2014

Is it illegal to test websites for security flaws? Heartbleed & the CFAA

Erin Fleury, MJLST Managing Editor

Earlier this year, the general public became acutely aware of the Heartbleed security bug which exposed vast amounts of encrypted data from websites using OpenSSL technology (estimated to affect at least 66% of active websites). Software companies are still fixing these vulnerabilities but many servers remain vulnerable and surely victims could continue to suffer from these data breaches long after they occurred. While Heartbleed, and the fact that it was around for nearly two years prior to detection, is troubling by itself, it also raises concerns about the scope of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, and white-hat hackers.

The CFAA prohibits “intentionally accessing a computer without authorization or exceed[ing] authorized access” and thereby “obtain[ing] information from a protected computer.” See § 1030(a)(2). It would appear that the Heartbleed bug operates by doing exactly that. In very simplistic terms, OpenSSL authorizes limited requests for information but Heartbleed exploits a flaw to cause systems to send back far more than what is intended. Of course, the CFAA is meant to target people who use exploits such as this to gain unauthorized access to computer systems, so it would seem that using Heartbleed is clearly within the scope and purpose of the CFAA.

The real problem arises, however, for people interested in independently (i.e. without authorization) testing a system to determine if it is still susceptible to Heartbleed or other vulnerabilities. With Heartbleed, the most efficient way to test for the bug is to send an exploitive request and see if the system sends back extra information. This too would seem to fall squarely within the ambit of the CFAA and could potentially be a violation of federal law. Even testing a website which has been updated so that it is no longer vulnerable could potentially be a violation under §1030(b) (“attempting to commit a violation under subsection (a)”).

At first glance it might seem logical that no one should be attempting to access systems they do not own, but there are a number of non-nefarious reasons someone might do so. Perhaps customers may simply wish to determine whether a website is secure before entering their personal information. More importantly, independent hackers can play a significant role in finding system weaknesses (and thereby helping the owner make the system more secure), as evidenced by the fact that many major companies now offer bounty programs to independent hackers. Yet those who do not follow the parameters of a bounty program, or who discover flaws in systems without such a program, may be liable under the CFAA because of their lack of authorization. Furthermore, the CFAA has been widely criticized for being overly broad because, among other reasons, it does not fully distinguish between the reasons one might “exceed authorization.” Relatively minor infractions (such as violating the Terms of Service on MySpace) may be sufficient to violate federal law, and the penalties for fairly benevolent violations (such as exploiting security flaws but only reporting it to the media rather than using the obtained information for personal gains) can seem wildly disproportional to the offense.

These security concerns are not limited to websites or the theft of data either. Other types of systems could pose far greater safety risks. The CFAA’s definition of a “protected computer” in § 1030(e)(1-2) applies to a wide range of electronics and this definition will only expand as computers are integrated into more and more of the items we use on a daily basis. In efforts to find security weaknesses, researchers have successfully hacked and taken control of implantable medical devices or even automobiles. Merely checking a website to see if it is still susceptible to Heartbleed is unlikely to draw the attention of the FBI, so in many ways these concerns can be dismissed for the simple reason that broad enforcement is unlikely and, of course, many of the examples cited above involved researchers who had authorization. Yet, the CFAA’s scope is still concerning because of the chilling effect it could have on research and overall security by dissuading entities from testing systems for weaknesses without permission or, perhaps more likely, by discouraging individuals from disclosing these weaknesses when they find them.

Without question, our laws should punish those who use exploits (such as Heartbleed) to steal valuable information or otherwise harm people. But the CFAA also seems to apply with great force to unauthorized access which ultimately serves a tremendous societal good and should be somewhat excusable, if not encouraged. The majority of the CFAA was written decades ago and, while there have been recent efforts to amend it, it remains a highly-controversial law. Surely, issues surrounding cybersecurity are unlikely to disappear anytime soon. It will be interesting to see how courts and lawmakers react to solve these challenging issues in an evolving landscape.



Somnophilia, The “Sleeping Beauty” Disorder

Becky Huting, MJLST Editor

To date, at least 19 women have come forward accusing Bill Cosby of some type of sexual abuse. The majority of the women have told similar stories that involve some variant of being drugged, sexually assaulted, or being drugged and also sexually assaulted by Cosby. The New York Times recently published a piece entitled “When a Rapist’s Weapon is a Drug” that talks about a particular kind of paraphilia that some hypothesize is present in Cosby: a sexual deviation that involves drugging and raping unconscious partners. While it is important to note there is no indication of any formal diagnoses of Cosby (nor of criminal charges), this narrative has opened the dialogue about the contours of sexual disorder diagnosis and what it might mean in our legal regime.

The DSM, or Diagnostic and Statistical Manual of Mental Disorders, is authored by the American Psychiatric Association (APA) and offers a standardized classification of mental disorders. According to the APA, the DSM is “intended to be applicable in a wide array of contexts and used by clinicians and researchers of many different orientations (e.g., biological, psychodynamic, cognitive, behavioral, interpersonal, family/systems).” The DSM’s 5th Edition (DSM 5) is the 2013 update to the APA tool, superseding the last (DSM-IV-TR), which was published in 2000.

Paraphilic disorders are defined by an unusual sexual preference that becomes compulsive. The DSM 5 contains eight distinct groups of disorders that constitute paraphilia. They include: exhibitionistic disorder, fetishistic disorder, frotteuristic disorder (arousal from touching or rubbing against a stranger), pedophilic disorder, sexual masochism disorder, sexual sadism disorder, transvestic disorder, and voyeuristic disorder.

Now returning to Cosby: date rape incidents involving drugs being dosed to victims are very common. Alcohol is the most commonly used drug in sexual assaults, but some perpetrators use so-called “knock-out” drugs. Experts view the motives for the former as simple opportunism, but some of the latter category of druggers have a different motive in mind: they like unresponsive partners. This preference for unconscious partners, and the erotic arousal dependent upon intruding upon an unresponsive partner, and sometimes waking the person, is being labeled “sleeping beauty syndrome” or “Somnophilia.” Somnophilia is a less common compulsion, but under a more common umbrella of a motive guided by coercion where the perpetrator is aroused by domination of their drugged partner.

According to Dr. Michael First, a psychiatrist and editorial consultant on the new DSM 5, the kind of coercion and domination achieved by drugging a partner is common enough that the APA actually contemplated adding it as a distinct diagnosis as a paraphilia disorder, but the idea was shelved in part because of concerns that doing so would give rapists added recourse in legal cases. This should be of interest for legal practitioners: it begs the question – should doctors be thinking about legal implications when they classify disorders? If they are indeed guided by what might be a legal defense, one could imagine the whole composition of the DSM changing tomorrow. Just a couple examples come quickly to mind. Schizophrenia is a widely accepted mental disorder included on the DSM, and yet is not infrequently used to bolster a legal defense for very horrific crimes. Consider also sleep-walking disorders. These too are on the DSM 5, and yet, criminal defendants have been known to use sleep-walking as a legal defense for equally ghastly crimes. It seems incongruous to say that leaving these kinds of “excusing” mental disorders off is the policy here. They are already on the DSM, and criminal defendants have used them for quite some time. If the APA is willing to sacrifice classifying valid mental disorders in the name of some sense of legal responsibility, they must also consider the consequences for the field of psychiatry and the name of treatment.

Clearly here the concern by the American Psychiatric Association is that giving disorders like Somnophilia a name legitimizes it – those ostensibly like Bill Cosby will now have a diagnosis to stand behind in court. They can say: “it wasn’t my fault, it’s my disposition. I have a disorder.” (It is also unclear that a jury would give any sympathetic weight or credence to this). But the clear question is whether lawyers want doctors doing the legal work for them behind the scenes. Will psychiatry and its patients actually benefit by this kind of legal policy gut-checking, or should we just politely ask doctors to do what they do best – classify, diagnose, and treat?


The Limits of Free Speech

Paul Overbee, MJLST Editor

A large portion of society does not put much thought into what they post on the internet. From tweets and status updates to YouTube comments and message board activities, many individuals post on impulse without regard to how their messages may be interpreted by a wider audience. Anthony Elonis is just one of many internet users that are coming to terms with the consequences of their online activity. Oddly enough, by posting on Facebook Mr. Elonis took the first steps that ultimately led him to the Supreme Court. The court is now considering whether the posts are simply a venting of frustration as Mr. Elonis claims, or whether the posts constitute a “true threat” that will direct Mr. Elonis directly to jail.

The incident in question began a week after Tara Elonis obtained a protective order against her husband. Upon receiving the order, Mr. Elonis posted to Facebook, “Fold up your PFA [protection-from-abuse order] and put it in your pocket […] Is it thick enough to stop a bullet?” According to Mr. Elonis, he was trying to emulate the rhyming styles of the popular rapper Eminem. At a later date, an FBI agent visited Mr. Elonis regarding his threatening posts about his wife. Soon after the agent left, Mr. Elonis again returned to Facebook to state “Little agent lady stood so close, took all the strength I had not to turn the [expletive] ghost. Pull my knife, flick my wrist and slit her throat.”

Due to these posts, Mr. Elonis was sentenced to nearly four years in federal prison, and Elonis v. United States is now in front of the Supreme Court. Typical state statutes define these “true threats” without any regard to whether the speaker actually intended to cause such terror. For example, Minnesota’s “terroristic threats” statute includes “reckless disregard of the risk of causing such terror.” Some states allow for a showing of “transitory anger” to overcome a “true threat” charge. This type of defense arises where the defendant’s actions are short-lived, have no intent to terrorize, and clearly are tied to an inciting event that caused the anger.

The Supreme Court’s decision will carry wide First Amendment implications for free speech rights and artistic expression. A decision that comes down harshly on Mr. Elonis may have the effect of chilling speech on the internet. The difference between a serious statement and one that is joking many times depends on the point of view of the reader. Many would rather stop their posting on the internet instead of risk having their words misinterpreted and charges brought. On the other hand, if the Court were to look towards the intent of Mr. Elonis, then “true threat” statutes may lose much of their force due to evidentiary issues. A decision in favor of Mr. Elonis may lead to a more violent internet where criminals such as stalkers have a longer leash in which to persecute their victims. Oral argument on the case was held on December 1, 2014, and a decision will be issued in the near future.


Asteroid Mining–Not As Crazy As It Sounds

Kirsten Johanson, MJLST Staff Member

Over the last few years, companies and private individuals have fully embraced novel space activities. Felix Baumgartner completed a space jump with the Red Bull Stratos making him the first human to break the sound barrier without any engine power. SpaceX developed the first reusable rocket, the Grasshopper, and was the first private company to deliver a shipment to the International Space Station. Recently, for the first time in history, the European Space Agency’s Rosetta mission successfully landed its space probe, Philae, on a comet. All of these ventures pushed the boundaries of space exploration beyond limits previously imagined and all indications are that such ventures will continue. One such undertaking is the concept of asteroid mining.

Asteroid mining is exactly what it sounds like–humans landing equipment on asteroids (and other celestial bodies) and mining for the minerals that exist on such bodies. This concept might seem far-fetched but, in reality, it is a serious topic of debate primarily because of the usefulness of the minerals that exist in the crust of asteroids. NASA has released an estimate “that the mineral wealth resident in the belt of asteroids between the orbits of Mars and Jupiter would be equivalent to about 100 billion dollars for every person on Earth today.” The reason such minerals are so valuable is because of their potential usefulness in “developing the space structures and in generating the rocket fuel that will be required to explore and colonize our solar system in the twenty-first century.”

Today, the physical process of actually mining these minerals is still not cost-effective. As a result, the bigger debate on this issue is currently over the legal implications of mining these minerals and returning them to earth. In space, no single country’s laws apply but, in 1967, over one hundred countries signed the United Nations’ Outer Space Treaty of 1967. This treaty is the current law governing space and it prevents the appropriation of outer space or any celestial body in space by any nation in its space explorations. While this law unequivocally applies to sovereign nations, the recent dispute is over the extension of this treaty to private companies participating in asteroid mining. If it does not, companies like Deep Space Industries, Planetary Resources, SpaceX, or other private players in the space exploration field could begin developing mining procedures that would give them rights to any mined asteroid minerals. However, if it does extend to private companies, this opportunity will likely die before it gets started.

Many in the public and private sector in the United States are pushing for a narrow application of the law to nations which would leave open a huge industry for private development. In Congress, the American Space Technology for Exploring Resource Opportunities In Deep Space (ASTEROIDS) Act was recently introduced in the House of Representatives to officially clarify the law. The Act states that “[a]ny resources obtained in outer space from an asteroid are the property of the entity that obtained such resources.” This would mean that any asteroid mining company would have unlimited access and appropriation rights over any asteroid materials they mine but not over the asteroid itself.

Proponents of such a reading have introduced various statutory interpretation arguments that get them to this conclusion, but it is still unclear which of these will likely be the winning argument. Or even if there will be a winning argument. While asteroid mining does present significant opportunities well into the future, it is still a long-term venture unlikely to launch anytime soon. As a result, if the ASTEROIDS Act does find enough support in Congress, that is only the first step. The United States will still have to assert an international position amenable to other countries.

Overall, this Act and the publicity it will need to generate to garner sufficient support of this industry is an important first step but it cannot be the only step. Other countries, particularly the signers of the Outer Space Treaty of 1967, must develop a workable solution to the ownership question of asteroid materials. However, with the potential technological advancements and economic realizations of such an industry, it is unlikely that countries with active space exploration will be opposed. Hopefully, these countries see the development opportunities as outweighing the costs because, if there is wide acceptance, this might be the real start of space development and colonization.



The UETA: Are Attorneys Automatically Authenticating Every Email?

Dylan Quinn, MJLST Lead Note Comment Editor

The work week is winding down and you are furiously trying to reach an agreement with opposing counsel on some issue or dispute. You email back and forth until it appears you have reached an agreement – at least for the weekend. You will tell your client about the essential terms next week to see if you should “finalize” everything with the other side.

I don’t want to ruin your weekend, but you may have already bound the client to an enforceable agreement. How, you ask, can this be possible if I did not sign anything? Well, in light of the UETA and developing case law, that automatic signature block at the bottom of all your emails might be enough.

Minnesota Statutes Section 481.08 provides that an “attorney may bind a client, at any stage of an action or proceeding, by agreement made … in writing and signed by such attorney.” In addition, Minnesota has long joined almost every other state by adopting a variation of the Uniform Electronic Transactions Act (UETA). The purpose of the UETA is to provide a legal framework for the use of electronic signatures and records in government or business transactions, making them as legal as paper and manually signed signatures. In sum, the UETA will apply to agreements reached under Section 481.08.

Minnesota Statutes Section 325L(h), defines “electronic signature” as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” Furthermore, Section 325L.05 (b), makes clear that the UETA in Minnesota only applies to transactions between parties where they both have “agreed to conduct transactions by electronic means,” which is determined by the “context and surrounding circumstances, including the parties’ conduct.” However, any attorney negotiating a settlement or other stipulation via email will open themselves up to the argument that they intended to transact business electronically, so the central question is whether or not an attorney intended the signature block to constitute a legally significant act that authenticates the email, thus binding the client to a settlement or other agreement.

It has long been held that an email chain can constitute a binding agreement. This past summer, the Minnesota Court of Appeals, held that “an electronic signature in an email message does not necessarily evidence intent to electronically sign a document attached to the e-mail.” See SN4, LLC v. Anchor Bank, fsb, 848 N.W.2d 559, 567 (Minn. Ct. App. 2014). While the decision adds to a growing body of jurisprudence in this area, the question of automated signature blocks was tabled by the decision and the parties involved were not attorneys. The Minnesota Supreme Court denied review this past September.

Other jurisdictions can offer some guidance. For example, in New York, where another law outside the UETA effectively serves the same purpose, it has long been held that automated imprints or signatures were insufficient to authenticate every document. See Parma Tile Mosaic & Marble Co. v. Estate of Fred, 663 N.E.2d 633, 635 (NY Ct. App. 1996) (finding for Statute of Frauds purposes, automatic imprint of “MRLS Construction” on every faxed document did not amount to “sender’s apparent intention to authenticate every document subsequently faxed.”).

In Texas, there is a split among the Courts on the issue of an attorney’s signature block creating an enforceable agreement. Compare Cunningham v. Zurich Am. Ins. Co., 352 S.W.3d 519, 529-30 (Tex. App. 2011) (determining settlement agreement had not been reached because the Court declined “to hold that mere sending … of an email containing a signature block satisfies the signature requirement when no evidence suggests that the information was typed purposefully rather than generated automatically.”), with Williamson v. Bank of New York Mellon, 947 F. Supp. 2d 704, 710 (N.D. Tex. 2013) (disagreeing with Cunningham because (1) the attorney must have typed in the signature block information “at some point in the past,” (2) a broad view of the electronic signature definition comports with UETA’s purpose, and (3) “email communication is a reasonable and legitimate means of reaching a settlement in this day and age.”).

On the one hand, it seems like a strong argument to point out the fact that all emails contain the signature block. How can that possibly evidence the requisite intent to authenticate statements or agreements? Do we really want to allow attorneys to use this argument any time they get close enough to reaching an agreement when emailing back and forth? In response, one must ask: in what instance should we allow an attorney to seemingly agree with opposing counsel via email, but get out of it because they did not use “/s/”, and just had their automated signature block?

Regardless of the outcome, a decision one way or the other will have far-reaching impacts on legal practice, and more specifically litigation, in Minnesota. As the Court recognized in Williamson, “email communication is a reasonable and legitimate means of reaching a settlement in this day and age.” If the entire purpose of the UETA was to facilitate electronic transactions, and the Minnesota Supreme Court is in charge of providing professional and ethical guidance for the profession within the state, they should grant review as opposed to tabling the issue.

Until then, all parties transacting business electronically, but especially attorneys, should be conscious of that little signature block they typed in the first day they set up their email account.


An Authorship-Centric Approach to the Authentication of Social-Networking Evidence

Sen “Alex” Wang, MJLST Staff Member

In Volume 13 Issue 1 of the Minnesota Journal of Law, Science & Technology, Ira P. Robbins called for special attention for social-networking evidence used in civil and criminal litigation and proposed an authorship-centric approach to the authentication of such evidence. In recent years, social-networking websites like Facebook, MySpace, and Twitter have become an ingrained part of our culture. However, at least as it appears to Robbins, people are stupid with regard to their online postings since they document their every move no matter how foolish or incriminating on social-networking sites. The lives and careers of not only ordinary citizens, but also lawyers, judges, and even Congress members have been damaged by their own social-networking postings.

Social-networking sites are designed to facilitate interpersonal relationships and information exchanges, but they have also been used to harass, intimidate, and emotionally abuse or bully others. With no effective check on fake accounts or false profiles, the anonymity of social-networking sites permits stalkers and bullies to take their harmful conduct above and beyond traditional harrying. The infamous Lori Drew and Latisha Monique Frazier cases provide excellent examples. Moreover, hackers and identity thieves have also taken advantage of the personal information posted on social-networking sites. Thus, Robbins argued that the growth in popularity of social-networking sites and the rising number of fake accounts and incidents of hacking signal that information from social-networking sites will begin to play a central role in both civil and criminal litigation.

Often unbeknownst to the social-networking user, postings leave a permanent trail that law-enforcement agents and lawyers frequently rely upon in crime solving and trial strategy. Robbins argued that the ease with which social-networking evidence can be altered, forged, or posted by someone other than the owner of the account should raise substantial admissibility concerns. Specifically, Robbins stated that social-networking postings are comparable to postings on websites rather than e-mails. Thus, the authentication of social-networking evidence is the critical first step to ensuring that the admitted evidence is trustworthy and, ultimately, that litigants receive a fair and just trial.

Robbins, however, further argued that the current judicial approaches to authentication of such evidence have failed to require rigorous showings of authenticity despite the demonstrated unreliability of information on social-networking sites. In the first approach, the court effectively shirks its gate-keeping function, deflecting all reliability concerns associated with social-networking evidence to the finder of fact. Under the second approach, the court authenticates a social-networking posting by relying solely on testimony of the recipient. The third approach requires testimony about who, aside from the owner, can access the social-networking account in question. With the fourth approach, the court focuses on establishing the author of a specific posting but fails to provide a thorough framework.

As a solution, Robbins proposed an authorship-centric approach that instructs courts to evaluate multiple factors when considering evidence from social-networking websites. The factors fall into three categories: account security, account ownership, and the posting in question. Although no one factor in these categories is dispositive, addressing each will help to ensure that admitted evidence possesses more than a tenuous link to its purported author. For account security, the inquiry should include at least the following questions: (1) Does the social-networking site allow users to restrict access to their profiles or certain portions of their profiles? (2) Is the account that was used to post the proffered evidence password protected? (3) Does anyone other than the account owner have access to the account? (4) Has the account been hacked into in the past? (5) Is the account generally accessed from a personal or a public computer? (6) How was the account accessed at the time the posting was made? As to account ownership, a court should address, at a minimum, the following key questions: (1) Who is the person attached to the account that was used to post the proffered evidence? (2) Is the e-mail address attached to the account one that is normally used by the person? (3) Is the alleged author a frequent user of the social-networking site in question? Finally, the court should ask at least these questions regarding the posting in question: (1) How was the evidence at issue placed on the social-networking site? (2) Did the posting at issue come from a public or a private area of the social-networking website? (3) How was the evidence at issue obtained from the website?

This authorship-centric approach properly shifts a court’s attention from content and account ownership to authorship, and it underscores the importance of fairness and accuracy in the outcome of judicial proceedings that involve social-networking evidence. In addition, it fits within the current circumstantial-evidence authentication framework set out by Federal Rule of Evidence 901(b)(4) and will not require the courts to engage in a more exhaustive inquiry than is already required for other types of evidence.


Republicans Win, Earth Loses

Vinita Banthia, MJLST Staff Member

The results of last Tuesday’s midterm elections were somewhat of a victory for climate-change deniers around the country. In Iowa, Joni Ernst, a long-time climate change denier, beat Democratic candidate Bruce Braley in the race for Senate. Ernst has remarked that she has “not seen proven proof that [climate change] is entirely man-made.” Meanwhile, Colorado elected climate change skeptic Cory Gardner over Mark Udall, and Oklahoma elected one of the environment’s biggest enemies: James Inhofe. Inhofe has long believed that the dangers of climate change are a hoax and recently wrote a book expressing the same sentiment. Ironically, Inhofe will also serve as the new chair of the Senate Environment and Public Works Committee.

At the United Nations Climate Summit on September 23, 2014, President Obama pledged to world leaders that the United States is committed to doing its part in reducing carbon emissions while also maintaining economic growth. This extended Republican majority in the House will push back President Obama’s Climate Action Plan and the nation’s environmental policy, and will increase resistance to the Environmental Protection Agency’s heightened regulations. It will not entirely cease efforts on that front, however, because the White House remains dedicated to advancing its climate change agenda and the President’s veto will prevent drastic changes in the current law and policy.

In the last year, the U.S. has reduced its carbon production more than any other nation, and the President continues to push this trend to meet his office’s goal of reducing carbon emissions to 17% below 2005 levels by 2020. As part of the Climate Action Plan, the White House aims to work with states and companies to cut the amount of carbon emissions from power plants, which will be one of the biggest steps in reducing carbon emissions in the nation’s history. In addition, new actions are being taken to encourage and implement alternative sources of energy (such as hydroelectric, solar and wind power generators) which will save consumers $10 billion on their bills and reduce carbon pollution by 300 million metric tons by 2030.

Finally, the U.S. aims to work with private companies to reduce hydrofluorocarbons (HFCs) in ways similar to how it limited ozone-depleting chemicals such as chlorofluorocarbons (CFCs). In addition to taking measures domestically, the U.S. is working with developing nations to find sustainable and clean ways to build infrastructure and create economic growth. For example, the President has formed partnerships with African farmers to implement sustainable agricultural practices.

Despite the recent elections of many Republicans who fail to appreciate the immediate dangers of climate change, many environmentalists, including David Doniger of the Natural Resources Defense Council, say that this kind of climate denial could have a negative impact on the party’s popularity in the long run. Colbert Report host Stephen Colbert mocked several Republicans for adamantly denying the man-made nature of climate change while they repeatedly disclaimed that they are “not scientists.” Republicans adhering to this view ignore the glaring evidence linking human activity to the drastic rise in sea levels, global temperatures, and loss of biodiversity, without proposing alternative causes for these phenomena.

According to a recent poll conducted by the New York Times, over 54% of Americans believe that some part of global warming is caused by human activity–the greatest number in American history to share this belief. The Chicago Council on Global Affairs poll found that more than 70% of Americans believe climate change is an important threat to the interests of the country, and half of the respondents felt that the government needs to do more to curb its effects.

As suggested by Senator Bernie Sanders from Vermont, most Republicans’ denial of the dangers of climate change is based on political pressure from their supporters in industries that contribute to environmental degradation. Since much of the Republican campaign funds come from some of the largest polluters, it is unlikely that Republican candidates will expressly change their views unless these culprit industries, such as the fossil fuel industry, move away from these damaging processes and adopt sustainable practices. This change may only be had by incentivizing “green” processes such as efficient and renewable energy sources, which is a key aspect of President Obama’s Climate Action Plan. Hence, even though the current House might try to push the Action Plan behind schedule, the nation is heading toward a more sustainable and green future whether James Inhofe and his fellow Republicans are onboard or not.


The Data Dilemma for Cell Phone Carriers: To Throttle or Not to Throttle? FTC Seeks to Answer by Suing AT&T Over Speed Limitations for Wireless Customers

Benjamin Borden, MJLST Staff Member

Connecting to the Internet from a mobile device is an invaluable freedom in the modern age. That essential BuzzFeed quiz, artsy Instagram picture, or new request on Friendster are all available in an instant. But suddenly, and often without warning, nothing is loading, everything is buffering, and your once treasured piece of hand-held computing brilliance is no better than a cordless phone. Is it broken? Did the satellites fall from the sky? Did I accidentally pick up my friend’s BlackBerry? All appropriate questions. The explanation behind these dreadfully slow speeds, however, is more often than not a result of data throttling courtesy of wireless service providers. This phenomenon arises from the use of unlimited data plans on the nation’s largest cell phone carriers. Carriers such as AT&T and Verizon phased out their unlimited data plans in 2010 and 2011, respectively. This came just a few years after requiring unlimited data plans for new smartphone purchases. Wireless companies argue that tiered data plans offer more flexibility and better value for consumers, while others suggest that the refusal to offer unlimited data plans is motivated by a desire to increase revenue by selling to data-hungry consumers.

Despite no longer offering unlimited data plans to new customers, AT&T has allowed customers who previously signed up for these plans to continue that service. Verizon also allows users to continue, but refuses to offer discounts on new phones if they keep unlimited plans. Grandfathering these users into unlimited data plans, however, meant that wireless companies had millions of customers able to stream movies, download music, and post to social media without restraint, and more importantly, without a surcharge. Naturally, this was deemed to be too much freedom. So, data throttling was born. Once a user of an unlimited data plan goes over a certain download size, 3-5GB for AT&T in a billable month, their speeds are lowered by 80-90% (to 0.15 mbps in my experience). This speed limit makes even the simplest of smartphone functions an exercise in patience.

I experienced this data throttling firsthand and found myself consistently questioning where my so-called unlimited data had escaped to. Things I took for granted, like using Google Maps to find the closest ice cream shop, were suddenly ordeals taking minutes rather than seconds. Searching Wikipedia to settle that argument with a friend about the plot of Home Alone 4? Minutes. Requesting an Uber? Minutes. Downloading the new Taylor Swift album? Forget about it.

The Federal Trade Commission (FTC) understands this pain and wants to recoup the losses of consumers who were allegedly duped by the promise of unlimited data, only to have their usage capped. As a result, the FTC is suing AT&T for misleading millions of consumers about unlimited data plans. After recently consulting with the Federal Communications Commission (FCC), Verizon decided to abandon its data throttling plans. AT&T and Verizon argue that data throttling is a necessary component of network management. The companies suggest that without throttling, carrier service might become interrupted because of heavy data usage by a small group of customers.

AT&T had the opportunity to settle with the FTC, but indicated that it had done nothing wrong and would fight the case in court. AT&T contends that its wireless service contracts clearly informed consumers of the data throttling policy and those customers still signed up for the service. Furthermore, there are other cellular service options for consumers that are dissatisfied with AT&T’s terms. These arguments are unlikely to provide much solace to wireless customers shackled to dial-up level speeds.

If there is a silver lining though, it is this: with my phone acting as a paperweight, I asked those around me for restaurant recommendations rather than turning to Yelp, I got a better understanding of my neighborhood by finding my way rather than following the blue dot on my screen, and didn’t think about looking at my phone when having dinner with someone. I was proud. Part of me even wanted to thank AT&T. The only problem? I couldn’t tweet @ATT to send my thanks.