Hacker's Hell: Many want to narrow the Computer Fraud and Abuse Act
Angered that the Internet site PayPal had ceased allowing its users to donate to the controversial online publisher WikiLeaks, 14 computer users allegedly fought back. They sent PayPal multiple communication requests, a program that hackers use to saturate networks with information and crash them.
One of the programmers, Keith W. Downey from Jacksonville, Fla., was charged with violating the Computer Fraud and Abuse Act for unauthorized use of a computer. If convicted, Downey, 28, faces 15 years in federal prison.
Downey is among a growing number of individuals charged with violating the CFAA. In late 2010, Aaron Swartz, a well-known Internet developer, began posing as a guest on the Massachusetts Institute of Technology network and downloaded academic journals from the digital library JSTOR. Swartz, an open-source leader who developed the RSS feed, was charged with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a computer. He faced up to 35 years.
In January the 26-year-old Swartz was found dead in his Brooklyn apartment, where he had hanged himself. Friends and family say the indictment was why he killed himself, although Carmen M. Ortiz, the Massachusetts U.S. attorney whose office prosecuted the case, said after his death that her agency would have agreed to a six-month sentence. Ortiz’s public statement added, however, that “this office’s conduct was appropriate in bringing and handling this case.”
CALL FOR UPDATE
Many lawyers and computer experts say the Computer Fraud and Abuse Act, adopted in 1984, is outdated. They claim it is too broad, and that it allows U.S. attorneys to abuse it. In some cases, prosecutors go after minor uses of the Internet, like downloading lists or sharing information by email.
Downey’s case was brought by the U.S. attorney’s office for the Northern District of California. Neither that office nor the Massachusetts U.S. attorney’s office would comment.
Shortly after Swartz’s death, U.S. Rep. Zoe Lofgren, D-Calif., introduced amendments to the CFAA. Called Aaron’s Law, the bill proposes excluding terms-of-service violations from the act and wire fraud statutes. If passed, it would make clear that the CFAA is a data trespass statute, not a data misuse statute.
“The idea that for downloading too many academic articles you could be facing decades in prison—that’s absurd,” says John Hamasaki, a San Francisco lawyer who represents Downey.
“While some people think Aaron went too far, there is no social consensus that what he did was a crime,” says Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society. She says that the act should not apply to breaches of contract. Swartz was charged with accessing MIT and JSTOR without authorization.
A JSTOR statement noted that it reached a civil settlement with Swartz, and that he agreed to turn over the articles. That served the digital library’s interests in the matter, according to the statement.
Yet others find Swartz’s behavior questionable. “If you’re simply looking at what they alleged in the indictment, it tracks the statute,” says Patrick E. Corbett, a professor at Thomas M. Cooley Law School and a former federal prosecutor who studies computer crimes.
“As much as his heart may have been in the right place,” Corbett adds, “Aaron Swartz appeared to be a guy who decided he didn’t like a law and he was going to break it, rather than work with Congress to change the law.”
In September 2010, Swartz registered with MIT’s computer network as a guest, using false information, according to the government. A program that could submit download requests rapidly pulled the articles, the government claimed, and confused JSTOR’s computerized efforts to restrict volume.
When the JSTOR system recognized the problem, it refused communication with Swartz’s assigned IP address. The next day, the government said, Swartz established a new IP address and downloaded more JSTOR articles. That IP address was also blocked.
Swartz repeated his actions in October 2010, according to the indictment, and in response JSTOR briefly blocked MIT’s access.
In November Swartz returned to MIT. He allegedly entered a restricted network-interface closet, plugged a laptop directly into the network and assigned himself two IP addresses. He returned in January 2011, the indictment stated, replacing his laptop’s external hard drive.
According to the government, Swartz knew the closet had security cameras and shielded his face with a bicycle helmet when entering.
Downey and 13 others were part of the online hacking collective called Anonymous, according to the indictment. They sent PayPal a program known as a Low Orbit Ion Cannon, a computer network stress test used to crash a network. Downey is charged with intentionally causing damage without authorization to a protected computer.
The motive was a protest of PayPal’s termination of its WikiLeaks donation account, after WikiLeaks published classified cables from the U.S. Department of State.
PayPal claimed that its site was hampered for several hours, the New York Times reported. PayPal also claimed the incident caused $5.6 million in damages, Hamasaki says. He questions whether the amount is an actual loss, since it’s not in PayPal’s annual report.
Cooley law professor Corbett says that the CFAA as written allows for a wide range of prosecution theories. In addition, he says, courts interpret the statute differently.
TOLERANCE VARIANCE
In 2011 the 11th U.S. Circuit Court of Appeals at Atlanta upheld a 12-month sentence for a former Social Security Administration employee who was convicted of violating the CFAA’s provision against unauthorized access. Roberto Rodriguez’s crime involved using agency databases to get in-formation about his ex-wife and girlfriend, and to pull information about women he wanted to date.
In 2012, the 9th Circuit at San Francisco found that an employee could not be prosecuted for exceeding authorized access on an employer’s computer system. Defendant David Nosal was a former Korn/Ferry International employee who allegedly convinced current employees to download a confidential source list. The executive search firm had a policy prohibiting the use of work computers for nonbusiness purposes.
The en banc opinion noted that employees routinely use work computers for nonbusiness purposes, like reading personal emails, checking Facebook or chatting with friends. Some businesses prohibit that, the court wrote, but rarely are employees disciplined for it.
“Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes,” Chief Judge Alex Kozinski wrote for the majority.
Eventually the issue will reach the Supreme Court, says Orin S. Kerr, a professor at George Washington University Law School. It’s likely, he says, that the court would take a narrow view of the statute.
“Courts are struggling to interpret the law,” Kerr says. “The key question is: What is ‘authorization?’ ”
Also, the statute has become so broad that individuals may not realize they are violating it, says Ridgewood, N.J., lawyer Susan C. Cassell. She represented Daniel Spitler, who was accused of hacking AT&T servers and taking personal emails from iPad users.
Spitler thought that co-defendant Andrew Auernheimer, whom he had never met in person, would alert AT&T about the security breach, Cassell says. Instead, a copy of the emails was shared with the website Gawker.
The government claims the two chatted online about potential financial gains. In 2011 Spitler pleaded guilty to one count of conspiracy to gain unauthorized access to computers and one count of identity theft. In 2012 a New Jersey federal jury convicted Auernheimer of conspiracy to gain unauthorized access to com-puters and identity theft. In March he was sentenced to 41 months.
Tor Ekeland, a lawyer in Brooklyn, represents Auernheimer. He also represents Reuters’ deputy social media editor, Matthew Keys, who was indicted in March for allegedly helping Anonymous hack the website Tribune.com. Keys, 26, faces up to 25 years in prison if convicted.
Cassell notes that the men merely obtained email addresses.
“That doesn’t seem to be the kind of information that needs to be protected under the CFAA, like Social Security numbers and bank account information,” she says. “[Email addresses] are like phone numbers.”