Speaker today is going to be Jennifer Granick. Okay. Hello everybody. Thank you for coming to our talk today. I'm Jennifer Granick. I'm the Civil Liberties Director at the Electronic Frontier Foundation. Thank you very much. It's nice to be back. Very nice. And I'm going to talk to you today about two cases we did in the past year having to do with computer crime. I'm going to have with me two of the lawyers who have worked on these cases, who work with me at the EFF. I have Kurt Opsahl there on the end. He's a senior staff attorney. And Marcia Hofmann, who's a staff attorney with EFF. And they worked on these cases with me. And in fact, one of the cases I'm going to talk about is a case that happened here at DEF CON last year. And Kurt and Marcia were our lawyers here on the ground. So they know everything that happened in this event. And my goal here is to... Okay, this is working. My goal here is, through telling these two stories about these two computer crime cases, to illustrate something to you about the law that applies to computer crimes. And then also to maybe help draw some lessons so that people can avoid getting themselves in trouble the next time. Because as much as trouble can be fun for lawyers, it's usually not fun for people. And we want to help people stay safe to the extent possible. In order to do this, I'm going to talk a little bit about the computer crime law overall, particularly the federal law. I'm going to talk about the MBTA versus Anderson case, which is a case where the Boston Transit System sued three MIT students who wanted to give a talk here at DEF CON last year. And Kurt and Marcia were lawyers on that case. I'm going to tell you a little bit about the United States versus Lori Drew case, which has been very influential in some other kinds of computer prosecutions. And then I'm going to tell you about another case we did involving a student at Boston College. And then hopefully some lessons.
Okay, EFF, we got some applause. We have a short period of time here, so I'm not going to go too far into this. But I do want to say that we have an Ask EFF panel today at 4 o'clock. If you have questions about the work that we do, or if you have questions about the work that you do that are of a non-confidential nature, then I would suggest that you come to that panel and we'll be there to just answer questions and talk about stuff. If you have questions of a confidential nature, you know who we are and we're around to try to help you guys to the extent possible. And if we can't help you, then hopefully we will be able to find you somebody who can. Okay, the Computer Fraud and Abuse Act is a kind of long federal statute. It prohibits computer crimes and has several different sections to it. And I'm just showing you what the sections are here. A very interesting aspect of it is it has a civil cause of action. So a lot of the case law in the Computer Fraud and Abuse Act, which is primarily a criminal statute, has developed in the civil context. And I think that that's been a real problem with the statute. It's like people, judges, litigants look at things in a civil context where all that's at stake is money, quite a bit different from how we hope that they would look at things and be very rigorous about the application of the law when the law is the difference between freedom and imprisonment. Okay, so there are a number of different provisions in the statute and I am going to focus on this one and another one. So the unauthorized access statute, okay. Basically this is what the section of the statute says. It requires two essential things, which are the acts that transform your behavior from legal to illegal. A, you access a computer, and B, you do it without authorization or in excess of authorization. And the case law has said that basically anything is accessing a computer. You send it a packet, you look at a web page, whatever it is, you've accessed it.
So that's really not a meaningful distinction. It's like you used a computer. So what does it mean, without authorization? This is the thing that should be the major distinguishing factor then. And the case law, again, is unfortunately really broad about what's authorized and what's not authorized. I mean, all of us use computers every day where we don't have any kind of written permission or anything like that. So what does it mean for it to be authorized? And as I said, in these civil cases and some other contexts, the definition has been read very broadly. In some cases it's like these former employees who simply are acting against their employer's best interests when they access their accounts on the computer, and the courts have said, well, you know you're not supposed to do it, so you are acting without authorization. There are other cases that say the opposite. And then there's the Lori Drew case, which we'll talk about in a little bit. So this is one of the major provisions of the federal criminal statute, and most of the state statutes mirror the same idea of access without permission or unauthorized access. Every one of the 50 states has a computer crime statute. They all differ really widely. Some are worse than the federal statute, hard to say, and some are a little bit better. Okay, the next important provision of the CFAA is this provision, which is about transmission of a program, information, code, or command that causes damage to a computer. Transmission of information. Okay, keep that in mind. So MBTA versus Anderson. Anybody remember this talk from last year? Okay, yeah. So some people wanted to go. It was a talk given by three MIT students. We're really sorry that they couldn't be here today to talk with you guys about their experience. They're off doing other stuff. So that's too bad.
But basically what they did was, for a class with their professor at MIT, they studied the security of this transit system, including a MagStripe card and an RFID stored value card that was being implemented and rolled out in the Boston Transit system. And basically what they did was they totally compromised the MagStripe card, and they had some theoretical ways, based on the protocol, that they thought the RFID card was totally broken too, and they did this whole reverse engineering of it and everything. So they wrote a term paper about this for their professor, Ron Rivest, who's a very well-known, very well-respected computer scientist. They got an A. And then they decided, that's important. You'll see why it's important. You know, we'll talk about this sort of later on, because this is the stuff that we need to tell the judge about why these kids aren't a bunch of punks that we shouldn't care about, and we have to have some respect for what they're actually trying to do here, and it shows that their research is sort of legitimate. We'll talk about this more. So then they decided to give their talk here at DEF CON last year, and they called their talk Anatomy of a Subway Hack, and in the abstract for the talk, they promised to teach DEF CON attendees how to get free subway rides for life. Who wouldn't want that? Okay, one thing that they did do was, before the talk, they met with the MBTA, that's the Boston Transit system, and they told them about what they had found, and they met with an engineer there, and what the MBTA said was, you know, we really don't like this free subway rides for life part. Can you change it and make the abstract less sensationalistic? So we did that and everything seemed fine and we came here to DEF CON. I was actually here just for Black Hat last year and then I left, but DEF CON started. It was Friday, just like it is today, and Marcia and Kurt were there, and we'd talked to a lot of people before giving their presentations.
We talked to these guys, but we thought basically everything was fine. So if you guys want to take over and tell the story from here, please.

So yeah, on Friday afternoon we're thinking all is well. We had a few minor issues that had come up prior to that, but we're thinking things were pretty much moving in the clear legally, when all of a sudden we found out that a lawsuit had been filed. The lawsuit had been filed that afternoon in Boston, Massachusetts, and it was filed at the end of the day there with no notice being provided to the students. We did find out about it ahead of time because MIT had been provided with some notice, and they filed a complaint, a temporary restraining order application, a declaration, seven exhibits. These are things that take a while to produce. It's not something you sort of decide to do and then half an hour later you're filing it in the courtroom. So there certainly would have been time to give notice, but nevertheless no notice was given, no opportunity for any attorneys to represent the students before the court that Friday afternoon. It was filed so late in the day that the duty judge out there in Massachusetts got it. After the court sort of closed for the week, one judge has the short straw, who has to be the duty judge for the weekend in case emergencies came up, and the MBTA contended that this was one of those emergencies, and they wanted to get a temporary restraining order right then and there on the spot Friday evening. So let me just flip over. These are some of the other things they wanted. So they said that this was a violation of the Computer Fraud and Abuse Act, which is the main federal cybercrime statute. And they also had a claim against MIT saying that MIT had negligently supervised the students.
It was a class project, and so they felt that MIT was on the hook, and the Computer Fraud and Abuse Act claim was sort of the reason that they were in federal court instead of the state court; they had a whole bunch of state claims as well. Yeah. And here's the stuff that they were asking for. Just to sort of point out, they wanted treble damages. They wanted a gag order that would have prevented the students from even saying that the security was compromised. They wanted something where we didn't imply that MIT had approved of the research or the presentation in any way. They certainly didn't want our clients to say free subway rides for life, and they wanted the students to be forced to provide their research to the MBTA, even though they had had this meeting with them beforehand. Of course they didn't mention the meeting in any of these lawsuit papers that were filed. So you want to talk about maybe the gag order part a little bit?

Indeed. So the gag order was very interesting because, in addition to saying they couldn't give the talk, it went a little bit further, in particular that they couldn't indicate that the security of the subway system had been compromised. Which is kind of an interesting thing, because the lawsuit itself indicates that the security has been compromised. So I guess if their gag order had been issued as written, they couldn't even mention to anybody that the suit had been filed. It made no sense. In fact, this was filed on the public docket, so anybody who looked at the docket could tell that there was at least a claim that the security had been compromised. So they're like, why did you get sued? And they're like, I can't tell you, man. I'm sorry. But read their papers. So we want to talk a little bit about how you met the students and what happened next. Absolutely.
So one thing that we've started to do as part of the Coders' Rights Project is to be available to speakers to talk before a presentation is given about some of the legal issues that might arise, talk about some strategies that might be necessary, and to sort of get a heads up as to where trouble might arise. And that year we talked to a number of different people, and we actually were relatively satisfied in this case that it wasn't going to be a big problem, because on August 4th, the Monday prior, there had been a meeting that had gone well. Do you want to talk a little bit about the booth or the EFF is in process? Why don't you take it from here, because you talked to them first. I'll jump in when I come in.

All right. Yeah, so that Friday afternoon, we were tracked down. I believe I was over at the shooting gallery, the EFF fundraiser. You can go shoot at the screen, practice your shots and raise some money for us. Please all go try that. And someone came up to me and said, oh my god, we have an emergency. A lawsuit has been filed. So we immediately began to round up the troops, ended up going up to Marcia's room to have a little bit of privacy and start trying to figure out what's been going on, trying to get a copy of the papers that had been filed. It's actually a fairly difficult thing to do, to figure out what's been going on from 3,000 miles away from the courthouse without the papers involved. We already mentioned this, but I just want to underscore: the way that we found out about this lawsuit was the general counsel at MIT had apparently been notified by the MBTA that this lawsuit was in the works. And they called the students to let them know. And that was how we found out about it. And at that point, we started trying to reach out to the MBTA to find out what was going on. And it took us quite some time to really get into contact with somebody representing MBTA and to get copies of the papers.
We actually had to wait until the papers came up on the court's electronic docket. Yeah, we ended up getting the papers directly from the court. There's an electronic filing system that the federal courts use, very handy stuff, so you can get a hold of a docket. And one thing which was really nice, it's on the next slide, was the support that DEF CON provided us. They were able to give us access to what probably was the most secure connection to the internet in the hotel. Thanks a lot. Which we really appreciated. So we got some private space to work in and were able to get on the internet and be able to do attorney-client privileged communications and work-product communications in a more secure environment than we might have if we just got on the Wi-Fi here. Yeah. I learned that the year before when somebody sniffed my password during the Mike Lynn case. Thanks. And one thing, so what ended up happening was that the court in Massachusetts was unwilling to issue the gag order immediately. At least it wanted to hear from us. So it put off the hearing until 11 o'clock East Coast time the next morning, which was to say 8 a.m. our time. So we had about 12 hours to prepare for our hearing, because this was all sort of coming down around 8 in the evening before we sort of got this sorted out. Now that's not a whole lot of time to prepare for a hearing, to file some papers, to get a briefing. And one of the things that is sort of very nice to do is to tell our side of the story, and to tell our side of the story it was helpful to get an expert declaration. Get somebody who is not our client but a third party who has some expertise in this area of technology to explain to the court. The court doesn't know anything about these sorts of technologies. And to explain to the court a little bit more about what's going on. Ordinarily it would be nigh impossible to find a qualified security expert at 8 o'clock on a Friday night for 8 a.m.
Turned out, however, at DEF CON this was not impossible. In fact, we had some really great support. So a lot of thanks to Eric Johansson for providing that expert declaration, staying up most of the night with us. Robin Wagner, an attorney, also worked with us and worked with Eric to put together that declaration as we pulled our collective all-nighter to prepare for the hearing the next day.

You know, that's one of the things, just back to the point Kurt made before about how much time it takes to put together a lawsuit like that. I mean, we were up all night trying to, you know, research and brief and get the expert declaration and stuff like that. You multiply that by lawyers' hourly rates. You know, just filing this lawsuit was, you know, a multiple-thousand-dollar sort of ordeal; you'd think that we would have merited a phone call ahead of time. Okay. So we had a hearing. The hearing was set for Saturday and we had the hearing that morning. I argued it. I appeared by telephone from our office in San Francisco, and then we had the students and the other lawyers on the case, who all were here. We were in a hotel room huddled around an iPhone listening to it on speaker. So that's a very interesting way to participate in a hearing. Yeah, really being able to, like, exercise your advocacy skills to great effect under this thing. And of course the Boston people were all there, and the judge, who was the duty judge, decided, okay, well, they asked for this really broad gag order. I'm not going to give them that gag order, but I am going to issue a gag order, okay? And then this is the gag order that he issued. So, and here we are. They're like, he's like, I'm not messing with your free speech. Go ahead and give your talk, but just don't do this. So now we're the lawyer. Put yourself in the lawyer's shoes, right? Okay. We definitely don't want our students to violate a federal court order.
How do we know what information would assist another in a material way, whatever that means, to circumvent or otherwise attack the security of the fare media system? We have no idea. I mean, just say, yeah. An example: if it was read broadly, if the students handed out a copy of Applied Cryptography to somebody, that would be information that could assist in a material way to circumvent a security system. Basic educational tools are information. And while we fundamentally disagreed with the interpretation of the law, and I think we're going to get into this in more detail in a minute, the statute talks about transmission of information. And as it was ordinarily understood, up until this point, that meant sending something over a wire to hack a computer. As the MBTA said that should be understood, that was talking at a conference. And that's a very novel interpretation of it, but if the court ended up agreeing with it, then virtually anything that you might do that could be construed as assisting somebody in figuring out this hack would push and perhaps violate the court's order, presenting a tremendous amount of risk for the students.

Yeah. So that seems so obviously wrong, doesn't it? I mean, it just is like the computer crime act just doesn't seem to regulate talks you give at conferences. So how did that happen? What happened? First of all, judges don't know. There's a lot of fear. And you have the MBTA coming in saying, our security's going to be horribly compromised, and you've got these punks who want to give their talk at their little hacker conference, like this is not important. Time's not of the essence. We don't have to worry about this. This is not really important to worry about compared to this danger that could happen to the system. And judges who don't understand have a lot of sympathy for this idea, saying something to the contrary, but this judge on this Saturday said, you know what, you just don't do anything, and so we couldn't give the talk.
So now we made a motion for reconsideration, saying, like, okay, this is clearly wrong. And we tried to sort of further promote the atmospherics of the case by getting a letter from computer scientists saying, like, look, this is what is done. You know, this is how things go. We put in a declaration about the fact we had the prior meeting with the MBTA, which they had elided in their earlier papers. The Computer Fraud and Abuse Act doesn't apply. Okay, this was the provision that they sued under. And this is what it says. And as Kurt said, they are arguing that the term transmission includes a verbal communication. And that's, you know...

Well, I want to just mention one thing about the prior slide, the letter from the computer scientists. And this was also something that was really handy and really useful to turn around, again on very, very short notice, and get a real who's who in computer science who was able to sign this letter and show to the court that this wasn't a story about some kids who were just messing around, but this was something that was important to the very science of computers. That people who were respected academics from top institutions in computer science also thought that this was a very important issue, and it changed the atmosphere of the situation considerably. So we really appreciate that the computer science community was able to come together on short notice and help out on this.

Okay, so another thing that the MBTA was arguing was they said, look, this isn't a speech issue. This is a responsible disclosure issue. We're not asking you to do anything that's not normally done. It is the common practice in the computer security industry to follow responsible disclosure. And what responsible disclosure means is you don't tell anybody anything until we've had a chance to fix it. And here's just a little snippet of the brief where they argued this.
They quoted Microsoft and they quoted Google, and they said, look, we're not asking you to do anything that people don't do all the time. There's no idea of the subtlety of responsible disclosure, or any of the complexities that have to do with what the issue is, or if the vendor can fix it, or the danger to the community, or any of that stuff, or a sense of the idea that responsible disclosure may be a personal practice or an ethical practice or a preferred statement of some of the players in the industry, but it's not a crime not to follow it. And it really presents this real disparity, or sort of imbalance, because we're in a position where, if we say anything and the court doesn't think it was in accordance with the court's order, our students can be held in contempt, whereas the MBTA can file whatever they want on the public docket and it's like, whatever. So we were very surprised, actually, sometimes at some of the stuff they put in the public docket, because it was stuff that our students were not going to present during their talk. So we argued, certainly we argued the First Amendment, and we said, look, this is a speech case. You can't have a prior restraint against speech. This isn't just some little thing; this is a fundamental constitutional violation. And then we were scheduled for a hearing on Thursday, August 14th, before the regular judge. So maybe you want to talk a little bit about some of the litigation-y stuff that happened before this hearing.
Well, and I do want to just mention, so the students pulled their talk, as most of you know, but that gag order was still in place, and there were a lot of questions that people had, and there were a lot of reporters here who wanted to report on the issue, and they were in this position where not only could they not give their talk, but moving forward they couldn't talk about this either. And so we kept fighting over this, and we were working to get the gag lifted, and so the second hearing in front of the real judge in the case was how many days later, Jennifer? It was the Thursday, so it was Saturday to Thursday. So we ended up working extremely hard over the next several days trying to file papers to show the court that the TRO should not have been issued and at this point the gag needed to be lifted, and there was a tremendous amount of paperwork filed on both sides. The MBTA was very, very aggressive. We had many, many, many docket entries. Usually when you look at a court docket it takes a long time for the filings to really rack up, but we had close to 80 filings over just the course of several days. It would ordinarily take months and months to sort of reach that number of filings. We were, I think, averaging about six filings a day, when you might go 20 days to a month between filings in a regularly paced litigation. And this is a strategy that sometimes is out there, to sort of bury the other side in paperwork or make things very difficult with filings, and that actually can be a very effective strategy, especially if the defendants are in a position where they have to pay for their counsel and may not be able to afford to have counsel deal with all this sort of deluge of paper. But we provide our legal services pro bono and actually sort of enjoy getting into the trenches, and so we were able to round up the troops necessary to deal with this onslaught and push back as hard as we could.
It didn't kill us, only made us stronger. But the way they were was to be like, we'd be on the phone with the main lawyer, who was this guy from this outside firm, Lord only knows how much he cost Boston, and he'd be talking to us like, I'm sure we can work it out, we can negotiate something, it'll all be fine, here's our proposal. And then of course we're sort of obligated to take proposals to our clients, and we're like, well, we don't think that's going to fly, but we'll talk to our clients. And we'd hang up the phone, and 30 seconds later across the electronic filing there'd be, like, five new briefs and a whole bunch of arguments. They filed stuff half an hour before the hearings. They filed it for the last hearing; they filed stuff while Marcia and Cindy, who were going to argue the case, were in the air. I mean, it was really sort of, they were distracting us with the one hand while filing stuff with the other hand. We were like, okay, well, that's fine. And I'll tell you, the paperwork got much easier to deal with when the law firm of Fish and Richardson started to help us out. We got some tremendous, tremendous help from them, again pro bono, totally for free, even though for most clients they charge hundreds of dollars an hour, and they were just instrumental in the case as well.

Yeah, absolutely. Thanks for mentioning them. I mean, that was really, they were super helpful, and it made us feel a lot better knowing that there was going to be a team of paralegals who were going to be able to put all our papers together into the right format and get them filed. So that was awesome. Okay, so we had the hearing on, oh, I'm sorry, so we had the hearing on Thursday. I argued it, and the judge was like, I really think I need to know more, so why don't we let there be more discovery and we'll talk about this another time; we'll talk about it on Tuesday. And then Marcia went to the hearing on Tuesday with Cindy Cohn, who's our legal director. So you want to talk a little bit about that?

Yeah, absolutely. You know, again, it was a
situation where, you know, we walk into the courtroom and the opposing attorney comes and hands us things that he's already given to the court, and, you know, is hoping it will be decided right there before we've even had time to read them. There was the paper that, fortunately, you had to stop over on your flight out there so you could read the paper. Well, yeah, exactly. When Cindy and I were flying out there, we had some difficulties, and our flight kept getting pushed back. We ended up taking basically a red-eye out there, but the red-eye wasn't a direct flight; we had to stop in, like, I don't know, Phoenix or something, and we were actually able to download some papers that they had filed, you know, an hour or two before, to read right there, that otherwise we would not have seen until, you know, we arrived at, like, six in the morning. You know, we arrived basically at dawn, and then the hearing was at nine. And Cindy was just amazing, total champ, and she got up there, and, you know, I don't know how many of you have heard Cindy speak, but she's, you know, a wonderful, charismatic speaker, and she's of course like that in court as well. And the judge was very interesting. You know, he listened to what Cindy had to say, he listened to what opposing counsel had to say, he really didn't ask any questions, and, you know, they went back and forth and spoke for quite some time, and at the end of it, it seemed pretty clear to us that he had made his decision before he even walked in the room. He seemed to be reading off a piece of paper his decision that in fact what the MBTA was saying violated the law probably didn't, and the gag order was not appropriate, and he lifted it at that point.

Yeah, he lifted the gag order immediately, which was great, and we were super happy. So how did we win this case? Was it the First Amendment that prevailed, and all of our glorious arguments about the importance of the Constitution and free speech and academic sharing of information? No. It was a comma. Remember the
Computer Fraud and Abuse Act section that I showed you? There is a comma in it, and what we argued was that when Congress wrote this statute and put that comma there, what they meant was that the transmission of information and the damage caused must both be to a protected computer. The transmission cannot be to an audience, or to an unprotected computer, or to a dog, or whatever, because then, and this is why you hire a lawyer, that would not require that comma. And so when Congress put that comma there, Congress meant that both the transmission and the damage had to be to a protected computer, and since the conference wasn't a protected computer, the CFAA didn't apply. Okay, so so much for the First Amendment. We won, and because they dismissed that case, there was no federal claim, the motion for the preliminary injunction that they had filed was denied, and the gag order was lifted. So somebody asked this question at Black Hat, so I'm just going to kind of address it here: like, were we sad that the First Amendment hadn't been the vindicator of rights? And I think that we get into this because we care about the free speech rights; like, that's the part that matters to us. But this result is actually far more powerful in terms of settling this issue, because the First Amendment has its standards, and you can look at it differently maybe under certain circumstances, and there's sort of imminent danger and all of these other things about First Amendment jurisprudence. But this is pretty clear: giving a talk at a conference is not a transmission to a protected computer; the CFAA doesn't apply. So we were very happy with this result, and after that, basically, they dismissed the lawsuit, the students met with the MBTA and told them everything they knew, and everybody happily went off into the sunset, and there were no further problems to be had. So all in all a slog, very difficult, but a joyous end. So okay, now I'm going to talk a bit about our Boston College case, but before I talk about this
case I have to tell you a little bit about the Lori Drew case. Now this case, sometimes people refer to it as the MySpace Suicide case, so maybe people have read about it in the papers or something. Lori Drew is the defendant in this case, and basically what happened is this Missouri housewife created an account on MySpace using a false name that purported to be a teenage boy. This fake teenage boy, through various people, had communications with a teenage girl neighbor, said mean and hurtful things to her, and the girl killed herself, committed suicide. There was no Missouri law that covered this, so a prosecutor, a United States attorney in Los Angeles, brought federal charges, criminal charges, under the Computer Fraud and Abuse Act against the Missouri housewife and had her stand trial there. Basically what they argued was that MySpace tells you that you can't give false information in their terms of service, so when you give false information, like your false name or false age or something like that, you violated the terms of service, and if you're not using the service in accordance with the terms, then you are not authorized to use the service, and unauthorized use of the service is unauthorized access, which violates the federal criminal law. Okay, so this was their argument. We filed an amicus brief in this case arguing that that's not what the Computer Fraud and Abuse Act is about, that violating a terms of service, which isn't even really an enforceable contract, can't possibly also be a federal crime. And the judge, the woman was convicted of a misdemeanor, and then the judge a couple of weeks ago overturned the conviction, but he hasn't issued a written order yet. And of course this is a ridiculous type of argument, because if you think about the types of terms of service that are out there, basically if you use Google and you're under the age of 18, you're committing a computer crime. And then one of the other examples that we gave in the brief was match.com, and
match.com has this terms of service that says you can't use the service unless you are single or separated from your spouse. So, I'm married, so I wasn't able to go look this up; we had to get another person to go look it up, because, I don't know, the lawyers were not the clients, so I didn't want to get in any kind of trouble. But it was like, look, judge, this is ridiculous.

So it was in this atmosphere, of this very loose idea that lots and lots of things are unauthorized access, and just not even listening to a terms of service is one, that this Boston College case came up. And basically a student at Boston College was accused of sending an email about his former roommate claiming that the former was gay and coming out of the closet, and the email came from whatever the acronym was for the Boston College Gay, Lesbian Association at yahoo.com. Here's the email. And they did some investigation and thought that they had traced this email to our client, Calixte, and they sought a search warrant to search his room. And the search warrant said, you know, here we have some reason to believe that he sent this email, for other reasons to believe that he is a nefarious computer hacker: because he is a computer science major, considered master of the trade among his peers; he is employed by the IT department, so he's a master of trade. And they said, well, you know, and it is not uncommon for him to appear with unknown laptop computers, he says, or given to him for fixing. What part of "he is employed by the IT department" did we miss? And then of course the icing on the cake: Calixte uses two different operating systems to hide his illegal activities; one is the regular BC operating system and the other is a black screen with white font which he uses prompt commands on. We can't make this stuff up. So, you know, we were like... and I know, you know, for those of you who followed this case or read Slashdot and that sort of thing, there was some discussion out there on whether we really misrepresented how ridiculous this
was, which is one of the reasons why I include the actual snippet from the search warrant. This wasn't like, oh, he's familiar with his computers and he knows he uses Linux or something like that. Of course he was familiar with the computers; they were roommates for a year or something like that. This is like, look, two operating systems hides his illegal activities, and one is regular and the other is this suspicious black screen white font thing. So I use this.

So, okay, and they said sending this email violates the Massachusetts computer crime statute, and I hope that this provides a thoughtful counterpoint to what the federal statute is. So one of the statutes is obtaining computer services by fraud or misrepresentation. You send an email through Yahoo; not even clear how that could even arguably apply. The second statute they claimed it violated was this unauthorized access to a computer system, and this is a really interesting counterpoint, as you see. Okay: you, whoever, without authorization accesses... should be, is punished, and it's a crime. And then the statute goes on to say, it has this interesting additional sentence, which is that the requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users. Well, what exactly does this mean? This is really interesting, and it's not in the federal law. Basically what we're saying is, look, the Massachusetts statute requires there to be not some sort of like, oh, you acted bad, or you violated the terms of service, or you probably shouldn't have done it, or, you know, your boss wouldn't like it, or it wasn't nice, or any of this stuff that this broad interpretation of the Computer Fraud and Abuse Act has allowed it to be abused for but is ridiculous to make a crime. We said Massachusetts has done much better in the way that they have drafted their statute. They've said, look, we're looking for circumvention of some kind of safeguard, something like that, and that's what gives the user, that's
what gives the user notice. And they said, okay, so sending this email from whoever at yahoo.com violated both these statutes, and the judge issued the search warrant, and the search warrant let them go into his room, our client's room, and here's what they seized. So, sending an email... let me say a little bit about... I know, let me say a little bit about search warrants for those who are too familiar with it. A search warrant basically is an authorization from a judge that allows law enforcement to go into, or invade in some way, your expectation of privacy and look for evidence of a crime. Okay, so into your house, or, you know, into your... you know, not car, because cars are sort of a strange special thing, but like to go into your office or that sort of thing. And they have to show probable cause that evidence of a crime will be found there. And what's probable cause? It's probable: more likely than not. And so the officer files an affidavit explaining the facts about why he thinks it's probable; he files it under oath; a magistrate, some kind of judge or some independent party, reviews the affidavit and makes a purportedly independent decision about whether this is actually something that's worthwhile invading somebody's privacy for. It's our constitutional privacy scheme. There's other, you know, statutory bases for privacy and everything, but this is basically the thing.

So in order to go into his room they had to get the search warrant. They got the state... they filed this ridiculous affidavit, the judge signed off on it. Actually it wasn't even a judge; they have these clerks who review the search warrants in Massachusetts, who are like commissioned by the judges to look at these, and I would love to see the statistics on how many of these they kick back and say to the officer, like, no, I don't think so, you didn't do it this time. So their hand probably gets very tired from signing these things over and over again, and so they said, oh yeah, sure, seize everything. And so here's what they seized: his cell
phone, his iPod touch, his camera. Like, how is evidence... even assuming that sending this email is a crime, how are any of those things going to contain evidence of that crime? Thank you. Okay, ridiculous, right? And his two Linux CDs, aha, there we go, because you know what that was for. Okay.

So what the government argued, the Commonwealth of Massachusetts argued... here's their portion of the thing, but here's what they said: sending these emails, which purport to be from another individual, you could infer that doing that violated the Boston College computer use policy. We haven't shown you a policy, we don't know what the policy says, there's nothing, but people know this is the kind of thing that you're probably not allowed to do, and so when you sent it, that probably constituted the crime of unauthorized use of a computer. This was their argument.

So Massachusetts has a really weird procedural thing that allowed us to get before a judge from the highest court in Massachusetts relatively quickly: you can appeal, and if a single judge of the court wants to take your appeal, then they do. And here is how the judge... you know, we argued this, and here's how the judge dismissed this issue. And when she says "the judge," she means the judge below. So this is the Supreme Court judge writing: "As the trial judge observed, the sending of emails from public email services does not seem to constitute the crimes of obtaining computer services by fraud or misrepresentation or unauthorized access to a computer system. The Commonwealth's claim that such an email might be unlawful because it violates a hypothetical internet use policy maintained by BC both goes well beyond the reasonable inferences that may be drawn from the affidavit and would dramatically expand the appropriate scope of the statute." Okay, so what we have here is two grounds: A, they didn't bring the facts before the court to suggest that this was true, or before the person who signed the search warrant; and B, that's just not what
Massachusetts prohibits. So a really resounding statement in this published opinion saying, Massachusetts computer crime statute: no way could you have one of these terms-of-service-type crime prosecutions under this statute. So again a major victory for us, something we're super happy about, because otherwise basically what happens is you put any old thing up in your terms of service, and then when a company doesn't like what you did, they can just turn around and say, okay, well, that was in our terms of service, you didn't do that, so we think that you violated the law and we're going to refer you for criminal investigation and potential prosecution. And, you know, for users who want to use the internet and be anonymous and hide themselves from advertising and all of that stuff, it is just simply not a tenable position.

All right, so what are the lessons that we can learn from both these cases? Computer Fraud and Abuse Act is dangerous; stay away. That's why we have the fire extinguisher up here. I was talking about the Computer Fraud and Abuse Act; they brought it up because, you know... okay. Computer Fraud and Abuse Act is dangerous. Okay, I've shown you in these two cases two really kind of scary ways in which the computer crime law has been arguably stretched to cover this stuff, and even though we won these cases, it can provide a real kind of fear, because there's uncertainty and people don't know, and it's kind of a chilling effect.

Instructional speech is less likely to be protected by the courts. So, you know, anything that makes the court feel like you're teaching somebody else how to do a bad thing, they don't like that. And code they feel even more strongly about, like, if code can execute, so it's a little bit like a tool, even though we know this is speech and we know that it's useful and code communicates ideas. Courts are more suspect about instructional speech.

First contact situations are the hardest. I mean, a lot of us have followed, you know, kind of the responsible disclosure debates and all of this
stuff, and how various software companies have dealt with it over time, and I think what we've really seen is that software companies have come to understand that vulnerability disclosure is part and parcel of their business and they need to deal with it, whether they let you know... even if they don't like it. But you get somebody who's never dealt with something like this before, like the Boston transit system or the San Francisco Department of Parking and Traffic or, you know, any one of these RFID card manufacturers, or, you know, any one of these types of companies who haven't really dealt with this all that much, and sometimes their first reaction is fear.

Okay, atmospherics matter. So, as we talked about, you know, there's a lot in the case about these kids and their DEF CON thing, and them being punks and not being important, and we were really trying to counter that with declarations from experts and from computer scientists and academics saying, you know, this is legitimate research, this is speech, this is something that we really can care about. You know, I think that if it, you know, hadn't been for the free subway rides for life, this talk might have raised a lot less hackles in the MBTA. And, you know, this is always a difficult thing when you're a lawyer, because you're trying to help your client sort of mitigate risk, and I tend to be a little bit on the kind of extreme side of this, and, you know, I think that hyperbole and puffery and making the talk seem fun is a really important part of communicating ideas, and I think a really important part of what makes DEF CON really fun. On the other hand, you know, if you say something that's going to freak the judge out and scare the shit out of the company, then you're going to be more likely to get unwanted attention. So it's always a little bit of a balancing there, and we try really hard not to be the Scrooges who say don't have fun, but, you know, it's choices that people have to make.
Litigation can be grueling. I mean, those two or three weeks in the Boston College... in the MIT case, was brutal. I mean, I lost my glasses, nobody was sleeping, they were on the red eye, the students were really... it's under a ton of stress for them, you know, because they need to provide declarations, and if there's discovery they need to be around to give us information and stuff. If you make the choice, and some people here at some point in their lives and their professional careers may, if you make the choice that you're going to go ahead and do something that you think is a little bit legally risky and you're ready to deal with the problem of litigation, be psychologically prepared for the litigation and the grueling aspect of it that's going to come later, so that you can weather that well. The excitement wears off and it becomes a slog, which we enjoy, but, as I said, normal people don't. And then I think also a little bit about the issue of responsible disclosure being like maybe it's an evolving norm that's subtle and has a lot of aspects to it, but not a legally enforceable requirement backed up by the criminal law.

What can you do? Don't agree to terms of service if at all possible. If you're going to do research or any kind of reverse engineering or that sort of thing, get a legitimate, non-infringing copy of the software you're going to look at, from somewhere like eBay or something like that. Don't infringe, and try not to click "I agree," because courts will look at that and say, well, you clicked "I agree," so, you know, you're more likely to be held accountable to the terms of service. If possible, get permission for your testing. If possible, test only on your own systems. If you can load all the software on computers you own and hack your own computers, then you don't have to worry about the Computer Fraud and Abuse Act and causing damage to other people's computers. And think about, you know, as you present your research, the idea of the atmospherics, and making some choices about
how you're going to present your research at conferences, or what you're going to say about it, or that sort of thing, knowing that, you know, subsequently you might be explaining all this to a federal judge later on. And like I said, you know, we try to be enablers, you know, to help people, not only by protecting them from these ridiculous claims but also by enabling people to go ahead and do the research they want and present it in the way that they want. But sometimes there's a little bit of trade-offs there.

Work with and educate the vendors. I mean, I think that, you know, the fact that they went to the MBTA ahead of time was really useful, especially once we put that in the record with the judge, and we're like, you know, judge, one of the things they didn't tell you is that we did tell them ahead of time. And the judge was like... I think, you know, it's sort of like, why did they lie? I mean, we know why they lied about it, but the judge was like, you know, that's not really all that impressive. I think the thing that I learned from this case in terms of working with the vendors: one of the things I always tell my clients is, you know, the first thing you do is you go to the engineers, you know, the people who are there who understand the technology, who are going to understand what you say, and the takeaway isn't going to be, oh my god, it's totally broken, they're going to steal money from us, but, you know, our implementation needs improvement, and that kind of thing. The thing I learned from dealing with this case is that you need to get buy-in from the higher-ups too, because even though the engineer was like, go with God, apparently the policy people at the MBTA were not so optimistic. It seemed to be a misunderstanding. Yeah, there was a big misunderstanding.

So be prepared for litigation. Write to Congress. The Computer Fraud and Abuse Act was just amended in September of 2008 to make it even broader. It will come up for amendments again, and when it does we'll write about it in our newsletter and
we'll post stuff about it on our web page, and hopefully people will call or write their senator and say, you know what, the Computer Fraud and Abuse Act isn't preventing computer crime, it doesn't need to be any broader, it's actually chilling legitimate research and legitimate speech by computer security people. And then finally, you know, if you are doing something and you have questions about it and you want to protect yourself, consult an attorney. You can call us; you guys know how to get in touch with us. If we can help you, we can; if we can't help you, we'll try to find somebody who can, and we'll refer you out. And that is all. So, where's our questions? We're not going to take questions now; we're going to take them in another room, right. So thank you all for coming. We're going to take questions in room 106, so if you have questions we'll see you there, and hopefully we'll see you at our talk at four. And thank you very much.