The Law Developer

     I was going to post on the conviction of Terry Childs, the San Francisco network administrator who locked out all of the other network administrators and then quit his job. He refused to give up his username and password and was finally convicted of felony computer tampering. It’s a pretty interesting story. He claims that he did it to show the weaknesses in the city’s network security. Considering the city was locked out of its own system for 12 days, he may have made his point.

     But overshadowing the story is the completely baseless fear-mongering by InfoWorld’s Paul Venezia. In discussing the conviction, he states:

“[S]houldn’t the letter of the law be applied to other “denial of service” problems caused by the city while they pursued this case? In particular, the person or persons who released hundreds passwords in public court filings in 2008 be tried for causing a denial of service for the city’s widespread VPN services? … You may argue that the release of those documents was a mistake, but people go to prison for mistakes all the time. Negligence is not a defense. … If so, there are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.”

     Wow, this guy writes for a major Internet news site. It did take me five minutes to find, but I looked up the law that Childs was convicted under, California Penal Code Section 502. I won’t quote the whole section here, but “Knowingly accessed” or “Knowingly … used” are requirements for all of the violations. So, despite Mr. Venezia’s baseless assertions, negligence is a defense, thousands of IT workers are not suddenly felons, and the letter of the law is correct.

     A person must have a “guilty mind” (mens rea) to be convicted of most crimes. The level of guilt is also important. Many states recognize four levels of mens rea: purposefully, knowingly, recklessly, negligently. Those are listed descending order. Therefore, if a law requires a “knowingly” level of mens rea, people who negligently commit the same action are not guilty of violating the law. You would think that the staff at InfoWorld would put in a little research effort before they start telling IT workers that they are possible felons.

     What makes this worse is that Mr. Venezia has a much larger audience than I do AND he was linked by Slashdot.org. Literally millions of people will read his article and think that the law is criminalizing mistakes by IT administrators. Maybe I should start making baseless, fear-mongering accusations too. Stay tuned for tomorrow’s post where I will discuss how SQL queries violate the Patriot Act.

Stephen Burch

Tweet This Post

     I finished my Florida Civil Practice exam today and wrote my first Android application. Good times. Now to study for Business Organizations and Internet Law. With all of that said, I can relate to this former law student.

Stephen Burch

Tweet This Post

     This article discusses the new technologies available for doctors and patients to communicate electronically, dubbed e-Care. I believe that this technology can change the world for the better. Monitoring medicine intake, sensors that can detect for falls, using the Internet to communicate with patients, all of these will allow for doctors to better monitor patients and do so in a cheaper and more convenient manner. Using technology to make life better is the future. Unlike some people who fear technology intruding into their life, I welcome it. What I fear is the way Government will use the technology.

     Scott Adams, the creator of Dilbert, has discussed how his health insurance plan includes an email option. This option allowed him to communicate via email with his doctor to diagnose and treat small ailments. This sounds great. No driving to the doctor while sick, or even worse siting in a waiting room with a bunch of people who are more sick than you while waiting for the doctor. My problem is this: according to the 11th Circuit, there is no expectation of privacy in sent email. What does that mean to non-legal types? It means that the police can read your emails sent to your doctor without a warrant. Maybe email sent to a doctor would be treated differently by the court, but who knows. Right now, courts are still unsure of what gets 4th Amendment protection when it comes to electronic communications. Until this issue is sorted out, I don’t want my medical information being discussed via email.

     A quick tangent about “reasonable expectation of privacy”. That language is nowhere in the 4th Amendment. The 4th Amendment guarantees the right to be free from searches and seizures without a warrant. The courts then added an exception to things that are in the public view. For example, a police officer won’t have to get a warrant to search the contents of my blog because this blog is visible to the public. This exception made sense. But like all exceptions, its scope began to creep. Shortly thereafter bank records and cell-phone records were no longer protected by the 4th Amendment. Why? Because apparently you don’t have a reasonable expectation of privacy in those things. (Hey, don’t get mad at me. I don’t make the law, I just talk about it.) Now some people don’t even have a reasonable expectation of privacy in emails that are stored on their own email servers. The Supreme Court needs to rein in this exception. If the police can’t see the information without having to ask someone else to give it to them, then it should not be considered in the public view, there is an expectation of privacy, and a warrant is needed to search it.

     The other worry I have is that the information recorded will be used against patients. Most new cars have a black box that records driving information. After a crash, the insurance companies and police are scrambling to get that information. The black box in the car was paid for by the owner. Yet after a crash, that information is taken from the owner and used against him. Now imagine that same scenario in a health care situation with the insurance company knowing every thing that you did. Did you follow the doctors orders exactly? The insurance company would know. Maybe it would adjust your premiums based on how well you follow directions. Or maybe it will decide what care to cover based on how well you followed doctor’s orders.

     E-Care is coming. There is nothing anyone can do stop it, nor should they. People should do their best to make sure that before these new rules and regulations are put in place, the Government has implemented adequate privacy protections. The problem, of course, is what they put in place now can be taken away in the future. Until then, I suggest wearing two hospital gowns (one open in the front, the other in the back) to protect your privacy. Unless, of course, you like the exposure.

Stephen Burch

Tweet This Post

     I spent the whole weekend working on my Immigration Law exam. This might seem topical to some people given Arizona’s new immigration law and the renewed calls for immigration reform. Some people are discussing the pros and cons of immigration reform, but all I can think is that if they change the immigration laws, then everything I learned over the past 13 weeks is now bunk.
     Oh well. I did read this article about a new Massachusetts law. This law requires companies that store personally identifiable information about MA residents to encrypt the data, both in transit and in the database. While this law may be hard for some smaller companies to implement, I think it is a step in the right direction. If companies want to compete on the Internet, they need to take some basic, appropriate steps to ensure that customer data is safe. It is not often that I welcome new government regulations, but I think I’ll make an exception for this one.

Stephen Burch

Tweet This Post

     That’s the question posed by this Washington Post article, after a nine-year-old hacked into his school’s computer system. I am a senior software engineer, and I’m not sure I would know how to hack into a computer system. I am certain that at the age of nine, I didn’t even know what hacking into a computer system meant. But the world is changing. My kids have a hard time understanding why we can’t fast-forward through commercials when we’re watching live TV. They use my iPhone to get on the Internet while we are on road trips. They are immersed in technology. While older people are frightened of new technology, kids embrace it. It makes me feel old (well, that and being old). But the best news from the story, since the kid didn’t do any real damage, the police aren’t going to press charges.

Stephen Burch

Tweet This Post

     A Maryland man, Anthony Graber, decided to drive his motorcycle at reckless speeds down public streets and, in a stroke of genius, decided to record his antics from his helmet camera for later viewing on YouTube. Fortunately for the other drivers of Maryland, a police officer caught Mr. Graber and arrested him. And, thanks to Mr. Graber’s helmet camera, we can watch it all on YouTube.

     Happy ending, right? Unfortunately, no. Mr. Graber had his computer confiscated and is now being charged with violating Maryland’s wiretapping law for recording the conversation between him and the police officer. Here is the relevant section of the statute:

§ 10-402.

(a) Except as otherwise specifically provided in this subtitle it is unlawful for any person to:

(1) Wilfully intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

(2) Wilfully disclose, or endeavor to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subtitle;

     Based on a plain reading of the statute, it appears as though Mr. Graber violated the law, but a plain reading of the statute would most likely violate the First Amendment. A Maryland appellate court, however, has determined that the “oral communication” portion of the statute requires “factual finding[s] of reasonable expectations of privacy.” In other words, if there is no expectation of privacy in the communication, there is no violation of the statute when applied to oral communications.

     Let’s take a step back and discuss Miranda warnings. Miranda warnings are required to be given to a person who has been taken into custody by the police. Yet, courts have held that when a person is in the custody of police officer during a traffic stop, the police do not have to read the Miranda warnings. This was decided in the case Berkemer v. McCarty, in which the U.S. Supreme Court held that people pulled over during a traffic stop are in temporary police custody, but because (among other reasons) the stop occurs in public view, Miranda warnings are not necessary. The Court believes that because the public is viewing the stop, the police cannot be as coercive as they would be during a normal custodial interrogation.

      Most of you know where I’m going with this. If Miranda warnings are not necessary during a traffic stop because it occurs in the public view, the police officer who pulled over Mr. Graber could not have had a reasonable expectation of privacy during this traffic stop. The police want it both ways. Traffic stops are in the public view when the question is whether or not to read Miranda warnings, but the police expect privacy during the traffic stop when it comes to detainees taping their actions. Leave it to the cops to take any good will they earned by arresting a self-centered jerk who threatens the lives of everyone on the street and throw it away by going overboard and violating the guy’s First Amendment rights. Hopefully, this guy will have the charges dropped and maybe even win some money in a civil rights suit against the police.

     One last thing before I wrap this up, the article tries to paint the officer who pulled over Mr. Graber as reckless and overzealous. I just don’t see it. The officer did pull his gun, but practiced excellent muzzle control. Given the circumstances, pulling a gun doesn’t seem that out of line. The writer also tries to fault the officer for waiting a few seconds to announce himself as an officer (he was a plain clothes officer). Watching the video, the officer secured the situation and then announced himself. I am as critical of the police as anybody, but I just don’t see an issue here. The officer acted the way that I would expect an officer to act under the circumstances.

     This whole thing puts me in a weird position. I have to defend the first arresting officer because the article writer tries to fault him in the situation. Then I have to defend the attention-seeking jerk because other police officers violate his First Amendment rights. Defending a police officer and a narcissist all in the same post makes me feel dirty. I guess if I want to be a lawyer I better get used to that dirty feeling.

via TechDirt

Stephen Burch

Tweet This Post

     With State budgets coming up short, legislators in many states are looking for more tax revenue. North Carolina is no exception. After passing a law that forced Amazon to either end its affiliate program or pay state taxes, Amazon cut off any of its ties to the state. This ingenious act of forethought cut off a revenue stream for many people – people who pay taxes, live, and vote in the state. Not to fear, North Carolina has another plan to squeeze more money out of its constituents.

     This plan involves demanding that Amazon provide the name and address of all customers residing in North Carolina along with the items that they purchased. What is the point of all of this? To collect sales tax money from Amazon customers who paid no state sales tax when they purchased the goods from Amazon. What could possibly go wrong? Well, for starters, it very likely violates the law. The article points to two court cases that have held that a person’s book purchases are both private and protected by the First Amendment. It also points to the Video Privacy Protection Act which makes disclosing people’s video purchases illegal.

     Amazon is holding firm that it does not have to release this data. While Amazon does sell more than just books and movies, I hope that this case makes it far enough to declare that everybody’s purchases, regardless of the type of product, are to remain private information. In any event, this is overshadowed by a bigger issue – why are the constituents of North Carolina allowing their elected officials to violate their privacy? Worst of all, this type of behavior isn’t just isolated to North Carolina. People from all over the United States allow their elected officials to do things that negatively affect them. North Carolina has already cost its citizens money by forcing Amazon to discontinue the affiliate program in the state. Now it wants Amazon to reveal purchase information for all of North Carolina. No one would ever expect this type of disclosure from a brick and mortar store. In fact, those types of stores don’t even collect or store that kind of information. Amazon shouldn’t be forced to violate its customer’s privacy just so tax collectors can then use that information to harass its customers. Then again, they are tax collectors. Violating privacy and shaking people people down for money seems to be their M.O.

Stephen Burch

Tweet This Post

     In my first post about UbiSoft’s DRM failure, I came to the conclusion that there was most likely no real legal recourse for affected users. This was based on my assumption that the DRM server outage was an isolated incident. You know what they say about assumptions. Well, apparently the problem is ongoing, which changes my analysis:

     The first issue is monetary damages. As I previously stated, a single outage of a few hours caused by outside hackers probably wouldn’t yield any damages. However, users constantly being denied access to their game will yield a different result. With the current situation, there may be enough damages for a lawyer to pick this up as a class action. The problem with a class action for affected users is that they probably won’t ever see much money from a settlement. But the lure of a large contingency fee could entice a lawyer to take the case. And with a lawyer on the case, affected users can seek a recourse that will actually address their problem.

     That recourse is an equitable injunction. Injunctions are only issued when monetary damages are not adequate. In this case, even if UbiSoft compensated its users for playing time lost, that would not prevent users from any losses going forward. An injunction would resolve this problem. The lawyer could ask the judge to force UbiSoft to change its DRM to allow the game to play even if the Internet connection is lost or the DRM server does not respond. If the injunction allows UbiSoft to require DRM authentication upon installation, subsequent failures of the authentication server or lack of Internet connection shouldn’t prevent the user from playing. This would be enough to prevent the casual user from pirating the software. Meanwhile, more hardcore pirates, who aren’t even deterred by the current system, would just continue to download the cracked version (which doesn’t use the DRM authentication anyways). This injunction would allow UbiSoft to continue to protect its intellectual property while keeping it from denying users access to their purchased property.

     Every contract has an implied covenant of good faith and fair dealing. While I believe DRM is a bad business move, it is certainly legal. But when a company’s DRM is so poorly executed that users are unable to play their games, the company has breached its good faith duty to provide a stable DRM server. I still stand by my first post though- the best way to stop DRM is to not buy games with DRM. Money always talks and the courts are usually not the best outlet to make companies change their business practices. As a future lawyer, I welcome the challenge of being utilized to accomplish, well, pretty much anything… Especially if the people wanting the change have money for my retainer.

Stephen Burch

Tweet This Post

     Enemies of the United States use a myriad of techniques when it comes to attacking us. These attacks range from low-tech suicide bombings to high-tech cyber attacks. To combat the latter, the Pentagon has created a U.S. Cyber Command to coordinate all of the military’s online activities. The threat from cyber attacks is real and with an increasing dependence on the Internet, even for government and military uses, the need for a dedicated team to defend the U.S. from cyber attacks is long overdue.

     What I fear from all of this, however, is the over-expansion of the role of the Cyber Command and definition of cyber attack. To illustrate my point, look at this article from Revere, MA. A man running for city council had an unknown person threaten to post pornography on a website baring the candidates name if the candidate didn’t pay him money. This is a simple case of extortion, but the headline from the article: ‘Revere candidate target of cyber attack’. Despite their ubiquity in modern life, computers and the Internet are still like magic to many people. When the Government and news outlets start drumming up fear of cyber attacks, it causes people to get very skittish. Skittish and fearful people look for a protector and the Government is all too happy to expand its role to ‘protect’ the people. With this new increase in power, comes new laws and decreases in privacy and freedom.

     When Paul Revere made his famous ride warning the people of the invasion of the British, he did so to increase the liberty of the people and remove the chains of an oppressive government. Now, when the Government warns of impending invasions, it is to increase government power and decrease liberty. Don’t let new technology and new technical terms scare you. Be wary of a government that uses fear to increase its power. In my Internet Law class, one of the reoccurring themes is that existing laws are more than adequate in dealing with legal issues (criminal, tort, property, contracts, etc.) that occur on the Internet. In the Revere article, existing extortion laws can adequately handle the issue. But there have been some attempts to create new laws to handle online activity, e.g. Lori Drew (who was eventually acquitted) and a horde of cyberbullying laws. These laws aim to limit First Amendment rights while trying to solve a problem already addressed by existing law. These laws have traction because they play off of fear. Don’t let your lizard brain succumb to these fears. Remember, the only things we have to fear are spiders, snakes, werewolves, sharks, dying alone, zombies, clowns, heights, big dogs, robots with human brains, Johnson’s wife, and fear itself! (link)

Stephen Burch

Tweet This Post

     Apparently Florida isn’t the only state where people lacking in customer service like to sue their customers when they complain. T&J Towing decided to sue a Western Michigan University student who started a Kalamazoo Residents against T&J Towing Facebook page. The student asserts that nothing he said was untrue, but the towing company is still suing for $75,000. This lawsuit is nothing more than an attempt to shut down free speech. I’ll let Cooley Law Professor Curt Benson summarize the towing company’s case:

“So frankly, he’s got an awfully hard lawsuit to win here and frankly, I get the impression it’s more like him sending a message to the community, ‘don’t say anything negative against me because I’ll file a lawsuit against you.’”

     Maybe I should start a Facebook Group called ‘Jerks who File SLAPP Suits’. I wonder if that would be considered defamation?

     As a follow up to my Viacom v. YouTube post in which I discussed how Google was in the right and how I hoped it would prevail in its copyright infringement suit, now I’m not so sure. Viacom has released some more information that makes me think that Google may not be as innocent as I had originally believed. It made public Google’s analysis of YouTube when Google Video was a competitor of YouTube. Below are three of the statements included in the analysis:

  * “YouTube’s business model is completely sustained by pirated content.”

  * “YouTube’s content is all free, and much of it is highly sought after pirated clips.”

  * “[W]e should beat YouTube by improving features and user experience, not being a ‘rogue enabler’ of content theft.”

     That doesn’t sound good. It purchased a company that it knew was built and sustained by piracy. Viacom also disclosed bullet points from a slide that Google created to determine how to handle companies like Viacom. The most interesting of which is “Set up ‘play first, deal later’ around ‘hot content.’” Basically Google is saying that its strategy for dealing with pirated content is to put it on its site first and deal with any consequences later. Well, the consequences may be… (*puts pinky finger on edge of my mouth) ONE BILLION DOLLARS!

     I think it would be a good business decision for movie and TV studios to allow their videos to appear on YouTube. But it should be their decision. If a company like YouTube purposefully seeks out to obtain and display content that it does not have rights to show, it should face consequences. Google’s analysis of YouTube shows that it understood that YouTube was popular because it had pirated content, yet Google still bought it. The Google slide clearly demonstrates that Google itself wasn’t worried about violating the rights of copyright holders. Now Google has definitely changed its ways. It has an incredibly sophisticated content detection system that allows it to notify copyright holders when their videos appear on YouTube. Apparently though, Google wasn’t always as diligent in preventing pirated videos from appearing on its site. And by not as diligent I mean it actively sought out and displayed pirated videos.

h/t Ben Sheffner for the Google vs Viacom articles.

Have a Good Weekend.

Stephen Burch

Tweet This Post