Alex Goldman is a producer for On the Media. One time he got run over by a car.
The OTM Explainer - Chris Asks Alex About the Computer Fraud and Abuse Act
Wednesday, April 11, 2012 - 10:39 AM
Yesterday, OTM producer Chris Neary read this Wired.com article about a bill called The Computer Fraud and Abuse Act, a law that leaker Bradley Manning is charged with having violated numerous times. Since Chris had some questions about the story and I'm kind of a nerd about hacking stuff, we thought it might be useful to have our conversation about the CFAA on the blog. Please feel free to contribute in the comments below.
Chris: Hey Alex, it’s Chris.
Alex: Hi, Chris.
Chris: I have a few questions about this latest story about whether or not someone is a hacker – or more accurately whether or not someone can be prosecuted as a hacker. Brooke did a whole story on the show (embedded below) about this, but it keeps coming up. I have a few questions after reading this Wired piece about hacking and the courts.
Alex: I think I can handle that.
Chris: Ok. First of all, why is the government so hell-bent on a broad definition of hacking?
Alex: I think it's important to know the context in which the law was written. It was originally introduced in 1984, after a couple of startling stories in which kids broke into some pretty complex computer systems. The law was written with language that might have seemed specific enough at the time, because it was rare for your average computer user to be doing the bulk of their computing in concert with other machines. There were no Facebooks, no Twitters, and no websites. Generally, people were communicating on homespun bulletin board systems that often had very few, if any, rules governing behavior aside from "don't break the BBS."
As the law is written (you can read the text of the law here), it prohibits "superseding authorized access" to "restricted computers." Again, that probably seemed pretty clear in 1984, because the interactions between personal computer users and the computers of corporations or governments were almost non-existent. Now pretty much all computer use involves a third party's computers, and for every online service you use, you sign a terms of service agreement. Most people sign a contract upon employment at a company, and spend their tenure at that company using company computers on company networks.
The CFAA is attractive because it gives prosecutors and governmental officials a lot of wiggle room. Sure, they could prosecute violations like this as contract disputes, and contract violations of these types frequently go to court as civil cases under tort law. But the CFAA gives prosecutors, should they really want to punish someone, a way of prosecuting these same types of trespasses criminally as a federal crime.
Chris: What does this have to do with WikiLeaks?
Alex: Well, Bradley Manning superseded his authorized access to protected computers by leaking the information that ended up comprising the WikiLeaks "Collateral Murder" video, the Iraq War Logs and the Afghan War Diary. Violating the CFAA is not the only crime Manning has been charged with (this list of charges against Manning on Wikipedia is about the most thorough I've seen, though usual caveats about Wikipedia accuracy apply); he's been charged with aiding the enemy, failure to obey a lawful order or regulation, violating the Espionage Act, and other things. But he has been hit with 10 counts of violating the CFAA.
Chris: The court gets close to flat out calling the government stupid with this decision. Here’s a sample from the decision:
“Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as ‘tall, dark and handsome,’ when you are actually short and homely, will earn you a handsome orange jumpsuit,” the court ruled, adding in a footnote that the government’s interpretation of the law opens employees up to be arrested, not merely fired, for playing Farmville at work.
I love an entertaining opinion, but does the government deserve it?
Alex: Judge Kozinski is kind of having a laugh, but it's just a distillation of the criticisms of the Computer Fraud and Abuse Act that have been made by its critics for years. The argument is that the law should be more narrowly applied, and that the broad interpretation of the act is problematic. There have been some pretty strange applications of the act in the past. Last year a civil suit was brought against a labor union under the CFAA for essentially robo-spamming an employer with emails making it impossible for them to communicate with vendors. It's certainly annoying, and I would argue it's probably unlawful, but was it a violation of the CFAA? Was the labor union "superseding authorized access" by sending more emails than the recipient's mail server could handle?
Chris: Who is David Nosal? Is there any chance he’s a master criminal who’s eluded the government’s grasp?
Alex: David Nosal is the defendant in the case mentioned in the Wired article. The way he "superseded authorized access" was by getting his former co-workers to furnish him data from a former employer. Not exactly the work of a master cyber criminal. I think it's also important to note that he was indicted on a number of charges including trade secret theft and mail fraud. The only ones that the 9th circuit dismissed were related to the CFAA.
Chris: What does this have to do with the Lori Drew case?
Alex: For those who don't remember, Lori Drew was a woman who set up a fake MySpace account to torment Megan Meier, the daughter of a neighbor. In 2006, as a result of Drew's harassment, Meier committed suicide. There were a lot of calls to prosecute Drew, but since there was no convenient statute to prosecute MySpace harassment, she was eventually indicted under the Computer Fraud and Abuse Act for violating MySpace's terms of service. Drew was originally convicted under the CFAA in 2008 (see OTM story about her problematic conviction below) but was later acquitted in 2009.
Chris: There’s a sharply worded dissent from one of the judges:
In dissent, Judge Barry Silverman, joined by Richard C. Tallman, wrote: “In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy. The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does.”
Does Judge Barry have a point?
Alex: It would be the case if Judge Kozinski had just been knocking down strawmen, but in the case of a law that has been used to prosecute a woman for using Facebook at work too much, the shoe appears to fit. It seems like the language of the law should be refined to express precisely who should be prosecuted under this statute.
Chris: You must tire of answering this question – but if this case isn’t hacking…what is hacking?
Alex: I never tire of being asked questions as though I'm an expert in something. It makes me feel like a smart guy. I did a piece about what the word "hack" means (see embedded audio below) and the conclusion was basically "it means a lot of different things to a lot of different people, and we as journalists have a job to be more specific." Legally, I think that hacking should be narrowly defined as intrusion by outside parties into a protected computer system with intent to leak or sell protected, private information. That said, I think there should be exceptions and protections baked into laws against hacking for whistleblowers (both corporate and governmental).
The discussion of hacking is a fine line to walk for two reasons. First, the word has taken on a lot of meanings in its relatively brief history, and the definition is constantly changing, encompassing new activities and excluding old ones. I doubt that many people consider model train enthusiasts hackers anymore, but at least some in the legal world think that hacking can be the violation of terms of service.
Second, the word still holds a nefarious air of mystery that makes hacking seem much more dangerous, and it affects the way that hacking is punished. As sophisticated a behavior as the word implies, it often just means dumb luck and guessing that someone's password is "12345," or running scripts that send the same string of text over and over again until you get a lucky break. The danger inherent in hacking is seriously overplayed, which is why prosecution guidelines for hacking tend to be so overblown.
Chris: Well thanks for explaining that stuff. It cleared some things up for me about the case. If you ever have any sports questions, please don't hesitate to ask.
Alex: I can say with confidence that will never happen.