The First Amendment and the Computer Fraud and Abuse Act collided last month when the UK arrested Wikileaks founder Julian Assange on, among other things, a US extradition request for computer crime. He has since been sentenced to 50 weeks in a British prison. For roughly seven years before his arrest, he’d been living in the Ecuadorian Embassy in London, but on April 11, the Ecuadorian government withdrew his asylum. Now the UK courts will evaluate the US’s request to send Assange to Virginia to stand trial in federal court for a single felony charge of conspiracy to commit unauthorized access to a government computer, a violation of the Computer Fraud and Abuse Act (CFAA).
After Assange’s arrest, many reached out to ask me about the CFAA. For years, I've represented hackers in federal criminal cases nationally involving the CFAA, including Lauri Love, whom the U.S. unsuccessfully tried to extradite from the U.K. The U.S. indicted Love in three separate federal courts in New York, New Jersey, and Virginia, for hacking of a number of government sites including NASA, the FBI, the United States Sentencing Commission, and the Bureau of Prisons. This was part of #OpLastResort, in protest of the CFAA prosecution and death of computer science pioneer Aaron Swartz, whose suicide in 2013 was widely viewed as resulting from a draconian CFAA prosecution. Whether intended or not, the CFAA makes it easy for a prosecutor to bring felony computer crime charges even when there’s little or no harm.
The CFAA is the federal government's primary anti-hacking statute. Created in 1984, it prohibits unauthorized access to a computer, system, or network and unauthorized deletion, alteration, or blocking of access to, data or information. It is both a civil and criminal statute, meaning that people and businesses can use it to sue each other for private wrongs, and the government can use it to put you in jail for public wrongs. Its dual nature gives rise to a problematic feature: most of the law interpreting it comes from civil cases where the stakes aren't as high as in a criminal case. Thus, the quality of reasoning in civil cases, despite frequent lip service from courts to the contrary, isn't as robust as in a hard-fought criminal case. Because at the end of the day, if you lose a civil case you just lose money. If you lose a criminal case, you lose your liberty. But the CFAA doesn’t clearly tell you all the ways it can be used to take away your liberty.
The core problem with the Computer Fraud and Abuse Act is that it doesn't clearly define one of the central things it prohibits: unauthorized access to a computer.
The core problem with the Computer Fraud and Abuse Act is that it doesn't clearly define one of the central things it prohibits: unauthorized access to a computer. The courts across the country aren't any help on this front, issuing conflicting decisions both with other jurisdictions and often within their own. Under the CFAA, what is a felony in one jurisdiction is legal in another. This lack of definitional clarity allows prosecutors to charge felonies even when the harms are minimal, questionable, or just political views that DOJ doesn't like. This is a serious problem, given that much political speech and protest these days is done with computers. And DOJ has previously used the CFAA in a politically charged prosecution.
In 2011, DOJ charged the politically outspoken Aaron Swartz under the CFAA for going into an open server closet at MIT, a mecca of modern American hacking, and downloading academic articles—many of which were publicly funded—for public distribution. Even though the extent of any harm was questionable—this was a mere copying of articles—DOJ charged him with felony unauthorized access to a computer, unauthorized damage to a protected computer, felony aiding and abetting of both, and wire fraud. He faced a maximum sentence of decades and large fines. The punishment sought was strikingly disproportionate to the alleged harm.
On January 11, 2013, Aaron Swartz killed himself before there was any trial. Swartz's death was a loss to our society, given the innovations he contributed to it, like co-developing RSS and co-founding Reddit. Many, myself included, view his prosecution as a political one directed against Swartz’s belief that information should be free.
Likewise, the Assange prosecution looks more like an attack on core political speech protected by the First Amendment than a proper exercise of prosecutorial discretion. Assange is facing a single count indictment for conspiracy to violate the CFAA. The indictment stems from an incident in 2010 when Assange allegedly told then-Army private Chelsea Manning, who was leaking classified materials to Assange to be published on Wikileaks, that he would help her crack a password to gain access to military computers. Prosecuting Assange for a computer crime sidesteps the elephant in the room: this is the prosecution of a publisher of information of interest and importance to the public about our government. The First Amendment protects the act of publishing that information. Therefore, the act being prosecuted is inextricably linked to the act of obtaining this information because the charged crime is conspiracy to access the system with the information of public import. Prison time for Assange might deter others from publishing information that exposes the inner workings of government.
Assange and WikiLeaks are publishers just like the New York Times. And if it was legal for the New York Times to publish the classified Pentagon Papers detailing the U.S.'s lies when it came to Vietnam, it's legal for Wikileaks to do the same.
Assange's factually threadbare indictment doesn't give much indication of how strong a conspiracy case the government has.
The indictment dances around this issue by trying to limit everything to a technical computer crime conspiracy. The indictment accuses Assange of a single count of conspiring to hack a password to gain unauthorized access to a government computer. As such, it rests squarely in the anti hacking purpose of the CFAA—preventing someone from hacking into a system. But note, under the CFAA it's not against the law to crack a password. You have to crack a password, and then use it to gain unauthorized access to a system. Gaining, attempting to gain, or conspiring to gain, access is the critical element. And Assange's factually threadbare indictment doesn't give much indication of how strong a conspiracy case the government has.
The indictment and its context make it obvious that DOJ is struggling with this issue and may bring more charges, including espionage charges, that will turn Assange's case into a First Amendment battle royale. The narrowness of the indictment and the fact that its theory of liability is based on conspiring to hack a password—and not the theft and publication of information—is evidence that DOJ is dancing around the issue. We know that a grand jury is reviewing the possibility of another indictment against Assange, because Chelsea Manning is in jail for refusing to testify against Assange in front of it. And we know, because of the extradition treaty with the U.K., that the U.S. has 65 days to submit its final charges from the time it submitted its extradition request. This means that DOJ has until the middle of June to bring final charges.
If DOJ brings espionage charges, it's going to bring out the First Amendment heavy-hitters. The Espionage Act has a long history of being used to silence political dissent going back to President John Adams’ administration, which used the Alien and Sedition Acts to prosecute critics of its foreign policy. In the 20th century, the Alien and Sedition Acts turned into the Espionage Act, which is used to prosecute whistleblowers more than spies. It's no coincidence that the first Supreme Court First Amendment cases involve Espionage Act prosecutions for political speech.
DOJ can try and dodge the First Amendment implications of its actions by sticking with the current indictment. If so, Assange has some obvious defenses. For instance, the government has to prove that there was a conspiracy to gain unauthorized access to a government computer. Again, it's not against the law to hack a password, but it is to hack a password and then use it to gain access. This requires the government to prove that when Assange agreed to the conspiracy, he had the same mental state necessary to be found guilty of committing that criminal object of the conspiracy. For this reason, conspiracy is often called a crime of two intents. The government not only has to prove that Assange agreed to conspire, and that an act in furtherance of the conspiracy was committed by one of the conspirators, but also that Assange had the same intent necessary to convict him of actually gaining unauthorized access to a government computer. To be convicted of conspiring to rob a bank, you have to have really intended to rob the bank. But it's possible that Assange was just playing along with Manning, or yessing her, or never agreed to participate at all. That’s for a jury for decide.
There's a lot of problems with the Assange prosecution just like there are with the CFAA. More than there's space for here. Stay tuned though, because there's surely more to come. Whatever you think of Assange, his prosecution is a fraught one for press freedom. That much is clear from the indictment’s careful avoidance of the First Amendment elephant in the room, and the current Grand Jury contemplating more charges against Assange. It’s also fraught because the prosecution seems to be not really directed at deterring or punishing the actual hacking—for which Manning has done her time—but at punishing those who publish the government's dirty secrets.
WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here. Submit an op-ed at email@example.com