With all the banter about Wikileaks and the reports of attempted DDoS attacks, I thought this might be a good time to explore some of the legal issues that can follow DoS activity. As usual, this isn’t meant to be a comprehensive practice guide or constitute advice.
First, for a primer on denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks, read the Wikipedia article — it’s easy to follow. In the simplest terms, a successfully orchestrated DoS or DDoS attack results in an overloaded network device (e.g., a webserver) such that the device stops responding to requests, or functions only intermittently, for the duration of the attack.
In the United States, participants in these attacks can run into a number of legal problems at the Federal level, both criminally and civilly. For our purposes, there is no need to distinguish the “distributed” form of the attack from the singular (i.e., DDoS vs. DoS), since, as you will see below, a culpable person is one who merely directs the attack at a target.
In terms of criminal violations, there’s the Computer Fraud and Abuse Act (the “CFAA”), which prohibits a person from “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization to a protected computer” (see 18 U.S.C. § 1030(a)(5)(A)). The requisite “damage” element under the CFAA is “any impairment to the integrity or availability of data, a program, a system, or information” (see 18 U.S.C. § 1030(e)(8)), and a “protected computer” is defined as a computer “which is used in or affecting interstate or foreign commerce, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication” (see 18 U.S.C. § 1030(e)(2)(B)).
DoS attacks almost unquestionably fall under the broadly-worded prohibited activity in this portion of the CFAA (“transmitting … information, code, or command”) and would likely meet the low standard of damage (“any impairment to the integrity or availability of data, program, system, or information”). The CFAA may also apply to unsuccessful attempts (see 18 U.S.C. § 1030(b)).
The CFAA also has a civil component, which provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief.” In other words, the target of the DoS attack can sue the individual(s) who were responsible for the damages incurred as a result of the attack (e.g., server downtime, costs to repair, and in some cases lost revenue) (see 18 U.S.C. § 1030(g)). There is a limitation that requires that the damages exceed $5,000; however, some courts have liberally construed its calculation to include consultation services (e.g., IT/security persons) used to assess the extent of damage caused by the attack. Also, this provision does not require that a person ever be convicted before being sued for damages.
Private parties that are an intermediary along the vector of attack (e.g., an ISP) may also have additional legal options available at the state court level. Since most U.S. homes connect to the internet through an ISP, like Comcast, their usage of Comcast’s services is likely subject to a “terms of service” agreement that prohibits DoS attacks and other illicit activities. For instance, the Comcast Terms prohibit “undertak[ing] or accomplish[ing] any unlawful purpose” including “interfer[ing] with computer networking or telecommunications service to any user, host or network, including, without limitation, denial of service attacks, flooding of a network, overloading a service, improper seizing and abusing operator privileges, and attempts to ‘crash’ a host.” Since these terms are a legal contract, it is possible for an ISP to sue a subscriber/user for breach of contract. Similarly, if the target of a DoS attack is a website, website visitors may also have their own terms of service agreement with similar contractual prohibitions. For instance, PayPal’s terms prohibit users from “tak[ing] any action that imposes an unreasonable or disproportionately large load on our infrastructure” under the “Restricted Activities” section. The PayPal terms also list a number of potential remedies the company may pursue for violations — which might include a lawsuit for breach of contract or even on a “trespass to chattels” theory.
Finally, social websites like Facebook also contain provisions within their terms of service agreement that prohibit certain types of unlawful activity (e.g., “you will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory”). Although it would be unlikely for a company to be charged with a crime under the CFAA (at common law, corporations usually lack the requisite criminal intent) for unknowingly hosting a group that encourages participation in DoS attacks, once aware, they most certainly do not want to find themselves defending their inaction in the face of an unlawful situation or facing a civil lawsuit filed by the target website (though it would probably take very unique facts to be successful on the merits). So, it comes as no surprise that Facebook took the risk-averse approach this week by terminating groups that encouraged participation in DoS attacks.
I hope this post clears up some of the misconceptions I’ve heard in passing this week.
Posted in: Commentary on December 12, 2010
Jonathan Zittrain and Molly Sauter posted a great “Wikileaks FAQ” on JZ’s Future of the Internet blog. A portion of the FAQ was also published in MIT’s Technology Review earlier today. Both are interesting reads.
Also circulating in the tech news sphere is that Wikileaks’ payment company, Datacell, is planning on suing Visa and Mastercard after cutting off Wikileaks’ ability to make payments. Of course, this news comes after a number of US-based tech companies terminated or denied various services for Wikileaks after citing terms of service violations. More details available from Mike Masnick at TechDirt.
Posted in: Links on December 9, 2010
Remember Mr. and Mrs. Boring? The Pennsylvanian couple making headlines? … no?
In 2008, they found out that Google Street View allowed users to see into their property from a private drive next to their home. In response, they sued Google for invasion of privacy and trespass. This week, they’re back in the news again.
For the last two and a half years, the case has crawled through the legal system. In February 2009, the District Court for the Western District of Pennsylvania granted a 12(b)(6) motion to dismiss in favor of Google (read the order here) for failure to state a claim. The Borings’ invasion of privacy claims were rather dubious from the start. A plaintiff generally needs to establish that the invasive act caused “mental shame, suffering, or humiliation” that a person of “ordinary sensibilities” would have suffered in the same instance. Without this, a mere photograph of a residential structure, even when taken from private property, without any visible persons, is not likely to survive the threshold motion-to-dismiss stage of a lawsuit.
The Borings appealed the dismissal to the 3rd Circuit, which partially reversed the District Court’s ruling in February 2010. However, the only claim reversed was the trespass claim. Common law trespass is a tort that governs interference with rights associated with real property, personal property, and certain personal rights. The Borings’ best claim here is that the Google car with the mounted camera committed trespass to land when it snapped the photographs. In fact, the photographs appear to offer strong evidence in support of this theory since it would have been difficult for the photographs to have been taken by the vehicle from any area other than the private drive. As I noted last February at the Citizen Media Law Blog, trespass to land claims aren’t much of a risk to the longevity of Google Street View, so long as Google cars aren’t driving across everyone’s front yard.
Trespass to land is simple to understand; it only requires that a person voluntarily enter the property of another without consent. But just because the Borings might have a “good case” on a trespass to land theory, it doesn’t mean they are entitled to millions of dollars. The trespass by the Google car didn’t appear to have caused any actual harm to the property, to structures or items on the property, or to persons. Also, since the Borings couldn’t establish that they suffered any mental shame, suffering, or humiliation, the fact that the Google car may have been trespassing on private property while capturing images doesn’t revive the invasion of privacy claims.
In these cases, if you really feel strongly about the “principle of the matter,” as the Borings seem to, it’s possible to be awarded “nominal damages,” which is akin to saying: “yes, you’re technically correct, but you haven’t suffered any harm worthy of compensation, so here’s a token for the violation of your right.” Considering how expensive it is to obtain a lawyer, file a lawsuit, and pay the associated costs of filing the suit, it’s not very surprising that you don’t often hear about nominal damages being awarded these days.
One last thing. The award of $1 in this case was actually a “consent judgment,” which is procedurally distinct from the damage awards issued by juries that you probably hear about on the news. Consent judgments are usually negotiated settlements between the parties that are adopted by the judge and recorded as part of the case. One purpose of doing this is to bind the parties to the judgment and invoke res judicata on the claims — which prevents the Borings from suing Google again on identical legal claims based on the same facts.
On that note … I should get back to scanning for more sidewalk baby births caught by Google cameras while I finish lunch. Happy Friday.
On Tuesday, November 30, 2010, the Apple v. Psystar case was argued before the 9th Circuit. Groklaw continued its excellent coverage with another post which includes a link to an audio recording (file hosted by 9th Circuit) of the arguments by Kiwi Camara (on behalf of Psystar) and George Riley (on behalf of Apple).
In case you’ve forgotten, Apple filed this suit against Psystar for copyright infringement and breach of contract (among several other claims) after Psystar began marketing hackintosh PCs with OS X pre-installed on the hardware in 2008. Apple’s EULA expressly prohibits using OS X on any non-Apple hardware.
This is one of three Psystar cases going on across the nation. The case at hand was originally filed in the N.D. California District Court, another case was filed in the S.D. Florida District Court by Psystar against Apple, and Psystar also filed for bankruptcy in the U.S. Bankruptcy Court in Florida. Groklaw has neatly organized documents from all the cases here.
It will be some time before the 9th Circuit issues an opinion on the case. It’s worth noting that the arguments before the 9th Circuit are limited to whether the District Court was correct to reject Psystar’s affirmative defense of copyright misuse. Psystar’s opening brief was filed under seal, but Apple’s answering brief and a reply from Psystar are available to catch you up on some of the arguments.
Here’s an interesting factoid to chew on while listening to the recording. According to info on their respective bio pages, Apple’s attorney graduated from law school prior to the year Psystar’s attorney was born. Yikes!
Posted in: Links on December 2, 2010