Feeds

Hacking by subpoena ruled illegal

Fishing tripped

  • alert
  • submit to reddit

Boost IT visibility and business value

Issuing an egregiously overbroad subpoena for stored e-mail qualifies as a computer intrusion in violation of anti-hacking laws, a federal appeals court ruled Thursday, deciding a case in which a litigant in a civil matter subpoenaed every single piece of e-mail his courtroom adversary sent or received.

Alwyn Farey-Jones was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his attorney, Iryna Kwasny, to send a subpoena to the company's Internet service provider -- California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.

"One might have thought, then, that the subpoena would request only e-mail related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation," reads the decision by the Ninth Circuit Court of Appeals. "But Kwasny ordered production of '[a]ll copies of emails sent or received by anyone' at ICA, with no limitation as to time or scope."

By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 e-mails from ICA officers and employees -- most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, they quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena "massively overbroad" and "patently unlawful," and hit Farey-Jones with over $9,000 in sanctions.

The ICA officers and employees whose e-mail was accessed went on to sue Farey-Jones and his attorney under the civil provisions of three federal privacy and computer protection laws, but a federal judge threw out the lawsuit. On Thursday, the Ninth Circuit partially reversed that ruling, finding that the subpoena didn't violate federal wiretap law, but could constitute a violation of the Stored Communications Act and the Computer Fraud and Abuse Act -- both of which outlaw unauthorized access to computers and stored e-mail.

The three-judge panel rejected a defense argument that the e-mail access was "authorized" by NetGate's failure to challenge the subpoena. "Allowing consent procured by known mistake to serve as a defense would seriously impair the statute's operation," the court wrote. "A hacker could use someone else's password to break into a mail server and then claim the server 'authorized' his access. Congress surely did not intend to exempt such intrusions -- indeed, they seem the paradigm of what it sought to prohibit."

Although the ruling addressed a civil suite, the Computer Fraud and Abuse Act includes criminal penalties, and is the most common weapon for prosecutors in federal computer crime cases. That means civil attorneys issuing overbroad subpoenas -- not an uncommon event -- now risk lawsuits, and even potential criminal prosecution as computer intruders.

The ruling got a mixed reaction from Internet law experts.

"To equate an overbroad subpoena to breaking in is outrageous," says Mark Rasch, an attorney and former Justice Department cybercrime prosecutor. "The real crime here is the ISP getting the subpoena didn't contact the customer immediately and say, 'what do you want to do?' Every subpoena is overbroad. It's the responsibility of the party receiving the subpoena to try and narrow it."

A NetGate spokesperson said no one was available to comment on the case late Friday.

Stanford University cyberlaw expert Jennifer Granick says the ruling is good for online privacy, but that it spotlights serious problems in the federal computer crime law. "I like privacy, but I'm more concerned about the breadth of the criminal law," says Granick. "The language 'unauthorized access' is really vague. Here the defendant never even touched a computer, except to perhaps print out the subpoena."

Cindy Cohn, legal director at the San Francisco-based Electronic Frontier Foundation, says she's bothered by one aspect of the ruling: the court found that you don't have to own or operate a computer that's been improperly accessed in order to sue under the Computer Fraud and Abuse Act -- you need only have been harmed by the intrusion. "I think it could be troubling for people who are poking around on the Internet and stumble into something," says Cohn. "This widens the community of people who can complain they've been hurt by what you did."

But Cohn is pleased by the court's crackdown on subpoena-aided fishing expeditions, and says EFF plans to cite the case in arguments against the Recording Industry Association of America, which has begun subpoenaing ISPs to identify file traders. "It's going to be pretty useful to us," says Cohn. "It buttresses the idea that you have a serious level of responsibility in issuing these legal instruments."

Copyright © 2003,

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.