|  | ||||||||||||||||||||
| | ||||||||||||||||||||
| Chilling Effects Clearinghouse > Trade Secret > Weather Reports > MediaDefender Claims Analyzed | 
|
|  MediaDefender Claims AnalyzedPeter Ostrovski, October 07, 2007 Abstract: As against the hosts of stolen emails, MediaDefender's three statutory claims do not appear to be backed by the letter of the law or cases. Its claim of misappropriation of trade secrets would have some weight, if the information from the e-mails is found to contain trade secrets. Recently I described MediaDefender (MD)'s attempts to combat the spread of its internal e-mails through cease and desist demands sent to various online hosts. I've since examined the three statutes MD invokes as the legal basis for its threat. Careful analysis and a look at pertinent cases reveals that these laws do not create third party liability for hosting information (no matter how ill-gotten it is by someone else). The person acquiring the information would be held liable, but since the identity of that individual is still unknown, MD has improperly decided to address their letters to those hosting the data. It would appear that MD has included the three statutes, and the accompanying penalties they potentially provide for, in an attempt to scare host sites into removing the content in question. (But MD may have some valid points in another area—see the trade secrets section below). The complaint first cites 18 U.S.C. § 1030, the Computer Fraud and Abuse Act, but does not reference a particular section (only the threatened punishment). It's therefore up to the supposed wrongdoers to figure out what it is they supposedly did wrong, which at least under this act, appears to be: nothing. The first five provisions of Section (a) of the statute are all inapplicable, as they concern a party knowingly or intentionally accessing certain kinds of protected information. Since GPIO (now MediaDefender-Defenders or MDD) other hosts did not access anything (remember the MediaDefender e-mails appeared on the sites from third party sources), we move right along. (An examination of cases invoking § 1030 also turns up no examples of responsibility for third party breaches.) The last section deals with extortion and causing damage to protected computers, so we can ignore it as well. The only part that may even conceivably apply is (a)(6), which concerns the trafficking of "any password or similar information through which a computer may be accessed without authorization." Even if the information at issue is somehow construed to fall into this category, it would still be a fairly hard sell to show that any "trafficking" occurred and if it did, that it took place "knowingly and with intent to defraud." We now move on the second alleged violation, that of 18 U.S.C. § 2701, the Electronic Communications Privacy Act. The statute specifies punishment for an entity that "intentionally accesses without authorization a facility through which an electronic communication service is provided" or "intentionally exceeds an authorization to access that facility." As before, since the hosts themselves did not access the information in question, they seem to be unaffected by this statute. A careful review of cases arising out of this act also results in no examples of third party liability. Not looking too good on the federal claims--let's see if the state act applies. The last potential prong of MD's tripartite attack is Cal. Penal Code § 502, the California Computer Data Access and Fraud Act. The provisions of this statute, however, read very much like the federal Computer Fraud and Abuse Act (lots of "knowing access" language) and appear to be similarly inapplicable to hosts. There is no mention of third parties, and a look at case law citing the statute again yields nothing that would implicate hosts. While Congress (and the California Legislature) may, in light of this fairly visible issue, modify these acts to include third party hosts that ease access to such unauthorized information (in which case, this would still be far from an open and shut case for a multitude of reasons), the statutes as they stand do not appear to back MediaDefender. So none of the statutes MediaDefender cites seems to impose liability on a third-party poster. Then there's the whole Trade Secret issue. We first have to ask whether the information contained in the e-mails was a trade secret. Though it would appear that much it was not, there's room for argument among the whole mass. The first characteristic of a trade secret is that it must be a secret that provides a business with a competitive advantage. While it is a bit unclear how anything in those e-mails provided MD with a competitive advantage (against other anti-piracy companies working for the RIAA?), it could have, and trade secret status itself is a tricky concept. To qualify, information must be "not generally known or readily ascertainable." Host sites would argue that the key information at issue here was widely reported by numerous sources, including official news organizations, as soon as it was leaked (and some of it was available even before). MD, however, would contend that this classification does not cover all of the content, some of which was indeed secret, or that the rapid dissemination shouldn't deprive it of erstwhile secrets. Let's say that those e-mails did contain some trade secrets. Did sites hosting them engage in misappropriation of trade secrets? Then, finally, it would appear that they did. The Uniform Trade Secret Act's definition of misappropriation, as applicable in this case, is "disclosure or use of a trade secret of another without express or implied consent by a person who ... at the time of disclosure or use knew or had reason to know that his knowledge of the trade secret was derived from or through a person who has utilized improper means to acquire it." Even if certain hosts can claim ignorance over a certain period of time, MediaDefender could put them on future notice with a cease and desist notice. For a place like MD-Defenders, which openly boasts about hosting this particular content knowing how it was acquired, the ignorance argument wouldn't fly. Even under this scenario, however, damages appear minimal. There is no actual loss here, and the only unjust enrichment experienced by hosts would be additional ad revenue from an increase in the number of people using the site. This figure would be higher for MD-Defenders since it relies solely on this information and probably fairly low for torrent hosts. But for all this to happen, the information has to be proven to fall into the category of trade secrets. (And if only some of the information qualifies, what proportion of the unjust enrichment would be attributable to the trade secrets?)
|
|
|
|
Related News