• The European Union is moving to outlaw “hacking tools,” such as programs used to access information without a password. Security researchers are concerned that the new law, if implemented, would hinder their ability to do their jobs and perform important research in cybersecurity. [Wired]
• The Department of Justice filed suit against Apple and certain book publishers over e-book pricing. The DOJ argued that contract provisions known as “most favored nation” clauses, which forbid the publisher from allowing a book to be sold below a certain price, violate antitrust laws. Three publishers have already settled with the DOJ. This lawsuit is a boon for Amazon, which will be able to lower prices for Kindle books and better compete in the marketplace. [N.Y. Times]
• The Court of Appeals for the Ninth Circuit has ruled in U.S. v. Nosal that it is not a crime under the Computer Fraud and Abuse Act to violate an employer’s computer use policy or a website’s terms of service. David Nosal, the defendant in the case, had obtained information that he was legally permitted to acquire, but then used it improperly. The majority expressed worry that the government’s interpretation of the statute would criminalize minor lies on social networking sites or slight improprieties (such as an employee sending a personal email from a work computer). The dissent argued that this case was not about the violation of the terms themselves, but rather about intent, and Mr. Nosal acted with an actual intent to defraud. [Law.com]

As the Washington Post recently reported, employers have started demanding that employees (and potential employees) turn over their Facebook passwords. Recently, according to Ars Technica, a teacher’s aid was suspended for failing to turn over her Facebook login information after a parent complained about a posted photograph. Facebook has instructed users not to turn over their passwords, and has stated that it may take legal action against companies that require employees to provide this information. Facebook has made clear that requiring this information (and logging in as someone else) is a violation of their terms of service, which tells users that they must not “solicit login information or access an account belonging to someone else.” As was pointed out in a recent episode of This Week in Law, it would be imprudent for any company which values its online presence to ignore Facebook’s terms of service.

It is unclear if there will be any legal consequences for companies which demand employees’ passwords. According to the New York Times, “Senators Charles E. Schumer  of New York and Richard Blumenthal  of Connecticut said they were calling on the Justice Department and the Equal Employment Opportunity Commission to begin investigations” on the grounds that “[p]ersonal information such as gender, race, religion and age are often displayed on a Facebook profile — all details that are protected by federal employment law.” The House of Representatives recently rejected a proposed amendment to a bill which would have explicitly granted the FCC the authority to prevent employers from demanding “confidential passwords to social networking websites.”

Image: CC BY-SA 2.0 / massimobarbieri

• Former Rutgers University student Dharun Ravi was convicted of all charges against him relating to his use of a webcam to spy on his roommate. The charges included invasion of privacy and bias intimidation.  [N. Y. Times]
• The Eleventh Circuit has found that being forced to decrypt an encrypted hard drive would constitute self-incrimination under the Fifth Amendment. [Volokh Conspiracy]
• U.S. soldier Bradley Manning was formally charged with 22 counts, including “aiding the enemy,” for allegedly releasing classified U.S. documents to WikiLeaks. [National Post]

According to an article in the New York Times, the Second Circuit Court of Appeals has overturned the conviction of Sergey Aleynikov, a former Goldman Sachs programmer. Mr. Aleynikov was convicted of transferring vital source code from Goldman Sachs to a server in Germany in violation of the Economic Espionage Act. At issue in the appeal was whether the code was used in interstate or international commerce. Mr. Aleynikov “argued that the bank’s trading platform was built for internal use and never placed in the stream of commerce,” and hence was outside the scope of the Act. The code allowed Goldman Sachs to engage in high-frequency trading, where algorithms analyze market data and take advantage of investment opportunities which may last for only a short period of time. A full opinion from the Court of Appeals is forthcoming. Mr. Aleynikov may still be liable in civil court for violating his confidentiality agreement with Goldman Sachs.

Image: CC BY-NC-SA 2.0 / b00nj

• A Pennsylvania firm is suing a former partner and the firm he now works for claiming that he secretly installed software on their computer system to steal client files. [Law.com]
• The hacker group Anonymous hacked into the email accounts of top Syrian government officials, including President Bashar al-Assad. The password was “12345″. [NPR]
• The senate is considering a bill which would impose requirements on private computer systems which are part of “critical infrastructure.” [WSJ]

Jennifer Granick at the Center for Internet and Society at Stanford Law School has an interesting post about the difficulties prosecutors will face in the Megaupload case. According to Ms. Granick, while it might be possible to prove civil liability,  it will be extremely difficult to prove the willfulness requirement necessary for criminal liability. This is mainly because those running Megaupload likely believed they were operating legitimately under the Digital Millennium Copyright Act. As she explains, “for criminal liability, it doesn’t really matter whether the service qualifies [under the DMCA], so long as Defendants believed it qualified.” In addition, it is unclear whether someone can be held criminally liable for secondary copyright infringement (“aiding and abetting” copyright infringement) or whether the US will have jurisdiction over the Defendants merely because they used a hosting provider in the Eastern District of Virginia.

The Supreme Court has unanimously ruled that GPS tracking of a suspect’s car for an extended period of time without a warrant violates the Fourth Amendment (PDF opinion). The District Court had ruled that data about the car when it was at the suspect’s private residence was a inadmissible because the police did not have a warrant, but information about the suspect’s driving on public roads was admissible because he had no reasonable expectation of privacy there. Writing for the majority, Justice Scalia stressed how the government physically intruded on one of the suspect’s “effects” and used that effect to secretly monitor the suspect. The Court held that it was not necessary to apply the “reasonable expectation of privacy” test from Katz v. United States, 389 U. S. 347 (1967) because this test applies in addition to (and does not supplant) the traditional property-based approach used in Fourth Amendment analysis. The opinion explains, “for most of our history the Fourth Amendment was understood to embody a particular concern for government trespass upon the areas (‘persons, houses, papers, and effects’) it enumerates. Katz did not repudiate that understanding.”

Justice Sotomayor joined in the opinion, and wrote separately to discuss the unique attributes of GPS monitoring and how police monitoring of civilians may affect our democratic society.

Justice Alito concurred in judgment and wrote a separate opinion arguing that the case should be decided based on the more modern “reasonable expectations of privacy” test. This concurring opinion argued that short-term monitoring of a suspect’s vehicle would not violate such expectations, but long term monitoring would violate them. It explained, “In this case, for four weeks, law enforcement agents tracked every movement that respondent made in the vehicle he was driving. We need not identify with precision the point at which the tracking of this vehicle became a search, for the line was surely crossed before the 4-week mark.”

Each approach certainly leaves much of the law undecided. Under the minority view, it is unclear at what point the line would be “crossed” and police monitoring of a suspect’s car would constitute a “search.” Under the majority view, which is now binding precedent, it is unclear what the result would be if the police were able to track a car via GPS without physically intruding on the vehicle.

Image: CC BY-NC 2.0 / S.E.B.

William & Mary Law School is back in session and The Circuit is back from hiatus. Here are some stories you might have missed over the break.

• Congress is working on a number of new laws dealing with national security and access to computer data.
• The founder of the file-sharing website MegaUpload was arrested in New Zealand. The FBI has taken control of the MegaUpload web domain.
• Congress has delayed voting on the controversial Stop Online Piracy Act and Protect Intellectual Property Act after concerted protests from the online community. Many popular sites, including Google and Wikipedia, “censored” themselves to protest the bill.