|Chilling Effects Clearinghouse > Weather Reports > Blackboard Erases Research Presentation with Cease-and-Desist, TRO|
Blackboard Erases Research Presentation with Cease-and-Desist, TRO
Jennifer Jenkins, Center for the Study of the Public Domain, September 30, 2003
Abstract: Two students' planned conference presentation on the insecurity of university campus physical security systems was blocked shortly before the talk by a cease-and-desist letter invoking the DMCA, along with trademark, trade secret, and computer hacking laws. Billy Hoffman and Virgil Griffith were scheduled to present their research on security flaws in the Blackboard ID card system at the Interz0ne II conference in Atlanta, until they and Interz0ne were served with a temporary restraining order (TRO) barring the presentation. The heavy-handed invocation of the law -- Blackboard obtained its TRO ex parte the day before the conference -- gave the students and conference organizer no opportunity to appear in court or challenge the order before the scheduled presentation had to be cancelled.
Hoffman and Griffith claimed to have found significant security flaws in Blackboards ID card system, and planned to present their findings at the Interz0ne conference. Upon learning of the conference, however, Blackboard used two legal maneuvers to silence discussion of these security flaws. First, it sent the conference organizers a cease and desist letter demanding that the conference refrain from "facilitating" the disclosure of this information. In addition, Blackboard filed a complaint against the two students, which enabled it to obtain a temporary restraining order prohibiting the students from presenting this information. Blackboard claimed that the students, in the course of their research, illegally hacked its card system. But, even if this "hacking" were illegal, it was not what the company targeted: both its letter and requested restraining order explicitly banned speech about the students research at the Interz0ne conference, on Hoffmans website and beyond.
On July 15, 2003, Blackboards lawsuit against the students concluded with a settlement requiring that the students, among other things, apologize for their conduct, refrain from any unauthorized use of Blackboards system, and perform 40 hours of community service.
Cease and desist letter
Cease and desist letters can make such spurious claims and overreaching demands because they are not official legal filings and there has been, as yet, little accountability for their abuses. Even though recipients may have the legal right to engage in the threatened activity (in this case the facilitation of free speech), those without specialized legal expertise and a solid defense fund most non-corporate recipients may simply comply with the letters demands out of fear, uncertainty and lack of resources. The Interz0ne conference organizers hardly had the time to even react to their cease and desist letter, which Blackboard sent on the eve of the students scheduled presentation. The conference complied with Blackboards demands, but not without exposing Blackboards tactics: in place of the students scheduled presentation, a conference representative read the content of the cease and desist letter.
Complaint and restraining order
Blackboards complaint requested a restraining order that would prohibit the students from revealing or discussing their information about the security flaws in its system, and require them to remove that information (as well as Blackboards logo) from Hoffmans website. The complaint alleged that several laws would be violated unless the court granted this order. In addition to claims involving computer crime laws, the complaint alleged that the students would infringe Blackboards intellectual property rights in its trademarks and trade secrets.
Blackboards trademark claim was far-fetched at best. Hoffman had suggested on his website that if Blackboard would not make parts of its card system more secure, "Ill simply make compatible ones myself and give them away." Elsewhere on Hoffmans website (not in connection with the discussion of these parts) Blackboards logo appeared. Based on Hoffmans statement and the unrelated appearance of Blackboards logo, the complaint claimed that his distribution of compatible parts would violate 18 U.S.C. s 2320the criminal law against "Trafficking in Counterfeit Goods and Services." First of all, the complaint cites the wrong law: this is the criminal counterfeiting provision rather than the civil provision, and only the government can invoke the criminal provision (which presents penalties in the millions of dollars and prison time of up to 20 years). Even under the civil counterfeiting provision, however, Hoffman would not have been liable for trafficking in counterfeit goods. By definition, counterfeit goods are fake goods that use someone elses trademark to pass off as genuine goods (fake Rolex watches, for example). The compatible parts that Hoffman described on his website were not counterfeit goodshe nowhere claimed that he would use Blackboards logo with them, or that anyone would think they were Blackboards products; in fact his point was that they would be different and more secure than Blackboards products. The unrelated appearance of Blackboards logo elsewhere on his website was obviously irrelevant to whether these particular goods would be making infringing use of Blackboards trademarks.
Blackboard also claimed that the students would misappropriate its trade secrets. Under the applicable law, in order to claim that any aspects of its card system were "trade secrets," Blackboard must have made reasonable efforts to maintain their secrecy; in other words, they must really have been secrets. (One of the most famous trade secrets is the Coca-Cola formula, which the company keeps in a bank vault that can only be opened by a resolution from its Board of Directors.) If anything, the students case indicated that the workings of Blackboards card system were not secret enough: according to Hoffman, the weak security of the system allowed him to easily discover and manipulate its components and operation. Blackboards efforts, if any, to guard its alleged trade secrets appear to have been inadequate. (In fact, when Hoffman tried to convince Blackboard to improve these efforts, the company ignored himbefore the Interz0ne conference, he had repeatedly notified Blackboard of the security flaws in its system, along with possible fixes, but the company did not redress them.)
In addition to these intellectual property claims, the complaint also contained allegations based on various computer crime laws. One charge alleged that the students would run afoul of computer trespass and password disclosure provisions in the Georgia Computer Systems Protection Act; however, it is debatable that these provisions would apply to the students intended actions. The other charges alleged that actions the students had already engaged in violated federal wiretapping and computer fraud laws. But whether these laws covered the students past actions is questionable, and more importantly beside the point. The purpose of the complaint was to justify a restraining order that would prevent future and different actions, such as the presentation at the conference, but the complaint does not explain how these actions might violate the cited laws (and it is highly unlikely that they would). Even though these computer crime allegations were implausible, they did summon laws that carried heavy criminal and civil penalties, and the threat of these penalties, in the end, may have induced the students to agree to Blackboards settlement (discussed below).
The other terms of this settlement concentrated on preserving Blackboards image and perpetuating the impression that its system was secure, and preventing future research that might show otherwise. First, the settlement essentially attempted to establish that Blackboard was right and the students were wrong. While the company originally used its letter and complaint to suppress speech, its settlement mandated that the students "agree" that their activities in connection with researching and criticizing the card system "would be wrong," apologize for these actions, and withdraw one of their more serious claims about the systems vulnerabilities. In addition, the settlement required the students to "refrain from any further unauthorized access to or use of the System," including "any transaction designed to better understand or determine how the System works." This forestalls any contribution by the students to future research and indicates that the company will make efforts to prevent any other unauthorized or in its words, "wrong" research. Unfortunately, if the company itself is unwilling to concede or address weaknesses in its system, this unauthorized research may be the best way to discover the systems flaws and generate solutions that would fix them.
In the end, Blackboard was able to use the law to ban two students from speaking at a conference, conducting security research and publicly criticizing its product. As long as such efforts prove effective, other individuals and corporations will continue to misuse the law in order to censor speech and other legitimate activities. Those concerned with chilling effects should take note.
Blackboard could legitimately be concerned that research by outsiders might make their products both less attractive and less secure. Makers of security systems for cars, for example, might have a similar concern if Consumer Reports were to publish a report that some popular system, such as LoJack or the Club, could be easily defeated by using two paper clips and a fountain pen. These concerns are legitimate, in that we do not want car thieves to make off with cars based on information received in the press. Nevertheless, we do not make it illegal for Consumer Reports to test security systems. We rely on the market to provide more secure alternatives, and we believe that informing consumers is too important for us to shut down the flow of information, even if some of it might be misused. Most security testers are delighted to think that their spotting of flaws might influence a future design change of the system, as Hoffman and Griffith clearly were here. They even offer to do some of the work for free. The affected companies have a strong incentive to work with outside security testers and to benefit from their discovery of holes in security systems. (For example, Microsoft has repeatedly improved its products because of security flaws pointed out by outsiders in the only possible way: by detailing how an attack would proceed.)
If cease and desist letters and restraining orders chill this vital area of security testing, consumers will be doubly impoverished. First, they will not be informed about serious flaws in products they are purchasing, as if it were to be illegal to reveal the tendency of certain tires on SUVs to explode at high speeds. Thus the market will not work as it is supposed to. Second, the products themselves may remain unsafe, because security testers will be chilled from revealing the flaws that must be fixed and the methods to fix them. Both of these results are entirely undesirable. To be sure, the companies whose vulnerabilities are being revealed have an understandable desire to clamp down on the knowledge, but the courts should not be drawn into the process without a much fuller adjudication than occurred in the Blackboard case. Education of the security testing community, and encouragement of informed consumer choices and responsible reporting, are much better tools for solving this problem.