There’s currently a controversy around some Hunter Biden emails found on a laptop that he apparently flew from his home in Los Angeles and dropped off with a blind Mac repairman in Wilmington Delaware over a year ago and never picked up. Actually, several controversies — including whether social media like Twitter and Facebook should permit the dissemination of these “hacked” emails. Indeed, Twitter first restricted publication of a New York Post article describing the contents of those emails based on their “policy” not to republish “hacked” information. They later relented, partially on pressure from conservative groups proclaiming censorship, but also based on complaints from mainstream journalists who noted that such a “no hacked information” policy might restrict publication (or social media broadcast) of unsourced or anonymously sourced information, including for example, President Trump’s “leaked” tax returns.
All of this raises the issue of whether and how information can be “stolen,” and whether, under the circumstances in the Hunter Biden case, any of the parties (the repairman, Giuliani’s lawyers, the Post, Twitter) commit any violation of the law. In short, were Hunter Biden’s emails (assuming that they WERE Hunter Biden’s emails) “hacked” under the law?
While we typically think about “computer crimes” — hacking, dDOS, ID fraud, ransomware — it’s really an archaic way of thinking about crime. We don’t think of frauds perpetrated over the phone as “phone crime,” or those through the mails as “envelope crime” (OK, maybe we do, but that’s not the point). More than anything else, what we think of as “computer crime” is a crime against the confidentiality, availability or integrity of information. So was Hunter Biden’s email “hacked?”
Under the Computer Fraud and Abuse Act, 18 USC 1030, which is the principal federal computer crime statute, the term “hacking” of course does not appear. The statute focuses on the “unauthorized access” to or “exceeding authorized access to” or unauthorized “alteration, deletion or destruction” of computers or data contained on those computers. While the statute does not address what constitutes “authorized,” “unauthorized” or “exceeding authorized” access, cases currently pending before the U.S. Supreme Court like HiQ v. LinkedIn and United States v. VanBuren may address those issues in various contexts. With respect to the computer repairman, assuming Hunter Biden gave the computers that contained the emails to the repairman voluntarily and without restriction (the latter being the key), then the repairman likely had “authorized access” to both the computer and the data contained therein.
In fact, the government has relied on this concept to essentially enlist computer repair personnel as informants, using them to scan computers for things like CSAM (kiddie porn), or other things that the government might use as evidence. In a highly publicized case several years ago, the FBI was paying Best Buy “Geek Squad” personnel a bounty (and listing them as confidential informants) to search for files the FBI was interested in on computers brought in for repair, and to provide that information to law enforcement. While the bulk of these cases involve contraband like child pornography which is illegal to possess, and for which certain individuals have a legal duty to report, the question of whether the repair person, in lawful (but temporary) possession of the computer for one purpose (to repair it), may then examine the files on the computer for the purpose not of fixing the computer, but of reporting crime. On the one hand, it’s an example of “if you see something say something,” on the other hand, a good case could be made that the repairman “exceeded the scope of his authorization” to examine the files on the computer for a purpose other than repairing the device. What might complicate this is if Hunter Biden, the computer owner, gave the repairman some limiting instructions — express or implied, like “just fix the power supply” or “find out why the screen is not working…” In those cases, you could argue that, even though the repairman was in lawful possession of the computer (and presumably the data contained in it), they exceeded the scope of their authorization to access the computer when they looked at things that were not necessary to perform the task assigned. The Delaware Computer Crime statute additionally makes it a crime to make an “unauthorized copy” of data — something you can argue that the computer repairperson (and the person who sends kiddie porn to NCMEC or the cops) does as well.
And you thought this would be easy?
So maybe the repairman exceeded the scope of his authorization to access Hunter Biden’s computer and email, and maybe not. You might also look at questions like whether the computer and/or email was protected by a password, but in most cases the repairman will ask the user to divulge their password as a necessary condition of doing the work (at least the lock screen password).
Personally, I think that when you ask someone to repair your computer, you are asking them to repair your computer — not authorizing them to copy anything they find and give it to others. On the other hand, when you hire a cleaning person to clean your house, you run the risk that they will call the cops to report the dead body in the living room or the cocaine stash in the medicine cabinet. That’s the thing about privacy.
So did the repairman “hack” Hunter Biden’s computer? Magic 8 ball says, “Maybe.” But in light of the child porn cases, a Court would likely say that by giving the computer to a third party, you abandoned your expectation of privacy in the computer.
That’s just the box — the computer itself. What about the email on the computer? Just because we like to make things complicated, the law treats stored email differently than it treats other files. Sometimes. Under the Stored Communications Act it is generally illegal to access “stored” communications without authorization. The law treats different kinds of stored communications differently, including those that are stored incident to transmission, those that are in temporary storage, and those that are in more permanent storage. The point was to approximate the IRL world of “interception” of communications in transmission (e.g., wiretaps), reading mail, and reading mail that’s been sitting on the recipient’s kitchen table for a few weeks. (like Jerry Seinfeld’s piece on when clothes become laundry — when does an Ikea catalogue stop being “mail?”) The problem is, the SCA focuses on accessing stored email that is stored by a communications provider, not email that I store on my computer itself. When I store my own email on my own computer, it becomes just another file.
As noted above, if Hunter Biden put restrictions on what the repairman could do on the device (express or implied) this could limit whether the repairman’s access was or was not authorized (and therefore whether or not the emails were accessed without authorization or “hacked.”) In addition, you need to look at the contract (if any) between the computer owner and the repair facility — you know, the fine print. The contract may limit what the repair person can look at and do with the data (or you could add such language), or may restrict the rights of the computer owner.
Having said that the computer repair person can “look” at the files is not the same thing as saying that they can do whatever they want with the files. If you take your photos to a one-hour photo place (yes, I know this is an anachronism, but stay with me here) and the photo shop sees child porn, and they report it to the cops, it’s hard to assert a right to privacy. But if the photoshop place copies your family pictures and posts them to Facebook, or if you take some documents to Kinko’s and they copy and republish your personal diary, you probably have recourse. It’s mostly a question of degree. When (if) Hunter Biden wanted his computer fixed, I doubt any reasonable person would expect that the repairman had the right to copy his emails and give them to Rudy Giuliani. That’s simply not a risk that you could say the computer owner reasonably took.
Copyrights and Wrongs
The repairman did more than simply look at the emails. He copied them. And he transmitted the copies to third parties. Without the consent of the owner of the computer or emails (unless you argue that, by not picking up the computers, Hunter Biden “abandoned” them.) Those actions, in addition to raising concerns about unauthorized access, also implicate civil and criminal copyright law. The act of copying copyrighted materials (and yes, for the most part, emails are copyrighted even without registration with the government) may give rise to claims of infringement. Reading and copying are different things. Now, the repairman might argue some “fair use” or “public interest” exception to the copyright laws, but hey — that’s what lawyers were invented for. To argue about these things.
Right to Privacy
OK, so there are issues about unauthorized access, breach of contract, copyright law, etc., but what about the most fundamental issue – Hunter Biden’s (or anyone else’s) right to privacy. The computer crime laws focus primarily on unauthorized access, and the Fourth Amendment focuses primarily on the reasonableness of the search (and whether the search is done by a government agent.) But these are personal and private (well, corporate and private) communications. Does general privacy law provide some recourse here?
Short answer — maybe. Longer answer – probably not. At least not in the U.S. U.S. privacy law is a patchwork quilt of common law actions like “intrusion into seclusion” and “false light” coupled with data breach laws and a few statutory rights to privacy (e.g., HIPAA for health data and GLBA for financial information). But most of these regulations focus on the entities that collect the data — the banks and hospitals. In Hunter Biden’s case, HE was the data collector. The repairman would be a “data processor.” Moreover, the law focuses on “personal information” or “personally identifiable information” collected or processed – a term that has a specific meaning in the law. The Hunter Biden information was certainly personal and about a specific person (or persons) but may not meet the statutory definition of PII in many states. In fact, as the journalists pointed out in their complaint to Twitter, almost every “leak” or “scoop” involves a reporter finding out information that the subject does not want them to know. So publishing information that someone considers private (like NC Democratic Senatorial candidate Cal Cunningham’s “sexting” scandal or Anchorage AK mayor Ethan Berkowitz’ similar conduct with a local reporter may be an invasion of their privacy, but would not be “hacking” or off limits.
Did you think this would be easy?
So, was Hunter Biden’s email “hacked?” Yes, in the sense that it was read and disseminated without his knowledge or consent. But under the law? Magic 8 ball says, “situation unclear. Ask again later…”
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.