USA v. Andrew Auernheimer
Filing
26
ECF FILER: ELECTRONIC AMICUS/INTERVENOR BRIEF on behalf of Digital Media Law Project in support of Appellant/Petitioner, filed. Certificate of Service dated 07/08/2013 by ECF. (CCW)
No. 13-1816
IN THE
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
UNITED STATES OF AMERICA,
PLAINTIFF-APPELLEE,
v.
ANDREW AUERNHEIMER,
DEFENDANT-APPELLANT.
____________________________
On Appeal From The United States District Court
For The District of New Jersey
Case No. 2:11-cr-00470-SDW-1
Honorable Susan D. Wigenton, District Judge
__________________________________________________________________
BRIEF OF AMICUS CURIAE DIGITAL MEDIA LAW PROJECT
IN SUPPORT OF DEFENDANT-APPELLANT
__________________________________________________________________
Kit Walsh (MA BBO#673509)
cwalsh@cyber.law.harvard.edu
Clinical Instructional Fellow
Cyberlaw Clinic
Berkman Center for Internet and Society
Harvard Law School
23 Everett St., 2nd Floor
Cambridge, MA 02140
Tel: (617) 384-9125
Fax: (617) 495-7641
Counsel for Digital Media Law Project
On the brief:
Jeffrey P. Hermes
Andrew F. Sellars
Digital Media Law Project
Berkman Center for Internet & Society
23 Everett Street, 2nd Floor
Cambridge, MA 02138
Tel: (617) 495-7547
Fax: (617) 495-7641
TABLE OF CONTENTS
STATEMENT OF INTEREST.............................................................................1
SUMMARY OF ARGUMENT .............................................................................1
ARGUMENT ..........................................................................................................3
I.
APPLICATION OF 18 U.S.C. § 1030(c)(2)(B)(ii) TO NEW JERSEY’S
COMPUTER INTRUSION LAW ESCALATES PUNISHMENT
SOLELY FOR DISSEMINATING INFORMATION, AND THUS
MANDATES FIRST AMENDMENT SCRUTINY. ...............................3
II.
UNDER THE FIRST AMENDMENT, DISCLOSURE OF
INFORMATION OF PUBLIC IMPORTANCE CANNOT SUBJECT
THE DEFENDANT TO ADDITIONAL PUNISHMENT ABSENT A
STATE INTEREST OF THE HIGHEST ORDER. ................................6
A.
The Information Disclosed by Auernheimer Was Both True and
Related to a Matter of Public Concern. .........................................7
B.
Application of the New Jersey Statute in This Case Requires
Exacting Judicial Scrutiny Because the Prosecution Targets the
Publication of Truthful Information of Public Concern. ...........13
C.
The Jury’s Verdict that Auernheimer Accessed the Information at
Issue Illegally Does Not Satisfy First Amendment Scrutiny for
Punishing the Disclosure of that Information. ............................18
D.
Application of First Amendment Scrutiny Does Not Invalidate
Punishment for Disclosures Which Would Violate an Existing
Duty Not to Disclose, Disclosure of Purely Private Information, or
Disclosures that Violate Copyright or Trade Secret Laws. ........22
i
III.
ALLOWING ADDITIONAL PUNISHMENT OF THE DEFENDANT
HERE WOULD CHILL REPORTING ON DATA SECURITY
VULNERABILITIES AND HARM THE PUBLIC’S
UNDERSTANDING OF DATA PRIVACY ISSUES. ...........................26
ii
TABLE OF AUTHORITIES
Cases
Anderson v. Suiters, 499 F.3d 1228 (10th Cir. 2007) ...........................................10
Bartnicki v. Vopper, 532 U.S. 514 (2001) .................................................... passim
Bartnicki v. Vopper, 200 F.3d 109 (3d Cir. 1999) ....................................14, 16, 20
Beyer v. Duncannon Borough, 428 Fed. App‟x 149 (3d Cir. 2011) ....................10
Bond v. Floyd, 385 U.S. 116 (1966) .......................................................................7
Boehner v. McDermott, 484 F.3d 573 (D.C. Cir. 2007) .......................................24
Bowley v. City of Uniontown Police Dep’t, 404 F.3d 783 (3d Cir. 2005) ......15, 19
Brandenburg v. Ohio, 395 U.S. 444, (1969) ...........................................................7
Cohen v. Cowles Media Co., 501 U.S. 663 (1991) .........................................19, 20
Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975) .......................................15
Desnick v. ABC , Inc., 44 F.3d 1345 (7th Cir. 1995) ............................................21
Dietemann v. Time, Inc., 449 F.2d 245 (9th Cir. 1971) .........................................21
Eldred v. Ashcroft, 537 U.S. 186 (2003) ..............................................................25
First Amend. Coalition v. Judicial Inquiry & Review Bd.,
784 F.2d 467 (3d Cir. 1986) ...................................................................... 19
iii
Florida Star v. B.J.F., 491 U.S. 524 (1989) ...................................................15, 18
Food Lion, Inc. v. Capital Cities/ABC, Inc.,
194 F.3d 505 (4th Cir. 1999) ............................................................4, 20, 21
Giboney v. Empire Storage & Ice Co., 336 U.S. 490 (1949) ..................................6
Hornberger v. ABC, Inc., 799 A.2d 566, (N.J. Super. App. Div. 2002) ...............21
Hustler Magazine, Inc. v. Falwell, 485 U.S. 46 (1988) ...................................12, 20
Jean v. Mass. State Police, 492 F.3d 24 (1st Cir. 2007) .......................................24
Jenkins v. Dell Publ’g Co., 251 F.2d 447 (3d Cir. 1958) ......................................24
Landmark Communications, Inc. v. Virginia, 435 U.S. 829 (1978) .....................15
Medical Laboratory Mgmt. Consultants v. ABC, Inc.,
306 F.3d 806 (9th Cir. 2002) .......................................................................21
Miami Herald Publ’g Co. v. Tornillo, 418 U.S. 241 (1974) ................................31
NAACP v. Claiborne Hardware Co., 458 U.S. 886 (1982) ....................................7
Nat’l Taxpayers Union v. U.S. Soc. Sec. Admin.,
302 Fed. App‟x 115 (3d Cir. 2008) ............................................................25
New York v. Ferber, 458 U.S. 747 (1982) .............................................................. 6
New York Times Co. v. Sullivan, 376 U.S. 254 (1964) .........................................20
Ostergren v. Cuccinelli, 615 F.3d 263 (4th Cir. 2010) ................................. passim
iv
Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am.,
648 F.3d 295 (6th Cir. 2011) .......................................................................5
Reno v. ACLU, 521 U.S. 844 (1997) ....................................................................10
Ross v. Midwest Commc’ns, Inc., 870 F.2d 271 (5th Cir. 1989) ..........................11
Saxe v. State Coll. Area Sch. Dist., 240 F.3d 200 (3d Cir. 2001) ...........................5
Shulman v. Group W Prods., Inc., 955 P.2d 469 (Cal. 1998) ........ 4, 21, 22, 25, 32
Simon & Schuster, Inc. v. Members of the N.Y. State Crime Victims Bd.,
502 U.S. 105 (1991) ......................................................................................5
Smith v. Daily Mail Publ'g Co., 443 U.S. 97 (1979) ............................................15
Smithfield Foods, Inc. v. United Food & Commercial Workers Int’l Union,
585 F.Supp.2d 815 (E.D. Va. 2008) ...........................................................21
Snyder v. Phelps, 131 S. Ct. 1207 (2011) ...........................................................7, 8
Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011) .................................................6
Startzell v. City of Philadelphia, 533 F.3d 183 (3d Cir. 2008) .............................13
Thornhill v. Alabama, 310 U.S. 88 (1940) ..........................................................27
Time, Inc. v. Hill, 385 U.S. 374 (1967) ................................................................25
Turner Broad. Sys., Inc. v. FCC, 512 U.S. 622 (1994) ........................................13
v
United States v. Aguilar, 515 U.S. 593 (1995) ....................................................23
United States v. Cioni, 649 F.3d 276 (4th Cir. 2011) ............................................6
United States v. O'Brien, 391 U.S. 367 (1968) ....................................................17
United States v. Stevens, 130 S. Ct. 1577 (2010) ..........................................14, 26
United States v. Stevens, 533 F.3d 218 (3d Cir. 2008) ..........................................7
Statutes
17 U.S.C. § 301 ......................................................................................................25
18 U.S.C. § 1030 .....................................................................................................3
18 U.S.C. § 1028 ......................................................................................................5
N.J. Stat. § 2C:20-31 ...............................................................................3, 6, 14, 24
Other Authorities
Yochai Benkler, The Wealth of Networks (2006) ................................................11
Robert G. Bone, A New Look at Trade Secret Law: A Doctrine in Search of a
Justification, 86 Cal. L. Rev. 241 (1998) ...................................................25
Wilson Huhn, The Emerging Constitutional Calculus,
79 Ind. L.J. 801 (2004) ...............................................................................17
Leslie Kendrick, Content Discrimination Revisited,
98 Va. L. Rev. 231 (2012) ....................................................................13, 17
vi
Andrea M. Matwyshyn, Hacking Speech: Informational Speech and the First
Amendment, 107 Nw. U. L. Rev. 795 (2013) .............................................31
Andrea M. Matwyshyn, Hidden Engines of Destruction: The Reasonable
Expectation of Code Safety and the Duty to Warn in Digital Products,
62 Fla. L. Rev. 109 (2010) ..........................................................................12
N.J. Assembly Judiciary Committee, 201st Legislature, Statement to Assembly
Committee Substitute for Assembly No. 1303, (Mar. 26, 1984) ...............23
N.J. Senate, 201st Legislature, Sponsor's Statement for S. No. 1807
(May 14, 1984) ...........................................................................................23
Ethan Peterson & John Lofton, Computer Security Publications: Information
Economics, Shifting Liability, and the First Amendment,
24 Whittier L. Rev. 71 (2002) ...................................................................28
S. Rep. No. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479 .....................19
Nathan Siegel, Publication Damages in Newsgathering Cases,
19 Commc‟n Law. 11 (2001) .....................................................................20
Geoffrey R. Stone, Content-Neutral Restrictions,
54 U. Chi. L. Rev. 46 (1987) ................................................................14, 27
Geoffrey R. Stone, Government Secrecy vs. Freedom of the Press,
1 Harv. L. & Policy Rev. 185 (2007) .........................................................12
Peter P. Swire, A Model for When Disclosure Helps Security: What Is Different
About Computer and Network Security?,
3 J. Telecomm. & High Tech. L. 163 (2004) ..............................................29
vii
Eugene Volokh, Crime-Facilitating Speech,
57 Stan. L. Rev. 1095, 1118 (2005) ...........................................................11
viii
STATEMENT OF INTEREST1
Amicus Curiae the Digital Media Law Project (“Amicus” or “DMLP”)
provides legal assistance, training, and other resources for online and citizen
media. The DMLP has a strong interest in ensuring that online journalists, media
organizations, and their sources are allowed to examine and debate network
security and data protection vulnerabilities without criminal punishment, in order
to inform citizens and lawmakers about networked computer security.
SUMMARY OF ARGUMENT
Had Defendant Andrew Auernheimer simply obtained the email addresses
and device identification numbers that AT&T left open to the public on its website,
without more, the Department of Justice would have treated this act as a
misdemeanor. But because Auernheimer shared this information with the news
website Gawker in order to inform the public about AT&T‟s poor data security, the
government escalated his crime to a felony. This was premised upon the alleged
violation of the New Jersey computer intrusion statute as a predicate offense to the
1
The DMLP herby certifies that both parties consented to the filing of this brief.
Pursuant to Fed. R. App. P. 29(c)(5), the DMLP certifies that no party‟s counsel
authored the brief in whole or in part, and that no person, including any party or
party‟s counsel, contributed money that was intended to fund preparing or
submitting this brief.
1
Computer Fraud and Abuse Act (“CFAA”). The substantive elements of the
statutes are identical apart from the requirement that under the New Jersey law the
defendant must also disclose information obtained through the intrusion. The effect
of this unprecedented application is a dramatic escalation of punishment based
specifically and solely upon Auernheimer‟s speech. This requires First
Amendment scrutiny, and cannot be sustained absent the government
demonstrating a state interest of the highest order.
The First Amendment may tolerate punishment of unauthorized access to
information, but prior decisions from both this Court and the Supreme Court
indicate that the First Amendment bars the escalation of penalties for the
publication of true and newsworthy information under any circumstance that does
not fall into any existing exception to First Amendment protection. Absent
satisfaction of First Amendment scrutiny, the escalation applied in this case is
unconstitutional.
The DMLP, on behalf of its constituency of independent and online
journalists, respectfully request that this Court apply First Amendment scrutiny in
the case at bar in order to protect those who discover vulnerabilities and decide to
inform the public. A contrary rule would limit public understanding of data
2
security, frustrate informed public policy around the proper nature and extent of
computer crimes laws, and leave the public ignorant of existing vulnerabilities.
ARGUMENT
I.
APPLICATION OF 18 U.S.C. § 1030(c)(2)(B)(ii) TO NEW JERSEY’S
COMPUTER INTRUSION LAW ESCALATES PUNISHMENT
SOLELY FOR DISSEMINATING INFORMATION, AND THUS
MANDATES FIRST AMENDMENT SCRUTINY.
Auernheimer was charged with a violation of 18 U.S.C. § 1030(a)(2)(C),
escalated from a misdemeanor to a felony under § 1030(c)(2)(B)(ii) as committed
“in furtherance of any criminal or tortious act in violation of the Constitution or
laws of the United States or of any State.” The superseding indictment alleges that
the CFAA violation was committed in furtherance of New Jersey‟s computer crime
law, N.J. Stat. § 2C:20-31(a). Superseding Indictment at ¶ 5. This law is
substantively identical to the federal CFAA, save for one distinction: the New
Jersey statute applies only when the defendant “knowingly or recklessly discloses
or causes to be disclosed any data, data base, computer software, computer
programs or personal identifying information” from an unlawfully-accessed
computer. See Opening Brief of Appellant at 35-36 [hereinafter Appellant‟s Br.].
Had Auernheimer chosen not to disclose the data he obtained from AT&T‟s
website, he would have faced a maximum of one year in prison for the CFAA
3
charge, under 18 U.S.C. § 1030(c)(2)(A). His disclosure of the information to a
news outlet raised the maximum punishment to five years in prison, escalating
punishment from a misdemeanor to a felony based exclusively upon the
dissemination of information.
Dissemination of the information obtained from AT&T‟s website is
indisputably an act of free expression. Bartnicki v. Vopper, 532 U.S. 514, 526
(2001) (“The naked prohibition against disclosures is fairly characterized as a
regulation of pure speech.”). It is atypical for free speech issues to arise out of
generally applicable laws governing access, because access laws do not typically
escalate punishment or damages based upon the disclosure of information obtained
through unlawful activity. When they do, they must satisfy First Amendment
scrutiny. Bartnicki, 532 U.S at 526 (analyzing a law that punishes disclosure of
unlawfully-intercepted communications under the First Amendment); see Food
Lion, Inc. v. Capital Cities/ABC, Inc., 194 F.3d 505, 522 (4th Cir. 1999)
(upholding liability for breach of a duty of loyalty, but refusing to escalate
damages based on the disclosure of information obtained); Shulman v. Group W
Prods., 955 P.2d 469, 497 (Cal. 1998) (analyzing claims of unauthorized intrusion
4
upon seclusion and disclosure of private facts separately “for constitutional
reasons”).
This Court “cannot turn a blind eye to the First Amendment implications” of
adding up to four years to a prison sentence because the defendant chose to alert
the public. Saxe v. State College Area Sch. Dist., 240 F.3d 200, 206 (3d Cir. 2001)
(applying scrutiny to anti-harassment policy). First Amendment scrutiny is
mandated for more innocuous punishments, such as placing an additional financial
burden on speakers based on the disclosure of certain information. Simon &
Schuster, Inc. v. Members of the N.Y. State Crime Victims Bd., 502 U.S. 105, 115
(1991). It is critical to apply such scrutiny before increasing criminal punishment
based on disclosure of information of public concern. Failing satisfaction of such
scrutiny, Auernheimer‟s felony conviction under Section 1030 must be
overturned.2
2
Overturning the felony conviction under 18 U.S.C. § 1030 would also invalidate
the felony charge under 18 U.S.C. § 1028(a)(7), as the only possible application of
that statute to these facts is through Auernheimer‟s use of personally identifying
information in the course of disclosure to Gawker. Any other “use” would be so
general as to be unconstitutionally vague. See Appellant‟s Br. at 42. While the
DMLP writes to specifically address the First Amendment concern inherent in the
escalation here, the DMLP agrees with the Defendant that a finding of
unauthorized access based solely on entering a website URL with a specific
browser configuration would constitute a drastic over-reading of both the CFAA
5
II.
UNDER THE FIRST AMENDMENT, DISCLOSURE OF
INFORMATION OF PUBLIC IMPORTANCE CANNOT SUBJECT
THE DEFENDANT TO ADDITIONAL PUNISHMENT ABSENT A
STATE INTEREST OF THE HIGHEST ORDER.
The escalation of Auernheimer‟s punishment, based solely on the knowing
or reckless disclosure of “any data, data base, computer software, computer
programs or personal identifying information,” N.J. Stat. § 2C:20-31, is a
regulation of pure speech. See Bartnicki, 532 U.S. at 526; Sorrell v. IMS Health,
Inc., 131 S. Ct. 2653, 2667 (2011) (“[T]he creation and dissemination of
information are speech within the meaning of the First Amendment.”). Under
Supreme Court precedent, such punishment is only permissible if it can survive
exacting First Amendment scrutiny.3
and the New Jersey equivalent, Appellant‟s Brief at 20-21, 36-37; see Pulte
Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 304 (6th Cir. 2011),
and that use of the federal computer intrusion law‟s felony escalation provision to
an alleged violation of state computer intrusion law frustrates the intent of
Congress and serves as an inappropriate “double counting” of an offense
tantamount to double jeopardy, Appellant‟s Br. at 33-35; see United States v.
Cioni, 649 F.3d 276, 283 (4th Cir. 2011). Even if this Court opts to find
unauthorized access and no double jeopardy issue here, the valid application of the
CFAA to this conduct would not mitigate the free speech harm raised by the
escalation of punishment based on disclosure.
3
Auernheimer first raised a First Amendment challenge in this case – specifically,
to the application of § 1028 – in his motion to dismiss. Memorandum of Law in
Support of Motion to Dismiss at 18. In addressing that challenge the prosecution
argued, and the District Court agreed, that the case did not present First
Amendment issues, citing the Supreme Court cases of New York v. Ferber, 458
6
A.
The Information Disclosed by Auernheimer Was Both True and
Related to a Matter of Public Concern.
It is critical to the First Amendment analysis in this case that the information
Auernheimer disclosed to the press (and by extension, the public) was both true
and related to a matter of public concern. “The central commitment of the First
Amendment . . . is that „debate on public issues should be uninhibited, robust, and
wide-open.‟” Bond v. Floyd, 385 U.S. 116, 136 (1966) (quoting New York Times
Co. v. Sullivan, 376 U.S. 254, 270 (1964)). Discussion of public affairs is thus “at
U.S. 747 (1982), and Giboney v. Empire Storage & Ice Co., 336 U.S. 490 (1949).
See Order on Motion to Dismiss at 12. Giboney, a case that allowed punishment of
picketing activity under anticompetition law, is severely limited in both facts and
principle by Brandenburg v. Ohio, 395 U.S. 444, 447 (1969) (limiting punishment
of speech that induces unlawful conduct only when unlawful activity is imminent
and likely, and the speaker directs speech to produce such unlawful action), and
NAACP v. Claiborne Hardware Co., 458 U.S. 886, 911-12 (1982) (recognizing the
First Amendment protection for non-violent boycotts, and limiting Giboney to its
strict antitrust application). Similarly, this Court has recognized the limited
application of New York v. Ferber to the specific context of child pornography.
United States v. Stevens, 533 F.3d 218, 225 (3d Cir. 2008), aff’d 559 U.S. 460
(2010) (“Without guidance from the Supreme Court, a lower federal court should
hesitate before extending the logic of Ferber to other types of speech.”). Neither
case absolves the obligation to engage in First Amendment scrutiny when the
government specifically seeks to assign punishment for the disclosure of
information, and the district court‟s conclusion to the contrary need not be afforded
any deference. See Snyder v. Phelps, 131 S. Ct. 1207, 1216 (2011) (in First
Amendment cases “the court is obligated to make an independent examination of
the whole record in order to make sure that the judgment does not constitute a
forbidden intrusion on the field of free expression” (internal quotations omitted)).
7
the heart of the First Amendment‟s protection.” Snyder v. Phelps, 131 S. Ct. 1207,
1215 (2011) (quoting Dun & Bradstreet, Inc. v. Greenmoss Builders, Inc., 472
U.S. 749, 758-59 (1985)). “Speech deals with matters of public concern when it
can be fairly considered as related to any matter of political, social or other concern
to the community, . . . or when it is a subject of legitimate news interest; that is, a
subject of general interest and of value and concern to the public.” Snyder, 131 S.
Ct. at 1216 (internal quotations omitted).
Disclosures like Aurenheimer‟s are essential to our collective understanding
of Internet data privacy and security. Indeed, all parties seem to agree that the
information disclosed here was newsworthy. See Trial Tr., Nov. 14, 2012, at 119
(testimony that the defendant and co-conspirator believed that it was newsworthy);
id. at 124 (in examination, the prosecution states, “[a]nd it was big media news;
correct?”); see also Ostergren, v. Cuccinelli, 615 F.3d 263, 272 (4th Cir. 2010)
(disclosure of Social Security Numbers (“SSNs”) addresses a matter of public
concern when done as part of criticism over entity‟s handling of that information).
One need only look to the reaction the publication of this information
received to see both its newsworthiness and social utility. The reporting that
resulted from Auernheimer‟s disclosure included:
8
Gawker‟s criticism of AT&T and Apple, Inc. for their lax data security
practices. Ryan Tate, Apple’s Worst Security Breach: 114,000 iPad Owners
Exposed, Gawker (June 9, 2010), http://gawker.com/5559346/apples-worstsecurity-breach-114000-ipad-owners-exposed;
reporting on the user impact of AT&T‟s data practices, see John Herrman,
Should I Worry About the Apple iPad + AT&T Security Breach? (Probably
Not.), Gizmodo (June 9, 2010), http://gizmodo.com/5559586/should-iworry-about-the-apple-ipad-%252B-att-security-breach-probably-not;
discussion of what companies should do to address comparable oversights in
their own systems, see Dan Cornell, 4 Lessons from the AT&T/Apple Data
Breach for Smartphone App Developers, Denim Group (June 9, 2010),
http://blog.denimgroup.com/denim_group/2010/06/4-lessons-from-theattapple-data-breach-for-smartphone-app-developers.html; and
recognition of the importance of Auernheimer‟s disclosure of this
information, such as the popular information technology website
TechCrunch‟s giving a “public service” award to Auernheimer‟s
organization for discovering and disclosing the vulnerability. Michael
Arrington, We’re Awarding Goatse Security a Crunchie Award for Public
9
Service, TechCrunch (June 14, 2010), http://techcrunch.com/2010/06/14/
were-awarding-goatse-security-a-crunchie-award-for-public-service/.
This widespread discussion and debate through the “vast democratic forums of the
Internet,” Reno v. ACLU, 521 U.S. 844, 869 (1997), is a testament to the
information‟s newsworthiness and underscores the importance of this information
to our understanding of data security and privacy. Beyer v. Duncannon Borough,
428 Fed. App‟x 149, 154 (3d Cir. 2011) (“Communicating the message in a public
manner through the [I]nternet and news further weighs in favor of the conclusion
that the speech here is of public concern.”); see Section III, infra.
The public importance of this information is not altered by Auernheimer‟s
choice to speak by directly disclosing the material obtained from AT&T‟s website.
The disclosure is integral to his message regarding data security, see Ostergren,
615 F.3d at 271-72 (disclosure of documents with unredacted SSNs integral to
message criticizing entity‟s handling of SSNs), and is essential to substantiate
claims about the nature and extent of the AT&T‟s data mismanagement. See Trial
Tr., Nov. 14, 2012, at 92 (testimony noting that Gawker asked for a copy of the
data in order to verify the authenticity of the story); Anderson v. Suiters, 499 F.3d
10
1228, 1236 (10th Cir. 2007) (disclosure of primary source material “heightened the
report's impact and credibility by demonstrating that the allegations rested on a
firm evidentiary foundation and that the reporter had access to reliable
information”); Ross v. Midwest Commc’ns, Inc., 870 F.2d 271, 274-75 (5th Cir.
1989) (disclosure of private details related to newsworthy event had “unique
importance to the credibility and persuasive force of the story”); Yochai Benkler,
The Wealth of Networks 228 (2006) (noting that Internet news reporting is highly
effective where the “[t]he first move . . . is to make the raw materials available for
all to see”).
The social utility of the disclosure here is clear, both as evidence of AT&T‟s
poor security practice and as a description of the technological vulnerability. As
one scholar has noted, “[p]ublishing detailed information about a computer
program‟s security vulnerabilities may help security experts figure out how to fix
the vulnerabilities, persuade apathetic users that there really is a serious problem,
persuade the media and the public that some software manufacturer isn‟t doing its
job, and support calls for legislation requiring manufacturers to do better.” Eugene
Volokh, Crime-Facilitating Speech, 57 Stan. L. Rev. 1095, 1118 (2005). As
Internet services and digital communications are increasingly integral to our lives,
11
the data security practices of intermediaries and service providers are of vital
public importance. See generally Andrea M. Matwyshyn, Hidden Engines of
Destruction: The Reasonable Expectation of Code Safety and the Duty to Warn in
Digital Products, 62 Fla. L. Rev. 109 (2010) (identifying data security harms and
calling for a duty to warn and public disclosure regime to help the public
appreciate such dangers).
The government does not refute this, but instead casts doubt upon the
motives for Auernheimer‟s disclosure. Trial Tr., Nov. 15, 2012, at 49-50, 55
(cross-examination of Defendant as to his motive). The motive of the speaker,
however, is irrelevant. “In deciding whether an individual may be punished for her
speech, it is necessary to focus on what she says and the danger she creates, rather
than on her motives. . . . [W]e learned long ago that inquiries into subjective intent
and personal motivation are usually fruitless – and often dangerous – in the context
of free speech.” Geoffrey R. Stone, Government Secrecy vs. Freedom of the Press,
1 Harv. L. & Policy Rev. 185, 216 (2007). Indeed, “many things done with
motives that are less than admirable are protected by the First Amendment,” and a
speaker‟s motive does not change the newsworthiness of the information disclosed.
Hustler Magazine, Inc. v. Falwell, 485 U.S. 46, 53 (1988). In order to protect the
12
disclosure of such newsworthy information, whatever the motivation, First
Amendment scrutiny is required before assigning Auernheimer additional years in
prison for informing the public about AT&T‟s poor data security practices.
B.
Application of the New Jersey Statute in This Case Requires
Exacting Judicial Scrutiny Because the Prosecution Targets the
Publication of Truthful Information of Public Concern.
Given that Auernheimer‟s speech was on a matter of public concern, the
targeting of that speech for punishment requires constitutional scrutiny. Although
Auernheimer was convicted for a violation of 18 U.S.C. § 1030(a)(2), his alleged
violation of N.J. Stat. § 2C:20-31(a) escalated his punishment from a misdemeanor
to a felony. It was the disclosure element of this statute that led to punishment for
Auernheimer‟s speech, and therefore careful examination of this statute is required.
Statutes that are either written or justified on the basis of the content of
speech receive strict scrutiny, satisfied only when the law is narrowly tailored to a
compelling state interest. Turner Broad. Sys., Inc. v. FCC, 512 U.S. 622, 642-43,
680 (1994); Startzell v. City of Philadelphia, 533 F.3d 183, 193 (3d Cir. 2008);
Leslie Kendrick, Content Discrimination Revisited, 98 Va. L. Rev. 231, 238 (2012)
(a law is “content-based” if it targets content either on its face or in its purpose).
The New Jersey statute seeks to limit disclosure specifically as to “any data, data
13
base, computer software, computer programs, or personal identifying information”
obtained through unauthorized access to a computer. N.J. Stat. § 2C:20-31.
Targeting specific types of information, drawn from specific sources, strongly
suggests that the New Jersey legislature sought to punish dissemination based upon
the privacy or proprietary interest that may be harmed if the public is made aware
of such information. This targets the speech for its “communicative impact,”
warranting strict scrutiny. See Bartnicki v. Vopper, 200 F.3d 109, 123 (3d Cir.
1999), aff’d 532 U.S. 514 (2001); Geoffrey R. Stone, Content-Neutral Restrictions,
54 U. Chi. L. Rev. 46, 47 (1987) (using “a ban on the publication of confidential
information” as an example of a content-based restriction of speech) [hereinafter
Stone, Content-Neutral Restrictions]. Should the Court consider this to be a
content-based restriction on speech, the statute is “presumptively invalid” and the
government bears a heavy burden to rebut that strong presumption. United States v.
Stevens, 130 S. Ct. 1577, 1584 (2010).
Even if this Court finds that the New Jersey law is a content-neutral
restriction of speech, the government may not assign additional punishment based
on Auernheimer‟s dissemination of information absent a state interest of the
highest order. In Bartnicki, the Supreme Court found that a statute banning the
14
publication of information gained through unlawful wiretapping was contentneutral, but nevertheless held that: “„[S]tate action to punish the publication of
truthful information seldom can satisfy constitutional standards [.] ... [I]f a
newspaper lawfully obtains truthful information about a matter of public
significance then state officials may not constitutionally punish publication of the
information absent a need . . . of the highest order.‟” 532 U.S. at 527-28 (quoting
Smith v. Daily Mail Publ'g Co., 443 U.S. 97 (1979)) (citing Florida Star v. B.J.F.,
491 U.S. 524 (1989); Landmark Commc’ns, Inc. v. Virginia, 435 U.S. 829 (1978));
accord. Bowley v. City of Uniontown Police Dep’t, 404 F.3d 783, 786 (3d Cir.
2005); see Cox Broad. Corp. v. Cohn, 420 U.S. 469 (1976) (disclosing elements of
public record, even if sensitive, cannot be criminalized consistent with the First
Amendment). To establish such a need, the government must present evidence
“„far stronger than mere speculation about serious harms.‟” Bartnicki, 532 U.S. at
532 (quoting United States v. Treasury Employees, 513 U. S. 454, 475 (1995)).
The prosecution of Auernheimer “implicates the core purposes of the First
Amendment because it imposes sanctions on the publication of truthful
information of public concern.” Bartnicki, 532 U.S. at 534-35. The case at bar
bears close resemblance to a recent Fourth Circuit case building upon the Bartnicki
15
line of Supreme Court decisions: Ostergren v. Cuccinelli, 615 F.3d 263. There, the
Fourth Circuit examined a First Amendment challenge to Virginia‟s Personal
Information Privacy Act, as applied to a protester who called attention to
Virginia‟s lax data privacy practices by posting documents obtained from
government websites that contained the unredacted Social Security Numbers
(“SSNs”) of Virginian public officials. Id. at 267-69. The court in Ostergren
rejected the government‟s argument against First Amendment scrutiny, noting that
while disclosure of SSNs may not present First Amendment issues in other
contexts, the postings were “integral to [Ostergren‟s] message. Indeed, they are her
message.” Id. at 271 (emphasis in original). The Fourth Circuit thus scrutinized the
application of the law to Ostergren‟s disclosure and found that the First
Amendment barred punishment for Ostergren‟s publication, stating that “[w]e
cannot conclude that prohibiting Ostergren from posting public records online
would be narrowly tailored to protecting individual privacy . . . .” of information.
Id. at 286.4
4
The Ostergren court declared the Virginia law a content-based restriction of
speech, 615 F.3d at 271, but proceeded to apply the lesser scrutiny from the Daily
Mail line of cases. This is similar to this Court‟s approach in Bartnicki v. Vopper,
where this Court noted both content-based and content-neutral justifications for the
law, but decided the case along the Daily Mail line of cases. 200 F.3d at 123. This
16
Here, Auernheimer similarly disclosed information initially hosted online by
AT&T in order to highlight AT&T‟s poor data security practices. Appellant‟s Br.
at 11. Such disclosure is integral to the Defendant‟s message, and although his
disclosure bore with it some chance that one could use the disclosed information to
cause the harm of which he was warning, the First Amendment protects such
disclosure. See Ostergren, 615 F.3d at 269 (noting a similar self-fulfilling danger
in the speaker‟s message there, but nevertheless protecting the speech under the
First Amendment). And, like the speaker in Ostergren, Auernheimer‟s speech led
to the correction of the identified issue, thus further benefiting the public. See Trial
Tr., Nov. 14, 2012, at 66 (testimony of Defendant‟s co-conspirator, noting that
AT&T changed its practices after disclosure); Ostergren, 615 F.3d at 269 n.4
was followed by the Supreme Court‟s own analysis when affirming Bartnicki,
which purported to apply content-neutral scrutiny, but nevertheless applied
something higher than the standard content-neutral scrutiny of United States v.
O'Brien, 319 U.S. 367 (1968). See, e.g., Bartnicki, 532 U.S. at 544 (Rehnquist,
C.J., dissenting) (noting the “tacit application of strict scrutiny”); Kendrick, supra,
at 279 (same); Wilson Huhn, The Emerging Constitutional Calculus, 79 Ind. L.J.
801, 831, 846 (2004) (noting the Court's application of a “higher level of judicial
review than intermediate scrutiny” in part because the case “clearly turned upon
the content of the speech being restricted”). This stronger scrutiny than the O’Brien
test is consistent with the entire Daily Mail line of cases, and appropriate, given the
closer nexus between the speech and punishment sought by the government and
the unlikelihood that the government seeks to punish anything other than the
communicative impact of the speech in question.
17
(noting an instance where Ostergren‟s publication led a county to reform its data
practices). Accordingly, this Court must consider whether the government has
satisfied its First Amendment burden in punishing Auernheimer‟s disclosures.
C.
The Jury’s Verdict that Auernheimer Accessed the Information at
Issue Illegally Does Not Satisfy First Amendment Scrutiny for
Punishing the Disclosure of that Information.
The court in Ostergren, as well as the Supreme Court and other courts
considering the Daily Mail line of cases, leave unsettled the question of whether
the government may punish one who unlawfully acquires information by punishing
the information‟s subsequent disclosure. Florida Star, 491 U.S. at 535 n.8. At the
same time, this Court has never declined to apply First Amendment considerations
to a statute that punishes disclosure of unlawfully obtained information. The
Supreme Court‟s decision in Bartnicki indicates that information does not lose
First Amendment value or become categorically off-limits for discussion merely
because it was unlawfully acquired. 532 U.S. at 535. Moreover, the Supreme Court
has only tolerated punishment of speech to deter underlying unlawful conduct in
the special case of child pornography, where the value of the speech is extremely
low and the interests of the government are especially strong. See discussion at n.3,
supra.
18
Courts that have addressed crimes and torts that punish both access and
disclosure – as the prosecution does here by taking a misdemeanor access law and
elevating it to a felony based on disclosure – have applied separate First
Amendment scrutiny when considering the validity of the disclosure element. See
Bowley, 404 F.3d at 787 n.5 (noting that it is appropriate to separately consider
questions of unlawful access and disclosure); see also First Amend. Coalition v.
Judicial Inquiry Review Bd., 784 F.2d 467, 472 (3d Cir. 1986) (noting, in the
context of access to court proceedings, that “the right of publication is . . . broader
[than access], and in most instances, publication may not be constitutionally
prohibited even though access to the particular information may properly be
denied”).
In describing the CFAA, Congress often likens the law to a “trespass” statute
for electronic information. S. Rep. No. 99-432, at 7-10 (1986), reprinted in 1986
U.S.C.C.A.N. 2479, 2484-88. This analogy is instructive to the First Amendment
analysis as well. Although it is an oft-cited principle that newsgatherers are not
exempt from generally applicable civil laws, see Cohen v. Cowles Media Co., 501
19
U.S. 663, 669-70 (1991),5 courts have carefully separated damages attributable to
illegal access from those caused by disclosure, and only punished the latter when
penalties for disclosure survived First Amendment scrutiny. See Nathan Siegel,
Publication Damages in Newsgathering Cases, 19 Comm. Law. 11, 14 (2001)
(“No court has ever finally approved a verdict for publication damages [in
newsgathering tort cases.]”). For example, in Food Lion, Inc. v. Capital
Cities/ABC, Inc., a case involving claims that reporters engaged in trespassing to
acquire information for broadcast, the Fourth Circuit allowed trespass and breach
of duty claims to survive First Amendment scrutiny but barred recovery of
damages for reputational harm based on subsequent disclosure. 194 F.3d at 522.
Like AT&T in this case, see Appellant‟s Br. at 14, plaintiff Food Lion claimed that
the reputational damage caused by the defendants‟ disclosure of unlawfully
gathered information compounded the harm from the trespass. However, the
Fourth Circuit cited New York Times Co. v. Sullivan, 376 U.S. 254 (1964), and
Hustler, 485 U.S. 46, for the principle that even generally applicable laws are
subject to First Amendment scrutiny when they target the publication of
5
Notably, the Court in Cohen limited this principle to cases involving
“compensatory damages,” and distinguished a situation involving “criminal
sanctions” for newsgathering activity. Cohen, 501 U.S. at 670.
20
information, rejecting the application of Cohen. 194 F.3d at 523-24; see also
Bartnicki, 200 F.3d at 119 (distinguishing Cohen); Desnick v. ABC, Inc., 44 F.3d
1345 (7th Cir. 1995) (separately considering the claims related to the “production
of the broadcast” and the “content of the broadcast,” and applying Cohen only to
the production elements). Because Food Lion sought damages for dissemination of
information without evidence of actual malice, its claim failed the scrutiny of
Sullivan and Hustler. 194 F.3d at 522.6
The Supreme Court of California reached a similar conclusion in Shulman.
955 P.2d 469. In assessing intrusion upon seclusion and public disclosure of
private facts claims of accident victims who were recorded during rescue, the
Supreme Court of California carefully distinguished between the two torts “for
6
The Ninth Circuit, seventeen years before Hustler, allowed a plaintiff to obtain
enhanced damages for intrusion upon seclusion based upon subsequent disclosure
of the information obtained. Dietemann v. Time, Inc., 449 F.2d 245 (9th Cir. 1971).
Courts outside of the Ninth Circuit have found that the analysis of Food Lion and
Hustler supersedes that of Dietemann. See, e.g., Hornberger v. ABC, Inc., 799
A.2d 566, 598 (N.J. Super. App. Div. 2002) (“Dietemann pre-dates Hustler and
Food Lion; these later cases control.”); Smithfield Foods, Inc. v. United Food &
Commercial Workers Int’l, 585 F. Supp. 2d 815, 818-23 (E.D. Va. 2008); Siegel,
supra, at 16 (doubting that Dietemann “supports the proposition for which it is
often cited”). The Ninth Circuit itself has narrowed the merits of Dietemann to
intrusions upon the home itself, suggesting a form of newsworthiness analysis that
would allow punishment for publication of private facts even after First
Amendment scrutiny. Medical Laboratory Mgmt. Consultants v. ABC, Inc., 306
F.3d 806, 818 n.6 (9th Cir. 2002); see Section II.D, infra.
21
constitutional reasons.” Id. at 497. The court held that triable issues prevented
summary judgment for the media defendants as to intrusion. Id. at 490-91. But as a
matter of law, the court held that the newsworthiness of the information gathered
through the intrusion was fatal to the public disclosure of private facts claim. Id. at
488-89. The court noted its differing treatment of the two, stating that “the
intrusion tort, unlike that for publication of private facts, does not subject the press
to liability for the contents of its publications.” Id. at 496. This case necessitates
similar scrutiny; the government cannot let unauthorized access taint the
subsequent disclosure of information without engaging in a First Amendment
analysis. And because the information was both true and newsworthy, see Section
II.A, supra, Auernheimer‟s conviction cannot stand absent the prosecution‟s
satisfaction of that scrutiny.
D.
Application of First Amendment Scrutiny Does Not Invalidate
Punishment for Disclosures Which Would Violate an Existing
Duty Not to Disclose, Disclosure of Purely Private Information, or
Disclosures that Violate Copyright or Trade Secret Laws.
Applying First Amendment scrutiny to protect Auernheimer‟s disclosure in
this irregular case does not disrupt application of computer intrusion laws to pure
access crimes. Nor does it affect application of such laws to disclosure crimes
where the disclosure is a paradigmatic example of the harms that computer crimes
22
seek to address (including violation of a preexisting duty to keep the information
confidential, disclosure of purely of private information, or disclosures that can be
punished as falling within an unprotected category of speech). See Ostergren, 615
F.3d at 272 (protecting disclosure of SSNs, but noting that the court did not
“foreclose the possibility that communicating [SSNs] might be found unprotected
in other situations”).
In enacting its computer crime law, the New Jersey legislature was
especially concerned with disclosure of information in violation of a preexisting
duty to use the information only for certain purposes. Legislators cited an incident
where a Connecticut auxiliary police officer was suspected of accessing a police
computer to gain information on his full-time employer (and presumably disclosed
that information to others, given the context of the lawmakers‟ statements). See
N.J. Senate, 201st Legislature, Sponsor's Statement for S. No. 1807, at 7 (May 14,
1984); N.J. Assembly Judiciary Committee, 201st Legislature, Statement to
Assembly Committee Substitute for Assembly No. 1301 at 1 (Mar. 26, 1984).
Applying First Amendment scrutiny would not generally prevent punishment of
such behavior. Courts have consistently held that violation of a preexisting duty
not to disclose information can be punished, even when the information is true and
23
newsworthy. See, e.g., United States v. Aguilar, 515 U.S. 593, 605-06 (1995)
(federal judge‟s disclosure of information could be punished in part because the
information was obtained through his role in a sensitive confidential position);
compare Boehner v. McDermott, 484 F.3d 573, 579 (D.C. Cir. 2007) (en banc)
(disclosure of information obtained through another‟s unlawful interception can be
punished when information was provided to defendant in his role as member of
House Ethics Committee), with Jean v. Mass. State Police, 492 F.3d 24, 32 (1st
Cir. 2007) (protecting similar disclosure against punishment, and noting that the
court in Boehner would have protected disclosure “if McDermott had been a
private citizen, like Jean”).
Similarly, the New Jersey statute‟s punishment of the disclosure of “any
data, data base, computer software, computer programs or personal identifying
information,” N.J. Stat. § 2C:20-31, might properly be invoked to protect purely
private information, subject to the constitutional constraint that the information is
not newsworthy. See Jenkins v. Dell Publ’g Co., 251 F.2d 447, 450 (3d Cir. 1958)
(allowing liability for publication of non-newsworthy private information,
balancing “the embarrassment, humiliation or other injury which may result from
public disclosure concerning his personality or experiences” with “the interest of
24
the public in the free dissemination of the truth and unimpeded access to news”);
see also Time, Inc. v. Hill, 385 U.S. 374, 383 n.7 (1967) (citing many cases where
a state right of privacy “was held to give way to the right of the press to publish
matters of public interest”); Shulman, 955 P.2d at 479 (“Although we speak of the
lack of newsworthiness as an element of the private facts tort, newsworthiness is at
the same time a constitutional defense to, or privilege against, liability for
publication of truthful information.”). On a closely related matter, the Court has
previously held that disclosures that defraud the public, such as “phishing” scams
conducted with email addresses, can be punished consistent with the First
Amendment. Nat’l Taxpayers Union v. U.S. Soc. Sec. Admin., 302 Fed. App‟x 115,
118 (3d Cir. 2008). Protecting Auernheimer‟s disclosure would not disrupt that
holding.
Nor would applying First Amendment scrutiny here invalidate prohibitions
for copyright infringement or theft of trade secrets. Putting aside Congress‟s
disfavor of state regulation of copyright-related issues, see 17 U.S.C. § 301,
disclosures that constitute a valid claim of copyright infringement could be pursued
consistent with the First Amendment. Eldred v. Ashcroft, 537 U.S. 186, 219-21
(2003). Similarly, most trade secret cases can be justified based upon a preexisting
25
duty or obligation not to disclose information. See Robert G. Bone, A New Look at
Trade Secret Law: A Doctrine in Search of a Justification, 86 Cal. L. Rev. 241,
244 (1998).
Thus, a rule that applied First Amendment scrutiny here would not disrupt
the established body of caselaw that allowing sanctions for disclosure based on
preexisting duties, disclosure of purely private information, or disclosures that
constitute copyright infringement or theft of trade secrets. By contrast, where a
disclosure like the one here does not fit within one of these excepted areas, or any
other categorical exception to First Amendment scrutiny, see Stevens, 130 S. Ct. at
1584, punishment for dissemination of information is not constitutionally
permissible.
III.
ALLOWING ADDITIONAL PUNISHMENT OF THE DEFENDANT
HERE WOULD CHILL REPORTING ON DATA SECURITY
VULNERABILITIES AND HARM THE PUBLIC’S
UNDERSTANDING OF DATA PRIVACY ISSUES.
The DMLP and its constituency of independent online journalists share in
the public‟s concern over the use of personal, online information by corporations,
governments, and unscrupulous individuals. It is vitally important that persons who
discover technological vulnerabilities do not suffer additional punishment when
they bring information about such vulnerabilities to the public‟s attention.
26
“Freedom of discussion, if it would fulfill its historic function in this nation,
must embrace all issues about which information is needed or appropriate to enable
the members of society to cope with the exigencies of their period.” Thornhill v.
Alabama, 310 U.S. 88, 102 (1940). With the rapid development and expansion of
networked technology, data security is one of today‟s critical issues. See
Lieberman Research Group, Unisys Security Index: US, Unisys (Apr. 18, 2013),
http://www.unisyssecurityindex.com/system/reports/uploads/288/original/
Unisys%20Security%20Index_United%20States_May%202013.pdf?1370347491
(a March 2013 survey found that 82.1% of Americans were at least somewhat
concerned about data breaches). Prosecution of Auernheimer for a felony threatens
to chill analysis of the nature and scope of discovered network vulnerabilities,
which the public must understand in order to make informed decisions about
whom to trust with personal information. See Stone, Content-Neutral Restrictions,
supra, at 55 (noting that one of the risks in content-based laws is that they
“mutilate[] the thinking process of the community‟” (quoting Alexander
Meiklejohn, Political Freedom 27 (1960)).
Data vulnerabilities are often discovered by researchers operating
independent of the vulnerable company, in circumstances where the vendor may
27
not wish to report their own bad practices to the public out of fear of
embarrassment or litigation. Ethan Peterson & John Lofton, Computer Security
Publications: Information Economics, Shifting Liability, and the First Amendment,
24 Whittier L. Rev. 71, 77, 137-38 (2002). For example, the company Skype took
over a year to fix a known data vulnerability, and only addressed the problem after
the researcher who found the vulnerability told the press. See Joel Schectman,
Skype Knew of Security Flaw Since November 2010, Researchers Say, Wall St. J.
(May 1, 2012), http://blogs.wsj.com/cio/2012/05/01/skype-knew-of-security-flawsince-november-2010-researchers-say/. Sony similarly waited several months to
fix a known vulnerability disclosed to it by an independent researcher, leaving
users of its Playstation 3 console vulnerable in the interim. See Eduard Kovacs,
Experts Find Code Execution Flaw in PS3, Password Reset Bug in Sony
Entertainment Network, Softpedia (May 29, 2013), http://news.softpedia.com/
news/Experts-Find-Code-Execution-Flaw-in-PS3-Password-Reset-Bug-in-SonyEntertainment-Network-356623.shtml.
In this case, AT&T was clearly embarrassed. See Appellant‟s Br. at 14
(noting that AT&T cited their “reputation” as the harm suffered). Several witnesses
in this case testified as to the bad data management practices of AT&T, and how
28
that company should not have set up a system whereby any individual entering a
series of specific Internet addresses in a browser could obtain a the emails of over a
hundred thousand AT&T customers. See generally Appellant‟s Br. at 7-9; Trial
Tr., Nov. 19, 2013, at 39, 41, 57 (testimony of AT&T‟s security officer, who called
the system a “poorly crafted design feature,” stated that the company “did
something we probably should not have done,” and that “we had no security in
place”). Testimony shows that AT&T changed their practices only after this breach
was discovered and disclosed to the public. See Trial Tr., Nov. 15, 2012, at 72
(from AT&T's Chief Security Officer, “we very quickly shut down that feature the
day we found out what was going on”); see generally Peter P. Swire, A Model for
When Disclosure Helps Security: What Is Different About Computer and Network
Security?, 3 J. Telecomm. & High Tech. L. 163 (2004) (exploring circumstances
when disclosure of a security vulnerability improves overall security). It is
impossible to know whether AT&T would ever have informed its customers about
their vulnerability without Auernheimer‟s disclosure.7
7
This fear of corporate secrecy and misdirection around public data vulnerabilities
is why most states mandate corporate disclosure of data breaches. See State
Security Breach Notification Laws, National Conference of State Legislatures,
http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
29
Overreaching CFAA claims based on disclosure of corporate data practices
present very real journalistic harms. As journalism increasingly focuses on public
data security, journalists themselves have been subject to readings of the CFAA
that chill technological reporting. In May of this year, reporters at the Scripps
Howard News Service discovered and broadcast that two companies that manage
the federal Lifeline phone service program for low-income Americans had
published the names and parts of Social Security Numbers of enrollees online. See
Scripps Howard News Service, Privacy on the Line: Scripps Uncovered Security
Risks for Some Lifeline Phone Customers, KJRH-TV (May 18, 2013),
http://www.kjrh.com/dpp/news/local_news/special_reports/Privacy-on-the-LineScripps-uncovered-security-risks-for-some-Lifeline-phone-customers. Under the
government‟s theory in this case, not only would the accessing those websites
constitute unauthorized access for CFAA purposes, the disclosure could escalate
the violation to a felony, punishable by up to five years in prison. The companies
that were responsible for publishing the confidential Lifeline information appear to
welcome the prosecution‟s argument, as they have threatened Scripps with
punishment under the CFAA for exposing their bad data practices. See Sarah
(last updated Aug. 20, 2012) (providing links to 46 different state data breach
disclosure laws).
30
Laskow, Reporting, Or Illegal Hacking, Columbia Journ. Review (June 13, 2013),
http://www.cjr.org/cloud_control/scripps_hackers.php.
Preventing punishment in this case absent satisfaction of First Amendment
scrutiny also ensures that the government does not have too great a hand in
interfering with the ethics and norms of the data security community, who are
currently engaged in a robust debate over when it is appropriate to tell a company
first about bad data practices, and when it is better to inform the public directly.
See Trial Tr., Nov. 19, 2012, at 105 (testimony of the Defendant‟s expert witness,
noting the “complex dispute” within the data security community over the proper
means of disclosure); Andrea M. Matwyshyn, Hacking Speech: Informational
Speech and the First Amendment, 107 Nw. U. L. Rev. 795, 825 n.154 (2013)
(noting the ongoing debate between “full disclosure” and “coordinated
vulnerability disclosure” in the information security community). Prosecutors and
lawmakers should not use heavy-handed and chilling applications of law to set the
ethical norms around this delicate and complicated space. See Miami Herald
Publ’g Co. v. Tornillo, 418 U.S. 241, 256 (1974) (“[P]ress responsibility . . .
cannot be legislated.”); Ostergen, 615 F.3d at 271 n.8 (“[T]he First Amendment
protects [speaker‟s] freedom to decide how her message should be communicated.”
31
(citing cases)); Shulman, 955 P.2d at 485 (formulating a test for newsworthiness in
the privacy context that “incorporates considerable deference to reporters and
editors, avoiding the likelihood of unconstitutional interference with the freedom
of the press”).
In sum, the additional punishment sought by the government for disclosure
of newsworthy information presents profound danger to the public, data security
policymakers, and journalists reporting on technology. Any attempt to punish
disclosure of a network vulnerability must first satisfy First Amendment scrutiny.
Absent such satisfaction, the felony punishment in this case must be overturned.
32
Respectfully submitted,
DIGITAL MEDIA LAW PROJECT
By its counsel,8
Dated: July 8, 2013
/s/Kit Walsh
Kit Walsh (MA BBO#673509)
cwalsh@cyber.law.harvard.edu
Clinical Instructional Fellow
Cyberlaw Clinic
Berkman Center for Internet and Society
Harvard Law School
23 Everett St., 2nd Floor
Cambridge, MA 02140
Tel: (617) 384-9125
Fax: (617) 495-7641
On the brief:
Jeffrey P. Hermes
Andrew F. Sellars
Digital Media Law Project
Berkman Center for Internet & Society
23 Everett Street, 2nd Floor
Cambridge, MA 02138
Tel: (617) 495-7547
Fax: (617) 495-7641
8
The DMLP wishes to thank Harvard Law School Cyberlaw Clinic summer
interns David Collado and Kerry Sheehan, and DMLP summer intern Kristin
Bergman, for their invaluable contributions to the preparation of this brief.
33
CERTIFICATE OF COMPLIANCE
1. This brief complies with the type-volume limitation of Fed. R. App. P.
32(a)(7)(B) because this brief contains 6757 words, excluding the parts of the brief
exempted by Fed. R. App. P. 32(a)(7)(B)(iii) and Local App. R. 29.1(b).
2. This brief complies with the typeface requirements of Fed. R. App. P. 32(a)(5)
and the type style requirements of Fed. R. App. P. 32(a)(6) because it is in 14-point
Times New Roman font.
3. The text of the PDF version of this brief and the hard copies are identical.
4. A virus check was performed on the PDF version of this brief using Microsoft
Security Essentials Version 4.0.1526.0.
5. I have applied for admission to the bar of this Court pursuant to Local App. R.
46.1.
Dated: July 8, 2013
/s/Kit Walsh
Kit Walsh (MA BBO#673509)
cwalsh@cyber.law.harvard.edu
Clinical Instructional Fellow
Cyberlaw Clinic
Berkman Center for Internet and Society
Harvard Law School
23 Everett St., 2nd Floor
Cambridge, MA 02140
Tel: (617) 384-9125
Fax: (617) 495-7641
34
CERTIFICATE OF SERVICE
I certify that on this 8th day of July, 2013, the BRIEF OF AMICUS
CURIAE DIGITAL MEDIA LAW PROJECT IN SUPPORT OF DEFENDANTAPPELLANT was served on all parties via electronic filing with the Court, that
counsel for both parties have consented to electronic service via the Court‟s ECF
system, and that, pursuant to Local App. R. 25.1, ten (10) paper copies will be
delivered to a third party commercial carrier for delivery to the Clerk of the Court
within three calendar days.
Dated: July 8, 2013
/s/Kit Walsh
Kit Walsh (MA BBO#673509)
cwalsh@cyber.law.harvard.edu
Clinical Instructional Fellow
Cyberlaw Clinic
Berkman Center for Internet and Society
Harvard Law School
23 Everett St., 2nd Floor
Cambridge, MA 02140
Tel: (617) 384-9125
Fax: (617) 495-7641
35
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?