Cyberlawyer: Don't blame the hackers

One of the nation's top cyberlawyers, Jennifer Granick, is training a new generation of lawyers at Stanford to take on the powers-that-be in a struggle over the future of the Internet.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
7 min read
Jennifer Granick is a well-known figure within the hacker community. She helped Kevin Poulsen navigate his return to using computers after the convicted hacker came out of jail. Granick is now defending Jerome Heckenkamp, the 21-year-old Los Alamos National Laboratory employee accused of breaking into eBay's computer systems.

A frequent speaker at the annual Def Con hacker conference, Granick was appointed last month to head Stanford University Law School's new Center for Internet and Society, a legal institute that will train students in Internet law.

In a recent interview on the Stanford campus, Granick talked about the Center, the future of law on the Internet, and the important cases of 2001.

What is the Center for Internet and Society?
It's new, so (laughing) that's one thing it is. This is a program that Stanford Law School is starting that Larry Lessig runs, which is a combination public interest, technology and computer law program.

I think there is a hysteria about the hackers that is dangerous. As far as law students are concerned, what will the Center provide?
Well, I have my students, who are participating in the clinical part of the Center. We are going to do actual litigation of cases and give direct representation to clients. But we're going to litigate the cases in court--whether they are criminal or civil--so long as they raise a public interest issue and are the kind of things that we want to work on. The Center as a whole will have other projects as well that students can be involved in...but one of the main parts of it--and the thing that I do--is the clinical part, the practical.

Will most of the cases be defending someone or will you also take a proactive role?
We're going to do suing people, too. We'll do both. We don't care. It just depends on the issue.

What sort of issues are you going to pursue?
We're going to do free speech vs. copyright type issues, open-access broadband issues. We may do some trade secrets litigation, where computer security people are sued or criminally prosecuted because they threatened to reveal information about a company's security vulnerabilities. Stuff like that.

Have you taken any cases yet?
We have one that involves alleged game piracy, where a company has claimed that our clients have contributorially infringed on their copyrighted game. I don't know if that is going to end up as a lawsuit or not. We are kind of in a wait-and-see mode.

Then we have one project we have agreed to work on with Indian tribes having to do with sovereignty over broadband that passes through their territory. That's a case Larry (Lessig) was really interested in because they have an alternative model for distributing broadband other than auctioning the frequency off to the highest bidder. So, something different that keeps the network open--not just to the money interests but to everybody--is something that we want to work on.

That's a jurisdictional case? Would that have any effect on the current lawsuit against Yahoo France?
We have to decide whether and how much we want to get involved in jurisdictional stuff. I don't know what the students are going to want to do. It is not a huge interest of mine, but I may come to see things differently, given the right case that comes along.

Looking at what's happening on the Internet front, what are the issues that you think will be most important?
Intellectual property is going to be huge for us--more than anything else, more than legislation, more than, I think, even filtering technology. Intellectual property is going to determine what you see on the Internet.

Like what? Copyright, trademark?
Copyright, trademark, some patent, but mostly copyright and trademark law. And then we are going to be doing a lot of copyright free speech type of stuff. I think that is going to be really huge. We are going to have to do a lot with trade secrets too.

I would hope that we get involved with some standards, which may not be through litigation but through some other way. But I believe that standards have to do with how the Internet operates. It is sort of arcane and uninteresting to the average person, but really critical because the decisions that are made at the basic technology level determine what kinds of things you can do with the network later on.

A couple of cases out there seem to be influencing what will "be" on the Internet in the future. For instance, what about the various DeCSS lawsuits?
The DeCSS case--there are a lot of good issues with that, that sort of reverse engineering, and reverse engineering is a fair use and free speech right. Is it a right that stems from contract, from statute, from the Constitution--you know, what's the basis of it? That's a really important issue.

It seems like our law has come down on the side of the intellectual property holder almost all the time. I know that Larry's been working on the case and writing some briefs for the defendants in the DVD litigation. So I think that the Center may have some role in that. How formal it will be and what we can do once classes start or what stage that litigation will be in--I don't know. We are already in the appellate process there.

What about the push by the software industry to pass laws that make software licenses more binding--that is, UCITA (Uniform Computer Information Transaction Acts)?
We haven't been targeted toward doing any kind of lobbying, but that's not out of the question for us either. That may be the kind of thing we can do effectively by coordinating with other centers locally or something like that.

Will licensing be a big issue?
I think licensing is a huge issue. A couple of people have contacted me about licensing-related stuff, both in terms of licenses that say you can't reverse engineer licenses or that say you cannot make any copies for any purpose whatsoever. Each license is sort of different. People don't even read them, so are they really enforceable? There are licenses that make you agree to let the company use remote scanning software to see if you have pirated versions of their software on their hard drives, which has privacy implications. There is a question that I would like to litigate as to whether some of these terms that have become standard in these licenses are legally enforceable at all.

There also seems to be a big push by companies to use lawsuits to reveal people's identities on the Net. Are you looking into that?
John Doe litigation? I know the Electronic Frontier Foundation is doing a project for people who are served with these subpoenas, and we may provide some support and work with them on that. There is a cease-and-desist letter project that the Berkman Center does, and the EFF started a John Doe subpoena project. That is really important, and we will work some on that.

What is the issue?
Anonymity. It is basically if there is a right to anonymity.

Do those companies that sue intend to actually prosecute?
Sometimes it is just harassment...and it is not really worth the resources to sue this person. But if there is a whole big splash about how they're finding out who these people are because they are going to sue them, then that has a speech-chilling effect which may get the company what they really want in the long run without actually having to sue any of these John Doe's.

Let's go back to your old stomping ground. Are you giving up cybercrime cases?
There are going to be some criminal cases that will raise public interest issues that the Center may take. There will be other criminal cases that don't really raise public interest issues, but that I'm interested in for some other reasons, that I may take. And if I take those cases, then I will take responsibility alone as a separate entity. If the client doesn't mind and if the students feel like it, then the students may work on those cases if they like. Those types of things will be separate. But the hallmark of the Center is that the cases have to have a public interest issue.

How do you see the current climate? Are hackers being treated fairly? Are they being pursued in proportion to the threat they represent?
Well, I think there is a hysteria about the hackers, which is dangerous because of things like what I said with security people getting sued or prosecuted for discovering security vulnerabilities and threatening to disclose them or disclosing them in a way that the company didn't want to have done. I think that it's dangerous, and I think that it gives hacking--in terms of its societal harm--too heavy a weight. I don't think that it has the level of societal harm that all the news stories and all of that give it. But there are going to be a lot of other issues in which I am afraid the law is far too serious. It seems like our law has come down on the side of the intellectual property holder almost all the time. And the recording industry is incredibly powerful. And I think that is something to be equally afraid of, as being afraid of the government and their overzealous prosecution of the hacker cases. Of course, with (John) Ashcroft as the attorney general, I think we can probably expect to see more of that type of mentality about these crimes as opposed to less.

Last question: Is there a crisis looming? Are there any issues that we have to fight before we have to go much further in our development as an Internet society?
There are a lot of important issues, and I think we need to fight them all. I don't know if there is one that I think is worse or less worse. As litigation comes down the pike, something becomes a crisis; then it sort of ebbs away. And then something else becomes a crisis. You're always putting out the fires.