Spyware, Divorce and the Law Firm

This post is about a federal civil case in Louisiana. Becker v. Toca, Civil Action No. 07-7202 (U.S. District Court for the Eastern District of Louisiana).

I’m doing a post on this civil case because it arose from the defendant’s allegedly installing a Trojan horse on a law firm’s computers. Here are the facts alleged in the plaintiff’s complaint, i.e., the pleading that got the case started:

Plaintiff, PHILLIP M. BECKER individually operates his law firm in Lake Charles, Louisiana, with the use of tools and equipment including computer hardware and software, which is connected to the Internet by typical means. . . .

Prior to 25th of October, 2006, BECKER . . . and personnel employed by his law firm, began to experience considerable difficulties in both their home and office computers. This consisted of error messages, slow processing, and other indicators of technical problems with the operations of the computers.

BECKER . . .retained the services of WebTronics LLC, a third party contractor with expertise in computer operation, to evaluate both his home and office computers.

After an extensive evaluation, WebTronics . . . identified . . .spyware and viruses on two Compaq computers and one Toshiba laptop . . . and advised BECKER . . . to take further action with an Internet forensic team located in Baton Rouge.

Upon further examination, it became apparent the computers . . . were infected with an interest `Trojan Horse’ virus named `Infostealer.’ Infostealer is used to detect and steal passwords from computers . . . by gathering the passwords from the compromised computer and sending them to a remote computer by email or other means.

The Infostealer virus was sent to BECKER and to his law firm by the Defendant, TOCA by means of various emails and attachments.

The Defendant, TOCA knew that the use of the Infostealer Trojan Horse virus would give her unauthorized access to her ex-husband's personal and business computers.

The actions of . . . TOCA were . . . done . . . in the hopes that private information disseminated to her by means of the Infostealer . . . would provide her with some kind of . . . advantage in ongoing domestic litigation . . . between the two parties.

Becker v. Toca, Complaint (October 23, 2007), 2007 WL 4546306 (E.D.La.).

Becker claimed the installation and use of the Trojan violated three federal statutes: the Wiretap Act, 18 U.S. Code § 2510, the Stored Communications Act, 18 U.S. Code § 2701 and the Computer Fraud and Abuse Act, 18 U.S. Code § 1030. Becker v. Toca, 2008 WL 4443050 (U.S. District Court for the Eastern District of Lousiana).

Toca responded by filing a motion to dismiss all three claims. When a defendant files a motion to dismiss civil claims, he/she says that even if the facts alleged in the plaintiff’s complaint are true, they don’t establish a valid claim under the law the plaintiff is relying on. So in ruling on her motion to dismiss, the judge had to assume – for the limited purpose of ruling on the motion – that the facts alleged in the complaint were true.

Toca’s first argument was that sending a “virus to detect and steal passwords . . . on a computer does not constitute an attempt to `intercept’ an “electronic communication” for purposes of the Federal Wiretap Act.” Becker v. Toca, supra. In ruling on this argument, the federal judge noted that the “The Federal Wiretap Act subjects to criminal liability any person who `intentionally intercepts . . . any wire, oral or electronic communication,’ except as otherwise permitted by law.” Becker v. Toca, supra (quoting 18 U.S. Code § 2511(1)(a). The Wiretap Act makes it permissible to intercept communications in certain circumstances – such as when someone is a party to the communication or when they are a law enforcement officer who has a court order authorizing the interception – but none of them applied to Toca.

The issue was whether the Infostealer Trojan “intercepted” electronic communications. The opinion doesn’t tell me what Toca’s argument was, but I assume she claimed the information the Trojan detected was stored on the computers it targeted; courts have found that to “intercept” a communication, you have to capture its contents while it is “in flight,” i.e., while it is traveling from one person to another. If the Trojan simply took data that was stored on the computers, it didn’t “intercept” a communication.

The federal judge rejected Toca’s effort to have the Wiretap Count dismissed, at least as this point in the litigation. The complaint said the targeted computers were “`connected to the Internet by typical means’”. Becker v. Toca, supra. Given that allegation, which the court had to assume was true for the purpose of ruling on the motion to dismiss, the judge found it was “reasonable at this time to infer that the Trojan Horse program may have collected information contemporaneous to its transmission over the internet.” So that claim is still live; once she’s able to introduce evidence to support her argument, Toca may be able to show there was no interception of an electronic communication, but the claim survives unless and until she does.

Toca’s second argument was that “the Stored Communications Act (SCA) does not apply to the instant case because the Plaintiff's computers are not `facilit[ies] through which an electronic communication service is provided.’” Becker v. Toca, supra. The Wiretap Act makes it a crime to intercept data while it is in transmission; the SCA makes it a crime to intentionally access “without authorization a facility through which an electronic communication service is provided” and obtain, alter or prevent “authorized access to a wire or electronic communication while it is in electronic storage in such system.” Becker v. Toca, supra (quoting 18 U.S. Code § 2701(a)). The SCA defines an electronic communication service as “any service which provides to users . . . the ability to send or receive . . . electronic communications.” 18 U.S.. Code § 2510(15). It defines electronic storage as “any temporary, intermediate storage of a[n] . . . electronic communication incidental to the electronic transmission thereof; and [ ] any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S. Code § 2510(17).

The federal judge held that he could not dismiss the SCA claim at this point in the case

because it is unclear to what extent the program may have accessed . . . information stored with an electronic communication service provider. Although the Plaintiff does not allege that his personal or office computers were `facilities through which an electronic communication service is provided,’ the computers may qualify as such because the Plaintiff does allege that he used the computers to run his business. Further, the Plaintiff alleges that the Defendant transmitted the Trojan Horse program to him via email and that the program sent information back to the Defendant `by email or other means.’ It is therefore unclear whether the program may have accessed files stored with an electronic service provider during its transmission of data. Finally, the Plaintiff alleges that the Trojan Horse program targeted passwords, and it is unclear . . . whether the targeted passwords were system passwords saved on the Plaintiff's hard drive or web-based passwords captured during transmission over the internet.

Becker v. Toca, supra. Again, the court was not saying that Toca was liable for violating the SCA. All he’s saying is that he can’t dismiss this claim at this point; later, she may be able to produce evidence at trial showing that she did not, in fact, violate the statute.

Finally, Toca argued that the Computer Fraud and Abuse Act (CFAA) did “not apply because the Plaintiff only alleges the Defendant sought to recover passwords and did not intend to `harm’ the Plaintiff's computer.” Becker v. Toca, supra. As I noted in an earlier post, the CFAA – or, as I prefer, 18 U.S. Code § 1030 – creates a number of federal computer crimes and creates a civil cause of action for people who have been the victim of such a crime.

Becker’s claim under § 1030 alleges Toca violated the statute, which gives him the right to sue for “damage” he sustained as a result of the violation. 18 U.S. Code § 1030(g). In moving to dismiss this claim, Toca argued that Becker had “failed to establish that the Defendant intentionally caused `damage’ to the Plaintiff's computers. Specifically, the Defendant argues that a person cannot simultaneously seek to damage a computer and gather passwords from the computer, because a person cannot recover passwords from a non-functioning computer.” Becker v. Toca, supra.

Once again, Toca lost. The federal judge explained that § 1030 does not, as Toca

suggests, apply only in the instance that a person intends to render a computer completely inoperable. Rather, the statute defines `damage’ as `any impairment to the integrity or availability of data, a program, a system, or information.’ 18 U.S. Code § 1030(e)(8). The Plaintiff alleges that his computers presented `error messages, slow processing, and other indicators of technical problems.’ . . . Error messages and slow processing constitute impairments to the integrity or availability of data. Therefore, assuming that all of the Plaintiff's allegations are true, it is reasonable to infer that the Defendant may have intended to cause such limited damage to the computers at issue, even if she did not intend to render them completely inoperable. Accordingly, the Court finds that the Plaintiff has stated a valid claim under the Computer Fraud and Abuse Act.

Becker v. Toca, supra.

So there you have it. I don’t know if the case has since settled or will wend its way to trial at some point. It’s not the first use of spyware I’ve seen in “domestic litigation,” but it’s the first time I’ve seen it used against a law firm.