Wednesday, October 23, 2013

Self-identify yourself as a hacker, see your legal rights suspended

We've always said that people need to watch what they say online, but this is taking things just a bit too far. As first reported by Digital Bond on Tuesday, the U.S. District Court for the District of Idaho seems to have suspended a software developer's legal rights, all because he self-identified himself as a hacker.

Battelle Energy Alliance, which is the management and operating contractor for the Idaho National Laboratory (INL), has sued ex-INL employee Corey Thuen and his company Southfork Security. The path to the lawsuit is as follows:
It began with the US Department of Energy funding an effort for INL to develop “a computer program aimed at protecting the United States’ critical energy infrastructure (oil, gas, chemical and electrical companies) from cyber attacks.” Corey Thuen was one of the developers of this software program that was later called Sophia. [...]

Battelle wants to license this technology, NexDefense was selected to negotiate for a license, and the suit states that Corey was pushing for it to be open source. Eventually Corey left INL, created Southfork Security, and wrote a similar “situational awareness” program called Visdom.

In simple terms, the suit alleges that Corey stole the code and violated agreements with INL.
In short, the suit alleges that Thuen stole Sophia code to use in Visdom.

The part about the Fourth Amendment, though, stems from the way that Battelle asked for -- and successfully received -- a restraining order without first notifying Southfork Security. According to the U.S. District Court of Idaho's decision, the court was strongly influenced by statements on the Southfork web site.

One, on its about page, says
We like hacking things and we don’t want to stop.
The second, on its main page, says
Southfork Security is a new startup in the ICS/SCADA security space made up of cybersecurity researchers formerly at Idaho National Laboratory. We worked there, hacked things, and made some cool tools.
From the court's decision:
The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates.

The tipping point for the Court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act.
Although Digital Bond called this a case of suspending Thuen's Fourth Amendment rights, that's not precisely the case here. Although it makes for great headlines, as Paul E. "Marbux" Merrell, J.D. commented:
I agree that the 4th Amendment is not in play here. The relevant law is the copyright statute and Fed.R.Civ.P. 65. A temporary restraining order (“TRO”) in a civil case between private parties where no government search or seizure is involved does not present 4th Amendment issues.

I’ll observe as a retired lawyer with lots of years spent in federal court cases that the judge’s order is staggeringly weak, with the reliance on the “hacker” admission by the defendants on their web site only one facet of a very weak argument by the Court. Most glaringly, the judge’s order prohibits the defendants from publishing their program, which raises an enormous “prior restraint” 1st Amendment issue that the Court does not address (and that the plaintiff’s lawyers apparently did not address as well).
How did this happen? Wikipedia notes that the term "hacker" can have many meanings:
Hacker (term), is a term used in computing that can describe several types of persons
  1. Hacker (computer security) someone who accesses a computer system by circumventing its security system
  2. Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment
  3. Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities
In this case, the court only recognized the term hacker as it refers to a cybercriminal (no. 1, above). This, in fact, is the meaning that most of mainstream media uses for the term.

In other words, while Fourth Amendment rights were not trampled upon, the court seems to have made a serious error, translating the word hacker into criminal, and insinuating that the fact that the "necessary computer skills" that Southfork had meant that the company had the "intent" of wrongdoing.

Heck, doesn't Apple have the necessary computer skills to read your iMessages? Oh, wait ...



No comments: