Is Visiting a Web Site a Crime?

Is it a crime to visit a Web site? That’s one of the issues the Ninth Circuit Court of Appeals has been addressing in United States v. Nosal (decided April 10, 2012) and in Facebook v. Vachani (decided July 12, 2016).

I briefly described these cases and the July 6, 2016, Nosal II opinion in a prior posting. Essentially, Nosal I said violating a Web site’s Terms of Service Agreement is not a crime under the Computer Fraud and Abuse Act, but Vachani said that accessing a Web site after receiving a cease-and-desist letter can be a crime under the CFAA. The bottom line is that it’s difficult to distinguish the two decisions.

The reason I’m posting about this topic again is that the attorneys for the defendants in the Vachani case filed a petition on August 9, 2016, for rehearing of the case with respect to liability under the Computer Fraud and Abuse Act. The rehearing is requested so the court can correct or clarify its interpretation of the CFAA, because the court’s opinion conflicts with the opinion in Nosal I.

Hopefully, the court will clarify its decision so that users will know more clearly when it is a crime to visit a Web site in violation of the company’s Terms of Service Agreement.


Two New Cases on Using Computers “Without Authorization” under the Computer Fraud and Abuse Act

Two new cases on using computers “without authorization” under the Computer Fraud and Abuse Act were decided in July 2016, and both were decided by the United States Court of Appeals for the Ninth Circuit.

The first case, decided on July 6, 2016, is United States v. Nosal (a/k/a Nosal II because the Ninth Circuit also issued an opinion on April 10, 2012, involving the same situation). The short summary of Nosal II is that sharing a password can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. For an excellent recap of the facts and analysis of the case, read this July 6, 2016, article by Orin Kerr that appeared in The Washington Post.

The second case, decided on July 12, 2016, is Facebook v. Vachani. The short summary of Vachani is that accessing a Web site after being notified that you are not authorized to access it can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. For an excellent recap of the facts and analysis of the case, read this July 12, 2016, article by Orin Kerr that appeared in The Washington Post.

With respect to the Vachani case, the court makes a difficult-to-follow distinction as it interprets the Computer Fraud and Abuse Act, and this issue is described in more detail in Orin Kerr’s article. In Nosal I, the Ninth Circuit court decided that the “exceeds authorized access” prong of 18 U.S.C. § 1030(a)(4) “does not extend to violations of [a company’s] use restrictions” (e.g., violating a Terms of Service Agreement is not a crime under the Computer Fraud and Abuse Act). But, in Vachani, the Ninth Circuit court decided that accessing a Web site after receiving a cease-and-desist letter can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. The court’s distinction appears to depend on the person’s intent—whether the person at issue “might be unaware that they were committing a crime” (i.e., that is not a crime) versus a person who “deliberately circumvented the rescission of authorization” (i.e., that is a crime).

For fiduciaries and family members dealing with online accounts and digital property of an incapacitated or deceased family member, the concern remains that accessing the incapacitated or deceased person’s online accounts and digital property could be a crime under federal or state law. The U.S. Department of Justice is on the record asserting that the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security (note that this testimony was given before Nosal I was decided). However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”

The bottom line is that this still is a developing area of law. Fiduciaries and family members should review and consider carefully the applicable Terms of Service Agreement before using a shared password or otherwise accessing a Web site in violation of the Web site’s access rules.


Study Shows Users Don’t Read Terms of Service Agreements

Not surprisingly, a recent study shows that users don’t read Terms of Service Agreements and Privacy Policies. In a July 7, 2016, working paper, Jonathan Obar and Anne Oeldorf-Hirsch reported that, in their experiment, 98% of users missed the “gotcha clauses” they planted in the Terms of Service Agreement and Privacy Policy for a fictitious social networking site they created. One of the “gotcha clauses” was that, by agreeing to the Terms of Service Agreement, the user would immediately assign their first-born child to the company!

In their experiment, the fictitious company had a 4,316-word Terms of Service Agreement for the user to read when signing up for the company’s social networking site. By comparison, Google’s Terms of Service Agreement (revised April 14, 2014) runs 1,881 words, Facebook’s Terms of Service Agreement (revised January 30, 2015) runs 3,159 words, and Yahoo!’s Terms of Service Agreement (revised March 16, 2012) runs 5,585 words. The working paper notes that an average adult should be able to read the 4,316-word Terms of Service Agreement used in the experiment in 15-17 minutes. However, in the experiment, 86% of users spent less than one minute reading the Terms of Service Agreement, and 97% of users spent less than five minutes reading the Terms of Service Agreement. Only 9 of the 527 participants in the experiment (1.7%) reported noticing the “gotcha clause” requiring the user to assign their first-born child to the company.

From an estate planning perspective, some Terms of Service Agreement provisions are important to consider, especially when planning for a user’s incapacity or death. Here are several provisions to consider in reviewing Terms of Service Agreements:

  1. May the user share the user’s password or let others access the user’s account? For estate planning, this is important to determine whether a fiduciary or family member can access the user’s account during the user’s incapacity or after the user’s death. If someone other than the user accesses the user’s account and “exceeds authorized access”—which could include violating the access rules of a company’s Terms of Service Agreement—that person could be charged with a crime under applicable state law, under the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(2)), or under the federal Stored Communications Act (18 U.S.C. § 2701(a)). For example, Section 4.8 of Facebook’s Terms of Service Agreement (revised January 30, 2015) says “You will not share your password…let anyone else access your account, or do anything else that might jeopardize the security of your account.”
  2. May the user transfer the user’s account? For estate planning, this is important to determine whether the user’s account may be transferred to another individual, to the trustee of a revocable living trust, to the trustee of an irrevocable trust, to a Limited Liability Company (LLC), to a partnership, or to a corporation either during the user’s lifetime or after the user’s death. If the user breaches the account transfer restrictions in the company’s Terms of Service Agreement, it could be grounds for the company to terminate the user’s account.
  3. Does the user’s account terminate on the user’s death? For estate planning, this is important to know what planning needs to be done during the user’s lifetime to preserve and protect the user’s account contents and what planning options are available after the user’s death. For example, Section 28 of Yahoo!’s Terms of Service Agreement (revised March 16, 2012) says “You agree that your Yahoo account is non-transferable and any rights to your Yahoo ID or contents within your account terminate upon your death.”
  4. What rights to the user’s data are being assigned to the company? For estate planning, this is important to know what intellectual property rights are involved. For example, is the user granting the company a license to use original works of authorship of the user that may be protected by copyright law? If so, does that license continue after the user’s death or after the user’s account is deleted?

Minnesota Joins Other States Enacting the Revised Uniform Fiduciary Access to Digital Assets Act

On May 22, 2016, Minnesota’s Governor signed a bill enacting the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA). The new law takes effect August 1, 2016, and will be found in Minnesota Statutes Chapter 521A. The new law creates a clear procedure to enable access to or disclosure of online accounts and digital assets to a person’s fiduciaries. A person’s fiduciaries may include an agent under a power of attorney, a court-appointed conservator of a living person, a trustee of a trust, or a court-appointed personal representative of a deceased person’s estate.

At latest count (updated July 14, 2016), including Minnesota, 18 states have enacted RUFADAA into law, and 13 other states have introduced RUFADAA in their legislatures. My understanding is that many other introductions of RUFADAA are planned within the next year. An up-to-date list of RUFADAA introductions and enactments in state legislatures can be found on the Uniform Law Commission Web site. A good summary of RUFADAA is also available on the ULC Web site.

Even with the new enactment of RUFADAA in Minnesota and other states, it is important for individuals to plan ahead for access to or disclosure of their online accounts and digital assets during incapacity or after death. The federal Stored Communications Act (18 U.S.C. § 2702) creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services or remote computing services. If the privacy protections of the Stored Communications Act apply, an online account service provider is prohibited from disclosing the contents of certain electronic communications and files unless an exception under § 2702(b) of the Act is met. Under § 2702(b)(3) of the Act, with the “lawful consent” of the user, an online account service provider may disclose the contents of the user’s electronic communications and files that are protected by the Act. RUFADAA provides a clear state law procedure for fiduciaries to follow to request access to or disclosure of online account contents and other digital assets.

So, a user’s “lawful consent” for disclosure of digital assets should be included in an individual’s estate plan, such as an individual’s financial power of attorney document for use while the individual is living, the individual’s will for use after the individual is deceased, and, if applicable, the individual’s revocable living trust (or irrevocable trust) for use if any digital assets are held in the trust. Under Section 4(b) of RUFADAA, it is also possible to sign a stand-alone document (what RUFADAA calls a “record”) to allow or prohibit disclosure to a fiduciary of some or all of an individual’s digital assets, including the content of electronic communications sent or received by the individual.

A document evidencing a user’s “lawful consent” for disclosure of digital assets is important to coordinate with the full fiduciary access and disclosure procedures under RUFADAA. In addition, there are other important digital asset issues that should be addressed as part of a comprehensive estate plan that an estate planning attorney can help plan and implement. For example, how should digital assets be distributed at death? Should family photos and videos be copied for each of the individual’s children? Should some beneficiaries be prohibited from receiving some of the digital assets? Should some of the digital assets be deleted on the individual’s death?

Because so many aspects of our personal and business lives have moved into the digital world, it’s important for an individual considering disclosure of and distribution of digital assets to seek legal advice from an attorney licensed to practice in the individual’s state as part of a comprehensive estate plan.


Widow Told by Apple to Get Court Order So She Can Continue to Play a Card Game on the Couple’s iPad After Her Husband’s Death

Peggy Bush, a 72-year-old Canadian woman whose husband died in August, was told by Apple that she needed to obtain a court order so that she could continue playing a card game app on the couple’s iPad device. The couple owned the iPad and used one Apple ID to purchase apps, including the card game app that Peggy enjoyed playing. She knew the password to access the iPad itself, but she didn’t know the password her husband used for the Apple ID associated with the iPad.

When the family contacted Apple to reset the Apple ID password, Apple told them a court order was required. However, it can be costly and time-consuming to obtain a court order. On the positive side, at least Apple will permit the family to reset the Apple ID password with a court order—some online service providers refuse to reset or reveal a user’s password after the user has died.

An excellent news report by Rosa Marchitelli of CBC News describes the family’s struggle with Apple’s customer service. Peggy’s daughter was quoted in the article saying, “What do you mean a court order? I said that was ridiculous, because we’ve been able to transfer the title to the house, we’ve been able to transfer the car, all these things, just using a notarized death certificate and the will.” Peggy was quoted in the news report as saying, “I could get the pensions, I could get the benefits, I could get all kinds of things from the federal government … [b]ut from Apple, I couldn’t even get a silly password. It’s nonsense.”

When CBC News contacted Apple to ask about its official policy for users seeking to reset Apple ID passwords or to obtain data of family members who have passed away, Apple told them it would not comment.

This is an excellent reminder of why it’s important to plan ahead for access to your digital property—passwords, online accounts, and electronically-stored information—in your estate plan. By planning ahead, you can arrange for full access to your digital property, keep administration costs down, and ensure that no valuable or significant digital property is overlooked.

Compared with traditional types of property, digital property may have four additional, significant obstacles for fiduciaries and family members to overcome: (1) passwords, (2) data encryption, (3) criminal laws regarding unauthorized access to computers, and (4) data privacy laws. These obstacles can make it practically impossible for fiduciaries and family members to access your digital property if you don’t plan ahead.

How should you plan ahead? First, make a list of your important passwords, online accounts, and digital property, and specify what should be done with each item on your list if you become incapacitated or after you die. Keep your list up to date, store it in a secure location, and let your fiduciaries and family members know how to access it. A “My Digital Audit” form to use for your list can be downloaded here: http://www.digitalpassing.com/digital-audit/

Second, if you store valuable or significant digital property in the cloud, back up your data to a local computer or local storage device on a regular basis. Fiduciaries and family members can access the local computer or local storage device without the obstacles that may prevent them from accessing your data stored in online accounts.

Third, work with an estate planning attorney to update your will, power of attorney, and revocable living trust to address digital property. Your estate planning documents should: (1) specify your wishes about the distribution of or deletion of your digital property; (2) provide your consent to divulge the contents of your electronic communications to your fiduciaries; (3) authorize your fiduciaries to access your computing devices, storage devices, accounts, and data; and (4) permit your fiduciaries to bypass, reset, or recover your passwords on your computing devices and to decrypt your encrypted data, if desired. But, don’t list your passwords in your will, power of attorney, or revocable living trust documents—that isn’t secure. Instead, store your passwords securely, and let your fiduciaries and family members know how to access them.


Income Taxes, Identity Theft, and Identity Fraud

According to the Bureau of Justice Statistics, about 17.6 million individuals in the U.S. were victims of identity theft in 2014. When a data breach occurs at a company, the company may offer to provide identity protection services to its customers, employees, or other affected individuals. Is the value of those identity protection services taxable income?

In Announcement 2015-22, the IRS concluded that, for an individual whose personal information may have been compromised, the IRS will not treat the value of identity protection services as gross income to that individual when provided by a company that experienced a data breach. Similarly, for an employee whose personal information may have been compromised in a data breach of the employer, of an agent of the employer, or of a service provider of the employer, the IRS will not treat the value of identity protection services as gross income to that employee when provided by the employer. Identity protection services include credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services.

In Announcement 2016-2, the IRS extended these conclusions to identity protection services provided before a data breach occurs. So, for an individual who provides personal information (e.g., the individual’s name, social security number, bank account number, or credit card number) to a company, the IRS will not treat the value of identity protection services as gross income to that individual when provided by that company before a data breach occurs. Similarly, for an employee, the IRS will not treat the value of identity protection services as gross income to that employee when provided by the employer before a data breach occurs.

As we begin the 2016 income tax filing season, it’s also important for taxpayers and tax preparers to take extra precautions regarding identity theft, tax refund fraud, and tax-related scam emails. The IRS has issued Publication 4524 on Security Awareness for Taxpayers and Publication 4557 on Safeguarding Taxpayer Data. The IRS reports that since 2013, there were 3,331 identity theft investigations initiated by the IRS Criminal Investigation division resulting in 1,976 convictions. For fiscal year 2015, their incarceration rate is 84.6% with an average of 38 months to serve. The IRS also has released a series of security awareness tax tips. Finally, certain eligible taxpayers can apply for an Identity Protection PIN from the IRS to prevent someone else from filing a tax return with the taxpayer’s social security number.

If you are concerned about identity theft or identity fraud, consider placing a security freeze on your credit file at the three major credit bureaus: Equifax, Experian, and TransUnion. For more information about this, read the recent report from the U.S. Public Interest Research Group “Why You Should Get Security Freezes Before Your Information is Stolen—Tips to Protect Yourself Against Identity Theft & Financial Fraud.” According to the report, a security freeze is the only reliable way to prevent someone from opening new financial accounts in your name.


October is National Cyber Security Awareness Month

October has been designated as National Cyber Security Awareness Month. Here are a few resources from the federal government on how to stay safe online:

  1. Department of Homeland Security’s Mobile Security Tip Card
  2. Department of Homeland Security’s Social Media Guide
  3. Department of Homeland Security’s Internet of Things Tip Guide
  4. National Cyber Security Alliance’s information on Malware & Botnets
  5. National Cyber Security Alliance’s information on Spam & Phishing
  6. National Cyber Security Alliance’s information on Hacked Accounts
  7. National Cyber Security Alliance’s information on Securing Your Home Network
  8. National Cyber Security Alliance’s information on Identity Theft, Fraud & Victims of Cybercrime
  9. National Cyber Security Alliance’s information on Passwords & Securing Your Accounts
  10. National Cyber Security Alliance’s information on Online Shopping
  11. National Cyber Security Alliance’s information on Backing Up Important Files
  12. National Cyber Security Alliance’s information on Internet Safety & Security Tips for Parents

More cyber security news and articles are available on StaySafeOnline.org’s blog.


Revised Uniform Fiduciary Access to Digital Assets Act

On September 28, 2015, the Uniform Law Commission released the final text of the Revised Uniform Fiduciary Access to Digital Assets Act (revised UFADAA). The original UFADAA was released in 2014.

For background on why the original UFADAA was revised, read the ULC’s document explaining the proposed changes to the original UFADAA. They also prepared a helpful chart comparing the original UFADAA, the revised UFADAA, and the Privacy Expectations Afterlife and Choices Act (PEAC Act). The PEAC Act was prepared by a coalition of Internet service providers and their lobbyists, and a version of it was enacted in Virginia. The revised UFADAA addresses and resolves concerns raised by some Internet service providers and some privacy advocates who initially opposed enactment of the original UFADAA.

The ULC Web site has a document explaining why your state should adopt the revised UFADAA, and more information about the enactment status of the revised UFADAA will be posted on the ULC Web site as it becomes available.


Remembering Gene Hennig

My friend and colleague, Gene Hennig, passed away on August 25, 2015. I had the privilege of working with Gene at two different law firms over the past 18 years.

Gene was a business law attorney at the Gray Plant Mooty law firm and was one of Minnesota’s commissioners to the Uniform Law Commission. In 2009, I started writing and speaking about an emerging area of law—estate planning for passwords, online accounts, and digital property. Gene thought that the current state laws didn’t adequately deal with these emerging issues, so Gene thought this would be a great topic for a new uniform state law. We co-authored and submitted a proposal to the Uniform Law Commission on May 31, 2011, for a uniform law on fiduciary powers and authority to access online accounts and digital property during incapacity and after death.

With Gene’s encouragement, the Uniform Law Commission appointed a Study Committee in January 2012 to consider this topic. Gene and I were both involved in that process, and the Study Committee presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee to prepare a uniform law on fiduciary access to digital assets, and Gene and I participated in that process together. The first reading of the Uniform Fiduciary Access to Digital Assets Act (UFADAA) was at the July 2013 Uniform Law Commission annual meeting.

Gene was diagnosed with a brain tumor in November of 2013, but he continued to stay actively involved in the drafting of UFADAA. On July 16, 2014, the Uniform Law Commission approved the final version of UFADAA at their annual meeting. Gene continued to be actively involved in encouraging enactment of UFADAA. On January 20, 2015, Gene and I testified together at the Civil Law and Data Practices Committee of the Minnesota House of Representatives to explain why UFADAA is needed in Minnesota. Our local Minnesota Channel 5 Eyewitness News ran a TV segment about it. At last count, 27 states had introduced legislation based on UFADAA.

The Uniform Law Commission approved a revised version of UFADAA at their July 2015 meeting, and the final text of the revised UFADAA is expected by October 2015. The draft version of the revised UFADAA and a discussion of the changes made by the revised UFADAA are available on the Uniform Law Commission Web site.

Gene lived a full and amazing life as a lawyer, a law professor at both William Mitchell College of Law and the University of St. Thomas School of Law, a Uniform Law Commissioner, a volunteer, a family man, a world traveler (visiting more than 60 countries!), and much more. You can read more about Gene’s life at the following Web sites:


Theft of Virtual Currency and Virtual Property

There can be significant financial value in digital property, and thieves have started to take notice. Below are a few recent news stories about stolen virtual currency and stolen virtual property.

In June 2015, armed robbers stole $1,100 worth of the popular virtual currency Bitcoin from a New York man. The man had advertised bitcoins for sale on Craigslist, and a potential buyer forced the man at gunpoint to transfer his bitcoins. This follows two other recent armed robberies in New York targeting bitcoins. In one of those robberies, a man was stabbed in an attempt to take his bitcoins. In the other robbery, $8,500 worth of bitcoins were taken at gunpoint. Because Bitcoin is anonymous—no name or Social Security number is connected to a Bitcoin address—it is more difficult for law enforcement to find the robbers.

In January 2015, Bitstamp—an online marketplace for buying and selling bitcoins—was compromised, and it appears that about $5.1 million of bitcoins were stolen. The compromise affected the company’s bitcoin reserves, but the bitcoins of their customers were not affected.

Also, a May 20, 2015, article by Kashmir Hill describes the theft of in-game virtual currency and virtual property from players of the online video game Diablo III. In 2012, thieves used a remote access tool to gain control of twenty to thirty computers used by other video game players, which allowed them to take the in-game virtual currency and property of those players. FBI agents tracked down the thieves, seized their computers, and arrested them on felony charges. The prosecutors alleged that the thieves sold the stolen in-game virtual currency and virtual property for over $8,000. In 2014, the thieves pleaded guilty to misdemeanor charges.
