Previous Politech message:
http://www.politechbot.com/2005/10/19/more-on-barney/
http://www.politechbot.com/2005/10/17/barney-lawyer-recommends/

-------- Original Message --------
Subject: Comments on "Hacker with a White Hat" article
Date: Mon, 24 Oct 2005 10:18:28 -0400
From: Ronald D. Coleman <rcoleman@coleman-firm.com>
Organization: Coleman Law Firm, a Professional Corporation
To: <declan@private>

Dear Declan,

I notice that, for some cosmic reason, the four-year-old article I wrote with Matthew Carlin when I was a partner at Gibney, Anthony (where I am now of counsel) has gotten a little bit of Internet attention. Not surprisingly, though, your correspondents follow the usual Internet custom, particularly dear to the left wing (if you will) in IP and 'Net governance debates, of both failing to read the material closely and, of course, ridiculing ideas they do not agree with.

Let me first point out that to my knowledge, since the time this article was published, no one -- including the people at Gibney -- has ever actually asked a court for this extreme relief. We recognized then that it was extreme, and we think any judge would recognize it now. We published the article because it seemed like an interesting idea, not because we want to place the Web into the claws of the Evil Purple One.

This could be a little messy, but let me try to address some of the comments.

Hugh Bower wrote:

<<Legitimate ISPs do respond to DMCA takedown notices, although maybe not as fast as some legal eagles would prefer. But if somebody is hosting a web server on their home broadband connection, the ISP can't just turn off the offending website without killing the entire connection. And what should the ISP do if the customer doesn't answer their phone or respond to warning emails?>>

Obviously, we're not talking about legitimate ISP's. We know well how to deal with them, and they know the IP bar, too. The problem is the bad actors.
The major players in the counterfeiting world are not on home broadband connections.

This is a good opportunity to make a point that would not be obvious to non-lawyers, and which in retrospect should have been mentioned in the article just to clarify how the world works. An injunction such as this, even if it were to issue, would almost certainly require the posting of a bond by the party seeking it, which could in theory cover collateral damage costs, though if you made the argument for widespread enough damage, that would not be too compelling. The collateral damage argument is a good point and if I were the judge, I would require a high degree of satisfaction of what measures were being proposed. Jack Lloyd gets at this point, to some extent (i.e., selectivity).

<<There is a presumption of innocence here, so should they be killing people's internet connections every time some trigger-happy litigator sends out a notice?>>

We actually never talked about anything happening "every time [we] send[] out a notice." Our article talks about a lengthy process that is usually reached after many months, and usually more than a year, of litigation, applications to the court, investigation, second, third and fourth chances given to defendants to cooperate, and extensive expense to our clients. The presumption of innocence (this is not a criminal proceeding, so let's call it the burden of proof) has long been overcome by then.

Brad Trusty wrote:

<< I would rather see that than a wholesale change in the direction of hack first, prove your case later.>>

He read your site but not the article. This is not about hacking after proving your case. It's about what a court can do after you prove your case, either preliminarily or upon the granting of a final judgment.
Thomas Leavitt's unnecessarily vitriolic comments deserve more specific responses:

<<a) despite what this idiot may imagine, not every site is vulnerable to being "hacked".>>

Only an idiot would imagine that we ever said it was.

<<b) while it may be true that, with enough processing power, every site is subject to a DOS attack, the side effects (on other sites hosted on the same machine, or network, or on the network between the hacked site and the attack source) of that would probably induce more damage than the "benefit" to be gained by taking the target site offline... in fact, I'd venture to guess that the attacker would assume a rather significant liability risk themselves as a result.>>

I agree.

<<Would it be legally tenable to cut the power to an entire Mall with eighty stores in it, in order to block sales of "replica watches" from a kiosk inside? I hope not.>>

No, Thomas. It would be legally tenable, however, to send the police in to seize the watches, which you can't do to an online store operating from a server in Kazakhstan.

<<c) there are obvious ways around this, anyway... the individuals being attacked could simply set up more sites than could ever be cost-effectively "hacked". I can almost guarantee this is what would happen.>>

That could be. You could impose a significant cost on a bad actor that way, however.
<<d) there is a failure to understand the nature of the technology involved - if I, as a web hosting provider, host a site that is attacked on a system that serves more than one customer, or that I administer directly, the "attacker" is attacking *MY PROPERTY* and threatening the integrity of *MY MACHINE* - the attack is far more likely to exploit some hole in the general operating system code (although I'd hope my system was up to date and tied down enough to not be vulnerable) than it is to exploit some flaw in the customer's code (if, in fact, they have any)>>

That seems like a really good incentive not to ignore judicial orders mandating that you take someone offline.

<<If I have a tenant who is selling replica watches from an office inside my building, should the police be able to break in through the property manager's bathroom window in order to get to him?>>

If the property manager doesn't open the door, of course the police are permitted to do that. That question is "moronic beyond belief."

Jim Davidson writes:

<< As for this Carlin character's idea of hacking on court orders, one would hope he only hacks within the jurisdiction of the court. Hack offshore in someone else's jurisdiction without a corresponding court order, and there will be trouble. And, of course, he who hacks invites hacking. If Carlin thinks he has trouble keeping his web sites operational *now* boy will he lament it when he starts to attack other people's sites.>>

That's a nice point. The problem is not usually one where we can identify a server in a specific lawful jurisdiction, and we wish to do an end-run around that country's laws. No way. Jim's right about that, that would be a really bad idea.

<<Given the many difficulties that would likely arise from this "hacking on court orders" proposal, it might be well to take a tip from Hippocrates and say, "First, do no harm."
Breaching the security of a third party's web hosting service in order to attack a second party who is selling trademark fakes against the wishes of the first party is no way to uphold the rule of law.>>

That's good advice for doctors, what Hippocrates said, but it has little to do with law enforcement, either civil or criminal. All your correspondents seem to be very concerned about the rights of the ISP here, but the scenario in question only contemplates ISP's that do not respond to lawful orders of the court -- which makes them accessories to (in the criminal sense) or contributorily liable (in the civil sense) of the infringement.

Ronald D. Coleman
Coleman Law Firm
A Professional Corporation

1350 Broadway -- Suite 1212
New York, NY 10018
212-752-9500
fax 212-752-9506
-
881 Allwood Road
Clifton, NJ 07012
973-471-4010
fax. 973-471-4646

www.coleman-firm.com <http://www.coleman-firm.com/>
weblog: www.likelihoodofconfusion.com <http://www.likelihoodofconfusion.com/>

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Oct 24 2005 - 07:57:26 PDT