Monday, February 14, 2011

Divorce, Passwords and Keystroke Loggers

Contrary to how it may seem, I haven’t been looking for divorce cases involving spousal snooping to use as the basis of blog posts. For some reason, a number of them have cropped up lately, and I decided to do this post on a case that involves facts that are somewhat different from the facts in the cases I’ve written about before.


The case is Miller v. Myers, 2011 WL 210070 (U.S. District Court for the Western District of Arkansas 2011), and while it arises out of divorce proceedings the case, itself, isn’t a divorce case. Instead, it’s a civil suit Anna Miller brought against her former husband, Darin Myers, seeking damages for certain activities in which Myers allegedly engaged.


The complaint Miller filed to initiate the lawsuit explains what Myers allegedly did:


8. . . . Miller maintained private electronic accounts with various service providers. . . . [T]hese accounts included Miller's Yahoo! email accounts, `annachristinamuammar@ yahoo.com’ and `opaque2violet@yahoo.com’, as well as her Myspace.com account. . . . Miller was the sole authorized user of these accounts, maintained her passwords private, and did not provide means to access these accounts to any third parties. Specifically, Miller never provided the passwords for her electronic accounts to Meyers, nor did she authorize him to obtain and/or utilize the same.


9. Meyers is a sophisticated computer user. . . [who has] a background in Electrical Engineering and has admitted to `hacking’ in the past.


10. . . . Meyers utilized unauthorized means to gain unauthorized access into Miller's electronic accounts. Some of these means included . . . a keystroke logger. . . .


11. Meyers installed this keystroke recorder into Miller's personal computer without her authorization. . . .at some point prior to November 2006. Miller did not discover this act until January 2009. . . .


13. Meyers, in [a] deposition . . . , stated that he had acquired Miller's passwords through a `keystroke recorder’ and other methods.


14. Based on the password information recorded by the keystroke recorder and through his other methods, Meyers gained unauthorized access into the data contained in Miller's accounts with various Internet Service Providers. . .


16. Meyers utilized Miller's user names and passwords, and other confidential information he intercepted, to access Miller's e-mail, financial, and other website accounts without Miller's authorization. . . . Miller maintained in her Yahoo! account receipts and other financial information.


17. In a deposition . . . Meyers stated he. . . . logged into Miller's Yahoo! and Myspace accounts without her knowledge. . . .


20. Meyers accessed . . . Miller's unopened and unread electronic messages stored on Yahoo!'s servers. When Meyers opened these messages, he intercepted them as they were transiting from Yahoo!'s servers to his web browser and downloaded to his web browser cache.


21. Meyers also accessed . . . Miller's opened and read electronic messages stored on Yahoo's and Myspace.com's servers.


Amended Complaint, Miller v. Myers, 2010 WL 3358014 (U.D. District Court for the District of Arkansas 2010). There’s more in the Complaint, but I think you get the idea.


In her Complaint, Miller sought damages from Myers under eight different causes of action, three of which arose under federal law and the remainder of which arose under Arkansas law. Since federal courts were created to adjudicate issues under federal law, you may wonder how this federal court can hear Arkansas state law claims, as well as the three federal causes of action. As Wikipedia explains, the principle of pendent jurisdiction lets a federal court “hear [and decide the merits of] a state law claim against a party already facing a federal claim”. If you’d like to know more about pendent jurisdiction, check out the Wikipedia entry you can find here.


In the opinion we’re examining, the federal judge who has this case ruled on the cross-motions for summary judgment respectively filed by Miller and Myers. As Wikipedia notes, a summary judgment motion asks a court to decide an issue rather than having it be decided at trial. The premise is that if there are no disputed issues of “material” fact that “require a trial for their resolution” and if one party “is clearly entitled to judgment” when the law is “applied to the undisputed facts”, the court should apply the law and resolve that issue.


As you probably know, the purpose of having a trial is to determine disputed facts, not the law; a jury in a civil or criminal case determine the relevant facts proven by the evidence presented at trial, and then applies the law to those facts. A summary judgment motion asks the court to skip to the latter step, i.e., apply the law to facts that aren’t in dispute.


Okay back to the case: Both sides moved for summary judgment, apparently on all the claims in the case. Miller v. Myers, supra. We’re going to examine the court’s rulings on the federal claims and on one of the state law claims, as they all involve computer issues.


The first claim the court addresses was Miller’s allegation that Myers violated 18 U.S. Code § 1030(a)(4) by “knowingly and with intent to defraud,” accessing a computer without authorization or by exceeding authorized access and by means of such conduct furthering “the intended fraud and obtained things of value, namely Miller's financial account information and personal computer data”. Amended Complaint, supra, at ¶ 31. The judge denied both parties’ motions for summary judgment because genuine issues of material fact existed, “including but not limited to, whether or not Plaintiff has suffered a loss in excess of $5000, which is required to trigger a civil cause of action” under § 1030. Miller v. Myers, supra (citing 18 U.S. Code § 1030(c)(4)(A)(i)(I)).


The second claim the court addressed was Miller’s allegation that Myers violated 18 U.S. Code § 2701(a) by knowingly or intentionally “access[ing] without authorization a facility through which an electronic communication service is provided” and thereby “obtain[ing] access to a[n] . . . electronic communication while it is in electronic storage in such system”. Section 2707(a) of Title 18 of the U.S. Code creates a civil cause of action for someone injured by such conduct. Amended Complaint, supra, at ¶ 35. The judge granted Miller’s motion for summary judgment on this claim because there was


no genuine issue of any material fact regarding [Myers’] unlawful access to [Miller’s] stored communications. [He] has admitted to using a keylogger program to obtain [her] passwords. [He] then used those passwords to access [her] email account without authorization. Summary judgment for [Miller] as to liability is, therefore, appropriate. The amount of damages, if any, may be determined at trial.


Miller v. Myers, supra.


The third claim arose under the federal Wiretap Act: Miller’s Complaint alleged that Myer’s violated 18 U.S. Code § 2511 by (i) intentionally intercepting electronic communications, (ii) intentionally disclosing the contents of such intercepted communications to other persons and/or (iii) using the contents of such intercepted communications. Amended Complaint, supra, at ¶¶ 38-40. As I’ve explained in earlier posts, “intercepting” an electronic communication means you capture the contents of it while it’s “in flight,” i.e., while it’s moving from one part to another.


That requirement derives form the fact that the Wiretap Act has its origins in Katz v. U.S., 389 U.S. 347 (1967), the case in which the Supreme Court held that the 4th Amendment applies to wiretapping phone conversations. The only way to “intercept” a phone call is to capture the contents of the call while it’s in progress, and that requirement was codified in the original Wiretap Act and survives in the current, amended version.


Miller lost on the third claim. The judge found, “as a matter of law,” that Myers’ conduct


is not the type of conduct Congress sought to address through the Federal Wiretapping Act [FWA]. Furthermore, [Miller] has raised no genuine issue as to whether [Myers] actually intercepted any emails or other information contemporaneously with its transmission, as is required for a finding of liability under 18 U.S. Code § 2511. . . .


[T]he method and manner of monitoring is an important consideration in determining liability. . . . The covert installation of an automatic recording device would be more likely to violate the FWA, while eavesdropping on a telephone conversation using an extension line [is] . . . an exception to liability under the FWA. . . . [Myers’] monitoring of internet traffic on his own home network is analogous to the latter. . . . [Miller] has presented no evidence that [he] recorded any information during the course of his monitoring. . . . [Myers’] monitoring activity should be excepted from liability under the FWA. Furthermore, the key logger only allowed [him] to learn passwords, which were used to access Plaintiff's e-mails. Defendant did not obtain e-mails contemporaneously with their transmission, and thus, the FWA does not apply. . . .


Miller v. Myers, supra. The judge therefore granted Myers’ motion for summary judgment on this claim, which meant it was dismissed. Miller v. Myers, supra.


The fourth (and final, for our purposes) claim was for “computer trespass” under Arkansas Code § 5-41-104. Under § 5-41-104(a), someone commits computer trespass if he/she “intentionally and without authorization accesses . . . any computer, computer system, computer network, computer program, or data.” Miller claimed that she was “seriously damaged” by Myers’ accessing, attempting to access or causing access to a computer, etc. Amended Complaint, supra, at ¶¶ 43-44.


Miller won on this claim. The judge found that while there is


little case law interpreting this statute, it is clear . . . that [Myers] intentionally accessed the MySpace and Yahoo computer networks without authorization and should be held liable for computer trespass. While the extent of [Miller’s] actual injury . . . is not entirely clear, the Court finds she has at least sustained some minor damages in changing her passwords and assessing the consequences of her husband's snooping. . . . The Court therefore finds that summary judgment should be granted in favor of [Miller] on this count as to liability, and any damages may be determined at trial.


Miller v. Myers, supra. There were other claims, some of which the judge granted summary judgment on and some of which he denied to grant summary judgment on.


As you can see, summary judgment can be an effective way to narrow the claims (and issues) that have to be dealt with at trial. As such, it can expedite the process of resolving civil suits.


(And no, there is no summary judgment motion in criminal practice. If you’d like to read an argument that there is/should be, check out the article you can find here.)

4 comments:

Anonymous said...

What if they lived in a community property state (not sure of AK is, but let's assume), could the husband not argue that the emails and MySpace stuff were community property and that he had just as much right to them as she did?

Cyber Crime said...

Heya Susan Brenner,

I could not agree more with what Anonymous asked. I would love to see what you have to say on that.

Susan Brenner said...

Knowing absolutely nothing about family law and community property law, I have no idea how that would impact on the state computer trespass cause of action.

As to the Stored Communications Act claim, I suspect the answer would depend on whether Congress intended to allow state law to plain a role in determining whether the statute had been violated (or not). The Supreme Court has made it clear, in applying the 4th Amendment, that state law does not determine whether law enforcement conduct violated a 4th Amendment interest in privacy . . . so if that, or a similar, premise applies here, then the state law issues might not matter.

Mary said...

Hello - I am on this site because I am going through a horrific divorce and custody battle. We are in NY state. My husband put webwatcher on my (business)computer AND my Blackberry. He used it to spy on me and "gather information" to use against me at trial. He also compromised my client files (I am a travel agent) and viewed private data of my clients.

The point is that in my research, I learned that the makers of webwatcher are adamant that spying on other adults is NOT the purpose of their product; it is meant to monitor your kids computers and phones. If anyone violates this they will investigate and turn off the "watcher's" account. I believe they did this already, but they won't confirm it. Instead they encourage you to go to law enforcement officials for next steps.

My husband is an FBI agent and he thinks we are all criminals and he is above the law, therefore it's ok to invade my privacy and that of my clients.

I would love your opinion on my situation and I am seriously considering taking this to the NY State Troopers tomorrow. I can't take it to local law enforcement because they won't know what to do with it (small town) AND they gave me no help the six times I called them when my husband was abusive and violent. THere is no doubt in my mind that they did not help me because my husband is "one of their own". My husband also has the matrimonial judge in his pocket and I am losing my case through no fault of my own. I am, and have always been, a great mom.

I am aware of the MI husband who also spied on his wife and "hacked" into her computer to "gather evidence" against her. He is doing 5 years in prison, I believe. My attorney knows nothing about cyber crime and does not know how to pursue any action to defend me in this regard.

Last, for those wondering about community property states, my understanding of those laws (I've learned a lot this year!) is that they are not intended to divide "personal" property. For example, just because you are in a community property state doesn't mean your ex can take the shirt off your back and belongings that are clearly personal in nature. However, being in such a state may make it harder to prove that it is your "personal" computer, or your phone. In my case, although my husband claims he "owns" everything in the house, he is wrong because the kids (he paid) gave me the Blackberry as a gift when I started my business and the fact that he helped me pay for the initial computer I used to start my business, thereafter it was under my exclusive (or so I thought!!) use and in particular, was for my business.

BTW, NY is NOT a community property state. I welcome any ideas or opinions. If you have ideas on where I can go for expert advice to determine if I have a case, I would appreciate it. THANKS!