Home > Web > This friend to hackers is probably your best bet…

This friend to hackers is probably your best bet for Internet freedom, too

Tor Ekeland

Since the death of famed developer and “hacktivist” Aaron Swartz at the beginning of this year, one law more than any others has come to the forefront of the Internet community’s consciousness: The Computer Fraud and Abuse Act, or CFAA, which many believe is dangerously vague and can result in grossly unfair punishments for those, like Swartz, who are prosecuted under its statutes. And few people are as close to the front lines of this battle over the CFAA as New York-based attorney Tor Ekeland.

Ekeland first jumped into the CFAA fight last year, after he agreed to represent infamous “AT&T iPad hacker” Andrew “Weev” Auernheimer, who was recently sentenced to 41 months in prison for something many say should not be illegal. He is continuing this fight by representing Matthew Keys, Reuter’s deputy social media editor and famed Twitter journalist, who has been indicted under the CFAA for allegedly handing over login credential for the network of his former employer, the Tribune Company, to Anonymous hackers. Keys potentially faces 25 years in prison and $250,000 in fines.

We gave Ekeland a call to get his take on the computer crime law that critics believe could, if the government so chose, land every Web user behind bars.

Digital Trends: How did you get into computer crime law?

Tor Ekeland: I came into this by chance because my wife is a photo journalist who was shooting Occupy Wall Street. And she ran into Andrew Auernheimer. She started talking to him. He mentioned he was looking for a lawyer to replace his federal defender. I had worked in corporate law for five years, and was about to start my own law practice. So she came home and said, ‘Hey, I met this guy. Looks like a really interesting case. Are you interested?’ I took a look at it and said, ‘This is really fascinating. I think the issues here are potentially really major.’ So I call him up. We met. He agreed to me repping him pro bono. And that was that.

You’ve mentioned on Twitter that you “hate” the Computer Fraud and Abuse Act. Can you tell me a bit about why that is?

The Computer Fraud and Abuse Act is a statute that originated in 1984, before the Internet existed, before HTTP existed. And it originally existed to protect government computers and financial institution networks, things related to national security and protecting the economy. Over time, it’s been amended a number of times. And among the statutes at its core, it forbids ‘unauthorized access’ to a ‘protected computer.’ A ‘protected computer’ is basically anything with a microchip that’s involved in interstate commerce. So, I mean, your coffee maker is probably a ‘protected computer.’ The phone you and I are talking on right now could, with the broad definition, be a ‘protected computer.’

“He would have been better off beating his boss with a lead pipe because the criminal penalties in the physical world are less draconian than the penalties under the CFAA.”

What’s problematic about the statute is that it no where defines what it seeks to prohibit, which is ‘unauthorized access.’ It doesn’t define it anywhere. And the courts are continuously confused about that. So, they come up with a number of different interpretations that are arguably very problematic. You know, some courts have read ‘unauthorized access’ to mean that if you violated the terms of service of a website or Facebook or something, you know, you’ve engaged in unauthorized access.

In Andrew’s case, what’s so interesting about the case and why it’s a major case is … essentially, his co-defendant [Daniel Spitler] queried AT&T’s publicly accessible iPad servers with a number that matched the number on the SIM card in an iPad. When he entered number in a URL directed to these iPad servers, it would publish an email address, if that number actually matched a customer’s SIM card number, it would publish that customer’s email address, and then ask you for a password. So, you know, he wrote a script that did that, that harvested like 114,000 email address – no personal information, nothing, no password was ever hacked. And now Andrew’s been sentenced to 41 months for participating in this conspiracy to do this.

The problem at root here is basically that entering a number into a URL is what people do a lot every day on the Internet. And if you’re not going to define ‘unauthorized access’ as bypassing a password or some kind of code-based restriction, the statute’s potentially criminalizing what’s considered normal computer behavior that people engage in every day. Now, is our federal government is going to prosecute millions of people for alleged computer crimes every day? No. But it allows them to pick and choose, and engage in these arbitrary prosecutions. 

In Andrew’s case, AT&T wasn’t telling people to change their email address. There was no spear phishing, or all that stuff. They were embarrassed. But the Department of Justice decided to go after Andrew and seek this harsh sentence. Same thing with Swartz; the courts.. even if it wasn’t a technical violation of the statute, but there really was no harm involved. JSTOR and MIT really didn’t want it to go down that path. The DOJ I think sort of has this mentality that hackers are evil, and it’s kind of paranoia is reminiscent of the Red Scare. I think hackers are the new communists. 

So, it’s just problematic because it’s a really vague statute. And because it’s so vague, it invited what I think are unwarranted prosecutions.

You can make an argument that what Google’s search engine is doing is a violation of the CFAA because they’re crawling the Internet with their bots for collecting links. And the theory of “unauthorized access” in Andrew’s is “unauthorized access” because they’re saying it was – AT&T says it was and the federal government says it was. But there’s no notice or warning or pop-up saying, ‘You don’t have access to this website. It’s forbidden or unauthorized.’ So under this theory, you could have someone who does a Google search, clicks on a link, the website of it decides that, ‘No, I don’t want you at this website,’ and you’ve potentially committed a felony. And I think that would surprise most people. 

How would you fix the CFAA?

Well, Congress is actually talking about making the law more draconian. Which I think is nuts. One thing I think they need to do is to make the punishment proportional to the actual harm. Like, right now with Andrew’s case you’ve got somebody who’s committed felonies, been sentenced to three and a half years, where there really was no harm. 

“Hackers are the new communists.”

I would make most of the statute civil. Right now it’s a criminal and civil statute. I think most of these cases could be remedied by having the companies sue the person, civilly, and don’t involve jail time. I think they should reserve the criminal punishments for real harm to lives – national security or financial institutions, or messing with the 911 network, or taking out part of a hospital, or something with real harm.

Some sort of fear of the mysterious computer hackers that causes people to kind of get hysterical and call these punishments. There’s a disconnect. Some people pointed out that in Matthew Keys’s case, if what they’re alleging is true, and that he’s a disgruntled employee who tried to take revenge on his boss, that he would have been better off beating his boss with a lead pipe because the criminal penalties in the physical world are less draconian than the penalties under the CFAA. 

Why should the average Web user, who’s never going to “hack” anything, who’s never going to write any scripts of any type, care about the problems with the CFAA?

Well, they should just be concerned that their Google searches, and clicking on a website, is potentially criminal. If you go to some website that somebody doesn’t want you there, you might have just committed a federal crime. I think, like what you see with Andrew, our government tends to go after unpopular defendants first. And Andrew, you know, he’s a very controversial figure, and Internet troll. And so there they get this expansive reading of this statute, they get precedent after going after someone unpopular that nobody’s really too concerned about. Now they can just go around and prosecute with these extremely broad theories.

It kind of plays into that book Three Felonies a Day, where the authors argue that because criminal law’s become so expansive, most people are committing three felonies a day without knowing it. And so it puts you in a position where, should you be in the wrong place at the wrong time with a computer, the government can prosecute you at a whim, and you’re going to end up in this unexpected Kafkaesque nightmare.

Is it just a coincidence that we’ve seen three high-profile CFAA cases – Aaron Swartz, Andrew Auernheimer, and Matthew Keys – become big news in the past three months, or is the government actively pursuing these more frequently?

That’s a good question. And it certainly raises one’s eyebrows that all of a sudden you’re getting all of these Computer Fraud and Abuse Act prosecutions lately. And I think what’s going on is there’s this hysteria about hackers. You can’t open up a newspaper, or turn on your computer and read the news, without finding a story about how the Chinese are hacking us, or the Russians are hacking us. … And part of that I think is just fear of the unknown that scares people. And there’s a bit of an overreaction there.

Given the rate at which technology changes, and the way we use technology changes, is it even possible to write “good” computer crime laws?

That’s a good question. I think part of what’s happening is you see the law struggling with this rapid technological change. I think you probably could write a decent law, but it’d have to be written by informed people who know about how general principles on the how the Internet and computers actually work. I think one really good suggestion to amend the Computer Fraud and Abuse Act is, define ‘unauthorized access’ as bypassing a password or some type of code-based restriction. And I think that’s pretty simple. Passwords have been around for a long time. My 5-year-old son know what a password is, and that’s sort of a line to draw. A company knows that, if I want to protect my information and prevent unauthorized access, I put up a password. That’s not rocket science.

But, like you said, nobody can predict what’s going to happen in the future. And I think it’s tricky. It’s tricky because you can write these laws with good intentions, but there’s the inadvertent consequences. 

Photo by Katja Heinemann