Did The NYTimes Violate The Stored Communications Act?

Felix Salmon isn’t impressed by the explanation of how the NYTimes found emails intended to be delivered to former Goldman Sachs trader Fabrice Tourre. As a reminder, as the NYTimes puts it, Tourre earned "the dubious distinction of becoming the only individual at Goldman and across Wall Street sued by the Securities and Exchange Commission for helping to sell a mortgage-securities investment, in one of the hundreds of mortgage deals created during the bubble years."

Back to the emails. Here’s the NYTimes’ version:

These legal replies, which are not public, were provided to The New York Times by Nancy Cohen, an artist and filmmaker in New York also known as Nancy Koan, who says she found the materials in a laptop she had been given by a friend in 2006.

The friend told her he had happened upon the laptop discarded in a garbage area in a downtown apartment building. E-mail messages for Mr. Tourre continued streaming into the device, but Ms. Cohen said she had ignored them until she heard Mr. Tourre’s name in news reports about the S.E.C. case. She then provided the material to The Times. Mr. Tourre’s lawyer did not respond to an inquiry for comment.

Felix raises a couple problems with this form of journalist sourcing:

I’m sure this was extremely carefully formulated, but it does raise a lot of questions without answering them. Tourre’s name was splashed over the newspapers in April 2010, so it stands to reason that the NYT has had some kind of access to Tourre’s private, password-protected email account — not to mention archives going back at least to 2006 — for a good year at this point. I’d also guess that the NYT is going public with its source now because Tourre finally got around to changing his password, and the stream of emails then dried up.

He concludes:

I understand that the computer was found in a garbage area, and that there’s a long tradition of investigative reporters using information found in the trash. But if Tourre left a key to his apartment in the trash, that wouldn’t give reporters the right to use that key to enter his apartment and snoop around. The laptop was essentially a key to Tourre’s email account — which held highly confidential correspondence between Tourre and his lawyers. An email account, these days, is arguably more private than an apartment, and breaking into a password-protected email account is clearly wrong.

Indeed, there are a couple laws which cover this type of illicit surveillance of someone else’s communications, namely the Computer Fraud and Abuse Act (“CFAA”), Stored Communications Act (“SCA”), and Wiretap Act (“Wiretap Act”), all criminal statutes that also permit, in certain circumstances, alleged victims to bring civil actions independent of any pending or filed criminal proceeding.

The potential SCA violation jumps out at me. "The purpose of the SCA was, in part to protect privacy interests in personal and proprietary information and to address the growing problem of unauthorized persons deliberately gaining access to, and sometimes tampering with, electronic or wire communications that are not intended to be available to the public." Penrose Computer Marketgroup, Inc. v. Camin, 682 F. Supp. 2d 202, 209 (N.D.N.Y 2010)(quotations and citations omitted).

18 U.S.C. § 2701(a)(1) establishes liability for anyone who "intentionally accesses without authorization a facility through which an electronic communication service is provided." I don’t think it’s too much of a stretch to say that, when a person knowingly keeps using a computer which is automatically obtaining emails from a server, that person "intentionally accesses without authorization a facility through which an electronic communication service is provided." Indeed, as Penrose Computer noted, "’The Senate Report explaining the statute . . . [states] for example, that a subscriber to a computer mail facility would violate the statute by accessing the electronic storage of other subscribers to the facility without specific authorization to do so.’" Id., citing S.Rep. No. 99-541, at 9 (1986)(internal citation omitted).

Isn’t that reference to "computer mail" quaint? Bear in mind that the Senate report was prepared in 1986.

Back to the point: did the NYTimes or its source think they had "specific authorization" to read Tourre’s emails just because it found his discarded laptop? I find that unlikely, to say the least. 

It seems the NYTimes might have a wee bit of a problem here. 

UPDATEBusiness Insider read this post and asked the NYTimes what they thought. The NYTimes responded,  "As we disclosed in our story, certain documents were provided to us by a named source. The Times did not ‘hack’ any email accounts or ask anyone to do so.  We are confident that our receipt and use of those documents was in keeping with our journalistic standards and complied with the law."

Mere receipt of e-mails that were obtained in violation of the SCA, which is what the NYTimes’ statement seems to focus on, would likely not trigger SCA liability, but that’s not the issue. The issue is if Cohen/Koan continued to receive emails using the laptop — as the NYTimes story says, "E-mail messages for Mr. Tourre continued streaming into the device" — and the NYTimes was involved in that process, as Felix suspects they might have been. Such continued access to the server sending out emails would indeed create SCA liability.