"Sure, you can have a cookie, but you may not."

We all have had that discussion before -- either with our parents or our kids. A recent case from North Dakota reveals that the difference between those two concepts may lead not only to civil liability, but could land you in jail.

Spam King?

Since the "old" days of the Internet -- you know, the days of USENET postings and the like, there have been allegations that Jerry Reynolds and his company Sierra Corporate Design were responsible for distributing volumes of spam -- much of it pornographic. Anti spam activists, including Edward Faulk and David Ritz have been seeking information about Reynolds and Sierra in an effort to demonstrate that the company is responsible for this porn spam. Reynolds and Sierra responded not only with denials, but in the time-honored American tradition, by going to the courts. Lawyers were consulted, lawsuits filed, discovery taken, lawsuits dismissed, injunctions granted, etc. You know, the typical legal drill.

In one of these back and forth lawsuits, Reynolds and Sierra sued the anti-spam activists Faulk and Ritz in Reynolds home state of North Dakota, alleging among other things that Ritz "hacked" into Sierra’s computers and "stole" nonpublic information which he then allegedly gave to Faulk for publication. The suit against Faulk, who lives in California, was dismissed for jurisdictional reasons, but the suit against Ritz for "hacking" proceeded.

On January 11, 2008, a Fargo, North Dakota court ruled for Sierra and against Ritz, and ordered Ritz to pay Sierra $60,000 in actual damages, punitive damages, and to pay Sierra’s lawyer’s fees. Nothing unusual there. The problem is that the "hack" that Ritz is alleged to have committed against Sierra and Reynolds was nothing more than using simple UNIX and SMTP commands to look up domain addresses -- commands like host -l and vrfy. Can such simple things on a system configured to allow a zone transfer support not only result in civil damages but also a potential criminal conviction? How far can you go in probing and profiling a system before you are in danger of going to jail?

Findings of Fact -- Conclusions of Law

In the course of the lawsuit, the District Court Judge in Cass County North Dakota held hearings and came to certain "factual" conclusions. As with most factual conclusions issued by a court, what likely happened was that each party submitted a statement of what it thought the facts were, and the judge picked and chose from among those facts whatever the judge felt was correct. In some cases, the judge simply adopts one party’s "statement of facts." That’s just the system.