BreachExchange mailing list archives

The Year Hacktivists And The Government Went To War


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Dec 2013 20:17:36 -0700

http://www.huffingtonpost.com/2013/12/20/hacktivists-government_n_4460489.html

Does the law have mercy for computer hackers with a cause?

That was a recurring question in 2013 as several so-called hacktivists,
facing years in prison, pleaded for leniency, claiming they had broken into
computer networks for the public good.

"I did this because I believe people have a right to know what governments
and corporations are doing behind closed doors," Jeremy Hammond told a
judge, echoing other hackers who said their motives were ideological, not
financial. "I did what I believe is right."

But the courts showed little sympathy for such arguments in 2013, a year
when hacktivists and the government clashed repeatedly in an escalating
struggle over control of information.

Peter Ludlow, a philosophy professor at Northwestern University, wrote in
The Nation that the prosecution of hacktivists was part of "a war on
knowledge" that extends beyond hackers to include Edward Snowden and
Chelsea Manning, who exposed government secrets. Manning is serving a
35-year sentence for Espionage Act violations. Snowden, in Russia on
temporary asylum, has been charged with espionage and theft of government
property.

“Taken together, the lesson appears to be that computer hacking for social
causes and computer hacking aimed at exposing the secrets of governing
elites will not be tolerated,” Ludlow wrote.

In November, Hammond, 28, whose hacking of a private intelligence firm
revealed how the government had monitored members of the Occupy Wall Street
movement, was sentenced to 10 years in prison.

In March, Andrew “Weev” Auernheimer, 27, who said he was trying to protect
consumers from identity theft when he shared a security loophole in AT&T’s
servers with a journalist, was sentenced to three years in prison.

In January, Aaron Swartz, 26, who claimed he was trying to free publicly
funded research from behind a paywall, committed suicide while facing a
felony charge and potential prison sentence for downloading millions of
scholarly articles from Massachusetts Institute of Technology servers.

Gabriella Coleman, a professor at McGill University who studies hacker
culture, said the work of hacktivists was "producing tangible effects."

"But the courts are unwilling to acknowledge this activity as politically
motivated and for the public good," Coleman said in an email.

Michael Sussman, a former Justice Department cybercrime prosecutor, said
hackers who say they deserve leniency because they did not hack for
financial gain are unlikely to see compassion from the government.

“I don’t think the ‘Robin Hood’ aspect of this is going to matter much to
prosecutors,” Sussman said. “I don’t think in the federal government anyone
is saying, ‘Oh well, these people consider themselves hacktivists, so we
should have a real hands-off policy.’”

In fact, prosecutors say hacktivists have caused substantial harm. Hammond,
who also stole credit card data belonging to nearly 1 million people,
caused “personal and financial chaos for individuals whose identities and
money he took and for companies whose businesses he decided he didn’t
like,” Manhattan U.S. Attorney Preet Bharara said after Hammond pleaded
guilty this year.

Prosecutors said Auernheimer violated the privacy of thousands of iPad
owners by disclosing their email addresses to a reporter at the gossip
website Gawker, which published redacted versions of some emails.

But 2013 was not only the year the law caught up with some hacktivists. It
was also the year the law itself came under scrutiny.

In June, legislation was introduced in Congress to amend the Computer Fraud
and Abuse Act, which prosecutors invoked to charge Swartz, Auernheimer and
Hammond. Critics say the law is too broad and excessively punitive, meting
out stiff prison terms for some computer-related crimes they deem
relatively innocuous.

Rep. Zoe Lofgren (D-Calif.) said in an interview that she introduced the
bill, called “Aaron’s Law” because she felt Swartz “was bullied” by
prosecutors for “an act of civil disobedience that certainly didn’t call
out for multiple years in federal prison.”

Lofgren said the 1986 law to combat criminal hacking of military and bank
computers has become outdated.

“Things have changed,” Lofgren told HuffPost. “To allow a statute created
when the Internet was not in commercial use to go without review is a big
mistake.”

But with many competing priorities in Congress, Lofgren said her
legislation “has not been a major topic of discussion” this year.

“There hasn’t been an outpouring,” she said. “It does not appear my
colleagues in the House feel pressure” to reform the law.

Not all hacktivists donned prison jumpsuits this year. In 2011, federal
authorities accused 14 people of helping the hacker group Anonymous launch
a cyberattack against the online payment service PayPal. Most faced up to
15 years in prison if convicted.

But earlier this month, 11 of the 14 people charged in the case pleaded
guilty. If they stay out of trouble, prosecutors will seek to drop the
felony charges, and the defendants may avoid prison.

Hanni Fakhoury, of the Electronic Frontier Foundation, said the plea deal
in the “PayPal 14” case may be a sign that the government is willing to
take “a more reasonable approach” with some hacktivists.

“It’s a way to say, ‘We’ll give you a chance to redeem yourself,’” Fakhoury
said. “As long as you don’t screw up again, you won’t have this hanging
over your head.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
