Court Says Sending Too Many Emails To Someone Is Computer Hacking

from the you-can't-be-serious dept

Okay, the courts are just getting out of hand when it comes to the Computer Fraud and Abuse Act (CFAA), which is supposed to be used against cases of malicious hacking. Most people would naturally assume that this meant situations in which someone specifically broke into a protected computing system and either copied stuff or destroyed stuff. And yet, because of terrible drafting, the law is broad and vague and courts are regularly stretching what the CFAA covers in dangerous ways.

The latest example, found via Michael Scott is that the Sixth Circuit appeals court has overturned a district court ruling, and is now saying that a labor union can be sued for violating the CFAA because it asked members to email and call an employer many times, in an effort to protest certain actions. Now some of the volume may have hurt the business, but does it reach the level of hacking? What's really troubling is even just the focus on emails:
The e-mails wreaked more havoc: they overloaded Pulte's system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte's employees could not access business-related e-mails or send e-mails to customers and vendors
So... because Pulte's IT folks set up their email boxes such that they could only hold a certain number of emails, suddenly this raises to the level of "hacking"? That seems like a stretch, and you can definitely see how such a rule can and likely will be abused. Especially since the court made some very broad statements, including:
[We] conclude that a transmission that weakens a sound computer system—or, similarly, one that diminishes a plaintiff’s ability to use data or a system—causes damage.
Broad enough for you? I can see this ruling being cited in all sorts of abusive trials now.

Filed Under: cfaa, email, hacking

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Rich Kulawiec, 9 Aug 2011 @ 1:44pm

    The court has clearly never run an email server...

    ...whereas some of us have been running them for decades.

    There is no doubt that an excess of messages is abusive, but "abusive" is not the same as "hacking". "Abusive" (in the context of email) encompasses the sometimes-overlapping categories of mailbombing, forgery, spam, DoS attacks against SMTP, rapid-retry, etc. None of these qualify as hacking. Oh, they're all reprehensible, like many other things that aren't hacking either, but that doesn't make them what the court imagines them to be.

    Moreover, a read through this indicates that the company's own profound incompetence is largely responsible for its troubles. It is a trivial matter for any minimally-clueful mail system administrator to deal with issues like this -- many of us deal with them on a routine basis. Sometimes they're the result of malicious action; sometimes they're the result of somebody else's screwup; sometimes they're the result of a well-meaning but poorly conceived campaign, as appears to be the case here. But whatever the cause, dealing with the results is very easy, so much so that I think it reasonable to presume any competent mail system administrator would be ready for this and would only need to flick the switch, so to speak, to deal with the issue.

    Of course one of the obvious, fundamental errors made by the mail system administrators shows up as early as page 3 of this ruling, where it states that the mail system "limits the number of emails in an inbox". In a time when 2T drives cost much less than an hour of system admin time, that's not just stupid, it's set-yourself-on-fire stupid. While there is a reasonable argument to be made that the very largest email providers (e.g., gmail) may need count/size quotas, there is no such argument to made for the overwhelming majority of mail operations. (Yes, I'm well aware there are outliers. I've run some of them.) It is vastly more efficient, cost-effective, secure (mail quotas facilitate DoS attacks), and simple to add storage in almost every case.

    The correct response from Pulte Homes is not to pursue this in court, but to fire their mail system admin(s) on the spot and replace them with individuals who possess at least minimal competence in the field.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.