May 22, 2008

Unlawful Content or Hyperlink to It: What's the Difference?

The small body of law pertaining to hyperlinks grew a little last week with a military appellate court's decision that the act of distributing a hyperlink to an online source of child pornography did not subject the defendant to criminal liability for distributing the child pornography available at that address.

The court's decision was interesting for its discussion of the differences between transmitting a computer file and transmitting a pointer to that file's location, and whether different legal consequences should attach to these scenarios. Hyperlinks are valuable currency on the Web 2.0 Internet. I came away from this case with the sense that the criminal code, at least some portions of it, has yet to recognize this fact.

The decision was a close one, a 3-2 vote, where the majority based its ruling on the plain language of the statute. Child pornography is a visual depiction of a minor engaging in sexually explicit conduct. A "visual depiction," as defined by 18 U.S.C. 2256(5), "includes ... data stored on a computer disk or by electronic means which is capable of conversion into a visual image[.]"

The defendant was alleged to have transmitted to an undercover law enforcement agent a hyperlink pointing to a Yahoo! Briefcase server containing images of child pornography. The court rejected the government's argument that a hyperlink to child pornography meets the statutory definition of a "visual depiction" of child pornography. "The data contained in a hyperlink is not capable of conversion into any type of visual image," it said. The court said that a hyperlink was a shortcut to a particular location on the Internet--not child pornography itself or data capable of conversion into child pornography.

Two dissenters argued that there is little difference--a few extra mouseclicks, at most--between the distribution of a hyperlink to child pornography and distribution of the child pornography itself. They relied on language in Universal City Studios Inc. v. Corley, No. 00-9185 (2d Cir., Nov. 28, 2001), a copyright infringement case, in which the Second Circuit found infringement liability because the hyperlinks published by the defendant had the "functional capacity" to deliver infringing content instantaneously to an Internet user's computer. Building on Corley, the dissenters would have affirmed the defendant's conviction. "The recipient's ability to access and use images transmitted by hyperlink is functionally indistinguishable from the ability to access and use images transmitted as individually saved files," they wrote.

The case is United States v. Navrestad, No. 07-0199 (C.A.A.F., May 14, 2008).

May 20, 2008

Drew Indictment Suggests Vast New Expanse of CFAA Liability

Imagine you're on a flight from Seattle to New York. Your eyes wander over to the laptop screen of the passenger sitting next to you. Imagine (you have quite an imagination) your brief glimpse of the screen reveals the details of one software company's not-yet-public offer to purchase a leading online property. Assume this information is very valuable. Have you, in that moment, violated the Computer Fraud and Abuse Act?

Possibly. There are quite a few ways to violate the CFAA, but a garden variety violation requires proof that the defendant "accessed" a "protected computer" without authorization or in excess of authorized access and thereby obtained information (a criminal offense under 18 U.S.C. 1030(a)(2)(C)) or "anything of value" (a criminal offense under 18 U.S.C. 1030(a)(4) if done with intent to defraud) or caused damage and loss of at least $5,000 (a civil offense under 18 U.S.C. 1030(g)).

Thanks to the Internet, nearly every computer is a "protected computer." The hard part of the analysis is deciding whether you have "accessed" your flight companion's laptop and whether that access was unauthorized. The statute is no help here. Congress failed to define either "access" or "authorization" in the CFAA (though it did define "computer").

My dictionary defines the verb "access" as "to gain or have access to; esp., to retrieve data from, or add data to, a database [branch officials can access the central database]." With this definition in mind, it's certainly plausible to argue that your glance "accessed" that laptop.

Which brings us to the final inquiry: Was your access of the laptop unauthorized? Certainly the laptop owner did not want you to read that top-secret, super-valuable information he was so carelessly perusing. Is that enough to establish a lack of authorization? Is there a requirement that the laptop's owner first inform you that you do not have permission to read over his shoulder? Would it matter if you were a former employee at the laptop owner's company and thus you knew immediately that you did not have permission to read the information on the screen? Would it matter if you had signed a confidentiality agreement while working at the company?

There really are no solid answers to these questions. Congress' decision to add a civil remedy to the CFAA in 1994 and its later decision to drape CFAA liability over the entire Internet by extending the CFAA to any computer used in interstate commerce have combined to create a vast new expanse of computer fraud liability that lawyers and courts are only now beginning to explore. And while there are several murky corners of the CFAA (such as what constitutes damage and/or loss), the area receiving the most attention right now is the question of which kinds of computer access are "unauthorized" or "exceed authorized access."

Several courts have given an expansive reading to these terms, commonly in cases in which access is initially authorized or conditionally authorized, but the information taken is later put to an unauthorized use. Here are a few leading cases supporting a broad reading of unauthorized access.

In America Online Inc. v. LCGM Inc., 46 F. Supp.2d 444 (E.D. Va. 1998), a court held that an AOL user who harvested e-mail addresses of other AOL users made an unauthorized access of AOL's computer network because such use violated the AOL terms of use, which he had assented to via a mouseclick.

In EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001), the court held that the use of a datamining tool to collect publicly available pricing information was unauthorized because it violated a confidentiality agreement signed by the defendant, a former employee of the plaintiff.

In Register.com v. Verio, 126 F. Supp.2d 238 (S.D.N.Y. 2000), the court held that a competitor's use of repeated database queries, in violation of Web site terms of use, and after objection by Web site owner, was unauthorized under the CFAA.

In International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006), the court imported common law agency principles to conclude that an employee's otherwise-authorized use of the employer's computer network becomes unauthorized when the employee acts against the interests of the employer.

Citrin is a controversial decision, and some courts have rejected it. Nevertheless, Citrin gets you into court with a plausible (decisive in the Seventh Circuit) argument that your company was the victim of federal computer fraud when employees take valuable information on their way out the door.

These cases have generated a lot of interest from companies who incur business losses when employees depart to work for competitors. The tactical advantages of a CFAA cause of action against departing employees are discussed by technology law experts here and here. The availability of a federal forum, the ability to protect information that does not qualify for copyright or trade secret protection, and the availability of injunctive relief, are just three reasons for increasing interest in the CFAA's civil remedies.

Later this week, on May 23, ALI-ABA is conducting an online seminar on civil uses of the CFAA in these situations.

Finally, there is the case of Lori Drew, a Missouri woman who has been indicted for violating the CFAA's criminal provisions, arising from her alleged use of the MySpace.com Web site in violation of its terms of service. This prosecution holds out the possibility that a CFAA criminal prosecution for "unauthorized" accesses could include any violation of a Web site's terms of use. Hard to imagine.

Daniel J. Solove at Concurring Opinions and Orin Kerr at the Volokh Conspiracy have commentaries on the case here and here.

January 11, 2008

Court Declines to Extend Insider Trading Law to Outsider Hacking

The Securities and Exchange Commission's bid to establish a cause of action for "hacking and trading" under Section 10(b) of the Exchange Act suffered a setback earlier this week, when Judge Naomi Reice Buchwald held that there could be no violation of the insider trading statute without proof that the defendant breached a fiduciary or similar duty in obtaining the information he traded on.

The court rejected the SEC's argument that Section 10(b) reached conduct that could be considered deceptive, manipulative, or otherwise fraudulent.

Oleksandr Dorozhko was alleged to have hacked into a computer network operated by Thomson Financial, a publisher of business information that is also in the business of hosting investor relations Web sites. Sometime between the time that IMS Health Inc. uploaded an unfavorable earnings announcement to Thomson Financial's servers (approx. 2:01 p.m.) and the publicly announced release time (5 p.m.), Dorozhko hacked into the Thomson Financial server, obtained the earnings report, and began to make trades based on the assumption that IMS Health's stock price would plummet in the wake of the public release of the earnings report. Dorozhko was right: The market reacted negatively to the IMS numbers, and Dorozhko made a $286,456.59 profit overnight. His initial investment was roughly $40,000 in put options.

Judge Buchwald remarked that securities markets not only need, but require, informational disparities in order to operate. Moreover, Congress has rejected fairness-based regulation of the securities markets. The task of the judiciary, Judge Buchwald wrote, is to decide how to draw the line separating "proper and improper informational disparities in the securities markets." After a thoughtful and scholarly review of the available court opinions and law review articles that populate this murky area of the law, Judge Buchwald concluded that the existence of a fiduciary duty establishes the line between lawful and unlawful conduct.

"[T]here are policy considerations that weigh ... against discarding the fiduciary requirement and/or extending the SEC's jurisdiction to cover 'hacking and trading.' As discussed above, in regulating insider trading, at the margins it becomes difficult to distinguish information that is properly obtained from that which is improperly obtained. The fiduciary requirement serves as an important delineation, a kind of shorthand that courts, market participants, and regulators may use to make that distinction. The presence of a fiduciary relationship ensures that the traded on information is available only to insiders. Without the fiduciary requirement, the question of when market participants may trade on information disparities becomes much more difficult."

Judge Buchwald stayed the effect of her order until Jan. 14, to allow the SEC time to seek a stay pending appeal from the Second Circuit.

I wonder (at the risk of exposing an unforgivable ignorance of these things) whether or not Thomson Financial or IMS Health have potential liability for negligently safeguarding the IMS Health earnings report in advance of its public release. Does either company owe a duty of care to IMS Health shareholders? Have IMS Health shareholders suffered the kind of loss that would support a negligence claim? Certainly they have suffered more of a loss than the mere-fear-of-identity-theft that courts in prior data breach cases have found insufficient to support a cause of action. The SEC might have regulations that cover information security practices for this situation, but I am not aware of them.

The case is Securities and Exchange Commission v. Dorozhko, No. 07 Civ. 9606 (S.D.N.Y., Jan. 7, 2008).

June 08, 2007

Council of Europe Prods Tardy Cybercrime Treaty Signers

A significant number of important countries have yet to ratify the Council of Europe's Convention on Cybercrime, a treaty intended to strengthen law enforcement's hand against computer crimes.

Of the 43 countries that signed the treaty back in 2001, 21 -- not quite half -- have ratified it to date. Among the European holdouts are Germany, Spain, the United Kingdom, Ireland and Italy. Important non-CoE member signatories who have yet to ratify are Canada, Japan, Mexico and South Africa.

Next week in Strasbourg the CoE is holding a two-day conference to help revive sagging momentum in the ratification process. Conference sponsors say the event is "aimed at encouraging as many countries as possible" to ratify the treaty.

November 02, 2006

Bad Internet Connection? Please Let It Be a Hacker

As far as we know, Internet access providers don't guarantee uninterrupted or quality service. Here in the Washington, D.C., area, the most subscribers can expect is a modest credit on the next month's bill when service is entirely unavailable for more than 24 hours.

Apparently the situation is different when the balky connection is caused by a hacker. The Seventh Circuit, in a criminal case brought under the Computer Fraud and Abuse Act, affirmed a $6,014 restitution award to compensate a business for "lost productivity" attributable to the defendant's disruption of the company's wireless Internet connection.

The court's opinion is not clear on how this sum was calculated. The victim was a small manufacturing company that accessed the Internet through a wireless provider. The defendant, a recently fired computer technician, made unauthorized use of the company's wireless account, preventing the victim's employees from accessing the Internet at the same time. The victim's loss is twice described as "lost productivity" and once as "lost productivity for approximately five days." The court remarks elsewhere that the defendant's conduct "adversely affected their productivity."

The victim's characterization of its loss, submitted in the form of an affidavit by the president of the company, mentions just $164 in actual losses. However, the affidavit also claims 144 hours (at $65/hour) of lost productivity. These lost hours are attributed to the need to burn files to disc and overnight them to customers, plus "customer visits," "loss of customer confidence," and being "unable to communicate with customers." None of these losses were quantified or documented.

The case appears to be the first to treat this sort of "loss" as something protected by the CFAA. The statute, at 18 U.S.C. 1030(e)(11), defines "loss" as

any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;

The federal Sentencing Guidelines, Section 2B1.1, Application Note 3, advise that for CFAA offenses, "actual loss" means

pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to the victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.

While it is certainly possible to make a reasoned argument that "lost productivity" is a valid CFAA loss -- for example, by building on the expansive language used by the court in EF Cultural v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001) -- the trial court and the Seventh Circuit clearly seem to be breaking new ground here.

Unlike lost revenue, which is mentioned in the CFAA, lost productivity, which is not, is very difficult to substantiate. Did the victim have an alternative means of accessing the Internet? Did the victim pay overtime to compensate for the diminished productivity of its workers? Did the defendant's conduct affect the victim's revenues or expenses at all?

Consideration of "lost productivity" in this case yielded a 15-month prison term for the defendant plus $6,014 in restitution for the victim. The same harm, if caused by an Internet access provider, would have been worth about $20 off the next month's bill.

The case is United States v. Schuster, No. 05-4244 (7th Cir., Oct. 27, 2006).
