August 2015 Legal Report
Intellectual Property. In the first case of its kind, a foreign hacker convicted of stealing trade secrets in the United States has been sentenced to prison for his role in stealing trade secrets from U.S. companies.
David Pokora, 22, of Ontario, Canada, led a hacker group that targeted the gaming world between January 2011 and March 2014 to steal information from Microsoft to build its own Xbox One gaming system prior to the authentic product’s official release, and to obtain prerelease versions of video games, including Gears of War 3 and Call of Duty: Modern Warfare 3.
The group hacked into Microsoft’s network by visiting websites where others had posted legitimate login credentials, copying those credentials, and saving them for future use.
Around August 2012, the hackers gained unauthorized access to Microsoft’s networks to download trade secrets, including internal design, technical specifications, and prerelease operating system software codes to build a counterfeit, next-generation Microsoft Xbox gaming console.
Along with targeting Microsoft, the hackers also attacked the networks of Epic, Valve, Activision/Blizzard, Zombie, and the U.S. Department of the Army, gaining access to its training software for the Apache helicopter. From these networks, the hackers stole, used, and shared information similar to what they had taken from Microsoft.
The hackers created a counterfeit version of the Xbox gaming console, which was transported to Delaware where an individual planned to mail it to a buyer in the Republic of Seychelles. However, the FBI received an anonymous tip about the console and special agents obtained the counterfeit Xbox, preventing it from being mailed.
The FBI then began monitoring the group, which stole more than $100 million worth of intellectual property from the companies it targeted before being charged with a variety of crimes, including conspiracy to commit wire fraud, conspiracy to commit theft of trade secrets, unauthorized computer access, and aggravated identity theft.
Pokora pled guilty in October to one count of conspiracy to commit fraud and related activity using a computer. He was sentenced to 18 months in prison, followed by three years of supervised release. The other three U.S. defendants—Nathan Leroux, Sanadodeh Nesheiwat, and Austin Alcala—also pled guilty to a variety of charges and are awaiting sentencing. (U.S. v. Leroux, U.S. District Court for the District of Columbia, No. 1:13-cr-00078, 2015)
Background screening. A federal judge dismissed a lawsuit against LinkedIn, ruling that plaintiffs failed to establish sufficient facts to “support a plausible inference” that the Fair Credit Reporting Act (FCRA) had been violated.
Tracee Sweet applied for a position in the hospitality industry by submitting her resume to a potential employer through LinkedIn, a social media professional network. She was then called in for an interview and told by the general manager that she would be hired. However, the company later called her and said she would not be hired.
Sweet then asked the general manager why the offer had been rescinded. The manager said the company had checked some references, and based on that information had changed its mind.
The references the manager referred to were the result of a LinkedIn Reference Searches function, which allows employers to find people with whom an applicant may have worked previously. Users who pay a subscription fee can search for references for any LinkedIn member, pulling up a list of the user’s current and former employers. Users can also search for LinkedIn members who are in their network and worked at the same company during the time the user would like to learn more about.
Reference Searches are marketed as a way for potential employers to find “trusted references for job candidates,” to “get the real story on any candidate,” and to “find references who can give real, honest feedback” about job candidates, according to court documents.
The search results also encourage the search initiator to contact the listed references through an “introduction.” However, LinkedIn does not tell search subjects about the Reference Searches that are conducted on them.
Sweet banded together with other plaintiffs who had experiences similar to hers to file a class action suit against LinkedIn, alleging that the Reference Searches function violated their rights under the FCRA.
The FCRA’s purpose is to “protect consumers from the transmission of inaccurate information about them” and requires consumer reporting agencies to “adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer.”
The plaintiffs charged that LinkedIn, a consumer reporting agency, violated their rights by furnishing Reference Searches results for employment purposes. They sought statutory damages, actual damages, punitive damages, attorney’s fees, and costs from LinkedIn.
LinkedIn moved to dismiss the case, and Magistrate Judge Paul Sing Grewal granted the motion, noting that the plaintiffs had not “alleged sufficient facts” to support a plausible inference that the Reference Searches are within the FCRA’s definition of a consumer report.
Reference Searches are not consumer reports because “the information contained in these histories came solely from LinkedIn’s transactions or experiences with these same consumers,” Grewal wrote. “The FCRA excludes from the definition of a consumer report any ‘report containing information solely as to transactions or experiences between the consumer and the person making the report.’”
Even if the Reference Searches were not within the exception, they would still not qualify as consumer reports because “plaintiffs’ allegations do not raise a plausible inference that LinkedIn acts as a consumer reporting agency when it publishes these histories,” Grewal added. “To meet the definition of a consumer report, a communication must be made ‘by a consumer report agency.’” (Sweet v. LinkedIn Corporation, U.S. District Court Northern District of California, San Jose Division, No. 5:14-cv-04531-PSG, 2015)
Data retrieval. Sen. John Hoeven (R-ND) introduced legislation that limits data retrieval from vehicle event data recorders by making the data the property of the vehicle’s owner or lessee.
The bill (S. 766) prohibits access to the data unless a court order, or another judicial or administrative authority, authorizes its retrieval. The data can also be retrieved for an investigation, for crash response determination, or for traffic safety research.
The bill is cosponsored by Sen. Amy Klobuchar (D-MN) and has been referred to the Senate Commerce, Science, and Transportation Committee.
Surveillance. Rep. James Sensenbrenner (R-WI) introduced a bill that would extend some rights under the U.S. Privacy Act to European Union citizens and other designated allies.
The Judicial Redress Act (H.R. 1428) would authorize the U.S. Department of Justice—with the agreement of the U.S. Departments of State, Treasury, and Homeland Security—to designate countries or organizations whose citizens may pursue civil remedies if their country or organization has appropriate privacy protections for sharing information with the United States.
Civil actions would be pursued under the Privacy Act of 1974 against U.S. government agencies for accessing, amending, or redressing unlawful disclosures of records maintained by an agency.
The bill is cosponsored by Rep. John Conyers, Jr. (D-MI), and has received support from the corporate sector. It has been referred to the House Oversight and Government Reform Committee.
Surveillance. France’s lower house of Parliament overwhelmingly passed legislation that gives authorities more intrusive domestic spying abilities.
The bill (No. 2669) would allow French intelligence services to tap cell phones and read e-mails. The measure would require Internet providers to comply with government requests to go through subscribers’ communications.
Additionally, the legislation authorizes intelligence services to request to install microphones in rooms or objects—including cars—and to capture telephone conversations and text messages of French citizens and foreigners. The bill now moves to the French Senate.