This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Sep. 26, 2017

How the Computer Fraud and Abuse Act is being misused

Last month I discussed how the CFAA has strayed from its roots. This month, I want to discuss examples of how the act is being misused today.

Jason S. Leiderman

Law Offices of Jay Leiderman

Email: Jay@Criminal-Lawyer.me

"Jay" Leiderman is an attorney in Ventura who specializes in hacking and computer crime.

Aaron Swartz in Miami in 2009.

HACKING THE LAW

In last month’s column I discussed how far the Computer Fraud and Abuse Act has strayed from its roots. According to the Guardian: “One night in June 1983, [film enthusiast Ronald Reagan] sat down [ ] to watch WarGames. The film stars Matthew Broderick as a tech-wiz teenager who unwittingly hacks into the main computer at Norad, the North American Aerospace Defense Command. [Broderick almost starts global thermonuclear warfare.] ¶ [Reagan asked] John Vessey, the chairman of the joint chiefs: “Could something like this really happen?” A week later Vessey said it could.”

Accordingly, 1984 saw the first computer law in the U.S. It was designed to prevent the “realistic” situation in “WarGames.” In 1986, the 1984 law was replaced by the CFAA, the present statute. Columbia professor Tim Wu has referred to the CFAA as “the worst law in technology.” “It shows how aggressive they are, and how they seek to destroy your reputation in the press even when the charges are complete, fricking garbage,” said prominent CFAA lawyer Tor Ekeland.

I want to discuss a number of cases that show how the CFAA is being misused today.

Commander X

My first CFAA client was Christopher Doyon, aka “Commander X.” X had been homeless for decades by choice. He preferred it. Yes, this was a pro bono case. X and one other person performed a DDoS (Distributed Denial of Service) on the Santa Cruz County computer network at lunchtime, when they knew activity would be slow so as not to disturb the public. The DDoS was a protest over the Santa Cruz laws that had the net effect of outlawing homelessness by preventing homeless persons from sleeping for more than 45 minutes at any time.

The media and county were alerted beforehand about the nature of the protest. At noon, the DDoS began. The county’s servers were slowed for 17 minutes. They never went offline. Damages were calculated at around $6,300.00.

X was indicted and faced 15 years in prison and a $500,000 fine. Due to what he perceived as harsh pretrial release conditions, he fled to Canada where it is presumed he remains.

The Environmentally Conscious Park Ranger(s)

In January, there were gag orders issued by the White House to various federal departments and agencies, with a particular emphasis on social media. Soon thereafter a Twitter feed from a national park started tweeting about climate change. Though this case is yet to be charged (and may never be), it appears that these tweets probably constitute a violation of 18 U.S.C. Section 1030(a)(3), the CFAA’s government computer provision that criminalizes acting “without authorization to access any nonpublic computer of a department or agency of the United States.” If convicted, the person sending the tweet could receive up to one year in prison and a $250,000 fine.

The High School Journalism Prank

In 1998, a Wisconsin high school student wrote about — but did not act upon — a school computer system’s security flaws for an underground high school paper. He was expelled, partially based upon the fact that he may have violated Wisconsin’s anti-hacking statute, modelled after the CFAA. See Boucher v. School Bd. of Greenfield, 134 F.3d 821, 824 n.3 (7th Cir. 1998). The Wisconsin law at issue is an amalgam of the CFAA’s 1030(a)(5) and (6).

In Boucher, “[T]he Board concluded that the article ‘provided instruction to the public and unauthorized persons on how to access the school district computer programs and disclosed restricted access information to the school district’s computers’ in violation of Wisconsin’s computer crimes law, Wis. Stat. § 943.70(2).”

Andrew Auernheimer, aka “weev”

When the generation 1 iPads first came out, each user was provided a webpage linked to their device. The problem was that the web pages were public. With enough know-how and some guesswork, one could access all of the iPad pages. When weev’s friend-turned-snitch Daniel Spitler got an iPad, he realized that his page was public-facing, and wrote a “slurper” script (it literally “sucked up” all of the information) that gave him the information on 114,000 other iPads.

In simple terms, let’s call the first iPad sold iPad #1. #1’s owner page might have been www.apple.com/ipad/1. It doesn’t take a genius to figure out that someone probably has the same thing, but it ends with /2, and so on. It was simply a guess. These sites contained some sensitive and supposed-to-be private information.

weev told AT&T, then the sole distributor of iPads, of this serious security flaw. When they failed to act, and refused to fix the problem, he gave the 114,000 addresses to Gawker. Gawker redacted and published the information.

weev was sentenced to 41 months in prison for violating the identity theft statutes with the CFAA as the relevant conduct behind the crime. He was released after 18 months after his successful appeal on jurisdictional grounds.

Matthew Keys

Reuters’ social media editor Matthew Keys didn’t do any hacking himself. But he did remember the login credentials for his old job at an affiliate at the Chicago Tribune. In December 2010, he allegedly passed them on to a couple members of hacktivist collective Anonymous. Thus, Keys is allegedly responsible for hackers using that login info to deface an insignificant Los Angeles Times article. By the government’s own admission, Matthew Keys’ hacking crime was minor. Nonetheless, he faced charges of 25 years in prison and $750,000 in fines. He was ultimately sentenced to two years in prison.

Fidel Salinas Faced 440 Years

Salinas faced 440 years because the prosecution added a new charge for every time Salinas had merely entered text into an unnamed victim’s website over the course of a few minutes. Ultimately, the nonsensical charges were reduced to a single misdemeanor: slowing down a state government website by repeatedly querying it with vulnerability-scanning software.

Robert Riggs and the $13 Computer File

In the 1990s, Riggs found a file on a telephone carrier’s website that discussed a 911 protocol program. Riggs shared the file with a co-conspirator. Charges were dropped when, under cross-examination, a Bell South employee revealed to the court that the file was available to the public for $13.

United States v. Kramer

Kramer (63 F.3d 900 (8th Cir. 2011)) involved the use of a cellphone that was neither a smartphone nor connected to the internet. The 8th U.S. Circuit Court of Appeals recognized that “The language of 18 U.S.C. § 1030(e)(1) is exceedingly broad … [and] can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators.” The court left it up to the U.S. Sentencing Commission or Congress to fix this mess.

Aaron Swartz

Internet activist Aaron Swartz’s CFAA prosecution is one of the leading reasons critics want to reform the law. Swartz was indicted in 2011 after connecting to an MIT network and downloading 2.7 million academic papers that were freely available to any campus visitor through the JSTOR service. Though these articles were publicly funded, they were behind a paywall and the public had to pay to access the articles. JSTOR didn’t pursue a complaint, but the Justice Department prosecuted anyway, saying Swartz violated the terms of service by downloading the documents with the intent to distribute them off-campus. “Stealing is stealing,” U.S. Attorney Carmen Ortiz said.

Prosecutors charged Swartz with four felony counts, but later increased this to 13 counts by delineating each date he downloaded documents and turning them into separate counts, thereby greatly increasing the maximum sentence he faced. Prosecutors offered Swartz a plea deal that would have had him serve six months in prison, but he rejected it because he didn’t want any prison time, or a felony conviction on his record. Three months before his trial, Swartz committed suicide, which the bulk of society blamed in part on the overzealous prosecution.

A congresswoman subsequently proposed a CFAA revision known as “Aaron’s Law” that would have excluded terms of service violations from the CFAA. The bill went nowhere and has not been reintroduced in subsequent years.

And that is where CFAA reform remains: ignored.
