As of March 1, 2009, The MTTLR Blog is migrating to http://www.mttlrblog.org. All new updates will be posted at the new location.

Wednesday, November 5, 2008

Palin Email Hack - Time to Update and Expand the Computer Fraud and Abuse Act?

by: Sherri Nazarian, Associate Editor, MTTLR

Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act - Part one argues that the CFAA should not be expanded to address the problem of online bullying. Part two (this post) looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA's provisions.

padlock and latch
Image Security by David Goehring. Used under a Creative Commons BY 2.0 license.
It has been over two decades since David Lightman, a scrawny Seattle high school boy, stole our hearts when he almost started World War III by hacking into the North American Aerospace Defense computer system in the 1983 movie Wargames. David Kernell, a modern day hacker, who allegedly broke into Sarah Palin’s personal Yahoo e-mail account certainly generated the same amount of attention, but he may not have elicited the same emotions.

The hacker impersonated Palin and used three pieces of readily available personal information in order to change the account’s password and get access to her e-mails. Palin’s e-mail contents, including some personal family pictures, went online overnight and in the process raised not only questions about internet security and personal privacy on the web, but also about whether Palin was deliberately attempting to hide public records by using a personal e-mail account to conduct state business.

This high-profile incident suggests it may be time to revisit the available legal tools to prosecute cyber crimes. The primary statute used to incriminate hackers is the Computer Fraud and Abuse Act (CFAA)—originally enacted in 1984. The statute makes it illegal for a person to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] … information from any protected computer ….” However, the statute does not make it easy for a prosecutor to charge Palin’s hacker with a felony, unless other conditions are met. Former Justice Department computer crime Prosecutor Mark Rasch anticipates that the hacker could be charged with as little as a misdemeanor and face “little, if any, jail time.” The statute calls for a felony charge if, inter alia, the value of the information the hacker obtains exceeds $5000, or if the hacking was “committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” It is not clear that Palin’s hacker falls under any of these categories.

According to computer experts, Palin’s hacker used a domestic proxy server in order to transmit the images to websites, which led to his arrest. One of the bigger problems stemming from advances in internet technology is the difficulty in tracking down hackers who leave little or no trace behind. One such dilemma results when a hacker cleverly uses a proxy server located in a foreign country, where potentially the United States has no jurisdiction (or means via a treaty) to subpoena the log entry. The need for more domestic and international protection remains a salient need of our society.

Even though Palin’s e-mail hacking incident is no inauguration of World War III, it is a wake up call to officials—who hopefully have checked their e-mail security by now—and legislators in charge of amending the laws. Today’s fast-paced technological society and the borderless world of the internet make us aware of the need for more protection against cyber criminals through broader statutes with provisions that cover not just hackers, but facilitators as well. The possibility of cyber crimes pushing countries into ratifying treaties like the Convention on Cybercrime, is, to say the least, a rational expectation.

Labels: , ,


Anonymous Anonymous said...

While I agree with the author that it is undoubtedly time for our domestic and international laws to catch-up with cyber crimes in our ever-advancing technological world, I would question whether any broadening of the CFAA in this context is necessary.

Reiterated in my article below, the CFAA was enacted with the Congressional intent to protect Government and financial computer systems. Broadening the CFAA to include personal email protection might be beyond the original purpose and intent of the Act.

Furthermore, it is not necessary for federal prosecutors to stretch the CFAA to prosecute David Kernell. Rather, prosecutors can look to the Electronic Communications Privacy Act (ECPA) to charge Kernell. Congress passed the ECPA specifically to afford privacy protection of electronic communications to any person aggrieved by violations within the Act. Under Title I of the ECPA, the Wiretap Act makes it a criminal offense to intentionally intercept any electronic communication. 18 U.S.C. § 2511(1)(a). Under Title II of the ECPA, the Stored Communications Act, anyone who "intentionally accesses without authorization…an electronic communication service…and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage…shall be punished." 18 U.S.C. § 2701(a). David Kernell’s action clearly falls within the violations listed in the ECPA. Whether Congress should modernize the ECPA to fit our current times is a question I’ll leave open in this comment. Regardless of the answer, the ECPA still remains a better tool for prosecutors to deal with Palin’s personal email fiasco than the CFAA.

November 14, 2008 at 12:28 AM  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home