DNC v. Russia: Hacking, Copyright Infringement, and Trade Secret Misappropriations

I teach internet law, and focus substantial time on computer privacy and cyber security law.  The core anti-hacking statute is the Computer Fraud and Abuse Act (18 U.S.C. 1030(a)). Although I’m somewhat surprised by the new DNC v. Russia lawsuit, it is not surprising that the CFAA serves as a primary basis for the lawsuit.

[Read the Complaint]

In addition to Russia, the Democratic National Committee (DNC) also joined Donald Trump Jr., Paul Manafort, Wikileaks Wikipedia, Julian Assange, Jared Kushner, Guccifer 2.0, and others as defendants alleging violations of a wide array of federal laws, including the CFAA, RICO, the Wiretap Act, the Stored Communications Act, the DMCA, and the Defend Trade Secrets Act, as well as common law trespass and trespass to chattels.

The complaint begins:

In the run-up to the 2016 election, Russia mounted a brazen attack on American Democracy. The opening salvo was a cyberattack on the DNC, carried out on American soil.  In 2015 and 2016, Russian intelligence services hacked into the DNC’s computers, penetrated its phone systems, and exfiltrated tens of thousands of documents and emails. Russia then used this stolen information . . . supporting the campaign of Donald J. Trump (“Trump”), whose policies would benefit the Kremlin.

In the Trump campaign, Russia found a willing and active partner in this effort . . . Through multiple meetings, emails, and other communications, these Russian agents made clear that their government supported Trump and was prepared to use stolen emails and other information to damage his opponent and the Democratic party.

The intellectual property claims here are two-fold:

  1. Violation of the anti-circumvention provisions of the DMCA; and
  2. Trade secret misappropriation.

The DMCA’s anti-circumvention provisions provide a cause of action against someone who circumvents a “technological measure” used to control access to a copyrighted work:

No person shall circumvent a technological measure that effectively controls access to a work protected under this title.

17 U.S.C. 1201. Here, the argument is that the firewalls and passwords protecting the DNC computers were the “technological measures” used to protect the files, documents, and emails — all of which are copyrighted.

Similarly, the DNC argues that those files also contain trade secret material.  Here, the DNC argues that – although a non-profit – the DNC is in business.  “Specifically, the DNC is in the business of supporting Democratic political campaigns.” The stolen documents included important strategic information whose value required secrecy.

Although clearly politically motivated, it will be interesting to follow the development of the lawsuit.

18 thoughts on “DNC v. Russia: Hacking, Copyright Infringement, and Trade Secret Misappropriations”

  1. 7

    The DMCA also states “‘circumvent a technological measure’ means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”

    Normally, we interpret ‘otherwise to’ as limited to the same general category as the main list. See the whole ‘does the AIA allow secret commercial sales’ issue.

  2. 6

    Would not the DNC have to prove that the Russian Federation did these things? Or is hearsay and “expert testimony” from their partisan paid experts enough? Surely the defendants would have the right to examine the primary evidence. In which case it will be very difficult to demonstrate the Russian Federation has anything to do with the hack – as independent experts have already testified.

    There’s lots of theories about how this data got out. One of the most convincing is that a gentleman by the name of Seth Rich was so horrified by the corruption inside the DNC in favour of Hillary R. Clinton (rigging the deck against her competitor Senator Bernard Sanders for the party’s nomination for President) that he decided to leak the contents of an internal server to Wikileaks. Julian Assange who is a relatively straight shooter (his credibility and that of Wikileaks partially depends on being seen as truthful) more or less said as much. There is a long Wikipedia article which all too professionally tries to bury this theory. Methinks the maiden protests too much.

    I’m very surprised that the DNC really wants to go through a court process here with disclosure and formal examination of evidence. It seems the DNC must have strong assurances by highly placed directors within the security agencies that due process will not be diligently followed. The whole case can only be a charade of justice, some kind of political puppet theater.

    From a legal perspective, it’s fascinating to watch a common-law legal system and due process destroyed by political imperatives. How much remains of a republic when the fireworks is over is an interesting question. Neither did Rome remain a republic, despite strong institutions and tradition.

  3. 5

    Re “7 U.S.C. 1201. Here, the argument is that the firewalls and passwords protecting the DNC computers were the “technological measures” used to protect the files, documents, and emails — all of which are copyrighted.”

    But did any of the plaintiffs here own such registered copyrights? Also, is a mere password copyrightable?

    1. 5.1

      My thought as well. When did the DNC register ANY of these things with the Copyright Office?

    2. 5.2

      A couple of things:

      First – registration is not necessary to have protection of copyright. Yes, you want to have registration if you are going to bring a copyright action (in and of itself), but note the headlines here: there is a plethora of actions being brought:

      ” alleging violations of a wide array of federal laws, including the CFAA, RICO the Wiretap Act, the Stored Communications Act, the DMCA, and the Defend Trade Secrets Act, as well as common law trespass and trespass to chattels”

      Do you notice what is missing from this list? Yes – copyright infringement.

      Second – “Also, is a mere password copyrightable?” No one is suggesting this (and the answer is no, short phrases – such as a password – are not copyrightable). Where the password action comes in is in the defeating of the separate protection measures. No one ever suggests that the protection measures themselves are what are the subject of copyright protection. Instead, it is the files, documents and emails that have copyright (which they do – based on generally understood – even if not appreciated here – concepts of copyright law).

      Third – as to actually registering any of this, well, that would be highly doubtful, as it appears that the items that they are talking about are run of the mill daily type of writings. Even as inexpensive as copyright is, running all of that through the copyright process would be prohibitively expensive. That’s not to say though that key items may not have been submitted and one should remember that submissions can be made with redactions.

      Just a thought there on the third point – not something that I would get too excited about.

  4. 4

    Don’t you have to register all the copyrighted material claimed before being able to bring a lawsuit? The act of registering a copyrighted document- does that then put it in the public domain?

    1. 4.1

      I am not sure your use of the phrase “in the public domain” reflects the legal notion of that term of art, Mary.

      (plus, see the bit above about being able to submit a redacted version of something)

  5. 3

    non-political question here (so let’s leave the mindless political ad hominem out):

    The DMCA’s anti-circumvention provisions provide a cause of action against someone who circumvents a “technological measure” used to control access to a copyrighted work:

    No person shall circumvent a technological measure that effectively controls access to a work protected under this title.

    Is Fair Use something that over rides this “circumvention” aspect?

    Can someone who has a legitimate claim to a copyright PREVENT all access – and thus any chance at all OF Fair Use – to the item?

    Or, if access (however gained) is accomplished, and the “use” is deemed a Fair Use (such that no copyright violation can be said to have occurred in the first instance), then is the circumvention law itself circumvented?

    If I “get access” and the only thing I do is something that I have a right to do, have I really done anything to “a work protected under this title.”…?

    Is not the phrase “work protected under this title” carrying with it the notion that some protection has been violated?

    Or to phrase this somewhat differently, can Congress amplify the copyright right and remove items that people can do in the face of the copyright right (all those things allowed under Fair Use), by making it a crime to even get to the material in the first place?

    Does this not – in essence – take away Fair Use from everyone that rightfully has a claim to Fair Use?

    In other contexts, we have seen “the right to hack” be protected (think: repair, or retrieval of one’s own goods from a ‘locked’ device).

    Maybe it’s time to consider that laws that are purported to lock things away – things that have Fair Use elements – are laws that reach too far. Maybe it’s time to consider that “data really wants to be free” – or at least, those things that carry with them the rights of Fair Use cannot have those rights of Fair Use blocked unfairly.

    1. 3.1

      Can someone who has a legitimate claim to a copyright PREVENT all access – and thus any chance at all OF Fair Use – to the item?

      Sure. Remember, copyright is automatic – your copyright arises as soon as you fix your creative work in a tangible medium. You don’t have to publish, register, or even make it publicly available.
      So, say I write out my product roadmap, or create source code for my internal accounts receivable program, or any other such work, I have valid copyrights in them.

      But they’re internal docs, so I also keep them secret, and I’m protected by trade secret laws against corporate espionage. If you break into my business one night to steal my source code, you can’t claim that copyright fair use defense protects you against civil and criminal liability for trade secret misappropriation.

      However, bear in mind, once you publish that stolen source code, my trade secret is destroyed, and anyone else can potentially copy it with a valid fair use defense (say, if they’re reporting on it, or making critical commentary of it, etc.).

      In other words, copyright fair use is only a defense when my sole claim against you is copyright infringement. It would be an odd amplification of copyright fair use if Congress said “anyone who has a valid fair use claim under 17 USC 107 is also immune from prosecution for trespass, burglary, theft, etc.”

      1. 3.1.1

        Excellent reply – thank you Abstract iDan.

        So as long as you keep your copyrighted items Secret, then you are saying that NO Fair Use attaches.

        This makes sense certainly as one looks at “secrecy” in and of itself.

        But my question is at a slightly different legal level, and it is at a level that any such “applied Secrecy” comes secondary to the very definition of what it means to have a copyright and what it means to have Fair Use to copyright protected material.

        In this sense, “secrecy” is a bit of a smokescreen. One can have that SAME secrecy apply to material to which NO copyright may attach.

        In that regard, attempting to insert “secrecy” as something that defeats Fair Use is a bit of the cart before the horse as far as understanding exactly what it means to have something that has copyright protection.

        In other words, I want to stress the fact that Fair Use is NOT something that “excuses” copyright infringement. Instead, Fair Use is something that shows that what one may consider to be a copyright does NOT extend as far as one may believe. Fair Use is use that is “not excused,” but instead is use to which the copyright never inures to in the first place.

        I fully grant they overlap from the State to State Trade Secret laws (including the new Federal cause of action) may complicate sorting out actions (on their own) that appear to violate Trade Secret protections.

        But I am specifically separating Trade Secret from copyright – and doing so in order to drive home the distinction that Fair Use of certain items is NOT protected by copyright and there are specific “lock-down” mechanisms geared to copyright-protected items.

        It is those specific “lock-outs” that must/should fail to have any merit under the law when the item which is under lock may have BOTH legitimate copyright protection AND a lack of legitimate copyright protection (depending on what is being done).

        It is not a fully developed legal concept, but the notion of “jail-break” technically MUST apply to ALL Fair Use cases, otherwise the “lock-out” extends copyright to that which copyright – by law – does not extend to.

        Where this lack of full legal development has a real impact is with Big Data/Big Music/Big Hollywood. This is because (purely) the weakness of the business model intersecting with the nature of a digital good.

        If indeed NO “lock-out” protection could extend to those things that which do NOT have copyright protection in the first place (e.g., Fair Use items), then application of lock out prevents the public from having what they have a right to. (Taking for argument’s sake that we are talking about things being put into the public domain, but under the “locks”.)

        Basically, we have let Big Money take away Fair Use and lock such away under their locks AND made even trying to get to the items for which people have a right (for Fair Use) into a criminal matter.

        Can you imagine what it would be like if we made patent infringement into a criminal matter?

  6. 2

    The Complaint makes it sound like this was a technologically sophisticated hack. In truth, the DNC’s computers were never hacked.

    The whole thing was pretty stupid. John Podesta, chairman of HRC’s campaign in 2016, foolishly used his GMail account for DNC campaign business (perhaps reminiscent of his boss’s own misuse of non-approved email servers). He foolishly clicked on a phishing email sent to that Gmail account by persons unknown. It was one of those dumb “update your information” phishing emails, giving you a fake (but official looking) Google web page asking you to “confirm” your credential information such as your password. He fell for it and entered his Gmail password, not realizing it was a fake website.

    The hackers, armed with access to Podesta’s Gmail password, were able to then download the contents of his inbox. And off to Wikileaks (and to history), those emails went.

    > Although clearly politically motivated, it will be interesting to follow the
    > development of the lawsuit.

    I don’t think so. It’s embarrassing that any major political campaign in the United States would file a lawsuit like this. The primary defendants who are actually responsible are either entitled to foreign sovereign immunity from civil suits, or otherwise totally outside the reach of the federal courts. It’s almost hilarious to read a complaint suing the Russian Federation for violating D.C.’s local trade secrets act. The suit will go nowhere, and was filed simply to create a small blip in the 24-hour news cycle. Next story please.

    1. 2.1

      I beg to differ.

      I think the plaintiffs know this is a loser as a lawsuit. What it does, though, is continue to churn the notion of collusion between Trump and Russia to feed the plaintiffs’ PR needs. The Mueller investigation is likely nearing the end, with an exoneration of Trump (at least on the collusion with Russia allegation) and the Dems want to keep beating that horse’s corpse, and are going to use this lawsuit to do so.

    2. 2.2

      The DNC leak is different than the Podesta leak. And both are unrelated to Hillary’s server scandal.

  7. 1

    “Wikipedia” is not an entity, would not be a proper party to join in a lawsuit, and is not, in fact, a named defendant. Wikileaks is unrelated to the Wikimedia Foundation, which runs Wikipedia. An error worth correcting.

    1. 1.1

      Of course, while you’re making corrections, there’s also no “Rojer Stone” named in the complaint.

    2. 1.2

      Agreed that it’s Wikileaks, not Wikipedia, that’s a named defendant.
