The Good Hackers

Speaker 1: And down the line it left into the corner. It is.

Lizzie O’Leary: Gone. We’re going to start this episode about computer hacking with a little baseball.

Speaker 1: Randal Grichuk puts the Cardinals on the board in the first inning with a home run right down the line. What? Nothing. St. Louis.

Lizzie O’Leary: That’s from the first game of the 2014 National League Division Series between the Saint Louis Cardinals and the L.A. Dodgers. The Cardinals eventually won the series 10 to 9. They later lost the league championship to San Francisco. Still a pretty impressive season. But that same year in the team’s front office, something else was going on.

Speaker 3: You’ve got this guy working for the Cardinals, Chris Correa.

Lizzie O’Leary: That’s Josephine Wolff. She teaches cybersecurity policy at Tufts University. She’s also a baseball fan. Chris Correa, the Cardinals executive, was looking at scouting reports and putting together lists of players the team might want to hire.

Speaker 3: And he has some former coworkers on the Cardinals, some folks who used to work there with him who leave and go to work for the Astros. And when they leave, they turn over, as you do, your work computer and also the password, the account you use to access it. And Correa, who’s still with the Cardinals after they leave, gets this idea that maybe the passwords haven’t changed that much in their new roles. Maybe they’ve set up their new accounts with the Astros and used just the same or a very similar password. And he tries it out with one of his former co-workers, and it works.

Lizzie O’Leary: Correa was able to get into the Houston Astros’ internal computer system. He could see all their stats, what players they had their eyes on, all of it. And he did this more than once.

Speaker 3: He continues to sort of access this through various people’s accounts and use it to pull down a lot of information. And he’s charged under the Computer Fraud and Abuse Act, this big anti-hacking law that goes back to the eighties.

Lizzie O’Leary: The case was a huge deal both for people like Josephine, who study cybersecurity and for Major League Baseball.

Speaker 4: People are wondering in the game exactly how far the commissioner’s going to go. Is it going to take away an entire year’s worth of draft? Is he going to go harder than that? Is he going to issue a huge fine on the Cardinals? Because, look, it’s industrial espionage.

Lizzie O’Leary: The league fined the Cardinals $2 million and made them give up two draft picks. But the bigger penalty fell to Chris Correa. He was sentenced to 46 months in prison.

Speaker 3: And a lot of people, including Correa, I think, kind of look at this and say, like, you know, I’m the hacker who you’re going after. I’m the example you want to set here of what illegal hacking is.

Lizzie O’Leary: On the one hand, Josephine says Correa did it. On the other, he’s not exactly a sophisticated blackhat hacker. Plus, there was the way he was sentenced.

Speaker 3: The way that we count charges in hacking is very, very kind of counterintuitive or subjective, we might say. Right. Like if we’re talking about counts of murder, we have a very good sense of sort of what’s one count of murder. If we’re talking about counts of hacking, then is that every time somebody logs in?

Lizzie O’Leary: Correa’s 46-month sentence came in part because he pleaded guilty to five counts of unauthorized access. But also, Josephine says, because he was someone prosecutors could actually charge.

Speaker 3: A lot of illegal hacking we don’t or can’t prosecute: it’s people overseas. It’s people who we can’t identify or, if we do identify, can’t get extradited. And so there is a little bit of a sense that sort of when you actually catch somebody and are able to charge them, there’s sometimes a bit of a desire to punish them as harshly as possible.

Lizzie O’Leary: But just recently, the government has started rethinking this, narrowing down what hacking really means and who should be charged with it. Today on the show, how a law that began with the eighties movie WarGames is getting a bit of a modern makeover. I’m Lizzie O’Leary. And this is What Next: TBD, a show about technology, power and how the future will be determined. Stick around.

Lizzie O’Leary: Back in 1986 when the Computer Fraud and Abuse Act was enacted, there were already laws against extortion and other financial crimes that we often associate with hacking. But what didn’t exist, Josephine says, is a law that focused on the act of hacking itself.

Speaker 3: So what Congress needs to do when they decide we’re going to write a new law here is they need to come up with some class of behavior that’s specific to using computers that’s not already been made illegal. And what they come up with is they say it’s going to be illegal to access computers without authorization or in excess of authorization. We’re talking about trespassing into the computer. It’s not even really what you do with the computer that’s illegal. It’s that act of accessing it in the first place. Because all of the things that you were going to do with the computer that would be illegal were already illegal.

Lizzie O’Leary: There’s this story that President Reagan saw the movie WarGames and asked some adviser, like, could that really happen? And they said, yeah. And that’s where this law was born. If you don’t remember the plot: teenager David Lightman, a.k.a. Matthew Broderick, accidentally hacks into a military supercomputer while looking for new video games and almost starts World War Three.

Speaker 3: There’s definitely a strong influence from that movie in this law, right? They actually show a few minutes of it at one of the early congressional meetings where they’re starting to draft kind of what’s the CFAA going to be. So no question, that’s hugely influential. I think, you know, the only thing I can say kind of in defense of Congress is they’re writing this law in the mid 1980s. Nobody has any idea what computer hacking is going to look like. I mean, if you know the movie, one of the sort of key moments of hacking in it comes when the very young Matthew Broderick guesses the password for a developer who’s been building the system for the U.S. government.

Speaker 4: We’re in. If they sign Falcon then.

Speaker 3: So you can see how sort of that becomes a central part of what Congress is thinking about, sort of what if you guess a password or you figure out somebody’s password and you get access to their account or a computer system they were able to control. And we think, kind of when we look at the language in the CFAA, that’s pretty clearly mapped to this idea of accessing a computer without authorization. Right. I’m accessing it with somebody else’s credentials. But it’s certainly not the only way that we see people access computers without authorization. And I think, you know, to Congress’s credit, perhaps they leave the language broad enough that as computing technology evolves and as people find new ways to hack into computers, the law encompasses that. But the flip side of that is that you have such a broad definition of hacking here that it encompasses all sorts of other stuff.

Lizzie O’Leary: The CFAA’s language was broad enough to prosecute Lori Drew in 2006. She helped create a fake MySpace profile to trick a girl named Megan Meier, who was a classmate and nemesis of her teen daughter. The page showed a teenage boy with a made-up name, Josh Evans. The fake Josh sent the real Megan flirty, friendly messages, but then the messages turned dark and hateful. His last one read, “The world would be a better place without you.” Megan Meier, who was just 13, hanged herself, and the federal government went after Lori Drew.

Speaker 3: And prosecutors actually bring CFAA charges against her and say this was computer hacking, this was unauthorized. MySpace had a policy that you weren’t allowed to use fake names or other people’s photos. And so I think sort of that broadness of the law, which is intended to help it stand the test of time, also means that it’s very widely applied, or has the potential to be very widely applied, to a lot of different people.

Lizzie O’Leary: A jury convicted her on three misdemeanor violations of the CFAA in 2008, but a judge later overturned the jury verdict against Drew and acquitted her. Perhaps the most famous CFAA case is that of Aaron Swartz. Swartz was a computer programmer and Internet activist. In 2011 he was arrested after downloading millions of articles from the academic journal database JSTOR on MIT’s computer network. He was eventually charged with two counts of wire fraud and 11 violations of the CFAA. The charges carried a possible penalty of $1,000,000 and 35 years in prison. Facing a trial and lengthy imprisonment, Swartz hanged himself.

Speaker 3: I think that that headline, sort of immediately, especially following his death, around, you know, this was somebody looking at more than three decades in prison potentially, really startled a lot of people, in the same way that some of the sentences, like the 46 months in prison for Correa, startled people. There were proposals following his death in Congress. There was one called Aaron’s Law to amend the CFAA, change some of the sentencing, things like that. They didn’t make a lot of progress. But I do think that it sort of got some conversation going around this topic. I’m not sure it changed the ways that prosecutors were thinking about and using the law. That’s a very hard thing to assess.

Speaker 3: I will say we didn’t see a case exactly like Aaron’s, but very few cases are exactly like his, right. It was such a unique situation, somebody who was downloading millions of academic articles, that we wouldn’t expect necessarily to have other examples in that regard. And I do think that there’s been a little bit of a tendency over the past few years, maybe in part because of his case, to try to focus CFAA charges on clearer wins for the government and trying to focus on sort of people who have done something more clearly egregious or in violation of the law.

Speaker 3: But I wouldn’t say that there’s been any kind of very concrete change other than this ruling out of the Supreme Court, which didn’t speak exactly to Aaron’s case and sort of how that precedent might have changed it, but did start to narrow down a little bit the way in which this law has been applied, did send at least a signal of we don’t think that the broadest possible interpretation of accessing a computer without authorization should be used.

Lizzie O’Leary: But lately, the government has started to rethink the broad application of the law. The Justice Department recently released new guidelines for prosecutors about how to pursue CFAA cases.

Lizzie O’Leary: Let’s talk a little bit about these new Justice Department guidelines. They seem to fall into two categories. I wonder if you could lay them out for me.

Speaker 3: I think the first thing that’s really important, especially for people like me who do research, is there’s an exemption carved out basically that says we don’t want prosecutors to charge anybody doing good faith security research. So there’s this concern if you’re doing the kinds of research where you look at popular computer programs or websites or platforms and try to find security vulnerabilities. Right. If you’re looking at autonomous vehicles and saying, look, here’s a bug, here’s a bug, here’s a way somebody could attack this, that the manufacturers of those devices could come after you and say, hey, you weren’t allowed to access that, you didn’t have authorization or you’re messing around with our copyrighted code or something like that.

Speaker 3: And so one of the things that the new guidelines do, which I think is important, though I think there are still a lot of questions to be resolved here, is it says we don’t want prosecutors to charge anybody who’s doing that kind of security research in good faith. And I think the questions and the fights are going to come up around sort of, well, what makes security research good faith? The example that they give in the guidelines for what would not be good faith research is if you do research and then you try to extort the manufacturers, you say, you know, I’m going to publish this unless you give me $1,000,000. I think there’s going to be a lot of gray area between sort of we did this research, we reported it responsibly to the companies, that had an opportunity to fix it, we published it, you know, according to a reasonable timeline, all of that, and the researchers who are just like, oh, I found this thing and I tried to extort somebody with it.

Lizzie O’Leary: Yeah, it seems from my very layman’s understanding, like they’re sort of trying to differentiate between good hacking and bad hacking.

Speaker 3: In fairness to the Justice Department, one of the reasons they’re doing that is that when charges are brought under the CFAA, often one of the sort of lines that people use is like, oh, I was just doing security research, right? And so I think it’s reasonable for the Justice Department to want to say, like, sometimes people are doing real good, beneficial security research and sometimes they’re just saying that.

Lizzie O’Leary: The other update to the guidelines is the DOJ essentially recognizing how we all use computers now and understanding that what might technically be unauthorized computer use isn’t exactly hacking.

Speaker 3: If we say, well, you know, let’s say you use a work computer during the workday and you sign an acceptable use policy, as many of us do when you start your job, that says I’ll only use this work computer for work purposes and professional projects. And then you’re, you know, sitting around answering your email and you think, I’d really like to check the outlook for today. I’d really like to buy a shirt, right? And you start doing that and somebody says, well, hey, you were exceeding your authorization when you did that because you were only authorized to use your computer for work purposes.

Lizzie O’Leary: It would be a big stretch to call that kind of unauthorized use hacking. The lines around this stuff are a little blurry. Still, a recent Supreme Court case found that a police officer named Nathan Van Buren, who used his access to search digital license plate records in exchange for money, had not violated the CFAA.

Speaker 3: The case I was talking about that went to the Supreme Court where you had a police officer using the license plate database for non-work reasons. Certainly I would say a little bit more egregious than checking the baseball scores, but a similar thing in which you have a computing resource that your employer has given you and you’re using it for some non-work purposes. And so I think the sentencing guidelines saying, look, if you violate some kind of written policy, there are all of these written things that we kind of click through and don’t read, let’s say, here’s how I’ll use this computer or this website or whatever, and if you violate the terms of those, that’s not a crime. Right. That’s the sort of important development here. And it is important because it says we’re not going to kind of leave it up to random companies to write criminal laws. Right. To say, like, here’s some random agreement that we wrote down, and if you violate it, that could potentially be a crime. It’s certainly progress to have the US government saying, like, that’s not something we’re going to prosecute as a crime.

Lizzie O’Leary: We started this conversation talking about the Cardinals–Astros case. Do you think that the Cardinals executive, Chris Correa, would still be prosecuted in the same way? No.

Speaker 3: He certainly could still be prosecuted under the CFAA. Using somebody else’s password without their permission to access their accounts is certainly, and always has been, a violation of the Computer Fraud and Abuse Act. So, yes, I think he would still be prosecuted. Would the sentence be exactly the same? That depends so much on the court and the circumstances. It’s a little hard to know. But I think that sort of the specific terms of what he did would not in any way be altered by these new guidelines.

Lizzie O’Leary: I think one of the things that is so complicated when we are talking about either this piece of legislation or other really big ones, I’m thinking of a very important law that dictates a lot of our tech activity that was written in 1996, is that they were written in the eighties and the nineties. And so much of how we use technology has changed, and changed so fast. What do you think is the right way to change or codify these laws? Should it be through subsequent court decisions like the Supreme Court? Should it be legislative updates? You know, how should we make laws reflect the world in which they are applied?

Speaker 3: I think that, you know, if Congress had motivation to change this law, they could do that potentially faster, certainly more comprehensively, than we’ve seen it done by these kind of one-off court cases. The Van Buren case last year was the first time the Supreme Court had ruled on the Computer Fraud and Abuse Act. So it took a very, very long time for this controversy to kind of even make it to that level. The reliance on courts to disagree at the lower levels and finally kind of work their way up through the circuit courts to the Supreme Court is a very slow, very frustrating process.

Speaker 3: The things I would most like to see around the Computer Fraud and Abuse Act, and these are not new ideas, these are ideas people have been floating for many years now, are some revision of the ways in which charges are counted and sentences are applied. I do think that there’s something really startling about how large the prison sentences potentially are. Like with Aaron Swartz, it was sort of he, you know, was connecting to this JSTOR database multiple times. So there were multiple counts. And so you racked up the prison.

Speaker 3: Here’s the other thing that I think is really sort of weird about these sentencing guidelines: they often hinge on how much damage has been done. So, for instance, if you look at the baseball case we were talking about, a part of that 46-month sentence is that the Astros come to court and they say something like, you know, we’ve lost millions of dollars. It’s hard to know exactly what they mean by that. But the same thing with Aaron Swartz. You saw this case where you had an academic database that was like, this is hundreds of millions of dollars’ worth of academic articles that have been stolen, which is, and I say this as somebody who writes academic articles, a crazy way of thinking about the value of downloaded academic articles. And so I think the sentencing really needs to be reconsidered. And we need more reasonable, more proportional ways of thinking about how that should work.

Speaker 3: And the other piece of this is that I think there really needs to be a much more across-the-board revision of how we define accessing computers without authorization or in excess of authorization, to say that that only applies to what we might call circumvention of code-based restrictions.

Lizzie O’Leary: What does that mean in plain English?

Speaker 3: It means you have to do something technical. It means you don’t just violate the terms of service, right? You don’t just say, you know, oh, I was supposed to put my real name on my Facebook profile, but I thought it would be funny to put Father Christmas or whatever. And it would also mean that, like, if Facebook sends you a cease and desist letter saying stop scraping data off of our site and you continue to do that, then they cannot say that was an act of illegal hacking. That was not a violation of a code-based restriction. That was a violation of a cease and desist letter.

Speaker 3: And so it would be an attempt to say sort of you have to actually be doing something with the computer that you weren’t supposed to be able to do, that the computer itself had some code or some technical control that was meant to stop you from doing it. It certainly wouldn’t resolve every question around what’s illegal hacking, but it would narrow a fair bit kind of the range of hacking activities to something that I at least think would more closely resemble the kinds of behavior that we want to be trying to find legal restrictions for.

Lizzie O’Leary: And it sounds like the kind of thing that most people would actually say, oh, yeah, that sounds like hacking.

Speaker 3: Yeah. Something where you would say, you know, not just this is such a broad law that we can bring it against anybody we were mad at, which I think is kind of what happens in that Lori Drew MySpace case, where you’ve got somebody where there’s a lot of public outrage and prosecutors are kind of looking around trying to figure out what can we do here. But it’s something that’s actually a little bit tailored to understanding what computers are and what it means to hack into them and to use them in a way that they’re not supposed to be used.

Lizzie O’Leary: Well, thank you so much for your time.

Speaker 3: Thank you.

Lizzie O’Leary: Josephine Wolff is an associate professor of cybersecurity policy at the Fletcher School at Tufts University. All right. That is it for the show today. TBD is produced by Evan Campbell. Our show is edited by Tori Bosch. Joanne Levine is the executive producer for What Next. Alicia Montgomery is vice president of audio for Slate. TBD is part of the larger What Next family, and it’s also part of Future Tense, a partnership of Slate, Arizona State University and New America. Thanks so much for listening. I’m Lizzie O’Leary. We’ll be back next week with more episodes.