Feeds

Feds: email subpoena ruling hurts law enforcement

Significance 'cannot be overstated'

  • alert
  • submit to reddit

Remote control for virtualized desktops

A federal appeals court has declined to reverse last year's decision that the issuance of an egregiously overbroad subpoena for email can qualify as a computer intrusion in violation of anti-hacking laws. This is despite an argument by the Justice Department that a side-effect of the ruling has already made it harder for law enforcement officials to obtain Americans' private email.

The defendant in the case, Alwyn Farey-Jones, was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his then-attorney, Iryna Kwasny, to send a subpoena to the company's Internet service provider - California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.

"One might have thought, then, that the subpoena would request only email related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation," reads last August's decision by the 9th Circuit Court of Appeals. Instead, the subpoena demanded every single piece of email ICA's officers and employees had ever sent or received.

By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 emails from ICA - most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, it quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena "massively overbroad" and "patently unlawful," and hit Farey-Jones with over $9,000 in sanctions.

Criminal Penalties

The ICA officers and employees whose email was accessed went on to sue Farey-Jones and his attorney under the civil provisions of three federal privacy and computer protection laws, but a federal judge threw out the lawsuit. The 9th Circuit partially reversed that ruling last August, finding that the subpoena didn't violate federal wiretap law, but could constitute a violation of the Computer Fraud and Abuse Act and the Stored Communications Act (SCA), which outlaw unauthorized access to computers and stored email respectively.

Although the ruling addressed a civil suit, both laws include criminal penalties. That means civil attorneys issuing overbroad subpoenas - not an uncommon event - now risk lawsuits, and even potential criminal prosecution as computer intruders, under the decision.

"In my view, the 9th Circuit decision... potentially criminalizes a broad swath of conduct," says San Francisco attorney Robert White, who represented Farey-Jones in the appeal. Electronic civil libertarians were split over the decision, seeing it as good for privacy, but a tempting tool for abuse by zealous prosecutors or litigious companies.

But when White filed a motion for rehearing at the 9th Circuit, he found himself with an unlikely ally in the case: the US Justice Department, which filed an amicus brief supporting a new hearing.

Justice Department lawyers didn't object to an expansion of the Computer Fraud and Abuse Act -- their most common weapon against accused computer intruders and virus writers - but they were deeply troubled by the court's interpretation of the SCA, which they say hobbles their ability to obtain a suspect's email.

Federal law protects email under two different standards: messages in "electronic storage" at an ISP can only be obtained by law enforcement officials only with a search warrant issued by a judge based on probable cause to believe that a crime has been committed. But messages that the recipient has read and chosen not to delete can be obtained with a simple administrative subpoena.

"Difficulties for Law Enforcement Nationwide"
Based on the Justice Department's interpretation of that law, the FBI is long accustomed to being able to obtain messages that the recipient has read by simply handing the ISP an administrative subpoena, only troubling a judge when they need access to unopened email, or, under another requirement of the law, messages older than 180 days.

But in ruling against Farey-Jones, the 9th Circuit found that the ICA messages were still in "electronic storage" at NetGate, even though the recipients had read them. It may seem a fine point, but the Justice Department worries that that interpretation places all email less than 180 days old, and stored at an ISP, into the category that requires a search warrant.

"The significance of this change for law enforcement cannot be overstated," wrote Justice Department attorney Mark Eckenwiler in the amicus brief. "Substantial quantities of evidence previously available to state and federal prosecutors are no longer available under this heightened standard."

Prosecutors in the parts of the country governed by 9th Circuit case law - eight western U.S. states and Hawaii - have already stopped issuing administrative subpoenas for email, according to the brief, filed last September, forcing them to go to a judge and show probable cause when they want a peek into a netizen's inbox.

"Moreover, because the Internet spans state and national borders, the panel's decision is likely to create difficulties for law enforcement nationwide," reads the filing, noting that some of the nation's largest email providers, including Yahoo and Hotmail, are located in the 9th circuit.

"I was grateful - it's nice to have the government on your side," says White. "It's a question of whether something is considered to be a stored communication or not, and that's really what this case is about, to a very large extent."

But despite Farey-Jones' unexpected help from Washington, last month, the appellate court rejected both Farey-Jones' bid for a new hearing, and the Justice Department's narrow argument over electronic storage.

"We acknowledge that our interpretation of the Act differs from the government's and do not lightly conclude that the government's reading is erroneous," the court wrote. "Nonetheless... we think that prior access is irrelevant to whether the messages at issue were in electronic storage." On Thursday, the court agreed to temporarily suspend the civil suit against Farey-Jones while he appeals to the US Supreme Court.

Copyright © 2004, 0

Remote control for virtualized desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.