An online hacker who went by the name "Guccifer" got a lot of attention a year and a half ago or so for regularly hacking into the email and social media accounts of various political officials and insiders along with some Hollywood folks, with the most high profile being former President George W. Bush's email, leading to the leaking of some of Bush's early attempts at painting. But that was hardly all. Among others, he hacked into email and/or social media accounts of Senator Lisa Murkowski, Colin Powell, top Hillary Clinton advisor Sidney Blumenthal, venture capitalist John Doerr, former White House chief of staff Kenneth Duberstein, actor Jeffrey Tambor (Jeffrey Tambor?!?!), Sex and the City author Candace Bushnell, Watergate reporter Carl Bernstein, President Obama's head of the National Intelligence Council Christopher Kojm and the head of the National Nuclear Security Administration Neile Miller. In other words, Guccifer was pretty busy.
While the indictment does not name the people who were hacked, calling them Victim 1, 2, 3, 4 and 5, it's not difficult to figure out that Victim 1 is President Bush's sister Dorothy Bush, which is how he got the GWB paintings (GWB had sent photos of them to his sister) and Victim 3 is Colin Powell, who had to deny an affair with a foreign diplomat after some of his emails were leaked. The indictment appears to suggest a particular infatuation with Powell, as it also included hacks of his Facebook page and posting anti-Bush rants on Powell's Facebook page.
I'm always a little nervous about computer hacking cases, because the government is fairly well known for exaggerating non-hacking situations and pretending that they're hacking under the CFAA, but assuming that this guy really did get into all of these accounts, it seems like exactly the sort of thing the CFAA was written to cover in the first place.
The full indictment is below, but what I'm trying to figure out is how "victim 2" got included in the list. Notice if you can spot which one of the following "is different from the others" in the list below:
Victim 1... was a family member of two former U.S. presidents who was the true owner of an AOL account....
Victim 2... was a sanitation engineer who was the true owner of an AOL account....
Victim 3... was a former U.S. Cabinet member who resided in the Eastern District of Virginia. Victim 3 was the true owner of an AOL account with subaccounts and a Facebook account....
Victim 4... was a former member of the U.S. Joint Chiefs of Staff who was the true owner of a Facebook account....
Victim 5, known to the grand jury, was a journalist and former presidential advisor who was the true owner of an AOL account with subaccounts....
It just seems that if you were to put the five of those together at a Washington DC cocktail party, one of them would stick out as somewhat different from the others.
Any hackers that manage to carry out "cyberattacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof" would face the full life sentence, according to the serious crime bill proposed in Wednesday's Queen's speech.
As well as targeting cyberterrorists, the new offence in the proposed update to the Computer Misuse Act [CMA] 1990 would also hand harsher sentences to those hackers carrying out industrial espionage, believed to be a growing menace affecting UK business.
The law would have a maximum sentence of 14 years for attacks that create "a significant risk of severe economic or environmental damage or social disruption". Currently, the section of the CMA covering such an offence carries a 10-year sentence.
Much of this is the kind of activity carried out in the form of attacks sponsored by governments outside the UK -- or, as in the case of the NSA, directly by those governments. Despite the recent grandstanding by the US when it filed criminal charges against members of the Chinese military whom it accuses of espionage, there is little hope of ever persuading the main players to hand over their citizens for trial, so the new UK law will be largely ineffectual against the most serious threats.
But there is a real danger in the "or significant risk, thereof" part, since that gives the UK authorities huge scope to claim -- as they have in other contexts -- that some online action "risked" some terrible outcome, even though nothing actually happened. Things are made worse by the fact that there is no public interest defense or exemption for research. As the Guardian notes:
The government has also not addressed complaints over the application of current computer crime law, which some in the security industry claim actually makes the internet less safe.
This is because certain kinds of research could be deemed illegal. Experts known as penetration testers, who look for weaknesses in internet infrastructure, often carry out similar actions to real cybercriminals in their attempts to improve the security of the web, such as scanning for vulnerabilities.
But such research is punishable under British law, even if it is carried out for altruistic ends, leaving potential weaknesses unresolved, critics of the CMA said.
What this means is that while it will fail to tackle the most serious online attacks, and chill research into security flaws, the proposed Bill will conveniently allow the UK government to target groups like Anonymous who carry out high-profile but relatively harmless actions over the Net. This section of the proposed Bill is really about the UK government bolstering its already disproportionate powers to throttle online protests by characterizing them as "serious cyberattacks", and threatening to impose life sentences on anyone involved.
The Computer Fraud and Abuse Act is so severely flawed that people are extremely hesitant to report security holes in websites, especially after witnessing what happened to Weev (Andrew Auernheimer), who went to jail for exposing a flaw in AT&T's site that exposed user info when values in the URL were incremented.
"I remember a person was recently arrested for finding this same flaw in a website and told (at&t/apple??) about it. He was arrested and jailed if I remember right. This is the type of chilling effects that come when people view techies as hackers and are arrested for pointing out flaws.
By changing the number at the end you can harvest personal info.
I won't report the flaw, I could go to jail."
Is that overdramatic? Doubtful. People have reported security flaws to companies only to have these entities press charges, file lawsuits or otherwise tell them to shut up. Weev's only out because the government's case was brought in the wrong venue. The CFAA, which has been used to punish many helpful people, is still intact and as awful as ever.
As the (also anonymous) redditor points out, he or she has tried to contact the company but has found no avenue to address this security hole which exposes names, addresses and email addresses of customers sending in claims for a free year of Netflix streaming that came bundled with their purchase of an LG Smart TV. Incrementing the digits at the end of the URL brings up other claims, some with images of receipts attached. In addition, anyone can upload support documents to these claims.
Here's a screenshot of the hole in question:
As the original poster points out, with a little coding, someone could put together a database of addresses that most likely house a brand new LG Smart TV. And this may not just be limited to LG. ACB Incentives is the company behind this promotion, and it handles the same sort of online rebate forms for a variety of companies. These rebate submission sites all branch off acbincentives.com, which could mean it's just a matter of figuring out how each one handles submitted claims, URL-wise.
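To make the flaw concrete, here is an added example (mine, not code from the post, from ACB Incentives or from AT&T) of the insecure-direct-object-reference pattern behind both the rebate site and the AT&T case discussed above: a toy rebate-claim lookup keyed on a sequential number, the enumeration loop that harvests it, and the hardened handlers a site should have instead. The claim store, the account names, the token scheme and the URL shapes are all constructed for illustration and are not taken from the real site.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Claim:
    """One rebate claim as the vulnerable site exposes it (constructed fields)."""
    claim_id: int                  # sequential number that ends the URL
    owner: str                     # account that filed the claim
    name: str
    address: str
    email: str
    receipt: Optional[str] = None  # uploaded receipt image, if any
    # Unguessable per-claim token; only the hardened status link uses it.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample data. Sequential IDs are exactly what makes
# "change the number at the end of the URL" work.
CLAIMS: Dict[int, Claim] = {c.claim_id: c for c in [
    Claim(1041, "alice", "Alice Example", "1 Oak St", "alice@example.com", "receipt1.jpg"),
    Claim(1042, "bob",   "Bob Example",   "2 Elm St", "bob@example.com"),
    Claim(1043, "carol", "Carol Example", "3 Ash St", "carol@example.com", "receipt3.png"),
]}


class NotFound(Exception):
    """Stands in for an HTTP 404."""


def _render(claim: Claim) -> dict:
    return {"name": claim.name, "address": claim.address,
            "email": claim.email, "receipt": claim.receipt}


def view_claim_vulnerable(claim_id: int) -> dict:
    """/claim/<id> as the post describes it: the ID is the only thing checked,
    so anyone who can type a number gets that customer's record."""
    claim = CLAIMS.get(claim_id)
    if claim is None:
        raise NotFound
    return _render(claim)


def harvest(start: int, stop: int) -> List[dict]:
    """The 'little coding' the original poster mentions: walk the ID space and
    keep every record the vulnerable handler returns."""
    found = []
    for claim_id in range(start, stop):
        try:
            found.append(view_claim_vulnerable(claim_id))
        except NotFound:
            continue
    return found


def _authorize(session_user: Optional[str], claim_id: int) -> Claim:
    """Shared check for the hardened handlers: a logged-in user may only touch
    claims they filed. Missing and forbidden both raise NotFound so the
    response does not reveal which IDs exist."""
    claim = CLAIMS.get(claim_id)
    if claim is None or session_user is None or claim.owner != session_user:
        raise NotFound
    return claim


def view_claim_hardened(session_user: Optional[str], claim_id: int) -> dict:
    """Same URL shape as the vulnerable handler, plus an ownership check."""
    return _render(_authorize(session_user, claim_id))


def attach_receipt_hardened(session_user: Optional[str], claim_id: int,
                            filename: str) -> bool:
    """The upload path the post notes was also open: the same ownership check
    must guard writes, not just reads. Returns True only if the upload was accepted."""
    try:
        claim = _authorize(session_user, claim_id)
    except NotFound:
        return False
    claim.receipt = filename
    return True


def status_link_lookup(token: str) -> dict:
    """For unauthenticated 'check your claim' links in confirmation e-mails:
    key the lookup on the random token, never on the sequential ID, and
    compare in constant time so timing does not leak a partial match."""
    for claim in CLAIMS.values():
        if secrets.compare_digest(claim.token, token):
            return _render(claim)
    raise NotFound


if __name__ == "__main__":
    print("vulnerable handler, IDs 1040-1049:", len(harvest(1040, 1050)), "records")
    try:
        view_claim_hardened("alice", 1042)
    except NotFound:
        print("hardened handler: alice cannot read bob's claim")
```

The point of the hardened half is that the fix is not "hide the number" but "check that the caller owns the record on every path that touches it, reads and uploads alike"; the random token only matters for links that have to work without a login, and even there it replaces the sequential ID rather than decorating it.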
Now, I've contacted the company to let them know. Amanda Phelps at the Memphis branch says she's bringing it to the attention of programming. I also let her know that it may affect other rebate pages but that I can't confirm that. We'll see how quickly this is closed*, but all in all, the people at ACB seemed to be concerned and helpful, rather than suspicious.
*Very quickly, it appears. See note at top of post.
But the underlying point remains. Many people who discover these flaws aren't criminals and aren't looking to expose the data of thousands of unsuspecting users. They're simply concerned that this is happening and often incredulous that major companies would be this careless with customers' data. That the kneejerk reaction has often been to shoot the messenger definitely gives those discovering these holes second thoughts as to reporting them, a hesitation that could allow someone with more nefarious aims to exploit the exposed data. The law needs to change, and so does the attitude that anyone discovering a flaw must be some sort of evil hacker -- or that the entity must do whatever it takes, even if it means throwing the CFAA at someone, just to prevent a little embarrassment.
The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:
Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.
But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:
The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.
New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.
Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.
Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.
There have been a bunch of stories going around about how 5-year-old Kristoffer Von Hassel figured out a way to hack the Xbox Live password system. Kristoffer's parents noticed that their son was logging into his father's account and playing games he wasn't supposed to be playing. They asked him how he was doing it and he showed them:
Just after Christmas, Kristoffer's parents noticed he was logging into his father's Xbox Live account and playing games he wasn't supposed to be.
“I got nervous. I thought he was going to find out,” said Kristoffer.
In video shot soon after, his father, Robert Davies, is heard asking Kristoffer how he was doing it.
A suddenly excited Kristoffer showed Dad that when he typed in a wrong password for his father’s account, it clicked to a password verification screen. By typing in space keys, then hitting enter, Kristoffer was able to get in through a back door.
Kristoffer's father, Robert Davies, works in computer security (which, frankly, makes me a little skeptical that Kristoffer really made this discovery), and submitted the bug to Microsoft, who not only quickly fixed it, but also listed Kristoffer on their March "acknowledgements" for security researchers who helped them find bugs and vulnerabilities.
Of course, the flip side to this story is how we've seen the CFAA used in the past to go after people discovering similar flaws. Compare the story of Kristoffer to the story of Andrew "weev" Auernheimer. Kristoffer clearly exceeded authorized access to the Xbox Live system in order to obtain something of value (perhaps he gets off because the "something" is not worth more than $5,000, but still...). Of course, weev is an obnoxious internet troll, and Kristoffer is a cute 5-year-old. I guess that's what's meant by "prosecutorial discretion."
We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk -- who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.
Throughout the case, it's been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev's case, that the DOJ really has no idea what weev did. They're just sure it's bad because it involves computers and stuff. Seriously, as reported by Vice:
"He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.
Say what? If that's the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It's likely that under that "standard" Moramarco himself is a felon, because I'll bet he "decrypts and decodes and all of these things he doesn't understand" on pretty much a daily basis. But, a tip to the US Attorneys' office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you've locked up has done.
But, Moramarco apparently doesn't want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.
Yes, apparently exposing the fact that AT&T left its customers' info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.
As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn't have brought the case anywhere (one judge apparently mentioned Hawaii).
The case is important because of all the CFAA abuse we've seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ's own admissions of its lack of understanding about weev's actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn't like and doesn't understand.
from the not-so-fun-when-it's-your-metadata,-huh? dept
Earlier today, we wrote about Senator Dianne Feinstein's justified anger over the CIA "spying" on the Senate Intelligence Committee staffers as they went about putting together a massive (and apparently incredibly damning) report condemning the CIA's torture program. Having now watched the whole video of her speech, as well as read the transcript, there's a lot more here to discuss. You can watch the speech yourself if you'd like, or read the full transcript, which we've embedded below:
Apparently, some of the concerns actually stem from an earlier incident, back in 2010, during which the CIA removed the committee staffers' access to a batch of documents it had previously provided to them. This came after an initial fight over whether or not the CIA would interfere with the staffers' efforts. The Intelligence Committee eventually agreed to the CIA's request that the research work be carried out on the CIA's premises, but only after the CIA promised not to interfere and to leave the staffers alone. The staffers requested lots of documents, and the CIA simply dumped raw data on them, handing over piles and piles of documents with no context at all. Basically, it appears the CIA sought to bury the staffers in bullshit, hoping to hide many of the important bits. In response, the staffers asked the CIA to provide an electronic search engine to go through the electronic documents. Also, to keep things organized, the staffers would regularly make local copies and/or print out key documents so they could more easily organize and keep track of them. Because of this, they noticed that some documents that had initially been available "went missing" in 2010:
In May of 2010, the committee staff noticed that [certain] documents that had been provided for the committee’s review were no longer accessible. Staff approached the CIA personnel at the offsite location, who initially denied that documents had been removed. CIA personnel then blamed information technology personnel, who were almost all contractors, for removing the documents themselves without direction or authority. And then the CIA stated that the removal of the documents was ordered by the White House. When the committee approached the White House, the White House denied giving the CIA any such order.
After a series of meetings, I learned that on two occasions, CIA personnel electronically removed committee access to CIA documents after providing them to the committee. This included roughly 870 documents or pages of documents that were removed in February 2010, and secondly roughly another 50 were removed in mid-May 2010.
This was done without the knowledge or approval of committee members or staff, and in violation of our written agreements. Further, this type of behavior would not have been possible had the CIA allowed the committee to conduct the review of documents here in the Senate. In short, this was the exact sort of CIA interference in our investigation that we sought to avoid at the outset.
Apparently, this snafu was settled quietly between the intelligence committee and the CIA, with the CIA promising not to do it again.
Now, as we've been pointing out, and which was revealed by McClatchy and the NY Times last week, this latest fight is focused mostly on a draft of an internal review by the CIA of the torture program, conducted for then director Leon Panetta. Feinstein reveals some more key details about this document. First, it appears that Panetta more or less ordered the CIA to conduct what appears to be a "shadow review" of the very same documents that were being handed over to the Senate staffers. The report, as noted, appears to come to the same basic conclusions about the CIA's torture program (i.e., that it went to insane lengths and produced absolutely nothing in the way of useful intelligence). This internal review also contradicted the CIA's "official response" to the Intelligence Committee's own report.
Here's where it gets a bit trickier. When current CIA director John Brennan was asked for the full internal report, rather than the draft that the staffers had, there appears to have been a freakout at the CIA, because no one had intended for the intelligence committee to see the report, either as a draft or final report. The CIA appears to have believed that Senate staffers got access to the report illegally (hence the CIA's request that the staffers be investigated for illegal activity). Feinstein denies all of this and notes that the draft report was among the many documents provided in the data dump -- in what now looks like an accident by the CIA folks (and some contractors) in charge of compiling the data dump for the intelligence committee. The staffers "found" this document by using that search tool, which they'd asked the CIA to provide.
Feinstein goes on to reject the claims made by the CIA and CIA supporters that (1) the staffers should have known not to read the documents since they were marked "deliberative" or "privileged" and (2) that they somehow "mishandled" those classified documents by printing them out and bringing them to the Senate. As she notes, both of those claims make little sense. On the classification:
As with many other documents provided to the committee at the CIA facility, some of the Internal Panetta Review documents—some—contained markings indicating that they were “deliberative” and/or “privileged.” This was not especially noteworthy to staff. In fact, CIA has provided thousands of internal documents, to include CIA legal guidance and talking points prepared for the CIA director, some of which were marked as being deliberative or privileged.
Moreover, the CIA has officially provided such documents to the committee here in the Senate. In fact, the CIA’s official June 27, 2013, response to the committee study, which Director Brennan delivered to me personally, is labeled “Deliberative Process Privileged Document.”
We have discussed this with the Senate Legal Counsel who has confirmed that Congress does not recognize these claims of privilege when it comes to documents provided to Congress for our oversight duties.
That takes care of that. On the question of mishandling the documents, the argument is not quite as strong, but still quite reasonable. Yes, it does appear that staffers did not follow the exact process for removing the documents -- in that they were supposed to first review them with CIA staffers -- but the reasoning here is not so crazy. The review process was supposedly just so that the CIA could make sure that names of key people or details of operations weren't revealed. The staffers made sure that all such info had been redacted before moving the document -- and, of course, they recognized that this document was a bit of a smoking gun for the CIA in that it appeared to confirm that Director Brennan had been lying to the committee. Taking it to the CIA for review would be an odd move -- especially for staffers tasked with oversight of the CIA itself. Even more important, the staffers noticed that, as in 2010, the draft review document suddenly "disappeared" from their computer system, despite the CIA's previous promises that it wouldn't do that any more (she also points out that the CIA had previously destroyed early evidence about its torture program). So they made the entirely reasonable decision to make a copy and store it in the Senate:
When the Internal Panetta Review documents disappeared from the committee’s computer system, this suggested once again that the CIA had removed documents already provided to the committee, in violation of CIA agreements and White House assurances that the CIA would cease such activities.
As I have detailed, the CIA has previously withheld and destroyed information about its Detention and Interrogation Program, including its decision in 2005 to destroy interrogation videotapes over the objections of the Bush White House and the Director of National Intelligence. Based on the information described above, there was a need to preserve and protect the Internal Panetta Review in the committee’s own secure spaces.
Now, the Relocation of the Internal Panetta Review was lawful and handled in a manner consistent with its classification. No law prevents the relocation of a document in the committee’s possession from a CIA facility to secure committee offices on Capitol Hill. As I mentioned before, the document was handled and transported in a manner consistent with its classification, redacted appropriately, and it remains secured—with restricted access—in committee spaces.
Now that brings us to the latest "fight." In late 2013, after the intelligence committee had seen that draft report, it had requested the final report from the CIA. That set off alarm bells in the CIA when they realized that the committee knew such a report existed, leading to a freakout and further "searching" the staffers' supposedly private computers and networks:
Shortly thereafter, on January 15, 2014, CIA Director Brennan requested an emergency meeting to inform me and Vice Chairman Chambliss that without prior notification or approval, CIA personnel had conducted a “search”—that was John Brennan’s word—of the committee computers at the offsite facility. This search involved not only a search of documents provided to the committee by the CIA, but also a search of the ”stand alone” and “walled-off” committee network drive containing the committee’s own internal work product and communications.
According to Brennan, the computer search was conducted in response to indications that some members of the committee staff might already have had access to the Internal Panetta Review. The CIA did not ask the committee or its staff if the committee had access to the Internal Review, or how we obtained it.
Instead, the CIA just went and searched the committee’s computers. The CIA has still not asked the committee any questions about how the committee acquired the Panetta Review. In place of asking any questions, the CIA’s unauthorized search of the committee computers was followed by an allegation—which we have now seen repeated anonymously in the press—that the committee staff had somehow obtained the document through unauthorized or criminal means, perhaps to include hacking into the CIA’s computer network.
As I have described, this is not true. The document was made available to the staff at the offsite facility, and it was located using a CIA-provided search tool running a query of the information provided to the committee pursuant to its investigation.
Of course, as Julian Sanchez points out, from this description, it certainly appears that the CIA was collecting "just metadata," and, as you may recall, Feinstein has been at the forefront of arguing that no one should care about the NSA's activities, because it's just metadata. Kinda funny how perspective shifts when it's your metadata being discussed. Suddenly, it becomes a constitutional issue:
Based on what Director Brennan has informed us, I have grave concerns that the CIA’s search may well have violated the separation of powers principles embodied in the United States Constitution, including the Speech and Debate clause. It may have undermined the constitutional framework essential to effective congressional oversight of intelligence activities or any other government function.
Besides the constitutional implications, the CIA’s search may also have violated the Fourth Amendment, the Computer Fraud and Abuse Act, as well as Executive Order 12333, which prohibits the CIA from conducting domestic searches or surveillance.
And yet that doesn't apply when the NSA spies on all Americans? Yes, Feinstein is absolutely right to be angry about this. It is an astounding breach of protocol, and given that it's the Senate Intelligence Committee's job to oversee the CIA, it appears to be quite a brazen move by the CIA to effectively undermine the Senate's oversight. It's just too bad she doesn't see how the very same things she's angry about concerning her own staff apply equally to everyone else.
There's one other issue in the speech that should be highlighted as well. She notes both of the referrals (that we've previously discussed) to the DOJ: the request to investigate the CIA's activities, and the CIA's tit-for-tat response asking for an investigation into the staffers' access and removal of the draft Panetta review. Feinstein also points out that the person at the CIA who filed the crimes report against her staffers at the DOJ was heavily involved in the torture program the report condemns, and certainly suggests that the move is much more about intimidating Senate overseers:
Weeks later, I was also told that after the inspector general referred the CIA’s activities to the Department of Justice, the acting general counsel of the CIA filed a crimes report with the Department of Justice concerning the committee staff’s actions. I have not been provided the specifics of these allegations or been told whether the department has initiated a criminal investigation based on the allegations of the CIA’s acting general counsel.
As I mentioned before, our staff involved in this matter have the appropriate clearances, handled this sensitive material according to established procedures and practice to protect classified information, and were provided access to the Panetta Review by the CIA itself. As a result, there is no legitimate reason to allege to the Justice Department that Senate staff may have committed a crime. I view the acting general counsel’s referral as a potential effort to intimidate this staff—and I am not taking it lightly.
I should note that for most, if not all, of the CIA’s Detention and Interrogation Program, the now acting general counsel was a lawyer in the CIA’s Counterterrorism Center—the unit within which the CIA managed and carried out this program. From mid-2004 until the official termination of the detention and interrogation program in January 2009, he was the unit’s chief lawyer. He is mentioned by name more than 1,600 times in our study.
And now this individual is sending a crimes report to the Department of Justice on the actions of congressional staff—the same congressional staff who researched and drafted a report that details how CIA officers—including the acting general counsel himself—provided inaccurate information to the Department of Justice about the program.
Once again, it's worth noting that these are the very same folks that, just weeks ago, Feinstein was insisting would never abuse their positions because they're professionals. She said that on January 19th, just four days after CIA Director Brennan had told her how the CIA had conducted the almost certainly illegal search of her own staffers' computers.
And, of course, this is the point that many of us have been making all along to Feinstein and other kneejerk defenders of the intelligence community. No matter how "professional" they are, they're still human. And given situations where their own jobs may be threatened, they're going to do what they do, and that often leads to serious abuses, like the ones that now have Feinstein so angry. That's why we're so concerned by her lack of real oversight of the intelligence community for years, as well as the rather permissive attitude that both Congress and the courts have taken for years to the intelligence community, by insisting that they only do what they do for the purposes of "national security." I'm curious what kind of "national security" reason the CIA has for spying on the very staffers who were investigating the CIA's torture program?
By this point, it should be clear that when Senators Ron Wyden and Mark Udall ask questions to senior intelligence community officials in open hearings, it's not because they don't know the answers, but because they do, and they have information that they think should be public. Remember, of course, that, years ago, Wyden and Udall were clearly hinting at what Ed Snowden eventually revealed. So, during yesterday's hearing during which leaders from the intelligence community tried to pull their usual "be scared American people!" schtick, Wyden's and Udall's questions point to some potential mischief by the CIA. Both asked questions of CIA boss John Brennan concerning the legality of certain actions. It is unlikely that they did this because they were just curious. Wyden kicked it off by asking if the Computer Fraud and Abuse Act (CFAA) applied to the CIA:
Wyden: Does the federal Computer Fraud and Abuse Act apply to the CIA?
Brennan: I would have to look into what that act actually calls for and its applicability to CIA’s authorities. I’ll be happy to get back to you, Senator, on that.
Wyden: How long would that take?
Brennan: I’ll be happy to get back to you as soon as possible but certainly no longer than–
Wyden: A week?
Brennan: I think that I could get that back to you, yes.
Of course, we've written about the CFAA many times, and how the broadly (terribly) written law has been abused by law enforcement to go after all sorts of ordinary or reasonable computer activity. But Wyden is flipping this around in a slightly interesting way -- asking if the CFAA applies to the CIA. The answer, actually, is probably no, the CFAA doesn't apply to the CIA. If you look at 18 USC 1030(f) (which is part of the CFAA), it says:
This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
It seems likely that the eventual answer from Brennan to Wyden will basically point to this particular language. But that's not particularly important, as the intent of the question likely had little to do with actually looking at the scope of the CFAA, but rather hinting very strongly that the CIA is hacking into computers in a manner that would violate the CFAA if it wasn't being done by law enforcement.
This was then followed up soon after with a question from Udall, again to Brennan, asking a slightly different question about the CIA's legal authority, which Brennan doesn't actually answer, instead answering a different question that wasn't asked:
Udall: I want to be able to reassure the American people that the CIA and the Director understand the limits of its authorities. We are all aware of Executive Order 12333. That order prohibits the CIA from engaging in domestic spying and searches of US citizens within our borders. Can you assure the Committee that the CIA does not conduct such domestic spying and searches?
Brennan: I can assure the Committee that the CIA follows the letter and spirit of the law in terms of what CIA’s authorities are, in terms of its responsibilities to collect intelligence that will keep this country safe. Yes Senator, I do.
Got that? He was asked "do you spy on Americans?" and the answer was "we follow the law." Considering that Wyden and Udall have been among the leading folks pointing out that the intelligence community has regularly reinterpreted the laws in secret in order to broaden their claimed authority, that answer is hardly assuring. Instead, it sure sounds like the CIA admitting that, hell yes, they spy on Americans under their twisted interpretation of the law. Combine that with Wyden's question -- which may or may not be about the same issue, but the two have often coordinated on these issues -- and it certainly hints at the idea that the CIA is hacking into Americans' computers.
Over the last few months, much of the focus has been on the NSA, but it's important to remember that the CIA actually is bigger in terms of its budget, and remains incredibly powerful and secretive. Also, over the last decade or so there appears to be significant evidence of incredible abuse by the CIA. As we've noted a few times, the Senate Intelligence Committee has been sitting on a supposedly explosive report that cost $40 million to put together, detailing some horrific CIA abuses, which the CIA has been doing everything possible to stop from being released.
Given all this, how long will it be until we discover "explosive" revelations about the CIA that confirm what Wyden and Udall have been hinting at?
We've written about the issue of revenge porn sites and the so-called "king" of revenge porn, Hunter Moore, quite a few times. The issue is a tricky one because the whole concept of revenge porn -- people posting nude photos of others, complete with contact info, and frequently offering to take down the photos for money -- is unquestionably horrific. But... horrific issues can make for bad and overly broad laws. In fact, we've been quite concerned with attempts by some to craft laws against revenge porn that would upend basic established law concerning free speech and important internet safe harbors for service providers. Similarly, when revenge porn operators, like Kevin Bollaert, have been arrested, the charges against them have been problematic. Bad cases make for bad law, and since these sites are so morally repugnant, it's easy to understand why some would stretch the law to try to go after those responsible. But the end consequences of stretching the law could be disastrous for many.
So, with the news that Hunter Moore was indicted with a co-conspirator under the CFAA today, we feared the worst. After all, the CFAA is already a terribly drafted law, regularly twisted by the DOJ to go after people for ordinary computing activities. However, in looking over the details of the indictment, we can at least breathe an initial sigh of relief (well, and disgust at the two individuals), as it details what appears to be Moore's "co-conspirator" Charles Evens (also known as Gary) hacking into email accounts to get access to nude photos, and then giving them to Moore. Moore gives Evens a bunch of money for this, at times calling him an employee, and urging him to break into more email accounts and to obtain more nude photos.
If proven true (and, admittedly, we're only seeing the DOJ's account here), this is the kind of thing that the CFAA was supposed to be used for. Any case involving the CFAA is always worrisome, given how widely the DOJ has abused it. And cases involving not just any "revenge porn" site, but the most famous one, IsAnyoneUp, and its founder Hunter Moore, are bound to be a risky proposition, since so much will focus on the emotional response to what an out-and-out jackass Moore is. But at first glance, this lawsuit looks like a much more legitimate application of the law. At the very least, hopefully, this suggests that existing laws can often be used legitimately against bad actors, without having to upend the basic legal framework of the internet.
You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.
Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.
The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and has buried them deep within the bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
Right now, the law does not include those four words. Why is that a big change? As we explained last year:
All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.
While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.
The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.