May 23, 2017

Archives for June 2009

CITP Announces 2009-10 Visitors

Today, I’m pleased to announce CITP’s visitors for the upcoming academic year.

Deven R. Desai, Visiting Fellow: Deven is an Associate Professor of Law at the Thomas Jefferson School of Law, and a permanent blogger at Concurring Opinions. Professor Desai’s scholarship centers on intellectual property, information theory, and Internet-related law. He plans to work on a major project exploring the ways trademark law can foster, or limit, online innovation.

James Katz, Visiting Fellow. Jim is Professor, Chair of the Department of Communication, and Director of the Center for Mobile Communication Studies at Rutgers, where he holds the University’s highest professorial rank. He has devoted much of his career to exploring the social consequences of new communication technology, especially the mobile phone and Internet. Currently he is looking at how personal communication technologies can be used by teens from urban environments to engage in informal science and health learning. This research is being carried out through an NSF-sponsored project with New Jersey’s Liberty Science Center.

Rebecca MacKinnon, Visiting Fellow (spring term): Rebecca is an Assistant Professor at the University of Hong Kong’s Journalism and Media Studies Centre. She is currently on leave, as an Open Society Fellow, to work on a book tentatively titled “Internet Freedom and Control: Lessons from China for the World.” She will spend the spring 2010 semester at CITP, continuing to work on the book. Rebecca is a cofounder of Global Voices, a founding member of the Global Network Initiative, and a former television journalist, having served as CNN’s bureau chief in Beijing and, later, Tokyo.

Jens Grossklags, Postdoctoral Research Associate: Jens, a new PhD from the UC Berkeley School of Information, studies information economics and technology policy. He focuses on the intersection of privacy, security, and network systems. His approach is highly interdisciplinary, combining economics, computer science, and public policy. Currently, he is investigating the ways institutions and end users make decisions about complex computer security risks under conditions of uncertainty and limited information.

Joseph Lorenzo Hall, Visiting Postdoctoral Research Associate: Joe, whose work is supported by the NSF ACCURATE Center, also earned his PhD from the UC Berkeley School of Information. His dissertation examined public policy mechanisms for making computerized voting systems more transparent. He continues to work along the same lines, drawing lessons from voting machines, gaming machines and other technologies on how to best protect users from error and malicious activity.

In addition to these full time appointments, the Center will also welcome two Visiting Research Collaborators on an occasional basis: Alex Halderman, an Assistant Professor of Computer Science at the University of Michigan (and recently in the news for his research group’s analysis of China’s Green Dam software), and David Lukens, an attorney who has been collaborating on the Center’s transparency work.

Did the Sanford E-Mail Tipster or the Newspaper Break the Law?

Part of me doesn’t want to comment on the Mark Sanford news, because it’s all so tawdry and inconsistent with the respectable, family-friendly tone of Freedom to Tinker. But since everybody from the Gray Lady on down is plastering the web with stories, and because all of this reporting is leaving unanalyzed some Internet law questions, let me offer this:

On Wednesday, after Sanford’s confessional press conference, The State, the largest newspaper in South Carolina, posted email messages appearing to be love letters between the Governor and his mistress. (The paper obscured the name of the mistress, calling her only “Maria.”) The paper explained in a related news story that they had received these messages from an anonymous tipster back in December, but until yesterday’s unexpected corroboration of their likely authenticity, they had just sat on them.

Did the anonymous tipster break the law by obtaining or disclosing the email messages? Did the paper break the law by publishing them? After the jump, I’ll offer my take on these questions.

Three disclaimers: First, the paper has not yet revealed (and may not even know) most of the important facts I would need to know to thoroughly analyze whether a law has been broken. Like a first year law student, I am trying to spot legal issues that will turn on what might be the facts. Second, I know nothing about the law of South Carolina (or, for that matter, Argentina). I am analyzing three specific federal laws with which I am very familiar. Third, I am barely scratching the surface of some very complex laws.

The Anonymous Tipster

Let’s start with the anonymous tipster (AT). AT might have broken three federal laws, depending on who AT is and how he or she obtained the messages. First, the Stored Communications Act (SCA) prohibits unauthorized access to a “facility through which an electronic communication service is provided” to obtain messages “in electronic storage.” In a separate provision, the SCA prohibits providers from disclosing the content of user communications. Second, the Wiretap Act prohibits the interception of electronic communications and the disclosure and use of illegally intercepted communications. Third, the Computer Fraud and Abuse Act (CFAA) prohibits certain types of unauthorized conduct on computers and computer networks.

All three of these laws provide both civil remedies (Maria, Sanford, or an affected ISP can sue the anonymous tipster for damages) and criminal prohibitions. So should AT worry about jail or a hefty fine? Probably not, but it turns on who AT turns out to be.

What if AT turns out to be Maria herself? Even putting to one side whether these laws apply outside the U.S., she almost certainly would not have broken any of them. Each of these laws provides an exception or defense for consent of the communicating party or authorization of the email account owner. To take one example, under the SCA it is not illegal for the owner of an email account to access or disclose his or her email messages.

These defenses would also protect AT if he turns out, in a bizarre twist, to be Sanford himself.

For the same reasons, AT probably did not break these laws if it turns out Maria or Sanford intentionally disclosed the email messages to AT, perhaps a friend or acquaintance or employee, who then passed them on to the newspaper. This is probably true even if Maria or Sanford asked AT to promise to protect the secret. As in other parts of the law, misplaced trust is no defense under these three laws.

But now we get to more difficult cases. What if AT is a friend or acquaintance or employee of Maria or Sanford who had access to Maria’s or Sanford’s email account, but did not have specific permission to access these particular messages? For example, what if AT was Sanford’s secretary, a person likely to have permission to view his inbox? On these facts, the case against AT would turn on hard questions of authorization. Did Sanford or Maria limit AT’s authorized access to the inbox? If so, how? With written rules, technological access controls, or vague admonitions? Courts have interpreted the word “authorization” in the CFAA, in particular, quite narrowly, ruling that otherwise-authorized users may no longer act with authorization once they violate rules or contractual promises. (This is the legal theory being advanced by DOJ in the Lori Drew CFAA prosecution.)

Next, what if AT works for an ISP—perhaps on the IT staff for the State of South Carolina or for a commercial email provider? In this case, AT should worry a little more. Although ISPs tend to have many legal reasons to access the content of communications stored on their servers or passing through their wires, this authority is not unlimited, as I have written about elsewhere. The ISP employee’s liability or culpability will turn on factors like terms of service and motive. For example, if the employee stumbled upon the messages during routine server maintenance, there may be a good defense.

The Newspaper

Lastly, let’s turn to the newspaper, The State. First, if AT did not break any of these laws by obtaining or disclosing the messages, then the newspaper likewise did not break any of these laws by publishing them.

Even if AT has broken the CFAA or SCA, the newspaper probably has no downstream liability for its subsequent publication. These two laws focus on initial access or disclosure, not on subsequent, downstream uses and disclosures.

The Wiretap Act, on the other hand, restricts the downstream use and disclosure of illegally intercepted communications. Here, however, the First Amendment probably provides a defense.

In Bartnicki v. Vopper, the Supreme Court held that the First Amendment shields the media from liability for the publication of content illegally intercepted under the Wiretap Act if the content is “about a matter of public concern.” Granted, the private communications in Bartnicki—a phone call between a union negotiator and the union’s president about the status of negotiations—seem more a matter of public concern and less private than the intimate love letters between a politician and his mistress. But, I am no First Amendment expert, so I will leave it to others to decide how these facts fare under Bartnicki. To my nonexpert eye, given the sweeping language both in Bartnicki and in the cases cited by Bartnicki (starting with New York Times v. Sullivan), it seems that the First Amendment shield applies here.

Final Thought: So, Who is the Tipster?

Finally, Sanford or Maria might sue the newspaper and AT (as a so-called “John Doe” defendant) in order to discover AT’s identity. A plaintiff in a civil lawsuit can ask a judge to order a subpoena to discover an unknown defendant’s identity. No doubt, the newspaper would fight such a subpoena vigorously, but whether or not it would succeed is a topic for another day.

U.S. Objects to China's Mandatory Green Dam Censorware

Yesterday, the U.S. Commerce Secretary and Trade Representative sent a letter to China’s government, objecting to China’s order, effective July 1, to require that all new PCs sold in China have preinstalled the Green Dam Youth Escort censorware program.

Here’s today’s New York Times:

Chinese officials have said that the filtering software, known as Green Dam-Youth Escort, is meant to block pornography and other “unhealthy information.”

In part, the American officials’ complaint framed this as a trade issue, objecting to the burden put on computer makers to install the software with little notice. But it also raised broader questions about whether the software would lead to more censorship of the Internet in China and restrict freedom of expression.

The Green Dam requirement puts U.S.-based PC companies, such as HP and Dell, in a tough spot: if they don’t comply they won’t be able to sell PCs in China; but if they do comply they will be censoring their customers’ Internet use and exposing customers to serious security risks.

There are at least two interesting new angles here. The first is the U.S. claim that China’s action violates free trade agreements. The U.S. has generally refrained from treating China’s Internet censorship as a trade issue, even though U.S. companies have often found themselves censored at times when competing Chinese companies were not. This unequal treatment, coupled with the Chinese government’s reported failure to define clearly which actions trigger censorship, looks like a trade barrier — but the U.S. hasn’t said much about it up to now.

The other interesting angle is the direct U.S. objection to censorship of political speech. For some time, the U.S. has tolerated China’s government blocking certain political speech in the network, via the “Great Firewall“. It’s not clear exactly how this objection is framed — the U.S. letter is not public — but news reports imply that political censorship itself, or possibly the requirement that U.S. companies participate in it, is a kind of improper trade barrier.

We’re heading toward an interesting showdown as the July 1 date approaches. Will U.S. companies ship machines with Green Dam? According to the New York Times, HP hasn’t decided, and Dell is dodging the question. The companies don’t want to lose access to the China market — but if U.S. companies participate so directly in political censorship, they would be setting a very bad precedent.