Julian Assange’s Prosecution is about Much More Than Attempting to Hack a Password


By Cindy Cohn

Electronic Frontier Foundation

April 17, 2019

 

Julian Assange’s Prosecution is about Much More Than Attempting to Hack a Password

 

Julian Assange's Prosecution is about Much More Than Attempting to Hack a Password

 

The recent arrest of Wikileaks editor Julian Assange surprised many by hinging on one charge: a Computer Fraud and Abuse Act (CFAA) charge for a single, unsuccessful attempt to reverse engineer a password. This might not be the only charge Assange ultimately faces. The government can add more before the extradition decision and possibly even after that if it gets a waiver from the UK or otherwise. Yet some have claimed that as the indictment sits now, the single CFAA charge is a sign that the government is not aiming at journalists. We disagree.  This case seems to be a clear attempt to punish Assange for publishing information that the government did not want published, and not merely arising from a single failed attempt at cracking a password. And having watched CFAA criminal prosecutions for many years, we think that neither journalists nor the rest of us should be breathing a sigh of relief.




The CFAA grants broad discretion to prosecutors and has been used to threaten, prosecute, and civilly sue security researchers, competitors, and disloyal employees, among others. It has notoriously severe penalties, often applied out of all proportion to the offense. Here the government says the single charge of attempted, apparently unsuccessful assistance in password cracking can carry five years in prison, although under the sentencing guidelines the actual sentence would likely be lower. Remember, there is no parole in the federal judicial system.

While we can all agree that we need some method for prosecuting malicious computer crimes, the lack of clear limits and exceptions, combined with draconian penalties, make the CFAA a powerful hammer that prosecutors can use against those who act against the wishes of a computer owner. That’s an especially broad reach in this age of networked computers. As the tragic prosecution of our friend Aaron Swartz for downloading scientific articles demonstrated, this also isn’t the first time that the CFAA has been used to bludgeon people for trying to inform the public.

Since journalists often work to provide us with information that the powerful do not want us to see, we do not believe this will be the last time we see the CFAA used to prosecute efforts central to journalism.

Of course, breaking into computers and cracking passwords in many contexts is rightly illegal. When analyzing the worst abuses of the CFAA, EFF has argued that the statute should only be applied to serious attempts to circumvent technological access barriers, including passwords. But even if the government has made a sufficient claim of a ‘legitimate’ CFAA violation here, it still must prove every element beyond a reasonable doubt, and it should do so without relying on irrelevant arguments about whether Wikileaks was truly engaged in journalism.

Whistleblower Chelsea Manning was charged in 2010 for her role in the release of approximately 700,000 military war and diplomatic records to WikiLeaks, which created front page news stories around the world and spurred significant reforms. The disclosure of classified Iraq war documents exposed human rights abuses and corruption the government had kept hidden from the public. While the disclosures riveted the globe, they also angered, embarrassed, and inconvenienced many, including the U.S. Departments of Defense and State, although no injuries or deaths were ever demonstrated as a result.

The Assange indictment, in contrast, arises from conversations the two had about an apparently unsuccessful attempt to access other classified documents. Here’s why it seems clear to us that the government’s charge of an attempted conspiracy to violate the CFAA is being used as a thin cover for attacking the journalism.

First, the government spends much of the indictment referencing regular journalistic techniques that are irrelevant to the CFAA claim. The indictment includes the actual elements of the CFAA claim in paragraph 15. Here’s an attempt to translate it in plain English: pursuant to an agreement aimed at giving Assange access to secret government information, Manning gave Assange a scrambled portion of a password that would allow Manning to log into a computer in a way that would hide her identity from the government. Assange’s only alleged illegal act was trying to unscramble a portion of that password.




If the government wasn’t aiming further, it could have stopped there. But it didn’t. Instead it included descriptions of normal journalistic practices in the modern age: using a secure chat service, using cloud services to transfer files, removing usernames, and deleting logs to protect the source’s identity. The government includes in the indictment a cryptic comment by Assange: “curious eyes never run dry in my experience,” which it characterizes as “encouraging” violations of the law. The government’s inclusion of these facts, as well as its reference to the Espionage Act, is a strong signal that it believes these other actions should also be viewed as part of a crime.

On top of that, as they have since the 1990s when they want to feed the “hacker madness” narrative, the prosecutors added unnecessary computer allegations to the indictment. The indictment mentions Manning’s use of the Linux operating system, darkly described as “special software . . . to access the computer file” that contained the password. It describes the use of a secure online chat service called Jabber. It even includes the fact that Manning used a “special folder” in Wikileaks’ cloud-based file transfer system. These facts are completely irrelevant to the single CFAA claim, but they, along with the Justice Department’s press release headline trumpeting Assange’s “hacking,” appear aimed at linking and even equating journalism and use of normal technical tools with the underlying crime.

Second, President Trump himself has blurred the distinction between what Wikileaks is accused of here and mainstream journalism. In an interview just after the arrest, Trump received a lot of scorn for saying that he did not know much about Wikileaks, an obvious lie.But what he said next should also be raising concerns about Trump’s view of the legality of normal journalistic practices: “I guess the concept is perhaps [Assange] is a reporter type and, you know, The New York Times is doing the same thing maybe and The Washington Post maybe the same thing.” Trump has made no secret of his hatred for these outlets and desire to create more liability for journalists revealing facts and news he doesn’t like to the public. His words here should give journalists pause.

Third, legally speaking, the claim in the indictment itself seems very small. The underlying act Assange is accused of—a single failed attempt to figure out a password—was not even important enough to be included in the formal CFAA charges leveled against Manning, even though it was known to the prosecutors and reported about long ago. The government made its CFAA case against Manning on her separate use of an “unauthorized” program (Wget) to actually access other materials she provided to Wikileaks, in violation of the government’s terms of use. For separate reasons, this was not a legitimate use of the CFAA, as EFF argued in its amicus brief in support of Manning. The misapplication of the CFAA to Manning is actually still pending in the appeal of Manning’s case, which continues despite the commutation of her sentence.

In the prosecutors’ desperation to find something, anything, to charge Assange, the U.S. government had to reach beyond the acts it used to court-martial Manning into something that apparently didn’t happen. While attempted violations of the CFAA are illegal, as with many other crimes, it’s still a remarkably small potatoes violation—with no apparent harm. It’s difficult to imagine that any U.S. Attorneys’ office would even investigate, much less impanel a grand jury and demand extradition for an attempted, unsuccessful effort to unscramble a single password if it wasn’t being done to punish the later publication of other materials.

From where we sit this prosecution feels sadly familiar. Just a few years ago this same statute was used by federal prosecutors to find something, anything, they could use to charge our friend Aaron Swartz. Swartz angered the government, first by downloading a bunch of judicial documents from the Pacer system and later, by downloading scientific journal articles from JSTOR. The government then continued the JSTOR prosecution even when JSTOR, the alleged victim, asked them to stop. Facing the CFAA’s draconian penalties, Swartz took his own life.

From these and other CFAA prosecutions we’ve tracked over at least the past 20 years, it’s nearly impossible to weigh the relatively narrow charge used to arrest Assange without considering the nearly decade-long effort by the U.S. government to find a way to punish Wikileaks for publishing information vital to the public interest. Anyone concerned about press freedom should be concerned about this application of the CFAA.

 


Cindy Cohn

 

Cindy Cohn is the Executive Director of the Electronic Frontier Foundation. From 2000-2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography.

 

 

Copyright © 2019 Electronic Frontier Foundation.