In Which NY Times Reporter Jenna Wortham Accidentally Reveals How She Violated Both The CFAA & The DMCA

from the all-in-one dept

Over the past few months and weeks there’s been much greater attention paid to both the CFAA and the anti-circumvention provisions of the DMCA, and how both are in need of serious reform. The attention to anti-circumvention was galvanized around the fact that unlocking your mobile phone became illegal again, after the Library of Congress allowed an exemption to expire, making many people realize that the anti-circumvention clause of the DMCA, also known as section 1201, meant that they often don’t really own the products they thought they owned. The attention to CFAA reform came in response to Aaron’s Swartz’s untimely death, and the light it shed on the parts of the CFAA that he was charged under. Of course, many of us have been fighting back against both laws for years, but the public attention on both has been key over the past few months.

One of the key issues that critics of both laws have pointed out, repeatedly, is how they criminalize things that most people don’t really think are bad or illegal. That is, they often criminalize someone (or at least make them open to huge civil awards) for the types of things plenty of people do everyday without thinking twice about it.

Given all that, it’s interesting to see a NY Times reporter, Jenna Wortham, more or less admit publicly to willfully breaking both laws in an article she wrote about the rising number of people, including herself, who use other people’s logins for various streaming content services. In Wortham’s case, she logs in to the HBO Go internet service via a login obtained from some guy she met at a restaurant.

LAST Sunday afternoon, some friends and I were hanging out in a local bar, talking about what we’d be doing that evening. It turned out that we all had the same plan: to watch the season premiere of “Game of Thrones.” But only one person in our group had a cable television subscription to HBO, where it is shown. The rest of us had a crafty workaround.

We were each going to use HBO Go, the network’s video Web site, to stream the show online — but not our own accounts. To gain access, one friend planned to use the login of the father of a childhood friend. Another would use his mother’s account. I had the information of a guy in New Jersey that I had once met in a Mexican restaurant.

That’s a violation of the anti-circumvention clause of the DMCA, as she is circumventing a technical protection measure that is designed to keep her from watching the show without paying. It’s a violation of the CFAA because it means that she is knowingly accessing a protected computer without authorization (or, at least, exceeding authorized access). There may be some questions about whether or not the data she obtained exceeds $5,000 in value, but it wouldn’t be that hard for a inspired US Attorney to come up with some way to count it as such. After all, they made that claim with Aaron Swartz and all he was downloading was academic papers that have little or no actual commercial value. Wortham is admitting to streaming some of the most popular (and expensive to produce) content out there.

No, no one thinks that anyone is likely to actually go after Wortham, but this story highlights why both of those laws are highly problematic and are in serious need of immediate reform. Just the fact that Wortham could find herself on the receiving end of lawsuits (both criminal and civil) over both of those laws (and considering her public admission to the key facts, she might have a difficult time pleading innocence) shows why those laws desperately need to be fixed. A quick look through Wortham’s writings this year suggest that she has not written about either of these issues. While it may not directly be considered her “beat,” the fact that this latest article leads to inadvertent admissions to breaking two laws — one of which can result in $150,000 in statutory damages and the other a felony charge and potential jail time — suggest that perhaps it should be something worth covering.

All that said, her article is actually pretty interesting, and worth reading. While it starts out talking about how people are sharing their accounts, it also notes that many of these services are really falling down on enabling easier community and sharing features among friends or the wider community of people who like the same content. I agree with all of that, though I don’t think people should face penalties for breaking these two incredibly obsolete laws to explore the topic.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “In Which NY Times Reporter Jenna Wortham Accidentally Reveals How She Violated Both The CFAA & The DMCA”

Subscribe: RSS Leave a comment
74 Comments
Ninja (profile) says:

Actually it’s worse than Swartz. He downloaded things that were freely available in big quantities. She’s (ab)using a PAID subscription.

Using Hollywood accounting and “Carmen’s handy book of charges and penalties” HBO lost over a billion dollars due to her broadcasting over a very long cord of a paid service and should face 43 felony charges and up to life imprisonment + 75 years. In case Disney has its way it could be perpetual.

Ahem.

Akari Mizunashi (profile) says:

Let’s hope HBO doesn’t read this article, because if they do, you can bet they’re going to find a way to ensure there’s only 1 account per user and the IP address will be restricted to that account with *no* exceptions.

It’s also not going to be surprising if this lands her in legal hot water because it’s pretty much an easy win for an over-zealous “Watch my career grow” prosecutor.

Chosen Reject (profile) says:

Re: Re: Re:

That’s not a problem for HBO. They just pop up a helpful message stating that you need to create a new account because your IP address has been pirated. Something along the lines of, “Someone has pirated your IP address. You need to create a new account. See how it feels to have your property pirated from you?”

crade (profile) says:

In my opinion it’s worse that they *do not* charge her.. The fact that they selectively enforce these rules and laws just makes things worse. It keeps everyone from understanding what would be obvious if they were strictly enforced (that the majority of people would consider them just plain wrong) and allows them to still allows them to bully particular people for effect or for whatever other reasons they want.

That said, abuse of streaming services like the sort that Wortham touts in her article is exactly why we have problems like the DMCA. In my opinion, this issue would be better solved with something like not allowing the same account to simultaneously stream to 30 different end user locations, but maybe thats just because I’m not a politician.

Arthur Moore (profile) says:

Re: Re:

Most services already prevent you from streaming to too many locations.

Netflix already prevents you from streaming to more than one device at a time: https://support.netflix.com/en/node/29
It’s surprising how little this impacts most people.

What’s (unfortunately) less surprising is how outdated other laws are as well. If she had said she was inviting everyone to her house to watch the show then it might have been considered a “public performance.” Something that she would need a license for.

Anonymous Coward says:

Re: Re: Re:

There are de minimus rules in this regard, making it unlikely that she would face consequences for that. Unfortunately de minimus in western countries are qualitative as in “a measure of the relative damage the type of infringement cause”. I think that is the scandal in copyright law: If everyone knew that 10 people were the maximum for a private showing within the rules, safety copies of 2 cds constituted the maximum allowed and traversing borders with 20 DVDs were the limits people could respect the laws.

Dreddsnik says:

“It’s also not going to be surprising if this lands her in legal hot water because it’s pretty much an easy win for an over-zealous “Watch my career grow” prosecutor.”

Possible, but I doubt it. She has the entire financial ‘weight’ of her employer behind her, and suing a high profile person isn’t the kind of publicity they want. They are like grade school bullies, they only go after those they are certain can’t or won’t fight back.

crade (profile) says:

Re: Re: Re:

It’s the same sort of problem as getting one “All you can eat” and sharing it with the whole restaurant. It’s not a scarce resource like food, the problem there isn’t that you are using too much food, the same problem applies with any “unlimited” service, bus passes, whatever. The problem is that isn’t what you paid for is unlimited access to the service for yourself not for unlimited access to the service for everyone.

Anonymous Coward says:

Re: Re: Re: Re:

And it’s just another way that non-authorised services offer a better service than the authorised services.

This is taken from a non-US news group provider:

A XXX account will be assigned to one user, account sharing is possible! But your XXX account can’t be used simultaneous with full connections, however simultaneous sharing is possible. For example: You have a account/package with 12 connections; Client 1: can use 6 connections and Client 2: 6 connections. This way you are able to download simultaneous from 1 XXX Usenet Account

Funny how they don’t want to lock up their own paid for service and are actively promoting sharing the service.

It’s worth noting that the above comes with 50 connections which means you could theoretically share the one subscription with 50 people.

Chosen Reject (profile) says:

Re: Re:

I agree on the question, but disagree with your reason. The question “Why should she NOT be in trouble over this?” is a valid question. She has clearly broken the law. If it’s stupid to enforce the law over this, then the law is stupid and should be removed, not just unenforced. Selectively enforced laws are what despots, dictators, kings and tyrants do. Your essentially free at the whim of the government. That is wrong.

As for what she’s doing being wrong, I’m not seeing it. If the guy gave her his credentials freely, then what’s wrong with her using it? If he doesn’t want her to access it, he could change the password and be done.

Anonymous Coward says:

Re: Re: Re:

“As for what she’s doing being wrong, I’m not seeing it. If the guy gave her his credentials freely, then what’s wrong with her using it? If he doesn’t want her to access it, he could change the password and be done.”

The guy doesn’t care – it’s the company selling the service that cares. They likely lose customers. Sure, not everyone would pay… but if people are going so far as to remember someone else’s login credentials, there’s a pretty good chance that they like it enough to consider paying.

In the extreme, imagine if only one person bought the service and posted their credentials for everyone to use.

I agree that selective enforcement is bad. If you’re not going to even try to apply a law equally, don’t have that law at all.

Anonymous Coward says:

Re: Re: Re: Re:

“As for what she’s doing being wrong, I’m not seeing it. If the guy gave her his credentials freely, then what’s wrong with her using it?

As her authorised access is none, she is exceeding her authorised access. Further she is misrepresenting who she is while on the Internet. That is at least two counts under the CFAA.

JP Jones (profile) says:

Re: Re: Re:

Chosen, it’s illegal because passwords could be considered a “technological measure” to prevent access to copyrighted works. Thus even if someone freely gives you their password, by using it you have violated the DMCA since it’s intended to prevent you from doing so.

I’m still trying to figure out at what point we decided it was OK to sell things and yet still keep ownership of them. If someone sold me a chair 15 years ago, and then told me if I stood on it instead of sitting they’d take it back and fine me hundreds of dollars, I’d have laughed at them.

Now I’d have to laugh nervously and call my lawyer. It’s ridiculous and why the copyright maximalists have lost any semblence of moral high ground.

I’m not asking for free chairs. I’m not demanding free chairs. I just want the person who sells me a chair to go away and leave me alone after I’ve bought it, whether I intend to use it as a chair, a stool, or to use it as a model to make my own chair.

We’ve criminilized the entire country and it needs to stop.

Soundy (profile) says:

Which begs the question...

…what if you’re visiting someone who does have the paid subscription, you both sit down to watch the show, and then that person leaves as soon as it starts? Is it illegal for YOU to keep watching it?

How about if your friend (with the subscription) comes to your house, fires it up there, and you both watch it?

Tooooooo many “what ifs”.

John Doe says:

Aren't there many laws criminalizing "normal" activity?

One of the key issues that critics of both laws have pointed out, repeatedly, is how they criminalize things that most people don’t really think are bad or illegal.

This is a serious problem today. There are many, many ways to become a criminal. Many of those ways are for very minor things or things that the majority of people disagree with. The more good people we turn into criminals and ruin, the more social dependence we will have. We should be building people up, not knocking them down.

Where is the government that is Of the people, By the people and for the people?

Anonymous Coward says:

That’s a violation of the anti-circumvention clause of the DMCA, as she is circumventing a technical protection measure that is designed to keep her from watching the show without paying.

Um. Wow. Could you be any more of a FUD-packer? I doubt it.

Using somebody else’s password is not a DMCA violation:

Defendants cite I.M.S. to support their contention that Egilman’s DMCA claim should be dismissed, arguing that accessing Egilman’s website without authorization, but with a valid username/password combination, does not constitute circumvention for purposes of imposing DMCA liability. In his opposition, Egilman argues that reliance on I.M.S. is inappropriate because it was both wrongly decided and is factually distinguishable. The court disagrees with both arguments and will dismiss Egilman’s DMCA claim.

First, I.M.S. was correctly decided. Circumvention, as defined in the DMCA, is limited to actions that ?descramble,? ?decrypt,? ?avoid, bypass, remove, deactivate or impair a technological measure.? 17 U.S.C. ? 1201(a)(3). What is missing from this statutory definition is any reference to ?use? of a technological measure without the authority of the copyright owner, and the court declines to manufacture such language now. As such, the court concludes that using a username/password combination as intended-by entering a valid username and password, albeit without authorization-does not constitute circumvention under the DMCA.

Second, I.M.S. is not factually distinguishable so as to preclude its application to this case. Egilman contends that the holding in I.M.S. does not apply here because the username/password combination in I.M.S. was legitimately issued by the plaintiff to a third party, whereas in this case no such allegation exists. Simply put, this is a distinction without a difference. The important aspect of the holding in I.M.S. was that the authorized use of a technological measure does not constitute circumvention for purposes of the DMCA. It was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained.Moreover, there is no dispute in this case that the username/password combination used by defendants to enter Egilman’s website without authorization was validly created by Egilman himself. See *114 Ver. Compl. ? 11 (?an authorized username/password? was created to restrict access to his website); id. ?? 15-16 (defendant used a ?username/password combination? to ?gain access? to Egilman’s website). Further, Egilman admitted that he ?created the user name ?brown? and the password ?student? to allow access to my computer,? K & H Mot., Exh. E at 2, and that this password was used by defendants to access his website. Id. at 3. Accordingly, because Egilman’s allegations demonstrate that ?an otherwise legitimate, owner-issued password,? I.M.S., 307 F.Supp.2d at 531, was used to access his website, those allegations fall squarely within the I.M.S. court’s holding that, ?[w]hatever the impropriety of defendant’s conduct, the DMCA and the anti-circumvention provision at issue do not target? the unauthorized use of a ?password intentionally issued by plaintiff to another entity.? Id. at 533.

Because Egilman’s complaint and the matters of which the court may take judicial notice make clear that the username/password combination used to access Egilman’s website itself was authorized, the ?technological measure? employed by Egilman to control access to his computer was not ?circumvented? by defendants. Accordingly, the court will dismiss Egilman’s DMCA claim.

Egilman v. Keller & Heckman, LLP., 401 F. Supp. 2d 105, 113-14 (D.D.C. 2005).

Have you ever considered doing one minute of research before spouting your ridiculous FUD? I doubt it. It took me literally 10 seconds to find that quote.

It’s a violation of the CFAA because it means that she is knowingly accessing a protected computer without authorization (or, at least, exceeding authorized access).

Which section(s) of the CFAA specifically do you think she violated? Let’s look at the elements and the case law there. Something tells me this is pure FUD too, but I need you to be more specific.

Anonymous Coward says:

Re: Re: Re:

I’ve found three courts so far that say it’s not a violation of the DMCA, and none that say it is–but I’ve only been researching it for five minutes. The funny part is that Mike, who goes out of his way to say that something doesn’t violate copyright law, is jumping the gun and saying that this does. It’s hilarious–he’ll say whatever it takes to pump out the FUD.

crade (profile) says:

Re: Re: Re: Re:

for me the funny part is how screwed up these laws are that the courts have to try and twist the words like this to try to make some sort of sense out of them.
This is exactly how every single keycode generator works,
Of course hacking a valid key and using it is circumventing the lock. The lock isn’t there to make sure people are able to hack keycodes, it’s there to prevent unauthorized access. Gaining access without authorization is circumventing the lock. Anyone who says differently is wrong.

The part you mention isn’t very funny, it’s still criminal anyway regarless if it’s actually violating the DMCA so that part is just a technicality if it’s wrong.

Anonymous Coward says:

Re: Re: Re:

The best part is, if she actually gets sued for a DMCA violation, Mike would do a 180 and defend her to the end of time. It’s hilarious that Mike writes an article claiming that someone has violated copyright law when there’s a good, perhaps winning, argument that she has not. The cognitive dissonance here is so stupid that it hurts. Great job, Pirate Mike. I guess you’re not “doing journalism” with this one, right? LOL!

Reality Check (profile) says:

Re: Re: Re: Re:

Apparently you missed the entire point of the article.

It’s not that Wortham did something morally wrong, it’s that the LAW is wrong.

This sentence might help unclog your cognitive dissonance:
Just the fact that Wortham could find herself on the receiving end of lawsuits (both criminal and civil) over both of those laws (and considering her public admission to the key facts, she might have a difficult time pleading innocence) shows why those laws desperately need to be fixed

Too bad your hatred of anyone that doesn’t worship IP is interfering with your comprehension.

Anonymous Coward says:

Re: Re: Re:2 Re:

Mike said she violated the DMCA. He is accusing someone of violating copyright law, when, as far as I can tell, she is not. The irony is so thick that it’s palpable. Mike was trying to use her as an example of someone who thinks it’s OK to break the law because he wants everyone to think the law is dumb and OK to break (all the while pretending like he’s really, really on the fence about copyright, and he just can’t decide whether he really, really thinks it’s worth having or not–like there is ANY possibility whatsoever that Mike has not 100%, absolutely, positively already made up his mind about the propriety of copyright). The irony is that he’s accusing someone of violating copyright law when she probably isn’t, and 99% of the time he’s arguing that someone who obviously is violating copyright law is not. Get it? Of course, he won’t come into the comments and address any of this, as per usual. He’ll just keep pumping out idiotic, copyright-bashing, stupid post after post. The only thing he cares about is destroying copyright. He only wants to disparage it and make it look bad. Yet, he PRETENDS, like, gee, he can’t decide how he really feels about it. LOL! Right. I can’t believe that someone can lie so much. I truly can’t believe it. It’s incredible to me. Seriously. Mike, we all fucking know that you HATE copyright more than anything else on earth. Stop fucking lying! You are a liar, and you know it!

Anonymous Coward says:

Re: Re: Re:

My neighbor gave me the key to his house so I can water his plants while he’s on vacation. Apparently the minute I entered his house, I committed breaking and entering, because the lock was designed to keep me out. Is that the logic we’re employing here?

It’s your neighbor’s house and neighbor’s key. You have explicit permission to enter. How in the world is that breaking and entering? You don’t make any sense.

Anonymous Coward says:

Re: Re:

Good job finding that.

“Which section(s) of the CFAA specifically do you think she violated? Let’s look at the elements and the case law there. Something tells me this is pure FUD too, but I need you to be more specific.”

I assume it has to be this section:

“knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”

“knowingly”

Check.

“and with intent to defraud”

Her intent here is to not pay the subscription fee.

“accesses a protected computer”

There’s a password involved, so it’s protected.

“without authorization, or exceeds authorized access”

She is not an authorized user. I doubt the exception you cite above would apply here. In fact, the court uses the words “the username/password combination used by defendants to enter Egilman’s website without authorization“.

“and by means of such conduct furthers the intended fraud and obtains anything of value”

She obtained the Game of Thrones content, which has value.

“unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”

I’m pretty sure the content is considered to be more than “use of the computer”, and therefore the $5000 threshold does not apply. I could be wrong on that part.

Anonymous Coward says:

Re: Re: Re:

Of course, there’s also THIS section:

“(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if?
(A) such trafficking affects interstate or foreign commerce”

And from section 1029:

“the term ?traffic? means transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of; “

Anonymous Coward says:

Re: Re: Re:

>”accesses a protected computer”

>There’s a password involved, so it’s protected.

Gah. I forgot that when reading the law, they get to define terms however they like. Protected doesn’t have anything to do with a password.

“(2) the term ?protected computer? means a computer?
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;”

The term didn’t mean what I thought it meant, but it still applies, since the computer is in fact used for interstate commerce or communication.

Anonymous Coward says:

Re: Re: Re:

I’m totally being an asshole, because he deserves it. He’s even accusing someone of violating copyright law, and none of you guys can even admit the irony. And really? His dumb argument that she’s acquired something valued more than $5,000 by watching GoT with somebody else’s HBO Go password? Wow. It’s so dumb it hurts. And you guys lap it up. Sorry, but I call 100% bullshit. Beautiful, ironic, idiotic bullshit. Yet you guys are incapable of being critical. It’s delicious. Mike’s too scared to even respond. I love it.

Anonymous Coward says:

Re: Re: Re: Re:

Mike accused this woman of violating the DMCA and the CFAA. Both claims are unsupportable. If she were actually charged with either, he would be defending her with every argument he could find or think up. But because with these “the law is so dumb” posts he has to say that someone violated the law, he takes his defensive hat off and pretends that using a password in this way is illegal. His argument changes depending on the circumstances of the point he’s making, not based on an actual application of the actual law. It’s FUD, pure and simple. Mike’s specialty. I prefer reality myself.

JP Jones (profile) says:

Re: Re: Re:2 Re:

Mike accused this woman of violating the DMCA and the CFAA. Both claims are unsupportable.

Have you read the charges against Aaron Swartz? He used a built-in function of JSTOR and a script to access free information and was being threatened with potentially years in prison. He even had legal access to the content.

Yet you find the idea that someone with unauthorized access to commercial content is an unsupportable claim?

Under our current laws she absolutely violated at a minimum the CFAA, and would probably lose against DMCA charges as well considering she is accessing copyrighted material based on unauthorized access to that material. The man who gave her the password had “permission” from the creator (HBO). She did not. Hence copyright infringement, regardless of the technical means to access the data.

If anything I would argue Mike is being too conservative with the law. Laws should not be based on whether or not some judge thinks they make sense in a specific context. They should be clear, and it should be clear when they are violated. The CFAA and DMCA are anything but clear and should be removed or replaced with something that is.

Gregory Kohs (profile) says:

Steal your next copy of the New York Times

When you steal your next copy of the New York Times, just make sure that you share it with a couple of your friends, or even a stranger, because that makes your theft of it okay. Do I have that right, Jenna? Because that seems to be the basis of your defense.

(I wonder if Jenna Wortham has ever taken two minutes to consider how copyright basically ensures her paycheck?)

Anonymous Coward says:

Mike–

This’ll be fun. YOU make the argument that she’s violating copyright law, and I’LL make the argument that she’s not! C’mon! You really, really believe that she is, right? Or else there’s no way you would have said it, right? I mean, you wouldn’t say something that you think is not true, right? You wouldn’t mislead your readers to make copyright look bad, would you? You’re ALL about fact-based reality and not spreading FUD, right? Of course you are! You never misrepresent anything! Back it up! Let’s do this! I’ve already quoted some case law. Your turn!

ROFLMAO!

Will says:

When did people get antisocial?

It used to be that people used to get together to “watch the big game” on someone’s television. They’d make a thing of it; get their families together. Why not for Game of Thrones? One person had a subscription. Why couldn’t everyone come over and make a thing of it. Maybe have a Game of Thrones marathon leading up to it.

Jesus, maybe I’m getting old, but openly admitting you’re breaking the law (which I admit wouldn’t have to be broken if content providers catered to our needs better), seems like a dumb idea especially when you’re also openly admitting to being lazy and antisocial.

Kids these days.

RyanNerd (profile) says:

A government by the people for the people

?Governments, if they endure, always tend increasingly toward aristocratic forms. No government in history has been known to evade this pattern. And as the aristocracy develops, government tends more and more to act exclusively in the interests of the ruling class — whether that class be hereditary royalty, oligarchs of financial empires, or entrenched bureaucracy.?

-Frank Herbert – Children of Dune

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...