Short answer: Pretty much no.
The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:
This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
The recent controversy over whether the FBI and/or the NSA is behind the recent Tor anonymity compromising brings this question up. So we can cut right to the question of whether that conduct is outside this exception to the CFAA, in that it is not a “lawfully authorized” law enforcement activity. Given the nuance and complexity of these issues, we should not expect easy answers.
Two members of an LLC sued another member and the company’s manager of information services alleging violation of the Stored Communications Act, 28 U.S.C. 2701 et seq. Defendants moved to dismiss for failure to state a claim. The court denied the motion.
Plaintiffs alleged that the LLC’s operating agreement required “Company decisions” to be made based on four of the five members voting in favor. The company had no policy in place authorizing the search and review of employees’ email messages, nor did it inform employees that their email may be accessed. Plaintiffs did not consent to their emails being searched and reviewed.
In connection with a dispute among the LLC members, one of them allegedly (in cooperation with the manager of information services) accessed the company’s email server using administrative credentials. She allegedly performed over 2,000 searches, retrieving other members’ communications of a personal nature, as well as communications with those members’ legal counsel.
Defendants moved to dismiss under 12(b)(6), arguing that plaintiffs could not show the access was unauthorized. Defendants argued that there was no electronic trespass, as the access was accomplished simply by company procedure.
The court rejected defendants’ arguments, finding that plaintiffs had sufficiently alleged an SCA violation, since plaintiffs had not consented to the access, and because no policy existed permitting an individual to search and review emails of members or employees absent the four-fifths approval required by the operating agreement.
Joseph v. Carnes, 2013 WL 2112217 (N.D.Ill. May 14, 2013)
Huntington Ingalls Inc. v. Doe, 2012 WL 5897483 (N.D. Cal. November 21, 2012)
A federal court in California has allowed a party to subpoena Google to learn the identity of a Gmail account owner, even though that owner did nothing to involve himself in the dispute.
A contractor that plaintiff hired accidentally emailed “property” belonging to plaintiff to the wrong email address. (The court’s opinion is not clear on the nature of this “property,” but we are safe in assuming it was some sort of proprietary information.) Plaintiff sent messages to the Gmail account seeking return of the property, but the unknown account owner did not respond.
Plaintiff filed suit in federal court against the anonymous account holder (John Doe) seeking declaratory and injunctive relief (i.e., to get the property back). Since plaintiff did not know Doe’s identity, it sought expedited discovery so that it could subpoena Google for the identifying information.
The court granted the motion for leave to send the subpoenas. It found that:
- without the subpoena, plaintiff would have no other way to obtain “this most basic information”
- the subpoena was the exclusive means available to plaintiff to protect its property interest
- plaintiff’s proposed procedure guarded Doe’s due process rights by requiring Google to give Doe notice of the subpoena and an opportunity to object
The court’s opinion shows how any privacy interest in one’s email account information is tenuous at best. In this situation, the target of the unmasking efforts was, as they say, minding his own business, not doing anything to inject himself into any dispute.
Moreover, unlike many previous cases in which courts have required the party seeking discovery of an anonymous party’s identity to put forth facts showing it has a good case, there was no claim here that Doe did anything wrong. Instead, it was the sender’s mistake. One could find it unsettling to know that other peoples’ errors could cause a court to order his or her identity to be publicly revealed.
Photo courtesy Flickr user Bart Heird under this Creative Commons license.
AllianceBernstein L.P. v. Atha, — N.Y.S.2d —, 2012 WL 5519060 (N.Y.A.D. 1 Dept., November 15, 2012)
Plaintiff sued its former employee for breach of contract alleging he took client contact information on his iPhone when he left the job. The trial court ordered defendant to turn the iPhone over to plaintiff’s counsel so plaintiff could obtain the allegedly retained information.
Defendant sought review of the discovery order. On appeal, the court reversed and remanded.
The appellate court found that the lower court’s order that defendant turn over his iPhone was beyond the scope of plaintiff’s request and was too broad for the needs of the case. Ordering production of defendant’s iPhone (which, the court observed, has built-in applications and internet access) “was tantamount to ordering the production of his computer.” The iPhone would disclose irrelevant information that might include privileged communications or confidential information.
So the court ordered that the phone and a record of the device’s contents be delivered to the court for an in camera review to determine what, if any information contained on the phone was responsive to plaintiff’s discovery request.