Tor Ekeland works out of the smallest office I’ve ever seen, in the kind of Brooklyn coworking space where a guy is inexplicably asleep in the common area at 2:30 in the afternoon. The office has three chairs and glass walls and is not much wider than the doorway. There’s just enough room for Ekeland, his partner, Mark Jaffe, and, once, a third lawyer who left the tiny firm “for a job that actually paid.”
This is where Ekeland was sitting when, earlier this year, Andrew Auernheimer—the hacker and activist known as weev and, also, Ekeland’s very first client when he struck out into private practice—called him and said, “Matthew Keys has just been indicted. You want to take this case.”
The federal government was alleging that Keys, then a social media editor at Reuters, had conspired with the infamous group Anonymous to hack the Los Angeles Times’ website. Keys, according to the government, had given the hackers access, and off they went. They managed to, as the Department of Justice put it, “make changes to the web version of a Los Angeles Times news feature,” changing a headline to “Pressure builds in House to elect CHIPPY 1337,” and the text of article to report on a “deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.”
Like Auernheimer, Keys would face charges under the Computer Fraud and Abuse Act, and he needed a lawyer.
Not that long ago, Ekeland hadn’t even heard of the CFAA. But in 2011, his wife, a photojournalist, was covering Occupy Wall Street when she happened to meet Auernheimer. “She sees this guy holding up a controversial sign,” says Ekeland. (It had anti-Zionist slogan on it.) “She’s talking to him while she shoots—she’s good at that. ‘You’re not going to be so popular in town,’ she says.”
By the time she was done shooting, she’d learned that Auernheimer was, indeed, unpopular with powerful people—that he had been indicted for his part in downloading and sharing, widely, the email addresses of AT&T iPad customers. She had also learned that he wanted to get rid of the public defender who had been assigned to him. She came home and told Ekeland, who had recently left a job in Big Law and was planning on striking out on his own. He googled Auernheimer, realized that—whatever the outcome—the case could make a difference, long term, in how the law was interpreted. Ekeland had never tried a case in federal court before. But Auernheimer, Ekeland said, didn’t see that as a problem. “I told him my stats, and he was like, ‘Okay, let’s go.’”
* * *
For lawyers, one of the attractive aspects of computer crime is that the legal questions at issue haven’t been settled. They can see how the cases they take on now could define the shape of digital law for years to come—and there are more of those cases than ever before. “I think the CFAA has been a favored tool of federal prosecutors,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation. “My instinct is that it’s growing in popularity.”
The CFAA was first written in a world when few people had personal computers and even fewer went online: As we’ve come to use computers (and phones and iPads) to do pretty much everything, the law has become more powerful, and prosecutors are only now testing the limits of what they can do with it. It allows them to ask for large fines and stiff sentences for misdeeds like accessing websites or downloading data. Keys faces up to $750,000 in fines, and up to 25 years in prison. Aaron Swartz could have been sentenced to a maximum of $1 million fines, and up to 35 years. At the same time, defense attorneys are pushing back, trying to convince judges to narrow their interpretation of the law’s power.
The campaign to pass “Aaron’s Law”—or, at least, some version of CFAA reform—is meant to address the law’s shortcomings. But as it stands now, if, like Keys, or Auernheimer, you’re faced with CFAA charges, you need to start by calling a good defense lawyer.