
Hacking, Privacy Laws: Time To Reboot

Recent cases highlight serious flaws in current privacy and cyber abuse legislation, allowing prosecutors to wield a hammer when a stick will do.

What's more important: protecting civil liberties, or prosecuting people who misbehave?

Unfortunately, two cases have recently highlighted serious shortcomings in how our public officials pursue both of those goals, suggesting that the only viable solution is for Congress to overhaul existing privacy and computer-abuse laws.

For starters, the Computer Fraud and Abuse Act (CFAA) gives prosecutors such wide discretion in pursuing "computer crimes" that they can threaten minor offenders with excessive jail time, thus creating the possibility that people have been coerced into pleading guilty. That's why, on the civil rights front, numerous digital rights groups and privacy lawyers have been calling on Congress to rein in the CFAA, including its criminalization of the nebulous concept of "unauthorized access."

Thanks to the CFAA, prosecutors can wield a hammer when a stick -- at most -- is all they need. For example, Internet activist Aaron Swartz, who allegedly used the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database, faced 13 felony charges and a maximum sentence of 35 years in prison. Prosecutors charged Swartz despite JSTOR officials saying in 2011 that they'd dropped civil charges against him, noting that he'd apologized and said he'd returned all copies of the data he downloaded. Arguably, the case should have been closed -- and JSTOR officials urged prosecutors to do so. They declined.


Swartz's efforts weren't in pursuit of illicit financial gain. He wasn't reselling academic papers or stealing users' identities. Instead, he was campaigning for free access to information that was funded with taxpayer dollars. Regardless, he was hit with felony violations -- including wire fraud, computer fraud, "recklessly damaging" a computer, as well as unauthorized access -- in part for saying he'd wanted to publish the information for free. Yet he never did so.

The Swartz case shows that CFAA is far too broad, and prosecutors can't be trusted -- or perhaps expected -- to not use every prosecutorial tool available to gain a conviction or plea bargain. Critics of Carmen Ortiz, the lead federal prosecutor in Swartz's case, have accused her of bullying, given the threat of massive jail time that Swartz faced. But it's more useful to look at his case as a bellwether: this is what prosecutors will do with CFAA, if given the chance. Accordingly, Congress must rein it in.

Another bellwether of the types of overreach that are allowed -- this time on the privacy front -- stems from the case of David Petraeus, who last year resigned as director of the CIA after an FBI agent reported that Petraeus was having an affair.

The bureau's cyber-crime investigators had considered the case to be closed. But FBI agent Frederick W. Humphries II, who'd gotten the investigation started on behalf of an acquaintance, feared that they were covering up a national security incident. He reported Petraeus' extramarital affair to Rep. Dave Reichert (R-Wash.), who told House majority leader Eric Cantor (R-Va.), who informed FBI director Robert S. Mueller III.

Cue scandal, and Petraeus' resignation. Yet no related charges have been filed in the case against Petraeus. Likewise, no charges have been filed against his mistress -- and biographer -- Paula Broadwell, who'd been accused in the press of improperly handling classified information and of stalking socialite Jill Kelley, whom she saw as a rival for Petraeus' attentions. Finally, no charges have been filed against the FBI agent, because he apparently broke no privacy laws.

To be clear, the privacy missteps in the case involved a rank-and-file FBI agent who wasn't part of the cyber investigation and evidently didn't understand that affairs aren't a national security matter. In fact, since CIA regulations require employees to disclose any affairs they're having to the agency -- to mitigate blackmail threats -- it's likely that the relevant agency officials knew full well what Petraeus was doing.

But the FBI agent's airing of the affair kicked off a media storm and investigation that supposedly then found evidence that Kelley was having an affair with the top U.S. commander in Afghanistan, Gen. John Allen, to whom she'd supposedly sent 30,000 emails. Except that Kelley and Allen said none of it was true. Closing the matter, Army investigators cleared Allen of any misconduct.

Adding insult to privacy injury for the Kelley family is that they'd reached out to FBI agent Humphries in the first place. "We simply appealed for help after receiving anonymous e-mails with threats of blackmail and extortion," Jill Kelley and her husband Scott wrote in a recent Washington Post opinion piece. "When the harassment escalated to acts of cyberstalking in the early fall, we were, naturally, terrified for the safety of our daughters and ourselves. Consequently, we did what Americans are taught to do in dangerous situations: sought the help of law enforcement."

Unsurprisingly, the Kelleys are calling on Congress to get tough on what law enforcement agencies and government officials can do with people's private information -- for starters, by expanding the Electronic Communications Privacy Act (ECPA) to safeguard how people's emails can be accessed or disclosed. "Ours is a story of how the simple act of quietly appealing to legal authorities for advice on how to stop anonymous harassing e-mails can result in a victim being re-victimized," the Kelleys wrote.

Who re-victimized the Kelleys? Interestingly, they've accused government officials of leaking their names and the existence of private correspondence, along with failing to safeguard their identities even though they had reported a potential cyber-stalking crime.

Broadwell's reportedly threatening emails to Kelley aside, isn't the real crime the fact that unnamed authorities violated no privacy or data-mishandling laws, while leaving behind a trail of allegations and innuendo?

User Rank: Apprentice
2/6/2013 | 5:17:00 PM
re: Hacking, Privacy Laws: Time To Reboot
Ok, so no one in this scandal did anything legally wrong. But one portion deserves to be presented more clearly: a rank-and-file agent disregarded the expertise and perhaps authority of his department's cyber crime unit in closing the case and continued to use bureau resources (including his time) to pursue an investigation for a friend. Abuse of office, misuse of resources, at least questionable if not prosecutable.

Looks like the only result was a political one, without delving into where our senior military commanders' focus is if they can deal with 30,000 emails from an obviously well-connected socialite. Kind of leads one to view Jack Nicholson's speech to Tom Cruise as a sort of premonition: "All you did today was weaken a nation" (considering there are certainly others capable of filling the office).
J. Nicholas Hoover
User Rank: Apprentice
2/6/2013 | 5:56:15 PM
re: Hacking, Privacy Laws: Time To Reboot
In many ways, this only scratches the surface. While laws like CFAA and ECPA need to be reformed, so too may federal wiretap laws, compliance regimes, breach notification laws, laws of war, and others. It's too bad legislators are dangerously unprepared for cyberlaw.