August 03, 2005

Jennifer Granick on Defending Mike Lynn (Cisco/ISS router disclosures)

Read Jennifer Granick's inside account on the Mike Lynn case, explaining the legal issues regarding his disclosure of Cisco router security problems. Money quote (pun intended):

At the point that you get sued, or even charged with a crime, it matters less what actually happened and whether you did something wrong and more what it takes to get out of the case as unscathed as possible. It's sad, but true, that our legal system can often be more strategy than justice.

Core of the "interesting" legal controversy:

It seemed that Cisco was claiming that Mike's actions were improper because he violated the End User License Agreement (EULAs), which prohibited reverse engineering. So now I was having fun. I'm totally interested in EULAs and the circumstances under which they take away public rights that are otherwise guaranteed us. Usually, a breach of contract is no big deal. But increasingly in the tech field, we're seeing big penalties for what's essentially a contract violation. Under the Computer Fraud and Abuse Act, if you exceed your authorization to access a computer, you've committed a crime. Cases have said you exceed authorization when you breach a EULA, terms of service, or employment contract. Other cases have said that EULAs can waive fair use rights and other rights guaranteed under copyright law. Lynn's case presented the question of whether EULAs could subvert the legislature's express desire to allow people to reverse engineer trade secrets.

[Note - I've said this before, many times, but once again, here's more evidence that the types of legal risks I faced myself in investigating censorware were severe, and it was a very serious matter of extensive attacks combined with lack of support which made me quit censorware decryption research]

By Seth Finkelstein | posted in legal , security | on August 03, 2005 11:53 PM (Infothought permalink)
Seth Finkelstein's Infothought blog (Wikipedia, Google, censorware, and an inside view of net-politics) - Syndicate site (subscribe, RSS)

Subscribe with Bloglines      Subscribe in NewsGator Online  Google Reader or Homepage


You sound at least a little alarmed by EULA enforcement.

The legal system is set up to protect businesses from individuals.

Kind of like your grokster comments, this will likely go one of two ways.

1. Cisco drags this threatening individual through court and the court finds he violated the EULA. Let the harsh penalties fly.

2. This threatening individual might have violated the EULA, but Cisco doesn't want to pay to find out, so plea bargain to a lesser crime and let the penalties fly.

Clearly the guy is intelligent, but he needed to WAIT to get this done through proper legal and political channels. If the Internet failed spectacularly while he was doing this then he certainly wouldn't be to blame.

Your censorship research that you so lovingly cling to COULD find appropriate and safe channels to work in. But it's easier to be made a victim and cry about it than make some political and legal effort to getting it done right.

Be an adult about it, stop whining and get to work. I'll even pitch in and help!

Posted by: gooseliver fordinner at August 4, 2005 01:39 PM

Sigh. It's always easy to fight to the last drop of someone else's blood.

Precisely because of certain types of crticism which I receive, I have an interest in noting cases where programmers get sued, to establish that my fear of being sued is realistic and well-founded. I can't do anything about people who blithely volunteer me to get sued.

I don't want to play anonymity games. I did it for a long time at the start, and it's never worked out well for me. The channels I have explored for getting support have not been successful.

Personal attack is not helpful. I have had that in abundance. It does not change the legal risk.

Posted by: Seth Finkelstein at August 4, 2005 03:28 PM

1. If you took my comments to mean "just do the research anyway", then I've been misconstrued. The best analogy I can think of is there are people doing research with deadly viruses every day. They have procedures to minimize the risks associated with the work and the law and government had a role in defining those procedures and environment. You are in a situation where you have this really important work on a really risky topic, but no political and legal framework in which to do the work. You need to create the framework first.

2. "The channels I've have explored..." Okay, you've made some effort, and they didn't pan out. No, you won't get instant results. 10 years from now you may be able to safely research the topic. If you continue to do nothing, it's much more likely you'll never get to do it.

3. It sounds like you've resigned yourself to doing nothing but communicating with morally justifiable anger. I'm not sure how that helps move your agenda forward. Please explain.

Good luck to you.

Posted by: gooseliver fordinner at August 5, 2005 02:06 PM

"You need to create the framework first."

I wish I knew how to do that. I'm a techie, I'm *bad* at politics. I know this. Seriously, such framework creation seems beyond my skills. It requires a lot of ability to fund-raise, and get various powers-that-be to make alliances, which are just not my strengths.

"No, you won't get instant results."

More like, I'll be unemployed and extensively personally attacked. There are costs, direct and indirect, in making attempts. Such costs are too high for me.

"resigned yourself to doing nothing but communicating with morally justifiable anger"

Because it's all I can do, since it's mostly harmless :-(.

Between worrying about a lawsuit, and writing I'm not doing something because of worry about a lawsuit, I would MUCH rather do the latter than the former. I understand that this is not in most people's experience. But, considered objectively, it makes a great deal of sense.

Posted by: Seth Finkelstein at August 5, 2005 08:46 PM

1. I'm *bad* at politics. I know this.
This is where I call B.S. on guys like you and the guy in trouble with Cisco. You are plenty smart enough to get the job done. You actively choose not to get involved.

2. I'll be unemployed.
No. You'll be going around in your spare time talking to anyone that might have a connection/interest in your cause. The people you talk to are not fellow techies, but legal and political types. Again, takes 10 years and talk to hundreds of people, but you get to your research eventually and more importantly establish the policies for others like you.

3. It's all that I can do.
No. It's all you choose to do.

4. Considered objectively.
Another weak argument. It's the equivalent of commercial radio station programming. The computer picks songs to play. The only new songs that get played are the ones that sound exactly like successful songs or are from known commercially successful bands. Perfectly rational system. Perfect objectivity. But the songs don't really change. Ever.

I'm all done with the topic.

Good luck.

Posted by: gooseliver fordinner at August 6, 2005 02:02 AM

Once more - it is always easy to tell another person to risk much, to endure suffering, to sacrifice themselves for the greater good. Saving the world (or even just the Internet) is much easier said than done.

Posted by: Seth Finkelstein at August 6, 2005 10:17 AM