We’re the Freedom People

March 2001

An Interview with  WITH JENNIFER GRANICK

Attorney Jennifer Granick has made a career out of defending the “little guys”–a mission that takes on added dimension in her new post at Stanford Law School’s Center for Internet and Society.

INTERVIEWED BY RICHARD THIEME
BioLines

>05.93 Graduated from Hastings Law School, San Francisco.

>10.96 Started own law practice, defending computer crime and other criminal cases.

>01.01 Named clinical director at Stanford Law School’s Center for Internet and Society.
Q: What is the intended mission of Stanford’s new Center for Internet and Society? Do you plan to incubate ideas or export them? Do research papers or white papers? Or will it be a think tank?

A:In the Center’s clinical division, we’re going to take actual cases that raise public-interest issues in the technology world and litigate them, providing direct representation to clients. We will also do lobbying and write amicus briefs, and we’ll have a set of clients whom I will represent. The students will work with me in providing representation, which will help them develop practical skills.

This will be good for clients who might not have the resources to hire a civil attorney. It’s good for society because we provide an additional force interested in litigating in the public’s interest. And it’s great for me personally, because I get to do what I am deeply interested in.

My personal ideology and political goals are to keep the Internet at least as free as the rest of our lives-and now I get to do that full time, with brilliant and supportive colleagues.

How did you find yourself in this position?

I knew Lawrence Lessig [the Center’s advisory board chairman] when he was head of Harvard Law School’s Berkman Center on Internet and Society. One of the lures that brought him to Stanford Law last year was a promise of funding for the Stanford Center for Internet and Society, and he asked me to be the director.

The timing for me was perfect. In many ways, I’ve loved being a criminal defense lawyer. There are things I will miss, but it’s difficult to be in private practice for yourself-you have to spend a lot of time on administrative tasks, and there are cases you have to take that don’t really challenge you. At the Center, I’ll be able to spend more time on things I really want to do.

When did you first get involved with the Internet and cyber civil liberty?

As a criminal defense attorney, I became very involved with hackers and hacking, but that was simply one subset of my passion for computing and the Internet.

I’m 31 now, and when I moved to San Francisco to attend law school, I had a dial-up shell account on a small ISP; this was around 1991 and the Web was barely born. There were no graphics, and Gopher was the big new thing. I remember the day I fell in love with the Internet. As difficult as it was to figure out how to use Archie, Veronica and Pine, what struck me was that there was a chaotic amount of interaction-it really was chaotic at the time-and it hit me that there were no rules. People were doing all sorts of things online, and it seemed totally random, totally free, unsurveillable and completely anonymous. It was amazing to talk with all of these people you would not otherwise encounter.

And soon this became a central part of your career . . .

When I graduated in 1993 from Hastings Law School [a University of California law school in San Francisco], I did death penalty stuff at first, then worked for a trial attorney. Then I was hired for a small criminal defense firm that did a lot of white-collar cases. I thought, well, if I’m going to do white-collar crime, I’m going to do computer crime.

I loved computers, thought they were fascinating. Everything seemed so chaotic. As the law’s and the public’s attentions was drawn to that chaos, there was a great push for regulation. I didn’t want the regulation to undermine the experience of freedom and near-chaos that I had had when I first used the Internet. So I was concerned about surveillance, free speech and related issues.

But there wasn’t a lot of money in it. Most of the people getting into trouble were kids, and kids don’t have much money. White-collar crimes generally involve firms that will pay defendants’ costs; the people accused of computer crime are often young, with limited income, and they haven’t accumulated wealth. They have no corporation behind them. I thought taking these cases was important for my role in the firm at the time, but because it didn’t generate a lot of money, it wasn’t seen that way.

How did you migrate into the world of defending hackers? Bruce Schneier told me that it’s tough to do computer security unless you can think like a criminal. You’re a lawyer–yet there was a powerful attraction to the hacking world, wasn’t there?

Yes. There were intellectual reasons why it was interesting, too–some fascinating challenges. But I believe there are two types of people in this world-cops and criminals. You can have a cop mentality and still be a criminal, or you can have a criminal mentality and never act on it.

Are you the kind of person who thinks everybody should follow the rules or are you the kind who appreciates chaos, likes a more freewheeling kind of world? According to that paradigm, I am definitely on the criminal side. I don’t like routine. I thought, here are people who are all over the map in terms of how they think about things, and I find that just excellent. It’s fun and interesting to be around. I want to promote it.

I was told by my father, early on, if you ever tell them what you really think, you’ll never make it with the establishment. But you have to know what you really think so you can play the game. Being a lawyer is all about playing the game. I tried to represent people who played the game poorly, so I could use my game-playing skills to escort them through a difficult time.

You were a mentor to people who needed coaching as to how to blend life skills with computing skills?

Right. The bottom line is, they want to find out stuff. They need to know how much they can find out and how to go about getting information without getting into trouble. I didn’t tell them to just sit there with their hands in their laps and be “good.” I said, what you’re doing is great, so how can we figure out how to do it without crossing the line?

I’m an enabler, in the best sense of the word. I don’t mean I want to promote criminal behavior. It’s just the opposite: I want to promote their passionate search for knowledge and what interests them, and teach them how to do it right. I think the ability to see how the system does not work is a great skill; unfortunately, it’s a skill that schools try to teach out of us. The real sign of a good education is not knowing the answers-it’s knowing what questions to ask. You want to promote that kind of intense questioning.

But some readers of this magazine would argue that the pursuit of knowledge is no justification for engaging in criminal activities, especially when those engaged in the activities know they are breaking the law. They might further argue that many teenage hackers know full well that if they’re caught, the penalty won’t be that severe, because they’re underage.

I don’t think we should criminalize the pursuit of knowledge. If we do, then that’s a good justification for breaking that law. The law is just only to the extent that it protects an individual or society. When the law hampers the individual or doesn’t protect society, I don’t think we should get up in arms about protecting it.

If someone argues that the recent DoS attack against Microsoft, for example, was designed to increase the public’s knowledge about the consequences of a faulty network design or misconfigured routers, would you extend the same protections to them?

No, because in that case damage was done. That goes beyond the pursuit of knowledge. But we criminalize far more than that. I have clients who were accused of crimes for verbally revealing security vulnerabilities, not for exploiting them. First of all, revealing security vulnerabilities should not be criminal. Second, the law should not prohibit people from discovering how systems work and understanding them. To the degree that the law prohibits damage or invasion of property, I agree.

As to the statement that teen hackers don’t think they will incur severe penalties because of their ages, I can tell you as a criminal defense lawyer, my experience is that no one, young or old, ever thinks they will be caught. They all think they’re going to get away with it, or they’re not thinking about it at all. The idea that a slap on the wrist is in the mind of anyone when they act is irrelevant. At the time someone is committing an act, they think they will get away with it or they’re acting out of passion, from a non-rational place, and they’re not taking into consideration the consequences of their actions. It’s a rare criminal who weighs the pros and cons and does the calculus of the consequences of getting caught and acts on that rational evaluation.

Would you say one of the reasons the law has become so constraining in this area is because initially people didn’t understand cyberspace and tended to become overly restrictive?

Definitely. People without a lot of expertise fear the knowledge and expertise of those who have it and their ability to hurt them. So people are afraid hackers will steal their credit card or medical information because they fear that hackers are powerful and ubiquitous. But that fear doesn’t mean that they’re right or that their fear-based actions should become a social priority.

You certainly have an ideological slant. Do you see the Center as a counterweight to the inevitable threat to civil liberties as the computer revolution fulfills some of its darker promises? By that I mean, the level of security recommended for the ‘Net is moving inexorably into society at large at all levels, and you sound like you’re saying that you want to protect people from that momentum.

That’s exactly right. The technology itself has done a lot of things. There are a lot of 800-pound gorillas in this cage. The government is involved. Corporations. The networks and the commercial aspects of the ‘Net. These players have huge resources and all of the little guys lose. The individual versus the corporation loses. Privacy versus surveillance loses. The citizen versus government loses. The public interest loses to the well-financed corporate lobby. We’re hoping the Center will be powerful but not profit-motivated, so we can represent the individual, the citizen and the public interest on a level playing field.

A colleague and I were participating in a roundtable discussion of copyright law the other day, and one of the corporate lawyers finished a critique of our position by dismissing us as “the freedom people.” I’d like to trademark that. That’s exactly who we are: We’re the freedom people.

What exactly is it that you know? How do you make the system work for you?

I know people. I know when to be nice and when to be stern. I know what people are about and how to lead them to act in our mutual self-interest. Hackers call it “social engineering,” but it’s really just understanding human nature.

Harvard’s Berkman Center for Internet and Society is defined as a research program founded to explore cyberspace, share in its study, and help pioneer its development. Is that the defining statement for the Stanford Center, too?

No. Larry Lessig’s vision is for the Stanford Center to be a lot more student-oriented.

Which means what?

Among other things, it means that the Center is a work in progress, and it will continue to be. As we work to establish the Center, it will have the stamp of Larry’s personality on it as well as mine. We both want it to be very responsive to students’ interests and we want the students to be a driving force behind its development. Larry and I will determine what cases we take, and no one will have a veto, but we’ll be very interested in input from the students.

So they’ll be encouraged to ask the right questions.

We hope the Center will not predetermine the questions to be asked but will give structure to a creative environment in which students learn to ask the right questions. We’re providing safe boundaries, but we want it to be an entrepreneurial culture and for students to bring their real concerns to the Center.

Who will your clients be? A large corporation taking on Napster wouldn’t come to you.

Nor would Napster. But we already have interesting projects. We’re doing a lot of copyright-versus-free-speech cases, where “copyright infringements” are actually instances of free speech. We’ll do open-source cases, too. We have one case involving Native American tribes and their claim to territorial sovereignty over the control of bandwidth. We’re representing local free wireless connectivity groups. We have cases involving security consultants who were sued, or threatened with a suit, by companies to keep them quiet about vulnerabilities they discovered. Over time, we’ll develop other issues.

How about hackers and hacking per se?

That will be a little more difficult. I’ll continue to take on some of those cases myself, but the Center is focused on cases that involve public interest, and a lot of hacking cases don’t raise sufficient public-policy questions. UC Berkeley and Duke University are developing centers, too, and the EFF [Electronic Frontier Foundation] is concentrating on litigation now. But we’ll all be focused differently.

Here’s an ideal scenario for the Stanford Center: a large corporation has copyright interests and they’re mad at some little guy who wants to disclose a vulnerability they should have fixed, or maybe they don’t like his parody site. Right now, they write a letter to the little guy to “cease and desist” and he calls a lawyer. The lawyer says it will cost him $20,000 up front and the litigation will take three years. For a student doing this as a hobby, it isn’t worth fighting. Two or three years from now, when that little guy gets that letter, I want him to go to one of these centers with his letter so we can tell the large corporation that the playing field is level. That would be a huge step forward.

You don’t think there might be gray areas in which you’ll have to compromise with the corporate interests of the university or the sources of foundation money that are funding you?

Larry Lessig and I have discussed this. We don’t think the school has any incentive to apply pressure on us, because they really want him to start the cyberlaw program and to do it here. Since there’s no public pressure on Larry and there’s no pressure on me, I like to think we’re immune from any university influence.

At any rate, I would love it if what we’re doing is so important that a large corporation expresses its displeasure.

You’ve talked about how you have grown as a lawyer and as a person. Is it one of your goals for your students, then, to facilitate the kind of environment that will enable them to grow in the same way?

Absolutely. We want them to be good lawyers. We want them to have the skills they’ll need. We want to give them a jump-start. I don’t think you can teach good judgment or discernment, but we can try to provide the kind of environment that will help them grow.

One of our goals with students is to provide them with skills, but another goal is to have this generation of people think about the Internet as something other than a business story. I think that’s where we have been going lately, reading about the Internet and technology on the business pages. I want students to think about the Internet as something that’s socially important.

Law schools don’t necessarily give you a sense, a feeling, of what it’s like to spend your life working on something that you care about-that’s important to you. I want our program to give that to students. In law school you’re trained to see both sides of the story and argue both ways, which is important. But I think it’s important-and maybe nothing is more important-that your life’s work is something that you believe in and care about. If we can give students a feeling of what it’s like to make a difference in areas that they care about, that’s the most critical thing we can do.

Where do you see the Internet going? What will prevent the Internet from becoming an extension of everything and disappearing into the background of our lives, like electric power, telephony, roads? What will prevent others from determining its shape and structure unconsciously, so that our networks will embody assumptions without these critical questions ever having been asked?

That’s what happens now. We were fortunate that the Internet had its own philosopher kings or wise founders, who had brilliant ideas at the beginning about how to set up IT networks to make them free. Now the land is developed and we have competing interests and competing philosophies, but we don’t have a constitution. So what are the values written into the Internet that we want to preserve in terms of, say, end-to-end connectivity, open access and anonymity?

So you are carving out a space in which the most important questions can be asked and, beyond that, people can take action together on behalf of the answers they discover?

That’s what we’re doing, and that’s why this is so important.

Does this in any way conflict with the goals of those in the intelligence community, which emphasizes the flexibility of our real enemies and insists on the need to anticipate and strike preemptively? If there are plans to destroy our crops and hit our electricity and communications infrastructure simultaneously, the intelligence community believes sincerely and passionately that they must have the tools to secure the larger boundaries around our lives that enable these smaller boundaries even to exist.

Yes, I think that in some cases these values are in opposition. I would be foolish not to realize that. We can emphasize order, but at what price? It may be difficult to protect us in a world without complete surveillance, and it may be time-consuming and expensive to secure civil liberties in a wired world, but competing interests have to be balanced. Sometimes with freedom comes certain risks.

I don’t want to live in a “perfect” world where every criminal is caught and there’s no danger of any kind because anyone who would think of doing something wrong is under surveillance, under control or in prison. But neither do I want to live in a world where people are afraid and there’s terrorism and you can’t ride a bus. I want to live in a world that’s somewhere in between.

Copyright © 2001 Information Security, a division of TruSecure Corporation

Pin It on Pinterest

Share This