“Hacking” – Has the True Meaning Been Distorted?

August 18, 2011 by Leave a Comment

The Computer Fraud and Abuse Act (“CFAA”) was intended to be used to prosecute cases of malicious hacking. In particular, it was meant mainly to cover “protected computers” which means computers associated with financial institutions and the Government. “Hacking” generally refers to situations where an individual or group breaks into a protected computing system and either copies or destroys data. However, because the CFAA was written in a vague and broad manner, courts continue to expand the CFAA’s meaning beyond what many believe was originally intended.

For example, in Pulte Homes, Inc v. Laborers’ International Union of North America, the United States Sixth Circuit Court of Appeals recently ruled that a labor union could be held liable for violating the CFAA because it hired an auto dialing service to inundate Pulte Homes with calls and asked labor union members to call and email Pulte Homes. Overall, there were thousands of calls and e-mails. The union did this to protest what it believed was the wrongful termination of seven union members.  Many have questions regarding whether these actions rise to the level of “hacking” or if it was instead covered by tort law or even anti-spamming law.

However, in the view of the Sixth Circuit Court of Appeals, “the e-mails wreaked more havoc: they overloaded Pulte Home’s system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte Home’s employees could not access business-related e-mails or send e-mails to customers and vendors.”

Yet, if anything it appears that the union could be held at least partially liable under the CAN-SPAM Act, which covers unsolicited commercial e-mails and messages sent to wireless phones. However, one must stop to wonder if many of these messages, even in large quantities rise to the level of “spam.” The labor union hired an auto-dialing service which might be considered a commercial spam service under that law. In addition, some of the labor union members left obscene and threatening messages, which might rise to the level of criminal or civil harassment.

Yet, the court noted that it was not the content of the calls and e-mails that damaged Pulte, instead, it was the volume. The court stated that the sheer volume of calls and e-mails made it impossible for Pulte to carry on its business operations because customers and vendors could not reach them. However, there are remedies available to aggrieved parties for this sort of intentional interference with business operations in tort law.

Yet, the court broadly concluded that “a transmission that weakens a sound computer system – or, similarly, one that diminishes a plaintiff’s ability to use data or a system – causes damage [under the CFAA].” One could say that the court’s conclusion was  proper because the CFAA never explicitly defines “hacking.” On the other hand, the CFAA seems to make it clear that the computer intruder must have “knowingly accessed the computer or exceed[ed] authorized access” and “caused damage.”

However, the court noted that the labor union did not dispute the “accessing” element of the claim, nor did it dispute that it had accessed “protected computers.” Instead, the court said that the only issue to address was whether the labor union “intended” to access the protected computers. Therefore, it leaves one to wonder whether this case amounts more to bad lawyering than anything else.

As the court said, the actions of the labor union probably did “cause damage,” but, the labor union never “exceed authorized access” nor did it even “enter” the computer systems at all. Moreover, under the CFAA it appears that the individuals need to act with the “intent” to access the computers, perhaps the labor union simply “intended” to gain attention from their employer to further their cause and make their voices heard.

What do you think? Is there a difference between hacking and spamming? Where does one begin and the other end or are they even related at all? We welcome your thoughts! Please feel free to comment!

If you have questions about any of these issues, or if we may be of assistance to you on any other matter, please feel free to contact us.

Filed under Internet Law, Technology and Telecom Law

California Appeals Court Rules: Some E-mails Not Protected by Attorney Client Privilege

January 19, 2011 by 1 Comment

A California appeals court ruled last week that if a client sends an e-mail to an attorney from a work e-mail account, that e-mail is not protected by attorney-client privilege. What are the implications of this decision? In short, if you are suing your employer, you should not correspond with your attorney using company e-mail because the company may have a right to access and use it against you in court.

In the opinion, the court explained that the e-mails at issue in that case, which were sent on a company computer, were like “consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard.”

This case appears to expand on a recent Supreme Court decision from last year, which held that a police officer’s text messages on two-way department pagers were not private because the Ontario Police Department’s policy said that text messages on work pagers were not private.

Electronic privacy case law is still evolving and the law varies from state to state, and from situation to situation. For example, the New Jersey Supreme Court ruled that the use of a personal web-based e-mail account accessed from an employer’s computer were private.

Yet, in another case addressing the privacy issue, a California Circuit Court ruled that an employee has a reasonable expectation of privacy within the space of his private office. Therefore, “any search of that space and the items located therein must comply with the Fourth Amendment.” However, “had the company computer assigned to Ziegler [the  employee] for his business-use only been physically located outside a private office, we might have had to consider whether Ziegler had reasonable expectation of privacy in the device itself, in the face of a corporate policy of monitoring the corporate computers.”

Significantly, while recognizing the greater expectation of privacy within a specific office, the courts have also been clear that employees “reasonable expectation of privacy” is overcome if a company has clearly stated a policy that it has the right to inspect all equipment (including laptops, filing cabinets, etc) that it has provided to its employees.

Thus, “a public employee’s reasonable expectation of privacy may be reduced or eliminated by ‘legitimate regulations’ or by ‘office practices and procedures,’ such as how frequently coworkers and other individuals are permitted to enter the area that was searched.”

Along these same lines, the courts have found that an employee’s own conduct may limit his expectation of privacy and thus his privacy rights. For example, if an employee “knowingly exposes [materials] to the public, even in his own home or office, [those materials are] not a subject of Fourth Amendment protection.”

The lesson is that the legitimate interests of employers and employees are best met by the development and implementation of clear policies and practices regarding the use and monitoring of communications originating from a workplace. These policies must recognize both that employees do have a “reasonable expectation of privacy” but that employers also have a legitimate interest in ensuring that company email is utilized for its intended purpose.

At the end of the day, given the fragility of private information and the difficulty of  repairing the damage that can be done by public disclosure, employees are well advised to keep personal e-mails, documents, or the like out of the office and off of company computers or technological devices.

What do you think? Should a company have unlimited access to an employee’s work e-mail? Should employees have a reasonable expectation of privacy even on work e-mail? We welcome your thoughts! Please feel free to comment!

If you have questions about this issue, or if we may be of assistance to you, please feel free to contact us.

Filed under Court Decisions, Internet Law, Technology and Telecom Law

Federal Court Rules Fourth Amendment Protects Email

December 20, 2010 by Leave a Comment

Last week, the Sixth Circuit Court of Appeals ruled that police must get a search warrant before searching Internet users’ email records.  The decision struck down part of The Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., which has been held to permit a governmental entity to compel a service provider (“ISP”) to disclose the contents of electronic communications in certain circumstances without a warrant.

The Court’s analysis was based on the long history of cases interpreting the scope of the protection provided by the Fourth Amendment against “unreasonable searches and seizures.” As the Court explained, it is well-established that, “[N]ot all government actions are invasive enough to implicate the Fourth Amendment.  The Fourth Amendment’s protections hinge on the occurrence of a “search”, which occurs when the government infringes upon an expectation of privacy that society is prepared to consider reasonable. The question of whether there is a reasonable expectation of privacy breaks down into two discrete inquiries: (i) has the target of the investigation manifested a subjective expectation of privacy in the object of the challenged search; and (ii) is society willing to recognize that expectation as reasonable?

With respect to defendant’s subjective expectation, the Court concluded that, given the “sensitive and sometimes damning substance of his emails,” the defendant clearly had an expectation that his emails would be private.  With respect to whether his expectation was reasonable, the Court first noted that, “[T]his question is one of grave import and enduring consequence, given the prominent role that email has assumed in modern communication.”  With this in mind, the Court went on to conclude that defendant’s expectation of privacy was reasonable.  In reaching this conclusion, the Court gave substantial weight to the following matters: (i) the ubiquitous nature and use of email in all aspects of modern communication and life means that by obtaining access to someone’s email, government agents gain the ability to peer deeply into his activities; (ii) the fact that information is being passed through a communications network; and (iii) the Fourth Amendment, which has historically focused on searches of physical property and telephonic communications, “must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish.”

“Given the fundamental similarities between email and traditional forms of communication,” the Court concluded that “it would defy common sense to afford emails lesser Fourth Amendment protection.” The Court went on to say, “It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long … serve[d]… [T]he police may not storm the post office and intercept a letter, and … are likewise forbidden from using the phone system to make a clandestine recording of a telephone call–unless they get a warrant…”

The Court’s decision rendered the evidence against Defendant, Stephen Warshak, invalid. This ruling was far from a victory for the Defendant.  The Court affirmed the conviction Warshak for defrauding customers with his product, “natural male enhancement” pills.  However, the Court remanded Warshak’s case to a lower court for reconsideration of his sentence.  Warshak also remains liable for a $44 million money laundering judgment.

A complete copy of the Sixth Circuit Opinion is available here.

What do you think? Do you agree with the Sixth Circuit’s decision? Should users have a reasonable expectation of the privacy of their emails? Should it matter if they originate from a personal or third party employer’s email service?  We welcome your thoughts! Please feel free to comment!

Filed under Court Decisions, Internet Law, Technology and Telecom Law

Internet Law: A Sea of Uncertainty

October 12, 2010 by Leave a Comment

The Internet has created a host of new legal issues for the courts to deal with. Courts are faced with the challenge of trying to squeeze Internet crimes into the mold of traditional crimes. However, courts also must face brand new issues that no law maker could have anticipated and figure out what rights are applicable to those involved with those issues. This leads to questions about how to treat Internet postings generally and what rights those involved in the post have.

One interesting case in California tackled the issue of the extent of a blogger’s First Amendment rights. In 2006, the California Court of Appeals decided O’Grady v. Superior Court.[1] In that case, a computer manufacturer filed action against a web site publisher alleging that they published confidential information about a product, and sought to identify the source of the disclosure. The court in O’Grady held that the content of the website was newsworthy because of the nature of the information about a technical advancement it conveyed.  Therefore, because the content of the website was newsworthy, the web site publisher was entitled to First Amendment protection because he was acting in the capacity of a journalist. In other words, the blogger did not have to reveal the source of this damaging information. Although not all courts have agreed with this decision, it has not been overruled.

There are also other cases supporting the notion that communication through the Internet should not be treated differently simply because the information is online versus from some other source. For example, in Nexus v. Swift,[2] a Minneapolis court held that a statute’s public-participation requirement did not exclude speech communicated through the medium of the Internet. Additionally, other courts have decided that Internet posts should be treated equivalently to mass-media publications. In Wolk v. Olson,[3] a Pennsylvania court dismissed a defamation claim against “Overlawyered” blog because the statute of limitations had run.  In that case, the court treated the blog equivalently to a mass-media publication.

These laws are still developing in courts across the United States. Many courts have yet to address any of the issues associated with Internet law, and still others have only had to address very narrow issues associated with the Internet. Thus, there are no hard and fast rules that you can associate with the Internet.

What do you think? Should bloggers have First Amendment protections like journalists who do not have to reveal the sources of their information? Is the Internet equivalent to any other mass-media publication or does it depend on the type of Internet forum? We welcome your thoughts! Please feel free to comment!

[1] O’Grady v. Superior Court, 44 Cal. Rptr. 3d 72 (Cal. Ct. App. 2006).

[2] Nexus v. Swift, 2010 WL 3211906 (Minn. App. Ct. 2010).

[3] Wolk v. Olson (E. D. Pa. Aug. 2, 2010).

Filed under Internet Law

Follow

Get every new post delivered to your Inbox.