LawMeme LawMeme Yale Law School  
LawMeme
Search LawMeme [ Advanced Search ]
 
 
 
 
From the Strange File: Archive.org Hacking in Civil Lawsuit?
Posted by James Grimmelmann on Monday, July 12 @ 02:27:02 EDT Computer Crime
I'm not really sure what to make of this one. BNA mentioned a case named Flynn v. Health Advocate Inc. (not publicly online yet, but keep checking here). It's just a garden-variety civil lawsuit around a business venture that never went anywhere. The plaintiff is accusing the defendants of using the negotiations as a ploy to ferret out various trade secrets and other confidential information.

Nothing particularly interesting there: just your normal run-of-the-mill "unfair competition, trademark/service mark infringement, violations of the Lanham Act (15 U.S.C. ยง 1125(a)), breach of contract, unjust enrichment, tortious interference with existing and prospective contractual relations, conspiracy, fraud, misappropriation of trade secrets and copyright infringement" claims. No, what's strange about this case is that the plaintiff tried to amend its complaint to accuse on of the defendant's lawyers of hacking Archive.org.

More details inside . . .

First, the relevant portions of the new complaint (HAS is the plaintiff, and the Law Firm is representing one of the defendants):

49. Between July 8, 2003, and July 15, 2004, the Law Firm "hacked" into [HAS, Inc.'s] archived materials on a website known as www.archive.org. The forgoing website is effectively a library of all web pages and other information which appears on the internet. The website gathers information contained on the internet, which is thereafter archived by the website and can be searched through search engines on the website.

50. Not all of the information contained on www.archive.org is available to the public. Any owner of a website can notify www.archive.org that it does not want its past website material to be made public on www.archive.org and, according to the policies and procedures of the website, as well as the security safeguards implemented by www.archive.org and each website's owner's terms of use, such information is not available to the general public.

51. [HAS, Inc.] notified www.archive.org that it wanted its archival material to remain private and confidential and www.archive.org complied with [HAS, Inc's] request by blocking access to [HAS, Inc.'s] archival information.

52. As a result of the security put into place by www.archive.org, any person attempting to retrieve information regarding [HAS, Inc.] received a message advising the person attempting to obtain the information that the owner of the website had elected to deny access to the site to third parties.

53. The Law Firm attempted to obtain information regarding [HAS, Inc.] through www.archive.org; however, when it attempted to obtain the information it received the notice that the information was not available at the request of the owner.

54. Rather than honor this notice, or the terms of use on [HAS, Inc.'s] website, or www.archive.org's website, the Law Firm devised a methodology to defeat the security system that was put into place by www.archive.org.

55. Computer records demonstrate that between July 8 and July 15, 2003, the Law Firm made approximately 849 attempts to access the information regarding [HAS, Inc.] through www.archive.org. Notwithstanding the fact that the Law Firm knew that security was in place to prevent it from obtaining access to [HAS, Inc.'s] information, and the Law Firm actually received notices from www.archive.org that the information was not available, the Law Firm devised a methodology, using multiple computers at its offices, to defeat the security which was put into place by the website for the benefit of companies like [HAS, Inc.].

56. The Law Firm was successful in breaching the security put into place by www.archive.org on approximately 112 occasions. From a technological standpoint, this meant that the Law Firm was also receiving information directly from [HAS, Inc's] website on each of these occasions, as www.archive.org retrieved or attempted to retrieve information from [HAS, Inc.'s] website each time it was successful in breaching the security. It was a result of this communication between www.archive.org and [HAS, Inc.'s] website that [HAS, Inc.] obtained the web logs memorializing the hacking activity. This conduct constituted unlawful "hacking" activity in violation of both federal and state law, as described more fully below.

57. The Law Firm was successful in executing old HTML pages from the [HAS, Inc.] website without authorization from www.archive.org or [HAS, Inc.], and made copies of the copyrighted materials contained therein.

As hinted in there, HAS is of the opinion that this behavior was illegal in five different ways. The court completely ducked the issue by ruling that even if all of this was true, it wasn't relevant enough to the original lawsuit to justify hauling the lawyers into court, too. (Mmm, FRCP 15). As a pragmatic decision, this strikes me as right, because if yourlawyers become your co-defendants, they can't be your lawyers any more. In general, the American system bends over backwards to let people choose the lawyers they want to represent them, and won't undo that choice without damn good reason.

The issue may not go away, of course. (Despite the above, lawyers can't just get away with anything.) It could show up in disciplinary proceedings against the lawyers, or, more likely, in a motion for sanctions in the case against the defendants for misconduct, and in a motions to exclude anything these Archive.org hits turned up. Which means that the court may well at some point confront the question in my mind as soon as I saw the case, namely, "What the frick?"

I mean, I think I can tell what was going on. HAS wanted to keep information that used to be on its web site out of the case, either because it would hurt HAS's case (by negating the "secret" part of a trade secret claim, for example) or because it had slipped up and put something confidential there that it wanted to retract. Therefore, HAS both changed its site and asked Archive.org to remove them from its index.

The other side's lawyers wanted to get at this information, presumably for the same reasons HAS wanted it secret. And then they found some way to "defeat the security" at Archive.org. By this, I am puzzled. Did they actually hack into Archive.org's servers? The complaint seems to suggest not; rather, it was something involving "multiple computers" that convinced Archive.org to serve up old HAS pages (while at the same time making requests for new ones from the HAS servers) I can't really tell whether this involved exploiting a bug in Archive.org, or whether HAS simply screwed up and didn't fill out its robots.txt properly, or something else entirely.

But I can say this: HAS is raising a striking issue here: third party standing to sue over violation of various computer security statutes. Take for example the DMCA claim. It presumably runs something like this. Access to our copyrighted works (the web pages) is effectively controlled by the technological measures in place at Archive.org. You circumvented those measures. We were injured as a result (I can see copyright infringement, plus possibly some of the other claims from the underlying lawsuit). Therefore, under sections 1201(a) and 1203(a) of the DMCA, you're liable to us. Ka-pow.

In the normal hacking situation where third parties' information is leaked, two things happen. First, the hackee does what it can to come down on the hacker like a ton of bricks. And second, the third parties do what they can to the hackee, a legal fight that usually turns on terms of service or whatever other legal standard the hackee got the information in the first place. It's not the norm for the hackee to be blase in a situation where the third party can find the hacker and haul him or her into court.

One for the radar screens . . .

UPDATE: July 15, 1:30 PM: Fixed the case name (I had conflated "Healthcare Advocates" with "Health Advocate").

 
Related Links
· More about Computer Crime
· News by James Grimmelmann


Most read story about Computer Crime:
Life Sentences for Child Porn Busters?

Options

 Printer Friendly Page  Printer Friendly Page

 Send to a Friend  Send to a Friend

Threshold
  
The comments are owned by the poster. We aren't responsible for their content.

Re: From the Strange File: Archive.org Hacking in Civil Lawsuit? (Score: 0)
by Anonymous on Monday, July 12 @ 09:33:52 EDT
Paragraph 56's claim that archive.org accessed HAS's Web site, looks fishy to me. I think it's much more likely that what was actually going on there was that when "the Law Firm" loaded pages from archive.org, those pages contained inline graphics with URLs pointing at the current HAS Web site, so that the Law Firm accessed the current HAS Web site as a result of loading the archive.org pages. This technical point probably has no bearing on the legal issues, but I wonder, if their statements on this point are misleading, which of their other statements might also be.


[ Reply to This ]


Re: From the Strange File: Archive.org Hacking in Civil Lawsuit? (Score: 0)
by Anonymous on Tuesday, July 13 @ 10:08:41 EDT
Obviously content owners can sue under the DMCA anti-circumvention provisions for illegal access to their content, even if the maker or owner of the protection system does not sue. See Section 1203(a): "Any person injured by a violation of section 1201 or 1202 may bring a civil action in an appropriate United States district court for such violation." The question here is whether there was a "technological measure that effectively controls access."

The CFAA also would appear to permit third-party suits, but the third party would have to show "damage or loss" as defined under the statute. See 18 USC 1030(g) and (e)(8) and (11).

I don't see how a third party could make a trespass claim, since the trespass is to the computer servers themselves, not the content. I think under most states' laws a third party would not have a claim. Same for breach of contract of any site terms and conditions, unless there are identifiable third-party beneficiary rights.


[ Reply to This ]


Re: From the Strange File: Archive.org Hacking in Civil Lawsuit? (Score: 0)
by Anonymous on Wednesday, July 14 @ 17:23:40 EDT
Flynn v. Healthcare Advocates is available on Lexis Nexis.


[ Reply to This ]


Leges humanae nascuntur, vivunt, moriuntur
Human laws are born, live, and die

Contributors retain copyright interests in all stories, comments and submissions.
The PHP-Nuke engine on which LawMeme runs is copyright by PHP-Nuke, and is freely available under the GNU GPL.
Everything else is copyright copyright 2002-04 by the Information Society Project.

This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License, v1.0 or later.
The latest version is currently available at http://www.opencontent.org/openpub/.

You can syndicate our news with backend.php



Page Generation: 0.183 Seconds