College Student Accused of Hacking Sarah Palins Email Account Convicted of Hacking

May 3, 2010 by David S. Seltzer

Some news from last Friday caught my eye as a West Palm Beach hacking criminal defense lawyer. According to the BBC, a Tennessee federal jury has convicted 22-year-old David Kernell of unauthorized access to a computer and felony obstruction of justice. Kernell was 20 and a student at the University of Tennessee when he briefly became famous for breaking into the Yahoo! email account of then-vice presidential candidate Sarah Palin. He is also the son of Tennessee state representative Mike Kernell, D-Memphis. The younger Kernell also faced a charge of wire fraud, of which he was acquitted, and a charge of identity theft, which ended with a hung jury. At his sentencing, he faces up to 20 years in prison for the obstruction of justice charge, a felony, and up to a year on the misdemeanor unauthorized access charge.

Although media reports say Kernell was accused of “hacking,” he did not get into the account through hacking as it’s generally understood. Rather, he used the “lost password” feature used by Yahoo! mail and other websites and used publicly available information about the candidate, or educated guesses, to answer the site’s “security questions.” After getting into the email account, the Associated Press reported during the trial, Kernell bragged about it in “obscenity-laced” Internet postings, and posted screenshots including family photos and the phone number of Bristol Palin, Sarah Palin’s eldest daughter. Bristol Palin and a former Palin aide said they received harassing calls, texts and emails because their information was compromised by Kernell. He may also have had access to information related to Palin’s former job as governor of Alaska.

One of the things that interests me about this case is that the bulk of the prison time Kernell faces comes from the obstruction of justice charge. That charge stems from his decision to delete the evidence from his computer before authorities could find it. My experience as a Miami cyber crime criminal defense attorney has repeatedly shown that it’s hard to delete things from a hard drive in a way that data recovery professionals cannot undo. Thus, Kernell faces up to 20 years in prison for deleting the evidence, but only up to one year for the actual crime, a misdemeanor. Of course, he may not be sentenced to all of that time; the decision is up to a judge.

Another interesting issue was the fact that the jury was hung on the identity theft law. The federal statute on identity theft has eight subsections, but none are quite right to describe what Kernell did; for example, he did not intend to defraud the United States, or knowingly possess five or more identification documents. It’s even debatable whether he possessed an “authentication feature” within the meaning of the statute. Kendall may be retried on that count, but some observers doubt it. However, it’s clear that Kernell’s behavior did fit the federal definition of “unauthorized access,” even though it wasn’t technically hacking. To convict someone under the relevant federal law, prosecutors only have to show that he or she “intentionally accesse[d] a computer without authorization or exceeds authorized access, and thereby obtain[ed]... information from any protected computer.” Florida’s state-law version, “offenses against computer users,” also sets a low bar.

I’d like to be clear that I don’t believe Kernell should face no penalties at all. No matter what your politics, it’s an invasion of privacy, not a harmless “college prank,” to break into someone else’s email account and post their personal information online. The testimony at trial about the effects on the lives of the Palins and their associates reflects that, as does the conviction for misdemeanor unauthorized access. But as a Fort Lauderdale hacking criminal defense attorney, I hope the judge sticks to the low end of the sentencing for the obstruction of justice charge, keeping in mind that the underlying crime was a misdemeanor. And if authorities do try to bring another identity theft charge, I hope they can mount a stronger case than the facts available to the public suggest they have. Guessing a password isn’t appropriate behavior, but it is not the financial fraud that identity theft laws were meant to penalize.