Supernova 2008

This is the first time I’ve been able to attend Supernova, and it seems like a fine conference. It’s all being made available online:

Conversation Hub:
http://www.conversationhub.com

Live video stream:
http://www.mogulus.com/supernova2008

IRC Chat:
irc://irc.freenode.net/supernova2008

In a back-and-forth this afternoon between David Morin of Facebook and Kevin Marks of Google, Morin said that FB had “turned off” Google’s Friend Connect application because it was a violation of FB’s Terms of Service. Morin also said that FB wants to make sure that privacy settings applied to FB data travel with that data, even if those settings change. When asked by Marks how the Friend Connect service violated the TOS precisely, Morin declined to respond. The violation was “a legal matter,” he said, and “our representatives are talking.”
Also, this afternoon, Joi Ito made clear that he thinks of Creative Commons as a standard, like TCP/IP. And Chris Sacca of Google made clear that the thing to worry about is the physical infrastructure layer and the control that gatekeepers (increasingly, wireless companies) have - and that we’re asleep at the wheel.
A good day.

Another reason on McCain

About ten days ago, I was a co-moderator (with Ari Schwartz) of a panel at CFP during which surrogates for the Obama and McCain campaigns had a civil and well-informed conversation about tech policy. I was impressed by Chuck Fish, the McCain representative, who did his best to win the respect of the geek crowd in the room. (ArsTechnica report about the panel here.)

In response to a question about immunity for the telcos in connection with their cooperation with the NSA’s warrantless wiretapping program, Fish said that there should be hearings held to figure out what the NSA had been up to. He also (although vaguely) suggested that there should be statutory limits to what the NSA could do, and that the telcos and the NSA should be held to those limits.

Now Wired is reporting that McCain has repudiated Fish’s remarks. (That’s unfortunate, and I think unfair to Fish, who works full-time for the campaign and is clearly a careful guy. He didn’t seem like someone who would make misstatements when he was speaking for the campaign.)

McCain is going with Bush’s Law: No matter what the law or the Constitution says, if the president needs to carry out warrantless surveillance in his capacity as Commander in Chief of the armed forces, he can do it. This is the familiar, overreaching view that Article II essentially trumps everything else. If we’re “in a time of war,” anything goes.

From the campaign:

Here is the bottom line: Senator McCain supports the FISA modernization bill passed by the Senate without qualification. He believes no additional steps should be necessary to secure immunity for the telecoms; both the 109th and 110th Congresses have conducted extensive evaluation and examination of this topic and have satisfied the public’s need for appropriate oversight; hearings purportedly designed to ‘get to the bottom of things’ have already occurred; and neither the Administration nor the telecoms need apologize for actions that most people, except for the ACLU and the trial lawyers, understand were Constitutional and appropriate in the wake of the attacks on September 11, 2001.

Senator McCain has never stated, nor does he believe that telecoms should only receive retroactive immunity in exchange for congressional testimony about their actions. We do not know what lies ahead in our nation’s fight against radical Islamic extremists, but John McCain will do everything he can to protect Americans from such threats, including asking the telecoms for appropriate assistance to collect intelligence against foreign threats to the United States as authorized by Article II of the Constitution.

Wired’s Ryan Singel explains that McCain has apparently been pushed into this Curtiss-Wright-So-I’m-Right chest-thumping position by commentary from the National Review Online.

The legal argument is straightforward: in general, domestic eavesdropping without a warrant is illegal. If the government is eavesdropping on “foreign powers” inside the U.S. it can go to a special court, the Foreign Intelligence Surveillance Court, and get an order authorizing the surveillance - or it can start the surveillance and ask for judicial authority afterwards. This allows the President to act in foreign affairs with expedition, but retains judicial supervision.

It’s alarming that McCain says he will be willing to ignore the law on the books if needed. We adopted this structure after evidence of overwhelming domestic surveillance abuse was revealed as part of the Church Committee’s work.

(It’s also alarming that some Democrats are willing to believe that prospective judicial supervision of warrant requests is an outmoded idea - you can see this in the FISA-rewrite debates. At least they seem to believe that the statute would have to be rewritten in order to avoid the current judicial supervision requirement.)

But let’s start with McCain. He’s more alarming. He’s saying he’d be willing to ignore the statute, whatever it says. I don’t think Obama would take this view.

The Computer Fraud and Abuse Act

Last Friday’s news that Lori Drew (neighbor who posed on MySpace as potential teenage boyfriend) was being indicted under the Computer Fraud and Abuse Act represents yet another cyberlaw constitutional moment. Once again, we’re pressing laws intended to address X problem into service mending Y dispute. This time, however, the law is more sweeping than we might like to admit. In fact, courts have already read the CFAA to stretch awfully far - including to violations of agreements *not* found in the Terms of Service on a particular web site. The relevant question: Is this appropriate?

Background: As the news reports make clear, the CFAA was originally designed to address hacking of federal computers or financial industry systems. It was broadened in 1984 to add civil remedies (so anyone can use it, not just prosecutors), broadened again in 1996 to cover any protected computer (which essentially means any computer in interstate commerce - so any computer attached to the internet), and then broadened yet again in 2001 to include any computer outside the US that communicates with the US. So this is a statute that has migrated from protecting government computers to protecting all possible computers.

It’s a violation of the CFAA to (1) intentionally access a protected computer without authorization and (2) cause damage that adds up to at least $5,000. (Take a look at 18 U.S.C. Sec. 1030(a)(5)(A)(iii).) It’s very easy to come up with $5K in damages - you can use fees paid to consultants, or the cost of responding to the offense. Given the attention to the MySpace suicide, the company won’t have a problem showing damages. (I know this seems odd, but the damages don’t have to be directly related to fixing the actual break-in.)

What’s the break-in? The statute was written with classic hacking behavior in mind - guessing passwords, monkeying with files, etc. But here the “hack” is (apparently) to intentionally violate the Terms of Service posted by MySpace, which prohibit users from lying to MySpace or using their accounts to harass other users. Here, the neighbor arguably breached these terms by saying she was a teenage boy and harassing her teenage neighbor.

This may seem nuts to you. It does to many of us. A civil litigant can paint his/her opponent as a quasi-*criminal* by showing that he/she has violated some form contract on a site. Even odder things have happened under the CFAA.

For example, in EF Cultural Travel BV v. Explorica, Inc. (2001, 1st Circuit), an incumbent travel site upset that a former employee had scraped the site for pricing information sued under the CFAA, claiming that the former employee’s breach of a broad confidentiality agreement with the incumbent made his access to the site for scraping purposes an act that “exceeded authorized access.”

The argument in this case, as in lots of former-employee cases under the CFAA, is that employees “exceed authorization” to employer databases when they access them for purposes of serving new ventures. In Explorica, the argument seems to reach even further - that access to *public sites* with knowledge of how they work (in this case, where the pricing information is available) may amount to “unauthorized access.”

There’s an AOL Terms of Service case, AOL v. LCGM, Inc. (EDVA 1998), that says that use of an email address extractor program in AOL chat rooms violated the AOL terms and therefore was “unauthorized” under the CFAA.

What a litigation tool! The CFAA is extraordinarily powerful. You can bring a “theft of trade secrets case” under the CFAA without proving that you ever actually had a trade secret (which has to have value because it’s secret). Because everything is now stored on a computer, the CFAA gives a federal forum and a federal claim for an infinite array of disputes. It’s like a civil RICO for our era - expansive and powerful, and now quite popular.

Hard questions. The implications of the CFAA for the free flow of information across a globally-interconnected network are profound. Who gets to decide what “terms” are enforced by using the CFAA? Can a plaintiff just decide who gets to access “his” computer, and for what purposes? Is there any limitation to the coverage of the CFAA - some boundary of “reasonable expectations” of the site “owner”? Here, shouldn’t MySpace have anticipated that people would fudge in setting up their accounts?

Should the CFAA be used to shut down speech, as this indictment suggests?

Unless the CFAA is amended, it will continue to be used in this way. Its definitions are extraordinarily broad. Everything is a “protected computer,” losses of $5K are incredibly easy to prove, and it’s simple to slap up an anti-competitive, anti-speech set of online terms. We need some better legislative explanation of what “unauthorized access” or “exceeding authorization” mean.

This is a “bad facts” case - a suicide, a stunned populace, and a yearning for revenge are shaping interpretation of a broad federal statute. The problem is that some courts have already reached the conclusion that the CFAA can be used for almost any perceived online infraction.