Total Pageviews

Sunday, January 27, 2013

Disruptions: A Fuzzy and Shifting Line Between Hacker and Criminal

In January 2011, I was assigned to cover a hearing in Newark, where Daniel Spitler, then 26, stood accused of breaching AT&T’s servers and stealing 114,000 e-mail addresses.

As I sat in the courtroom watching Mr. Spitler, who stood nervously next to armed United States marshals while listening to the judge and prosecutors, I couldn’t help thinking that I could have been the one in front of that judge, labeled a hacker by the Justice Department.

Am I a hacker No. Not even close. Yet years ago, when I first started learning how to write software code, I dabbled in things that could have been labeled as such by our outdated justice system: downloading free online scripts that could trace pople’s whereabouts or scraping Web sites in search of music that didn’t belong to me.

A hacker can be a vandal who renders a Web site inoperable or a thief who profits from stolen passwords and credit card numbers. Mr. Spitler was neither kind. But he was being paraded in front of the world, charged with fraud and conspiracy, and likened, by Paul J. Fishman, the United States attorney for New Jersey, to hackers from LulzSec and Anonymous. Mr. Spitler told prosecutors that he tried to notify AT&T about the security hole on its site, but after the company did not respond, the e-mail addresses were given to Gawker and other media outlets. He said he did not sell them, or post them online.

“Forty years ago, a hacker was someone who took great joy in knowing everything about computers,” said Susan P. Crawford, a pr! ofessor at the Benjamin N. Cardozo School of Law at Yeshiva University. “The word was really used in admiration. Now it is used to describe and condemn both professional cyberattackers and amateurs who are swept together within the broad description of the word.”

The same label of hacker was also applied by the Justice Department to Aaron Swartz. Mr. Swartz, a 26-year-old entrepreneur and activist, was set to be charged with wire fraud and computer fraud after he downloaded 4.8 million articles and documents from Jstor, a subscription-only service for distributing scientific and literary journals, because he felt that information should be available to everyone at no cost.

Mr. Swartz could have faced up to 35 years in prison and $1 million in fines, but before the case went to trial, he hanged himself i his Brooklyn apartment. His family issued a statement, saying that his death “is the product of a criminal justice system rife with intimidation and prosecutorial overreach.” The United States attorney who was overseeing the case, Carmen Ortiz, said her office’s “conduct was appropriate in bringing and handling this case.”

Both cases are perfect examples of the justice system’s misunderstanding what a hacker actually is. To many people who understand computers and the law, there is a danger in lumping people who have not sought financial gain with armed robbers. Where people should receive slaps on the wrist, they face decades in jail.

“There’s still uncertainty as to what should be criminal online, and the statutes are pretty vague,” said Orin S. Kerr, a professor of law at George Washington University. “It’s hard because you’ve got conduct that looks bad, and maybe leads to some harm, coupled with vague laws that haven’t properly been clarified by Congress.”

The lack of clarity is something that became all too apparent in Mr. Spitler’s case. When asked by prosecutors why he had hacked the servers, he said he didn’t think he was doing anything illegal. When asked why, he replied, “’cause I didn’t hack anything.”

E-mail: bilton@nytimes.com