Computer Fraud and Abuse Act
Updates and commentary on the “worst law in technology.” The CFAA is a federal civil and criminal statute (18 U.S.C. § 1030) that prohibits unauthorized access or damage to a computer. Whatever that means. We litigate civil and criminal CFAA cases nationally.
In a First, a Federal Court Holds that There’s a First Amendment Right to Access Information on the Internet
On March 30, 2018, in what appears to be a first, a federal court in Washington, D.C. allowed a pre-enforcement “as applied” First Amendment challenge against the CFAA’s unauthorized access provision in 18 U.S.C. § 1030(a)(2)(C) to proceed past the motion to dismiss stage.
On behalf of a group of university computer researchers, the flag burning hippies at the ACLU filed the suit against Attorney General Jefferson Beauregard Sessions. They argued that the CFAA chilled the researchers’ speech because it criminalizes legitimate computer research. It was a “pre-enforcement” lawsuit because the Department of Justice (DOJ) hasn’t yet prosecuted the researchers for anything. But, the researchers argued, they worried that the DOJ might prosecute them under the CFAA for computer research that involved data scraping done for legitimate research purposes.
In a nutshell, the researchers claimed a First Amendment right to scrape data manually, and with bots, from websites in order to publish public interest research. An example would be scraping data from a real estate site to show discriminatory behavior in violation of federal law. The researchers argued that the CFAA’s criminal prohibition against unauthorized access chilled their ability to access this information and speak publicly about it.
The DOJ moved to dismiss, essentially arguing that the researchers couldn’t legitimately bring the suit because: (1) They hadn’t been arrested; (2) The First Amendment only applies to government actors and not private websites; and (3) There is no First Amendment right of special access to information.
The court disagreed with the government. It did dismiss the researchers’ other claims but not their “as applied” First Amendment challenge to the CFAA’s unauthorized access provision in 18 U.S.C. § 1030(a)(2)(C). In essence, the court held that at this early stage of the litigation, the researchers had made a plausible claim that “as applied” to their particular situation, the CFAA violated their First Amendment rights because it potentially criminalized access to information on the internet that the researchers had a right to access.
This holding could change as the litigation develops, but it’s significant because it appears to be the first time a court has held, in the criminal context, that there’s a First Amendment right to access information on the internet. This could be a piffle, or it could open the flood gates to First Amendment defenses to criminal prosecutions under the CFAA. We will be monitoring this case closely and will keep you posted.
When faced with a CFAA unauthorized access charge, seriously consider a First Amendment challenge.
CITATION: Sandvig v. Sessions, Civ. No. 16–1368 (JDB), 2018 WL 1568881 (D.D.C. March 30, 2018).
In more mundane CFAA news
Potential Class Action Claim that HP violated the CFAA by Disabling Third Party Ink Cartridges through Firmware Update Survives a Motion to Dismiss
On March 29, 2018, a federal court in the Northern District of California denied HP’s Motion to Dismiss an 18 U.S.C. § 1030(a)(5)(A) CFAA claim against HP. Plaintiffs alleged that HP’s auto-installing firmware update disabled third party ink cartridges the plaintiffs were using on their HP printers. Section 1030(a)(5)(A) prohibits, and we paraphrase, knowing transmission of a code the resulting conduct of which intentionally damages a computer. Damage under the CFAA is defined as, and again we paraphrase, any impairment to the integrity or availability of the data. Because this definition arguably includes a firmware update that changes hardware functionality, the court allowed the claim to proceed. Helpfully for plaintiffs, when they tried to use the third party cartridges, the HP firmware update posted a message on the printer’s screen saying that the cartridges were “damaged.” The court also upheld a similar claim under California State Penal Code § 502. Kudos to the plaintiffs’ bar for this creative use of the CFAA. We look forward to future developments in this case.
Be careful what your software update does to your client’s computer. HP’s troubles could have been avoided with a little front end legal engineering. Instead, they’re paying on the back end.
CITATION: Richard San Miguel, et al., v. HP INC., No. 5:16-CV-05820-EJD, 2018 WL 1536766 (N.D. Ca., Mar. 29, 2018)
CFAA Counter-Claim Dismissed for Failure to Properly Plead Computer was a “Protected Computer.”
On March 29, 2018, a federal court in the Eastern District of Pennsylvania dismissed a defendant’s civil CFAA counterclaim, with prejudice, for failing to properly plead that the computer in question was a “Protected Computer” in interstate commerce. This reflects the Third Circuit’s practice of requiring more than a recitation of the CFAA’s definition of a “Protected Computer” in a complaint in order to survive a Motion to Dismiss under Twombly and Iqbal.
You just can’t phone in a CFAA complaint. Usually, a “protected computer” is a gimme, but this just shows that making assumptions can be dangerous in legal pleadings.
CITATION: Christina v. Lannett Co., Inc., No. 16-963 (CDJ), 2018 WL 1536766 (E.D. Pa., March 29, 2018).
The State of Georgia Passes Controversial Unauthorized Access Bill
On March 29, 2018, the Georgia General Assembly passed a bill making it a crime to intentionally access a computer knowing your access is unauthorized. The bill was passed in response to a security researcher discovering cyber security flaws with state voting machines. Prior to this, Georgia was one of two states that didn’t yet have a CFAA analog of some kind on their books. The bill has yet to be signed by the governor, and is receiving significant criticism from the information security community because of its potential impact on legitimate information security research. It has always been our position that you cannot secure the internet through criminal law.
Computer Crime & Procedure
Non-CFAA Computer Crime. You know, identity theft, access device fraud, cyberstalking, internet speech, and the like. It’s the wild wild west out there, and we’ve seen some weird stuff.
VICTORY! FROM FIVE FELONY COUNTS DOWN TO A MISDEMEANOR
On March 22, 2018, after a year-long ordeal at the hands of the FBI and DOJ which culminated in a five felony count indictment for cyberstalking and threatening an FBI agent, our client Justin Shafer walked out of Federal Court in Dallas a free man. Mr. Shafer accepted a misdemeanor plea deal with no jail time after the Judge in the case told the government, two weeks before trial, that (we paraphrase without the transcript in front of us) “perhaps you should seek a non-criminal disposition to the case.” The judge said this after reading our Motion to Dismiss on First Amendment and other grounds arguing that it was an abusive and misguided prosecution.
Shout-out to local counsel Jay Cohen of Blass Law PLLC in Houston for his excellent work on the case.
See the Dallas Morning News article for the details.
Even when the law is on your side, the government can still make your life a living hell until justice prevails, if it ever does.
Cybersecurity and Data Breaches
The onslaught of ransomware and data breaches continues. We have trouble keeping up. In our experience, most of the problems involving cyber security and data breaches are behavioral rather than technical. Behavioral mistakes like failure to routinely update software, failure to take a multilayered approach to cyber-security, flat-footed responses due to a lack of planning, and finger-pointing.
Atlanta has spent the last couple of weeks recovering from a ransomware attack that could have been avoided by routine updates.
Rotten to the Core
Roughly 5 million Android phones may be preinstalled with malware. Here’s a link for info and how to check to see if your Android phone is infected.
Business Data Breaches
leaked customer data in plain text for months until it was pointed out to them. And even then, they didn’t take it seriously at first.
Saks Fifth Avenue got hacked by a sophisticated, professional hacking crew that made off with about 5 million credit and debit card numbers. The hackers installed surveillance malware on Saks’ card readers to pull off their heist.
T-Mobile Austria admitted on social media that it stores at least part, possibly all, of its user passwords in plaintext, justifying that terrible policy with claims their security is “amazingly good.” LOL! Information security researchers were quick to point out that claim was inaccurate.
Grindr stopped sharing its users’ HIV status, phone IDs, and other data with two analytics companies after its practice was exposed.
And everyone already knows about the Facebook and Cambridge Analytica data scandal. All we have to say about that is this:
BitCoin, Virtual Currencies, and ICOs
The government doesn’t like it when you disrupt their control over money and the markets.
Court Upholds CFTC’s Power to Regulate Virtual Currencies as a Commodity
On March 6, 2018, the legendary Senior District Judge Jack B. Weinstein held that the Commodity Futures Trading Commission is within its powers to regulate BitCoin as a commodity.
The days of the wild west when it comes to virtual currencies are over. The government has arrived at the party, so party on at your own risk.
CITATION: CFTC v. McDonnell, No. 18-CV-361-JBW, 2018 WL 1175156 (E.D.N.Y., March 6, 2019)
Intellectual Property Law
That’s My Idea!
Copyright, “Fair Use” and Computer Code
On Monday, March 27, 2018, the Court of Appeals for the Federal Circuit overruled a federal jury’s decision in an important software copyright case. Oracle had sued Google for, among other things, copyright infringement for Google’s use of Java APIs in Google’s Android OS. At trial, the jury found in Google’s favor by finding Google’s utilization of Oracle’s Java APIs was “fair use.” The Court of Appeals chose to nullify the jury’s verdict on this point, concluding that Google’s use was not “fair use,” and sent the matter back for a trial as to the damages Google owes Oracle. As far as we can tell, no appellate court has overturned a jury verdict in a fair use case prior to this.
The decision reintroduces uncertainty about when, whether, and how code structure can be used without fear of infringing copyright. OS and API developers may be liable for copyright infringement when using verbatim snippets or sections of code that reside under a restrictive or proprietary license, even where that use seems purely functional.
Don’t assume that “Fair Use” makes it safe to use that snippet of code or functional architecture.
CITATION: Oracle America, Inc. v. Google LLC, No. 2017-1118, 2017-1202 (Fed. Cir. Mar. 27, 2018)
Trademark Office Launches Pilot Program to Reduce Fraud
The Trademark Office recently launched a “Pilot Program” that allows anyone to submit evidence to the office that a registered trademark is not in use and that the specimen filed by the trademark owner is false.
Submission of a “specimen”, a depiction of a trademark in its use on its goods or services, is a requirement for trademark registration. It is more than a mere formality. It’s proof to a government office, and to the general public, of actual trademark use.
Submission of a specimen manipulated to depict use could possibly be fraud on the trademark office.
Additionally, when opposing another person’s trademark registration because it’s confusingly similar to yours, keep in mind that there may be other grounds for refusal, such as a false specimen.
The Trademark Office takes fraud seriously and is expanding its efforts to police it.