Security Focus updates us on issuing subpoenas to ISPs for email messages.
Kevin Poulsen writes (excerpt):
A federal appeals court has declined to reverse last year’s decision that the issuance of an egregiously overbroad subpoena for e-mail can qualify as a computer intrusion in violation of anti-hacking laws, despite an argument by the Justice Department that a side-effect of the ruling has already made it harder for law enforcement officials to obtain Americans’ private e-mail.
The defendant in the case, Alwyn Farey-Jones, was embroiled in commercial litigation with two officers of Integrated Capital Associates (ICA) when he instructed his then-attorney, Iryna Kwasny, to send a subpoena to the company’s Internet service provider — California-based NetGate. Under federal civil rules, a litigant can issue such a subpoena without prior approval from the court, but is required to “take reasonable steps to avoid imposing undue burden or expense” on the recipient.
“One might have thought, then, that the subpoena would request only e-mail related to the subject matter of the litigation, or maybe messages sent during some relevant time period, or at the very least those sent to or from employees in some way connected to the litigation,” reads last August’s decision by the 9th Circuit Court of Appeals. Instead, the subpoena demanded every single piece of e-mail ICA’s officers and employees had ever sent or received.
By the time ICA learned of the subpoena, NetGate had already provided Farey-Jones with a sample of 339 e-mails from ICA — most of them unrelated to the matter under litigation, and many of them privileged or personal. When ICA found out, they quickly got the subpoena quashed. An outraged district court magistrate termed the subpoena “massively overbroad” and “patently unlawful,” and hit Farey-Jones with over $9,000 in sanctions.