By Hanni Fakhoury and Trevor Timm | EFF | July 19, 2013
Twitter was abuzz yesterday when an unknown person published what were alleged to be a group of passwords for the email accounts of Congressional staffers. Multiple journalists, including reporters from the Daily Beast and Buzzfeed, commented on the list while linking to it.
While one would assume linking to the list is a First Amendment-protected activity—given the journalists had nothing to do with stealing the passwords—Barrett Brown is currently under indictment, in part, for remarkably similar behavior. And if he is convicted, it could have dire consequences for press freedom.
Brown, who has written for Vanity Fair and the Guardian among other publications, started a website called “Project PM” in 2009, which crowdsourced public information about security contractors who worked with government agencies like the NSA. Part of what Brown and other Project PM users investigated were leaked emails from security contractors like HB Gary and Stratfor.
Now, it’s important to note that, despite his fascination with Anonymous, Brown has never been accused of participating in any hacking. In fact, he lacks the expertise to even do so. Northwestern professor Peter Ludlow described what happened after Stratfor emails were leaked online by Anonymous: “When the contents of the Stratfor leak became available, Brown decided to put ProjectPM on it. A link to the Stratfor dump appeared in an Anonymous chat channel; Brown copied it and pasted it into the private chat channel for ProjectPM, bringing the dump to the attention of the editors.”
The link, it turned out, contained credit card numbers, among the wealth of information on the company itself. But by merely transferring the link from one chat room to another, Brown was indicted for trafficking in stolen authentication features (specifically the credit card verification values (“CVV”), or the three-digit number on the back of a credit card), access device (i.e., credit card) fraud and aggravated identity theft. (He is also indicted in two separate criminal cases with making online threats to an FBI agent and obstruction of justice, but those have no bearing on the charges being discussed here.)
The government’s prosecution theory isn’t limited to credit card numbers. The same theory could potentially be used against the Daily Beast or Buzzfeed journalists yesterday, or against any journalist that has linked to stolen material of a similar nature. That’s because the federal identity theft statute, 18 USC § 1028, is remarkably broad.
The statute criminalizes knowingly transferring an “authentication feature” known to be stolen or taken without lawful authority. “Authentication feature” means any “symbol,” “code” or “sequence of numbers or letters” used to authenticate a means of identification. And “means of identification” is defined as “any name or number that may be used alone or in conjunction with any other information, to identify a specific individual” including a “unique electronic identification number, address, or routing code.” The government has argued before—specifically in its prosecution of Andrew “Weev” Auernheimer—that this definition covers email addresses.
Under the government’s theory in Barrett Brown’s case, all journalists (and anyone else for that matter) tweeting out the link to the list of Congressional staffer email addresses and passwords were trafficking in authentication features and are guilty of a felony. While it turns out that many of the passwords in this case may not have been accurate, this lesson holds true anytime someone links to groups of stolen passwords posted online, which seems to happen fairly frequently.
And in this situation, under the Justice Department’s theory, those linking to the list violated the aggravated identity theft statute too because during that crime, they knowingly transferred “without lawful authority, a means of identification of another person”—the email addresses. These are serious charges; aggravated identity theft alone carries a mandatory two-year prison sentence that must run consecutively to any other sentence imposed.
It bears repeating: the government does not allege Brown participated in the hacking of Stratfor at all. Here, Brown didn’t even publish anything, he merely directed other people to where information was already published via a standard hyperlink. The right of journalists—or anyone for that matter—to link to already-public information, including sensitive information, is in serious jeopardy if Brown is convicted.
We’ll have more on the dangers of the Barrett Brown prosecution to both the press and public soon. In the meantime Brown’s case and the massive linking to the Congressional e-mail addresses and passwords that occurred yesterday emphasize why journalists should be worried when the right to link is threatened.