An indictment by a federal grand jury has issued in Knoxville, Tennessee with respect to the alleged hacking of Alaska Governor Sarah Palin's Yahoo email account. The defendant, David Kernell, the son of Tennessee Representative Mike Kernell, has pleaded not guilty. If convicted, David Kernell could be sentenced to up to five years in prison, along with a hefty fine and years of supervised release. Trial in the case is currently set for December 16, well after the Presidential election. The question at this point might be whether the indictment stands up as a matter of law.
The indictment alleges that David Kernell is a resident of Knoxville and that he has used the nicknames "rubico" and "rubico10" on the Internet. The indictment asserts that Governor Palin maintained and used the email account email@example.com. According to the indictment, the existence of this email account was disclosed publicly on September 10 by several news sources.
On September 16, David Kernell allegedly gained unauthorized access to this email account by resetting the password using Yahoo's password-recovery tool. The indictment states that he reset the password to "popcorn" by researching and then correctly answering a set of personal security questions.
After he gained control over the email account by changing the password, David Kernell then read the contents and made screenshots of the email directory, email content and other personal information, as alleged in the indictment. The personal information included, according to the indictment, other email addresses of family members, photos of family members, a cell phone number of a family member, Governor Palin's birth date and the birth date of another family member, and the Governor's address book for her Yahoo email account. The screenshots obtained from the account were posted on the Internet, and David Kernell posted the reset password, enabling a means of access for others to the account, as asserted in the indictment.
The indictment alleges that at least one other individual successfully used the reset password to gain access to Governor Palin's email account, and that in contemplation of a law enforcement investigation, David Kernell removed, altered, concealed and covered up files on his laptop computer.
The indictment in part charges David Kernell with being in violation of the Computer Fraud and Abuse Act because, "in furtherance of the commission of a criminal act . . . , intentionally and without authorization [he] accessed a protected computer by means of an interstate communication and thereby obtained information, and did aid and abet the same."
To bring the case as a felony, instead of a simple misdemeanor, the government was required to assert that the unauthorized access was "committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State."
The problem here is that the indictment nowhere sets forth the crime or tort that the alleged unauthorized access was suppose to further. Simply referring to the Computer Fraud and Abuse Act and another intrusion statute within the indictment likely should not lead to felony enhancement - otherwise, the enhancement would be triggered for an alleged crime supposedly committed in furtherance of itself.
One would think that enhancement only should be permitted when the alleged unauthorized access is committed in furtherance of a separate crime. If that were not the case, then one could imagine that practically every misdemeanor under the statute automatically could be asserted as a felony as a crime in furtherance of itself. This would seem to defeat the intent of the statutory language.
Perhaps defense counsel will seek to attack the indictment prior to trial as being defective for these reasons. Time will tell how this matter will proceed.