Gorsuch on Cyber-related Issues: Part Three
This is the final installment in a three-part series on Judge Neil Gorsuch’s cyber-related decisions from the Tenth Circuit.
Published by The Lawfare Institute
In the cases below, the judge addresses internet prescriptions; examines the extent of a computer technician's knowledge of a prescription scheme; explains computer systems and some of their interactions with software; decides appropriate damages for disclosing, but perhaps not using, a former employer’s computer source code; and finds that in certain circumstances, a reasonable person should know that his or her internet activities involve interstate wire transmissions.
Rest Easy (or Easier), Low-level Computer Technicians
In United States v. Lovern, a computer technician was convicted for conspiracy to dispense drugs in violation of the Controlled Substances Act. Red Mesa, the pharmacy that the technician worked for, operated an elaborate online prescription scheme, contracting with two internet-based companies, SafeTrust and IntegraRx, which ran websites where “patients” who wanted prescriptions would answer a questionnaire. Contract physicians would then log onto these sites and approve prescription requests based solely on the questionnaires. There was no contact between the doctors and patients—no consultation, no follow-up questions, no scheduled review. SafeTrust and IntegraRx then contracted with several pharmacies, Red Mesa being one of them, to fill the prescriptions, paying $7 per prescription on top of the wholesale cost of the drugs.
Not only did Red Mesa’s methods diverge from the norm, but so did its prescription breakdown. Where a traditional pharmacy dispenses more non-controlled substances than controlled substances at a rate of nine to one, Red Mesa filled more controlled than non-controlled substances.
In Lovern, Judge Gorsuch handles two issues—first, whether SafeTrust and IntegraRx’s physicians were acting outside the usual course of modern medical practice by prescribing medicine based solely on an online questionnaire, and second, whether the computer technician had the requisite mens rea for violating the Controlled Substances Act by knowingly helping to fill prescriptions written by doctors who had no interaction with their patients and were either acting outside of the scope of usual medical practice or without a legitimate medical purpose.
As to the first question, Judge Gorsuch finds that a reasonable jury could have been persuaded by the government’s substantial evidence from a variety of sources that SafeTrust and IntegraRx’s physicians were acting outside of medical standards of care and contemporary medical practices. However, he leaves the door open to these practices changing in the future, noting that “[w]hatever may be the case in five or ten or twenty years, the government adduced sufficient proof at trial that the practices of SafeTrust and IntegraRx physicians were not within the usual course of professional practice as of 2005 and 2006” (emphasis added).
And as for the computer technician’s conviction under the Controlled Substances Act, Judge Gorsuch reverses the verdict, finding that no reasonable jury could have found the technician, named Barron, guilty beyond a reasonable doubt. In order for the conviction to stand, the government would have needed to prove that Barron knew that the physicians were prescribing medicine based solely on online questionnaires and that this was not consistent with legitimate medical practices.
Barron had little familiarity with pharmaceuticals and received little training from SafeTrust and IntegraRx. His job was quite menial—he logged onto the websites and navigated to a page with the prescriptions available to Red Mesa. The business manager sat next to Barron and directed him on which prescriptions to select to fill. Barron would then print out the labels.
This question points to an interesting strategy by the government. The government chose not to argue that Red Mesa was unlawfully accepting prescriptions over the internet, stating both in its brief and at oral argument that “[u]sing the Internet to transmit a lawful prescription is not the issue.” Instead, it chose to apply the Controlled Substances Act in a more traditional way, arguing that those involved in the pharmacy knew that the doctors were “exceed[ing] the boundaries of legitimate practices and purposes in the medical profession.”
However, Judge Gorsuch finds the facts did not line up with the government’s argument when it came to Barron. While there were some instant messages between Barron and the operator of the SafeTrust website showing that Barron knew something at Red Mesa was awry, that level of general knowledge is not sufficient to convict under the Controlled Substances Act: the government needed to prove that Barron knew both that the online questionnaires were the only “interaction” the doctors had with the patients and that this was not consistent with contemporary medical practices.
Judge Gorsuch’s opinion provides a roadmap for computer technicians to isolate themselves from the criminal behavior of their employers. If a technician is performing tasks that do not provide, or amount to, knowledge of the criminal activity on the part of his or her employer, taking the ostrich approach and sticking one’s head in the sand may be beneficial—at least if the suspected criminal activity violates the Controlled Substances Act.
Harkening Back to Microsoft’s Monopoly
Sending us back to the release of Microsoft 95, Judge Gorsuch’s opinion in Novell, Inc. v. Microsoft is yet another example of his technological understanding. Novell, creators of WordPerfect software programs, brought suit against Microsoft for withdrawing independent software vendors’ (ISVs) access to part of Windows 95’s application programming interfaces and thus furthering Microsoft’s monopoly of Intel-related personal computer systems.
While ultimately finding that Microsoft’s actions did not monopolize trade as defined by § 2 of the Sherman Act, Judge Gorsuch explains computer systems and software interfacing with ease and precision. While the whole opinion reads as an accessible, historical primer, here are some highlights:
An operating system amounts to the computer’s core software—software that allows the everyday user to take advantage of a computer’s functions. Users often rely on an operating system to open and close other applications—word processors, spreadsheets, calendars, or the like. Those applications often depend on the operating system, too, drawing on the operating system’s code to read and write files on the hard drive, draw images and text on the screen, or transmit information. In 1981, Microsoft introduced MS–DOS, an operating system that required users to type commands on the keyboard. Beginning in 1990, the company developed successive versions of its Windows operating system, one that featured a “graphical user interface” allowing users to issue commands simply by pointing and clicking a mouse on visual icons.
…
Anticipating the release of Windows 95 to the public sometime in 1995, in June 1994 it shared a beta, or test, version of the operating system with ISVs [independent software vendors]. At the same time, Microsoft also gave ISVs access to Windows 95’s application programming interfaces (APIs). APIs allow programs to invoke the operating system’s built-in abilities to perform certain functions; each API consists of a set of named procedures that automate particular tasks an application might need to perform. By publishing the names of the procedures in an API and providing information about how to invoke each one, Microsoft essentially permitted ISVs a shortcut—they could rely on Microsoft’s APIs when writing their own code rather than having to design custom code to perform the same functions.
…
Among the APIs Microsoft chose to share information about were namespace extensions (NSEs). NSEs are a subset of APIs that permit a user to see (and then open) documents affiliated not just with the current application but located in wildly different places on the computer or elsewhere. Familiar namespaces include the “Recycle Bin”—where a user might dispose of an unwanted document—and the “Desktop”—the computer’s default screen that displays when the user starts up his computer. If a user wants to open a document on the Desktop, she might click the Desktop namespace icon on the left side of the file open dialog on the application she is currently running, and watch the contents of the Desktop appear on the right side of the window. With a double click, she might then open the document. NSEs thus provide something of a shortcut to places outside the current application.
In Novell, Judge Gorsuch demonstrates not only his understanding of the detailed workings of computers and software but also that he can clearly, and fairly concisely, explain technology to the general public.
Sharing Your Former Employer’s Source Code: What Damages Are Allowed?
In StorageCraft Technology v. Kirby, Judge Gorsuch examined the Uniform Trade Secrets Act, the definitional overlap between “use” and “disclosure”, and the distinction between trade secret law and patent law’s available awards for disclosure violations. Given the importance of trade secrets and the applicable law to the industry, StorageCraft may be an important case for tech companies to keep in mind in dealing with a future Justice Gorsuch.
James Kirby, one of the founders and directors of the computer software company StorageCraft, had a falling out with the company and took StorageCraft’s source code, a trade secret, to a rival company, NetJapan. StorageCraft sued for trade secret misappropriation, and a jury returned a verdict of 2.92 million dollars in favor of StorageCraft. However, Kirby never personally profited from the move, and StorageCraft did not prove at trial that NetJapan ever made commercial use of the source code. As a result, Kirby argued that the claim was immune from certain damages, namely “reasonable royalty” damages or “the price that would be set by a willing buyer and a willing seller.” Reasonable royalty damages “seek[] to recreate ‘an actual market transaction,’” as opposed to the two other options for damages—defendant’s unjust enrichment or the plaintiff’s “actual loss.”
Noting that Utah’s statute, in line with the Uniform Trade Secrets Act, does not restrict reasonable royalty damages to cases where the defendant used the trade secret as opposed to disclosing it, Judge Gorsuch upholds the district court’s judgment. In doing so, he touches on the policy behind Utah’s use of reasonable royalty awards as a general option, ultimately declaring it the terrain of the state legislature.
[W]here (as here) a defendant discloses a trade secret to a rival company in a fit of retaliatory pique without any desire for personal riches, the other two measures of damages may not always be entirely fit for the task. An award based on unjust enrichment risks undercompensating the plaintiff when the defendant has no gains of his own to disgorge. Though what the Utah statute calls the “actual loss” measure of damages doesn’t suffer from this particular problem, it may invite practical difficulties of its own. In cases like ours the best evidence about the extent of the plaintiff’s lost sales isn’t readily available from the defendant before the court but resides instead in the hands of far-flung third parties like NetJapan. Proving a causal connection between the plaintiff’s claimed lost profits and the defendant’s conduct might be difficult, too, in these circumstances. Complexities like these may be surmountable, but the cost of doing so may be enough to explain why a state would wish to make reasonable royalty awards generally available to misappropriation plaintiffs. After all, it is hardly unknown for the law to resolve ambiguities about the appropriate quantity of damages against the wrongdoer rather than his victim.
…
We can imagine arguments that might lead reasonable lawmakers in [another] direction as well, including worries that hypothetical royalty negotiation exercises themselves might be difficult to administer in certain circumstances or might yield damages in excess of the plaintiff’s actual losses.
…
In the end, though, arguments like these are more appropriately directed to those charged with writing Utah’s trade secret statute than those charged with applying it. To decide this case it’s enough for this court to recognize and respect Utah’s policy choice to permit “reasonable royalty” awards as a “general option” in “disclosure” cases. We are in no position to override that legislative choice simply because we might prefer another.
While Judge Gorsuch repeats that states did not have to follow Utah’s choice in adhering to the Uniform Trade Secrets Act, he points out that the distinction between use and disclosure is not quite clear.
Can’t disclosing a trade secret for a particular end or purpose (be it retribution or profit or otherwise) be a way of putting it to use, at least in a broad sense of the word? What happens when the disclosure is made to a third party (like NetJapan) with the intent the third party itself put the trade secret to commercial use in ways harmful to the secret’s owner? Isn’t at least that disclosure a use of the secret, whether or not the third party takes up the invitation?
Finally, Judge Gorsuch muddles through the cases cited by the defendant and clarifies the source of the distinction between trade secret and patent law’s requirements for reasonable royalty damages.
To the extent that University Computing or similar cases cited by Mr. Kirby happen to emphasize commercial use apart from disclosure, it’s noteworthy that they tend to borrow generously from patent law’s approach to reasonable royalty damages. Under the terms of the federal patent statute (unlike those of the Uniform Trade Secrets Act), a reasonable royalty award does depend on “the use made of the invention by the infringer.” But the difference between the Patent Act and Uniform Trade Secrets Act on this score is hardly surprising given basic differences between patents and trade secrets. Sharing information about another’s patented invention is generally not the injury disclosing a trade secret is. After all, patentees aren’t allowed to keep their innovations entirely to themselves; telling us how to practice their invention is the price they must pay for their patent. Because the crucial information about patented inventions is already a matter of public record, patent cases on reasonable royalties have had no cause to address unauthorized disclosure. Their focus has been and must be on authorized uses. To be sure, patent cases still provide useful instruction for courts considering damages for trade secret misappropriation, as we have noted before. But in light of the differences between the patent and trade secret statutes—and between patents and trade secrets themselves—patent law’s treatment of reasonable royalties can’t be read to suggest that a reasonable royalty award in trade secret must always and as a matter of logical necessity require commercial use.
What the Reasonable Person Should Know About the Internet
Do you know where server connections were made for you to read this article? Do you at least presume that they crossed state lines? According to United States v. Mullins, Judge Gorsuch believes there are situations in which a reasonable person should know that her internet activity moved beyond the boundary of her own state.
LaDonna Mullins and Linda Edwards used their real estate business to defraud the U.S. Department of Housing and Urban Development (HUD) by falsifying applications for Federal Housing Administration (FHA) loans, which are often easier to obtain than standard loans. Once Mullins and Edwards had a client who was unable to obtain a loan due to poor credit, they sent the client on to a pair of forgers, Warren Williams and Rod Wesson, who would create a variety of false documents—“pay stubs, W-2 forms, Social Security numbers, rent verifications, and gift letters”—to bolster the client’s credit. The plan was well thought through; Mullins and Edwards even created fake companies acting as the client’s employer, using their own phone numbers so they could answer verification calls. Money flowed both ways between the real estate agents and the forgers: the document makers would pay the real estate agents a percentage of the fee they charged the client, and once a client closed on a house, a percentage of the real estate agents’ commission went to the forgers.
After being convicted of wire fraud, Mullins appealed on the grounds that the government lacked sufficient evidence that she had caused interstate wire transmissions. Judge Gorsuch finds that in order to sustain her convictions, “the evidence need not go so far as to prove she ‘specifically intend[ed] to use this or that wire,’ but it must at least show that Ms. Mullins did ‘an act with knowledge that the use of the wires will follow in the ordinary course of business, or where such use can reasonably be foreseen, even though not actually intended.’”
Since a FHA case number was required for each loan application, interstate wires were frequently used in the scheme.
To obtain the case number, a lender logged in to HUD’s FHA Connection computer database system and entered information about the property and prospective borrower. That information was sent to HUD’s mainframe in Maryland, which produced and transmitted an [sic] FHA case number back to the lender. That case number then appeared on the various loan documents the real estate agents handled through closing of the property purchase.
However, Mullins claimed that the entirety of her business dealings occurred in Colorado so the interstate nature of the wire transmissions for the FHA case numbers was not foreseeable. Judge Gorsuch does not find her argument persuasive.
The wire fraud statute doesn’t require that a defendant be able to anticipate every technical detail of a wire transmission, before she may be held liable for causing it. It’s enough if she “sets forces into motion which foreseeably would involve” use of the wires.
Judge Gorsuch finds that, due to Mullins’s choice of FHA-insured loans, coupled with her seeing the closing documents that contained case numbers, a rational jury could find that she could reasonably foresee the use of the wires.
Before narrowing his holding to the case at hand, Judge Gorsuch hints at a more sweeping ruling.
Indeed, given the ubiquity of electronic communications in our day and age, one might posit that use of the wires is always foreseeable when conducting such large and complex transactions.
As for the interstate nature of the wire transmissions, Judge Gorsuch drew an interesting conclusion—that since the seat of the FHA was outside Colorado, Mullins should have anticipated interstate wire transmissions.
She maintains that the real estate transactions underlying her convictions had everything to do with Colorado and only Colorado: all of the people and properties involved were located in the Centennial State. But that is not so. The charged wire transmissions came from the FHA in Maryland. As its name suggests—and as Ms. Mullins testified she was aware—FHA is an agency of the federal government, whose seat resides outside of Colorado. From this, it’s no stretch for a jury to conclude Ms. Mullins should have anticipated that wire transmissions involving the agency might cross state lines, as they did.
This holding gives rise to other questions—if there is a FHA branch office in Colorado, which there is, is it reasonable to assume that the FHA has in-house servers and databases for processing Colorado applications? Also, is it reasonable to assume that an agency or a company stores its servers and databases where its seat is located? Does cloud computing change this?
Regardless of these lingering questions, Judge Gorsuch makes one thing crystal clear: he envisions the hypothetical “reasonable person” as endowed with a certain degree of technological understanding.