The Computer Fraud and Abuse Act, or CFAA

We Should All Step Back from Security Journalism

Quinn Norton
The Message
Published in
9 min readJan 23, 2015

--

I’ll Go First

I started studying the computer underground back when I worked in tech, as an early web developer, in the mid 1990s. I found the world fascinating, and I interviewed people and wrote about it, initially for myself. I never participated much. At first this was because I didn’t have much to contribute, but in time I came to understand that I wanted to remain on the disinterested side of law enforcement. This was not only because of what it meant for my own long-term prospects, but because it would let me build more understanding of the culture I was studying, and ultimately let me share what I learned of that culture with more people.

As the internet escaped its counter-culture and specialist roots, I have been able to speak to a much wider audience than I could have dared to hope for back in 1995. The internet went from being my world to being nearly everyone’s world in the historical flash of two decades. As for me, I left the tech industry and began to write about how that industry was changing the world full time, including tech’s often hunted underground. I was speaking to a wider audience than were on the net at all when I started.

Since then, I have built a career largely out of writing about hackers, often from deep in their culture. Even when I’ve not worked on reported pieces myself, I have helped many other journalists understand, interpret, and find sources on hacking stories. While it’s not been key to my reporting for the last 18 months, much of my career as a journalist has involved reported pieces on legal and illegal hacking, activist and otherwise.

Barrett Brown’s Case

Part of Barrett Brown’s 63 month sentence, issued yesterday, is a 12 month sentence for a count of Accessory After the Fact, of the crime of hacking Stratfor. This sentence was enhanced by Brown’s posting a link in chat and possessing credit card data. This, and a broad pattern of misunderstanding and criminalizing normal behavior online, has led me to feel that the situation for journalists and security researchers is murky and dangerous.

I am stepping back from reporting on hacking/databreach stories, and restricting my assistance to other journalists to advice. (But please, journalists, absolutely feel free to ask me for advice!) I can’t look at the specific data another journalist has, and I can’t pass it along to a security expert, without feeling like there’s risk to the journalists I work with, the security experts, and myself.

I know some of my activist hacker contacts will find this cowardly of me. Many of them risk much more than this in the course of their lives, but I have two replies to this. One is that I have a family to care for including a child, and I can’t ask them to enter this murky legal territory. The other is that my causes are often not the same as the causes I write about, and I feel I best serve my causes by stepping back and highlighting this problem of law to the public.

The Growing Need for Legislative Reform

I strongly encourage Congress to take up legislative remedy and clarification, taking into account the testimony and advice of people who deal with these issues every day: independent security researchers and security journalists. These are the people with the fewest political conflicts and the most practical knowledge of on-the-ground procedures to pass along to Congress.

Barrett Brown crossed lines that journalists shouldn’t cross, and when he threatened the family of a man whom he hated, he crossed a line humans shouldn’t cross. But in holding that he had done something potentially criminally wrong in posting a link, the government has also crossed a line. They threatened a behavior basic to the operation of the net, by conflating pointing at data and examining it, with using that data for fraudulent purposes.

In seeking to punish people who find themselves in receipt of information such as credit card data, or perhaps hack logs and vulnerability information, with charges as if they’d broken in and gotten the information themselves, the government chills the basic techniques used every day to keep us safer and more informed.

As the legal system drifts further out of sync with reality, the danger slowly but surely grows. When many journalists working on national and commercial cyber and security issues, and just about everyone working in security is an unindicted felon, such indictments will drift into the area of political suppression and corporate backlash. This is a process well under way in the American system.

A Dangerous History

This isn’t a trend that begins with Barrett Brown, or Anonymous, or James Risen, or Wikileaks, or any of the recent headline grabbers. It begins with Dmitri Sklyarov in 2001, arrested at Defcon at the behest of Adobe for breaking their inept DRM.

It begins with the CFAA and the DMCA, but it continues with their ever-widening interpretation. We focus in a case like Brown’s on the government use of these unrealistic laws, but most of their abuse comes from corporations. This is why Oracle killed Aaron’s law, an attempt to reform the CFAA to, among other things, stop making violating a company’s Terms of Service a criminal offense. We saw it with Adobe and Sklyarov, with Diebold’s e-voting machines, and we see it with the innumerable DMCA take down notices recorded by Chilling Effects aimed at the issuers’ competition and critics.

What happened in this latest case, in which I served as a witness, was subtle. Barrett Brown had been originally charged with a felony for posting a link in a chat to an archive of stolen credit cards. This charge was dropped, but then used as a sentencing enhancement by the prosecution. This meant the Brown could serve more time for this alleged crime, despite not being convicted of it or pleading to it. Leaving aside for this moment what a terrible idea this is to have enshrined in our legal system, the prosecution claimed, and the court upheld, that this was relevant conduct — something Brown could serve more time for doing. I don’t believe either the court or the government understand the internet well enough to understand how catastrophic this idea is.

Security professionals and the journalists who work with them (and in cases like mine, work with a broad range of sources of different legal standing) have to piece together what’s happened on the internet from traces left behind. Early on in my career I learned this lesson the hard way. I was approached with evidence that a credit card biller who largely dealt with porn sites had lost their customer database and was ignoring it or covering it up. I had information from two different security researchers — one gave me a file with a million users’ worth of data, the other 22 million. I called the FBI office that had been informed of the situation, but they explained that because the data was considered to be too old, over six months, there wasn’t any interest in pursuing it as a case. The company refused to speak to me, and I ran the story.

Within the next week I had to retract the story and issue an apology — the file of 22 million cards was bogus, one that had been passed around black market carding sites to bilk newbies. In this case, I was that newbie. I was new at Wired, and I not only felt humiliated by my mistake, but terrified my career was going to end before it really got started. My editor forgave me but drove home that in journalism, we check our facts. Scared and upset, I was determined not to let that happen again. This meant I had to examine the data any story was based on, and if I didn’t have the sophistication to understand it, I had to reach out for help from someone who did.

I’ve been inspecting my data and getting help ever since.

In 2011, when Anonymous breached Stratfor and took its customers’ credit cards, I had a lot of claims to verify. Was this really Stratfor’s server? Or just its website? Were the credit cards real credit cards, and if they were, were they really Stratfor’s customers, or purchased from a carding site for a stunt? As Gabriella Coleman noted in her book, a surprising number of Anonymous’ claims have turned out to be true, but not all of them.

So I took the data, and I checked it.

Since my first big blunder I have watched much of the non-technical media repeating hackers’ (and law enforcement’s) claims with breathless and enthusiastic speed. I have criticized my field harshly for this, because we aren’t doing our jobs when we don’t check the claims of politically and personally interested people. I have also, because one should not just criticize and leave, taken a lot of time out of my writing career to help journalists and activists understand better the technology and consequently how to check these claims. I have helped more journalists than I can count, and I intend to keep doing this. I have explained how to use encryption to many news organizations, and with that, taken time to explain how the net works. I have written explainers on security and networked life, and sent them to journalists. I have even started working more on digital literacy issues in children’s education, because journalism isn’t the only place where one informs a polity, and maybe isn’t even the most important.

And then in December I went and told the story of how I did my job in 2011 to a court in Dallas. It was clear that the prosecution considers what I do to check my stories criminal. It’s also clear that they don’t understand how security research works.

Ms. Candina Heath, the prosecutor in Brown’s case, said to me — and here I must paraphrase from memory — Isn’t it true that the people who uncover credit cards generally work for the companies that issue or hold them? I told her that is rarely the case. She protested this was my opinion. I said no, it wasn’t, and gave her the best brief on-the-spot explanation of how the security field actually works: People who work in the field (or in security academia) find or are alerted to abnormalities. They can be everything from a phishing link in their email to a DDoS that’s generating notable traffic to a post including code that exploits a flaw in software. When they investigate, they will look for traces of what happened, and often this leads to a cache of data that has been collected from a set of victims. There’s no way to know what’s in such a cache until you look at it. It can be anything: pictures, personal info, banking details, credit cards. According to this Texas prosecutor, and many more law enforcement agents, once someone grabs this data cache and examines it, passes it along to expert eyes, or to a journalist, they are committing crimes for which they may be ripped from their home, job, family, and the future they expected to have. They may be incarcerated for doing their job.

I may be incarcerated for doing my job.

Goodbye, For Now

It’s entirely possible these decisions, even in Brown’s case, can be interpreted in ways that don’t significantly threaten journalism and security. But right now we are protected by a political mood at best, and not the law of the land. Right now the legal system sees us all as criminals-in-waiting, able to be taken down when the political mood changes. It should be made clear, in law, that the tasks security reseachers do to make the net more secure and journalists do to understand and contextualize the truth for the public are not crimes.

Journalism is hampered by this lack of clarity. Right now it may seem like a narrow range of journalism and research is affected, but as the Sony hack aftermath has shown, as the internet becomes the world, internet issues just become everyone’s issues.

If journalists and security professionals can’t do their jobs, even when you may not like what they’re telling you, we all live in a more dangerous world.

This decision by one court in Texas undoubtedly doesn’t have as much power as a normal conviction, and it doesn’t yet reach beyond the 5th circuit, but after 14 years of an ever-tightening noose on security, journalism, and even normal internet life, it is past time for Congress and the people who inform and protect our polity to come together and fix this ever widening gap between law and reality. In the meantime, I can’t do my job and be assured that I won’t be ripped away from my family, which means I can’t do my job.

I hope that other journalists and security professionals join me in protecting themselves by stepping back, and calling for legislative clarity. And as that hampers American security and journalism, I hope that our colleagues overseas can step in and fill the gaps.

And to all the hackers, geeks, weirdos, coders, sysadmins, network junkies, students, professors, and enthusiasts, thank you for a fantastic 20 years. I hope to rejoin this great story of human history when the law protects me and my colleagues in journalism.

— Quinn

--

--

Quinn Norton
The Message

A journalist, essayist, and sometimes photographer of Technology, Science, Hackers, Internets, and Civil Unrest.