October 14, 2003  ·  Lessig

So imagine this: An employee works for a software company. He discovers a problem with the software, tries to warn the company, but it does nothing. He quits, and then sends email to all the customers of the company, informing them of the security problem with the software. The flood of emails brings the email server down for a bit, but that admittedly does not cause significant damage. Nonetheless, the employee is criminally prosecuted for causing an “impairment to the integrity” of a computer system (by revealing its flaws) which resulted in more than $5,000 in damage (because now it was known to be flawed).

The employee is found guilty. He is sentenced and serves (yes, he actually serves) 16 months in a federal prison.

In America, you ask? Well, in fact, yes — justice in the Central District of California. But it gets better.

On appeal, the employee retains Jennifer Granick, executive director of Stanford’s Center for Internet and Society. She argued the obvious point: it can’t be “damage” to tell the truth about some company’s software — however ugly that truth might be.

Today the government agreed. In an extraordinary (and extraordinarily rare move) it confessed error. “On futher review,” the government wrote, “in light of defendent’s arguments on appeal, the government believes it was error to argue that defendant intended an ‘impairment’ to the integrity of [X's] computer system.” The government asked that the conviction be vacated.

“In light of defendant’s arguments on appeal.”

Indeed, America: Where defendants sometimes get great lawyers, and where governments let justice admit it is wrong.

I am proud, and moved, by both.

  • http://home.uchicago.edu/~kldavis/weblog/ste.html Karl

    A great story. It’s a shame that the system failed so woefully at first, but hopefully more good can come of this.

    -kd

  • http://houseoftom.com tom

    Having a hard time getting past the whole “16 months in a federal prison.” Yeah, it’s great that the justice systems will admit error, but if I had just spend 16 months in a federal prison, an apology wouldn’t suffice.

  • John S

    I wonder what happened in the original trial in the district court. That is, did his previous lawyer not make the same arguments that Jennifer Granick made, or did the court just disagree with those arguments last time?

  • http://www.aaronsw.com/ Aaron Swartz

    Following up on John S’s question, I thought the appeals courts could only review issues that you attempted to raise in district court.

    That aside, it’s a heartwarming victory.

  • Paul Clarke

    Aren’t there some parallels between “telling the truth” about a computer system, which was found to be legally protected here, and “exposing flaws in” a computer system, as is sometimes used as justification for prosectution under the DMCA? This would seem (in my untrained judgement) to weaken the broad reach of the DMCA. Am I off base?

  • http://pobox.com/~joehall joe

    …if only everyone had such good representation.

  • http://www.nerdylorrin.net Lorrin

    I’ll second Tom’s comments — after 16 months served for not doing anything wrong all he gets is an apology?

  • Michael Chermside

    That’s wonderful news, because I had followed the original case (well, the original decision) with horror. To reverse it on appeal would be good. To have the prosecutorial side declare, in such a dramatic fashion, that they were wong, is even better. A little of my (often badly tarnished) faith in the system has been restored.

  • gd

    Recall: Jennifer Granick for governor!

  • Dev

    Since he served 16 months unjustly, can he now commit 16 months worth of crimes and get off scott free?

  • Andrew Klausmeyer

    Amidst the torrential flood, and freeze-dried case file, Granick and her team come through! Go basement!

  • Hag

    Pays to have a good defense attorney in situations like this.

  • Anonymous

    Unfortunately, defendants getting great lawyers and justice admitting that it’s wrong are things that rarely ever happen in America. If 2600 were accused of impairing the integrity of a computer system for discussing an exploit in their magazine, do you think the judge would care that they were telling the truth? If so much as a single person hacked into the vulnerable system and caused more than $5,000 damage, do you not think the judge would see that as real damage and attribute it to 2600? The law can be abused in all kinds of ways.

  • Rob

    I am going to assume that Prof. Lessig’s tongue was firmly in his cheek in his praise for the government’s begruding admission of error long after the fact. I know I am appalled and dismayed (and yet not at all surprised) that the legal system would convict someone falsely, let them serve their full sentence with all the devastation of their lives that that entails, and then finally own up to a mistake only after an appeals trial. What a travesty.

    I would say that we must ensure that this never happens again, but as the Cigarette Smoking Man said in the X-Files, “it’s done every day.”

  • Anonymous

    G’day Lawrence,

    I’m sorry but I can see very little reason for “pride” in any aspect of this case or its eventual outcome. My perspective (refreshingly an Australian one, where we possess a British-derived legal system that exhibits at least some separation of powers between the judiciary and the legislature (lawyers and politicians for short) ) is that this whole sorry affair is yet another sad indictment on the nature of the US legal system.

    Presumably, experiences such as these are characteristic of the so-called system of “American justice” that President George W. Bush seems so keen of late to export and promote to other parts of the world!

    Frankly, over the last few decades, the US has built itself into an incredibly litigious society where obvious errors of law seem par for the course, and only those priveleged few with the means to afford proper legal representation are likely to achieve a just outcome. Does this sound like “justice”? It’s certainly not the kind of system I’d like to see here any time soon, or of which I could comprehend anyone feeling proud.

    Basically from what I have read and understood a prima facie case could be made that the federal agents perjured themselves to achieve the original conviction. If the US justice system really is fair and equitable, it would now pursue those responsible for the frivolous original prosecution with the same vigour as that brought upon the now-exonerated defendent (victim?).

    Call me when it happens. I won’t hold my breath.

    Regards, Dave

  • http://the-goddess.org/blog/index.html Morgaine Swann

    16 Months for writing an email and crashing a server? Does this seem excessive to anyone else?

    How about being ordered to pay restitution? How about probation? How about a stern “Don’t do that again” ?

    How about laughing these turkeys out of court because they should have thanked the guy for helping them improve their crappy product?!

    I see a massive civil suit in the offing. I also see a serious lack of common sense in our legal system.

  • Xavier

    Dave,
    I agree almost entirely with your last three paragraphs. However, the US legal system is in fact derived from English common law and does indeed have a fair degree of separation between the judiuciary and the legislature. Dr. Lessig could I’m sure tell you more about how this works out in practice, but the only legislative power our courts have is that of interpreting law and setting precedent. Likewise, the only judicial power our lawmakers have is that they must approve the appointment of judges in certain courts.

  • bono

    Apparently, it’s very easy to offer general criticisms of our legal system. It’s not perfect, doesn’t even come close. There is a lot of truth to what people have posted.

    But there’s also truth to Lessig’s post. What should not be overlooked here are the following:

    1. Pro bono. This is not a case in which a wealthy defendant hired a high priced attorney, who was able to get the defendant off on some technicality. J. Granick’s and CIS’s work is done pro bono. Anyone who has a worthy case in her field can potentially get representation. Although probably not enough attorneys do pro bono work, thousands across the country do significant pro bono work. Their efforts often go unrecognized and unreported. It’s just wrong to indict the entire system or ignore the hard work and dedication of many great attorneys who work pro bono (not to mention those who work for public interest, legal services, or indigent clients).

    2. The government. The aggressive kind of prosecution at the trial level cannot be defended. On appeal, the government has admitted its error. It is truly unfortunate it took this long for the government to realize its position was untenable, and only after the defendant served out his 16 mos. term. It is certainly appropriate to criticize the government for its position and prosecution at trial.

    But we also should not forget — and here I take Lessig’s post as sincere — that the government has taken the extraordinary step of admitting error and asking to vacate the conviction. Had they not taken that step, who knows what would have happened on appeal. Our criminal justice system is admittedly not perfect. In fact, here, a huge error was made by the government and the court below. But people should not undervalue the importance of having prosecutors who admit they’ve erred when they realize it. It takes integrity of person to voluntarily admit those mistakes. I know, this time it took at least 16 months too long for the defendant. Better late than never.

  • http://www.safdar.net Shabbir

    What’s cool is that we can see now what an important precedent this sets, and we should all be thankful that Ms. Granick took this case. (She could choose not to practice anymore, but that would deprive the world of her talents)

  • http://ctl.ncsc.dni.us Jim McMillan

    I believe that John Edwards has already done a stint on Professor Lessig’s blog last spring. Anyway, the good Professor should also be congratulated on his excellent article in Wired Magazine on blogs that was just published.

  • bob

    What I am wondering is what the government had to gain by backing off? What precedent would have been set? What issue would have become a nuisance?

    The reason I ask is that I NEVER see prosecutors back off a conviction. What I see is “Hey, that negative DNA test doesn’t mean he’s innocent. He probably had an accomplice….”

  • http://www.polaprints.com/blog Sophie

    If I find a flaw in a car or bicycle design or whatever, the product itself gets recalled and fix installed.

    If I find a flaw in a program, I get procecuted? So wrong.. So wrong that he lost 16 months of his life.

  • Anonymous

    So I assume that this guy is going to be compensated for the 16 months he was deprived of his freedom? Can 16 months of incarceration be deleted from one’s mind and time rolled back to the beginning of those 16 months?

    I wouldn’t call that justice at all.

    I think all members of the government’s prosecution team should be taken to jail for the same amount of time. They’ll be more careful next time.

  • Kevin

    Why company X?

    X = Tornado Development (from link in original post)

    “Kevin Torf founded Tornado Development in 1995″
    http://www.wirelessweek.com/index.asp?layout=article&articleid=CA37334

    Now let’s have a home phone number

  • Me

    Hey Lessig,

    Got anything on the FCC’s assault on fair-use rights with the HDTV copy protection bit yet?

  • Anonymous

    I greatly enjoyed Prof. Lessig’s article on blogs in Wired. It is amazing how blogs have become so much of a force in the presidential campaigns. I really enjoy Edwards new blog – Blog.JohnEdwards2004.com – and the postings from Mrs. Edwards. I was on there earlier and was pleased to see that Sen. Edwards does not support the blank, $87B check to Pres Bush.

  • dilly77

    Speaking of great lawyers, shout out to Prof. Lessig for blogging the Edwards blog earlier this month. Edwards might have been a little late to the blog game, but he’s getting a pretty lively discussion going over there now. Thanks for helping make people aware.

  • harold

    Though off topic a bit, I am totally with you on the 87 billion deal. I am certainly not huge political guy but this iraq reconstruction makes me incredibly nervous. I don’t know too much about Edwards but if he is against this enormous and,it seems not planned out, package, then he has his head on his shoulders and is thinking right about not supporting it.

  • Anonymous

    as soon as i rack up enough points i am so moving to canada.

  • http://the-goddess.org/blog/index.html Morgaine Swann

    You do realize that a significant chunk ot the $87 B is going to benefit Halliburton, Right? And that Cheney still has stock options with them? And that Halliburton just billed the US Gov’t $300 Million for gasoline in Iraq – that’s 1.65 per gallon in a country where gasoline costs between 4 and 15 CENTS per Gallon?

  • Cypherpunk

    It’s actuallly a pretty interesting case.

    McDanel did a couple of things that were really dumb. The first was crashing his former employer Tornado’s email system by flooding it. This is malicious and he was just lucky that the company didn’t manage to put together a case that by themselves his three flood attacks caused the requisite $5000 in damage.

    Second, he wanted to inform the customers about a vulnerability in the Tornado software that might put the customer’s confidential data at risk, a laudable goal. But by its nature, there is no way to distribute that kind of information without also informing the bad guys of the possible exploit. This is a current hot topic in the vulnerability community. The emerging consensus is that the right thing to do is to inform the company that you are going public with the information and give them a reasonable advance notice, of perhaps two to a few weeks. McDanel did not do so, apparently, and although he had tried to get the company to fix its problems while an employee, they had no way to know that once he left he would go public with the data.

    Going beyond what is right and wrong here, as a practical matter it was foolish for McDanel to associate his name with his actions by including in his warning email links to a web site he controlled. I would suggest that he should have posted the information anonymously, if he decided it needed to be propagated. This accomplishes his goals and would have protected him against his 16 months in prison.

    I should add BTW that based upon personal experience I agree that Jennifer Granick is worth her weight in gold!

  • http://www.jzip.org/ adamsj

    But also as a practical matter, how much credibility is gained by signing your own, real, honest-to-god-and-in-the-tradition-of-civil-disobedience-I-am-willing-to-be-held-accountable-for-my-actions name?

  • http://www.mcdavidmeek.com/weblog/private_investigator_blog.html Toxey

    I find this story shocking. Not that he was released… it was inevitable that somewhere in the appeals process this insane sentence would have to be amended. I’m shocked that it ever got this far in the first place! I understand the company’s need to protect it’s interests, but I can’t imagine how this was not classified as a CIVIL matter. The fact that this continued through the entire criminal trial process, and no one said “Hey! Doesn’t this seem entirely wrong?” is amazing! Apology Shmology! This poor sod needs to take somebody “to the cleaners” for stealing 16 months of his life. Sheesh!

  • No one

    In response to cypherpunk…

    McDanel did contact managment on several occasions prior to sending the emails out. There were weblogs on his system from Tornado staff visiting his page prior to him informing anyone about the problem.

    McDanel included a solution to this problem, to not click on links in email, but instead cut and paste the url into a new browser. The problem had to do with HTTP_REFERER information, Tornado claimed that the *name* of a CGI variable that appeared on the location bar as part of the url was a *trade secret* at one point!!! I have a hard time seeing how anything in the url that you can see is in any way secret or confidential.

    McDanel sent emails at a rate of 10 wait 1.5 seconds then 10 more.. This works out to about 6.67/second. The system logs prove that the system had no cpu problems until after admins logged in and shut sendmail (as well as pop3, and httpd) down. As soon as they shut sendmail down no amount of sending mail will cause any cpu load. They did this to delete the already delivered emails (in violation of 18 USC 2701). He did not crash the email server, there was even testimony that people read the email first, then made the decision to take the system down to delete the email.

  • chris

    Lessig,
    I love your writings, and I think your a vital piece of a new movement of informed Gex X’ers… however being “proud and moved” may be the wrong term for a man who served 16 months in prison…