The same hacking statute internet sensation Aaron Swartz was being prosecuted under until his January suicide is quietly being tested in a San Francisco federal courtroom -- to little fanfare in a case devoid of hacking in the traditional sense.
Swartz's case and his untimely death set off a firestorm across the internet to reform the hacking law known as the Computer Fraud and Abuse Act -- a statute many suggested the government was abusing. The Swartz prosecution prompted Attorney General Eric Holder to enter the fray, saying it was a "good use of prosecutorial discretion."
But none of that drama associated with the Swartz case and its aftermath is present in the San Francisco courtroom of U.S. District Judge Edward Chen. It's where one of the most bizarre applications of the anti-hacking law is playing itself out to a virtually empty gallery.
Beginning today, jurors will begin deliberating their first full day in the two-week hacking prosecution of David Nosal, whose case has had a tortured legal history with two trips to a federal appeals court.
Nosal's crime, prosecutors say, is this: Nosal coaxed, sometimes through monetary payments, his former colleagues at Los Angeles-based executive search firm Korn/Ferry International to access the firm's proprietary database and provide him with trade secrets to help him build a competing firm.
"This is a stretch of the law," Steven Gruel said in a brief interview during a recent recess in the case.
Before the case went to the jury Friday, Nosal's defense team unsuccessfully urged the judge to toss the charges, arguing that the alleged crime doesn't fit the statute.
The Computer Fraud and Abuse Act was passed in 1984 to enhance the government's ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.
The act makes it a federal offense if one "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." Prison penalties are up to 5 years per violation.
The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website's terms of service. That legal theory was used to prosecute Lori Drew, who was charged criminally for participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide.
The Los Angeles federal court case against Drew hinged on the government's argument that violating MySpace's terms of service was the legal equivalent of computer hacking and a violation of the CFAA. A federal judge who presided over the prosecution tossed the guilty verdicts in July 2009, and the government declined to appeal.
In Nosal's case, he's accused of violating his former employer's computer usage policy because he allegedly was not authorized to access its proprietary database, even if he didn't access it himself.
Consider a recent exchange between federal prosecutor Kyle Waldinger and Korn/Ferry's Marlene Briski, the vice president of information services:
"Is there policies for sharing the password?"
"Yes."
"Under these policies is it permissible for an employee of Korn/Ferry to loan their username and password to anyone else?"
"No it is not."
Moments before, Briski used her index fingers to draw a box in the air, to illustrate to jurors a popup that appears on a computer screen when somebody logs in: "It says you have to have an authorized user name and password in order to access it."
A reproduction of that dialogue box was shown to jurors on a large monitor and to the handful of court watchers in the gallery. All the while, the 12 jurors and two alternates took notes and watched intently as Waldinger went over Korn/Ferry's computer usage policy for hours.
The two Korn/Ferry employees who allegedly coughed up their passwords to Nosal are cooperating with the government and have not been charged.
And if Nosal's case is a stretch of the hacking law, consider a different one filed in March, in which the circumstances are just the opposite.
An online social media editor for the Reuters news agency was indicted for allegedly helping members of Anonymous hack another media organization's network.
The editor was outed by the prominent former member of Anonymous known as Sabu who became a snitch for the FBI following his own arrest last year.
Matthew Keys, a 26-year-old deputy social media editor for Reuters in New York, allegedly provided log-in credentials for a server owned by the Tribune Company, his former employer, and encouraged members of Anonymous to use the credentials to "go fuck some shit up," according to prosecutors.
A federal appeals court has taken notice of the government's willy nilly application of the anti-hacking statute, which is also being used to prosecute alleged WikiLeaks leaker Bradley Manning.
The 9th U.S. Circuit Court of Appeals, ruling in Nosal's case for a second time last year, decided that employees may not be prosecuted under the anti-hacking statute for simply violating their employer's computer use policy. The tossed charges against Nosal stemmed from when Nosal, while still a Korn/Ferry employee, had authorized credentials to access Korn/Ferry's so-called "searcher" database. He was accused of using the information he allegedly obtained to help build a competing business.
"Under the government's proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as 'tall, dark and handsome,' when you are actually short and homely, will earn you a handsome orange jumpsuit," the court ruled, adding in a footnote that the government's interpretation of the law opens employees up to be arrested, not merely fired, for playing Farmville at work.
The 9th Circuit covers Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington and does not affect the Manning prosecution.
The decision also conflicts with at least three other circuit courts of appeal nationwide, which means the Supreme Court could take up the issue. The San Francisco-based appeals court noted the split and urged its sister circuits to reconsider their rulings.
Nosal is now awaiting a verdict for a trial that now accuses him of accessing the "searcher" database after he left the company in 2005, when he didn't have authorized access to Korn/Ferry's computer program.
All the while, the public eye is seemingly glued to the Swartz matter.
Swartz was under indictment in Massachusetts for more than a dozen counts of computer hacking and wire fraud in connection to the downloading of millions of academic articles from a subscription database from MIT's campus. An internet sensation who helped develop the Creative Commons and was part of a small team that sold Reddit to Wired parent company Condé Nast, prosecutors suggested Swartz had planned to release to the public the millions of JSTOR academic papers he downloaded.
Yet even some of the CFAA's biggest critics said the Swartz case had some merit.
"My conclusion, at least based on what we know so far, is that the legal charges against Swartz were pretty much legit. Three of them are pretty strong; one is plausible but we would need to know more facts to be sure," said Orin Kerr, a George Washington University legal scholar and one of the nation's top CFAA experts who defended Drew at trial.
Shortly after Swartz's death -- which family members claimed was a result in part of the government's prosecutorial zeal -- Rep. Zoe Lofgren (D-California) introduced legislation that would alter the hacking statute to prevent prosecutions for violating "an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an internet service provider, internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized."
While the language, which is evolving, might not have assisted Swartz if it was the law, it likely would have helped Nosal and Keys.
But strange things happen in Washington. A draft now circulating among House Judiciary Committee members might stiffen the computer hacking law.
"This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions," Kerr said. "It would make it a felony crime for anyone to violate the TOS (terms of service) on a government website."
To Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation and a former federal public defender, the Computer Fraud and Abuse Act just doesn't add up, especially in Nosal's case.
"When I think of the CFAA I think of hacking. You break into a system not through a simple process but aggressively and violently take stuff and ransack the place. Using a username and password is like using a key," he said. "If I give you the key to my house is that the same thing as knocking down the door? The problem with the law is it kind of treats it the same."
