This friend to hackers is probably your best bet for Internet freedom, too

Since the death of famed developer and “hacktivist” Aaron Swartz at the beginning of this year, one law more than any other has come to the forefront of the Internet community’s consciousness: The Computer Fraud and Abuse Act, or CFAA, which many believe is dangerously vague and can result in grossly unfair punishments for those, like Swartz, who are prosecuted under its statutes. And few people are as close to the front lines of this battle over the CFAA as New York-based attorney Tor Ekeland.

Ekeland first jumped into the CFAA fight last year, after he agreed to represent infamous “AT&T iPad hacker” Andrew “Weev” Auernheimer, who was recently sentenced to 41 months in prison for something many say should not be illegal. He is continuing this fight by representing Matthew Keys, Reuters’ deputy social media editor and famed Twitter journalist, who has been indicted under the CFAA for allegedly handing over login credentials for the network of his former employer, the Tribune Company, to Anonymous hackers. Keys potentially faces 25 years in prison and $250,000 in fines.

We gave Ekeland a call to get his take on the computer crime law that critics believe could, if the government so chose, land every Web user behind bars.

Digital Trends: How did you get into computer crime law?

Tor Ekeland: I came into this by chance because my wife is a photo journalist who was shooting Occupy Wall Street. And she ran into Andrew Auernheimer. She started talking to him. He mentioned he was looking for a lawyer to replace his federal defender. I had worked in corporate law for five years, and was about to start my own law practice. So she came home and said, ‘Hey, I met this guy. Looks like a really interesting case. Are you interested?’ I took a look at it and said, ‘This is really fascinating. I think the issues here are potentially really major.’ So I call him up. We met. He agreed to me repping him pro bono. And that was that.

You’ve mentioned on Twitter that you “hate” the Computer Fraud and Abuse Act. Can you tell me a bit about why that is?

The Computer Fraud and Abuse Act is a statute that originated in 1984, before the Internet existed, before HTTP existed. And it originally existed to protect government computers and financial institution networks, things related to national security and protecting the economy. Over time, it’s been amended a number of times. And among the statutes at its core, it forbids ‘unauthorized access’ to a ‘protected computer.’ A ‘protected computer’ is basically anything with a microchip that’s involved in interstate commerce. So, I mean, your coffee maker is probably a ‘protected computer.’ The phone you and I are talking on right now could, with the broad definition, be a ‘protected computer.’

What’s problematic about the statute is that it nowhere defines what it seeks to prohibit, which is ‘unauthorized access.’ It doesn’t define it anywhere. And the courts are continuously confused about that. So, they come up with a number of different interpretations that are arguably very problematic. You know, some courts have read ‘unauthorized access’ to mean that if you violated the terms of service of a website or Facebook or something, you know, you’ve engaged in unauthorized access.

In Andrew’s case, what’s so interesting about the case and why it’s a major case is … essentially, his co-defendant [Daniel Spitler] queried AT&T’s publicly accessible iPad servers with a number that matched the number on the SIM card in an iPad. When he entered a number in a URL directed to these iPad servers, it would publish an email address, if that number actually matched a customer’s SIM card number, it would publish that customer’s email address, and then ask you for a password. So, you know, he wrote a script that did that, that harvested like 114,000 email addresses – no personal information, nothing, no password was ever hacked. And now Andrew’s been sentenced to 41 months for participating in this conspiracy to do this.

The problem at root here is basically that entering a number into a URL is what people do a lot every day on the Internet. And if you’re not going to define ‘unauthorized access’ as bypassing a password or some kind of code-based restriction, the statute’s potentially criminalizing what’s considered normal computer behavior that people engage in every day. Now, is our federal government going to prosecute millions of people for alleged computer crimes every day? No. But it allows them to pick and choose, and engage in these arbitrary prosecutions.

In Andrew’s case, AT&T wasn’t telling people to change their email address. There was no spear phishing, or all that stuff. They were embarrassed. But the Department of Justice decided to go after Andrew and seek this harsh sentence. Same thing with Swartz; the courts … even if it wasn’t a technical violation of the statute, but there really was no harm involved. JSTOR and MIT really didn’t want it to go down that path. The DOJ I think sort of has this mentality that hackers are evil, and its kind of paranoia is reminiscent of the Red Scare. I think hackers are the new communists.

So, it’s just problematic because it’s a really vague statute. And because it’s so vague, it invited what I think are unwarranted prosecutions.

You can make an argument that what Google’s search engine is doing is a violation of the CFAA because they’re crawling the Internet with their bots for collecting links. And the theory of “unauthorized access” in Andrew’s is “unauthorized access” because they’re saying it was – AT&T says it was and the federal government says it was. But there’s no notice or warning or pop-up saying, ‘You don’t have access to this website. It’s forbidden or unauthorized.’ So under this theory, you could have someone who does a Google search, clicks on a link, the website of it decides that, ‘No, I don’t want you at this website,’ and you’ve potentially committed a felony. And I think that would surprise most people. 

How would you fix the CFAA?

Well, Congress is actually talking about making the law more draconian. Which I think is nuts. One thing I think they need to do is to make the punishment proportional to the actual harm. Like, right now with Andrew’s case you’ve got somebody who’s committed felonies, been sentenced to three and a half years, where there really was no harm. 

I would make most of the statute civil. Right now it’s a criminal and civil statute. I think most of these cases could be remedied by having the companies sue the person, civilly, and don’t involve jail time. I think they should reserve the criminal punishments for real harm to lives – national security or financial institutions, or messing with the 911 network, or taking out part of a hospital, or something with real harm.

Some sort of fear of the mysterious computer hackers that causes people to kind of get hysterical and call these punishments. There’s a disconnect. Some people pointed out that in Matthew Keys’s case, if what they’re alleging is true, and that he’s a disgruntled employee who tried to take revenge on his boss, that he would have been better off beating his boss with a lead pipe because the criminal penalties in the physical world are less draconian than the penalties under the CFAA. 

Why should the average Web user, who’s never going to “hack” anything, who’s never going to write any scripts of any type, care about the problems with the CFAA?

Well, they should just be concerned that their Google searches, and clicking on a website, is potentially criminal. If you go to some website that somebody doesn’t want you there, you might have just committed a federal crime. I think, like what you see with Andrew, our government tends to go after unpopular defendants first. And Andrew, you know, he’s a very controversial figure, an Internet troll. And so there they get this expansive reading of this statute, they get precedent after going after someone unpopular that nobody’s really too concerned about. Now they can just go around and prosecute with these extremely broad theories.

It kind of plays into that book Three Felonies a Day, where the authors argue that because criminal law’s become so expansive, most people are committing three felonies a day without knowing it. And so it puts you in a position where, should you be in the wrong place at the wrong time with a computer, the government can prosecute you at a whim, and you’re going to end up in this unexpected Kafkaesque nightmare.

Is it just a coincidence that we’ve seen three high-profile CFAA cases – Aaron Swartz, Andrew Auernheimer, and Matthew Keys – become big news in the past three months, or is the government actively pursuing these more frequently?

That’s a good question. And it certainly raises one’s eyebrows that all of a sudden you’re getting all of these Computer Fraud and Abuse Act prosecutions lately. And I think what’s going on is there’s this hysteria about hackers. You can’t open up a newspaper, or turn on your computer and read the news, without finding a story about how the Chinese are hacking us, or the Russians are hacking us. … And part of that I think is just fear of the unknown that scares people. And there’s a bit of an overreaction there.

Given the rate at which technology changes, and the way we use technology changes, is it even possible to write “good” computer crime laws?

That’s a good question. I think part of what’s happening is you see the law struggling with this rapid technological change. I think you probably could write a decent law, but it’d have to be written by informed people who know about general principles on how the Internet and computers actually work. I think one really good suggestion to amend the Computer Fraud and Abuse Act is, define ‘unauthorized access’ as bypassing a password or some type of code-based restriction. And I think that’s pretty simple. Passwords have been around for a long time. My 5-year-old son knows what a password is, and that’s sort of a line to draw. A company knows that, if I want to protect my information and prevent unauthorized access, I put up a password. That’s not rocket science.

But, like you said, nobody can predict what’s going to happen in the future. And I think it’s tricky. It’s tricky because you can write these laws with good intentions, but there’s the inadvertent consequences. 

Photo by Katja Heinemann

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…