So by the way, when and how will Sony be held liable for criminal negligence?
Their security track record is equivalent to a bank storing its customers', partners' and employees' crown jewels in a wooden bikeshed with no door lock. Repeatedly.
Stomping your feet, blaming evil North Korea and launching lawsuits against unrelated bystanders may be a convenient way to distract the mainstream media.
But it's also completely missing the point and a little bit embarrassing...
Various employees have started civil suits claiming damages.
Their entire IT infrastructure was obliterated and they had to spend tons of money on IR and new security tools. So quite a bit of damage has been done already.
The part where they don't establish most basic protection at least for their critical customer data, after suffering from security breaches pretty much constantly[1] for over 3 years.
If you have an account with any Sony product (PlayStation Network etc.) then your personal and payment data (credit card numbers) have most likely been leaked not once but multiple times by now.
Why is Sony still allowed to store payment data? Why is their PCI certification not revoked?
Can you point out which law(s) you mean? It's a little hard to establish a criminal charge otherwise. Everything in your comment so far indicates cause for civil damages, which are already being pursued as pointed out.
As a layman I would argue that we know anyway that these kinds of laws are rarely ever enforced upon companies the size of Sony. Especially not when there's a political PR spin as convenient as "omg North Korea" (was: "omg terrorists").
However, the least that they have obviously violated (on multiple occasions) are the PCI-DSS diligence requirements and probably every data protection act under the sun.
This seems like fairly standard procedure to be honest, I'm not entirely sure what the issue is here...?
Especially given quotes such as "To the extent that Twitter has previously suspended the accounts of users publishing the Stolen Information, SPE and its employees are sincerely grateful to you"
There was no need to be threatening in the manner that they were, and, as far as I understand, the threats are non-actionable (that is, Twitter can't be held liable in the manner they are suggesting).
Letters like this go back and forth between companies all the time. It doesn't even sound threatening to me. Just a standard legal complaint. I'm sure there were a handful of phone calls made first. Sony and Twitter couldn't figure it out over the phone, so Sony sends the official letter saying, "here's why we're upset, this is what we want you to do about it, if you don't we will climb the legal ladder some more until it's all straightened out."
Though I understand Sony probably feels compelled to at least try to stifle links to the stolen data, I am a little bothered by the legal reasoning they are using to support their argument. That said, they seem to be wording their accusations towards Twitter very cautiously. It also does not seem to be worded as a threat, but more of a strongly-worded request, so I'm not sure saying that they're threatening to sue them is accurate.
I'm taking it as you've noted, a "strongly-worded request". They are just pushing Twitter to enforce their own TOS immediately or face actual, legal consequences. Which honestly, seems fair.
It's like YouTube. Google refuses to take ownership of any content provided by their site -- even though in that case they do host it -- as they are merely a "provider". And even then, they must enforce a DMCA mechanism or face the consequences. Otherwise they would have been sued into obscurity.
>If Twitter does not comply with this request, and the Stolen Information continues to be disseminated by Twitter in any manner, SPE will have no choice but to hold Twitter responsible for any damage or loss arising from such use or dissemination by Twitter, including any damages or loss to SPE or others, and including, but not limited to, any loss of value of intellectual property and trade secrets resulting from Twitter’s actions.
Page 3 of Sony PDF
Sony should be sending these letters to their network department as they are the ones that appear to have 'disseminated' the Stolen Information.
I have to agree. "will have no choice but to hold Twitter responsible for any damage or loss..." implicates a potential lawsuit if their demands are not met.
Should SONY's response have been DMCA takedown notices? Does DMCA cover unpublished copyrighted work? If the DMCA applies to trade secrets and personal email, it seems like Twitter would be legally in the clear and particular users would be liable.
> Should SONY's response have been DMCA takedown notices?
This lawyer letter goes beyond what DMCA Sec. 512 allows. 512 authorizes requests for "removal of material" that is believed to be infringing; in this case, Sony is demanding suspension of Twitter users' accounts (which even Sony would likely concede are 99.999% non-infringing as measured by number of tweets). The letter also raises non-DMCA CFAA and state law claims.
> Does DMCA cover unpublished copyrighted work?
Yes. The DMCA covers "copyrighted work[s]," and publication is not necessary for copyright to attach. The longer emails likely meet the threshold for copyrightability and the screenplays, even unpublished, are the very definition of a copyrighted work. Note fair use still applies to copyrighted works.
> If the DMCA applies to trade secrets and personal email
The C in DMCA stands for "copyright." It doesn't apply to trade secrets.
David Boies, the lawyer who wrote this on behalf of Sony, is a very capable hired gun (he represented DOJ in its futile pursuit of Microsoft and plenty of other high-profile plaintiffs). Twitter is going to have to be careful in how it responds.
Remember news organizations have also reproduced excerpts from the Sony-hacked emails, and in some cases the entire correspondence. Note Sony hasn't threatened to sue them, at least so far. Also note Boies' letter could have been addressed to the individual Twitter users, who are actually the ones responsible for posting the material. It wasn't.
> David Boies, the lawyer who wrote this on behalf of Sony, is a very capable hired gun
He wasn't very capable when he was acting for the SCO Group in their never-ending bullshit case against Novell and IBM. He has also been criticized for ethics violations.
Lawyers should (within the bounds of ethics) be advocates for their clients. I can't fault him for his role in the 2000 election, but as to SCO I think anyone and everyone who took SCO's side should be disbarred!
This letter seems like a blanket that Sony's lawyers are laying out across @BikiniRobotArmy and pinning Twitter with a wall of federal and state law violation claims. Does anyone have information on what material @BikiniRobotArmy actually "published" ??? Did he upload the 26GB Sony dump into a Tweet? Did he upload a picture he found on Google Images? Did he retweet Greenwald?
Might just be me but it seems likely Sony and these celebrities are in pretty clear violation of the FTC 2013 .com disclosure guidelines?
It's one thing to give celebrities clothes, etc and let them parade them around so that gullible consumers buy the product to pretend to be "fashionable" via known endorsement contracts.
It's quite another to pay a celebrity millions of dollars to say something and hide it as their own statement without disclosure.
Again just speculating, but this could also elevate the dump of the documents on Twitter by the individual into a press issue now since it is showing wrongdoing.
Rights of journalist to distribute illegally obtained documents in public interest I think was firmly established by SCOTUS in BARTNICKI v. VOPPER [0] and they go over the DMCA implications in the opinion.
Is Sony requesting that Twitter not shut down just this one account but keep up with every account that pops up for this purpose? If they are that naive then no wonder they got hacked, no idea how technology works. If I can write a script to create a different Twitter account every few seconds, imagine what these guys can do.
So, from this now I know 1) that Sony pays celebrities to do gray advertising, 2) name of such person that does it, 3) that Sony uses lawyer threats to stop people from talking about it. It's hard to hurt Sony's public image any more at this point, but they certainly keep digging with vigor.
You start with feeling bad for Sony and its employees. You see a letter like this and my response goes from feeling bad to "Screw you Sony. You first show immense stupidity in how you handle your security and then flex your muscle around."
In a way, they are right about it being against the Twitter terms of use, and Twitter should comply because it's their rules anyway. Still, can Twitter be "held responsible"? It kind of sounds like you holding a bartender responsible for drugs being traded in her bar. Even if she was aware of it, why not arrest the actual culprits?
Service provider liability isn't exactly a new topic; it goes back to at least Cubby v. CompuServe in 1991 (note this is not necessarily the law today) and hundreds of law review articles and dozens of conferences have discussed the topic. You might also want to read DMCA Sec. 512: http://www.law.cornell.edu/uscode/text/17/512
To extend your analogy, once the management knows this is going on in their bar, they have a responsibility to act. If they don't they open themselves and the bar to legal liability. What if someone is injured or dies in the course of, or later as a result of, illegal acts on their premises?
To have "terms of use" and not enforce them, or enforce them selectively, is to invite disaster. If the rules should be changed, better to do that. The courts will take that better than selective enforcement.
If Twitter deletes that account it would take the owner a few seconds to create another one. Better to have this one account than for many to pop up. I think it is pretty clear that Sony was lax in their security and are now paying a huge security debt.
Hmm. Up until now the Sony/NK thing has been confusing from a technical standpoint - there's lots of good reasons to be curious about and skeptical whether NK had anything to do with the SONY hack (see the bazillion threads on HN and elsewhere that cover it). Now for some conspiracy.
Here are some facts. One of the primary journalists responsible for announcing that the government had determined NK was responsible for the SONY hack is the same one responsible for falsely declaring the US had confirmed locations of weapons of mass destruction in Iraq on behalf of the State Department (Judith Miller), who hadn't yet gotten the public support it needed to go into Iraq.
But what could be the US's motivation for falsely fingering North Korea in this attack, if that's in fact what was done?
First, either instability or regime collapse in North Korea would mean very good things for the United States. Not just because it would advance human rights or because NK represents a black mark on US military operations. But also because instability threatens China. A regime collapse would mean China would have to deal with a flood of millions of starving and brainwashed immigrants at its border, and infighting due to power vacuums. The downside is that the US would need to spend a lot of money and man hours supporting their ally South Korea, as they would also be forced to handle the instability, and because of US military presence in the region.
The conspiracy here would be that since the US has so far lacked legal traction in giving it the ability to influence other nations with adversarial messages but preventing others from influencing US citizens in the same way, that it is using the traction of the NK/SONY event to create a civil law precedent for content curation in Twitter that can later be expanded to federal law. This creep from civil to federal law has happened before - notably with Youtube - which now removes content that the federal government wants it to (known examples include ISIL recruitment videos and US citizen Anwar al-Awlaki's political messages).