[ISN] From the Strange File: Archive.org Hacking in Civil Lawsuit?

From: InfoSec News (isn@private)
Date: Tue Jul 13 2004 - 01:28:49 PDT


http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=1543

By James Grimmelmann 
July 12, 2004

I'm not really sure what to make of this one. BNA mentioned a case
named Flynn v. Healthcare Advocates (not publicly online yet, but keep
checking here). It's just a garden-variety civil lawsuit around a
business venture that never went anywhere. The plaintiff is accusing
the defendants of using the negotiations as a ploy to ferret out
various trade secrets and other confidential information.

Nothing particularly interesting there: just your normal
run-of-the-mill "unfair competition, trademark/service mark
infringement, violations of the Lanham Act (15 U.S.C.  1125(a)),
breach of contract, unjust enrichment, tortious interference with
existing and prospective contractual relations, conspiracy, fraud,
misappropriation of trade secrets and copyright infringement" claims.  
No, what's strange about this case is that the plaintiff tried to
amend its complaint to accuse on of the defendant's lawyers of hacking
Archive.org.

More details inside . . .

First, the relevant portions of the new complaint (HAS is the
plaintiff, and the Law Firm is representing one of the defendants):

49. Between July 8, 2003, and July 15, 2004, the Law Firm "hacked"  
into [HAS, Inc.'s] archived materials on a website known as
www.archive.org. The forgoing website is effectively a library of all
web pages and other information which appears on the internet. The
website gathers information contained on the internet, which is
thereafter archived by the website and can be searched through search
engines on the website.

50. Not all of the information contained on www.archive.org is
available to the public. Any owner of a website can notify
www.archive.org that it does not want its past website material to be
made public on www.archive.org and, according to the policies and
procedures of the website, as well as the security safeguards
implemented by www.archive.org and each website's owner's terms of
use, such information is not available to the general public.

51. [HAS, Inc.] notified www.archive.org that it wanted its archival
material to remain private and confidential and www.archive.org
complied with [HAS, Inc's] request by blocking access to [HAS, Inc.'s]
archival information.

52. As a result of the security put into place by www.archive.org, any
person attempting to retrieve information regarding [HAS, Inc.]
received a message advising the person attempting to obtain the
information that the owner of the website had elected to deny access
to the site to third parties.

53. The Law Firm attempted to obtain information regarding [HAS, Inc.]
through www.archive.org; however, when it attempted to obtain the
information it received the notice that the information was not
available at the request of the owner.

54. Rather than honor this notice, or the terms of use on [HAS,
Inc.'s] website, or www.archive.org's website, the Law Firm devised a
methodology to defeat the security system that was put into place by
www.archive.org.

55. Computer records demonstrate that between July 8 and July 15,
2003, the Law Firm made approximately 849 attempts to access the
information regarding [HAS, Inc.] through www.archive.org.  
Notwithstanding the fact that the Law Firm knew that security was in
place to prevent it from obtaining access to [HAS, Inc.'s]
information, and the Law Firm actually received notices from
www.archive.org that the information was not available, the Law Firm
devised a methodology, using multiple computers at its offices, to
defeat the security which was put into place by the website for the
benefit of companies like [HAS, Inc.].

56. The Law Firm was successful in breaching the security put into
place by www.archive.org on approximately 112 occasions. From a
technological standpoint, this meant that the Law Firm was also
receiving information directly from [HAS, Inc's] website on each of
these occasions, as www.archive.org retrieved or attempted to retrieve
information from [HAS, Inc.'s] website each time it was successful in
breaching the security. It was a result of this communication between
www.archive.org and [HAS, Inc.'s] website that [HAS, Inc.] obtained
the web logs memorializing the hacking activity. This conduct
constituted unlawful "hacking" activity in violation of both federal
and state law, as described more fully below.

57. The Law Firm was successful in executing old HTML pages from the
[HAS, Inc.] website without authorization from www.archive.org or
[HAS, Inc.], and made copies of the copyrighted materials contained
therein.


As hinted in there, HAS is of the opinion that this behavior was
illegal in five different ways. The court completely ducked the issue
by ruling that even if all of this was true, it wasn't relevant enough
to the original lawsuit to justify hauling the lawyers into court,
too. (Mmm, FRCP 15). As a pragmatic decision, this strikes me as
right, because if yourlawyers become your co-defendants, they can't be
your lawyers any more. In general, the American system bends over
backwards to let people choose the lawyers they want to represent
them, and won't undo that choice without damn good reason.  The issue
may not go away, of course. (Despite the above, lawyers can't just get
away with anything.) It could show up in disciplinary proceedings
against the lawyers, or, more likely, in a motion for sanctions in the
case against the defendants for misconduct, and in a motions to
exclude anything these Archive.org hits turned up. Which means that
the court may well at some point confront the question in my mind as
soon as I saw the case, namely, "What the frick?"

I mean, I think I can tell what was going on. HAS wanted to keep
information that used to be on its web site out of the case, either
because it would hurt HAS's case (by negating the "secret" part of a
trade secret claim, for example) or because it had slipped up and put
something confidential there that it wanted to retract. Therefore, HAS
both changed its site and asked Archive.org to remove them from its
index.

The other side's lawyers wanted to get at this information, presumably
for the same reasons HAS wanted it secret. And then they found some
way to "defeat the security" at Archive.org. By this, I am puzzled.  
Did they actually hack into Archive.org's servers? The complaint seems
to suggest not; rather, it was something involving "multiple
computers" that convinced Archive.org to serve up old HAS pages (while
at the same time making requests for new ones from the HAS servers) I
can't really tell whether this involved exploiting a bug in
Archive.org, or whether HAS simply screwed up and didn't fill out its
robots.txt properly, or something else entirely.

But I can say this: HAS is raising a striking issue here: third party
standing to sue over violation of various computer security statutes.  
Take for example the DMCA claim. It presumably runs something like
this. Access to our copyrighted works (the web pages) is effectively
controlled by the technological measures in place at Archive.org. You
circumvented those measures. We were injured as a result (I can see
copyright infringement, plus possibly some of the other claims from
the underlying lawsuit). Therefore, under sections 1201(a) and 1203(a)  
of the DMCA, you're liable to us. Ka-pow.

In the normal hacking situation where third parties' information is
leaked, two things happen. First, the hackee does what it can to come
down on the hacker like a ton of bricks. And second, the third parties
do what they can to the hackee, a legal fight that usually turns on
terms of service or whatever other legal standard the hackee got the
information in the first place. It's not the norm for the hackee to be
blase in a situation where the third party can find the hacker and
haul him or her into court.

One for the radar screens . . .
 


_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html



This archive was generated by hypermail 2.1.3 : Tue Jul 13 2004 - 03:53:26 PDT