I realized that the public interest in this topic might be quite limited, so when I e-mailed it to the Blog editors on Thursday night, I suggested that they might just want to file this posting directly in the Law & Sports archive.

When I checked this morning, my submission had not yet been posted anywhere on the Faculty Blog.  I did not check again until around 6:30 p.m. CDT.  At that point, I noticed that the post had in fact been placed in the “recent posts” section of the blog.

Out of curiosity, I typed the article title into the Google search box to see if any IP or baseball history sites had set up links to the post.  What I found was truly bizarre.  I found my post, which is devoted to a 1953 intellectual property case that no one knows about, reproduced in whole or in part on several different blogs and webpages.

Only one seemed to be remotely related to the topic.  That was a website entitled Baseball Now where it was placed under the heading “Baseball News” and positioned next to a story about the death of Larry Jansen, the subject of my post.  I had never heard of Baseball Now, and I am not sure that a report of a 1953 court decision counts as “news,” but at least it makes sense that a baseball themed webpage desperate for material would be searching the Internet for stories it could pirate.  To its credit, the Baseball Now page copied only the first five lines of the article.  To read the entire article you had to click through two pages of the website before finally arriving at the MU Faculty Blog where, of course, both the name of the author and the source of the writing are identified.

The other hits turned out to be nothing short of bizarre.

One is Widgetbox, which copied the first part of the post under the heading of politics where it sits next to a post entitled “Same sex couples allowed divorce” which is about a legal case in Texas.  Both my post and the Texas one are underneath a link “Legal advice online.” I also noticed that the page listed a number of other recent posts from the MU Faculty Blog.

If the widget-seeker clicks on the “Legal advice online” link, he or she is taken to a different site called Trafficlegaladvice.com which promises “free legal advice for consumers.”  There, my post is reproduced in its entirety, but without any indication that I am the author or that it is taken from the MU Faculty Blog.  Well, at least the article should come in very handy for any consumer contemplating travelling back in time to 1953 and filing a lawsuit against a company placing photos of major league baseball players in popcorn boxes.

My Google search also found the title of my post on a site called Blogsworld Vox.  The post itself is not there, but attached to the title is a link to an alleged real estate site called The Home For Sale.com.  That site contains only the first paragraph of my article but it is accompanied by a link that would take the curious home purchaser to the MU Law School faculty blog.  I suppose that now that Larry Jansen is dead, his home will be soon coming on to the market.

Incredibly, my post also shows up on a website called Beantown Online:  All about Boston.  There is no reference to Boston whatsoever in my post.  Only the first paragraph is reproduced, and it shows up sandwiched between posts entitled “Plant Decors At Home: Your Own Heaven On Earth”  and “Audit: Mass. home health system leaves vulnerable at risk.”  The latter article does appear to be about Boston, more or less, and it also appears to have been lifted from the Boston Globe’s webpage.

In my story, I mention in passing that in 1946, Larry Jansen won 30 games as a pitcher for the minor league San Francisco Seals of the Pacific Coast League.  Apparently that was enough to get it picked up by http://sanfranciscotaxi.info which includes only part of the first paragraph of the post and omits the part about the San Francisco Seals entirely.  It does, however, provide the viewer with an 800 number which presumably can be used to call a taxi in San Francisco.

I am, however, most proud of the fact that my post was picked up by Linda Nelson Blogsworld.  Linda’s blog appears to pick up about fifty posts every hour from other blogs.  My post on Larry Jansen is limited to the first 10 lines and appears between “REOs in Kuna Idaho Keeping Market Afloat” and “8 Fatal Mistakes Made By Google Adwords Advertisers.”

The best part of Linda’s blog is her photo.

And all of this just in the first few hours after the post was entered on the Marquette Faculty Blog.  I can only imagine how widely it will be distributed 24 hours from now.

Seriously, can anyone explain to me what is going on here?  It is as though robots are being sent out across the Internet to randomly capture posts from other blogs and then bring them back to be posted on completely pointless websites–my apologies to www.baseballnow.com–that should fool no one with an IQ over 40.

What I find intriguing about these responses is that they are all based on analogizing Kindle e-books to physical books located in your house. 

It’s often argued that copyright disputes are primarily, perhaps entirely, due to the fact that large media companies refuse to admit it’s a changed world out there; they just need to adapt. But I think controversies like the one over the Kindle indicate that this problem is universal. Everyone is calibrating their rights by looking backwards; no one likes the future.

David Pogue at the New York Times summed up the conceptual landscape nicely:

As one of my readers noted, it’s like Barnes & Noble sneaking into our homes in the middle of the night, taking some books that we’ve been reading off our nightstands, and leaving us a check on the coffee table.

Jack Balkin adopts this perspective as well. Balkin notes that “[f]or centuries, . . . owning books came with certain rights, including the right to keep what we purchase and to use it, mark it up, and sell it in any way we like.” Among other things, “[b]ecause [an ordinary book] is a physical copy, nobody would think that the publisher of the book would have the rights to enter your house and remove the book.” But “Amazon’s Kindle system upends all of these expectations.”

If Kindle ebooks are basically the same as physical books, then destroying them would seem to violate core expectations we have about retailers and books. But why is that the right analogy? Why aren’t they like websites? If Amazon was providing access to “1984″ on its servers instead of on the Kindle, and suddenly without warning deleted them off the servers, it is doubtful there would be much of any controversy here. That’s true even if the access was supposed to be permanent and was in return for payment of a one-time fee. The only issue would be Amazon’s abruptness in canceling access without sufficient warning to anyone who had taken notes that might be deleted. (Let me be clear: if I was one of those users, I’d be extremely annoyed at how Amazon handles copyright clearance problems.)

The core difference between a website and a Kindle ebook is where we think the object is located. We think of the Kindle as like a book, located in the device in our hands. We think of the website as being located on the server. But this just begs the question: we think of the Kindle as the same as a book because we think of the Kindle as the same as a book. In fact, copies of the information in both cases is located in multiple places: on the Kindle, and on Amazon’s servers; on the web servers, and a temporary cache on the user’s own computer. Physical location is not by itself determinative any more.

Many of the commentators on the Kindle issue have darkly noted the threat ebooks pose to the first-sale doctrine in copyright law—the right of purchasers of a copy of a work to resell that copy without permission from the copyright owner. Works like Kindle ebooks or video games that are tethered to a particular user can’t be sold without the permission of the tethering service.  But the idea that the first sale doctrine is important right worth saving in the first place may be another example of reflexively viewing the future in terms of the past. First sale makes sense in a world of physical books and copies–how else are you going to clear your house of junk you don’t need if you can’t sell it? Even throwing it away could be viewed as a transfer of ownership, and therefore a distribution. Requiring clearances for such sales impinges upon personal space with pointless transaction costs.

But not only is first sale harder with tethered digital works, it’s not clear what the point is. If you’re worried about hard drive space, you can just delete it. The only thing supporting first sale in such a situation is the fact that users have had first sale rights for time immemorial.

Balkin, Zittrain, Pogue’s readers, large media companies, legislators, and others are therefore correct: the networked digital world threatens to upend everything we take for granted about creative expression in the physical world. No one has a monopoly on surprise.

Threat Level was skeptical last week that Conficker would do anything more than send spam. But since then we’ve become aware of dramatic new evidence that reporting on a doomsday worm is good for page views. So welcome to our Conficker War Room! We’ll track this scourge throughout the day, so check back frequently for the latest updates. . . .

12:15 EDT: Felony conviction against Ted “Series of Tubes” Stevens is being thrown out for prosecutorial misconduct. Coincidence? Conficker hates net neutrality.

12:20 EDT: Reader reports, “I just got a message that said, ‘Windows has encountered a problem and will need to shut down’. OMG!!” . . .

3:05 p.m. EDT: CBC reports that attackers could be preparing a new version of Conficker that’s even worse than this one. Checking with art department about getting deadlier graphic.

3:55 p.m. EDT: You can now pre-order the DVD of 60 Minutes’ report on Conficker, The Internet is Infected. It’s just $15.99 on Amazon.com. Do it now, while the internet is still alive.

Here’s the situation: wrongdoing on the Internet is often difficult to track down, because often the only reliable traces a malfeaser leaves behind is their computer’s IP address. It’s a bit like having someone’s phone number show up on caller ID. But unlike phone numbers, IP addresses often change. If the phone company didn’t keep any track of who had what phone numbers, the police or victims of harassment wouldn’t have any way of using the number to track the perpetrator down. It’s the same with IP addresses. Usually internet access providers keep track of who they assign IP addresses to, but there’s no requirement that they do so. There’s also no requirement that they keep such information for any particular length of time—it’s purely up to them, and storing data costs money, so ISPs purge their logs on a regular basis. So suppose a kidnapper logs into Gmail and sends an email with a ransom demand to the victim’s family. If Google chooses not to keep any access logs, there may be no way for the police to track the kidnapper down, even if the kidnapper took no steps to cover his or her tracks.

Enter the Internet SAFETY Act, yet another in the long line of recent Congressional bills with cutesy acronyms.

The Internet SAFETY Act (S.423, H.R.1076) has been bandied around for a while; an early variant was first introduced in 2006. The basic idea is to combat a particular problem—in this case, child pornography—by, in part, imposing a record-keeping requirement on ISPs. Of course, once those records are retained, they can be used for more than just combatting child pornography. They’ll also be useful in investigating other crimes, or even as evidence in civil lawsuits (e.g., copyright infringement suits). As long as there’s sufficient legal process protecting the disclosure of these records, however, that doesn’t seem that troubling to me (your mileage may vary—but that’s not my issue right now).

“That’s great,” you might say, “but what does that have to do with home networks?” The record-keeping requirement would be imposed via an addition to the Stored Communications Act, 18 U.S.C. § 2702. Here’s the new subsection that would get added:

(h) Retention of Certain Records and Information.—A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.

The problem here is in the definitions of “electronic communication service” provider and “remote computing service” provider. Call them “ECS providers” and “RCS providers” for short. These terms aren’t new to the Internet SAFETY Act; they’re from the Electronic Communications Privacy Act, a law passed in 1986, when Congress understandably was a bit foggy on this newfangled Internet technology. (Not that they’re such big experts now, but they had more excuse back then.) It’s clear from the legislative history that Congress envisioned ECS providers and RCS providers as, essentially, big telecommunications companies that provide commercial internet access or data storage/processing service to paying subscribers. Indeed, from the statements of legislators concerning the Internet SAFETY Act quoted in the CNET story, it’s clear that members of Congress still view ECS providers and RCS providers that way.

The problem is that the statutory language doesn’t make that crystal clear. Here’s the definition of an ECS:

(15) “electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications;

Read broadly, that means that any device that provides to users the ability to send or receive voice or data communications provides an “electronic communication service.” That would include routers, web servers, telephones, fax machines—indeed, every device connected to a telephone or computer network. And since every such device allows other users on the network to “send” communications to that device, then every owner of a networked device is an ECS provider to the public, subject to the nondisclosure requirements of the ECPA in Section 2702—the very same provision that would get the record-keeping obligations above.

That sounds ridiculous, but another portion of the ECPA gives courts a reason to interpret “ECS” broadly, in order to reach certain bad actors. Section 2701 provides that breaking into a “facility” through which ECS is provided in order to obtain electronic communications violates the statute. So, can you break into someone’s home computer to read their email? What if you access the hidden area of a website? Some courts have held that home computers and web servers are ECS facilities, making those unarguably bad actions violations of the statute. But if they are ECS facilities, aren’t their owners ECS providers?

Most courts have rejected the argument that web servers and home computer users are ECS providers, but they’ve never really offered a good explanation of why. One theory that’s been bandied about is the idea that you don’t pay home network or website operators to allow you to send or receive messages. But there’s nothing in the statute that limits ECS’s to commercial services.

A better distinction, it seems to me, hinges on the meaning of the word “provide.” “Providing” a service in this context seems to me to entail providing it directly to someone else. As I’ve written in a treatise chapter on the ECPA, a provider of ECS is therefore someone who provides to someone else the ability to send or receive messages; it’s the next link up from the “user” in the chain from endpoint to endpoint. If you think of a network as being like a spider web, a provider of ECS can only be towards the middle, where several strands come together, and never at the margins, where a single thread ends. A home network is at the edge of the network; although multiple individuals may use a home network, they are all members of a single group (a household), and therefore are not “providing” ECS to anyone. Read this way, the record-keeping requirement above would not apply to home networks.

This creates a tension with the cases saying that businesses provide ECS to their employees, but I’ll save that issue for another day.

Naturally, I had the same reaction to this story that anyone else would: Is that a violation of the Wiretap Act?

It’s pretty well established that you can’t bug a phone, even one that you own and pay for the service on, just to spy on someone. There are countless cases where jealous spouses have gotten hung up on this rule.  And the secret bcc here would seem to qualify as bugging (or, more properly, “acquisition of the contents of a communication”), unless an exception applies.

But I think an exception does apply, although it takes a little work to get there. The Act prohibits “interception,” defined as “acquisition of the contents of [a] communication” through the use of a “device.” The term “device” does not include telephone or telegraph equipment “furnished by [a] subscriber or user [of a wire or electronic communication service] for connection to the facilities of such service and used in the ordinary course of its [the subscriber or user's] business.” 18 U.S.C. § 2510(5)(a)(1). The phone here was “furnished by a subscriber or user” of a communication service, either the original owner or the “finder,” but the phone is not the relevant device, I don’t think — it’s the bcc rule on the phone that is the device doing the intercepting. (If the phone is the relevant device, this would be a huge loophole in the statute, as any bug or secret program installed in such a phone would be within the exception even if the user/subscriber of the phone service didn’t know about it.)  If I’m right and the bcc rule, or perhaps the entire email functionality on the phone, is the relevant device, then that device is telephone or telegraph equipment “furnished by the subscriber . . . for connection to the facilities” of a communication service, and that bcc rule is being used “in the ordinary course of [the subscriber's] business” — namely, finding lost property.

If that doesn’t work, well, there’s always the fact that the acquisition has to be intentional to violate the Wiretap Act. If the original owner of the phone set up the bcc rule for any other purpose — say, just so they would have a copy of all of their emails — then its use in tracking down the possessor of the phone in this case was accidental, not intentional. Hence, no Wiretap Act violation.

Side note: an acquaintance of mine once told me of his experience trying to access the outgoing call log on his own phone, using the account he was paying for, from Verizon, after he had been mugged and his cell phone stolen. Somewhat maddeningly, Verizon Wireless would not give him that information, even though it was arguably customer records pertaining to him.

A Beaver Dam Middle School teacher is on administrative leave after school officials discovered a photo of her with a gun on Facebook.

In the photo, Betsy Ramsdale was training a rifle at the camera.

In an e-mail to WKOW-TV in Madison, Ramsdale said she removed the photo immediately and that she is not “interested in any controversy.”

Schools superintendent Donald Childs says a concerned staff member brought the photo to the district’s attention.

Childs says the use of the photo “appears to be poor judgment” and is unaware of any sinister intent.

So here’s the question to you, my mere blogsters, would  you fire this teacher or give her a second chance?  Is your reason a legal one, policy one, or moral (this story combines two of my great loves – employment law and education law).

Also, just another story about the increasing role Facebook is playing in the lives of people of all ages.

In addition to the ridiculously overbroad nature of the requests (all of the emails in their personal accounts?), J.T. Shannon’s subpoenas ran up against the Stored Communications Act (SCA), Title II of the Electronic Communications Privacy Act. The SCA prohibits a non-party ISP from disclosing emails to litigants in a civil case without the consent of its subscriber. This law may seem counterintuitive to litigation attorneys, who are used to being able to subpoena whomever they want within the scope of the Federal Rules of Civil Procedure. But the SCA is not incredibly onerous; it just means you have to request that the party produce their own emails, not the ISP.

The first case to note this limitation on discovery practice imposed by the SCA was FTC v. Netscape Communications Corp., 196 F.R.D. 559 (N.D. Cal. 2000), but since that was a federal agency enforcement action, it may not have received much attention outside of that context. However, since the California Court of Appeals applied the same reasoning in an ordinary civil case in O’Grady v. Superior Court, 139 Cal. App. 4th 1423 (2006), the SCA’s marker has clearly been placed. I expect a surge of such cases in the future as attorneys unfamiliar with electronic privacy law begin looking for emails in ordinary civil matters.

18 U.S.C. § 2702 limits what an ISP can disclose about their subscribers.  Section 2702(a) provides that neither an “electronic communication service” nor a “remote computing service” to the public may disclose the contents of any communication stored on the provider’s network to any person, with just a few exceptions. One is with the consent of the subscriber, obviously. There are other exceptions for responses to administrative subpoenas, grand jury subpoenas, or trial subpoenas from a “governmental entity.” But there is no exception for ordinary pre-trial discovery.

For reasons that are too complicated to go into here, I think the ISP holding old emails is best viewed as a “remote computing service,” not an “electronic communication service,” under the Act, but it doesn’t matter; in either case, the ISP cannot disclose emails in response to a civil subpoena. The J.T. Shannon court went even further, however, and said that ISPs cannot even disclose customer records to a private litigant, citing Section 2702(c). Customer records include such things as the name and address of the subscriber, a record of access times, and everything other than the contents of communications. But there’s a difference between the two anti-disclosure rules. Section 2702(a)(1) and (2) provide that ISPs cannot disclose the contents of communications to anyone, other than pursuant to an exception. Section 2702(a)(3), however, only prohibits ISPs from disclosing customer records “to any governmental entity.” (See also § 2702(c)(6).) Selling those records to telemarketers, for example, is A-OK, at least under the SCA. And so, it would seem, is responding to a civil subpoena for “non-content” records.

There’s one wrinkle in that argument, which is that attorneys sending a Rule 45 subpoena do so as officers of the court, Fed.R.Civ.P. 45(a)(3), and one might think that the court is a “governmental entity,” so an ISP could not disclose even customer records in response to a civil subpoena. “Governmental entity” is defined in 18 U.S.C. § 2711(4) as “a department or agency of the United States or any State or political subdivision thereof.” Is the judiciary a “department or agency of the United States”? I don’t think so; that sounds like it is referring to executive departments and independent agencies. There have been decisions that have held courts to be “governmental entities,” but those decisions did not discuss the actual definition of the term. The issue does not arise often since most subpoenas will be seeking the contents of emails anyway.

Carolyn Elefant of Legal Blog Watch Blog reports:

These days, Facebook isn’t just a go-to social media application. The Web site’s ubiquitous role in everyday life is also transforming it into a conduit for lawsuits. A few weeks back, I posed about the Australian court that allowed lawyers to serve a couple with lawsuit papers via Facebook. Now, the Calgary Herald reports that a Canadian spa used Facebook to fire an an employee, esthetician Crystal Bell.

Is it illlegal for an employer to fire a worker via Facebook, or just imprudent? Here in the United States where employment is entirely at will, there aren’t any laws, at least as far as I’m aware, that would protect an employee from being fired on Facebook. However, the Supreme Court of Canada, in a 1997 ruling known as the Wallace decision, set out how a firing, if done in a cavalier way, can result in “bad faith”damages in addition to normal severance pay. However, the ruling does not address the issue of whether being fired electronically equates with bad faith. Moreover, at least one lawyer whom Bell contacted advised that she didn’t have much of a case — she’d only been at the spa for two weeks.

Putting aside the merits of this specific case, the cause of action that comes to mind for me is the tort of intentional infliction of emotional distress, since the focus is the manner in which the employee has been fired. Yet, I am not convinced that Facebook firings, which are certainly in bad taste and demonstrate a lack of tact, would probably not meet the standard of extreme outrageousness, which would require the action taken be: “utterly intolerable in a civilized society.”

Indeed, the ubiquity of Facebook and the amount of communications taking place over it might make such electronic terminations seem more conventional than outrageous.

Earlier this year, the Seventh Circuit addressed the question in another enticement case, United States v. Gladish, 536 F.3d 646 (7th Cir. 2008).  Gladish was caught in an Internet sting.  A government agent posing as a fourteen-year-old girl encountered Gladish in an Internet chat room.  After engaging in sexually graphic communications, the two “agreed” to have sex, resulting in Gladish’s arrest.  However, the Seventh Circuit determined that Gladish’s plan did not proceed far enough to support an attempt conviction: despite the agreement to have sex, there was never any specific time or place determined for the tryst.  Without something more than graphic Internet communications and a vague agreement, there was no “substantial step” and, hence, no attempt liability.

The two new opinions, both authored by Judge Wood, elaborate on the meaning of Gladish, but still leave the “substantial step” line more gray than black and white.

The first was United States v. Davey (No. 07-3533).  Davey was caught in an Internet sting much like the one that nabbed Gladish.  Davey encountered an undercover agent posing as a fifteen-year-old girl in a chatroom.  However, their “agreement” to have sex was much more specific than Gladish’s.  Later that day, Davey drove to South Bend, Indiana, where the two were supposed to meet.  He was arrested shortly after calling the undercover agent from a pay phone. 

Davey initially pled guilty to attempted enticement, but then sought to withdraw the plea, asserting that it lacked an adequate basis in fact.  The district court judge denied the motion and sentenced Davey to 126 months in prison.  Davey appealed, arguing (among other things) that he had not taken a substantial step.  In affirming the conviction, though, the Seventh Circuit had little difficulty distinguishing Gladish: Davey’s agreement was not only much more specific than Gladish’s, but he also actually traveled to the intended rendezvous point.

The second case, United States v. Zawada (No. 08-1012), was harder to distinguish.  Like Gladish and Davey, Zawada was caught in an Internet sting.  Like Gladish (and unlike Davey), Zawada did not travel to a rendezvous point and did not even establish a firm time and place for meeting the undercover officer.  However, Zawada did not raise the “substantial step” issue in the district court, and so was found to have forfeited the issue on appeal.  As a result, he could only prevail if the evidence fell so short of the Gladish requirements that his conviction amounted to “plain error.”  Holding that Zawada could not meet this standard, the Seventh Circuit affirmed his conviction.

Because it relied on the highly deferential plain error standard, the court did not have to (and did not) squarely address whether the facts in Zawada were distinguishable from Gladish.  The court indicated that Zawada had at least come “somewhat closer” to a substantial step than Gladish, based on these facts:

Zawada and Kelsey [the undercover cop] had a relatively concrete conversation about making a “date,” and they discussed a specific date and time of day that they thought would work.  Zawada checked on the intimate detail of Kelsey’s birth control practices, and he asked her whether he should bring some kind of protection with him.

“Somewhat closer” to the substantial step line — but over it?  Given the procedural posture of Zawada (plain error review), the answer is still not clear.  Although the court indicated that travel (as in Davey) is not required for an attempt conviction, one wonders if something more than words is still necessary under Gladish, and, if so, what.  For instance, what if Zawada had purchased “protection” — would that be enough?  Gassed up the car in anticipation of a “date”?  Sent Kelsey a gift?  Given the frequency of these Internet sting cases, the Seventh Circuit will likely have to provide clearer answers to such questions before long.

Part 1 of Goldman’s series discusses the possibility that, under the prosecution’s theory, ISPs may lose their Section 230 immunity for the activities of users if those users violate the terms of some other website. Part 2 looks at the question of whether someone who does not actually click on a click-through agreement can nevertheless be bound by it. Courts in the few non-criminal cases to consider this have essentially said “yes.” Part 3 will offer suggestions for drafters of website terms. [Update: Part 3 is now up.]

In other news related to the case, the defense, assisted by George Washington University law professor Orin Kerr, has filed a supplemental brief on its motion to dismiss, on the question of whether violation of contractual terms vitiates consent for purposes of a criminal unauthorized use statute. In true Internet law fashion, they look to the nearest litigated real-world analogues, in this case rental car agreements.

The student emailed a hand-picked group of 391 faculty members (roughly eight percent of the total at M.S.U.), asking them to speak up about a proposal by the school administration to change the calendar.  What is truly mind-boggling about the decision to discipline that student is that the administration had itself solicited comments on the change from the faculty; the email was designed to encourage the faculty to take advantage of that offer.

At least this violation of a network’s terms of use policy wasn’t found criminal.

In the MySpace case, United States v. Morris (No. 08-2329), the defendant attempted to contact a minor through the minor’s MySpace page.  The minor’s mother responded by creating her own MySpace page, in which she posed as a 15 year old, and began a series of communications with the defendant.  After the mom agreed to have sex with him, Morris mailed a bus ticket to her so that they could meet.  The mom reported Morris to the FBI, resulting in his arrest and prosecution.  After his conviction for attempting to transport a minor across state lines to engage in illegal sexual conduct, Morris raised a single issue on appeal: that the person he intended to transport across state lines was neither a minor nor a law enforcement officer posing as a minor, but a private citizen conducting her own sting operation.  However, it is well established in such cases that the defendant has no defense if his intended victim is really an undercover law enforcement officer, and the Seventh Circuit (per Judge Posner) found no basis for distinguishing undercover private citizens: in either situation, the criminal justice system appropriately punishes the defendant for his demonstrated dangerousness. 

The court did recognize, however,

a legitimate concern with vigilantism — with private citizens conducting stings without the knowledge or authorization of the authorities.  The vigilantes’ aim might be to blackmail any offender whom they detect . . . . Or they might botch their investigation, alerting the offender in time for him to elude justice.

The court also observed that the Internet has enabled private stings in new ways, and (citing the group “Perverted Justice”) suggested that they may become more common.  The court concluded, however, that any concerns regarding vigilante abuses should not be addressed by giving their targets defenses, but by imposing criminal liability on the overreaching vigilantes themselves (e.g., through solicitation laws).

In United States v. Hagerman (Nos. 07-3874 & 07-3875), the court decided a novel, if obscure, question of law: what happens if a corporate criminal defendant fires its lawyer after an appeal has been fully briefed and fails to hire a new one?  This is a problem because corporations are not permitted to litigate pro se in federal court.  The Seventh Circuit (per Judge Posner) ruled that the court may, but is not required to, dismiss the appeal under such circumstances.  in this case, since the appeal was already fully briefed and the issues clear, the court chose not to dismiss the appeal, but to decide the case (against the defendants) on the merits.

In United States v. Prieto (Nos. 07-3484 & 07-3485), the court (per Judge Manion) rejected a grab-bag of evidentiary objections made by the defendant meth traffickers.

In United States v. Hearn (No. 07-1613), the court (per Judge Ripple) responded to petitions for rehearing in a case that it decided last summer, denying the defendant’s petition and granting the government’s.  Hearn, convicted of possession of crack with intent to distribute, sought a rehearing as to the use of a prior conviction as evidence against him at trial.  As I observed in a recent post, prior convictions issues have been presented in several recent Seventh Circuit cases, resulting in a series of decisions that are neither entirely satisfactory nor entirely consistent with one another.  In general, though, it seems in the recent cases as if the Seventh Circuit will affirm the use of prior drug trafficking convictions in a new drug trafficking trial as long as there is any plausible basis for concluding that intent was at issue in the new trial.  Thus, in denying Hearn’s petition for rehearing, the court relied mainly on the fact that Hearn’s counsel had “questioned the Government’s proof on the issue of intent on a number of occasions in his opening and closing statements.”  Defense lawyers take note: beware of saying the word “intent” at trial if you hope to keep your client’s criminal history out of the evidence!

In granting the government’s petition for rehearing, the Hearn panel determined that it had incorrectly remanded the case for resentencing the first time around.  As a crack defendant, Hearn sought to take advantage of the Supreme Court’s 2007 decision in Kimbrough v. United States, which held that the crack sentencing guidelines are not binding even in routine cases.  Although the Seventh Circuit has been granting Kimbrough remands as a matter of course in cases in which the issue was properly preserved, the government objected in Hearn’s case because he was sentenced under the career offender guideline, which may trump the crack guideline where it is applicable.  Other Seventh Circuit decisions have denied Kimbrough remands to career offenders, and the Hearn panel, on rehearing, agreed that crack defendants sentenced as career offenders do not generally qualify for resentencing.

Finally, in United States v. Wayland (No. 08-2194), the court addressed another provision of the federal sentencing guidelines, the “sophisticated means” enhancement.  Wayland defrauded Medicaid of a little more than $100,000 through false claims for payment for services purportedly provided to his disabled mother by one Cyril Sturm.  Sturm was actually deceased.  Wayland set up a bank account in Sturm’s name and collected the money paid to Sturm by Medicaid.  At Wayland’s sentencing, the court increased his prison time based on his use of “sophisticated means” to perpetrate the fraud.  Specifically, he set up a bank account and post office box, and then filed tax returns in the dead man’s name so that the IRS would not get suspicious.

To me, it seems a bit of a stretch to characterize this as sophisticated means, defined in the guidelines’ application notes as “especially complex or especially intricate offense conduct.”  This was not Enron — not even close.  Millions of Americans have opened bank accounts, rented post office boxes, and filed tax returns — in contrast to setting up corporate shells and offshore financial accounts (two examples of sophisticated means mentioned in the application notes).  At the least, I am puzzled that the district court judge seemed to treat this as a no-brainer: “If this wasn’t a sophisticated means of perpetrating a fraud, I don’t know what is.”  Once that conclusion was reached, however, reversal in the Seventh Circuit was unlikely, because the determination of sophisticated means is a finding of fact that is reviewed under the deferential clear error standard.  And, indeed, the Seventh Circuit did affirm.

intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer if the conduct involved an interstate or foreign communication.

The indictment can be found here, if anyone is interested in reading it, but the gist of the argument that the AUSAs in California are making is that by giving fictitious profile information, Drew violated Myspace’s Terms of Service, thus “exceeding” the access authorized by Myspace. Then, as she used this fictitious profile to “obtain information” from Myspace’s servers — personal information about Megan, as best as I can tell — to commit the tort of infliction of emotional distress upon Meier, and since to access Myspace’s servers she was required to send packets of data across state lines, she met all the elements of the crime.

Let’s ignore for a moment the “packet hopping” argument; it’s absolutely ridiculous — since I could send an e-mail to a professor at this law school while sitting yards away from him or her and have the packets cross state lines — but it’s a well-accepted way of establishing interstate communication, and in this case the servers were in a different state than Drew anyway. I’d also be willing to concede the “obtaining information” point, though I’d note that I really haven’t seen anything in the published e-mails between the two accounts that suggest any information was obtained that wasn’t immediately obvious to Drew, given that she lived only a few houses up the street from Meier and that the Meier and Drew families were good friends before this incident. Let’s even ignore the fact that the legislative intent of the CFAA was, quite simply, to criminalize hacking into servers to get information the server owners didn’t want a person to have; in fact, the vast majority of cases prosecuted under the CFAA involve exactly that.

But stop and think for a moment about the accusation that Lori Drew exceeded her authorized access of Myspace’s servers by violating its Terms of Service. Or, more accurately, think about the ramifications of the precedent set if the court allows this argument to carry the day. Does that put an end to Dateline NBC’s “To Catch A Predator” series, since the watchdog organization that carries on the chats (Perverted Justice) creates underage profiles and waits for the pedophiles to engage them? For that matter, what about the police stings in which officers have done the same thing? What about the recent Craigslist prostitution stings by the Milwaukee Police Department? And it’s not just deliberate decoy situations that this causes problems for. Marquette’s IT Acceptable Use Policy states that users may not

Send email chain letters or mass mailings for purposes other than official university business.

Engage in activities that harass, degrade, intimidate, demean, slander, defame, interfere with, or threaten others.

Hence, when someone sent a Republican friend of mine a chain letter mocking McCain, and he responded “I’m a diehard Republican, you idiot,” both the sender and the recipient violated the CFAA based on the arguments set forth by the AUSAs in the Drew case; the sender did so by sending the chain letter, and the recipient did so by demeaning the sender in his response. Another friend of mine placed a fake personal ad on Craigslist as a joke, to which she received half a dozen e-mails from local guys infatuated with her based on her (fake) photo. Some gave names, heights, weights, hobbies, etc. Should she be prosecuted? What about anyone who rounds down their weight in an instant message conversation with someone they like? At what point does the slippery slope end?

Let’s be clear for a moment: I find what Lori Drew did to be reprehensible. I don’t know if there’s enough here to warrant a wrongful death suit on behalf of Megan Meier, but I’d certainly support one if it came. But this prosecution under the CFAA reeks of desperation, a spaghetti approach (i.e., “throw everything against the wall and see what sticks”) to prosecution. It’s a crime that doesn’t address anything about the tragic suicide of Meier; in fact, it can’t, as the court ruled today, because evidence of the suicide has nothing to do with the crime charged and is unquestionably prejudicial. It’s time for the AUSAs in California to recognize what the people of Missouri did from the beginning: this was a horrible act, but one that was legal at the time it occurred. The way to keep Megan Meier from having died in vain isn’t to prosecute her offender under anything you can think of, but rather to close the loopholes by passing legislation criminalizing cyberbullying, which Missouri did this past July. To do anything but that is to sacrifice the principles of our criminal justice system for the sake of righting a perceived wrong.

The latest item to set off this thought in my head was this news item from the Wall Street Journal’s Law Blog (essentially a slightly more tony version of Above the Law). As I tell my Internet Law students, there are various ways of controlling a behavior such as forwarding emails. Law is one way, but not a likely one in this case. Informal social norms are another (”Give a hoot! Don’t redistribute!”). That seems unlikely here, too. But a third is some sort of technological solution. And here, I would think a technological solution is at least conceivable: an office network that offers, as an option, blocking redistribution of the content of certain emails.

Assuming employees or students determined to spread gossip, of course, complete security would be impossible. At the very least, those reading the email could paraphrase it from memory. But complete security wouldn’t be necessary to achieve the goal here, which would be to at least stem the flow of such documents in their entirety, which makes it difficult to deny them. Merely blocking forwarding of the email would likely be easily circumvented, however, through use of cut-and-paste. Even blocking cut-and-paste and screenshots would not prevent retyping the entire email or writing it out by hand. Once we get to that level, however, the inconvenience factor has gone up tremendously, possibly enough to deter people from forwarding mildly embarrassing emails like the Michigan career adviser’s.

I should note right off the bat that I am not quite so enamored of form agreements as Judge Easterbrook is. That much I probably share with my fellow copyright specialists. But I’ve come to the tentative conclusion that the case for contracts somehow expanding copyright rights is vastly overstated, and perhaps illusory. ProCD–with the exception of one overlooked wrinkle–is not the threat everyone seems to think it is.

Here’s how scholars typically describe the danger they see in ProCD and its progeny. “You know all of those limitations that exist in copyright law, that prevent overreaching by copyright owners? Like the doctrine that facts are not copyrightable, or that fair uses are permitted, or that a consumer can resell a copyrighted work? Well, after ProCD you can kiss those all goodbye. A copyright owner can now put terms in the license that prohibit you from doing all that. So, a copyright owner can evade the first sale doctrine by saying, ‘No redistribution of this CD is permitted.’ Or evade the copyrightability requirements by putting a ‘No copying’ license term on a telephone book. Or evade fair use by saying ‘You cannot quote this work in order to criticize it.’” (For a recent flare-up of this issue, involving patents rather than copyrights, see this example of a license placing restrictions on a package of grapes bought at the grocery store. More from Mike Madison.)

Well, that all sounds bad. But here’s what I want to know: how are these terms being enforced? Are they being enforced under the Copyright Act, or under contract law? It makes a huge difference. The Copyright Act provides remedies for infringement that include injunctions, statutory damages starting at $750 per work, and attorneys fees. It would certainly be a de facto expansion of copyright law to say that a copyright owner can get infringement damages for the copying of an uncopyrightable work, such as the white pages of a telephone book.

But it’s not clear to me that’s what ProCD and its progeny are doing. Rather, the cases I’ve seen appear to enforce such terms only with the much more limited remedies available under contract law. ProCD used contract law–specifically, UCC § 2-204 (after incorrectly denying the relevance of § 2-207, the infamous “battle of the forms” provision)–to argue that the parties could structure the transaction however they wished, including by providing a fuller statement of the terms after purchase, with a right of return. There’s nothing in the opinion that suggests that Zeidenberg was being held liable under copyright law. Indeed, the Seventh Circuit confirmed this view in Assessment Technologies v. Wiredata a few years ago. The plaintiff, Assessment Technologies (AT), was suing the defendant for attempting to obtain copyrighted databases from a third party in violation of the license terms. But as the Seventh Circuit noted, AT was not suing for breach of contract (there was no contract between plaintiff and defendant) or even tortious interference with contract. Since there was no contractual claim at issue, the Seventh Circuit declared ProCD to be “irrelevant.”

So here’s the situation I see after ProCD: License terms that govern activity within any of the exclusive rights of the copyright owner (and not excluded under any of the restrictions) can be enforced with copyright remedies. License terms governing activity outside of those exclusive rights–including activity falling within an exception, such as fair use or first sale–is governed only by contract law, with its more limited remedies. What’s wrong with that?

One response might be that, even if users don’t face copyright infringement liability for violating license terms, still they face liability of some sort for engaging in behavior that is beyond the scope of the copyright owner’s rights and we shouldn’t allow that. But fair use and the other limitations on copyrights in the Copyright Act are hardly immunities from all law whatsoever; they are only restrictions on the scope of copyright law. This is incredibly obvious when we are not dealing with information goods. For example, nothing in copyright law obligates me to part with my car. But I can enter into an enforceable contract under which I forgo my right not to transfer ownership of my car. The same principle governs non-copyright restrictions on information goods. Nothing in the Copyright Act forbids me from copying Shakespeare, but that doesn’t mean I don’t have to leave the library at closing time. Similarly, even though it’s not protected by copyright law, I can contract not to copy and redistribute the (uncopyrightable) white pages I get from a telephone company.

Another possibility, raised by the defendant in the ProCD case, is that the Copyright Act preempts contractual terms under which parties agree not to act to the full scope of the limits permitted under the Copyright Act. The verbal gymnastics I had to go through to describe that argument, however, should indicate that the right to enforce such a promise under contract law is hardly “equivalent to any of the exclusive rights within the general scope of copyright,” the test for preemption under 17 U.S.C. § 301(a). As the Seventh Circuit held in ProCD, the mere fact that contract requires mutual agreement takes it out of the scope of the Copyright Act, as the right to enforce such a bargain is hardly “exclusive”–it binds only the party that entered into the agreement.

Still, there’s one wrinkle here that gives me pause. It’s not absolutely clear to me that courts appreciate the difference between enforcement of a license as a contract and enforcement of a license under the Copyright Act. As an example, take ProCD itself. The typical remedy for a breach of contract is expectation damages. And lo and behold, in ProCD, the plaintiff actually sold a version of its phone book CD that would have allowed Zeidenberg to do what he did (Zeidenberg had bought the more limited “consumer” version). So the remedy in ProCD is rather obvious: it’s the difference in price between the deluxe version of ProCD’s product and the cheaper consumer version.

But it’s not clear that that’s the remedy that was actually awarded. ProCD had sued in the district court for “injunctive and monetary relief brought pursuant to the federal Copyright Act . . . , the Wisconsin Computer Crimes Act . . . , and Wisconsin contract and tort law.” The district court awarded summary judgement for the defendant on all counts. The Seventh Circuit then “remand[ed] with instructions to enter judgment for the plaintiff” only on the contract claim. What remedies were awarded? The Lexis headnotes suggest that the plaintiff got its injunction, but injunctions–i.e., specific performance–are an unusual contract remedy, entered only in certain circumstances like the sale of unique goods. Since ProCD had already priced the value of unrestricted distribution of its product and was selling that to others, an injunction would not seem appropriate here.

A more interesting question is whether injunctions should issue as a remedy for breaches of contract involving information goods generally, e.g., software programs or databases with no “commercial” license. I haven’t walked all the way through that analysis, and off the top of my head arguments occur to me on both sides. One thing is clear, however, which is that a court should not simply presume that an injunction is an appropriate contract remedy for a breach of a license term that falls outside a copyright owner’s Section 106 rights.

Jaynes argued that Virginia’s anti-spam statute violated the First Amendment. The statute prohibits sending “unsolicited bulk electronic mail” after having intentionally falsified the e-mail header information, i.e., the information indicating the source of the e-mail. That’s a little different than your average spam statute, which typically prohibits only “unsolicited commercial e-mail.” According to the unanimous Virginia Supreme Court (four members of which switched their votes on rehearing), prohibiting non-commercial bulk e-mailers from forging the header information violates the First Amendment right to speak anonymously.

Here’s the key portion of the decision:

[B]ecause e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore, like the registration record on file in the mayor’s office identifying persons who chose to canvass private neighborhoods in Watchtower Bible & Tract Society v. Village of Stratton, 536 U.S. 150 (2002), registered IP addresses and domain names discoverable through searchable data bases and registration documents “necessarily result[ ] in a surrender of [the speaker’s] anonymity.” 536 U.S. at 166. The right to engage in anonymous speech, particularly anonymous political or religious speech, is “an aspect of the freedom of speech protected by the First Amendment.” McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 342 (1995). By prohibiting false routing information in the dissemination of e-mails, Code § 18.2-152.3:1 infringes on that protected right. The Supreme Court has characterized regulations prohibiting such anonymous speech as “a direct regulation of the content of speech.” Id. at 345.

So there’s a right to be deceptive, which I don’t think you see every day.

Of course, Jaynes himself was not trying to send some sort of religious tract anonymously by e-mail; rather, he was a garden-variety commercial spammer. His argument was that the statute was facially invalid on overbreadth  grounds. Since he himself could not argue that his First Amendment rights were chilled, however, he had to show not only overbreadth, but substantial overbreadth, that is, that the statute chills a considerable amount of protected speech “judged in relation to the statute’s plainly legitimate sweep.” Virginia v. Hicks, 539 U.S. 113, 118-19 (2003).

The Supreme Court held that he could, but its analysis is a little too quick for me.

Applying [the substantial overbreadth] inquiry . . . in this case is relatively straightforward as Code § 18.2-152.3:1 would prohibit all bulk e-mail containing anonymous political, religious, or other expressive speech. For example, were the Federalist Papers just being published today via e-mail, that transmission by Publius would violate the statute. . . . We thus reject the Commonwealth’s argument that Jaynes’ facial challenge to Code § 18.2-152.3:1 must fail because the statute is not “substantially overbroad.”

The problem here is that the court is drawing, I think, too facile an analogy between e-mail and other media, such as pamphlets and handbills. Unless including any amount of “anonymous political, religious, or other expressive speech” within the scope of a prohibition is per se overbroad, it seems to me that we should ask how prevalent such uses are compared to the legitimately regulated behavior. How many anonymous mass political or religious e-mailers are there? I get occasional missives from someone calling himself the “U.S. Artist General,” but for each one of those I get, I’m sure I get 1,000 Viagra e-mails. Contrast that with the leaflets at issue in Watchtower and McIntyre. Although leafletting is sometimes used by non-anonymous commercial vendors, it is also traditionally a forum for minority political or religious views. Even if the statute here is overbroad, it’s not clear to me that it’s substantially overbroad.

The techie blogosphere is abuzz with the news that Michigan amended its private investigator licensing laws in May to add “computer forensics” to the list of activities that require a P.I. license in Michigan. This may not sound like big news, but it raises the possibility that MediaSentry, a company that gathers information on peer-to-peer filesharers for use in the RIAA’s lawsuits against online infringers, may be violating the law in several states. Given the general antipathy to the RIAA among the technorati, suddenly a large number of bloggers are interested in the arcane details of P.I. licensing requirements.

But the issues raised by the law go well beyond the RIAA lawsuits, and potentially affect any investigation of online misbehavior. Any lawsuit against an anonymous online individual begins with an attempt to identify that person. Furthermore, the definition of “computer forensics” in the Act is so broad that it includes printing out a web page for use in a lawsuit. Attorneys need to pay attention here too: the Michigan law exempts attorneys, but only if they are “admitted to practice in this state.” And other states have similar laws. So do you need a P.I. license or a bar admission in all 50 states before you can sue that defamatory blog poster?

I think the answer is no, but we’ll see what position the state regulatory authorities take. The issue raised here is one that comes up in a lot of different contexts in Internet law: where in real space does activity on the Internet occur? The position of the General Counsel of Central Michigan University, who has filed a complaint against MediaSentry, appears to be that private investigation services occur at the site of the computer holding the file or website that is being investigated.

There’s no single answer to the question of where activity occurs on the Internet; rather, in each context, the question is which of the many possible locations at issue (the server, the client, or each jurisdiction the communication passes through) has the better claim to exercise regulatory authority. In the specific context of business licenses, I think it’s a mistake to say that Internet information-gathering services are properly regulated in each forum with a server holding some of the information.

The statute at issue governs, not activities in Michigan per se, but rather the business of being a professional investigator. (”A person, firm, [etc.] shall not engage in the business of professional investigator for hire, fee, or reward, and shall not advertise his or her business to be that of professional investigator or of a professional investigator agency without first obtaining a license from the department.”) That’s wise, because a statute requiring a license to gather any information at all would likely violate the First Amendment. But is a person who gathers information off of an AOL server in Virginia really conducting business in Virginia? Certainly not for personal jurisdiction purposes; even the sale and shipment of a physical automobile on eBay to a California consumer was recently held not to be “doing business” in California. And for sales tax purposes, gathering information off of a server in the forum also wouldn’t be enough to subject the sale of that information elsewhere to sales tax in the forum.

Gathering information available on the Internet from a server in the forum seems too tenuous a connection to make that business (or lawyer) subject to licensing requirements or other business regulations in that forum. MediaSentry is located in Maryland; if Maryland decides MediaSentry needs a license, it would have every right to insist upon it. But until MediaSentry starts sending investigators into Michigan, or directly interacting with Michigan residents somehow, I don’t think the Michigan license requirements apply to it.

If Michigan takes the opposite view, that could well be subject to a dormant commerce clause challenge, as an attempt to effectively regulate behavior taking place wholly outside its borders, and as a local regulation that would have disproportionate negative impact on interstate commerce. Anyone investigating any website where the location of the server was not known would, essentially, need to be licensed everywhere the server could be, which would make garden-variety investigation of websites or emails needlessly cumbersome. And the local benefit from requiring a P.I. license for the gathering of information easily accessible on the Internet is extremely slim. So an attempt by a state to regulate ordinary out-of-state Internet data-gathering activities, carried on in preparation for a yet-to-be-filed lawsuit, should fall afoul of the commerce clause.