Wednesday, May 18, 2011

ISPs must respond to warrants to identify subscribers

A California court ruled recently that an ISP must respond to warrants demanding the identification of its subscribers.

In criminal hacking case, the court held that the police could force an ISP (in that case, Time Warner) to give the identity and address of a Time Warner subscriber based on a IP (Internet Protocol) address.

The police subsequently searched the defendant's home and found evidence of the defendant hacking into a public school's computer network. The defendant claimed that he had a privacy expectation for his information with Time Warner.

"A subscriber has no expectation of privacy in the subscriber information he supplies to his Internet provider. Therefore, his challenge to a warrant requiring his Internet provider to identify him through his Internet Protocol (IP) number has no merit." wrote the court in People vs. Stipo.  The appellate court found no expectation of privacy in the defendant's subscriber information.

This case has some interesting implications, not only for criminal cases, but civil cases as well since a civil subpoena could also be used to find out identifying information as well.

Wednesday, May 11, 2011

Employees can be criminally prosecuted for misuse of computers

Employees can be criminally prosecuted for unauthorized and illegal use of computers and computer networks, but only if the employer has a strong and clear computer use policy.  A Federal court recently held that an employee can be criminally prosecuted if the employee accessed the employer’s computer system in order to defraud the employer.

In U.S. v. Nosal, No. 10--10038 (9th Cir, April 28, 2011), the 9th Circuit Court of Appeals held that employees could be prosecuted under the Federal Computer Fraud and Abuse Act (the “CFAA”).
CFAA is a statute that was originally intended to allow for the criminal prosecution of hackers. In the Nosal case, three employees used their employer's computer and obtain trade secrets from the employer. The employees then quit and started their own business using the employer's information.

The employees were prosecuted under CFAA by the U.S. Government. Their defense was that CFAA was intended to prosecute hackers who did not have authorization to enter a computer or a computer network.  They argued that they should not be criminally prosecuted because they had access to the system.  (Of course, the employer could have sued but that is less serious than a criminal prosecution).

However, the government successfully argued when the employees used their user names and passwords to access the employer's trade secrets, they exceeded their authorization and broke the law. 


The key to the case:  The employer had strong computer use and confidentiality policies.  All employees were required to sign agreements that explained what was the employer's confidential information, its sensitive nature, and clearly stated that such information was only to be used for the employer's purpose.  All of the employer's computers were restricted access and protected by passwords and user names.  So, despite their status as employees with access to the employer's computer system, the court determined that the employees were, legally, no better than hackers.


I have had several instances of business owners who have been ripped off by employees stealing confidential information.  They now have a big stick to fight back with.

Businesses should develop clear computer use policies that forbid the use of their computers for anything other than company business, protect their computers with user names and passwords, and have their employees sign well written confidentiality agreements.  The threat of criminal prosecution is much more weighty than the threat of a lawsuit and will go farther to keep this type of theft in check.

Saturday, May 7, 2011

Copyright Trolls - Don't use stock pictures without a license



Intellectual property has become a hardball arena in recent years. Small businesses steal trademarks and trade secrets from each other.  Patent trolls file serial lawsuits extorting money from busineses. Now we have copyright trolls.


A client was recently threatened with legal action by a stock photo company.  This stock photo company sells photographs on-line for use in websites.  Typically, a website owner or developer can download and use a photo for a royalty of $5.00 to $10.00.

My client had a stock photo on his website.  He received a demand letter from a stock photo company that had the rights to sell licenses to use this photo.   My client's website developer had downloaded this photo from somewhere (the developer was a little vague).

The stock photo company initially demanded $1,500.00 and threatened to take legal action if not paid.  My client discussed the matter with the stock photo company which progressively lowered its demand to around $900.00.

The threat of legal action was serious.  If you use a computer to download copyright protected art from a website and use it on your website, you can be liable for up to $150,000 in statutory damages, plus statutory attorneys fees, per download.  So, the potential exposure was huge, even for a lousy stock photo.

The stock photo company had an entire division devoted to collecting large fees from companies that had used the stock photo company's photos without authorization.  They searched the Internet with special software that looked for their photos and then checked to see if the use of the photos was authorized.  If not, then they would aggressively demand outrageous fees and threaten legal action.  Furthermore, the photos on the company's website were easily downloaded without payment of a royalty and watermarks were easy to crop out.  The company essentially had a copyright troll division searching out the unwary using their cheap photos.

In my client's case, the photo on his website was not registered with the U.S. Copyright Office.  Since it was not registered, the stock photo company could not collect the huge statutory damages but only actual damages, in this case about $5.00.  My client removed the photo from his website and the stock photo company left him alone when we asked for registration information.

Lessons:
1.   Do not use someone else's photos, pictures, videos, etc. on your website. 
2.   If you are a web developer, pay all royalties necessary for every bit of art on a website.
3.   Ask you website developer for proof of a license for all stock photos or other art on a website.  You will have to pay the price if the developer stole them.