Hacking, Privacy Laws: Time To Reboot
Recent cases highlight serious flaws in current privacy and cyber abuse legislation, allowing prosecutors to wield a hammer when a stick will do.
What's more important: protecting civil liberties, or prosecuting people who misbehave?
Unfortunately, two cases have recently highlighted serious shortcomings in how our public officials pursue both of those goals, suggesting that the only viable solution is for Congress to overhaul existing privacy and computer-abuse laws.
More Security Insights
- How Attackers Identify and Exploit Software and Network Vulnerabilities
- Cloud Security: It’s Not Just for IT Anymore
White PapersMore >>
For starters, the Computer Fraud and Abuse Act (CFAA) gives prosecutors such wide discretion in pursuing "computer crimes" that they can threaten minor offenders with excessive jail time, thus creating the possibility that people have been coerced into pleading guilty. That's why, on the civil rights front, numerous digital rights groups and privacy lawyers have been calling on Congress to rein in the CFAA, including its criminalization of the nebulous concept of "unauthorized access."
Thanks to the CFAA, prosecutors can wield a hammer when a stick -- at most -- is all they need. For example, Internet activist Aaron Swartz, who allegedly used the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database, faced 13 felony charges and a maximum jail sentence of at least 35 years in prison. Prosecutors charged Swartz despite JSTOR officials saying in 2011 that they'd dropped civil charges against him, noting that he'd apologized and promised that he'd returned all copies of the data he downloaded. Arguably, the case should have been closed -- and JSTOR officials urged prosecutors to do so. They declined.
[ How do you define cyberwarfare? Read Uncertain State Of Cyberwar. ]
Swartz's efforts weren't in pursuit of illicit financial gain. He wasn't reselling academic papers or stealing users' identities. Instead, he was campaigning for free access to information that was funded with taxpayer dollars. Regardless, he was hit with felony violations -- including wire fraud, computer fraud, "recklessly damaging" a computer, as well as unauthorized access -- in part for saying he'd wanted to publish the information for free. Yet he never did so.
The Swartz case shows that CFAA is far too broad, and prosecutors can't be trusted -- or perhaps expected -- to not use every prosecutorial tool available to gain a conviction or plea bargain. Critics of Carmen Ortiz, the lead federal prosecutor in Swartz's case, have accused her of bullying, given the threat of massive jail time that Swartz faced. But it's more useful to look at his case as a bellwether: this is what prosecutors will do with CFAA, if given the chance. Accordingly, Congress must rein it in.
Another bellwether of the types of overreach that are allowed -- this time on the privacy front -- stems from the case of David Petraeus, who last year resigned as director of the CIA, after an FBI agent reported that Petraeus was having an affair.
The bureau's cyber-crime investigators had considered the case to be closed. But FBI agent Frederick W. Humphries II, who'd gotten the investigation started on behalf of an acquaintance, feared that they were covering up a national security incident. He reported Petraeus' extramarital affair to Rep. Dave Reichert (R-Wash.), who told House majority leader Eric Cantor (R-Va.), who informed F.B.I. director Robert S. Mueller III.
Cue scandal, and Petraeus' resignation. Yet no related charges have been filed in the case against Petraeus. Likewise, no charges have been filed against his mistress -- and biographer -- Paula Blackwell, who'd been accused in the press of improperly handling classified information and of stalking socialite Jill Kelley, whom she saw as a rival for Petraeus' attentions. Finally, no charges have been filed against the FBI agent, because he apparently broke no privacy laws.
To be clear, the privacy missteps in the case involved a rank-and-file FBI agent who wasn't part of the cyber investigation and evidently didn't understand that affairs aren't a national security matter. In fact, since CIA regulations require employees to disclose any affairs they're having to the agency -- to mitigate blackmail threats -- it's likely that the relevant agency officials knew full well what Petraeus was doing.
But the FBI agent's airing of the affair kicked off a media storm and investigation that supposedly then found evidence that Kelley was having an affair with the top U.S. commander in Afghanistan, Gen. John Allen, to whom she'd supposedly sent 30,000 emails. Except that Kelley and Allen said none of it was true. Closing the matter, Army investigators cleared Allen of any misconduct.
Adding insult to privacy injury for the Kelley family is that they'd reached out to FBI agent Humphries in the first place. "We simply appealed for help after receiving anonymous e-mails with threats of blackmail and extortion," Jill Kelley and her husband Scott wrote in a recent Washington Post opinion piece. "When the harassment escalated to acts of cyberstalking in the early fall, we were, naturally, terrified for the safety of our daughters and ourselves. Consequently, we did what Americans are taught to do in dangerous situations: sought the help of law enforcement."
Unsurprisingly, the Kelleys are calling on Congress to get tough on what law enforcement agencies and government officials can do with people's private information -- for starters, by expanding the Electronic Communications Privacy Act (ECPA) to safeguard how people's emails can be accessed or disclosed. "Ours is a story of how the simple act of quietly appealing to legal authorities for advice on how to stop anonymous harassing e-mails can result in a victim being re-victimized," the Kelleys wrote.
Who re-victimized the Kelleys? Interestingly, they've accused government officials of leaking their names and the existence of private correspondence, along with failing to safeguard their identities even though they had reported a potential cyber-stalking crime.
Broadwell's reportedly threatening emails to Kelley aside, isn't the real crime the fact that unnamed authorities violated no privacy or data-mishandling laws, while leaving behind a trail of allegations and innuendo?
Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)