By Joseph Marks
WikiLeaks founder Julian Assange is seen as he leaves a police station in London on April 11. (Peter Nicholls/Reuters)
They say it's a stretch to use the 35-year-old Computer Fraud and Abuse Act to nab Assange for the alleged crime — offering to help Chelsea Manning decipher a password so she could get greater access to a military database and pass more secrets to WikiLeaks.
And even that alleged crime, they say, is the mark of some crafty legal maneuvering since prosecutors couldn’t bring charges against Assange for what actually riled them — that WikiLeaks published secret information that threw U.S. diplomatic relations into chaos in 2010 and upended the presidential election in 2016 — without undermining First Amendment free speech protections. In other words, it’s a little like getting Al Capone for tax evasion — if the evidence of tax evasion was pretty tenuous.
“It's clear that this prosecution isn't substantially driven by any CFAA violation that may or may not have occurred,” David Segal, co-founder of the liberal advocacy group Demand Progress, told me. “Rather, an alleged such violation is being used to de facto prosecute for the publication of leaked materials.”
Indeed, it’s highly unlikely the government would have bothered to indict — and seek to extradite from England — someone who wasn’t Julian Assange for trying, but evidently failing, to assist in a computer hack, as Julian Sanchez, a senior fellow focused on technology and privacy at the libertarian Cato Institute, pointed out on Twitter.
Also, of course, it seems inconceivable DOJ would put the effort they have into extraditing someone who had merely agreed to run a password hash against some rainbow tables for another intruder.— Julian Sanchez (@normative) April 11, 2019
The creative use of it to grab Assange only highlights for them the cloud of legal menace often faced by legitimate security researchers who use hacking to point out cybersecurity vulnerabilities. And it's a reminder that prosecutors have used the law before to aggressively prosecute activists.
“CFAA is a ridiculously broad statute or, at least it has been interpreted that way by many courts,” Jeffrey Vagle, an affiliate scholar at Stanford University’s Center for Internet and Society, told me. “It was written in a completely different era with respect to how we use computers. It was not a well-thought-out law, and that’s come back to haunt us.”
A provision that bars “exceed[ing] authorized access” on a computer, for example, can be read to apply to simply violating a website's terms of service — such as by lying about your age in an online form.
That provision was what the Justice Department relied on to prosecute Aaron Swartz, an Internet activist who violated JSTOR’s terms of service by using an automated program to download troves of public-access academic journals from the online database. Swartz, an advocate for broad public access to information, wanted to demonstrate that the online database limited access to academic articles to institutions that could pay high fees. Swartz faced up to 50 years behind bars and a fine of $1 million but committed suicide in 2013 before his case went to trial.
That was just one of numerous prosecutions that activists deemed questionable under the law, as my colleague Brian Fung detailed. Another example: “In 2016, journalist Matthew Keys . . . was sentenced to two years behind bars under the law. Keys, who formerly worked for Tribune Media, was convicted under the CFAA for passing computer login information to the digital activist group Anonymous,” which then used the login to alter an online Los Angeles Times article, Brian reported.
Companies have also used civil portions of the law to threaten ethical hackers who try to find and publicize bugs in their software that can violate customers’ privacy.
In Assange’s case the charges deal with a specific CFAA provision focused on classified government materials, as University of Southern California Law Professor Orin Kerr outlined on Twitter:
Second, it's based on a relatively aggressive (and somewhat controversial) view of the Computer Fraud and Abuse Act -- that accessing files in violation of an order on classified materials is an unauthorized access.— Orin Kerr (@OrinKerr) April 11, 2019
Prosecutors are also tacking on a separate charge related to terrorism in order to extend the statue of limitations for the hacking crime -- which is normally five years -- to the eight years Assange has been holed up in the Ecuadorian embassy in London as CFAA-focused attorney Tor Ekeland pointed out on Twitter.
So, basically, they're saying that the SOL is 8 years because the 18 U.S.C. § 1030(a)(1) CFAA charge is listed as an act of terrorism under 18 U.S.C. § 2332bg(5)(b)(i). Got that? https://t.co/25NaYSToVf If true, they filed the indictment in the nick of time (3/6/18) #Assange— Tor Ekeland (@TorEkelandPLLC) April 11, 2019
“The bill, which would have removed exceeding authorized access as an offense, was colloquially known as Aaron’s Law. It did not pass,” Brian reported.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
Russian President Vladimir Putin. (Dmitri Lovetsky/AP)
At the Post’s request, Clemson University researchers examined a trove of Russian-originated tweets that appeared designed to urge Sanders supporters to fall in line behind President Trump rather than Hillary Clinton after the Vermont senator dropped out of the race.
“It is impossible to say how many [tweets] were targeted at Sanders supporters because many don’t include his name,” Michael reported. “Some 9,000 of the Russian tweets used the word ‘Bernie,’ which were ‘liked’ 59,281 times and retweeted 61,804 times.”
“But that was only one element of the Russian effort to target Sanders supporters, the researchers said. Many thousands of other tweets, with no direct reference to Sanders, were also designed to appeal to his backers, urging them to do anything but vote for Clinton in the general election.
Here’s a take from one of the Clemson researchers, Darren Linvill, associate professor of communications: “I think there is no question that Sanders was central to their strategy. He was clearly used as a mechanism to decrease voter turnout for Hillary Clinton,” The tweets examined in the new analysis “give us a much clearer understanding of the tactics they were using. It was certainly a higher volume than people thought.”
U.S. Deputy Assistant secretary for Cyber and International Communications and Information Policy Robert Strayer, right, and Ajit Pai, chairman of the Federal Communications Commission. (Manu Fernandez/AP)
Timo S. Koster, the Dutch government’s top diplomatic official for cybersecurity issues, tweeted the invitation and a partial list of participants Thursday.
All 25 nations participating in #UNGGE on advancing responsible state behavior in cyberspace in the context of international law pic.twitter.com/ALdxtQOMof— Timo S. Koster (@tskos) April 11, 2019
Former State Department cyber coordinator Chris Painter told me last year that the 2019 dialogues should focus less on agreeing to new global cybersecurity norms and more on how to enforce the ones nations have agreed to.
Huawei mobile phones are displayed at a telecom service shop in Hong Kong. (Kin Cheung/AP)
“We are probably the most tested vendor in the world,” Huawei’s cybersecurity director Sophie Batas told journalists at Huawei’s new cybersecurity center in Brussels.
“She criticized comments by Robert Strayer, U.S. State Department deputy assistant secretary for cyber, international communications and information policy, who told journalists on Wednesday that countries adopting risk-based security frameworks for 5G would lead to Huawei being banned,” Reuters reported.
“I have difficulty believing that a government like the United States organized a press conference yesterday to single out one particular company, and I wonder why it is going so far,” Batas said.
The Assange arrest dominated most of Thursday’s news cycle and is sure to continue today. Here's more about:
- The years of debate over bringing charges against Assange, from my colleagues Rachel Weiner, Matt Zapotsky and Ellen Nakashima.
- The political fallout, from my colleagues William Booth, James McAuley, Ellen and Matt.
- Assange's arrest and whether it damages press freedom, per Post columnist David Ignatius.
- The effect for Trump, who once proclaimed: "I love WikiLeaks." From Shane Harris and Greg Miller.
Looks like the Assange / Wikileaks deadman switch just dropped. Coverage here:https://t.co/EnxLCO6bpg— Rob Joyce (@RGB_Lights) April 11, 2019
Cybersecurity news from the private sector:
Russian lawmakers are barreling toward final approval of a law that would effectively segregate the nation’s Internet from the rest of the world, Reuters reported.
The nation’s “Internet sovereignty” bill “aims to route Russian Web traffic and data through points controlled by state authorities and to build a national Domain Name System to allow the Internet to continue working even if Russia is cut off from foreign infrastructure, according to the report.
“The bill’s authors say the measures are needed to defend the country after the United States adopted what they described as aggressive new U.S. cyber security policies last year.”
Critics, however, say the bill would make it far easier for the Kremlin to censor foreign news sources, silence dissenters and ramp up domestic digital surveillance.
Source: The Washington Post