Feeds

Hacking by subpoena ruled illegal

Fishing tripped

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Issuing an egregiously overbroad subpoena for stored e-mail qualifies as a computer intrusion in violation of anti-hacking laws, a federal appeals court ruled Thursday, deciding a case in which a litigant in a civil matter subpoenaed every single piece of e-mail his courtroom adversary sent or received.

Alwyn Farey-Jones was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his attorney, Iryna Kwasny, to send a subpoena to the company's Internet service provider -- California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.

"One might have thought, then, that the subpoena would request only e-mail related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation," reads the decision by the Ninth Circuit Court of Appeals. "But Kwasny ordered production of '[a]ll copies of emails sent or received by anyone' at ICA, with no limitation as to time or scope."

By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 e-mails from ICA officers and employees -- most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, they quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena "massively overbroad" and "patently unlawful," and hit Farey-Jones with over $9,000 in sanctions.

The ICA officers and employees whose e-mail was accessed went on to sue Farey-Jones and his attorney under the civil provisions of three federal privacy and computer protection laws, but a federal judge threw out the lawsuit. On Thursday, the Ninth Circuit partially reversed that ruling, finding that the subpoena didn't violate federal wiretap law, but could constitute a violation of the Stored Communications Act and the Computer Fraud and Abuse Act -- both of which outlaw unauthorized access to computers and stored e-mail.

The three-judge panel rejected a defense argument that the e-mail access was "authorized" by NetGate's failure to challenge the subpoena. "Allowing consent procured by known mistake to serve as a defense would seriously impair the statute's operation," the court wrote. "A hacker could use someone else's password to break into a mail server and then claim the server 'authorized' his access. Congress surely did not intend to exempt such intrusions -- indeed, they seem the paradigm of what it sought to prohibit."

Although the ruling addressed a civil suite, the Computer Fraud and Abuse Act includes criminal penalties, and is the most common weapon for prosecutors in federal computer crime cases. That means civil attorneys issuing overbroad subpoenas -- not an uncommon event -- now risk lawsuits, and even potential criminal prosecution as computer intruders.

The ruling got a mixed reaction from Internet law experts.

"To equate an overbroad subpoena to breaking in is outrageous," says Mark Rasch, an attorney and former Justice Department cybercrime prosecutor. "The real crime here is the ISP getting the subpoena didn't contact the customer immediately and say, 'what do you want to do?' Every subpoena is overbroad. It's the responsibility of the party receiving the subpoena to try and narrow it."

A NetGate spokesperson said no one was available to comment on the case late Friday.

Stanford University cyberlaw expert Jennifer Granick says the ruling is good for online privacy, but that it spotlights serious problems in the federal computer crime law. "I like privacy, but I'm more concerned about the breadth of the criminal law," says Granick. "The language 'unauthorized access' is really vague. Here the defendant never even touched a computer, except to perhaps print out the subpoena."

Cindy Cohn, legal director at the San Francisco-based Electronic Frontier Foundation, says she's bothered by one aspect of the ruling: the court found that you don't have to own or operate a computer that's been improperly accessed in order to sue under the Computer Fraud and Abuse Act -- you need only have been harmed by the intrusion. "I think it could be troubling for people who are poking around on the Internet and stumble into something," says Cohn. "This widens the community of people who can complain they've been hurt by what you did."

But Cohn is pleased by the court's crackdown on subpoena-aided fishing expeditions, and says EFF plans to cite the case in arguments against the Recording Industry Association of America, which has begun subpoenaing ISPs to identify file traders. "It's going to be pretty useful to us," says Cohn. "It buttresses the idea that you have a serious level of responsibility in issuing these legal instruments."

Copyright © 2003,

Beginner's guide to SSL certificates

More from The Register

next story
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
NATO declares WAR on Google Glass, mounts attack alongside MPAA
Yes, the National Association of Theater Owners is quite upset
Inside the EYE of the TORnado: From Navy spooks to Silk Road
It's hard enough to peel the onion, are you hard enough to eat the core?
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.