By Sanya Dosani and Aaron Ernst
Although they call themselves Anonymous, it didn’t take federal authorities long to identify members of the loosely affiliated “hactivist” network responsible for high-profile attacks on a series of corporate websites.
In July 2011, the FBI arrested 16 members of the group, accusing them of launching attacks against MasterCard, Visa and PayPal because the companies refused to process payments to Julian Assange’s whistleblower website WikiLeaks.
The attack, known as a distributed denial of service attack, or DDoS, involved using a program called the Low Orbit Ion Canon to send thousands of requests to the targeted website at a coordinated time. Overwhelmed with the volume of requests to view a page, the websites crashed.
In response, 14 members of Anonymous were indicted and charged under the Computer Fraud and Abuse Act (CFAA), a law enacted after a mid-1980s computer-hacking scare. Some of the counts carried more than a decade in prison.
Those charges, and others brought under the CFAA against “hactivists” seeking to remedy what they see as social injustice through online protest, have critics arguing that the potential punishment under the law doesn’t fit the crime.
Tor Ekeland, a New York lawyer who represents several hacktivists being charged under the CFAA, told America Tonight that he’s frustrated by the broad wording of the law.
“It prohibits unauthorized access to protected computers, and obtaining information in in one section,” he said. “So you could go to a website right now, click on a link, and the owner decides that they don’t want you to be at the website. Your access is unauthorized. Bang. You probably committed a felony under the CFAA.”
Ekeland represents Deric Lostutter, a hacktivist who helped expose the rape of a girl in Steubenville, Ohio, with this video. After reading about the case online, he recorded the video, which was then posted on Roll Red Roll, a fan site dedicated to the Steubenville High School football team. Two team members were later convicted of the rape in juvenile court. Lostutter admitted he made the video, but said someone else hacked into the site.
Lostutter’s life changed in April of this year. He had just returned from turkey hunting, he said, and was getting ready to go to work as a computer consultant, when a truck pulled into his driveway. “They jumped out with M16s and pointed them at my head and told me, ‘FBI, get the F down!’” he told America Tonight. “So, I did, and they put me in handcuffs.”
The FBI confiscated Lostutter’s computer and questioned him for hours. He says they later emailed him with a target letter, indicating that the government wanted to charge him with three felonies.
Lostutter believes that the government’s priorities are misplaced. “So you get 25 years in prison for forcibly entering your way into a computer, but one year in prison for forcibly entering your way into a female,” he said. “That’s the message that we’re sending with the Computer Fraud and Abuse Act.”
Federal officials in Ohio did not confirm whether the government plans to press ahead with charges against Lostutter. Few hactivists end up serving decades in jail, but the FBI raid on Lostutter represents a pattern of what many hacktivists told America Tonight is an overzealous crackdown by the government on people who just happen to use computers in old-fashioned protests against social injustice.
The Department of Justice and the FBI's cyber crime division refused multiple requests for an interview. Mark Rasch, a former prosecutor for the Department of Justice who helped write the CFAA, said the government doesn’t want to discourage civil disobedience, but those who break the law for the sake of protest should still face the legal consequences.
“When you do a denial of service attack on a commercial entity or government agency, you have taken it upon yourself to violate the law for a civil disobedience purpose,” he said. “When you do that you run the risk of being arrested.”
But hactivists’ protest tactics extend beyond DDoS attacks.
In December 2011, a politically motivated offshoot of Anonymous called AntiSec breached the website of global intelligence contractor Stratfor, stealing and publishing the passwords, addresses and credit card information of its clients, as well as internal e-mails – a practice known as “doxing.” Within the more than 5 million Stratfor e-mails published were “revelations about close and perhaps inappropriate ties between government security agencies and private contractors.”
Three months later, a man suspected of being behind the hack, Jeremy Hammond, was arrested. He pleaded guilty in May of this year for the Stratfor hack and eight other hacks of law enforcement and defense contractor websites, and faces up to 10 years in prison with his deal.
“I did this because I believe people have a right to know what governments and corporations are doing behind closed doors,” he wrote in a statement after the plea deal. “I did what I believe is right.” According to his supporters, he has been denied bail for being a flight risk and called “more dangerous than an online sexual predator” by the judge presiding his case.
Perhaps the case that has generated the most support for reforming the CFAA has been the tragic story of 26-year-old computer prodigy and Internet activist Aaron Swartz.
Swartz (pictured right) was a well-known figure advocating for freedom of information on the Internet. As a teenager, he helped create RSS, computer code that allows people to get automatic feeds from websites. Over time, he became an open information activist. In 2008, Swartz downloaded and released about 2.7 million public court documents from the Public Access to Court Electronic Records -- better known as PACER -- in an effort to make them available outside of the service, which charges for access to public records. In 2010, he and Wikler founded the online group Demand Progress, which was instrumental in preventing the passage of the Stop Online Piracy Act, which was criticized for promoting censorship without adequately preventing criminal behavior. He also helped develop SecureDrop, a tool for sources to anonymously share confidential documents with journalists.
But in July 2011, Swartz was charged under the CFAA for using an unauthorized computer to download millions of academic articles from JSTOR, an online library protected by a paywall. The government alleged Swartz intended to distribute the articles to the public.
“It was like checking too many books out of the library,” his friend Ben Wikler told America Tonight.
Under the CFAA, Swartz faced 13 felony charges, up to 35 years in prison and a $1 million fine.
In January, just weeks before his trial was set to begin, Swartz committed suicide. His death, which many of his friends arrtibuted directly to the government’s prosecution, raised questions about the fairness of the CFAA, triggered debates about political action in the digital age and served as a rallying point for “Aaron’s Law,” a bill to update the CFAA and narrow its scope.
Introduced by Representatives Zoe Lofgren (D-Calif.), Jim Sensenbrenner (R-Wis.) and Sen. Ron Wyden (D-Ore.) in June, the bill defines unauthorized access, decriminalizes merely violating a website's terms of service and removes a provision allowing prosecutors to bring multiple charges for one violation, among other measures.
But some security professionals, prosecutors and politicians have been critical of efforts to reform the law, fearing it would hamper its enforcement effectiveness. In testimony before the the House Judiciary Committee in 2011, Richard Downing, deputy section chief for computer crime and intellectual property at the Department of Justice, said “limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the department handles on a regular basis.” Reformers argue existing laws that cover the misuse of trade secrets address those issues.
Others contend that the poblem isn't the law, but how prosecutors choose to enforce it.
Still, many internet activists maintain that reform is badly needed. “We still need to pass Aaron's Law to stop this from happening the next time,” Swartz’s friend Wilker told America Tonight. “If this ends here, the system beat Aaron in a way. We need to change the system now."
For now, the bill remains in committee, and hacktivsts like Deric Lostutter wait in limbo to see what the future holds.