Hacker with a White Hat

Hacker With A White Hat
By Ronald D. Coleman and Matthew W. Carlin

Originally published in Mealey’s Cyber Tech Litigation, May 14, 2001
Once it was a litigation home run: Obtaining a grant of injunctive relief. An injunction is the essential equitable remedy, a court order that says, “Don’t do that any more. Or else.” And for centuries of common law jurisprudence, obtaining the injunction was usually the end of the discussion.

Certainly, in the modern United States, who would openly and notoriously flout an order of a court of equity such as a state superior court within its jurisdiction, or the United States District Court anywhere? The image of Governor George Wallace attempting just that, met with the irresistible force of the United States Army, is a compelling picture of just how powerful can be an injunction issued by what is today arguably the strongest branch of government.

Or, at least, how powerful it could once be. For today the Internet challenges all notions of jurisdiction and authority.  People of good will may cheer the corrosive effect on illegitimate regimes of disembodied information and free communication, but the evanescence of the Internet threatens to undermine the rule of law everywhere. For in 2001, an injunction is just not an injunction any more – at least not when the enjoined party is a defaulting, identity-shifting virtual phantasm, an Internet non-person for whom injunctions are not even minor annoyances. How, then, to enforce the terms of an injunction against “merely” virtual lawlessness?

Imagine the following scenario: You have obtained, on default, a large judgment and a permanent injunction against Max Ersatz, who runs the web site www.counterfeits4U.com. This site unabashedly sells counterfeit luxury items. Ersatz – who knows his (or her) real name? – never bothered to answer the complaint, but you had no difficulty persuading the court that he received it: He scanned it and posted it right on his web site. A badge of honor for him, a finger in the eye for you.

But you had the last laugh, because you laboriously plowed through the default process and obtained a punitive order. Ersatz is such a big time counterfeiter that even U.S. Customs and the U.S. Attorney in a friendly District are looking for him. You have investigators working on execution of the money judgment, but you are realistic on that score. In a time where “regulatory triage” and electronic sleight of hand make assets hard to pin down even for relatively modest miscreants, you have no illusions about collecting on this judgment against a Net crime master.

At least, however, you have that permanent injunction. No less authority than the United States District Court has ordered Ersatz to shut down the web site. You know you have won, because a person whose job is protected by the Constitution wearing a long black robe has signed this paper that says you won.

The only thing your client, one of the luxury goods manufacturers, wants to know is: If we won, why is that web site still selling knockoffs of my product?

You have already chased the web site from Internet Service Provider (ISP) to ISP, advising each ISP of its liability for contributory infringement. Now the counterfeiter has become his own ISP – on his profit margin, it is not a big stretch to plug himself directly into the Internet. Those servers are somewhere on earth, but neither Customs nor the U.S. Marshall, putative enforcers of federal court orders, are going to find them or unplug them any time soon.

Your solution seems obvious, if unconventional: You have to shut down this web site technologically, whether by a denial of service attack or other technological approach. You have to become a hacker with a white hat – and a writ.

Under normal circumstances, hacking the web site would be a violation of Federal Criminal Statute 18 U.S.C. § 1030(a)(5), Fraud and related activity in connection with computers. Although the name of the statute on its face does not seem to apply there, it is, in fact, on point. The relevant sections of this statute states:

Whoever . . . knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage, without authorization, to a protected computer . . . shall be punished . . . .

Whoever, intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage . . . shall be punished . . . .

This statute also provides for a civil cause of action for victims of attacks in violation of this law.

Notably, § 1030(f) of this provision contains potentially helpful language: “This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or of an intelligence agency of the United States.” This takes us back to your ideal world – where law enforcement would do this “dirty work” for you. Arguably, a request to the court for permission to hack is of a quasi-law enforcement “protective” nature. But no case has spoken to this, nor is the legislative history illuminating.

Neither does any case address the unspoken presumption of the statute itself: That the “protected” computer is operating in a lawful manner. If the contrary is true, can a claim be made? From a civil standpoint, it is hard to imagine relief being granted to Max Ersatz here. His hands are as unclean as they come, and the statute is explicit that damages “are limited to economic damages.” No court would permit a damages claim based on loss of illegal profits – which would only be offset against your damage award against Ersatz, anyway.

On the other hand, none of these defenses apply to criminal liability under the statute. The decision whether or not to prosecute would be rife with policy and political implications. Until Congress speaks, this sort of “self help” could well raise very thorny criminal law questions, for both you and your client.

Now that it is clear what you cannot do, the obvious question is what can you do, as a legal matter?

As a practical matter, you could add permission to find and hack the web site as part of the laundry list of relief submitted to the Court in a proposed Order and Permanent Injunction. Because your proposed order is likely to be unopposed, you may just get that permission without a fight. But depending on the posture, the judge, the timing and the facts, you have to be prepared to argue for this actually rather extraordinary relief on the merits. What is the legal basis for an application to obtain court permission to have a third party shut down the infringing web site?

It is axiomatic that an equity court has the authority to order the doing of something that, absent its order, would otherwise be illegal. The best example is the ancient remedy of replevin. Here, the authority on which to base a request the relief you are seeking against Ersatz appears to come from the Federal Rule of Civil Procedure 70, which grants federal courts the power to enforce judgements via equity. The relevant section of Rule 70, “Judgment for Specific Acts;

Vesting Title,” reads:

If a judgment directs a party . . . to perform any . . . specific act and the party fails to comply within the time specified, the court may direct the act to be done . . . by some other person appointed by the court and the act when so done has like effect as if done by the party.

One district court, in Beck v. Transportes, explained the purpose of Rule 70 as “primarily intended to preclude recalcitrant parties from frustrating court orders.” The Court in Beck continued its discussion of Rule 70, by quoting Wright and

Miller as follows:

Rule 70 provides five different remedies by which a court may enforce a judgment requiring a party to perform a specific

act:

1. Issue a writ of attachment or sequestration against the property of the disobedient party.

2. Find the party in contempt.

3. Issue a writ of execution or assistance, if the judgment is for the delivery of the possession of property.

4. Direct the doing of the act by some other person appointed by the court.

5. Enter a judgment having the effect of a conveyance as to real or personal property.

Obviously, it is Wright and Miller’s #4 that you would cite in a request for court authorization for someone else – some third party – to do what the court already ordered Ersatz to do. Unfortunately, you will be the first, or one of the first, to do so, because all the cases that cite Rule 70 involve the conveyance of property.

As has been mentioned, Rule 70 provides for a third party to be appointed by the Court to act as its enforcement arm.  Thus you will request that the court appoint a computer consultant identified by you rather than requesting an order allowing you to contract with the consultant. This has a number of advantages. One is that, court order or not, from a liability standpoint it is probably better for the consultant to be working for the court than for you. In addition, from a supervisory point of view, the consultant would answer only indirectly to you – since you are paying her – but directly to the court, with which the court may be more comfortable.

You will want this consultant to bring unusually strong bona fides to the table. The actual hacking may end up being done by a teenager with a mohawk haircut, but let that character be subcontracted by a known computer consulting, investigative or other established service provider. This arrangement will enable you to bring the consultant to court to testify at the hearing as to (1) why there is no other way to stop the injunction from being enforced, (2) how she will go about shutting down or otherwise interfering with the web site, and (3) how she will avoid collateral damage to the resources, assets and data of others.

In other words, she must convince the court that she is proceeding in as narrow and careful a fashion as possible while still getting the job done. And she will also want to demonstrate what happens “next” – whether or not, following her efforts, Max goes back online merely by adjusting a digital sprocket. She will have to say whether there some lasting protection than can be effected, or if doing so will require an ongoing project by the consultant.

It should go without saying that whether or not your adversary has made an appearance in this matter, you will have to make this application ex parte, because otherwise it will not work. Prepare to have your consultant testify about how advance notice would make her task that much more difficult, or impossible. And, of course, be familiar with the legal standards for the granting of ex parte relief, and brief them.

In preparing your computer consultant’s testimony, you will want to remember on the one hand how little love judges have for ongoing judicial supervision of injunctive remedies. On the other hand, you will keep in mind that your defaulting infringer, while fairly well heeled, is both on the lam and probably less able to effect a fix to a sophisticated hacking attempt than EBay or the Department of Defense. No less important, as a legal matter, is the best proof of the assertion that your client needs this equitable relief because there is no remedy at law: You have already secured the money judgment, and yet the problem continues unabated.

It may also be advisable to utilize Rule 70 to seek a judgment of civil contempt against a party not complying with a judgment. Thus, you may move as part of your application that Ersatz be held in contempt in addition to seeking the enforcement remedy.

We wrote earlier that you will be in very new territory on this application. In such a legal environment, where there is no on point authority and little that is analogous in the reporters, policy arguments have an unusually prominent role.  Because your adversary, Max Ersatz, is in default, he will not be proffering arguments against your brief. But that is all the more reason why the court will want to hear policy arguments from you, and why the judge himself will demand a heightened showing that granting this enforcement not only vindicates your client’s rights, but is right.

Several policy “problems” suggest themselves, as do their answers. The judge may express some leeriness over the idea of “the government” shutting down web sites, for any reason. You will remind the court that this is why you did not press the government’s own enforcement arms, such as Customs or the U.S. Marshall, to take this action. This “hacking” is, in fact, the action of a private citizen only using the legal tools provided by Congress to vindicate his legal rights. You are only, essentially, asking for permission to help yourself – and, since this is a trademark infringement case – to protect consumers.

You may also want to make it clear that this is not a First Amendment matter in any sense. It is well recognized that the trademark laws are not unconstitutional limitations on speech, but you are not even relying on that point. The merits of this case are no longer before the court. This is solely a matter of Ersatz’s contumacious disregard of the court’s order.  The courts have never shrunken from protecting their important prerogatives. Indeed, you will remind the court, the defendant’s actions in this case strike at the very legitimacy of the legal system. The relief requested has no bearing on the nature of the claims asserted or any person’s rights, because there is no right to violate an explicit court order.

Finally, you may want to find a better term than “hacking.” The phrases “technological cyber-enforcement in aid of litigant’s rights” or “court sanctioned interference with the infringing instrumentality” does not have quite the ring of “hacking,” but then again this is a serious endeavor. Whatever you call it, you will, as usual, be best off letting one of the judge’s own robed colleagues have the last word. In Chuckleberry Publishing, Judge Scheindlin of the Southern District of New York stated, “Cyberspace is not a ‘safe haven’ from which [an infringer] may flout [a] court’s injunction.” Your injunction application will test those brave words. Good luck.