Chilling Effects
Monitoring the legal climate for Internet activity

    Blackboard Erases Research Presentation with Cease-and-Desist, TRO

    Jennifer Jenkins, Center for the Study of the Public Domain, September 30, 2003

    Abstract: Two students' planned conference presentation on the insecurity of university campus physical security systems was blocked shortly before the talk by a cease-and-desist letter invoking the DMCA, along with trademark, trade secret, and computer hacking laws. Billy Hoffman and Virgil Griffith were scheduled to present their research on security flaws in the Blackboard ID card system at the Interz0ne II conference in Atlanta, until they and Interz0ne were served with a temporary restraining order (TRO) barring the presentation. The heavy-handed invocation of the law -- Blackboard obtained its TRO ex parte the day before the conference -- gave the students and conference organizer no opportunity to appear in court or challenge the order before the scheduled presentation had to be cancelled.



    Background


    On Saturday, April 12, 2003, university students Billy Hoffman and Virgil Griffith were scheduled to present their research at the second Interz0ne conference. They had been prepared to discuss the security flaws in a widely used ID card system known as the Blackboard Transaction System. Students and faculty at schools nationwide use these systems to automatically charge meals, snacks, books, laundry and other items to their debit accounts. They also use these systems to gain access to campus buildings and parking decks. According to Blackboard, its ID card system "covers approximately 223 university systems nationwide, including electronic security systems, trust accounts, debit cards, and many other electronic types of financial and physical security." Blackboard advertises its system as "safe" and "secure."

    Hoffman and Griffith claimed to have found significant security flaws in Blackboard’s ID card system, and planned to present their findings at the Interz0ne conference. Upon learning of the conference, however, Blackboard used two legal maneuvers to silence discussion of these security flaws. First, it sent the conference organizers a cease and desist letter demanding that the conference refrain from "facilitating" the disclosure of this information. In addition, Blackboard filed a complaint against the two students, which enabled it to obtain a temporary restraining order prohibiting the students from presenting this information. Blackboard claimed that the students, in the course of their research, illegally hacked its card system. But, even if this "hacking" were illegal, it was not what the company targeted: both its letter and requested restraining order explicitly banned speech about the students’ research at the Interz0ne conference, on Hoffman’s website and beyond.

    On July 15, 2003, Blackboard’s lawsuit against the students concluded with a settlement requiring that the students, among other things, apologize for their conduct, refrain from any unauthorized use of Blackboard’s system, and perform 40 hours of community service.

    Cease and desist letter

    Like many cease and desist letters, Blackboard’s letter intimidated its recipient with exaggerated and often unfounded legal threats. What initially sparked attention for this case was the cease and desist letter’s citation of the Digital Millennium Copyright Act (DMCA) as a possible ground for legal action. However, in its complaint filed on the same day, Blackboard did not mention the DMCA as a basis for legal action, indicating its awareness that a DMCA claim would be unlikely to succeed. Blackboard’s letter also suggested that the conference organizers could face implausible "criminal consequences." Based on these threats, the cease and desist letter made overly broad demands. For example, it did not only seek to silence criticism of Blackboard’s product, but effectively banned any discussion of Blackboard at all: "Blackboard also requests that you immediately cease and desist from any facilitation of the use of its name and marks in any manner, and that you remove all references to Blackboard and its Transaction System from any website, power point presentation, seminar handouts, or any other promotional materials…"

    Cease and desist letters can make such spurious claims and overreaching demands because they are not official legal filings and there has been, as yet, little accountability for their abuses. Even though recipients may have the legal right to engage in the threatened activity (in this case the facilitation of free speech), those without specialized legal expertise and a solid defense fund – most non-corporate recipients – may simply comply with the letter’s demands out of fear, uncertainty and lack of resources. The Interz0ne conference organizers hardly had the time to even react to their cease and desist letter, which Blackboard sent on the eve of the students’ scheduled presentation. The conference complied with Blackboard’s demands, but not without exposing Blackboard’s tactics: in place of the students’ scheduled presentation, a conference representative read the content of the cease and desist letter.

    Complaint and restraining order

    Blackboard’s complaint requested a restraining order that would prohibit the students from revealing or discussing their information about the security flaws in its system, and require them to remove that information (as well as Blackboard’s logo) from Hoffman’s website. The complaint alleged that several laws would be violated unless the court granted this order. In addition to claims involving computer crime laws, the complaint alleged that the students would infringe Blackboard’s intellectual property rights in its trademarks and trade secrets.

    Blackboard’s trademark claim was far-fetched at best. Hoffman had suggested on his website that if Blackboard would not make parts of its card system more secure, "I’ll simply make compatible ones myself and give them away." Elsewhere on Hoffman’s website (not in connection with the discussion of these parts) Blackboard’s logo appeared. Based on Hoffman’s statement and the unrelated appearance of Blackboard’s logo, the complaint claimed that his distribution of compatible parts would violate 18 U.S.C. § 2320—the criminal law against "Trafficking in Counterfeit Goods and Services." First of all, the complaint cites the wrong law: this is the criminal counterfeiting provision rather than the civil provision, and only the government can invoke the criminal provision (which presents penalties in the millions of dollars and prison time of up to 20 years). Even under the civil counterfeiting provision, however, Hoffman would not have been liable for trafficking in counterfeit goods. By definition, counterfeit goods are fake goods that use someone else’s trademark to pass off as genuine goods (fake Rolex watches, for example). The compatible parts that Hoffman described on his website were not counterfeit goods—he nowhere claimed that he would use Blackboard’s logo with them, or that anyone would think they were Blackboard’s products; in fact his point was that they would be different and more secure than Blackboard’s products. The unrelated appearance of Blackboard’s logo elsewhere on his website was obviously irrelevant to whether these particular goods would be making infringing use of Blackboard’s trademarks.

    Blackboard also claimed that the students would misappropriate its trade secrets. Under the applicable law, in order to claim that any aspects of its card system were "trade secrets," Blackboard must have made reasonable efforts to maintain their secrecy; in other words, they must really have been secrets. (One of the most famous trade secrets is the Coca-Cola formula, which the company keeps in a bank vault that can only be opened by a resolution from its Board of Directors.) If anything, the students’ case indicated that the workings of Blackboard’s card system were not secret enough: according to Hoffman, the weak security of the system allowed him to easily discover and manipulate its components and operation. Blackboard’s efforts, if any, to guard its alleged trade secrets appear to have been inadequate. (In fact, when Hoffman tried to convince Blackboard to improve these efforts, the company ignored him—before the Interz0ne conference, he had repeatedly notified Blackboard of the security flaws in its system, along with possible fixes, but the company did not redress them.)

    In addition to these intellectual property claims, the complaint also contained allegations based on various computer crime laws. One charge alleged that the students would run afoul of computer trespass and password disclosure provisions in the Georgia Computer Systems Protection Act; however, it is debatable that these provisions would apply to the students’ intended actions. The other charges alleged that actions the students had already engaged in violated federal wiretapping and computer fraud laws. But whether these laws covered the students’ past actions is questionable, and – more importantly – beside the point. The purpose of the complaint was to justify a restraining order that would prevent future and different actions, such as the presentation at the conference, but the complaint does not explain how these actions might violate the cited laws (and it is highly unlikely that they would). Even though these computer crime allegations were implausible, they did summon laws that carried heavy criminal and civil penalties, and the threat of these penalties, in the end, may have induced the students to agree to Blackboard’s settlement (discussed below).

    Despite these questionable claims in the complaint, the court summarily granted the requested restraining order. This order prohibited the students from such activities as "claiming…any right…to provide products or services that can legitimately be used or interfaced with a Blackboard product" and "discussing" information about the product’s security flaws. Even if the students were going to infringe Blackboard’s trademarks, misappropriate its trade secrets or violate computer crime laws, these remedial measures would be overreaching: claiming the right to provide better products and discussing information about product flaws are acts of free speech (and do not violate those laws). By enjoining such activities, the restraining order trammeled the students’ First Amendment rights, and did so based on highly disputable allegations. If the students had the time or comparable resources to marshal a team of lawyers, these lawyers could have educated the court as to the deficiencies of Blackboard’s complaint, and the importance of the students’ free speech rights. Unfortunately, not every court has the necessary background to understand this complex area of law, and the aggressive language and misleading claims in the complaint – standing unchallenged – were sufficiently convincing to draw this court-ordered restraint of speech.

    Settlement

    The actual settlement agreement between Blackboard and the students was confidential, but an announcement by Blackboard summarized the agreement’s terms. (There is no indication that the students had the necessary resources to negotiate a fair settlement, any more than they did to defend the original lawsuit.) The settlement’s emphasis was different than that of the cease and desist letter and complaint. There was no longer any point in restricting disclosure of the students’ research at the Interz0ne conference or on Hoffman’s website. The company had already intercepted their presentation at the conference, which was over; and, interestingly, Hoffman’s website had been mirrored so many times since the conference that suppressing its content was beyond the capability of the settlement. Where it could, however, the settlement did continue to restrict lawful speech: its trademark terms provided that the students "will not use or display any name, trademark or logo of Blackboard publicly or commercially," whether or not this use would actually violate trademark law.

    The other terms of this settlement concentrated on preserving Blackboard’s image and perpetuating the impression that its system was secure, and preventing future research that might show otherwise. First, the settlement essentially attempted to establish that Blackboard was right and the students were wrong. While the company originally used its letter and complaint to suppress speech, its settlement mandated that the students "agree" that their activities in connection with researching and criticizing the card system "would be wrong," apologize for these actions, and withdraw one of their more serious claims about the system’s vulnerabilities. In addition, the settlement required the students to "refrain from any further unauthorized access to or use of the System," including "any transaction designed to better understand or determine how the System works." This forestalls any contribution by the students to future research and indicates that the company will make efforts to prevent any other unauthorized – or in its words, "wrong" – research. Unfortunately, if the company itself is unwilling to concede or address weaknesses in its system, this unauthorized research may be the best way to discover the system’s flaws and generate solutions that would fix them.

    Chilling Effects

    When not abused, cease and desist letters and restraining orders can be valuable tools for protecting a company’s rights. For example, if someone began selling counterfeit products bearing the Blackboard logo to universities, then using a cease and desist letter to prevent this activity would be appropriate. However, what the instant case shows is that these measures are increasingly being used in destructive ways that deviate from what the law intended. Intellectual property and computer laws were not enacted so that companies could censor information about the shortcomings of their products, especially when this information could benefit the public. Yet Blackboard, through an intimidating letter and questionable court filing, used these laws to silence disclosure and discussion of security flaws that could endanger financial and personal security at hundreds of universities nationwide. Any claim that these flaws did not exist is belied by Blackboard’s aggressive efforts to prevent anyone from learning about them, and by sustained criticism of its system—a number of mailing lists and websites have emerged that continue to identify security problems.

    In the end, Blackboard was able to use the law to ban two students from speaking at a conference, conducting security research and publicly criticizing its product. As long as such efforts prove effective, other individuals and corporations will continue to misuse the law in order to censor speech and other legitimate activities. Those concerned with chilling effects should take note.

    Blackboard could legitimately be concerned that research by outsiders might make their products both less attractive and less secure. Makers of security systems for cars, for example, might have a similar concern if Consumer Reports were to publish a report that some popular system, such as LoJack or the Club, could be easily defeated by using two paper clips and a fountain pen. These concerns are legitimate, in that we do not want car thieves to make off with cars based on information received in the press. Nevertheless, we do not make it illegal for Consumer Reports to test security systems. We rely on the market to provide more secure alternatives, and we believe that informing consumers is too important for us to shut down the flow of information, even if some of it might be misused. Most security testers are delighted to think that their spotting of flaws might influence a future design change of the system, as Hoffman and Griffith clearly were here. They even offer to do some of the work for free. The affected companies have a strong incentive to work with outside security testers and to benefit from their discovery of holes in security systems. (For example, Microsoft has repeatedly improved its products because of security flaws pointed out by outsiders in the only possible way: by detailing how an attack would proceed.)

    If cease and desist letters and restraining orders chill this vital area of security testing, consumers will be doubly impoverished. First, they will not be informed about serious flaws in products they are purchasing, as if it were to be illegal to reveal the tendency of certain tires on SUVs to explode at high speeds. Thus the market will not work as it is supposed to. Second, the products themselves may remain unsafe, because security testers will be chilled from revealing the flaws that must be fixed and the methods to fix them. Both of these results are entirely undesirable. To be sure, the companies whose vulnerabilities are being revealed have an understandable desire to clamp down on the knowledge, but the courts should not be drawn into the process without a much fuller adjudication than occurred in the Blackboard case. Education of the security testing community, and encouragement of informed consumer choices and responsible reporting, are much better tools for solving this problem.

     

