In his non-cooperating plea deal, Jeremy Hammond pleaded guilty to one violation of the Computer Fraud and Abuse Act. The CFAA, enacted in 1986, is the primary US law dealing with computer crime, even though it was written for the pre-internet age.
The CFAA is a blunt legal instrument whose flexibility gives great power to prosecutors. The meaning of the CFAA’s provisions has changed significantly since it was originally brought into force and, by criminalising violations of terms of service agreements, it effectively allows corporations to determine what should be a criminal offence and what damages should be applied. Partly as a result of this, when compared to the comparable laws in other jurisdictions, the penalties mandated for CFAA violations are grossly disproportionate.
Prosecutors can put enormous pressure on defendants to accept plea deals, but the way punishment is determined under CFAA makes no allowance for intent. Not only have recent cases seen the CFAA applied to acts of online activism, the law has also been used against security researchers and others whose actions would not be considered crimes outside of the United States.
The CFAA in Jeremy’s case
Jeremy Hammond was originally indicted on six counts, including violating the CFAA and identity theft. The indictment cites the allegation that credit card numbers were found in the leaked Stratfor emails as an aggravating factor.
As in many CFAA cases, the charges in Jeremy Hammond’s indictment were not to come to court, but were used as a bargaining tool to get him to accept a plea deal:
even if I was found not guilty at trial, the government claimed that there were eight other outstanding indictments against me from jurisdictions scattered throughout the country. If I had won this trial I would likely have been shipped across the country to face new but similar charges in a different district.
While plea deals are endemic in the US justice system, CFAA cases are particularly vulnerable to this kind of prosecutorial overreach. As legislators in favour of reform point out, one of the quirks of the CFAA as it exists today is that it allows prosecutors to generate multiple charges from the same underlying action.
The power of prosecutors in CFAA cases is exacerbated by the way the legislation determines penalties. The one count Jeremy Hammond pleaded guilty to led to him being imprisoned for 10 years – for actions he did not seek to benefit from personally. The way penalties under CFAA are determined makes no allowance for motivation, but does factor in losses as estimated by the victim.
The CFAA takes an expansive approach to estimating these losses, using different rules to those applied in theft and fraud cases. Damages can, for instance, include proposed remedial security measures. The effect in Jeremy Hammond’s case was that Stratfor could claim massive damages despite the fact that their security practices fell well short of industry standards, storing customer information on unprotected, unencrypted databases that were easily accessed.
The disproportionate nature of the penalties available to prosecutors under the CFAA becomes particularly glaring when compared to similar offences in comparable jurisdictions. Five other members of Lulzsec were arrested at the same time as Jeremy; three in the United Kingdom and two in Ireland. In fact, all five appear in the same initial indictment.
In the event, there was no prosecution of the two men arrested in Ireland. The three British Lulzsec members were sentenced in May 2013. The longest sentence handed down to any of the British Lulzsec defendants was 30 months in prison, of which only half was served – a shorter length of time than Jeremy Hammond spent in prison awaiting trial.
As the EFF noted at the time, “The pleas in the UK were likely the result of the CFAA as well: by pleading guilty these co-defendants potentially precluded extradition to the US.”
The CFAA in related cases
Along with the Espionage Act, the CFAA is a favoured tool of the Obama Administration in its crack down on whistleblowers and digital activists. In addition to Jeremy Hammond, the CFAA has been used to prosecute the PayPal 14, Chelsea Manning, Barrett Brown, Thomas Drake and Aaron Swartz.
The PayPal 14
In 2010, major banking companies, including MasterCard, Visa and PayPal, blocked donations to WikiLeaks after the organisation began publishing US diplomatic cables. In response, members of Anonymous working under the Operation Payback banner initiated Distributed Denial of Service attacks against these corporations, which Jeremy Hammond has described as the “largest coordinated electronic civil disobedience sit-in in history.”
Arrests were made in July 2011 as a result of information supplied by PayPal and the PayPal 14 were charged under the CFAA. This use of the Act ignored the activists’ motivations and treated acts of political dissent as reckless vandalism. Use of the CFAA in this case created felony violations out of behaviour that would, if it were conducted offline, be recognised as free assembly or, at worst, treated by police as failure to disperse or a similar misdemeanor. Use of the CFAA in this way criminalises what should be protected, democratic speech.
In May 2013, eleven defendants made a deal in which they agreed to make a formal statement of guilt to individual CFAA felony counts of either ‘intentional damage to a protected computer’ or ‘conspiracy’. Under the terms of the deal, prosecutors will recommend probation instead of jail time if the defendants break no laws before sentencing in December 2014.
Barrett Brown is an author, activist, journalist and founder of Project PM, a collaborative resource that aimed to create a “centralized, actionable data set regarding the intelligence contracting industry, the PR industry’s interface with totalitarian regimes, the mushrooming infosec/’cybersecurity’ industry, and other issues constituting threats to human rights, civic transparency, individual privacy, and the health of democratic institutions.”
Brown has lauded and been associated with Anonymous, sometimes being referred to as its unofficial “spokesperson”. After multiple indictments earlier in the year, Brown was indicted on 4 December 2012 on 12 charges, including identity theft and “access device fraud” related to the Stratfor documents. According to the US Attorney’s office, Brown was indicted for
transferr[ing] a hyperlink from an Internet Relay Chat (IRC) channel to an IRC channel under his control. That hyperlink provided access to data stolen from the company Stratfor Global Intelligence (Stratfor), which included more than 5,000 credit card account numbers, the card holders’ identification information and the authentication features for the credit cards, known as the Card Verification Values (CVV). By transferring and posting the hyperlink, Brown caused the data to be made available to other persons online, without the knowledge and authorization of Stratfor and the card holders.
What was not made clear in that press release is that the link posted by Barrett Brown had already been published. As Glenn Greenwald has pointed out, no evidence has ever been produced to suggest that Brown’s posting a URL from one public forum into another “resulted in any unauthorised use of credit cards, and certainly never redounded in any way to his benefit.” Criminalising linking would vastly expand the government’s power to crack down on the sharing of publicly available information.
As Adrian Chen wrote, “This is scary to anyone who ever links to anything… As a journalist who covers hackers and has “transferred and posted” many links to data stolen by hackers — in order to put them in stories about the hacks — this indictment is frightening because it seems to criminalise linking.”
On 31 March 2013, the government issued a superseding indictment claiming Brown is an “accessory after the fact to an unauthorized access to a protected computer” under the Computer Fraud and Abuse Act, for assisting Jeremy Hammond from evading authorities after Stratfor’s communications were compromised and “diverted attention away” from Jeremy.
This new indictment made it possible for Brown to enter into a plea deal with government prosecutors, greatly reducing the potential jail sentence he faced. But the government’s series of indictments shows its willingness to overcharge, broadly interpreting computer violations in order to intimidate defendants into accepting deals that criminalise their journalistic, democratic work.
On 25 October 2013, Lauri Love was arrested in the UK on suspicion of committing actions contrary to the UK’s Computer Misuse Act although, as yet, he has only been indicted on American charges under the CFAA, which carry penalties far in excess of what would apply under UK law. Love stands accused of accessing US government computers but, after almost a year, still faces no charges in the UK. He was released on bail in June 2014.
The extraordinary disparity between penalties imposed under the CFAA and typical sentences elsewhere explains why the focus of those facing charges of computer crimes in Europe is often to avoid extradition to the US. That threat is still hanging over Lauri Love. His lawyers have said they will “vehemently oppose” any attempt to extradite him to the US. The ultimately successful decade-long battle to avoid Gary McKinnon being extradited to the US suggests any formal extradition request for Love would prove controversial in the UK.
In Feburary 2014, Love refused to hand over his encryption keys to the UK authorities, which can constitute an offence under the UK’s Regulation of Investigatory Powers Act.
Aaron Swartz was a computer programmer and hacktivist, who founded the internet-rights group Demand Progress. Swartz is alleged to have used JSTOR to download academic journal articles through MIT’s computer network in late 2010 and early 2011. Swartz was charged with wire fraud, computer fraud, obtaining information from a protected computer and criminal forfeiture, including 11 violations under the Computer Fraud and Abuse Act and carrying a cumulative maximum penalty of 35 years in prison and $1 million in fines. The government offered a plea deal and Swartz countered with an offer of his own. Two days after prosecutors rejected the counteroffer, Swartz hanged himself.
“He was killed by the government, and MIT betrayed all of its basic principles,” Aaron’s father, Robert Swartz, said at his funeral.
Rep. Zoe Lofgren subsequently drafted ‘Aaron’s Law’ to “prevent what happened to Aaron from happening to other internet users”, a bill which would exclude terms of service violations from the CFAA, although those reforms would not have done enough to protect Aaron from the steep punishment he faced. The bill remains stalled, but internet rights groups continue to criticise the CFAA and abusive interpretations of it which criminalise computer activism. The Electronic Freedom Foundation encourages support for CFAA reform here.