Twitter and “Hacker Croll” problems

The hacker eventually sent the documents to tech blog TechCrunch, which decided to post some but not all of them. They are online here, here and here. Soon, a debate raged about whether or not TechCrunch was right to post the documents.

The Twitter files in question aren’t exactly the Pentagon Papers, but their dissemination — and the resulting controversy — may help clarify whether blogs and bloggers are journalists.

Before getting to that issue, a brief and very general survey of the legalities involved in unauthorized access to corporate documents may be helpful background. There are several bodies of law that may be implicated by the scenario outlined in Twitter’s account of the incident.

Unlawful Access

According to Twitter, the documents sent to TechCrunch were obtained through unauthorized access to an employee’s email account, followed by unauthorized access to other email and online accounts. There are a number of federal and state enactments that the hacker may have violated by accessing those accounts without authorization.

Unauthorized access to electronic communications such as stored email (as opposed to email that is “intercepted” in transit) is covered by the federal Stored Communications Act (SCA). Violations of the Act may result in a criminal prosecution or a civil action for damages. In addition, many states have enacted laws that are similar to the federal statute.

Unauthorized access to a computer is largely covered under the federal Computer Fraud and Abuse Act (CFAA), which makes unauthorized access a crime under specified circumstances. Like the SCA, the CFAA permits a person (which includes a corporation or other entity) who suffers damage or loss by such access to bring a civil action for damages and an injunction.

As is the case with the SCA, there is an extensive body of law that relates to the CFAA, as well as a number of important, outstanding disagreements about how it applies. For example, when copies of electronic documents are obtained via unauthorized access to a computer network and the original documents are neither damaged nor destroyed, there is a question as to whether there was either “damage” or “loss” within the meaning of certain sections of the CFAA.

Many, if not most, states have computer crime statutes that potentially cover the kind of unauthorized access alleged by Twitter. These enactments may be similar to the federal statute, but they can be more broadly applicable. For example, Section 502 of the Penal Code of California (where Twitter’s main office is located), like the federal statute, criminalizes certain acts of unauthorized access to computer systems and similarly provides for a civil right of action.

That said, an incident might fall under the unauthorized computer access statute of more than one state. A prosecutor in a particular state might seek to bring charges based on the location of the hacker at the time of the unauthorized access, or the location of the server or servers upon which the email account or accounts were hosted.

According to TechCrunch, which documented extensive discussions with Hacker Croll, the attacker is French, and thus may be operating from outside the U.S. If that’s the case, while U.S. laws may still apply to the hacker’s conduct, either criminal prosecution or a civil action may be more difficult to maintain as a practical matter.

Trade Secrets

Unauthorized access to corporate information in general (regardless of the manner in which the items were obtained) may constitute trade secret misappropriation. A secret formula or process such as the closely guarded recipe for making the Coca-Cola soft drink is what most people probably think of as a trade secret. Most states have enacted some version of the Uniform Trade Secrets Act (UTSA), which defines the term very broadly to include not only a secret process or formula but also any other “information” that has economic value as a result of being kept secret. Corporate documents containing information that would be valuable to a competitor, such as business plans and non-public financial information, can fit that definition under the proper circumstances. The UTSA provides for a civil action for unlawful access to trade secrets.

There is also a federal statute, the Economic Espionage Act of 1996 (EEA), that criminalizes the theft of trade secrets. The federal statute is broader than state trade secret misappropriation laws in some respects, and narrower in others. The EEA expressly covers “all forms and types of financial…information,” and violations may result in 10 years in prison and up to a $250,000 fine.

But in a case of “domestic” trade secret theft, there must be a showing of intent to economically benefit a person other than the rightful owner of the trade secret. Hacker Croll has denied having any intent of that nature. If that is the case, then the EEA may not apply. On a related note, it has also been suggested that the California law criminalizing the receipt of stolen property may apply to this incident.

Privacy

Some of the information obtained via the Twitter hack appears to pertain to individuals, such as documents discussing individuals who had applied to Twitter for jobs. This information is both personal to the individual and potentially proprietary to a corporation. Some states allow a right of action for public disclosure of private facts, where private information which is not of public concern, and which would be highly offensive to a reasonable person, is publicly disseminated. This right of action might come into play if the information was posted publicly, either by the hacker or by TechCrunch. But it is not clear that applying for a job is the kind of embarrassing personal information usually involved in such a lawsuit, and it could be argued that such information is of legitimate public interest, at least with respect to some individuals.

In any event, TechCrunch apparently decided not to post any of the personal information included in the documents. The site said it would only post “information that is relevant to Twitter’s business, particularly product notes and financial projections….” TechCrunch editor Michael Arrington discussed his reasoning in an interview with the New York Times in which he stated that he had been working with Twitter to determine which documents to publish.

The discussion of potentially applicable laws is speculative, and will remain speculative unless Twitter decides to take legal action against the hacker or TechCrunch, or if federal or state authorities decide to prosecute Hacker Croll. In either event, press shield laws and the First Amendment are likely to come into play.

Confidential Information and the First Amendment

As previously noted, the Twitter documents aren’t exactly the Pentagon Papers, but in some respects the same issues are involved. TechCrunch is taking the position that, regardless of the manner in which the hacker obtained them, the documents are of legitimate public interest and that posting them is protected by the First Amendment. The U.S. Supreme Court has ruled that the interest in privacy of information can be outweighed by the public interest in the dissemination of truthful information about matters of public importance.

See, for example, the court’s opinion in Bartnicki v. Vopper, 532 U.S. 514 (2001), which involved a radio station that played a recording of a phone conversation about school district labor negotiations. The tape was made illegally by an unknown third party and sent to the station anonymously. It’s important to note that the court specifically stated it was not ruling on whether the same analysis would apply to a case involving a disclosure of trade secrets.

The issue of trade secrets has arisen on more than one occasion in the last several years with respect to Apple Inc.’s continuing efforts to protect its trade secrets from disclosure. One case was settled with an agreement by the operator of the Think Secret blog to shut down his website, albeit without disclosing the source(s) of his information. [PBS]

Post information:
This entry was posted on Wednesday, August 26th, 2009 at 4:17 pm and is filed under Internet Trends