August 03, 2005
Jennifer Granick on Defending Mike Lynn (Cisco/ISS router disclosures)
Read Jennifer Granick's inside account on the Mike Lynn case, explaining the legal issues regarding his disclosure of
Cisco router security problems. Money quote (pun intended):
At the point that you get sued, or even charged with a crime, it
matters less what actually happened and whether you did something
wrong and more what it takes to get out of the case as unscathed as
possible. It's sad, but true, that our legal system can often be more
strategy than justice.
Core of the "interesting" legal controversy:
It seemed that Cisco was claiming that Mike's actions were improper
because he violated the End User License Agreement (EULAs), which
prohibited reverse engineering. So now I was having fun. I'm totally
interested in EULAs and the circumstances under which they take away
public rights that are otherwise guaranteed us. Usually, a breach of
contract is no big deal. But increasingly in the tech field, we're
seeing big penalties for what's essentially a contract violation. Under
the Computer Fraud and Abuse Act, if you exceed your authorization to
access a computer, you've committed a crime. Cases have said you
exceed authorization when you breach a EULA, terms of service, or
employment contract. Other cases have said that EULAs can waive fair
use rights and other rights guaranteed under copyright law. Lynn's
case presented the question of whether EULAs could subvert the legislature's
express desire to allow people to reverse engineer trade secrets.
[Note - I've said this before, many times, but once again, here's more
evidence that the types of legal risks I faced myself in investigating
were severe, and it was a
very serious matter of extensive attacks combined with lack of support
which made me quit censorware decryption research]
By Seth Finkelstein | posted in legal on August 03, 2005 11:53 PM
You sound at least a little alarmed by EULA enforcement.
The legal system is set up to protect businesses from individuals.
Kind of like your Grokster comments, this will likely go one of two ways.
1. Cisco drags this threatening individual through court and the court finds he violated the EULA. Let the harsh penalties fly.
2. This threatening individual might have violated the EULA, but Cisco doesn't want to pay to find out, so plea bargain to a lesser crime and let the penalties fly.
Clearly the guy is intelligent, but he needed to WAIT to get this done through proper legal and political channels. If the Internet failed spectacularly while he was doing this then he certainly wouldn't be to blame.
Your censorship research that you so lovingly cling to COULD find appropriate and safe channels to work in. But it's easier to be made a victim and cry about it than make some political and legal effort to get it done right.
Be an adult about it, stop whining and get to work. I'll even pitch in and help!
Sigh. It's always easy to fight to the last drop of someone else's blood.
Precisely because of certain types of criticism which I receive, I have an interest in noting cases where programmers get sued, to establish that my fear of being sued is realistic and well-founded. I can't do anything about people who blithely volunteer me to get sued.
I don't want to play anonymity games. I did it for a long time at the start, and it's never worked out well for me. The channels I have explored for getting support have not been successful.
Personal attack is not helpful. I have had that in abundance. It does not change the legal risk.
1. If you took my comments to mean "just do the research anyway", then I've been misconstrued. The best analogy I can think of is there are people doing research with deadly viruses every day. They have procedures to minimize the risks associated with the work and the law and government had a role in defining those procedures and environment. You are in a situation where you have this really important work on a really risky topic, but no political and legal framework in which to do the work. You need to create the framework first.
2. "The channels I've explored..." Okay, you've made some effort, and they didn't pan out. No, you won't get instant results. 10 years from now you may be able to safely research the topic. If you continue to do nothing, it's much more likely you'll never get to do it.
3. It sounds like you've resigned yourself to doing nothing but communicating with morally justifiable anger. I'm not sure how that helps move your agenda forward. Please explain.
Good luck to you.
"You need to create the framework first."
I wish I knew how to do that. I'm a techie, I'm *bad* at politics. I know this. Seriously, such framework creation seems beyond my skills. It requires a lot of ability to fund-raise, and get various powers-that-be to make alliances, which are just not my strengths.
"No, you won't get instant results."
More like, I'll be unemployed and extensively personally attacked. There are costs, direct and indirect, in making attempts. Such costs are too high for me.
"resigned yourself to doing nothing but communicating with morally justifiable anger"
Because it's all I can do, since it's mostly harmless :-(.
Between worrying about a lawsuit, and writing I'm not doing something because of worry about a lawsuit, I would MUCH rather do the latter than the former. I understand that this is not in most people's experience. But, considered objectively, it makes a great deal of sense.
1. I'm *bad* at politics. I know this.
This is where I call B.S. on guys like you and the guy in trouble with Cisco. You are plenty smart enough to get the job done. You actively choose not to get involved.
2. I'll be unemployed.
No. You'll be going around in your spare time talking to anyone that might have a connection/interest in your cause. The people you talk to are not fellow techies, but legal and political types. Again, takes 10 years and talk to hundreds of people, but you get to your research eventually and more importantly establish the policies for others like you.
3. It's all that I can do.
No. It's all you choose to do.
4. Considered objectively.
Another weak argument. It's the equivalent of commercial radio station programming. The computer picks songs to play. The only new songs that get played are the ones that sound exactly like successful songs or are from known commercially successful bands. Perfectly rational system. Perfect objectivity. But the songs don't really change. Ever.
I'm all done with the topic.
Once more - it is always easy to tell another person to risk much, to endure suffering, to sacrifice themselves for the greater good. Saving the world (or even just the Internet) is much easier said than done.