September 25, 2017

Administration Policy On Enforcing the CFAA Should Change

Almost exactly one year ago, Senator Wyden of Oregon and Rep. Lofgren of California introduced “Aaron’s Law” in response to the death of Internet activist and reddit co-founder Aaron Swartz. He committed suicide in January of 2013 at age 26, while under indictment for violating the Computer Fraud and Abuse Act (CFAA) for downloading research materials from an academic website. The publicity in the aftermath of the suicide highlighted many of the problems with the CFAA, which has been on the books since 1984 and has grown from a narrowly circumscribed law against computer hacking into a law that, under the federal government’s understanding, turns breaching a terms of service agreement into a felony. Yet despite this harsh criticism, Congress has not amended the CFAA, reportedly because of opposition by a certain technology company or companies. Accordingly, it is time for the Obama Department of Justice to declare that it will no longer seek to prosecute individuals for simply violating a terms of service agreement.

The CFAA was first enacted in 1984 and was quite narrow in scope. The original intent was to prosecute individuals who broke into a computer system and stole valuable data or maliciously caused damage. Since then, however, Congress has amended the CFAA numerous times and not only significantly broadened its scope, but also added a private cause of action. The current version of the CFAA contains seven major provisions that create liability for different types of computer misuse or harm. In addition, the penalties for violating the CFAA have been significantly increased. Misdemeanors have become felonies, two-year felonies have become five-year felonies and so on.

What has been the subject of intense scrutiny since Swartz’s death is the CFAA’s broadest provision, 18 U.S.C. § 1030(a)(2)(C), which makes it a crime to “exceed authorized access, and thereby obtain … information from any protected computer.” The Justice Department has taken the position that “exceeds authorized access” includes violating terms of service policies that are included with nearly all software and Internet services today. As Judge Kozinski of the Ninth Circuit has noted, “minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer use policies, although employees are seldom disciplined for occasional use of work computers for personal computers. Nevertheless, under the [government’s] broad interpretation of the CFAA, such minor dalliances would become federal crimes.” United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012).

Most people would probably admit that they never read those pages of fine print and simply “clicked here” when installing new software on their computer or accessing a new website. However, despite this social norm, the Department of Justice continues to take the position that a user’s breach of terms of service may be a violation of section 1030(a)(2) of the CFAA. For example, in a highly publicized case, the government charged a MySpace user with a crime for having breached MySpace’s Terms of Service. However, in United States v. Drew, 259 F.R.D. 449, 28 ILR 215 (C.D. Cal. 2009), the U.S. District Court for the Central District of California acquitted the defendant of her misdemeanor conviction for violating section 1030(a)(2), finding that a conviction based solely on a defendant’s intentional violation of a website’s terms of service would violate the void-for-vagueness doctrine. That doctrine requires a penal statute to define the criminal offense with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement. Since breaches of contract are not ordinarily the subject of criminal prosecution, an individual would not be on notice that a breach could be a crime.

In Swartz’s instance, the government charged that he had obtained illegal access to the JSTOR database with the intent to “liberate” the academic journals stored there and to allow everyone to have access to the journals in the database. JSTOR is an organization that sells universities, libraries, and publishers access to a database of over 1,000 academic journals. Before being caught, he succeeded in downloading a major portion of JSTOR’s database.

Since it is the government’s stated position that breaching the terms of service may constitute a crime under the CFAA, what is it that prevents the federal government from charging a violation almost anytime? The simple answer is that the government does not have the resources to pursue minor cases. But do most Americans really want to leave it for the government to decide what constitutes a “minor case”? Americans want a “government of laws, not men.” After the indictment of Aaron Swartz and the more recent spying by the NSA, giving the government the benefit of the doubt no longer seems to be quite so appealing.

So what should be done? Congress should revise the CFAA so that an individual who breaches a terms of service agreement is not subject to criminal prosecution, or at a minimum should not be subject to felony penalties as required by the current version of the CFAA. Congress should make clear that the CFAA is intended to address true computer hacking and not individuals who simply breach a term of service that they may or may not have read. Only people who actually break into computers by circumventing technical restrictions should be criminally prosecuted. Congress should also recognize that simply increasing the penalty provisions of the CFAA is unlikely to deter computer crime but is more likely to result in unjustly harsh treatment of individual defendants. While it seems clear to many people that a fresh legal approach to computer crime is necessary, it is almost impossible to believe that Congress will actually act. Putting aside certain technology industry resistance to amending the CFAA, the odds of getting the greatest do-nothing Congress in history to act seem farfetched, especially since over a year has passed since Swartz’s death. If nothing happened in its immediate aftermath, it is not going to happen now.

So what can be done? Attorney General Holder should announce a change of administration policy so that breaches of terms of service agreements by themselves will no longer be considered criminal. This understanding would be consistent with holdings in the Fourth and Ninth Circuits that the CFAA does not reach the mere misuse of employer information or violations of company use policies. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). As noted by the en banc Nosal court, the government approach “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal, 676 F.3d at 859. Moreover, this approach would be consistent with the common law rule of lenity that provides that ambiguous criminal laws should be construed in favor of the defendant.

President Obama has recently shown that where Congress refuses to act or simply does not act, he is willing to do so when he believes that it is the right thing to do. Here there is no doubt that the Computer Fraud and Abuse Act is overbroad in a way that turns ordinary Americans into felons. Congress has, not surprisingly, abdicated its responsibility by not amending the CFAA in the year since the introduction of Aaron’s Law. President Obama should not abdicate his responsibility by letting more time pass before making clear that the Department of Justice will not prosecute individuals whose only “crime” is to breach a terms of service agreement.

Apple-Samsung Round Two: And the Winner ….?

The outcome of the second patent trial of the century between Apple and Samsung, which resulted in the jury finding that Samsung must pay Apple $119.6 million and that Apple must pay Samsung $158,400 for its counterclaims of patent infringement, has been described as a “mixed verdict” for Apple. Indeed, it was far less than the $2.2 billion in damages sought by Apple and well short of the nearly $1 billion that Apple had been awarded in the first Apple-Samsung patent trial of the century. What went wrong this time around for Apple? Why was Apple awarded far less in damages when it was seeking roughly the same amount as in the first trial? The answers to these questions, in part, may depend on Apple’s difficulty in selling the second jury a story of how Samsung stole its intellectual property and the success of tactical decisions made by Samsung’s attorneys.

Unlike in the most recent trial, Apple was able to turn the first trial into a validation of Steve Jobs’s core belief that Apple’s intellectual property was “ripped off” by its competitors. Apple asserted in the first trial that Samsung “systematically copied Apple’s innovative technology and products, features, and designs, and has deluged markets with infringing devices in an effort to usurp market share from Apple.” Because that trial involved design patents and, essentially, the overall similarity of the competing products, Apple was able to turn what otherwise would have been a boring patent trial involving highly technical matters into an inquiry as to whether Samsung flagrantly copied the “look and feel” of the iPhone and iPad. Because the second trial did not involve design patents and focused on whether Samsung infringed highly technical Apple utility patents, the issues confronted by the jury were not as easily understood.

On this point, it is important to understand that there are two very different kinds of patents that can be obtained from the United States Patent and Trademark Office: utility patents and design patents. Utility patents are the most common type of patent and generally involve the manner in which an invention is used and works. They may be granted to anyone who invents a new and useful method, process, machine, device, or any new and useful improvement of the same. A utility patent may be awarded for a computer software invention.

In contrast, a design patent protects only the ornamental appearance of an invention, not its utilitarian features. The general test for infringement of a design patent is relatively simple: whether the alleged infringer’s product designs appear substantially the same as the patentee’s designs. While a patentee can buttress its evidence of the similarity of designs through the testimony, for example, of industry observers, consumers, and business partners, the jurors can often decide for themselves, by using their own eyes in a side-by-side comparison, whether the products are substantially the same. It is far easier for a jury to decide whether a party has infringed a design patent than a utility patent, and that decision certainly does not depend on understanding highly complex technical matters.

The claims of design patent infringement in the first trial gave Apple the opportunity to tell the jury the “story” of how Samsung “ripped off” Apple, and provided the jury with an opportunity to decide with their own eyes whether the products were similar. Given the similarity in appearance between these products and Samsung’s competing products, the Samsung attorneys faced the almost impossible task of convincing the jury that Samsung did not slavishly copy Apple’s products.

In comparison, the second trial did not involve allegations that Samsung infringed Apple design patents. Apple asserted that Samsung infringed 5 utility patents for the sale and importation of certain products. All of these patents relate to software features, such as quick-links, universal search, background synching, slide-to-unlock, and automatic word correction. Overall, Apple argued that the patents enable ease of use and make a user interface more engaging. Samsung also alleged that Apple infringed two utility patents for the sale of the iPhone 4, 4S, 5 and two generations of the iPod Touch. The jury determined that certain of Samsung’s products infringed three of the five patents asserted by Apple and awarded Apple $119.6 million. Apple was ordered to pay Samsung $158,400 for infringing one of Samsung’s patents. Samsung had asked for $6.2 million in damages, and it had argued that even if it had infringed all of Apple’s patents, it only owed $38.4 million.

Because the second trial did not involve claims of design patent infringement, the jury could not decide the matter of infringement based simply on a side-by-side comparison, but had to make their determination based on evidence relating to complex technical matters that the jury reportedly used a whiteboard to decipher. Based on this and the intricate determination of how to assess damages in a patent infringement matter, it becomes easier to understand why the jury only awarded Apple 6% of what it was seeking.

Apart from the second trial involving more complex technology, Samsung’s attorneys’ litigation strategy of making the trial about something other than Samsung’s infringing acts apparently was also successful. Indeed, the comments from the jurors after the trial made clear that they believed that Google should have been at the defendant’s table as well. Unlike the first litigation, which involved Samsung’s own design of phones and tablets, the second case involved patents relating to the Android operating system, which Google had provided to Samsung without cost. Apple argued that Samsung’s patent infringement was unrelated to Google and the Android operating system, but it was disclosed at trial that Google was assisting Samsung with its defense for two of the patents. The story of the second trial was not how Samsung copied Apple’s products but how Google supplied Samsung with allegedly infringing technology and that the real fight should be between Apple and Google. While the jury found that Samsung did not infringe these patents, the jury said it was influenced by information that Google was helping Samsung mount and fund its defense. According to press reports, the foreman of the jury, Tom Dunham, a retired IBM software exec, stated after the trial, “I guess if you really feel that Google is something that the cause behind this, as I think everybody observed, then don’t beat around the bush. The fact is Apple has [intellectual property] they believe in. So does Samsung. So does Google. Let the courts decide, but a more direct approach might be something to think about.” Given this sentiment, the jurors may have felt reluctant to award Apple two billion dollars in damages when they believed that the dispute was really between Apple and Google and Samsung was simply a stand-in.

Samsung’s trial strategy of seeking to diminish the value of patents in general also was apparently successful. Samsung filed counterclaims against Apple asserting that Apple infringed two of its patents relating to camera and folder organization functionality and video transmission functionality. However, instead of seeking hundreds of millions or even billions of dollars in damages for infringement of these patents or asserting other patents that conceivably were worth more, Samsung sought a mere $6.2 million in damages. Putting aside the trial advantages gained by being a counterclaimant as opposed to simply being a defendant, the jurors on some level were probably asking themselves why the Apple patents are worth so much more than Samsung’s. While this is an apples-to-oranges comparison, it does tacitly support Samsung’s defense that at most it only owed $38.4 million and not the $2.2 billion sought by Apple.

It is unlikely that the outcome of the most recent trial will have a major impact on the smartphone patent infringement war. In the short term, it is almost certain that both Apple and Samsung will appeal the verdict. Apple will challenge the jury’s verdict to award only $119.6 million in damages and Samsung will likely assert that even that damage award is grossly exaggerated. In the long term, the mixed verdict will likely mean that both Apple and Samsung will use patent litigation as one way to chip away at the other’s smartphone market share. However, the settlement between Apple and Google that occurred after the verdict in this case may be the necessary catalyst to push the parties to settle their differences. But since the settlement agreement apparently did not include cross-licensing, the patent war between Apple and Samsung is likely to continue for the foreseeable future.


Your Private Posts are Less Private Than You Think


Imagine that instead of driving in the newest and latest automobile, you are driving a Model-T on the beltway during non-rush hour. Instead of zipping along at 70 mph, never mind that the speed limit is 55, you have the pedal pushed to the floor and you are doing 30 mph in the third lane. If you can imagine the absurdity of that situation then you can imagine the state of the law regarding Internet privacy issues. In fact, Congress has not passed a single major law addressing the protection of privacy on the Internet since 1986, when it passed the Stored Communications Act (SCA) as part of the Electronic Communications Privacy Act (ECPA), which is intended to restrict disclosure of private communications by providers of electronic communications services. At the time Congress enacted the SCA, most of what we take for granted about the Internet was not even imaginable. There was no world wide web, the creators of Google had not even entered college and the founder of Facebook was barely out of diapers.

Nowhere in this area do the problems become more obvious than when a party seeks discovery from a non-party service provider through the issuance of a standard third party subpoena. Whether and to what extent the subpoena must be complied with may depend on whether the service provider can be classified as a remote computing service, “RCS,” or an electronic communication service, “ECS,” and on whether the information is public or private, distinctions that perhaps only law professors can appreciate.

At the time Congress passed the SCA in 1986, there were generally two types of service providers: (1) those that had the capability to send or receive wire or electronic communications, which Congress called an “electronic communication service” (ECS), and (2) those that provided computer storage or processing by means of an electronic communications system and were defined as a “remote computing service” (RCS). The SCA prohibits ECS providers from knowingly divulging the contents of a communication while in “electronic storage” by that service, which includes those messages that are in storage pending transmission, and any communications stored for purposes of back-up protection.

In contrast, RCS providers are prohibited from divulging the content of any electronic communication carried or maintained on their service solely for the purpose of providing storage or computer processing services. For a number of years the distinction between an ECS and an RCS was largely academic because an ECS generally did not offer the services of an RCS and vice versa.

However, the distinction between an ECS and a RCS has become blurred.  In particular, social media websites offer traditional ECS services such as email and RCS services such as computer storage.  In other words, a social media website may be both an ECS and an RCS depending on the services provided.  To put it simply, there is no good reason why the degree of protection for information should turn on whether the service provider may be classified as an ECS or a RCS.

For example, in a recent case, defendants issued subpoenas to two non-party social networking service providers, Facebook and MySpace, Inc., and to a non-party Web hosting company that provides webmail services.  The subpoenas sought disclosure of plaintiff’s private e-mail and social networking messages, as well as plaintiff’s MySpace comments and Facebook wall postings.  Plaintiff moved to quash the subpoenas, asserting that they were protected under the SCA.

The Court first found that plaintiff has standing to contest the issuance of the subpoena, stating that “an individual has a personal right in information in his or her profile and inbox on a social networking site and his or her webmail inbox in the same way that an individual has a personal right in employment and bank records.  As with bank and employment records, this personal right is sufficient to confer standing to move to quash a subpoena seeking such information.” Crispin v. Christian Audigier, 717 F.Supp.2d 965, 975 (C.D.Cal. 2010).

Next, the court determined that the Web hosting company is an ECS provider because it provides webmail, a service that users can access remotely to send and receive e-mail messages. More importantly, the court also held that Facebook and MySpace are ECS providers in connection with Facebook’s “wall posting” and MySpace’s “comment posting” services. The court compared the activities in that regard to private electronic bulletin board services (“BBS”).

The Court’s analysis did not end there. The court then examined the more difficult question of whether the postings constitute electronic storage within the meaning of the statute, which necessitates determining whether the providers also act as RCS providers with respect to certain stored communications. On that point, the court determined that when providers allow users to retain opened messages, the providers become RCS providers. According to the court, after the message has been delivered, the service is no longer electronic communication, but rather data storage. Thus, while the court quashed the subpoena with regard to wall postings that were clearly marked private, it remanded the matter to the magistrate judge to develop a fuller record regarding plaintiff’s privacy settings and the extent of access allowed to his Facebook and MySpace comments.

Congress has let far too much time lapse since the passage of the SCA. Technology has simply bypassed the law, and “until Congress brings the laws in line with modern technology, protection of the Internet and websites such as [these] will remain [at best] a confusing and uncertain area of the law.”  Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002).


Disciplining Employees for Unapproved Posts


It has become commonplace for companies and employees to use social media to build their businesses and interact with customers. In fact, more than 500 million people are now using Facebook® and over 175 million are using Twitter®. Even if businesses do not have an official social media page, their employees, or at least some of them, probably maintain their own personal pages. This may create legal and business risks for companies, especially for those that do not fully understand the use of social media. Indeed, if such use is not given careful consideration, it can damage and destroy goodwill with partners, investors, and consumers almost overnight.

Social networking’s expansive reach, and its impact on personal and professional communication, has put the traditional notions of privacy and free speech to the test.  Employees routinely post both personal and work-related content for their own purposes and without company consent, which can not only have negative implications for the employee, but the business as well.  For example, if an employee of a cell phone provider posts pictures of the newest 4G phone before it has been released to the public, there is a real risk that such a post can cause fiscal and legal damage to the company.  It has been widely assumed that such posting could be grounds for termination, but a recent case suggests that the answer may not be so black and white.

A complaint issued by the National Labor Relations Board (NLRB)’s Hartford regional office on October 10, 2010 alleges that an ambulance service illegally terminated an employee after that employee posted negative comments about his boss on Facebook®. The complaint goes on to allege that the company maintained and enforced an ‘overly broad’ blogging and internet posting policy. An NLRB investigation found that the employee’s postings constituted protected “concerted activity” with which an employer cannot interfere.

‘Protected concerted activity’ arises when employees generally speak about work issues with respect to working conditions or other matters that are of interest to them. While there are certainly limits to the freedom that employees have to post information about their employers, the outcome of this case could impact how some social media policies are written and enforced going forward, even in non-union companies.

The complaint filed in Hartford is contrary to the decision reached by the NLRB involving a challenge to Sears®’ social media policy. In that case, the Board denied a claim by a union that a portion of Sears®’ policy restricted the rights guaranteed under the National Labor Relations Act, which essentially protects an employee’s right to self-organize or form a union. The NLRB found that Sears®’ policy was sufficient for “a reasonable employee to understand that it prohibits the online sharing of confidential intellectual property or egregiously inappropriate language and not Section 7 protected complaints about grievances, on-the-job protests, picketing and strikes.”

The uncertainty surrounding what can and should be included in a social media policy does not always mean that a company should not have one, but rather highlights that these policies must constantly be reviewed and updated to reflect the ever-changing technical and legal landscape. In addition, banning social media use by employees is not likely to be effective because employees will undoubtedly continue to use it on their own time for personal use. Having a policy is critical for companies both to avoid the risks associated with the use of Web 2.0 platforms and to take advantage of the opportunities to remain competitive. While it is essential for a policy to be tailor-made to reflect the needs and requirements of an individual company and be directed to the protection of the employer’s business, professional reputation and client obligations, a review of policies finds that many of them cover similar topics:

  1. Scope – Employees must understand that they are not necessarily protected by the First Amendment and they will face discipline (including termination) for any postings that are injurious to or unapproved by the business.
  2. Affiliation – The policy must make it clear that employees are not permitted to speak on behalf of the company unless authorized to do so. Thus, postings by employees that are not clearly personal in nature should include a disclaimer that the employee is not expressing the company’s position.
  3. Confidentiality/Use of Intellectual Property – The policy must remind employees of their confidentiality obligations and the prohibition against unauthorized use of a company’s intellectual property. Companies should also use this opportunity to review their policies concerning the handling of intellectual property and confidential information and take steps to better protect such information.
  4. Marketing – The policy should contain clear guidelines on the use of endorsements and testimonials by third parties. Not only is such transparency required by the Federal Trade Commission, but a number of companies have gotten into trouble by failing to disclose that they were responsible for the on-line endorsements. In other words, the testimonials should come from a legitimate third party, not simply from a friendly co-worker.
  5. Non-disparagement Language – Despite the NLRB complaint discussed above, companies (especially non-union ones) should consider including language requiring that employees not disparage their own company or anything related to the company.

Other issues that a company should consider when crafting its social media policy include required separation of personal and professional accounts and guidelines for social media PR crisis response.  By adopting a comprehensive social media policy that includes the elements set forth above, a company can simultaneously reduce the risks and increase business opportunities, visibility, and engagement that can be created through the use of social media.




