One hundred years ago when I was a judicial clerk at DC Superior Court, the worst docket was divorce court. The parties hated each other. They were nasty to each other. The attorneys were nasty. Everyone would do vindictive things to each other. It was horrible. Nothing was worse.
Oh yeah, there was something worse. Divorce where all the parties are lawyers – a law firm break up. ("Argh! Make that bad people stop!" says the judicial clerk buried in motions and pleadings).
Today's case is the best of both worlds; it involves a married couple engaged in a contentious divorce who also happened to be busting up their firm. Global Policy Partners, Inc. v. Yessin, No. l:09cv859 (EDVa Nov. 24, 2009). The question for the court was: when Defendant decided to log into Plaintiff's email account in order to read Plaintiff's emails to her divorce attorney – did Defendant violate the Computer Fraud and Abuse Act – had he hacked her email account without authority?
The alleged facts of the case are a bit messy; here is a simplified, made-for-TV, version (story has been changed to fit your screen): Plaintiff lived in State A, Defendant lived in State B, they were partners in the ACME firm, and Defendant was the manager of the ACME firm. The Parties were engaged in a contested divorce and dissolution of their firm. Defendant allegedly stumbled upon Plaintiff's email password and used it to access Plaintiff's email at the ACME firm, reading messages between Plaintiff and her divorce attorney. Plaintiff became suspicious and changed her password. Defendant still tried to gain access to Plaintiff's account and even sought the assistance of the Help Desk to gain the new password.
Plaintiff filed suit in federal court. As a part of Plaintiff's complaint, Plaintiff alleges that Defendant violated the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Stored Communications Act – in additional to several state causes of action. Defendant moved to dismiss Plaintiff's complaint for failure to state a cause of action. The question before the court here was not whether Plaintiff wins the case – it's merely should the case go forward: has Plaintiff stated a claim that is plausible, that she could eventually win as a matter of law if she provides sufficient evidence?
As many of the experts in this area of law will tell you, ECPA is a complicated area of law, and this case hits on two big complications: when does a party have authority to access a computer system and when is an email message in transit such that reading the email message is an interception.
This case confused me on several grounds. First, ECPA, CFAA, and SCA normally are talked about as restraints on police power (when do the police get to wiretap your phone), or conversely are laws used by the police to nail a criminal (for instances, the guys in the parking lot of the hardware box store sniffing credit card numbers out of the unencrypted WiFi signal). This case involves a civil cause of action between two civilians – no police involved here at all (oh yeah, goes the dumb guy, the law does restrain the actions of civilians and does provide a private right of action).
The Federal Court proceeded with its analysis by lumping the Computer Fraud and Abuse Act (18 U.S.C. § 1030 (a)) claim with the Stored Communications Act (18 U.S.C. § 2701(a)) claim, and analyzing whether Defendant's access of the Plaintiff's email at ACME was authorized. He was, after all, the manager at ACME. Wouldn't that mean he has authorization to access any of the firm's assets?
It's not so simple says the court. Yes, generically, the manager of a firm ought to have authority to access the firm's computer assets; but some situations merit a further exploration of facts: "authorization to access a computer network is analyzed 'on the basis of the expected norms of intended use.'" The Court notes that the following facts cut against Defendant: Defendant used a password to access an email account that was not his, and Defendant lacked a legitimate business reason to access that account.
Defendant responds that State B law authorizes him, as manager, to act as an agent of the firm for purposes of carrying out the ordinary business of transferring or affecting the firm's real property. To quote the Court: "Really?!?!" The court pointed out that authority to transfer real property is not exactly the same as authority to spy on your wife by hacking into her email to her divorce attorney. The court further pointed out that spying on one's wife is not normally considered "ordinary business." Motion denied.
Therefore, the Court concludes, Plaintiff has alleged sufficient facts to establish a plausible cause of action that Defendant hacked her account without authorization pursuant to the Computer Fraud and Abuse Act and the Store Communications Act (again, not that Plaintiff wins, merely that this cause of action gets to go to trial).
Now here comes the tricky part. The third cause of action is a violation of the Electronic Communications Privacy Act, or, in plain English, did Defendant intercept Plaintiff's email. The begged question is, when is an email in transit such that it can be intercepted, and when is it not. If Defendant read Plaintiff's email before Plaintiff had read it, is that interception? What about after plaintiff read it?
In the words of the Court,
Courts applying the ECPA have consistently held that a qualifying "intercept" occurs only where the acquisition of the communication occurs contemporaneously with its transmission by its sender. Thus, interception includes accessing messages in transient storage on a server during the course of transmission, but does not include accessing the messages stored on a destination server . . . a qualifying "intercept" under the ECPA [] can only occur where an e-mail communication is accessed at some point between the time the communication is sent and the time it is received by the destination server, at which point it becomes a "stored communication" within the meaning of the SCA.
Think of it this way, football fans: can you intercept a passed football after it has been caught? While it's true that you might be able to force a fumble, this aint an interception (even if the result on the scoreboard is the same).
In this case, Plaintiff's emails were sitting on her computer on the ACME network. Defendant had to illicitly use Plaintiff's password to get at them, and after Plaintiff had changed the password, Defendant was closed out. The emails had reached their destination server; thus, Plaintiff had not alleged facts pursuant to which an ECPA claim could be successful. The Court dismissed this cause of action.
Here is another place I got confused. You see, if it were the police that wanted access to this email, the fact that Plaintiff had not opened the email would be relevant. If the email has been unopened for less than 181 days, the police needs a warrant to gain access to it. If the email has been opened or it's been more than 181 days, the police needs a subpoena. 18 U.S.C. § 2703(a) & (b). But all of this is irrelevant as there are no police involved in this scenario. And as the Court notes, all of this falls under the Stored Communications Act – not ECPA.
Let's see what today's lesson is: "Wheel of Morality, turn, turn, turn - Tell us what lesson we should learn." [Whirl, Click, Click, Clock]: Attorneys should not be permitted to marry.