A couple weeks ago I went to a “When Activism Goes Online: Anonymous, Hacktivism and the Law” at New York Law School, co-sponsored by the Institute for Information Law and Policy, National Lawyers Guild- National Office, and Students for Free Culture. The panelists were Kenneth Citarella, an adjunct professor at NYLS and former prosecutor who specialized in computer crimes starting in the 1980’s, Abi Hassen, Mass Defense Coordinator with the National Lawyers Guild, and Grainne O’Neill, a defense attorney specializing in the intersection of law and technology.
Citarella talked a little bit about his experience as a prosecutor of computer crimes very early on. One of his main points is that he strongly dislikes the word hacker, specifically because he doesn’t feel like he known what it means. Later on in the evening he emphasizes the difference between in person actions and actions mediated by technology, without clarifying exactly how. Mainly, I think that he served as a prosecution-side counter point to the other speakers. The most interesting thing for me was hearing how generally conservative he is in his interpretation and squaring that against his early involvement in the Electronic Frontier Foundation, which serves as a good reminder that civil liberties is an area where many people can find common ground.
O’Neill started by talking about the Computer Fraud and Abuse Act (CFAA) of 1984. The CFAA was conceived of and passed in a time before the internet as we know it- both socially and technologically- and was passed to specifically protect financial institutions, the government, and interstate commerce. For purposes of the CFAA, “unauthorized access” is defined by the computer or website’s Terms of Service (TOS), violations of which would otherwise be only a matter of contract law, not criminal law. In effect, CFAA empowered private companies to dictate criminal law through their TOS. The CFAA’s definition of damages sets a low standard.
After covering the basics of what the CFAA, O’Neill compared the penalties for online behaviors to their closest offline equivalents. She placed a DDOS (distributed denial of service) attack as similar to a picket, since both are intended to provide visibility to the activists’ displeasure with the target. Theft of a cheap laptop in a coffee shop that contained sensitive information might be punishable by a year in jail, but accessing the same information via an unsecured wi-fi network would get up to 10 years in prison under the CFAA, and in that senario, the victim hasn’t lost use of anything. Even assuming that that the laptop is more expensive and taken from a home, burglary in New York has a maximum sentence of 7 years, which is still less than allowed for remote entry under the CFAA, and involves someone physically entering one’s home. After going over the potential disparate treatment of crimes based on the involvement of hacking or not, O’Neill reiterated that many online crimes are criminalized under non-online specific legislation and that we should look to our rich history of jurisprudence in seeking to address
Hassan put together a PowerPoint presentation which he titled “The Fifth Estate: Information Activism in the Age of Secrecy,” drawing on the idea that hackers and information activists (including whistleblowers) may work for the public good, as a watch dog, much as the press, or forth estate, has. An example of this he gave was Hamed Al-Khabaz, a Canadian student who was expelled from Dawson College after finding and reporting a major security flaw in his university’s storage of student information. He also emphasized the role of “lulz,” vaguely defined as humor or mischievous satisfaction, in hacking. His example of this was Guccifer’s release of George W. Bush’s remarkably bad self-portrait while showering.
Hassan’s presentation included a couple of really great quotations on related topics from Bloomberg and Thomas Jefferson. He showed graphs from Google and Microsoft of requests for user information from governmental agencies and emphasized the contradiction of increased government and corporate secrecy with the decrease of personal privacy and increase of individual surveillance at the same time. He also gave a great run-down of current major hacking cases in the United States:
- Weev (his defense fund)
- Matthew Keys (summary from wikipedia)
- Paypal 14
- Aaron Swartz
- Barrett Brown
- LULZSEC/ ANTISEC (Hector Xavier Monsegur, a.k.a. Sabu, Jeremy Hammond, plus four more outside the United States)
And of whistleblower cases:
- John Kiriakou, who exposed the CIA’s use of torture
- Thomas Drake, William Binney, and J. Kirk Wiebe, who exposed NSA’s spying on American citizens through proper channels
- Bradley Manning
The best part of the lecture was the question and answer session after the structured presentation. I didn’t take great notes on that part, and since the lecture was back on April 3rd, my memory is not good enough to flesh out the discussion. Highlights included: Citarella arguing that federal sentencing guidelines are frequently too ridgid and pointing out that in the case of Matthew Keys we should strongly consider the difference between what the end result of his giving out passwords was with what it could have been in understanding it’s treatment in the courts; Hassan building on his early talk of current cases and mentioning that 95% of cases end in pleas, largely because of the power that prosecutors have in their discretion regarding charges and requests; and O’Neill stating that the freedom to assemble is really the freedom to assemble anonymously and that it is the anonymity is key to the power of the freedom to assemble. Other items of discussion including emergent 4th and 5th Amendment issues as well an time-place-manner restrictions on in-person protests and how that translates into online activism.