Feeds

Feds: email subpoena ruling hurts law enforcement

Significance 'cannot be overstated'

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

A federal appeals court has declined to reverse last year's decision that the issuance of an egregiously overbroad subpoena for email can qualify as a computer intrusion in violation of anti-hacking laws. This is despite an argument by the Justice Department that a side-effect of the ruling has already made it harder for law enforcement officials to obtain Americans' private email.

The defendant in the case, Alwyn Farey-Jones, was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his then-attorney, Iryna Kwasny, to send a subpoena to the company's Internet service provider - California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.

"One might have thought, then, that the subpoena would request only email related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation," reads last August's decision by the 9th Circuit Court of Appeals. Instead, the subpoena demanded every single piece of email ICA's officers and employees had ever sent or received.

By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 emails from ICA - most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, it quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena "massively overbroad" and "patently unlawful," and hit Farey-Jones with over $9,000 in sanctions.

Criminal Penalties

The ICA officers and employees whose email was accessed went on to sue Farey-Jones and his attorney under the civil provisions of three federal privacy and computer protection laws, but a federal judge threw out the lawsuit. The 9th Circuit partially reversed that ruling last August, finding that the subpoena didn't violate federal wiretap law, but could constitute a violation of the Computer Fraud and Abuse Act and the Stored Communications Act (SCA), which outlaw unauthorized access to computers and stored email respectively.

Although the ruling addressed a civil suit, both laws include criminal penalties. That means civil attorneys issuing overbroad subpoenas - not an uncommon event - now risk lawsuits, and even potential criminal prosecution as computer intruders, under the decision.

"In my view, the 9th Circuit decision... potentially criminalizes a broad swath of conduct," says San Francisco attorney Robert White, who represented Farey-Jones in the appeal. Electronic civil libertarians were split over the decision, seeing it as good for privacy, but a tempting tool for abuse by zealous prosecutors or litigious companies.

But when White filed a motion for rehearing at the 9th Circuit, he found himself with an unlikely ally in the case: the US Justice Department, which filed an amicus brief supporting a new hearing.

Justice Department lawyers didn't object to an expansion of the Computer Fraud and Abuse Act -- their most common weapon against accused computer intruders and virus writers - but they were deeply troubled by the court's interpretation of the SCA, which they say hobbles their ability to obtain a suspect's email.

Federal law protects email under two different standards: messages in "electronic storage" at an ISP can only be obtained by law enforcement officials only with a search warrant issued by a judge based on probable cause to believe that a crime has been committed. But messages that the recipient has read and chosen not to delete can be obtained with a simple administrative subpoena.

"Difficulties for Law Enforcement Nationwide"
Based on the Justice Department's interpretation of that law, the FBI is long accustomed to being able to obtain messages that the recipient has read by simply handing the ISP an administrative subpoena, only troubling a judge when they need access to unopened email, or, under another requirement of the law, messages older than 180 days.

But in ruling against Farey-Jones, the 9th Circuit found that the ICA messages were still in "electronic storage" at NetGate, even though the recipients had read them. It may seem a fine point, but the Justice Department worries that that interpretation places all email less than 180 days old, and stored at an ISP, into the category that requires a search warrant.

"The significance of this change for law enforcement cannot be overstated," wrote Justice Department attorney Mark Eckenwiler in the amicus brief. "Substantial quantities of evidence previously available to state and federal prosecutors are no longer available under this heightened standard."

Prosecutors in the parts of the country governed by 9th Circuit case law - eight western U.S. states and Hawaii - have already stopped issuing administrative subpoenas for email, according to the brief, filed last September, forcing them to go to a judge and show probable cause when they want a peek into a netizen's inbox.

"Moreover, because the Internet spans state and national borders, the panel's decision is likely to create difficulties for law enforcement nationwide," reads the filing, noting that some of the nation's largest email providers, including Yahoo and Hotmail, are located in the 9th circuit.

"I was grateful - it's nice to have the government on your side," says White. "It's a question of whether something is considered to be a stored communication or not, and that's really what this case is about, to a very large extent."

But despite Farey-Jones' unexpected help from Washington, last month, the appellate court rejected both Farey-Jones' bid for a new hearing, and the Justice Department's narrow argument over electronic storage.

"We acknowledge that our interpretation of the Act differs from the government's and do not lightly conclude that the government's reading is erroneous," the court wrote. "Nonetheless... we think that prior access is irrelevant to whether the messages at issue were in electronic storage." On Thursday, the court agreed to temporarily suspend the civil suit against Farey-Jones while he appeals to the US Supreme Court.

Copyright © 2004, 0

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.