Saturday, October 07, 2006

Works in progress: Peter Winn

Peter Winn, Unauthorized Access, Computer Trespass and Privacy: Really interesting, though beyond my core field.

Winn is examining the CFAA and Stored Communications Act (federal), plus state and foreign unauthorized access statutes. What is the meaning of “unauthorized access”? The problem is one of overbreadth, as also occurs with concepts of trespass to chattels in cyberspace.

Two approaches: One way is to say that the legislatures were trying to address hackers, outsiders breaking into a computer, like burglary. The other way is to say that the statutes are intended to protect information in the computer system (which means that insiders can violate the law too, like a houseguest who pockets the silver). Many courts have interpreted the statutes the second way.

Very first case in which hacking was addressed, U.S. v. Morris: Morris was a grad student who created one of the first internet worms in the late 1980s. Morris was prosecuted under the 1986 version of the CFAA; Morris’s defense was that as a grad student at Cornell he had privileges to access the internet, and he designed his program to access the other computers in that system just as they were designed to be accessed – just as the code allowed him to do.

It’s a stupid argument at some level: that wasn’t the way they were designed to be accessed, because the programmers didn’t anticipate what he was doing. But from the machine’s viewpoint, there wasn’t any difference. The Second Circuit rejects Morris’s argument. You have to reference something other than the way that the code was designed. The Second Circuit was referencing norms – if Morris had called up the owners of the hardware and said what he planned to do, they probably would have told him “no.”

If we’re working with unwritten norms in the core cases, we get the expansionist cases – mostly civil cases – now companies sue former employees for taking customer lists with them. We’re no longer in the world of hacking, but courts are still applying intent standards and finding unauthorized access. Also with scraping a competitor’s website. Most interesting case: A law firm that issues an overbroad subpoena of an ISP where the opposing party has its email server, and gets the ISP to give them all the email without notice to the opposing party. After the firm was sanctioned, the employees whose emails were obtained filed suit against the person who issued the subpoena, and the 9th Circuit rules they have a cause of action under the CFAA and under the Stored Communications Act.

When courts go beyond hacking, they’re using the idea of trespass in the internet context. Using it against employees subverting confidentiality, hacking, competitors all fits this model. But the employees whose email was searched have no possessory interest in the email stored at the ISP, nor do they have a leasehold, since the lease is their employers’. This is a case about rights in pure information. There’s a long line of 4th Amendment cases recognizing standing for a constitutional trespass based on a purely privacy/information-based interest in not being surveilled, and the 9th Circuit borrows from that line.

Why don’t we have a nightmare of overprotection in the digital world? Indeed, a lot of people who’ve written about this suggest that we’re shutting down the free flow of information. The solution: (1) We’re applying common law trespass to this idea of unauthorized access; let’s look at the common law, not trespass to chattels but trespass to real property and the time when trespass was a general cause of action for what we now call tort. The trespass to real property cases do not allow owners to dictate all terms. Particularly with property like inns that is private but open to the public, it is really very hard to bring a trespass case – a person who goes into the inn intending not to pay for supper is not a trespasser. A federal agent who goes onto private land where the owner is illegally selling liquor out the back is not a trespasser. If there’s a community practice of presumptive consent, then people can come hunt and fish on private land. Courts try to balance property and reasonable, appropriate uses of the property by the public. The common law wants to have it both ways. Posner decides a case about ABC, which promised not to do ambush journalism or hidden cameras and does just that to an ophthalmologist who sues for trespass. Even in the face of fraud, there’s no trespass because fraud doesn’t go to the basic interest trespass was designed to protect.

(2) The need to reference something else: if you bring a trespass case, you’re referencing the system of property rights. Courts in expansionist cases are not simply allowing the business owner or the email senders to sue because they don’t like the defendant, but rather because they can find specific common-law torts and trespass is used to translate those into internet law. The proposal to shut down common-law rulemaking is to restrict the meaning of unauthorized access to code-based circumvention: regulation by nerds. Winn thinks instead that we should let the courts work it out. New Zealand has a very tight definition that doesn’t allow common-law rulemaking. But other Commonwealth/US courts are doing a good job of balancing the interests. If you ratchet it down to code-based circumvention, you’re just transferring the decision about what’s authorized to the nerds from the judges. And it means you can’t protect the privacy of third parties as with the email case, because only the owner has the incentives to create a code-based protection. (I’m not sure I buy this, since the owner has incentives to create code-based protections in order to make its hosting more attractive to consumers. And I’m far from certain that it’s a good idea to make competitors liable for scraping a site when it’s not trespass for them to acquire a printed catalog with the same information, even if they acquire that catalog by subterfuge. In other words, “balancing the interests” gives courts another way to go after what they think is unjustified free riding, which they are all too willing to do.)

Winn points out that there are alternate privacy protection regimes: you can put duties on information collectors to manage information responsibly. So we don’t need to do it this way. Right now, he says, third parties don’t have a cause of action against the privacy-violator along with the info-collector who allowed privacy to be violated, but I would find that a much better solution to the problem he cares about than relying on the flexibility of the trespass doctrine, which as he acknowledges is not traditionally about protecting third parties’ interests.
