Hacking-by-subpoena ruled illegal
By Kevin Poulsen, SecurityFocus
Aug 29 2003 7:59PM
Issuing an egregiously overbroad subpoena for stored e-mail qualifies as a computer intrusion in violation of anti-hacking laws, a federal appeals court ruled Thursday, deciding a case in which a litigant in a civil matter subpoenaed every single piece of e-mail his courtroom adversary sent or received.
Alwyn Farey-Jones was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his attorney, Iryna Kwasny, to send a subpoena to the company's Internet service provider -- California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.
"One might have thought, then, that the subpoena would request only e-mail related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation," reads the decision by the Ninth Circuit Court of Appeals. "But Kwasny ordered production of '[a]ll copies of emails sent or received by anyone' at ICA, with no limitation as to time or scope."
By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 e-mails from ICA officers and employees -- most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, they quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena "massively overbroad" and "patently unlawful," and hit Farey-Jones with over $9,000 in sanctions.
The ICA officers and employees whose e-mail was accessed went on to sue Farey-Jones and his attorney under the civil provisions of three federal privacy and computer protection laws, but a federal judge threw out the lawsuit. On Thursday, the Ninth Circuit partially reversed that ruling, finding that the subpoena didn't violate federal wiretap law, but could constitute a violation of the Stored Communications Act and the Computer Fraud and Abuse Act -- both of which outlaw unauthorized access to computers and stored e-mail.
The three-judge panel rejected a defense argument that the e-mail access was "authorized" by NetGate's failure to challenge the subpoena. "Allowing consent procured by known mistake to serve as a defense would seriously impair the statute's operation," the court wrote. "A hacker could use someone else's password to break into a mail server and then claim the server 'authorized' his access. Congress surely did not intend to exempt such intrusions -- indeed, they seem the paradigm of what it sought to prohibit."
Although the ruling addressed a civil suite, the Computer Fraud and Abuse Act includes criminal penalties, and is the most common weapon for prosecutors in federal computer crime cases. That means civil attorneys issuing overbroad subpoenas -- not an uncommon event -- now risk lawsuits, and even potential criminal prosecution as computer intruders.
The ruling got a mixed reaction from Internet law experts.
"To equate an overbroad subpoena to breaking in is outrageous," says Mark Rasch, an attorney and former Justice Department cybercrime prosecutor. "The real crime here is the ISP getting the subpoena didn't contact the customer immediately and say, 'what do you want to do?' Every subpoena is overbroad. It's the responsibility of the party receiving the subpoena to try and narrow it."
A NetGate spokesperson said no one was available to comment on the case late Friday.
Stanford University cyberlaw expert Jennifer Granick says the ruling is good for online privacy, but that it spotlights serious problems in the federal computer crime law. "I like privacy, but I'm more concerned about the breadth of the criminal law," says Granick. "The language 'unauthorized access' is really vague. Here the defendant never even touched a computer, except to perhaps print out the subpoena."
Cindy Cohn, legal director at the San Francisco-based Electronic Frontier Foundation, says she's bothered by one aspect of the ruling: the court found that you don't have to own or operate a computer that's been improperly accessed in order to sue under the Computer Fraud and Abuse Act -- you need only have been harmed by the intrusion. "I think it could be troubling for people who are poking around on the Internet and stumble into something," says Cohn. "This widens the community of people who can complain they've been hurt by what you did."
But Cohn is pleased by the court's crackdown on subpoena-aided fishing expeditions, and says EFF plans to cite the case in arguments against the Recording Industry Association of America, which has begun subpoenaing ISPs to identify file traders. "It's going to be pretty useful to us," says Cohn. "It buttresses the idea that you have a serious level of responsibility in issuing these legal instruments."