In June 2010, Andrew Auernheimer, a well-known Internet-security expert, discovered a gaping hole in AT&T’s website that exposed 114,000 e-mail addresses belonging to the wireless giant’s Apple iPad customers. After a colleague downloaded the data, Auernheimer passed the information to a journalist at Gawker. The episode was a major embarrassment for AT&T because the list included thousands of high-profile individuals, including New York City Mayor Michael Bloomberg and then White House chief of staff Rahm Emanuel. AT&T quickly patched the hole.
The FBI promptly launched an investigation, and in November, Auernheimer was convicted of two felony counts under the Computer Fraud and Abuse Act (CFAA), a 1980s-era law originally designed to punish and deter intrusions into government and financial-industry computer systems. His colleague Daniel Spitler pleaded guilty last year. On Monday, Auernheimer, 27, was sentenced to 41 months in prison and ordered to pay $73,000 in restitution to AT&T. He has vowed to appeal.
Auernheimer’s case is just the latest involving the CFAA amid what appears to be an intensifying federal crackdown against so-called hackers. The CFAA makes it a federal crime to “access a computer without authorization or exceed authorized access.” Critics say the law has been twisted by U.S. prosecutors to bully and intimidate security researchers, journalists and activists with extremely harsh federal prison sentences. Earlier this month, Reuters journalist Matthew Keys, 26, was indicted on CFAA felony charges alleging that he provided a hacker with log-in credentials to access the Los Angeles Times website, which was then vandalized. Keys faces 25 years in prison and a $500,000 fine.
The CFAA was also used to prosecute Aaron Swartz, the 26-year-old programmer who killed himself earlier this year. Swartz had been charged with accessing a server at the Massachusetts Institute of Technology and downloading too many articles from the subscription-based academic research service JSTOR. Swartz faced up to 35 years in prison and a $1 million fine. In the wake of Swartz’s suicide, his family and friends accused federal prosecutors of using the CFAA to harass and intimidate the young activist. Swartz was “killed by the government,” his father told mourners at his son’s funeral. The case has became a cause célèbre among Internet activists and has prompted a prominent U.S. lawmaker, California Democrat Zoe Lofgren, to introduce a bill called Aaron’s Law to reform the CFAA.
Thus far, many of Lofgren’s House colleagues have expressed little enthusiasm for reforming the CFAA, a law supported by many big tech companies including database giant Oracle, which has an understandable interest in data security. The U.S. has brought over 500 CFAA criminal cases over the past several years, according to Reuters. In fact, the Justice Department wants to expand the law, Richard Downing, deputy section chief for computer crime and intellectual property, told Congress in November, according to Reuters.
Each CFAA case cited above is different. Auernheimer (also known as Weev) maintained that his actions were driven by a desire to highlight security lapses in AT&T’s systems. Swartz believed deeply that academic information should be made available to the public. And Keys’ alleged conduct appears to be little more than a juvenile prank. What ties them together is the government’s use of the CFAA, a law that critics say is too vague, overly broad and allows prosecutors to treat terms-of-service violations as malicious criminal hacking. Critics also say the law allows the government to seek wildly disproportionate sentences for victimless crimes, often to send a message to other would-be “hackers.”
For example, as CNET’s Declan McCullagh observed, if Keys had allowed vandals to access the Los Angeles Times printing press in order to modify a headline, he might have faced a few months in jail or probation for violating misdemeanor California trespass or malicious mischief laws. He would not have faced 25 years in federal prison on felony charges. To be sure, it’s highly unlikely that if convicted Keys will go to prison for 25 years, but critics of the CFAA say the law allows federal prosecutors to hang draconian sentences over the head of defendants in order to pressure them into plea agreements that will brand them as felons for the rest of their life.
“The Computer Fraud and Abuse Act is the most outrageous criminal law you’ve never heard of,” Columbia Law School professor Tim Wu wrote in the New Yorker this week. “It bans ‘unauthorized access’ of computers, but no one really knows what those words mean … Over the years, the punishments for breaking the law have grown increasingly severe — it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free.”
The CFAA was enacted in 1984, well before the Internet became the ubiquitous commercial and communication medium it is today. The law was designed to punish and deter attempts to break into sensitive government computer systems like NORAD (à la WarGames), as well as financial institutions like banks. In the years since, the CFAA has been repeatedly broadened by amendment, in one case to include so-called protected computers. But the courts are divided about how the law should be applied, and in April, a federal judge rejected prosecutors’ use of the law as too broad, saying it could potentially criminalize millions of Americans.
Lofgren says Aaron’s Law is designed to prevent what happened to Swartz from happening to other Internet users. “The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act and the wire-fraud statute,” Lofgren wrote recently. “It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire-fraud statute.”
Prosecutors in the Auernheimer case defended their decision to take the case to trial. “What did the 114,000 iPad users do that was so wrong, to have their personal information exposed to Gawker?” asked assistant U.S. Attorney Zach Intrater, in comments cited by the Associated Press. “He could have contacted AT&T and let them know what was wrong, and they could have patched the hole and then the defendant could have published and got his reputation.”
In the wake of Auernheimer’s sentencing, the Electronic Frontier Foundation (EFF) has joined his legal team to litigate his appeal and will argue that “fundamental problems” with the CFAA result in unfair prison sentences. “Weev is facing more than three years in prison because he pointed out that a company failed to protect its users’ data, even though his actions didn’t harm anyone,” Marcia Hofmann, EFF senior staff attorney, said in a statement on Monday. “The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them.”