Last week, the media reported that hackers had obtained unauthorized access to vice-presidential candidate Sarah Palin’s personal Yahoo! e-mail account. Within hours, photos of her family and screenshots of her messages were posted on various Web sites.
You might think that such access is difficult to achieve. It isn’t. You also might think it’s illegal to read someone else’s stored e-mail messages. But according to the Bush administration, it’s not.
Breaking into a Yahoo! e-mail account is simplicity itself. You just have to take advantage of Yahoo’s “forgot my password” feature. If you know your target’s birthday, country of residence, and zip code, you’re almost there. Your last hurdle is to answer a security question. If you answer it successfully, you can trick Yahoo! into giving you access to the account.
The hacker who broke into Palin’s account claims he used Wikipedia to retrieve Palin’s birth date and zip code. To answer the security question (“Where did you meet your spouse?”), he consulted a search engine. Within minutes, he was reading her e-mail.
Incredibly, this type of access is perfectly legal, according to the Department of Justice. It claims that e-mails that you open but leave on the mail server of Yahoo! or another online e-mail service have no legal protection. That’s despite the fact that courts in the Ninth Circuit (where both Palin and Yahoo! are) have ruled that federal law prohibits unauthorized access to both read and unread e-mails. But since the DOJ disagrees with these decisions, it’s highly unlikely it will prosecute Palin’s hacker—or anyone else who accesses an account this way.
Why does the DOJ take this position? I think it’s to make it easier for federal investigators to snoop into anyone’s e-mail account at will. That’s despite the fact that to read your stored e-mails, police ordinarily need only demonstrate that the information sought is relevant to an investigation. There’s no warrant required.
How can you protect yourself from this kind of surveillance? First, don’t keep copies of any e-mail you send or receive on Yahoo!, Gmail, and similar online services. Second, when you sign up, don’t use your real birthday, zip code, or country of residence as an identifier. This prevents the kind of hack that Palin suffered.
Finally, practice safe e-mailing. Encrypt your messages with a program like PGP, and never send an unencrypted message to anyone that you wouldn’t be willing to have printed on the front page of The New York Times.
Copyright © 2008 by Mark Nestmann



