Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
The Vice of Vice Presidential E-Mail
Mark Rasch, 2008-10-06

Is it a crime to read someone else’s e-mail without their consent?

Seems like a simple question, but the law is not so clear. In mid-September 2008, a hacker using the handle "Rubico" claim credit for breaking into the Yahoo! e-mail account of Governor Sarah Palin, the Republican Vice Presidential candidate. In a post online, Rubico wrote that he had been following news reports that claimed Palin had been using her personal Yahoo e-mail account for official government business. (Editor's note: Reports have linked David Kernell, a 20 year old undergraduate at the University of Tennessee, with the intrusion, but Kernell has not been charged nor indicted.)

To break into Palin's account, Rubico had to figure out the personal details that the governor used as security questions. From behind a single proxy server, Rubico used a form of social engineering to change Palin’s password to "popcorn" and then posted both the technique he used and a few of the e-mails he observed. The technique was relatively simple and took less that 45 minutes, because much of Palin’s information was public.

Palin’s date of birth? February 11, 1964. Where did she meet her husband? Wasilla High.

Using the answers, Rubico was able to reset the password, access and read -- and post -- the e-mails. So, is this a crime, if so, what crime and what could, or should, the punishment be?

Some on the left have focused on the fact that Palin may have been misusing her personal e-mail account, that the information on the account should therefore have been public, and therefore what Rubico allegedly did was nothing more than make this information available. They also argue that he didn’t break into her computer or server -- he just “guessed” her password -- perhaps the equivalent of guessing that a homeowner hid their extra key in the flower pot and using it to enter.

Those on the right have likened him to a war criminal.

The truth is in the middle. What Rubico allegedly did was not only unethical and improper, but illegal. However, in the vast scheme of things, his offense was a relatively minor crime -- albeit directed at a major figure. To understand whether or not he committed a crime -- and if so, which one -- you have to understand the discrete elements of what he did.

Rubico allegedly:

  1. broke into -- or obtained unauthorized access -- to Palin’s e-mail account on a computer;
  2. read the email stored on that computer; and
  3. posted some of these e-mails to the web.

What crime is it anyway?

One possible avenue of prosecution is what is called the Stored Communications Act, Title 18 USC 2701, which makes it a crime to exceed authorization to access an e-mail service and obtain communications in “electronic storage.” Under the statute, "electronic storage" is defined as:

any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage of such communication by an electronic communication service for purposes of backup protection of such communication

Was Sarah Palin’s e-mail in "intermediate storage incidental to its transmission" if she had already received and read it? If not, was it in "storage for the purpose of backup protection"? The Legal Eight Ball says, "Situation murky, ask again later."

In a case called Theoffel v. Farey-Jones, the court addressed whether emails improperly subpoenaed from an Internet service provider were obtained in violation of the statute. They noted that the emails had already been read, and therefore were not in "transmission" but that the were at least in storage under the law noting:

An obvious purpose for storing a message on an ISP's server after delivery is to provide a second copy of the message in the event that the user needs to download it again -- if, for example, the message is accidentally erased from the user's own computer. The ISP copy of the message functions as a "backup" for the user. Notably, nothing in the Act requires that the backup protection be for the benefit of the ISP rather than the user. Storage under these circumstances thus literally falls within the statutory definition.

Seems pretty straightforward.

If Palin’s emails are being stored by Yahoo for "backup" purposes -- either by Palin or Yahoo -- then the law applies, right? Yet, the Department of Justice doesn’t agree -- or at least they haven't agree in the past. In the DOJ prosecution manual, A. 4 indicates that:

The government feels that the term "backup" means backup that is incidental to delivery to the recipient. Under the government’s interpretation, if the recipient chooses to retain a copy of the communication on the service provider's system, the retained copy is no longer in "electronic storage" because it is no longer in "temporary, intermediate storage ... incidental to ... electronic transmission," and neither is it a backup of such a communication. Instead, it is treated like any other material stored by a user under provisions governing remote computing services.

Think of physical mail. When it is in an envelope en route to you, it can be called "mail" and is protected under laws that prevent the interception of mail. When an opened letter or package is on your desk or the kitchen table, it is no longer "mail" but rather is just a piece of paper, like any other document in the house.

Story continued on Page 2 



Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:
The Vice of Vice Presidential E-Mail 2008-10-07
Anonymous (2 replies)
Re: The Vice of Vice Presidential E-Mail 2008-10-10
Drafterman (1 replies)
The Vice of Vice Presidential E-Mail 2008-11-18
SpellingNazi


 

Privacy Statement
Copyright 2010, SecurityFocus