Monday, May 30, 2011

Exceeding Authorized Access and the Kochind.com Mockup

As I’ve noted in earlier posts, federal and state “hacking” statutes criminalize two distinct types of unauthorized access: One is the “outsider” crime, in which the person was not authorized to have any access to the computer system at issue; the other is the “insider” crime, in which the person was authorized to access the computer system for certain purposes but (allegedly) exceeded the scope of the authorization in ways that violate the criminal statute at issue.


As I’ve also noted, the general federal computer crime statute – 18 U.S. Code § 1030 – creates a civil cause of action for those who have been injured by someone’s gaining unauthorized access to their computer system or someone exceeding the scope of their authorized access to such a system. Section 1030(g) says “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief”.


This post is about a civil suit a corporation brought against certain defendants, alleging, among other things, that they either (i) gained unauthorized access to the company’s website or (ii) exceeded their authorized access to the site. The case is Koch Industries, Inc., v. Does, 2011 WL 1775765 (U.S. District Court for the District of Utah 2011). This, according to the opinion, is how the lawsuit came about:


Koch Industries is a Kansas corporation that owns multiple companies involved in a wide variety of industries, including oil, coal, chemicals, fibers, pollution control equipment, forest and consumer products, and commodity trading. . . .


Koch maintains a website under the domain name kochind.com. In addition to describing its companies, Koch's website expresses Koch's policy viewpoints on several political issues. The website also includes periodic editorials taking issue with such things as the conclusions of scientists regarding climate change and the Obama administration's environmental policies. Furthermore, Koch uses its website to respond to critics of its political viewpoints. Because of the nature of Koch's businesses, the website provides only information and there are no products for sale on the website.


During . . . this litigation, Defendants identified themselves as anonymous members of Youth for Climate Truth, a group concerned about global climate change. This case arises from a press release created by Defendants purporting to announce a decision by Koch Industries to stop funding organizations that deny climate change. The press release was emailed to various new organizations and included a link to a website created by Defendants, www.koch-inc.com.


Defendants' site had the same look as the actual Koch Industries site but included the fake press release. Defendants' site also contained a link to the actual Koch website.


Defendants' press release announced that Koch would `restructure its support for organizations that undertake climate change research and advocacy.’ The release claimed the company would withdraw funding from groups `whose positions on climate change could jeopardize America's continued global competitiveness in the energy and chemical sectors.’ Such sentiments were in stark contrast to the policy viewpoints usually expressed by Koch. The press release and website were designed to appear as though they were created by Koch and did not mention the name of Youth for Climate Truth or any of its members.


Koch Industries, Inc. v. Does, supra.


The opinion notes that the Does’ “fake website at www.koch-inc.com was up for a few hours” but still “drew a fair amount of media attention.” Koch Industries, Inc. v. Does, supra. It also notes that the New York Times and The Hill “wrote articles identifying the press release and website as hoaxes”, as did other print and online sources. Koch Industries, Inc. v. Does, supra. Although, according to the opinion, there is “no evidence any media organization was fooled” by the Does’ actions, Koch Industries sued, alleging various causes of action. Koch Industries, Inc. v. Does, supra.


You may wonder who these “Does” are. When Koch Industries filed the lawsuit, it didn’t know their names, so it used the “John Doe” procedure. As you can read in this short online article about drafting a federal complaint, plaintiffs who want to sue someone but don’t know their identity can file a complaint naming John Doe (or John Doe #1, John Doe #2, John Doe #3, etc.) as the defendant(s). Once the plaintiff finds out the identity or identities of the defendant(s), he/she/it can then amend the caption of the complaint to add their real names.


That is what Koch Industries did here:


After filing the Complaint, Koch filed an ex parte motion for accelerated discovery to seek the identity of the anonymous Defendants. Koch sought to serve subpoenas on Fast Domain, the domain registration company Defendants used to register the domain name koch-inc.com, and BlueHost.com, the web-hosting company Defendants used to set up the fake website. This court granted Koch's motion and the subpoenas were served.


Because of the media's coverage of the court's order allowing the issuance of subpoenas to uncover the identity of the Defendants, [they] learned of the lawsuit and filed the present motion. In filing the motion, Defendants disclosed the name of the group behind the fake press release and website. . . . [but] seek to keep the names of the individuals involved anonymous. Although the web companies complied with the subpoenas, the identities of individuals who may have been disclosed through such compliance have not been disclosed publicly or to the court.


Koch Industries, Inc. v. Does, supra.


The “motion” the court refers to is the Does’ “Motion to Quash Subpoenas, Issue Protective Order, and Dismiss Complaint.” Koch Industries, Inc. v. Does, supra.


The parts that sought the protective order and the quashing of the subpoenas were obviously intended to preserve the anonymity of the various Does. The motion to dismiss the complaint was a direct attack on the lawsuit, which is why the district court judge addressed it first.


Koch Industries asserted three causes of action: trademark infringement and unfair competition; a violation of the Anticybersquatting Consumer Protection Act; and, as noted above, a violation of 18 U.S. Code § 1030. Koch Industries, Inc. v. Does, supra.


I’m not going to deal with the first two because it would take too long and because they don’t implicate criminal law as directly as the § 1030 claim. If you want to read about how the judge dealt with them, you can find the opinion here.


To prevail in a claim under 18 U.S. Code § 1030(g), the plaintiff has to prove that the defendant committed a computer crime, i.e., violated the criminal provisions of § 1030. The plaintiff, of course, seeks damages and other civil relief, not the incarceration or other punishment of the defendant.


In its § 1030(g) claim, Koch Industries seems to have alleged that the Does committed either or both of the crimes I described above:


Koch asserts that in creating the fake website Defendants acted without authorization and inconsistent with the company's grant of access. Even if Defendants had some limited authorization, Koch contends that they acted beyond the authorization granted by breaching its website's Terms of Use. Accordingly, Koch's [§ 1030] theory is [based on Koch’s claim] that Defendants agreed to the Terms of Use by using Koch's website.


Koch Industries, Inc. v. Does, supra.


The district court judge didn’t buy either theory:


To state a plausible claim under § 1030, one must be guilty of gaining `unauthorized access’ or `exceeding authorized access’ to a protected computer system. But in this case, Defendants created a mockup of Koch's website using information Koch made `publicly available on the Internet, without requiring any login, password, or other individualized grant of access.’ Cvent, Inc. v. Eventbrite, Inc., 739 F.Supp.2d 927 (E.D. Va. 2010). `By definition, therefore, [the defendants] could not have ‘exceeded’ [their] authority to access that data.’


Koch Industries, Inc. v. Does, supra. The judge noted that in Cevent,


as with Koch's website, the defendant took `no affirmative steps’ to prevent such access. The website was `not password-protected, nor [were] users of the website required to manifest assent to the Terms of Use, such as by clicking “I agree” before gaining access to the database. Rather, anyone . . . [could] access and search [the] information at will.’ Like Koch's website, the Terms of Use did `not appear in the body of the first page’ of the website; instead “`t]he link to access the Terms [was] buried at the bottom of the first page.’ Accordingly, the site was `not protected in any meaningful sense by its Terms of Use or otherwise.’


Koch Industries, Inc. v. Does, supra.


The district court judge therefore found that the Does were given


unimpeded access to the information on Koch's public website. Koch's complaint is not that Defendants obtained the information without authorization, but rather that they ultimately used the information in an unwanted manner. [Section 1030] addresses only the act of trespassing or breaking into a protected computer system; it does not purport to regulate the various uses to which information may be put.


Koch Industries, Inc. v. Does, supra.


Finally, the judge explained that while this was a civil suit under § 1030, his conclusion as to the extent of the


conduct prohibited by [§ 1030] `is equally applicable in the criminal context’ and must be interpreted consistent with the `rule of lenity,’ avoiding `surprising and novel’ interpretations that `impose unexpected burdens on defendants.’ LVRC Holdings LLC, 581 F.3d 1127 (9th Cir. 2009). If Koch's legal theory is correct, any violation of its Terms of Use -- that is, any use of its website's content of which Koch does not approve -- could expose a political critic to criminal prosecution. Such a result is clearly beyond Congress' intent in passing [18 U.S. Code § 1030].


Koch Industries, Inc. v. Does, supra.


The judge therefore dismissed Koch’s § 1030 claim, along with the other claims it asserted in the complaint. Koch Industries, Inc. v. Does, supra. And that, of course, mooted the Does’ requests to quash the subpoenas Koch had issues and to have the court issue a protective order safeguarding their identities. Koch Industries, Inc. v. Does, supra. By granting the motion to dismiss, the judge ended the lawsuit. Koch Industries, Inc. v. Does, supra.

No comments: