[Politech] Lawyerhacking defended: Co-author of copyright hacking article replies to Politech [ip]

From: Declan McCullagh (declan@private)
Date: Mon Oct 24 2005 - 07:32:17 PDT

Previous Politech message:

-------- Original Message --------
Subject: Comments on "Hacker with a White Hat" article
Date: Mon, 24 Oct 2005 10:18:28 -0400
From: Ronald D. Coleman <rcoleman@coleman-firm.com>
Organization: Coleman Law Firm, a Professional Corporation
To: <declan@private>

Dear Declan,

I notice that, for some cosmic reason, the four-year old article I wrote
with Matthew Carlin when I was a partner at Gibney, Anthony (where I am now
of counsel) has gotten a little bit of Internet attention.  Not
surprisingly, though, your correspondents follow the usual Internet custom,
particularly dear to the left wing (if you will) in IP and 'Net governance
debates, of both failing to read the material closely and, of course,
ridiculing ideas they do not agree with.

Let me first point out that to my knowledge, since the time this article was
published, no one -- including the people at Gibney -- has ever actually
asked a court for this extreme relief.  We recognized then that it was
extreme, and we think any judge would recognize it now.  We published the
article because it seemed like an interesting idea, not because we want to
place the Web into the claws of the Evil Purple One.

This could be a little messy, but let me try to address some of the

Hugh Bower wrote:

<<Legitimate ISPs do respond to DMCA takedown notices, although maybe not as
fast as some legal eagles would prefer.  But if somebody is hosting a web
server on their home broadband connection, the ISP can't just turn off the
offending website without killing the entire connection.  And what should
the ISP do if the customer doesn't answer their phone or respond to warning

Obviously, we're not talking about legitimate ISP's.  We know well how to
deal with them, and they know the IP bar, too.  The problem is the bad
actors.  The major players in the counterfeiting world are not on home
broadband connections.  This is a good opportunity to make a point that
would not be obvious to non-lawyers, and which in retrospect should have
been mentioned in the article just to clarify how the world works.  An
injunction such as this, even if it were to issue, would almost certainly
require the posting of a bond by the party seeking it, which could in theory
cover collateral damage costs, though if you made the argument for
widespread enough damage, that would not be too compelling.  The collateral
damage argument is a good point and if I were the judge, I would require a
high degree of satisfaction of what measures were being proposed.  Jack
Lloyd gets at this point, to some extent (i.e., selectivity).

<<There is a presumption of innocence here, so should they be killing
people's internet connections every time some trigger-happy litigator sends
out a notice?>>

We actually never talked about anything happening "every time [we] send[]
out a notice."  Our article talks about a lengthy process that is usually
reached after many months, and usually more than a year, of litigation,
applications to the court, investigation, second, third and fourth chances
given to defendants to cooperate, and extensive expense to our clients.

The presumption of innocence (this is not a criminal proceeding, so let's
call it the burden of proof) has long been overcome by then.

Brad Trusty wrote:

<< I would rather see that than a wholesale change in the direction of hack
first, prove your case later.>>

He read your site but not the article.  This is not about hacking after
proving your case.  It's about what a court can do after you prove your
case, either preliminarily or upon the granting of a final judgment.

Thomas Leavitt's unnecessarily vitriolic comments deserve more specific

<<a) despite what this idiot may imagine, not every site is vulnerable to
being "hacked".>>

Only an idiot would imagine that we ever said it was.

<<b) while it may be true that, with enough processing power, every site is
subject to a DOS attack, the side effects (on other sites hosted on
the same machine, or network, or on the network between the hacked site and
the attack source) of that would probably induce more damage than
the "benefit" to be gained by taking the target site offline... in fact, I'd
venture to guess that the attacker would assume a rather significant
liability risk themselves as a result.>>

I agree.

<<Would it be legally tenable to cut the power to an entire Mall with eighty
stores in it, in order to block sales of "replica watches" from a kiosk
inside? I hope not.>>

No, Thomas.  It would be legally tenable, however, to send the police in to
seize the watches, which you can't do to an online store operating from a
server in Kazakhstan.

<<c) there are obvious ways around this, anyway... the individuals being
attacked could simply set up more sites than could ever be
cost-effectively "hacked". I can almost guarantee this is what would

That could be.  You could impose a significant cost on a bad actor that way,

<<d) there is a failure to understand the nature of the technology involved
- if I, as a web hosting provider, host a site that is attacked
on a system that serves more than one customer, or that I administer
directly, the "attacker" is attacking *MY PROPERTY* and threatening the
integrity of *MY MACHINE* - the attack is far more likely to exploit some
hole in the general operating system code (although I'd hope my
system was up to date and tied down enough to not be vulnerable) than it is
to exploit some flaw in the customer's code (if, in fact, they have

That seems like a really good incentive not to ignore judicial orders
mandating that you take someone offline.

<<If I have a tenant who is selling replica watches from an office inside my
building, should the police be able to break in through the property
manager's bathroom window in order to get to him?>>

If the property manager doesn't open the door, of course the police are
permitted to do that.  That question is "moronic beyond belief."

Jim Davidson writes:

<< As for this Carlin character's idea of hacking on court orders, one would
hope he only hacks within the jurisdiction of the court.  Hack offshore in
someone else's jurisdiction without a corresponding court order, and there
will be trouble.  And, of course, he who hacks invites hacking.  If Carlin
thinks he has trouble keeping his web sites operational *now* boy will he
lament it when he starts to attack other people's sites.>>

That's a nice point.  The problem is not usually one where we can identify a
server in a specific lawful jurisdiction, and we wish to do an end-run
around that country's laws.  No way.  Jim's right about that, that would be
a really bad idea.

<<Given the many difficulties that would likely arise from this "hacking on
court orders" proposal, it might be well to take a tip from Hippocrates and
say, "First, do no harm."  Breaching the security of a third party's web
hosting service in order to attack a second party who is selling trademark
fakes against the wishes of the first party is no way to uphold the rule of
law.>>

That's good advice for doctors, what Hippocrates said, but it has little to
do with law enforcement, either civil or criminal.  All your correspondents
seem to be very concerned about the rights of the ISP here, but the scenario
in question only contemplates ISP's that do not respond to lawful orders of
the court -- which makes them accessories to (in the criminal sense) or
contributorily liable (in the civil sense) of the infringement.

Ronald D. Coleman
Coleman Law Firm
A Professional Corporation
1350 Broadway -- Suite 1212
New York, NY  10018
fax 212-752-9506
881 Allwood Road
Clifton, NJ  07012
fax. 973-471-4646

www.coleman-firm.com <http://www.coleman-firm.com/>
weblog:  www.likelihoodofconfusion.com

Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
