CFAA only for hacking – at least in the West

In U.S. v. Nosal __ F.3d __ (2012), the Ninth Circuit made clear that it considers the scope of the Computer Fraud and Abuse Act to be focused specifically on computer hacking rather than more broadly related to violations of corporate policies and terms of service agreements.

The case arose out of a minor bit of corporate espionage – and the hubris and stupidity that often accompanies such activities. David Nosal, former employee at the executive search firm of Korn/Ferry, “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business.”  The Korn/Ferry employees used their access to the system to download confidential information, including source lists, names and contact, which they emailed to Nosal. They were all caught. The government indicted Nosal was on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA.

Although Nosal did not violate the CFAA, he was charged with aiding and abetting those former colleagues who did. The aiding and abetting count rests on whether the conduct of Nosal’s former colleagues violated the CFAA when they used their authorized access to the confidential database to violate the terms of confidentiality and theft of trade secrets.

Writing a clear, rather stinging rebuke of the government’s position, Judge Kozinski explained that the section of the CFAA is limited to computer hacking, not every violation of use.

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[] authorized access” if he looks at the customer lists.

Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

… The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.

… Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

There are a number of subsections of the CFAA and the government takes the position that the broad interpretation this provision is limited by the need to prove an intent to defraud. In those other sections of the CFAA where intent to defraud is not required, the statute’s scope can still be more limited. But the Ninth Circuit points out that the language of the offense is the same such that a different scope in the same statute for the same phrase is unworkable.

The Ninth Circuit remains at odds with decisions in other circuits. Eventually either Congress or the Supreme Court will need to reconcile this increasingly important tension in the CFAA. For now, one’s exposure to federal criminal prosecution depends, at least in part, on where one accesses the computer.

PROTECT IP Act may be open to some Reasonable Amendments

In response to concerted objections to aspects of the PROTECT IP Act, legislation sponsor Senator Patrick Leahy (D-Vt.) announced by radio and press release that the sponsors may eliminate a controversial provision requiring Internet Service Providers (ISPs) to interfere with the Domain Name System as a technique to prevent consumer access to foreign websites deemed “rogue” or havens for pirated goods.

According to the press release, the Senate is set to hold a procedural vote January 24, 2012. With over 40 co-sponsors of the bill, the position may face internal opposition, but Senator Leahy remains an influential voice on such topics and in the Senate.

According to the press release:

The PROTECT IP Act provides new tools for law enforcement to combat rogue websites that operate outside our borders but target American consumers with stolen American property and counterfeits.  One of those tools enables law enforcement to secure a court order asking Internet Service Providers (ISPs) to use the Domain Name System to prevent consumer access to foreign rogue websites.  This provision was drafted in response to concerns that law enforcement has remedies it can take against domestic websites, but does not currently have the power to stop foreign rogue websites.  I worked closely with the ISPs in drafting this provision to ensure they were comfortable with how it would work, and I appreciate their support. …

I and the bill’s cosponsors have continued to hear concerns about the Domain Name provision from engineers, human rights groups, and others.  …  I remain confident that the ISPs – including the cable industry, which is the largest association of ISPs – would not support the legislation if its enactment created the problems that opponents of this provision suggest.  Nonetheless, this is in fact a highly technical issue, and I am prepared to recommend we give it more study before implementing it.

Though described as a balanced bill, the legislation and SOPA – the even more extreme House legislation – have split the intellectual property industries, with strong support from many in the creative community and nearly unanimous opposition from the tech industries. Even within the media industries, concerns run high and I have spoken to a number of publishers and media representatives who feel that the proposals will do more harm than good.

A hearing on SOPA designed to allow critics of the legislation to be heard is now scheduled for January 18th.

Senator Leahy’s announcement may be the first step towards slowing an otherwise out-of-control legislative disaster.

A New Resource Center to Help Respond to Identity Theft

Identity theft continues to be a significant economic drain and extremely frustrating personal experience. 46 States have data breach notification laws to assist individuals whose data may have been compromised and credit card companies are regularly battling this challenge.

On Sept. 7, 2001,  the Consumer Federation of America unveiled a new website, www.IDTheftInfo.org, which features CFA’s Best Practices for Identity Theft Services  and other resources for consumers and businesses.

“IDTheftInfo.org is an easy-to-use gateway for information about identity theft from Consumer Federation of America and other reputable sources,” said Susan Grant, CFA’s Director of Consumer Protection. Visitors to the site can take quizzes to test their ID theft savvy, learn how to protect themselves, and find information about what to do if they become ID theft victims. Advice for businesses about data security is also provided. The “Latest News” section of the website will keep people informed about identity theft-related issues and developments.

Still, it is important to keep identity theft concerns in context, particularly since other commercial preditors prey on consumer fears to promote unnecessary and expensive remedies. According to a  FTC Consumer Sentinel Network February 2010 report identity theft breaks down as follows:

Credit card fraud (17%) was the most common form of reported identity theft, followed by government documents/benefits fraud (16%), phone or utilities fraud (15%), and employment fraud (13%).  Other significant categories of identity theft reported by victims were bank fraud (10%) and loan fraud (4%).

The Consumer Federation of America has itself warned the public of these concerns. In its own report, it cautions “the claims that some identity theft services make are exaggerated or misleading, and it’s not always easy to tell from their Web sites and advertising exactly how these services work, how much they cost, or what protection or assistance they really offer.” Still, the additional resource can only help simply the process of getting help if identity theft occurs.

Of course, the first line of defense is good planning. Keep a good record of each credit card along with the PIN number, log-in and passwords in a safe, off-line location. Quickly contact the issuer of any credit card that has been compromised and if you use common log-ins, consider having all your other cards reissued before any intrusion spreads. By doing the same with banks and credit reporting agencies if the fraud is severe, you can reduce the impact and help stop the thefts.

17,000 Counterfeit Items Collected in Minnesota Sweep – A Drop added to the Bucket

The Minneapolis Star and Tribune reported this morning that “in a five-day Twin Cities sweep, federal agents seize 17,000 counterfeit items, everything from faux football jerseys to charade Chanel perfume.” In its feature story, “Fake goods, stolen secrets cost Minnesota businesses billions” Jim Spencer identified attacks against companies such as Valspar through industrial espionage of its trade secrets.

The sweep of the goods – and the sheer size of the raid – helps make real what is more often considered an amorphous or even humorous risk. Last month shoppers in China identified a number of counterfeit Apple stores. The ability to create entire stores selling counterfeit goods seems inconceivable, but the public becomes inurned to the fake DVDs sold on street corners and millions illegal of MP3 and DVD downloads.

But in a time of job loss and economic upheaval, the undermining of the U.S. innovation economy remains a serious threat. As the Star Tribune reported:

David Yen Lee, a technical director at Valspar, got caught trying to steal $20 million worth of chemical formulas to give to a Chinese company in exchange for a high-ranking job. Lee got 15 months in jail.

The bust of a group led by a Minnesotan named Charles Thompson led to the arrests of eight people accused of selling $500,000 worth of counterfeit items, said Mike Feinberg, a Minnesota-based agent with ICE. The suspects pleaded guilty and got probation.

Moreover, because the risks of apprehension are low and the consequences tend to result in short jail terms, organized crime realizes this is a very economically efficient market to exploit.

At the same time, however, economic efficiency and rationality must drive the enforcement actions. Congress is quick to draft new laws rather than fund enforcement of laws already perfectly appropriate to stop the illegal conduct. Moreover, the enforcement should be focused on the legitimate industry threats. Like the recent raid, the emphasis must be directed at large scale criminal conduct. Only once the antipiracy efforts become focused on major players (rather than college students and single mothers) and proper resources are invested in defense of these assets can the problem be addressed.