Slashdot Mirror


Hacking By Subpoena

solidox writes "SecurityFocus has an article on how Alwyn Farey-Jones instructed his lawyer to issue a subpoena against ICA to get all their emails. ICA's ISP, NetGate, complied and gave them over 300 emails from ICA employees. When ICA found out about this they sued and the court ruled that this was a violation of the Computer Fraud and Abuse Act. This could be good news for those trying to fight off the RIAA subpoenas to ISPs to catch file-sharers."

30 comments

  1. Damn! by laptop006 · · Score: 2, Funny

    Can't sue Microsoft for the Windows source code now!

    --
    /* FUCK - The F-word is here so that you can grep for it */
  2. 300 emails? by aderusha · · Score: 3, Interesting

    the entire company only had 300 emails collectively? i've got more than that in my deleted items folder on any 1 given day...

    1. Re:300 emails? by Anonymous Coward · · Score: 0

      Where did it say the word "ever", "all", or "every"?

    2. Re:300 emails? by Anonymous Coward · · Score: 0

      "SecurityFocus has an article on how Alwyn Farey-Jones instructed his lawyer to issue a subpoena against ICA to get all their emails."

      Err, there. You Sir, are a dick.

    3. Re:300 emails? by Basje · · Score: 1

      spam doesn't count

      --
      the pun is mightier than the sword
    4. Re:300 emails? by bluGill · · Score: 3, Interesting

      If I understood the article correctly, the 300 or so obtained was a sample. Presumably the ISP was working on getting them the rest when the court stepped in. No mention of how many total emails could have been obtained.

      No details are given on how they were selected, so I don't know if they are emails between 1:00pm and 1:10pm, or all emails for an entire month. Or just a random sample from the backup tapes.

    5. Re:300 emails? by Anonymous Coward · · Score: 0

      They ASKED for all the e-mails. It never says they GOT all the e-mails. So, when someone asks where it says they GOT all the e-mails, the answer is "it doesn't say that, it only says they GOT 300 of them".

      Err, where ? You, sir, are a moron.

  3. The oldest form of hacking by Dachannien · · Score: 4, Informative

    From the article:

    "To equate an overbroad subpoena to breaking in is outrageous," says Mark Rasch, an attorney and former Justice Department cybercrime prosecutor. "The real crime here is the ISP getting the subpoena didn't contact the customer immediately and say, 'what do you want to do?' Every subpoena is overbroad. It's the responsibility of the party receiving the subpoena to try and narrow it."

    This comment ignores the fact that the oldest form of hacking is social engineering. Doing something to sound official, or to appear to have clout that you don't have, in order to get what you want (generally, to get something you're not supposed to have) is definitely a form of hacking, used in some cases for nefarious purposes. The case mentioned in the article definitely has nefarious outcomes, and so, this sort of social engineering should definitely be prohibited.

    1. Re:The oldest form of hacking by MrWa · · Score: 4, Insightful
      "This comment ignores the fact that the oldest form of hacking is social engineering. Doing something to sound official, or to appear to have clout that you don't have, in order to get what you want (generally, to get something you're not supposed to have) is definitely a form of hacking, used in some cases for nefarious purposes. The case mentioned in the article definitely has nefarious outcomes, and so, this sort of social engineering should definitely be prohibited."

      This comment ignores the fact that the first comment was about breaking in and not about hacking. To equate breaking in with hacking only serves to further the illusion that all hacking is, by its very nature, something that is at best in the grey area of the law. This is, of course, absurd.

      The aforementioned comment goes even further to suggest that social engineering - and overly broad subpoenas by connection - are something that should be regulated because this particular case had "nefarious outcomes." Not a good idea - more regulation is not the answer, thank you very much.

      A better, and more reasoned approach, would be to not give business to an ISP that doesn't care about the privacy of its customers enough to ask what that company would want to do. Maybe, if an ISP were sued for providing the emails in the first place - industrial espionage? - we could focus on the misapplication of a subpoena. This is, though, something that is not new and unique to cyberspace. The application of anti-hacking laws to something that is, in essence, a purely "real-world" problem creates a scary precedent considering the inept laws regarding computers and the Internet that have been created in the past few years.

      BTW: does an ISP actually own the traffic going over its network and, if so, are they not culpable for stolen MP3s? If not, how can the ISP be asked to provide something that does not belong to them (emails in this case...)

  4. Subpoenas by Goo.cc · · Score: 1, Insightful

    From what I read of the article, it sounds like anyone can issue a subpoena without going to court first. Am I understanding this correctly? If so, it seems silly that anyone can subpoena e-mail just on their word.

    1. Re:Subpoenas by Anonymous Coward · · Score: 1, Insightful

      Never underestimate the power of human stupidity. Sure you need to go to court, but not if the other guy is too stupid to check, since that was the point of this story.

    2. Re:Subpoenas by red+floyd · · Score: 1

      Welcome to the Wonderful World of the DMCA.

      --
      The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
    3. Re:Subpoenas by homer_ca · · Score: 1

      Article quote here:

      Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to "take reasonable steps to avoid imposing undue burden or expense" on the recipient.

      "A litigant" implies that there is ongoing litigation, and it's normal in the discovery phase for each side to request each other's emails and internal documents that are relevant to the case.

      A DMCA subpoena for copyright doesn't require an ongoing trial and it doesn't require a judge's approval. The court clerk takes care of that. However they can't subpoena your emails that way. The main purpose is to force your ISP to identify you by your IP address.

  5. somewhat misleading by danoatvulaw · · Score: 5, Informative

    "When ICA found out about this they sued and the court ruled that this was a violation of the Computer Fraud and Abuse Act."

    Well, not quite. The 9th Cir. reversed the trial court's dismissal of certain claims made by the plaintiffs. They did not hold that this conduct of serving overbroad, deceptive and illegal subpoenas per se violates the CFAA. Essentially, what the court did say was that there were enough questions of law and fact to go to trial on the issue. The opinion is on the 9th Circuit's website.

    And to answer the poster below, there are certain times when parties to a litigation can issue subpoenas (under the FRCP), and some statutes authorize subpoena power without requiring the person to whom you are going to serve to be a party (ex. DMCA). But no, not just anyone can issue a subpoena, even though today it may look like it!

  6. Isn't one required to respond to a subpoena? by BitterOak · · Score: 3, Interesting
    I am not a lawyer, so I'm asking. Aren't you immune from lawsuits if your actions are required by a court order? It sounds to me like you're damned if you do and damned if you don't. If a judge orders you to do something, and another judge orders you to pay up for doing just that thing, it seems impossible to comply with the law. Doesn't the constitution have something to say about that? Otherwise, when a judge gives an order, what's to stop a defendant from saying "I'd like to comply with your order judge, but I'm afraid I might get sued!"

    Any lawyers care to comment?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:Isn't one required to respond to a subpoena? by Anonymous Coward · · Score: 0

      I'll need a $1,000 retainer from you first before I can comment.

    2. Re:Isn't one required to respond to a subpoena? by Compulawyer · · Score: 1
      Yes you are required to respond. No, you aren't necessarily required to COMPLY with it.

      Simply put, you can't ignore a subpoena and hope it goes away. But you can respond with a Motion to Quash, asking the judge in the case to wipe out the subpoena or at least modify what you have to do to comply with it.

      By the way, most subpoenas come from lawyers in the case, not directly from judges. Lawyers are given subpoena power to gather evidence to make their cases for their clients, but as officers of the court, that power is regulated and controlled by the Court.

      --

      Laws affecting technology will always be bad until enough techies become lawyers.

  7. According to the article... by Fryed · · Score: 3, Interesting

    Actually, from my reading of the article, it appears that the ISP is not being sued in this case, merely the person who issued the subpoenas. First off, a judge never ordered the ISP to hand over the emails. Apparently, in certain situations, individuals can issue subpoenas without asking the judge, and that appears to be what happened in this case. When the ISP received that subpoena, they were required by law to provide the emails, and did so. When the company whose emails were subpoenaed found out, that's when someone was sued...but it wasn't the ISP who was sued, but the person who issued the subpoenas in the first place.

    (Of course, I'm not a lawyer either, so it's entirely possible that my reading of the article is completely wrong. I'm sure someone will post to enlighten me if that is the case)

  8. Was former Netgate customer by Krellan · · Score: 2, Interesting

    There's a reason I'm not a Netgate customer anymore.

    They were a fine ISP when I used them several years ago, having good dialin numbers (these were the days before easy broadband access) and reasonable prices. They didn't have any technical problems to speak of. They even had really good USENET access (I used to post a ton from krellan@netgate.net, Google it).

    However, Netgate's social/legal policies really stank.

    At the time, for example, they had agreed to host godhatesfags.com. So, I left.

    It wouldn't surprise me now to see them overzealously comply with a subpoena, hurting their own customers in the process.

    I still think it's really cheap of hosting companies to not warn their customers when receiving legal action against them (except when the DMCA actually requires that they not warn, yet another reason why it's such a scary law).

    1. Re:Was former Netgate customer by Anonymous Coward · · Score: 5, Insightful
      "However, Netgate's social/legal policies really stank. At the time, for example, they had agreed to host godhatesfags.com. So, I left."

      In other words, you're not a big fan of freedom of speech?
    2. Re:Was former Netgate customer by Anonymous Coward · · Score: 0

      In other words, you're not a big fan of hosters being free to choose who they host, based on their own morals ?

      You don't generally have the freedom to speak using someone else's property without their permission.

    3. Re:Was former Netgate customer by Anonymous Coward · · Score: 0

      "In other words, you're not a big fan of freedom of speech? "

      In other words, you are no big fan of freedom of association?

    4. Re:Was former Netgate customer by Anonymous Coward · · Score: 0

      Freedom of speech is a right.

      It doesn't mean you have to support or listen to someone whose ideals are different than yours. That's one of the nice things about freedom, you are free to walk away.

      It's called freedom of choice.

      If I found that my ISP supported a neo-nazi hate group, it would be wrong of me to ask them not to because they do have the freedom of speech. It doesn't require me to actually visit their site, nor even support the ISP itself. It's not censorship as long as you are only censoring what you see.

      It's easy to be a fan of free speech yet not be a fan of those who speak.

  9. RTFC! by Anonymous Coward · · Score: 0

    Hey, everyone... RTFCase! Check out the link to opinion in parent.

    The reason these guys got slammed is because they tried to subpoena every damn email on the ISP, rather than ask for their opponents email.

    The ISP who apparently did have or couldn't afford a lawyer tried to narrow things down, but the wankers on the other side refused, and when threatened with being held in contempt, the ISP caved and shared a random selection of the users' email on their website.

    Serves these bastards right for abusing the subpoena power.

  10. Over broad ? by jefu · · Score: 3, Insightful
    "Every subpoena is overbroad. It's the responsibility of the party receiving the subpoena to try and narrow it."

    IANAL (naturally) so I'm confused.

    As I understand it, the DMCA allows someone who thinks they are being ill used (in copyright sorts of ways) to issue a subpoena essentially without a judge being involved and those on the receiving end are then supposed to comply. But this lawyer says that those on the receiving end get to try to negotiate it. If there's no court/judge involved, who do you negotiate with?

  11. Not all ISPs are gutless... by Anonymous Coward · · Score: 0
    My ISP was asked for their IP logs by SOCAN (sort of like RIAA, in Canada) and the BSA, and basically told them to piss off.

    That was well over a year ago, and I haven't heard anything more about it. Hopefully the result was the SOCAN/BSA did actually piss off.

  12. No doubt by phorm · · Score: 2, Funny

    What would be their closing statement using these emails as evidence:
    "Your honor, as you can see the defendant is of questionable moral integrity and dubious legal practice. Of their 300 emails we *ahem* appropriated, 289 of the messages received were in relation to conduct of dubious sexual nature. Obviously, your honor, they are nothing but a bunch of no-good perverts!"

  13. There are different standards by Anonymous Coward · · Score: 2, Informative

    The recipient of a subpoena has an obligation to act in good faith and not just throw the cupboard open.

    For example, let's say you got some MS Documents via e-mail, and they are under an NDA. You want to give them to your buddy, but can't because of the NDA. So you get your buddy to issue you a DMCA subpoena for ALL your e-mails, and you give them over.... he gets the data you otherwise couldn't give him and you claim as a defense to violating the NDA as the subpoena (which is why most NDAs have a notice clause that you must give them notice if you get a subpoena before complying with it.) In this situation, MS can go after you for complying with the subpoena that you shouldn't have complied with.

    This is a pretty outrageous example, but it illustrates a situation where the recipient should NOT have complied with the subpoena.

    In a non-collusive situation, similar results happen when someone hands over whatever the subpoena asks for. If an attorney is taking advantage of the subpoena process, he or his client can be held liable. Asking for stuff you know (or reasonably should know as an attorney) you can't force the other person to give you by subpoena can get you sued and disbarred.

    However, many attorneys do it all the time, knowing that the recipient will not know it, or if they do, it will be cheaper to just comply than fight.

    But under some laws, a company that caves in to such a brazen subpoena can be held liable too. If the LAW (not just an NDA) makes it illegal to release certain information (such as long distance toll call information for calls you make from home) and the phone company gets a subpoena from an out-of-state court, the phone company should NOT comply with the subpoena since it does not HAVE to. Complying voluntarily with a subpoena that you don't legally HAVE to comply with will violate the law restricting disclosure absent a "valid" subpoena or court order.

  14. market can only respond to clear knowledge by Anonymous Coward · · Score: 0

    "A better, and more reasoned approach, would be to not give business to an ISP that doesn't care about the privacy"

    I'm sorry, but how is "the market" going to collect and maintain this information across all of the ISPs so that the prices can be reflected properly? I'll give you a clue, it isn't. Sometimes libertarian ideals are good, sometimes they are just stupid.

  15. Outrage! by treat · · Score: 1

    Isn't this a perfect example of why people shouldn't be able to attack, harass, seize the possessions of, or arrest other people without a court's approval? This is the same thing as the new PATRIOT act no-warrant searches.