Since the advent of the Internet, for better or for worse, government institutions have been struggling to keep up with ever-changing technology.  One topic that is of particular importance for all Internet users is the security of their private information – email addresses, passwords, financial data, etc.  There have been many instances in which savvy Internet users (i.e., hackers) have compromised private databases to obtain private information.  Dealing with this issue has attracted legislation from every state in the union, but striking the correct balance between ensuring that the Internet an open community on the one hand and keeping it secure for users on the other has proven to be a formidable challenge.

One recent criminal case from New Jersey exemplifies the misunderstanding between legislatures and the ever-evolving computer and Internet technologies.  A New Jersey jury convicted a member of a so-called “legitimate security organization” for violating the Computer Fraud and Abuse Act of 1986 (“CFAA”), a federal law that aims to reduce computer-related crimes.  The case involved Andrew Auernheimer, a member of GoatSec, for violating a provision of this law that punishes “access[ing] a computer without auhorizatin or exceed[ing] authorized access . . . from [a] protected computer.”  This provision was written long before the proliferation of the Internet, but yet it was used to convict Auerheimer for essentially changing the end of web addresses to obtain thousands of email addresses from AT&T.

Instead of convicting a hacker – a term used loosely when any Internet user can figure out what Auerheimer did to gain access to the email addressses – guilty of violating a law that is relatively archaic, the blame might be better placed on AT&T for having such an insecure method of data storage and retrieval.  Following in the footsteps of the Auerheimer decision will likely disincentivize Internet experts from revealing privacy issues for fear of criminal prosecution. At the same time that course of action would not encourage businesses like AT&T to take the initiative to make sure their websites protect customer data adequately.  One thing is sure, courts and legislatures across the country will be dealing with this battle for years to come.

J.P. Urban

Image Source

Tagged with:

13 Responses to Data Security: The Internet May Be Fast, but Law is Still Crawling

  1. Veronica says:

    To echo other commenters, this is an intriguing post. Although I agree with Tim regarding technology’s rapid growth as a recurring theme in history, I tend to agree with those who argue that the government should play some kind of role in regulating providers until more internet users become savvy enough to understand what they may be getting into when they click on websites or edit a URL. Nevertheless, there is a great difference between unsophisticated Internet users and hackers. Although the delineation between the two may seem somewhat clear today, it will become foggier as more people come to understand how to manipulate information on the internet.

  2. Amelia says:

    Mr. Hancock makes an interesting point suggesting that incorporating scienter could be a useful way to narrow the application of this very broad law. As a benevolent and unsophisticated internet user myself, I tend to think that, if I can see a document stored on another computer on my browser, I have access to it. The burden is definitely on the owner of that document to install sufficient protections. However, individuals who gain access to information and then use that information in destructive ways should certainly be prosecuted for the real damage that they did or attempted to do.

  3. Tim says:

    I think a much broader question that should be asked and seems to be simply assumed by many of the posts above is whether the government should even have a role in online data privacy? The argument that is so often trumpeted for a broader, more integral role for the government is the fact that “technology is advancing soooo quickly.” Has not that always been true? Has not technology since the technological revolution always been advancing quickly? The US government, as designed in order to preserve our personal freedoms and rights to privacy, was intended to move slowly, while technology, fed by an ever more insatiable drive for the “next thing,” moves quickly. With the expansion of the regulatory state, government has been able to move quickly than before, but it is still plagued by the problems characteristic of regulatory agencies (capture, mission creep, etc.). Government has rarely been in the past and never will be an effective enforcement force when it comes to data protection.

    More to the point of this article, however, is whether criminal laws should be enforced, seemingly at the whim of the prosecutor, against a “hacker.” Perhaps, rather than punishing a person for picking up gold nuggets on a beach, it would be better to keep the gold nuggets off the beach in the first place. Companies must protect their data security and that of their customers. Perhaps rather than criminalizing activities which the government cannot understand or sufficiently monitor, it would be far better to create incentives for self-regulatory agencies, those who are composed of member companies and involved in the industry, to police data security systems.

    Unfortunately, one of the realities we must come to terms with is it will never be possible to have 100% data security in an open and free internet system. There will always be hackers. And there will always be security breaches. Creating criminal laws that will then be arbitrarily enforced against those the prosecutor decides he does not like is not an acceptable system.

  4. Collins Kilgore says:

    There is also room for tort law to keep companies in line. For instance, the AT&T users whose emails were hacked might sue. There have been other, similar data breach lawsuits:

  5. John Craven says:

    I have to second Matt’s point above that the law itself, though not as refined as it could be, doesn’t seem to stand as too much of an impediment to protecting private information. However, poorly exercised prosecutorial discretion will likely become a much larger problem as these issues continue to grow to a global scale.

  6. Parker Hancock says:

    So, I actually wonder whether the law is bad because of the technology, or because it fails to wrestle with a much older topic – scienter.

    It may be impossible to draw a technological line between aimless users, security professionals, and hackers, but when a person stumbles upon an email list, it should be no crime. When the same person stumbles on that list, and posts it on the internet, does that show culpable intent? What about stealing credit card numbers? posting them? using them?

    I think the problem may be how to add to the statute “… with intent to [?].”

    It sounds like this may be yet another case of Congress failing to include an intent element, and seeing the consequences of not conforming to that tradition of the Criminal Law.

  7. Danielle Barav says:

    In an effort to update other technology-based laws, the Senate Judiciary Committee recently approved of an amendment to the Electronic Communications Privacy Act of 1986. When the ECPA was passed, email was treated much more like paper mail. Email that was unopened for 180 days was considered abandoned and the government could access it without a warrant. This amendment would offer more privacy protections for electronic communication by requiring government actors to get a warrant to access stored emails. For more information, see:

  8. Colton Cline says:

    Really interesting article. The issue is obfuscated even further by the fact that many online users are not necessarily savvy with regards to online security. Information is becoming easier and easier to obtain, and many times there isn’t even a technical breach of the law. All of this is especially disconcerting as different governments and organizations are seeking to exercise control over the internet (e.g., E.U., U.S. Government). All of this is compounded by the power and influence of ISPs and multimedia companies.

    Not the mention the proliferation of “hacktivist” culture. Yesterday, Anonymous distributed personal information about a prominent member of Westboro Baptist Church including social security numbers. Once the information is out there, it’s out there for good. It’s even scarier that vigilantes aren’t in it for financial gain, so there’s less of a “paper trail.”

    • Caitlin Angelette says:

      I gotta second Colton on this one. Maybe this guy was acting with the world’s best interests at heart, and maybe AT&T should just be grateful that it can close a security loophole and protect its customers. But, the internet is still a wild, unmanageable place and there will be bad actors who don’t have the best intentions. This might be an outdated law, this might be setting precedent as a warning to the others.

  9. Matt Ginther says:

    How much of this is bad laws compared to bad enforcement. On its face the law seems to be fairly neutral. But, for whatever reason, the U.S. Attorney in Jersey thought it would be appropriate for his office to bring a claim against this individual. I doubt any rewriting of the laws that will allow for the flexibility needed for contemporary technology can at the same time protect against misguided prosecutor discretion. Are the corporations at the receiving end of these embarrassing incidents applying pressure to prosecute these individuals, and if so why are we giving in when it is against public policy?

  10. Marina Visan says:

    The issue of the law being unable to keep up with technology is extremely prevalent at the moment. It’s very interesting that these laws/provisions apply, considering our recent technological abilities. Technology now can allow one to take a picture of a random stranger on the street, and, by blending online and offline data, produce that stranger’s personal information, such as date of birth, address, and even social security number. Obviously, something as intrusive as this was not foreseen when these provisions were written.

  11. Brad Edmondson says:

    See also this security researcher’s take on the chilling effect this type of enforcement will likely have:

    “[W]e could come up with a theory of ‘implicit’ authorization. Obviously I intend people to read this blog, and therefore, I’ve implicitly authorized you to do so.
    . . .
    But what are the limits of implicit authorization? Let’s say you are reading a website that has ‘articleId=31337′ at the end. You wonder what the next article is, so you go to the URL and change it “articleId=31338” and hit return. Have you ‘exceeded authorized access’? It’s hard to say. If article ’31337′ is public, why not ’31338′?
    . . .
    This is selective enforcement. The FBI doesn’t go after everyone who adds one to a URL, only those who embarrass the Fortune 500.
    . . .
    For cybersecurity researchers like me, this creates chilling effect. In order to fix security we have to point out when it’s broken. When we see this broken press release, what do we do? Do we keep our head down, or do we speak up? Even if we’ll probably be found innocent, why take the risk? Better to keep quiet.”

  12. Samantha says:

    I think this is a very interesting post. I will be curious to see how this issue develops in the future. It is also interesting to compare US data protection laws with the EU’s. Data protection is considered a fundamental right within the EU.