The U.S. Department of Justice's current position on a law governing electronic storage raises questions about how it might prosecute the hacker who accessed Republican vice presidential nominee Sarah Palin's Yahoo e-mail account, according to the Electronic Frontier Foundation (EFF).
That conclusion by the digital rights advocacy group is based on the DOJ's disagreement with a decision issued in 2003 by the U.S. Ninth Circuit Court of Appeals in a little-known e-mail privacy case, the EFF said in a blog post on its Web site last Thursday, after news of the e-mail hack broke.
The response to the court decision by the DOJ suggests that the agency's interpretation of some of the language in the federal Stored Communications Act (SCA) would be favorable to whoever was responsible for compromising Palin's e-mail account, the EFF claimed.
"We are pointing out the irony that the DOJ would take a position that would actually make it harder to prosecute somebody for accessing stored e-mail" without authorization, said Kurt Opsahl, a senior staff attorney at the EFF who wrote the blog post.
The decision in question stemmed from a dispute involving an individual named Alwyn Farey-Jones and a company called Integrated Capital Associates Inc. (ICA). As part of the litigation, Farey-Jones' attorney served a subpoena on ICA's Internet service provider asking for copies of certain e-mails that were sent and received by workers at the San Francisco-based investment firm. In response to the subpoena, Farey-Jones and his attorney received and read more than 300 e-mails, many of which were personal and unrelated to the case.
When ICA protested, a magistrate judge hearing the case quashed the subpoena, ruling that it was overly broad and unlawful. In addition, Farey-Jones was hit with a separate lawsuit by people whose e-mails he had obtained from the Internet service provider. That lawsuit, known as Theofel v. Farey-Jones, charged him with offenses that included violating the provisions of the SCA, which prohibits unauthorized access to any type of electronic communication that is being stored before being read or kept for backup purposes after the recipient has read it.
A U.S. District Court judge dismissed the claims against Farey-Jones, but the Ninth Circuit appeals court found that he had indeed violated the SCA by not obtaining permission from the owners of the e-mail accounts before accessing the stored messages. The court ruled that e-mails are in electronic storage regardless of whether they have been previously opened by recipients. According to the decision, a read e-mail that is stored on a Internet service provider's systems in case it is needed again constitutes a backup copy covered by the SCA.
Opsahl said in an interview this week that there are two forms of electronic storage of e-mail: temporary storage of unopened messages and backups. "The court felt that if you had read the e-mail, it had come to a rest, but it was still within electronic storage because it was being used for backup purposes," he said.
The DOJ's view, on the other hand, is that the copy of an e-mail stored by a service provider after it has been read by the recipient is no longer in electronic storage as defined by the SCA, according to Opsahl. He pointed to the DOJ's Prosecuting Computer Crimes Manual, which details the agency's stance on the issue.
In expressing its disagreement with the ruling in Theofel v. Farey-Jones, the DOJ argues in the manual that "little reason exists for treating old e-mail differently than other material a user may choose to store on a network." The manual urges prosecutors who are considering bringing charges under the SCA to first contact the DOJ's Computer Crime and Intellectual Property Section, or CCIPS.
"CCIPS continues to question whether Theofel was correctly decided," the manual states, while acknowledging that the decision in the case would make it "substantially less difficult" to prosecute incidents of unauthorized access to e-mail. Furthermore, the manual points to another case decided by the Third Circuit Court of Appeals, which held that an opened e-mail retained by the recipient on an Internet service provider's server wasn't covered under the SCA but under other laws relating to remote access.
Under the DOJ's interpretation of the SCA, any e-mails that Palin had opened but then left on Yahoo Inc.'s mail servers wouldn't be protected by the law, Opsahl said. In a strict sense, that would mean anyone who accessed the e-mails couldn't be prosecuted under the SCA, he added, contending that the DOJ's stance probably stems from its desire to be able to access stored e-mails more easily during criminal investigations.
The interpretation issue is important, Opsahl said, because it's quite likely that any legal case related to the Palin hacking incident would fall within the purview of the Ninth Circuit Court, since Yahoo is based in California and Palin is the governor of Alaska. In his blog post, he lauded the decision in the Theofel case as a boost to online privacy.
"What happened to Gov. Palin shows why Theofel is good for privacy," Opsahl wrote. "As more and more people use Web mail like Yahoo, Gmail, Hotmail and others, they also will naturally leave opened e-mail on the server. People should not have to sacrifice their privacy protections under the law when they do so."
Palin's e-mail account was illegally accessed last week, allegedly by someone identified only as "Rubico" who managed to reset the password to her Yahoo Mail account. The incident received widespread publicity, and copies of the accessed e-mails were posted on various Web sites.
Mike Kernell, a Tennessee state representative, confirmed last Thursday that his 20-year-old son David was being named in blogs and online message boards as being connected to the Rubico name, according to a story published by The Tennessean. On Sunday, the FBI served a search warrant at the Knoxville, Tenn., apartment of a local college student, who was identified as David Kernell by a Knoxville TV station.
And yesterday, the webmaster of a company that provides proxy services said he had traced the IP address of the individual who accessed Palin's e-mail account to an Illinois company that provides Internet service to the apartment complex where the FBI served the search warrant.
Today, a federal grand jury in Chattanooga, Tenn., reportedly began hearing testimony in the hacking case, while a lawyer who is representing David Kernell issued a statement describing him as "a decent and intelligent young man." The Kernell family "wants to do the right thing, and they want what is best for their son," the lawyer said.
Charlene Brownlee, an attorney at Davis Wright Tremaine LLP in Seattle, said that the DOJ's position on e-mail storage is puzzling, given that the Ninth Circut appeals court in June essentially reaffirmed the Theofel ruling in another e-mail privacy case.
That case, called Quon v. Arch Wireless, again involved the release of e-mails by an Internet service provider to a third party without the consent of the recipient. The court held that Jeff Quon, a member of the SWAT team of Ontario, Calif., had a reasonable expectation of privacy when sending and receiving messages using an official pager. That expectation was violated when the city sought and obtained text messages sent and received by Quon from the service provider, the court ruled.
The Quon case goes even further than Theofel did in making it clear that electronic communications stored by Internet service providers after they have been received by recipients are protected under the SCA, according to Brownlee. Given such precedents, the DOJ's continuing stance on what constitutes stored e-mail is "disappointing," she said.