Texas Lawyer
January 10, 2000
PCS FROM COMMERCIAL SNOOPING
They seem like strange bedfellows, but 37-year-old computer hacker Kevin Mitnick
and $11 billion software giant RealNetworks Inc. have one thing in common. They
both were alleged to have violated the relatively obscure Computer Fraud and
Abuse Act. Mitnick was brought up on federal charges, recently pleaded guilty
and is serving jail time. RealNetworks has just been sued in a civil class
action, and its outcome is anyone's guess. Yet the two cases raise questions
about whether commonly accepted commercial snooping practices on the Internet
are any different from those for which individuals have gone to prison.
When originally passed in 1984, the Computer Fraud and Abuse Act, 18 U.S.C.
§1030, was aimed narrowly at those who hacked into the computer systems of the
federal government or major financial institutions. Hacking is the unauthorized
access of a remote computer. The act protected such computers by making
unauthorized access to them a federal crime, and permitting civil actions.
But in 1996, to protect the integrity of what was then called the "national
information infrastructure," the reach of the act was broadened substantially.
It now applies to virtually any computer connected to the Internet, including
home computers like yours. Subsection (a)(2) makes it unlawful to intentionally
access a protected computer without authorization, or to exceed authorized
access, and thereby obtain information. And a protected computer means any
computer "used in interstate or foreign commerce."
The law also proscribes unauthorized access of a protected computer that causes
damage and any access that is gained with the intent and effect to defraud.
Congress clearly intended the law to apply to people like Mitnick. He went on a
2-and-a-half-year hacking spree and received a four-year sentence. According to
a Justice Department press release: "Kevin Mitnick admitted that he broke into a
number of computer systems and stole proprietary software belonging to Motorola,
Novell, Fujitsu, Sun Microsystems and other companies."
Less clear is how Congress wanted the law applied to commercial enterprises like
RealNetworks. Plaintiffs in the class action - Starrett, Johns, Meyers, et al.
v. RealNetworks Inc. (U.S.D.C. Eastern District, Pa. Nov. 9, 1999) - allege that
the company's RealJukebox software, which plays music on a computer, snooped on
them once they installed it on their computers, and it reported back to the
company over the Internet:
Each time a Class member ran the RealJukebox Software program during the Class
period, information from the Class member's personal computer was furnished
surreptitiously to RealNetworks' computers. Such information included the type
of computer format the music is stored in; the quality level of the recordings;
the Class member's musical preferences; and the type of portable music player,
if any, the Class member has connected to the computer.
RealNetworks has not yet filed an answer to these allegations.
RealNetworks isn't the only company alleged to have peddled software that
snooped on home users surreptitiously. According to The New York Times of Nov.
29, 1999, the free cursor software distributed by Comet Systems Inc. reported
back to the company each time the user visited any of 60,000 Web sites.
Data Privacy
But is such snooping the same as hacking, and did Congress really intend to
equate a Kevin Mitnick with a RealNetworks?
Certainly the language of Subsection (a)(2) applies without regard to whether
the computer that is accessed is a Defense Department computer with missile
launch codes or a home computer with a record of what country-and-western songs
were played. If an interstate or foreign communication is used, e.g., if the
Internet is involved, then it is a federal crime to access even a home computer
without authorization.
Granted, the image of a hacker may be that of a teen-age computer geek who sits
in his bedroom and uses special tricks to break into big computer systems for
mischievous reasons. He may gain unauthorized access by, for example, exploiting
a flaw in the remote server's software or by unauthorized use of a password. But
the act doesn't criminalize stereotypes. It criminalizes the unauthorized access
of information on a computer. Thus, commercial snooping into files on home
computers is also unlawful.
The privacy implications of Subsection (a)(2) were not entirely overlooked when
the 1996 amendments were drafted. A legislative analysis by the Department of
Justice characterizes the important Subsection (a)(2) as "in the truest sense, a
provision designed to protect the confidentiality of computer data."
Referring to a National Information Infrastructure study of the mid-1990s, the
DOJ's analysis quotes from the NII's Draft Principles:
[T]he assumption is that large amounts of sensitive information will be on line,
and can be accessed, perhaps without authority, by a large number of network
users. . . . [T]he NII will only achieve its full potential if individual
privacy is properly protected. . . . Therefore, the new subsection 1030(a)(2) is
designed to insure that it is punishable to misuse computers to obtain
government information and, where appropriate, information held by the private
sector.
The fact that the act protects data privacy, rather than individual privacy, has
an important ramification. The law does not require proof that personal privacy
was invaded. The act may be violated, for example, if data of any nature are
removed from a protected computer. It is no defense to argue, as some commercial
snoopers have done publicly, that the data are not of a personal nature or that
they do not identify the individual from whom they were taken. Just as the
hacker may be convicted without showing he actually invaded someone's privacy,
it is not necessary to show that unauthorized collection of information from a
user's computer invaded anyone's privacy.
Everybody Snoops
But even if the language of the act applies literally to snooping, and even if
there is legislative history to support converting the law into a privacy
statute, there is a problem in construing it to bar commercial snooping. On the
commercial Web, everyone snoops. Web site owners, for example, want to get as
much information as they can about their visitors. For this purpose, most use
"cookies." Whenever you visit that Web site or move around within it, the site
will interrogate your computer to obtain its identity. Thus, the cookie permits
the Web site to monitor you for at least as long as you are connected to it.
Indeed, you can't visit many commercial sites unless you accept a cookie.
Yet cookies would seem to violate the Computer Fraud and Abuse Act, for they
involve the remote computer reading the cookie file on your computer via
interstate communications.
An argument can be made that cookies are an authorized access under the act,
although the argument is not completely convincing. A Web site can place a
cookie on your computer only if you either configure your browser to accept
cookies automatically or if you accept each cookie as it is presented. Thus,
according to this view, a cookie allows access only if the user authorizes it.
But this argument is strained. The authorization in such instances is implicit
at best. What if the user doesn't understand what cookies are, or what if he
doesn't know he can turn them off? What if his computer software was
preconfigured to allow cookies? Indeed, the average user probably doesn't even
know what a cookie is, much less that it allows Web sites to access data on his
computer. The law normally requires that an authorization be by affirmative act.
Besides, construing the act to allow implicit authorizations opens up
possibilities for all sorts of legal mischief. If the fine print in the Web
site's privacy policy recites that it may access files on your computer, have
you authorized the snoop by going to the Web site? What if the license agreement
for the software you download from the Internet mentions that the software will
snoop, should you be deemed to have authorized wholesale access to your computer
by installing the software? Do one-sided, take-it-or-leave-it boilerplate
approaches constitute authorization under the act?
That the act should be interpreted to require affirmative authorization
certainly seems clear in cases where access to a business or government computer
is sought. Suppose a law firm's computer allows lawyers to retrieve files from
home, but the firm's security is so sloppy that it doesn't require passwords.
Can a hacker who breaks in and steals client files claim that the lack of
security was implicit authorization? Or can he say that he didn't know the law
firm objected? Suppose a contractor installs software on a nonpublic government
computer system and continues to access the system long after the contract is
completed. Must the government expressly notify the contractor that his access
is terminated before he can be sued under the act?
The Computer Fraud and Abuse Act appears to limit commercial snooping on the
Internet, but it will be up to the courts to decide what constitutes authorized
access in the commercial cases. Hopefully, the courts will be consistent in
their interpretations, so that the results are the same when hackers break into
business computers and when billion-dollar corporations snoop into home
computers - particularly mine and yours.
Washington, D.C., solo practitioner James H. Johnston is a frequent contributor
to Texas