My name is Bond. James Bond.
We know that those words will appear in the upcoming Sony movie SPECTRE. We actually know a lot more about the upcoming movie with Christoph Waltz thanks to the mysterious Sony hackers. According to published reports, the script for the upcoming movie has been leaked online.
Sony has responded with a letter from uber-lawyer David Boies to various news outlets demanding that these outlets not republish any of the stolen and leaked information, with a threat that if the media outlets do publish, Sony will have “no choice but to hold you responsible from any damage or loss resulting from such use or dissemination by you.”
The letter also notes that Sony does not consent to the possession by the media of what it terms “stolen information,” and demands that the media outlets not only return the stolen information but also take affirmative steps to prevent its dissemination — including sending copies of the Boies letter to others.
And while Sony is trying to silence the New York Times and others, the hackers are trying to silence Sony. They reportedly published a demand on GitHub warning of consequences to the studio if they went ahead with their plans to release the movie “The Interview.” Whether this means the hack comes from North Korea as rumored, or the hackers are using the North Korea connection as cover, is at this juncture anyone’s guess.
But the question remains, is the New York Times criminally or civilly liable for republishing the information that Sony failed to protect? Not even Richard Nixon’s White House went so far as to threaten the Washington Post and the New York Times (well, yeah they did — but they never followed through with these threats.)
Let’s start with an observation. Much of what the media does — and has always done — is to publish “stolen” information. Every leak, every dissemination of confidential information, every time someone talks out of school they are disseminating “stolen” information.
The Ellsberg files were stolen from the Pentagon and Rand Corporation. Almost every major investigation has resulted from someone giving a reporter information that someone else would rather they not give — and often without the permission of the “owner” of that information. Bribery, corruption, and other public interest cases could never be exposed by the media if we held “information” to the same standard as we do, say, stolen staplers or Bic pens. Information is “stolen” and “misappropriated” every time there is a leak.
But not all leaks are the same. Some relate to information in the public interest. Some simply prurient. And much, somewhere in between. So exposing the mild racism of Sony executives might serve some public interest — especially where it highlights hypocrisy. But publishing the medical records of some assistant to the assistant producer simply because you can — not newsworthy.
Newspapers are always liable for what they publish and disseminate. But the standard has generally been that they are not liable for publishing true things — most of the time. Indeed, that was the whole point of the case of the Crown v. John Peter Zenger. Publishing false defamatory information is libel. Publishing true (but private) information may be tortious (depending on the circumstances). But publishing true — but stolen information — there you are on a slender reed indeed.
We have to distinguish between the various kinds of information being leaked, and the legal consequences to both the leakers and leakees from the leak. In all of these cases, the hackers themselves are clearly liable for unauthorized access to computers (hacking), theft, conversion (taking property and using it for their own purposes) and a host of other potential offenses. We are talking about those disseminating the leaked information.
1. Copyrighted Information
At the end of the day, almost all of the stolen information is protected under copyright law. Even the stolen emails are copyrighted – although not registered with the copyright office. This makes those disseminating the stolen information potentially liable to Sony for contributory copyright infringement, or for direct copyright infringement.
Some of the disseminated information, however, is more within the wheelhouse of the copyright law than others. For example, the dissemination (or download) of the unreleased or undistributed movies (and the SPECTRE script) is the kind of thing the copyright law is designed to prevent. Sony and others are taking steps to un-ring the bell, like seeding torrents with gibberish files or trying to take down pirate sites, or going after Google (Project Goliath) for contributory infringement. But the bell really can’t be un-rung.
Legally, however, those disseminating and downloading Sony copyrighted information have potential civil and criminal liability, unless that downloading comes within the permissible “fair use” exception – like the author downloading a portion of one of the hacked movies to show the watermarking feature on television. That’s fair use, right? Having a Fury party at home with a bunch of friends – not so much.
There have been a few cases when the U.S. government has prosecuted someone for “theft” of information under the criminal theft statute, 18 USC 641. For example, the government prosecuted a former Navy employee who sold photographs of Soviet ships to Jane’s Defense Weekly. Or they prosecuted a former government official who sold the names of DEA undercover agents to the mob. But that’s about it.
In fact, the Supreme Court has said that, when the thing sought to be protected is actually intellectual property rather than physical property, you can’t resort to the theft statutes.
In Dowling v. United States the government tried to use the theft statutes to prosecute a man who was selling pirated copies of Elvis Presley tapes (the King lives!) The Supreme Court held that, where the thing “stolen” is copyrighted information, and the “theft” really amounts to a copyright infringement, you can’t use the stolen property statutes to go after infringing activity.
The Court noted:
“The Government’s theory here would make theft, conversion, or fraud equivalent to wrongful appropriation of statutorily protected rights in copyright. The copyright owner, however, holds no ordinary chattel. A copyright, like other intellectual property, comprises a series of carefully defined and carefully delimited interests to which the law affords correspondingly exact protections.
“… Interference with copyright does not easily equate with theft, conversion, or fraud. The Copyright Act even employs a separate term of art to define one who misappropriates a copyright: ‘Anyone who violates any of the exclusive rights of the copyright owner,’ that is, anyone who trespasses into his exclusive domain by using or authorizing the use of the copyrighted work in one of the five ways set forth in the statute, ‘is an infringer of the copyright.’ [17 U.S.C.] 501(a).”
And in fact, the Court in Boston dismissed criminal charges against David LaMacchia, a suspected computer hacker, for breaking into MIT’s computers and stealing source code because, essentially, copyrighted information can’t be “stolen” — it can only be “infringed.” So there’s a hurdle Mr. Boies has to overcome.
2. Personally Identifiable or Personal Health Information (PII/PHI)
Some of the information stolen from Sony is PII or PHI. Names, addresses, social security numbers, email addresses, health records, etc. The dissemination by third parties of this information is probably not a crime, but it does increase the harm to the impacted party. Thus, there could be civil liability for torts like intrusion into seclusion, or in states that recognize the tort, dissemination of private facts. Also, a person willfully disseminating personal information might – just might – be held liable for intentional infliction of emotional distress.
If you disseminated PII or PHI with the intent to further a crime like identity fraud or identity theft, you might also be held liable for what is called “inchoate” crimes – accessory before the fact, accessory after the fact, aiding and abetting, criminal facilitation, or conspiracy.
Lesson for CISOs. Don’t take a narrow definition of PII or PHI when deciding what needs to be protected. Battles are often fought in boardrooms over whether a telephone number is PII (lawyer answer, it depends). Just ask this question instead – if it was leaked in a Sony type attack, what harm could result? That will dictate how you protect the data.
It is possible that newspapers or other media outlets could be held liable for publishing personal information — or more accurately, for the harm caused to individuals resulting from the publication. But if there is precedent for such an action against a newspaper or other media outlet, I haven’t seen it.
3. Credit or Payment Card Information (PCI)
There currently is little evidence that any credit, debit or payment card data was disseminated as a result of the Sony hack. So far. The liability for the release of such information comes under contractual rules set up by the Payment Card Industry Council, and involves a host of parties – the bank that issued the card, the merchant, the retailer, the accepting bank, the processor, the respective insurers. But this is not that kind of breach.
Generally, stolen account information is disseminated on the dark web through carder organizations. In those cases, those selling the data can generally be held liable under 18 USC 1029 or other statutes for trafficking in stolen access devices. Or for conspiracy. If you can catch them, which you usually can’t.
One somewhat frightening theory holding media outlets liable for publication of this information would be the so-called “material support” idea. The publication of the information gives an incentive for the hackers to steal it, and therefore aids and abets, or lends material support for the crimes themselves. A scary principle when applied to, say The New York Times.
4. Trade Secret Information
Much of the stolen information is, or possibly was, trade secret information. The SPECTRE script for example is both subject to copyright protection (whether disseminated or not) as well as trade secret. A trade secret is a unique form of intellectual property. It derives value by virtue of being secret. Once the secret is no longer secret, the trade secret has no value. Or little value. So you can understand why Sony would want to try to keep what it considers secrets, well, secret.
So if the trade secret is made public – and is truly public information – it’s not a trade secret and can’t be protected. The original leaker is liable for obtaining the secret by improper means, but those who obtained it without resort to improper means are likely not liable.
Or maybe they are.
Think of the Snowden and Manning data dumps. No doubt that both Snowden and Manning violated their duties of secrecy to their employers. No doubt that each of them probably violated the WWI-era Espionage Act, 18 USC 793, by disseminating the information. Also, the government takes the position that, despite their actions, the data contained in the files is still classified.
This puts government employees, contractors and policymakers in the position that reading the New York Times or the Washington Post constitutes the unauthorized access to classified information, and even though the Department of Justice has decided not to go after New York Times reporter James Risen, it could still go after a GS-5 clerk in the Agriculture Department for leafing through Forbes online. Gotta love the law.
Most trade secret litigation occurs at the state level. A uniform law called the Uniform Trade Secret Act, adopted in one fashion or another in 40 States, protects trade secrets from theft or dissemination. The uniform law defines a trade secret as:
· information, including a formula, pattern, compilation, program, device, method, technique, or process,
· that derives independent economic value, actual or potential, from not being generally known to or readily ascertainable through appropriate means by other persons who might obtain economic value from its disclosure or use; and
· is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
One can question whether the Sony data is “secret” now, and whether it was subject to “reasonable efforts” to protect its secrecy.
One test of trade secret protection is whether the information is “readily ascertainable through appropriate means.” That means right now. Not two weeks ago. Two weeks ago, if you wanted to know the screenplay for SPECTRE, you had to know the author or work for Sony. A trade secret.
Today, a Google search will find it. (I think – I haven’t tried.)
Is this then “appropriate means?” Not if you ask Sony.
And that points out one of the problems with trade secret litigation in the days when everyone is a publisher. In the old days (and today) people stole trade secrets and used them. Get the plans for the U.S. space shuttle, and build the Buran Soviet shuttle. You know – espionage.
But today, hackers and others are equally motivated by disseminating the secrets – not to “use” them but to release them, to embarrass the owners, or to simply cause economic harm and render the secrets useless. The law wasn’t really designed for that.
A lot of this depends on whether the trade secret was acquired by “improper means.” Certainly to the Sony hackers, it was. Or to their direct cohorts. You can’t claim that you didn’t acquire it improperly because you delegated that task to someone else.
But what about to the downloaders? Did a person who simply Googled “SPECTRE script” and found it acquire the “trade secret” by “improper means?”
Orin Kerr of GWU Law School points to a case called United States v. Genovese in New York City in which a person was criminally prosecuted for trade secret violation for downloading a file. Genovese himself downloaded, and then offered for sale Microsoft source code for Windows NT and Windows 2000. He was prosecuted under the federal trade secret law, the Economic Espionage Act, 18 USC 1839. The Court noted that:
Genovese maintains that “he had every reason to believe the code had become publicly available” when he found it on the Internet. … However, a trade secret does not lose its protection under the EEA if it is temporarily, accidentally or illicitly released to the public, provided it does not become “generally known” or “readily ascertainable through proper means.” 18 U.S.C. § 1839(3)(B).
The Court ruled that, even though the source code could be found online, it was not “generally known” and therefore not truly “public.” Therefore, it was still entitled to trade secret protection, and Genovese could be prosecuted for downloading the file. The Court explained:
… a reasonable inference from Genovese’s website posting is that he knew that the source code derived independent value because it was not “generally known.” The Government alleges that he described the code as “jacked” and indicated that others would have to “look hard” to find it elsewhere. As such, Genovese was on notice that Microsoft had not publicly released the code and recognized its public scarcity.
Moreover, because Genovese offered the code for sale and successfully sold it, he was on notice that it derived value from its relative obscurity, notwithstanding that it was available from other sources. See United States v. Hsu, 40 F.Supp.2d 623, 630-31 (E.D.Pa.1999) (rejecting a similar challenge to the definition of “trade secret” where the evidence showed that the defendant “knew (or at a minimum believed) that the . . . information he was seeking to acquire was not `generally known to’ or `readily ascertainable’ through proper means by, the public”).
Ben Franklin once observed that “two may keep a secret, so long as one of them is dead.”
So the takeaway is that there’s “secret,” “kinda secret,” and “not so secret.” But what’s missing from the Court’s analysis in Genovese is whether the “secret” is “readily ascertainable” by proper means. In other words, can you easily find it without doing something illegal or improper?
In the Genovese case, you can make an argument that, despite the fact that Genovese himself was able to find the stolen source code, it was not “readily ascertainable.” In other cases, courts have found that where a trade secret was inadvertently disclosed because a court failed to seal a docket, the trade secret was not extinguished, and the genie could be put back in the bottle.
Similarly, if you accidentally disclose a trade secret (or for that matter, a privilege like attorney-client privilege) there are so-called “clawback” provisions that allow you to get it back. In those cases, the fact that the secret document CAN be found doesn’t mean that it WILL be found, and therefore the secret is still a secret.
But what about the script to SPECTRE? Or the other Sony secrets? If they are “readily ascertainable” without resort to “improper means” they are fair game. It’s not the fact that they CAN be downloaded, as Mr. Genovese learned. It’s the fact, apparently, that they can be EASILY downloaded. I guess.
So the best way to keep a secret is to just not say anything at all. As Agent 007 said to Auric Goldfinger, “do you expect me to talk?” And Goldfinger replied, “No, Mr. Bond. I expect you to die…”