hass associates http://business.time.com/2013/03/19/u-s-hacker-crackdown-sparks-debate-over-computer-fraud-law/ In June 2010, Andrew Auernheimer, a well-known Internet-security expert, discovered a gaping hole in AT&T’s website that exposed 114,000 e-mail addresses belonging to the wireless giant’s Apple iPad customers. After a colleague downloaded the data, Auernheimer passed the information to a journalist at Gawker. The episode was a major embarrassment for AT&T because the list included thousands of high-profile individuals, including New York City Mayor Michael Bloomberg and then White House chief of staff Rahm Emanuel. AT&T quickly patched the hole. The FBI promptly launched an investigation, and in November, Auernheimer was convicted of two felony counts under the Computer Fraud and Abuse Act (CFAA), a 1980s-era law originally designed to punish and deter intrusions into government and financial-industry computer systems. His colleague Daniel Spitler pleaded guilty last year. On Monday, Auernheimer, 27, was sentenced to 41 months in prison and ordered to pay $73,000 in restitution to AT&T. He has vowed to appeal. Auernheimer’s case is just the latest involving the CFAA amid what appears to be an intensifying federal crackdown against so-called hackers. The CFAA makes it a federal crime to “access a computer without authorization or exceed authorized access.” Critics say the law has been twisted by U.S. prosecutors to bully and intimidate security researchers, journalists and activists with extremely harsh federal prison sentences. Earlier this month, Reuters journalist Matthew Keys, 26, was indicted on CFAA felony charges alleging that he provided a hacker with log-in credentials to access the Los Angeles Times website, which was then vandalized. Keys faces 25 years in prison and a $500,000 fine. The CFAA was also used to prosecute Aaron Swartz, the 26-year-old programmer who killed himself earlier this year. Swartz had been charged with accessing a server at the Massachusetts Institute of Technology and downloading too many articles from the subscription-based academic research service JSTOR.

1. http://business.time.com/2013/03/19/u-s-hacker-crackdown-sparks-debate-over-computer-fraud-law/

2. U.S. ‘HACKER’ CRACKDOWN SPARKS
DEBATE OVER COMPUTER-FRAUD LAW
In June 2010, Andrew Auernheimer, a well-known Internet-security
expert, discovered a gaping hole in AT&T‟s website that exposed 114,000
e-mail addresses belonging to the wireless giant‟s Apple iPad customers.
After a colleague downloaded the data, Auernheimer passed the information
to a journalist at Gawker. The episode was a major embarrassment for
AT&T because the list included thousands of high-profile individuals,
including New York City Mayor Michael Bloomberg and then White House
chief of staff Rahm Emanuel. AT&T quickly patched the hole. The FBI
promptly launched an investigation, and in November, Auernheimer was
convicted of two felony counts under the Computer Fraud and Abuse Act
(CFAA), a 1980s-era law originally designed to punish and deter intrusions
into government and financial-industry computer systems. His colleague
Daniel Spitler pleaded guilty last year. On Monday, Auernheimer, 27, was
sentenced to 41 months in prison and ordered to pay $73,000 in restitution to
AT&T. He has vowed to appeal.

3. Auernheimer‟s case is just the latest involving the CFAA amid
what appears to be an intensifying federal crackdown against so-called
hackers. The CFAA makes it a federal crime to “access a computer
without authorization or exceed authorized access.” Critics say the law has
been twisted by U.S. prosecutors to bully and intimidate security
researchers, journalists and activists with extremely harsh federal prison
sentences. Earlier this month, Reuters journalist Matthew Keys, 26, was
indicted on CFAA felony charges alleging that he provided a hacker with
log-in credentials to access the Los Angeles Times website, which was
then vandalized. Keys faces 25 years in prison and a $500,000 fine. The
CFAA was also used to prosecute Aaron Swartz, the 26-year-old
programmer who killed himself earlier this year. Swartz had been charged
with accessing a server at the Massachusetts Institute of Technology and
downloading too many articles from the subscription-based academic
research service JSTOR. Swartz faced up to 35 years in prison and a $1
million fine. In the wake of Swartz‟s suicide, his family and friends
accused federal prosecutors of using the CFAA to harass and intimidate
the young activist.

4. Swartz was “killed by the government,” his father told mourners at his
son‟s funeral. The case has became a cause célèbre among Internet
activists and has prompted a prominent U.S. lawmaker, California
Democrat Zoe Lofgren, to introduce a bill called Aaron‟s Law to reform
the CFAA. Thus far, many of Lofgren‟s House colleagues have
expressed little enthusiasm for reforming the CFAA, a law supported by
many big tech companies including database giant Oracle, which has an
understandable interest in data security. The U.S. has brought over 500
CFAA criminal cases over the past several years, according to Reuters.
In fact, the Justice Department wants to expand the law, Richard
Downing, deputy section chief for computer crime and intellectual
property, told Congress in November, according to Reuters. Each
CFAA case cited above is different. Auernheimer (also known as
Weev) maintained that his actions were driven by a desire to highlight
security lapses in AT&T‟s systems. Swartz believed deeply that
academic information should be made available to the public. And
Keys‟ alleged conduct appears to be little more than a juvenile prank.

5. What ties them together is the government‟s use of the CFAA, a
law that critics say is too vague, overly broad and allows prosecutors to
treat terms-of-service violations as malicious criminal hacking. Critics
also say the law allows the government to seek wildly disproportionate
sentences for victimless crimes, often to send a message to other would-
be “hackers.” For example, as CNET‟s Declan McCullagh observed, if
Keys had allowed vandals to access the Los Angeles Times printing press
in order to modify a headline, he might have faced a few months in jail or
probation for violating misdemeanor California trespass or malicious
mischief laws. He would not have faced 25 years in federal prison on
felony charges. To be sure, it‟s highly unlikely that if convicted Keys will
go to prison for 25 years, but critics of the CFAA say the law allows
federal prosecutors to hang draconian sentences over the head of
defendants in order to pressure them into plea agreements that will brand
them as felons for the rest of their life. “The Computer Fraud and Abuse
Act is the most outrageous criminal law you‟ve never heard of,”
Columbia Law School professor Tim Wu wrote in the New Yorker this
week.

6. “It bans „unauthorized access‟ of computers, but no one really
knows what those words mean … Over the years, the punishments for
breaking the law have grown increasingly severe — it can now put people
in prison for decades for actions that cause no real economic or physical
harm. It is, in short, a nightmare for a country that calls itself free.” The
CFAA was enacted in 1984, well before the Internet became the
ubiquitous commercial and communication medium it is today. The law
was designed to punish and deter attempts to break into sensitive
government computer systems like NORAD (à la WarGames), as well as
financial institutions like banks. In the years since, the CFAA has been
repeatedly broadened by amendment, in one case to include so-called
protected computers. But the courts are divided about how the law should
be applied, and in April, a federal judge rejected prosecutors‟ use of the
law as too broad, saying it could potentially criminalize millions of
Americans. Lofgren says Aaron‟s Law is designed to prevent what
happened to Swartz from happening to other Internet users. “The
government was able to bring such disproportionate charges against Aaron
because of the broad scope of the Computer Fraud and Abuse Act and the
wire-fraud statute,” Lofgren wrote recently.

7. “It looks like the government used the vague wording of those
laws to claim that violating an online service‟s user agreement or terms of
service is a violation of the CFAA and the wire-fraud statute.”
Prosecutors in the Auernheimer case defended their decision to take the
case to trial. “What did the 114,000 iPad users do that was so wrong, to
have their personal information exposed to Gawker?” asked assistant U.S.
Attorney Zach Intrater, in comments cited by the Associated Press. “He
could have contacted AT&T and let them know what was wrong, and
they could have patched the hole and then the defendant could have
published and got his reputation.” In the wake of Auernheimer‟s
sentencing, the Electronic Frontier Foundation (EFF) has joined his legal
team to litigate his appeal and will argue that “fundamental problems”
with the CFAA result in unfair prison sentences. “Weev is facing more
than three years in prison because he pointed out that a company failed to
protect its users‟ data, even though his actions didn‟t harm anyone,”
Marcia Hofmann, EFF senior staff attorney, said in a statement on
Monday. “The punishments for computer crimes are seriously off-kilter,
and Congress needs to fix them.”