jeopardized law enforcement personnel. Id. at 16. Moreover, because there were no federal or state laws specifically directed at NCIC misuse, most abusers of NCIC were not criminally prosecuted. Id. at 17. GAO concluded that Congress should enact legislation with strong criminal sanctions specifically directed at the misuse of NCIC. Id. at 20.
Of course, protecting only NCIC data (or, more broadly, criminal history information), would be underinclusive, because other types of sensitive data are clearly at risk. For example, during Operation Desert Storm, it was widely reported that hackers accessed sensitive but unclassified data regarding personnel performance reports, weapons development information, and logistics information regarding the movement of equipment and personnel. . . .
The seriousness of a breach in confidentiality depends, in considerable part, on either the value of the information or the defendant's motive in taking it. Thus, the statutory penalties are structured so that merely obtaining information of minimal value is only a misdemeanor, but certain aggravating factors make the crime a felony. More specifically, the crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.
As for enhancements not based on the value of the property obtained, recent documented cases indicate that individuals misuse information for a variety of unacceptable purposes. The terms "for purposes of commercial advantage or private financial gain" and "for the purpose of committing any criminal or tortious act" are taken from the copyright statute (17 U.S.C. § 506(a)) and wiretap statute (18 U.S.C. § 2511(1)(d)) respectively.
As for the monetary threshold, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property "in the thieves' market," can be used to meet the $5,000 valuation. See, e.g., United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988).
The relationship between the existing § 1030(a)(3) provision and the newly amended § 1030(a)(2) merits some discussion. Section 1030(a)(3) protects the computer from outsiders, even if the hacker obtains no information. Thus, an intruder who violates the integrity of a government machine to gain network access is nonetheless liable for trespass even when he has not jeopardized the confidentiality of data. Section 1030(a)(2), on the other hand, protects the confidentiality of data, even from intentional misuse by insiders. Additionally, although a first violation of § 1030(a)(3) is always a misdemeanor, a § 1030(a)(2) violation may constitute a felony if the information taken is valuable or sufficiently misused. See § 1030(c)(2)(B)(raising the offense to felony level based upon the value or intended use of the improperly acquired data). Although a single act may violate both provisions, the provisions protect against different harms and, in any event, the actor's conduct would be aggregated for the purposes of sentencing. . . .
Hackers, for example, have broken into Cray supercomputers for the purpose of running password cracking programs, sometimes amassing computer time worth far in excess of $5,000. In light of the large expense to the victim caused by some of these trespassing incidents, it is more appropriate to except from the felony provisions of subsection 1030(a)(4) only cases involving no more than $5,000 of computer use during any one-year period.
So, as you can see, the law was intended to take into account both the value of any loss and the intent behind the access. "Certainly not all computer misuse warrants federal criminal sanctions," they say. Was IBM breaking into Cray computers to run password cracking programs? So even the DOJ is saying that there is a reasonableness standard they were striving for as far as the felony aspect of the statute was concerned.
But, having said that, what about the civil side? You need to read the statute, and when you do, I think your hair will stand on end. The statute is so broad in its wording, when it comes to civil litigation, it's hard to imagine what *wouldn't* qualify as "hacking", if someone was determined to make it seem so. SCO is alleging an offense under 18 U.S.C. §1030(a)(2)(C), and Webster has made the important parts red, just for ease of comprehension, not to make your hair stand on end. It'll do that altogether on its own. Here's just the (a)(2)(C) part, to start us off:
(a) Whoever—(1) having knowingly accessed a computer without(2) intentionally
authorization or exceeding authorized access, and by means of such
conduct having obtained information that has been determined by the
United States Government pursuant to an Executive order or statute to
require protection against unauthorized disclosure for reasons of
national defense or foreign relations, or any restricted data, as
defined in paragraph y. of section 11 of the Atomic Energy Act of 1954,
with reason to believe that such information so obtained could be used
to the injury of the United States, or to the advantage of any foreign
nation willfully communicates, delivers, transmits, or causes to be
communicated, delivered, or transmitted, or attempts to communicate,
deliver, transmit or cause to be communicated, delivered, or
transmitted the same to any person not entitled to receive it, or
willfully retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;
accesses a computer without authorization or exceeds authorized access,
and thereby obtains—(A) information contained in a financial record of a(C) information from any protected computer if the
financial institution, or of a card issuer as defined in section 1602 (n) of title 15,
or contained in a file of a consumer reporting agency on a consumer, as
such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
conduct involved an interstate or foreign communication;
It seems to say that mere access, even if all you do is read, is verboten if you don't have authorized access or exceed your authorized access. You might also like to read an analysis of the law, and the article also explains how the law has been interpreted in what the author calls "an expansive, and perhaps mildly startling, fashion". A bit more on how it was used to retaliate in a trade secrets theft case a few years ago. We'll have much more about this in the followup article. The bad thing about laws that are written badly is that some ethically-challenged entity will try to use them to fight dirty, and if a law is written badly enough, they might do some damage with it.
The good thing about laws that are vague and badly written is, they usually can't stand up to scrutiny in the courts longterm, or the law gets tweaked until it is better, or judges find a way to say to an overreaching plaintiff trying to take advantage of a law's flaws to do harm in a particular case, in effect, "This is silly." But for now, we'll have to assume that this vague statute says what it means and isn't unconstitutional, and so let's analyze the situation with that assumption.
First, SCO mentions the word felony, so we'll assume they are alleging both loss, over $5,000, and bad intent/unauthorized access, or as the DOJ explanation put it, "committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000." Right. Does that sound like IBM to you? Hardly. Is it all starting to feel ridiculous and a bit icky too?
Here is a simple explanation of the difference between criminal and civil, and as you will see, in a civil case, the wronged party, or the party imagining himself wronged, brings the action. In a criminal case, it's up to the law enforcement entities to decide whether to bring a case or not. If they do, they represent the people, and hence the allegedly wronged individual. So, here, it means that unless somebody actually brings a criminal action under the Computer Fraud and Abuse Act, IBM is not actually, officially accused of anything criminal, let alone found guilty of anything. It's an accusation, and as nauseating as it must be for IBM to have to answer something like this, the bottom line is that it's an unproven allegation. From SCO.
Webster has highlighted the statute in red to show us the parts that matter here, and his remarks are in blue, but remember, his remarks are his notes on the criminal aspects here, not the civil. The bottom line in his view? It's nonsense, in his opinion, that isn't going anywhere as far as criminal law is concerned. Of course, there is another side to the law, the civil side, which we'll talk about in the later article. And Webster is analyzing this just to give us a feel for the statute. We don't, after all, actually know what IBM saw on the screen, whether there really was a password set up, whether it was a bug in the code as SCO says or whether they just didn't get around to setting up an actual password-only access mechanism. There are four sites listed in the Bennett declaration and two dates, and while we've certainly heard plenty of eyewitness accounts, there is no single account and without knowing exactly what IBM saw and did, we can only analyze so far and will have to wait for IBM's answer for the rest. So, with that disclaimer, and for educational purposes only, here is the statute, marked by Webster for clarity.
Section 1030. Fraud and related activity in connection with computers
(a) Whoever - (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains - (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or (C) information from any protected computer if the conduct involved an interstate or foreign communication;
[This is too broad and does not exclude innocent, accidental, ignorant conduct.]
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States; (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; (5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused) - (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; or (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security; (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if - (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; (FOOTNOTE 1) (FOOTNOTE 1) So in original. Probably should be followed by ''or''. (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section. (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section. (c) The punishment for an offense under subsection (a) or (b) of this section is - (1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; (2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2),
[This is a misdemeanor only]
(a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; (B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if - (i) the offense was committed for purposes of commercial advantage or private financial gain;
[It was done just for information and evidence, legal reasons. IBM has so many arguments against this.]
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
[I'm sure SCO can argue something, but SCO can't really argue loss until they prove their case.]
(iii) the value of the information obtained exceeds $5,000; and (C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; (3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; (4)(A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection; (B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection; (C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and (5)(A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and (B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both. (d)(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. (2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title. (3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General. (e) As used in this section - (1) the term ''computer'' means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device; (2) the term ''protected computer'' means a computer - (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; (3) the term ''State'' includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States; (4) the term ''financial institution'' means - (A) an institution, with deposits insured by the Federal Deposit Insurance Corporation; (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank; (C) a credit union with accounts insured by the National Credit Union Administration; (D) a member of the Federal home loan bank system and any home loan bank; (E) any institution of the Farm Credit System under the Farm Credit Act of 1971; (F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934; (G) the Securities Investor Protection Corporation; (H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and (I) an organization operating under section 25 or section 25(a) (FOOTNOTE 2) of the Federal Reserve Act; (FOOTNOTE 2) See References in Text note below. (5) the term ''financial record'' means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution; (6) the term ''exceeds authorized access'' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
[IBM can say they are entitled by the mere access or were accidently misled by such.]
(7) the term ''department of the United States'' means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5; (8) the term ''damage'' means any impairment to the integrity or availability of data, a program, a system, or information;
[If appropriate, IBM can say there was no damage.]
(9) the term ''government entity'' includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country; (10) the term ''conviction'' shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer; (11) the term ''loss'' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
[IBM can argue that they caused absolutely no loss.]
(12) the term ''person'' means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity. (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States. (g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
[Bingo. IBM will argue this too, "SCO negligence". How does that sound?]
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).
[If you get these reports, I doubt you'll see any misdemeanors. They can't claim computer fraud until they win their case and thereby claim loss. They can't claim unclean hands until it is a crime. It can't be prosecuted until they can say it was their code alone to hide. They first then have to convince some prosecutor to charge a crime and then win a conviction. No prosecutor will because there is no apparent loss and there are too many potential defenses, SCO negligence being one, and he has better things to do. IBM can say they were just investigating someone abusing their copyrighted material. SCO then has to prove it is their copyrighted material to advance their criminal accusation and found their "unclean hands" claim. This of course is the ball game. Note that if they were to get someone to prosecute IBM, IBM gets the right to discover what is called "Brady" material, evidence favorable to the defense in the possession of the prosecutor. It's the endless, begging the question, who's-on-first, lift-oneself-by-bootstrap, cart-before-the-horse argument that SCO makes: They stole our code. No, it's their code. Yes, because they stole it. Where? In there. Where in there? We don't know, they haven't told us yet. Make them tell us. There is no loss that I can see. They are saying IBM took the code long ago before they filed suit. This supposed hack adds nothing. SCO can be accused of having "unclean hands" in that they want to hide their copyright violations of distributing IBM copyrighted materials. IBM will likely slam them back with this. Mutual unproved accusations are a wash. It has no prosecutorial merit, in my opinion.]