Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court Rules Sending Too Many Emails Is "Hacking"

Posted by samzenpus on from the if-you-send-it-more-than-twice-your-hacking-it dept.

An anonymous reader writes "An appeals court has ruled that having people send a company a lot of emails (in this case, a union protesting a company's business practices) qualifies as hacking under the Computer Fraud & Abuse Act. We're not even talking about a true DDoS action here, but just a bunch of protest emails. Part of the problem is that the company apparently set up their email to only hold a small number of emails in their inbox, and the court seems to think the union should take the blame for stuffing those inboxes."

31 of 317 comments (clear)

  1. Got it wrong in one by arth1 · · Score: 4, Insightful

    The "problem" is that hacking and disrupting services is governed by the same laws, without much distinction. And it is disrupting services if the sender knew about or had reason to know about the limitation of the recipient.

    1. Re:Got it wrong in one by LateArthurDent · · Score: 5, Insightful

      The "problem" is that hacking and disrupting services is governed by the same laws, without much distinction. And it is disrupting services if the sender knew about or had reason to know about the limitation of the recipient.

      No, no it's not. If the limitation of the recipient is an unreasonable limitation, you can't blame the union. If they were using a bot to mass-spam them with the intention of crashing their systems, I'd agree with you. Manual protest e-mails are a valid form of a communication with the company. If we allow considering this "disruption of services", companies will start having crappy e-mail systems on purpose just so they have the option open to sue people.

    2. Re:Got it wrong in one by HungryHobo · · Score: 2

      It's no different than a letter writing campaign.

      When groups organise one it disrupts service as people have to sift through the piles of envelopes for normal business letters yet that's not illegal.

      You'd just spouting the standard "it's different on a computer" bullshit.

    3. Re:Got it wrong in one by h4rr4r · · Score: 3, Insightful

      Every time you send an email you are checking if they can receive them. Did the mail server sent back 421 or 422 or did it accept the mail?

    4. Re:Got it wrong in one by arth1 · · Score: 2

      No, no it's not. If the limitation of the recipient is an unreasonable limitation, you can't blame the union.

      If they knew about it, and exploited it to cause an outage, yes, I both can and think I should blame them.

      This is slashdot, so an obligatory car analogy:
      If I have told you that the company car has an overheating problem, so please don't drive it at high revs, and you wilfully drive it at low gear until the engine breaks, you are to blame. Whether I should have fixed it or not is irrelevant - you knew about it and wilfully chose to ignore it in order to cause damage.

      Intent is what matters here. Was the Union's intent good? The judge doesn't seem to think so.

    5. Re:Got it wrong in one by sjames · · Score: 3, Interesting

      No, *I* wouldn't send them thousands, because that's simply a harassment. However, if I disagree with a company's actions, I might well decide to be one of thousands of people to send them AN email to let them know what I think. It's perfectly valid to ask individuals to let someone (or something in the case of a corporation) know you don't approve of them.

      The intent is to communicate and email is for communication, so there is no abuse happening.

      Here's a good thought experiment, I post in a /. story that everyone should email their congressman and let them know what they think. Did I just "hack" Congress? Am I assaulting the U.S. government? Or am I exercising my 1st amendment rights, participating in a demopcratic government, and urging others to do the same?

      Beyond that, if their email system is such a creaking rust bucket that it can't handle a thousand emails, it was hardly a "sound" system.

    6. Re:Got it wrong in one by postbigbang · · Score: 4, Interesting

      Then what of the slashdot effect? What really is *normal*? If we post this, then crater their website, are we guilty, too? I think not. If they can't do the normal thing and empty their mailboxes in a reasonable manner, then the onus is on the company. The judge will have his ruling overturned.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:Got it wrong in one by Anonymous Coward · · Score: 3, Informative

      The union used an automated mailing system to send thousands of emails to a few email addresses... It wasn't only a bunch of people sending their own emails. Many emails were "threats and obscenities". The company told the union to stop because it was disrupting their service. The union intentionally continued knowing that it would cause the business problems. It wasn't a protest, it was revenge for firing employees.

      Their intent was clear. To disrupt business by hammering the mail servers. That is very similar to a DDOS attack and how it affects a business, (i.e. making resources unavailable).

      If the union had no idea that it would kill the mail server then I would agree. But the Union knew and was first asked to stop before litigation.

    8. Re:Got it wrong in one by pixelpusher220 · · Score: 2

      Then what of the slashdot effect?

      Generally speaking, a /. article involves lots of people doing 1 thing (loading the page) a few times because it isn't loading due to volume.

      The union specifically told people to send emails, multiple emails, keep sending them so that they are overloaded. That's close enough to a DDOS to me. If a spammer told his bot army to send emails to someone such that it crashed their email server, how is that different than this?

      They weren't really trying to get responses. If the union said "Contact the company and ask them X" and people independently did so multiple times, fine it's an employee's right to ask their employer questions. It's a far different story for the union to organize a protest that disrupts business. Striking/picket lines likewise are not allowed to prevent people from accessing the business. Sure they do, but that is clearly illegal.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    9. Re:Got it wrong in one by DeadCatX2 · · Score: 2

      If they were using a bot to mass-spam them with the intention of crashing their systems, I'd agree with you.

      They did in fact use an outside robo-dialer to flood the phone system with voice mails. http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%E2%80%99s-voice-and-email-systems

      --
      :(){ :|:& };:
    10. Re:Got it wrong in one by todrules · · Score: 3, Informative
      To quote from TFA: "Damage alone, however, is not enough for a transmission claim. A defendant must also cause that damage with the requisite intent."

      The brief goes on to explain, in detail, how it comes to the conclusion that LIUNA had the intent to cause damage:

      "The following allegations illustrate LIUNA’s objective to cause damage: (1) LIUNA instructed its members to send thousands of e-mails to three specific Pulte executives; (2) many of these e-mails came from LIUNA’s server; (3) LIUNA encouraged its members to “fight back” after Pulte terminated several employees; (4) LIUNA used an auto-dialing service to generate a high volume of calls; and (5) some of the messages included threats and obscenity. And although Pulte appears to use an idiosyncratic e-mail system, it is plausible LIUNA understood the likely effects of its actions—that sending transmissions at such an incredible volume would slow down Pulte’s computer operations. LIUNA’s rhetoric of “fighting back,” in particular, suggests that such a slow-down was at least one of its objectives. The complaint thus sufficiently alleges that LIUNA—motivated by its anger about Pulte’s labor practices—intended to hurt Pulte’s business by damaging its computer systems.

      LIUNA attempts—but fails—to justify its conduct. Though it maintains that the calls and e-mails are “fully consistent with an ongoing, lawful, organizing campaign” through which it “is attempting [only] to organize Pulte employees,” LIUNA offers no explanation of how targeting Pulte’s executives and sales offices—rather than employees eligible for recruitment—advances its campaign. And an equally, if not more, plausible explanation is that LIUNA intended to disrupt Pulte’s business by bogging down its computer systems."

    11. Re:Got it wrong in one by SmurfButcher+Bob · · Score: 2

      You certainly can, and certainly would sue - since my sending it would would likely take out your infrastructure for several days, and especially when I refuse to stop it. More especially when you discover that my sending it is a coordinated effort with others, and that WE will repeatedly continue to do this, and that WE will actively compete against any mitigation you attempt, and WE know for a fact that the attachment has no value to you, and WE are doing it explicitly for the purpose of pissing you off. And WE will NEVER stop.

      You'd not sue for money, however; you'd sue for an order to stop it, likely under the CF&Abuse act, so that if I don't stop, I now have a problem with a pissed off Judge.

      You likely missed the part about the union firing up a mass of autodialers to crapflood the phone lines over this same time period, and the email crapflood was simply another facet of this campaign, with the same goal, knowledge, and intent.

      Your claims are valid for the context you're imagining. However, that context has nothing to do with this Union's actions.

      --

      help me i've cloned myself and can't remember which one I am

    12. Re:Got it wrong in one by nitehawk214 · · Score: 2

      What would you have done if the bridge collapsed, complained that the truck drivers should have ascertained the maximum load of the bridge? It's not their task.

      Sure it is. They simply need to drive progressively heavier trucks over the bridge until it collapses. Then rebuild the bridge to the exact specifications, and post the weight of the heaviest truck to survive.

      Its quite simple, Calvin.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    13. Re:Got it wrong in one by mdielmann · · Score: 2

      Was the Union's intent good? The judge doesn't seem to think so.

      On the other hand, was the corporation's intent good? If a suggestion box had a stack of standard 3" x 5" cards by it, and the slot to insert the comment card was 2" wide, and the space inside the box was 3" x 3" x 1" deep, would you get the impression that the company wasn't interested in your suggestion?

      If the company has feeble and ridiculous capacities for its size, then maybe they need to beef up their systems before whining about other people breaking them.

      ...And this is why I try to avoid generalities. I didn't expect there to be a day when I would be defending a union's actions.

      --
      Sure I'm paranoid, but am I paranoid enough?
    14. Re:Got it wrong in one by Genda · · Score: 2

      There are two distinctly separate issues here.

      The first is regarding the rights of corporations vs everyone else. If the court system has degenerated into a rubber stamp to give corporations whatever they want effectively criminalizing anyone who isn't a corporation, then we have some serious problems here and they need to be address with velocity and extreme prejudice.

      The other is a technical issue involving a broken service being used by the corporation. Intent is one of those things that is hard to determine, and without solid evidence like "A witness overheard a conversation..." or "The union employed ex-employees to find the vulnerability..." one must look at a reasonable expectation. If the corporation created a means for traffic, such that reasonable use of that means caused it to fail, then the corporation has no expectation of winning this case, because the union did nothing exceptional or in this specific case unreasonable, ie. no apparent act of malice.

      If my front yard ends up filled with hazards and imminent disasters, either intentionally or through neglect, and the mailman trips and breaks a decrepit lamp post or falls into my flower patch, the mailman is not liable. There was no malice in his actions, in fact he had reasonable expectations to the contrary and the vulnerability was a product of my irresponsible or inappropriate behavior. The only exception to this is if I can prove unequivocally that the mailman willfully and with full knowledge damaged my yard, and with evidence that I created a hazardous environment already acknowledged, that's going to be a really tough stretch.

    15. Re:Got it wrong in one by pixelpusher220 · · Score: 2

      They used an auto-dialer to bombard the phone system.

      from linky:

      (1) The union “instructed its members to send thousands of e-mails to three specific Pulte executives;
      (2) many of these e-mails came from . . . [the union’s] server;
      (3) . . . [the Union] encouraged its members to “fight back” after Pulte terminated several employees;
      (4) . . . [the union] used an auto-dialing service to generate a high volume of calls; and
      (5) some of the messages included threats and obscenity. And although Pulte appears to use an idiosyncratic e-mail system, it is plausible . . . [the union] understood the likely effects of its actions–that sending transmissions at such an incredible volume would slow down Pulte’s computer operations. . . .
      [The Union’s] rhetoric of “fighting back,” in particular, suggests that such a slow-down was at least one of its objectives. Id. at *6.

      It's pretty clear the 'intent' here was to disrupt them, not to prove a point. And preventing the business from operating (which is entirely separate from a strike) *is* illegal. you can picket outside but you can't block access...which is what they did here.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    16. Re:Got it wrong in one by WorBlux · · Score: 2
      And what if it is overheating because the thermastat is stuck partially shut and your employer was too miserly to fix it? Contributory negligence is a defense. Why didn't IT setup a sane amount of data for emails, or include a graceful failure mode where e-mails less than a week old would be buffered, or a whilelist of customer and official employee addresses that would always make it through?

      Anyways people really need to read the freaking order. The order of dismissal was only reversed in part. It found that the email were in fact damaging (one of the remanded parts), but because no claim was made that authorized use was exceeded. Not making such a claim, the order of dismissal was affirmed. Also some things about labor activity and competing state/federal jurisdiction, but it's not as relevant.

  2. Does it work the other way 'round? by mcmonkey · · Score: 3, Interesting

    What about a company sending a lot of emails to a person?

    1. Re:Does it work the other way 'round? by BitHive · · Score: 5, Insightful

      A company's actions, as long as they serve its profit motive, are beyond reproach. This article is about a union, which is a whole other story!

    2. Re:Does it work the other way 'round? by Anonymous Coward · · Score: 2, Funny

      A company's actions, as long as they serve its profit motive, are beyond reproach.

      You sure you don't work for BP?

  3. My Mailbox at Home is Full by rotide · · Score: 5, Funny

    My physical mailbox at home is kind of small and when I go on vacation it can get full to the point of no longer being able to put more mail in. Do I get to go after Capital One or any/all of the other habitual mail spammers now? If not, why? Because this Act only covers electrons flowing through wires and not physical items physically limiting my mailbox?

  4. The union may have shit for lawyers. by blair1q · · Score: 3

    If the company can't handle the consequences of its actions, it shouldn't act.

  5. Re:It doesn't matter...either way! by denis-The-menace · · Score: 2

    unfortunately a company is now a "super-person"
    -immortal
    -immoral
    -and unaccountable if large enough

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  6. Actually, the union didn't lose. by Animats · · Score: 5, Informative

    Here's the actual decision. First, the company's request for an injunction to stop the mail campaign, denied by the district court, is still denied. The claim under the Computer Fraud and Abuse act goes back to the district court, and can proceed there, but the appellate court makes no comment on the merits of that claim. The appellate court was only dealing with the issue of whether the Norris-LaGuardia act, which gives jurisdiction to the National Labor Relations Board when the behavior involved arises out of a labor dispute, preempted the Computer Fraud and Abuse Act . The appeals court decided that this isn't an NLRB matter, and goes back to the district court.

  7. Was it deliberate? by 91degrees · · Score: 2

    I'll disagree with what seems to be the consensus here, if they sent emails with the deliberate intent to bring down the mail server. It's a crude hack but it is taking advantage of a flaw in a system to cause damage.

    It seems that they carried on emailing without actual malicious intent. However it looks like they were told that this would bring them down. That brings it down to recklessness. Does recklessly damaging a computer system count as hacking?

  8. Nowhere does the ruling say "hacking" by NiteShaed · · Score: 4, Informative

    The law in question is called the Computer Fraud and Abuse act, and I'd say they're going with the angle of abuse. In this case, LIUNA seems to have been going for what amounts to a DDoS attack against the contractors phones and emails.

    To generate a high volume of calls, LIUNA both hired an auto-dialing service and requested its members to call Pulte. It also encouraged its members, through postings on its website, to “fight back” by using LIUNA’s server to send e-mails to specific Pulte executives. Most of the calls and e-mails concerned Pulte’s purported unfair labor practices, though some communications included threats and obscene language.

    Now, right or wrong, I can at least see the reasoning of the ruling, and this isn't just a clueless judge saying "Oh noes, they hax0r3d the company interwebs". LIUNA seems to have decided that they were going to use their membership and outside companies to shut down Pulte's communications. That they used individual members instead of a botnet to go after the email server seems irrelevant, the intent was clearly to beat the company into submission, not just to voice dissatisfaction. Had they not hired the guys with the autodialer it would have been much easier to believe they were just trying to make themselves heard.

    --
    Some bring out the best in others, some the worst. Some bring out far more.
  9. Think "physical mail". by khasim · · Score: 3, Insightful

    Would the same amount of physical mail result in any legal actions against the union?

    No? Then the judge is an idiot.

  10. what's next voice mail full = hacking? parking lot by Joe_Dragon · · Score: 2

    what's next voice mail full = hacking? parking lot full is = hacking as a Computer turns on the full sign?

  11. Careful everyone by Haedrian · · Score: 2

    If we comment too much on this post we might be hacking /.

  12. I hate unions, and I still support the union here by tlambert · · Score: 2

    I hate unions, and I still support the union here

    I see no reason for them to exist, following the passage of the fair labor relations act. The CWA routinely harrased a number of IBM facilities, as if by using networking we were also communications workers, even though we were all salaried engineers and therefore exempt, according to the department of labor.

    That said, I see the unions actions in this case as being no different than having a sit-in at a diner at the height of the civil rights movement, or a protest by the UAW blocking entry of workers into a manufacturing facility.

    Now THAT said, sit-ins were civil disobedience, specifically in violation of the law, in order to DOS the court system into forcing a change in law (and which were successful in that). However, in accordance with law at the time, many of the protesters involved were in fact arrested, since the only way to try a point of law is to violate it, and then go to court over it to demonstrate why a reasonable person would do the same.

    Whether the tactics used in this case constitute legal tactics of protest as a matter of process for collective bargaining, or if they constitute acts of criminal trespass on the effected communications systems really remains to be seen.

    Either way, it's an interesting case.

    -- Terry

  13. equating ordinary emails with illegal hacking by thesquire · · Score: 2

    Based on the rather skimpy information available to this writer, this may illustrate just another example of ignorant and uninformed judges running amok. No one should assume that judges are not petty, ignorant and power-mad just because they have been appointed or elected to that office. They can be and often are just as stupid as everyone else. Good luck with further appeals.