Feeds

Feds: email subpoena ruling hurts law enforcement

Significance 'cannot be overstated'

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

A federal appeals court has declined to reverse last year's decision that the issuance of an egregiously overbroad subpoena for email can qualify as a computer intrusion in violation of anti-hacking laws. This is despite an argument by the Justice Department that a side-effect of the ruling has already made it harder for law enforcement officials to obtain Americans' private email.

The defendant in the case, Alwyn Farey-Jones, was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his then-attorney, Iryna Kwasny, to send a subpoena to the company's Internet service provider - California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.

"One might have thought, then, that the subpoena would request only email related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation," reads last August's decision by the 9th Circuit Court of Appeals. Instead, the subpoena demanded every single piece of email ICA's officers and employees had ever sent or received.

By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 emails from ICA - most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, it quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena "massively overbroad" and "patently unlawful," and hit Farey-Jones with over $9,000 in sanctions.

Criminal Penalties

The ICA officers and employees whose email was accessed went on to sue Farey-Jones and his attorney under the civil provisions of three federal privacy and computer protection laws, but a federal judge threw out the lawsuit. The 9th Circuit partially reversed that ruling last August, finding that the subpoena didn't violate federal wiretap law, but could constitute a violation of the Computer Fraud and Abuse Act and the Stored Communications Act (SCA), which outlaw unauthorized access to computers and stored email respectively.

Although the ruling addressed a civil suit, both laws include criminal penalties. That means civil attorneys issuing overbroad subpoenas - not an uncommon event - now risk lawsuits, and even potential criminal prosecution as computer intruders, under the decision.

"In my view, the 9th Circuit decision... potentially criminalizes a broad swath of conduct," says San Francisco attorney Robert White, who represented Farey-Jones in the appeal. Electronic civil libertarians were split over the decision, seeing it as good for privacy, but a tempting tool for abuse by zealous prosecutors or litigious companies.

But when White filed a motion for rehearing at the 9th Circuit, he found himself with an unlikely ally in the case: the US Justice Department, which filed an amicus brief supporting a new hearing.

Justice Department lawyers didn't object to an expansion of the Computer Fraud and Abuse Act -- their most common weapon against accused computer intruders and virus writers - but they were deeply troubled by the court's interpretation of the SCA, which they say hobbles their ability to obtain a suspect's email.

Federal law protects email under two different standards: messages in "electronic storage" at an ISP can only be obtained by law enforcement officials only with a search warrant issued by a judge based on probable cause to believe that a crime has been committed. But messages that the recipient has read and chosen not to delete can be obtained with a simple administrative subpoena.

"Difficulties for Law Enforcement Nationwide"
Based on the Justice Department's interpretation of that law, the FBI is long accustomed to being able to obtain messages that the recipient has read by simply handing the ISP an administrative subpoena, only troubling a judge when they need access to unopened email, or, under another requirement of the law, messages older than 180 days.

But in ruling against Farey-Jones, the 9th Circuit found that the ICA messages were still in "electronic storage" at NetGate, even though the recipients had read them. It may seem a fine point, but the Justice Department worries that that interpretation places all email less than 180 days old, and stored at an ISP, into the category that requires a search warrant.

"The significance of this change for law enforcement cannot be overstated," wrote Justice Department attorney Mark Eckenwiler in the amicus brief. "Substantial quantities of evidence previously available to state and federal prosecutors are no longer available under this heightened standard."

Prosecutors in the parts of the country governed by 9th Circuit case law - eight western U.S. states and Hawaii - have already stopped issuing administrative subpoenas for email, according to the brief, filed last September, forcing them to go to a judge and show probable cause when they want a peek into a netizen's inbox.

"Moreover, because the Internet spans state and national borders, the panel's decision is likely to create difficulties for law enforcement nationwide," reads the filing, noting that some of the nation's largest email providers, including Yahoo and Hotmail, are located in the 9th circuit.

"I was grateful - it's nice to have the government on your side," says White. "It's a question of whether something is considered to be a stored communication or not, and that's really what this case is about, to a very large extent."

But despite Farey-Jones' unexpected help from Washington, last month, the appellate court rejected both Farey-Jones' bid for a new hearing, and the Justice Department's narrow argument over electronic storage.

"We acknowledge that our interpretation of the Act differs from the government's and do not lightly conclude that the government's reading is erroneous," the court wrote. "Nonetheless... we think that prior access is irrelevant to whether the messages at issue were in electronic storage." On Thursday, the court agreed to temporarily suspend the civil suit against Farey-Jones while he appeals to the US Supreme Court.

Copyright © 2004, 0

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.