Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:33 PM

Hacking, Privacy Laws: Time To Reboot

Recent cases highlight serious flaws in current privacy and cyber abuse legislation, allowing prosecutors to wield a hammer when a stick will do.

What's more important: protecting civil liberties, or prosecuting people who misbehave?

Unfortunately, two cases have recently highlighted serious shortcomings in how our public officials pursue both of those goals, suggesting that the only viable solution is for Congress to overhaul existing privacy and computer-abuse laws.

For starters, the Computer Fraud and Abuse Act (CFAA) gives prosecutors such wide discretion in pursuing "computer crimes" that they can threaten minor offenders with excessive jail time, thus creating the possibility that people have been coerced into pleading guilty. That's why, on the civil rights front, numerous digital rights groups and privacy lawyers have been calling on Congress to rein in the CFAA, including its criminalization of the nebulous concept of "unauthorized access."

Thanks to the CFAA, prosecutors can wield a hammer when a stick -- at most -- is all they need. For example, Internet activist Aaron Swartz, who allegedly used the Massachusetts Institute of Technology's network to download millions of academic articles from the JSTOR academic database, faced 13 felony charges and a maximum jail sentence of at least 35 years in prison. Prosecutors charged Swartz despite JSTOR officials saying in 2011 that they'd dropped civil charges against him, noting that he'd apologized and promised that he'd returned all copies of the data he downloaded. Arguably, the case should have been closed -- and JSTOR officials urged prosecutors to do so. They declined.

[ How do you define cyberwarfare? Read Uncertain State Of Cyberwar. ]

Swartz's efforts weren't in pursuit of illicit financial gain. He wasn't reselling academic papers or stealing users' identities. Instead, he was campaigning for free access to information that was funded with taxpayer dollars. Regardless, he was hit with felony violations -- including wire fraud, computer fraud, "recklessly damaging" a computer, as well as unauthorized access -- in part for saying he'd wanted to publish the information for free. Yet he never did so.

The Swartz case shows that CFAA is far too broad, and prosecutors can't be trusted -- or perhaps expected -- to not use every prosecutorial tool available to gain a conviction or plea bargain. Critics of Carmen Ortiz, the lead federal prosecutor in Swartz's case, have accused her of bullying, given the threat of massive jail time that Swartz faced. But it's more useful to look at his case as a bellwether: this is what prosecutors will do with CFAA, if given the chance. Accordingly, Congress must rein it in.

Another bellwether of the types of overreach that are allowed -- this time on the privacy front -- stems from the case of David Petraeus, who last year resigned as director of the CIA, after an FBI agent reported that Petraeus was having an affair.

The bureau's cyber-crime investigators had considered the case to be closed. But FBI agent Frederick W. Humphries II, who'd gotten the investigation started on behalf of an acquaintance, feared that they were covering up a national security incident. He reported Petraeus' extramarital affair to Rep. Dave Reichert (R-Wash.), who told House majority leader Eric Cantor (R-Va.), who informed F.B.I. director Robert S. Mueller III.

Cue scandal, and Petraeus' resignation. Yet no related charges have been filed in the case against Petraeus. Likewise, no charges have been filed against his mistress -- and biographer -- Paula Blackwell, who'd been accused in the press of improperly handling classified information and of stalking socialite Jill Kelley, whom she saw as a rival for Petraeus' attentions. Finally, no charges have been filed against the FBI agent, because he apparently broke no privacy laws.

To be clear, the privacy missteps in the case involved a rank-and-file FBI agent who wasn't part of the cyber investigation and evidently didn't understand that affairs aren't a national security matter. In fact, since CIA regulations require employees to disclose any affairs they're having to the agency -- to mitigate blackmail threats -- it's likely that the relevant agency officials knew full well what Petraeus was doing.

But the FBI agent's airing of the affair kicked off a media storm and investigation that supposedly then found evidence that Kelley was having an affair with the top U.S. commander in Afghanistan, Gen. John Allen, to whom she'd supposedly sent 30,000 emails. Except that Kelley and Allen said none of it was true. Closing the matter, Army investigators cleared Allen of any misconduct.

Adding insult to privacy injury for the Kelley family is that they'd reached out to FBI agent Humphries in the first place. "We simply appealed for help after receiving anonymous e-mails with threats of blackmail and extortion," Jill Kelley and her husband Scott wrote in a recent Washington Post opinion piece. "When the harassment escalated to acts of cyberstalking in the early fall, we were, naturally, terrified for the safety of our daughters and ourselves. Consequently, we did what Americans are taught to do in dangerous situations: sought the help of law enforcement."

Unsurprisingly, the Kelleys are calling on Congress to get tough on what law enforcement agencies and government officials can do with people's private information -- for starters, by expanding the Electronic Communications Privacy Act (ECPA) to safeguard how people's emails can be accessed or disclosed. "Ours is a story of how the simple act of quietly appealing to legal authorities for advice on how to stop anonymous harassing e-mails can result in a victim being re-victimized," the Kelleys wrote.

Who re-victimized the Kelleys? Interestingly, they've accused government officials of leaking their names and the existence of private correspondence, along with failing to safeguard their identities even though they had reported a potential cyber-stalking crime.

Broadwell's reportedly threatening emails to Kelley aside, isn't the real crime the fact that unnamed authorities violated no privacy or data-mishandling laws, while leaving behind a trail of allegations and innuendo?

Offensive cybersecurity is a tempting prospect. It's also way too early to go there. Here's what to do instead. Also in the new, all-digital Nuclear Option issue of InformationWeek: Military agencies worldwide are figuring out the tactics and capabilities that will be critical in any future cyber war. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
2/6/2013 | 5:17:00 PM
re: Hacking, Privacy Laws: Time To Reboot
Ok, so noone in this scandal did anything legally wrong. But, one portion deserves to be presented more clearly. A rank and file agent that disregarded the expertise and perhaps authority of his department's cyber crime unit in closing the case and continued to use bureau resources (including his time) to pursue an investigation for a friend. Abuse of office, misuse of resources, at least questionable if not prosecutible.

Looks like the only result was a political one without delving into where our senior military commanders focus is if they can deal with 30000 emails from an obviously well connected socialite. Kind of leads one to view Jack Nicholson's speech to Tom Cruise as a sort of premonition "All you did today was weaken a nation" (considering there are certainly others capable of filling the office).
J. Nicholas Hoover
J. Nicholas Hoover,
User Rank: Apprentice
2/6/2013 | 5:56:15 PM
re: Hacking, Privacy Laws: Time To Reboot
In many ways, this only scratches the surface. While laws like CFAA and ECPA need to be reformed, so too may federal wiretap laws, compliance regimes, breach notification laws, laws of war, and others. It's too bad legislators are dangerously unprepared for cyberlaw.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.