To some, hacker Andrew "Weev" Auernheimer is a cause celebré. To others, he's a famous douchebag. To many, he's a polarizing figure in a debate that's roiled Silicon Valley, pitting established tech companies against rogue innovators. When Auernheimer was sentenced to 41 months in prison for collecting and publicizing the names of 114,000 AT&T iPad users, reporters grappled over the right words to characterize him. A headline in Venture Beat reflected their ambivalence: "Terrorist, hacker, freedom fighter: Andrew Auernheimer parties tonight in expectation of jail tomorrow."
The law that federal prosecutors used as a blunt instrument against Auernheimer is nearly three decades old, but it's had a weird pop-culture resurgence in recent months. Called the Computer Fraud and Abuse Act (CFAA), it prohibits "unauthorized" invasion of a computer server, mostly to discourage vindictive hackers from drilling past a firewall and scooping up sensitive information. (Auerheimer's lawyer, Tor Bernhard Ekeland, says the law originally protected computers that were run by stock exchanges or big financial institutions.) But in recent years it's been wielded more broadly, often to punish individual programmers who only want to make information more accessible to the public.
Federal prosecutors deployed the CFAA against Internet programmer Aaron Swartz, who hanged himself while facing a potential 35-year rap for downloading documents from the academic website JSTOR. It also triggered a federal indictment of former Reuters social media editor Matthew Keys, who allegedly helped the hacker group Anonymous tweak a web headline in the Los Angeles Times, owned by Keys' former employer. His arraignment, scheduled for next week in Sacramento court has also stirred emotions and stoked a fierce debate in the tech world.
While bloggers spar over the guilt or innocence of these three defendants, activists have used them to animate a strong critique of the CFAA, even as lawmakers threaten to make the law tighter. At the same time, Silicon Valley companies are wielding it as a sword in litigation, since a provision added in 1994 allows any of them to sue a competitor for security breaches without waiting for help from the feds. Oracle won a $1.3 billion copyright verdict against its German rival, SAP AG, for a case that stemmed from CFAA complaints. Facebook used the law for its ongoing suit against Power Ventures Inc., a spammer based in the Cayman Islands. San Francisco lawyer Bree Hann, who helped represent Oracle, says she's seen the law crop up more and more frequently in intellectual-property suits.
"The way I've typically seen it, one company has a system, and the other company breaks into it," she says, explaining that some companies use security breaches to gain a competitive advantage. In other cases, a disgruntled employee might steal a password or hand it to someone else.
Because the CFAA has become such a valuable tool for protecting trade assets, most Silicon Valley giants have little reason to denounce it. If anything, legislators on Capitol Hill are pressing for stronger, broader language — a draft "cyber-security" bill circulating through the House Judiciary Committee would ratchet up punishments for computer crimes, and redefine CFAA violations as a form of racketeering. Interestingly, it's emerged at a moment when tech companies have more lobbying power in Congress than every before.
Last year, Silicon Valley bigwigs poured billions of dollars into "patent troll" reform, hoping to gird themselves against frivolous patent and copyright suits. This year, Facebook CEO Mark Zuckerberg plans to launch a Super PAC with help from Yahoo CEO Marissa Mayer and venture capitalist John Doerr. Those names alone could tilt the power axis in Washington.
But lawyers defending Keys and Auernheimer worry these companies have no intent to push for lighter cyber-security laws, even if Zuckerberg pays a ton of lip service to "innovation." Attorney Hanni Fakhoury, one of several Electronic Frontier Foundation attorneys representing Auernheimer on his appeal, says he's seeing more divisions now than two years ago, when a broad swath of the tech sector united against the Stop Online Piracy Act. He's not sure that Congresswoman Zoe Lofgren will garner the same widespread support for her proposed CFAA reform, which would narrow the law's scope. (She's called the revised version "Aaron's Law," in honor of Swartz.)
"If you follow what people are saying on Twitter versus what's happening in the decision-making room, there's a big disconnect," Fakhoury says, explaining that cyber-security has created a huge fault-line in the tech world. Internet activists want more leniency. Businesses want stronger protections. The Department of Justice, meanwhile, seems paranoid that a lighter law would make it more vulnerable to cyber-security attacks.
And those interests all intermingle: Kevin Mandia, a D.C. consultant who testified for Oracle in its suit against SAP, also tracked Chinese hackers who were attacking U.S. corporations and government agencies. Meanwhile, the Department of Justice often invites testimonials from representatives of Symantec Corp. or other security companies when it's considering these issues, which only skews the conversation, Ekeland says, because "they have a vested interest in playing into the hysteria."
The irony is that Silicon Valley was built by people who broke rules, tore down digital walls, and embraced "disruption" — all the outlaw values that big companies are now trying to expel.
"Steve Jobs was selling little black boxes that allowed you to get free access to AT&T's international phone network," Ekeland says. "Bill Gates wrote a virus that infected a company network when he was 13." Whatever their trespasses, Keys, Swartz, and Auernheimer also represent a long tradition of innovators worming into networks to extract information.
Ekeland insists that the tech sector has lost site of its goals as it's grown richer and more powerful. "There are people in the computer services industry who are freaking out about this stuff," he says. "And these prosecutions are stifling innovators like Aaron Swartz."
But the tech world still hasn't formed a consensus around web security. Everyone is abstractly interested in the idea of crossing boundaries and forging new ideas. Yet those ideals bump up against the day-to-day concerns of running an international business and shielding trade assets. If anything, the CFAA debate may be symptomatic of a yawning wealth-and-power gap in Silicon Valley. Fakhoury doesn't see a quick resolution.
"Here's what's funny about this," he says. "We got all up in arms when Swartz killed himself. We get all up in arms when we hear about these crazy prosecutions. We work our butts off to educate the public, and you read about it in ... all the liberal media outlets."
He paused a beat. "But the fact that Oracle wants it will be enough to keep it as is. If a big company funneling billions of dollars to DC wants [this law], then we're stuck."