Updates and commentary on the “worst law in technology.” The CFAA is a federal civil and criminal statute (18 U.S.C. § 1030) that prohibits unauthorized access or damage to a computer. Whatever that means. We litigate civil and criminal CFAA cases nationally.
A Cease and Desist Letter Must Specifically Revoke Access to Support a Claim for CFAA Unauthorized Access
On January 31, 2018, in Ticketmaster LLC v. Prestige Entertainment, a federal court in California, dismissed Ticketmaster’s civil CFAA claim against ticket scalpers who used bots to bulk-purchase tickets from Ticketmaster and then resold them at a premium. For some shows, the defendants were buying 30-40% of the available tickets. The court dismissed Ticketmaster’s CFAA claim because its Cease and Desist letter did not explicitly revoke access to its website.
The Takeaway: When sending a Cease and Desist letter to someone you don’t want on your system, explicitly revoke their access or reiterate clearly that they were never authorized to access your system in the first place. A carefully crafted sentence or two may preserve a civil CFAA claim past the motion to dismiss stage and gain you settlement leverage as you head toward summary judgment or trial.
We’re Not Holding our Breath for CFAA Reform
There’s always talk of attempting to reform the notoriously murky CFAA to restrict the leeway it gives the FBI and prosecutors to charge relatively harmless computer behavior as felonies. A recent example of proposed progressive reform was “Aaron’s Law,” a proposed set of amendments to the CFAA named for computer pioneer Aaron Swartz, who committed suicide in the face of a ridiculously draconian federal prosecution for copying academic articles. Aaron’s Law went nowhere. More often than not, proposed CFAA ‘reform” is regressive in that in involves the Department of Justice seeking increased penalties and prosecutorial latitude. The justification for the regressive proposals aren’t based on any clear theory as much as a paranoid zeal to discipline and punish all things perceived as hacking.
Naturally, the current state of the CFAA has chilled the willingness of members of the information security community to report privacy violations and bugs for fear of criminal prosecution. We regularly receive inquiries from information security researchers as to whether some standard practice they are engaged in might be illegal. Usually we have to answer yes. One of our clients was even raided by the FBI after he responsibly disclosed that a company left thousands of unencrypted, unsecured medical records on a public FTP server. The company was embarrassed by the disclosure and accused the infosec researcher of hacking, even though he simply came across the data on the open internet. (Remember that the FBI almost always believes corporations over individuals.) After a year long Kafkaesque nightmare, and two superseding indictments culminating in 5 felony counts, we obtained a misdemeanor plea for our client. We’ve had other clients go through similar experiences.
The Takeaway: Information Security researchers and others (we’re talking to you too, financial services data scrapers and information aggregators) should be legitimately concerned that what they consider routine computer behavior might expose them to felony liability.
Bonus Takeaway: If the FBI does come to your door, don’t try and talk your way out of it. Everyone always tries, and it’s almost always a disaster. It’s a natural impulse and the FBI and other law enforcement officers are trained to exploit it. If you’re getting a visit from the FBI, things are serious, and if you think innocent people don’t get arrested and thrown in jail you’re naive. It’s such a headache for a defense lawyer to deal with all the inadvertently careless things that get said when someone is protesting their innocence to the FBI that we’re thinking about charging extra for cases where people blab to the FBI and giving a discount to those cases where people didn’t. Just kidding. Sort of.
Computer Crime & Procedure
Non-CFAA Computer Crime. You know, identity theft, access device fraud, cyberstalking, internet speech, and the like. It’s the wild wild west out there, and we’ve seen some weird stuff.
On February 21, 2018,I the Third Circuit Federal Court of Appeals issued its opinion in U.S. v. Werdene. In it, the Third Circuit upheld the conviction of a child pornographer even though the FBI violated the Fourth Amendment during its investigation. The court held that the FBI’s use of a “Network Investigative Technique” (NIT) under Federal Criminal Rule of Procedure 41 to catch the child pornographer violated the Fourth Amendment’s search and seizure clause. But the court further held that it didn’t matter because it was a good faith violation and the exclusionary rule didn’t apply. Thus, there would be no suppression of the evidence. For those of you playing the Fourth Amendment home game, the “good faith” violation doctrine is the exception that usually swallows the exclusionary rule. But it is somewhat significant that the Third Circuit held, joining other circuits, that the use of NITs can constitute a Fourth Amendment violation.
NITs, essentially surveillance malware, are widely used by the FBI. A recent change to Federal Rule of Criminal Procedure 41 allows the FBI to install NITs on computers of people who’ve committed no crime, as long as a judge signs off on it. For instance, if a computer, unbeknown to the owner, is infected with a botnet that is used in a DDOS attack, the FBI could theoretically install a NIT on that computer under Rule 41 without the innocent computer owner’s knowledge. But since the FBI has never abused its surveillance powers there probably is little to worry about on this point. We digress.
In Werdene, the FBI NIT would download itself onto the computer of anyone logging on to the notorious child pornography website “Playpen.” The NIT would then transmit identifying information back to the FBI, thus foiling common tools used to mask ones identity on the internet like the Tor browser (no relation). The FBI got into the child pornography business by controversially operating Playpen for a short time after lawfully seizing it based on information provided by “foreign law enforcement.”
In a pretrial suppression motion, Werdene challenged the search warrant that authorized the NIT. He essentially argued that the magistrate judge who issued the warrant wasn’t authorized under Rule 41 because the judge was in Virginia and Werdene was in Pennsylvania. The trial court held that there was no Fourth Amendment violation because the Rule 41 violation was “technical” and denied the suppression motion. Werdene then pled guilty while reserving his right to appeal. That’s a fairly standard procedural move.
The Third Circuit, in a technical analysis worth reading for the summary if you’re a Fourth Amendment geek, affirmed the trial court, but on different grounds. The court held that there was a Fourth Amendment violation because Rule 41 did not allow for extraterritorial warrants. But then it held that the violation didn’t matter because it was done in good faith. Basically, everything was OK because law enforcement didn’t intentionally violate the Fourth Amendment. It was the Magistrate who violated the Fourth Amendment by issuing the warrant improperly. This ignores the pragmatic reality that Magistrate Judges largely rubber stamp warrant applications brought to them by the FBI because there rarely are consequences for it. But that’s a discussion for another day.
The Takeaway: If you are one of the millions of people who are unknowingly hosting a malicious bot on your computer system, you may also be hosting FBI surveillance software. Also, child pornography is ruining Fourth Amendment law because everyone justifiably hates child pornography. So the courts go out of their way to find exceptions to the exclusionary rule in child porn cases that end up eroding our Fourth Amendment rights in general.
BitCoin, Virtual Currencies, and ICOs
The government doesn’t like it when you disrupt their control over money and the markets.
The Treasury Decides Your ICO May be a Felony. Maybe.
In February, the Treasury Department sent a letter to Senator Ron Wyden stating that under certain circumstances the sale or purchase of virtual currencies may be a felony. In the letter, Treasury said that the sale of virtual currencies or tokens in Intial Coin Offerings (ICO’s) may be subject to Treasury regulations- specifically anti-money laundering laws that require registration as a money transmitter. Failure to do so may constitute a felony, depending on the circumstances.
The Takeaway: Proceed with extreme caution when dealing with ICO’s and virtual currencies as you stand a real risk of criminal liability. As the popularity of virtual currencies and ICOs increase, the regulatory noose tightens.
Intellectual Property Law
That’s My Idea!
Can You Register a Trademark WIth the Word FUCK? Should You?
On December 15, 2017, The Court of Appeals for the Federal Circuit held that the United States Patent Trademark Office cannot bar registration of the FUCT trademark on the basis that is “immoral” or “scandalous”. In in re Brunetti, the court held that the statutory bar to registration of immoral and scandalous marks violates the First Amendment.
The decision was unsurprising, given that the Supreme Court held last year that the bar on registration for trademarks “disparaging” to other persons is unconstitutional. That decision, Matal v. Tam, involved an Asian-American rock band called the Slants who adopted a racial slur as it name, to reclaim it. When the USPTO denied a band member’s application to register the trademark, he was denied under Section 2(a) of the federal Lanham Act, which prohibits registration of trademarks that, among other things, are “immoral, deceptive, or scandalous” or “which may disparage or falsely suggest a connection with persons, living or dead, institutions, beliefs, or national symbols, or bring them into contempt, or disrepute.” This is the law that Native Americans activists invoked to cancel registration of the trademark of Washington DC’s NFL team. As a result of the Supreme Court’s decision, that challenge is essentially over and the NFL will keep its trademark registration.
Because the Supreme Court ruled only on the “disparaging” clause of Section 2(a), the issue of whether other provisions of the statute were constitutional remains open. Nevertheless, Matal v. Tam triggered a big rush to the Trademark Office for applicants seeking to register trademarks containing NSFW words. These applications were temporarily suspended as “immoral” or “scandalous” pending the decision in In Re Brunetti. Following that decision, it was expected that the USPTO will let these applications proceed – or, more accurately, not let Section 2(a) get in the way. Instead, the applications are still in f*cking limbo, because the USPTO is seeking a rehearing.
Even if the FUCT trademark prevails and it can be registered, does this mean it’s a good idea to seek registration of an offensive trademark? Not necessarily.
The Supreme Court’s decision means that the USPTO cannot prevent registration of these trademarks solely on the basis that they disparage other persons. But the Supreme Court didn’t create a market for them. Registrability is hardly the best indication of a trademark’s value, and cannot create a demand that otherwise did not exist. Moreover, trademarks are of no value if they aren’t in use for the goods and services for which are claimed. In fact, the USPTO will only register trademarks after the applicant demonstrates that the trademarks are used in commerce for the goods and services applied for. Many of these applicants, quite frankly, haven’t carefully considered what their plans are for use.
The purpose of a trademark is to create a connection between that trademark and the goods or services that you offer. The strength of your trademark depends in large part on how great that connection is in consumers’ minds. Registration of your trademark provides numerous advantages, particular with enforcement, but it won’t create that connection. Moreover, trademark registration doesn’t mean you “own” a word or phrase or purposes. You can’t have a trademark without goods or services. If there’s nothing more than an idea for a trademark, without a plan to provide a good service, then it might not be a plan at all.
I’m getting asked a lot of questions about the Assange indictment because it involves the Computer Fraud and Abuse Act. And extradition. Two things we’ve got some experience with through representing Lauri Love and others.