Forgive me my trespasses

How a recent federal appeals court decision makes virtually everyone a computer criminal, writes SecurityFocus columnist Mark Rasch.

Last month, a federal appeals court in California dramatically and unwarrantedly expanded the scope of the federal criminal law prohibiting "unauthorized access" to computers and electronic mail.

This ruling, reported on Security Focus, opens the door for civil lawyers and prosecutors alike to punish as computer "hacking" and "trespass" a whole host of activities that have virtually nothing to do with computer crime.

You can now go to jail for computer crime even if you never touch a computer, and know nothing about computers (indeed, particularly if you know nothing about computers.) The ruling was an unwarranted expansion of federal computer crime powers -- one which will come back to haunt even the most zealous privacy proponents.

The case arose out of an ordinary civil lawsuit between two parties. During the course of discovery (legal jargon for a fishing expedition to seek out virtually any kind of dirt about the other side) one of the parties to the lawsuit subpoenaed the other party's ISP for all of the e-mail the opposing party had ever sent or received.

Now, you have to understand how a civil subpoena is actually issued in the United States. A lawyer with a pending lawsuit asks the clerk of the court for a stack of blank subpoenas. They have the seal of the clerk of the court, and they read something like, BY ORDER OF THE CLERK OF THE COURT... for whatever district, you are COMMANDED to produce ... whatever documents and records are listed on the subpoena.

The lawyer and not the clerk or the judge, decides who to subpoena, when to subpoena, and what to ask for -- and they almost always ask for the kitchen sink.

In practice, a subpoena is invariably not an order, but more an invitation to negotiate compliance -- sort of a modern day Arab Souk: you ask for everything, I give you nothing, and we eventually settle on something reasonable.

But apparently, nobody told the ISP about this secret. The ISP never got a lawyer, but, in response to the subpoena, decided to give the lawyers a "Smorgasbord" of emails -- one from column A one from column B -- none of which had anything to do with the litigation, and some of which were privileged. When the law firm representing the company whose e-mails were subpoenaed found out, they went to court, got the subpoena quashed, and made the other party pay for the costs, because they had violated the rules about taking "reasonable steps to avoid imposing undue burden or expense" to the ISP, and had demonstrated "at least gross negligence" in crafting the subpoena.

There are lots of problems with what happened in this case. The law firm should have clearly identified what it was looking for, and not simply subpoenaed all e-mails. The ISP should have consulted with counsel, and sought to narrow the subpoena (even with a phone call to the lawyers). They clearly should have called their customer and let them know about the order.

In fact, I am frightened at the thought that my ISP might turn over my information to anyone without telling me first.

What happened next, though, is what gives me chills.

A Felony a Day

The lawyers for the ISP's customers went after the other lawyers and their client for accessing their emails "without authorization" in violation of U.S. computer crime laws. A lower court threw out the case, but last month the appeals court let them proceed under this theory.

The federal court of appeals essentially treated the subpoena as a sham, and stated that, because the subpoena was overbroad and violated the rules about what can be subpoenaed, it must be treated as though it didn't exist.

And if there was no subpoena, there was no authorization to get the e-mail. Therefore, the court reasoned, if there was no authorization, this must have been a "break in" or "trespass" to the ISP's computers -- a crime.

This decision, while motivated by a legitimate desire to protect privacy and force lawyers to obey the rules, nevertheless dramatically expands the meaning and intent of the computer crime in a way that could permit hundreds of thousands of people to be prosecuted.

Moreover, it represents a trend to use concepts as "trespass" and "unauthorized use" to criminalize things like sending e-mail to people who don't want it, viewing competitor's public information and Web pages, and even using a work computer for personal purposes. The laws were designed to prosecute people who hack into computers and steal information.

Let's face it, virtually all of the information that might be sought by subpoena in civil or criminal cases is likely created on, stored on, processed in, or transmitted through a computer. Credit card bills, phone records, word processing documents, letters, correspondence, memos -- virtually anything but hand written notes require someone to access a computer to obtain them.

The California decision makes any access to such information a crime, unless it is obtained with effective consent. Overbroad subpoenas, fraud, trickery or deceit all vitiate consent, and render the access to the information criminal.

If we now call overbroad subpoenas an unauthorized access, then unwanted e-mail is a trespass. Linking to someone's website without permission is likewise a trespass. Reading personal e-mail on a corporate computer exceeds the scope of authorization to use the computer, and is therefore a crime. We have so expanded the scope of criminal law that it includes virtually anything we do on a computer. You can't go through a day in cyberspace without committing at least one felony and a host of misdemeanors.

Let's get real. What the lawyers did was issue an overbroad subpoena. The Washington D.C. court in the Verizon/RIAA case held that the RIAA subpoenas were valid even though no lawsuit had been filed, because a subpoena is not a court order, and doesn't enforce itself. The recipient is essentially free to ignore it, and wait for the issuer to go to court to enforce it.

The defendants in this case did not break into any computers -- and saying that they did is bad for those who value liberty and prosecutorial restraint.

Copyright © 2003,

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.