This is our second guest post by Joe Fionda, actor and activist.
President Obama is set to go before Congress for the State of the Union and argue for reform of the Computer Fraud and Abuse Act (CFAA). He will be doing so in front of the same body of Senate members to whom it was disclosed last week that the White House was coordinating with the CIA to hack. Yes, your tax dollars at work: the White House and CIA conspired to hack Senate computers & staffers to prevent the disclosure of war crimes; you remember, those war crimes in which the CIA was anally funneling hummus to the indefinitely-detained prisoners of the “War on Terror.” Nor should any irony be lost pointing out that the driving public force pushing reform of the CFAA, i.e., the hack of Sony, is being pushed along by allegations that the perpetrator was North Korea, the attribution of which was only possible for the government to make because the NSA hacked North Korea first, one of the many US government-backed hacks which we only know about because of Edward Snowden’s disclosures.
In case you haven’t been paying attention, things are a bit silly; by “silly” we mean that the government’s digital hypocrisy is folding in on itself. Yes, the CFAA is badly in need of reform, as an alarmist law signed into being in 1984 by Ronald Reagan after he saw the movie War Games, before the internet as we know it even existed. It means that proverbial Windows Update is at least a quarter-century overdue.
But this revision is a literal doubling down of the government’s already misguided heavy-handedness, which seeks to double the length of sentences for hackers to make them face more time than most rapists. The revisions do not substantially help define what the key phrase “exceeding authorized access” means, other than insofar as it relates to the alleged hacker’s knowledge of whether he or she knew that their actions were improper. With the arbitrary damage figure being set as “over $5,000” as a felony trigger, any potential hacking accusation could be considered felonious if the victim simply claims over the requisite amount for a felony, or decides they want to shell out a ton of money to contractor buddies for DDoS mitigation consultants. This is a godsend to the consulting industry. The revisions to RICO (the racketeering statutes designed to prosecute mob figures such as John Gotti) would make the government’s wet dream of charging groups like Anonymous with racketeering come true. With the horrible Citizens United decision turning corporations into people with the stroke of a lobbyist-funded pen, they, too, are given the same victims’ rights as an individual human being, but with infinitely more legal & technical resources. No doubt, if a corporation were to be charged with a hacking RICO offense, they would likely be able to negotiate their way out of meaningful criminal penalties, as has been the case for major financial institutions involved in the economic crash of 2008. The ones we bailed out, remember?
There is much missing from the CFAA revisions that would greatly improve the safety and security of these persons whom the law allegedly seeks to protect; specifically, the protection of the citizenry from the government itself and its endless phalanx of contractors. The government has constantly been arguing for the need for backdoors, the ability to hack targets and the need to be able to otherwise engage in criminal acts, and absolutely no edits have been proposed in regard to the CFAA for exemptions for law enforcement. Thus, the government would continue to essentially have no accountability for their own access fraud simply because they are the government. Remember Nixon? “If the President does it, it’s not illegal.” American victims of foreign hackers, who may be outside of the reach of American law enforcement due to lack of extradition treaties but nevertheless using the same technology, don’t appear to have any substantial avenue of recourse for losses incurred by foreign actors. Nor are there apparent provisions for citizens to ‘hack back’ when the hacks in question do not merit the time or resources of law enforcement.
Even though the 3rd Circuit Court of Appeals smacked down the Justice Department for venue impropriety in United States v. Auernheimer for dragging weev all the way from Arkansas to New Jersey, nothing in the proposed revisions seems to indicate that the critical issue of prosecutorial venue is being addressed. In weev’s case, the number of victims in New Jersey was statistically minimal, and the conviction was overturned. In a similar case involving the New Jersey venue & AT&T, Lance Moore, a young Las Cruces, NM man who was accused of leaking a confidential AT&T document to LulzSec, was driven to suicide before trial. The US Attorneys in the district of New Jersey for that case, Paul Fishman and Gurbir Grewal, faced absolutely no public consequences in light of the identical venue-related issues. Moore’s case would almost certainly have been vacated thanks to the 3rd Circuit’s ruling in United States v. Auernheimer. Nor, despite overwhelming public outcry, did Massachusetts US Attorneys Carmen Ortiz or Stephen Heymann face any consequences for driving Aaron Swartz to his own suicide. Nor has the FBI had to face any for their role in helping to socially engineer the hack of Stratfor by using informant Sabu to direct and outsource the rest of the incomplete job from another hacker to Jeremy Hammond, who completed the assignment as agents watched over Sabu’s back. That case later led to journalist Barrett Brown’s prosecution for simply trying to report on it. Brown remains in custody awaiting sentencing.
Forget the argument that the new revisions would criminalize security research and journalism. Any bill proposed to revise the CFAA that doesn’t include provisions to address our government’s responsibility for its own hacking and help restore individual privacy is at best a farce, at worst a decree that The People are to continue to be subject to an awful national security theater where we are to stand naked before its tyranny. If the government previously hacked North Korea and then claimed they couldn’t stop North Korea from shutting down Sony Pictures Entertainment because they got to their payment systems, and the government couldn’t stop this from happening if they had advance warning, should the government making this declaration be on the hook for the work stoppage those of us have had to deal with in the film industry?
There must be public input on the legislation, as well as realistic remedy and relief for what is considered “hacking”. There must be a conversation most of all, because it seems that heavy-handedness and sentencing coercion are not going to solve the real problems the real world faces when it comes to our cyber-legislation.
Joe Fionda is a New York-based Italian-Irish American actor and associate producer of The Hacker Wars. When he isn’t creating lulz for film & TV he is editor & tech ops for globalrevolution.tv.