Saturday, July 29, 2006
Hacking and Access
“Hacking” is probably the best-known type of cybercrime, so I want to write a bit about it, from two perspectives: terminology and law.
Terminology is important because we really do not have settled terms in this area. As I suspect most people know, hacking is an ambivalent term: Historically – twenty, thirty, even forty years ago – the term “hacker” denoted someone who was intelligent, creative and resourceful and who “hacked,” i.e., explored computers and computer systems to see how they worked and how one could “access” (more on that in a minute) a closed system. Hacking was an intellectual exercise, a constructive exercise, because what someone learned by hacking often helped improve how computer systems functioned.
The terms “hacker” and “hacking” then went through an intermediate stage, one in which they began to take on negative connotations. “Hacker” began to become synonymous with “intruder,” or “burglar” (since burglars “break in” to places where they are not supposed to be). During this period, distinctions arose between “white hat hackers” (who engaged in hacking as a constructive exercise) and “black hat hackers” (who hacked for illegitimate reasons). There was also (still is, I guess?) the notion of the “grey hat hacker” whose activities fell in between, were a mix of constructive and illegitimate.
When I speak on cybercrimes, I sometimes use the term “hacker” and sometimes get grief for doing so because the term necessarily encompasses all three categories. I get grief (when I do) from people who point out that hacking is not always a “bad” thing and, historically, began as a “good” thing. I do not disagree. I simply explain that I need a term to use to refer to people who break into systems, and hacker is all I have.
And I think the notion of white hat hacker may be declining, at least in the popular consciousness. I think that, for many people, “hacker” has become synonymous with “criminal.”
Why is that? I think it’s due to an interaction between law and how computer technology evolved over the last two decades or so. As far as I can tell, the concept of hacking as constructive intellectual exercise prevailed pretty much unchallenged when computers were mainframes and even after they began to evolve into smaller versions, precursors of the desktop PC. The concept of “black hat hacker” emerged and began to dominate with the proliferation of desktop PC’s for at least a couple of reasons. One was that the attendant development of the Internet made it possible for a lot more people to be able to explore computer systems; and many of them were not motivated by the intellectual curiosity that prompted the original hackers to explore computer systems. The other reason is that as desktop PC’s (and analogues) proliferated, businesses and other likely targets of financial crimes came to rely upon them; this, of course, created an incentive for people to “hack” for purely criminal purposes.
Okay, that’s a brief history (hopefully fairly accurate) of hacking as terminology. Now I want to talk about law and hacking.
The U.S. federal government, every U.S. state and many other countries have laws that make “hacking” illegal. How do they do this? They do it by making it a crime to “access” a computer or computer system without being “authorized” to do so. These statutes will provide that it is a crime (of varying levels) intentionally (or knowingly) to “access” a computer, computer network or computer system (they do tend to use all three) without being “authorized” to do so. In the world of the law, this means that it must either be your goal (your intent) to gain access to a system without being authorized to do so, or you must do this knowing that you are not authorized to do so. (Acting intentionally is usually seen as more “wrong” than merely acting knowingly, but that is not always true – it depends on the jurisdiction.)
Okay, the crime popularly known as “hacking” consists of “accessing” a system without authorization. The “without authorization” part is pretty easy, conceptually, because it’s analogous to burglary (entering someone else’s property without their consent). Police find me in a house that does not belong to me; I broke a window to get inside and I have a pillowcase filled with stuff from the house. My entry is “without authorization” because (i) the owner of the house didn’t give me permission to enter and (ii) I clearly know that.
The problem is “access.” What does it mean to “access” a computer system? Hacking is analogous to burglary in that you do something you’re not supposed to do, but you do not physically enter a computer system. You do . . . something else.
The federal hacking statute (18 U.S. Code § 1030) does not define “access.” Many state statutes do, and they usually say something like this: “‘Access’ means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network.” (Florida Statutes § 815.03).
There are very few cases that deal with what “access” is, in practice. The one that is most often cited is from Kansas: State v. Allen, 917 P.2d 848 (Kan. Sup. Ct. 1996). In the Allen case, the defendant was war-dialing – using a dial-up modem to repeatedly contact the computer system at the Southwestern Bell Company. If a dial-in connected with the Southwestern Bell system, he hung up. He was apparently exploring the possibility of connecting to the system and interacting with it, but never got that far. The Kansas Supreme Court threw out the hacking (unauthorized access) charge against him because it said he had not “accessed” the system: “Until Allen . . . entered appropriate passwords, he could not be said to have had the ability to make use of Southwestern Bell's computers or obtain anything. Therefore, he cannot be said to have gained access to Southwestern Bell's computer systems”.
Most of the time, “access” is not a real problem because the perpetrator (the “hacker”) does communicate with the system and usually goes further by copying or deleting data, say. Access becomes problematic when, for example, someone is port scanning a system. There is only one federal case on port scanning and that court, like the Allen court, said that it was not access . . . which means it may not be a crime. (It is also a crime to attempt to gain access, but I have not seen any prosecutions for that.)
“Access” is particularly problematic when it comes to wireless systems: If I am in public, find an unsecured wireless network and use it (free-ride on it), have I illegally “accessed” that system? I don’t think so, based on the cases I note above and on common sense. Many people agree, but some disagree. Indeed, this post was prompted by an email I got today from a friend in Europe, where they are debating this.
I think free-riding on a wireless system might well be prosecutable as theft of services (like stealing electricity) because you know you are getting something you have not paid for. On the other hand, though, there are intentionally free wireless systems out there, so you may not actually know that.
You would think law would have figured all this out by now, wouldn’t you?
Thursday, July 27, 2006
Statute Used to Get Emails Held Unconstitutional
Last week, an Ohio federal district court issued a decision that could have major repercussions for law enforcement's ability to investigate cybercrime cases.
The case is Steven Warshak v. United States (Southern District of Ohio Case No. 1:06-cv-357). The opinion was issued on July 21 by Judge Susan Dlott, who sits in Cincinnati.
The case is a civil suit: Warshak sued the U.S. government, claiming that it violated "the Fourth Amendment to the United States Constitution by directing two" Internet Service Providers "to produce . . . electronic mail ('email') of Warshak's from their servers pursuant to warrantless search orders issued under" 18 U.S. Code section 2703(d). He then filed a motion asking the court "to prospectively enjoin the United States from obtaining and enforcing any future 2703(d) orders."
According to the opinion, last year federal agents were investigating "allegations of mail and wire fraud, money laundering, and other federal offenses in connection with the operations of Berkeley Premium Nutraceuticals, Inc. . . . a company owned by Warshak." As part of that investigation, the agents obtained section 2703(d) orders from a federal magistrate; the orders directed two Internet Service Providers (Yahoo! and NuVox Communications) to turn over information about Warshak's emails and email account. The ISPs complied, and turned the information over last year. Warshak was informed of all this on May 31, 2006, after the federal court unsealed the orders to the ISPs. This prompted his lawsuit, which had two claims; we will only focus on one, the Fourth Amendment issue, because this is the issue on which he prevailed.
Section 2703(d) lets a court issue an order, like the orders above, that require an ISP to produce emails if officers offer "specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication. . . are relevant and material to an ongoing criminal investigation." According to the opinion, the agents met this requirement, and so obtained the orders seeking Warshak's emails.
Now, as the opinion correctly notes, this "reasonable grounds to believe that the contents" of email "are relevant and material to an ongoing criminal investigation" standard is a lower standard than the probable cause standard included in the Fourth Amendment. The Fourth Amendment states that "no warrants shall issue but upon probable cause", which means the government must show probable cause to believe that a crime has been committed and that evidence of the crime will be found in the place to be searched. While probable cause has not been quantified, it is clear that "reasonable grounds" is a less demanding requirement than "probable cause." And the government conceded that in this case.
This, then, is the issue: The statute lets the government use a sub-Fourth Amendment standard to obtain email. This will be permissible if the Fourth Amendment does not encompass email stored on an ISP; it will not be permissible if the Fourth Amendment does encompass email stored on an ISP.
The Supreme Court held about 150 years ago that we have a Fourth Amendment expectation of privacy in sealed letters and packages sent via snail mail. The Supreme Court held about 30 years ago that we do not have a Fourth Amendment expectation of privacy in the numbers we dial from a telephone, even a telephone in our own home, because we have "voluntarily shared" that information with the phone company; since, according to this logic, we voluntarily shared the information with the phone company, they can give it to the government, without a warrant, if they like. (We will assume here that the Supreme Court was correct when it held that we have no Fourth Amendment expectation of privacy in dialed phone numbers; I do not think the Court was correct, but we will not go into that here.)
Warshak argued that "emails stored on the servers of commercial ISPs" are more analogous to sealed letters sent via snail mail than they are to the phone numbers we dial. This is his theory:
"[I]n the case of email, the subscriber perhaps maintains more control over the email letter than in any other traditional third party carrier context. . . . [T]he sender or receiver of a closed letter or package actually relinquishes control of the container and cannot immediately repossess the letter or package -- it is in the physical possession of the postal carrier and/or common carrier outside the dominion and control of the sender or recipient. In the email context, the owner of the email can repossess a read-and-then-closed email at any moment, without any notice or permission from the ISP, can retake the email, delete the email from his mailbox, or do what she wants to do with the email. . . ."
Steven Warshak v. United States.
Judge Dlott agreed, at least conditionally: "While the Court is prepared to reconsider its views upon the presentation of further evidence . . . it is not persuaded . . . that an individual surrenders his reasonable expectation of privacy in his personal emails once he allows those emails . . . to be stored on a subscriber account maintained on the server of a commercial ISP." The judge therefore issued a preliminary injunction barring the United States government from using a section 2703(d) order to obtain "the contents of any personal email account maintained by" an ISP "in the name of any resident of the Southern District of Ohio, including but not limited to Steve Warshak."
The injunction is limited to the Southern District of Ohio (which encompasses the southern half of the state, including Columbus, Cincinnati and Dayton) because this is the scope of this federal court's jurisdiction. If, however, Judge Dlott stands by her decision (the Department of Justice will certainly ask her to reconsider), then this opinion would become a firmly-established precedent. (Right now, it is a precedent, but unless and until she rejects a motion to reconsider it at least has the potential to become an altered, or even an erased, precedent.)
If she were to do that, then I am sure the Department of Justice would appeal her decision to the Sixth Circuit Court of Appeals (the federal court of appeals that hears cases from Ohio), because it effectively nullifies the government's ability to use section 2703(d) to obtain emails and email information from ISPs. The even greater concern for the Department of Justice, though, is that this decision will establish the general principle that 2703(d) is unconstitutional because it violates the Fourth Amendment. If that principle stands, then the statute will be unenforceable in any state in the United States. The Fourth Amendment, after all, applies everywhere, not just in the Southern District of Ohio.
Sunday, July 23, 2006
Automating Law Enforcement in Cyberspace . . .
I’ve written before, here and elsewhere, about how and why our migration into cyberspace challenges law enforcement’s ability to arrest and otherwise discourage criminals.
As I’ve explained, cyberspace introduces various elements (automated crime, anonymity and transborder crime, to note the more important) that make the application of the model of law enforcement we use in the real, physical world problematic for online crime. In law review articles, I’ve explained how I think we can tinker with the model so it becomes a more effective way of dealing with cybercrime.
Having written about all that, I’m not going to belabor the point further in this post. It is about a rather different take on how we can improve law enforcement’s ability to deal with online crime.
In 1997, Kevin Manson presented what I think was a very insightful, very creative paper at a meeting of the Academy of Criminal Justice Science. Entitled “Robots, Wanderers, Spiders and Avatars: The Virtual Investigator and Community Policing Behind the Thin Digital Blue Line,” it said many of the things I would later say about how cyberspace challenges law enforcement. It also, however, speculated a bit on the possibility of automating at least part of law enforcement’s presence online (hence the title).
After tracing the development of intelligent agents, Manson notes that they “give new meaning to how investigations can be conducted on distributed systems like the Internet. Investigative agents could be . . . launched . . . to ferret out information while cybercops are . . . engaged in other activities and have the results of such virtual investigations reported back . . . to the ‘supervising’ agent on a periodic basis.” He suggests that these agents can become the backbone of a new online enforcement strategy that links a “trans-national virtual network” of intelligent agents, computer forensics experts and “cybercops.”
Manson notes that this approach would have to be implemented cautiously, to avoid a backlash from the public: “If law enforcement rapidly moves to implement the use of robots . . . without an appreciation of the culture within which they are to be used, there is a great risk that the community will move to completely remove such tools from law enforcement's investigative arsenal.” He suggests that “netizen” discomfort with the use of automated policing agents could result in Congress’ taking action to restrict or even outlaw their use.
I don’t mean to be critical of Kevin’s article. I think it was amazingly prescient when it was written, and I think its basic premises are very much still valid. (I do take issue with some of his observations on law, but what can you expect from a law professor?) I think it is surprising that, as far as I can tell, no one has followed up on Kevin’s ideas. Maybe they are seen as too controversial, or maybe they have just been overlooked as our experience with cyberspace has evolved.
It seems there is absolutely no move to implement automated policing on the Internet. (I distinguish the very active, investigatorial model Kevin outlined from the more passive surveillance technologies that are definitely in use today.) On the chance that such an effort may surface (or maybe just because I find this conceptually interesting), I want to speculate a bit about legal issues automated online policing might raise.
The most obvious issue is privacy. How would we feel if we knew automated police agents were cruising the Internet in a fashion analogous to how human officers cruise Interstate highways in police cruisers? Like “regular” officers, the agent-officers would presumably operate only in “public” areas . . . but what would that mean? Obviously, it should be permissible for agent-officers to surf the web, checking out websites, news feeds, etc. . . . most anything that is offered for public viewing and consumption. I wonder, though, how deeply, how intensely the agent-officers would patrol these public areas of cyberspace?
The issue doesn’t come up in the real world, because privacy is pretty much a zero-sum notion there: You are either in “public” (e.g., on the street, on a highway, in a public square, in a public establishment like a restaurant or bar, etc.) or in “private” (e.g., in someone’s home, in someone’s “private” office, etc.). Since the agent-officers are software programs, I assume they would have the ability to cruise the public areas of cyberspace with an intensity not possible for humans, or at least for most of us humans. Could they, for example, investigate the code that creates and/or sustains a website? Could they check out its Internet traffic, to see who is visiting, where they are from (IP addresses, etc.)? If they could do any of this, then I think that would raise some difficult issues about how the Fourth Amendment applies (or not) to their activities.
On the one hand, one might argue that their doing any or all of this is analogous to a police officer’s entering a “public” space (like a bar or restaurant) and walking around to check out how the internal space is configured, who patronizes the place, what they do while they’re there, etc., all of which are clearly “public” activities. The response to this argument would be that all of these are clearly “public” activities because they occur in a public space and because they can be carried out by any member of the public; any of us can go into a restaurant or bar and check out what goes on inside. As I noted before, however, I suspect that these agent-officers would have the capacity to subject a website to a level of technical scrutiny that would be completely beyond me, and beyond most people.
What else might they do? What about online vendors? Vendor sites are obviously “public” places (online analogues of real-world stores), and therefore outside the Fourth Amendment as far as the site itself is concerned. Could the agent-officers monitor traffic to the site, both in terms of who visits the site and what the visitors purchase? If they were to do this, I assume they would do it technologically, by monitoring site traffic and purchases. Could they do this without having obtained a search warrant beforehand? In the real world a human officer needs a warrant to gain access to a business’ customer records, which would be the best way to track purchases.
What about non-public areas of the Internet? Could the agent-officers create accounts on password-accessible sites and enter the sites to observe what goes on “inside”? If a human officer could do this without violating the Fourth Amendment (which I think he/she could do, at least in most instances) then the agent-officers should be able to do this, as well.
Another interesting issue the use of these agent-officers might raise is, for lack of a better word, the jurisdictional etiquette involved. Could, say, U.S. agent-officers be sent out to “patrol” all areas of cyberspace, including websites maintained in other countries? I assume so; indeed, I assume they would not be of much use if we tried to restrict their use to websites hosted in the U.S. (and also, maybe, websites hosted elsewhere that were created and are maintained by U.S. citizens).
I wonder if that would not give rise to comity issues, i.e., to issues concerning the relationships between different countries. Our agent-officers would, after all, be “spying” on websites and website patrons located in other countries (and vice versa). We are not used to that kind of experience. We tend to assume we will be monitored, if at all, only by U.S. law enforcement officers when we’re in the U.S., only by French officers when we’re in France, only by Dubai officers when we’re in Dubai, and so on. If this approach were to be implemented by many countries, we would have to assume that our online activities were being scrutinized by agent-officers from several countries. (This also gives rise to the rather interesting possibility that agent-officers from, say, the U.S. could be scrutinizing the online activities of agent-officers from Korea.)
I still think it is a very interesting idea. I wonder if it will ever be implemented.
Saturday, July 22, 2006
IBM Sued for Hacking?
D.C. Law Firm Claims IBM Worker Hacked Its Computers by Paul McDougall
InformationWeek (Jul 14, 2006)
A Washington, D.C., law firm says it's the victim of a computer hacker, but it claims the perpetrator isn't some nerdy cyberpunk. . . . Rather, the firm says its computers are under attack by tech giant IBM.
Attorneys at Butera & Andrews claim an unidentified hacker working within IBM's WebSphere services facility in Durham, N.C., secretly dropped malicious code into the firm's e-mail server, giving him or her unauthorized access to the system. The IBM worker "initiated, directed and managed this attack from the Durham, North Carolina facility," Butera & Andrews claims in a lawsuit. The firm says its servers were hit by the assailant's code more than 40,000 times throughout 2005. . . .
Butera & Andrews also charges IBM with maintaining lax security procedures at the Durham facility, thus making it easier for would-be hackers to carry out their work undetected. The lawsuit states that IBM last year implemented a policy under which all computer user logs at the facility are wiped clean after 24 hours. The policy "assures anonymity for any wrongdoer," the firm charges.
In the paragraphs below, I’m going to speculate a bit about the legal premises and viability of the Butera & Andrews suit. I’m speculating because I haven’t seen the complaint, can’t find it online and can’t find any more information about the suit than is in this article.
First possible premise: 18 USC § 1030.
Section 1030 of Title 18 of the U.S. Code is the basic federal cybercrime provision. It defines a number of computer-related offenses, e.g., hacking, cracking, virus dissemination, fraud, password trafficking, and extortion. It was added to the federal criminal code in 1984, substantially revised in 1986 and has been amended a number of times since.
Section 1030: Provisions and sentencing
Section 1030(a) reaches conduct directed at a “protected computer.” A “protected computer” is one that falls into either of two categories: (1) a computer that is used exclusively by a financial institution or the federal government or that is used, albeit nonexclusively, by a financial institution or the federal government but the conduct constituting the offense affects that use; or (2) a computer that is used in interstate or foreign commerce or communication. 18 U.S. Code § 1030(e)(2)
The concept of basing liability on conduct targeting “protected computers” was introduced by a 1996 amendment; until then, § 1030 only reached conduct targeting “federal interest computers,” e.g., computers used by the federal government or computers located in more than one state. As a result of the 1996 amendment, the statute now reaches conduct directed at any computer connected to the Internet, regardless of whether the computers involved are located in the same state.
Section 1030(a) makes it a federal crime to do any of the following:
Section 1030: B&A (possible) civil claim
Section 1030 also creates a civil cause of action. Since the cause of action is created by a federal statute, a federal court has jurisdiction over the case (which means it will be heard by a federal court).
Section 1030(g) states that any “person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The statute also provides that “a civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B).” These are the factors set out above: causing or attempting to cause physical injury, the modification of a medical diagnosis, financial loss aggregating $5,000 in a one-year period, a threat to public health or safety, or damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national security or national defense. Suits for financial loss are limited to the recovery of damages.
It looks to me like B&A may well be bringing a civil suit under section 1030. This fits with their claim that the IBM employee gained unauthorized access to the system. So let’s assume that, and analyze the viability of their claim against IBM.
To prevail in a civil action of this sort, the plaintiff essentially has to prove a criminal case under section 1030, though they only have to prove it by a preponderance of the evidence (not the beyond a reasonable doubt standard used in criminal cases).
Here, if we assume the allegations in the complaint are true and that B&A can prove them, they would clearly have a viable civil claim against the IBM employee who is alleged to have gained unlawful access to their system. The problem is holding IBM liable.
Assuming, again, that the allegations in the complaint are true and B&A can prove them, IBM’s response should be, basically, “so what?” Hence the motion to dismiss: IBM can only be held liable if it can be shown to be responsible, in some way, for what the employee did. At this point, we’re talking about holding IBM criminally responsible; I’ll talk about civil liability in a minute.
Holding IBM liable for what the employee did requires imputing the employee’s criminal conduct to IBM, and the only way to do that is with one – maybe two – criminal doctrines.
InformationWeek (Jul 14, 2006)
A Washington, D.C., law firm says it's the victim of a computer hacker, but it claims the perpetrator isn't some nerdy cyberpunk. . . . Rather, the firm says its computers are under attack by tech giant IBM.
Attorneys at Butera & Andrews claim an unidentified hacker working within IBM's WebSphere services facility in Durham, N.C., secretly dropped malicious code into the firm's e-mail server, giving him or her unauthorized access to the system. The IBM worker "initiated, directed and managed this attack from the Durham, North Carolina facility," Butera & Andrews claims in a lawsuit. The firm says its servers were hit by the assailant's code more than 40,000 times throughout 2005. . . .
Butera & Andrews also charges IBM with maintaining lax security procedures at the Durham facility, thus making it easier for would-be hackers to carry out their work undetected. The lawsuit states that IBM last year implemented a policy under which all computer user logs at the facility are wiped clean after 24 hours. The policy "assures anonymity for any wrongdoer," the firm charges.
In the paragraphs below, I’m going to speculate a bit about the legal premises and viability of the Butera & Andrews suit. I’m speculating because I haven’t seen the complaint, can’t find it online and can’t find any more information about the suit than is in this article.
First possible premise: 18 USC § 1030.
Section 1030 of Title 18 of the U.S. Code is the basic federal cybercrime provision. It defines a number of computer-related offenses, e.g., hacking, cracking, virus dissemination, fraud, password trafficking, and extortion. It was added to the federal criminal code in 1984, substantially revised in 1986 and has been amended a number of times since.
Section 1030: Provisions and sentencing
Section 1030(a) reaches conduct directed at a “protected computer.” A “protected computer” is one that falls into either of two categories: (1) a computer used exclusively by a financial institution or the federal government, or one used nonexclusively by a financial institution or the federal government where the conduct constituting the offense affects that use; or (2) a computer used in interstate or foreign commerce or communication. 18 U.S. Code § 1030(e)(2)
The concept of basing liability on conduct targeting “protected computers” was introduced by a 1996 amendment; until then, § 1030 only reached conduct targeting “federal interest computers,” e.g., computers used by the federal government or computers located in more than one state. As a result of the 1996 amendment, the statute now reaches conduct directed at any computer connected to the Internet, regardless of whether the computers involved are located in the same state.
Section 1030(a) makes it a federal crime to do any of the following:
- To (i) knowingly access a computer without authorization or by exceeding authorized access and thereby obtain information that is protected against disclosure which the perpetrator has reason to believe could be used to the disadvantage of the U.S. or to the advantage of any foreign nation and (ii) willfully either deliver that information to a person not entitled to receive it or retain the information and refuse to deliver it to the federal agent entitled to receive it;
- To intentionally access a computer without authorization or by exceeding authorized access and thereby obtain (i) information contained in a financial record of a financial institution, or of a card issuer or contained in a file of a consumer reporting agency on a consumer, (ii) information from any federal department or agency, or (iii) information from any protected computer if the conduct involved an interstate or foreign communication;
- To intentionally and without authorization access (i) a computer used exclusively by a federal department or agency or (ii) a computer not used exclusively by a federal department or agency when the conduct affects the computer’s use by or for the federal government;
- To knowingly and with the intent to defraud access a protected computer without authorization or by exceeding authorized access and thereby further the intended fraud and obtain anything of value unless the object of the fraud and the thing obtained consist only of the use of the computer and the value of that use does not exceed $5,000 in any one-year period;
- To (i) knowingly cause the transmission of a program, information, code or command and thereby intentionally cause damage to a protected computer; (ii) intentionally access a protected computer without authorization and thereby recklessly cause damage; (iii) intentionally access a protected computer without authorization and thereby cause damage; AND (iv) by conduct falling into any of the three prior categories, cause or attempt to cause physical injury, the modification or impairment of any medical diagnosis, loss aggregating at least $5,000 in a one-year period, a threat to public health or safety, or damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national security or national defense;
- To knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization if (i) the trafficking affects interstate or foreign commerce or (ii) the computer is used by or for the federal government;
- To transmit in interstate or foreign commerce any threat to cause damage to a protected computer with the intent to extort money or any thing of value.
Section 1030: B&A (possible) civil claim
Section 1030 also creates a civil cause of action. Since the cause of action is created by a federal statute, the claim raises a federal question, which gives a federal court jurisdiction over the case (and is why B&A could bring the suit in federal court).
Section 1030(g) states that any “person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The statute also provides that “a civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B).” These are the factors set out above: causing or attempting to cause physical injury, the modification or impairment of a medical diagnosis, loss aggregating at least $5,000 in a one-year period, a threat to public health or safety, or damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national security or national defense. Section 1030(g) also provides that a suit based only on the $5,000 financial-loss factor is limited to the recovery of economic damages.
It looks to me like B&A may well be bringing a civil suit under section 1030. This fits with their claim that the IBM employee gained unauthorized access to the system. So let’s assume that, and analyze the viability of their claim against IBM.
To prevail in a civil action of this sort, the plaintiff essentially has to prove a criminal case under section 1030, though they only have to prove it by a preponderance of the evidence (not the beyond a reasonable doubt standard used in criminal cases).
Here, if we assume the allegations in the complaint are true and that B&A can prove them, they would clearly have a viable civil claim against the IBM employee who is alleged to have gained unlawful access to their system. The problem is holding IBM liable.
Assuming, again, that the allegations in the complaint are true and that B&A can prove them, IBM’s response should be, basically, “so what?” Hence the motion to dismiss: IBM can only be held liable if it can be shown to be responsible, in some way, for what the employee did. At this point, we’re talking about holding IBM responsible for the employee’s criminal conduct, since a section 1030(g) claim requires proving a violation of the statute; I’ll talk about ordinary civil liability in a minute.
Holding IBM liable for what the employee did requires imputing the employee’s criminal conduct to IBM, and the only way to do that is with one – maybe two – criminal doctrines.
The first is accomplice liability: If I aid and abet your commission of a crime, then I become guilty as an accomplice, which basically means that I, too, stand in your shoes. I can be convicted of the crime just as if I committed it personally. To be an accomplice, one must, basically, either encourage or facilitate the commission of the crime. I see no indication B&A claims IBM encouraged the crime, and I doubt that very much, so we’ll try the other option.
It looks to me like B&A may be claiming IBM facilitated the commission of the crime by maintaining lax security procedures which made it possible, or easy, for the IBM employee to hack B&A’s system. There’s a problem with that, in terms of imposing accomplice liability on IBM: Courts almost entirely agree that to be an accomplice you must have acted with the purpose of facilitating the target crime (here, the hacking), though some have held that acting knowingly is enough. I don’t see how B&A is going to be able to show IBM either acted with the purpose of facilitating this crime (it would have had to be IBM’s intent to see that the crime was committed) or with the knowledge that the employee was going to use its lax security to commit the crime. It looks to me very much like B&A is claiming IBM was negligent, and that just won’t fly in terms of accomplice liability.
There is one other possible way to impute the employee’s conduct to IBM, though I don’t think it would work either. This is to claim IBM conspired with the employee for the commission of the crime (hacking B&A); in the federal system, a principle known as the Pinkerton doctrine holds conspirators (like IBM in this hypothetical) liable for crimes that are committed by other members of the conspiracy (IBM’s employee) as long as they are a foreseeable consequence of the conspiracy. What seems to me the obvious problem with this theory is that you’d have to show IBM conspired for the commission of the hacking crime, and that, again, requires that you show IBM intended (had as its purpose) the commission of that crime. It doesn’t look to me like B&A is alleging that, and I doubt they could.
So, if this is a section 1030(g) claim, I don’t think it works.
Second possible premise: Negligence
B&A might be asserting a basic negligence claim, using diversity of citizenship between it and IBM to establish federal jurisdiction (and therefore get into federal court).
The essential elements of a civil tort action for negligence are (i) a duty owed to the injured party (B&A), (ii) a breach of that duty, (iii) which caused (iv) injury to the plaintiff (B&A). Here, B&A’s theory could be that IBM is liable because it breached a duty to supervise its employees, and the breach of that duty caused injury to B&A. It would, though, probably be difficult for B&A to establish such a claim.
Courts have imposed a duty on companies to supervise their employees, though this obligation usually extends only to actions that are within the scope of the employee’s job-performance. At least one federal court declined to apply this principle to federal employees who committed crimes for their own benefit:
The criminal conduct at issue in the instant case was clearly prompted by purely personal motives and was not related to the accomplishment of objectives within the line of any Customs Service duties. The former agents' outrageous . . . conduct was in no sense rationally connected to the subject matter which formed the basis of the respondeat superior relationship existing between them and the Customs Service. These individuals had no desire to serve the government's interest and had indisputably stepped outside the scope of their employment in committing intentional criminal acts against the plaintiffs. . . .
Attallah v. United States, 758 F. Supp. 81 (D.P.R. 1991), aff’d, 955 F.2d 776 (1st Cir. 1992). I suspect a similar rule would apply here, since it seems the IBM employee was acting entirely out of personal motivation and that what he did was way, way outside the scope of his employment with IBM.
Even if B&A can show that what the employee did was sufficiently within the scope of his employment to have triggered the duty to supervise, there might well be a question as to whether the duty that arose extended to B&A. Usually, the duty to supervise extends to the employer’s customers and others who can foreseeably be harmed by an employee’s negligence, malpractice, etc. If B&A was not a customer of IBM, then it seems IBM could credibly argue that, even assuming it breached a duty to supervise this employee, the duty did not extend to B&A, so B&A cannot complain about the employee’s actions.