Hacking By Subpoena
solidox writes "SecurityFocus has an article on how Alwyn Farey-Jones instructed his lawyer to issue a subpoena against ICA to get all their emails. ICA's ISP, NetGate, complied and gave them over 300 emails from ICA employees. When ICA found out about this they sued and the court ruled that this was a violation of the Computer Fraud and Abuse Act. This could be good news for those trying to fight off the RIAA subpoenas to ISPs to catch file-sharers."
From the article:
"To equate an overbroad subpoena to breaking in is outrageous," says Mark Rasch, an attorney and former Justice Department cybercrime prosecutor. "The real crime here is the ISP getting the subpoena didn't contact the customer immediately and say, 'what do you want to do?' Every subpoena is overbroad. It's the responsibility of the party receiving the subpoena to try and narrow it."
This comment ignores the fact that the oldest form of hacking is social engineering. Doing something to sound official, or to appear to have clout that you don't have, in order to get what you want (generally, to get something you're not supposed to have) is definitely a form of hacking, used in some cases for nefarious purposes. The case mentioned in the article definitely has nefarious outcomes, and so, this sort of social engineering should definitely be prohibited.
When ICA found out about this they sued and the court ruled that this was a violation of the Computer Fraud and Abuse Act.
Well, not quite. The 9th Cir. reversed the trial court's dismissal of certain claims made by the plaintiffs. They did not hold that this conduct of serving overbroad, deceptive and illegal subpoenas per se violates the CFAA. Essentially, what the court did say was that there were enough questions of law and fact to go to trial on the issue. The opinion is on the 9th Circuit's website.
And to answer the poster below, there are certain times when parties to a litigation can issue subpoenas (under the FRCP), and some statutes authorize subpoena power without requiring the person to whom you are going to serve to be a party (ex. DMCA). But no, not just anyone can issue a subpoena, even though today it may look like it!
The recipient of a subpoena has an obligation to act in good faith and not just throw the cupboard open.
For example, let's say you got some MS Documents via e-mail, and they are under an NDA. You want to give them to your buddy, but can't because of the NDA. So you get your buddy to issue you a DMCA subpoena for ALL your e-mails, and you give them over.... he gets the data you otherwise couldn't give him and you claim as a defense to violating the NDA as the subpoena (which is why most NDAs have a notice clause that you must give them notice if you get a subpoena before complying with it.) In this situation, MS can go after you for complying with the subpoena that you shouldn't have complied with.
This is a pretty outrageous example, but it illustrates a situation where the recipient should NOT have complied with the subpoena.
In a non-collusive situation, similar results happen when someone hands over whatever the subpoena asks for. If an attorney is taking advantage of the subpoena process, he or his client can be held liable. Asking for stuff you know (or reasonably should know as an attorney) you can't force the other person to give you by subpoena can get you sued and disbarred.
However, many attorneys do it all the time, knowing that the recipient will not know it, or if they do, it will be cheaper to just comply than fight.
But under some laws, a company that caves in to such a brazen subpoena can be held liable too. If the LAW (not just an NDA) makes it illegal to release certain information (such as long distance toll call information for calls you make from home) and the phone company gets a subpoena from an out-of-state court, the phone company should NOT comply with the subpoena since it does not HAVE to. Complying voluntarily with a subpoena that you don't legally HAVE to comply with will violate the law restricting disclosure absent a "valid" subpoena or court order.