The Computer Fraud and Abuse Act (CFAA) was passed in 1986. It has a very, very broad definition of “hacking,” one that is so broad that it has triggered some very serious prosecutorial abuse.
For example, in 2011, a security researcher named Andrew Auernheimer was arrested, then tried and convicted under CFAA for “hacking.” What he actually did was publicize a serious vulnerability in AT&T’s website that exposed 114,000 emails. Here’s how he described the deed in his own words:
In June of 2010, there was an AT&T webserver on the open Internet. There was an API on this server, a URL with a number at the end. If you incremented this number, you saw the next iPad 3G user email address. I thought it was egregiously negligent for AT&T to be publishing a complete target list of iPad 3G owners, and I took a sample of the API output to a journalist at Gawker.
He was sentenced to 41 months in prison and was ordered to pay an unexplained $73,000 in restitution to AT&T. To AT&T, the guys who created the problem, not the email account holders who were exposed. Auernheimer’s legal team subsequently filed a brief challenging the conviction, claiming he hadn’t violated CFAA. He was released a year later, though the Second Circuit sidestepped the abuse of the CFAA issue by vacating the conviction based on improper venue.
For example, a 14-year-old eighth grader in Florida, Domanik Green, was arrested, under CFAA and Florida law, for committing a felony when he broke into his school’s network to change the wallpaper on his teacher’s computer to a theme more appropriate to Gay Pride Day, an image of two men kissing. When challenged as to why he had charged a junior high kid with a felony, Pasco County Sheriff Chris Nocco stated:
Even though some might say this is just a teenage prank, who knows what this teenager might have done…
WC is only a lawyer, but he thought you could only be charged and convicted for crimes you committed, not crimes you might have committed.
For example, and this is one WC has written about before, there’s Aaron Swartz, a programmer and hacktivist who liked to form nonprofits that aimed to use technology to promote democracy, share information, and other crazy ideas. In 2011, Aaron was arrested on a ridiculous number of charges after he broke into a wiring closet to download a large number of academic journal articles from a digital repository. Look, he connected a laptop to a switch in an unlocked wiring closet, used his academic account access to get into the database, and started a download script. Ostensibly he did it because he wanted to share the articles with the public, notably third-world academia, who were barred from access. Swartz, facing felony charges, struggling to pay his bills, and fighting depression, committed suicide.
Aaron’s Law is intended to prevent more Aaron Swartzes, more Andrew Auernheimers, and more Domanik Greens. The amendment to CFAA would redefine various “hacking” activities so that they more directly apply to malicious acts rather than whatever a politically ambitious prosecutor thinks they might be. Aaron’s Law was originally introduced in the last Congress, but couldn’t get enough support. Now it’s back, introduced by Rep. Zoe Lofgren (D, Calif.), who’s backing the House version, and in the Senate by Sens. Ron Wyden (D, Oregon) and, ironically for Kentuckians, Rand Paul (R, Ky.).
The Alaska Congressional delegation seems to be annoyed with WC over some of his comments here. Hardly surprising. But maybe WC’s readers could mention to their Congresscritters that Aaron’s Law is a genuinely good idea, and deserves their support. But you probably shouldn’t mention where you read about it.