[Originally published in _Internet_World_, Jan./Feb. 1994.]


When Copying Isn't Theft:
How the Government Stumbled in a "Hacker" Case


By Mike Godwin




As more and more private individuals and private companies connect to the
Internet, more and more of them will generate or use their intellectual
property there. And since not everyone is familiar with the legal
distinctions between so-called "intellectual property" and everyday
tangible property, there will be more and more discussion of how
infringement of intellectual property amounts to "online theft."


But the law of intellectual property is not so simple as Usenet
discussions may lead you to believe. Assuming that your information is
"property" (when in fact it may not be property at all) may lead you to a
false sense of security about how much the law protects your interest in
that information. This article discusses one computer-crime case, United
States v. Riggs, that illustrates how even well-trained federal
prosecutors can grow confused about how to apply intellectual-property
law--especially the law of trade secrets. In particular, it shows what can
happen when prosecutors uncritically apply *intellectual* property notions
in prosecuting a defendant under laws passed to protect *tangible*
property.


Big Phrack Attack


In the recent case of U.S. v. Riggs, the Chicago U.S. Attorney's office
prosecuted two young men, Robert Riggs and Craig Neidorf, on counts of
wire fraud (18 U.S.C. 1343), interstate transportation of stolen property
(18 U.S.C.  2314) and computer fraud (18 U.S.C. 1030).  Of these statutes,
only the last was passed specifically to address the problems of
unauthorized computer intrusion; the other two are "general purpose"
federal criminal statutes that are used by the government in a wide range
of criminal prosecutions.  One element of the wire-fraud statute is the
taking (by fraudulent means) of "money or property," while the
interstate-transportation-of-stolen-property (ITSP) statute requires,
naturally enough, the element of "goods, wares, merchandise, securities or
money, of the value of $5,000 or more."


(I don't discuss here the extent to which the notions of "property" differ
between these two federal statutes.  It is certain that they do differ to
some extent, and the interests protected by the wire-fraud statute were
expanded in the 1980s by Congress to include Rthe intangible right to
honest services.S 18 U.S.C. 1346..  Even so, the prosectuion in the Riggs
case relies not on 1346, but on intellectual-property notions, which are
the focus of this article.)


The computer-intrusion counts against Neidorf were dropped in the
governmentUs June 1990 superseding indictment, the indictment actually
used at NeidorfUs trial in July 1990. Probably this was due to the
government's realization that it would be hard to prove beyond a
reasonable doubt that Neidorf had any direct involvement with any actual
computer breakin.


The Riggs case is based on the following facts: Robert Riggs, a computer
"hacker" in his early '20s, discovered that he could easily gain access to
an account on a computer belonging to Bell South, one of the Regional Bell
Operating Companies (RBOCs).  The account was highly insecure--access to
it did not require a password (a standard, if not always effective,
security precaution).  While exploring this account, Riggs discovered a
word-processing document detailing procedures and definitions of terms
relating the Emergency 911 system ("E911 system").  Like many hackers,
Riggs had a deep curiosity about the workings of this country's telephone
system. (This curiosity among young hackers is a social phenomenon that
has been documented for more than 20 years. See, e.g., Rosenbaum, "Secrets
of the Little Blue Box," Esquire, October 1971; and Barlow, "Crime and
Puzzlement: In Advance of the Law on the Electronic Frontier," Whole Earth
Review, September 1990.)


Riggs knew that his discovery would be of interest to Craig Neidorf, a
Missouri college student who, while not a hacker himself, was an amateur
journalist whose electronically distributed publication, Phrack, was
devoted to articles of interest to computer hackers.  Riggs sent a copy of
the E911 document to Neidorf over the telephone, using computer and modem,
and Neidorf edited the copy to conceal its origin.  Among other things,
Neidorf removed the statements that the information contained in the
document was proprietary and not for distribution.  Neidorf then sent the
edited copy back to Riggs for the latter's review; following RiggsUs
approval of the edited copy, Neidorf published the E911 document in the
February 24, 1989, issue of Phrack.  Some months following publication of
the document in Phrack, both Riggs and Neidorf were contacted and
questioned by the Secret Service, and all systems that might contain the
E911 document were seized pursuant to evidentiary search warrants.


Riggs and Neidorf were indicted under the statutes discussed above; Riggs,
whose unauthorized access to the BellSouth computer was difficult to
dispute, later pled guilty to wire fraud for that conduct.  In contrast,
Neidorf pled innocent on all counts, arguing, among other things, that his
conduct was protected by the First Amendment, and that he had not deprived
Bell South of property as that notion is defined for the purposes of the
wire fraud and ITSP statutes.


The two defenses are closely related.  Under the First Amendment, the
presumption is that information is free, and that it can readily be
published and republished.  For this reason, information "becomes
property" only if it passes certain legal tests.  This means that law
enforcement cannot simply assume that whenever information has been copied
from a private computer system a theft has taken place.


But in Neidorf's case, as it turns out, this is essentially what the
Secret Service and the U.S. Attorney's office did assume. And this
assumption came back to haunt the government when it was revealed during
trial that the information contained within the E911 document did not meet
any of the relevant legal tests to be established as a property interest.


How information becomes stealable property.


In order for information to be stolen property, it must first be property.
There are only a few ways that information can qualify as a property
interest, and two of these--patent law and copyright law--are entirely
creations of federal statute, pursuant to an express Constitutional grant
of legislative authority. (U.S. Constitution, Article I, Sec. 8, clause
8.)  Patent protections were clearly inapplicable in the Neidorf case; the
E911 document, a list of definitions and procedures, did not constitute an
invention or otherwise patentable process or method.  Copyright law might
have looked more promising to Neidorf's prosecutors, since it is well
established that copyrights qualify as property interests in some contexts
(for example, your uncle's copyright interest in his novel can be
bequeathed to you as "personal property" through a will).


Unfortunately for the government, the Supreme Court has explicitly stated
that copyrighted material is not property for the purposes of the ITSP
statute.  In Dowling v. United States, 473 U.S. 207 (1985), the Court held
that interests in copyright are outside the scope of the ITSP statute.
(Dowling involved a prosecution for interstate shipments of pirated Elvis
Presley recordings.)  In reaching its decision, the Court held, among
other things, that 18 U.S.C. ' 2314 contemplates "a physical identity
between the items unlawfully obtained and those eventually transported,
and hence some prior physical taking of the subject goods."   Unauthorized
copies of copyrighted material do not meet this "physical identity"
requirement.


The Court also reasoned that intellectual property is different in
character from property protected by generic theft statutes: "The
copyright owner, however, holds no ordinary chattel.  A copyright, like
other intellectual property, comprises a series of carefully defined and
carefully delimited interests to which the law affords correspondingly
exact protections."  The Court went on to note that a special term of art,
"infringement," is used in reference to violations of copyright
interests--thus undercutting any easy equation between unauthorized
copying and "stealing" or "theft."


It is clear, then, that in order for the government to prosecute the
unauthorized copying of computerized information as a theft, it must rely
on other theories of information-as-property.  Trade-secret law is one
well-established legal theory of this sort.  Another is the
breach-of-confidence theory articulated recently by the Supreme Court in
Carpenter v. United States, 108 S.Ct. 316 (1987). I will discuss each
theory in turn below.
 
Trade Secrets


Unlike copyrights and patents, trade secrets are generally created by
state law, and most jurisdictions have laws that criminalize the
violations of a trade-secret holder's rights in the secret. There is no
general federal definition of what a trade secret is, but there have been
federal cases in which trade-secret information has been used to establish
the property element of a federal property crime. In the 1966 case of
United States v. Bottone (365 F.2d 389, cert denied, 385 U.S. 974 (1966)),
for example, the Second Circuit Court of Appeals affirmed ITSP convictions
in a case involving a conspiracy to steal drug-manufacturing bacterial
cultures and related documents from a pharmaceutical company and sell them
in foreign markets.


But the problem in using a trade secret to establish the property element
of a theft crime is that, unlike traditional property, information has to
leap several hurdles in order to be established as a trade secret.


Trade secret definitions vary somewhat from state to state, but the
varying definitions typically have most elements in common.  One good
definition of "trade secret" is outlined by the Supreme Court in Kewanee
Oil Co. v. Bicron Corp., 416 U.S. 470 (1974): "a trade secret may consist
of any forumula, pattern, device or compilation of information which is
used in one's business, and which gives one an opportunity to obtain an
advantage over competitors who do not know or use it.  It may be a formula
for a chemical compound, a process of manufacturing, treating or
preserving materials, a pattern for a machine or other device, or a list
of customers."  The Court went further and listed the particular
attributes of a trade secret:


* The information must, in fact, be secret--"not of public knowledge or of
general knowledge in the trade or business."
* A trade secret remains a secret if it is revealed in confidence to
someone who is under a contractual or fiduciary obligation, express or
implied, not to reveal it.
* A trade secret is protected against those who acquire via unauthorized
disclosure, violation of contractual duty of confidentiality, or through
"improper means." ("Improper means" includes such things as theft,
bribery, burglary, or trespass. The Restatement of Torts at 757 defines
such means as follows: "In general they are means which fall below the
generally accepted standards of commercial morality and reasonable
conduct.")
* A court will allow a trade secret to be used by someone who discovered
or developed the trade secret independently (that is, without taking it in
some way from the holder), or if the holder does not take adequate
precautions to protect the secret.
* An employee or contractor who, while working for a company, develops or
discovers a trade secret, generally creates trade secret rights in the
company.


The holder of a trade secret may take a number of steps to meet its
obligation to keep the trade secret a secret.  These may include: 
a) Labelling documents containing the trade secret "proprietary" or
"confidential" or "trade secret" or "not for distribution to the public;"
b) Requiring employees and contractors to sign agreements not to disclose
whatever trade secrets they come in contact with;  
c) destroying or rendering illegible discarded documents containing parts
or all of the secret, and;
d) restricting access to areas in the company where a nonemployee, or an
employee without a clear obligation to keep the information secret, might
encounter the secret. (See Dan Greenwood's Information Protection Advisor,
April 1992, page 5.)


Breach-of-confidence


Even if information is not protected under the federal patent and
copyright schemes, or under state-law trade-secret provisions, it is
possible, according to the Supreme Court in Carpenter v. United States,
for such information to give rise to a property interest when its
unauthorized disclosure occurs via the breach of confidential or fiduciary
relationship.  In this case, R. Foster Winans, a Wall Street Journal
reporter who contributed to the Journal's "Heard on the Street" column,
conspired with Carpenter and others to reveal the contents of the column
before it was printed in the Journal, thus allowing the conspirators to
buy and sell stock with the foreknowledge that stock prices would be
affected by publication of the column.  Winans and others were convicted
of wire fraud; they appealed the wire-fraud convictions on the grounds
that had not deprived the Journal of any money or property.


It should be noted that this is not an "insider trading" case, since
Winans was no corporate insider, nor was it alleged that he had received
illegal insider tips.  The "Heard on the Street" column published
information about companies and stocks that would be available to anyone
who did the requisite research into publicly available materials.  Since
the information reported in the columns did not itself belong to the
Journal, and since the Journal planned to publish the information for a
general readership, traditional trade secret notions did not apply.  Where
was the property interest necessary for a wire-fraud conviction?


The Supreme Court reasoned that although the facts being reported in the
column were not exclusive to the Journal, the Journal's right--presumably
based in contract--to Winan's keeping the information confidential gave
rise to a property interest adequate to support a wire-fraud conviction.
Once the Court reached this conclusion, upholding the convictions of the
other defendants followed: even if one does not have a direct fiduciary
duty to protect a trade secret or confidential information, one can become
civilly or criminally liable if one conspires with, solicits, or aids and
abets a fiduciary to disclose such information in violation of that
person's duty.  The Court's decision in Carpenter has received significant
criticism in the academic community for its expansion of the contours of
"intangible property," but it remains good law today.


How the theories didn't fit


With these two legal approaches--trade secrets and breach of
confidence--in mind, we can turn back to the facts of the Riggs case and
see how well, or how poorly, the theories applied in the case of Craig
Neidorf.


With regard to any trade-secret theory, it is worth noting first of all
that the alleged victim, BellSouth, is a Regional Bell Operating
Company--a monopoly telephone-service provider for a geographic region in
the United States.  Remember the comment in the Kewanee Oil case that a
trade secret "gives one an opportunity to obtain an advantage over
competitors who do not know or use it"?  There are strong arguments
that--at least so far as the provision of Emergency 911 service
goes--BellSouth has no "competitors" within any normal meaning of the
term.  And even if BellSouth did have competitors, it is likely that they
would both know and use the E911 information, since the specifications of
this particular phone service are standardized among the regional Bells.


Moreover, as became clear in the course of the Neidorf trial, the
information contained in the E911 document was available to the general
public as well, for a nominal fee. (One of the dramatic developments at
trial occurred during the cross-examination of a BellSouth witness who had
testified that the E911 document was worth nearly $80,000.  Neidorf's
counsel showed her a publication containing substantially the same
information that was available from a regional Bell or from Bellcore, the
Bells' research arm, for $13.to any member of the public that ordered it
over an 800 number.) Under the circumstances, if the Bells wanted to
maintain the E911 information as a trade secret, they hadn't taken the
kind of steps one might normally think a keeper of a secret would take.


BellSouth had, however, taken the step of labelling the E911 document as
"NOT TO BE DISCLOSED OUTSIDE OF BELLSOUTH OR ITS SUBSIDIARIES" (it was
this kind of labelling that Neidorf attempted to remove as he edited the
document for publication in Phrack).  This fact may have been responsible
for the federal prosecutors' oversight in not determining prior to trial
whethe E911 document actually met the tests of trade-secret law.  It is
possible that prosecutors, unfamiliar with the nuances of trade-secret
law, read the "proprietary" warnings and, reasonining backwards, concluded
that the information thus labelled must be trade-secret information.  If
so, this was a fatal error on the government's part.  In the face of
strong evidence that the E911 document was neither secret nor
competitively or financially very valuable, any hope the government had of
proving the document to be a trade secret evaporated. 


(It's also possible that the government reasoned that the E911 information
could be used by malicious hackers to damage the telephone system in some
way. The trial transcript shows instances in which the government
attempted to elicit information of this sort. It should be noted, however,
that even if the information did lend itself to abuse and vandalism, this
fact alone does not bring it within the scope of trade-secret law.) 


Nor did the facts lend themselves to a Carpenter-like theory based on
breach of confidence; Neidorf had no duties to BellSouth not to disclose
its information.  Neither did Riggs, from whom Neidorf acquired a copy of
the document.  The Riggs case lacks the linchpin necessary for a
conviction based on Carpenter--in order for nonfiduciaries to be
convicted, there must be a breaching fiduciary involved in the scheme in
some way.  There can be no breach of a duty of confidence when there is no
duty to be breached.


Thus, when its trade-secret theory of the E911 document was demolished in
mid-trial, the government had no fall-back theory to rely on with regard
to its property-crime counts, and the prosecution quickly sought a
settlement on terms favorable to Neidorf, dropping prosecution of the case
in return for Neidorf's agreement to a pre-trial diversion on one minor
count. 


The lesson to be learned from Riggs is that it is no easy task to
establish the elements of a theft crime when the "property" in question is
information.  There are good reasons, in a free society, that this should
be so--the proper functioning of free speech and a free press require that
information be presumptively free, and that the publication of information
be presumptively protected from regulation by the government or by private
entities invoking the civil- or criminal-law property protections.  The
government in Riggs failed in its duty to recognize this presumption by
failing to make the necessary effort to understand the intellectual
property issues of the case.  Had it done so, Neidorf might have been
spared an expensive and painful trial, and the government might have been
spared a black eye.*


*See, e.g., "Score One for the Hackers of America," NEWSWEEK, Aug. 6 1990,
page 48, and "Dial 1-800 ... for BellSouth 'Secrets'," COMPUTERWORLD, Aug.
6, 1990, page 8.


_______________________________________________


Mike Godwin, a 1990 guaduate of the University fo Texas School of Law, is
legal services counsel for the Electronic Frontier Foundation. EFF filed
an amicus curiae brief in the Neidorf case, arguing that Neidorf's
attempted publication of the E911 document was protected speech under the
First Amendment. Godwin received a B.A. in liberal arts from the
University of Texas at Austin in 1980. Prior to law school, Godwin worked
as a journalist and as a computer consultant.