Trade secrets charges for anti-copyright infringement software leak

A former Microsoft employee (Russian national Alex Kibkalo) admitted to investigators that he provided confidential company documents and information to a blogger in France.  Kibkalo had previously worked in the Microsoft offices in Lebanon and Russia.  An email from Kibkalo was found in the blogger’s Hotmail account.  The blogger, who was not identified, admitted to posting information on Twitter and his websites and selling Windows Server activation keys on eBay.  A Microsoft team named “Trustworthy Computing Investigations” tracked the blogger down.  In various email exchanges, Kibkalo apparently was also bragging about breaking into Microsoft’s corporate college and university schools, on the Redmond campus, and copying a server.

Microsoft accessed the blogger’s private Hotmail account to trace the identity of the leaker, and the company deemed this to be legal. The move raises concerns about Hotmail user privacy, although Microsoft’s privacy policy states that the company may access a Hotmail (now Outlook.com) account’s contents.

Microsoft responded with the following statement to The Verge:

During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.

As part of the investigation, we took the step of a limited review of this third party’s Microsoft operated accounts. While Microsoft’s terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

Based on his LinkedIn account, Kibkalo had relocated to Russia and was working for another U.S.-based technology company with offices in Moscow and St. Petersburg.  Kibkalo was charged with the federal crime of stealing trade secrets, including an interesting code for a program to protect against copyright infringement.  The case was filed in the U.S. District Court for the Western District of Washington at Seattle: U.S. v. Kibkalo, Case No 2:14-mj-00114-MAT.

D.C. Appeals court strikes down Net Neutrality

We will cover Net Neutrality in class this semester, but an important case came down today that will fundamentally affect the very basis of Net Neutrality, so I was compelled to comment before our class discussion.

Net Neutrality is based on an old legal concept known as “common carriage.” While it has developed to cover telecommunications, its main thrust was to ensure that the public retained access to fundamental services that use public rights of way, including, in a modern context, the Internet infrastructure used to deliver Web pages, streaming, and other Internet content, over broadband networks.

For example, the definition applied to any commercial enterprise that held itself out to the public as offering to transport freight or passengers for a fee.  A common carrier is generally required by law to transport freight or passengers, without refusal, if a reasonable fare or fee is paid.  Ferries, freight trains, commuter buses, and more have been found to be common carriers. (c.f. Massachusetts courts have held “the statutory definition of ‘common carrier’ typically applies only to private or moneyed corporations and not to public or municipal corporations or quasi-corporations,” thereby declaring the MBTA not to be a common carrier. Massachusetts Bay Transp. Auth. v. City of Somerville, 451 Mass. 80 (2008)).

In The Elements of Jurisprudence (1924), author Thomas Holland stated: “[A] ‘common carrier’ is bound to take all goods of the kind which he usually carries, unless his conveyance is full, or the goods be specially dangerous; but may charge different rates to different customers.”  Throughout the development of the common law in the U.S., this concept was adapted to many technological improvements, most importantly telecommunications.  This was to similarly ensure that phone companies, which use public rights of way to string wires and cables, serve all customers equally, without refusal.

Enter broadband services: many legal experts asked why this should be regulated differently. Is it like a traditional telecommunications service subject to the “common carrier” regulation? Others thought it should be classified separately, thereby avoiding the requirements of common carriers.

In 2005, the Supreme Court issued its opinion Nat’l Cable & Telecommunications Ass’n v. Brand X Internet Servs., 545 U.S. 967 (2005) upholding the Federal Communications Commission’s (FCC) determination that cable broadband internet access service is an “information service.” (And therefore reversed the judgment of the 9th Circuit).  The reasoning was plain: Broadband is not a telecommunications service, therefore broadband providers’ infrastructure is not considered a public right of way, and should not be regulated under the common carrier concept.  Reasoning follows then that broadband providers could discriminate and block traffic, and the FCC had no authority to prevent those actions.

The FCC wasn’t about to let this go: as an independent U.S. government agency, the FCC regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories; they are the U.S.’s “primary authority for communications law, regulation and technological innovation;” they were not about to sit back and let private broadband companies potentially discriminate against each other, discriminate against types of service, technologies, or uses – all to the U.S. broadband customer’s loss. [For example, Comcast could arbitrarily block transmission of any peer-to-peer and collaborative software content, such as BitTorrent, Gnutella, Lotus Notes, or Google applications]

In 2011 the FCC published the final rules for its Net Neutrality policy [which barely made it through – one of the FCC Commissioners who initially voted against the rules, stepped down and now works for Comcast <raise eyebrows here>].  The rules are intended to provide certainty and predictability to all Internet stakeholders, including content and service providers as well as consumers. They are the result of an effort to bring government policy into line with the open technology that has allowed the Internet to develop rapidly.

The three underlying principles of the Net Neutrality rules were “transparency,” “no blocking,” and “no unreasonable discrimination.” In effect, the FCC was applying the “common carrier” standards to the Broadband services through regulatory authority with these Net Neutrality rules: Broadband providers may not block lawful content, applications, services, or block applications that compete with their voice or video telephony services, and broadband providers may not unreasonably discriminate in transmitting lawful network traffic.

Verizon challenged these rules, sued, and, after oral arguments in September, a three judge panel of the D.C. Circuit Court of Appeals today sided with Verizon, saying the FCC acted outside its authority by enacting the rules. [full text opinion].  After the oral argument (which I procured a transcript of in less than 36 hours – thanks Internet!), many commentators anticipated that the D.C. Circuit would strike down at least part of the Net Neutrality rules. However, the current opinion goes even farther than expected, throwing out both the anti-discrimination and anti-blocking provisions.  Because the FCC chose to classify Broadband Internet as an “information service” it therefore lacks the authority to impose “common carrier” obligations on it, even in the form of Net Neutrality rules.

What could happen as a result? Internet providers could soon start charging websites like Google, Facebook and Netflix to reach users. Internet providers could auction off priority traffic rights to one site over another, or impose tolls for high-bandwidth sites such as video streamers (as in: You pay more if you are streaming Netflix, Hulu, Amazon, etc.).  “Pay for Tier” service.  Discriminatory bandwidth for certain files. The destruction of collaborative software traffic (throttling BitTorrent traffic, anyone?)

I had to dig, but there may be some scraps of silver lining in the decision.  But “only for those with true grit. And we were chock full of that.” ― quoting Hunter S. Thompson, Fear and Loathing in Las Vegas.  And in this case, the five current FCC commissioners are those that need to be chock full of true grit.

The court left part of the Net Neutrality rules intact [the transparency rules requiring disclosure of information about network management practices] saying that the FCC still has “general authority” to regulate how broadband providers treat traffic.  The D.C. court stated: “[T]he [FCC] has established that section 706 of the Telecommunications Act of 1996 vests it with affirmative authority to enact measures encouraging the deployment of broadband infrastructure. The [FCC], we further hold, has reasonably interpreted section 706 to empower it to promulgate rules governing broadband providers’ treatment of Internet traffic, and its justification for the specific rules at issue here—that they will preserve and facilitate the “virtuous circle” of innovation that has driven the explosive growth of the Internet—is reasonable and supported by substantial evidence….”

FCC Chairman Tom Wheeler said the commission might appeal the ruling. “The DC Circuit has correctly held that ‘Section 706 . . . vests [the Commission] with affirmative authority to enact measures encouraging the deployment of broadband infrastructure’ and therefore may ‘promulgate rules governing broadband providers’ treatment of Internet traffic.'”

So the authority exists, but will require some crafty wording in the next attempt at regulation.  Because the FCC chose to classify Broadband providers as “information services” in 2005, that exempted them from treatment as traditional “common carriers” in the future.  Therefore the FCC can’t attempt to regulate them with common carrier-like rules.  What new rules will the FCC be able to develop that will still serve the “no blocking” and “no unreasonable discrimination” portions of the Net Neutrality rules?  It’s hard to tell.  Regulation is coming, for sure.  The court did agree with the FCC’s opinion that without Net Neutrality rules, “broadband providers may be motivated to discriminate against and among edge providers.”

One controversial option is for the FCC to simply reclassify the broadband services as a common carriage service.  The D.C. court was clear: it is ultimately up to the FCC to make its own decision on classification.  Julius Genachowski, the FCC chairman at the time Net Neutrality was enacted, didn’t take the classification path.  Why not?  There was, at the time, some limited bi-partisan pressure from Congress on the new FCC classification.  Will present chairman Tom Wheeler want to go through the process?  Many advocate groups like Public Knowledge,

If the reclassification is done, there will definitely be another lawsuit.  But perhaps, in this scenario, the D.C. court would see this as well within the FCC’s authority to “promulgate rules governing broadband providers’ treatment of Internet traffic….”  U.S. citizens will have to wait and see if the FCC appeals the present decision or “starts over” with a new classification in the future.

Do Not Track Working Group Consensus – More Work Ahead

A W3C working group that has struggled to reach agreement on industry “Do Not Track” rules made progress in some areas, issuing a consensus document during a May meeting in California.  W3C develops internet standards worldwide. The working group will proceed toward a “last call” July deadline to issue draft standards for public comment.

The issue before the group is the practice of behavioral advertising, which involves the tracking of consumers’ online activities for targeted marketing purposes.  The working group is trying to create voluntary “Do Not Track” standards by allowing consumers to make “Do Not Track” choices through their web browser settings.

Consumer advocates and the online advertising industry have clashed over how far “Do Not Track” standards should go.  Last year, Microsoft stymied the process by deciding to roll out a new IE 10 browser with a default “Do Not Track” setting.  The Digital Advertising Alliance (DAA), a consortium of marketing industry groups, objected.  It claimed that its members “will not be required to honor such a default approach because it reflects the choice of the browser manufacturer instead of the consumer and is inconsistent with industry standards.”

At an April 24 hearing before the Senate, the DAA accused Microsoft (and Mozilla) of failing to honor its commitment to cooperate with the “Do Not Track” effort. After the hearing, Senate Committee Chairman John D. Rockefeller IV (D-W.Va.) reintroduced bill S. 418 “Do-Not-Track Online Act of 2013” to create mandatory Do Not Track rules, enforceable by the Federal Trade Commission.

Stay tuned for more information from the W3C Working Group and about Senate bill S. 418.

Pentagon Expanding Cybersecurity Force to Protect Networks Against Attacks

We will cover information security and, specifically, cyber-warfare near the end of the semester, but I thought this was of interest to the class:

“The Pentagon is moving toward a major expansion of its cybersecurity force to counter increasing attacks on the nation’s computer networks, as well as to expand offensive computer operations on foreign adversaries, defense officials said Sunday.”

See the full text of the article: http://nyti.ms/X6HAds 

Data Privacy Day

Today is Data Privacy Day, and, although we are covering privacy in later classes this semester, I wanted to share the following statement from the National Cyber Security Alliance (www.staysafeonline.org):

“Data Privacy Day is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority.  Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The Day commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.  Data Privacy Day is a celebration for everyone and held on January 28th every year.

In our online world, data is free flowing.  All of us – from home computer users to the largest corporations – need to be aware of the personal and private data others have entrusted to us and remain vigilant and proactive about protecting it.  Being a good digital citizen means being a good steward of data.  Data Privacy Day is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority.  Data Privacy Day is led by the National Cyber Security Alliance, a non-profit, public private partnership focused on cyber security education for all online citizens.”

CT Court Has Jurisdiction Over Canadian Employee

The Second Circuit Court of Appeals has reversed a Connecticut federal court’s order dismissing for lack of personal jurisdiction a Connecticut corporation’s complaint for misappropriation of trade secrets by a Canadian employee of the plaintiff’s Canadian subsidiary. In MacDermid, Inc. v. Dieter (full text) MacDermid Chemicals, Inc claimed Dieter improperly forwarded confidential business information before her termination. The conduct occurred in Canada.  The jurisdictional wrinkle was that MacDermid maintained its data on servers in Waterbury, Connecticut. The suit was based on Connecticut’s trade secret statute and their state long arm statute.

At the district court level, Dieter noted that she did not work in the U.S. and that she had no reason to expect that a suit against her would be heard anywhere other than in Canada.  However, the 2nd Circuit Court of Appeals thought better of that argument.  In examining Connecticut’s long-arm statute, the court found that a non-resident is subject to the state’s jurisdiction for lawsuits alleging misuse of “a computer, as defined . . . located within the state.” The statutory definition of the word “computer” includes “an electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.”  The Second Circuit concluded, “a computer server meets the Connecticut long-arm statute’s definition of computer.”  Dieter’s defense to jurisdiction – that she did nothing in the United States – no longer held any validity under the court’s precise reading of the statute.

According to the court, it was not critical that Dieter was “outside of Connecticut when she accessed the Waterbury servers. The statute requires only that the computer . . ., not the user, be located in Connecticut” (emphasis added). While recognizing that many internet users probably do not know the location of servers where emails are stored, Dieter, as an employee of the company for many years, was aware that the servers were in Connecticut.

As we read throughout the semester, we will find that many courts have a public interest in finding jurisdiction for cases where a local company or public interest is a factor.  This case is no different:  the court was defending a company with its principal place of business in Connecticut.  Public interest, “efficiency and social policies against computer-based theft are generally served by adjudication in the state from which computer files have been misappropriated.”  Therefore, they ruled, the Connecticut federal court could properly exercise jurisdiction.

Note that this decision, and others, clearly states that no matter where a defendant downloads misappropriated emails or files, he or she may be sued in a state with a similar statute, where the emails/files are stored on servers in the forum state.  And, as evidenced in MacDermid, Inc. v. Dieter, particularly if the plaintiff does business in that state and the defendant is alleged to have known the location of the servers.

5th Circuit: SCA does not apply to data stored on a cell phone

A federal appeals court ruled Wednesday that federal law didn’t protect text messages and pictures stored on a Texas woman’s personal phone from the prying eyes of her employers.  The U.S. Court of Appeals for the Fifth Circuit held that the Stored Communications Act (SCA), a federal law aimed at guarding against intrusions on individual privacy, doesn’t apply to data stored on a cell phone.

The case was titled Garcia v. City of San Laredo (full text here) and involved a former police dispatcher in Laredo, Texas, who was fired after her superiors reviewed text messages and images on her phone that revealed an extramarital affair.  The ruling held that personal cell phones are not “facilities” under the text of the SCA.

As we will discuss in class, to be liable under the SCA, a defendant must have gained unauthorized access to a facility through which an electronic communication service is provided and must thereby have accessed electronic communications while held in electronic storage.  The court looked closely at persuasive authority from the 11th circuit, notably United States v. Steiger, which held that a hacker’s access of an individual’s hard drive was beyond the reach of the SCA.  The court quoted from Steiger, stating that the SCA does not “appear to apply to the source’s hacking into [a] computer to download images and identifying information stored on his hard-drive.”

We will talk more about this case and the SCA during this year, but Garcia represents a continued path of litigation for the SCA in other courts that have reached the same conclusion.