The Arts and Economic Development: A Hot Mess at a Museum in Dallas

At the intersection of economic development and the arts sits a dispute about property rights and moral rights.  The Nasher Sculpture Center in Dallas, Texas, houses a world-renown collection of art in a building that was designed by famed architect Renzo Piano especially for that purpose, in that location.  D Magazine describes the patented roof system as

“a barrel-vaulted roof-cum-ceiling made of 3-inch-thick, 1,200 pound glass panels, and, suspended above the glass, a sunscreen of millions of tiny aluminum oculi aimed due north.  The sunscreen was designed using the precise longitude and latitude of the Nasher, and it accounts for every hour of the Earth’s 365-day trip around the sun. Standing in the gallery, a visitor looking up and to the south sees what appears to be a solid structure through the glass ceiling. Turning 180 degrees and looking north, though, he sees open sky. The system allows into the museum soft, full-spectrum light that is not only safe for artwork but creates ideal, transcendent viewing conditions.”

The Nasher was designed to be a focal point for economic development in the area, and it has been wildly successful; the Dallas Arts District now houses a variety of cultural venues including the Dallas Museum of Art, the Myerson Symphony, the Trammel Crow Museum, and the AT&T Performing Arts Center.  In fact, it has been so successful that in order to take advantage of the economic development in the Arts District, a developer has been building Museum Tower, a 42-story residential high-rise development, on an adjacent piece of land.

The glass façade of Museum Tower, however, reflects light up to 250% the strength of the sun onto the Nasher from the north at an intensity that can kill plants and trees, damage artworks, and blind visitors.  The gardens at the Nasher, including live oaks, are threatened.  A Picasso had to be removed to avoid damage.  James Turrell claimed that his piece installed at the Nasher, “Tending, (Blue)”, had been destroyed by the Tower, because it blocked the sky that was to be visible through the aperture at the top of his skyspace.  The Nasher had to close the Turrell exhibit entirely.  There would many property and moral rights issues to spot here, if only this were a law school exam.

The parties are currently in a protracted mediation process.  More can be found on the dispute here, here, and here.

Idea for In-Class Discussion of Protectable Cultural Expression

I recently returned from our Summer Away program in Santa Fe, New Mexico.  While at the Taos Pueblo, I purchased a pot crafted by an Acoma artist at a small shop.  As I handed the money to the owner, she commented, “This artist has a patent on this design.  No one else can make pots with this design on it.”  Wondering to myself if there is something perceptible about me that screams talk-to-me-about-IP, I thanked the woman and left.  Here is the pot:

Acoma Artist Pot

The design depicts a legend that is common to several different tribes, which is the legend of the water serpent.  It has various names in different tribes, such as Kolowisi in Zuni, Pachua in Hopi, and Avanyu in tribes of the Rio Grande outlier regions.  When I showed the pot to a colleague, she commented that a very similar image was painted on the Zuni mission church. Later that day, we went to an upscale gallery in Santa Fe where I happened to notice this pot:

Gallery Artist Pot

This might be an interesting exercise for an in-class discussion on what is protectable and what is not protectable cultural expression.  Of course, despite the shop owner’s assertions, neither utility nor design patents are apt here.  However, there could be source identification of a design with a particular artist.  (I did a quick search of the trademark office records online and, with the caveat that design mark records are notoriously difficult to find, didn’t find any marks registered by the artist.)  Perhaps the artist registered a copyright, and believes that affords exclusive protection.  In any event, this situation raises questions about the scope of various forms of IP protection, as well as public and private ownership of cultural expressions and heritage, which might be useful in the classroom.

When the Right Interpretation of the Law is a Scary One (CFAA Edition)

A divided 9th Circuit panel decided U.S. v. Nosal today. The case initially looks like a simple employee trade secret theft case, but the Court’s interpretation of the Computer Fraud and Abuse Act has potentially far reaching ramifications. Here’s the thing – the court (in my view) reached the right ruling with the right statutory interpretation. However, that interpretation could possibly make many people liable under the CFAA that probably shouldn’t be.

Here are the basic facts: Nosal is charged with conspiracy to violate the CFAA, 18 U.S.C. 1030 because he conspired with employees at his former employer. Those employees accessed a database to obtain secret information that Nosal allegedly used in a competing business. Importantly, those employees had full access rights to that database. They didn’t hack, steal a password, rummage around, or anything else. They just logged on and copied information. Those employees had agreements that said they would not use the information for purposes other than their employment. I suspect that the agreement would not have even been necessary if it were reasonably clear that the information was trade secret, but that’s an issue for another post.

The provision at issue is 1030(a)(4), which outlaws: “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value….”

 

The district court dismissed the indictment, ruling that the employees could not have exceeded authorization. The court relied on a prior case, called LVRC HoldingsLLC v. Brekka, to rule that the employees could not have exceeded authorized access because database access was within their employment. According to the lower court, one can only exceed authorization if one wanders into an area where there is no authorized access. The appellate panel talks about drive letters. If the employees could access the F: drive, but not the G: drive, then any data taken from the F: drive for any purpose could not exceed authorized access, but gathering data from the G: drive would exceed because the employees were not supposed to go there. By analogy here, there could be no exceeded authority because the database was part of the employee access rights.

The Ninth Circuit panel disagreed. It starts with the definition in 1030(e)(6):

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

The Court focuses on the “so” term. It argues that “so” would be superfluous under the district court’s reading. After all, exceeding authorized access means you must have had the right to be there in the first place. To limit this to different areas of the database doesn’t work, since the statute plainly outlaws access to the computer when such access is then used to obtain information that the accessor is not entitled to obtain.

The problem with this reading, of course, is that the employees arguable were entitled to obtain the information. Not so, says the Court – and this is where the trade secret angle comes in. The employees were decidedly (or at least allegedly) not entitled to access the information if the purpose was to leak it to Nosal. 

How does the court deal with LVRC? It appears that the two cases are consistent:

1. LVRC says that “without authorization” requires no access at all to a drive, not exceeded authorization (there are some parts of the statute with require no authorization, and some where exceeded authorization is enough).

2. LVRC makes clear that where employers set access policies and communicate them, then employees may be deemed to have acted without authorization.

3. LVRC envisions exactly the result in this case: 

Section 1030(e)(6) provides: “the term `exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has “exceed[ed] authorized access.” On the other hand, a person who uses a computer “without authorization” has no rights, limited or otherwise, to access the computer in question.

Of course, it is not this easy. LVRC had a footnote:

On appeal, LVRC argues only that Brekka was “without authorization” to access LVRC’s computer and documents. To the extent LVRC implicitly argues that Brekka’s emailing of documents to himself and to his wife violated §§ 1030(a)(2) and (4) because the document transfer “exceed[ed] authorized access,” such an argument also fails. As stated by the district court, it is undisputed that Brekka was entitled to obtain the documents at issue. Moreover, nothing in the CFAA suggests that a defendant’s authorization to obtain information stored in a company computer is “exceeded” if the defendant breaches a state law duty of loyalty to an employer, and we decline to read such a meaning into the statute for the reasons explained above. Accordingly, Brekka did not “obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” see 18 U.S.C. § 1030(e)(6), and therefore did not “exceed[ ] authorized access” for purposes of §§ 1030(a)(2) and (4).

This footnote seems directly contrary to the outome in Nosal. It is also an example of something I tell my cyberlaw students – make every argument you can! How could LVRC not have made the exceeded authorization argument directly on appeal? Surely that issue merited more than a footnote.

The court doesn’t deal with this footnote, but instead makes some factual distinctions that work for me. First, in LVRC the defendant had unfettered access with no clear rules about the data. Second, in this case there is a clear trade secret misappropriation, whereas in LVRC the allegation was a nebulous “breach of duty” argument without any real showing that the email accessed would be competitively used against LVRC.

Maybe it is because of my background in trade secret law, and I suspect that I may be in the minority among my cyberlaw colleagues, because I think this was the right interpretation and the right outcome.  Exceeding authorized access has no meaning if it does not apply in this case. To me, at least, this was a textbook case of access that starts authorized, but becomes unauthorized as soone as the nefarious purpose for the access is revealed.

And now the scary part

That said, this is still scary – but the problem is with the law, not the court’s ruling. Why is it scary?

First, employees who look where they shouldn’t could now be considered a criminal under the CFAA, so long as they are looking at material they know they shouldn’t be accessing.

Second, this is not necessarily limited to employees. Anyone using a website who starts using information from it in a way that the web operator clearly does not desire could theoretically be criminally liable.

Now that’s scary.

The Nosal court tries to explain this away by saying that fraudulent intent and obtaining something of value are required under 1030(a)(4). True enough, but that’s not the only subsection in the CFAA. Section 1030(a)(2), for example, outlaws simply obtaining information. Sure, the penalties may not be as severe, but it is still barred.

So, how do we reconcile this case with common sense? Are all web users now criminals if they lie about their age or otherwise commit minor violations? I doubt it. 

First, I think there must be some independent wrongful action associated with the action – a tort that common folk would understand to be wrongful. In this case, trade secret misappropriation was clear. LVRC v. Brekka went the other way because it was not at all clear the action was independently wrongful and thus something the employer would never authorize. I tend to think that browsewrap agreements on websites won’t cut it.

Second, the wrongful action has to be tied somehow to the unauthorized access. In other words, lying about your age shouldn’t affect access rights generally, but lying about your age might very well be a problem if the reason you did so was to prey on young children. I’ll leave others to debate how this might apply to the Lori Drew case. The recent case of MDY v. Blizzard makes this connection for the Digital Millenium Copyright Act, and it seems like a reasonable one under the CFAA as well.

The CFAA scares me, and it should scare you, too. But its not as scary as many make it out to be – at least I hope not.

The Multiple Choice Exam: Friend or Foe?

[Cross-posted at Prawfsblawg, where I am guest blogging this month]

I’m giving my very first multiple choice exam in cyberlaw this semester. I decided to move to a multiple choice exam for a few reasons:

1. Time: I have 85 students (about half 3L) and I just don’t think I can get the exams graded in time for the graduation cutoff. I’ve always believed that I have to read all the exams before assigning grades to some of them.

2. Assessment: More important, I’ve grown a bit disillusioned by the use of essays in this particular class (I’m still giving an essay in Patent Law). Much of the law is factor based and malleable, which you would think might work well in an essay. However, some rules are crystal clear, no exceptions. I’ve found that my students have had a hard time expressing which are which, and also which facts are more important than others in factor based tests.  I want to know if they know the difference, and I think a multiple choice exam will help me find out.

I always told myself that essay exams were better because they help prepare a skill for the bar. However, the bar includes a multiple choice segment, which was much harder than the essays — at least for me.

So, I’m drafting an exam. My students seem worried, in large part because they have no idea what to expect. I wrote several sample questions based on last year’s fact pattern, and I must say that it was very difficult. I’ve always viewed multiple choice exams as easier to grade (which they are), but I have a feeling that I’m going to spend a lot of time writing the exam that I had not spent in prior years.

Any ideas or input on this would be appreciated as I try out something new.

“GC by George Clooney” Dispute

I recently noticed some publicity about a court case in Italy involving a clothing line using the trademark “GC by George Clooney” which has no affiliation with the popular actor George Clooney.  Looking at this online write up of the dispute (source here), it strikes me that one could construct a neat exam hypothetical in the TM/personality rights area from these facts:

“Does George Clooney dress well off and on the screen? Thanks to Giorgio Armani, he does. No one wears a suit better. Which is what some Italian entrepreneurs in Milan thought two years ago, when they cooked up a clothing line called GC by George Clooney. Problem is, the superstar had nothing to do with it. The fraudulent business people even organized a show in a Milan hotel and used the actor’s name to promote the line. But this week, the real George Clooney – who has a home in Lake Como, Italy – had to appear in an [sic] Milan court to play out a lawsuit against the people who used his name without consent, permission, or even an attempt to contact him. Of course, there was a crush of cameras in the Milan court, but Clooney remained cool throughout, even cracking jokes. Only one defendant — Vincenzo Cannalire — attended the trial. He and associates apparently forged Clooney’s name – and photo – on many documents. They even claimed Clooney was dating one of their female partners, and doctored pictures to insinuate that. Clooney turned to greet him after recognizing the man from of the photos he was looking at. “This is the first time I’ve ever seen him,” Clooney said, motioning to the defendant. Then with he added, “So I’d like to say hello, nice to meet you.” So if you’re in Italy and someone tries to sell you clothes by George Clooney – buy Armani instead. But – perhaps someone should get Clooney to design and back a line of mens’ clothes. It would probably be extremely cool – and well tailored.”

(source, Fashion Rules!)