Court Says Sending Too Many Emails To Someone Is Computer Hacking
from the you-can't-be-serious dept
Okay, the courts are just getting out of hand when it comes to the Computer Fraud and Abuse Act (CFAA), which is supposed to be used against cases of malicious hacking. Most people would naturally assume that this meant situations in which someone specifically broke into a protected computing system and either copied stuff or destroyed stuff. And yet, because of terrible drafting, the law is broad and vague and courts are regularly stretching what the CFAA covers in dangerous ways.
The latest example, found via Michael Scott is that the Sixth Circuit appeals court has overturned a district court ruling, and is now saying that a labor union can be sued for violating the CFAA because it asked members to email and call an employer many times, in an effort to protest certain actions. Now some of the volume may have hurt the business, but does it reach the level of hacking? What’s really troubling is even just the focus on emails:
The e-mails wreaked more havoc: they overloaded Pulte’s system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte’s employees could not access business-related e-mails or send e-mails to customers and vendors
So… because Pulte’s IT folks set up their email boxes such that they could only hold a certain number of emails, suddenly this raises to the level of “hacking”? That seems like a stretch, and you can definitely see how such a rule can and likely will be abused. Especially since the court made some very broad statements, including:
[We] conclude that a transmission that weakens a sound computer system?or, similarly, one that diminishes a plaintiff?s ability to use data or a system?causes damage.
Broad enough for you? I can see this ruling being cited in all sorts of abusive trials now.
Comments on “Court Says Sending Too Many Emails To Someone Is Computer Hacking”
It’s definitely an abuse of computers. Well, their ports anyway.
What an outrage
Quickly, everybody flood the judge’s email inboxes with messages of protest over this decision!
Re: What an outrage
The email should read: Techno-idiot judges should not rule on technology cases.
It’s a lost cause, though. I doubt he reads email. He might have a secretary that prints them for him though.
Re: Re: What an outrage
Nah, she takes a picture of the screen, then brings the film to Wal-Mart for 1-hour printing.
Also… hahaha, remember film?
Re: Re: What an outrage
Cally O’Neal can print my emails any day…
Re: What an outrage
“Quickly, everybody flood the judge’s email inboxes with messages of protest over this decision!”
And pray the justice system is still on Exchange 2003. We can reach that 75GB limit in minutes and be hackers all of us…..
Re: Re: What an outrage
Pfft you can just patch Exchange’03 for file-system size infostores.
Re: Re: What an outrage
That assumes that they have moved beyond using 40GB hard drives, and with as up to date as they seem to be on technology, I am not sure they would have.
I also think Dave above might be on to something there.
Re: What an outrage
Careful or you’ll end up with a charge for solicitation of computer hacking of a federal judge.
Soon
Sending email to incompetent people in general will also be punishable as hacking…
It seems like a pretty good ruling, because the intention of flooding the email was to limit it’s functionality and to cause the computer(s) in question to be of diminished use. While it isn’t a hack in the sense of breaking in, it isn’t anything other than a form of DoS – which is hacking in the legal sense.
Sorry Mike, you are out to lunch on this one too.
Re: Re:
9/10
Re: Re: Re:
Umm actually its not. Ask the Consumerist if email carpet bombs are illegal. They do it every day.
Re: Re: Re: Re:
Err, I assume you’re referring to their EECB – Executive Email Carpet Bombs. Those are where you send one well written email to a company’s CEO and other executives in order to get an issue addressed when normal channels have failed.
Re: Re: Re:2 Re:
Yeah, its speech. Im pretty sure the First Amendment doesnt have a volume control on it, so if one is legal sos the other.
Re: Re: Re:3 Re:
Sorry. The email server must not be in the “Free Speech Zone”. You know the holding area they setup whenever the President comes to down. The one across the river on the other side of town.
Re: Re:
A+. I could almost feel my brain leaking out my ears as I read it.
Re: Re:
Having your tiny inbox flooded by protests doesn’t very well fit the description of a DOS attack. Perhaps the “victim” should increase the inbox size limit. And implement some basic spam filtering too.
Re: Re:
+1 on this assessment!
Re: Re:
Do you have any concept of how email systems work? I have our spam box setup to temporarily block an address if it sends more than 500 emails per second. There is simply no way that a group of people could send enough emails written by hand to cripple a system. It’s about time judges start hiring geeks to act as translators.
This case is more akin to those jackass merchants leaving a flier under my windshield wiper. It’s annoying but not illegal.
Re: Re: Re:
Do I have a concept how email systems work? Umm, yeah.
First off, since email headers can (and usually are) faked, it isn’t hard for someone to send all those emails apparently from different addresses, with slight differences in subject line that would make it very hard to simply filter.
Second, your email server still has to process the mail. If you are using server based rule systems, the server still has to accept the connection, take the mail, process it, etc. If you are using “PC based rules” (spam filters in your local system) you still have to actually download all the mail from your email server and process it.
Third, a basic DoS attack is just overwhemling a computer with too many requests or too much traffic. If your PC is spending most of it’s time filtering spam, downloading messages, and not being available to do what you want, then the email is a DoS.
I have seen it done, it isn’t hard to tear down an email server and make it puke it’s internals on the floor from too much traffic. That is a basic DoS method.
Re: Re: Re: Re:
You dont know a lot about Spam filtering do you? Most, if not all, enterprise spam filtering is done on a firewall, then the Exchange server looks over the non-spoofed messages and does a content scan, then it submits the email to the user’s inbox. If, as they claim, that the ‘inbox’s were being stuffed then the email system NEVER WENT DOWN. Which is funny, they just didnt have the manpower to read all the emails. Thats it. So apparently if you cause a company to have to hire more people to read paperwork, you are hacking. I guess lawyer filed motions are now illegal…
Re: Re: Re: Re:
But you’re evading the basic premise. 20 years ago 10,000 emails over the course of an hour would not have been enough to cripple a decent server. If we were talking about computer generated messages sent thousands of times per second I’d be on your side. But I stand by my original statement, there just isn’t a way for human beings to take down an email system without help, we’re simply not fast enough.
Re: Re: Re:2 Re:
What basic premise? That sending more than a normal amount of emails to a system is enough to slow it down? That email, on a shared (and possibly already busy) server may be enough to deny access, or at least slow it?
I am not getting where you are going here. They sent the emails with the intention of loading down the system. That is pretty much a basic DoS, no matter how successful or not it is.
As for human power, would you care to explain how LOIC works?
Re: Re: Re:3 Re:
What is a normal amount of emails?
Re: Re: Re:3 Re:
Uh…
LOIC is automated, because no human has the will to refresh a web page 10 times per second for hours….
The whole point of LOIC is to make an impact by exceeding the parameters at which a human operates.
Following your line, demonstrating outside a business so that workers and customers are inconvenienced is also DoS and should be considered hacking?
Or to highlight – what if the business behaved like jerks and got tons of customer complaints. Would the angry customers then be sued for hacking? And is that reasonable?
Re: Re: Re:3 Re:
They sent the emails with the intention of loading down the system.
Did they? Was that cited in the ruling? I am admittedly too lazy to wade through the legalese, but the writeup didn’t mention anything about their intent.
Re: Re: Re:3 Re:
> I am not getting where you are going here.
> They sent the emails with the intention of
> loading down the system
Or they sent the emails with the intention of making the company aware of the strength in numbers of those who oppose their policies. (Which is much more likely to be the case, by the way.)
Re: Re: Re:
This whole subthread is a fairly major case of focusing on minutiae. Is how Exchange filters spam relevant to this?
Re: Re:
Masnick, kindly post an article discussing how the world is irrefutably “round”. If the phrasing is suitably antagonistic and contains some legalese, I believe AC will rebut before recognizing the honeypot.
Re: Re:
While I haven’t read the whole thing I would think that if they were encouraged to call and email to voice their protest that would be ok.
If they were encouraged to do it specifically to bring down the system the fuckem.
Re: Re:
Wouldn’t ‘a form of DoS’ require that a service actually be denied? Did the e-mail ‘service’ actually get ‘denied’ or was the inbox just full? They’re not the same things technically or legally.
Re: Re: Re:
Do you technically or legally have to do anything else than fill up someone’s inbox to deny them email service? They’re not getting any mail because you’ve filled up their inbox.
Re: Re:
> It seems like a pretty good ruling, because
> the intention of flooding the email was to
> limit it’s functionality and to cause the
> computer(s) in question to be of diminished use
How do you know that was the intention?
Sounds to me like the intention was to show the company how many people are upset with their actions. Just like when Rush Limbaugh (or Michael Moore, to be non-partisan) exhorts his listeners to call their congressman about one thing or another. It’s not to overload the switchboard and bring business to a halt, but to make sure the politicians know the strength of public opinion.
Re: Re:
If physical letters were sent, overwhelming the company’s mail room staff would that also be hacking? The was no attempt to overcome a system, it’s simply mail.
Re: Re:
There is a requirement that the system under question be “sound.” A system not designed to handle spikes in this day and age can hardly be considered sound
Re: Re:
Comparing high email volume to a DoS attack illustrates the authors point beautifully. People that have no idea what they’re talking about have no business weighing in on a given issue.
Re: Re:
It seems like a pretty ridiculous ruling, because the intention of flooding the email was NOT to limit its functionality or to cause the computer(s) in question to be of diminished use. Instead, the intention was merely to communicate, which is not illegal yet. It is also unreasonable to make this ruling based on the fact that a reasonable person would not expect that sending large numbers of emails would deleteriously impact either the individual receiving mailboxes or the servers that provide the mail service, so the intent to cause damage does not exist. It isn’t DoS, it isn’t B&E, and it isn’t even harrassment. The decision is groundless on its face and will be overturned.
Key word being "sound"
How is an email system that goes down in this situation “sound”?
Re: Key word being "sound"
It’s obviously being hosted on a Windows box (I kid, I kid!).
Re: Key word being "sound"
+1
Re: Key word being "sound"
exactly! a system that can be tampered with is not sound.
Re: Key word being "sound"
If a sound email system falls down, does it make a sound?
inciting an email riot?
so, when MoveOn emails its constituency and tells them to email their elected officials, are they going to be found liable too?
seems to me like this could bump right into free First Amendment law.
Re: Re:
This was my thought too. How about when Rush campaigns to have every one of his 10 Million + listeners call in and tell Congress what they think. He’s caused them untold headaches before.
On the other hand, the Union hired an autodialer to spam the voicemail. And when Pulte came to them 4 days later the union refused to stop. I think the email claims are garbage of a poorly designed network, but the phone may have been what pushed them over the line.
Re: MoveOn
“[We] conclude that a transmission…that diminishes a plaintiff?s ability to use data or a system?causes damage.”
Under that logic, and assuming the brain is classified as a system, MoveOn could be sued for a multitude of infringements that diminish its constituents’ ability to use their systems… pretty much any time they say something.
So the way this was written, its not hacking if the inbox you’re flooding has excess capacity…
Jesus! I’ve just found out I’m a hacker!
I remember a time when I was trying to watch some streaming online and after a few reloads the servers went unresponsive! I need to hide!
/derp
If memory serves it was some fashion related event (back when streaming was actually in its infancy) and they had predicted x visitors but received 10x visitors and system went boom. 1.5 million simultaneous accesses if memory serves. All of them hackers!
Re: Re:
Oh snap! Every time I read a story on Slashdot I’m contributing to a DOS too! Looks like I’ll be serving some hard time.
Re: Re:
If memory serves it was some fashion related event
The only fashion related event that could generate that many views (especially back then) was probably the Victoria’s Secret event.
I think I remember helping to crash that one, too.
Limits the number of e-mails in an inbox?
It sounds like Pulte could use some improvements in the design of its e-mail system.
I once used an eff.org link to e-mail my congressman. Guess I’m p 1337, eh guys?
slashdot effect?
From this ruling we can conclude that it is illegal for slashdot (or any other high-trafficked websites) to publish any outbound links.
Re: slashdot effect?
Christ, it might be illegal to use google! Just think how many other people are submitting queries at the same time!
Re: Re: slashdot effect?
Yeah, but Google isn’t hosted on Windows.
judgement was sound
the law may be interpreted widely, but the union used a auto dialing service to overload the computer system.
The union is able to protest but at some point, sending way too email and way too many phone calls become harassment. Freedom of speech doesn’t allow you to yell fire in a theater.
Re: judgement was sound
Harassment is not the same as hacking.
Re: judgement was sound
Free speech DOES allow you to yell ‘fire’ in a theatre, there just has to be a fire. Sounds to me like the difference here would depend on if the union were performing its duties like this, or getting revenge for something.
Re: Re: judgement was sound
There doesn’t have to be a fire at all. the first amendment doesn’t say “freedom of speech, well except the words ‘fire’, ‘bomb’, ‘gun’, when expressed loudly in public places were that word doesn’t exist” it says “…Freedom of Speech…”
However you may be brought up on charges of inciting a riot, or inciting a panic, disturbing the peace kinds of laws. However you freedom of speech is uninhibited.
Re: Re: Re: judgement was sound
If there were a law that said you can criticize the government all you want, but you can be charged with sedition if you do, would you say your freedom of speech is uninhibited? The fire in a crowded theater example is specifically recognized as a limitation on freedom of speech, and there are others.
Re: judgement was sound
no one yelled fire, they said “stop doing (enter issue here) because it’s wrong”. since when were companies immune to the actions of free speech? As a citizen, I have to tolerate all kinds of free speech, like the abortion protestors who put up signs of dead babies and fetuses on busy highways where kids see it.
Since companies are people too, shouldn’t they have to put up with the excess of free speech, and if they can’t handle it, then stop what you are doing?
I believe If I tried to sue those protestors i would be laughed out of court, just as this ruling should have been.
Re: judgement was sound
Auto dialing services are a form of hacking now too? Better start getting anyone that’s ever worked as a telemarketer into court on violations of the CFAA too!
Re: @#13 - judgement was sound
Wrong! Use of an autodialer doesn’t constitute hacking, even if the receiving PBX is computer-based, and even if no other calls can get through. Were that the case, anyone who calls your home phone becomes a hacker when a second caller receives a busy signal.
And wrong again! You can yell “fire” in a theater.
One permissible scenario: when there is a fire.
Two for two. Maybe you should try not facing sunward. Your vision seems to have been impaired.
Re: judgement was sound
Shouting fire in a crowded theatre has nothing do with autodiallers.
I’m sorry, but simply having a large number of people send in emails isn’t hacking. Would it be hacking if thousands of people wrote their Congressman on a certain issue or fans requested a show be brought back? It might be disruptive, but sometimes mass messaging is the only way to get the message that a lot of people care about something across.
Re: Re:
If this judgment stands, then the appropriate way for any coporation to deal with criticism becomes create a mail server with a max inbox size of 1KB and sue anyone who clutters it instead of reading their concerns. Would be perfectly legal.
Re: Re: Quick, Everyone do this NOW.... finally a way to end spam (or at least profit privately from it)
We should all be able to get findings and judgements against all unwanted e-mail spam… which we can use to wallpaper out bathroom…
Ok, while it would be nice, the ones who should be held responsible will just disappear and re-appear with a new name and company and start the same crap over again….
does the judge know what email is? /sarc
Misleading article . . .I expect better of Techdirt
If you read the judgment or more accurate reports you will also see that the court says it’s not illegal access if a public network is used, and the union won this case.
http://www.out-law.com/page-12138
That said, no difference here between what the union did here any any other form of DDOS. Most “hacking” starts with human engineering. . .
Re: Misleading article . . .I expect better of Techdirt
How is this misleading again? Many of the quotes in your article are identical to those in this article. The court’s statements are dangerous no mater what verdict they came to in this case.
Re: Misleading article . . .I expect better of Techdirt
Organizing a protest to send emails alerting an organization that you don’t approve of its policies is human engineering?
Re: Misleading article . . .I expect better of Techdirt
The posting in “out-law.com” misunderstood the court’s judgement. The court was addressing Pulte’s complaint where they claimed both a “transmission” and an “access without authorization” violation in the context of the CFAA. The appeals court agreed with the district court that the access portion of the claim was not valid as LIUNA had a right (i.e. was authorized to) make calls and send emails to Pulte. However, the appeals court reversed the district court’s decision and allowed the transmission claim.
Also, this case is not over. It has been remanded back to the district court.
Didn’t your President also encourage American citizens to make their voices heard in regards to the debt stalemate?
I seem to remember there was a bit of an IT crisis right after..
Now I could see, if the union were aware that there was a limitation on the system, how this ruling would make sense.
Reading the backstory on the case, after 4 days the union was contacted by the company and asked to stop because it was harming the business. They continued. It could be that this point they entered into the arena of using a form of a Denial of Service attack on the company.
Having hired outside robodialers, this was infact the plan of attack the union wanted to use.
A limitation of the email accounts could be seen as a bad system design, but the goal the union had was to cripple the company. After they were aware they had the intended effect, they continued.
This is a delicate matter trying to balance the rights of people to protest, and the rights of a business to be in business.
When people picket, they get arrested if they harass people entering/exiting or block entranceways.
This protest effectively harmed the business by closing it down.
While the law itself might be to broadly worded, it seems like it might have been properly applied in this case. The company was fully aware of the complaints of the union, but continuing knowing that your causing actual harm to the business is just designed to punish the business that if done in real world terms would get you arrested.
But then I might be insane, the jury is still out.
Re: Re:
Any limits set would be simply corporate email policy and should have NO bearing on the rule of law.
Re: Re: Re:
And when your informed your damaging your target by continuing on the same course, we can just ignore that fact?
After 4 days of the systems, email & phone, being overloaded and the union being informed that they were causing damage to the business they are under no obligation to consider what they are doing is harmful?
They were not sued on day 1, 2, 3, or 4. They were sued after they knew that were causing damage to the business they targeted.
While the limits on the email system settings might be debatable, the union caused damage to the business by denying their ability to function. The union was informed of this fact, and continued to inflict harm on the business to make their point.
Did we think the first 100, 1000, 100000 emails were possibly missed?
Because I am sure the robodialer flooding every number for the business made sure to drive that home.
Re: Re: Re: Re:
your
adj yər, ˈyu̇r, ˈyȯr
Definition of YOUR
1
: of or relating to you or yourself or yourselves especially as possessor or possessors , agent or agents , or object or objects of an action
you’re
yər, ˈyu̇r, ˈyȯr, ˌy?-ər
Definition of YOU’RE
: you are
Re: Re: Re: Re:
So which email was the problem? The 101st? The 1001st? The 100001st? Thats the issue. Also, the business was never harmed, they just didnt have the manpower to sort through their email. Thats what harmed the business, not the emails themselves. Notice the server was never brought down. If im emailing someone and they tell me to stop, and I keep emailing them, am I hacking their computer? No. This is most certainly harassment, but civil harassment, not ‘hacking’.
Re: Re: Re:2 Re:
Basically if not having the staff to deal with the influx of communication was liability on the person sending the communication the ENITRE legal system would crumble. The best defense to any suit would be to fire your lawyer and say that the constant influx of motions and suits is harming your business because you dont have anyone to deal with it.
Re: Re: Re: Re:
The cease and desist letter from Pulte said, vaguely, that the calls and emails “prevented Pulte?s employees from doing their jobs”. LIUNA, in fact, claimed in a court filing that they were not informed that their conduct was harmful to Pulte’s computer systems. The appeals court did not argue that LIUNA was informed. Their argument was that knowledge of damage was the wrong standard to show intent. The appeals court said that the proper standard was just to show that LIUNA intended to cause damage. The case has been remanded to the District Court, so the question of intent is still to be decided.
It is possible that LIUNA intended to harass Pulte with a limited DOS attack. It is also possible that DOS wasn’t their goal. You have to take a closer look at what was done.
LIUNA put out a call on their website to make calls to Pulte and to email them. They set up a pre-written letter which any member could click on and cause a separate email to be sent. LIUNA has 500,000 members. Even if all 500,000 sent an email this way, it would be hard to argue that that action was illegal. Such mass, topic oriented, email campaigns are done elsewhere, and should be protected under first amendment freedom of speech. Now, if a single person had caused hundreds, or thousands of emails to be sent, that would be a scenario accurately described as a DOS attack.
The use of an autodialer sounds suspicious. I do not know how it was used. It is possible that the autodialer was used similarly to the emails. The website could have allowed a member to click on a button that caused the autodialer to send a pre-recorded voice message to a Pulte phone number. That would not be much different than the email scenario and should also be protected under the first amendment. On the other hand, if the autodialer was programmed to just automatically, and continuously, call and leave messages, that would be a DOS attack.
An interesting aspect of this case is that even if this was a kind of DOS attack, the capabilities of the computer to resist such damage is taken into account. Pulte claims they had to “shut down their email in boxes”. I am sure what really happens is that once the box is full new incoming emails are automatically discarded. What if the email in-boxes were capable of handling 200,000 messages, would there still be a case? Pulte claimed they could not send emails. That is most certainly wrong. I suspect they were being intentionally vague in describing that they could not respond to emails because it took too much time to filter through the spam or were automatically discarded. If they could still send emails, would there still be a case? finally, any email client or server created in the last decade (at least) is capable of filtering out some spam. The easiest thing to filter out are identical messages all coming from the same address. Most of the emails were from the LIUNA server via their website trigger. If Pulte could have easily filtered out all those emails, why didn’t they and would there still be a case?
My suspicion is that both LIUNA and Pulte are harassing each other in anyway they can. The fact that Pulte is using the court system for a case that shouldn’t really exist may be legal but is unethical.
Re: Re:
But it still wont be hacking!
Hackers are spinning in their graves over this one.
This diminishes the honorific of “hacker”. No monkey jokes please, this it not nice. This offends the eye.
I could say the same thing about snail mail
Regarding ‘too many e-mails’, the court says:
“[We] conclude that a transmission that weakens a sound computer system ? or, similarly, one that diminishes a plaintiff?s ability to use data or a system ? causes damage.”
Regarding ‘too many advertising flyers’, I say:
“[We] conclude that a transmission that weakens a sound mailbox ? or, similarly, one that diminishes a plaintiff?s ability to use the mailbox or extract mail from it ? causes damage.”
Is there a fundamental difference here? I don’t think so. One claim is as silly as the other.
but wouldn’t messages from employees be “business-related”
did i misunderstand? is the union not affiliated at all with the employer?
unless they were threatening, malicious… but at that point, shouldn’t the person sending the threats be liable?
why should the union be liable for the actions of its members… or is that one of the drawbacks of being a union?
I also fail to see how the law was broken.. even if it is read incredibly broad. The article makes it seem like the employees could still access and use the communication systems and that the system was working just as it should.
Re: Re:
None of Pulte’s employees were members of LIUNA. LIUNA argued that the call and email campaign was part of their normal organizing efforts. That does not ring true and the appeals court pointed out that the sales office and 3 executives were the target and not potential union recruits. However, there should be a freedom of speech argument in allowing union members (500,000 of them) to voice their displeasure with a company seen as anti-union. The court is saying that collective campaign, organized by LIUNA, could be intended by them just as a form of harassment against Pulte. Since the form of harassment here affected Pulte’s computers negatively, that is a (civil, at least here) violation of the CFAA. Even a slowdown of the computer or forced discarding of incoming email is considered damage.
Maybe we should flood the judge’s inbox; then we can sue his stupid self for wasting resources on such judgements…
I understand it may be a DoS but it was not malicious nor should it of cause a DoS…called lousy thought process by the company
Re: Re:
Did it become malicious when after 4 days of flooding the systems, the union was informed they had shut the business down with these tactics and were asked to stop and continued anyways?
Re: Re:
“then we can sue his stupid self for wasting resources on such judgements…”
Interesting idea, the ability to sue judges for bogus rulings, that might get them to consider getting aid from some experts on rulings outside their expertise.
The court never says anything about hacking
I agree that the CFAA is poorly drafted (and dangerously amended to include private computers–originally it was only addressed to government computers). But nowhere in the opinion does it say that the labor union conducting hacking, or that “sending too many emails to someone is computer hacking.” Hacking doesn’t even appear in the opinion.
The decision says the union violated the CFAA. You say that the CFAA is supposed to protect against hacking, but hacking doesn’t appear in the statute either.
Re: The court never says anything about hacking
The CFAA was drafted to prevent data theft, which was the only conceivable way a hacker could impact a business in the early – mid 90s. Its hopelessly outdated and has no bearing on the modern world.
Re: The court never says anything about hacking
I agree that the CFAA is poorly drafted (and dangerously amended to include private computers–originally it was only addressed to government computers). But nowhere in the opinion does it say that the labor union conducting hacking, or that “sending too many emails to someone is computer hacking.” Hacking doesn’t even appear in the opinion.
The decision says the union violated the CFAA. You say that the CFAA is supposed to protect against hacking, but hacking doesn’t appear in the statute either.
Mike, of course, made up the part about “hacking” for effect. The court did not say it’s hacking. Did you expect any more from him? He blows most things out of proportion.
Computer Hacking via emails
I agree with the judge on this one. Sending massive amounts of emails is clearly a tactic intended to deny email to the person or business being attacked. It seems to be the same type of attack as a denial of service.
Amusing
I have nothing to say about the court case. I cannot speak about Pulte, though I do know them well. I just wanted to share an amusing little video from a few years back where Pulte sent in its “street cleaning” truck to break up a protest. Enjoy!
http://www.youtube.com/watch?v=Ml00gVWhSGY
Re: Amusing
Holy god, how was that not assault??
Re: Re: Amusing
I’m pretty sure it is.
Re: Amusing
Seriously, I had to laugh at this. Did they honestly believe that THIS would have been any deterrent? That wasn’t my definition of high pressure, and this was Phoenix, Arizona. In summer, from the looks of it. Yeah, umm… the worker’s joking quote in the subtext, too: ‘This wasn’t what we meant when we ask for drinking water on the job site.’ Assault or not, it was damn funny.
Threats and Vulgar language
Apparently some of these included threats and vulgar language.
There is no need for this, and president Obama just did a similar thing calling for citizens to call congress. In essence this was unsolicited spam email and should be held in the same regard..
Re: Threats and Vulgar language
So all email, unless solicited, is illegal? Wow. Hope you never need tech support……
Re: Re: Threats and Vulgar language
So all email, unless solicited, is illegal? Wow. Hope you never need tech support……
Or Viagra.
Re: Re: Re: Threats and Vulgar language
Or Viagra.
Or tech support for his Viagra.
Does it for the Lulz
So if my cat plays on my keyboard and (not impossible) spams someone, my cat not only “hacked” my computer but “hacked” the recipient? Mathtastic!
So I can use this against spammers, marketers, lawyers, and bill collectors who call too much? Cool.
I can use this
Maybe I can finally get my brother to stop forwarding every piece of email he gets to me.
This might be a bit iffy. If the goal was to flood, this is just a DDoS. If not, this is protected speech.
Yes, it's hacking
It’s called a denial of service attack.
Re: Yes, it's hacking
Even if it were (which it’s not), a DDOS is not “hacking.” Hell, what the media calls “hacking” is not hacking.
Re: Re: Yes, it's hacking
I think we’re eventually going to have to say that the word “hacker” has been warped by common usage.
Yes, it's hacking
It’s called a denial of service attack.
Why has no one compared this to the idea of a sit-in? In the same way that a sit-in overloads normal operating procedures to inhibit business as a form of protest, this block emails from coming in (albeit unintentionally). The way I see it, this is just another form of protest.
Also, I remember a post that was probably on techdirt, but maybe not, that compared DDoS attacks to digital sit-ins.
Re: Re:
hahaha damn you matt beat me by a few minutes on the sit in…
This is ridiculous. I would compare it to the sit in type of protests held during the civil rights era.
Yes, of course it’s meant to disrupt business. How else are you supposed to get their damn attention.
The point is it is a very peaceful and incredibly effective way to get your point across.
Maybe you should address the root cause of this protest instead of the protest itself. If a child is crying because it’s hungry do you spank the child for crying?
I do not like the over-broad reading of this statute but, being an IT guy, I agree with the judges in this case.
Re: Re:
Don’t you mean an “it girl?”
[We] conclude that a transmission that weakens a sound computer system?or, similarly, one that diminishes a plaintiff?s ability to use data or a system?causes damage.
A sound “computer system” is one that can’t be weakened by incoming “transmissions” at all.
What is the judges definition of a sound computer system?
Re: Re:
I’d imagine one that was working before the other people did stuff to it. It’s the same standard used elsewhere (“he was in sound health before you pushed him down the stairs”).
R.Murdock will come to the rescue! He’s got people that will log into your voice mail and email systems and delete trivial messages to make room for more important messages. And not only that, he won’t charge you a dime for it.
FINALLY!
I think this is amazing. I’ve always been a bit miffed at those guys at my apartment network always taking up the bandwidth. My inability to successfully enjoy a game of internet monopoly was severely injured by their selfish use.
I’d also like to take this wonderful opportunity to personally attack those evil little trolls that build those awful flash enabled websites. Don’t they know those things are taxing on a 56k modem?
No different than a good old postal mail blitz
So if I and several thousand friends wrote actual letters, and mailed them via snail-mail (I know, I know, just work with me here….), and totally clogged someones mailbox to the point where they had trouble picking the legitimate business mail out from the piles and piles of angry letters, we’d be hacking that mailbox?
This is simply an e-version of that, and I don’t recall anyone ever being punished for mailing too many letters.
Abuse
BIG COPY: The PROTECT IP Act and the proposed embedded streaming law will never be stretched to absurd lengths, because that’s not where the law is targeted. Trust us!
NORMAL PEOPLE: But the CFAA wasn’t targeted at people sending lots of emails, either, and look where we are now.
BIG COPY: Shut up.
Please don't lie about the law.
http://source4politics.blogspot.com/2011/08/incompetent-legal-commentary-on.html
Re: Please don't lie about the law.
Did you write this? Because your wrong. The damage was NOT caused to the computer, which the statute covers, but to the business, which it does not. Try again. And if you have a law degree, I weep for you.
Re: Re: Please don't lie about the law.
you’re
Re: Re: Please don't lie about the law.
Out of curiosity, did you actually read the linked article? It makes no claims about whether or not the actions in questioned violated the CFAA. Try again.
Re: Please don't lie about the law.
There is no legal definition for the terms “hacking” and “hacker”. In fact, there is no agreed upon definition for hacking. I, as an aging software engineer, have my own preference, which corresponds closely to the original meaning of a skilled programmers actions. I have given up on that preference as I have recognized I cannot fight the direction that our language is going. Mike is using “hacking” in a very broad way. A way that reflects it’s very general use nowadays. Yes, there is no reference to “hacking” in the court case, but that does not mean he is lying about the law.
Re: Re: Please don't lie about the law.
Yes it does. He’s suggesting that the word “hacking” is somehow relevant to the legal question, and that if the conduct in question isn’t “hacking,” then the law doesn’t cover it. That’s a lie.
Re: Please don't lie about the law.
Lying about the law is Mike’s forte. Asking him to stop is like asking him to stop breathing.
Re: Please don't lie about the law.
http://source4politics.blogspot.com/2011/08/incompetent-legal-commentary-on.html
Wow. Sorry, but the CFAA is very much about “hacking.” Just because they don’t use the word does not mean that it’s not what it’s about. I stand by the article 100%.
Re: Re: Please don't lie about the law.
You’re creating a new standard that has absolutely no basis in the law, and then using it to criticize a ruling that was very much based in the law. It’s dishonest and indefensible. If you want to criticize the legal ruling, have the courage to do so within the scope of the law, nicely published online for your convenience, not what you have imagined the purpose of the law to be.
Re: Re: Re: Please don't lie about the law.
You’re creating a new standard that has absolutely no basis in the law, and then using it to criticize a ruling that was very much based in the law.
I did no such thing. The CFAA was designed to deal with computer hacking. It’s a descriptive term for what is in the law, including the types of hacking, which you describe in your article. The specific violations described within the CFAA are an attempt (weak one) by Congress to define illegal hacking.
It’s dishonest and indefensible.
Oh come on. It’s completely honest and very defensible. No need to get obnoxious over a difference of opinion.
. If you want to criticize the legal ruling, have the courage to do so within the scope of the law, nicely published online for your convenience, not what you have imagined the purpose of the law to be
I did. Honestly the only thing I find dishonest is your attempt to attack me because I didn’t use the magic words you wanted to hear. Sorry, but the law is an anti-hacking law. Saying that this qualifies under the law is the courts saying that this could be a form of hacking.
It’s not dishonest. And it’s most certainly defensible.
Re: Re: Re:2 Please don't lie about the law.
“The CFAA was designed to deal with computer hacking. It’s a descriptive term for what is in the law, including the types of hacking, which you describe in your article. The specific violations described within the CFAA are an attempt (weak one) by Congress to define illegal hacking.”
Do you have any evidence whatsoever to back up this claim?
You decided, out of thin air, to use the word “hacking” to describe the crimes under the CFAA. You then wrote things and used quotation marks in such a way as to suggest that the word “hacking” was actually used by the court:
“Court Says Sending Too Many Emails To Someone Is Computer Hacking”
“So… because Pulte’s IT folks set up their email boxes such that they could only hold a certain number of emails, suddenly this raises to the level of “hacking”?”
Finally, you suggested that if it wasn’t “hacking” under some unspecified definition, then the court ruling must be wrong.
All of those things are lies.
In fact, the stated purposes of the CFAA include “to provide additional penalties for fraud and related activities in connection with access devices and computers,” which is certainly broader than “hacking.”
You don’t have a foot to stand on, which is unfortunate because there are so many easy and legitimate criticisms of the CFAA. But unfortunately, you chose to make a ridiculous one.
Re: Re: Please don't lie about the law.
Yeah, they just forgot to use the word “hacking” when they were writing the anti-hacking legislation.
To be fair, if I was saying that a piece of writing was very much about something the lack of the authors using the word I thought it was about would make me somewhat less confident in my analysis.
Re: Re: Re: Please don't lie about the law.
To be fair, if I was saying that a piece of writing was very much about something the lack of the authors using the word I thought it was about would make me somewhat less confident in my analysis.
Here is a course about bumping uglies and getting knocked up. I’m quite confident of that despite the fact that the term “knocked up” appears nowhere in the course material.
” one that diminishes a plaintiff?s ability to use data or a system?causes damage.”
Spam diminishes my ability to use a system, can I sue spammers now?
The court has a point
It seems to me that a tort or crime may be committed if a company or union organizes a deliberate denial of service attack on a company or individual.
Imagine the howls of indignation here if the MPAA started DOS attacks on people who criticized their tactics or in some way tried to compete with them?
The court has clearly never run an email server...
…whereas some of us have been running them for decades.
There is no doubt that an excess of messages is abusive, but “abusive” is not the same as “hacking”. “Abusive” (in the context of email) encompasses the sometimes-overlapping categories of mailbombing, forgery, spam, DoS attacks against SMTP, rapid-retry, etc. None of these qualify as hacking. Oh, they’re all reprehensible, like many other things that aren’t hacking either, but that doesn’t make them what the court imagines them to be.
Moreover, a read through this indicates that the company’s own profound incompetence is largely responsible for its troubles. It is a trivial matter for any minimally-clueful mail system administrator to deal with issues like this — many of us deal with them on a routine basis. Sometimes they’re the result of malicious action; sometimes they’re the result of somebody else’s screwup; sometimes they’re the result of a well-meaning but poorly conceived campaign, as appears to be the case here. But whatever the cause, dealing with the results is very easy, so much so that I think it reasonable to presume any competent mail system administrator would be ready for this and would only need to flick the switch, so to speak, to deal with the issue.
Of course one of the obvious, fundamental errors made by the mail system administrators shows up as early as page 3 of this ruling, where it states that the mail system “limits the number of emails in an inbox”. In a time when 2T drives cost much less than an hour of system admin time, that’s not just stupid, it’s set-yourself-on-fire stupid. While there is a reasonable argument to be made that the very largest email providers (e.g., gmail) may need count/size quotas, there is no such argument to made for the overwhelming majority of mail operations. (Yes, I’m well aware there are outliers. I’ve run some of them.) It is vastly more efficient, cost-effective, secure (mail quotas facilitate DoS attacks), and simple to add storage in almost every case.
The correct response from Pulte Homes is not to pursue this in court, but to fire their mail system admin(s) on the spot and replace them with individuals who possess at least minimal competence in the field.
Re: The court has clearly never run an email server...
This. This should NEVER be an issue. If, in 4 days, you cannot handle a simple quota problem then theres a lot of other stuff you probably arent handling properly anyway.
Re: The court has clearly never run an email server...
Of course, “hacking” has nothing to do with it. That was a myth invented by the author of this post.
1 set mailbox size to 50mb
2 apply spam filter to present the appearance of taking precautions
3 file civil and criminal charges against everyone that sends me more than 2 emails.
4 patent method
5 profit
Is an software update hacking?
I have experienced a “transmission” in the form a Microsoft software update that stopped my “sound computer” from operating. Does that mean Microsoft is a hacker? Wow that is a broad statement.
Re: Is an software update hacking?
Damn man, I had trouble deciding on “insightful” versus “funny” on this one. Tempted to see if I can do both…
bad ruling
This was way too broad. It shouldn’t fall under hacking. While they should be charged with purposefully disrupting their network, it shouldn’t fall under “hacking”.
Hacking is a security issue, not an overload disruption issue.
Terrible drafting?
And yet, because of terrible drafting, the law is broad and vague and courts are regularly stretching what the CFAA covers in dangerous ways.
Apparently you fail to realize it’s not terrible drafting when its designed so the government can use it to smother anyone that pisses them off.
The reality of it...
At its core this whole situation has nothing to do with the acts mentioned in the filing. If you do some digging you will see a long history of a tinkling war going on with Pulte and the Union (see my prior post video from 2007).
Everyone who agrees that this is hacking is wrong! There was no intention to disrupt systems, but to send a message. Sure, the bloat of emails and phone calls would slow some workers down but not to do harm to the company. As a previous poster stated this is no different than protesters standing in front of a store and a different poster referenced Limbaugh and Moore mobilizing their armies to action.
This is another case of a judge not understanding technology and not taking the time to educate themselves.
What the shocker here is that the Union lost, I thought they ran the country.
story doesn't fit title
Title said that the court called it hacking. But the story only talked about the court directly in relation to CFAA. I suspect that tying in the label “hacking” was simply misleading journalism (or else it should have been made clear).
So...
If I set up a mail server with ONE mailbox that can only accept ONE email, then I get someone to send me an email, thus blocking everyone else from sending me business communications, does this mean I get to sue [insert name of rich person/company here] ?
OHHHHH CANADA
….i’m glad i don’t live in the wrecked justice system of America …THIS IS funny as hell….What is this guys email address again? I’ll forward a few emails to him form me and i dunno 1000000 Canadians….ya call that a hack.Same shit happened to MS over VB4.0 a decade ago and forced MS to make the stuff i make with the package mine and mine alone versus you make it with a ms tool they too can steal it.
NOW lets go forward to now and your telling me that if 30000 coders did this today we’d all be arrested as hackers for sending a single email….
WHAT A JOKE THE USA IS.
THIS IS NOT EVEN FUNNY ANYMORE.
I sincerely hope you don’t pay your debts and go right into bankruptcy big time.
Re: OHHHHH CANADA
What? Normally I abstain from correcting grammar as I think it’s petty. However, when you start bashing the land that I love I can’t hold back.
“forced MS to make the stuff i make with the package mine and mine alone versus you make it with a ms tool they too can steal it…” You make no sense. I understand the individual words but the combination in which you use them is perplexing!
Take your universal health care and Tim Hortons and stick it, ‘eh.
All in good fun! I do like Toronto.
@25
you do realize that once ONE persons email reaches a limit you just get and use a second account and not make that public ….except to business clients….
I will add this doesn’t shut down the business it has phones and faxes and other communications no? was the union sending non stop faxes and telephone calls by the thousands constantly ..NO i see so it didn’t cripple the business just one email account hardly hacking…get a good email bomber and it don’t care what email accounts are there it will just hammer it to death THAT’S HACKING.
NOW when you send one email form 30000 people that shows you the union and its members are serious about some issue. NOW you have those mails you can auto block them and this does what then to said business….NOTHING. unless they all sent in minutes which they did not do.
AGAIN it was not a email bomb from a single person it was the union and its members. SO by your reasoning if said union said call this company that it would be hacking as the phone lines be all tied up. BOY OH BOY what a nasty police state world you live in …..control control control.
Did the judge really call it a CFAA violation? Because that law has actually been pretty reasonably enforced, unlike the DMCA. There have been very few cases and most have been dismissed, for example Lori Drew.
It would be pretty hard to claim that sending e-mail to a server that was setup to accept mail from anyone was “unauthorized”.
@40 then @43 then @45 then @46 then @53
@40
too bad none of what you said was done by said union and in fact as the article says all that was done was the union asking its members to email that address.
@43
and that’s why no spam filtering would work on this cause these were real people doing as they should email someone, if your going to raise taxes and are a politician do you think you want to only be able to get 10 email a day and then not use your account? HRMMMM me thinks someone really overreached authority here. Expect an appeal i would say. Other wise we in other nations will just laugh or heads off….
@45
actually when vb 4 was around there was 30000 coders whom banded together after MS said anything you make with said tool they owned too cause they made the tool….WE all emailed them once a day for a week personally and MS backed down …we were sending them the “message” NOT trying to damage but that its important to us….they not do what they were saying. IT worked and you make it its your software.report was MS servers fell 4 times in that week.
@46
So when open media got 446000 people to electronically sign a petition you think sending all our emails to the minister is a hack? NOW i SAY GOT YA ….its bad precedent to go down this road cause once people cant vent they go out into london streets and do what?
@53
the inbox was full via way of the email systems rules and no other email accounts had issues. GO FIGURE.
Intent
The important thing here is that the union undertook these actions with the intent of imparing the function of those systems affected.
If you are being mailed marketing material the intent is that your system works perfectly, so that you may receive more information or contact the vendor.
If you try to access a website and your traffic causes it’s service to diminish, your intent was to view some content on that web page.
The union did a number of things that made the intent of its efforts clear and that it was aware of the results of its actions. Requesting that it’s members send emails in a manner that would compromise the victims systems is essentially the same a DDOS attack, it’s just that part of the system is biological. They sent a message from a command system to other systems which then directed traffic to a particular machine with the idea that it would be negatively effected by this.
wow I am suddenly a l33t h4ck3r… Just knowing how to script this can be done in 5 minutes.
Intent, and yes it is a DOS attack plain and simple
DOS – Denial of service, it does not matter if it is PING’s or bulk email’s as has been said it is the INTENT of the actions, that intent was to deny a service to a company.
DDOS is illegal, call it what you will, hacking, cracking or straight out criminal activity. The result is the same.
What would have happened if this union decided to do that with the 000 (or 911) phone number ? and closed down that system.
Or the phone line of the ambulance or fire brigade ?
Re:
So when Obama told the nation to call/email their representatives about the debt ceiling, he should be on trial for hacking?
This is why you need lawyers
Actually, the article got the opinion wrong. The court merely said that given the definition of damage integrity and transmission, and taking as true all allegations that this company made, those allegations are sufficient to support all the necessary elements of the cause of action (Survive a 12(b)(6) motion). It says nothing about whether those allegations are valid.
When a court entertains a motion to dismiss for failure to state a claim, they basically take the complaint and, for the sake of the motion, take everything in it to be true (regardless of whether that is ACTUALLY the case). That’s what they did here. The definition they gave is obviously over broad, but that may be refined once the facts of the case become more apparent. Further, I don’t think its the definition of damage that matters so much as the definition of intent. I don’t think it will be possible, given the facts, to show that LIUNA actually intended to damage the system. Further, this sort of case seems like it will implicate the first amendment. In any case, the battle is clearly not over, and it sounds highly unlikely that Pulte is going to win.
This is why tech geeks need lawyers.
Ruling will be overturned by SCOTUS
This is definitely a case of ignoramus. It will undoubtedly be overturned by the United States Supreme Court.
“Under the CFAA, “any impairment to the integrity or availability of data, a program, a system, or information” qualifies as “damage””
OH HO HO, MR GOVERNMENT SIR, IS THIS NOT WHAT YOU ARE ATTEMPTING TO DO YOURSELF?
Does this apply to snailmail?
I wonder if the judges in this case have considered that this act is no different than local businesses flooding your mailbox with ads you didn’t ask for or want and then the mailperson leaves your mail at the post office instead of your box. If so, anyone else up to suing the USPS for hacking people’s mailboxes?
re: re
It sounds to me like there are two issues here.
The first being a lawyer who is reaching to get a case.
The second here is a judge who has no clue on technical (and legal) issues here and should be forced to
a. Reverse himself and
b. Never listen to any case that has technical issues having to do with computers again.
One of the many problems with US Labor law is that Unions can get away with practically destroying a company through harassment and fraud without repercussions. Is this a bad application of law, Yes. Is the Labor Union without guilt, No.
If you can not e-mail them boycott their services and products.
The old stanby that has worked over the ages is “don’t buy from thieves”. if you feel they are treating customer, workers or suppliers unfairly then do not purchase their sevices or products. In a free economy, there are many suppliers out there you can do business with and if you are bound by a contract that penalizes you from witholding your payment and subscription, due pressess gives you your day in court to air the just reasons they have not fullfilled their part of the agreement. As a customer, refusing to take your E-mail is refusing service to air grievences and must be arbritrated or resolved in a court of law.
Case holding
I read the case. I am an attorney.
1.There is no mention of “hacking”
2.There was no ruling on the flood of emails–only permission to sue under the statute that addresses hard to computers. (This was a labor disute.)
3. The number of emails was huge and shut down Pulte’s system. Writing to CEOS will not shut down their systems.
4. If the same thing were done to Congress the same law would apply.
Release the email addresses!