The Hacker Law

Transcript

Friday, September 23, 2011

BROOKE GLADSTONE:

This is On the Media. I'm Brooke Gladstone.

BOB GARFIELD:

And I'm Bob Garfield. And I’m going to pull in OTM producer Alex Goldman for a second. Earlier Brooke mentioned that the website is full of hacker-related yummy deliciousness. Alex, you've been in charge. What do you got, baby?

ALEX GOLDMAN:

Yeah, we've got stories about the history of hacking from ancient history to present day. We've got a story on the cultural resonance of the movie War Games. We've got an interview with the editor of The Hacker's Dictionary.

We discuss hardware hacking and 3D printing. We even have a story from Radio Lab’s Sean Cole about the history of phone phreaking, which is to telephones what hacking is to computers.

And we've got a whole lot more, so just go to On the Media.org and click on Blog at top of the screen.

BOB GARFIELD:

Click on Blog, will do. Alex, thanks. I guess we’ll hear from you in a couple of minutes.

ALEX GOLDMAN:

Yep, see you soon.

       [MUSIC UP AND UNDER]

BROOKE GLADSTONE:

An anti-hacking law called the Computer Fraud and Abuse Act has been on the books since 1986. But when non-technical legislators get into a technical subject, well, they can really screw things up.

Marcia Hofmann is a senior staff attorney for the Electronic Frontier Foundation. Marcia, welcome to the show.

MARCIA HOFMANN:

Thank you.

BROOKE GLADSTONE:

So, first of all, tell me a little bit about the Computer Fraud and Abuse Act.

MARCIA HOFMANN:

The way that the law is written, it is illegal to intentionally access a computer without authorization or to exceed authorized access to that computer and, thereby, obtain information from any protected computer.

And over the years it's been amended several times, and at this point there are certain parts of it that are written so broadly that it's actually really unclear what kind of behavior that law targets.

BROOKE GLADSTONE:

So, that's the screw-up. What specifically is confusing?

MARCIA HOFMANN:

Obtaining information can be something as minor as just looking at it. There have been several cases where an employee does something that is thought to be disloyal. Perhaps the employee decides to leave and start a competing business, or what have you. And at that point the employer tries to sue the former employee under the Computer Fraud and Abuse Act, claiming that once the employee had a disloyal frame of mind, then access to the employer's computers becomes unauthorized.

BROOKE GLADSTONE:

The very fact that having thought about leaving the company makes them liable to prosecution under the Computer Fraud and Abuse Act? Has a case like that ever been tried?

MARCIA HOFMANN:

Absolutely. You know, to give you an example, there was a case in which an individual was working for an employer and in the course of his work he emailed himself some documents that were associated with his work, which he was authorized to do. And then at some point he decided that he was gonna leave and start a competing business. And his former employer sued him and said, when you emailed yourself those things then at that point that was unauthorized access. You violated the Computer Fraud and Abuse Act.

The court basically said, well, that can't be a violation of the Computer Fraud and Abuse Act because he was allowed to do that in the course of his work. The employer can't decide after the fact that something is unauthorized, just because subsequent events happen that the employer doesn't like.

BROOKE GLADSTONE:

But there have also been cases where the courts have stated that people who delete information off of their work computers, while still authorized to use them, are in violation of the Act. There was a case recently involving a consultant at the accounting firm Deloitte & Touche.

MARCIA HOFMANN:

In that particular case, the employee decided to leave his job, and before he returned his work computer to his employer he destroyed the hard disk. And, you know, what the former employee said was that there had been some personal information stored on there that he didn't want the employer to have and that he had returned all of the important work-related documents already.

Deloitte and Touche alleged that he violated this provision of the Computer Fraud and Abuse Act that says that it's illegal to knowingly cause the transmission of a program, information, code or command that intentionally causes damage to a computer.

The court really got that case wrong because this provision of the Act, I think, is pretty clearly targeted at sending some sort of an electronic transmission to a computer that causes damage, not physically destroying a hard drive.

BROOKE GLADSTONE:

What's the difference, really? I mean, we only have the employee’s word for it, that what he was destroying was his personal data.

MARCIA HOFMANN:

You know, that's absolutely true and, you know, I — I'm not suggesting that the employee might not have done something that could be punishable. Perhaps the employee destroyed property. There's a different law for that.

But we're talking about a law that has both civil and criminal penalties. And the Computer Fraud and Abuse Act has some pretty harsh penalties. Provisions of the law can land you in prison up to 20 years.

Certainly, this is not a criminal prosecution here; it's a civil case. But that's part of the problem with this law, is that because it is both civil and criminal, when you have these employer-employee disputes that create certain precedents in the law, those are then precedents that could be available to the government to make a case against a criminal defendant.

BROOKE GLADSTONE:

When we review the record of how the Computer Fraud and Abuse Act has been applied, we find that it was used to sue a union that urged its members to email their employer repeatedly, thus crashing the servers.

In another case, Lori Drew created a fake MySpace profile to harass a neighborhood child, and that child ended up committing suicide - was also charged for unauthorized use of a computer for violating the MySpace terms of service under this Act.

So what you have are a bunch of people who were doing illegal things, for which there are no other laws under which they could be charged? This seems like the RICO Act of computer prosecutions, to get people who otherwise could evade charges, no?

MARCIA HOFMANN:

The important thing is for Congress to decide what behavior it is that we want to penalize and make that behavior illegal. You know, one of the hallmarks of our criminal justice system is that people know what behavior is illegal. And in some of these situations they may or may not know what behavior is illegal.

BROOKE GLADSTONE:

Mm-hmm.

MARCIA HOFMANN:

And if they don't have notice, then you’re talking about a potentially unconstitutional law.

There was a case just a few months ago in which a former employee of a business sued her employer for wrongful termination. She believed that she was fired from her job because she became pregnant.

And her former employer turned around and sued her, claiming that she violated the Computer Fraud and Abuse Act because she spent too much time at work using her computer to check her email and Facebook and do some personal surfing around.

BROOKE GLADSTONE:

That’s computer fraud and abuse?

MARCIA HOFMANN:

Thankfully, the courts said that is just too much. But I think that is the risk here.

Luckily, Congress is starting to recognize that this is a problem. Just recently, in the past few days, a bipartisan coalition of senators amended some pending legislation to add a provision that would make clear that it's not illegal to violate terms of use or an acceptable use policy, at least under the Computer Fraud and Abuse Act.

BROOKE GLADSTONE:

Marcia, thank you very much.

MARCIA HOFMANN:

Oh, thank you.

BROOKE GLADSTONE:

Marcia Hofmann is a senior staff attorney for the Electronic Frontier Foundation.