09 May 2013

Hacking Law: Is It Time For Reform?

by Matt Andersen, Op-Ed Participant

          We currently reside in a technologically rich era, and our personal information is constantly under attack, or available to attack, by hackers.  Luckily, the United States legislature enacted the Computer Fraud and Abuse Act (CFAA) in 1984, and it has been heavily critiqued ever since.  It goes without question that technology has significantly changed since 1984, and for that reason judges and United States citizens are calling for reform of the 29-year-old law.  Additionally, every state legislature has enacted a statute similar to the CFAA (Pennsylvania’s can be found at 18 Pa. Consol. Stat. Ann. § 7611 (West 2012)).
            The CFAA can be found at 18 U.S.C.A. § 1030 (West 2012), and it specifically states that it is illegal to “intentionally access a computer without authorization or exceed authorized access.”  In recent months, there has been public outcry over the CFAA, most notably because the United States government has used it to indict a few well-respected members of the hacker community.
            Most recently, Andrew Auernheimer, commonly known in the hacker community as “Weev,” was sentenced to 41 months in prison for violating the CFAA.  Specifically, Auernheimer hacked into AT&T’s servers and obtained the email addresses of over 114,000 iPad users.  By doing this, Auernheimer was able to obtain the email addresses of New York City Mayor Michael Bloomberg, New York Times CEO Janet Robinson, ABC’s Diane Sawyer, and former White House Chief of Staff Rahm Emanuel.
            Auernheimer considers himself a “gray hat” in the hacking community, which means he hacks into a company’s servers strictly to expose the flaws in its cyber security.  When a gray hat finds a flaw in a company’s cyber security, they will usually let the company know and offer to sell it the information so the flaw can be fixed.  After a company is hacked, it will usually spend at least $100,000 to fix the breach, because companies are required to inform every customer who could be affected, and they have to pay to resolve the breach.  In fact, the largest hack in history happened to the Sony PlayStation Network, which caused Sony to shut down the network for 24 days and pay the 77 million affected users a total of $170 million.
            However, this was not a normal “gray hat” hack for Auernheimer.  The jury did not believe Auernheimer’s argument that he was acting as a gray hat, because, upon obtaining these email addresses, he subsequently handed the data over to Gawker, which publicly posted the information on its website. 
            Just a week before Auernheimer’s sentencing, federal prosecutors indicted Reuters social media editor Matthew Keys for helping the world-renowned hacker group “Anonymous” attack the website of his former employer, the Tribune Company.  Keys is facing up to 25 years in prison, as well as fines that could reach $750,000. 
   The biggest news story came in January when Aaron Swartz, an internet activist who advocates for absolute freedom of information, committed suicide while he was awaiting trial.  Swartz allegedly hacked into the Massachusetts Institute of Technology’s digital archive and stole millions of scholarly journals that would normally require payment to access.  Swartz was facing a potential prison sentence of more than 30 years.  Many devout fans of Swartz believe that the federal prosecutor’s threats of an extreme prison sentence are what led Swartz to commit suicide. 
            Auernheimer, Keys, and Swartz were all charged under the CFAA, and many have criticized this law for being too broad and overly vague.  Many also criticize the CFAA for imposing sentences that are entirely too harsh for mere computer crimes.  However, many critics do not realize that Keys and Swartz were indicted under completely separate provisions of the CFAA.  Swartz was indicted for violating the provision of the CFAA dealing with unauthorized access, and Keys was indicted for violating the provision dealing with damage to a computer.
            The provision of the CFAA dealing with unauthorized access, which Auernheimer and Swartz violated, is what has received the most criticism in recent months.  It certainly seems that a law enacted in 1984 that deals with computer hacking is most likely out of date and in need of some serious change.  With high-profile cases in federal courts, and the attention that this issue is getting from mainstream media, an amendment to the CFAA within the next few years appears likely.