April 23, 2014


If Wikileaks Scraped P2P Networks for "Leaks," Did it Break Federal Criminal Law?

On Bloomberg.com today, Michael Riley reports that some of the documents hosted at Wikileaks may not be “leaks” at all, at least not in the traditional sense of the word. Instead, according to a computer security firm called Tiversa, “computers in Sweden” have been searching the files shared on p2p networks like Limewire for sensitive and confidential information, and the firm supposedly has proof that some of the documents found in this way have ended up on the Wikileaks site. These charges are denied as “completely false in every regard” by Wikileaks lawyer Mark Stephens.

I have no idea whether these accusations are true, but I am interested to learn from the story that if they are true they might provide “an alternate path for prosecuting WikiLeaks,” most importantly because the reporter attributes this claim to me. Although I wasn’t misquoted in the article, I think what I said to the reporter is a few shades away from what he reported, so I wanted to clarify what I think about this.

In the interview and in the article, I focus only on the Computer Fraud and Abuse Act (“CFAA”), the primary federal law prohibiting computer hacking. The CFAA defines a number of federal crimes, most of which turn on whether an action on a computer or network was done “without authorization” or in a way that “exceeds authorized access.”

The question presented by the reporter to me (though not in these words) was: is it a violation of the CFAA to systematically crawl a p2p network like Limewire searching for and downloading files that might be mistakenly shared, like spreadsheets or word processing documents full of secrets?

I don’t think so. With everything I know about the text of this statute, the legislative history surrounding its enactment, and the cases that have interpreted it, this kind of searching and downloading won’t “exceed the authorized access” of the p2p network. This simply isn’t a crime under the CFAA.

But although I don’t think this is a viable theory, I can’t unequivocally dismiss it for a few reasons, all of which I tried to convey in the interview. First, some courts have interpreted “exceeds authorized access” broadly, especially in civil lawsuits arising under the CFAA. For example, back in 2001, one court declared it a CFAA violation for a competitor to utilize a spider capable of collecting prices from a travel website, if the defendant built the spider by taking advantage of “proprietary information” from a former employee of the plaintiff. (For much more on this, see this article by Orin Kerr.)

Second, it seems self-evident that these confidential files are being shared by accident. The users “leaking” these files are either misunderstanding or misconfiguring their p2p clients in ways that would horrify them, if only they knew the truth. While this doesn’t translate directly into “exceeds authorized access,” it might weigh heavily in court, especially if the government can show that a reasonable searcher/downloader would immediately and unambiguously understand that the files were shared by accident.

Third, let’s be realistic: there may be judges who are so troubled by what they see as the harm caused by Wikileaks that they might be willing to read the open-textured and mostly undefined terms of the CFAA broadly if it might help throw a hurdle in Wikileaks’ way. I’m not saying that judges will bend the law to the facts, but I think that with a law as vague as the CFAA, multiple interpretations are defensible.

But I restate my conclusion: I think a prosecution under the CFAA against someone for searching a p2p network should fail. The text and caselaw of the CFAA don’t support such a prosecution. Maybe it’s “not a slam dunk either way,” as I am quoted saying in the story, but for the lawyers defending against such a theory, it’s at worst an easy layup.

Comments

  1. Jonathan Hall says:

    If the computers allegedly used to trawl for “leaks” were in Sweden, how could that possibly break American law? Or am I underestimating the US’s belief that it runs the world?

    • paul says:

      The computers in Sweden were downloading files from other computers, and at least in the case of the leaked U.S. Government documents, most of the other computers were probably sitting in the U.S.

      And even if all of the computers involved in a given download were abroad, the CFAA could still provide extraterritorial jurisdiction. It protects any computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” 18 U.S.C. 1030(e)(2)(B).

  2. Anonymous says:

    Even if documents were leaked through P2P, there is no way to prove that the documents were actively downloaded by Wikileaks. It could as well be a 3rd party who downloaded the documents, and forwarded them to Wikileaks. One would have to prove that Wikileaks actively downloaded the documents, which can be hard to prove.

    • paul says:

      The report makes it sound like the company working with the FBI, Tiversa, has proof that a computer at a particular IP address in Sweden has sent a particular series of especially suspicious search queries to a p2p network. Someone who understands p2p network architecture better than me can explain how this is possible. Can a Supernode track searches and tie them to particular IP addresses?

      And even if Tiversa has this, it’s hard to imagine how a series of searches can be that incriminating. I suppose if the searches contain the exact titles of documents that later appear on the Wikileaks site, that’s at least mildly circumstantial, but it still requires many inferences to get from that to guilty download.

      So, yes, this is another good reason we won’t see a successful CFAA prosecution in this case.

      • golden says:

        Yes, P2P searches are more open things than, say, a search on google. Searches are forwarded around the network, and so it is plausible that a supernode could tell what an IP address in Sweden is searching for.

  3. golden says:

    Third, let’s be realistic: there may be judges who are so troubled by what they see as the harm caused by Wikileaks that they might be willing to read the open-textured and mostly undefined terms of the CFAA broadly if it might help throw a hurdle in Wikileaks’ way. I’m not saying that judges will bend the law to the facts, but I think that with a law as vague as the CFAA, multiple interpretations are defensible.

    I don’t know why you claim that you don’t mean to say that the judges don’t bend the law to the facts – that is precisely what you are saying. Your claim is that the judge would be troubled by who the defendant is and what they are doing, and so will interpret the law in such a way as to lower the bar for a conviction of wikileaks. In contrast, if the very same judge liked the defendant or thought that what was done was harmless, he/she would choose a more restrictive interpretation that would make conviction more difficult. If that isn’t bending the law, what is?

    In my observation, judges do this all the time and to such an extent that it practically makes a mockery of the notion that there is such a thing as “law”. A friend of mine who is a criminal defense attorney once told me he could predetermine how a judge would rule on virtually every motion. Ask the question “does it help the prosecution”?

    It’s Bush v. Gore, over and over and over.

    • Steven Clark says:

      A friend of mine who is a criminal defense attorney once told me he could predetermine how a judge would rule on virtually every motion. Ask the question “does it help the prosecution”?

      actually, this is an example of consistency.

      as a former criminal defence lawyer myself, this is a common complaint. but one you hear from both sides of the bar. often at the same time, of the same judge.

      if that single question underpins the judge’s decision-making, then the judge is actually predictable and consistent. whilst in your friend’s view this is not fair, it actually gives him/her an excellent starting point for structuring her/his defence strategy.

      law is, and has to be, flexible. it’s hard enough to predict the impact and effects of a law just passed, let alone twenty, fifty, two hundred years hence. in the common law, what has gone before has explicit effects upon what happens now.

      legal interpretation is grounded upon perceptions, attitudes, beliefs, and procedures. it is also shaped by evidence and by precedent. it’s a human-driven process (at least for now, whilst humans are the final arbiters) and thus exhibits all our frailties and foibles. but it is also a ‘self-correcting’ process: one that operates on population scales and generational time frames. it is not a political campaign, reacting reflexively to polls. nor is it specifically about each and every person who comes before the bench. it is about the larger picture of society.

      also: very few judges like to be consistently overruled. a certain degree of conservatism creeps into the system as judges at the bottom of the pyramid try to work roughly within what is both just and consistent with similar cases. judges expect some of their decisions will be replaced on appeal. every decision-maker in the chain has latitude to decide differently.

      but every single one of them must also explain – and publish – their reasoning for their decisions.

      and it is in that that judicial decision-making will always be more transparent, and less arbitrary, than decision-making in executive, legislative or commercial spheres.

  4. Unwritten says:

    Andy Greenberg from Forbes checked with Tiversa’s CEO Boback and confirmed that there is no ‘smoking gun’ connecting WikiLeaks with the P2P searches done by the four Swedish servers. (see Greenberg http://blogs.forbes.com/andygreenberg/2011/01/20/no-smoking-gun-in-hints-that-wikileaks-actively-stole-data/?)

    Here’s a quote from Forbes:
    “In fact, in a phone interview with me today, Boback sounded distinctly less sure of his firm’s deductions than he did in the Bloomberg piece. “What we saw were people who were searching [computers connected to filesharing networks] for .xls, .doc, .pdf, and searching for those generic terms over and over again,” says Boback. “They had multiple Swedish IPs. Can I say that those are WikiLeaks? I can’t. But we can track the downloads of people doing that, and a short time after those files were downloaded, they’re listed on WikiLeaks.”

    “Boback, who says he’s working with a U.S. government investigation into possible peer-to-peer sources for WikiLeaks, says that he saw downloads of documents that later were posted to WikiLeaks from other countries too, both “in the U.S. and across Europe.” “Many of the searches are in Sweden, many are outside,” adds Boback. “It’s hard for us to say that any IP address was WikiLeaks.”
    [end of Forbes quote]

    In fact, Tiversa’s findings point to the porosity of DOD’s so-called ‘secure systems,’ rather than WikiLeaks, as the problem. The confidential documents detailed in the Bloomberg article were gathered by Tiversa in 2009, possibly in preparation for Tiversa’s presentation at a Congressional hearing on DOD computer security. The Bloomberg article includes documents which (per Bloomberg) were never sent to WikiLeaks; the other documents included in Bloomberg showed up on WikiLeaks from two months and over a year after they were accessed by P2P.

    What Tiversa found, and brought to Congress, was evidence that “every nation in the world” is successfully using P2P gaps in DOD computers to troll for supposedly secure data. A few quotes & links to support this:

    ” “We’ve noticed it out of [Iran], Pakistan, Yemen, Qatar and China. They are actively searching for information that is disclosed in this fashion because it is a great source of intelligence,” Boback said.”
    http://www.wpxi.com/news/18818589/detail.html

    [Cnet's Charles Cooper interviews Tiversa's chief tech officer] –
    “Q: So your team concluded that the materials fell into the hands of Iran. Is it possible that other actors also are trying to take advantage of similar openings in the system?
    Hopkins: Heck yeah. Every nation does that. We see information flying out there to Iran, China, Syria, Qatar–you name it. There’s so much out there that sometimes we can’t keep up with it.”

    “Q: I would have assumed military contractors would use more secure networks to communicate.
    Hopkins: Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.’s who wanted to listen to music would install software on secure computers and it got compromised.”
    http://news.cnet.com/8301-10787_3-10184785-60.html

    [Tiversa's Boback testifies to Congress] -
    “Saying that the mentioned ‘confidential’ documents were found during the last few months, and most of them can still be found on P2P networks, Boback added: “Clearly there is a problem. A number of government agencies are exposing information.” ”
    http://topnews.us/content/26336-tiversa-ceo-high-profile-confidential-information-exploding-p2p-networks

    So, could Bloomberg’s ‘four servers in Sweden’ that are trolling P2P for USG info be operated by any country in the world just as easily as by WikiLeaks? ‘Heck Yeah.’ Does DOD actually SECURE its confidential documents? Not so much.

  5. Anonymous says:

    And here’s why.

    The CFAA outlaws accessing a computer in a way that exceeds authorization. It does not outlaw accessing information, but only a computer, without authorization.

    Suppose A entrusts B with confidential file X. B puts a copy of X on a computer and unintentionally lets P2P software share this file.

    C downloads it from B. D downloads it from C. E downloads it from D. F downloads it from E. G downloads it from F. And, eventually, Wikileaks downloads it from G.

    All of the operators of the computers, from B through G, authorized the use, if unintentionally.

    B however is subject to being fired or worse by A for accidentally leaking the document.

    And if B installed the file-sharing software on A’s computer containing X, then A may be the one whose permission C needed to download a copy of X, and C *might* arguably be liable — under the broadest interpretations of the CFAA under which it’s a violation even if you got invited in, let alone didn’t have to break any passwords or anything. Those broad interpretations are very dangerous, though; it means potentially huge liability any time anyone does pretty much anything on the Internet, just in case whoever was running some web server somewhere did not have permission of the hardware owner. A user can’t check that; they just access port 80 and lo! they get some kind of a response with files in response to URLs. It should require actual proactive hacking to be in violation of the CFAA.

    Regardless, D, E, F, G, and Wikileaks are in the clear in this scenario, since none of them accessed A’s computer at all, with or without authorization.

    Furthermore, prosecuting Wikileaks is aiming at the wrong target here anyway. As others have already pointed out, pretty much every government’s foreign-intelligence division is trolling p2p networks for files being accidentally leaked to p2p by every other government. Those files are out there, and prosecuting one relatively large and findable target won’t change that. All it will do is make those files privy to only the world’s governments and spooks instead of to the world.

    Any national security value in confidentiality of that information has already been irrevocably lost and cannot be regained. There is no further loss if the information becomes outright public, but there is a gain if it does: the public then knows what the world’s leaders all already knew, and is better informed.

    The smart thing to do is downplay the significance of this in public, in particular not prosecuting any high-profile targets, whilst quietly instituting more stringent practices regarding storage of classified information. I’m thinking encryption here, not only over the wire but when stored on disk drives, until accessed for a particular purpose, and, furthermore, giving anyone who needs to work with such stuff 2 separate devices, one for working with classified materials and one for everything else. If they have to move data back and forth between them it can be by USB key, and never classified material to the non-classified machine nor p2p software to the classified machine. The classified machine can be connected into a WAN via encrypted VPN tunnel and blocked from all other network access, as an added safety measure. It also should not be bootable from the USB ports; that protects it in case a USB key catches a boot-sector virus that might be designed to leak classified files by trolling machines for such files and copying them to hidden partitions on keys (also infecting any uninfected keys inserted into infected machines), and copying from such partitions on any inserted keys to any p2p shared folders on any machines.

  6. rp says:

    Considering that a plaintiff is claiming that accessing your own computer in any way that violates the shrinkwrap license is criminal under the CFAA, see http://www.gamerlaw.co.uk/2011/01/hacker-jailbreaks-ps3-pwned-by-sony.html and similar, I’m not sure the narrow construction has much life left.

  7. Peter says:

    It’s an attempt to shut Wikileaks down plain and simple. The US government has been really miffed about Wikileaks for several years now and has wanted to shut them down. The reason isn’t about a danger to national security; it’s about control of the flow of information and protecting those in power from being exposed for wrongdoing.

    It’s kind of ironic that when anybody wants to know what the government is doing it’s either a state secret or classified in one way or another (even when this information does not endanger national security in any way, shape, or form); yet they freely spy on us whenever they can?

    As for the P2P issue, it doesn’t apply; the servers they trawled were in Sweden, not the United States which places it outside its jurisdiction; they have no business making such a claim.

  8. Anonymous says:

    To put it simply, if a ‘crime’ is committed in one country and it is not illegal in that country, the perpetrator, or in this case victim, is entirely innocent and cannot be charged. For example, vagrancy is not illegal in Britain but is in the US (I think), so if a down-and-out (homeless man) sleeps in a railway station he cannot be prosecuted in a US court, as the crime did not happen in a US court.

  9. Adam Fisk says:

    Paul- To anyone versed in P2P tech (I authored or co-authored all the second generation search algorithms used on modern day Gnutella while I was at LimeWire), it’s obvious that Tiversa is a huge scam. They systematically drum up congressional hearings to whip up hysteria about sharing on P2P networks, repeatedly and shamelessly misrepresenting how files are shared on p2p. Not only do I think they can’t actually connect those Swedish searches to WikiLeaks, I think if there was any way to dig deeper you’d find those documents are likely not even on p2p networks either.

    If you’ve followed this company, it’s clear a large part of their business model is to issue these sensational press releases that are impossible to disprove, get some congressional cronies to call a hearing, and then sign up a few more government contracts for $300K a pop.

    Please, please stop talking about these guys as if they’re somehow legitimate. Every whiff of them I get smells like fraud.