Update: Judge orders self-described hacker's computer seized without warning

The court was worried developer Corey Thuen might erase evidence

In a rare move, a federal court in Idaho recently ordered a software developer's computer seized and its contents copied without prior notice because the developer described himself as a 'hacker' on his website.

Judge Lynn Winmill, of the U.S. District Court for the District of Idaho, issued the ruling even as he acknowledged it was "very rare" and "extraordinary." Nonetheless, he maintained it was necessary under the circumstances. "The tipping point for the Court comes from evidence that the defendants - in their own words - are hackers," Winmill wrote.

"By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act."

The ruling has potential implications for Fourth Amendment protections against unreasonable search and seizure. The case involves Battelle Energy Alliance and Southfork Security, a software startup established this year by former Battelle employee Corey Thuen.

Battelle Energy Alliance is based in Idaho Falls. It manages and operates the Idaho National Laboratory (INL) on behalf of the U.S. Department of Energy.

In 2009, Battelle was commissioned to build a monitoring tool capable of detecting and stopping anomalous behavior on INL's network. The result of that effort was a security tool dubbed Sophia. Thuen was part of the team that helped develop Sophia.

In 2012, after successful tests of the tool, Battelle decided to license Sophia out to other owners and operators of industrial control systems and Supervisory Control and Data Acquisition (SCADA) systems.

Since Battelle did not have the ability to commercialize the product on its own, it opened up a bidding process for companies interested in doing so. Thuen left Battelle and set up Southfork Security so his new company could bid for exclusive rights to the product.

Southfork submitted a proposal for licensing the product early this year but withdrew it shortly thereafter.

Battelle claims that a few months later, Southfork began marketing a tool called Visdom that was very similar to Sophia. Battelle also claimed that Southfork planned to offer Visdom as an open-source product available to all.

In a complaint, the company urged the court to issue a Temporary Restraining Order on Southfork preventing it from marketing Visdom or releasing it to the open-source community. Battelle claimed copyright infringement, trade secret theft, breach of contracts and other misdeeds by Southfork.

Battelle also asked the court to issue the restraining order without any notice, because it feared Thuen would release the software as open source if he were given notice.

In complying with that request, Winmill offered several explanations as to why Battelle's numerous claims were strong enough to merit a restraining order. However, it was the judge's reasons for issuing the order without notice to Southfork that raised questions.

The ruling, for instance, pointed to hacking-related comments on Southfork's website. "The court finds it significant that defendants are self-described hackers, who say, 'We like hacking things and we don't want to stop,'" Winmill wrote.

The court was also convinced that Southfork would wipe its hard drives clean if given the chance. "The defendants have identified themselves as hackers," Winmill wrote. "A well-known characteristic of hackers is that they cover their tracks."

The order requires a forensic expert retained by Battelle to image Thuen's hard drive and then hand the image over to the court without examining the copy or image.

"The court has struggled over the issue of allowing copying of the hard drive," Judge Winmill noted. "This is a serious invasion of privacy and certainly not a standard remedy." But by labeling themselves hackers, Southfork has essentially announced that it has the "necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act," the judge wrote.

In an email Wednesday, Thuen said that three Southfork Security hard drives were imaged in compliance with court orders. The court is holding the data, he said. No analysis of the drives is yet permitted under the court order, he said.

"Needless to say, our small startup company has many disadvantages in this case but we intend to fight vigorously because we have the most important advantage: truth," Thuen said.

Hanni Fakhoury, staff attorney with the Electronic Frontier Foundation, said the decision is based on faulty reasoning.

"We've seen a sort of 'hacker madness' permeating across the courts recently," Fakhoury said. "The court took a pretty extraordinary step by relying on stereotype and hyperbole rather than really digging into the facts."

Courts need to look beyond the word "hacker" and assess whether a defendant is likely to cause the harm that a plaintiff claims is likely, Fakhoury said.

"Plus, the real question is, what exactly is 'hacking?' And who's a white hat and a black hat?" he said. "The court seems to assume 'hacker' means black hat. That's not necessarily the case. In the end, using these sort of subjective semantics to make important legal decisions is always a risky business."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
