Attorney Evan Brown

May 28, 2010 Computer Crime

That bogus social networking profile can send you to jail

Clear v. Superior Court, 2010 WL 2029016 (Cal.App. 4 Dist. May 24, 2010)

The California Court of Appeal has held that a man who set up a bogus MySpace profile of his former church pastor can stand trial for criminal “personation.”

The defendant’s alleged conduct that might really put him on the hook is what he did after setting up the profile: he posted content that suggested the pastor used drugs and was gay. Because this could have resulted in the pastor losing his job, the court found the statute prohibiting personation of another might have been violated (that question will be resolved at trial unless there’s a plea deal).

The criminal personation statute (Penal Code Sec. 529) has an intriguing framework for liability. Apparently it’s not enough just to say you’re someone else. To be liable you’ve got to actually do something while assuming that persona that would subject your target to some kind of legal harm.

For example, just saying to the cops that you’re someone else, that you have that persons birthday and even responding affirmatively to whether you have their middle name apparently isn’t enough to violate the statute. People v. Cole, 23 Cal.App.4th 1672 (1994).

But using your sister’s name when you get a traffic ticket and also forging her signature on the citation isn’t allowed. People v. Chardon, 77 Cal.App.4th 205 (1999).

All the reason not to set up that Facebook profile of your boss and populate it with tales of drugs and other shenanigans.

Image by Balakov under this Creative Commons license.

May 25, 2010 Anonymity, Copyright

Anonymous accused Bittorrent user moves to quash subpoena using real name

Worldwide Film Entertainment, LLC v. Does 1-749, 2010 WL 2011306 (D.D.C. May 20, 2009)

Some have already commented on their scruples arising from the large economies of scale approach to copyright litigation that’s being undertaken by lawyers with the U.S. Copyright Group to go after Bittorrent movie sharers. See, for example, what Mike Masnick and Eriq Gardner have had to say. And the ISPs aren’t all that happy about the work required to respond to a bunch of subpoenas.

So no one should be surprised if some interesting little internet law vignettes play out along the way. One of those vignettes is wrapping up in federal court in Washington D.C. It has to do with anonymity.

Worldwide Film Entertainment has sued over 700 anonymous Bittorrent users over the 2007 film The Gray Man. As with any case of this sort (like the numerous RIAA lawsuits), the plaintiff doesn’t know the identity of the various defendants when the lawsuit starts. All it has is an IP address for each alleged infringement, so it has to go to the ISP to link that IP address with an individual’s name and physical address. Then the plaintiff will know who to list as a defendant.

But most ISPs won’t turn over subscriber information without a subpoena. So Worldwide Film Entertainment had a subpoena issue to Comcast, the ISP for the IP address associated with one of the alleged infringements. Under the Cable Communications Policy Act of 1984 (at 47 USC 551), providers like Comcast have to notify their subscriber before turning over the subscriber’s information.

Comcast notified its subscriber in this case, one Mr. Simko, of Worldwide Film Entertainment’s efforts to learn Mr. Simko’s identity.

And here’s the part that makes this little vignette so charming: rather than challenge the plaintiff’s efforts to unmask his identity, Mr. Simko filed a motion to quash the subpoena USING HIS REAL NAME.

The court denied the motion to quash. The basis for denying the motion is kind of an aside (the motion to quash phase was not the right time to challenge venue or knowledge of the infringement).

What’s noteworthy about the case is Mr. Simko’s decision to voluntarily waive his anonymity. Not only did he challenge the subpoena using his own name, he filed as an exhibit the letter he got from Comcast notifying him of the subpoena. Right there, in all caps and as plain as day were Simko’s name and address for all to see.

Photo courtesy Flickr user pourmecoffee.

May 24, 2010 Podcasts

Video of This Week in Law Episode 61

Most Friday afternoons you can find me on This Week in Law. We record at 1pm Central and the video is available live here, archived here, and audio is available here. This past week was lots of fun talking with Fred von Lohmann from the EFF. Host Denise Howell always does a great job, and I also enjoyed talking with guest Jeff Richardson. Hope you’ll tune in from time to time.

May 15, 2010 Anonymity, First Amendment

Troubling decision in matter involving anonymous bloggers

20/20 Financial Consulting, Inc. v. Does 1-5, 2010 WL 1904530 (D.Colo. May 11, 2010) [Opinion embedded below.]

A financial consulting company has filed a lawsuit in federal court in Colorado alleging that certain anonymous web users have posted defamatory statements about the plaintiff on blogs and in message forums. The plaintiff asked the court for an order permitting it to serve subpoenas (apparently to the host and/or the ISP) to uncover the identity of the anonymous bloggers.

With essentially no analysis of the rights of the “John Doe” defendants, the court ordered that the discovery be permitted. This ruling is troubling for a couple of reasons.

There’s an important potential First Amendment issue here over which the court appears to have run roughshod. Each one of us has the constitutional right to speak anonymously. And courts need to be careful not to breach that right when asked to order that anonymous speakers be identified. Responsible courts give this constitutional interest the appropriate treatment by requiring that a certain showing by the plaintiff be made before the unmasking is permitted. See this page for a whole host of court opinions addressing that balancing test.

If the court went through that analysis in this case, it sure does not show up in the opinion.

One big troubling aspect is that the court compared the present situation to one in an earlier copyright infringement case brought by the RIAA. That comparison is not quite valid. In copyright cases, unlike defamation cases, the nature of what the plaintiff pleads is necessarily different — you have to plead a valid copyright registration as half of your prima facie case of copyright infringement. That means you already have the Copyright Office’s stamp of approval, so to speak, that the rights you are asserting are valid. In defamation cases there’s nothing equivalent to a copyright registration certificate. The plaintiff just says the offending statements are defamatory, and that has to be proven later. Simply stated, a claim for copyright infringement, properly pled, will be stronger, and will tend to suggest more clearly, that something actionable has occurred, than will mere assertions of defamation.

Apart from cursorily comparing this case to an unmasking in a copyright infringement case, the court does not mention the potential First Amendment concern of the anonymous defendants, nor does it mention the strength of the plaintiff’s allegations of defamation. The court simply says, “[b]ecause it appears likely that Plaintiff will continue to be thwarted in its attempts to identify Defendants without the benefit of formal discovery mechanisms, the court finds that Plaintiff should be permitted to conduct expedited discovery.” Such a reasoning would suggest anyone sued as a John Doe for defamation should be unmasked pretty much as a matter of course. That’s dangerous.

Anonymous photo courtesy Flickr user Neil Carey under this Creative Commons license.

cod-03902818228

May 12, 2010 Cybersquatting, Trademarks

Trademark holder not entitled to domain name registered years before

Arizona State Trailer Sales, Inc. d/b/a Little Dealer Little Prices RV v. World Wide RV, No. FA1003001315658 (Nat’l Arb. Forum, May 7, 2010)

Startups in the process of selecting a company or product name are often frustrated to see that someone else, years ago, registered the .com version of their newly thought-of name. Similarly, companies that have acquired a trademark registration wonder whether they can use their crisp new registration certificate to stomp out someone else who has been using a domain name similar to the company’s new mark.

A recent case arising under the Uniform Domain Name Dispute Resolution Policy (UDRP for short) shows us that the earlier domain name registration is usually going to be on solid ground against a later-arriving trademark owner.

In the case of Arizona State Trailer Sales, Inc. d/b/a Little Dealer Little Prices RV v. World Wide RV, a National Arbitration Forum panelist denied the trademark owner’s cybersquatting claim against another company who had registered the domain name version of the trademark in 2006.

To be successful under the UDRP, the complainant would have had to show:

the domain name registered by the respondent was identical or confusingly similar to a trademark or service mark in which the complainint had rights;
the respondent had no rights or legitimate interests in respect of the domain name; and
the domain name had been registered and was being used in bad faith.

The complaint failed on the first of these three elements. The panel found that the requirement of being identical or confusingly similiar “necessarily implies that Complainant’s rights must predate the registration of Registrant’s domain name.” Since the domain name in this case was registered years before, there was no relief to be had. The request to transfer the domain name was denied.

May 4, 2010 Computer Crime, Employment, Privacy

Judge: the concept of internet privacy is a fallacy upon which no one should rely

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct on focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to elminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?

Privacy photo courtesy Flickr user rpongsaj under this Creative Commons license.

April 21, 2010 DMCA

Pro-DRM decision under DMCA

Actuate Corp. v. IBM Corp., No. 09-5892 (N.D. Cal. April 5, 2010) [Scroll down for opinion]

Distribution of software license keys on the internet may constitute trafficking in circumvention technology, which is prohibited under the Digital Millennium Copyright Act (“DMCA”)

Plaintiff software licensor sued defendant for, among other things, violation of the anticircumvention provisions of the DMCA found at 17 USC 1201. Plaintiff alleged that defendant posted license keys on the internet, which purportedly would enable plaintiff’s software to be “installed on an unlimited basis.”

Defendant moved to dismiss, pointing to a line of cases including I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc. and Egilman v. Keller & Heckman, LLP [see this old blog post about Egilman].

The I.M.S. line of cases hold that the use of a password issued by the copyright holder does not amount to “circumvention” under the DMCA. Under this thinking, the use of an issued password, even if done without authority, does not result in the “avoiding, bypassing, removing, deactivating, or otherwise impairing [of] a technological measure.”

But another line of cases, headed by 321 Studios v. MGM Studios, Inc. suggests differently. The court in 321 Studios reasoned that unauthorized use of a decryption code (the same one issued by the manufacturer) to bypass the encryption on a DVD served to avoid and bypass the encryption.

In this case, despite both parties’ attempts to show the compatibility of the lines of cases, the court found them to be irreconcilable. It sided with the thinking behind the 321 Studios line, finding no support for a distinction between passwords and other types of code that might be used for decryption.

Here’s the opinion:

Skeleton key photo courtesy Flickr user theogeo under this Creative Commons license.

April 20, 2010 First Amendment

Ohio internet obscenity statute constitutional

American Booksellers Foundation for Free Expression v. Strickland, — F.3d —, 2010 WL 1488123 (6th Cir. April 15, 2010)

Court holds that statute prohibiting distribution of material harmful to minors directly via the internet is not overly broad and therefore not unconstitutional.

Ohio has a statute that criminalizes sending juveniles material that is harmful to those juveniles (ORC 2907.31). Section D of that statute specifically addresses communications “by means of an electronic method of remotely transmitting information.”

A group of booksellers and publishers challenged this statute on First Amendmendment grounds, arguing that the provisions are overly broad. After a complex procedural journey that began in 2002, the Sixth Circuit Court of Appeals has held that the statute is not unconstitutional.

The court held that the statute was not overly broad because it only apllies to personally directed communications. For that reason, the plaintiffs were unable to demonstrate from the text of the statute that a “substantial number of instances exist in which the law cannot be applied constitutionally.”

Unlike a typical First Amendment case, the court did not apply the “strict scrutiny” test for constitutionality, because the statute does not affect protected speech among adults. But the court noted that even if that test applied, it would have survived strict scrutiny, given the compelling interests in protecting children from predators.

(Photo: Derived from an image licensed under a Creative Commons Attribution Share-Alike (2.0) from iboy’s photostream)

How Twitter’s grant to the Library of Congress could be copyright-okay

Twitter is giving a copy of the archive of all tweets from the beginning of time to the Library of Congress. The inevitable outrage has ensued. One big concern is privacy. You gotta admit it’s creepy (and evokes Big Brother) to know that all your tweets will belong to the feds.

The other outrage-catalyst is copyright, and the possible violation of the license that one grants to Twitter via the terms of service.

Venkat and I exchanged some email earlier today on this topic. What if you delete your tweets? Doesn’t that terminate the license you gave to Twitter to store and share your content? How can the Library of Congress still keep its copy if the original license has ended? Fred Stutzman has also asked these kinds of questions.

These objections seem to presume that if one were to remove his or her tweets from Twitter, the license would be revoked, and any subsequent display by Twitter would be an infringement. I imagine that’s true in relation to Twitter, but I’m not so convinced when it comes to the Library of Congress. They’d likely fall under Section 108 of the Copyright Act.

Section 108 (17 USC 108) says that it’s not an infringement for a library to make a copy or distribute a work if (1) it’s not for commercial advantage, (2) the collections of the library are open to the public or available to all researchers in a particular field, and (3) the notice of copyright in the original work remains intact or if no notice can be found, there’s a legend stating that it may be protected under copyright.

You see what I’m saying? The Library of Congress would appear to have the right to archive one’s Twitter stream regardless of any assitance on Twitter’s part. In other words, by providing the archive, Twitter is just helping the LOC do something it’s entitled to do anyway.

What do you think?