There's legal hardball, and then there's legal lunacy, and Alvin Farey-Jones just got an expensive lesson in the difference. In the course of a lawsuit against a company named ICA, he sent a subpoena to ICA's ISP, asking for all of ICA's email. The ISP complied.
The Ninth Circuit has just ruled
that Farey-Jones's actions could constitute a violation of both the Computer Fraud and Abuse Act, which prohibitions "unauthorized access" to computer systems, and the Stored Communications Act, which does the same for electronic communications.
Opinion here, SecurityFocus story here, and more inside . . .
Now, this kind of subpoena, in addition to being ridiculously overbroad, is "patently unlawful," in the words of the trial judge. In a civil lawsuit, you're supposed to ask the other side for the documents you need. If they don't give them to you, you're supposed to ask the judge to make them give them to you. You don't just go running around telling your opponent's friends and business partners to turn over everything in their files to you or else . . . .
But did you know that fact already? Until I took Civil Procedure in my first semester of law school, I sure didn't. And did you know that if someone socks you with an obviously invalid subpoena and you fight to quash it ("quash" has to be one of my favorite legal terms), you can recover your legal fees from them? NetGate either didn't know these rules, or decided that the expense of standing up to protect its users' rights was too great to justify the risk. All it did was ask Farey-Jones to pay for its expenses in turning over a huge volume of email, most of it personal and unrelated to the lawsuit.
So one the one hand, every time you trust an ISP or someone else on the Net with your information, you really are trusting them; NetGate, like so many others, turned out to be pretty mushy about protecting its customers' privacy rights. And on the other hand, NetGate, like so many others, got scared by a document written in complex language on legal letterhead ("It was a piece
of paper masquerading as legal process.") and did what it said, without even consulting a lawyer. Lack of privacy and abusive subpoenas: these are exactly the causes about which, say, EPIC and Chilling Effects have been making noise.
Anyway, when ICA found out about Farey-Jones's actions, they went to the judge, who did exactly what he should have done within the context of the ongoing case. He quashed the subpoena and fined Farey-Jones $9000 to cover the expense of quashing it, in addition to handing down a severe tongue-lashing.
But then ICA, and those of its employees whose emails had been turned over, turned around and filed a second suit, this one under the various federal computer security and privacy laws. It was this suit that the Ninth Circuit today said could proceed.
The first major issue (or, more accurately, the first issue that I find particularly interesting) was whether NetGate's ability to object to the subpoena mattered. Farey-Jones had argued that his "access" to the emails was "authorized" because NetGate had turned them over due to its mistaken understanding of the relevant laws. The court, however, pointed out that this mistake was cause by Farey-Jones's deceit. This point -- that "consent procured by known mistake" doesn't count as permission for purposes making your actions okay -- showed up in Robert Morris's prosecution for guessing other people's passwords when he released his infamous worm, and seems to be the federal judiciary's standard line on exploiting security holes.
The other striking thing about the case is Farey-Jones's main line of defense. He tried to rely on a line of First Amendment cases called Noerr-Pennington that protect people from legal retaliation for the act of petitioning the government. I have to say, if you have to rely on Noerr-Pennington in a civil lawsuit against another private party, you might as well settle. You're not going to win.
The core of Noerr-Pennington is that the government can't make it illegal to file certain kinds of lawsuits, or to go through the necessary prerequisites of filing one. Thus, for example, it's not a violation of antitrust law to get together with your competitors to draft a common lawsuit. If antitrust law were to prohibit you from gathering together, it would stop you from pursuing your full legal rights and deprive you of access to the legal system; the Supreme Court has interpreted the "right to petition the government for redress of grievances" (you know, the part of the First Amendment that everyone always forgets about) as creating a carve-out from antitrust law. It operates similarly anywhere a law intrudes on your ability to communicate with government officials or to take advantage of governmental processes.
A few final notes on the case. The oral arguments were held at Boalt Hall (the law school at Berkeley); I bet they were particularly fun to watch. Especially because the opinion was written by Judge Alex Kozinski, who wrote the opnion in the Barbie-doll trademark and New Kids on the Block trademark case, among many other incredibly well-written opinions. The following passage from this one is already getting forwarded around extensively, and stands as a good summation of the dangers of subpoenas:
The subpoena power is a substantial delegation of authority
to private parties, and those who invoke it have a grave
responsibility to ensure it is not abused. Informing the person
served of his right to object is a good start, see Fed. R. Civ.
P. 45(a)(1)(D), but it is no substitute for the exercise of independent
judgment about the subpoena’s reasonableness.
Fighting a subpoena in court is not cheap, and many may be
cowed into compliance with even overbroad subpoenas, especially
if they are not represented by counsel or have no personal
interest at stake.
RIAA take note.