Web

This friend to hackers is probably your best bet for Internet freedom, too

Tor Ekeland

Since the death of famed developer and “hacktivist” Aaron Swartz at the beginning of this year, one law more than any others has come to the forefront of the Internet community’s consciousness: The Computer Fraud and Abuse Act, or CFAA, which many believe is dangerously vague and can result in grossly unfair punishments for those, like Swartz, who are prosecuted under its statutes. And few people are as close to the front lines of this battle over the CFAA as New York-based attorney Tor Ekeland.

Ekeland first jumped into the CFAA fight last year, after he agreed to represent infamous “AT&T iPad hacker” Andrew “Weev” Auernheimer, who was recently sentenced to 41 months in prison for something many say should not be illegal. He is continuing this fight by representing Matthew Keys, Reuter’s deputy social media editor and famed Twitter journalist, who has been indicted under the CFAA for allegedly handing over login credential for the network of his former employer, the Tribune Company, to Anonymous hackers. Keys potentially faces 25 years in prison and $250,000 in fines.

We gave Ekeland a call to get his take on the computer crime law that critics believe could, if the government so chose, land every Web user behind bars.

Digital Trends: How did you get into computer crime law?

Tor Ekeland: I came into this by chance because my wife is a photo journalist who was shooting Occupy Wall Street. And she ran into Andrew Auernheimer. She started talking to him. He mentioned he was looking for a lawyer to replace his federal defender. I had worked in corporate law for five years, and was about to start my own law practice. So she came home and said, ‘Hey, I met this guy. Looks like a really interesting case. Are you interested?’ I took a look at it and said, ‘This is really fascinating. I think the issues here are potentially really major.’ So I call him up. We met. He agreed to me repping him pro bono. And that was that.

You’ve mentioned on Twitter that you “hate” the Computer Fraud and Abuse Act. Can you tell me a bit about why that is?

The Computer Fraud and Abuse Act is a statute that originated in 1984, before the Internet existed, before HTTP existed. And it originally existed to protect government computers and financial institution networks, things related to national security and protecting the economy. Over time, it’s been amended a number of times. And among the statutes at its core, it forbids ‘unauthorized access’ to a ‘protected computer.’ A ‘protected computer’ is basically anything with a microchip that’s involved in interstate commerce. So, I mean, your coffee maker is probably a ‘protected computer.’ The phone you and I are talking on right now could, with the broad definition, be a ‘protected computer.’

“He would have been better off beating his boss with a lead pipe because the criminal penalties in the physical world are less draconian than the penalties under the CFAA.”

What’s problematic about the statute is that it no where defines what it seeks to prohibit, which is ‘unauthorized access.’ It doesn’t define it anywhere. And the courts are continuously confused about that. So, they come up with a number of different interpretations that are arguably very problematic. You know, some courts have read ‘unauthorized access’ to mean that if you violated the terms of service of a website or Facebook or something, you know, you’ve engaged in unauthorized access.

In Andrew’s case, what’s so interesting about the case and why it’s a major case is … essentially, his co-defendant [Daniel Spitler] queried AT&T’s publicly accessible iPad servers with a number that matched the number on the SIM card in an iPad. When he entered number in a URL directed to these iPad servers, it would publish an email address, if that number actually matched a customer’s SIM card number, it would publish that customer’s email address, and then ask you for a password. So, you know, he wrote a script that did that, that harvested like 114,000 email address – no personal information, nothing, no password was ever hacked. And now Andrew’s been sentenced to 41 months for participating in this conspiracy to do this.

The problem at root here is basically that entering a number into a URL is what people do a lot every day on the Internet. And if you’re not going to define ‘unauthorized access’ as bypassing a password or some kind of code-based restriction, the statute’s potentially criminalizing what’s considered normal computer behavior that people engage in every day. Now, is our federal government is going to prosecute millions of people for alleged computer crimes every day? No. But it allows them to pick and choose, and engage in these arbitrary prosecutions. 

In Andrew’s case, AT&T wasn’t telling people to change their email address. There was no spear phishing, or all that stuff. They were embarrassed. But the Department of Justice decided to go after Andrew and seek this harsh sentence. Same thing with Swartz; the courts.. even if it wasn’t a technical violation of the statute, but there really was no harm involved. JSTOR and MIT really didn’t want it to go down that path. The DOJ I think sort of has this mentality that hackers are evil, and it’s kind of paranoia is reminiscent of the Red Scare. I think hackers are the new communists. 

So, it’s just problematic because it’s a really vague statute. And because it’s so vague, it invited what I think are unwarranted prosecutions.

You can make an argument that what Google’s search engine is doing is a violation of the CFAA because they’re crawling the Internet with their bots for collecting links. And the theory of “unauthorized access” in Andrew’s is “unauthorized access” because they’re saying it was – AT&T says it was and the federal government says it was. But there’s no notice or warning or pop-up saying, ‘You don’t have access to this website. It’s forbidden or unauthorized.’ So under this theory, you could have someone who does a Google search, clicks on a link, the website of it decides that, ‘No, I don’t want you at this website,’ and you’ve potentially committed a felony. And I think that would surprise most people. 

How would you fix the CFAA?

Well, Congress is actually talking about making the law more draconian. Which I think is nuts. One thing I think they need to do is to make the punishment proportional to the actual harm. Like, right now with Andrew’s case you’ve got somebody who’s committed felonies, been sentenced to three and a half years, where there really was no harm. 

“Hackers are the new communists.”

I would make most of the statute civil. Right now it’s a criminal and civil statute. I think most of these cases could be remedied by having the companies sue the person, civilly, and don’t involve jail time. I think they should reserve the criminal punishments for real harm to lives – national security or financial institutions, or messing with the 911 network, or taking out part of a hospital, or something with real harm.

Some sort of fear of the mysterious computer hackers that causes people to kind of get hysterical and call these punishments. There’s a disconnect. Some people pointed out that in Matthew Keys’s case, if what they’re alleging is true, and that he’s a disgruntled employee who tried to take revenge on his boss, that he would have been better off beating his boss with a lead pipe because the criminal penalties in the physical world are less draconian than the penalties under the CFAA. 

Why should the average Web user, who’s never going to “hack” anything, who’s never going to write any scripts of any type, care about the problems with the CFAA?

Well, they should just be concerned that their Google searches, and clicking on a website, is potentially criminal. If you go to some website that somebody doesn’t want you there, you might have just committed a federal crime. I think, like what you see with Andrew, our government tends to go after unpopular defendants first. And Andrew, you know, he’s a very controversial figure, and Internet troll. And so there they get this expansive reading of this statute, they get precedent after going after someone unpopular that nobody’s really too concerned about. Now they can just go around and prosecute with these extremely broad theories.

It kind of plays into that book Three Felonies a Day, where the authors argue that because criminal law’s become so expansive, most people are committing three felonies a day without knowing it. And so it puts you in a position where, should you be in the wrong place at the wrong time with a computer, the government can prosecute you at a whim, and you’re going to end up in this unexpected Kafkaesque nightmare.

Is it just a coincidence that we’ve seen three high-profile CFAA cases – Aaron Swartz, Andrew Auernheimer, and Matthew Keys – become big news in the past three months, or is the government actively pursuing these more frequently?

That’s a good question. And it certainly raises one’s eyebrows that all of a sudden you’re getting all of these Computer Fraud and Abuse Act prosecutions lately. And I think what’s going on is there’s this hysteria about hackers. You can’t open up a newspaper, or turn on your computer and read the news, without finding a story about how the Chinese are hacking us, or the Russians are hacking us. … And part of that I think is just fear of the unknown that scares people. And there’s a bit of an overreaction there.

Given the rate at which technology changes, and the way we use technology changes, is it even possible to write “good” computer crime laws?

That’s a good question. I think part of what’s happening is you see the law struggling with this rapid technological change. I think you probably could write a decent law, but it’d have to be written by informed people who know about how general principles on the how the Internet and computers actually work. I think one really good suggestion to amend the Computer Fraud and Abuse Act is, define ‘unauthorized access’ as bypassing a password or some type of code-based restriction. And I think that’s pretty simple. Passwords have been around for a long time. My 5-year-old son know what a password is, and that’s sort of a line to draw. A company knows that, if I want to protect my information and prevent unauthorized access, I put up a password. That’s not rocket science.

But, like you said, nobody can predict what’s going to happen in the future. And I think it’s tricky. It’s tricky because you can write these laws with good intentions, but there’s the inadvertent consequences. 

Photo by Katja Heinemann

Emerging Tech

Intel’s new ‘neural network on a stick’ aims to unchain A.I. from the internet

To kick off its first developer conference in Beijing, Intel unveiled the second generation of its Neural Compute Stick -- a device that promises to democratize the development of computer vision A.I. applications.
Digital Trends Live

DT Daily: D-Wave wants to help developers make the leap into quantum computing

If you are curious about quantum computing but don't know where to start, you're not alone. D-Wave has a platform for people to learn quantum computing, and the company's Murray Thom appeared on Digital Trends Live to talk about it.
Movies & TV

The best shows on Netflix, from 'The Haunting of Hill House’ to ‘The Good Place’

Looking for a new show to binge? Lucky for you, we've curated a list of the best shows on Netflix, whether you're a fan of outlandish anime, dramatic period pieces, or shows that leave you questioning what lies beyond.
Computing

Here's why 64-bit (not 32-bit) dominates modern computing

Today's computing world isn't the same as it once was. With 64-bit processors and operating systems replacing the older 32-bit designs, we look at what 32-bit vs. 64-bit really means for you.
Computing

Want to save a webpage as a PDF? Just follow these steps

Need to quickly save and share a webpage? The best way is to learn how to save a webpage as a PDF file, as they're fully featured and can handle images and text with ease. Here's how.
Social Media

‘Superwoman’ YouTuber Lilly Singh taking a break for her mental health

Claiming to be "mentally, physically, emotionally, and spiritually exhausted," popular YouTuber Lilly Singh has told her millions of fans she's taking a break from making videos in order to recuperate.
Smart Home

Amazon has a huge team dedicated to enhancing Alexa and Echo

An Amazon executive on Tuesday, November 13 revealed the huge size of the team that's tasked with developing the Echo, the company's smart speaker, and Alexa, the digital assistant that powers it.
Music

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.
Social Media

Going incognito: Here's how to appear offline on Facebook

How do you make sure your friends and family can't see if you're on Facebook, even if you are? Here, we'll show you how to turn off your active status on three different platforms, so you can browse Facebook without anyone knowing.
Computing

Our 10 favorite Chrome themes add some much-needed pizzazz to your boring browser

Sometimes you just want Chrome to show a little personality and ditch the grayscale for something a little more lively. Lucky for you, we've sorted through the Chrome Web Store to find best Chrome themes available.
Outdoors

Aussies hope free Wi-Fi on their beaches will lead to fewer drownings

Lifeguards in Australia have hit on an idea to use Wi-Fi to make the nation's beaches safer. It's a simple but clever idea that plays on our need to stay connected around the clock.
Computing

How to easily record your laptop screen with apps you already have

Learning how to record your computer screen shouldn't be a challenge. Lucky for you, our comprehensive guide lays out how to do so using a host of methods, including both free and premium utilities, in both MacOS and Windows 10.
Gaming

These are the coolest games you can play on your Google Chrome browser right now

Not only is Google Chrome a fantastic web browser, it's also a versatile gaming platform that you can access from just about anywhere. Here are a few of our favorite titles for the platform.
Smart Home

Amazon will bring a 7-foot-tall Christmas tree to your doorstep starting today

If you have fond memories of going out with your family and searching for the perfect Christmas tree, well, Amazon wants to create its own holiday tradition. Starting today, you can order a real, 7-foot tree from Amazon.