Information Security News mailing list archives

Cyberlawyer: Don't blame the hackers


From: InfoSec News <isn () C4I ORG>
Date: Thu, 1 Feb 2001 16:51:13 -0600

http://news.cnet.com/news/0-1014-201-4673155-0.html?tag=btmprm

By Robert Lemos
Special to CNET News.com
February 1, 2001, 3:30 a.m. PT

Jennifer Granick is a well-known figure within the hacker community.
She helped Kevin Poulsen navigate his return to using computers after
the convicted hacker came out of jail. Granick is now defending Jerome
Heckenkamp, the 21-year-old Los Alamos National Laboratory employee
accused of breaking into eBay's computer systems.

A frequent speaker at the annual Def Con hacker conference, Granick
was appointed last month to head Stanford University Law School's new
Center for Internet and Society, a legal institute that will train
students in Internet law.

In a recent interview on the Stanford campus, Granick talked about the
Center, the future of law on the Internet, and the important cases of
2001.


What is the Center for Internet and Society?

It's new, so (laughing) that's one thing it is. This is a program that
Stanford Law School is starting that Larry Lessig runs, which is a
combination public interest, technology and computer law program.


As far as law students are concerned, what will the Center provide?

Well, I have my students, who are participating in the clinical part
of the Center. We are going to do actual litigation of cases and give
direct representation to clients. But we're going to litigate the
cases in court--whether they are criminal or civil--so long as they
raise a public interest issue and are the kind of things that we want
to work on. The Center as a whole will have other projects as well
that students can be involved in...but one of the main parts of
it--and the thing that I do--is the clinical part, the practical.


Will most of the cases be defending someone or will you also take a
proactive role?

We're going to do suing people, too. We'll do both. We don't care. It
just depends on the issue.


What sort of issues are you going to pursue?

We're going to do free speech vs. copyright type issues, open-access
broadband issues. We may do some trade secrets litigation, where
computer security people are sued or criminally prosecuted because
they threatened to reveal information about a company's security
vulnerabilities. Stuff like that.


Have you taken any cases yet?

We have one that involves alleged game piracy, where a company has
claimed that our clients have contributorially infringed on their
copyrighted game. I don't know if that is going to end up as a lawsuit
or not. We are kind of in a wait-and-see mode.

Then we have one project we have agreed to work on with Indian tribes
having to do with sovereignty over broadband that passes through their
territory. That's a case Larry (Lessig) was really interested in
because they have an alternative model for distributing broadband
other than auctioning the frequency off to the highest bidder. So,
something different that keeps the network open--not just to the money
interests but to everybody--is something that we want to work on.


That's a jurisdictional case? Would that have any effect on the
current lawsuit against Yahoo France?

We have to decide whether and how much we want to get involved in
jurisdictional stuff. I don't know what the students are going to want
to do. It is not a huge interest of mine, but I may come to see things
differently, given the right case that comes along.


Looking at what's happening on the Internet front, what are the issues
that you think will be most important?

Intellectual property is going to be huge for us--more than anything
else, more than legislation, more than, I think, even filtering
technology. Intellectual property is going to determine what you see
on the Internet.


Like what? Copyright, trademark?

Copyright, trademark, some patent, but mostly copyright and trademark
law. And then we are going to be doing a lot of copyright free speech
type of stuff. I think that is going to be really huge. We are going
to have to do a lot with trade secrets too.

I would hope that we get involved with some standards, which may not
be through litigation but through some other way. But I believe that
standards have to do with how the Internet operates. It is sort of
arcane and uninteresting to the average person, but really critical
because the decisions that are made at the basic technology level
determine what kinds of things you can do with the network later on.


A couple of cases out there seem to be influencing what will "be" on
the Internet in the future. For instance, what about the various DeCSS
lawsuits?

The DeCSS case--there are a lot of good issues with that, that sort of
reverse engineering, and reverse engineering is a fair use and free
speech right. Is it a right that stems from contract, from statute,
from the Constitution--you know, what's the basis of it? That's a
really important issue.

I know that Larry's been working on the case and writing some briefs
for the defendants in the DVD litigation. So I think that the Center
may have some role in that. How formal it will be and what we can do
once classes start or what stage that litigation will be in--I don't
know. We are already in the appellate process there.


What about the push by the software industry to pass laws that make
software licenses more binding--that is, UCITA (Uniform Computer
Information Transactions Act)?

We haven't been targeted toward doing any kind of lobbying, but that's
not out of the question for us either. That may be the kind of thing
we can do effectively by coordinating with other centers locally or
something like that.


Will licensing be a big issue?

I think licensing is a huge issue. A couple of people have contacted
me about licensing-related stuff, both in terms of licenses that say
you can't reverse engineer licenses or that say you cannot make any
copies for any purpose whatsoever. Each license is sort of different.
People don't even read them, so are they really enforceable? There are
licenses that make you agree to let the company use remote scanning
software to see if you have pirated versions of their software on
their hard drives, which has privacy implications. There is a question
that I would like to litigate as to whether some of these terms that
have become standard in these licenses are legally enforceable at all.


There also seems to be a big push by companies to use lawsuits to
reveal people's identities on the Net. Are you looking into that?

John Doe litigation? I know the Electronic Frontier Foundation is
doing a project for people who are served with these subpoenas, and we
may provide some support and work with them on that. There is a
cease-and-desist letter project that the Berkman Center does, and the
EFF started a John Doe subpoena project. That is really important, and
we will work some on that.


What is the issue?

Anonymity. It is basically if there is a right to anonymity.


Do those companies that sue intend to actually prosecute?

Sometimes it is just harassment...and it is not really worth the
resources to sue this person. But if there is a whole big splash about
how they're finding out who these people are because they are going to
sue them, then that has a speech-chilling effect which may get the
company what they really want in the long run without actually having
to sue any of these John Does.


Let's go back to your old stomping ground. Are you giving up
cybercrime cases?

There are going to be some criminal cases that will raise public
interest issues that the Center may take. There will be other criminal
cases that don't really raise public interest issues, but that I'm
interested in for some other reasons, that I may take. And if I take
those cases, then I will take responsibility alone as a separate
entity. If the client doesn't mind and if the students feel like it,
then the students may work on those cases if they like. Those types of
things will be separate. But the hallmark of the Center is that the
cases have to have a public interest issue.


How do you see the current climate? Are hackers being treated fairly?
Are they being pursued in proportion to the threat they represent?

Well, I think there is a hysteria about the hackers, which is
dangerous because of things like what I said with security people
getting sued or prosecuted for discovering security vulnerabilities
and threatening to disclose them or disclosing them in a way that the
company didn't want to have done. I think that it's dangerous, and I
think that it gives hacking--in terms of its societal harm--too heavy
a weight. I don't think that it has the level of societal harm that
all the news stories and all of that give it. But there are going to
be a lot of other issues in which I am afraid the law is far too
serious. It seems like our law has come down on the side of the
intellectual property holder almost all the time. And the recording
industry is incredibly powerful. And I think that is something to be
equally afraid of, as being afraid of the government and their
overzealous prosecution of the hacker cases. Of course, with (John)
Ashcroft as the attorney general, I think we can probably expect to
see more of that type of mentality about these crimes as opposed to
less.


Last question: Is there a crisis looming? Are there any issues that we
have to fight before we have to go much further in our development as
an Internet society?

There are a lot of important issues, and I think we need to fight them
all. I don't know if there is one that I think is worse or less worse.
As litigation comes down the pike, something becomes a crisis; then it
sort of ebbs away. And then something else becomes a crisis. You're
always putting out the fires.

ISN is hosted by SecurityFocus.com