Newsgroups: misc.legal,comp.orf.eff.talk From: mnemonic@eff.org (Mike Godwin) Subject: Cardozo Law Forum article on the Craig Neidorf Computer-Crime Message-ID: <1992Dec1.155823.27405@eff.org> Organization: Electronic Frontier Foundation Date: Tue, 1 Dec 1992 15:58:23 GMT Lines: 339 Readers of misc.legal and comp.org.eff.talk may be interested in the following article, which addresses the intersection of intellectual-property law and criminal law in a computer-crime case. The article first appeared in September in the Cardozo Law Forum at Cardozo Law School in New York City. ---------- Some "Property" Problems in a Computer Crime Prosecution By Mike Godwin The spread and pervasiveness of computer technology create the potential both for new kinds of crimes and for new variations of traditional crimes. Law enforcement, the judiciary, and the legislature can respond to these potentials in two ways: by seeking new laws to address new problems, or by attempting to apply old laws (and traditional notions of crime) in new and unforeseen situations. This article concerns what hazards may face prosecutors and judges when law enforcement chooses the latter tactic. In particular, it shows what can happen when prosecutors uncritically apply intellectual property notions in prosecuting a defendant under laws passed to protect tangible property. The government stumbles in a "hacker" case. In the recent case of U.S. v. Riggs, the Chicago U.S. Attorney's office prosecuted two young men, Robert Riggs and Craig Neidorf, on counts of wire fraud (18 U.S.C. 1343), interstate transportation of stolen property (18 U.S.C. 2314) and computer fraud (18 U.S.C. 1030). Of these statutes, only the last was passed specifically to address the problems of unauthorized computer intrusion; the other two are "general purpose" federal criminal statutes that are used by the government in a wide range of criminal prosecutions. The wire fraud statute includes as an element the taking (by fraudulent means) of "money or property," while the interstate-transportation-of-stolen-property (ITSP) statute requires, naturally enough, the element of "goods, wares, merchandise, securities or money, of the value of $5,000 or more." (I do not address here the extent to which the notions of "property" differ between these two federal statutes. It is certain that they do differ to some extent, and the interests protected by the wire-fraud statute were expanded in the 1980s by Congress to include "the intangible right to honest services." 18 U.S.C. 1346.. Even so, the prosecution in the Riggs case relies not on 1346, but on intellectual-property notions, which are the focus of this article.) The 18 U.S.C. 1030 counts against Neidorf were dropped in the government's June 1990 superseding indictment, the indictment actually used at Neidorf's trial in July 1990. The Riggs case is based on the following facts: Robert Riggs, a computer "hacker" in his early '20s, discovered that he could easily gain access to an account on a computer belonging to Bell South, one of the Regional Bell Operating Companies (RBOCs). The account was highly insecure--access to it did not require a password (a standard, if not always effective, security precaution). While exploring this account, Riggs discovered a word-processing document detailing procedures and definitions of terms relating the Emergency 911 system ("E911 system"). Like many hackers, Riggs had a deep curiosity about the workings of this country's telephone system. (This curiosity among young hackers is a social phenomenon that has been documented for more than 20 years. See, e.g., Rosenbaum, "Secrets of the Little Blue Box," Esquire, October 1971; and Barlow, "Crime and Puzzlement: In Advance of the Law on the Electronic Frontier," Whole Earth Review, September 1990.) Riggs knew that his discovery would be of interest to Craig Neidorf, a Missouri college student who, while not a hacker himself, was an amateur journalist whose electronically distributed publication, Phrack, was devoted to articles of interest to computer hackers. Riggs sent a copy of the E911 document to Neidorf over the telephone line--using computer and modem--and Neidorf edited the copy to conceal its origin. Among other things, Neidorf removed the statements that the information contained in the document was proprietary and not for distribution. Neidorf then sent the edited copy back to Riggs for the latter's review; following Riggs's approval of the edited copy, Neidorf published the E911 document in the February 24, 1989, issue of Phrack. Some months following publication of the document in Phrack, both Riggs and Neidorf were caught and questioned by the Secret Service, and all systems that might contain the E911 document were seized pursuant to evidentiary search warrants. Riggs and Neidorf were indicted on the counts discussed supra; Riggs, whose unauthorized access to the BellSouth computer was difficult to dispute, later pled guilty to wire fraud for that conduct. Neidorf pled innocent on all counts, arguing, inter alia, that his conduct was protected by the First Amendment, and that he had not deprived Bell South of property as that notion is defined for the purposes of the wire fraud and ITSP statutes. The two defenses are closely related. Under the First Amendment, the presumption is that information is free, and that it can readily be published and republished. For this reason, information gives rise to a property interest only if it passes certain legal tests. Law enforcement cannot simply assume that whenever information has been copied from a private computer system a theft has taken place. In Neidorf's case, as it turns out, this is essentially what the Secret Service and the U.S. Attorney's office did assume. The assumption came back to haunt the government when it was revealed during trial that the information contained within the E911 document did not meet any of the relevant legal tests to be established as a property interest. How information becomes stealable property. In order for information to be stolen property, it must first be property. There are only a few ways that information can qualify as a property interest, and two of these--patent law and copyright law--are creatures of federal statute, pursuant to an express Constitutional grant of legislative authority. (U.S. Constitution, Article I, Sec. 8, clause 8.) Patent protections were clearly inapplicable in the Neidorf case; the E911 document, a list of definitions and procedures, did not constitute an invention or otherwise patentable process or method. Copyright law might have looked more promising to Neidorf's prosecutors, since it is well established that copyrights qualify as property interests in some contexts (e.g., the law of inheritance). Unfortunately for the government, the Supreme Court has explicitly stated that copyrighted material is not property for the purposes of the ITSP statute. In Dowling v. United States, 473 U.S. 207 (1985), the Court held that interests in copyright are outside the scope of the ITSP statute. (Dowling involved a prosecution for interstate shipments of pirated Elvis Presley recordings.) In reaching its decision, the Court held, inter alia, that 18 U.S.C. $ 2314 contemplates "a physical identity between the items unlawfully obtained and those eventually transported, and hence some prior physical taking of the subject goods." Unauthorized copies of copyrighted material do not meet this "physical identity" requirement. The Court also reasoned that intellectual property is different in character from property protected by generic theft statutes: "The copyright owner, however, holds no ordinary chattel. A copyright, like other intellectual property, comprises a series of carefully defined and carefully delimited interests to which the law affords correspondingly exact protections." The Court went on to note that a special term of art, "infringement," is used in reference to violations of copyright interests--thus undercutting any easy equation between unauthorized copying and "stealing" or "theft." It is clear, then, that in order for the government to prosecute the unauthorized copying of computerized information as a theft, it must rely on other theories of information-as-property. Trade secret law is one well-established legal theory of this sort. Another is the breach-of-confidence theory articulated recently by the Supreme Court in Carpenter v. United States, 108 S.Ct. 316 (1987). I will discuss each theory in turn below. Trade Secrets Trade secrets are generally creatures of state law, and most jurisdictions have laws that criminalize the violations of a trade-secret holder's rights in the secret. There is no general federal definition of what a trade secret is, but there have been federal cases in which trade-secret information has been used to establish the property element of a federal property crime. See, e.g., United States v. Bottone, 365 F.2d 389 (2d Cir.), cert denied, 385 U.S. 974 (1966), affirming ITSP convictions in a case involving a conspiracy to steal drug-manufacturing bacterial cultures and related documents from a pharmaceutical company and sell them in foreign markets. (In Bottone, a pre-Dowling appellate court expressed a willingness to interpret 18 U.S.C. $ 2314 as encompassing the interstate transportation of copies of documents detailing the drug-manufacturing process, i.e., it did not require the "physical identity" element discussed supra. Recognizing possible problems with this approach, however, the appellate court reasoned in the alternative that the bacterial cultures themselves provided a sufficient nexus of a tangible property interest to justify application of the ITSP statute; this alternative analysis may render Bottone consistent with Dowling. It should be noted that the post-Dowling judge in Riggs expressed, in his denial of a motion to dismiss, 739 F.Supp. 414 (N.D.Ill, 1990), a similar willingness not to require actual physical identity as a predicate for ITSP. An appellate court later criticized this decision. U.S. v. Brown, 925 F.2d 1301 (1991).) The problem in using a trade secret to establish the property element of a theft crime is that, unlike traditional property, information has to leap several hurdles in order to be established as a trade secret. Trade secret definitions vary somewhat from state to state, but the varying definitions typically have most elements in common. One good definition of "trade secret" is outlined by the Supreme Court in Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974): "a trade secret may consist of any formula, pattern, device or compilation of information which is used in one's business, and which gives one an opportunity to obtain an advantage over competitors who do not know or use it. It may be a formula for a chemical compound, a process of manufacturing, treating or preserving materials, a pattern for a machine or other device, or a list of customers." The Court went further and listed the particular attributes of a trade secret * The information must, in fact, be secret--"not of public knowledge or of general knowledge in the trade or business." * A trade secret remains a secret if it is revealed in confidence to someone who is under a contractual or fiduciary obligation, express or implied, not to reveal it. * A trade secret is protected against those who acquire via unauthorized disclosure, violation of contractual duty of confidentiality, or through "improper means." ("Improper means" includes such things as theft, bribery, burglary, or trespass. The Restatement of Torts at 757 defines such means as follows: "In general they are means which fall below the generally accepted standards of commercial morality and reasonable conduct.") * A court will allow a trade secret to be used by someone who discovered or developed the trade secret independently (that is, without taking it in some way from the holder), or if the holder does not take adequate precautions to protect the secret. * An employee or contractor who, while working for a company, develops or discovers a trade secret, generally creates trade secret rights in the company. The holder of a trade secret may take a number of steps to meet its obligation to keep the trade secret a secret. These may include: a) Labelling documents containing the trade secret "proprietary" or "confidential" or "trade secret" or "not for distribution to the public;" b) Requiring employees and contractors to sign agreements not to disclose whatever trade secrets they come in contact with; c) destroying or rendering illegible discarded documents containing parts or all of the secret, and; d) restricting access to areas in the company where a nonemployee, or an employee without a clear obligation to keep the information secret, might encounter the secret. Dan Greenwood's Information Protection Advisor, April 1992, page 5. Breach-of-confidence Even if information is not protected under the federal patent and copyright schemes, or under state-law trade-secret provisions, it is possible, according to the Supreme Court in Carpenter, for such information to give rise to a property interest when its unauthorized disclosure occurs via the breach of confidential or fiduciary relationship. In Carpenter, R. Foster Winans, a Wall Street Journal reporter who contributed to the Journal's "Heard on the Street" column, conspired with Carpenter and others to reveal the contents of the column before it was printed in the Journal, thus allowing the conspirators to buy and sell stock with the foreknowledge that stock prices would be affected by publication of the column. Winans and others were convicted of wire fraud; they appealed the wire-fraud convictions on the grounds that had not deprived the Journal of any money or property. It should be noted that this is not an "insider trading" case, since Winans was no corporate insider, nor was it alleged that he had received illegal insider tips. The "Heard on the Street" column published information about companies and stocks that would be available to anyone who did the requisite research into publicly available materials. Since the information reported in the columns did not itself belong to the Journal, and since the Journal planned to publish the information for a general readership, traditional trade secret notions did not apply. Where was the property interest necessary for a wire-fraud conviction? The Supreme Court reasoned that although the facts being reported in the column were not exclusive to the Journal, the Journal's right--presumably based in contract--to Winans' keeping the information confidential gave rise to a property interest adequate to support a wire-fraud conviction. Once the Court reached this conclusion, upholding the convictions of the other defendants followed: even if one does not have a direct fiduciary duty to protect a trade secret or confidential information, one can become civilly or criminally liable if one conspires with, solicits, or aids and abets a fiduciary to disclose such information in violation of that person's duty. The Court's decision in Carpenter has received significant criticism in the academic community for its expansion of the contours of "intangible property," but it remains good law today. How the theories didn't fit With these two legal approaches--trade secrets and breach of confidence--in mind, we can turn back to the facts of the Riggs case and see how well, or how poorly, the theories applied in the case of Craig Neidorf. With regard to any trade-secret theory, it is worth noting first of all that the alleged victim, BellSouth, is a Regional Bell Operating Company--a monopoly telephone-service provider for a geographic region in the United States. Recall the observation in Kewanee Oil, supra, that a trade secret "gives one an opportunity to obtain an advantage over competitors who do not know or use it." There are strong arguments that--at least so far as the provision of Emergency 911 service goes--BellSouth has no "competitors" within any normal meaning of the term. And even if BellSouth did have competitors, it is likely that they would both know and use the E911 information, since the specifications of this particular phone service are standardized among the regional Bells. Moreover, as became clear in the course of the Neidorf trial, the information contained in the E911 document was available to the general public as well, for a nominal fee. (One of the dramatic developments at trial occurred during the cross-examination of a BellSouth witness who had testified that the E911 document was worth nearly $80,000. Neidorf's counsel showed her a publication containing substantially the same information that was available from a regional Bell or from Bellcore, the Bells' research arm, for $13 to any member of the public that ordered it over an 800 number.) Under the circumstances, if the Bells wanted to maintain the E911 information as a trade secret, they hadn't taken the kind of steps one might normally think a keeper of a secret would take. BellSouth had, however, taken the step of labelling the E911 document as "NOT TO BE DISCLOSED OUTSIDE OF BELLSOUTH OR ITS SUBSIDIARIES" (it was this kind of labelling that Neidorf attempted to remove as he edited the document for publication in Phrack). This fact may have been responsible for the federal prosecutors' oversight in not determining prior to trial whethe E911 document met the tests of trade-secret law. It is possible that prosecutors, unfamiliar with the nuances of trade-secret law, read the "proprietary" warnings and, reasonining backwards, concluded that the information thus labelled must be trade-secret information. If so, this was a fatal error on the government's part. In the face of strong evidence that the E911 document was neither secret nor competitively or financially very valuable, any hope the government had of proving the document to be a trade secret evaporated. (Alternatively, the government may have reasoned that the E911 information could be used by malicious hackers to damage the telephone system in some way. The trial transcript shows instances in which the government attempted to elicit information of this sort. It should be noted, however, that even if the information did lend itself to abuse and vandalism, this fact alone does not bring it within the scope of trade-secret law.) Nor did the facts lend themselves to a Carpenter-like theory based on breach of confidence; Neidorf had no duties to BellSouth not to disclose its information. Neither did Riggs, from whom Neidorf acquired a copy of the document. The Riggs case lacks the linchpin necessary for a conviction based on Carpenter--in order for nonfiduciaries to be convicted, there must be a breaching fiduciary involved in the scheme in some way. There can be no breach of a duty of confidence when there is no duty to be breached. Thus, when its trade-secret theory of the E911 document was demolished in mid-trial, the government had no fall-back theory to rely on with regard to its property-crime counts, and the prosecution quickly sought a settlement on terms favorable to Neidorf, dropping prosecution of the case in return for Neidorf's agreement to a pre-trial diversion on one minor count. The lesson to be learned from Riggs is that it is no easy task to establish the elements of a theft crime when the property in question is information. There are good reasons, in a free society, that this should be so--the proper functioning of free speech and a free press require that information be presumptively protected from regulation by government or by private entities invoking the civil or criminal law property protections. The government in Riggs failed in its duty to recognize this presumption by failing to make the necessary effort to understand the intellectual property issues of the case. Had it done so, Neidorf might have been spared an expensive and painful trial, and the government might have been spared a black eye.* ------ *See, e.g., "Score One for the Hackers of America," NEWSWEEK, Aug. 6 1990, page 48, and "Dial 1-800 ... for BellSouth 'Secrets'," COMPUTERWORLD, Aug. 6, 1990, page 8. _______________________________________________ Mike Godwin, a 1990 guaduate of the University to Texas School of Law, is staff counsel for the Electronic Frontier Foundation. EFF filed an amicus curiae brief in the Neidorf case, arguing that Neidorf's attempted publication of the E911 document was protected speech under the First Amendment. Godwin received a B.A. in liberal arts from the University of Texas at Austin in 1980. Prior to law school, Godwin worked as a journalist and as a computer consultant. -- Mike Godwin, |"Doubt isn't the opposite of faith; it is an mnemonic@eff.org| element of faith." (617) 864-0665 | EFF, Cambridge | --Paul Tillich .