We looked earlier at the Computer Fraud and Abuse Act from the standpoint of criminal law, and it seems to be pretty much off the table, from all I can see. But looking at the law from the civil side, the analysis is more complex. I noted several comments on the earlier article that made clear to me that a number of you don't yet understand the implications of the CFAA, so I encourage you to read this article closely.
I asked Jon Stanley, an attorney who is an expert on the CFAA, if he'd be willing to explain the statute to you, looking at the specific SCO v. IBM case as well. What, precisely, triggers a CFAA violation? Is SCO's request to throw out IBM's evidence valid, given the facts as we know them so far? Where did this law come from? Mr. Stanley's Masters Dissertation was on the United States Computer Fraud and Abuse Act and he has spoken about it at numerous panels and seminars, including the RSA Conference last year. He'll speak at their 2005 conference as well. I want to thank Mr. Stanley for taking the time to help us comprehend this statute, and I know you join me in that sentiment. He mentions two cases, EF Cultural v. Zefer and EF Cultural v. Expolorica, and here is where you can read the appeals court decision on EF Cultural v. Zefer and Explorica.
To acclimate you, you may wish to also read an article [PDF] by George L. Lenard, an attorney with the firm of Harris Dowell Fisher & Harris, who specializes in employment law and who examined the statute and case law around it, which was published in "St. Louis Lawyer" and who is editor of George's Employment Blawg. He wasn't a bit surprised to see the "unclean hands" claim, and tells me that he expects to see such claims more frequently when other wrongdoing is alleged, because exceeding authorized access is relatively easy to prove compared to more conventional claims.
Laws aren't written for no reason. Invariably they are drawn up because somebody has been doing something that is harming someone, or the lawmakers perceive it that way. "Due to extensive reliance on electronic information systems and the ever-improving speed and convenience of data copying and transmission, businesses today face a heightened danger that improper competition by former employees will be aided by electronic misappropriation of trade secrets and other confidential information," he writes.
Here are some of the benefits of the CFAA he writes about in his article, from the perspective of its normal use, protecting a company from trade secret theft by former employees, for example:
"In litigating claims against disloyal departing employees, the CFAA typically does not stand alone, but serves as an adjunct to more conventional causes of action such as breach of covenant not to compete, breach of confidentiality agreement, trade secret misappropriation, tortious interference with contract or business expectancy, and breach of fiduciary duty. It is a useful addition because it has several significant advantages over such causes of action, including:
- "Availablity of federal jurisdiction. While other applicable claims involve state law, permitting federal jurisdiction only where diversity requirements are met, the CFAA provides a basis for federal question jurisdiction.
- "Availablity of a variety of relief, including criminal penalties as well as injunctive relief and damages.
- "Improved appeal to the fact finder’s sense of justice and fair play. To a judge or jury, improper conduct involving computers may appear more devious, culpable, and unjustifiable than merely going to work for a competitor, even in violation of a noncompete agreement.
- "Avoiding the need to prove that purloined information rose to the level of a trade secret -- which can be tough, particularly with non-technical information such as customer lists, pricing information, and business strategies.
- "Avoiding defenses such as the overbreadth or invalidity of a noncompete agreement."
If you are interested in case law on the CFAA, the article is a great resource.
However, our interest is specificallly the use by SCO of this statute to claim that IBM's has "unclean hands" for the way it obtained evidence of SCO's copyright infringement. While we don't actually know what IBM saw, what it downloaded, what password protections, if any, were in place that day, etc., the essay will help you to understand the law better, and from my reading of the law, I think everyone needs to know how the statute works. It's very, very broad.
Whose “Hands” are “Unclean?” --
SCO, IBM’s ‘Agents’, and The Computer Fraud and Abuse Act (CFAA)
By Jon Stanley. J.D. LL.M
In its Reply Memorandum, filed Nov. 30th, 2004, SCO presents a rather simplistic section titled “IBM’s Unauthorized Access Into SCO’s Website”. In doing so, SCO, understandably, from their legal perspective, skips over the nuanced and swiftly emerging world of cyberspace jurisprudence. CFAA case law, and particularly its employment of technological language and technological concepts, is not quite so certain, fixed, or agreed upon, as SCO lawyers would have us think.
SCO seeks to have IBM’s evidence thrown out as a result of IBM’s supposed “unclean hands” in obtaining the evidence. SCO’s claim, that agents’ of IBM “improperly” obtained evidence by accessing, in an allegedly unauthorized manner, SCO’s website. This claim illuminates a little known, but vitally important, legal and public policy question. That question is the simple (but by no means easy) query: what, precisely, triggers a CFAA violation? This essay will attempt to answer that question and, in doing so, attempt to ascertain whether SCO’s request to exclude evidence is a valid one.
Initially I focus on a central dynamic in CFAA case law; identifying the contractual ‘instrument’ permitting “authorized access” as that term is defined by CFAA case law. Next I will examine the particular subsection of the CFAA that SCO cites in its Reply Memorandum. Then I will scrutinize the origins of the legal theory enunciated in CFAA cases cited by SCO.
Finally I will examine the two CFAA cases I suggest are most relevant to the dispute here. This examination will reveal that SCO’s allegations, however superficially and simplistically, presented, raise legitimate legal issues that must be addressed by the court.
I have previously argued that, based upon a series of court decisions, the end user’s default status in the digital world, for all practical purposes, is ‘unauthorized’. By that I mean that legal access to ‘cyberspace’ is more often than not governed by some contractual (implicit or explicit) prerequisite that ‘grants’ access. Breech of this contract by the end user renders his or her access unauthorized for purposes of the CFAA.
Case law examples of some of the instruments in question are as follows:
1. Internet Service Provider Terms and Service Agreement
2. Employer Computer Use Guidelines
3. Institutional (i.e. schools, hospitals, library) Computer Use Guidelines
4. Website Terms and Service Agreements
5. “Reasonable expectations” of the website owner
In light of this it is worth examining the specific subsection of the CFAA SCO, apparently, alleges that IBM’s agents violated: (a)(2)(C) which reads:
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains……
(C) information from any protected computer if the conduct involved an interstate or foreign communication [can be liable for a violation of the CFAA]
Congress has, so far, refrained from defining what the word ‘obtains’ means when employed in (a)(2). However, in its Report on the 1996 amendments to the CFAA, the Senate noted that the “premise of this subsection is privacy protection”, which means, “in this context…mere observation of the data” is a violation of (a)(2). [emphasis added]
The Report went on to say that “removal” of the data, or “transcribing” the data need not be proven as an essential element of the violation. This is a unique finding because, as the Report noted, information is, essentially ‘stolen’ without “aspiration”.
Here is an example of how a violation might occur:
1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but given that there are only 48 hours in a weekend, did not read]. This is the contractual instrument that allows my “access” to be “authorized”.
2. Then I violate this instrument’s conditions, and my access, is, at the very moment of the violation, “unauthorized”.
3. And since, given that I’m probably staring at the screen, I am therefore “obtaining”… (viewing) “information from a protected computer…”
4. In theory, we have, a violation of the CFAA.
Please don’t shoot the messenger. Yes, I think this conclusion is absurd and worrisome. And yes, it may very well mean that every time one checks the stock prices (or whatever) at one’s place of employment, and one does so in violation of one’s agreement to only access the internet for the employers’ purposes, technically one is in violation the CFAA. How did we get to this point? Glib answer? Spammers -- and lack of imagination, perhaps, on the part of the judiciary.
AOL v. LCGM, one of the cases SCO cites, is a good starting point on where this unique, and in my opinion, troublesome, theory of CFAA liability began.
LCGM, the defendant, was a purveyor of spam. AOL claimed the defendant sent out huge amounts of spam to AOL customers. AOL claimed this was a violation of AOL’s “Unsolicited Bulk E-Mail Policy”. The court found that this allegation was true. They further concluded that this finding satisfied the necessary elements for a violation of the CFAA, subsection (a)(2)(C). The court wrote that “Defendants’ actions violated AOL’s Terms of Service agreement, and as such was unauthorized” [emphasis added]
This holding was proffered absent any qualifying language addressing the issue of notice, and how it may, or may not pertain to an alleged CFAA violation, triggered by a “Terms of Service” violation.
If America Online, Inc, Plaintiff, v. LCGM, Inc, et al, Defendant heralded the beginning of the breach of contract equals “unauthorized access” theory, as defined in the CFAA, the two AOL v. National Health cases solidified it.
The judge in both those cases went to some detail demonstrating how a Terms of Service Agreement breech could equal a CFAA violation. Once again the defendant was a purveyor of spam. And once again the court held, in both cases, that the violation of AOL’s Terms and Service Agreement equaled a CFAA violation. Now we had three opinions articulating a legal theory that one astute critic called, with good reason, a: “dramatic and potentially unconstitutional expansion of criminal liability in cyberspace.”
And this leads us to the last two cases we will cover in this essay. EF Cultural v. Explorica Inc (EF ), and EF Cultural v. Zefer (Zefer) are cases that may exert the most impact on the dispute at hand. The two cases above are not cited by SCO but, I would argue, are the cases most on point given the fact pattern alleged by SCO.
It should not take much imagination to grasp that if you can have a CFAA violation by violating an ISP’s terms and services agreement you can have the same violation by violating other agreements that ostensibly grant access to networks or cyberspace. EF and Zefer confirmed this premise.
Again, it is beyond the scope of this essay to analyze in great detail, the respective cases. However, I suggest both cases are worth reading in their entirety. They will have, and have had, a significant impact in cyberspace jurisprudence.
EF and Zefer were companion cases.. A former employee (Gormely) of EF Cultural started his own rival company, Explorica. Gormely, in turn, engaged Zefer Inc. to create a scraper tool which Gormely used to search, query, and harvest data, from EF Cultural’s website. This data was intended to be used to allow Explorica to underbid EF Cultural on certain projects both sought.
EF Cultural sued, among others, Gormely, Explorica, and Zefer for, among things, “unauthorized access” to EF Cultural’s website by Gormely’s scraper. The district court granted a preliminarily injunction against Explorica on the grounds that the scraper was used in a manner that exceeded the “reasonable expectations” of EF Cultural, the website owner.
In a supplemental opinion issued by the district court on the controversy the court elaborated on further on its, heretofore, unknown test:
… by noting ‘…that copyright, contractual and technical restraints, sufficiently notified Explorica that its use of scraper would be unauthorized and thus would violate the CFAA.’ The district court first relied on EF’s use of a copyright symbol on one of the pages of its website and a link directing users with questions to contact the company, finding that ‘such a clear statement should have dispelled any notion a reasonable person my have the presumption of open access applied to information on EF’s website [emphasis added]
The 1st circuit court of appeals upheld the injunction but on much narrower grounds than the “reasonable expectations” test. The court decided not to the address the holding of the district court that use of a “warp speed device…” [the scraper] “circumvented the technical restraints” of the website. Nor, did the court express any opinion on the lower court’s holding that the copyright notice on EF’s website served as “clear notice” that any “reasonable person” regarding “open access” to the site. And so, the crucial issues implicit in the district court’s holding lingered; neither upheld nor repudiated. But they did not linger for long.
In the subsequent case it was the turn of maker of the software, defendant Zefer. Zefer, on a technicality, had been detached from EF. In Zefer the 1st circuit affirmed the preliminarily injunction of the district court on very narrow, procedural, technical grounds not relevant to this matter. Because of this finding the court did not have to address any of the vexing substantive issues -- relevant to the SCO allegations -- and raised in EF and in the district court’s injunction. However, that did not stop the Zefer court from leaping into the fray and articulating a legal position enormously critical to a citizen’s access, or lack of access, to information and navigation in the digital world.
The court was obviously uncomfortable with both the district court’s “reasonable expectations” test and the appeals court’s apparent reluctance to repudiate it in EF. The central issue, that the Zefer court wanted to address was “….whether use of the scraper” on EF’s website "exceeded authorized access." The court answer that question in the affirmative, and added, for future reference in these types of cases: “A lack of authorization could be established by an explicit statement on the website restricting access.”
So, it was with an “explicit statement” rule that the court seemed to think it had vanquished the “reasonable expectations” test. And then the court turned right around and brought much of “reasonable expectations test” right back. Because, the court acknowledged, it did agree with the district court that lack of authorization could be “implicit” as opposed to “explicit”.
For example, the court noted:
" . . .password protection itself normally limits authorization by implication (and technology), even without express terms. But we think that in general a reasonable expectations test is not the proper gloss on subsection (a)(4) and we reject it. However useful a reasonable expectations test might be in other contexts where there may be a common understanding underpinning the notion, cf. Terry v. Ohio, 392 U.S. 1, 9, 20 L. Ed. 2d 889, 88 S. Ct. 1868 (1968) (Fourth Amendment), its use in this context is neither [**11] prescribed by the statute nor prudentially sound." [emphasis added]
The court felt the need to further explain its rationale. It wanted to be clear that the basis for the rejection of “reasonable expectations” test is not “as some have urged, that there is a "presumption" of open access to Internet information”. There is not. (Some might call that astounding and disturbing news.)
Indeed, the court goes on to note: “The CFAA, after all, is primarily a statute imposing limits on access and enhancing control by information providers”. And the “website provider can easily spell out explicitly what is forbidden” [emphasis added]. A statement, one might add, that conveys great faith in the drafters of website terms and service agreements.
It is this alleged violation of an “explicit statement”, or “implicit”, as the case may be, that SCO is presenting as a “hack” into a website.
It will be crucial for the court hearing SCO’s claim to ascertain what, if any, terms and conditions governed access to SCO’s site on the day, and time, in question. And depending on what those terms were, SCO’s claims of the “hack”, however farcical in an actual sense, may have more than a grain of validity if the Zefer reasoning stands the test of time.
This observer thinks that Zefer, to the extent it is a precedent, should be overturned. A breach of a contract based access provision should never be the basis for a CFAA violation. It should be the basis for a contract breach. Rather, the basis for CFAA violation should be intentional circumvention of specific, delineated, code based restrictions.
Kathleen Bennett’s Declaration makes no mention of how she accessed the SCO files in question other than to declare she downloaded them from specific SCO sites. However, I have been told by people familiar with Groklaw and familiar with the specific issue in question here that it may have been possible to access at least some of the relevant files by using anonymous as your user id and your email address as your password.
This, so I am told, is a common practice by companies that wish to make their applications, websites, and information available to the public. Further, without having first-hand knowledge of the facts, I have seen posted comments on Groklaw that indicate the relevant files were placed in “public directory”.
If this information and assumption is correct, SCO’s claim that Kathleen Bennett exploited a "bug" and “hacked” into SCO’s computers is specious and should be repudiated by the court on the grounds that what Kathleen Bennett did was exactly what SCO intended an end user to be able to do and what is a common and normal practice in the digital world. It should not been seen as a CFAA violation or as something “improper”.
Jon Stanley is a graduate of University of Maine Law School. He is also a graduate of the University of Strathclyde Law School, UK, where he was granted a Masters of Law in Information Technology and Telecommunications Law. His Masters Dissertation was on the United States Computer Fraud and Abuse Act and is presently being edited and updated for publication. He practices law in Maine, focusing on information security, as well as privacy, cybercrime, cyberspace insurance, and intellectual property issues. Mr. Stanley represented the state of Maine in the Attorney General’s Case against the tobacco industry. Mr. Stanley recently completed a project for the Japanese Government examining the potential liability issues raised by downstream viruses, and information security system breakdowns. He has spoken about the Computer Fraud and Abuse Act at numerous panels and seminars including the RSA Conference 2003, RSA 2004, RSA 2005 (scheduled), Computer Security Institute Conference 2004 and the Maine State Bar Association 2002.
© Copyright 2004 Jon Stanley