In the midst of an FBI investigation and convening of a grand jury, it is still not clear if there will be a prosecution on the email hack of Governor Sarah Palin, US vice presidential nominee. Palin's Yahoo account was breached, and her private emails posted online, before authorities tracked down the hacker's ISP fingerprint to Knoxville, Tennessee, connected to college student David Kernell.
In a previous article, IBLS examined Alaska law against the crime of unauthorized computer access. Now we investigate Federal Statutes against the same crime. Analyzed are the statutes that could apply, but it is ironic that Alaska law appears to have stronger statutes against hacking than the US Code does. This underscores the need for the US to update its hacking and illegal access laws, since this has become such a common crime that causes great cost, both in financial and human terms, for acts such as ID theft, and also the civil issue of invasion of privacy.
The following questions will be answered to better understand the issues involved for the Federal crime of email hacking: What is Hacking? What Federal Laws did Governor Palin's Hacker Break? What Other Statutes Could Apply? What Punishment Could be Given? Does the US Need Better Email Hacking Laws?
What is Hacking?
Hacking is concisely defined as the illegal entry into a computer system through unauthorized means. This can be done several ways, via a direct, or indirect approach. A criminal can break into a site or computer, or they can access a machine by sending out a malicious program allowing secondary control. Sometimes thieves deliver a code that directs the computer to send back user information, or to follow directions from a third machine. The latter occurs when a Trojan viruses is sent to create a zombie machine, forcing the computer to secretly disgorge data for ID theft, or allow itself to be used to send out more viruses, setting up an exponentially multiplying web crime.
What Federal Laws did Governor Palin's Hacker Break?
Sarah Palin's hacker ostensibly breached U.S.C. §2701, Unlawful Access to Stored Communications. This states that anyone who... "intentionally accesses without authorization ... an electronic communication service ...and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished..."
Palin's hacker did access her email without authorization and obtained electronic communication. "Electronic Storage" itself is an elusive definition. The Act says "electronic storage" is "any temporary, intermediate storage of a wire or electronic communication," or "any storage of such communication by an electronic communication service for purposes of backup protection." Since the Act talks of temporary storage, many argue that any opened emails would not be protected.
Since prosecution of Palin's hacker would proceed to California's Ninth Circuit, which covers Alaska cases, her prosecutors would file charges there. That Court has ruled that "electronic storage" allows for both opened and unopened emails, as outlined in Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2003).
The Department of Justice's training manual, "Prosecuting Computer Crimes," says that federal courts are unsettled upon whether "electronic storage" should include already accessed emails, and favors defining it as just unopened messages. Yet, this guide is not an authoritative standard that must be followed. So, a federal prosecutor could use Theofel to argue that Palin's hacker broke the law at the 9th Circuit.
It is not clear whether the hacker opened any unread emails. There is a great chance he did, and if so he is guilty of this crime, regardless of the Circuit.
What Other Statutes Could Apply?
§ 1343. Fraud by Wire, Radio, or Television
This law states that someone who creates ... "any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses... causes to be transmitted by means of wire...in interstate...any writings...for the purpose of executing such scheme or artifice..." is guilty of wire fraud.
The hacker did use fraudulent means to break into Sarah Palin's email account to steal her data property. So he has technically broken this law.
Normally, the Government would not go after email hacking with a wire fraud charge if it does not involve a financial crime, such as phishing for bank account numbers, etc. In fact, the notes on the law state, "Prosecutions of fraud ordinarily should not be undertaken if the scheme employed consists of some isolated transactions between individuals, involving minor loss to the victims..." But it adds, "Serious consideration, however, should be given to the prosecution of any scheme which in its nature is directed to defrauding...the general public..."
If the prosecution wanted to go after the criminal and send out a strong message against future hackers, especially of private emails from public officials, they could add this charge. The Court could rule that the hacker was trying to "defraud the general public" by undermining a democratic election with stolen, scandalous, private information. But applying the wire fraud law to this email hack seems quite unlikely.
The punishment for this crime is a fine, incarceration up to five years, or both.
Another law that could be applied is: Intercepting a Communication: 18 U.S.C. § 2511(1)(a).
In Section 2511(1)(a), it provides that anyone who "intentionally intercepts...any wire, oral, or electronic communication ...." has violated the law.
This statute is normally applied only to contemporaneously captured messages, occurring at the time of the breach. This usually leaves out emails. Only the First Circuit in Massachusetts has allowed an email interpretation. Since Palin's case would be heard in the Ninth Circuit, this would not apply. But the Prosecutor could argue this interpretation of the law against the hacker in the Ninth Circuit and ask the court to apply the other Court's ruling, despite the fact that it would not be binding. This would probably not be successful.
What About the Computer Fraud and Abuse Act (CFAA)?
The CFAA is essentially a law designed to protect Government computer systems. It was passed originally as the "Counterfeit Access Device and Computer Fraud and Abuse Act of 1984," and is in the Federal Statutes at 18 U.S.C. 1030. It was intended to supplement mail and wire fraud statutes by targeting "protected" computers dealing with classified, financial and credit information on government and financial institution computers, or so-called "federal interest computers."
The CFAA, at 18 U.S.C. 1030(a)(2)(C), requires proof a person to have (1) intentionally, (2) accessed a computer, (3) without authorization (4) and obtained information from any "protected computer," (5) which includes those involving an interstate or foreign communication.
Unfortunately for Governor Palin and prosecutors, the CFAA defines the "interstate" aspect as having to do with commerce, as opposed to simply occurring online between states. Therefore, Governor Palin's case probably does not apply here.
Does the US Need Better Email Hacking Laws?
Yes. In fact, John W. Thompson, the CEO of security giant Symantec recently delivered a keynote speech on that topic, titled "Information Centric Security: The Next Wave." At a tech conference Thompson noted that in the last six months of 2007, nearly 50 million people worldwide were the victims of identity theft, and almost three-quarters of computer owners suffered a malware attack. Said Thompson, "It's impractical to have 40 different states, each with its own laws; we need a federal law with very high standards today."
It is unacceptable that someone can break into another's email account, steal their property, and publicly state the act was meant to overthrow an election, yet have the crime not be prosecuted because the law is so poorly written.
