Seems like a simple question, but the law is not so clear. In mid-September 2008, a hacker using the handle "Rubico" claim credit for breaking into the Yahoo! e-mail account of Governor Sarah Palin, the Republican Vice Presidential candidate. In a post online, Rubico wrote that he had been following news reports that claimed Palin had been using her personal Yahoo e-mail account for official government business. (Editor's note: Reports have linked David Kernell, a 20 year old undergraduate at the University of Tennessee, with the intrusion, but Kernell has not been charged nor indicted.)

To break into Palin's account, Rubico had to figure out the personal details that the governor used as security questions. From behind a single proxy server, Rubico used a form of social engineering to change Palin’s password to "popcorn" and then posted both the technique he used and a few of the e-mails he observed. The technique was relatively simple and took less that 45 minutes, because much of Palin’s information was public.

Palin’s date of birth? February 11, 1964. Where did she meet her husband? Wasilla High.

Using the answers, Rubico was able to reset the password, access and read -- and post -- the e-mails. So, is this a crime, if so, what crime and what could, or should, the punishment be?

Some on the left have focused on the fact that Palin may have been misusing her personal e-mail account, that the information on the account should therefore have been public, and therefore what Rubico allegedly did was nothing more than make this information available. They also argue that he didn’t break into her computer or server -- he just “guessed” her password -- perhaps the equivalent of guessing that a homeowner hid their extra key in the flower pot and using it to enter.

Those on the right have likened him to a war criminal.

The truth is in the middle. What Rubico allegedly did was not only unethical and improper, but illegal. However, in the vast scheme of things, his offense was a relatively minor crime -- albeit directed at a major figure. To understand whether or not he committed a crime -- and if so, which one -- you have to understand the discrete elements of what he did.

Rubico allegedly:

1. broke into -- or obtained unauthorized access -- to Palin’s e-mail account on a computer;
2. read the email stored on that computer; and
3. posted some of these e-mails to the web.

What crime is it anyway?

One possible avenue of prosecution is what is called the Stored Communications Act, Title 18 USC 2701, which makes it a crime to exceed authorization to access an e-mail service and obtain communications in “electronic storage.” Under the statute, "electronic storage" is defined as:

any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage of such communication by an electronic communication service for purposes of backup protection of such communication

Was Sarah Palin’s e-mail in "intermediate storage incidental to its transmission" if she had already received and read it? If not, was it in "storage for the purpose of backup protection"? The Legal Eight Ball says, "Situation murky, ask again later."

In a case called Theoffel v. Farey-Jones, the court addressed whether emails improperly subpoenaed from an Internet service provider were obtained in violation of the statute. They noted that the emails had already been read, and therefore were not in "transmission" but that the were at least in storage under the law noting:

An obvious purpose for storing a message on an ISP's server after delivery is to provide a second copy of the message in the event that the user needs to download it again -- if, for example, the message is accidentally erased from the user's own computer. The ISP copy of the message functions as a "backup" for the user. Notably, nothing in the Act requires that the backup protection be for the benefit of the ISP rather than the user. Storage under these circumstances thus literally falls within the statutory definition.

Seems pretty straightforward.

If Palin’s emails are being stored by Yahoo for "backup" purposes -- either by Palin or Yahoo -- then the law applies, right? Yet, the Department of Justice doesn’t agree -- or at least they haven't agree in the past. In the DOJ prosecution manual, A. 4 indicates that:

The government feels that the term "backup" means backup that is incidental to delivery to the recipient. Under the government’s interpretation, if the recipient chooses to retain a copy of the communication on the service provider's system, the retained copy is no longer in "electronic storage" because it is no longer in "temporary, intermediate storage ... incidental to ... electronic transmission," and neither is it a backup of such a communication. Instead, it is treated like any other material stored by a user under provisions governing remote computing services.

Think of physical mail. When it is in an envelope en route to you, it can be called "mail" and is protected under laws that prevent the interception of mail. When an opened letter or package is on your desk or the kitchen table, it is no longer "mail" but rather is just a piece of paper, like any other document in the house.

This is important because the law requires a higher degree of warrant -- probable cause -- to "seize" an email "in transmission" than it does to subpoena a document that is stored, which is why the government takes the position that read but stored email is like any other stored document. While the DOJ manual is not binding of the government, having taken this position in the past, they would be hard pressed to argue that Rubico’s "reading" of Palin’s already read mail violated at least their interpretation of the Stored Communications Act.

Trespass of more?

A second possibility is to use the old standby, the Computer Fraud and Abuse Act. At its most basic, this makes it a crime to "intentionally access a computer without authorization" or in excess of authorization and to "obtain information" from a computer. This is the electronic equivalent of a trespass statute: a mere break-in.

There is little doubt that Rubico accessed Palin’s Yahoo account, that this account is on a "computer" and that he didn’t have authorization to do so. While he may argue that Palin’s alleged placing of Alaska government communications on her personal account would give him or others the right to read the emails, ultimately, this does not give him the right to break in, any more than O.J. Simpson had the right to allegedly break into someone’s hotel room to retrieve what he believed was his sports memorabilia.

As the Theoffel court noted:

A hacker could use someone else's password to break into a mail server and then claim the server "authorized" his access. Congress surely did not intend to exempt such intrusions—indeed, they seem the paradigm of what it sought to prohibit, cf. United States v. Morris, 928 F.2d at 510 (access gained by guessing someone else's password is not "authorization" under the Computer Fraud and Abuse Act).

So it seems that Rubico is on the hook for at least breaking into Palin’s email account -- assuming that the government can collect admissible evidence linking him to the access -- a likely assumption in light of both his online admissions and the evidence they have already collected.

However, a mere break in is a misdemeanor. As noted with respect to the Lori Drew-MySpace case, this trespass statute can be a felony if committed for commercial advantage, or if the "value of the information taken" exceeds $5,000 or if the crime is committed "in furtherance of any . . . tortious act in violation of the . . . laws of the United States or of any State."

Let’s concede that Rubico had no commercial advantage, and that the emails did not have any true economic value. In order for the government to charge him with a felony, they would have to argue that he was committing some other crime or tort -- in this case that he read the email to further the tort of invading Palin’s privacy.

So what tort? Breaking in is a tort itself. But breaking in just to break in? Sounds circular.

Invasion of privacy is a tort, and misappropriation of an identity is a tort. Was Palin’s Yahoo password her identity? Was the posting of her e-mails an unreasonable intrusion into her private life?

As I have noted previously, by broadly defining such torts -- breaking in to get information for the purpose of committing the tort of breaking in to obtain information -- you have essentially circular logic. Rubico broke in to read and publish Palin’s email, which might constitute the tort of invasion of privacy.

To make matters more confusing, there is the unanswered question of the tort under which state’s law: California where Yahoo is located (like in the MySpace case); Tennessee where Rubico is located; or Alaska where Palin is located. A federal grand jury was convened in Tennessee, so we can presume they may apply Tennessee law, but they are not required to do so.

In addition, the tort of "invasion of privacy" is not well defined. It includes things like unreasonable intrusion upon the seclusion of another, appropriation of the other's name or likeness, malicious, false or unreasonable publicity given to other person's private life, or publicity of an unreasonably nature that places the other person in a false light before the public. In this case, the contents of the emails posted were not particularly intimate or personal and there was not an “unreasonable” publicity given to Palin’s private life.

Distinguish this from the case of Philadelphia television news anchor Larry Mendte, who was charged in July with repeatedly breaking in to the email accounts of his female co-anchor to read salacious details of various civil and criminal cases involving the co-anchor and to read attorney client privileged information.

In another case in San Jose, the government indicted Roman Meydbray, a software executive, for breaking into the email accounts of the president of a competitor "which had not yet been read by the President" and of doing so in order to further the tort of breaking into and damaging the computer.

So as a general rule, just breaking into a computer and reading e-mail is considered a misdemeanor, but the government has the option of making it a felony if it wants to.

With everything at stake, the government will have a hard time resisting the more severe punishment.