Tor Ekeland works out of the smallest office I’ve ever seen, in the kind of Brooklyn coworking space where a guy is inexplicably asleep in the common area at 2:30 in the afternoon. The office has three chairs and glass walls and is not much wider than the doorway. There’s just enough room for Ekeland, his partner, Mark Jaffe, and, once, a third lawyer who left the tiny firm “for a job that actually paid.”
This is where Ekeland was sitting when, earlier this year, Andrew Auernheimer—the hacker and activist known as weev and, also, Ekeland’s very first client when he struck out into private practice—called him and said, “Matthew Keys has just been indicted. You want to take this case.”
The federal government was alleging that Keys, then a social media editor at Reuters, had conspired with the infamous group Anonymous to hack the Los Angeles Times’ website. Keys, according to the government, had given the hackers access, and off they went. They managed to, as the Department of Justice put it, “make changes to the web version of a Los Angeles Times news feature,” changing a headline to “Pressure builds in House to elect CHIPPY 1337,” and the text of article to report on a “deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.”
Like Auernheimer, Keys would face charges under the Computer Fraud and Abuse Act, and he needed a lawyer.
Not that long ago, Ekeland hadn’t even heard of the CFAA. But in 2011, his wife, a photojournalist, was covering Occupy Wall Street when she happened to meet Auernheimer. “She sees this guy holding up a controversial sign,” says Ekeland. (It had anti-Zionist slogan on it.) “She’s talking to him while she shoots—she’s good at that. ‘You’re not going to be so popular in town,’ she says.”
By the time she was done shooting, she’d learned that Auernheimer was, indeed, unpopular with powerful people—that he had been indicted for his part in downloading and sharing, widely, the email addresses of AT&T iPad customers. She had also learned that he wanted to get rid of the public defender who had been assigned to him. She came home and told Ekeland, who had recently left a job in Big Law and was planning on striking out on his own. He googled Auernheimer, realized that—whatever the outcome—the case could make a difference, long term, in how the law was interpreted. Ekeland had never tried a case in federal court before. But Auernheimer, Ekeland said, didn’t see that as a problem. “I told him my stats, and he was like, ‘Okay, let’s go.’”
* * *
For lawyers, one of the attractive aspects of computer crime is that the legal questions at issue haven’t been settled. They can see how the cases they take on now could define the shape of digital law for years to come—and there are more of those cases than ever before. “I think the CFAA has been a favored tool of federal prosecutors,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation. “My instinct is that it’s growing in popularity.”
The CFAA was first written in a world when few people had personal computers and even fewer went online: As we’ve come to use computers (and phones and iPads) to do pretty much everything, the law has become more powerful, and prosecutors are only now testing the limits of what they can do with it. It allows them to ask for large fines and stiff sentences for misdeeds like accessing websites or downloading data. Keys faces up to $750,000 in fines, and up to 25 years in prison. Aaron Swartz could have been sentenced to a maximum of $1 million fines, and up to 35 years. At the same time, defense attorneys are pushing back, trying to convince judges to narrow their interpretation of the law’s power.
The campaign to pass “Aaron’s Law”—or, at least, some version of CFAA reform—is meant to address the law’s shortcomings. But as it stands now, if, like Keys, or Auernheimer, you’re faced with CFAA charges, you need to start by calling a good defense lawyer.
Tor Ekeland is part of a small but growing cadre of attorneys, working, for the most part, on one coast or the other, who specialize in defending against computer crime charges. There are also more lawyers working to prosecute alleged violations of the CFAA. When Orin Kerr, now a professor and expert on computer crime law, began working at the Justice Department in 1998, he was only the 17th lawyer in the computer crime and intellectual property section. Now, there’s at least twice that many, just in Main Justice, that work on computer crime, and dozens more working across the federal government and in US Attorney offices.
While Kerr worked as a prosecutor for the government, as an academic he’s focused on reforming the CFAA and defending a select few clients whose cases shows the flaws he’s identified in the law. When Kerr started teaching in 2001, he focused this area because he thought computer crime issues “were going to be the criminal law subject of my generation,” he says. He wanted to delve into it, see how the issues were going to play out over time. He also saw a chance to influence how the law was going to develop.
“No one was writing about this 10 years ago,” he says. “Other academics thought that was a very odd subject. Ten years later, it’s a major issue.”
* * *
The case that most represents the opportunity to influence the law right now is Auerheimer’s. “The trial is a shitshow,” says Ekeland. “A fight in a pit.” They lost the first round: Last November, a jury found Auernheimer guilty of violating the CFAA, and he’s currently serving a sentence of 41 months. Ekeland was right, though, to think the case could make a difference in how the law is interpreted: Since he took it up, EFF and Kerr have signed on to help with Auernheimer’s appeal.
This case, in particular, is attractive to lawyers because it could change how courts interpret the the CFAA. “I look for major impact in the direction of the law,” Kerr says. “The scholarship is what helps frame the debate but the litigation is what influences the courts.”
At issue in the case is what constitutes “unauthorized access” to a computer. The information that Auerheimer and his co-defendant (who pled guilty) accessed and spread was available on the Internet, without a password—you just needed to know where to look.What they did is close enough to techniques journalists use regularly that, when the subject of a Scripps-Howard investigation threatened to use the CFAA against the news agency, reporters immediately started making comparisons.
The legal issues in Keys’ case, which hasn’t gone to trial yet, are a little more cut-and-dry. He’s indicted under a different section of the law, for “causing damage without authorization to a protected computer”—not for accessing the computer but for, essentially, forcing the Tribune Company to invest in better digital protection. But his case is part of the same story as Auerheimer’s and Swartz’s. These three cases are data points in an argument that advocacy groups like the EFF and academics like Kerr are making: that the CFAA, as it’s written now, makes little sense and, at the whim of prosecutors, can be used to punish people for relatively minor offenses.
Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.