September 23, 2008

September 23, 2008 | Commentary on Legal Issues

A Tale of Two Hackers

Consider two cases. In one, a suburban housewife posed as a teenage boy on MySpace to learn more about her daughter's on-again, off-again friend. In the other, a gang of computer geeks broke into the personal e-mail account of a vice-presidential candidate because they were seeking smear material.

Here's the odd thing: In all likelihood, both - the housewife and the hackers - will be tried under the same federal anti-hacking statute. It's a case study in how good intentions can lead to bad laws. The law in this case is the Computer Fraud and Abuse Act of 1986. It was the result of a dilemma that Congress and all states faced about 20 years ago. Computer crime was on the rise, with more computers being networked together, and something needed to be done. The problem, as law professor Orin Kerr has explained, is that it's actually difficult to conceptualize, and then put into clear language, what we think of today as hacking.

So Congress, and most state legislators, did what comes easiest to them: Punt on the hard question and leave it to prosecutors and the courts. The laws they passed ban "unauthorized access" to computers. It's not clear, however, exactly what that means.

In the vast majority cases, that issue never arises. The Sarah Palin case fits this mold.

According to reports, one of a group of online delinquents who hang out on a message board called "/b/" on a site called 4chan - they're known as "b-tards" - discovered that Governor Palin uses Yahoo! for her e-mail. He was able to reset the account's password using information gleaned from Google searches: Palin's zip code, her birthdate, and where she met her spouse.

There's not much skill involved in that, but it's still hacking, the same way that pushing open an unlocked window and shimmying inside is breaking and entering.

In an account posted on /b/ and reported by Wired, the hacker said he read all the e-mails in the account and found "nothing incriminating, nothing that would derail her campaign as I had hoped." After he posted the details of his exploit on 4chan, a slew of forum denizens accessed the account to root through Palin's correspondence.

The FBI and Secret Service are on the case, and though the initial intruder used a proxy server to disguise his location, that server's owner says he's more than happy to share his logs with the authorities. The authorities already have a suspect (the college-age son of a Democrat state senator in Tennessee) and came knocking on his door with a search warrant early Sunday morning.

The next stop for that hacker, and the others who accessed the account, may well be jail, for up to five years under the Computer Fraud and Abuse Act. Throw in a possible conspiracy offense, a favorite of prosecutors because they're easy to prove, and the prison term could double.

That's the same sentence that suburban mom Lori Drew faces when she goes to trial next month.

Drew created a MySpace account under the name "Josh Evans" and befriended 13-year-old Megan Meier, a former friend of her daughter. She shared the login information with others - including an employee in her coupon-book business, her daughter, and some of the daughter's friends - and soon things took a turn for the worse.

After a quick friendship, Josh began to play on Megan's emotions. First he was flirtatious, and then his messages suddenly turned mean. He shared some of her private messages with her friends and posted public bulletins calling her "fat" and a "slut."

Megan's father recalls the final message his daughter received from Evans: "The world would be a better place without you." Twenty minutes after reading it, Megan killed herself.

According to the county prosecutor who investigated the case, Drew was not behind any of these later messages.

But gradually word of Drew's involvement emerged. When the media got wind of what had happened, the story exploded, and the public demanded vengeance. Two local prosecutors - one federal, one county - looked into the case but declined to prosecute: they decided Drew hadn't committed a crime.

But a federal prosecutor in Los Angeles, home of MySpace, was more creative. He indicted Drew for creating the fake account, a violation of the site's terms of service and therefore "unauthorized access." Drew now faces a long prison term, and all Internet users face the prospect that violating any site's terms of service - even adding an inch or two to your height on Match.com - may be a criminal offense.

The Computer Fraud and Abuse Act is, unfortunately, not unique in its breadth or its ambiguity. Many federal laws criminalize bad behavior and lots more, putting honest, law-abiding Americans at risk of prosecution and even jail. Prosecutors' discretion provides some protection, but even that fades when it's most needed, in the face of public outrage.

Maintaining the rule of law and liberty requires that criminal offenses be narrow and clear. Any law that can't tell the difference between Lori Drew and the Palin hackers fails that test.

Andrew M. Grossman is senior legal policy analyst at the Heritage Foundation.

About the Author

Andrew M. Grossman Visiting Fellow
Edwin Meese III Center for Legal and Judicial Studies

First Appeared in NRO