The client was known online as Commander X, the leader of the People’s Liberation Front, a group allied with the hacker collective Anonymous. He was suspected of engineering an attack on the county of Santa Cruz’s servers, an allegation that could land him in prison for up to 15 years.
His attorney, Jay Leiderman of Ventura, had never defended a computer crimes case. In the summer of 2011, after weeks of email and phone conversations, they decided to meet in person.
By then, Leiderman knew his client’s real name, but Commander X was keeping his identity a secret to the outside world. The client had a protocol for their meeting, and his lawyer followed it. Leiderman went to a specific street corner in a Northern California town — he won’t say which one — where he found a middle-aged homeless man sitting on the sidewalk.
Leiderman wrapped a dollar bill around his business card and dropped it in the man’s hat. Then he walked two blocks to a nearby park and sat on an empty bench.
The homeless man got up a few minutes later and joined Leiderman on the park bench. He was Christopher Doyon, also known as Commander X. The two men talked for hours.
“It feels really exciting at first, like you’re this spy lawyer,” Leiderman said in a recent interview in his Ventura office. “But then you get serious and get to work about it. It all gets normal very quickly.”
Helping shape law
Today, Leiderman is one of the top attorneys in the country for people accused of violating the federal Computer Fraud and Abuse Act, or the CFAA. It’s a red-hot area of law, the subject of recent congressional hearings by lawmakers concerned with the prosecution of programmer and activist Aaron Swartz, who was facing CFAA charges when he committed suicide in January.
Although he didn’t work on Swartz’s defense, Leiderman seems to have had a piece of almost every other headline-grabbing hacking case. This month, when Reuters social media editor Matthew Keys was indicted on charges of enabling a hack of a newspaper website owned by his former employer, Tribune Company, he hired Leiderman as one half of his defense team.
Like the rest of his computer crimes work, Leiderman took the Keys case pro bono. He pays the bills doing standard criminal defense work in Ventura County, including the ongoing appeal of convicted rapist Andrew Luster’s 124-year sentence, and defending medical marijuana sellers all over the state.
Computer crimes interest him for the same reason medical marijuana does: It’s an area of the law that’s relatively new, so there are plenty of gray areas and potential test cases.
“In both cases, you’re just starting to see the law being shaped, and you can be the tip of that blade that’s shaping the law,” he said.
Leiderman, 41, started his career as a public defender and now has his own firm. He traces his interest in computer crimes to late 2010 and early 2011, when his wife was pregnant with their son. They’d stopped going out at night, and Leiderman quickly grew tired of watching television.
He started reading about the hacker collective Anonymous and its war on PayPal, Visa and MasterCard. The companies had all blocked donations to WikiLeaks after the site published its trove of leaked diplomatic cables. Anonymous retaliated with something called a distributed denial-of-service attack, slowing down the financial companies’ websites.
The U.S. government was tracking the hackers and prosecuting some of them, and that didn’t sit well with Leiderman. He thought the denial-of-service attacks were legitimate protests and should be treated the same as a march or a sit-in.
Sometime in the spring of 2011, Leiderman announced on Twitter that he would be happy to represent any “righteous hacktivists” free of charge. A friend retweeted the message to influential people in the hacker community, and the next thing Leiderman knew, he was exchanging emails with Commander X.
Crime, punishment
Because he takes the cases pro bono, Leiderman is picky about which hackers he represents. In his view, they are people who are unjustly targeted by the government or who wouldn’t be able to navigate the justice system on their own.
He thinks Doyon is an example of both. Commander X was a sophisticated hacker and online activist, the leader of the People’s Liberation Front, a group allied with Anonymous. Christopher Doyon was a 50-something homeless man whose most recent photo ID, Leiderman said, was a 20-year-old library card.
Doyon allegedly hit the county of Santa Cruz with a distributed denial-of-service attack that slowed its servers to a crawl for half an hour. He claimed he did so to protest the county’s actions in breaking up a protest of the city of Santa Cruz’s policy against sleeping in public.
“It was a symbolic crime,” Leiderman said. “A symbolic punishment would have been something like a $200 fine.”
Instead, Doyon was arrested on federal CFAA charges that carry a maximum sentence of 15 years in prison. Leiderman said it was likely that Doyon would get six months or less, but a 15-year sentence was on the table.
Doyon jumped bail and says he fled to Canada last year. In an email interview, he said the stiff potential sentence was one reason he fled, along with bail conditions that severely limited his use of the Internet.
Doyon said he felt bad about fleeing because he knew it would make things difficult for Leiderman, whom he considers a friend and “one of the greatest attorneys ever.”
“Jay has a deeply held passion for the freedom of information and cyberactivism movement,” Doyon said.
Prosecutors disagree
Federal prosecutors dispute Leiderman’s characterization of his clients as righteous protesters or harmless hobbyists.
One of Leiderman’s clients, Raynaldo Rivera, pleaded guilty in October to his part in a 2011 hack of Sony Pictures Entertainment by LulzSecurity, or LulzSec.
Sony had sued a hacker for “jailbreaking” his PlayStation 3 to let it run software unapproved by Sony and publishing a guide on his website for others to do the same. LulzSec then obtained and posted the names, passwords and personal information of thousands of Sony accounts.
Leiderman maintains that Rivera, now 20, is a “good and promising man” who was manipulated by an older LulzSec leader. Rivera will be sentenced soon, and Leiderman said he hopes that his client will get probation rather than prison.
The U.S. attorney’s office agreed to seek a sentence at the low end of the possible guidelines for Rivera. Still, Thom Mrozek, a spokesman for the U.S. attorney’s office in Los Angeles, said in an email that Rivera committed a serious crime that put thousands of people at risk of identity theft. Some people did report having their email or Facebook accounts hacked after their Sony information was released online.
“This type of conduct is more than a prank and is worthy of a federal criminal prosecution,” Mrozek said. “I’m sure that each and every person at risk of identity theft as a result of Mr. Rivera’s criminal conduct would agree.”
The law’s future
The Computer Fraud and Abuse Act was passed in 1984, and Leiderman believes that it is obsolete in many respects. Back then, Congress was concerned about a scenario like in the movie “War Games,” in which a hacker infiltrates Pentagon computers and almost starts World War III. Computer networks were rare, and someone hacking into one was presumed to have bad intentions.
Today, computers are everywhere, and the CFAA can be vague on what constitutes illegal access to one.
Even when access is clearly illegal, Leiderman and other reformers see a problem in the law’s sentencing guidelines.
Slowing down Santa Cruz County’s website carries the same maximum 15-year sentence as an attack that permanently destroys the site of a major corporation or government agency and costs it millions of dollars. In practice, a hacker who doesn’t cause much harm isn’t likely to get a long sentence, but it is possible.
“They’re still facing 15 years, and a judge that gets pissed off can throw them in prison for 15 years if he wants,” Leiderman said.
There are signs that Leiderman’s position on the CFAA is gaining traction. A House subcommittee this month heard testimony on the law. Many lawmakers said they were opposed to any reduction in the scope of computer crimes or the severity of penalties, but others were open to changes.
The current CFAA is the one Leiderman must deal with. His latest case, that of Matthew Keys, will keep Leiderman on the front pages and the airwaves. He was recently interviewed on NPR and the Huffington Post, making the case that Keys was acting as a journalist, not a co-conspirator, in his dealings with Anonymous.
A few days before Keys was arrested, Leiderman sat in his office and said he was looking for “that next great case.”
“I want to make the government stop and think about what they’re doing, and maybe change what they’re doing,” he said.