http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=1543 By James Grimmelmann July 12, 2004 I'm not really sure what to make of this one. BNA mentioned a case named Flynn v. Healthcare Advocates (not publicly online yet, but keep checking here). It's just a garden-variety civil lawsuit around a business venture that never went anywhere. The plaintiff is accusing the defendants of using the negotiations as a ploy to ferret out various trade secrets and other confidential information. Nothing particularly interesting there: just your normal run-of-the-mill "unfair competition, trademark/service mark infringement, violations of the Lanham Act (15 U.S.C. § 1125(a)), breach of contract, unjust enrichment, tortious interference with existing and prospective contractual relations, conspiracy, fraud, misappropriation of trade secrets and copyright infringement" claims. No, what's strange about this case is that the plaintiff tried to amend its complaint to accuse on of the defendant's lawyers of hacking Archive.org. More details inside . . . First, the relevant portions of the new complaint (HAS is the plaintiff, and the Law Firm is representing one of the defendants): 49. Between July 8, 2003, and July 15, 2004, the Law Firm "hacked" into [HAS, Inc.'s] archived materials on a website known as www.archive.org. The forgoing website is effectively a library of all web pages and other information which appears on the internet. The website gathers information contained on the internet, which is thereafter archived by the website and can be searched through search engines on the website. 50. Not all of the information contained on www.archive.org is available to the public. Any owner of a website can notify www.archive.org that it does not want its past website material to be made public on www.archive.org and, according to the policies and procedures of the website, as well as the security safeguards implemented by www.archive.org and each website's owner's terms of use, such information is not available to the general public. 51. [HAS, Inc.] notified www.archive.org that it wanted its archival material to remain private and confidential and www.archive.org complied with [HAS, Inc's] request by blocking access to [HAS, Inc.'s] archival information. 52. As a result of the security put into place by www.archive.org, any person attempting to retrieve information regarding [HAS, Inc.] received a message advising the person attempting to obtain the information that the owner of the website had elected to deny access to the site to third parties. 53. The Law Firm attempted to obtain information regarding [HAS, Inc.] through www.archive.org; however, when it attempted to obtain the information it received the notice that the information was not available at the request of the owner. 54. Rather than honor this notice, or the terms of use on [HAS, Inc.'s] website, or www.archive.org's website, the Law Firm devised a methodology to defeat the security system that was put into place by www.archive.org. 55. Computer records demonstrate that between July 8 and July 15, 2003, the Law Firm made approximately 849 attempts to access the information regarding [HAS, Inc.] through www.archive.org. Notwithstanding the fact that the Law Firm knew that security was in place to prevent it from obtaining access to [HAS, Inc.'s] information, and the Law Firm actually received notices from www.archive.org that the information was not available, the Law Firm devised a methodology, using multiple computers at its offices, to defeat the security which was put into place by the website for the benefit of companies like [HAS, Inc.]. 56. The Law Firm was successful in breaching the security put into place by www.archive.org on approximately 112 occasions. From a technological standpoint, this meant that the Law Firm was also receiving information directly from [HAS, Inc's] website on each of these occasions, as www.archive.org retrieved or attempted to retrieve information from [HAS, Inc.'s] website each time it was successful in breaching the security. It was a result of this communication between www.archive.org and [HAS, Inc.'s] website that [HAS, Inc.] obtained the web logs memorializing the hacking activity. This conduct constituted unlawful "hacking" activity in violation of both federal and state law, as described more fully below. 57. The Law Firm was successful in executing old HTML pages from the [HAS, Inc.] website without authorization from www.archive.org or [HAS, Inc.], and made copies of the copyrighted materials contained therein. As hinted in there, HAS is of the opinion that this behavior was illegal in five different ways. The court completely ducked the issue by ruling that even if all of this was true, it wasn't relevant enough to the original lawsuit to justify hauling the lawyers into court, too. (Mmm, FRCP 15). As a pragmatic decision, this strikes me as right, because if yourlawyers become your co-defendants, they can't be your lawyers any more. In general, the American system bends over backwards to let people choose the lawyers they want to represent them, and won't undo that choice without damn good reason. The issue may not go away, of course. (Despite the above, lawyers can't just get away with anything.) It could show up in disciplinary proceedings against the lawyers, or, more likely, in a motion for sanctions in the case against the defendants for misconduct, and in a motions to exclude anything these Archive.org hits turned up. Which means that the court may well at some point confront the question in my mind as soon as I saw the case, namely, "What the frick?" I mean, I think I can tell what was going on. HAS wanted to keep information that used to be on its web site out of the case, either because it would hurt HAS's case (by negating the "secret" part of a trade secret claim, for example) or because it had slipped up and put something confidential there that it wanted to retract. Therefore, HAS both changed its site and asked Archive.org to remove them from its index. The other side's lawyers wanted to get at this information, presumably for the same reasons HAS wanted it secret. And then they found some way to "defeat the security" at Archive.org. By this, I am puzzled. Did they actually hack into Archive.org's servers? The complaint seems to suggest not; rather, it was something involving "multiple computers" that convinced Archive.org to serve up old HAS pages (while at the same time making requests for new ones from the HAS servers) I can't really tell whether this involved exploiting a bug in Archive.org, or whether HAS simply screwed up and didn't fill out its robots.txt properly, or something else entirely. But I can say this: HAS is raising a striking issue here: third party standing to sue over violation of various computer security statutes. Take for example the DMCA claim. It presumably runs something like this. Access to our copyrighted works (the web pages) is effectively controlled by the technological measures in place at Archive.org. You circumvented those measures. We were injured as a result (I can see copyright infringement, plus possibly some of the other claims from the underlying lawsuit). Therefore, under sections 1201(a) and 1203(a) of the DMCA, you're liable to us. Ka-pow. In the normal hacking situation where third parties' information is leaked, two things happen. First, the hackee does what it can to come down on the hacker like a ton of bricks. And second, the third parties do what they can to the hackee, a legal fight that usually turns on terms of service or whatever other legal standard the hackee got the information in the first place. It's not the norm for the hackee to be blase in a situation where the third party can find the hacker and haul him or her into court. One for the radar screens . . . _________________________________________ Help InfoSec News with a donation: http://www.c4i.org/donation.html
This archive was generated by hypermail 2.1.3 : Tue Jul 13 2004 - 03:53:26 PDT