by Paul Ducklin
This week’s fascinating Friday fable reaches back nearly a decade, and is a reminder of how hard it can be to decide what wrong has been done, if any, in court cases that deal with what most people would call “hacking”.
The story of the original court case is simply told, and it goes like this.
In late 2013, X was brought in as an IT manager for a city in the state of Georgia in the US, supposedly to “increase the reliability and efficiency of the City’s computer system.”
X seems to have decided that Y’s work wasn’t up to scratch, and “criticized Y’s work performance, which led to an argument and a loud outburst from Y.”
The outcome of this, it seems, is that Y had some of his IT powers reduced for security reasons, and sadly ended up getting fired in mid-2014.
A couple of months after Y’s departure, X received an email from another colleague, whom we shall call Z, and replied as he normally would…
…only to receive a “bounce” message (a delivery failure) from a mysterious external email address, Q.
You can probably guess what was going on here.
Back in 2013, presumably before his administrator privileges were revoked but after their falling-out, Y had modified X’s email account settings so that a copy of all X’s incoming email messages would be sent to the mysterious outside address, Q.
Q, it transpired, was not only operated by Y but also had been “routinely accessed from his cellphone.”
As you probably know, abusing built-in mail forwarding rules in email systems is a common trick used by cybercrooks to keep tabs on what their victims are up to, especially in so-called Business Email Compromise (BEC) scams.
BEC criminals typically monitor messages to senior figures in a company, such as the CEO or CFO, so that they have first-hand information about major financial milestones.
When huge invoices are due (or, in one notorious case, when a multimillion-dollar major league soccer transfer was about to conclude), the crooks make their play to get some or all of the money redirected to a bogus account.
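The forwarding trick described above leaves an auditable trace: a rule or mailbox setting whose target lies outside the organisation’s own mail domains. The following Python script is an added example, not code from the original article or from any mail product; it assumes a constructed export of per-mailbox forwarding settings (the field names, the domain “city.example” and the addresses are all made up for illustration) and flags every enabled forward or copy whose destination is not an internal domain, which is exactly the kind of check that would have caught the copying of X’s mail long before a stray bounce message did.

```python
"""Audit mailbox forwarding settings for copies sent to external addresses.

Added example: the record format below is a constructed stand-in for whatever
your mail platform exports (inbox rules, SMTP forwarding addresses, and so on).
"""
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"city.example"}


@dataclass
class ForwardingSetting:
    mailbox: str            # owner of the mailbox being forwarded
    source: str             # "inbox_rule" or "mailbox_forward" (constructed labels)
    name: str               # rule name or setting description
    targets: list = field(default_factory=list)  # recipients of the copy/redirect
    enabled: bool = True


def domain_of(address: str) -> str:
    """Return the lower-cased domain part, or '' if the address has no '@'.

    A target with no domain cannot be proven internal, so it is treated as external.
    """
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def audit_forwarding(settings, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled setting that sends mail outside the org."""
    findings = []
    for s in settings:
        if not s.enabled:
            continue
        external = [t for t in s.targets if domain_of(t) not in internal_domains]
        if external:
            findings.append({
                "mailbox": s.mailbox,
                "source": s.source,
                "name": s.name,
                "external_targets": external,
            })
    return findings


# Constructed sample export: one quiet copy-to-outside rule (the pattern in the
# story), one legitimate internal delegation, and one disabled external forward.
SAMPLE_SETTINGS = [
    ForwardingSetting("x@city.example", "mailbox_forward",
                      "deliver to mailbox and forward", ["q@webmail.example"]),
    ForwardingSetting("x@city.example", "inbox_rule",
                      "copy invoices to assistant", ["assistant@city.example"]),
    ForwardingSetting("z@city.example", "inbox_rule",
                      "old vacation forward", ["z.home@webmail.example"], enabled=False),
]


def audit_sample():
    return audit_forwarding(SAMPLE_SETTINGS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['mailbox']}: {f['source']} '{f['name']}' -> {f['external_targets']}")
```

Run it against your own export, and review any hit on a mailbox whose owner did not create the setting themselves; a disabled rule still deserves a look, since an administrator who can add a forward can also re-enable one later.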
In this case, the siphoning off of X’s emails had been orchestrated unsubtly enough that it eventually drew attention to itself when one of X’s reply-to-alls failed to reach the unexpected additional recipient.
Unsurprisingly, perhaps, Y was prosecuted, convicted by a jury of “computer trespass”, and sentenced to 10 years’ probation.
Given that there is no suggestion that Y didn’t actually do what was described above – namely, use his Administrator powers to get copies of his boss’s emails – this probably sounds like an open-and-shut case.
However, Y has very recently, nearly eight years after the incidents described above, had his conviction set aside by the Supreme Court of Georgia.
The legal report from the hearing makes fascinating reading, albeit that it is both lengthy (at 36 pages) and full of legal jargon, such as:
The fundamental rules of statutory construction require us to construe [a] statute according to its own terms, to give words their plain and ordinary meaning, and to avoid a construction that makes some language mere surplusage.
In plain English, the judgement focuses on whether the plain-English meaning of the words “obstruction” and “interference”, as used in Georgia’s Computer Trespass law, actually applies in this case.
Did Y’s actions – siphoning off and looking at someone else’s business email, even after his employment at that company had ended – really amount to obstruction, given that no emails were actually impeded?
The court, it seems, decided that Y didn’t obstruct or interfere with anything, so that whatever he did, it wasn’t Computer Trespass, even though the judgement expressly notes that “[i]t is undisputed that Y did not have authority or permission to forward X’s e-mail.”
Ironically, the judgement mentions in one of its footnotes that Y could have been charged under a nearby part of Georgia law that uses rather different words, perhaps with a different final outcome.
That part of the Georgia computer crime statutes criminalises “us[ing] a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority.”
Interestingly, three of the judges on this case dissented from the majority opinion, remarking that:
By manipulating the data stream to give himself access to X’s e-mails, Y intermeddled in the affairs of others and the data intended to go to others with neither authority nor invitation. As such, there was sufficient evidence to support a finding that Kinslow interfered with the use of the City’s computer program and its data.
Additionally, the dissenting judges criticised the majority opinion with these intriguing words:
The majority opinion educates wrongdoers that they are better off from both a detection standpoint and from prosecution as a matter of law if they simply copy data rather than block its delivery.
We can’t help but wonder whether the dissenters were alluding to contemporary ransomware attacks here, where data is often both copied, or “stolen” as you or I might say (which does not prevent the owner of the data from continuing to use it), and scrambled (which does).
What do you think?