Law 696: Computer Security and Privacy
Jonathan Mayer
Stanford Law School
Spring 2014

This seminar surveys the legal environment for technology security and privacy. We will emphasize areas of law that are frequently invoked, hotly contested, or ripe for reform. Specific topics will include trespass offenses (CFAA and DMCA), consumer protection against deficient security, breach notification, privacy policies, communications safeguards (ECPA), and compelled disclosure to law enforcement and intelligence agencies (Title III and FISA). The material will draw upon high-profile and challenging cases, including the prosecutions of Aaron Swartz and Bradley Manning, the contempt citation against Lavabit, and class actions against Apple, Facebook, and Google. A background in computer science is not required for this course.

Please see the syllabus for additional course details and written assignments.

Topic Summaries

April 3 - Trespass Liability and the Computer Fraud and Abuse Act (Combined PDF)
Review Panel, MIT and the Prosecution of Aaron Swartz (2013)
Intel Corp. v. Hamidi, 30 Cal. 4th 1342 (2003)
Focus on the policy arguments in this case. I’ll discuss the intentional tort of trespass to chattels in class.
The Computer Fraud and Abuse Act, 18 U.S.C. § 1030
Read the CFAA very carefully, please. We’ll spend some time working with the statutory text.
Summarized Revisions to the Computer Fraud and Abuse Act
The legislative history of CFAA is lengthy and complicated; I’ve prepared this abbreviated table for your convenience.
The District of Minnesota’s Creative Interpretation of CFAA
Pulte Homes, Inc. v. Laborers’ International Union of North America, 648 F.3d 295 (6th Cir. 2011)
The court is wrestling with the terms “without” and “exceeding” authorization. Try to understand why the Sixth Circuit has to find that line, and how the panel draws it.
United States v. Morris, 928 F.2d 504 (2d Cir. 1991)
This is one of the most famous computer crime prosecutions ever, so I’ve given you a little extra in the facts section. Don’t sweat the technical details. Focus on how the panel scopes CFAA liability.
United States v. Phillips, 477 F.3d 215 (5th Cir. 2007)
Again, try to understand how the court delineates CFAA’s reach.
EF Cultural Travel BV v. Explorica, Inc. [EF I], 274 F.3d 577 (1st Cir. 2001)
EF Cultural Travel BV v. Zefer Corp. [EF II], 318 F.3d 58 (1st Cir. 2003)
Same. Compare how this panel treats the same underlying facts, and consider whether it is limiting EF I.
United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)
International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)
This is another employee disloyalty case, but contrast the basis for liability with EF I and Rodriguez.
United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009)
The prosecution of Lori Drew was highly controversial and grabbed national headlines. I think you’ll quickly see why.

April 10 - CFAA Continued and California Penal Code § 502 (Combined PDF)
United States v. Nosal, 642 F.3d 781 (9th Cir. 2011) (panel)
Try to understand why the panel is wrestling with the magic word “so.” Do you agree that the intent and causation requirements are sufficient to alleviate policy concerns?
United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
The majority and dissent sharply disagree about the liability risks of an expansive CFAA. Who do you find more persuasive?
United States v. Nosal, 930 F. Supp. 2d 1051 (N.D. Cal. 2013) (remand)
Does Judge Chen vindicate Nosal’s reasoning, or is his interpretation of the opinion too narrow?
WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)
Is the Fourth Circuit adopting Nosal, or is it doing more? Compare the panel’s holding to Pulte Homes and the distinction between “without” and “exceeding” authorization.
United States v. John, 597 F.3d 263 (5th Cir. 2010)
How does John modify the access vs. use standard?
Summary of CFAA “Damage” and “Loss” Caselaw
The opinions interpreting “damage” and “loss” are all over the map, so I’ve just prepared a summary table for your convenience. Don’t worry about the footnotes.
The California Computer Crime Law (CCL), Cal. Pen. Code § 502
Compare the use of “permission” in CCL to “authorization” in CFAA.
Facebook, Inc. v. Power Ventures, Inc., No. C 09-05780 JW (N.D. Cal. July 20, 2010)
What role do California and intra-district precedent play in Judge Ware’s opinion? Why is the technical circumvention test satisfactory?
In re Google Inc. Cookie Placement Consumer Litigation, No. 12-2358-SLR (D. Del. Oct. 9, 2013)
How does the court determine that Google and the other defendants didn’t circumvent a technical protection?
Optional: Peter Nicholas, Angelides Aides Cleared in Tape Probe, L.A. Times, Feb. 3, 2007
An amusing episode in California politics, but also a reflection of how state law enforcement perceives Section 502.
Optional: Prosecution’s Response Brief in United States v. Auernheimer
A skim is fine; you don’t need to read this closely. Apologies for the offensive language.
Optional: Brief of Amici Curiae in United States v. Auernheimer
Optional: The Third Circuit’s Footnote in United States v. Auernheimer
This opinion was handed down the day after class. The panel notes, in very cursory dicta, that Auernheimer did not circumvent a technical protection.

April 17 - Anti-Circumvention and the Digital Millennium Copyright Act (Combined PDF)
The Anti-Circumvention Provisions of the Digital Millennium Copyright Act, 17 U.S.C. § 1201
Try to make sense of the statutory structure. What are the different offenses in 1201(a)(1)(A), (a)(2), and (b)(1)? What policy motivates the various exceptions in (a)(1)(B)-(E), (c)(3), (f), (g), (i), and (j)?
Civil Remedies and Criminal Offenses for Circumvention, 17 U.S.C. §§ 1203-1204
Do you think the civil remedies are light, proportionate, or draconian? Also, compare the mens rea elements of DMCA criminal liability to the CFAA (a)(2) and (a)(4) offenses.
RealNetworks, Inc. v. Streambox, Inc., No. 2:99CV02070, 2000 WL 127311 (W.D. Wa. Jan. 18, 2000)
This is a fairly straightforward circumvention case. Work through the court’s reasoning on liability, and focus on why the copy switch is an enforceable technological protection measure (TPM).
Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000)
Reimerdes was the earliest comprehensive opinion on DMCA’s anti-circumvention provisions, and has been highly influential. How does the court elaborate on the RealNetworks interpretation?
Lexmark International, Inc. v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004)
Why does the panel conclude that Lexmark’s print cartridge authentication is not a TPM? Is it because of a distinction between protecting source code and protecting functionality? Is it because the source code wasn’t sufficiently protected? Both?
Agfa Monotype Corp. v. Adobe Systems, Inc., 404 F. Supp. 2d 1030 (N.D. Ill. 2005)
How does the court’s analysis differ under (a)(2) and (b)(1)? Why does Agfa think it has a stronger case under (b)(1)? Are you persuaded that the protection bits in this case substantially differ from the copy switch in RealNetworks?
Auto Inspection Services, Inc. v. Flint Auto Auction, Inc., No. 06-15100, 2006 WL 3500868 (E.D. Mich. 2006)
The court declines to find an enforceable TPM. Why isn’t the user detection feature enough? Do you think the Reimerdes and Lexmark tests are really the same, as the court suggests?
IMS Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004)
Why is using someone else’s password not actionable under DMCA? Note that this interpretation is controversial, and other courts have reached the opposite conclusion.
Chamberlain Group, Inc. v. Skylink Technologies, Inc., 381 F.3d 1178 (Fed. Cir. 2004)
How does the panel arrive at a copyright “nexus” requirement for DMCA claims? What are the implications? Note that many courts have not followed Chamberlain, and the Ninth Circuit has expressly rejected it.
Optional: Ed Felten, The Chilling Effects of the DMCA, Slate Future Tense (Mar. 29, 2013)
In this short piece, a prominent security researcher at Princeton explains his first-hand experience with DMCA threats.
Optional: The Electronic Frontier Foundation, Unintended Consequences: Fifteen Years Under the DMCA (2013)
This document collects questionable uses of DMCA since its enactment. Which applications do you think are legitimate, and which are illegitimate?
Optional: The 2010 DMCA Rulemaking
Pay special attention to the cell phone unlocking and video game security exceptions. Why are these necessary? Reading through the arguments over each possible exception, do you think the Librarian of Congress is equipped to adjudicate DMCA’s scope?

April 24 - Privacy Policies and Breach Disclosure Requirements (Combined PDF)
The California Online Privacy Protection Act (CalOPPA), Business and Professions Code §§ 22575-22577
Skim: LinkedIn’s Privacy Policy
Chief Justice Roberts Commenting on Website Legalese
Aleecia M. McDonald & Lorrie Faith Cranor, The Cost of Reading Privacy Policies (2008)
Joseph Turow et al., Americans Reject Tailored Advertising (2009)
In re Google Inc. Privacy Policy Litigation, No. C-12-01382-PSG, 2013 WL 6248499 (N.D. Cal. Dec. 3, 2013)
Skim: Federal Trade Commission, Final Complaint Against MySpace (2012)
Optional: Federal Trade Commission, Final Complaint Against Facebook (2012)
Optional: Federal Trade Commission, Final Amendments to the Children’s Online Privacy Protection Act Rule (2013)
Optional: Federal Trade Commission, Complying with COPPA: Frequently Asked Questions (2013)
Optional: Morrison & Foerster, California’s “Shine the Light” Law (2012)
Optional: Lauren Thomas & Chris Hoofnagle, Exploring Information Sharing Through CA’s “Shine the Light” Law (2012)
Optional: Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456 (2013)
Skim: The California Data Breach Notification Law, Civ. Code § 1798.82
In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013)
Optional: Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007)
Optional: Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)
Optional: Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)

May 1 - Consumer Protection Against Deficient Security and Privacy Practices (Combined PDF)
Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45
Optional: Federal Trade Commission, Policy Statement on Unfairness (1980)
Optional: A Brief Overview of the Federal Trade Commission's Investigative and Law Enforcement Authority (2008)
Optional: Telebrands Corp. v. Federal Trade Commission, 457 F.3d 354 (4th Cir. 2006)
Federal Trade Commission, Final Complaint Against Sony BMG (2007)
Optional: Federal Trade Commission, Final Complaint Against Sears (2009)
Skim: Federal Trade Commission, Final Order Against Google (“Google Buzz Order”) (2011)
Optional: Federal Trade Commission, First Amended Complaint Against Wyndham (2012)
Federal Trade Commission v. Wyndham Worldwide Corp., No. 13-1887(ES), 2014 WL 1349019 (D.N.J. Apr. 7, 2014)
Optional: Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014)
The California Unfair Competition Law (UCL), Bus. & Prof. Code § 17200 et seq.
The California False Advertising Law, Bus. & Prof. Code § 17500
Optional: Connecticut Complaint Against Citibank (2013)
The California Data Safeguard Law, Civ. Code § 1798.81.5
Optional: Security Standards Under the Gramm-Leach-Bliley Act

May 8 - The Electronic Communications Privacy Act and Civil Litigation (Combined PDF)
The Wiretap Act, 18 U.S.C. § 2510 et seq. (Civil Provisions)
The Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq. (Civil Provisions)
O’Grady v. Superior Court, 139 Cal. App. 4th 1423 (2006)
Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2003)
In re Google Inc. Gmail Litigation, No. 13-MD-02430-LHK359, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013)
Optional: Joffe v. Google, Inc., No. 11-17483, 2013 WL 6905957 (9th Cir. Sept. 10, 2013)

May 15 - Compelled Law Enforcement Access to Data (Combined PDF)
Congressional Research Service, Electronic Surveillance Under the Fourth Amendment (2013)
Orin Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561 (2009)
Skim: Federal Rule of Criminal Procedure 41
Optional: Judicial Conference of the United States, Committee on Rules of Practice and Procedure, Proposed Amendment to Federal Rule of Criminal Procedure 41 (2014)
Skim (Except § 2518): The Wiretap Act, 18 U.S.C. § 2510 et seq. (Criminal Provisions)
Skim (Except § 2703): The Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq. (Criminal Provisions)
Skim (Except §§ 3122, 3127): The Pen Register Act, 18 U.S.C. § 3121 et seq.
Optional: Electronic Frontier Foundation, Who Has Your Back? (2013)
Google, Transparency Report: Legal Process
Google, Way of a Warrant (YouTube Video)
Optional: Apple, Legal Process Guidelines for U.S. Law Enforcement
United States v. Warshak, 631 F.3d 266 (6th Cir. 2010)
In re Application of the United States for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, 620 F.3d 304 (3d Cir. 2010)
Optional: In re Application of the United States for Historical Cell Site Data, 724 F.3d 600 (5th Cir. 2013)
Ann E. Marimow & Craig Timberg, Low-Level Federal Judges Balking at Law Enforcement Requests for Electronic Evidence, Wash. Post, Apr. 24, 2014, at A1
Optional: In re [REDACTED], No. 14-70655-PSG (N.D. Cal. May 9, 2014)

May 22 - Facilitating Government Access to Data (Combined PDF)
United States v. Jones, 132 S. Ct. 945 (2012)
Optional: United States v. Verdugo-Urquidez, 494 U.S. 259 (1990)
The Company v. United States, 349 F.3d 1132 (9th Cir. 2003)
United States v. Lavabit, 2014 WL 1465749 (4th Cir. Apr. 16, 2014)
Congressional Research Service, Digital Surveillance: The Communications Assistance to Law Enforcement Act (2007)
Charlie Savage, U.S. Weighs Wide Overhaul of Wiretap Laws, N.Y. Times (May 7, 2013), at A1
Optional: Peter Swire & Kenesa Ahmad, ‘Going Dark’ Versus a ‘Golden Age for Surveillance’, Cen. Dem. Tech. (Nov. 28, 2011)
Optional: Report by Computer Security Experts on CALEA II (May 17, 2013)
United States v. John Doe, 670 F.3d 1335 (11th Cir. 2012)

May 29 - Compelled Intelligence Access to Data (Combined PDF)
Peter P. Swire, The System of Foreign Intelligence Surveillance Law, 72 Geo. Wash. L. Rev. 1306 (2004)
National Security Agency, Office of the Inspector General, Working Draft of Report on the President’s Surveillance Program (2009)
Optional: [Redacted], No. PR/TT [Redacted] (FISA Ct. 2004) (Kollar-Kotelly, J.)
This is the first FISC opinion authorizing domestic bulk metadata collection. It allows email surveillance under the FISA pen/trap provisions, 50 U.S.C. § 1842, commonly referred to as Section 214 of the USA PATRIOT Act.
Optional: In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], No. BR 06-05 (FISA Ct. May 24, 2006)
In this opinion, the FISC first authorizes domestic bulk collection of telephone metadata. Instead of using the pen/trap provisions again, as you might expect, the court relies on the FISA business records provision, 50 U.S.C. § 1861, better known as Section 215 of the USA PATRIOT Act.
Optional: In re Directives [Redacted] Pursuant to Section 105B of the Foreign Intelligence Surveillance Act, No. 08-01 (FISA Ct. Rev. Aug. 22, 2008)
Yahoo brought a Fourth Amendment challenge to what we now know as PRISM, a program of warrantless compelled cloud service disclosure where the accountholder is not a U.S. person. (The specific statutory provision at issue was a stopgap predecessor to Section 702 of the FISA Amendments Act, which remains in effect.) The FISA Court of Review, a special appellate tribunal, rejected Yahoo’s arguments.
Optional: In re Production of Tangible Things from [Redacted], No. BR 08-13 (FISA Ct. Dec. 12, 2008)
In 2008, the government notified the FISC that the SCA might be relevant to its bulk telephone metadata program. The court recognized a tension between the program and SCA, but fashioned an exception for the program.
Optional: The White House, Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act (Aug. 9, 2013)
Following the Snowden disclosures, the White House released this comprehensive legal defense of the domestic bulk telephone metadata program.
Optional: In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], No. BR 13-109 (FISA Ct. Oct. 11, 2013) (Eagan, J.)
In this opinion, the FISC provides some legal elaboration on why it has authorized the domestic bulk telephone metadata program. (Cynical observers have noted that the FISC did not author such extensive legal reasoning until after the program leaked to the public.)
Optional: President’s Review Group on Intelligence and Communications Technologies, Liberty and Security in a Changing World (Dec. 12, 2013)
Optional: Klayman v. Obama, No. 13-0851 (RJL) (D.D.C. Dec. 16, 2013) (Leon, J.)
Judge Leon finds a substantial probability that the Section 215 telephone metadata program violates the Fourth Amendment. His opinion provides a snapshot of Fourth Amendment arguments against the program.
Optional: ACLU v. Clapper, No. 13 Civ. 3994 (WHP) (S.D.N.Y. Dec. 27, 2013) (Pauley, J.)
Judge Pauley dismisses the ACLU’s Fourth Amendment challenge to the Section 215 telephone metadata program. The opinion complements Judge Leon’s, as a snapshot of constitutional arguments in favor of the program. (Aside: when a judicial opinion begins with 9/11, that’s code for “government wins.”)
Optional: Privacy and Civil Liberties Oversight Board, Report on the Telephone Records Program Conducted Under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court (Jan. 23, 2014)

Any original material or arrangement used in this course is available under a Creative Commons Attribution 4.0 International License.