By Ellen Nakashima
Washington Post Staff Writer
Wednesday, August 6, 2008
A federal appeals court in California is reviewing a lower court's definition of "interception" in the digital age, in a case that some legal experts say could weaken consumer privacy protections online.
The case, Bunnell v. Motion Picture Association of America, involves a hacker who in 2005 broke into a file-sharing company's server and obtained copies of company e-mails as they were being transmitted. He then e-mailed 34 pages of the documents to an MPAA executive, who paid the hacker $15,000 for the job, according to court documents.
The issue boils down to the judicial definition of an intercept in the electronic age, in which packets of data move from server to server, alighting for milliseconds before speeding onward. The ruling applies only to the 9th District, which includes California and other Western states, but could influence other courts around the country.
In August 2007, Judge Florence-Marie Cooper, in the Central District of California, ruled that the alleged hacker, Rob Anderson, had not intercepted the e-mails in violation of the 1968 Wiretap Act because they were technically in storage, if only for a few instants, instead of in transmission.
"Anderson did not stop or seize any of the messages that were forwarded to him," Cooper said in her decision, which was appealed by Valence Media, a company incorporated in the Caribbean island of Nevis but whose officers live in California. "Anderson's actions did not halt the transmission of the messages to their intended recipients. As such, under well-settled case law, as well as a reading of the statute and the ordinary meaning of the word 'intercept,' Anderson's acquisitions of the e-mails did not violate the Wiretap Act."
Anderson was a former business associate of an officer for Valence Media, which developed TorrentSpy, a search engine that helped users find "torrents," or special data files on the Internet that can be used to help download free audio, software, video and text. According to court documents, Anderson configured the "copy and forward" function of Valence Media's server so that he could receive copies of company e-mail in his Google mail account. He then forwarded a subset to an MPAA executive.
The documents sent to the MPAA included financial statements and spreadsheets, according to court papers. "The information was obtained in a legal manner from a confidential informant who we believe obtained the information legally," MPAA spokeswoman Elizabeth Kaltman said.
Valence Media alleged that the MPAA wanted those documents to gain an advantage in a copyright infringement lawsuit against the company and its officers.
"The case is alarming because its implications will reach far beyond a single civil case," wrote Kevin Bankston, a senior attorney for the Electronic Frontier Foundation in a friend-of-the-court brief filed Friday. If upheld, the foundation argued, "law enforcement officers could engage in the contemporaneous acquisition of e-mails just as Anderson did, without having to comply with the Wiretap Act's requirements." Those requirements are strict, including a warrant based on probable cause as well as high-level government approvals and proof alternatives would not work.
Cooper's ruling also has implications for non-government access to e-mail, wrote Bankston and University of Colorado law professor Paul Ohm in EFF's brief. "Without the threat of liability under the Wiretap Act," they wrote, "Internet service providers could intercept and use the private communications of their customers, with no concern about liability" under the Stored Communications Act, which grants blanket immunity to communications service providers where they authorize the access.
Individuals could monitor others' e-mail for criminal or corporate espionage "without running afoul of the Wiretap Act," they wrote.
"It could really gut the wiretapping laws," said Orin S. Kerr, a George Washington University law professor and expert on surveillance law. "The government could go to your Internet service provider and say, 'Copy all of your e-mail, but make the copy a millisecond after the email arrives,' and it would not be a wiretap."
In August, 2007, Valence Media shut down TorrentSpy access to the United States due in part to concern that U.S. law was not sufficiently protective of people's privacy, according to its attorney, Ira Rothken.
The Electronic Privacy Information Center also filed a friend-of-the-court brief Friday, arguing that Congress intended to cover the sort of e-mail acquisition Anderson engaged in.