Damages in Internet Law and Technology
an interview with Jennifer Stisa Granick of Stanford Law School
Vol. 4
December 2003
Page
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.
Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.
Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.1
The McDanel Case:
On appeal in this case, Granick and the Cyberlaw Clinic successfully argued on behalf of their client McDanel. This Ninth Circuit appeal challenged a man's criminal conviction for informing by email customers of Los Angeles-based Tornado instant messaging company of a security flaw in the company's web mail service in 2000. At trial the prosecution successfully argued that by reporting the flaw, the defendant impaired the security (integrity) of the Tornado system because third parties might be able to use the information to obtain unauthorized access, and caused damage because the company had to respond to customer concerns and improve the web mail security. On appeal, the clinic argued that reporting security flaws did not impair the integrity of a system, and that the First Amendment protects such security advisories. On October 14, 2003 the Government conceded the issues in Granick's appeal and moved to dismiss the case.2
Q: The current Federal standard establishing damage and loss is U.S.C. 1030(a)(5)(A). It prohibits transmitting information with the intent to cause damage to a protected computer. "Damage" includes impairment to the integrity of the computer or data residing there. The integrity of a computer is impaired when an intruder infiltrates the computer network, and obtains access to information there, even if no data was physically changed or erased. Do you buy into the standard (access equaling impairment) that the government is using for damage and loss?
A: There are two main things I strongly disagree with about the way that the current computer crime statutes are interpreted. One is the concept of "unauthorized access." That has been interpreted as any access or use that the owner of the system doesn't like or wouldn't agree to. That results in an extremely broad application of the law…and there have been many civil cases that interpret that and those cases say that sending SPAM is unauthorized access. I had another case…where using a spider search bot is unauthorized access. I think that is wrong. That is not what the statute is about and those things should not be criminal.
The second part of the statute…that I find really problematic is the concept of damage. In order for there to be a cause of action….or a criminal offense, there has to be $5000 worth of damage. Damage … can include the cost of investigating and the cost of putting the system back the way it was. In practice, that assessment of the value of the loss is very manipulatable by the victim and by the government so that it is almost always easy to come up with $5,000 worth of loss, and that they are not rigorous about what the definition of what loss means. The problem with that is there is no uniformity across the board. Instead you're saying we're just going to throw the book at you. The other side of that, is that even if you think there is not $5,000 worth of loss, the government can just act the victim to come up with more losses and then we're add on more charges, and it hangs over the persons head…creating an incentive for an innocent person to plead guilty because the risk is huge because the way loss is defined is very vague.
(For further information, see comments to the United States Sentencing Commission on behalf of the National Association of Criminal Defense Lawyers.)3
Q: How do you feel about unauthorized access without harm being criminal?
A. Basically, you are saying there is an absolute right to exclude any undesirable uses of this computer, and I think that…is a big mistake, because if you have that rule that the owner of the server can exclude any uses they want, there are all sorts of negative social effects that come as a result. All the way from negative free speech effects…to anti-competitive effects. In another case there was a "web scraper" price comparison shopping "bot." It would search all the airline web sites for web fares and return all the fares sorted according to whatever the user wanted, allowing users to comparison shop. American Airlines sued saying that it did not want the company to sell the software because it did not want travel agents to know its webfares. It wanted travel agents to have to pay it to get access to its web fares. But, If you had an absolute right to exclude…companies would be able to hide their price data from competitors and consumers and that is not how capitalism works. It works when consumers are able to compare and contrast prices for products and services.
Similar to copyright, you can have information that you are not allowed to copyright like pure data, or something important for people to know like how the government operates, and you can then put it on a web server and say you're not allowed to look at it, and then citizens are deprived of the use of information that they are otherwise entitled to use and those are all public tragedies. So, this idea that the company should have this absolute right to exclude people from their web server gives them property rights in all these other types of things, particularly information, that we don't want, and we've already decided not to allow. So, I'm totally against it.
Q: With regard to how insignificant the actual damages were in the case, is it odd that McDanel was charged criminally?
A: It was odd and I think it was a case that was just really wrong. It's too bad that it happened. I can't say something like this will never happen again. This is one of the problems when you have a statute that is so overly broad. You have these prosecutors who are exercising their discretion in interpreting it, and this is the problem with prosecutorial discretion. This is why you need a statute that is more specific about what we want to be illegal. That having been said, I do think that the prosecution was pretty anomalous because it was so clearly wrong. Even though I'm saying that, the Los Angeles office and two prosecutors and a judge all bought this theory. I'm hoping now that this has happened, the Department of Justice will either pressure Congress to change the statute, making it more narrow or will issue internal guidelines, which will explain to their line prosecutors when to prosecute a case like this and when not to. I think the latter is much more likely because the federal government has no interest in making the kinds of mistakes that were made in McDanel.
Q: Did the government drop their case for failure to prove it?
A: Basically, the government is saying that their theory of the case; "that you impair the integrity of a computer, merely, by revealing truthful information about its state of security" was an invalid theory. There is a theory…by which revealing information could be an impairment of the integrity…if you have the intent that somebody take advantage of the information in order to perform an attack and to actually damage it, but since none of that evidence existed, they failed to meet their burden of proof. Essentially, this was an admission by the government that their theory was wrong.
Q: Were you surprised by the outcome of the case?
A: Totally surprised. I had never heard of the government giving in. They had gained a conviction and the defendant had served his time, and then the government changed their mind and said that it was not valid, I've never heard of anything like that and nobody I know has ever heard of something like that. Obviously, it had happened before, but not in my experience…I had a good feeling about the case, but I thought that we would have to argue it in the 9th circuit.
Summary of the "Grokster" Cases
This case has been decided in several separate rulings throughout 2003. Our discussion focuses on the portion of the case decided on April 25, 2003, wherein organizations in the motion picture and music recording industries sued Internet software distributors for contributory and vicarious copyright infringement. On cross-motions for summary judgment, the District Court held that (1) distributors were not liable for contributory infringement absent a showing that they had any material involvement in users conduct, and (2) distributors were not liable for vicarious infringement absent a showing that they had any right or ability to supervise users' conduct.4
Q: With regard to the MGM v. Grokster cases, what do you think are the significant aspects of the case? Were you happy with the result?
A: Well, I think the important thing in the case is the idea that we're going to protect technology, that it has substantial non-infringing uses, if those uses are future uses, or whatever the potentiality of the uses may be. We're not going to be blinded by the fact that people are currently using it for illegal purposes. It is a freedom to innovate question. I think that is the really important part of the case, and that principal is preserved by the ruling. Think about all of the devices that contribute to the unlawful copying of music: computer, hard drive, telephone line, cd burner, cd … there are all these things and they're all usable for non-infringing uses. So, peer-to-peer file sharing software is usable for all kinds of things. For example, I had an interview earlier on the radio and the woman is going to send me an MP3 of it. I can share my speeches if I want over peer-to-peer. There are all sorts of things I can do with it, and it has all of these non-infringing. We can't regulate technology or civil liberties, and can't impinge on that because of a worst case scenario.
Q: Regarding unfair business practices: the Court left open the possibility of future action to protect Grokster's ability to operate its business?
A: That is recognition that legislating or making decisions in this area can squelch innovations. Look at the innovations that the copyright industry would have liked to have squelched: player piano, VCR, radio … and then think about what life would be like if you didn't have these things and how great they are. Sensitivity or caution in terms of squelching new technologies is really warranted. There was the digital audio tape. We could have gotten that years ago, but we didn't get digital audio tape because of copyright concerns. Basically, business models are going to change and technology is going to change. We're not going to have Vaudeville anymore, now we're going to have movies…that's part of economic progress. I think there is generally a feeling that is desirable, and I am not some kind of psycho fan of technology, I have somewhat of a Luddite streak, but, generally in the scheme of things, let's see what progress has wrought before we get rid of it.
Q: Do you think that entities like Grokster, whose products allow other communication to occur are unique?
A: In some ways it is different because we are talking about a great deal of power in the hands of the users. One of the things that digital technology has brought us which is special, is that it puts the power of the decision making, recreating, mixing, and all of that in the hands of the person who used to just be the passive consumer. That is a big change and something to really be valued.
Q: One of the main arguments of defenders of peer-to-peer companies is that the record industry is monopolistic, do you think there is any validity to that claim?
A: During the time that the lawsuit against Napster was filed there was also a settlement with the Federal Trade Commission over price fixing for cd's. I think that there is certainly a demand for music to be distributed digitally and quickly and instantaneously. The record industry likes to say that the problem that they have is they are trying to compete with free, and they just can't compete. I think in truth that's not the case. What people really are going for is the instantaneousness of it, and the ability to get what they want, at a reasonable price, when they want it. The music industry was very slow to embrace that, and as a result, people have just had a whole different kind of experience shopping for music. I think people will pay for music that they like, look at I-Tunes and how successful that's been. There are other values that the record industry can provide to customers, whether it is in cover art, lyrics, touring, or helping people select what bands you are going to like…The value just simply isn't in the physical cd that is shipped to the store.
Q: Defenders of peer-to-peer have also argued that music downloaded over the internet is likely to increase sales of music in general because it will bring in a larger audience because it will create a larger fan base to purchase music and other products than the music industry could offer?
A: In the beginning there was definitely an argument that people who used file sharing technology purchased more cd's. Now people seem to agree that there is a decline in the revenue of the record industry, and I don't know how that is exactly going to shake out. It may be that there revenues go down, and it may be in the long run that their revenues from selling music go down and they'll need to find other ways to make their revenues go up elsewhere. There is pressure on them to change the way they're doing business. As I said there's other values they can provide, but the production and distribution of the disk is no longer gong to be one of them, and that needs to be realized and adapted to. I am not saying they have to adapt to a world of copyright infringement, but they have to adapt to a world in which people are used to getting and want to have and can have the music they like, and only the music they like, instantaneously.
Q: Generally, are there any changes you'd like to see made in Internet law?
A: I'd like to see the computer crime statutes amended…and more guidelines given. In particular, the guidelines describing unauthorized access should be redefined to mean circumventing some kind of security measure as opposed to simply going against the desires or the imagined wishes of the owner. I'd like to see damages and loss defined better. I would like to see something in terms of pure trespass to chattels where there has to be harm to the server or some sort of balancing of harm to the server with the rights of the public and the users. I'd like the Internet to be treated as, what it is, a hybrid of private property and a commons, a public commons and a public resource and that our rules about information should be such that we're going to retain the rights that we had previously in terms of fair use, archiving, price comparisons and all those kinds of rights that we had before, plus also be able to reap the benefits of digital technology in terms of the consumer being able to be a creator, the speed of communication, instantaneous access to information and that kind of thing. To get what we always had plus, let's get the benefits from the new technologies.
Citation
4 U.C. Davis Bus. L.J. 5 (2003)
Copyright
Copr. © Jacob Chachkin & Jonathan Kaplan, 2003. All Rights Reserved.
an interview with Jennifer Stisa Granick of Stanford Law School
Vol. 4
December 2003
Page
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.
Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.
Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.1
The McDanel Case:
On appeal in this case, Granick and the Cyberlaw Clinic successfully argued on behalf of their client McDanel. This Ninth Circuit appeal challenged a man's criminal conviction for informing by email customers of Los Angeles-based Tornado instant messaging company of a security flaw in the company's web mail service in 2000. At trial the prosecution successfully argued that by reporting the flaw, the defendant impaired the security (integrity) of the Tornado system because third parties might be able to use the information to obtain unauthorized access, and caused damage because the company had to respond to customer concerns and improve the web mail security. On appeal, the clinic argued that reporting security flaws did not impair the integrity of a system, and that the First Amendment protects such security advisories. On October 14, 2003 the Government conceded the issues in Granick's appeal and moved to dismiss the case.2
Q: The current Federal standard establishing damage and loss is U.S.C. 1030(a)(5)(A). It prohibits transmitting information with the intent to cause damage to a protected computer. "Damage" includes impairment to the integrity of the computer or data residing there. The integrity of a computer is impaired when an intruder infiltrates the computer network, and obtains access to information there, even if no data was physically changed or erased. Do you buy into the standard (access equaling impairment) that the government is using for damage and loss?
A: There are two main things I strongly disagree with about the way that the current computer crime statutes are interpreted. One is the concept of "unauthorized access." That has been interpreted as any access or use that the owner of the system doesn't like or wouldn't agree to. That results in an extremely broad application of the law…and there have been many civil cases that interpret that and those cases say that sending SPAM is unauthorized access. I had another case…where using a spider search bot is unauthorized access. I think that is wrong. That is not what the statute is about and those things should not be criminal.
The second part of the statute…that I find really problematic is the concept of damage. In order for there to be a cause of action….or a criminal offense, there has to be $5000 worth of damage. Damage … can include the cost of investigating and the cost of putting the system back the way it was. In practice, that assessment of the value of the loss is very manipulatable by the victim and by the government so that it is almost always easy to come up with $5,000 worth of loss, and that they are not rigorous about what the definition of what loss means. The problem with that is there is no uniformity across the board. Instead you're saying we're just going to throw the book at you. The other side of that, is that even if you think there is not $5,000 worth of loss, the government can just act the victim to come up with more losses and then we're add on more charges, and it hangs over the persons head…creating an incentive for an innocent person to plead guilty because the risk is huge because the way loss is defined is very vague.
(For further information, see comments to the United States Sentencing Commission on behalf of the National Association of Criminal Defense Lawyers.)3
Q: How do you feel about unauthorized access without harm being criminal?
A. Basically, you are saying there is an absolute right to exclude any undesirable uses of this computer, and I think that…is a big mistake, because if you have that rule that the owner of the server can exclude any uses they want, there are all sorts of negative social effects that come as a result. All the way from negative free speech effects…to anti-competitive effects. In another case there was a "web scraper" price comparison shopping "bot." It would search all the airline web sites for web fares and return all the fares sorted according to whatever the user wanted, allowing users to comparison shop. American Airlines sued saying that it did not want the company to sell the software because it did not want travel agents to know its webfares. It wanted travel agents to have to pay it to get access to its web fares. But, If you had an absolute right to exclude…companies would be able to hide their price data from competitors and consumers and that is not how capitalism works. It works when consumers are able to compare and contrast prices for products and services.
Similar to copyright, you can have information that you are not allowed to copyright like pure data, or something important for people to know like how the government operates, and you can then put it on a web server and say you're not allowed to look at it, and then citizens are deprived of the use of information that they are otherwise entitled to use and those are all public tragedies. So, this idea that the company should have this absolute right to exclude people from their web server gives them property rights in all these other types of things, particularly information, that we don't want, and we've already decided not to allow. So, I'm totally against it.
Q: With regard to how insignificant the actual damages were in the case, is it odd that McDanel was charged criminally?
A: It was odd and I think it was a case that was just really wrong. It's too bad that it happened. I can't say something like this will never happen again. This is one of the problems when you have a statute that is so overly broad. You have these prosecutors who are exercising their discretion in interpreting it, and this is the problem with prosecutorial discretion. This is why you need a statute that is more specific about what we want to be illegal. That having been said, I do think that the prosecution was pretty anomalous because it was so clearly wrong. Even though I'm saying that, the Los Angeles office and two prosecutors and a judge all bought this theory. I'm hoping now that this has happened, the Department of Justice will either pressure Congress to change the statute, making it more narrow or will issue internal guidelines, which will explain to their line prosecutors when to prosecute a case like this and when not to. I think the latter is much more likely because the federal government has no interest in making the kinds of mistakes that were made in McDanel.
Q: Did the government drop their case for failure to prove it?
A: Basically, the government is saying that their theory of the case; "that you impair the integrity of a computer, merely, by revealing truthful information about its state of security" was an invalid theory. There is a theory…by which revealing information could be an impairment of the integrity…if you have the intent that somebody take advantage of the information in order to perform an attack and to actually damage it, but since none of that evidence existed, they failed to meet their burden of proof. Essentially, this was an admission by the government that their theory was wrong.
Q: Were you surprised by the outcome of the case?
A: Totally surprised. I had never heard of the government giving in. They had gained a conviction and the defendant had served his time, and then the government changed their mind and said that it was not valid, I've never heard of anything like that and nobody I know has ever heard of something like that. Obviously, it had happened before, but not in my experience…I had a good feeling about the case, but I thought that we would have to argue it in the 9th circuit.
Summary of the "Grokster" Cases
This case has been decided in several separate rulings throughout 2003. Our discussion focuses on the portion of the case decided on April 25, 2003, wherein organizations in the motion picture and music recording industries sued Internet software distributors for contributory and vicarious copyright infringement. On cross-motions for summary judgment, the District Court held that (1) distributors were not liable for contributory infringement absent a showing that they had any material involvement in users conduct, and (2) distributors were not liable for vicarious infringement absent a showing that they had any right or ability to supervise users' conduct.4
Q: With regard to the MGM v. Grokster cases, what do you think are the significant aspects of the case? Were you happy with the result?
A: Well, I think the important thing in the case is the idea that we're going to protect technology, that it has substantial non-infringing uses, if those uses are future uses, or whatever the potentiality of the uses may be. We're not going to be blinded by the fact that people are currently using it for illegal purposes. It is a freedom to innovate question. I think that is the really important part of the case, and that principal is preserved by the ruling. Think about all of the devices that contribute to the unlawful copying of music: computer, hard drive, telephone line, cd burner, cd … there are all these things and they're all usable for non-infringing uses. So, peer-to-peer file sharing software is usable for all kinds of things. For example, I had an interview earlier on the radio and the woman is going to send me an MP3 of it. I can share my speeches if I want over peer-to-peer. There are all sorts of things I can do with it, and it has all of these non-infringing. We can't regulate technology or civil liberties, and can't impinge on that because of a worst case scenario.
Q: Regarding unfair business practices: the Court left open the possibility of future action to protect Grokster's ability to operate its business?
A: That is recognition that legislating or making decisions in this area can squelch innovations. Look at the innovations that the copyright industry would have liked to have squelched: player piano, VCR, radio … and then think about what life would be like if you didn't have these things and how great they are. Sensitivity or caution in terms of squelching new technologies is really warranted. There was the digital audio tape. We could have gotten that years ago, but we didn't get digital audio tape because of copyright concerns. Basically, business models are going to change and technology is going to change. We're not going to have Vaudeville anymore, now we're going to have movies…that's part of economic progress. I think there is generally a feeling that is desirable, and I am not some kind of psycho fan of technology, I have somewhat of a Luddite streak, but, generally in the scheme of things, let's see what progress has wrought before we get rid of it.
Q: Do you think that entities like Grokster, whose products allow other communication to occur are unique?
A: In some ways it is different because we are talking about a great deal of power in the hands of the users. One of the things that digital technology has brought us which is special, is that it puts the power of the decision making, recreating, mixing, and all of that in the hands of the person who used to just be the passive consumer. That is a big change and something to really be valued.
Q: One of the main arguments of defenders of peer-to-peer companies is that the record industry is monopolistic, do you think there is any validity to that claim?
A: During the time that the lawsuit against Napster was filed there was also a settlement with the Federal Trade Commission over price fixing for cd's. I think that there is certainly a demand for music to be distributed digitally and quickly and instantaneously. The record industry likes to say that the problem that they have is they are trying to compete with free, and they just can't compete. I think in truth that's not the case. What people really are going for is the instantaneousness of it, and the ability to get what they want, at a reasonable price, when they want it. The music industry was very slow to embrace that, and as a result, people have just had a whole different kind of experience shopping for music. I think people will pay for music that they like, look at I-Tunes and how successful that's been. There are other values that the record industry can provide to customers, whether it is in cover art, lyrics, touring, or helping people select what bands you are going to like…The value just simply isn't in the physical cd that is shipped to the store.
Q: Defenders of peer-to-peer have also argued that music downloaded over the internet is likely to increase sales of music in general because it will bring in a larger audience because it will create a larger fan base to purchase music and other products than the music industry could offer?
A: In the beginning there was definitely an argument that people who used file sharing technology purchased more cd's. Now people seem to agree that there is a decline in the revenue of the record industry, and I don't know how that is exactly going to shake out. It may be that there revenues go down, and it may be in the long run that their revenues from selling music go down and they'll need to find other ways to make their revenues go up elsewhere. There is pressure on them to change the way they're doing business. As I said there's other values they can provide, but the production and distribution of the disk is no longer gong to be one of them, and that needs to be realized and adapted to. I am not saying they have to adapt to a world of copyright infringement, but they have to adapt to a world in which people are used to getting and want to have and can have the music they like, and only the music they like, instantaneously.
Q: Generally, are there any changes you'd like to see made in Internet law?
A: I'd like to see the computer crime statutes amended…and more guidelines given. In particular, the guidelines describing unauthorized access should be redefined to mean circumventing some kind of security measure as opposed to simply going against the desires or the imagined wishes of the owner. I'd like to see damages and loss defined better. I would like to see something in terms of pure trespass to chattels where there has to be harm to the server or some sort of balancing of harm to the server with the rights of the public and the users. I'd like the Internet to be treated as, what it is, a hybrid of private property and a commons, a public commons and a public resource and that our rules about information should be such that we're going to retain the rights that we had previously in terms of fair use, archiving, price comparisons and all those kinds of rights that we had before, plus also be able to reap the benefits of digital technology in terms of the consumer being able to be a creator, the speed of communication, instantaneous access to information and that kind of thing. To get what we always had plus, let's get the benefits from the new technologies.
Citation
4 U.C. Davis Bus. L.J. 5 (2003)
Copyright
Copr. © Jacob Chachkin & Jonathan Kaplan, 2003. All Rights Reserved.