Friday, August 21, 2009

Cyberterrorism . . . ?

This post is about a case in which one company sued another claiming it was the victim of cyber-terrorism.


The case is Margae, Inc. v. Clear Link Technologies, LLC, 2009 WL 1248952 (U.S. District Court for the District of Utah 2009), and here, according to Plaintiff Margae, is what led to the filing of the lawsuit:

Plaintiff is an internet marketing company that contracts with individuals and entities to act as an internet referral agent. Plaintiff performs internet marketing services for entities and individuals on its websites to generate sales leads for those entities and individuals, often known as `merchants.’ The sales leads are directed by Plaintiff to the merchants' websites or provided telephone numbers to reach a merchants' call center for each sales lead that generates an actual sale. Plaintiff receives a commission for each referral that leads to a sale. Additionally, Plaintiff performs search engine optimization for some merchants which results in a merchant's website appearing earlier when a customer performs an internet search. . . .

From January of 2004, Plaintiff entered into a series of agreements with Clear Link to provide affiliate and optimization services. . . .

Eventually, Clear Link terminated Plaintiff. . . .

Clear Link 1) misappropriated various websites associated with Plaintiff and 2) changed all of Plaintiff's account passwords so that Plaintiff could not (and cannot) access websites that it created pursuant to its work with Clear Link. In addition, Clear Link continues to utilize certain websites, sub-domains and optimization work provided by Plaintiff.

Plaintiff’s Memorandum in Support of Motion to Compel Arbitration and Stay Proceedings, Margae, Inc. v. Clear Link Technologies, LLC, 2008 WL 1906775.


In its complaint, Margae asserted several causes of action, one of which was unfair competition under the Utah Unfair Competition Act (UUCA).

The type of `unfair competition’ alleged by Margae is `cyber terrorism.’ `Cyber terrorism’ is defined, in part, as `willfully communicating, delivering, or causing the transmission of a program, code, or command without authorization or exceeding authorized access’ which `leads to a material diminution in value of intellectual property.’ . . . Margae contends . . . that Clear Link's unauthorized use of its web pages lead to the diminution of those web pages' value because Margae was deprived of the commissions it was owed from their use.

Margae, Inc. v. Clear Link Technologies, LLC, supra. Margae’s cyber-terrorism claim was brought under Utah Code § 13-5a-103, which creates a civil cause of action for unfair competition.


Section 13-5a-102(4)(a) of the Utah Code defines “unfair competition” as “an intentional business act or practice that” is (i) unlawful, unfair or fraudulent or leads to a material diminution in value of intellectual property AND constitutes (i) cyber-terrorism, infringement of a patent, trademark or trade name, a software license violation or predatory hiring practices. Section 13-5a-102(2) defines cyber-terrorism as any of the following:

(a) the unlawful use of computing resources to intimidate or coerce others;

(b) accessing a computer without authorization or exceeding authorized access;

(c) willfully communicating, delivering, or causing the transmission of a program, information, code, or command without authorization or exceeding authorized access;

(d) intentionally or recklessly:

(i) intends to defraud or materially cause damage or disruption to any computing resources or to the owner of any computing resources; or

(ii) intends to materially cause damage or disruption to any computing resources indirectly through another party's computing resources.


The last three alternatives (e.g., (b)-(d)) are very similar to crimes that are outlawed by Utah’s Criminal Code. Section 76-6-703 of the Utah Code makes it a crime to (i) access a computer without authorization and cause damage a computer, software or data, (ii) use a computer to execute a scheme to defraud and (iii) use a computer to interrupt computer services to someone authorized to receive them. So to a great extent, the UUCA pulls these basic computer crimes into its definition of cyber-terrorism as that term is used in the unfair competition statute.


I’m not sure why Utah did that and/or did it the way they did. If the Utah legislators wanted to incorporate computer crimes into the UUCA (as cyber-terrorism or whatever), it seems they could have cross-referenced the computer crimes sections of the Criminal Code in the UUCA, with any additions or modifications they thought appropriate. That, though, is a peripheral issue. Let’s get back to the cyber-terrorism claim.


Clear Link moved to dismiss the unfair competition claim. That claim, again, was based on Margae’s contention that “Clear Link's unauthorized use of its web pages lead to the diminution of those web pages' value because Margae was deprived of the commissions it was owed from their use.” Margae, Inc. v. Clear Link Technologies, LLC, supra. Clear Link argued that “this allegation does not state a claim for `cyber terrorism’ because the `program, code or command’ sent by a defendant must be different than the target `intellectual property.’” Margae, Inc. v. Clear Link Technologies, LLC, supra.


Clear Link won. The federal judge found that the UUCA

clearly requires that the transmitted `program, code or command’ must be different from the damaged `intellectual property.’ That is, by using the term `cyber terrorism,’ the legislature signaled that it meant to cover only a situation where the `program, code or command’ was the tool for an attack and the `intellectual property’ was the target of an attack. Had the legislature wanted to define `cyber terrorism’ as the unauthorized use of intellectual property, it could have easily done so.

Margae, Inc. v. Clear Link Technologies, LLC, supra. The judge noted, however, that Margae might still be able to save the claim:

Margae has argued that Clear Link's actions meet the definition of `cyber terrorism’ because Clear Link's unauthorized use of Margae's Clear Link-related web pages damages the value of Margae's non-Clear Link web pages and web sites. The court will not consider this argument, because it is not tied to any express allegation Margae made in its complaint. . . . Margae may amend its complaint to make this factual allegation clear and Clear Link is free to challenge whether such an allegation meets the definition of `cyber terrorism.’

Margae, Inc. v. Clear Link Technologies, LLC, supra.


Several things about the UUCA’s cyber-terrorism provision mystify me. First of all, as far as I can tell no other state creates a civil cause of action for victims of cyber-terrorism, regardless of who commits it or the type of injury it inflicts. I don’t think federal law does this, either. I don’t think civil liability has ever been seriously floated as a way to deal with terrorists; the U.S. certainly hasn’t sued Al Qaeda for the damage to the Pentagon and the Twin Towers and the loss of life in all the 911 attacks.


I discovered, though, that the Utah Code includes provisions that can require a terrorist to pay reparations to his victim(s). Section 63M-7-502(9)(b) defines “criminally injurious conduct” as including actions that cause or pose a substantial risk of bodily injury or death or an act of terrorism as defined in the federal terrorism statute, 18 U.S. Code § 2331, that is committed outside the U.S. against a Utah citizen. A subsequent provision of the state’s Crime Victims’ Reparations Act, § 63M-7-511, allows victims of terrorism to receive reparations for medical expenses, lost wages and other losses. So Utah has apparently decided to let victims of international terrorism and victims of unfair-competition-as-cyber-terrorism recover civilly.


Another thing that perplexes me is Utah’s styling the alternatives in § 13-5a-102(2) as “cyber-terrorism.” The first one, § 13-5a-102(2)(a), looks like a terrorism provision because it refers to using computing resources to intimidate or coerce others. As I noted in an earlier post, the generic definition of terrorism is that it consists of using force (of whatever type) to coerce or intimidate civilians in order to further a political agenda. The Utah statute has the “coerce or intimidate” element, but the focus of the coercion and/or intimidation is unfair competition.


Finally, what surprises me, given the effort the Utah legislature apparently put into creating a civil cause of action for cyber-terrorism-as-unfair-competition is that the state doesn’t seem to have a criminal cyber-terrorism provision. The “coerce or intimidate” option doesn’t appear in the state’s general cybercrime statute, and I can’t find a Utah statute that makes terrorism and/or cyber-terrorism a crime.


Unless I’m missing something, then, it looks like Utah’s decided to create civil remedies for victims of terrorism/cyberterrorism, but hasn’t actually criminalized either.

2 comments:

Anonymous said...

Losing couldn't have happened to a finer person.

Nelson said...

Excellent post. The main issue...cyber crime has been dealt with in a very fine way. Solution to cyber safety becomes a must.