If Obama Gets His Way, Sharing This Story Will Soon Be a Felony
On Jan. 20, this website published a story titled, "If This Is Your Password, Change It Immediately." The article included a list of the 25 personal passwords — "password" and "abc123" among them — most commonly found in databases of personal account information routinely leaked by hackers. The material came from SplashData, an internet security firm that seeks out vulnerable targets and reports on them to an often endangered public. The list of passwords appeared in various forms on outlets including CBS News, NPR and the BBC, to name a few.
Later that night, President Barack Obama in his State of the Union address made the case for a new proposal to rewrite and tighten federal cybersecurity laws, so that no "foreign nation" or "hacker" would have the ability to "shut down our networks, steal our trade secrets or invade the privacy of American families. Especially our kids."
Inaction, he said, would leave the country "vulnerable" to attacks like the one launched against Sony Pictures Entertainment. Only by adopting this new language, Obama said, could Congress "continue to protect the technologies that have unleashed untold opportunities for people around the globe."
But the broad laws he proposed would not simply target shadowy foreign hackers. American bloggers and media companies would also be subject to felony cybercrime charges for disseminating hacked material. The statute would apply to normal Internet users too: If you, dear reader, saw the "bad passwords" article and passed it along to a friend over email, or posted the link to Reddit, or retweeted the article, or shared it on Facebook, then you too could face federal prosecution for "willfully" trafficking "in any password or similar information."
Does that sound insane? Surely it does. Is it a real possibility? With Republicans and Democrats both backing the bill, it surely is.
Why this, why now? Though Obama's public pitch might be appealing, a closer look at the details underlying his proposal reveals something more complicated and potentially menacing to millions of ordinary Americans: a vast expansion of prosecutorial power that could stifle online speech and, in a jarring miscalculation, criminalize some of the most effective known tools for assessing security networks.
"This is a solution looking for a problem," Nate Cardozo, a lawyer on Electronic Frontier Foundation's digital civil liberties team, told Mic. "A large part of this is the need to be seen to do something. A lot of these proposals were first put forward in 2011. They failed then. And they've been put forward a number of times since then." Only to flop again. The Sony hack and ensuing sense of national crisis, stoked by Obama and other administration officials, provided a new opening.
But the product remains deeply, dangerously flawed.
"Cybersecurity is something everyone wants and it sounds nice, but the malicious kind of hacking that typically steals headlines, passwords and financial information mainly emanates from abroad — and cannot be stopped by domestic legislation," attorney and legal theorist Colin Kalmbacher, who is presently an LL.M. candidate at the Benjamin N. Cardozo School of Law in New York, told Mic in an email.
"If you're one of those people who cares even a little bit about liberty and individual rights against the backdrop of a frequently abuse-laden government," Kalmbacher said, the law "should not be made any more vague than it already is."
The American Civil Liberties Union agrees.
"The high-profile hacks we're hearing about tend to be cases where the companies need to more careful in defending their own systems," ACLU lawyer Gabe Rottman told USA Today. "An information-sharing bill would not have stopped any of those hacks."
Fixing what isn't broken: Despite the handful of successful, high-profile recent hack attacks, the Internet is still a pretty safe place for the hundreds of millions of people who store sensitive information, from credit card numbers to Social Security numbers in reinforced online databases.
Maintaining that security, however, is a constantly evolving challenge. Given the relative impotence of Congress in passing relevant laws, the Internet has mostly come to protect and police itself.
Take Google's "Project Zero."
The premise is simple. Google security engineers seek out and find security bugs in other companies' products. At that point, they pass along their findings privately and start the clock, giving the vendor 90 days to fix the bug or have it exposed publicly on Google's website. If a company takes even a day longer, Google publishes its findings — a warning to users that a website or software package could potentially endanger their private information.
The project is a win-win for Internet users and the companies targeted by Google's altruistic hackers. The latter get to fix their security flaws in a timely, quiet way, while consumers can go forward with greater confidence knowing those issues are under constant scrutiny.
But if the administration's proposals pass, Google's actions could subject them to civil suits or criminal prosecution. As Tom's Guide's Paul Wagenseil wrote recently, Obama's "revision might make such disclosures illegal, because Google researchers would know or have 'reason to know that a protected computer could be accessed or damaged without authorization' by individuals using their findings."
When Google recently exposed a series of security bugs in Microsoft's Windows software after the company refused to deliver a security patch until the 92nd day, Microsoft responded with an angry blog post challenging Google's ethics and motives.
"But under the new proposal," Cardozo said, "they could do worse than write a nasty blog post — they could potentially sue Google. Now, Microsoft would probably think twice about suing Google, because Google can afford the best lawyers on the planet. But Microsoft might not think twice about suing a little guy, a solo researcher."
And with that, contrary to the administration's stated intentions and the public's obvious desire, the Internet very quickly becomes a less secure place.
Everyone is a criminal: With cybersecurity threatened, it follows a certain twisted logic that we'll need more criminals to blame. So under the new proposals, the penalties for something as mundane as sharing a Netflix password would become gravely serious.
"Sharing your password with one person, under the current law, is arguably a misdemeanor," Cardozo said. "Now, federal prosecutors almost never bring misdemeanor charges. It just doesn't happen. But under the new proposal, it's a 10-year felony for a first time offense. And that is much more appealing to a prosecutor."
Under current law, the Department of Justice isn't likely to track you down and drag you into a federal court for sharing a Netflix or HBO Go password. But as Cardozo said, "the fact that they can makes us worried. If you piss off the wrong prosecutor for a completely unrelated reason, they can quite easily find a felony to prosecute you for."
If that reads like a conspiracy theory or far-flung assumption, it's not. The federal government — in particular its ambitious, conviction-hungry prosecutors — has shown a willingness to use every tool afforded by the statute, with little or no regard for the intent of its authors to reach a set of predetermined goals.
Two cases, one involving a young programmer and another centering on a controversial independent journalist, show the danger created by overzealous prosecutors equipped with murky or overbroad laws.
The long shadow of the law: The prosecution of Aaron Swartz, the Web wunderkind who created the technology behind the RSS feed, is the most disturbing and instructive example.
Swartz was a pioneer and champion of the open Internet, who in 2011 was charged with wire and computer fraud after downloading 4.8 million documents from JSTOR, an MIT-based subscription database of academic writing.
After coming to an out-of-court agreement with Swartz — he gave the files back — JSTOR said it had no interest in pursuing legal action. But the Department of Justice was not satisfied. By 2013, after nearly two years of hearings and negotiations, Swartz still faced 35 years in prison. Before the case could go to trial, the 26-year-old killed himself.
If Obama's proposals are passed by Congress, not only would someone like Swartz face tougher charges, but a reporter or blogger who links to the kind of database he was trying to create could be threatened with jail time too. Or, in the case of investigative journalist Barrett Brown, be hounded by law enforcement and eventually sentenced by a U.S. judge to more than five years in a federal prison.
"Barrett Brown's case will likely prove instructive for what's to come whether the new measures make it into law or not," Kalmbacher wrote in his email. "Brown was prosecuted for, amongst other things, posting a link in a chatroom to information that was stolen from a private company. Let that sink in. This government prosecuted a journalist for doing his job under the present form of the [cybersecurity law]."
The story is a bit more convoluted than that, but it goes like this: After a long court battle, Brown pleaded guilty to being an accessory to hacking, interfering with the execution of a search warrant and transmitting threats. Most of his 63-month sentence is tied to the "threats" charge, which was brought after Brown posted a weird but innocuous YouTube video threatening to "ruin" the FBI agent pursuing his case.
Brown was initially targeted by prosecutors for sharing a publicly available link with information obtained by a hacker who stole information from a personal security firm called Stratfor. Brown posted the link, which included personal passwords, but did not partake in nor play any role in organizing or inciting the hack itself.
Those initial charges — aggravated identity theft and trafficking in stolen data — didn't figure in the final plea agreement. Having already served 30 months, Brown is expected to be released in the next two years.
Broaden the law, widen the net: If Brown committed a crime, it was at the very least partially provoked by the FBI, which his supporters say had been following him for years. With a broad new statute like the one the Obama administration is pursuing, law enforcement would be gifted an even wider net to pursue individuals, like Brown, with reputations for being closely associated with "hacktivists" like Anonymous.
As it is currently written, the law requires that prosecutors prove an "intent to defraud" to establish guilt. In Obama's restructuring, that language is dropped in favor of "willfully," a more ambiguous definition that, as Cardozo explains, removes "the financial gain requirement" from the law. If you're unclear on what that means, then you are perfectly clear on the problem. "Willfully" can be just about whatever a prosecutor wants it to be.
"Under the new proposal, 'willfullness' is defined in the statute to mean having a 'wrongful intent,' Cardozo continues, underlining the absurdity, "but 'wrongful' is not defined in the statute. Me tweeting an article about a list of passwords, knowing that people are going to use those passwords to break into innocent people's computers is certainly arguably wrongful."
At the very least, this scenario will create confusion among law-abiding citizens and social media butterflies. It will also cast a shadow on journalists and investigators whose line of work requires they occasionally contact unsavory characters online.
A worthy fight: But the social stakes are even higher. By choking off the exchange of information online with the threat of legal action, the government will effectively slap an arbitrary and expensive price tag on the Web's most precious commodity.
The language of the proposal also has implications for millions of Americans who might either unwittingly or tangentially have some association with cybercriminals. The knock-on effects could do permanent damage to the Internet, stigmatizing any online activity apart from heavily regulated consumer activity.
It simply doesn't follow. Why would a president who speaks so frequently about trying to create new opportunity for the dispossessed push for a law that experts agree will slow the democratization of information — and thus, economic and social power — for decades?
Share if you dare: For Kalmbacher, the proposals betray the administration's "fundamental lack of understanding about digital life, computers and cyberspace."
That they would put another "useful tool in the quiver of ambitious, resume-padding prosecutors," he wrote, only makes the legislation more popular with law enforcement officials and their political allies. The desire to hang a 10-year felony prison sentence over the head of a college kid who's shared her Netflix password might be rare, but it's still a "tool."
If you find that prospect unnerving, it's time to stand up and speak out. The Obama administration has rare bipartisan support for its proposals and, barring any kind of significant grassroots opposition, there is little incentive for Congress not to continue following his lead. So tell a friend and share this story — if that's a risk you're willing to take.
Correction: Jan. 29, 2015