Thursday, July 28, 2016

Legal Geek No. 81: The CFAA Strikes Again, in Baseball

Welcome back to Legal Geek. This week, we return to the Computer Fraud and Abuse Act, which we took a deep dive into a couple of weeks ago, to look at a highly interesting recent application of the anti-hacking law in the context of professional baseball.

https://archive.org/details/LegalGeekEp81

Last week, the CFAA hit the news again because Chris Correa, a former scouting director of the St. Louis Cardinals, was convicted of hacking a competitor team's player personnel database, leading to a prison sentence of almost 4 years and over $275,000 in restitution. This was no case of password sharing, however.

Instead, the FBI found the following facts. In 2013 and 2014, Correa gained unauthorized access to the Houston Astros' databases by using a password similar to one used by a former Cardinals employee who had to turn over a company laptop and his password when he left to go work for the Astros in 2011. Ironically, the current general manager Jeff Luhnow is the only employee who would have had such access and also fits this profile, and he is the very person who informed reporters of the data breach in 2014.

From those facts, we can basically conclude that Luhnow used a similar or variant form of the same password for his Astros database access, and this was predictable enough for Correa to guess it based on the information turned over to him with the laptop in 2011. There's an important lesson here for everyone who changes jobs, particularly those leaving for competitors. Although hacking is a federal crime, re-using the same or similar passwords is absolutely, positively a terrible idea. It's just not worth the risk, so don't do it!

For example, despite the nearly $300,000 in restitution that will be paid by Correa, the Astros are estimated to have lost $1.7 million or more. A mistake of that magnitude could easily cost a guy like Luhnow his job, and it all comes down to not sufficiently changing passwords when you change jobs.

This case also implicates the discussion of broad vs. narrow interpretation of the catch-all provision of the CFAA, which guards any protected computer used in interstate commerce from unauthorized access. Certainly protecting major league baseball team databases is within a broad view of this catch-all, but this is also clearly hacking to cause serious financial detriment. That activity falls directly in the scope of what the law is supposed to stop.

The Bottom Line is, there will continue to be concerns about how broadly the CFAA will be applied based on big cases like this baseball one, especially when there are other mechanisms available, like Major League Baseball rules in this case, to govern such bad conduct. However, unlike the Nosal case, this outcome is not quite so broad or troubling. Let's hope for well-reasoned applications of this law in the future.

Oh, and change your darn passwords already.

-----------------------------------

Thanks for reading. Please provide feedback and legal-themed questions as segment suggestions to me on Twitter @BuckeyeFitzy

------------------------------------
TEMPORARY CLOSER
If you will be at GenCon in Indianapolis in August, come check out my seminars on IP law and game design there, or message me on Twitter @BuckeyeFitzy and we can meet up for a drink or a game.

Friday, July 22, 2016

Legal Geek No. 80: Pokemon Go and a Myriad of Legal Issues

Welcome back to Legal Geek. This week, we join the Pokemon Go craze of the past few weeks with a brief look at all the interesting legal questions the popular application and its certain knock-off competitors will raise.

https://archive.org/details/LegalGeekEp80

The first legal concern of Pokemon Go has largely been dealt with by the developer, that being privacy settings which were way more than necessary for running the software. Originally, access to your entire Google account had to be granted to play on some platforms, and that would raise serious potential liability concerns for the company maintaining and accessing that data. However, this is one issue that played out quickly with a settings fix.

There are already videos and stories of players being transfixed by their phones and walking into roads or other dangerous situations. That raises a question of whether there could be any legal liability for putting digital Pokemon in places that lure people into dangerous areas. The risks get even worse in different contexts like playing while driving. The game's terms of service disclaim all liability for such things, but would that stand up in court? That's an open question.

Another issue is placement of Pokemon or gyms in the locations of private property and businesses. A property owner could hypothetically argue that this creates an attractive nuisance by drawing unwanted people to the property, and it also negatively affects the owner's interests in exclusive possession of the property. Can real property rights be used to claim property rights in augmented reality digital elements placed on the property by a third party like this game developer? I expect someone will try such claims in court if annoyed enough.

There's also the problem of potential competition for public spaces between Pokemon Go users who may be congregating at a digital gym and others who want to use the public property, like a park, for the other purposes it was designed for. It would be interesting to see if the government could constitutionally limit Pokemon Go in certain public properties. Some prison operators certainly think so, but that's a slightly different context.

The Bottom Line is, the law always takes time to catch up with technology fads and movements, as discussed for the CFAA last week. But Pokemon Go potentially raises far more interesting legal questions than you might originally think when you begin playing the game.

Now excuse me while I go catch this Charmander...or maybe it's Justin Robert Young, who knows?


Friday, July 15, 2016

Legal Geek No. 79: Computer Fraud and Abuse Act in the Crosshairs

Welcome back to Legal Geek. This week, we cover the new scrutiny placed on the Computer Fraud and Abuse Act after that federal criminal law was interpreted broadly in a 9th Circuit Court of Appeals decision last week.

https://archive.org/details/LegalGeekEp79

The Computer Fraud and Abuse Act was written in 1986 to criminalize hacking activities with respect to government computers and computers of financial institutions. The law also has a catch-all provision, added in 2008, that prohibits access "without authorization" or "by exceeding authorized access" to any protected computer which is used in interstate commerce, which can be read as anything connected to the Internet.

This amendment, while made by Congress in an effort to solidify the anti-hacking law, has created questions of how broadly this law should be interpreted. If broadly interpreted, seemingly innocuous things like breaking a social network's code of conduct or letting someone use your Netflix password would be a federal felony, while if narrowly interpreted, such conduct would fall well outside the scope of this law. The 9th Circuit's decision this week in U.S. v. Nosal illustrates both sides of the argument well.

The facts in Nosal are pretty simple. Nosal left an executive recruiting firm to open his own competitor firm, and over time, he took a couple of former co-workers and his assistant from the original company as well. To get a leg up on leads and information, Nosal instructed the former co-workers, while they still had access, to pull confidential lead information from the old company's servers and give it to his new company. Then, after those co-workers also left and had their own access revoked, Nosal had his former assistant give her password to them, and they accessed similar information again to deliver it to the new firm. The former assistant left for the new firm shortly thereafter.

Clearly these are bad actors in the Nosal case, so why is this case such a fuss? This is actually the second time this case and set of facts has been decided by the 9th Circuit. The first time, back in 2012, the full en banc panel considered specifically the actions of the former co-workers who downloaded and transferred confidential data and gave it to Nosal while they were still employed by the original company and still had full access to the information. That panel determined that these employees did have access, so the conduct was clearly not "without authorization" and it also was not deemed "exceeding authorized access" because they did have full access to the information. Certainly the transfer to Nosal broke employee codes and therefore violated contract or trade secret laws, but not a law designed to stop outside or inside hacking.

Yet just four years later, a smaller 3-judge panel of the 9th Circuit essentially reversed this decision based solely on a small change in the facts considered. Specifically, this year the Court focused on the activities of the co-workers after they had been fired and had their access revoked, when they used the assistant's authorized password anyway to access the database and pull more information from the original company. Instead of focusing on the fact that this was just another type of password sharing and essentially the same access by the assistant, the new panel decided that this slightly altered conduct clearly fell under the "without authorization" prong of the law, generalizing this story as a hacking scheme with an inside man. A small fact difference totally flipped the outcome.

However, as the dissent in the current decision notes, this decision could be extended to apply to all password sharing, which would mean giving your buddy an HBO GO password is a felony. It could also reach other things, like companies forcing employees out for minor violations, such as using work computers for personal tasks like e-mail during work hours, by threatening to turn them over to the FBI.

This case is not necessarily over, as a full en banc panel of the 9th Circuit could go back and reverse this new decision to make it more consistent with the first one, which narrowly interpreted the scope of the CFAA. Moreover, as the 2nd and 4th Circuits have sided with the narrow interpretation of the law while three other Circuits have sided with the broad interpretation, this is a classic case of a circuit split, which usually brings swift action by the Supreme Court to settle an issue. So stay tuned for further developments.

The Bottom Line is, the cries that sharing passwords for consumer things like streaming services is now a felony are not exactly true, as that type of fact scenario has not been applied to this law yet. Even though it can be painful to watch the judicial branch labor over how to interpret the laws Congress enacts when trying to keep up with technology, this is how the process is supposed to work. With so many other potential laws like contract, tort, and trade secret laws being available to stop smaller breaches like password sharing, and the original intent of the CFAA being to stop hacking, it seems likely that the eventual solution of the judiciary will be a narrow interpretation of this law. It just takes a while and some bumps in the road to get there.


Friday, July 8, 2016

Legal Geek No. 78: Supreme Court Closes Term with Abortion Caselaw Update

Welcome back to Legal Geek. Last time, we ran quickly through a summary of many of the significant Supreme Court decisions of this term. This week, we dive deep into arguably the biggest decision of the term from the Supreme Court in June, which was Whole Woman's Health v. Cole, also known as the Texas Abortion Case.

https://archive.org/details/LegalGeekEp78

This year's Supreme Court term has been most notably defined by the absence of Justice Scalia and important decisions on immigration policy and affirmative action. Indeed, Scalia's absence created a risk of a 4-4 split in the Texas Abortion Case, which would've upheld the decision of the 5th Circuit that a recent Texas law restricting abortion clinics was constitutional.

However, that did not occur as the court split 5-3 along normal ideological lines, with swing vote Justice Kennedy joining the majority just as he did back in 1992 in the landmark Planned Parenthood v Casey abortion decision. Ironically, he's the only majority vote from the Casey decision still present at the Court today.

Under the rules of Roe v Wade in the 70s and Casey, the standard applied for abortion-restrictive state laws is that if a state law places a substantial obstacle or undue burden in the path of a woman's right to access an abortion and exercise her rights to do so, such a law is unconstitutional. This is true even when the law promotes a legitimate state interest such as women's health and safety, which is also required under the constitutional analysis.

Turning to the 2013 Texas law, two new requirements were applied: first, that a doctor performing an abortion at an abortion clinic had to have admitting privileges at a hospital within 50 miles of the clinic; second, that a clinic must meet the same standards as ambulatory surgery centers. Neither of these requirements survived constitutional scrutiny in the majority's decision, written by Justice Breyer.

With respect to the admitting privileges requirement, which had already gone into effect, the Court found that this did not advance the interest of women's health in any way. Furthermore, it put an undue burden on access to abortion based mostly on the number of clinics in Texas being cut roughly in half from 42 to 19 after this requirement was enacted.

With respect to the ambulatory surgery center standards requirement, the Court again found that this did not advance the interest in health but was instead targeted at this sole procedure, as other more dangerous procedures such as childbirth, colonoscopies, and liposuction were not also subject to such requirements. If this part of the law had gone into effect, the number of clinics would have been halved again to about 7 or 8, located in only 5 major metropolitan areas. That was sufficient evidence to again let the Court conclude that this requirement created an undue burden on the right to choose.

With both requirements failing the Casey test, the Texas law was stricken as unconstitutional. The dissents from Justices Alito and Thomas focused more on legal procedural issues like res judicata and severability clauses, rather than the Casey test, which makes this decision less contested and split compared to last year's gay marriage decision and dissents.

The Bottom Line is, this Court continues to strongly protect constitutional rights in a broad manner, with this possibly being the most significant abortion-related decision since Roe and Casey. By applying those prior tests as strongly as was done in this Texas Abortion Case, the woman's right to choose is on more solid ground than ever, being seemingly safe from any targeted legislative attack from a state. Perhaps this will cause states like Texas to drop the debate over abortion and move on to other social issues of our time.
