This week’s fascinating Friday fable reaches back nearly a decade, and is a reminder of how hard it can be to decide what wrong has been done, if any, in court cases that deal with what most people would call “hacking”.
The story of the original court case is simply told, and it goes like this.
In late 2013, X was brought in as an IT manager for a city in the state of Georgia in the US, supposedly to “increase the reliability and efficiency of the City’s computer system.”
X seems to have decided that Y’s work wasn’t up to scratch, and “criticized Y’s work performance, which led to an argument and a loud outburst from Y.”
The outcome of this, it seems, is that Y had some of his IT powers reduced for security reasons, and sadly ended up getting fired in mid-2014.
A couple of months after Y’s departure, X received an email from another colleague, whom we shall call Z…
…and Z received a “bounce” message (a delivery failure) from an external email address Q that Z hadn’t copied in on the original email.
Smelling a rat, Z alerted Y to inform him about the mysterious “Q” in the email equation.
An additional recipient
You can probably guess what was going on here.
Back in 2013, presumably before his administrator privileges were revoked but after their falling-out, Y had modified X’s email account settings so that a copy of all X’s incoming email messages would be sent to the mysterious outside address, Q.
Q, it transpired, was not only operated by Y but also had been “routinely accessed from his cellphone.”
As you probably know, abusing built-in mail forwarding rules in email systems is a common trick used by cybercrooks to keep tabs on what their victims are up to, especially in so-called Business Email Compromise (BEC) scams.
BEC criminals typically monitor messages to senior figures in a company, such as the CEO or CFO, so that they have first-hand information about major financial milestones.
When huge invoices are due (or, in one notorious case, when a multimillion dollar major league soccer transfer was about to conclude), the crooks make their play to get some or all of the money redirected to a bogus account.
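A defender's view of the two signals in this story, as an added example that is not part of the original article: an audit that flags mailboxes forwarding to outside addresses, and a check for bounces from recipients the sender never addressed (the clue Z stumbled on). The record layout, field names and all addresses are constructed for illustration and do not come from any particular mail system.

```python
import re

INTERNAL_DOMAINS = {"city.example"}  # assumption: the organisation's own mail domains

# Constructed mailbox settings, shaped like an admin export (hypothetical field names).
MAILBOX_SETTINGS = [
    {"mailbox": "x@city.example", "forward_to": "q@mail.example.net",
     "keep_local_copy": True, "changed_by": "y@city.example"},
    {"mailbox": "z@city.example", "forward_to": "team@city.example",
     "keep_local_copy": True, "changed_by": "z@city.example"},
    {"mailbox": "w@city.example", "forward_to": None,
     "keep_local_copy": True, "changed_by": None},
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def external_forwards(settings, internal=INTERNAL_DOMAINS):
    """Return mailboxes whose mail is copied or redirected outside the organisation."""
    findings = []
    for s in settings:
        target = s["forward_to"]
        if target and domain(target) not in internal:
            findings.append({
                "mailbox": s["mailbox"],
                "forward_to": target,
                # A kept local copy means the owner sees nothing unusual.
                "silent_copy": s["keep_local_copy"],
                # Set by someone other than the mailbox owner: review first.
                "set_by_other": s["changed_by"] != s["mailbox"],
            })
    return findings

# Constructed: recipients the sender actually addressed, and the bounce text received.
SENT_TO = ["x@city.example"]
BOUNCE_TEXT = """\
Reporting-MTA: dns; mail.city.example

Final-Recipient: rfc822; q@mail.example.net
Action: failed
Status: 5.1.1
"""

def unexpected_bounce_recipients(sent_to, bounce_text):
    """Addresses that bounced although the sender never addressed them."""
    addressed = {a.lower() for a in sent_to}
    failed = {m.lower() for m in re.findall(
        r"^Final-Recipient:\s*rfc822;\s*(\S+)", bounce_text, re.I | re.M)}
    return sorted(failed - addressed)
```

A non-empty result from either function is a reason to inspect the mailbox's forwarding settings and who last changed them.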
The ruse revealed
In this case, the siphoning off of X’s emails had been orchestrated unsubtly enough that it eventually drew attention to itself when one of X’s reply-to-alls failed to reach the unexpected additional recipient.
Unsurprisingly, perhaps, Y was prosecuted, convicted by a jury of “computer trespass”, and sentenced to 10 years’ probation.
Given that there is no suggestion that Y didn’t actually do what was described above – namely, use his Administrator powers to get copies of his boss’s emails – this probably sounds like an open-and-shut case.
However, Y has very recently, nearly eight years after the incidents described above, had his conviction set aside by the Supreme Court of Georgia.
The legal report from the hearing makes fascinating reading, albeit that it is both lengthy (at 36 pages) and full of legal jargon, such as:
The fundamental rules of statutory construction require us to construe [a] statute according to its own terms, to give words their plain and ordinary meaning, and to avoid a construction that makes some language mere surplusage.
Obstruction and interference
In plain English, the judgment focuses on examining whether the plain English meanings of the words “obstruction” and “interference”, as used in Georgia’s Computer Trespass law, actually apply in this case.
Did Y’s actions – siphoning off and looking at someone else’s business email, even after his employment at that company had ended – really amount to obstruction, given that no emails were actually impeded?
The court, it seems, decided that Y didn’t obstruct or interfere with anything, so that whatever he did, it wasn’t Computer Trespass, even though the judgement expressly notes that “[i]t is undisputed that Y did not have authority or permission to forward X’s e-mail.”
Ironically, the judgement mentions in one of its footnotes that Y could have been charged under a nearby part of Georgia law that uses rather different words, perhaps with a different final outcome.
That part of the Georgia computer crime statutes criminalises “us[ing] a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority.”
The dissenters
Interestingly, three of the judges on this case dissented from the majority opinion, remarking that:
By manipulating the data stream to give himself access to X’s e-mails, Y intermeddled in the affairs of others and the data intended to go to others with neither authority nor invitation. As such, there was sufficient evidence to support a finding that Y interfered with the use of the City’s computer program and its data.
Additionally, the dissenting judges criticised the majority opinion with these intriguing words:
The majority opinion educates wrongdoers that they are better off from both a detection standpoint and from prosecution as a matter of law if they simply copy data rather than block its delivery.
We can’t help but wonder whether the dissenters were alluding to contemporary ransomware attacks here, where data is often both copied, or “stolen” as you or I might say (which does not prevent the owner of the data from continuing to use it), and scrambled (which does).
What do you think?
I tend to agree with “By manipulating the data stream to give himself access to X’s e-mails, Y intermeddled in the affairs of others and the data intended to go to others with neither authority nor invitation.”
I’m definitely adopting the word “intermeddling”. It’s like meddling, but not merely in a mischievous way.
I’m adopting “inferference.” Is that making an inference that interference occurred? It’s the kind of word that I can normally only pronounce after one too many adult beverages.
More seriously, it is disheartening when computer misuse laws often seem to target legitimate and ethical security researchers while leaving a loophole a mile wide for actual miscreants, as in this case. The observation that bad guys can stay out of trouble “if they simply copy data rather than block its delivery” should be a pretty compelling message.
Fixed the typo, thanks! (I nearly left it, but given I had put the word in quote marks – in the sense of “take this literally” rather than “take this virtually” – I figured I ought to correct it.)
Y had no business snooping X’s email. I highly doubt he didn’t realize this. And most reasonable people would agree. I wonder if the majority ruling judges would change their tune if someone did this to THEM! If that isn’t a crime, it should be! Fix the statute!
While it is wrong, by the sounds of it, it isn’t technically illegal due to the wording.
So the moral of the story is, the prosecutors didn’t know enough about tech to use the proper statute to charge him with and like many lawyers thought he knew it all so didn’t get a technology expert to assist. Shocking!
That’s not quite what happened, to be fair to everyone involved in the original case.
After all, the dissenting judges said that they did think that “interference” was proved by the evidence, presumably because they didn’t think that any data needed to be blocked or modified to be interfered with, or because they considered that violating someone’s privacy can, in plain English, be considered “interfering” with it, even though no data was suppressed or altered. Presumably the original prosecutors felt the same way, and so did the jury.
Also, there’s no suggestion that there were no technology experts involved or that the prosecution decided not to call on experts because they “thought [they] knew it all”. Indeed, I don’t think that “bringing in (more) technology experts” would have done the trick. A linguist might have been a better bet…
“A linguist might have been a better bet.” Why not an English teacher or maybe a logician?
“Surplusage” is linguistic surplusage.
He didn’t interfere with the usual operation of the system, per se, but he did cause some of their data to be leaked to an account he operated. That’s data theft.
I agree with this statement. However, many companies are actually snooping into the email communications of their employees “for security reasons”. In this case it is data Theft as it is copied into an outside email account not affiliated to the company. It’s really that simple.
I agree with Paul to bring in the linguists. I spent a lifetime in the Insurance world and the one thing Judges hammer into their judgements is that insurance contracts must be interpreted in the ordinary meaning of the words used. Most of them don’t understand insurance jargon. The quote in your article could have come from one of hundreds of insurance matters that was put forth before a judge or supreme judges. When dealing with something that smacks of “can it be this or that” or a new word that is planned for the next addendum to the Oxford English Dictionary, don’t bring in the experts from 50 miles away but rather bring in the linguists to clarify the unclarified. We are not talking about butter here.
As they say in the classics:
The Law is an Ass.
It should be classified the same way that wire tapping in the phone industry is handled. Eventually, our lives will become extremely more complicated, because people can not resist being in the lives of others and making judgments about them.
Surplusage? Intermeddled? An awful lot of neologisms for judges looking to ‘to give words their plain and ordinary meaning, and to avoid a construction that makes some language mere surplusage’. Leave the invented vocabulary to the legislature, or better still, Lewis Carroll.
Of course, if the legislature gets a free pass when it comes to neologisms, then you can expect to hear them echoed by the judiciary when they hear cases based on neologistic laws (neolawgisms?), after which I guess they become, without let or hindrance, oldologims…
I notice that you are careful to obfuscate the identities of those involved in this story… however, in the second last quote you say “finding that [redacted] interfered with” and reveal the identity of “Y”. I was then able to google more details of the Georgia Supreme Court [redacted] v State case. Knowing the identity perhaps isn’t an issue… it’s all over the internet… however slipping his name into that quote seems inconsistent with the rest of your article.
[Redacted] it fully now, thanks. As you say, the names are not secrets, but I have changed it to Y as I did elsewhere.
[Comment redacted slightly]
I was confused by this:
Not that it bears much impact to the crux of this article, but I don’t believe X got the bounce. [From the court case link, it seems that] Z emailed X, got the bounce from Q, then notified X (not that X replied to Z *then* got the bounce back).
Keeping multiple surrogate names straight is a PITA – I’ve done it a few times, and while “in the thick of it,” the process sure does suck.
What has worked for me in the past is to compose with all the names correct, and then do a Find/Replace before publishing. If I’m nervous I might slip and (publish|send) too soon, I’ll compose in a different medium (such as Libre Office Writer or my favorite VIM), then duplicate to the final message.
HTH
:,)
Yes, that’s quite right. I have reworded it to make the sequence clear. Here’s what seemed to have happened: Z sends an email to Y. Secret side-delivery to Q takes place. Transient problem with Q’s email address (or somesuch) causes a bounce that should never have happened. Z gets clued in to the existence of the mysterious Q. Z smells a rat, says to Y, “Who’s Q?”. Plot rumbled.
Thanks a lot for the comment.
It’s a digital soap opera. Can’t wait to find out who got pregnant, who blackmailed whom, and who was sneaking around with whose spouse.
Even if one debases oneself to the surreptitious “sneaky email” plan, it’s not a very forward-thinking sort of thing to do.
If Bryan is fired, how does he revert the tunnel email forward plan? His entire plan rests upon a somewhat unreliable set of protocols until the boss leaves or retires, with many things that could break in the interim. (Although this seems to be reversed for ransomware), the bad guys need to be lucky every time, but the cops only need to get lucky once.
I suppose he was either [a] hoping no one would connect Q with X (except cellphone records showed otherwise) [b] wasn’t thinking clearly [c] wasn’t thinking at all.
Now that many emails are encrypted over HTTPS and intended to be private, I would argue that intercepting a private conversation is “interfering”.