
Keystroke cops

24 September 2014 By Reynolds Holding

Uncle Sam has gotten his wires crossed on internet data privacy. A hacker went to prison for exposing private customer information that AT&T failed to protect from online access. Now U.S. prosecutors are defending their right to do essentially the same thing in the Silk Road drug-website case. Anti-hacking laws are tough to take seriously when even enforcers can’t decide what’s allowed.

The Computer Fraud and Abuse Act prohibits using or accessing computers without authorization. What that means, though, is far from clear. Several courts have ruled, for example, that almost any breach of an employer’s computer policies can be a crime. And a federal jury convicted Andrew Auernheimer in 2012 for, in effect, revealing a website’s security flaws.

Auernheimer, also known as Weev, discovered that digitally mimicking an iPad could lead him to an obscure but unprotected AT&T website that displayed iPad users’ email addresses. He told gossip site Gawker about the privacy hole, and prosecutors charged him with criminal hacking. Their argument was that AT&T meant to keep the addresses confidential, even though anyone with internet access could theoretically find them. Auernheimer was locked up for about a year until April this year, when an appeals court reversed his conviction on a technicality.

Prosecutors seem to have picked up on his tricks, though. The Silk Road underground website allegedly trafficked in illegal drugs. Last year, the FBI discovered the computer server hosting it when the hidden address leaked through a flaw in the site’s log-in page. Prosecutors say searching the server was legal, because its address was public – even though the site owner meant to keep it secret.

The argument makes sense. But it also sounds like Weev’s defense. There are differences, of course. The legal standards for violating the computer fraud act and constitutional limits on searches and seizures aren’t necessarily the same. And the statute includes an exception for “lawfully authorized” government investigations.

It’s hard to understand, though, why stumbling upon information that’s publicly available on the internet should ever be illegal. U.S. prosecutors may be guilty of hypocrisy and poor judgment for pursuing Auernheimer. But only Congress can fix a law that’s overly broad and ambiguous.

