In June of this year, the personal email account of a Twitter employee was accessed, apparently as a result of an insecure password. By Twitter’s own account, the unauthorized access to that account was the first in a series of actions that ultimately gained the hacker (who calls himself “Hacker Croll”) access to Twitter corporate documents that were maintained on Google Apps.
The documents ranged from executive meeting notes, partner agreements, financial projections and sensitive personal information such as credit card numbers, to more mundane items such as the meal preferences, calendars and phone logs of various Twitter employees.
The hacker eventually sent the documents to tech blog TechCrunch, which decided to post some but not all of them. They are online here, here and here. Soon, a debate raged about whether or not TechCrunch was right to post the documents.
The Twitter files in question aren’t exactly the Pentagon Papers, but their dissemination — and the resulting controversy — may help clarify whether blogs and bloggers are journalists.
Before getting to that issue, a brief and very general survey of the legalities involved in unauthorized access to corporate documents may be helpful background. There are several bodies of law that may be implicated by the scenario outlined in Twitter’s account of the incident.
According to Twitter, the documents sent to TechCrunch were obtained through unauthorized access to an employee’s email account, followed by unauthorized access to other email and online accounts. There are a number of federal and state enactments that the hacker may have violated by accessing those accounts without authorization.
Unauthorized access to electronic communications such as stored email (as opposed to email that is “intercepted” in transit) is covered by the federal Stored Communications Act (SCA). Violations of the Act may result in a criminal prosecution or a civil action for damages. In addition, many states have enacted laws that are similar to the federal statute.
Unauthorized access to a computer is largely covered under the federal Computer Fraud and Abuse Act (CFAA), which makes unauthorized access a crime under specified circumstances. Like the SCA, the CFAA permits a person (which includes a corporation or other entity) who suffers damage or loss by such access to bring a civil action for damages and an injunction.
As is the case with the SCA, there is an extensive body of law that relates to the CFAA, as well as a number of important, outstanding disagreements about how it applies. For example, when copies of electronic documents are obtained via unauthorized access to a computer network and the original documents are neither damaged nor destroyed, there is a question as to whether there was either “damage” or “loss” within the meaning of certain sections of the CFAA.
Many, if not most, states have computer crime statutes that potentially cover the kind of unauthorized access alleged by Twitter. These enactments may be similar to the federal statute, but they can be more broadly applicable. For example, Section 502 of the Penal Code of California (where Twitter’s main office is located), like the federal statute, criminalizes certain acts of unauthorized access to computer systems and similarly provides for a civil right of action.
That said, an incident might fall under the unauthorized computer access statute of more than one state. A prosecutor in a particular state might seek to bring charges based on the location of the hacker at the time of the unauthorized access, or the location of the server or servers upon which the email account or accounts were hosted.
According to TechCrunch, which documented extensive discussions with Hacker Croll, the attacker is French, and thus may be operating from outside the U.S. If that’s the case, while U.S. laws may still apply to the hacker’s conduct, either criminal prosecution or a civil action may be more difficult to maintain as a practical matter.
Unauthorized access to corporate information in general (regardless of the manner in which the items were obtained) may constitute trade secret misappropriation. A secret formula or process such as the closely guarded recipe for making the Coca-Cola soft drink is what most people probably think of as a trade secret. Most states have enacted some version of the Uniform Trade Secrets Act (UTSA), which defines the term very broadly to include not only a secret process or formula but also any other “information” that has economic value as a result of being kept secret. Corporate documents containing information that would be valuable to a competitor, such as business plans and non-public financial information, can fit that definition under the proper circumstances. The UTSA provides for a civil action for unlawful access to trade secrets.
There is also a federal statute, the Economic Espionage Act of 1996 (EEA), that criminalizes the theft of trade secrets. The federal statute is broader than state trade secret misappropriation laws in some respects, and narrower in others. The EEA expressly covers “all forms and types of financial…information,” and violations may result in 10 years in prison and up to a $250,000 fine.
But in a case of “domestic” trade secret theft, there must be a showing of intent to economically benefit a person other than the rightful owner of the trade secret. Hacker Croll has denied having any intent of that nature. If that is the case, then the EEA may not apply. On a related note, it has also been suggested that the California law criminalizing the receipt of stolen property may apply to this incident.
Some of the information obtained via the Twitter hack appears to pertain to individuals, such as documents discussing individuals who had applied to Twitter for jobs. This information is both personal to the individual and potentially proprietary to a corporation. Some states allow a right of action for public disclosure of private facts, where private information which is not of public concern, and which would be highly offensive to a reasonable person, is publicly disseminated. This right of action might come into play if the information was posted publicly, either by the hacker or by TechCrunch. But it is not clear that applying for a job is the kind of embarrassing personal information usually involved in such a lawsuit, and it could be argued that such information is of legitimate public interest, at least with respect to some individuals.
In any event, TechCrunch apparently decided not to post any of the personal information included in the documents. The site said it would only post “information that is relevant to Twitter’s business, particularly product notes and financial projections….” TechCrunch editor Michael Arrington discussed his reasoning in an interview with the New York Times in which he stated that he had been working with Twitter to determine which documents to publish.
The discussion of potentially applicable laws is speculative, and will remain speculative unless Twitter decides to take legal action against the hacker or TechCrunch, or if federal or state authorities decide to prosecute Hacker Croll. In either event, press shield laws and the First Amendment are likely to come into play.
Confidential Information and the First Amendment
As previously noted, the Twitter documents aren’t exactly the Pentagon Papers, but in some respects the same issues are involved. TechCrunch is taking the position that, regardless of the manner in which the hacker obtained them, the documents are of legitimate public interest and that posting them is protected by the First Amendment. The U.S. Supreme Court has ruled that the interest in privacy of information can be outweighed by the public interest in the dissemination of truthful information about matters of public importance.
See, for example, the court’s opinion in Bartnicki v. Vopper, 532 U.S. 514 (2001), which involved a radio station that played a recording of a phone conversation about school district labor negotiations. The tape was made illegally by an unknown third party and sent to the station anonymously. It’s important to note that the court specifically stated it was not ruling on whether the same analysis would apply to a case involving a disclosure of trade secrets.
The issue of trade secrets has arisen on more than one occasion in the last several years with respect to Apple Inc.‘s continuing efforts to protect its trade secrets from disclosure. One case was settled with an agreement by the operator of the Think Secret blog to shut down his website, albeit without disclosing the source(s) of his information.
In another case, Jason O’Grady, the operator of Powerpage.org, dug in his heels and refused to reveal the source of confidential information about a potential new Apple product release. Apple chose not to sue O’Grady for posting the information. Instead, it brought suit against unknown “John Doe” parties it suspected of leaking the information to O’Grady and served a subpoena on O’Grady seeking information that would lead to their identities. O’Grady claimed protection under the California press shield law and the First Amendment.
In a precedent-setting opinion, the California Court of Appeals ruled in O’Grady v. Superior Court that by engaging in “open and deliberate publication on a news-oriented website of news gathered for that purpose,” O’Grady was a “publisher” and his “online news magazine” was a “publication” within the meaning of the California press shield law — even though the site did not have a regular publication schedule. The court also found that the source of the information was protected from disclosure under the First Amendment, despite the fact that Apple claimed it was protected by trade secret law. The court ruled that there was a “legitimate public interest” in information about a potential new product release under the circumstances presented.
The O’Grady case is of particular interest with respect to the posting of the Twitter documents because TechCrunch is located in California, and any legal action to obtain information about the identity of “Hacker Croll” is likely to take place in a court that would apply California law.
Are All News Sites Created Equal?
The O’Grady opinion offers much to consider when debating whether TechCrunch’s actions would fall under the protection of the California press shield law. Despite the broad language used in O’Grady to apply the California press shield law, and the resulting headlines claiming that the ruling extended First Amendment protection to a blogger, the California court expressly reserved any findings on that issue. It has yet to be resolved in any definitive way.
The court stated that while Powerpage.org arguably was a blog, the term had an “amorphous” and unsettled meaning. The court chose instead to treat the site as an “emagazine,” “ezine” or “webzine” because of its “multiple staff members and other factors,” including the non-reverse-chronological manner in which the site was laid out. In contrast, TechCrunch is avowedly a blog and its reverse chronological presentation of material falls within the commonly accepted definition of a blog.
The result is that if TechCrunch is served with a subpoena issued from a California court seeking information on Hacker Croll, the courts may be forced to rule on whether blogs and bloggers, at least some of them, are “press” and therefore entitled to the protection of the California shield law.
Jeffrey D. Neuburger is a partner in the New York office of Proskauer Rose LLP, and co-chair of the Technology, Media and Communications Practice Group. His practice focuses on technology and media-related business transactions and counseling of clients in the utilization of new media. He is an adjunct professor at Fordham University School of Law teaching E-Commerce Law and the co-author of two books, “Doing Business on the Internet” and “Emerging Technologies and the Law.” He also co-writes the New Media & Technology Law Blog.