Controversial Hacks

This article excerpt, written by Kim Zetter, originally appeared here:

THE COMPUTER FRAUD and Abuse Act, the law that’s been at the heart of almost every controversial hacking case of the past decade, is in the news again this month.

Prosecutors recently used the law to convict journalist Matthew Keys on felony hacking charges, drawing rounds of condemnation on the web. Edward Snowden, for one, derided the harsh penalty Keys now faces—a maximum possible sentence of 25 years.

But as critics have pushed to limit CFAA prosecutions, the government has simultaneously sought to further strengthen and increase the law’s scope.

In the interest of tracking how the law has been used, we’ve compiled a list of some of the most bizarre and controversial cases prosecuted under it. With most of these examples, how the government used the CFAA was often as much on trial as the defendants who were charged.

Aaron Swartz

Internet activist Aaron Swartz’s CFAA prosecution is one of the leading reasons critics want to reform the law. Swartz was indicted in 2011 after allegedly connecting to an MIT network and downloading 2.7 million academic papers that were freely available to any campus visitor through theJSTOR service. JSTOR didn’t pursue a complaint, but the Justice Department prosecuted anyway, saying Swartz violated the terms of service by downloading the documents with an intent to distribute them off-campus. “Stealing is stealing,” US Attorney Carmen Ortiz said.

Prosecutors charged Swartz with four felony counts, but later increased this to 13 counts by delineating each date he downloaded documents and turning them into separate counts, thereby increasing the maximum sentence he faced to 50 years and his potential fines to $1 million. Prosecutors offered Swartz a plea deal that would have had him serve six months in prison, but he rejected it because he didn’t want any prison time, or a felony conviction on his record. Three months before his trial, Swartz committed suicide, which his family blamed in part on the overzealous prosecution.

Andrew Auernheimer

Andrew Auernheimer (aka “weev”), a self-professed internet troll, was hardly a sympathetic figure when the government brought hacking charges against him and friend Daniel Spitler in 2011. The two discovered a hole in AT&T’s website that allowed them to obtain the email addresses of AT&T iPad users. When iPad users accessed AT&T’s website, the site recognized their device ID and displayed their email address. Spitler and Auernheimer wrote a script that managed to harvest about 120,000 email addresses by modeling the behavior of thousands of iPads with unique IDs contacting the website. The government insisted that accessing unprotected emails that AT&T didn’t want anyone to access was criminal hacking.

Auernheimer was convicted and sentenced to three and a half years in prison. His conviction, however, was vacated on appeal over the issue of venue—the court ruled that New Jersey, where the case was tried, had no business charging him since none of his crimes occurred in that state. Unfortunately, this meant that the more significant issue addressed by his attorneys on appeal—challenging the government’s claim that accessing data on a public website qualified as hacking—never got resolved.

Matthew Keys

By the government’s own admission, Matthew Keys’ hacking crime was minor. But prosecutors inflated the victim’s losses to elevate the charge from a misdemeanor to a felony, according to his attorneys.

Keys had been a web producer for KTXL FOX-40 TV in Sacramento before his job ended in October 2010, following a dispute with managers. Later, in an online chatroom frequented by members of Anonymous, he disclosed the username and password for a server owned by the Tribune Company—parent company to Fox-40 and the Los Angeles Times newspaper—and encouraged members to use the credentials to “go 'f' some 's' up.”

A hacker known as “Sharpie” used the credentials to superficially alter an LA Times news story. The breach was discovered within an hour, and the article restored, seemingly causing little damage. Prosecutors didn’t charge Keys with conspiracy to gain unauthorized access, however. They charged him with conspiracy to cause unauthorized damage to a computer, then proceeded to work with the victim to elevate the damages. They did this by calculating activity that involved no damage to computers. For example, they counted as damage the amount of times Fox-40 workers spent responding to emails Keys allegedly sent them after leaving his job and responding to complaints from viewers that came in after Keys allegedly obtained a viewer email list and sent spam to them. Keys was recently convicted on all charges and is awaiting sentencing.