For weeks, President Barack Obama has been pushing a set of controversial cybersecurity proposals. He prominently mentioned the plans during his State of the Union address, stressing the need for legislation, using that classic political pretext for demolishing civil liberties, protecting children.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,” he said during the speech, dutifully ignoring the elephant in the room: the U.S. government’s role in doing much of the same.
But Obama’s proposals are a mixed bag of old and dangerous ideas. He wants to create information-sharing regimes between private companies and the government to detect threats as well as expand the Computer Fraud and Abuse Act (CFAA), the draconian anti-hacking law that the government used to prosecute the late Internet activist Aaron Swartz. Both steps would not only be ineffective at improving cybersecurity in any practical sense but also further empower the government to go after activists and journalists such as Barrett Brown, who was sentenced Thursday to 63 months in prison.
Brown’s sentencing (which came after more than two years of imprisonment, vigorous prosecution and unjustified solitary confinement) is just a chilling prelude if Congress succeeds in expanding the CFAA. Before his arrest, Brown and his crowdsourced research initiative ProjectPM were investigating the underbelly of the military intelligence complex, mapping ties between the U.S. surveillance state and shadowy private corporations such as Mantech and Booz Allen Hamilton — the very world from which National Security Agency whistleblower Edward Snowden emerged.
The U.S. government dedicated a disturbing amount of effort to ensuring Brown’s conviction. His charges (which later regrettably included publishing a threatening YouTube video rant against an FBI agent who seized his computer) originally carried sentences totaling more than 100 years in prison. The prosecution saw to it that Brown was gagged from speaking about the case and that large portions of the case’s court documents remained under seal. The government also tried to go after Brown’s contributors and even attempted to freeze donations made to his legal defense fund.
The charges revolved around a simple act: copying and pasting a hyperlink into a chat room. The link led to publicly available files stolen by the hacktivist collective Anonymous from the U.S. intelligence contractor Stratfor — part of a breach that revealed, among other things, surveillance of political activists around the world and efforts to discredit journalists such as Glenn Greenwald. Prosecutors alleged Brown posted the link knowing the file contained credit card information, even though chat logs suggested he had no intention to commit fraud and may have not known what was in it.
Last year the government dropped the linking charge and recharged Brown with being an accessory after the fact for unauthorized access to a computer under the CFAA. It claims he crossed a line when he offered to act as a liaison between the Anonymous hackers and Stratfor so that harmful information could be redacted from the documents before they were released. But during Thursday’s sentencing hearing, that didn’t stop prosecutors from portraying the act of linking as trafficking and using it to seek to stiffen his sentence. Judge Sam Lindsay refused to consider relevant the fact that the data Brown linked to was already public.
Brown pleaded guilty to the lesser charges under a plea deal (PDF) signed last April. Under an expanded CFAA hacking law, securing such convictions against journalists, activists and others would be far easier. The vaguely worded anti-hacking statute already gives prosecutors wide authority to define what constitutes “unauthorized access” or “exceeding authorized access” to a computer. Some courts have even said that violating a website’s terms of service agreement constitutes felonious unauthorized access. (Facebook, for example, considers it a violation not to use your real name.) The law allows prosecutors to deconstruct a single act into multiple, redundant charges, resulting in absurd maximum sentences that compel defendants to take plea deals.
Under the changes Obama proposed, simply posting, retweeting or clicking on a link you know to contain certain information would be a felony bringing up to 10 years in prison. The government would no longer need to prove you were accessing the information with intent to defraud. It would simply have to show that you were trafficking a link containing passwords or other means of access and had reason to believe such information might be abused. That means that prosecutors could charge you for sharing your Netflix password with a friend if they were so inclined.
The proposal would also let prosecutors use racketeering laws to prosecute hackers and their associates in the same way they do mob bosses and drug cartels. The definitions of “unauthorized access” would be expanded even further to include any access to a computer a person knows the owner hasn’t explicitly authorized.
These changes would further endanger journalists working with hackers and leaked documents as well as cybersecurity researchers working to find and patch vulnerabilities. Moreover, it would do nothing to deter major computer breaches such as the hack of Sony Pictures, most of which come from overseas attackers and are the result of corporate-security negligence.
What no one in government seems to understand about cases such as Brown’s is that this is simply the way journalism is done today. Hackers break in, and whistleblowers speak out. Documents are leaked, and journalists disseminate and report on the contents of those leaks. At a hearing on Brown’s case, security journalist Quinn Norton testified that allowing the government to depict someone’s linking to source material as trafficking stolen information is “absolutely chilling” to the practice of journalism in the 21st century.
She’s right. And yet lawmakers are considering expanding harsh hacking laws when they should be rolling them back. When merely clicking on or pasting a link is grounds for a felony, it sets the stage for the persecution of journalists, activists and virtually anyone else possessing enough curiosity and an Internet connection.