The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:
Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.
But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:
The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.
New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.
Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.
Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.
There have been a bunch of stories going around about how 5-year-old Kristoffer Von Hassel figured out a way to hack the Xbox Live password system. Kristoffer's parents noticed that their son was logging into his father's account and playing games he wasn't supposed to be playing. They asked him how he was doing it and he showed them:
Just after Christmas, Kristoffer's parents noticed he was logging into his father's Xbox Live account and playing games he wasn't supposed to be.
“I got nervous. I thought he was going to find out,” said Kristoffer.
In video shot soon after, his father, Robert Davies, is heard asking Kristoffer how he was doing it.
A suddenly excited Kristoffer showed Dad that when he typed in a wrong password for his father’s account, it clicked to a password verification screen. By typing in space keys, then hitting enter, Kristoffer was able to get in through a back door.
Kristoffer's father, Robert Davies, works in computer security (which, frankly, makes me a little skeptical that Kristoffer really made this discovery), and submitted the bug to Microsoft, who not only quickly fixed it, but also listed Kristoffer on their March "acknowledgements" for security researchers who helped them find bugs and vulnerabilities.
Of course, the flip side to this story is how we've seen the CFAA used in the past to go after people discovering similar flaws. Compare the story of Kristoffer to the story of Andrew "weev" Auernheimer. Kristoffer clearly exceeded authorized access to the Xbox Live system in order to obtain something of value (perhaps he gets off because the "something" is not worth more than $5,000, but still...). Of course, weev is an obnoxious internet troll, and Kristoffer is a cute 5-year-old. I guess that's what's meant by "prosecutorial discretion."
We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk -- who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.
Throughout the case, it's been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev's case, that the DOJ really has no idea what weev did. They're just sure it's bad because it involves computers and stuff. Seriously, as reported by Vice:
"He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.
Say what? If that's the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It's likely that under that "standard" Moramarco himself is a felon, because I'll bet he "decrypts and decodes and all of these things he doesn't understand" on pretty much a daily basis. But, a tip to the US Attorneys' office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you've locked up has done.
But, Moramarco apparently doesn't want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.
Yes, apparently exposing the fact that AT&T left its customers' info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.
As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn't have brought the case anywhere (one judge apparently mentioned Hawaii).
The case is important because of all the CFAA abuse we've seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ's own admissions of its lack of understanding about weev's actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn't like and doesn't understand.
from the not-so-fun-when-it's-your-metadata,-huh? dept
Earlier today, we wrote about Senator Dianne Feinstein's justified anger over the CIA "spying" on the Senate Intelligence Committee staffers as they went about putting together a massive (and apparently incredibly damning) report condemning the CIA's torture program. Having now watched the whole video of her speech, as well as read the transcript, there's a lot more here to discuss. You can watch the speech yourself if you'd like, or read the full transcript, which we've embedded below:
Apparently, some of the concerns actually stem from an earlier incident, from back in 2010, during which the CIA deleted access to a bunch of documents that it had previously given to the committee staffers. This came after an initial fight over whether or not the CIA would interfere with the staffers' efforts. The Intelligence Committee eventually agreed with the CIA's request that the research work be carried out on the CIA's premises, but only after the CIA promised not to interfere and to leave the staffers alone. The staffers requested lots of documents, and the CIA did a full pure data dump on them, just handing over piles and piles of documents with no context at all. Basically, it appears the CIA sought to bury the staffers in bullshit, hoping to hide many of the important bits. In response, the staffers asked the CIA to provide an electronic search engine, in order to go through the electronic documents. Also, to keep things organized, the staffers would regularly make local copies and/or print out key documents so they could more easily organize them and keep track of them. Based on this, they noticed that some documents that had initially been available "went missing" in 2010:
In May of 2010, the committee staff noticed that [certain] documents that had been provided for the committee’s review were no longer accessible. Staff approached the CIA personnel at the offsite location, who initially denied that documents had been removed. CIA personnel then blamed information technology personnel, who were almost all contractors, for removing the documents themselves without direction or authority. And then the CIA stated that the removal of the documents was ordered by the White House. When the committee approached the White House, the White House denied giving the CIA any such order.
After a series of meetings, I learned that on two occasions, CIA personnel electronically removed committee access to CIA documents after providing them to the committee. This included roughly 870 documents or pages of documents that were removed in February 2010, and secondly roughly another 50 were removed in mid-May 2010.
This was done without the knowledge or approval of committee members or staff, and in violation of our written agreements. Further, this type of behavior would not have been possible had the CIA allowed the committee to conduct the review of documents here in the Senate. In short, this was the exact sort of CIA interference in our investigation that we sought to avoid at the outset.
Apparently, this snafu was settled quietly between the intelligence committee and the CIA, with the CIA promising not to do it again.
Now, as we've been pointing out, and which was revealed by McClatchy and the NY Times last week, this latest fight is focused mostly on a draft of an internal review by the CIA of the torture program, conducted for then director Leon Panetta. Feinstein reveals some more key details about this document. First, it appears that Panetta more or less ordered the CIA to conduct what appears to be a "shadow review" of the very same documents that were being handed over to the Senate staffers. The report, as noted, appears to come to the same basic conclusions about the CIA's torture program (i.e., that it went to insane lengths and produced absolutely nothing in the way of useful intelligence). This internal review also contradicted the CIA's "official response" to the Intelligence Committee's own report.
Here's where it gets a bit trickier. When current CIA director John Brennan was asked for the full internal report, rather than the draft that the staffers had, there appears to have been a freakout at the CIA, because no one had intended for the intelligence committee to see the report, either as a draft or final report. The CIA appears to have believed that Senate staffers got access to the report illegally (hence the CIA's request that the staffers be investigated for illegal activity). Feinstein denies all of this and notes that the draft report was among the many documents provided in the data dump -- in what now looks like an accident by the CIA folks (and some contractors) in charge of compiling the data dump for the intelligence committee. The staffers "found" this document by using that search tool, which they'd asked the CIA to provide.
Feinstein goes on to reject the claims made by the CIA and CIA supporters that (1) the staffers should have known not to read the documents since they were marked "deliberative" or "privileged" and (2) that they somehow "mishandled" those classified documents by printing them out and bringing them to the Senate. As she notes, both of those claims make little sense. On the classification:
As with many other documents provided to the committee at the CIA facility, some of the Internal Panetta Review documents—some—contained markings indicating that they were “deliberative” and/or “privileged.” This was not especially noteworthy to staff. In fact, CIA has provided thousands of internal documents, to include CIA legal guidance and talking points prepared for the CIA director, some of which were marked as being deliberative or privileged.
Moreover, the CIA has officially provided such documents to the committee here in the Senate. In fact, the CIA’s official June 27, 2013, response to the committee study, which Director Brennan delivered to me personally, is labeled “Deliberative Process Privileged Document.”
We have discussed this with the Senate Legal Counsel who has confirmed that Congress does not recognize these claims of privilege when it comes to documents provided to Congress for our oversight duties.
That takes care of that. On the question of mishandling the documents, the argument is not quite as strong, but still quite reasonable. Yes, it does appear that staffers did not follow the exact process for removing the documents -- in that they were supposed to first review it with CIA staffers, but the reasoning here is not so crazy. The review process was supposedly just so that the CIA could make sure that names of key people or details of operations weren't revealed. The staffers made sure that all such info had been redacted before moving the document -- and, of course, they recognized that this document was a bit of a smoking gun for the CIA in that it appeared to confirm that Director Brennan had been lying to the committee. Taking it to the CIA to review would be an odd move -- especially for staffers tasked with oversight of the CIA itself. Even more important, the staffers noticed that, like back in 2010, that draft review document suddenly "disappeared" from their computer system, despite the previous promises that the CIA wouldn't do that any more (also, she points out that the CIA had previously destroyed early evidence about their torture program). So they made the entirely reasonable decision to make a copy and store it in the Senate:
When the Internal Panetta Review documents disappeared from the committee’s computer system, this suggested once again that the CIA had removed documents already provided to the committee, in violation of CIA agreements and White House assurances that the CIA would cease such activities.
As I have detailed, the CIA has previously withheld and destroyed information about its Detention and Interrogation Program, including its decision in 2005 to destroy interrogation videotapes over the objections of the Bush White House and the Director of National Intelligence. Based on the information described above, there was a need to preserve and protect the Internal Panetta Review in the committee’s own secure spaces.
Now, the Relocation of the Internal Panetta Review was lawful and handled in a manner consistent with its classification. No law prevents the relocation of a document in the committee’s possession from a CIA facility to secure committee offices on Capitol Hill. As I mentioned before, the document was handled and transported in a manner consistent with its classification, redacted appropriately, and it remains secured—with restricted access—in committee spaces.
Now that brings us to the latest "fight." In late 2013, after the intelligence committee had seen that draft report, it had requested the final report from the CIA. That set off alarm bells in the CIA when they realized that the committee knew such a report existed, leading to a freakout and further "searching" the staffers' supposedly private computers and networks:
Shortly thereafter, on January 15, 2014, CIA Director Brennan requested an emergency meeting to inform me and Vice Chairman Chambliss that without prior notification or approval, CIA personnel had conducted a “search”—that was John Brennan’s word—of the committee computers at the offsite facility. This search involved not only a search of documents provided to the committee by the CIA, but also a search of the ”stand alone” and “walled-off” committee network drive containing the committee’s own internal work product and communications.
According to Brennan, the computer search was conducted in response to indications that some members of the committee staff might already have had access to the Internal Panetta Review. The CIA did not ask the committee or its staff if the committee had access to the Internal Review, or how we obtained it.
Instead, the CIA just went and searched the committee’s computers. The CIA has still not asked the committee any questions about how the committee acquired the Panetta Review. In place of asking any questions, the CIA’s unauthorized search of the committee computers was followed by an allegation—which we have now seen repeated anonymously in the press—that the committee staff had somehow obtained the document through unauthorized or criminal means, perhaps to include hacking into the CIA’s computer network.
As I have described, this is not true. The document was made available to the staff at the offsite facility, and it was located using a CIA-provided search tool running a query of the information provided to the committee pursuant to its investigation.
Of course, as Julian Sanchez points out, from this description, it certainly appears that the CIA was collecting "just metadata," and, as you may recall, Feinstein has been at the forefront of arguing that no one should care about the NSA's activities, because it's just metadata. Kinda funny how perspective shifts when it's your metadata being discussed. Suddenly, it becomes a constitutional issue:
Based on what Director Brennan has informed us, I have grave concerns that the CIA’s search may well have violated the separation of powers principles embodied in the United States Constitution, including the Speech and Debate clause. It may have undermined the constitutional framework essential to effective congressional oversight of intelligence activities or any other government function.
Besides the constitutional implications, the CIA’s search may also have violated the Fourth Amendment, the Computer Fraud and Abuse Act, as well as Executive Order 12333, which prohibits the CIA from conducting domestic searches or surveillance.
And yet that doesn't apply when the NSA spies on all Americans? Yes, Feinstein is absolutely right to be angry about this. It is an astounding breach of protocol, and given that it's the Senate Intelligence Committee's job to oversee the CIA, it appears to be quite a brazen move by the CIA to effectively undermine the Senate's oversight. It's just too bad she doesn't see how the very same things she's angry about concerning her own staff apply equally to everyone else.
There's one other issue in the speech that should be highlighted as well. She notes both of the referrals (that we've previously discussed) to the DOJ: the request to investigate the CIA's activities, and the CIA's tit-for-tat response asking for an investigation into the staffers' access and removal of the draft Panetta review. Feinstein also points out that the person at the CIA who filed the crimes report against her staffers at the DOJ was heavily involved in the torture program the report condemns, and certainly suggests that the move is much more about intimidating Senate overseers:
Weeks later, I was also told that after the inspector general referred the CIA’s activities to the Department of Justice, the acting general counsel of the CIA filed a crimes report with the Department of Justice concerning the committee staff’s actions. I have not been provided the specifics of these allegations or been told whether the department has initiated a criminal investigation based on the allegations of the CIA’s acting general counsel.
As I mentioned before, our staff involved in this matter have the appropriate clearances, handled this sensitive material according to established procedures and practice to protect classified information, and were provided access to the Panetta Review by the CIA itself. As a result, there is no legitimate reason to allege to the Justice Department that Senate staff may have committed a crime. I view the acting general counsel’s referral as a potential effort to intimidate this staff—and I am not taking it lightly.
I should note that for most, if not all, of the CIA’s Detention and Interrogation Program, the now acting general counsel was a lawyer in the CIA’s Counterterrorism Center—the unit within which the CIA managed and carried out this program. From mid-2004 until the official termination of the detention and interrogation program in January 2009, he was the unit’s chief lawyer. He is mentioned by name more than 1,600 times in our study.
And now this individual is sending a crimes report to the Department of Justice on the actions of congressional staff—the same congressional staff who researched and drafted a report that details how CIA officers—including the acting general counsel himself—provided inaccurate information to the Department of Justice about the program.
Once again, it's worth noting that these are the very same folks that, just weeks ago, Feinstein was insisting would never abuse their positions because they're professionals. She said that on January 19th. That was just four days after CIA Director Brennan had told her about how the CIA had conducted the almost certainly illegal search on her own staffers.\
And, of course, this is the point that many of us have been making all along to Feinstein and other kneejerk defenders of the intelligence community. No matter how "professional" they are, they're still human. And given situations where their own jobs may be threatened, they're going to do what they do, and that often leads to serious abuses, like the ones that now have Feinstein so angry. That's why we're so concerned by her lack of real oversight of the intelligence community for years, as well as the rather permissive attitude that both Congress and the courts have taken for years to the intelligence community, by insisting that they only do what they do for the purposes of "national security." I'm curious what kind of "national security" reason the CIA has for spying on the very staffers who were investigating the CIA's torture program?
By this point, it should be clear that when Senators Ron Wyden and Mark Udall ask questions to senior intelligence community officials in open hearings, it's not because they don't know the answers, but because they do, and they have information that they think should be public. Remember, of course, that, years ago, Wyden and Udall were clearly hinting at what Ed Snowden eventually revealed. So, during yesterday's hearing during which leaders from the intelligence community tried to pull their usual "be scared American people!" schtick, Wyden's and Udall's questions point to some potential mischief by the CIA. Both asked questions of CIA boss John Brennan concerning the legality of certain actions. It is unlikely that they did this because they were just curious. Wyden kicked it off by asking if the Computer Fraud and Abuse Act (CFAA) applied to the CIA:
Wyden: Does the federal Computer Fraud and Abuse Act apply to the CIA?
Brennan: I would have to look into what that act actually calls for and its applicability to CIA’s authorities. I’ll be happy to get back to you, Senator, on that.
Wyden: How long would that take?
Brennan: I’ll be happy to get back to you as soon as possible but certainly no longer than–
Wyden: A week?
Brennan: I think that I could get that back to you, yes.
Of course, we've written about the CFAA many times, and how the broadly (terribly) written law has been abused by law enforcement to go after all sorts of ordinary or reasonable computer activity. But Wyden is flipping this around in a slightly interesting way -- asking if the CFAA applies to the CIA. The answer, actually, is probably no, the CFAA doesn't apply to the CIA. If you look at 18 USC 1030(f) (which is part of the CFAA), it says:
This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
It seems likely that the eventual answer from Brennan to Wyden will basically point to this particular language. But that's not particularly important, as the intent of the question likely had little to do with actually looking at the scope of the CFAA, but rather hinting very strongly that the CIA is hacking into computers in a manner that would violate the CFAA if it wasn't being done by law enforcement.
This was then followed up soon after with a question from Udall, again to Brennan, asking a slightly different question about the CIA's legal authority, which Brennan doesn't actually answer, instead answering a different question that wasn't asked:
Udall: I want to be able to reassure the American people that the CIA and the Director understand the limits of its authorities. We are all aware of Executive Order 12333. That order prohibits the CIA from engaging in domestic spying and searches of US citizens within our borders. Can you assure the Committee that the CIA does not conduct such domestic spying and searches?
Brennan: I can assure the Committee that the CIA follows the letter and spirit of the law in terms of what CIA’s authorities are, in terms of its responsibilities to collect intelligence that will keep this country safe. Yes Senator, I do.
Got that? He was asked "do you spy on Americans?" and the answer was "we follow the law." Considering that Wyden and Udall have been among the leading folks pointing out that the intelligence community has regularly reinterpreted the laws in secret in order to broaden their claimed authority, that answer is hardly assuring. Instead, it sure sounds like the CIA admitting that, hell yes, they spy on Americans under their twisted interpretation of the law. Combine that with Wyden's question -- which may or may not be about the same issue, but the two have often coordinated on these issues -- and it certainly hints at the idea that the CIA is hacking into Americans' computers.
Over the last few months, much of the focus has been on the NSA, but it's important to remember that the CIA actually is bigger in terms of its budget, and remains incredibly powerful and secretive. Also, over the last decade or so there appears to be significant evidence of incredible abuse by the CIA. As we've noted a few times, the Senate Intelligence Committee has been sitting on a supposedly explosive report that cost $40 million to put together, detailing some horrific CIA abuses, which the CIA has been doing everything possible to stop from being released.
Given all this, how long will it be until we discover "explosive" revelations about the CIA that confirm what Wyden and Udall have been hinting at?
We've written about the issue of revenge porn sites and the so-called "king" of revenge porn, Hunter Moore, quite a few times. The issue is a tricky one because the whole concept of revenge porn -- people posting nude photos of others, complete with contact info, and frequently offering to take down the photos for money -- is unquestionably horrific. But... horrific issues can make for bad and overly broad laws. In fact, we've been quite concerned with attempts by some to craft laws against revenge porn that would upend basic established law concerning free speech and important internet safe harbors for service providers. Similarly, when revenge porn operators, like Kevin Bollaert, have been arrested, the charges against them have been problematic. Bad cases make for bad law, and since these sites are so morally repugnant, it's easy to understand why some would stretch the law to try to go after those responsible. But the end consequences of stretching the law could be disastrous for many.
So, with the news that Hunter Moore was indicted with a co-conspirator under the CFAA today, we feared the worst. After all, the CFAA is already a terribly drafted law, regularly twisted by the DOJ to go after people for ordinary computing activities. However, in looking over the details of the indictment, we can at least breathe an initial sigh of relief (well, and disgust at the two individuals), as it details what appears to be Moore's "co-conspirator" Charles Evens (also known as Gary) hacking into emails accounts to get access to nude photos, and then giving them to Moore. Moore gives Evens a bunch of money for this, at times calling him an employee, and urging him to break into more email accounts and to obtain more nude photos.
If proven true (and, admittedly, we're only seeing the DOJ's account here), this is the kind of thing that the CFAA was supposed to be used for. Any case involving the CFAA is always worrisome, given how widely the DOJ has abused it. And cases involving not just any "revenge porn" site, but the most famous one, IsAnyoneUp, and its founder Hunter Moore, are bound to be a risky proposition, since so much will focus on the emotional response to what an out-and-out jackass Moore is. But at first glance, this lawsuit looks like a much more legitimate application of the law. At the very least, hopefully, this suggests that existing laws can often be used legitimately against bad actors, without having to upend the basic legal framework of the internet.
You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.
Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.
The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
Right now, the law does not include those four words. Why is that a big change? As we explained last year:
All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.
While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.
The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.
The case against Andrew "weev" Auernheimer is already crazy enough. He's been charged by the feds with a violation of the Computer Fraud and Abuse Act (CFAA) for finding a huge security hole created by AT&T. Still, a court found him guilty. The appeal is ongoing, with the DOJ basically arguing that weev broke a rule that it made up. And, now, the third circuit appeals court is apparently stacking the deck against weev.
The government had made a request to file an "oversized" brief to present their case. In response, weev's lawyers requested the ability to file an "oversized" brief in reply to the government's brief. The DOJ did not oppose this request. Yet, the court approved the government's request while denying the defense request. In short: the government can file a giant brief throwing the kitchen sink of legal theories at weev, while weev's team is limited in how much space it has to reply. No matter what you think of weev, who seemed to take joy in pissing off just about everyone, at the very least you'd think he deserved the right to present a full response to the claims made against him by the government.
On Friday, we wrote about Jeremy Hammond's 10-year prison sentence, mentioning that the judge had required part of Hammond's statement be redacted from any reports as his discussion of the list of targets he was asked to hack by FBI informant Sabu (Hector Xavier Monsegur) was considered classified. Of course, it will come as little surprise that the unredacted/uncensored text of his original statement is alleged to have leaked soon after the sentencing. Someone posted it to Pastebin. While it's entirely possible that this is fake, there are at least some indications that it's accurate.
Sabu also supplied lists of targets that were vulnerable to "zero day exploits" used to break into systems, including a powerful remote root vulnerability effecting the popular Plesk software. At his request, these websites were broken into, their emails and databases were uploaded to Sabu's FBI server, and the password information and the location of root backdoors were supplied. These intrusions took place in January/February of 2012 and affected over 2000 domains, including numerous foreign government websites in Brazil, Turkey, Syria, Puerto Rico, Colombia, Nigeria, Iran, Slovenia, Greece, Pakistan, and others. A few of the compromised websites that I recollect include the official website of the Governor of Puerto Rico, the Internal Affairs Division of the Military Police of Brazil, the Official Website of the Crown Prince of Kuwait, the Tax Department of Turkey, the Iranian Academic Center for Education and Cultural Research, the Polish Embassy in the UK, and the Ministry of Electricity of Iraq.
Sabu also infiltrated a group of hackers that had access to hundreds of Syrian systems including government institutions, banks, and ISPs. He logged several relevant IRC channels persistently asking for live access to mail systems and bank transfer details. The FBI took advantage of hackers who wanted to help support the Syrian people against the Assad regime, who instead unwittingly provided the U.S. government access to Syrian systems, undoubtedly supplying useful intelligence to the military and their buildup for war.
All of this happened under the control and supervision of the FBI and can be easily confirmed by chat logs the government provided to us pursuant to the government's discovery obligations in the case against me. However, the full extent of the FBI's abuses remains hidden. Because I pled guilty, I do not have access to many documents that might have been provided to me in advance of trial, such as Sabu's communications with the FBI. In addition, the majority of the documents provided to me are under a "protective order" which insulates this material from public scrutiny. As government transparency is an issue at the heart of my case, I ask that this evidence be made public. I believe the documents will show that the government's actions go way beyond catching hackers and stopping computer crimes.
Again, while Hammond is responsible for actually carrying out the activity of breaking into these sites, it still seems incredibly questionable that the targets may have been suggested by the FBI, which then basically got to take advantage of Hammond's activities, and then when that wasn't useful any more, to throw him in jail for a decade.
We wrote, earlier this year, about LulzSec/Antisec/Anonymous hacktivist Jeremy Hammond pleading guilty to hacking Stratfor. While the other Lulzsec hackers who were arrested in the UK got sentences of one to three years, the fact that here in the US we have the CFAA, and the fact that the DOJ saw another hacktivist to railroad, it was expected that Hammond would get a much longer sentence. Indeed, he did: he was sentenced today to ten years in prison plus another three years of supervised release.
No one denies that he broke into Stratfor's computers (as well as other sites and even governments). However, many people quite reasonably argue that he was doing so for the purposes of activism, not for personal wealth or benefits, and that fact should have been taken into account in his sentencing. The DOJ, of course, want to use Hammond as yet another example case of how they can throw the book at hacktivists. The Sparrow Project has a good account of what happened in the courtroom:
Jeremy’s lead counsel, Sarah Kunstler, who is 9 months pregnant and due to give birth today, delivered a passionate testimonial as to the person that Jeremy is, and the need for people like Jeremy during our changing socio-political landscape. She was followed by co-counsel, Susan Keller, who wept as she recalled her experiences reading the hundreds of letters from supporters to the court detailing the Jeremy Hammond’s selflessness and enthusiastic volunteerism. She pointed out that it was this same selflessness that motivated Jeremy’s actions in this case. She closed her testimony by underscoring that, “The centerpiece of our argument is a young man with high hopes and unbelievably laudable expectations in this world.”
They also include Hammond's statement, in which he clearly states why he did what he did, and repeatedly points out that most of the sites he hacked (including Stratfor and foreign governments) were done under the direction of Sabu (real name: Hector Xavier Monsegur) who had already turned into an FBI informant. In other words, he's suggesting that the FBI was more or less telling him who to hack, and then they get to turn around and throw the book at him.
The acts of civil disobedience and direct action that I am being sentenced for today are in line with the principles of community and equality that have guided my life. I hacked into dozens of high profile corporations and government institutions, understanding very clearly that what I was doing was against the law, and that my actions could land me back in federal prison. But I felt that I had an obligation to use my skills to expose and confront injustice--and to bring the truth to light.
Could I have achieved the same goals through legal means? I have tried everything from voting petitions to peaceful protest and have found that those in power do not want the truth to be exposed. When we speak truth to power we are ignored at best and brutally suppressed at worst. We are confronting a power structure that does not respect its own system of checks and balances, never mind the rights of it’s own citizens or the international community.
The full statement is long, but well worth reading. The court forced everyone to redact part of the speech -- where he names who else he hacked at the direction of Sabu, including foreign governments. When you think about this, it seems particularly obnoxious. Basically, the FBI had Sabu tell Hammond to hack into the computers of foreign governments and now Hammond gets the book thrown at him because of that. Does anyone think that the feds didn't make use of that access to foreign government computers? It's a pretty neat trick: trick a hacktivist to break into the computers of foreign governments for you and then throw him in jail for ten years.
In an interview Hammond gave to The Guardian prior to the sentencing, Hammond notes that his days of hacking "are done" but remains pretty defiant and supportive of hacktivism in general and against oppressive government action. He notes that one of the reasons he was such a target was he had access to an exploit that it appears the NSA didn't yet have, which allowed him to get into those foreign government servers:
“I felt betrayed, obviously. Though I knew these things happen. What surprised me was that Sabu was involved in so much strategic targeting, in actually identifying targets. He gave me the information on targets.”
Part of Sabu’s interest in him, he now believes, was that Hammond had access to advanced tools including one known as PLESK that allowed him to break into web systems used by large numbers of foreign governments. “The FBI and NSA are clearly able to do their own hacking of other countries. But when a new vulnerability emerges in internet security, sometimes hackers have access to tools that are ahead of them that can be very valuable,” he said.
In that same interview, he notes he never would have hacked Stratfor if it weren't for Sabu, noting he'd never even heard of the organization before that.
Clearly, Hammond broke the law. But it seems very, very wrong that the federal government clearly used him to break into places they wanted to get into (all of which now remains classified), and then threw the book at him and will lock him up for a decade.