Anti-Hacking Law Needs Further Clarification, Defense Lawyers Say

Daily Journal
02/27/2014

Passed in 1986, the Computer Fraud and Abuse Act aimed to prevent computer hacking at a time when personal computers were relatively new on the scene and the World Wide Web had yet to be conceived. Since then, efforts to interpret the law have raised questions about how to apply it to today's rapidly evolving online environment. Many experts agree that the law needs to better define hacking, and some worry that an overbroad reading could expose everyday citizens to charges for activities considered relatively benign.

Appeals in cases against two convicted hackers, David Nosal and Andrew "Weev" Auernheimer, largely hinge on the definition of hacking, and the defendants argue they are victims of an unreasonable expansion of the law.

Nosal, who had worked as an executive at global recruitment firm Korn/Ferry International, was accused of stealing proprietary information from his former employer. But defense attorneys maintain he didn't hack anything, pointing to the fact that Nosal and his associates used authorized passwords to gain the data they wanted.

Auernheimer was convicted of working with a colleague to download and distribute email addresses of AT&T Inc. customers. But that information came from a publicly available website, which some similarly argue shouldn't qualify as hacking.

"Auernheimer and Nosal are the two most important cases that are up on appeal," said Jay Leiderman, a Ventura defense attorney who represents accused hackers.

The matters speak to a concern among some that the Computer Fraud and Abuse Act, or CFAA, has become overbroad, criminalizing activity that, if committed in an analog world, might not be prosecuted.

"I don't [think] that what Nosal did was laudable," said Santa Clara Law professor Eric Goldman, "but I don't know that we would have punished it the same way if he did it with paper instead of digitally."

Both appeals are proceeding in the shadow of Aaron Swartz, a well-known computer programmer who last year committed suicide while facing charges for violating the CFAA. He allegedly accessed the Massachusetts Institute of Technology's servers, downloaded articles from JSTOR, which maintains a database of academic journals, and distributed the information for free online. While JSTOR chose not to press charges, the government took on the case.

Elliot R. Peters, a Keker & Van Nest LLP partner who represented Swartz, said current hacking laws allow prosecutors too much discretion. The articles Swartz posted were accessible to any visitor to MIT's campus, he said; the programmer merely made them available to Internet users.

Peters said he feels prosecutors "kept escalating the case rather than finding a way to resolve it appropriately." Swartz was widely respected in the programming world, having been a key contributor to the popular online website Reddit Inc. as well as an early acolyte of Harvard Law School professor Lawrence Lessig's project Creative Commons, an alternative to traditional copyright protection.

"They targeted this brilliant young guy who was making a political statement about access to knowledge over the Internet," Peters said. "That hardly seems like a goal or motive that needs to be criminalized."

Like Nosal's and Auernheimer's cases, Swartz's centered on the interpretation of "unauthorized access to a computer." But defense attorneys say that rather than focus on the means by which a crime is committed, the law should target the illegal acts themselves.

"It’s just too broad," Peters said. "It needs to focus more on people trying to steal credit card numbers and money, to defraud people using access to their computers."

None of the U.S. attorney's offices that brought these cases agreed to comment for this story.

The 9th U.S. Circuit Court of Appeals is set to take the Nosal case up for the third time, this time to weigh three charges under the CFAA related to password-sharing. Previously, a three-judge appellate panel reinstated five CFAA charges in 2011, but the court en banc reversed that decision the following year. Essentially, the circuit ruled, the misuse of information that one is authorized to access doesn't qualify as hacking.

Hanni M. Fakhoury, an Electronic Frontier Foundation attorney who filed amicus briefs in the case, said he hopes the 9th Circuit will throw out the remaining three CFAA charges over password-sharing. Sending someone to prison for misusing a password, he said, could lead to a massive expansion in hacking cases and criminalize the acts of millions of Americans.

"If you have HBO Go and the user agreement says it's one credential per person, and you share it with your wife, are you now a felon under the CFAA?" he said. "We don't think so, but that's what the government is saying."

The Auernheimer case raises similar questions. Auernheimer instructed another hacker on how to access an AT&T website intended for iPad users with his personal computer. The pair discovered that the AT&T site would reveal a user's email address when that user's iPad identification number was entered into the site. Auernheimer disclosed the problem to Gawker Media, along with more than 100,000 email addresses he was able to obtain through the method.

Fakhoury, who represents Auernheimer, said his client didn't hack anything. Rather, AT&T failed to secure its site.

"Information that Weev and his co-defendant obtained from AT&T was information AT&T had made publicly available - foolishly," Fakhoury said.

For their part, attorneys who represent companies that suffer data breaches are less critical of the law. They hope any changes to the law expand the powers of prosecutors and civil plaintiffs pursuing alleged hackers.

Bradford K. Newman, a Paul Hastings LLP partner, said the current interpretation of the CFAA is mostly spot-on and provides a useful deterrence against hacking. He does, however, hope the 9th Circuit will reverse its most recent ruling in Nosal.

In that case, he said, the court made too fine a distinction between authorized and unauthorized access when it dismissed the five CFAA charges based on the argument that Nosal's accomplices weren't engaged in hacking because they were authorized to access Korn/Ferry's computer systems.

Newman offered an analogy to the physical world to argue that even authorized access can be criminally exploited.

"You have permission to work at the bank," he said, "but you don't have permission to steal the money."

He said the Nosal case would ultimately have to be addressed by the U.S. Supreme Court.