GROKLAW
IAC v. Citrin - Deleting Files a Crime?
Saturday, March 11 2006 @ 10:31 AM EST

Whenever I get a lot of email about a story, I take it seriously. This story about International Airport Centers, LLC v. Citrin is filling up my inbox. I see Slashdot had it yesterday too. So I decided to take a look and see if I could find some material to help you understand what is happening, and I have.

It's an Order being described as an expansion of the Computer Fraud and Abuse Act:
The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin's implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract.

The implications of this decision are broad. It effectively says that employees better not use OS X's Secure Empty Trash feature, or any similar utility, because they could face civil and criminal charges after they leave their job.

When I read the article, I just knew there had to be more to the story.

For one thing, Judge Richard Posner, who wrote the controversial order for the U.S. Court of Appeals for the Seventh Circuit, is an intelligent judge, although not a geek, as you will see, and anyway, whenever you read something in the media that violates your sense of what should be, it's wise to check and make sure of the details before you stop breathing and turn purple.

In fact there is quite a bit more to the story. And the good news is that it isn't the end of the story yet. Before I explain it all, here are some documents that will help you get the whole picture, all PDFs:

First, what happened?

If you read the Amended Complaint, you find out it was by no means a typical employer sues employee case:

3. The Defendant is Jacob Citrin ("Citrin").... Citrin, until October 30, 2003, was an officer and employee of IAC, serving as a "Managing Director." Citrin continuously has been employed by IAC since its formation in 1995. ...

4. Citrin was responsible during his employment at IAC for, among other things, identifying potential properties for acquisition and directing the acquisition process with respect to such properties. Citrin is a 19.88% member of PIC IAC LLC (and thus indirectly a .08% owner of IAC [4.18% of IAC x 19.88% of PIC IAC LLC = .08% of IAC] and a 40% member of IACEA LLC (thereby indirectly an owner of an additional interest in IAC). Citrin is thus a beneficial owner of IAC and such beneficial membership interest is worth several million dollars.

See what I mean? Already you can see that this isn't just some poor slob being run over by his ex-employer.

Now, why did the plaintiffs decide to sue under the Computer Fraud and Abuse Act? It's a jurisdictional ploy, as best I can make out. They wanted to sue in Federal court, and that was a problem, because the plaintiffs are in Illinois and the defendant is in New York State, but because he had an ownership interest in the plaintiffs, there was no diversity jurisdiction. In paragraph 5, the plaintiffs state that jurisdiction is proper because of the CFAA, 18 U.S.C. Section 1030(g). Marbux explained it to me like this:

Therefore, federal court jurisdiction, if it existed, had to depend on a combination of the federal question jurisdiction provided by the CFAA claim and supplemental jurisdiction (encompassing in part what used to be called "pendant" jurisdiction). Under supplemental jurisdiction, if federal question jurisdiction exists, the pendant state claims can be appended to the federal action regardless of any lack of diversity among the parties. But if the claim raising the federal question can not be stated, then there is no basis for federal supplemental jurisdiction over the state claims.

As for what they allege he did wrong, it's largely contract-based. As I always tell you, don't sign anything you haven't read and discussed with your lawyer. They claim that Citrin has made illegal profits by his actions to the tune of "the high six figures or low seven figures". They say that "sometime at a date unknown" but before October 2003, he decided to quit the company and compete against it, and he didn't tell the company but instead made certain "surreptitious plans" to "fraudulently appropriate IAC opportunities and assets", along with the company's "confidential and proprietary work product" for his own use.

For example, they say he identified a property for acquisition, then told the company there were issues that made it not a good idea to go forward, asked for documents obtained in the course of the due diligence by IAC, secretly formed his own company, and then acquired the facility himself. It's more complex than that even, since he then sold a 50% interest, but you can read the complaint for yourself for the fine details.

The point is that he had signed an agreement that he wouldn't compete for two years after termination of his employment with IAC, and here they say he was competing against the company even before termination. However, the agreement said that the covenant not to compete was void "in the event of a Change of Control and/or termination of Grantee's employment, if not for Cause." He also signed a Confidentiality Agreement. The company notified him on October 22, 2003, after he allegedly failed to show up for several important meetings, that he would likely be terminated for cause because of non-performance, so he quickly resigned on October 30th in what the plaintiffs call "a transparent effort to preempt termination for cause." The company responded to his ploy, as they saw it, by telling him he was terminated for cause, so there. And so the fight began.

So the company wants an injunction against Citrin not to compete, saying it's a classic inevitable disclosure case, and a declaration that he has lost the right to "certain compensation expectations". There is real money at stake, and to win, the plaintiffs must prove that he is guilty of wrongdoing, and that is where the CFAA claim comes in.

Now, the company provided Citrin with a computer, a laptop, for use in traveling about looking for acquisition targets. The reason the company cared about him deleting materials is because they felt having the materials gave him an unfair advantage over the company, and he allegedly deleted materials not only from the laptop he was using but from the snap server the company provided for storage and backup. IAC wants that confidential material returned to them and they'd also like financial restitution. They'd like a million dollars in punitive damages, plus compensatory damages, as well as disgorgement of pay Citrin received during the period they say he was actually working against them, and they don't want him to be able to use the materials he deleted from the laptop and server against them in business.

The Computer Fraud and Abuse Act Claim

The plaintiffs cited the following sections of the CFAA:

Whoever ... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer... 18 U.S.C. Section 1030(a)(5)(A)(i).

by conduct described in clause (i), (ii), or (ii) of subparagraph (A), caused...18 U.S.C. Section 1030(a)(5)(B).

loss to 1 or more person during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; 18 U.S.C. Section 1030(a)(5)(B)(i).

the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device; 18 U.S.C. Section 1030(e)(1).

the term "protected computer" means... a computer which is used in interstate or foreign commerce or communication.... 18 U.S.C. Section 1030(e)(2)(B).

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. 18 U.S.C. Section 1030(g).

Then, they stated that his "willful destruction of IAC's computer and snap server" was a violation of both the criminal and civil provisions of the CFAA, in that he "knowingly caused the transmission of a program, information, code or command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer within the meaning of the CFAA."

Well. He allegedly destroyed materials on the computer and the server, but it surely isn't accurate to say that he destroyed the computer or the server by deleting materials. That's just silly. They asked for the following relief: an injunction so he wouldn't violate the CFAA any more. That's silly too. They have the laptop and he already deleted all there was on the server. However the rest isn't so silly, viewed from the plaintiffs' standpoint. They asked for an injunction that he be blocked from destroying or disposing of any materials he has in his possession that are actually the property of the plaintiffs and that he be ordered to return it all to them.

Another cause of action had to do with the state of Illinois' Computer Tampering Act. This is an area of law I researched for my boss once, a few years ago, and some of the local statutes are far worse than the CFAA. So it is here. Illinois' law says that it is against the law to insert a program knowing that the program contains information or commands that will or may "alter, delete or remove a computer program or data from that computer". Happily I don't live in Illinois, because I remove programs and data from my computer all the time. I used to do it on company computers too, now that I think of it, because I didn't want certain Windows applications on any computer I used on the Internet. Barring a writing authorizing me to do that, an Illinois employer wishing to cause me trouble could claim I was in violation of that Illinois statute, and he'd be correct. And the plaintiffs here do exactly that, saying the deletion program was "inserted" into the laptop and it altered, deleted and removed data from the laptop and server. Ta da. He's an alleged criminal in Illinois.

You can just use a little logic to see that they are not talking sensibly though. First they claim he destroyed the laptop and the server, and hence he broke the law. And then they ask the court to make him return the "destroyed" materials. It sort of can't be both, so far as I can see. The problem isn't the courts. It's the laws, the way they are written. They are written by folks who don't know enough about computers to fine-tune the statutory language so it isn't so broad it pretty much criminalizes everyone.

The lower court at the District level didn't see it the plaintiffs' way. Citrin brought a motion to dismiss, and here's what the District Judge, Wayne R. Andersen, ruled on January 31, 2005:

Citrin was an employee and managing director of IAC until October 30, 2003. During his employment, Citrin was responsible for identifying potential properties for acquisition by IAC and directing the acquisition process with respect to such properties. Plaintiffs assert that Citrin breached his contract and fiduciary obligations when he decided to leave his employment and compete with IAC. Plaintiffs allege that Citrin has fraudulently misappropriated IAC opportunities and assets along with confidential and proprietary work product.

Specifically, in relation to the allegations set forth in Count VI, plaintiffs assert that, prior to leaving his employment at IAC, Citrin deleted all of the data contained on the computer and snap backup server that IAC had provided him for his use as an IAC employee and managing director. In addition, IAC alleges that Citrin installed a software program on his computer and snap server that made it impossible for IAC to recover any of the deleted material. As a result of deleting this material and installing a program which prevented IAC from recovering any of the material, plaintiffs claim that Citrin has gained a competitive edge over IAC by having sole knowledge of the contents of the data he erased from his laptop computer and snap server. Based on these allegations, plaintiffs claim that Citrin has violated the CFAA, 18 U.S.C. Section 1030(a)(5)(A).

DISCUSSION

To state a claim under the CFAA, a plaintiff must allege a knowing "transmission" of a "program, information, code, or command" to "protected computer" which causes damage. 18 U.S.C. Section 1030(a)(5)(A) (2002); Hayes v Packard Bell Nec., 193 F. Supp. 2d 910, 912 (E.D. Tex. 2001). Plaintiffs allege that Citrin's installation of a software program to delete the data and material stored on his individual laptop computer and backup snap server constitutes a violation of the CFAA. We disagree.

Even assuming as plaintiffs have alleged that Citrin "is guilty of gross spoilation in purging the data from the IAC computer and snap server" and that "by destroying the entire content of information contained on the computer and snap server, [Citrin] was clearly attempting to prevent IAC from recovering . . . any evidence of his [alleged] improper conduct" (Amended Complaint, at Paragraph 9), this court concludes that this conduct, as a matter of law, does not constitute a violation of the CFAA. The legislative history for the CFAA explains that the general purpose of the CFAA is to address the problem of computer crime, to protect computers and computer networks from access by hackers and to prevent the transmission of computer viruses or other harmful computer programs. . . .

we find that the installation of a program which is designed simply to delete material only from that individual's computer and snap server does not constitute a "transmission" as contemplated by the CFAA. We do not believe that Congress intended that the simple act of erasing files from an individual laptop computer and backup snap server would trigger liability under the CFAA, and we decline to expand the scope of the Act to include such conduct.

Plaintiff's amended complaint also includes allegations of misappropriation, conversion and alleged violations of the Illinois Trade Secret Act and the Illinois Computer Tampering Act. These allegations may state claims for relief although this court declines to decide those issues. This court, however, does find that the allegations in plaintiffs' amended complaint do not fall within the scope of the CFAA. Based on the facts alleged in the amended complaint, plaintiffs fail, as a matter of law, to state a claim for a violation of the CFAA. Accordingly, we grant Citrin's motion to dismiss Count VI. As the remaining claims in this case are pendant state law claims, we decline to exercise supplemental jurisdiction over those claims.

CONCLUSION

For the foregoing reasons, defendant's motion to dismiss Count VI is granted, and plaintiffs' amended complaint is dismissed in its entirety.

It is so ordered.

The plaintiffs were not happy with that decision, so they appealed to the U.S. Court of Appeals for the Seventh Circuit, and the Order ended up being written by Judge Posner for the three-judge court of appeals panel, and Judge Posner clearly is not a geek. You can see him struggling to understand what the erase application is that Citrin used and how it works on page 3 of the Order:

We do not know whether the program was downloaded from the Internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire. Oddly, the complaint doesn’t say; maybe IAC doesn’t know—maybe all it knows is that when it got the computer back, the files in it had been erased. But we don’t see what difference the precise mode of transmission can make. In either the Internet download or the disk insertion, a program intended to cause damage (not to the physical computer, of course, but to its files—but “damage” includes “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8)) is transmitted to the computer electronically. The only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer. The difference vanishes if the disk drive into which the disk is inserted is an external drive, connected to the computer by a wire, just as the computer is connected to the Internet by a telephone cable or a broadband cable or wirelessly.

There is the following contextual difference between the two modes of transmission, however: transmission via disk requires that the malefactor have physical access to the computer. By using the Internet, Citrin might have erased the laptop’s files from afar by transmitting a virus. Such long-distance attacks can be more difficult to detect and thus to deter or punish than ones that can have been made only by someone with physical access, usually an employee. The inside attack, however, while easier to detect may also be easier to accomplish. Congress was concerned with both types of attack: attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii) (emphasis added), it can’t make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.

You can see when he calls the delete function "a destructive program" that he has concluded that Citrin is attacking, in the sense of a virus or trojan. He's thinking evil hacker. Obviously, he's never used a Mac. In Mac OSX, there is a secure delete option every time you empty the Trash. It's not a hacker tool. It's built right in to the system. People who are not familiar with computers tend to fear them, I've observed, and to view them as a kind of out of control weapon they don't know how to protect themselves from unless they stomp away in all directions at once, just to be on the safe side.

The judge is wrong that we don't know where the program came from. I don't know why he wrote that, because if you read the Plaintiffs' Response to Defendant's Motion to Dismiss, linked to above, you can see that it says clearly on page 9 it was from a CD or disk. Unfortunately, the Motion to Dismiss is not available on Pacer, but if you read the Plaintiffs' Response, you can discern what his arguments were.

And you'll notice that he bases his argument not on the parts of the CFAA that the plaintiffs cited but on 18 U.S.C. § 1030(e)(8). When you see judges helping one side out like that it generally means that they are looking for a way to pin the guilty party, in their estimation. Frankly, if a judge wants to get you, you're going to get got. They know how. Here, plaintiffs had alleged serious harm, and their day in federal court got thrown out when the lower court threw out the CFAA federal claim and with it all the state claims too, which it had to do, being a federal court. The state claims can only be heard by a federal court if there are federal claims too, and when the federal claim got tossed, everything went with it. This appeals court found a way to restore them to federal court. My guess is that they felt there was sufficient harm alleged that they wanted the plaintiffs to have their day in federal court. To do that, all the appeals court had to find was that the plaintiffs had stated a claim, which is a pretty low bar, generally speaking. The ruling opens like this:

This appeal from the dismissal of the plaintiffs’ suit for failure to state a claim mainly requires us to interpret the word “transmission” in a key provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.

That is what the court did, interpret "transmission" to include this defendant's actions. It doesn't mean the defendant will be found guilty. I find that unlikely on the CFAA claim, since the lower court has already expressed what seemed to be a disinclination to do so, and even though the matter was successfully appealed, Judge Posner, writing for the court, isn't the only judge that can look for ways to accomplish what they want to accomplish. And don't leave out of the equation this: on a motion, such as the one Citrin brought to dismiss, the court must accept as true all facts not disproven by the other side. On the appeal, brought by the plaintiffs, it's the other way around. So the order beginning with the second sentence reads like this:

The complaint alleges the following facts, which for purposes of deciding the appeal we must take as true. The defendant, Citrin, was employed by the plaintiffs—affiliated companies engaged in the real estate business that we’ll treat as one to simplify the opinion, and call “IAC”—to identify properties that IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets. Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop to IAC, he deleted all the data in it—not only the data that he had collected but also data that would have revealed to IAC improper conduct in which he had engaged before he decided to quit. Ordinarily, pressing the “delete” key on a computer (or using a mouse click to delete) does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands. Such “deleted” files are easily recoverable. But Citrin loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery. Thomas J. Fitzgerald, “Deleted But Not Gone: Programs Help Protect Confidential Data by Making Disks and Drives Unreadable,” New York Times (national ed.), Nov. 3, 2005, p. C9. IAC had no copies of the files that Citrin erased.

The provision of the Computer Fraud and Abuse Act on which IAC relies provides that whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [a defined term that includes the laptop that Citrin used],” violates the Act. 18 U.S.C. § 1030(a)(5)(A)(i). Citrin argues that merely erasing a file from a computer is not a “transmission.” Pressing a delete or erase key in fact transmits a command, but it might be stretching the statute too far (especially since it provides criminal as well as civil sanctions for its violation) to consider any typing on a computer keyboard to be a form of “transmission” just because it transmits a command to the computer.

There is more here, however: the transmission of the secure-erasure program to the computer.

What the appeals court doesn't understand, I think, is that any company laptop really should have a secure delete application, so that confidential materials can't fall into the wrong hands. Stuff should be routinely encrypted too, I believe, because it's just too easy to leave a laptop in a cab or on a plane.
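To make the distinction the order draws concrete, here is an added example (not part of the original article, the court record, or any real erase utility): a toy disk with an index, an ordinary delete, an overwrite-then-delete, and a raw scan standing in for a recovery tool. The class, file names and sample contents are all constructed for illustration.

```python
"""Toy model of 'delete' versus 'secure erase' as the order describes them.
Everything here (ToyDisk, file names, contents) is constructed for illustration."""

BLOCK = 32  # bytes per block; an arbitrary size for the demo

# Constructed sample contents, each starting with a recognisable signature.
SIGNATURE = b"SAMPLE-CONFIDENTIAL"
MEMO = SIGNATURE + b": constructed memo text"
NOTES = SIGNATURE + b": second constructed file"


class ToyDisk:
    """A flat byte array plus an index of names -> blocks, like a very simple filesystem."""

    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)   # what a forensic image would capture
        self.index = {}                        # name -> (block numbers, length)
        self.free = list(range(blocks))        # blocks available for future writes

    def write(self, name, data):
        need = -(-len(data) // BLOCK)          # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = (blocks, len(data))

    def delete(self, name):
        """Ordinary delete: drop the index entry and free the blocks. The bytes stay put."""
        blocks, _ = self.index.pop(name)
        self.free.extend(blocks)

    def secure_delete(self, name):
        """Overwrite every block the file occupied, then do the ordinary delete."""
        blocks, _ = self.index[name]
        for b in blocks:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)  # zero-fill
        self.delete(name)


def carve(disk, signature):
    """What a recovery tool does: ignore the index and scan the raw bytes."""
    hits, start = [], 0
    while (pos := disk.raw.find(signature, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def demo():
    disk = ToyDisk()
    disk.write("memo.txt", MEMO)
    disk.write("notes.txt", NOTES)

    # Ordinary delete: the file vanishes from the listing but not from the disk.
    disk.delete("memo.txt")
    listed = sorted(disk.index)
    hits_after_delete = carve(disk, SIGNATURE)
    first = hits_after_delete[0]
    recovered = bytes(disk.raw[first:first + len(MEMO)])

    # Overwrite-then-delete: the second file's bytes are gone; the first file's remain.
    disk.secure_delete("notes.txt")
    hits_after_secure_delete = carve(disk, SIGNATURE)

    return {
        "listed_after_delete": listed,
        "hits_after_delete": hits_after_delete,
        "recovered": recovered,
        "hits_after_secure_delete": hits_after_secure_delete,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

On real media the picture is messier: journaling filesystems, snapshots, backups and SSD wear levelling can all leave copies that an in-place overwrite never touches.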

But my point is this: You can see that if the court had to accept all those facts it lists as true, it would tilt against Mr. Citrin. And so it does, as you can see here:

Citrin violated that subsection too. For his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.

If a court of appeals had heard a disputed motion to dismiss in the SCO v. IBM case, imagine all the mistakes it would inevitably have to make, since the complaint is chock full of what I believe are inaccurate facts that the court, at that stage, would have to accept as true for the purposes of the appeal.

But that doesn't hold for the actual trial, where the jury will decide based not on the appeal of this one issue about "transmission" under CFAA, but on the facts of the case as they see them.

So the case goes back to Judge Andersen and they'll have to go the entire discovery/trial route before we will know the ultimate outcome. That leaves on the table the rather horrifying ruling that deleting files can be a violation of CFAA. Of course, that was true before, if you read the words of the statute. It's true of the Illinois statute too. But the circumstances of a case matter in any determination. What it will turn on is whether he was deleting his own materials, in accord with the agreement which said he was to return or destroy materials on the laptop. He'll argue at trial, no doubt, that he merely opted to delete as per the agreement. A lot will depend on whether he knew when deleting the materials that IAC had no other copies or whether he thought he was just removing his own materials in contemplation of leaving the company. I note that the Amended Complaint doesn't give an exact date for when the termination happened or when all the activities, such as the deleting, happened, so that's another issue. If he deleted while still employed, for example, then IAC can't accuse him of unauthorized access. But if he quit and then later deleted (and if the agreement to destroy or return materials doesn't cover his activities), then they presumably can argue that he had no right to access the laptop at all. Posner seemed to think that way, but that doesn't mean a jury will so find. Here's what Posner wrote on that theme:

Citrin violated that subsection too. For his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee. United States v. Galindo, 871 F.2d 99, 101 (9th Cir. 1989); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1124-25 (W.D. Wash. 2000); see Restatement (Second) of Agency §§ 112, 387 (1958).

Muddying the picture some, the Computer Fraud and Abuse Act distinguishes between “without authorization” and “exceeding authorized access,” 18 U.S.C. §§ 1030(a)(1), (2), (4), and, while making both punishable, defines the latter as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). That might seem the more apt description of what Citrin did.

The difference between “without authorization” and “exceeding authorized access” is paper thin, see Pacific Aerospace & Electronics, Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196-97 (E.D. Wash. 2003), but not quite invisible. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001), for example, the former employee of a travel agent, in violation of his confidentiality agreement with his former employer, used confidential information that he had obtained as an employee to create a program that enabled his new travel company to obtain information from his former employer’s website that he could not have obtained as efficiently without the use of that confidential information. The website was open to the public, so he was authorized to use it, but he exceeded his authorization by using confidential information to obtain better access than other members of the public.

Our case is different. Citrin’s breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC’s agent—he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship. “Violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship.” State v. DiGiulio, 835 P.2d 488, 492 (Ariz. App. 1992). “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.” Id.; Restatement, supra, § 112; see also Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., supra, 119 F. Supp. 2d at 1123, 1125; cf. Phansalkar v. Andersen Weinroth & Co., 344 F.3d 184, 201-02 (2d Cir. 2003) (per curiam); Restatement, supra, § 409(1) and comment b and illustration 2.

Citrin points out that his employment contract authorized him to “return or destroy” data in the laptop when he ceased being employed by IAC (emphasis added). But it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have—if only to nail Citrin for misconduct. The purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted. More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company’s employ—the provision authorizing him to return or destroy data in the laptop was limited to “Confidential” information. There may be a dispute over whether the incriminating files that Citrin destroyed contained “confidential” data, but that issue cannot be resolved on this appeal.

The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC’s federal claim.

So, the appeals court puts the entire Amended Complaint back on the table, not just the CFAA federal claim. I told you if a court wants to find a way to get you, you're going to get got.

I know if I were on the jury, I'd find it hard to view such a program as a cracker tool, since I use the Mac OSX secure delete option every time I delete anything from trash. So, unlike Judge Posner, I just can't view it as an evil hacker tool, the way he does. However, if the guy deliberately destroyed the materials so as to prevent IAC from being able to compete, and the materials belonged to them and they had no other copy, obviously that isn't right either, and the wording of the CFAA then might well seem to cover what he did. But their other claims under state law are certainly sufficient to deal with that kind of behavior. What happened was, as I see it, a dance to keep it in federal court. That doesn't mean that in the end he'll be found guilty of violating the CFAA necessarily, but it does mean that anyone in the Seventh Circuit now can be, if the circumstances are right. That's the trouble with such laws, actually, when laws are written by nongeeks to try to control geeks, when no one devising the language knows where up is or how to write a law that can't be abused.

On the other hand, if you think about it in meat space terms, it's not so horrifying. If, for example, he had files belonging to the company, paper files, at his home, and instead of returning them either destroyed them or hid them and used them to get business for his new company even though the files consisted of his ex-employer's materials, is it hard to decide that it's wrong to behave that way? If you agree, then why not make it wrong to do the equivalent on a computer? It's not so black and white then, is it?

Anyway, I hope going through all this helps you to breathe a little more normally again, now that you see that the case isn't quite as simple as it sounded at first glance. Furthermore, decisions by the Court of Appeals for the Seventh Circuit apply to the Seventh Circuit, not the entire country. It is certainly possible that Mr. Citrin will further appeal this decision, for that matter. I know I would.

I hope you see why I'm so thrilled when I hear from readers that they have decided to attend law school. Another reader sent me just such an email last week, actually, and that makes 8 Groklaw members who have decided to become lawyers so far. (I just heard from a 9th, at Harvard Law School.) It really matters to have judges (and lawyers) who understand the tech and don't view computers as scary tools that can do unknown things as if by magic when commanded to by those skilled in black arts.


  


IAC v. Citrin - Deleting Files a Crime? | 236 comments
Corrections here ...
Authored by: alisonken1 on Saturday, March 11 2006 @ 10:54 AM EST

... as needed

---
- Ken -
Registered Linux user #296561
Slackin' since 1994 -
import std_disclaimer.py

[ Reply to This | # ]

OT here ...
Authored by: alisonken1 on Saturday, March 11 2006 @ 10:56 AM EST

... and one of these days I'll have an off-topic to add.

---
- Ken -
Registered Linux user #296561
Slackin' since 1994 -
import std_disclaimer.py

[ Reply to This | # ]

Math challenged
Authored by: Anonymous on Saturday, March 11 2006 @ 10:58 AM EST
19.88% of 4.18% is about 0.8%, not 0.08%.

[ Reply to This | # ]

"Protected Computers"
Authored by: Carlo Graziani on Saturday, March 11 2006 @ 11:27 AM EST

The term "Protected Computer", as defined in the statute, strikes me as a serious ambiguity not addressed in this matter.

A few years ago, an FBI agent giving a presentation told me (informally, and with no pretense of dispensing official legal advice, which I would not be qualified to assess anyway) that DOJ had talked the courts into interpreting the term as meaning, essentially, "servers". Under this interpretation, the criminal action alleged would refer to what happened at the backup server, while the laptop itself ought to be exempt from the provisions of the Federal statute.

It's possible I misunderstood. It's also possible that the law has moved on since then. However, I would dearly love to read a careful analysis of how the courts interpret the term "protected computer" in the context of the statute.

[ Reply to This | # ]

IAC v. Citrin - Deleting Files a Crime?
Authored by: tredman on Saturday, March 11 2006 @ 11:39 AM EST
What I can't understand is that it's common for a company to not make backups of
individual computers and workstations, particularly laptops. However, the IT
guy that decided not to take removable media backups of the backup server
wouldn't last long in my department. I would have chewed him out severely and
given him his walking papers. It's situations like this, not just natural or
man-made disasters, that you archive digital material.

Their disaster recovery strategy, in a nutshell, is a joke, if they can't back
up a single server whose primary purpose is the archiving of data. Our DR
strategy, and we're a very small company, involves nightly encrypted backups to
removable media, and regular offsite storage. When we had the rash of
hurricanes the last couple of years, it was not uncommon for me to take a copy
of the most recent backup and keep it at my house, simply because of the
geographical separation.

Their IT department needs an enema (apologies to Jack Nicholson).

---
Tim
"I drank what?" - Socrates, 399 BCE

[ Reply to This | # ]

IAC v. Citrin - Deleting Files a Crime?
Authored by: Anonymous on Saturday, March 11 2006 @ 11:51 AM EST
Very interesting. IMO this all revolves around timing, and the plaintiff's
ability to prove the sequence of events. IANAL and what follows is purely my
conjecture for your comments.

Frankly, from a pure IT governance viewpoint (not a legal one), the company
itself has culpability here, if they only had one level of backup (the
snapstream server) for the laptop data, and no archives. Consider this as a
hypothetical example of why I make this statement.... Presume no employment
issue here, and that the employee is properly accessing and backing up his/her
laptop to the server. Now, said employee is using the laptop on the internet to
do research for their stated business, and gets infected with a virus or is
attacked and loses key information without realizing it. Said employee then
does a backup to the server, replacing the previous backups with now corrupted
information. The end result is the same, and the company's inability to go back
to a grandfather of the backup leaves them without usable data. In this case
the CFAA would apply to the attacker that accessed the laptop without
authorization.

Now, bring this back to the case at hand. If Citrin acted to delete what he
knew was critical information after such time as he breached his employment
contract, then his willful destruction of data is no more or no less devastating
or illegal than that of the attacker in my hypothetical.

It doesn't really matter where the program that did the delete and wipe came
from... as it still had to be loaded into memory and caused to be used. An
attacker could have conceivably "root kitted" the system and caused
the local copy of the delete/wipe to be executed on that computer... just as
running it from the keyboard or clicking on the icon with the mouse. I see the
distinction as moot. What is not moot is if the person using the tool had
legitimate (authorized) access to the computing system at the time the tool was
run.

So the company, in not providing adequate governance to even prevent against
accidental erasure of important files by having tiered /archived backups... has,
IMO, not done due diligence to mitigate against such risk, and damages as a
result of loss of such information therefore should be small, if any.

As far as "returning copies" of said information, I don't see this as
being a circular argument at all. If I were to want to use company information
to go into business, I'd make my own copies of it before removing said
information from the laptop or servers as was claimed. Just because it's
deleted on the laptop Citrin returned and the backup server does not imply or
assure that copies, either printed or in electronic form, do not exist.

This one will be interesting to watch.

...D

[ Reply to This | # ]

    Richard Posner
    Authored by: rcbixler on Saturday, March 11 2006 @ 11:51 AM EST
    His ruling makes me curious about him and, also, I've heard of him before from the days of the US-DOJ v. Microsoft case. I found an interview where he speaks about his unsuccessful attempt to be a mediator in the case. In the interview he mentions that he enjoyed the experience because it allowed him "to learn about computers." Also, Wikipedia has an interesting article on Posner. It says that "Richard Posner's political ideology is hard to describe neatly" - he started out as liberal but became increasingly conservative after the '60's. In some ways he remains socially liberal but he did rule against the right to privacy in the '80's.

    [ Reply to This | # ]

    IAC v. Citrin - Deleting Files a Crime?
    Authored by: Kilz on Saturday, March 11 2006 @ 12:24 PM EST
    One thing that was in the original article that seems important to me.

    "Citrin pointed out that his employment contract permitted him to "destroy" data in the laptop when he left the company. But the 7th Circuit didn't buy it, and reinstated the suit against him brought by IAC."

    So it's OK for a judge to ignore an employment contract that allows the data to be removed?

    [ Reply to This | # ]

    Posner's Blog
    Authored by: cjovalle on Saturday, March 11 2006 @ 12:48 PM EST
    Judge Posner and Gary Becker share a blog: Becker Posner Blog that is pretty interesting. Judge Posner is one of the main individuals associated with the joining of law and economics theory, and his is a *very* utilitarian view.

    [ Reply to This | # ]

    IAC v. Citrin - Deleting Files a Crime?
    Authored by: tknarr on Saturday, March 11 2006 @ 12:59 PM EST

    It sounds to me like he wiped the entire hard drive, not just some files. But that can't be right, because if he'd done that then the snap server couldn't have been infected because after that the laptop wouldn't be able to boot to connect to the snap server and update the backed-up state. If it were only some files that were deleted, instead of the arguments he made I'd've argued:

    • The employment contract permitted personal use of the laptop, so the company authorized storing of personal files on the laptop as well as company data. The company has no ordinary right to demand those personal files, and defendant at the time was not aware those files might be demanded in the course of a legal action, so defendant had no obligation to preserve those files and as much right to delete them before returning the laptop as the company would have to delete company files before eg. selling the laptop for surplus.
    • When the company terminated him it made no request for him to return the laptop and made no attempt to take the laptop back. That constitutes at least implicit authorization to continue using the laptop, else the company would have made at least some token effort to retrieve the laptop. The laptop was returned promptly when a request to do so was made, so no breach of any agreement has occurred.
    • Plaintiff has alleged that defendant deleted company data from the computer, but has presented no evidence to support this allegation such as a log showing the actual deletion of a file along with a chain of evidence showing that that file contained company data.
    Of course I'd've also been careful to keep everything of mine in a separate directory away from any files belonging to the company. That makes it easier to clean up personal data as well as adds weight to the argument that I'm not damaging company data. If successful, there go the Federal charges again.

    It sounds like the company's got a good case on the non-compete clause and general unfair competition and fraudulent dealing, but strictly as a state case. It sounds, though, like they're trying to go into Federal court purely for convenience and have created a contrived reading of the CFAA to justify doing so, and that should be smacked down. Contortion and contrivance never result in good law.

    [ Reply to This | # ]

    IAC v. Citrin - Deleting Files a Crime?
    Authored by: kozmcrae on Saturday, March 11 2006 @ 01:46 PM EST
    Thank you PJ. That was a fascinating read.

    Richard


    ---
    Darl, have you been lying to us? I'm a frayed knot.

    [ Reply to This | # ]

    criminal tools is context dependent?
    Authored by: darkonc on Saturday, March 11 2006 @ 01:50 PM EST
    A friend of a friend was recently arrested for having 'burglary tools'. He explained to me that his burglary tools consisted of things like bolt-cutters.

    Now, bolt cutters are a legitimate tool, but he had a history of B&E and lacked any really good excuse for having these tools.

    Similarly: I have (and use) ethereal and tcpdump on my computer all the time. However, on some of the servers I run, those tools (and even things like gcc) are stripped to prevent misuse.
    If somebody were to download those tools and use them to (say) snoop userids from customers that insist on using (unencrypted) FTP access, I'd call that a hacker tool -- even though I use it legitimately myself.

    Similarly for a butcher knife suddenly becoming a 'deadly weapon' when you're stalking somebody on a dark street.

    It seems relatively common to me that the legality of various tools will vary depending on intent and context. I don't see why computer tools should be any different.

    ---
    Powerful, committed communication. Touching the jewel within each person and bringing it to life..

    [ Reply to This | # ]

    "Protected Computers"
    Authored by: Khym Chanur on Saturday, March 11 2006 @ 01:58 PM EST
    Unless that laptop had software installed or settings enabled to prevent (or at least attempt to prevent) the safe deletion of certain files, how in the world can it be considered protected?

    ---
    Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life. (Paraphrased from Terry Pratchett)

    [ Reply to This | # ]

    IAC v. Citrin - Diversity Jurisdiction?
    Authored by: rsteinmetz70112 on Saturday, March 11 2006 @ 02:00 PM EST
    Why can't this case be heard in Federal Court on grounds of Diversity
    Jurisdiction? Isn't that how SCO and IBM got to Federal Court?

    The Plaintiffs claimed Federal Jurisdiction on diversity, and later apparently
    did not dispute the Defendants assertion that it did not exist? I wonder why
    not.

    ---
    Rsteinmetz - IANAL therefore my opinions are illegal.

    "I could be wrong now, but I don't think so."
    Randy Newman - The Title Theme from Monk

    [ Reply to This | # ]

    Advantages of Thin Client for Companies!
    Authored by: Anonymous on Saturday, March 11 2006 @ 02:20 PM EST
    What would have happened in this case if the fellow said that he was taking it
    back to the company, and parked his car and did not keep it locked, and someone
    walked off with the Laptop and the SNAP-server both (stolen and he reported it
    to the cops)!

    Hey world wake up... there are advantages of Thin Client use for Companies in
    every walk of life!

    Obviously - when we have wireless everywhere, including on AIR PLANES (someday
    with the FAA waking up with Congress hitting them over the head and requiring
    FREE wireless data on an airplane without having to pay each carrier a fee or
    tax for usage), well, then data can sit on a company server (as it should).
    Otherwise there is a need for using the existing synch tools where the employee
    is required to get email from a company server and then files that changed on
    the Laptop get put onto the server at the company during the secure connection.
    Such files get backed up, and would be non-deletable by the remote laptop user.


    But - Citrix, Tarantella, and NoMachine.com's stuff all would be an important
    asset for a company to use. Of interest is that the FreeNX or the GPL'd NX
    compression technology used by NoMachine allows for remote user speeds down to
    9600 baud (CELL PHONE speeds). Such a low speed allows for remote devices that
    are pretty portable and by such usable in many places when one is on the go and
    can't be bothered to find a Wi-Fi, a RJ-45 that is open, or a Wi-Max that is
    connected to the internet. 9600 baud on a cell phone device with remote desktop
    of tools needed by employees is a reality. Notebook computers or laptops
    floating around where they are at risk of theft or being lost or forgotten on a
    Taxi cab ride... WITH IMPORTANT COMPANY DATA... is an IT management mistake as
    all those roads lead to one resulting reaction in IT (how we gonna cover our
    risk end on this one)!

    I have been doing wireless terminal sessions from at least before 1993 and at
    the speed then 38k plus or minus (RS-232 connectors), and was able to get full
    desktop performance at those speeds (what is that now, 15 years ago). I got the
    whole environment that I did it with still constructed with the wireless modems
    still all in a box in storage. I sometimes drag the old RS-232 wireless modems
    out and test limited bandwidth wireless to see how certain networking solutions
    run.

    It is now 15 years later since my early deployment of this technology with low
    speed terminal sessions over wireless! With wireless Cell Phone networking
    ability, one only has to scratch one's head as to why companies still don't know
    how to use it to their advantage to protect their data.

    Note: Data should not even be sitting on desktops - it is too easy to take, and
    erase there as well! Data needs to be in a locked server room with limited
    access by only the most trusted employees! Access to data needs to be by double
    password entry with every log in having the second password change and expire
    after one use.

    Security is not a product, it is a process.

    [ Reply to This | # ]

    What about system backups?
    Authored by: cheros on Saturday, March 11 2006 @ 02:44 PM EST
    I'm a bit surprised that that snap server wasn't backed up in other ways. If it
    handles files of that level of criticality it's almost criminal in itself not to
    stream that system daily onto tape or other means of recovery.

    It shows, however, that giving write access should not always include the
    ability to delete, other than by versioning files out. That always allows
    rollback..

    = Ch =

    [ Reply to This | # ]
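
The two backup comments above (a single-level backup that a later sync overwrites, and write access that versions files out instead of deleting them) can be shown side by side. This is an added example, not part of the original post, the comments, or any Snap Server software; the class names, file names and contents are all constructed for illustration.

```python
"""Constructed comparison: single-level mirror vs. append-only versioned backup."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class MirrorBackup:
    """Single-level backup: the server copy always equals the last client sync."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def sync(self, client_files: Dict[str, bytes]) -> None:
        # The client's current state replaces the server state, so a wipe,
        # overwrite or corruption on the laptop is replicated faithfully.
        self.files = dict(client_files)

    def restore(self, path: str) -> Optional[bytes]:
        return self.files.get(path)


@dataclass(frozen=True)
class Version:
    generation: int
    content: Optional[bytes]  # None is a tombstone: the client no longer has the file


class VersionedBackup:
    """Append-only store: a sync can add versions but never remove history."""

    def __init__(self) -> None:
        self.generation = 0
        self.history: Dict[str, List[Version]] = {}

    def sync(self, client_files: Dict[str, bytes]) -> int:
        self.generation += 1
        # New or changed files become a new version; unchanged files add nothing.
        for path, data in client_files.items():
            versions = self.history.setdefault(path, [])
            if not versions or versions[-1].content != data:
                versions.append(Version(self.generation, data))
        # A file missing from the client is "versioned out" with a tombstone.
        for path, versions in self.history.items():
            if path not in client_files and versions[-1].content is not None:
                versions.append(Version(self.generation, None))
        return self.generation

    def restore(self, path: str, as_of: Optional[int] = None) -> Optional[bytes]:
        """Content as of a generation (default: latest); None if absent or deleted."""
        limit = self.generation if as_of is None else as_of
        content = None
        for version in self.history.get(path, []):
            if version.generation > limit:
                break
            content = version.content
        return content

    def tombstoned_in(self, generation: int) -> List[str]:
        """Audit trail: which paths the client removed in a given sync."""
        return sorted(
            path for path, versions in self.history.items()
            if any(v.generation == generation and v.content is None for v in versions)
        )


def run_scenario() -> Dict[str, object]:
    """Three syncs from a constructed laptop; the third follows a wipe."""
    mirror, versioned = MirrorBackup(), VersionedBackup()
    prospects, notes = "deals/prospects.txt", "notes/site-visits.txt"
    syncs = [
        {prospects: b"prospects v1", notes: b"visit notes"},  # generation 1
        {prospects: b"prospects v2", notes: b"visit notes"},  # generation 2
        {prospects: b"\x00" * 12},  # generation 3: one overwritten, one deleted
    ]
    for state in syncs:
        mirror.sync(state)
        versioned.sync(state)
    return {
        "mirror_prospects": mirror.restore(prospects),
        "mirror_notes": mirror.restore(notes),
        "versioned_latest_notes": versioned.restore(notes),
        "rollback_prospects": versioned.restore(prospects, as_of=2),
        "rollback_notes": versioned.restore(notes, as_of=2),
        "tombstoned": versioned.tombstoned_in(3),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The tombstone list also records which sync removed which file, the kind of deletion log another commenter notes the plaintiff had not presented.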

    What if this had been criminal instead of civil?
    Authored by: brianj on Saturday, March 11 2006 @ 02:49 PM EST
    I'm interested in what would occur had this been a criminal (and not civil) matter. For instance (and I'll agree that this is a bit of a stretch, but bear with me for the sake of argument), let's say that Alice had done some work as a consultant in the evening and had used her work laptop as part of this. She is paid and has received receipts via e-mail for her services, but doesn't report the income.

    Now, she's audited and charged criminally for violations of the tax code. Can she also be charged under the CFAA for doing a secure wipe of the e-mailed receipts? I would think not, due to the 5th amendment.

    Thoughts?

    [ Reply to This | # ]

    Why federal?
    Authored by: Anonymous on Saturday, March 11 2006 @ 04:31 PM EST
    Why is having this dispute resolved in the Federal court that important? Why
    can't they do it in a State court?

    [ Reply to This | # ]

    Damage & evil hackers
    Authored by: Anonymous on Saturday, March 11 2006 @ 04:39 PM EST
    PJ writes: "it surely isn't accurate to say that he destroyed the computer or the server by deleting materials."

    "destroy" is indeed not accurate, but "caused damage to" is.

    The appeals court addressed that very issue:

    a program intended to cause damage (not to the physical computer, of course, but to its files—but “damage” includes “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8))

    I don't agree with PJ's assessment that the Judge is "thinking evil hacker." The decision quoted just above spends many words explaining that the statute is aimed at both "evil hackers" and "disgruntled employees".

    [ Reply to This | # ]

      Missed the story ... Posner's Agenda
      Authored by: Anonymous on Saturday, March 11 2006 @ 04:45 PM EST
      I rarely disagree with PJ about anything, but this time I think she's missed the
      real story.

      Simply put, the text of Posner's decision is irrelevant to the intended result,
      which was to maintain Federal Court jurisdiction. So, very much like an SCO
      brief, you cannot logically analyze the content to understand the result.

      Posner is an activist judge, and viscerally anti-federalist. He was not going to
      allow the District Judge to defer to state court jurisdiction. He is a symptom
      of a larger problem in American law, which is a creeping subversion of state
      courts and law.

      For those outside the U.S., The United States are a regime of fifty-one
      sovereign entities, each of which is supreme in its specified jurisdiction. As
      PJ noted, all of the plaintiff's complaint fell within state law, except this
      trumped up pretext. Thus, as the District Judge correctly decided, this case
      belongs in state court. Posner couldn't abide by that, and had to cobble up some
      words to cover what he intended to do, regardless of the merits. Thus the
      non-sequiturs.

      The real story is this is another case of a national court stealing jurisdiction
      from a state court and in doing so, subverting the federal constitution.

      End of rant.

      JG

      [ Reply to This | # ]

      Destroying all copies sound like "bad faith"
      Authored by: Anonymous on Saturday, March 11 2006 @ 04:57 PM EST
      It is one thing if you destroy your own copies (which could be argued as
      contractual responsibility here), but Citrin is also alleged to have removed the
      copies that were stored on the company's central server. To use a real-world
      analogy, this is more like not only destroying the paper files at your house,
      but also getting into the company's files and removing those copies as well.
      The latter is most definitely wrong, and I wonder if IAC considered using the
      removal of data from the server as a cause under CFAA?

      It would sure seem more clear-cut to argue that the removal from the server was
      in excess of authorized access.

      IANAL, but right is right and wrong is wrong, and this just looks wrong.

      [ Reply to This | # ]

      Destruction of server [data] has to fail on this info
      Authored by: Anonymous on Saturday, March 11 2006 @ 05:34 PM EST
      If a person in possession of a laptop only wants to dispense with locally held
      data then there's an almost infinite number of fates that could befall said
      kit.

      "Accidental" exposure to a bulk eraser and a puzzled expression when
      the feds tried to boot it up would be one.

      Terminal Deceleration Trauma would be another.

      Of course, if the same data disappears off a backend server also - well then
      it's worth a second glance.

      On the other hand, if references to Snap servers are what I think they are, then
      deletions on the local PC would be automatically mirrored at the back end.

      So the "I was just clearing out space on my laptop officer, I don't know
      nuthink about any servers" defence would then be deployed.

      But the REAL question here is how could data (allegedly) be
      "destroyed" on the backend servers?

      Clued up Judge: Plaintiff, how much of the alleged "destroyed" data on
      your server were you able to recover from your nightly backup tapes?
      Plaintiff: Backups your honor?

      <grin>

      [ Reply to This | # ]

      How do they know what was deleted
      Authored by: publius_REX on Saturday, March 11 2006 @ 08:41 PM EST
      (see above comment by sckark46)
      How do they know what, if anything, was deleted?
      How do they distinguish temp files from others?
      Is this a tSCOg-like fishing expedition?
      Is this punishment by legal costs? (a common tool in USA)
      Hint: encrypt everything. Just to be sure.

      [ Reply to This | # ]

      IAC v. Citrin - Deleting Files a Crime?
      Authored by: polymath on Saturday, March 11 2006 @ 08:52 PM EST
      It seems to me that Citrin cannot be held to have installed a code or program to
      damage the computer if that code or program was a normal part of OS X.
      Especially when it was probably preinstalled or installed for him by the company
      technician; rather than installed by Citrin himself.

      On the other hand deleting the file from the snap server seems to qualify as the
      transmission of a command to destroy data that he knew, or should have known, he
      was not authorized to destroy.

      [ Reply to This | # ]

      Starting a new job before leaving the old
      Authored by: The Mad Hatter r on Saturday, March 11 2006 @ 08:54 PM EST


      Starting a new job before leaving the old isn't necessarily a crime - I've done
      it in the past but ONLY with the approval of management at the company I was
      leaving. The problem comes when you don't have that approval, are going to be
      competing with them, and have a non-compete agreement.

      Couple of years ago one of our staff decided to leave. While still working for
      the firm he was actively soliciting business for his new company, which is a
      direct competitor of ours.

      Management had a choice - go after him, or leave him alone. They chose not to
      go after him. There were various factors behind the decision, including our
      reputation among potential employees (note that while I knew this was under
      consideration, I was not directly involved in the decision). Quite frankly it
      came down to how much damage he did, and he didn't do enough to make it
      worthwhile.

      Part of the problem that management had at the time was a lack of knowledge of
      where the rest of staff stood, including most importantly myself (I'm our top
      sales rep). I have a very mild case of autism, so what I do and say doesn't
      always make sense from their point of view (note that they don't know about it,
      and I really should tell them at some point - because I know that some of my
      actions REALLY puzzle them).


      ---
      Wayne

      http://urbanterrorist.blogspot.com/

      [ Reply to This | # ]

      Frank Zappa said it best
      Authored by: roadfrisbee on Saturday, March 11 2006 @ 09:36 PM EST
      "We are a nation of laws, poorly written and randomly enforced" The
      problem with laws such as the Computer Fraud and Abuse Act, the RICO act, etc.
      is that they are so poorly written that the legal interpretation of these laws
      is basically "Whatever the heck we want them to mean". Rather than
      directly address a problem, our legislature tends to write laws that are a
      "scatter-gun" approach, and leave them open to interpretation by
      over-zealous prosecutors. A prime example is using "Weapons of Mass
      Destruction" laws against meth labs. These interpretations are idiotic,
      but the blame lies at the feet of the people who wrote them, and those who
      passed them. These people are incompetent, and need to be removed.

      [ Reply to This | # ]

      Helping one side out
      Authored by: Anonymous on Saturday, March 11 2006 @ 11:18 PM EST
      Isn't the judge supposed to be impartial? "Helping" one side by
      making a (small in this case) change to their argument just seems wrong to me. And
      what about the facts the judge used (that the program was transmitted, was a
      virus, that we didn't know where it came from, etc.) which were not agreed to by
      both parties... I thought that facts were for juries to weigh unless both sides
      agreed to them.

      So, in summary, something feels wrong about this decision.

      Is the only appeal to the US Supreme Court? Is there any other way to make a
      judge revisit their decision?

      [ Reply to This | # ]

      IAC v. Citrin - Deleting Files a Crime?
      Authored by: Anonymous on Sunday, March 12 2006 @ 12:43 AM EST
      I guess what chaps me most is that some rich idiot decided to screw a rich
      organization, and it may set some precedent that could affect all of us honest
      citizens.

      It would be nice if there were a 'rich twit' flag on legal decisions, such that
      future court cases could say, "Oh, it was one of _those_ guys. Let's see
      what the actual people who live in this country are doing...", rather than
      saying, "Hmmm. He|she used linux|Unix. That 'rm' thing doesn't make sense
      to me, so he|she must be violating some nationally important anti-terrorist
      legislation that we can't figure out anyway."
      The whole world begins to look like Alice's Wonderland, sometimes.

      [ Reply to This | # ]

      Snap Server 1100 review
      Authored by: SilverWave on Sunday, March 12 2006 @ 01:19 AM EST
      http://www.guru3d.com/article/content/119/

      "Here in the office we need to do regular backups and I'm telling you the
      ease of use and efficiency of this combo is not something that I'm willing to
      miss. It's the most secure backup solution that I've ever wished for. This
      software with a SnapServer 1100 is a fantastic combo."

      Ahah...

      This company was ...way serious... about the value of the information on this
      laptop.


      "You can use DataKeeper to:

      * Back up combinations of files and folders on your computer with options
      such as password protection and file compression.
      * Enable remote access to files from anywhere on the network.
      * Restore a single file (even from a compressed backup), a most recent
      version of a file, or an older version of a file from up to a year
      earlier."


      ---
      "They [each] put in one hour of work,
      but because they share the end results
      they get nine hours... for free"

      Firstmonday 98 interview with Linus Torvalds

      [ Reply to This | # ]

      IAC v. Citrin - Deleting Files a Crime?
      Authored by: Anonymous on Sunday, March 12 2006 @ 08:42 AM EST
      Exceeding Authorization -- Which is one reason why I avoid knowing the root
      password like the plague. The company's computer is the company's computer, and
      you better keep things squeaky clean!!!!

      I'm not so sure that a jury wouldn't see things Judge Posner's way. If you
      were to poll the public at large, I'm betting that 93 percent of them wouldn't
      know about secure delete. Probably 97 percent of them don't know that it's part
      of the OS in a Mac, (I didn't, but I use an older revision.) and if it's not on
      windows, then someone installing such a program was probably doing it with evil
      intent.

      They didn't get Al Capone on masterminding numerous murders, extortion, and what
      all. They got him on Income Tax evasion.

      Ask yourself this question:
      Is using laws in ways they were not designed for a good thing? Remember Judges
      do not write the laws, they only interpret them. Your elected representatives
      write the laws, and they base their decisions on input from "interested
      individuals".

      In order to get good laws, it is impossible to keep politics out of the
      discussion.

      [ Reply to This | # ]

      • 97% - Authored by: Anonymous on Sunday, March 12 2006 @ 11:29 AM EST

      Legal Calibration question
      Authored by: Anonymous on Sunday, March 12 2006 @ 11:12 AM EST
      I get the computer question. What I don't understand is the paper equivalent.
      What does the law say about paper files? If I feed my file cabinet to the
      shredder the day before I resign am I committing a crime or cleaning my office?


      It would seem to me that there should be parity in action.

      [ Reply to This | # ]

      What if *YOU* wiped the drive on a company laptop?
      Authored by: Walter Dnes on Sunday, March 12 2006 @ 01:55 PM EST
      The headline at the EmailBattles blog is misleading. They say "Wipe out
      *YOUR* hard disk, go directly to jail" (my emphasis). It was not Citrin's
      hard drive, or laptop. It was his employer's laptop.

      Ask yourself this question... what would happen to you if you wiped the drive
      on your employer's laptop without permission? I certainly have no intention of
      finding out "the hard way".

      [ Reply to This | # ]

      I Was Sued -- More on Computer Fraud and Abuse Act.
      Authored by: Anonymous on Sunday, March 12 2006 @ 02:37 PM EST
      One day I decided to quit my job. A few weeks after I quit I became acquainted
      with the Computer Fraud and Abuse Act (and the corresponding state statute) big
      time: I was sued.

      My computer was used mostly for accounting, spreadsheets and word processing.
      All data files created were printed out, then filed or bound up as reports. This
      was done as the files were created or shortly thereafter. Since everything went
      to hard copy and much of the data was one time use only, I had no compelling
      reason to make hard drive back ups. Due to the small hard drive and slow
      computer, every month or so I would delete the files which had already been
      printed out and use Norton Speed Disk to tidy things up, which automatically did
      a secure wipe of unused space. When I quit there was about a month's worth of
      data on the computer, the rest had already been printed and filed. Prior to
      leaving I prepared a 20 page status report which included the work in progress
      plus the location of all the printed data.

      My employer apparently did not like the timing of my resignation and
      "strongly" suggested that I reconsider. I refused and kept to my two
      weeks notice. A few days after I left the computer was then sent out for
      forensic analysis and was returned, the finding that there were no deleted files
      which were recoverable -- that is: all deleted files were intentionally
      destroyed by use of a secure wipe program. A couple weeks later I was sued with
      the complaint stating that I had deleted company files in violation of Computer
      Fraud and Abuse Act plus the corresponding state statutes. Discovery started
      and the company claimed that they could not specifically identify the missing
      files because they had already intentionally been deleted in violation of the
      law. In response to more discovery they finally made nonspecific references to
      data created over the last year of employment which they had expected to be
      present in the usual course of my employment but which they claimed could not be
      found.

      Finally, I was able to do a court ordered search of the Company's files and my
      old computer and "found" all the data created over the last year
      of employment both in hard copy form and on the computer. It seemed the company
      somehow "overlooked" the data in response to our other discovery
      requests but maintained still other unidentified data must be missing due to the
      state of the computer and the forensic analysis.

      The company eventually disclosed that they sought two years of back salary in
      compensation for the (non-alleged) "loss" but my guess was they
      decided to hire a replacement for my job at my own expense in retaliation for my
      resignation -- I would agree to pay this in the face of mounting legal fees. I
      refused the shakedown.

      The company continued to assert that the lack of recoverable files was proof of
      violation of the law. My $350.00 per hour lawyer filed a motion to dismiss based
      on the fact that there was no triable evidence -- in fact, nothing was missing,
      that the presumed missing data had been found during discovery, and even if
      something was missing the company could not identify it -- there was simply no
      triable evidence to present at trial. The judge ruled that the fact that there
      were no recoverable files on the hard drive indicated that I had intentionally
      used the wipe function to permanently delete company data in violation of the
      law. Whether I was authorized to do so was for the jury to decide. The motion,
      which alone cost $28,000, was denied. This was a one-term judge who made
      national headlines for his goofy decisions.

      In response, my lawyer forced the issue and filed another motion to prevent the
      company from presenting damages at trial since they were unable to produce
      evidence of any such damages in response to discovery. Before the motion was
      heard the judge referred the case to mediation and the company caved in with a
      settlement agreement. No money changed hands. In the end it cost about $150,000
      in legal fees for the extensive discovery, motions, oral arguments, and the
      like. It was my life's savings.

      The lesson learned: Your employer can bankrupt you with bogus charges, charges
      loosely based on the Computer Fraud and Abuse Act and the corresponding state
      statutes. If you are in a key position, get legal advice before quitting
      regarding the condition of your computer long before you quit. The law in some
      jurisdictions is clear: delete ANY file without specific authorization (and you
      had better get the authorization in writing) and you can wind up in court for years
      and it can cost you everything.

      [ Reply to This | # ]

      I'm going to disagree with PJ on this one.
      Authored by: meshuggeneh on Monday, March 13 2006 @ 12:26 AM EST
      Actually, I think PJ, Anderson and Posner all have it wrong. (oh boy... listen
      to me!)

      Anderson says a simple use of the existing file removal capabilities of the OS
      can't be regarded as an abuse, but neglects to notice that a "command"
      can also be "transmitted" to the computer and be subject to the CFAA.

      Posner speculates on the "transmission" of a program that deletes the
      file, but doesn't reflect that it is a command, or a series of clicks as is more
      likely, that is the malicious act allegedly perpetrated.

      PJ follows up on this, doubting Posner's argument and pointing out that the
      "erase" command isn't a "destructive" program, but fails to
      note that when it is used maliciously, whether it be typed out on the command
      line and pointed at the files in question or performed using a series of
      selection clicks and activating the program on the selected material, the
      *command* as it is composed becomes the malicious instruction transmitted to the
      machine.

      I think that the subject of the "transmission" is the actual command
      to delete the files, and not a "code" or "program".
      Commands are subject to the CFAA, as I see in the sections reproduced here.

      So PJ, I think you are wrong (much as I'd like to be on your side as much
      because you are a terrific person as because I don't like the implications of
      the whole mess) but I think, as far as I am concerned, you are in good company.
      :)

      [ Reply to This | # ]

      IAC v. Citrin - Deleting Files a Crime?
      Authored by: PeteS on Monday, March 13 2006 @ 03:17 PM EST
      I've been reading all the background and comments, and one thing really stands out - Really terrible law. It has been said that those who respect the law or like sausage should never watch either one being made, but this law is ripe even by that scale.

      Not that bad laws are the preserve of any one nation or state - it's a worldwide phenomenon, particularly with the latest technology: it seems legislators need 40 years to catch up.

      It reminds me of a T-shirt

      and with appropriate credits for the inspiration, my SQL query:

      >Select * from legislators where clue >0

      0 rows returned

      Seriously, the way this law is written, it positively invites abuse. In this case, the company is annoyed that the ex-employee (not a mere employee either) took the precaution of wiping possibly detrimental information (from his perspective) from the laptop and a server.

      Where, oh where, is some responsibility for a backup (I know, I have read the threads). So if one securely removes a file from a work computer (said file not necessarily belonging to the company), this act might be used against one.

      This is not merely academic.

      I was contracting to do a hardware system (hardware, base system firmware, implement a specified API) design, and to do that design, I personally (actually, my company) had an NDA with one of the chip vendors. The contract was written in such a way that I was required to do the work on their computers, but I was required to negotiate NDAs for myself. They wanted a finished product (so they said) that they would merely send out for fab, build and packaging.

      As many companies do not permit 3-way NDAs (and this chip vendor did not) I was not permitted to show those materials to my contracting company, yet I needed internal network access within their building, (but could not get it on my machine), so I used their computer and kept encrypted versions of the materials on that computer.

      At the end of the job, I used a secure filewipe to remove all NDA covered (My NDA) materials so I would be in compliance with that NDA. About a month later, I was called asking where the materials were, and I truthfully stated I had deleted those files as they were under my NDA and I was required to delete them. At this point they got a hissy fit, and I told them to go get their own NDA, so they could get the materials.

      Keep in mind that all the deliverables I had stated I would give I did give, along with all working notes except those related to NDA materials.

      Even so, this law looks like it might trump said contracts - and that could be a problem for a lot of small contractors who perhaps don't check as thoroughly as they should.

      Fortunately, that was some years ago (in the USA) before the passage of this act. I can just see the trouble that might get me into now.

      PeteS

      ---
      Artificial Intelligence is no match for Natural Stupidity

      [ Reply to This | # ]

      Lesson I learned a while ago
      Authored by: webweave on Tuesday, March 14 2006 @ 12:54 AM EST
      Lease your own computer, have it in your name and allow your company to pay
      its share of its use via your expense account. It's easy to add $50 per mo. to
      cover computer use. When you leave or get fired it's yours; all they did was pay
      for the time they received. Anyone who can maintain their own computer should
      do this.

      [ Reply to This | # ]

      Groklaw © Copyright 2003-2013 Pamela Jones.
      All trademarks and copyrights on this page are owned by their respective owners.
      Comments are owned by the individual posters.

      PJ's articles are licensed under a Creative Commons License. ( Details )