Join 3,414 readers in helping fund MetaFilter (Hide)


YA reason to love the DMCA
December 14, 2005 7:57 AM   Subscribe

Judge: Stealing a password does not constitute hacking. David Egilman is a highly-regarded expert in occupational medicine; he was the plaintiff's witness in a recent $253-million verdict in Texas against Vioxx. After two opposing law firms stole a password to his private website containing confidential information for his clients and students, he sued them under the DMCA. He lost.
posted by docgonzo (50 comments total)

 
From the second article at law.com:

Egilman sued Jones Day and Keller & Heckman, first in Texas and later in the District of Columbia, saying that his reputation was besmirched and his effectiveness compromised.

He argued that the law firms and Behr circumvented measures installed to deny access to his copyright-protected work on the Web site, in violation of the 1978 Digital Millennium Copyright Act.

U.S. District Judge Henry Kennedy Jr. in D.C. ruled that obtaining a username and password from a third party that has authorized access does not violate the DMCA. Kennedy cited the only other court to rule on improper use of a legitimate password, holding that gaining access to a third party's legitimate password is not the same as hacking.

"It is irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained," Kennedy wrote in Egilman v. Keller & Heckman, No. 04-876HHK. Use of a legitimate password does not "circumvent" a technology used to control access, Kennedy concluded.

"This is not really about the DMCA," Egilman said. "It is about how the legal system is designed to benefit people in power. That is why courts said it was legal for blacks to be slaves or ruled it legal to deny women the vote," he said.

Accessing his computer "was illegal conduct. It was breaking and entering. It is simple theft," he said.

posted by docgonzo at 7:58 AM on December 14, 2005


This guy is a dimwit. Doesn't he know that the DMCA is only for the benefit of corporations? Passwords, like CSS keys, are only protected if you paid for the law in the first place.
posted by Rothko at 8:02 AM on December 14, 2005


David Egliman has a reputation of being one of the biggest whores around in that he will testify about anything for the right price. That is the reputation that I have heard about him.
posted by dios at 8:06 AM on December 14, 2005


By the way, if you ever want to be rich, be a professional expert witnesses. I personally know at least a dozen who make in the seven digits a year. I deposed a guy a couple of weeks ago who had been an expert in over 1500 cases. The key is to try to craft some sort of limited speciality that is often litigated, and then just start rolling the money in.
posted by dios at 8:09 AM on December 14, 2005


David Egliman has a reputation of being one of the biggest whores around in that he will testify about anything for the right price. That is the reputation that I have heard about him.

You got any evidence to back this up, dios, or do you just want to spread unsubstantiated libel about this man?
posted by docgonzo at 8:10 AM on December 14, 2005


This is making my heat hurt. If your intent is to obtain something you aren't allowed access to, and you abuse the proper method of obtaining it instead of circumventing said method, you aren't violating the law?

Isn't that like stealing someone's savings out of a safe and getting off because you duped the bank into giving you the combination?
posted by selfnoise at 8:11 AM on December 14, 2005


Egilman's a smart guy. I've interviewed him.
posted by unSane at 8:15 AM on December 14, 2005


I missed the part of the article that explained how the law firms obtained the password. I have problems with the DMCA as a whole, but the judge's decision is perfectly correct-- using someone else's username/password would not constitute a violation of it. What section of the DMCA was Egilman claiming they violated?
posted by justkevin at 8:20 AM on December 14, 2005


selfnoise: If someone accuses you of armed robbery when you weren't armed, then yes, you've committed a crime, but not the one of which you're accused.
posted by parliboy at 8:22 AM on December 14, 2005


"...in violation of the 1978 Digital Millennium Copyright Act. "

That's supposed to be 1998 I believe.
posted by hupp at 8:24 AM on December 14, 2005


Ok, I can see that.

Could he have sued them for theft, or is taking information from a secure website without formal access not illegal?
posted by selfnoise at 8:24 AM on December 14, 2005


You got any evidence to back this up, dios, or do you just want to spread unsubstantiated libel about this man?
posted by docgonzo at 10:10 AM CST on December 14


Ha! How is that libel? I stated the reputation that I heard about the guy. I didn't state it was, in fact, true that he would say anything. I don't know if it is or isn't. I said what I had heard about him.

I know you can't stand me, docgonzo, but you are going to have try harder if you want to threaten/intimidate me with the law.

Egilman's a smart guy. I've interviewed him.
posted by unSane at 10:15 AM CST on December 14


I'm quite certain that he is a brilliant individual. The "go to" experts are always brilliant with impeccable resumes.

Out of curiosity, what did you interview him about?
posted by dios at 8:24 AM on December 14, 2005


IANAL, but if it was "breaking and entering" or "simple theft", why didn't he go after them on that charge? Seems to me that the only problem here is that Egilman tried to use the DMCA to argue his case, and he failed.
posted by sriracha at 8:26 AM on December 14, 2005


justkevin, downloading and using DeCSS software are apparently violations of the DMCA, although I would simply be applying decryption keys (the equivalent of using a "username" and "password") to gain access to protected data.

From a technology standpoint, this ruling is just another of a long series solely for the benefit of certain parties who paid for the law in the first place: big pharma, MPAA, etc. It is a B&E if you're not a corporation; it is DMCA if you are.
posted by Rothko at 8:27 AM on December 14, 2005


As for Egilman's alternate claim that unauthorized use of the password violated the Computer Fraud and Abuse Act, the court found that he had filed that claim too late. Egilman said he is not sure whether he will appeal. " source

If it is not a violation of the DMCA it would seem like a violation of the Computer Fraud and Abuse Act but he made a procedural error in filing that claim. If this is not about money, but rather about principle, he should file grievances with the state bar on both Jones Day and the lawyer in question. Violating the law to obtain unauthorized access to a computer would seem to be the kind of thing that could get an attorney or law firm into trouble with the bar.
posted by caddis at 8:28 AM on December 14, 2005


Here in the Sourthern District of New York, Egliman would also have lost, but only because he sued under the wrong act. In I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc.,307 F.Supp.2d 521 (S.D.N.Y. 2004) [PDF] the Court held that use of a password obtained from a third party was not a violation of the DMCA, but might be a violation of the Computer Fraud and Abuse Act.

On Preview, Caddis FTW.
posted by The Bellman at 8:30 AM on December 14, 2005


Violating the law to obtain unauthorized access to a computer would seem to be the kind of thing that could get an attorney or law firm into trouble with the bar.

Except for the fact that they didn't violate the law, according to the court.

And, assuming the facts are what I understand them to be (a third party gave them access to a website the third party rightfully had access to), I'm not sure that would be violative of ethics. In effect, it is no different if they looked over the shoulder of the third party or were just told what was on it.

Getting disbarred for discovery issues is kind of rare, but does happen. There was one attorney who was recently disbarred for planting evidence. He was a product liability/car wreck attorney was winning cases on a theory about a certain screw that was puncturing tires. Well, one night he was caught breaking into an auto impound where a wrecked car was in order to plant those screws on the car. That is the kind of thing that gets you disbarred.
posted by dios at 8:33 AM on December 14, 2005


I'm not familiar with the Computer Fraud and Abuse Act. Is it a criminal statute? Does it create a civil cause of action? Is a civil cause of action for mere access? Or do you have to have use or cause a loss to the other party?
posted by dios at 8:37 AM on December 14, 2005


docgonzo: try a different approach like .....given that you remember in such fine details the potentially libeleous claims I guess you also remember who reported them to you ..or you're just pretending to have a source other then yourself ?
posted by elpapacito at 8:43 AM on December 14, 2005


How does this square with accessing open wifi networks being a crime?
posted by 31d1 at 8:48 AM on December 14, 2005


The Computer Fraud and Abuse Act provides that: Whoever . . . intentionally accesses a computer without authorization, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication . . . shall be punished as provided in subsection (c) of this section. You can read the cite for the penalties. The actions of the attorney seem to fit this definition, although I don't know if it involved interstate communication, and thus would be criminal. You don't need to be convicted of a crime to get into trouble with the bar, especially if you commit that crime in furtherance of practicing law.
posted by caddis at 8:49 AM on December 14, 2005


A lot of details are missing from those two articles, the major one being who gave the lawyers the password.

Still, Egilman did violate a gag order.
posted by mischief at 8:53 AM on December 14, 2005


Dios, relevant to this situation the criminal penalty requires unauthorized access to a protected computer "involved in interstate communication." Case laws suggests pretty much any computer connected to the internet qualifies. First offense is a misdemeanor.

There are civil penalties as well, but they require some additional factors such as more than $5k in damage, access to medical records, physical injury.

On preview: Caddis has it.
posted by schoolgirl report at 8:53 AM on December 14, 2005


I have written (in connection with the I.M.S. case cited above) that this way of looking at password sharing as a violation of the CFAA, but not of the DMCA is exactly wrong, and that it should in fact be a violation of the DMCA, not of the CFAA which is a criminal staute with a civil component.

Metaquette question: Is a self-link to my firm's website okay? My column in the New York Law Journal is only available for a free but I can post the article to my firm's site if people are interested.
posted by The Bellman at 8:57 AM on December 14, 2005


For a fee, not for a free. Spellcheck is not enough.
posted by The Bellman at 8:58 AM on December 14, 2005


Still, Egilman did violate a gag order.

True. He doesn't looks so hot in this mess either. By violating the gag order he screwed up his clients' case. Who knows, perhaps the plaintiffs might want to sue him.

on preview - link away Bellman
posted by caddis at 8:59 AM on December 14, 2005


Ha! How is that libel? I stated the reputation that I heard about the guy.

So if all I do is state that I heard you're a child molester it's not libelous? Regardless of veracity, just so long as I heard it somewhere? I think there's a lot of libel cases over the years that would demonstrate this is not true.

You're smarter than this, dios. When someone calls you on something like this either pony up some substance or admit you've for no basis.
posted by phearlez at 9:03 AM on December 14, 2005


Out of curiosity, what did you interview him about?
posted by dios at 8:24 AM PST on December 14 [!]


I'm trying to remember. I think it was the case of the patients who were injected with Plutonium by scientists on the Manhattan project, or one of the constellation of human radiation experiments that came to light after that like the Eugene Sanger whole body irradiation research. I made a film about it called DEADLY EXPERIMENTS in 1995.

He didn't strike me *at all* as a professional expert witness at that time. He came across as a very earnest and passionate public health advocate.
posted by unSane at 9:04 AM on December 14, 2005


Attorneys are always talking among themselves about good and bad whores expert witnesses, and yes "whore" is attorney slang for "expert witness," at least for the ones who reliably will take the side of whoever is paying. Enough of this derail.
posted by caddis at 9:09 AM on December 14, 2005


From the second link:
"It is irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained," Kennedy wrote in Egilman v. Keller & Heckman (my emph.)

Am I mistaken, or does this mean that brute force attacks against a password, (or decryption key) are no longer violations of the DMCA, so long as they result in a legitimate user/pwd combination or valid key?
posted by bashos_frog at 9:22 AM on December 14, 2005


That's exactly the issue, bashhos_frog. If this kind of conduct does not violate the DMCA, then neither does "social engineering" -- and in practical terms social engineering and reverse engineering are not really different. More after lunch when I will link to the article.
posted by The Bellman at 9:27 AM on December 14, 2005


I heard that dios was a total shill for republicans and big corporations, and that if there's a thread out there discussing either, he'll spout whatever party line crap is on the latest talking points list. Just what I heard, though.
posted by papakwanz at 9:38 AM on December 14, 2005


The Bellman penned "Is a self-link to my firm's website okay?"

Self links to relevent pages is allowed in comments.
posted by Mitheral at 10:25 AM on December 14, 2005


Dios,

I'm not sure I'm following, here. Are you saying that there is specifically a clause written somewhere in our law that says that if you have access to a website, and you provide the means to that acess to a third party, and that third party uses that access to rob the web site's owner of particular pieces of information, that that was defined as legal before this verdict?

Or are you saying that, in your opinion, there's no reason it shouldn't be?

I'm trying to come up with reasons that that situation could be legal, and all I can come up with is this:

either:
1. access to information is ownership of said information. period.
2. license to view information cannot be separated from a license to distribute information.
3. access to information immediately provides license to offer that access to any other interested parties without legal repercussion.

are any of the above statements legally true? if so, should they be (I'm just asking for opinion on that one.)

and... let's look at the judge's ruling in particular:

"It is irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained," Kennedy wrote in Egilman v. Keller & Heckman, No. 04-876HHK. Use of a legitimate password does not "circumvent" a technology used to control access, Kennedy concluded.

does this mean that if I visit any of those sites that provide passwords to porn sites, that my acquisition of those passwords and use to access their services free of charge is legal? What about when people post passwords for pay service sites to bugmenot? same thing?

Inquiring minds want to know.
posted by shmegegge at 11:00 AM on December 14, 2005


the reason this doesn't make any sense to me, btw, is that the judge's ruling basically says that so long as the party sued didn't actually steal the password themselves, but only used what someone else stole, then it's okay, because there's nothing illegal about being given something freely or outright purchasing it.

doesn't this sound like saying "so long as someone gave you the key to that house you robbed, no matter if they stole that key originally, then you're okay stealing from them."

But then, hey, black hat hackers are about to make a lot of money if that's true, and their clients are going to be untouchable. awesome.
posted by shmegegge at 11:07 AM on December 14, 2005


Shmegegge, that's pretty much what the ruling says. Fire up those DVD burners!
posted by Rothko at 11:08 AM on December 14, 2005


With that in mind, here's the article. The interesting thing is that, in the IMS case, the DMCA claim failed because plaintiff had failed to register the particular version of its database that was at issue with the copyright office (a formal prerequisite to an action under the Copyright Law). It's difficult to understand why, if the DMCA anti-circumvention provisions mean what courts have typically said they mean, Egilman does not have a case under the DMCA.
posted by The Bellman at 11:13 AM on December 14, 2005


Shmegegge: That is the fundamental problem in trying to square this ruling with Universal (the DeCSS case). Remember that in Universal the author of the software had acquired a legitimate decryption password by reading it out of a licensed piece of DVD playing software that had (by accident) included its key in the clear. DeCSS wasn't really a hack at all--it just used a DVD key that the user wasn't legally entitled to have. This was deemed to constitute circumvention.

It's very hard to square these two decisions under those facts. It looks more like a judge got angry that Egilman ignored a gag order and didn't want him to profit by doing so.
posted by The Bellman at 11:20 AM on December 14, 2005


So then is the difference that in Universal's case they had an anti-circumvention statute in place, while in this case Eligman's password doesn't?
posted by stratastar at 11:56 AM on December 14, 2005


Isn't theses kinds of direct oppositions in interpretation what higher level courts are supposed to sort out?
posted by Mitheral at 12:04 PM on December 14, 2005


Bellman, my next question is whether this new ruling is sufficient to overturn Universal and restrictions on distribution and use of DeCSS code?
posted by Rothko at 12:12 PM on December 14, 2005


Yes, Mitheral, but typically it needs to go up one level before the big boys (and girls, thank you Mr. President) get involved. Egilman's case appears to be in direct conflict with the Second Circuit's decision in Universal, but its's a District Court decisions (federal trial courts are called "District Courts", federal courts of appeals are called "Circuit Courts".) If Egilman were to appeal (which he apparently might) and the D.C. Circuit were to uphold this decision on substantially the same grounds, there would arguably be a "circuit split" with the D.C Circuit on one side and the 2nd, 7th, 9th (to my knowledge) and probably most other Circuits on the other.

Such circuit splits are classic Supreme Court fodder, but there is no requirement that the Supremes take such cases, so they might or might not decide to do so, depending on the importance of the issue, the seriousness of the split, how busy their docket is and a host of political imponderables.
posted by The Bellman at 12:21 PM on December 14, 2005


Rothko: No way. This appears to be a ruling from a D.C. District Court and I haven't read the opinion, so I can't tell how distinguishable it is, but Universal is a Second Circuit case -- that is, it comes from a higher Court and one in a different federal district. While an opinion from another district may be cited for persuasive effect, it is not binding on courts in other jurisdictions and cannot overrule a decision from another district. In fact, even a DC Circuit opinion (that is, an opinion from a Court at the same "level" as the one that handed down Universal) can't overrule an opinion from another district. The most the DC Circuit could do would be to create and note a circuit split and hope the Supreme Court sorts it out.
posted by The Bellman at 12:30 PM on December 14, 2005


The Bellman penned "Such circuit splits are classic Supreme Court fodder, but there is no requirement that the Supremes take such cases, "

What the heck happens then, entering a computer using a stolen password is OK as long as your in the right state?
posted by Mitheral at 12:54 PM on December 14, 2005


Dios said: Ha! How is that libel? I stated the reputation that I heard about the guy. I didn't state it was, in fact, true that he would say anything. I don't know if it is or isn't. I said what I had heard about him.

Um, because it's about his professional reputation (and thus it toes into scary libel per se territory) and because in the comment immediately below it you hold yourself out as being in a position to know quite a bit about the world of expert witnesses.

(Not meaning to bait, criticize or sound like your mom-- but if it'd been me, I wouldn't a' said it. Though judging from what I've seen of the rest of your Metafilter life, you're more of a fan of borrowing trouble than I am, ever have been, or ever will be. Anyway, /derailment)
posted by palmcorder_yajna at 12:57 PM on December 14, 2005


Mitheral: yes, though it'd be more precise to say if your state is in the right Circuit.

Note also that if use of a shared password is deemed circumvention of a technological protection measure, Bugmenot and we who enjoy it might someday find ourselves in a spot of trouble.
posted by schoolgirl report at 1:14 PM on December 14, 2005


What a wasted FPP. The doc filed the wrong kind of suit.

Nevermind that what he should have done was filed criminal computer trespass charges with the FBI and his local police, not engaged in a civil lawsuit for which he had no basis. As many have pointed out, computer trespass isn't covered at all in the DMCA, but is under plenty of other laws that the judge would have accepted as applicable.

I'm not sure who is more ignorant in this situation, the lawyer that filed for the Doc, or the blogger who can't figure out the difference between copy-circumvention and intrusion...
posted by nomisxid at 3:40 PM on December 14, 2005


Dios: Nitpicking about "is libel" or "is not libel" aside, are you going to substantiate your initial claim, or can I just go ahead and file you under "makes bullshit claims/can't back them up" and be done with it?
posted by kjs3 at 7:38 PM on December 14, 2005


give it a rest kjs3.
posted by caddis at 7:55 PM on December 14, 2005


"It is irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained," Kennedy wrote in Egilman v. Keller & Heckman, No. 04-876HHK.

Sweet.

Post passwords here lookin 4 abbywinters.com K thx
posted by obiwanwasabi at 10:07 PM on December 14, 2005


« Older Newsfilter: Washington Post columnist/blogger Dan ...  |  President Bush today accepted ... Newer »


This thread has been archived and is closed to new comments