April 24, 2014

avatar

Did the Sanford E-Mail Tipster or the Newspaper Break the Law?

Part of me doesn’t want to comment on the Mark Sanford news, because it’s all so tawdry and inconsistent with the respectable, family-friendly tone of Freedom to Tinker. But since everybody from the Gray Lady on down is plastering the web with stories, and because all of this reporting is leaving unanalyzed some Internet law questions, let me offer this:

On Wednesday, after Sanford’s confessional press conference, The State, the largest newspaper in South Carolina, posted email messages appearing to be love letters between the Governor and his mistress. (The paper obscured the name of the mistress, calling her only “Maria.”) The paper explained in a related news story that they had received these messages from an anonymous tipster back in December, but until yesterday’s unexpected corroboration of their likely authenticity, they had just sat on them.

Did the anonymous tipster break the law by obtaining or disclosing the email messages? Did the paper break the law by publishing them? After the jump, I’ll offer my take on these questions.

Three disclaimers: First, the paper has not yet revealed (and may not even know) most of the important facts I would need to know to thoroughly analyze whether a law has been broken. Like a first year law student, I am trying to spot legal issues that will turn on what might be the facts. Second, I know nothing about the law of South Carolina (or, for that matter, Argentina). I am analyzing three specific federal laws with which I am very familiar. Third, I am barely scratching the surface of some very complex laws.

The Anonymous Tipster

Let’s start with the anonymous tipster (AT). AT might have broken three federal laws, depending on who AT is and how he or she obtained the messages. First, the Stored Communications Act (SCA) prohibits unauthorized access to a “facility through which an electronic communication service is provided” to obtain messages “in electronic storage.” In a separate provision, the SCA prohibits providers from disclosing the content of user communications. Second, the Wiretap Act prohibits the interception of electronic communications and the disclosure and use of illegally intercepted communications. Third, the Computer Fraud and Abuse Act (CFAA) prohibits certain types of unauthorized conduct on computers and computer networks.

All three of these laws provide both civil remedies (Maria, Sanford, or an affected ISP can sue the anonymous tipster for damages) and criminal prohibitions. So should AT worry about jail or a hefty fine? Probably not, but it turns on who AT turns out to be.

What if AT turns out to be Maria herself? Even putting to one side whether these laws apply outside the U.S., she almost certainly would not have broken any of them. Each of these laws provides an exception or defense for consent of the communicating party or authorization of the email account owner. To take one example, under the SCA it is not illegal for the owner of an email account to access or disclose his or her email messages.

These defenses would also protect AT if he turns out, in a bizarre twist, to be Sanford himself.

For the same reasons, AT probably did not break these laws if it turns out Maria or Sanford intentionally disclosed the email messages to AT, perhaps a friend or acquaintance or employee, who then passed them on to the newspaper. This is probably true even if Maria or Sanford asked AT to promise to protect the secret. As in other parts of the law, misplaced trust is no defense under these three laws.

But now we get to more difficult cases. What if AT is a friend or acquaintance or employee of Maria or Sanford who had access to Maria’s or Sanford’s email account, but did not have specific permission to access these particular messages? For example, what if AT was Sanford’s secretary, a person likely to have permission to view his inbox? On these facts, the case against AT would turn on hard questions of authorization. Did Sanford or Maria limit AT’s authorized access to the inbox? If so, how? With written rules, technological access controls, or vague admonitions? Courts have interpreted the word “authorization” in the CFAA, in particular, quite narrowly, ruling that otherwise-authorized users may no longer act with authorization once they violate rules or contractual promises. (This is the legal theory being advanced by DOJ in the Lori Drew CFAA prosecution.)

Next, what if AT works for an ISP—perhaps on the IT staff for the State of South Carolina or for a commercial email provider? In this case, AT should worry a little more. Although ISPs tend to have many legal reasons to access the content of communications stored on their servers or passing through their wires, this authority is not unlimited, as I have written about elsewhere. The ISP employee’s liability or culpability will turn on factors like terms of service and motive. For example, if the employee stumbled upon the messages during routine server maintenance, there may be a good defense.

The Newspaper

Lastly, let’s turn to the newspaper, The State. First, if AT did not break any of these laws by obtaining or disclosing the messages, then the newspaper likewise did not break any of these laws by publishing them.

Even if AT has broken the CFAA or SCA, the newspaper probably has no downstream liability for its subsequent publication. These two laws focus on initial access or disclosure, not on subsequent, downstream uses and disclosures.

The Wiretap Act, on the other hand, restricts the downstream use and disclosure of illegally intercepted communications. Here, however, the First Amendment probably provides a defense.

In Bartnicki v. Vopper, the Supreme Court held that the First Amendment shields the media from liability for the publication of content illegally intercepted under the Wiretap Act if the content is “about a matter of public concern.” Granted, the private communications in Bartnicki—a phone call between a union negotiator and the union’s president about the status of negotiations—seem more a matter of public concern and less private than the intimate love letters between a politician and his mistress. But, I am no First Amendment expert, so I will leave it to others to decide how these facts fare under Bartnicki. To my nonexpert eye, given the sweeping language both in Bartnicki and in the cases cited by Bartnicki (starting with New York Times v. Sullivan), it seems that the First Amendment shield applies here.

Final Thought: So, Who is the Tipster?

Finally, Sanford or Maria might sue the newspaper and AT (as a so-called “John Doe” defendant) in order to discover AT’s identity. A plaintiff in a civil lawsuit can ask a judge to order a subpoena to discover an unknown defendant’s identity. No doubt, the newspaper would fight such a subpoena vigorously, but whether or not it would succeed is a topic for another day.

Comments

  1. Ken Houghton says:

    If I were taking bets–and I’m not–it would not be surprising (early favorite on the morning line) to discover AT either was or was working in support of Mrs. Sanford. (Whether by direct request or out of loyalty is a matter of slice-and-dice left as an exercise.) She, after all, clearly knew where her husband and what he was doing–witness her use of “MY children” in excusing herself from further discussion.

    Does this complicate the answer? And does Sanford’s use of his Government account to send and receive e-mails (that is, his making them de facto part of the public record, even if unintentionally) make prosecution even more difficult?

  2. Mitch Golden says:

    —For example, if the employee stumbled upon the messages during routine server maintenance, there may be a good defense.

    In general, e-mail is written to disk on the server in non-encrypted form, so if a sysadmin can make a claim like this, it means the law is a dead letter. Anyone with root access to my ISPs machine can read all users’ e-mail (and all other files, for that matter). You don’t “stumble upon” a mailbox. It’s clear to any sysadmin which files are mailboxes and which aren’t. (I.e. if it’s in /var/mail, it’s a mailbox.)

    Even if for some reason the sysadmin needed to examine the mailbox to see if the file was corrupted (an extremely unlikely scenario, but let’s go with it) I don’t see how this would give him any cause to disclose the contents.

    • Anonymous says:

      Sometimes the cyber winds can kick up quite a gale, blow those emails all over the system. Then some lowly sysadmin has to go and pick `em all up, stuff `em back in the mailboxes. I always used to get that job, back in my junior days, and I can tell you I hated it.

      Sure as eggs, one or two would end up getting pushed under the device driver stack and who would think to look there? They might not get found again till garbage collection day, then alls you can do is throw it into the lost&found folder and get right out the way before the blame game starts.

      Sheesh! People have no appreciation of the work we do.

  3. Bob Gezelter says:

    Thank you for the detailed analysis.

    Upon seeing the first stories with the actual text of the emails, I concluded that there was likely a violation of the ECPA, among other statutes. If the messages were on an official account, there are other questions (e.g., whether they are public documents). If it was a private account, there is a whole other issue.

    I noted these thoughts yesterday in “Governor Mark Sanford Email Disclosure: An ECPA Violation?”, an entry in “Ruminations-An IT Blog” at http://www.rlgsc.com/blog/ruminations/sanford-ecpa.html.

    I noted that we have had other situations like this in the recent past, including now-President Obama’s mobile phone records and an email account belonging to Governor Sarah Palin (R-AK). If recollection serves correctly, the individual involved in the Palin email case faced prosecution.

    - Bob Gezelter

  4. Jana says:

    This shows again, that mailing is not a discreet communication system. This is known since existence of e-mail.

  5. Carlie Coats says:

    Under post-Berne copyright law, the emails are copyright works as soon as the writer hits the “save” button. Unless the publisher has license to publish from that author, it’s an open-and-shut case of copyright violation.

    FWIW.

  6. Olivia Wang says:

    There was a movie recently, “State of Play”, describing a similar affair. But let us pray it will not go that far. More seriously, please please please. This is no news, all bull. Let him have some fun, the old man.
    Pokersavvy Plus

  7. Anonymous says:

    The site has a collection of absolutely nothing. There’s just a download link for an iPhone app I can’t use, since I don’t have an iPhone.

    When you have a site that actually has a collection of something, that can actually be browsed right there on the site using nothing more than a Javascript-disabled, Flash-disabled normal Web browser on any device, let me know. Until then, quit lying to people about your site!

  8. BromaCleanse says:

    It’s very hard to check, considering the anonymous nature of the internet.

    BromaCleanse
    Flexarite

  9. IW says:

    Why would the ISP have the right to give out private messages just because they have legal access to the email server?
    —————————————————————-
    Pit Bike | Cover Letter Examples