The Dallas Morning News
What law is Assange accused of breaking?
Critics say vagueness of 1984 antihacking statute often abused
WASHINGTON — The crime U.S. authorities have charged WikiLeaks founder Julian Assange with was not publishing classified information, an accusation that some have said would amount to an attack on media freedoms.
Instead, federal officials accused Assange of violating a very different law when he allegedly conspired with former Army intelligence analyst Chelsea Manning to try to break the password of a government computer and gain access to its secrets. It is unclear from the indictment whether Assange succeeded in breaking the password.
The law in question — the Computer Fraud and Abuse Act, the premier U.S. antihacking statute — makes it illegal to access a computer without authorization. But the 35-year-old legislation has long been dogged by critics who say the law’s vagueness has been abused to go after even relatively innocuous behavior by everyday Americans.
When the law was passed in 1984, it largely focused on unauthorized penetration into government computers, said Paul Ohm, a professor in computer and privacy law at Georgetown University. But within a couple of years it was broadened significantly.
“It is really sweeping,” Ohm said. “And it’s been expanded in lots of ways to cover lots of unsavory activity involving computers, even if it’s activity we never would consider traditional computer hacking. It’s become a sort of Swiss Army knife for punishing misconduct online.”
Assange is not the only foreign citizen to come into the law’s cross hairs. U.S. officials invoked the law to seek the extradition of Lauri Love, a Briton who allegedly broke into the computer networks of the FBI, NASA and the Department of Energy in 2012 and 2013. Another British citizen, Gary McKinnon, faced similar charges over his alleged hacking of the Defense Department in 2001 and 2002. Neither Love nor McKinnon was successfully extradited to the United States — but a different fate may await Assange, whose arrest at the Ecuadorian Embassy in London came in response to a U.S. extradition request.
The vagueness of the law, Ohm said, stems from varying interpretations of its two key parts: A prohibition on accessing a computer “without authorization,” and “exceeding” authorized access.
Exceeding authorized access was the key to an infamous case involving Aaron Swartz, an internet activist who committed suicide in 2013 after federal prosecutors accused him of hacking into a university computer network.
Swartz’s alleged crime was using an automated program to download large troves of public-access academic journals from the online database JSTOR. Swartz’s actions were a violation of JSTOR’s terms of service, but the transgression gave prosecutors an opening to charge him under the Computer Fraud and Abuse Act. Swartz faced a maximum of 50 years behind bars and a fine of $1 million, but he hanged himself before the case went to trial.
Following Swartz’s death, Rep. Zoe Lofgren, D-Calif., introduced legislation to narrow the scope of the law. The bill did not pass.
Assange’s arrest could revive calls for the law to be narrowed in scope. But that may not shield him from prosecution under the law. That’s because Assange’s charge of conspiring to break into a government computer hews much more closely to the law’s original intent, Ohm said.
“It would be a mistake to conflate this case with the really aggressive uses of the CFAA,” he said.