Risk
2/5/2013
01:33 PM
Connect Directly
RSS
E-Mail
50%
50%

Hacking, Privacy Laws: Time To Reboot

Recent cases highlight serious flaws in current privacy and cyber abuse legislation, allowing prosecutors to wield a hammer when a stick will do.

What's more important: protecting civil liberties, or prosecuting people who misbehave?

Unfortunately, two cases have recently highlighted serious shortcomings in how our public officials pursue both of those goals, suggesting that the only viable solution is for Congress to overhaul existing privacy and computer-abuse laws.

For starters, the Computer Fraud and Abuse Act (CFAA) gives prosecutors such wide discretion in pursuing "computer crimes" that they can threaten minor offenders with excessive jail time, thus creating the possibility that people have been coerced into pleading guilty. That's why, on the civil rights front, numerous digital rights groups and privacy lawyers have been calling on Congress to rein in the CFAA, including its criminalization of the nebulous concept of "unauthorized access."

Thanks to the CFAA, prosecutors can wield a hammer when a stick -- at most -- is all they need. For example, Internet activist Aaron Swartz, who allegedly used the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database, faced 13 felony charges and a maximum jail sentence of at least 35 years in prison. Prosecutors charged Swartz despite JSTOR officials saying in 2011 that they'd dropped civil charges against him, noting that he'd apologized and promised that he'd returned all copies of the data he downloaded. Arguably, the case should have been closed -- and JSTOR officials urged prosecutors to do so. They declined.

[ How do you define cyberwarfare? Read Uncertain State Of Cyberwar. ]

Swartz's efforts weren't in pursuit of illicit financial gain. He wasn't reselling academic papers or stealing users' identities. Instead, he was campaigning for free access to information that was funded with taxpayer dollars. Regardless, he was hit with felony violations -- including wire fraud, computer fraud, "recklessly damaging" a computer, as well as unauthorized access -- in part for saying he'd wanted to publish the information for free. Yet he never did so.

The Swartz case shows that CFAA is far too broad, and prosecutors can't be trusted -- or perhaps expected -- to not use every prosecutorial tool available to gain a conviction or plea bargain. Critics of Carmen Ortiz, the lead federal prosecutor in Swartz's case, have accused her of bullying, given the threat of massive jail time that Swartz faced. But it's more useful to look at his case as a bellwether: this is what prosecutors will do with CFAA, if given the chance. Accordingly, Congress must rein it in.

Another bellwether of the types of overreach that are allowed -- this time on the privacy front -- stems from the case of David Petraeus, who last year resigned as director of the CIA, after an FBI agent reported that Petraeus was having an affair.

The bureau's cyber-crime investigators had considered the case to be closed. But FBI agent Frederick W. Humphries II, who'd gotten the investigation started on behalf of an acquaintance, feared that they were covering up a national security incident. He reported Petraeus' extramarital affair to Rep. Dave Reichert (R-Wash.), who told House majority leader Eric Cantor (R-Va.), who informed F.B.I. director Robert S. Mueller III.

Cue scandal, and Petraeus' resignation. Yet no related charges have been filed in the case against Petraeus. Likewise, no charges have been filed against his mistress -- and biographer -- Paula Blackwell, who'd been accused in the press of improperly handling classified information and of stalking socialite Jill Kelley, whom she saw as a rival for Petraeus' attentions. Finally, no charges have been filed against the FBI agent, because he apparently broke no privacy laws.

To be clear, the privacy missteps in the case involved a rank-and-file FBI agent who wasn't part of the cyber investigation and evidently didn't understand that affairs aren't a national security matter. In fact, since CIA regulations require employees to disclose any affairs they're having to the agency -- to mitigate blackmail threats -- it's likely that the relevant agency officials knew full well what Petraeus was doing.

But the FBI agent's airing of the affair kicked off a media storm and investigation that supposedly then found evidence that Kelley was having an affair with the top U.S. commander in Afghanistan, Gen. John Allen, to whom she'd supposedly sent 30,000 emails. Except that Kelley and Allen said none of it was true. Closing the matter, Army investigators cleared Allen of any misconduct.

Adding insult to privacy injury for the Kelley family is that they'd reached out to FBI agent Humphries in the first place. "We simply appealed for help after receiving anonymous e-mails with threats of blackmail and extortion," Jill Kelley and her husband Scott wrote in a recent Washington Post opinion piece. "When the harassment escalated to acts of cyberstalking in the early fall, we were, naturally, terrified for the safety of our daughters and ourselves. Consequently, we did what Americans are taught to do in dangerous situations: sought the help of law enforcement."

Unsurprisingly, the Kelleys are calling on Congress to get tough on what law enforcement agencies and government officials can do with people's private information -- for starters, by expanding the Electronic Communications Privacy Act (ECPA) to safeguard how people's emails can be accessed or disclosed. "Ours is a story of how the simple act of quietly appealing to legal authorities for advice on how to stop anonymous harassing e-mails can result in a victim being re-victimized," the Kelleys wrote.

Who re-victimized the Kelleys? Interestingly, they've accused government officials of leaking their names and the existence of private correspondence, along with failing to safeguard their identities even though they had reported a potential cyber-stalking crime.

Broadwell's reportedly threatening emails to Kelley aside, isn't the real crime the fact that unnamed authorities violated no privacy or data-mishandling laws, while leaving behind a trail of allegations and innuendo?

Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
2/6/2013 | 5:56:15 PM
re: Hacking, Privacy Laws: Time To Reboot
In many ways, this only scratches the surface. While laws like CFAA and ECPA need to be reformed, so too may federal wiretap laws, compliance regimes, breach notification laws, laws of war, and others. It's too bad legislators are dangerously unprepared for cyberlaw.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
2/6/2013 | 5:17:00 PM
re: Hacking, Privacy Laws: Time To Reboot
Ok, so noone in this scandal did anything legally wrong. But, one portion deserves to be presented more clearly. A rank and file agent that disregarded the expertise and perhaps authority of his department's cyber crime unit in closing the case and continued to use bureau resources (including his time) to pursue an investigation for a friend. Abuse of office, misuse of resources, at least questionable if not prosecutible.

Looks like the only result was a political one without delving into where our senior military commanders focus is if they can deal with 30000 emails from an obviously well connected socialite. Kind of leads one to view Jack Nicholson's speech to Tom Cruise as a sort of premonition "All you did today was weaken a nation" (considering there are certainly others capable of filling the office).
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.