Fourth Circuit Revives Wikimedia NSA Case

Yesterday the Fourth Circuit reinstated a case brought by the Wikimedia Foundation concerning the National Security Agency’s bulk “Upstream” surveillance program.  Under the Upstream program, the NSA collects traffic on the U.S. Internet backbone.  The Government claims that this collection is targeted to specific queries relating to terror investigations and other intelligence matters.  As a result, the Government claimed, it is unlikely that any communications involving Wikimedia were reviewed by the NSA as part of the Upstream program, and therefore Wikimedia lacks standing to assert its claims.  The district court, relying on Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), agreed and granted the Government’s motion to dismiss on the pleadings.  The Fourth Circuit reversed.

Wikimedia alleged that, because of the way packets travel over the network, the NSA necessarily must collect substantially all the international text-based communications traveling over high-capacity cables, switches and routers in the U.S.  The Government argued that this was a speculative assertion that should not be taken at face value even at the pleading stage.  However, Wikimedia also alleged that, given the enormous number of Internet communications involving Wikimedia each year — a number Wikimedia put at over one trillion — it is nearly certain that the NSA has collected and reviewed communications involving Wikimedia even if the NSA’s data collection were limited to one trunk line.  As the Complaint put it, “even if one assumes a 0.00000001% chance . . . of the NSA copying and reviewing any particular communication, the odds of the government copying and reviewing at least one of the Plaintiffs’ communications in a given one-year period would be greater than 99.9999999999%.”  Complaint, 46-47.

The Government disputed these factual statistical assertions as well, but the Fourth Circuit found them plausible enough that the case should proceed.  The Fourth Circuit noted that “[w]e would never confuse the plausibility of this conclusion with that accorded to Newton’s laws of motion,” but observed that the standard is merely reasonable plausibility.  Opinion, at 26.  The Fourth Circuit did, however, uphold the dismissal of what it termed the “Dragnet” allegations because the Complaint did not contain specific enough factual assertions about the actual scope of the NSA’s surveillance activity.

The Fourth Circuit makes some interesting interpretive moves in this Opinion relating to how Clapper should apply in cases involving bulk surveillance claims and large Internet entities.  Wikimedia’s “statistical” argument seems dubious, and it seems that under the Fourth Circuit’s analysis any entity with a large Internet presence would have standing to challenge a surveillance program.  Perhaps that is a good policy result, but it does not seem consistent with Clapper.

The Fourth Circuit’s Opinion is below:

Wikimedia-ca4-20170523.pdf: https://drive.google.com/file/d/0BzS0leqU862xWm81WlFScWlDY3c/preview?usp=drivesdk

Facebook and Terrorism: Cohen v. Facebook and Force v. Facebook

It’s well-known that Facebook, Twitter, YouTube, and other social media platforms are used for propaganda and recruiting purposes by terrorist groups such as ISIL.  A number of Jewish groups filed lawsuits alleging that Facebook should be held civilly liable for facilitating terrorist attacks against Jews.  Two of these cases recently were dismissed by Judge Nicholas Garaufis in the U.S. District Court for the Eastern District of New York.  A copy of Judge Garaufis’ Memorandum and Order is available below.

In Cohen v. Facebook, the plaintiffs asserted negligence and civil conspiracy theories under Israeli and U.S. law.  That case was removed to federal court by Facebook.  In Force v. Facebook, the plaintiffs asserted claims under the federal “Providing Material Support to Terrorists” statute, 18 U.S.C. § 2339A, and the civil remedies provision for terrorist acts, 18 U.S.C. § 2333A, as well as for negligence and other breaches of duty under Israeli law.  Copies of the Cohen and Force Complaints are available below.

Judge Garaufis dismissed the Cohen case for lack of standing because the individual plaintiffs asserted only a threat or fear of possible future harm.  He also dismissed the Force case under the immunity provision of section 230 of the Communications Decency Act, 47 U.S.C. § 230(c)(1).  This provision states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  Id.  

The Second Circuit has established a three-part test for determining whether section 230 immunity applies:  the law “shields conduct if the defendant (1) is a provider or user of an interactive computer service, (2) the claim is based on information provided by another information content provider and (3) the claim would treat [the defendant] as the publisher or speaker of that information.”  FTC v. LeadClick Media, LLC, 838 F.3d 158, 173 (2nd Cir. 2016).

The primary issue in these cases was whether the third element would be satisfied.  Here, the focus is on whether the provider exercises “a publisher’s traditional editorial functions — such as deciding whether to publish, withdraw, postpone, or alter content.”  Id. at 174.  The plaintiffs in the Force case argued that Facebook was not acting as a publisher but rather was providing content-neutral services in support of terrorist activities by Hamas.  The court rejected this argument and found that section 230 immunity applies to Facebook.  Memorandum and Order, at 17-23.

The plaintiffs in the Force case also raised a creative argument:  section 230 should not apply because the terrorist acts occurred in Israel and there is a presumption against extraterritoriality.  Judge Garaufis rejected this argument as well and held that the focus of section 230 is to limit civil liability of internet service providers and that the relevant events relating to such liability involve the location of the speaker.  Since Facebook is a U.S. corporation, Judge Garaufis held that section 230 did not require extraterritorial application in this case even though the terrorist acts happened in Israel.  Memorandum and Order, at 23-27.

Judge Garaufis’ interpretation of section 230, including the question of extraterritoriality raised by this case, seems correct.  Section 230, however, was a legislative solution to Internet publisher liability in a simpler age, before the explosion of social media platforms and their cooptation by terrorists.  There may be good policy arguments today for imposing some legal duties on social media sites to screen for materials that incite violence and terrorism.

 

Cohen and Force Opinion

Cohen v. Facebook.pdf: https://drive.google.com/file/d/0BzS0leqU862xeHRxOEZZdkFJYXc/preview?usp=drivesdk

Cohen Complaint

Cohen v. Facebookcomplaint.pdf: https://drive.google.com/file/d/0BzS0leqU862xWkVUb21jM2dUaDQ/preview?usp=drivesdk

Force Complaint

force v facebook.pdf: https://drive.google.com/file/d/0BzS0leqU862xN28zMFhXa3piUGM/preview?usp=drivesdk

WannaCry Ransomware and Legal Fault

The WannaCry Ransomware attack has spread throughout the world over the past week.  Fingers are pointing at Microsoft for the vulnerability in earlier versions of Windows, at the NSA for creating the leaked exploit, and at North Korea for allegedly perpetrating the attack.  There is blame to go around, but if we were to assess comparative fault the victim is also substantially to blame, for at least two reasons, one obvious and one less obvious:

First, the obvious reason:  the attack affected older versions of Windows, including Windows XP, which has not been supported by Microsoft since 2014.  However frustrating Microsoft’s update and support cycle might seem, and whatever transaction and opportunity costs are involved in switching an organization to a newer OS, it is negligent to continue using an outdated, unpatchable OS.

Second, the less obvious reason:  the attack exploited Port 445, a networking port used by those older versions of Windows for peer-to-peer connections with printers and the like.  A basic component of any cybersecurity compliance program — in addition to using updated, patched software — is to conduct regular port audit scans and to configure firewalls to block unnecessary ports.  Given the low cost of this kind of precaution, failure to conduct port audits is almost certainly negligence.

 

Trump Cybersecurity Executive Order


President Trump today signed a long-awaited Executive Order on Cybersecurity.  I think it is mostly a non-event.  There are some helpful provisions, including a requirement that government agencies implement the NIST Framework.  Otherwise, it requires a series of executive reports on cybersecurity preparedness, generally within 90 days of the Order.  As others have noted, those reports are likely to show that government cybersecurity is significantly lacking because of outdated infrastructure.  The real test will come when changes must be implemented and government cyber infrastructure moves towards a more centralized cloud-based model.

The text of the Order is below.

Trump-cybersecurity-executive-order.pdf: https://drive.google.com/file/d/0BzS0leqU862xVGNIR3ZWdGI1eDQ/preview?usp=drivesdk

DTSA Statistics

Introduction

Trade secrets are important to cybersecurity because many data breaches involve trade secret theft.  The Defend Trade Secrets Act of 2016 (DTSA) amended the Espionage Act of 1996 to provide a federal private right of action for trade secret misappropriation.   Some commentators opposed the DTSA in part because it seems redundant in light of state trade secret law and could lead to unnecessary litigation and restrictions on innovation.  Now that the DTSA has been in effect for nearly a year, I conducted an empirical study of cases asserting DTSA claims (with the able help of my research assistant, Zach Hansen).  This post summarizes the results of that study.

Methodology

We ran keyword searches in the Bloomberg Law federal docket database to identify cases asserting DTSA claims in federal courts.  It is not possible to search only on the Civil Cover Sheet because there is no discrete code for DTSA claims.  Our search ran from the effective date of the DTSA (May 26, 2016) through April 21, 2017 (just prior to our symposium on the DTSA at Seton Hall Law School).  After de-duping, we identified 280 unique Complaints, which we coded for a variety of descriptive information.  Our raw data is available online.

Findings

This chart shows the number of filings by district:

We were not surprised to see that the Northern and Central Districts of California, Southern District of New York, and District of Massachusetts were among the top five.  We were surprised, however, to see the Northern District of Illinois tied for first.  This could reflect the influence of the financial services industry in Chicago, but further research is required.

The next chart shows the number of filings by month:

It is interesting to note the decline in filings following the initial uptick after the May 26, 2016 effective date.  Perhaps this reflects a slight lull during the summer months.  Filings then remained relatively steady until March, 2017, when they increased significantly.  This could have something to do with the quarterly business cycle or bonus season, since many of the cases (as discussed below) involve employment issues.  Or, it could reflect a random variation given the relatively small sample size.

We next examined other claims filed along with the DTSA counts in these Complaints:

We excluded from this chart related state law trade secret claims.  Not surprisingly, nearly all the cases included claims for breach of contract.  As noted above, trade secret claims often arise in the employment context in connection with allegations of breach of a confidentiality agreement or covenant not to compete.  Another finding of note was that a fair number of cases assert Computer Fraud and Abuse Act claims, although the number is not as high as expected.  Most trade secret cases today involve exfiltration of electronic information, but perhaps many cases do not involve hacking or other access techniques that could run afoul of the CFAA.

We also noted a smaller but not insignificant number of cases asserting other intellectual property claims, including trademark, copyright and patent infringement.  Since many documents taken in alleged trade secret thefts are subject to other forms of intellectual property — particularly copyright — this may show that some lawyers are catching on to the benefit of asserting such claims along with DTSA claims.

Finally, our review of case status revealed the following:

  • 198 cases in various pre-trial stages
  • 61 cases dismissed
  • 5 preliminary injunctions
  • 4 final judgments, including 2 permanent injunctions
  • 3 default judgments
  • 1 case sent to compulsory arbitration
  • 8 undetermined / miscellaneous

At first blush, the number of cases dismissed seems high, given that none of the cases have been pending for more than a year.  We assume the vast majority of these cases settled, though further investigation is required.  In contrast, the number of preliminary injunctions granted seems very low.  Again, further investigation is required, but so far it does not seem that the DTSA is resulting in the kind of preliminary injunction practice we expected to see under a federal trade secret statute.
