How hacktivism intersects with the law

Ben Johnson and Danielle Stephens Apr 28, 2017
A demonstrator, and supporter of the group Anonymous, rests during a protest against corrupt governments and corporations in front of the White House in Washington, D.C. Saul Loeb/AFP/Getty Images

How hacktivism intersects with the law

Ben Johnson and Danielle Stephens Apr 28, 2017
A demonstrator, and supporter of the group Anonymous, rests during a protest against corrupt governments and corporations in front of the White House in Washington, D.C. Saul Loeb/AFP/Getty Images

We’re taking a deeper look at the idea of hacktivism, and how activists use technology to push forward a social or political agenda. To try and understand the laws around hacking and the future of hacktivism, Marketplace Tech host Ben Johnson talked to Molly Sauter, a doctoral researcher and author of the book, “The Coming Swarm: DDoS Actions, Hacktivism, and Civil Disobedience on the Internet.” Below is an edited transcript of their conversation.

Ben Johnson: So can you briefly explain some of the laws governing cyber crime in the U.S. right now?

Molly Sauter: So there really is just one. It’s called the Computer Fraud and Abuse Act and is the major piece of anti-hacking legislation in the U.S. and what it is at core is a fraud statute. And this has a couple implications. One, it’s both a criminal and a civil law so you can be prosecuted as a criminal under this law but you can also have a civil action brought against you under this law and because it’s a fraud statute, it has certain implications for how jail time and fines and restitution payments are constructed. And how these are constructed is fairly complicated but essentially what it boils down to is if more people are impacted by your action, the worse your punishment is and the higher your fine is. Right. And as we know, on the internet audiences can scale very fast so the quote unquote like “impacted victim group” can be very high and there isn’t really an established way of calculating what that number is or what the damages are that companies can claim.

Johnson: Right. So like, it could be anyone who has ever seen a movie by Sony?

Sauter: In theory, yes. So not only is the victim pool not readily calculateable, but also the law itself is very vaguely worded. It talks a lot about unauthorized access of, quote unquote “protected computers,” which was initially a term of art intended to refer to computers involved in banking or in government, but has been widely interpreted to include, like, really any computer. And unauthorized access has also been very widely interpreted. It could be that you were using somebody else’s password with permission, but you didn’t have the quote unquote permission of the service or the person who owned that computer. It could be that you didn’t have password access because it didn’t require password access, but someone just mistakenly put something online that maybe they didn’t intend to put online. So the law itself, while vaguely worded in the beginning to sort of enable it to scale with the times means that there has been a huge amount of what I would consider prosecutorial overreach: trying to pursue people who have made the internet maybe not as safe for commerce as maybe the U.S. government would like it to be.

Johnson: But it is interesting here that the law was basically designed to age well.

Sauter: Yeah, so most of the time when you make a law about something that’s rapidly changing like technology, you want to err on the side of being vague, because you want people to be able to adapt that law to the future. So it wasn’t necessarily written badly – what it was was written vaguely, and now it is being implemented badly in many cases.

Johnson: You’ve been listening to some of the previous stories that we have put in our series. If we look at some of the individuals featured, like this woman who founded Sci-Hub, legally how could she be punished under this law?

Sauter: So we’ve actually already seen this as is noted in the interview. She’s basically being pursued under the same theory of the law as Aaron Swartz was.

Johnson: Right.

Sauter: Essentially she is getting access to art and she’s not doing it the same way necessarily that Aaron Swartz did – he used a small script and basically downloaded too many articles too fast. And JSTOR wasn’t super thrilled about that. But she’s being prosecuted under the same theory of the law that she’s violating what are called the Terms of Service of these different websites and releasing their work, what they are claiming is their work product, in a way that violates how they would like people to be releasing it.

Johnson: Are there clear examples of the kind of overreach that you’re talking about of this law being sort of abused?

Sauter: So that’s a complicated question and has a lot to do with sort of how you interpret what computers are and what these different types of, quote unquote crimes are. I think a lot of people consider the Aaron Swartz prosecution to be a massive example of prosecutorial overreach. I think people have generally considered to be the weev prosecution to be a huge example of prosecutorial overreach that was later overturned.

Johnson: Can you just describe that weev example for those who don’t know it?

Sauter: So the weev case was, there was a guy who goes on the internet by the name of “weev.” Whose name is Andrew “weev” Aurenheimer. And he stumbled across — So AT&T assigns an address to your iPad when you put your iPad on the network. Andrew discovered that this address was actually publicly accessible. If you typed in a certain URL into your web browser and then iterated a series of numbers on the end of that URL, you could find people’s iPads on the public internet. You didn’t need a password, you didn’t need to be internal to AT&T systems – you could just find them. And he sent them an email, is like, “Hey, this is a thing that happened – you need to fix this because this is a massive security bug or I’m going to give it to Gawker.” They certainly didn’t fix it. And he and his partner gave that information to Gawker, which wrote an article about it. And Andrew and his partner were arrested and criminally prosecuted for hacking. It was said that they had hacked into this system when these, when these objects, these technical objects were publicly available on the Internet through a mistake of the company.

Johnson: You’ve written some pieces about what you think the future of hacktivism looks like. Can you paint that picture for us?

Sauter: So I think there are a couple of directions that hacktivism is going to go into in the future. One of them is something I call alternate infrastructures. And we can see that right now actually if you’ve heard the chatter around Mastodon as a federated alternative to Twitter. Now there have been other federated alternatives to major social networking sites that have been introduced in the past that haven’t really taken off. You might remember Diaspora, which was supposed to be the federated Facebook for a hot minute.

So people often come up with these alternative systems. What’s interesting about Mastodon and other of these so-called federated examples, is that they enable people to host individual instances of the code on their own servers. So they control their own servers. They tend to have a very strong emphasis on you controlling your data and then because it’s federated, it means you can see what’s happening on all the other servers as well as what’s going on on your server. So you’re not just stuck in your own little, like IRC channel with just your people. You can also see what’s going on in the rest of the network. And alternative infrastructure like this is a really powerful way to remove yourself from the net economy that is powered by advertising, data scraping and data analysis which is getting more and more creepy, especially as it becomes sort of a technological tactic that’s being picked up by political campaigns.

Johnson: This is fascinating. It’s like this idea of privacy protection through total transparency or something.

Sauter: Yes, so the idea of transparency is really core to what I would consider to be sort of the history of activist technology. And we can go back and see this in the free software and open source movements, which were fundamentally about having your source code available and being able to share it and have lots of people look at it. Now this was sort of counterintuitive because you think, “Well if everyone can look at my source code, you know they’re going to steal it or they’re going to find the bugs in it and then exploit them.” But what ends up happening is as you have more eyes looking at your code, you do have more people who can see the bugs, but you also have more people who can fix your bugs. And you also have more ways to innovate on that code so you can fork the code and someone else can say, “Well you made a really cool piece of code for like making coffee. I made a fork that’s about making lattes, and now you have both coffee and lattes together.” So this concept of open source like really promotes both innovation and safety.

Johnson: What’s another example of the future of hacktivism?

Sauter: So another thing that is going to become, I think, very popular is something I’m calling information exfiltration. And this is slightly different than leaking and it’s slightly different than like hacking for information. It’s an over-concept. So you have both internal leakers – so people on the inside who are leaking information to the outside – but then you have people on the outside who want information that’s inside a company or inside an individual’s e-mail, so they’ll hack into that database and remove that information and publish it. There’s not only going to be more information online but because there’s more information online it’s actually far more accessible even if it’s encrypted, because strong security is very hard. And as we’ve seen with the weev case, people make mistakes. Like we’ve also seen this with the Panama Papers case. As I can tell, the server that those emails were on for the Panama Papers case was wildly out of date. And so someone was able to access it because someone on the inside of that company failed to maintain their own security.

Sauter: So as more things get moved online, those things become more vulnerable. And as different organizations who might be vulnerable to people wanting to know what’s going on in them, like tax accountants who specialize in offshore accounts, or lawyers who specialize in international business or international taxation or international real estate, they’re going to fail because it’s inevitable, it’s inevitable for that security to fail. So that information will be pulled and targeted and then put online.

Johnson: Do you think that hacktivism in the digital world will ever replace activism in the physical world?

Sauter: I don’t think so. I think it will become more intuitive. So right now it’s not super intuitive to the vast majority of the population that if you want to protest something you go online to do it. What’s intuitive to them is petitions, street marches, sort of, media campaigns right now that involved like hashtags and those things feel much more intuitive than say joining a distributed denial of service action, which is a way of doing mass activism online. That started in the 90s and has become more popular since then, mostly through the actions of Anonymous. So Anonymous is the sort of internet collective that involves a large and ever-changing group of people who loosely share a politics and loosely share an aesthetic sense. And they’ve been engaged in a number of different actions that have included both online actions that are DDOS actions, information exfiltration and social media campaigns, but have also involved sort of real life street actions. So there were street marches against the Church of Scientology during Op Chanology. But that also included online actions. So you’re not just going to — I don’t think you’re going to see a sole push to be online.

I think what you’re going to see is more people doing stuff online because that’s where they’re used to taking action. So especially people, sort of, of the millennial generation and up seeing this as a natural place for politics to occur. But you’ll also see people engaged in street marches and you’ll also see people engaged in what are more broadly considered mainstream politics. So I think more people are getting interested in running for office since the last presidential election. More people are interested in knowing how their government works. So you’re going to see panoply of tactics that are coming forward and the internet’s just going to be part of it.

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.