Root Kit. Password Sniffer. Subpoena?

Hackers have just had a new tool added to their arsenal of ways to get unauthorized access to a computer: the overbroad subpoena.

The story starts with Alwyn Farey-Jones, who was embroiled in a commercial lawsuit with a company called Integrated Capital Associates (ICA). In the course of that suit he told his lawyer to subpoena ICA’s internet service provider, NetGate, for ICA’s email. All of it.

What NetGate should have done is pass the subpoena by a lawyer, or at the very least talk to ICA first. But apparently they were cowed by the legal saber-rattling and eventually put up a “free sample” of 339 messages from ICA on their website for Farey-Jones and his lawyer to download. Most were unrelated to the litigation, and many were privileged or personal. Farey-Jones and his lawyer read them without notifying opposing counsel. After ICA’s lawyers found out what had happened, the court issued a major tongue-lashing, quashed the subpoena and fined Farey-Jones over $9000 to cover ICA’s legal fees. The court found “the subpoena, on its face, was massively overbroad” and “patently unlawful,” that it “transparently and egregiously” violated the Federal Rules, and that defendants “acted in bad faith” and showed “at least gross negligence in the crafting of the subpoena.” Subpoenas can be issued without a judge’s approval, but under the Federal Rules lawyers must “take reasonable steps to avoid imposing undue burden or expense.”

This is where things get interesting. ICA’s lawyers and ICA employees whose e-mail was made available sued Farey-Jones and his lawyer for violating the Stored Communications Act and the Computer Fraud and Abuse Act, among others. These acts are usually applied to hackers who crack into a computer. In particular, the Stored Communications Act provides a cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided… and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.” The Computer Fraud and Abuse Act reads similarly with regard to accessing “information from any protected computer.” The district court threw the case out, but on appeal the 9th Circuit ruled that these laws can, in fact, apply to overly broad subpoenas. The case now goes back for trial.

From my non-lawyer’s perspective, the court’s logic makes sense. Farey-Jones and his lawyer used deception (in this case, a subpoena they knew to be illegally broad) to gain access to information from a computer. This sounds a lot like the so-called “social engineering” used by Kevin Mitnick to gain network access and sensitive information. As Mitnick said in a recent interview, “social engineering… is basically using manipulation or deception to influence a person to comply with a request — to release sensitive information or perform an action that creates a security hole, such as typing in commands, installing software or turning on a modem.” Or in this case, to get an ISP to post email archives on their website where they can be downloaded.

SecurityFocus reports that legal reactions to the ruling are mixed. On the one hand, experts were concerned that it expands the scope of computer crime to include people who never themselves access a computer, and allows people who don’t even own the computer in question to bring suit. On the other hand, experts said the ruling is good for online privacy and cracks down on subpoena-aided fishing expeditions. Cindy Cohn, legal director at the Electronic Frontier Foundation, said the EFF plans to cite the case in arguments against the Recording Industry Association of America, which has been subpoenaing ISPs to identify file traders. “It’s going to be pretty useful to us,” Cohn told SecurityFocus. “It buttresses the idea that you have a serious level of responsibility in issuing these legal instruments.”