Newsgroups: misc.legal,comp.org.eff.talk
From: mnemonic@eff.org (Mike Godwin)
Subject: Cardozo Law Forum article on the Craig Neidorf Computer-Crime
Message-ID: <1992Dec1.155823.27405@eff.org>
Organization: Electronic Frontier Foundation
Date: Tue, 1 Dec 1992 15:58:23 GMT
Lines: 339

Readers of misc.legal and comp.org.eff.talk may be interested in
the following article, which addresses the intersection of
intellectual-property law and criminal law in a computer-crime case.
The article first appeared in September in the Cardozo Law Forum at
Cardozo Law School in New York City.

----------

Some "Property" Problems in a Computer Crime Prosecution
By Mike Godwin

The spread and pervasiveness of computer technology create the
potential both for new kinds of crimes and for new variations of
traditional crimes. Law enforcement, the judiciary, and the legislature
can respond to these potentials in two ways: by seeking new laws to
address new problems, or by attempting to apply old laws (and traditional
notions of crime) in new and unforeseen situations. This article concerns
what hazards may face prosecutors and judges when law enforcement chooses
the latter tactic. In particular, it shows what can happen when
prosecutors uncritically apply intellectual property notions in
prosecuting a defendant under laws passed to protect tangible property.

The government stumbles in a "hacker" case.

In the recent case of U.S. v. Riggs, the Chicago U.S. Attorney's
office prosecuted two young men, Robert Riggs and Craig Neidorf, on counts
of wire fraud (18 U.S.C. 1343), interstate transportation of stolen
property (18 U.S.C. 2314) and computer fraud (18 U.S.C. 1030). Of these
statutes, only the last was passed specifically to address the problems of
unauthorized computer intrusion; the other two are "general purpose"
federal criminal statutes that are used by the government in a wide range
of criminal prosecutions. The wire fraud statute includes as an element
the taking (by fraudulent means) of "money or property," while the
interstate-transportation-of-stolen-property (ITSP) statute requires,
naturally enough, the element of "goods, wares, merchandise, securities or
money, of the value of $5,000 or more." (I do not address here the extent
to which the notions of "property" differ between these two federal
statutes. It is certain that they do differ to some extent, and the
interests protected by the wire-fraud statute were expanded in the 1980s
by Congress to include "the intangible right to honest services." 18
U.S.C. 1346. Even so, the prosecution in the Riggs case relies not on
1346, but on intellectual-property notions, which are the focus of this
article.) The 18 U.S.C. 1030 counts against Neidorf were dropped in the
government's June 1990 superseding indictment, the indictment actually
used at Neidorf's trial in July 1990.

The Riggs case is based on the following facts: Robert Riggs, a
computer "hacker" in his early 20s, discovered that he could easily gain
access to an account on a computer belonging to BellSouth, one of the
Regional Bell Operating Companies (RBOCs). The account was highly
insecure--access to it did not require a password (a standard, if not
always effective, security precaution). While exploring this account,
Riggs discovered a word-processing document detailing procedures and
definitions of terms relating to the Emergency 911 system ("E911 system").
Like many hackers, Riggs had a deep curiosity about the workings of this
country's telephone system. (This curiosity among young hackers is a
social phenomenon that has been documented for more than 20 years. See,
e.g., Rosenbaum, "Secrets of the Little Blue Box," Esquire, October 1971;
and Barlow, "Crime and Puzzlement: In Advance of the Law on the Electronic
Frontier," Whole Earth Review, September 1990.)

Riggs knew that his discovery would be of interest to Craig Neidorf,
a Missouri college student who, while not a hacker himself, was an amateur
journalist whose electronically distributed publication, Phrack, was
devoted to articles of interest to computer hackers. Riggs sent a copy of
the E911 document to Neidorf over the telephone line--using computer and
modem--and Neidorf edited the copy to conceal its origin. Among other
things, Neidorf removed the statements that the information contained in
the document was proprietary and not for distribution. Neidorf then sent
the edited copy back to Riggs for the latter's review; following Riggs's
approval of the edited copy, Neidorf published the E911 document in the
February 24, 1989, issue of Phrack. Some months following publication of
the document in Phrack, both Riggs and Neidorf were caught and questioned
by the Secret Service, and all systems that might contain the E911
document were seized pursuant to evidentiary search warrants.

Riggs and Neidorf were indicted on the counts discussed supra; Riggs,
whose unauthorized access to the BellSouth computer was difficult to
dispute, later pled guilty to wire fraud for that conduct. Neidorf pled
innocent on all counts, arguing, inter alia, that his conduct was
protected by the First Amendment, and that he had not deprived BellSouth
of property as that notion is defined for the purposes of the wire fraud
and ITSP statutes.

The two defenses are closely related. Under the First Amendment, the
presumption is that information is free, and that it can readily be
published and republished. For this reason, information gives rise to a
property interest only if it passes certain legal tests. Law enforcement
cannot simply assume that whenever information has been copied from a
private computer system a theft has taken place.

In Neidorf's case, as it turns out, this is essentially what the
Secret Service and the U.S. Attorney's office did assume. The assumption
came back to haunt the government when it was revealed during trial that
the information contained within the E911 document did not meet any of the
relevant legal tests to be established as a property interest.

How information becomes stealable property.

In order for information to be stolen property, it must first be
property. There are only a few ways that information can qualify as a
property interest, and two of these--patent law and copyright law--are
creatures of federal statute, pursuant to an express Constitutional grant
of legislative authority. (U.S. Constitution, Article I, Sec. 8, clause
8.) Patent protections were clearly inapplicable in the Neidorf case; the
E911 document, a list of definitions and procedures, did not constitute an
invention or otherwise patentable process or method. Copyright law might
have looked more promising to Neidorf's prosecutors, since it is well
established that copyrights qualify as property interests in some contexts
(e.g., the law of inheritance).

Unfortunately for the government, the Supreme Court has explicitly
stated that copyrighted material is not property for the purposes of the
ITSP statute. In Dowling v. United States, 473 U.S. 207 (1985), the Court
held that interests in copyright are outside the scope of the ITSP
statute. (Dowling involved a prosecution for interstate shipments of
pirated Elvis Presley recordings.) In reaching its decision, the Court
held, inter alia, that 18 U.S.C. § 2314 contemplates "a physical identity
between the items unlawfully obtained and those eventually transported,
and hence some prior physical taking of the subject goods." Unauthorized
copies of copyrighted material do not meet this "physical identity"
requirement.

The Court also reasoned that intellectual property is different in
character from property protected by generic theft statutes: "The
copyright owner, however, holds no ordinary chattel. A copyright, like
other intellectual property, comprises a series of carefully defined and
carefully delimited interests to which the law affords correspondingly
exact protections." The Court went on to note that a special term of art,
"infringement," is used in reference to violations of copyright
interests--thus undercutting any easy equation between unauthorized copying
and "stealing" or "theft."

It is clear, then, that in order for the government to prosecute the
unauthorized copying of computerized information as a theft, it must rely
on other theories of information-as-property. Trade secret law is one
well-established legal theory of this sort. Another is the
breach-of-confidence theory articulated recently by the Supreme Court in
Carpenter v. United States, 108 S.Ct. 316 (1987). I will discuss each
theory in turn below.

Trade Secrets

Trade secrets are generally creatures of state law, and most
jurisdictions have laws that criminalize the violations of a trade-secret
holder's rights in the secret. There is no general federal definition of
what a trade secret is, but there have been federal cases in which
trade-secret information has been used to establish the property element
of a federal property crime. See, e.g., United States v. Bottone, 365 F.2d
389 (2d Cir.), cert denied, 385 U.S. 974 (1966), affirming ITSP
convictions in a case involving a conspiracy to steal drug-manufacturing
bacterial cultures and related documents from a pharmaceutical company and
sell them in foreign markets. (In Bottone, a pre-Dowling appellate court
expressed a willingness to interpret 18 U.S.C. § 2314 as encompassing the
interstate transportation of copies of documents detailing the
drug-manufacturing process, i.e., it did not require the "physical
identity" element discussed supra. Recognizing possible problems with this
approach, however, the appellate court reasoned in the alternative that
the bacterial cultures themselves provided a sufficient nexus of a
tangible property interest to justify application of the ITSP statute;
this alternative analysis may render Bottone consistent with Dowling. It
should be noted that the post-Dowling judge in Riggs expressed, in his
denial of a motion to dismiss, 739 F.Supp. 414 (N.D.Ill, 1990), a similar
willingness not to require actual physical identity as a predicate for
ITSP. An appellate court later criticized this decision. U.S. v. Brown,
925 F.2d 1301 (1991).)

The problem in using a trade secret to establish the property element
of a theft crime is that, unlike traditional property, information has to
leap several hurdles in order to be established as a trade secret.

Trade secret definitions vary somewhat from state to state, but the
varying definitions typically have most elements in common. One good
definition of "trade secret" is outlined by the Supreme Court in Kewanee
Oil Co. v. Bicron Corp., 416 U.S. 470 (1974): "a trade secret may consist
of any formula, pattern, device or compilation of information which is
used in one's business, and which gives one an opportunity to obtain an
advantage over competitors who do not know or use it. It may be a formula
for a chemical compound, a process of manufacturing, treating or
preserving materials, a pattern for a machine or other device, or a list
of customers." The Court went further and listed the particular
attributes of a trade secret:

* The information must, in fact, be secret--"not of public knowledge
or of general knowledge in the trade or business."
* A trade secret remains a secret if it is revealed in confidence to
someone who is under a contractual or fiduciary obligation, express or
implied, not to reveal it.
* A trade secret is protected against those who acquire it via
unauthorized disclosure, violation of contractual duty of confidentiality,
or through "improper means." ("Improper means" includes such things as
theft, bribery, burglary, or trespass. The Restatement of Torts at 757
defines such means as follows: "In general they are means which fall below
the generally accepted standards of commercial morality and reasonable
conduct.")
* A court will allow a trade secret to be used by someone who
discovered or developed the trade secret independently (that is, without
taking it in some way from the holder), or if the holder does not take
adequate precautions to protect the secret.
* An employee or contractor who, while working for a company,
develops or discovers a trade secret, generally creates trade secret
rights in the company.

The holder of a trade secret may take a number of steps to meet its
obligation to keep the trade secret a secret. These may include:

a) Labelling documents containing the trade secret "proprietary" or
"confidential" or "trade secret" or "not for distribution to the public;"
b) Requiring employees and contractors to sign agreements not to
disclose whatever trade secrets they come in contact with;
c) destroying or rendering illegible discarded documents containing
parts or all of the secret, and;
d) restricting access to areas in the company where a nonemployee, or
an employee without a clear obligation to keep the information secret,
might encounter the secret. Dan Greenwood's Information Protection
Advisor, April 1992, page 5.

Breach-of-confidence

Even if information is not protected under the federal patent and
copyright schemes, or under state-law trade-secret provisions, it is
possible, according to the Supreme Court in Carpenter, for such
information to give rise to a property interest when its unauthorized
disclosure occurs via the breach of confidential or fiduciary
relationship. In Carpenter, R. Foster Winans, a Wall Street Journal
reporter who contributed to the Journal's "Heard on the Street" column,
conspired with Carpenter and others to reveal the contents of the column
before it was printed in the Journal, thus allowing the conspirators to
buy and sell stock with the foreknowledge that stock prices would be
affected by publication of the column. Winans and others were convicted
of wire fraud; they appealed the wire-fraud convictions on the grounds
that they had not deprived the Journal of any money or property.

It should be noted that this is not an "insider trading" case, since
Winans was no corporate insider, nor was it alleged that he had received
illegal insider tips. The "Heard on the Street" column published
information about companies and stocks that would be available to anyone
who did the requisite research into publicly available materials. Since
the information reported in the columns did not itself belong to the
Journal, and since the Journal planned to publish the information for a
general readership, traditional trade secret notions did not apply. Where
was the property interest necessary for a wire-fraud conviction?

The Supreme Court reasoned that although the facts being reported in
the column were not exclusive to the Journal, the Journal's
right--presumably based in contract--to Winans' keeping the information
confidential gave rise to a property interest adequate to support a
wire-fraud conviction. Once the Court reached this conclusion, upholding
the convictions of the other defendants followed: even if one does not
have a direct fiduciary duty to protect a trade secret or confidential
information, one can become civilly or criminally liable if one conspires
with, solicits, or aids and abets a fiduciary to disclose such information
in violation of that person's duty. The Court's decision in Carpenter has
received significant criticism in the academic community for its expansion
of the contours of "intangible property," but it remains good law today.

How the theories didn't fit

With these two legal approaches--trade secrets and breach of
confidence--in mind, we can turn back to the facts of the Riggs case and
see how well, or how poorly, the theories applied in the case of Craig
Neidorf.

With regard to any trade-secret theory, it is worth noting first of
all that the alleged victim, BellSouth, is a Regional Bell Operating
Company--a monopoly telephone-service provider for a geographic region in
the United States. Recall the observation in Kewanee Oil, supra, that a
trade secret "gives one an opportunity to obtain an advantage over
competitors who do not know or use it." There are strong arguments
that--at least so far as the provision of Emergency 911 service
goes--BellSouth has no "competitors" within any normal meaning of the term.
And even if BellSouth did have competitors, it is likely that they would
both know and use the E911 information, since the specifications of this
particular phone service are standardized among the regional Bells.

Moreover, as became clear in the course of the Neidorf trial, the
information contained in the E911 document was available to the general
public as well, for a nominal fee. (One of the dramatic developments at
trial occurred during the cross-examination of a BellSouth witness who had
testified that the E911 document was worth nearly $80,000. Neidorf's
counsel showed her a publication containing substantially the same
information that was available from a regional Bell or from Bellcore, the
Bells' research arm, for $13 to any member of the public that ordered it
over an 800 number.) Under the circumstances, if the Bells wanted to
maintain the E911 information as a trade secret, they hadn't taken the
kind of steps one might normally think a keeper of a secret would take.

BellSouth had, however, taken the step of labelling the E911 document
as "NOT TO BE DISCLOSED OUTSIDE OF BELLSOUTH OR ITS SUBSIDIARIES" (it was
this kind of labelling that Neidorf attempted to remove as he edited the
document for publication in Phrack). This fact may have been responsible
for the federal prosecutors' oversight in not determining prior to trial
whether the E911 document met the tests of trade-secret law. It is possible
that prosecutors, unfamiliar with the nuances of trade-secret law, read
the "proprietary" warnings and, reasoning backwards, concluded that the
information thus labelled must be trade-secret information. If so, this
was a fatal error on the government's part. In the face of strong
evidence that the E911 document was neither secret nor competitively or
financially very valuable, any hope the government had of proving the
document to be a trade secret evaporated. (Alternatively, the government
may have reasoned that the E911 information could be used by malicious
hackers to damage the telephone system in some way. The trial transcript
shows instances in which the government attempted to elicit information of
this sort. It should be noted, however, that even if the information did
lend itself to abuse and vandalism, this fact alone does not bring it
within the scope of trade-secret law.)

Nor did the facts lend themselves to a Carpenter-like theory based on
breach of confidence; Neidorf had no duties to BellSouth not to disclose
its information. Neither did Riggs, from whom Neidorf acquired a copy of
the document. The Riggs case lacks the linchpin necessary for a
conviction based on Carpenter--in order for nonfiduciaries to be convicted,
there must be a breaching fiduciary involved in the scheme in some way.
There can be no breach of a duty of confidence when there is no duty to be
breached.

Thus, when its trade-secret theory of the E911 document was
demolished in mid-trial, the government had no fall-back theory to rely on
with regard to its property-crime counts, and the prosecution quickly
sought a settlement on terms favorable to Neidorf, dropping prosecution of
the case in return for Neidorf's agreement to a pre-trial diversion on one
minor count.

The lesson to be learned from Riggs is that it is no easy task to
establish the elements of a theft crime when the property in question is
information. There are good reasons, in a free society, that this should
be so--the proper functioning of free speech and a free press requires that
information be presumptively protected from regulation by government or by
private entities invoking the civil or criminal law property protections.
The government in Riggs failed in its duty to recognize this presumption
by failing to make the necessary effort to understand the intellectual
property issues of the case. Had it done so, Neidorf might have been
spared an expensive and painful trial, and the government might have been
spared a black eye.*

------

*See, e.g., "Score One for the Hackers of America," NEWSWEEK, Aug. 6,
1990, page 48, and "Dial 1-800 ... for BellSouth 'Secrets',"
COMPUTERWORLD, Aug. 6, 1990, page 8.

_______________________________________________

Mike Godwin, a 1990 graduate of the University of Texas School of
Law, is staff counsel for the Electronic Frontier Foundation. EFF filed an
amicus curiae brief in the Neidorf case, arguing that Neidorf's attempted
publication of the E911 document was protected speech under the First
Amendment. Godwin received a B.A. in liberal arts from the University of
Texas at Austin in 1980. Prior to law school, Godwin worked as a
journalist and as a computer consultant.

--
Mike Godwin,    |"Doubt isn't the opposite of faith; it is an
mnemonic@eff.org| element of faith."
(617) 864-0665  |
EFF, Cambridge  |                --Paul Tillich