Jay Leiderman is a criminal defense attorney in Ventura, California. He co-authored the first ever book on the legal defense of California medical marijuana crimes and has been called the “Hacktivist’s Advocate” for his work defending those accused of computer crimes. He has been recognized and won awards for going above and beyond to represent clients accused of all sorts of crimes. Jay frequently lectures around the state and nation on various criminal defense topics.
Thursday, December 13, 2012
TWO RECENT HACKTIVIST TRIALS HAVE DANGEROUS IMPLICATIONS FOR A FREE INTERNET
TWO RECENT HACKTIVIST TRIALS HAVE DANGEROUS IMPLICATIONS FOR A FREE INTERNET
Twice last week, the justice system heard cases related to hacking, and in both instances, information sharing and cyberlaw were dealt a seriously heavy-handed blow. The government was the bully here, and the dorky little hacker had his glasses knocked square off his face.
It reminds us that the Internet is serious business, but also that a man’s gaping butthole can cause a lot of damage — but more on that later.
On November 20, alleged Wikileaks source Jeremy Hammond was denied bail in a New York City courtroom, and told he’s more dangerous than a sex offender because he compromised the computers of a private intelligence firm. In New Jersey, just hours later, a jury of his peers quickly convicted Andrew Auernheimer on charges of accessing a protected computer, and disclosing an AT&T security flaw while working with a group called Goatse Security. Hammond could get life in jail for his crime, and Auernheimer is likely to do a few years on a trumped-up charge for involving himself with a collective named after an Internet-famous image of a man’s wide-open rectum. Really. Look it up.
But it’s more than just a matter of sharing information, vile viral photographs, and making the world a wee-bit smarter. These rulings offer an eye-opening example of how far the government is willing to go to deter future hacktivism, even if it sets a deleterious legal precedent that could affect us all.
Hammond, seen here, plotting teh evil cyber-terrorisms
There was no conviction in Hammond’s case, but in Manhattan a federal judge did deny bail for the twenty-something Chicago man accused of involvement with last year’s high-profile hack of Strategic Forecasting, aka Stratfor, a private intelligence company that advises customers on global issues and has been routinely commissioned by law enforcement to, among other activities, investigate political protesters in the United States. Federal prosecutors are charging Hammond with being one of a handful of persons responsible for compromising Stratfor’s data by collaborating with a group called LulzSec, an offshoot of the hacktivist collective Anonymous. Now he is stuck behind bars facing three charges relating to hacking and fraud stemming from months of undercover investigation.
UNTIL THE COURTS CAN CATCH UP WITH THE TECHNOLOGY, AND CONGRESS CAN FIND A WAY TO BALANCE PRIVACY AND SECURITY IN THE CYBER-SECTOR, IT’S AN INCREDIBLY HOSTILE TIME FOR ALL COMPUTER USERS, NOT JUST HACKERS.
Hammond likely won’t stand trial for quite a while. As of this writing, he’s been locked up more than 260 days with slim chance of release. On Tuesday, a judge said she will keep it that way indefinitely until the government’s attorneys are ready have at him.
“Jeremy, only 27 years old, has spent most of his young life contributing to charitable efforts and acting on his principles to right what he perceives as wrong,” reads a statement posted this week on an online support network for the hacker’s defense. “Now, due to his contributions to the Anonymous collective, Jeremy could, if found guilty, spend 30-plus years in prison.”
Sure enough, Judge Loretta A. Preska did acknowledge in court that Hammond faces a sentence of 35 years to life should a jury convict him on charges that have so far proven relatively victimless, with the exception of the few intelligence agents whose reputations were tarnished, along with the customers of the company whose log-ins were compromised. Coincidentally, details emerged last week that reveal that Judge Preska’s husband happens to be one of the thousands of Stratfor subscribers whose credentials were hacked by LulzSec. The court has not acknowledged the connection, and now the wife of someone with a vested interest in seeing a conviction controls Hammond’s fate. So far, she’s showing signs that it won’t be an easy case for the defense.
“Judge Preska and the prosecuting attorneys did state that Jeremy was more of a danger to the community than an online sexual predator because Jeremy has ways to hide his identity online and, pardon my sarcasm here, because Jeremy knows how to use Tor,” writes Sue Crabtree of the Hammond Solidarity Network. Tor, or The Onion Router, is an identity-masking software bundle funded by the US State Department and used to create anonymity for web users who wish to keep their digital footprint relatively untraceable, often over fear of prosecution and persecution. So far it seems like Hammond was right in thinking he needed it.
“The truth is, Jeremy has done no wrong and those determined to prosecute him are guilty,” reads a statement from his supporters. “The State is guilty of protecting their own interest, especially in their pursuit to prosecute those they consider dangerous to their agenda.”
According to Crabtree, the courtroom was informed this week that Hammond’s name is now on a federal terrorist watch-list and his pleas for bail were rejected because the judge considers him a flight-risk, despite the fact that he doesn’t have a passport.
Auernheimer, seen here, sporting a super-terrorist beard
Across the river in Newark, New Jersey, 27-year-old Andrew Auernheimer was found guilty of essentially punching his keyboard.
In 2010, Auernheimer found what was pretty much a massive AT&T fuck-up while working with a group called Goatse Security, or GoatSec. The Apple iPad that worked with the telecom’s 3G network was just a few weeks old at the time and still the coolest and most must-have item for upper-middle-class America, a fact that posed a pretty big problem when Auernheimer noticed that all of those privileged persons’ information was sitting on the Internet, unencrypted, open for anyone smart enough to see if they knew where to look.
“IF RECENT EVENTS HAVE TAUGHT US ANYTHING IT’S THAT CONGRESS IS ABSOLUTELY USELESS AND IS NOT LIKELY TO DO ANYTHING ON ANY ISSUE AT ANY TIME,” SAYS LEIDERMAN. “THEY ARE THE MOST IMPOTENT BAND OF INDIVIDUALS ON THE PLANET, SO WE NEED TO LEAVE IT TO THE COURT TO LET THIS SHAPE OUT.”
Auernheimer never stole any passwords, and he never hacked Apple or AT&T. Last week in court he was abundantly clear about his intentions. “No, I did not attempt to monetize off of this,” he said during testimony, a fact reinforced by the prosecution’s own evidence. When GoatSec was asked to sell their findings, Auernheimer told a colleague well before he was under indictment, “I am saying that it has been destroyed and we’re not going to violate principles for money. And none of our people have a copy of the data at all.” GoatSec never quite made the damage prosecutors led the jury to believe. AT&T patched the flaw almost instantly–a flaw they only learned of because of Auernheimer.
“I don’t think that people should keep software vulnerabilities secret,” Auernheimer explained to the court. “I think the consumer has a right to be informed when they’re put at risk by a company. And we have not only a right as Americans to analyze things that corporations publish and make publicly accessible, but perhaps even a moral obligation to tell people.”
While no nefarious hacks ever occurred, Auernheimer did, however, hype up his discovery. Just like how he used his noggin to discover a massive security breach and went public with his findings, he also sold himself goddamn brilliantly, using hyperbole and elusiveness in disclosing his findings with a cryptic allure that only a hacker could have. It worked in getting the story out, and it worked on convincing a jury to convict him.
A driving force during the prosecution’s questioning of Auernheimer was the specific language he used when he first approached the press with his findings. “I would be absolutely happy to describe the method of theft in more detail,” Auernheimer wrote on behalf of GoatSec in June 2010 to a few media contacts whose emails were compromised by the exploit. It was PR gold and likely the impetus behind the story’s success. Then the courts used it against him, bringing it up repeatedly during Auernheimer’s brief time on the stand.
“I felt I was free to use rhetoric and hyperbole like ‘theft’ because the underlying act of accessing public information–it boggles my mind that it could be considered a crime,” Auernheimer said on the stand this week.
“It’s a universal understanding,” he said, “when you put something on the Internet — http, to my understanding, is a publishing system. And when you put something on the open Internet and you didn’t protect it with a password or a firewall, you’ve made it a part of the public record.”
“And when you publish something, you can’t sit there and say–you know, when somebody uses it to embarrass you, you can’t kill the messenger and say, ‘Well, I didn’t want you to have that.’ Well, you shouldn’t have made it available if that’s true.”
For accessing a “protected computer,” Auernheimer could get fives years for each of the two charges. Security experts say a retrial is likely and Auernheimer himself is adamant about appealing. After all, his charges are dog shit.
“The ‘protected computer’ is any network computer. You access a protected computer every day,” Auernheimer told reporters outside of a courtroom on Tuesday. “Have you ever received permission from Google to go to Google?”
Auernheimer said moments after being convicted that he expected a guilty verdict and will appeal—news he tweeted from his phone since he isn’t allowed to touch an actual computer for a while. For the time being, he’s out on $50,000 bail awaiting sentencing or perhaps an appellate ruling that could eventually bring his case to the Supreme Court.
After details from both the Auernheimer and Hammond cases came in Tuesday evening, I called Jay Leiderman, a defense attorney from Southern California who has represented a fair share of alleged computer criminals, including some aligned with the Anonymous movement that spawned LulzSec. When Leiderman picked up the phone, he was just finishing a day of lawyering near Los Angeles and had barely heard any news from the East Coast yet.
“Hammond was told he can’t do house arrest and could be put away for 39 years to life,” I told him. He paused. For a while.
Leiderman suggests there’s no way in hell that Hammond will be put away for life for sharing the Stratfor data, but says that the way his and Auernheimer’s cases were handled say a lot about the justice system.
“The way the government is reading these laws really makes about all behavior criminal,” Leiderman tells me.
In the case of Auerenheimer, Leiderman says, “He didn’t access a protected computer yet he was convicted of it.”
“It is clearly a situation of them striking while the iron is still ambiguous,” he says. For right now, there is a real lack of well-defined cyberlaw.
“At some point the federal courts are going to have a chance to consider these issues and realize the prosecutions that they are currently undertaking are in fact what the laws were designed to prevent,” he says. “But before that happens, the federal government is intensifying their pound of flesh. They are trying to scare everyone and make them think that every time they punch upon that keyboard that they are risking 15 years in federal prison. And for as long as that, it’s nothing but a scare tactic and one that ultimately can’t survive in an era of internet freedom.”
Hammond, who has been confined to jail since March, isn’t likely to be spared from those scare tactics as his case progresses. In a case that is highly under documented, even within the court reporting circuit, the federal charges against Hammond likely have as much to do with computer hacking as it does with making a domestic scapegoat out of one of the few US citizens the government might be able to directly link to Wikileaks. Unlike with Auerenheimer, though, there is at least a precedent and an actual burden of proof that Hammond acted on ill intentions.
To say either Auernheimer or Hammond went public with some Earth shattering knowledge wouldn’t exactly be correct. It is, however, pretty safe to acknowledge that Tuesday’s ruling—especially in the Newark case —accentuates the fact that the Justice Department is now willing to put anyone behind bars for crimes that aren’t yet properly defined.
Hammond’s story is one that has a bit more structure to it—in terms of current law, anyway—but both tales need to be talked about before another harmless hacker is locked away for exposing anything from botched, billion-dollar corporate security to handing “super-secret” intelligence to the enemy—in this case, Julian Assange of Wikileaks.
According to his indictment, Hammond and LulzSec stole credit card numbers from Stratfor’s servers as well as a trove of personal emails from employees, hundreds of thousands of messages that are still being combed through by researchers nearly a year later. If he is guilty of what he is accused, Hammond is likely to receive a sentence that will set an unfortunate precedent. It’ll also be perhaps the first real punch Uncle Sam’s landed on WikiLeaks.
As of this writing, no person has yet to be tried in civilian court for any crimes connected to WikiLeaks. Private First Class Bradley Manning, the accused source of sensitive military documents from the Iraq and Afghanistan wars, will be court-martialed early next year. Meanwhile, he’s been held in conditions considered torturous by the UN for over 900 days. Jacob Appelbaum, a computer researcher from the West Coast who represented Assange at a hacker conference in 2010, was recently informed that he is still under federal investigation nearly two years after the FBI first subpoenaed his personal Gmail account. At this rate, Hammond might be the first head from the WikiLeaks snake that the Justice Department can cut away, although information sharing and hacktivism isn’t likely to die as quickly. They will, however, have hard proof that their actions won’t be tolerated.
Hammond’s a self-described communist and anarchist, but his political leanings aren’t quite as sexy and dangerous as the US attorneys’ hyperbolic Hollywood portrayal His indictment highlights his freeganism—digging through garbage for food. His rap sheet is called into question, which includes an arrest for “violently protesting” a speech delivered by a Holocaust denier. The court has been made aware that Hammond’s probation officer once found “questionable literature” in his residence—pamphlets for a protest against a white supremacist group.
“I do think that Hammond’s prosecution is 100 percent political, not withstanding whatever actions he may have taken,” Leiderman says.
“I think we’ve come to a place in America where we no longer value the political dissident. Where speech that is contrary to government is no longer seen as a valuable thing in society,” he says.
“The way that speech works and the way that free speech works is that if an idea is too radical and if an idea is too far flung and too far fetched—like dumpster diving for your food—it’s going to be rejected by the people in the marketplace of ideas, and that’s the way the marketplace of ideas works. But when it’s the government telling us, ‘Nah, this idea is no good. We need to reject it,’ then it’s no longer free choice in the marketplace of ideas. We’re being told what to think and that’s where it gets scary.”
“It is scary when you put it that way,” I told Leiderman.
LulzSec and Anonymous have both waged online campaigns to draw attention to efforts from Washington to pass cybersecurity legislation that, in every instance so far, sought to severely limit personal Internet freedoms. President Obama is soon expected to act on an executive order to do what Congress can’t, and prosecutions against harmless computer “criminals” could easily crescendo. After all, almost every attempt from Washington so far to put together cybersecurity legislation has allowed for the government to play grab-ass with any and all information stored on the servers of private companies. At the same time, existing legislation already lets the feds conduct surveillance over email accounts and other activity with little more than a court order. Just ask the last head of the CIA.
While lawmakers on the Hill and the country’s courts are both trying to make sense of how to approach computer crime, no one is safe in the meantime. Currently, over 5,000 people have installed a free browser plug-in that lets anyone comb through websites using a URL incrementing script in Firefox that more or less mimics what Auernheimer was charged with, and there’s another publicly available plugin for Google Chrome. Even Facebook was started with a script that combed through Harvard’s databases for public-facing images of the student population. Auernheimer’s discovery wasn’t groundbreaking, but his conviction would be. Until the courts can catch up with the technology, and Congress can find a way to balance privacy and security in the cyber-sector, it’s an incredibly hostile time for all computer users, not just hackers.
“If recent events have taught us anything it’s that Congress is absolutely useless and is not likely to do anything on any issue at any time,” says Leiderman. “They are the most impotent band of individuals on the planet, so we need to leave it to the court to let this shape out. And you know, the courts don’t suffer fools lightly. The courts have historically done a reasonably good job in protecting our freedoms and narrowly circumscribing crimes such that bold behavior isn’t criminal. And the way the government is reading these laws really makes about all behavior criminal.”
For now, says Leiderman, interpretation in regards to computer crimes is weak. While it’s arguable that the justice system will never keep up with the pace of technology, at this rate it could be too late before laws are finally structured in such a way that Hammond and Auernheimer aren’t looking at guaranteed, asinine sentences.
Meanwhile, says Leiderman, the state of affairs is ludicrous. “They’ve made a rule so broad, so amorphous and so ambiguous,” he says, “that reasonable people can’t ascertain what conduct is in fact covered.”
“We’re at a point in the history of these prosecutions where the government can literally charge anyone for anything and they seem to be doing that in a very targeted manner. They are going after people they don’t like for speech that they don’t like and they are going to get these convictions up until the point where courts start telling them, ‘Stop it. This isn’t what these laws were meant for.’”
That’s assuming the people have a voice long enough to make that opinion heard.