Cyberlawyer: Don't blame the hackers

By Robert Lemos
Special to CNET News.com

February 1, 2001, 3:30 a.m. PT

Jennifer Granick is a well-known figure within the hacker community. She
helped Kevin Poulsen navigate his return to using computers after the
convicted hacker came out of jail. Granick is now defending Jerome
Heckenkamp, the 21-year-old Los Alamos National Laboratory employee accused
of breaking into eBay's computer systems.

A frequent speaker at the annual Def Con hacker conference, Granick was
appointed last month to head Stanford University Law School's new Center for
Internet and Society, a legal institute that will train students in Internet
law.

In a recent interview on the Stanford campus, Granick talked about the
Center, the future of law on the Internet, and the important cases of 2001.

What is the Center for Internet and Society?

It's new, so (laughing) that's one thing it is. This is a program that
Stanford Law School is starting that Larry Lessig runs, which is a
combination public interest, technology and computer law program.

 As far as law students are concerned, what will the Center provide?
Well, I have my students, who are participating in the clinical part of the
Center. We are going to do actual litigation of cases and give direct
representation to clients. But we're going to litigate the cases in
court--whether they are criminal or civil--so long as they raise a public
interest issue and are the kind of things that we want to work on. The
Center as a whole will have other projects as well that students can be
involved in...but one of the main parts of it--and the thing that I do--is
the clinical part, the practical.

Will most of the cases be defending someone or will you also take a
proactive role?

We're going to do suing people, too. We'll do both. We don't care. It just
depends on the issue.

What sort of issues are you going to pursue?

We're going to do free speech vs. copyright type issues, open-access
broadband issues. We may do some trade secrets litigation, where computer
security people are sued or criminally prosecuted because they threatened to
reveal information about a company's security vulnerabilities. Stuff like
that.

Have you taken any cases yet?

We have one that involves alleged game piracy, where a company has claimed
that our clients have contributorially infringed on their copyrighted game.
I don't know if that is going to end up as a lawsuit or not. We are kind of
in a wait-and-see mode.

Then we have one project we have agreed to work on with Indian tribes having
to do with sovereignty over broadband that passes through their territory.
That's a case Larry (Lessig) was really interested in because they have an
alternative model for distributing broadband other than auctioning the
frequency off to the highest bidder. So, something different that keeps the
network open--not just to the money interests but to everybody--is something
that we want to work on.

That's a jurisdictional case? Would that have any effect on the current
lawsuit against Yahoo France?

We have to decide whether and how much we want to get involved in
jurisdictional stuff. I don't know what the students are going to want to
do. It is not a huge interest of mine, but I may come to see things
differently, given the right case that comes along.

Looking at what's happening on the Internet front, what are the issues that
you think will be most important?

Intellectual property is going to be huge for us--more than anything else,
more than legislation, more than, I think, even filtering technology.
Intellectual property is going to determine what you see on the Internet.

Like what? Copyright, trademark?

Copyright, trademark, some patent, but mostly copyright and trademark law.
And then we are going to be doing a lot of copyright free speech type of
stuff. I think that is going to be really huge. We are going to have to do a
lot with trade secrets too.

I would hope that we get involved with some standards, which may not be
through litigation but through some other way. But I believe that standards
have to do with how the Internet operates. It is sort of arcane and
uninteresting to the average person, but really critical because the
decisions that are made at the basic technology level determine what kinds
of things you can do with the network later on.

A couple of cases out there seem to be influencing what will "be" on the
Internet in the future. For instance, what about the various DeCSS lawsuits?

The DeCSS case--there are a lot of good issues with that, that sort of
reverse engineering, and reverse engineering is a fair use and free speech
right. Is it a right that stems from contract, from statute, from the
Constitution--you know, what's the basis of it? That's a really important
issue.

I know that Larry's been working on the case and writing some briefs for the
defendants in the DVD litigation. So I think that the Center may have some
role in that. How formal it will be and what we can do once classes start or
what stage that litigation will be in--I don't know. We are already in the
appellate process there.

What about the push by the software industry to pass laws that make software
licenses more binding--that is, UCITA (Uniform Computer Information
Transaction Acts)?

We haven't been targeted toward doing any kind of lobbying, but that's not
out of the question for us either. That may be the kind of thing we can do
effectively by coordinating with other centers locally or something like
that.

Will licensing be a big issue?

I think licensing is a huge issue. A couple of people have contacted me
about licensing-related stuff, both in terms of licenses that say you can't
reverse engineer licenses or that say you cannot make any copies for any
purpose whatsoever. Each license is sort of different. People don't even
read them, so are they really enforceable? There are licenses that make you
agree to let the company use remote scanning software to see if you have
pirated versions of their software on their hard drives, which has privacy
implications. There is a question that I would like to litigate as to
whether some of these terms that have become standard in these licenses are
legally enforceable at all.

There also seems to be a big push by companies to use lawsuits to reveal
people's identities on the Net. Are you looking into that?

John Doe litigation? I know the Electronic Frontier Foundation is doing a
project for people who are served with these subpoenas, and we may provide
some support and work with them on that. There is a cease-and-desist letter
project that the Berkman Center does, and the EFF started a John Doe
subpoena project. That is really important, and we will work some on that.

What is the issue?

Anonymity. It is basically if there is a right to anonymity.

Do those companies that sue intend to actually prosecute?

Sometimes it is just harassment...and it is not really worth the resources
to sue this person. But if there is a whole big splash about how they're
finding out who these people are because they are going to sue them, then
that has a speech-chilling effect which may get the company what they really
want in the long run without actually having to sue any of these John Doe's.


Let's go back to your old stomping ground. Are you giving up cybercrime
cases?

There are going to be some criminal cases that will raise public interest
issues that the Center may take. There will be other criminal cases that
don't really raise public interest issues, but that I'm interested in for
some other reasons, that I may take. And if I take those cases, then I will
take responsibility alone as a separate entity. If the client doesn't mind
and if the students feel like it, then the students may work on those cases
if they like. Those types of things will be separate. But the hallmark of
the Center is that the cases have to have a public interest issue.

How do you see the current climate? Are hackers being treated fairly? Are
they being pursued in proportion to the threat they represent?

Well, I think there is a hysteria about the hackers, which is dangerous
because of things like what I said with security people getting sued or
prosecuted for discovering security vulnerabilities and threatening to
disclose them or disclosing them in a way that the company didn't want to
have done. I think that it's dangerous, and I think that it gives
hacking--in terms of its societal harm--too heavy a weight. I don't think
that it has the level of societal harm that all the news stories and all of
that give it. But there are going to be a lot of other issues in which I am
afraid the law is far too serious. It seems like our law has come down on
the side of the intellectual property holder almost all the time. And the
recording industry is incredibly powerful. And I think that is something to
be equally afraid of, as being afraid of the government and their
overzealous prosecution of the hacker cases. Of course, with (John) Ashcroft
as the attorney general, I think we can probably expect to see more of that
type of mentality about these crimes as opposed to less.

Last question: Is there a crisis looming? Are there any issues that we have
to fight before we have to go much further in our development as an Internet
society?

There are a lot of important issues, and I think we need to fight them all.
I don't know if there is one that I think is worse or less worse. As
litigation comes down the pike, something becomes a crisis; then it sort of
ebbs away. And then something else becomes a crisis. You're always putting
out the fires.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************