Microsoft, Yahoo, Amazon Join Opposition to Google Settlement

The New York Times reports that Microsoft, Yahoo, and Amazon have joined library associations, nonprofits, and individuals in opposing the Google Books settlement in The Authors Guild v. Google. The settlement, which would allow Google to provide digital versions of millions of books, still requires court approval and remains the subject of a Department of Justice antitrust investigation. The opposition group, tentatively called the Open Book Alliance, will argue to the Department of Justice that the settlement agreement is anticompetitive.

Internet Law Group Brings Suit Against Unidentified Hackers

“John Doe” suits brought against unidentified Eastern European hackers may offer a glimpse of the hackers’ targets and techniques through subpoenas against defrauded banks. However, the banks may challenge the subpoenas in order to protect customer privacy. Unspam Technologies, a group that recently filed suit against bank hackers in the Eastern District of Virginia, hopes to improve bank security and potentially identify the hackers. The New York Times outlines the stakes and key players in the case, Project Honey Pot v. Does.

Mozilla Versus Microsoft in EU Browser Investigation

Ryan Paul at Ars Technica criticizes Mozilla’s complaints regarding Microsoft’s Internet Explorer bundling and default-setting practices. Paul not only argues that many of Mozilla’s complaints “lack substance,” but also claims that the European Union has no business intervening to encourage competition because Mozilla’s Firefox browser has a 22 percent market share “amidst an increasingly competitive browser market.” In contrast, Mitchell Baker of Mozilla argues that the Firefox browser is at a disadvantage because Internet Explorer has a “uniquely privileged position on Windows installations.”

Cyberattack on U.S. and South Korean Governments Stymies Investigators

Law enforcement officials are still investigating the cyberattacks that hobbled some U.S. and South Korean government websites for five days beginning July 4, the New York Times reports. The distributed denial of service attack caused 50,000 to 65,000 infected computers to jam websites of government agencies such as the Federal Trade Commission and the Secret Service with an extraordinary amount of traffic. Although independent and government investigations have led to computers in Miami, Florida, and the U.K., some experts think finding the ultimate source of the “amateurish” attack may prove to be impossible.

Microsoft Convinces Court IP Addresses Are Not Personally Identifiable Information

MediaPost News reports that in a recent class action case against Microsoft, a federal district court in Seattle held that IP addresses do not count as “personally identifiable information” (PII), a term regularly used in user agreements and online privacy policies. The June 23 opinion granted Microsoft’s motion for summary judgment on charges that it had violated its user agreement by collecting IP addresses during automatic software updates. Judge Richard Jones held that in order to be PII, a piece of data must directly identify “a person,” rather than “a computer,” as an IP address does. The decision is in tension with recent E.U. regulatory findings and a 2008 opinion from the New Jersey Supreme Court, according to MediaPost.

New Zealand Takes Second Swing at “Three Strikes”

On July 14, New Zealand’s Ministry of Economic Development introduced a revised version of its “three strikes” copyright provision aimed at curbing online infringement, Ars Technica and Billboard report. The original bill, which provided for the termination of internet service provider subscribers’ accounts as a penalty for repeat copyright infringement, was scrapped in March after public outcry and industry disagreement. The new version addresses due process concerns by allowing alleged infringers to respond to notices of infringement and to have their cases mediated before trial. Termination of infringers’ internet accounts remains a possible penalty under the revised law.

A federal jury convicted Lori Drew on November 26th on three of four misdemeanor counts of unauthorized computer access under the Computer Fraud and Abuse Act (”CFAA”), 18 U.S.C. § 1030, for violating the MySpace terms of service. Drew was acquitted of three felony counts of accessing computers without authorization to inflict emotional harm under the same act. The case has raised widespread objection to the use of criminal liability for violating website terms of service.

The case revolves around the 2006 suicide of 13-year-old Megan Meier following an argument she had on MySpace with “Josh Evans,” a fictional 16-year-old boy whose profile was created under the supervision of Lori Drew. During the 28 days that the account was active, “Josh” established an online relationship with Meier that ended with harsh words and the involvement of other MySpace users. Creation of the fictional account using false information was a violation of the MySpace terms of service, which served as the basis for the computer fraud charges. The prosecution argued, and the jury found, that Drew’s subsequent visits to the MySpace site, in violation of the terms of service, were “unauthorized access” under the terms of the CFAA. Critics point out that this is a very creative use of the CFAA, which is typically used to target hacking and trademark theft. This is the first time it has been used in this fashion.

The New York Times describes the trial outcome, building on an earlier piece from 2007 that gives more factual background on the events. Court documents for the case are hosted on Citizen Media Law Project.

Kim Zetter, at Wired: Threat Level, has covered the trial exhaustively, including the most recent revelation from Valentina Kunasz, the jury foreman that the jury would have convicted Drew on the felony charges if the prosecution had been able to introduce more evidence.

The jury found that Drew did not act with malicious intent; but it found that a violation of a website’s terms of service alone is a tortuous act, even if only done indirectly. Though she encouraged the creation and was present for 50% of the communications from “Josh Evans,” Drew did not create the fictional account. It was proposed and created by Ashley Grills, an 18-year-old former employee of Drew’s (who was granted immunity to testify for the prosecution), with Drew and her then 13-year-old daughter watching. Thus, many critics have pointed out, Drew was convicted of criminally violating a terms of service agreement that she never read or agreed to.

Previously, the violation of terms of service would have been entirely the realm of contract law. Groklaw has posted an amicus brief with extensive commentary on the potential ramifications of website authors having the power to “make criminal law” by writing terms of service that unwitting visitors may violate. Orin Kerr, a GW law professor and formal federal prosecutor, joined Drew’s defense team in order to combat what he considers a misuse of the CFAA. Kerr claims the verdict is “strikingly broad and can’t possibly be what Congress intended with the statute,” and has stated that it is unlikely to survive appellate review. Kerr, speaking on Volokh Conspiracy, illustrates the extent to which this ruling would expose almost all Internet users to criminal liability under the CFAA by changing the terms of service.

Drew’s defense attorney, H. Dean Steward, is waiting for presiding Judge George Wu to decide an outstanding motion for a directed acquittal before filing an appeal with the 9th U.S. Circuit Court. Drew must appear before the court again on December 29th, where she could face a maximum sentence of a year in jail and $100,000 for each of the three misdemeanor counts.

United States v. Kernell
E.D. Tenn., October 7, 2008, No. 3:08-CR-142
Indictment

On October 7, 2008 a Tennessee grand jury charged David C. Kernell with violating 18 U.S.C. § 2701 (part of the Stored Communications Act) and 18 U.S.C § 1030(a)(2) (a subsection of the Computer Fraud and Abuse Act) for allegedly accessing the Yahoo e-mail account of Alaska Governor Sarah Palin, the Republican vice-presidential nominee, without authorization. Images and information from Gov. Palin’s e-mail account first hit the Internet on September 17^th, and began making headlines shortly thereafter. Several websites, including Wikileaks.org and popular blog network Gawker.com, posted screen shots and content from the hacked e-mail account.

Professor Orin S. Kerr, of the George Washington University Law School and the Volokh Conspiracy blog, sees a potential problem with the indictment. He notes that in order to charge the case as a felony, the government must claim Kernell accessed the account “to further criminal or tortuous activity.” According to Kerr, however,

[T]he indictment doesn’t exactly state what the crime or tort is that the intrusion was designed to further. It just states that the intrusion was “in furtherance of the commission of a criminal act in violation of the laws of the United States, including 18 U.S.C. Section 2701 and 18 U.S.C. Section 1030(a)(2)” But Section 2701 and Section 1030 are the intrusion statutes themselves! It makes no sense to allow a felony enhancement for a crime committed in furtherance of the crime itself . . . .

Info/Law draws parallels between this case and the Lori Drew MySpace case.

Professor Paul Ohm, of Colorado Law, believes that the breach of Gov. Palin’s e-mail account will be a “watershed event” in Internet privacy law. He notes that historically, privacy protection legislation follows on the heels of “sensationalized” privacy breaches. Furthermore, he predicts a “fierce First Amendment debate” arising from both Gawker.com and Wikileaks’ involvement in disseminating the hacked e-mail content.

Kernell, the son of a Democratic Tennessee state legislator, plead not guilty on Thursday, October 9^th, and was released without bond. If convicted, he faces up to five years in jail and $250,000 in fines. Trial is set to begin December 16^th.

Mass. Bay Transp. Auth. v. Anderson
D. Mass., August 9th, 2008, No. 08-11364-GAO
Temporary Restraining Order (Hosted by EFF)  

On August 9th, Judge Woodlock of the U.S. District Court, District of Massachusetts granted the Massachusetts Bay Transportation Authority (”MBTA”) a temporary restraining order against Zack Anderson, RJ Ryan, and Alessandro Chiesa, undergraduates at the Massachusetts Institute of Technology (”MIT”). The order “enjoined and restrained” the undergraduates from “providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security” of the MBTA fare system’s CharlieCard and CharlieTicket.  CharlieCards are reusable stored-value cards, which allow Boston subway riders access at ticket terminals by waiving the card over a designated reader. The system operates wirelessly, and allows riders to add money to their cards both at subway terminals and through online accounts. 

Anderson, Ryan and Chiesa reportedly uncovered several vulnerabilities with the MTBA’s CharlieTicket system while doing research for a Computer and Network Security class. Using this research, the students devised a way in which the CharlieCards can be reprogrammed using $200 worth of equipment; theoretically, this method could increase the stored-value on a card   to more than $600.  The students also discovered that the CharlieCards, which store balance and other information internally, can be read using non-MTBA wireless equipment. Furthermore, according to documents on their research, the three had written software capable of generating and analyzing CharlieCards in order to crack the card’s encryption. 

The MIT students were scheduled to present their research at DEFCON, “one of the oldest running hacker conventions around.” It was this presentation which prompted the August 8th complaint filed by the MBTA against Anderson, Ryan and Chiesa and MIT. The complaint alleges that the students

“(i) claim to have circumvented the security features of the MBTA’s computerized CharlieTicket and CharlieCard fare media systems; (ii) publicly offered ‘free subway rides for life‘ to interested parties over the Internet; and (iii) plan to allow others to duplicate their claimed ‘breaking’ of the Fare Media’s security systems by presenting a paper, releasing software tools, and giving demonstrations at the DEFCON hackers convention this Sunday, August 10, in Las Vegas.”

The complaint further alleges that the students did not provide information regarding how they circumvented the security system to the MBTA and that public dissemination of the information before the MBTA has had an opportunity to correct the flaws will cause “significant damage to the MBTA’s transit system.”  

The MIT Tech covers the story, noting that while  the presentation at DEFCON was cancelled, the presentation slides and confidential vulnerability report the students wrote for the MBTA “are widely available online.” The Tech further reports that the students are being represented by the Electronic Frontier Foundation (EFF) and not by MIT’s lawyers.

In an August 9th press release, the EFF called the restraining order a violation of the students’ “First Amendment right to discuss their important research” and “blatantly unconstitutional.” According to the release, the students had planned to withhold a “key detail” of their results so that their research could not be used for malicious purposes.

A fact sheet released by the MBTA Press Office states 

“The MBTA does not wish to detract from the MIT Undergrads First Amendment Rights or academic freedom. The principle that the MBTA seeks to enforce here is the principle of ‘responsible disclosure.’”

The MBTA describes “responsible disclosure” as an “industry accepted practice” where, when a computer security vulnerability is discovered, the vendor of the vulnerable system is first informed of the vulnerability and then given an opportunity to repair the vulnerability before the information is made public.

The MBTA fact sheet is available via the MIT Tech here, along with all court documents and the slides from the students’ presentation. 

Parallel hosting of relevant documents by EFF available here.

Update: 

Upon review before the district court on August 14th, Judge O’Toole left the restraining order in place, and ordered Anderson, Ryan and Chisea to turn over additional documents to help the court evaluate whether the students could discuss their research publicly. The court continued the scheduled hearing until Tuesday, August 19th in order to consider this new information. 

The Boston Globe reports on the case, including comments by both parties as well as background on the CharlieCard system.