A crimeless victim

 Analysis/commentary, Criminal IP Enforcement  No Responses »
Jun 172013
 

Many posts here talk about laws criminalizing technology use and development. But what happens when there is no law criminalizing that use or development, but it is nonetheless prosecuted? We are seeing that happen in California with state Attorney General Kamala Harris proudly crowing about the arrest and indictment of three brothers for “conspiracy,” “receiving stolen property,” and “grand theft” as a result of running a website that allegedly allowed users to watch movies and TV shows. The only problem: there is no law in California empowering Harris to prosecute any of what she claims the brothers did. There is no law anywhere that does.

True, California has laws on the books regarding conspiracy, receiving stolen property, and grand theft, but they still don’t enable this prosecution, and a big reason for that is because nothing was actually stolen. It is always a mistake to use the word “theft” to describe what is at most copyright infringement. Theft is a word best left to the actual deprivation of tangible things, not non-rivalrous goods like digital works that, even when “stolen,” are never actually taken away from anyone.

But even if we were to describe the making infringing copies of digital works as “theft,” only federal law can speak to the consequences of having made (or enabled the making of) these infringing copies. This is because the federal law is not actually designating something as property, of the sort which could then be stolen, but instead is granting a series of exclusive rights recognized under federal law that could potentially be infringed, as defined by that same federal law. With only a few narrow exceptions inapplicable here, the establishment, reach, and protection of these rights falls entirely within the purview of the federal government to both establish and enforce, and, moreover, that same federal law explicitly pre-empts any attempts by the states to do the same.

As attorney general, Harris is charged with enforcing California’s laws, but her enforcement powers are inherently limited to those laws. She has no power to make up laws not put on the books by the California legislature (either because it didn’t, or, as discussed above vis a vis pre-emption, because it constitutionally couldn’t) and then go out and enforce them. But that’s what she’s done here. She might as well have arrested these two men for breathing, which there’s no law in California prohibiting either. Despite there being no law for her to enforce, she nonetheless had these people arrested, seized their actual, tangible property, destroyed their business in a way arguably no law, but especially not California law, would permit, and upended their lives and the lives of their families by throwing them into this Kafkaesque prosecutorial nightmare. What makes it so especially troubling was that even if these brothers had sought counsel from qualified attorneys before engaging in the acts for which they are now being prosecuted, no attorney would ever have been able to have advised them of such prosecution ever being a risk. The criminality Harris is pursuing is born entirely of her imagination, not through the legislative machinations of our representative democracy, thereby leading to a state of affairs that is incompatible with the notions of due process and fair play our system of justice is supposed to preserve.

Even more unseemly, her press release openly admits to her having pursued these men in conjunction with and at the behest of the Motion Picture Association of American (MPAA), thus making her wrongful exercise of prosecutorial power even more abusive. If what these men were doing were truly wrongful as recognized by copyright law, the MPAA was fully capable of seeking the civil remedy for this potential wrongfulness that copyright law allowed. It did not need to wield the enormous power of the state against these people, and it was chillingly inappropriate for them to have attempted it and even more chillingly appropriate for the state to have allowed it. Yes, there are certain situations where we do allow private injuries to be pursued and punished by state organs (see, e.g., actual theft of actual property) but copyright infringement has never, for very good historical and policy reasons, been one of those alleged injuries where we left it to the government to seek redress, except in very narrow circumstances. And even then, the power to prosecute was left to the federal prosecutors, not every politically ambitious state attorney general eager to score points with future campaign funders rather than adhere to her constitutional limits with a power-grabbing act ultimately more harmful to society than anything alleged to have happened here.

A shielding law (cross-post)

 Analysis/commentary, Judicial process, Privacy from government, Regulating speech  No Responses »
Jun 162013
 

While originally I intended this blog to focus only on issues where cyberlaw collided with criminal law, I’ve come to realize that this sort of analysis is advanced by discussion of the underlying issues separately, even when they don’t implicate either criminal law or even technology. For example, discussions about how copyright infringement is being criminally prosecuted is aided by discussion on copyright policy generally. Similarly, discussions about shield laws for bloggers are advanced by discussions of shield laws generally, so I’ve decided to import one I wrote recently on my personal blog for readers of this one:

Both Ken @ Popehat and “Gideon” at his blog have posts on the position reporter Jana Winter finds herself in. To briefly summarize, the contents of the diary of the alleged Aurora, CO, shooter ended up in her possession, ostensibly given to her by a law enforcement officer with access to it and in violation of judicial orders forbidding its disclosure. She then reported on those contents. She is not in trouble for having done the reporting; the problem is, the investigation into who broke the law by providing the information to her in the first place has reached an apparent dead end, and thus the judge in the case wants to compel her, under penalty of contempt that might include jailing, to disclose the source who provided it, despite her having promised to protect the source’s identity.

In his post Gideon make a compelling case for the due process issues at stake here. What’s especially notable about this situation is that the investigation isn’t just an investigation into some general wrongdoing; it’s wrongdoing by police that threatens to compromise the accused’s right to a fair trial. However you might feel about him and the crimes for which he’s charged, the very fact that you might have such strong feelings is exactly why the court was motivated to impose a gag order preventing the disclosure of such sensitive information: to attempt to preserve an unbiased jury who could judge him fairly, a right he is entitled to by the Constitution, irrespective of his ultimate innocence or guilt, which the police have no business trying to undermine.

Ken goes even further, noting the incredible danger to everyone when police and journalists become too chummy, as perhaps happened in the case here. Police power is power, and left unchecked it can often become tyrannically abusive. Journalists are supposed to help be that check, and when they are not, when they become little but the PR arm for the police, we are all less safe from the inherent danger that police power poses.

But that is why, as Ken and Gideon wrestle with the values of the First Amendment versus the values of the Fifth and Sixth the answer MUST resolve in favor of the First. There is no way to split the baby such that we can vindicate the latter interests here while not inadvertently jeopardizing these and other important interests further in the future. Continue reading »

Pervasive surveillance

 Analysis/commentary, Privacy from government  No Responses »
May 142013
 

This specific blog post has been prompted by news that the Department of Justice had subpoenaed the phone records of the Associated Press. Many are concerned about this news for many reasons, not the least of which being that this revelation suggests that, at minimum, the Department of Justice violated many of its own rules in how it did so (ie, it should have reported the existence of the subpoena within 45 days, maybe 90 on the outside, but here it seems to have delayed a year). The subpoena of the phone records of a news organization also threatens to chill newsgathering generally, for what sources would want to speak to a reporter if the government could be presumed to know that these communications had been taking place? For reasons discussed in the context of shield laws, reporters can’t do their information-gathering-and-sharing job if the people they get their information from are too frightened to share it. Even if one were to think that in some situations loose lips do indeed sink ships and it’s sometimes bad for people to share information, there’s no way the law can differentiate which situations are bad and which are good presumptively or prospectively. In order to for the good situations to happen – for journalists to help serve as a check on power — the law needs to give them a free hand to discover the information they need to do that.

But the above discussion is largely tangential to the point of this post. The biggest problem with the story of the subpoena is not *that* it happened but that, for all intents and purposes, it *could* happen, and not just because of how it affected the targeted journalists but because of how it would affect anyone subject to a similar subpoena for any reason. Subpoenas are not search warrants, where a neutral arbiter ensures that the government has a proper reason to access the information it seeks. Subpoenas are simply the form by which the government demands the information it wants, and as long as the government only has to face what amounts to a clerical hurdle to get these sorts of communications records there are simply not enough legal barriers to protect the privacy of the people who made them. Continue reading »

Deal v. Spears

 Analysis/commentary, Privacy from government, Privacy from private parties  1 Response »
May 132013
 

One of the cases I came across when I was writing an article about Internet surveillance was Deal v. Spears, 980 F. 2d 1153 (8th Cir. 1992), a case involving the interception of phone calls that was arguably prohibited by the Wiretap Act (18 U.S.C. § 2511 et seq.). The Wiretap Act, for some context, is a 1968 statute that applied Fourth Amendment privacy values to telephones, and in a way that prohibited both the government and private parties from intercepting the contents of conversations taking place through the telephone network. That prohibition is fairly strong: while there are certain types of interceptions that are exempted from it, these exemptions have not necessarily been interpreted generously, and Deal v. Spears was one of those cases where the interception was found to have run afoul of the prohibition.

It’s an interesting case for several reasons, one being that it upheld the privacy rights of an apparent bad actor (of course, so does the Fourth Amendment generally). In this case the defendants owned a store that employed the plaintiff, whom the defendants strongly suspected – potentially correctly – was stealing from them. In order to catch the plaintiff in the act, the defendants availed themselves of the phone extension in their adjacent house to intercept the calls the plaintiff made on the store’s business line to further her crimes. Ostensibly such an interception could be exempted by the Wiretap Act: the business extension exemption generally allows for business proprietors to listen in to calls made in the ordinary course of business. (See 18 U.S.C. § 2510(5)(a)(i)). But here the defendants didn’t just listen in to business calls; they recorded *all* calls that the plaintiff made, regardless of whether they related to the business or not, and, by virtue of being automatically recorded, without the telltale “click” one hears when an actual phone extension is picked up, thereby putting the callers on notice that someone is listening in. This silent, pervasive monitoring of the contents of all communications put the monitoring well-beyond the statutory exception that might otherwise have permitted a more limited interception.

[T]he [defendants] recorded twenty-two hours of calls, and […] listened to all of them without regard to their relation to his business interests. Granted, [plaintiff] might have mentioned the burglary at any time during the conversations, but we do not believe that the [defendants'] suspicions justified the extent of the intrusion.

For a similar view, see US v. Jones, 542 F. 2d 661 (6th Cir. 1976):

[T]here is a vast difference between overhearing someone on an extension and installing an electronic listening device to monitor all incoming and outgoing telephone calls.

And so the defendants, hapless victims though they seemed to have been in their own right, were found to have violated the Wiretap Act.

But Deal v. Spears is a telephone case, and telephone cases are fairly straight forward. The statutory language clearly reaches the contents of those communications made with that technology, and all that’s really been left for courts to decide is how broad to construe the few exemptions the statute articulates. What has been much harder is figuring out how to extend the Wiretap Act’s prohibitions against surveillance to those communications made via other technologies (ie, the Internet), or to aspects of those communications that seem to apply more to how they should be routed than their underlying message. However privacy interests are privacy interests, and no amount of legal hairsplitting alleviates the harm that can result when any identifiable aspect of someone’s communications can be surveilled. There is a lot that the Wiretap Act, both in terms of its statutory history and subsequent case law, can teach us about surveillance policy, and we would be foolish not to heed those lessons.

More on them later.

Prenda Law and the CFAA

 Analysis/commentary, Unauthorized access  1 Response »
Apr 112013
 

The Computer Fraud and Abuse Act is no stranger to these pages.  The tragic suicide of Aaron Swartz at the beginning of the year following the relentless pursuit of the Department of Justice against him for his downloading of the JSTOR archive has galvanized a reform movement to overhaul – or at least ameliorate – some of the most troublesome provisions of the CFAA.

One such provision can be found at 18 U.S.C. § 1030(g), which creates a civil cause of action for a party claiming to be aggrieved by the purported wrongdoings described in subsection (a).  While civil causes of action are generally beyond the scope of this blog, having a civil cause of action buried in a statute designed to enable criminal prosecutions can be problematic for defendants facing the latter because the civil litigation, as it explores the contours of the statute and its internal definitions, tends to leave in its wake precedent that prosecutors can later use.  Which is unfortunate, because how the statute may be interpreted in a civil context – which inherently can only reflect the particular dynamics of the particular civil dispute between these particular private parties – reshapes how the statute will be interpreted in a criminal context.  Especially with a law like the CFAA, whose language always tempts excessive application, these civil precedents can vastly expand the government’s prosecutorial power over people’s technology use, and easily in a way Congress never intended.  One should also never presume that the outcome of a civil dispute correlates to a result that is truly fair and just; miscarriages of justice happen all the time, often simply because it is often so difficult and expensive to properly defend against a lawsuit, especially one asserting a claim from such an imprecisely-drafted and overly broad statute like the CFAA.

The reality is that plaintiffs often abuse the judicial process to bully defendants, and that brings us to the second subject of this post, Prenda Law, which is currently being exposed, judicially and publicly  as one of the biggest bullies on the block.  But why should we care here?  Because although Prenda has most notoriously exploited the Copyright Act for its legal attacks, it has also showed itself ready, willing, and able to abuse the easily-abusable CFAA in order to enrich itself as well. Continue reading »

Follow, not lead

 Analysis/commentary, Intermediary liability, Privacy from government, Privacy from private parties, Unauthorized access  No Responses »
Feb 202013
 

At an event on CFAA reform last night I heard Brewster Kahle say what to my ears sounded like, “Law that follows technology tends to be ok. Law that tries to lead it is not.”

His comment came after an earlier tweet I’d made:

I think we need a per se rule that any law governing technology that was enacted more than 10 years ago is inherently invalid.

In posting that tweet I was thinking about two horrible laws in particular, the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA). The former attempts to forbid “hacking,” and the second ostensibly tried to update 1968’s Wiretap Act to cover information technology. In both instances the laws as drafted generally incorporated the attitude that technology as understood then would be the technology the world would have forever hence, a prediction that has obviously been false. But we are nonetheless left with laws like these on the books, laws that hobble further innovation by how they’ve enshrined in our legal code what is right and wrong when it comes to our computer code, as we understood it in 1986, regardless of whether, if considered afresh and applied to today’s technology, we would still think so.

To my tweet a friend did challenge me, however, “What about Section 230? (47 U.S.C. § 230).” This is a law from 1996, and he has a point. Section 230 is a piece of legislation that largely immunizes Internet service providers for liability in content posted on their systems by their users – and let’s face it: the very operational essence of the Internet is all about people posting content on other people’s systems. However, unlike the CFAA and ECPA, Section 230 has enabled technology to flourish, mostly by purposefully getting the law itself out of the way of the technology.

The above are just a few examples of some laws that have either served technology well – or served to hamper it. There are certainly more, and some laws might ultimately do a bit of both. But the general point is sound: law that is too specific is often too stifling. Innovation needs to be able to happen however it needs to, without undue hindrance caused by legislators who could not even begin to imagine what that innovation might look like so many years before. After all, if they could imagine it then, it would not be so innovative now.

Copyright history reading list

 Analysis/commentary, Criminal IP Enforcement  No Responses »
Feb 182013
 

It’s become clear that I will need to talk more about copyright policy in general on these pages, even if in a not-particularly-criminal-law context.  As we evaluate criminalizing acts involving technology that cause “harm,” and since some of that notion of harm is predicated on our notion of copyright, it’s important that we truly understand where the concept of copyright comes from and what policy objective it is supposed to achieve.  Particularly because it’s a fair question as to whether modern copyright law still achieves those objectives, or instead potentially represents its own harm. Continue reading »

More like trespass than theft

 Analysis/commentary, Criminal IP Enforcement, Intermediary liability  No Responses »
Feb 092013
 

The following case, Twentieth Century Fox v. Harris, is not a criminal matter.  But I want to include it here nonetheless in part because it’s important to talk about copyright policy generally, particularly given the increasing trend for it to be criminalized.  And partly because, in this case, hardly two weeks after I asserted that copyright infringement analogized more to trespass than to theft, a court independently reached the same conclusion. Continue reading »

The Knowledge Gap

 Analysis/commentary, Other regulation  No Responses »
Feb 082013
 

This article on TechDirt summarizes a recent brouhaha that recently broke out in a corner of the Internet I tend to haunt with other lawyers and cyberlaw professionals and has started to percolate into the mainstream.  The upshot is that someone is upset that other people have reposted her tweets without her permission and control, and she is convinced this is legally wrongful.  So convinced is she, in fact, that she keeps threatening to sue a number of them who have used these tweets to comment on her erroneous legal theory, which only stokes further interest in criticizing her as even more observers come to note that the law is not, in fact, on her side.  (TechDirt’s analysis does a decent job explaining why.)

It is easy to be tempted to join in the mocking of this person’s very public tantrums, and to be sure, threatening litigation is not to be taken lightly.  Doing so, particularly when cloaked in legal ignorance, is ripe for justifiable criticism.

But while the exhibition of personal arrogance begs the schadenfreude of public censure, the underlying problem it can reveal is not.  The reality is that for me and my cyberlaw peers, we are so inured to how this area of law “works” (to the extent that it does) we tend to forget how foreign it is to most laypeople (and even many other lawyers), for whom its mystical mechanations can be really terrifying.  This sort of knowledge gap isn’t good for anyone.  That’s how we end up with bad law.

The answer naturally cannot be to modify the law to fit its common misperceptions.  Sometimes the law is what it is for very good reasons, or at least reasons that cannot simply be discounted, even if those reasons aren’t intuitively obvious to a layperson.  We can’t use common misapprehensions as the pillars upon which law should be based.  In fact, when we have done so in recent years, often in response to technology (another complex system that can be scary to those who don’t understand it), the end result has been law that so overreacts that it creates more problems while failing to properly solve any.

At the same time, however, rather than mocking those who don’t understand the law, those who do understand it should be endeavoring to explain it.  Let’s get everyone on the same page to understand how law works and why, so we can all work together to fix it when it doesn’t.  After all, in a democracy law should belong to everyone, not just the rarified few specially trained to understand it.

Of course, the above sympathetic sentiment is directed at those who would be willing to learn.  It’s not a moral failing to not know everything about the law, but it is to not care whether one does or not before proceeding with bumptious legal threats or dangerously inapt policy advocacy.  Those who would seek to use the law as a weapon without bothering to learn how it operates are justly entitled to whatever chastisement they get.

The illegality of unlocking your cell phone (and more)

 Analysis/commentary, Criminal IP Enforcement, Unauthorized access  No Responses »
Jan 292013
 

In 1998 the Digital Millennium Copyright Act amended U.S. copyright law in a few key ways.  Of most relevance here is the additions it made to 17 U.S.C. §§1201 et seq., which includes the provision:

“No person shall circumvent a technological measure that effectively controls access to a work protected under this title.”  §1201(a)(1)(A)

If one does, they can be liable for damages, §1203(c), or, more saliently for this blog, fines of $500,000 and/or 5 years imprisonment for the first offense and $1,000,000 and/or 10 years for subsequent ones.  §1204(a).

The question here is, why?

Continue reading »

 Older Entries