Prison for password sharing? Not likely.

After a ruling by the Ninth Circuit Court of Appeals, a number of blogs and articles appeared with headlines announcing that it is now a federal crime if, for instance, your kid uses your Netflix password.  While that kind of headline is good for traffic and buzz, it’s also typically exaggerated and misleading—at least insofar as this recent decision is concerned.

At the heart of the matter is the Computer Fraud and Abuse Act (CFAA), which has been sharply criticized for years by a number of civil liberties advocates who focus on digital-age issues.  The CFAA may also be referred to generically as the anti-hacking law, and there is perhaps legitimate concern that the language in the statute is overly broad and may therefore be abused by a capricious prosecutor to indict people who commit minor offenses (or non-offenses) under a law written to address serious cyber crimes.

The appeals court decision that ignited the recent flurry of headlines, United States v. Nosal, concerns David Nosal, a former employee of the executive search firm Korn/Ferry. After being dismissed from the firm, Nosal “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal.”  This is a partial description of the facts as stated in the Ninth Circuit’s en banc opinion issued in April 2012 in the same case.

There appears to be no dispute in the matter of Nosal’s criminal liability under several other statutes regarding his unauthorized access of Korn/Ferry’s protected data, but the appeal pertaining to the CFAA hinges on what critics—and at least some judges—feel is ambiguity over the meaning of “authority” to access a computer.  Because one of Nosal’s former colleagues still had credentials to log into the firm’s computers, and because she voluntarily shared those credentials, can Nosal then be charged with a violation of the CFAA?  Does authority come from the credential holder or from the computer owner?  Right there is where civil libertarians and dissenting judges say the ambiguity in the language could jeopardize you and me and every other citizen who voluntarily shares a password with a friend or family member for innocuous access to our personal accounts.  From the EFF:

“Nosal’s colleagues had the authority of an authorized user, the current employee who lent her credentials. Thus, if ‘authority’ can come from the account holder, as with a wife who lends her bank credentials to her husband to pay a bill, a college student who uses a parent’s Hulu or Amazon password, or someone who checks Facebook for a sick friend, then Nosal and his colleagues did not violate the CFAA.”

I wouldn’t call the distinction irrelevant, but neither would I call this case a particularly good reason for everyone to overreact, which has no doubt already happened on social media threads everywhere.  The employee with “authorized” access to Korn/Ferry’s database may well have given her permission to Nosal and others to use her login credentials, but that in itself was a criminal violation and a permission she had no “authority” to grant under any circumstances.  The majority opinion from the court is extensive on this point and argues that its interpretation of “authority” is both clear and consistent with sister circuit court decisions in precedent cases.

Meanwhile, even a very narrow interpretation of “authority” in Nosal’s case is a far cry from comparing these circumstances to the fact that I have a Netflix account which allows up to four devices simultaneous access to the service and that one of these may be used by my college-student son.  That’s what Netflix expects a family to do with an account that allows multi-device access.  Moreover, unlike Nosal’s “inside woman” at Korn/Ferry, I do have authority to give permission to a friend or spouse to log into my Facebook account.  Neither Facebook nor the federal government can mandate that the account holder has to be the individual who types in the credentials—to say nothing of how such a thing could ever be proved—so it seems like gratuitous hyperbole for the EFF and other critics to compare these everyday examples to Nosal.  Still, the three-judge panel had one dissenting opinion, which the EFF describes as follows:

“While the majority opinion said that the facts of this case ‘bear little resemblance’ to the kind of password sharing that people often do, Judge Reinhardt’s dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband’s user credentials to access his bank account to pay bills, Judge Reinhardt noted: ‘So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.’ As a result, although the majority says otherwise, the court turned anyone who has ever used someone else’s password without the approval of the computer owner into a potential felon.”

Indeed, we may now be a nation of felons, and if this is so, then Congress had better get on that.  But the fact that we are all guilty is the first reason we might want to calm down a bit before reacting to those scary headlines and getting in a big sweat about it.  Also, while I lack the credentials to argue with an appeals court judge, I’m going to argue a little anyway, because the wife in Judge Reinhardt’s example does have her husband’s permission to access the bank account, and the husband has the authority to grant her that permission. Judge Reinhardt knows this, though, and his point is that the statute ought to reflect the distinction between this common, family banking example and the Nosal case, in which the individual with the credentials did not have “authority” to grant access.  Reinhardt writes the following in his dissenting opinion:

“The majority [opinion] does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”

Perhaps Congress will need to review CFAA, but it seems simple enough to observe that “authority” to grant access will be predicated on the relationship between the login credential holder and the data being accessed. Korn/Ferry owns 100% of the data on its computer servers, its employees may only access that data under the conditions and permissions of the firm, and this access may be revoked at the sole discretion of the firm without question.  In short, nothing in the database belongs to any of the employee/users, who therefore have no authority ever to share access with anyone. In such a scenario, only the computer owner can have the “authority” to grant access.

This is very different from the relationship between a bank and a customer vis-a-vis one’s own account information pertaining to one’s own money. The bank owns the servers and the systems just like the bank owns the vault, but the customer owns the account information and assets in the account and has full discretion to use the information or assets as he sees fit, while the bank has very restricted authority to access or exploit either the data or the assets under management. Reinhardt’s comparison might be more compelling if the wife in the scenario were cheating on her husband and so gave the login credentials to a dashing third party to drain the bank account so they could run off to the Caribbean together.  In this soap opera, could said dashing third party (DTP) be indicted under CFAA in addition to other criminal charges? Arguably, the wife had more authority to grant access to the DTP than the Korn/Ferry employee had to grant access to Nosal, so I imagine CFAA would be an over-reach in this situation.

In the case of a Facebook account, the “ownership” question remains a bit vague. Many social media companies lay claim in their Terms of Service to “ownership” of every word and image we share on their platforms, but does that make these companies the “owners” of the data in the same way that Korn/Ferry owns its data?  I would argue it does not, especially since none of our shared social media data can be called “private” or Facebook’s “trade secrets.” As with the banking example, a social media account involves a shared “authority” to access based on the relationship between the data and the account holder; and this would seem to void any assumed violation of CFAA.  Regardless, it will likely be years before these questions are officially resolved, but I wouldn’t lose years of sleep in the meantime worrying about felony charges for common password sharing.

EFF Launches New TPP Infographic

So, this week, the Electronic Frontier Foundation launched its new infographics (stress on graphic), still pitching the idea that it is the IP provisions in the Trans Pacific Partnership agreement that are of the gravest concern.  The EFF states on its site that the infographics are covered by a Creative Commons license* and that anyone is free to use or remix the assets with attribution.  So, with all due credit to the EFF for the original works, I have taken the liberty of remixing as suggested.  And in the spirit of sharing, feel free to use these on social media with or without attribution.

[Remixed infographics: EFFishTPP01a, EFFishTPP02, EFFishTPP03]

*CC-BY 3.0 https://creativecommons.org/licenses/by/3.0/us/

What Exactly Does the EFF Want?

As stated in my post announcing a voluntary agreement between MPAA and domain-name service Donuts, both rights holders and digital rights proponents should applaud this kind of B2B approach to mitigating online piracy.  That doesn’t mean I thought the latter parties actually would applaud it. And with the stalwart predictability of a honey badger, Mitch Stoltz of the Electronic Frontier Foundation fired off this missive, eager to criticize the agreement just hours after it came out of the shrink wrap.  The conditions of the agreement are so straightforward that it seems to me any honest acknowledgment of its terms might have stayed Stoltz’s hyperbolic pen before describing Donuts in this context as the “copyright police” or before beginning his post as follows:

“The companies and organizations that run the Internet’s domain name system shouldn’t be in the business of policing the contents of websites, or enforcing laws that can impinge on free speech.”

Right off the bat, Stoltz misrepresents the process as described in the agreement.  Donuts will not be “policing” any content at all.  Instead, the agreement outlines very specific conditions under which the MPAA may send a referral, backed by evidence, to Donuts regarding a domain that is “clearly and pervasively” engaged in large-scale piracy. At that point, Donuts has full discretion to choose to investigate further and to consider taking mitigating action consistent with its own Terms of Service.  That’s not quite the same as engaging a private company to “enforce the law” as Stoltz states. It is a voluntary effort by a company to uphold or comply with the law in its practices, which is consistent with the internal policies of corporations all over the world.  So, why is the broader rationale different with a domain name service provider? I know.  Because the Internet is special.

Meanwhile, shutting down, delisting, or blocking sites dedicated to enterprise-scale piracy via court-ordered injunction has occurred repeatedly for at least 15 years, and yet free speech has endured. So, it is hard to imagine how the free speech calculus changes if a private company—which has a clear, vested interest in keeping domains online—decides not to support a specific enterprise engaged in large-scale infringement. But as we’ve seen in other contexts, the EFF is a place where imaginations run wild.  For instance, Stoltz writes:

“Taking away a website’s domain name means interrupting all of the speech that takes place on that site. It creates a much greater danger of censorship than suppressing individual pages or files. And the domain name system only works so long as most Internet users trust it to direct them to the websites they ask for, not only those that politically connected companies and repressive governments want them to see. That’s why domain registries and registrars shouldn’t take part in policing the contents of websites and services. And that’s why we’ll continue to fight the website-blocking power grab.”

So, here’s the bottom line of the agreement vis-a-vis Donuts’s role; note how much of it is discretionary language:

If Donuts is satisfied that the domain clearly is devoted to clear and pervasive copyright infringement, Donuts may, in its discretion and as permitted under its Acceptable Use and Anti-Abuse Policy, suspend, terminate, or place the domain on registry lock, hold, or similar status as it determines necessary to mitigate the infringement.

I have to admit the ability to translate that into “interrupting speech” or to invoke “repressive governments” is actually something of an art form.  The EFF should probably give an award for Best Post Making a Mountain out of a Molehill (of course, I’ve never been invited to one of their dinners, so maybe they do).  Anyway, is Stoltz actually suggesting that if Donuts—and by extension other services—were to suspend domains under these types of guidelines, this would be a slippery slope toward censorship by order of a repressive government?  Why? How? Which repressive government?  China?  The Web is already massively censored in China, which is a human rights issue that has nothing to do with the mechanisms in this type of voluntary, anti-piracy initiative.

Here’s a news flash:  free speech doesn’t exist in several other countries.  And where free speech doesn’t exist, it cannot be infringed or chilled; it is instead a right yet to be won—a struggle largely separate from the exigencies of either Hollywood studios or Silicon Valley Internet companies, though both industries have a vested interest in a world where speech ultimately prevails. Meanwhile, in this country, there can be consequences for actually stifling someone’s speech, so Donuts has legal and financial incentive to proceed with due diligence in regard to any referral it receives. Moreover, it will be the case that any domain meeting the standards for referral by the MPAA will be an enterprise-scale infringer operating in a foreign country–not somebody’s blog.

Speech simply does not belong in this discussion, but since it is the perennial excuse for piracy, I think it’s worth mentioning that piracy champions love to say that no measure can stop the major infringing sites because they will always move around the Web. This same observation is never made about free speech itself, which is considerably more agile and infinitely larger in scope. The EFF might notice that there are trillions of expressions made every hour on the Internet, and no legislative or private-industry measure—at least in this country—is ever likely to stop that.

At the same time, we might also keep in mind that the platforms we use for most of this speech–like the one I’m using right now–belong to corporations, and corporations sometimes fail.  In this regard, the EFF might consider that the Internet it so staunchly defends can be corrupted by piracy, which has been linked to malware and other scams that harm users and weaken the faith of advertisers in the digital ecosystem. After all, the major Internet companies don’t have multi-billion-dollar valuations because they’re platforms for free speech; they’re valued in the stratosphere because they are advertising and data mining businesses. And that’s fine, I guess, but let’s shed the illusion that these sites are run on principle.  Wall Street doesn’t invest in principle. They like money.

In this regard, I have to call particular attention to Stoltz’s statement that “the domain name system only works so long as most Internet users trust it to direct them to the websites they ask for ….” Indeed. But it’s disappointing that the EFF does not acknowledge the loss of trust in the system that occurs when searches for quality information or legitimate resources yield top results that include piracy and spam.  At the very least, the user’s time is wasted; and at most, clicking on these links can expose him to malware leading to identity theft and other hazards. Perhaps more benignly, we know that in walled gardens like Facebook, our feeds are no longer chronological but rather represent what that company’s algorithm has determined we “want” to see.  And similar manipulation of Google search results “tailored” to our apparent preferences continues to be studied as a means to influence political debate or affect the outcome of an election.  If the EFF wants to fuss about free speech, these seem like far more acute areas of focus than the hypothetical shutting down of a handful of criminal operations.

And so, I return to my lead question:  What in blazes does the EFF want?  They don’t like law-enforcement remedies for online piracy, and they apparently don’t want to see voluntary cooperation between OSPs and rights holders either.  At a certain point, it seems we have to conclude that what they want most of all is to maintain their relevance by constantly finding a problem for every solution.